DHS Warns of Impending Cyber-Attacks on ERP Systems

Today, the US Department of Homeland Security (DHS) has issued an alert warning of increased activity from nation-state hackers, criminal groups, and hacktivists against Enterprise Resource Planning (ERP) systems.

The warning is based on a joint report published two days ago by threat intelligence firms Digital Shadows and Onapsis.

The report, available for download from here or here, details a recent spike in interest from nation-state hackers, criminal groups, and hacktivists in regards to ERP systems.

ERPs are web-based applications, often cloud-based systems, that allow companies to manage various facets of their business, such as customer accounts, finances, HR issues, marketing ops, sales, product distribution, and about anything else that happens in a company.

Because of the data depth and richness, ERPs make some of the most attractive targets for intruders, may them be nation-state hackers, cyber-criminal gangs, or hacktivist groups.

Cybercriminals are looking for info on ERP hacks

The joint report warns about increased interest in vulnerabilities and zero-days related to SAP and Oracle, the two biggest providers of cloud-based ERP software.

"We observed detailed information on SAP hacking being exchanged at a major Russian-speaking criminal forum, as well as individuals interested in acquiring SAP HANA-specific exploits on the dark web," the report reads.

"This goes in hand with an observed 100% increase of public exploits for SAP and Oracle ERP applications over the last three years, and a 160% increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017."

ERP attacks range from old flaws to password guessing

Experts say that most of the attacks they tracked or documented for their report do not use zero-days, but known vulnerabilities. Attackers usually go after self-hosted ERP applications that have not received recent patches, or after cloud-based ERP applications where companies did not set up strong security policies.

Most often, researchers say, attackers leverage username and password info leaked in breaches at other companies to attempt to break into an employee's ERP account.

This type of attack is common because researchers identified over 17,000 ERP applications connected to the Internet, on which brute-force or dictionary attacks can be mounted to break into unsecured accounts.

But if attackers aren't willing to put in the work into identifying employees of a certain company and then brute-forcing his account, there are also simpler solutions at hand.

For example, Digital Shadows and Onapsis researchers say they identified over 500 ERP configuration files exposed online in unsecured file repositories. Attackers can data-mine these config files for information they could use in future attacks.

In addition, researchers say they've also seen the continued exploitation of a seven-year-old SAP vulnerability that was at the center of a May 2016 DHS alert, suggesting that threat actors are having success exploiting old flaws like this.

APTs and criminal groups have already attacked ERPs

These security slip-ups haven't been ignored by threat actors, the report points out.

"We have captured evidence of cyberattacks attributed to nation-state affiliated actors, in which ERP applications were compromised in order to access highly-sensitive information and/or disrupt critical business processes," researchers said.

Previous reports from FireEye and ProtectWise on the activities of Chinese cyber-espionage groups APT10 and APT17, respectively, have confirmed nation-state actors' interest in cloud applications, such as ERP systems.

Furthermore, day-to-day cybercrime groups have also started targeting ERPs. Digital Shadows and Onapsis point out that the notorious Dridex banking trojan was updated in 2017 to look for and steal credentials for ERP systems, and SAP software, in particular.

Hacktivist groups, while not as active as they were a decade ago, have also expressed interest online in breaching ERP systems in order to sabotage business-critical applications.

Attacks on ERP systems can cause WannaCry-like situations

All in all, the report and associated DHS alert want to raise a sign of alarm in regards to securing ERP systems before it may be too late for companies to act.

"The implications of this research go beyond the risk to individual companies," researchers say.

"Based on the observed threat actors, the pervasive nature of these applications in the world’s largest organizations and the dependence on them for the execution of business-critical processes, wide-scale attacks on ERP applications could also have macroeconomic implications," say researchers, suggesting attacks on ERP systems could easily have a WannaCry-like impact in some cases.