US-CERT Warns About Increasing ERP System Attacks

The United States Computer Emergency Readiness Team (US-CERT) has warned companies about the growing risk of cyberattacks on enterprise resource planning (ERP) systems such as the cloud-based ERPs developed by Oracle and SAP.

These internet-based apps are used to manage business operations such as finances, billing, payroll, logistics, and human resources processes. They hold a considerable volume of sensitive information: the exact types of information sought by cybercriminals for identity theft, fraud, and cyber espionage.

Additionally, a lot of businesses depend on their ERP systems to function. A cyberattack that takes an ERP system out of action could prove catastrophic. These systems are appealing targets for hacktivists, nation-state-sponsored hackers, competitors, and ransomware gangs.

The US-CERT caution follows a joint report on the growing risk of ERP system attacks by cybersecurity companies Onapsis and Digital Shadows. The report concentrated on two of the most commonly used ERP systems: Oracle E-Business and SAP HANA.

The authors explained that the quantity of publicly available exploits for Oracle E-Business and SAP has grown by 100% in the last three years, and comprehensive details on exploiting these systems are being traded on dark web forums.

ERP apps are currently being targeted by cyber-attackers. One hacking group has repurposed the banking Trojan Dridex and is using it to obtain ERP system credentials. Demand for these credentials is particularly high, and they can be sold for large sums of money.

In addition to gaining access to ERP servers to steal data, cybercriminals are also installing malware to mine cryptocurrencies. One cybercriminal group used a publicly accessible exploit for WebLogic to gain access to ERP servers and install software that mined the Monero cryptocurrency. That single campaign earned the group $226,000 in Monero. The authors of the report said there is a lot of talk on Internet Relay Chat (IRC) channels regarding the use of SAP servers to mine cryptocurrency.

When ERP systems are accessible over the web, they are far more prone to being attacked. The researchers explained that internet-linked ERP systems aren’t hard to locate. The researchers discovered over 17,000 internet-linked ERPs, which could possibly be accessed by using dictionary or brute force strategies to guess login credentials. There are also many vulnerabilities that could be exploited to gain access to ERP systems. More than 50 SAP and 30 Oracle exploits are being actively exchanged in darknet communities.

The developers of ERP systems regularly patch their platforms. As with any software solution, patches need to be applied promptly. However, patching is often postponed because of the complexity of installations and customized functions. These delays provide a window of opportunity for hackers to exploit vulnerabilities and gain access to ERP systems.

In addition to prompt patching, strong, unique passwords must be used, and system privileges should be set carefully based on the rule of least privilege. ERP apps should be scanned for uninstalled patches and unsafe configuration settings, and any APIs that are not being used should be disabled, along with unnecessary internet-facing logins.