LONDON (Reuters) – At least a dozen companies and government agencies have been targeted and thousands more organizations are exposed to data breaches by hackers exploiting old security flaws in management software, two cyber security firms told Reuters.
SAP logo is seen at SAP company offices in Woodmead, Johannesburg, South Africa, March 26, 2018. REUTERS/Siphiwe Sibeko
The U.S. Department of Homeland Security is preparing on Wednesday to issue an alert based on the report about the risks posed to thousands of unpatched business systems from software makers Oracle (ORCL.N) and SAP (SAPG.DE), which can enable hackers to steal corporate secrets, the researchers said.
Homeland Security declined to comment and Reuters could not immediately confirm the warning from independent sources.
Systems at two government agencies and at firms in the media, energy and finance sectors have been hit after failing to install patches or take other security measures advised by Oracle or SAP, experts at security firms Onapsis and Digital Shadows said.
The security alert from the Homeland Security’s Computer Emergency Response Team (US-CERT) includes steps that organizations can take to identify vulnerable systems and close long-standing security gaps, the companies told Reuters.
The threat is alarming because businesses store highly sensitive data – including financial results, manufacturing secrets and credit card numbers – in the vulnerable products, known as enterprise resource planning (ERP) software and in related applications for managing customers, employees and suppliers.
Many of these issues date back a decade or more, but the new study shows rapidly rising interest by hacker activists, cyber criminals and government spy agencies in capitalizing on these issues, Onapsis Chief Executive Mariano Nunez told Reuters.
“These attackers are ready to exploit years-old risks that give them full access to SAP and Oracle systems without being detected,” he said. “The urgency level among chief security officers and CEOs should be far higher.”
SAP and Oracle declined to comment immediately.
The new alert, if issued, would expand on a 2016 Homeland Security department warning to SAP customers after Onapsis uncovered plans by Chinese hackers to exploit out-date software used by dozens of companies, Nunez said. (reut.rs/2JKJvCI)
Organizations sometimes delay security fixes to ERP software for months or even years out of concern that doing so could disrupt the critical functions the programs support, including manufacturing, sales and finance, Nunez said.
Risks also arise from technical installation mistakes or growing moves to hook up traditionally back-office business systems to the cloud in order to reach mobile or online users.
In its latest research, Onapsis, together with web monitoring firm Digital Shadows, identified some 17,000 SAP and Oracle software installations exposed to the internet at more than 3,000 top companies, government agencies and universities.
At least 10,000 servers are running incorrectly configured software that could subject them to direct attack using known SAP or Oracle exploits, the report’s authors warned.
More than 4,000 known bugs in SAP and 5,000 in Oracle software pose security threats, especially in older systems that operators may consider uneconomical to fix, according to the report from Onapsis and Digital Shadows due out on Wednesday.
Digital Shadows combed through Google searches, social media chatter and the dark web where they found discussions in Chinese and Russian hacker forums regarding how to use specific SAP and Oracle vulnerabilities.
The ERP study by Onapsis and Digital Shadows is available for download at goo.gl/pWbz3Q
Reporting by Eric Auchard; editing by Jim Finkle and Jason Neely