
US Homeland Security warns of latest hacker craze – ERP pwnage

Attacks on SAP, Oracle platforms incoming

Hackers are increasingly looking to target enterprise resource planning (ERP) systems to disrupt and steal data from large companies.

This according to a report (PDF) from security companies Digital Shadows and Onapsis, who say that hacktivists and state-sponsored groups in particular have been looking to exploit flaws in Oracle and SAP platforms.

"ERP applications are being actively targeted by a variety of cyber-attackers across different geographies and industries," the report reads.

"Traditional controls of ERP application security such as user identity management and segregation of duties are ineffective to prevent or detect the observed TTPs used by attackers."

The report has been endorsed by the US Department of Homeland Security, which recommended that companies read it and follow its findings.

Because ERP applications are so heavily relied upon by companies and because they are increasingly exposed to the public internet as cloud services, the platforms are very attractive as both targets for sabotage and as the entry point for larger data-theft operations.

Because of this, the study found, the number of public exploits for SAP HANA and Oracle ERP software has doubled over the last three years. The researchers also note that demand for stolen ERP credentials has gone up, with some hackers repurposing banking malware to lift ERP system logins.

CPU thieves get in on the act

Even cryptominers are looking to get in on the act, say researchers. The paper notes a 2017 incident where hackers used an exploit for WebLogic to plant mining code on servers and rack up around $226,000 worth of Monero coins.

"While it is hard to know how widespread this activity is, we have detected individuals discussing the potential of using SAP servers to mine Monero on Internet Relay Chat (IRC) channels," the report says.

"In January 2018, one IRC user discussed that 'sap servers are well known to have high cores,' and that 'Sapadm' could be used as a 'combo'. 'Combos' refer to username and password combinations that could be brute-forced to gain access to a particular server."
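The "combo" approach the report describes is ordinary credential guessing: a source hammers one account (sapadm) with many passwords, or replays a username:password list across many accounts. The script below is an added example, not code from the report or from Digital Shadows or Onapsis, showing how a defender can spot both patterns in ERP login-audit events. The key=value log layout, the sample events, and the thresholds are assumptions for illustration; the real SAP and Oracle audit formats differ, so `parse_line()` is the part to adapt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of ERP login-audit events in a generic key=value layout.
# The layout is an assumption for illustration, not the real SAP or Oracle
# audit log format; adapt parse_line() to whatever your system emits.
SAMPLE_LOG = """\
2018-01-15T10:00:01Z src=203.0.113.5 user=sapadm result=FAIL
2018-01-15T10:00:02Z src=203.0.113.5 user=sapadm result=FAIL
2018-01-15T10:00:03Z src=203.0.113.5 user=sapadm result=FAIL
2018-01-15T10:00:04Z src=203.0.113.5 user=sapadm result=FAIL
2018-01-15T10:00:05Z src=203.0.113.5 user=sapadm result=FAIL
2018-01-15T10:00:06Z src=203.0.113.5 user=sapadm result=SUCCESS
2018-01-15T10:01:00Z src=198.51.100.7 user=jdoe result=FAIL
2018-01-15T10:01:01Z src=198.51.100.7 user=asmith result=FAIL
2018-01-15T10:01:02Z src=198.51.100.7 user=bjones result=FAIL
2018-01-15T10:01:03Z src=198.51.100.7 user=clee result=FAIL
2018-01-15T10:01:04Z src=198.51.100.7 user=dkim result=FAIL
2018-01-15T10:30:00Z src=192.0.2.9 user=jdoe result=FAIL
2018-01-15T10:45:00Z src=192.0.2.9 user=jdoe result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)$"
)

# Accounts whose successful login right after a run of failures deserves a look.
# "sapadm" is the account named in the IRC chatter quoted in the report; add
# your own default and administrative account names here.
WATCHED_ACCOUNTS = {"sapadm"}


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"].lower(),
            "ok": m["result"].upper() == "SUCCESS"}


def detect(lines, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=4):
    """Scan login events in order and return a list of alert dicts.

    Three patterns are flagged, each at most once per source address:
      bruteforce      - at least fail_threshold failures from one source inside window
      spray           - one source failing against at least spray_threshold distinct
                        usernames inside window (a combo list being replayed)
      watched_success - a successful login to a WATCHED_ACCOUNTS name from a source
                        that still has failures inside the window (a guessed combo)
    """
    recent_fails = defaultdict(deque)   # src -> deque of (ts, user) failures in window
    raised = set()                      # (src, type) pairs already alerted
    alerts = []

    def raise_alert(kind, ev, **extra):
        if (ev["src"], kind) in raised:
            return
        raised.add((ev["src"], kind))
        alerts.append({"type": kind, "src": ev["src"], "at": ev["ts"].isoformat(), **extra})

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        q = recent_fails[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if ev["ok"]:
            if ev["user"] in WATCHED_ACCOUNTS and q:
                raise_alert("watched_success", ev, user=ev["user"], prior_failures=len(q))
            continue
        q.append((ev["ts"], ev["user"]))
        users = sorted({u for _, u in q})
        if len(q) >= fail_threshold:
            raise_alert("bruteforce", ev, failures=len(q), users=users)
        if len(users) >= spray_threshold:
            raise_alert("spray", ev, distinct_users=len(users), users=users)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the first source trips the brute-force rule on its fifth sapadm failure and then the watched-account rule when the sixth attempt succeeds; the second source trips the spraying rule after four distinct usernames; the third source, a user who mistyped once and logged in a quarter of an hour later, produces nothing because its failure has aged out of the window. Keep the window and thresholds tied to what your ERP's lockout policy allows, since an attacker pacing attempts just under the lockout limit is exactly the case the per-source sliding window is meant to catch.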

To help prevent attacks, the two companies are advising administrators to take a careful look at their ERP applications for missing patches and insecure configurations, in particular accounts that hold more privileges than they need.

The paper also recommends admins look to disable unused APIs and internet-facing logins that are not necessary. In general, admins should look to minimize the attack surface on their ERP software.

"Given the complexity and high-degree of interconnectivity between different ERP applications, it is very important to stress that these controls and recommendations must be applied across the entire ERP application platform, including all instances/application servers of production environments as well as non-production ones (i.e., development, quality assurance, sandbox, pre-production)," the report concludes.

"A vulnerable setting in one QA application server can result in a full compromise of the entire ERP platform." ®
