How to Protect Your Business from Hackers who Exploit ERP Vulnerabilities

Every company nowadays uses a variety of enterprise applications to enable employees to perform their duties. These applications include ERP, CRM, file sharing, and other tools.

Often, business applications are targeted by cybercriminals. One unprotected vulnerability opens up opportunities for serious cyber attacks. As a result, the offender can get access to financial instruments, confidential data and personal information of clients. Moreover, the affected company itself may unwittingly become a tool in fraudulent schemes.

The Scale of the Problem

More than 70% of the applications used in the corporate environment get damaged by at least one vulnerability that will be detected during the first scan using special tools. For Java applications, this number is even higher — more than 80%. At the same time, less than 30% of companies conduct regular checks for any vulnerable components.

It is not easy to provide the necessary maintenance for all applications in the enterprise since its number is constantly changing. Today, even small businesses can use up to 500 applications. Thus, an employee, based on his/her own preferences or habits, can afford to install a favorite application, which in the future will be a potential entry point for an attack.

Another threat is that more than 80% of the data that is inside the company either comes from public file-sharing systems or is loaded with applications that do not provide reliable storage of received data. The larger the enterprise, the greater the scale of potential threats and damage to the business.

Key facts:

• Hackers are actively attacking ERP applications to disrupt business processes in targeted organizations.
• Cybercriminals have developed malware to attack the internal, “behind-the-firewall” ERP application.
• Competing Companies are targeting ERP for cyber-espionage and sabotage.
• Over the past two years, interest in exploits for SAP applications, including SAP HANA, in dark web and cybercrime forums has increased by 200%.
• Attacks vectors are developing, but mainly leveraging known ERP vulnerabilities vs. zero-days.
• Cloud, mobile, and digital transformations are rapidly expanding ERP’s attack surface, and threat actors take advantage
• Leaked information from third parties and employees can expose internal ERP applications.

Request Consutation

According to VP Distinguished Analyst, Neil MacDonald

“As financially motivated attackers turn their attention ‘up the stack’ to the application layer, business applications such as ERP, CRM, and human resources are attractive targets. In many organizations, the ERP application is maintained by a completely separate team and security has not been a high priority. As a result, systems are often left unpatched for years in the name of operational availability.”

Threat Landscape & Reasons for Expanding the Area of EPR Attacks

One of the most serious threats may be the manipulation of the production environments of enterprises. This is the goal that cybercriminals pursue, trying to penetrate corporate information systems. There may be several scenarios for implementation of such penetration, but the most likely is a creation of disruptions in the work of information systems and a creation of so-called “digital clones” of management systems, whose activities will be aimed at disrupting business processes.

As a plausible example of such an attack, an easy-to-understand scenario can be cited: by gaining access to an ERP (enterprise resources planning) system, attackers substitute financial document numbers, transfer money, or even reboot the system. The result of such intervention is direct theft of funds from a company’s accounts and indirect losses that could be catastrophic for a business.

Clouds, mobility, and digital transformation are rapidly increasing the ERP attack area in 2018. More than 17,000 ERP applications from SAP and Oracle are open to the Internet. Many of their versions are vulnerable and have unprotected components. They belong to the largest commercial and governmental organizations of the world located in the most top-rated countries such as Great Britain, Germany, and the USA. Those who pose a threat are well aware of this and actively share information through the darknet and criminal forums to find this kind of public applications and make them their target.

The vast majority of large organizations use SAP and Oracle ERP applications to support business processes, as well as Microsoft Dynamics & GNU. These include products such as SAP Business Suite, SAP S / 4HANA, Microsoft Dynamics Naf, and Oracle E-Business Suite / Financials. Programs used for: financial planning, salary management, treasury, inventory, production, sales, logistics.

They store data such as financial results, production formulas, prices, critical intellectual property, credit cards, and personal information about employees, customers, and suppliers, as well as other confidential information.

The cybersecurity concerns of ERP have largely been ignored due to the lack of publications about hacks and information about those who pose a threat in this, as many security experts believe, a complex and little-known segment. That’s why criminals are constantly improving their tactics to profit from the organizations.

12 Ways to Protect Your ERP Application

1. Constantly evaluate specifics in ERP software vulnerabilities consistent with vendor security fix cadence (monthly for SAP and quarterly for Oracle), in addition to ongoing efforts to analyze operating system and database security gaps.
2. Constantly assess the configuration of the ERP system, detecting unsafe settings and settings, such as weak / default passwords, which can lead to security risks for the environment.
3. Constantly check the privileges of users responsible for administration or development, as well as those used for batch jobs and interfaces with other applications.
4. Implement a recurring process to ensure timely prevention or detection of gaps with the required ERP security base, as well as corrective actions.
5. Display existing interfaces and APIs between ERP applications, including connections from/to development, quality assurance, and pre-training systems, as they can be misused as reference points.
6. Evaluate the configuration of interfaces and APIs to evaluate encryption usage, service account privileges, and trusted relationships.
7. Analyze the presence of ERP on the Internet, Internet-oriented, to understand whether vulnerable applications are exposed without a valid business reason.
8. Perform regular vulnerability checks and penetration testing to identify vulnerabilities before it exposed.
9. Monitor and respond to sensitive ERP user activity and ERP-specific indicators of compromise. Continuously monitor ERP applications for suspicious user behavior, including both privileged and non-privileged users, for both technical and business user types.
10. Use Bug Bounty Programs from companies with a skilled community of security researchers and ethical hackers before vulnerability disclosed.
11. Continuously monitor systems for indicators of the compromise resulting from the exploitation of ERP vulnerabilities.
12. Implement a repeatable process to incorporate ERP applications into existing incident monitoring and response processes and capabilities.

Summing up

The demand for cybersecurity services is expected to be about $96 billion in 2018. As an example, Oracle, and SAP lost their reputation in the ERP field and still struggle to get all clients back. That’s why new innovative solutions and methods to combat hacker attacks are born every day. In order to be sure, your company has to go through regular checks such as penetration testing.

How Hacken can Help

No system is perfectly secure; no system is without flaws and weaknesses. If you are convinced yours is safe and sound, you just don’t know about potential vulnerabilities yet. At Hacken, we take security extremely seriously, and all the checks are performed according to the highest standards. If you have any questions about the topic or need a consultation, feel free to contact our Team!

Contact a Specialist