Research report warns that the threat of hacking of SAP and Oracle business management software is increasing
The US Department of Homeland Security is preparing to issue a security alert based on a report that lists the security risks faced by thousands of unpatched commercial systems from two major software developers, Oracle and SAP.
Researchers say the systems of two government agencies and companies in the media, energy and finance industries have been attacked because they had not been patched or had not taken other security measures recommended by Oracle or SAP.
According to the report, more than 4,000 known vulnerabilities in SAP software and more than 5,000 known vulnerabilities in Oracle software pose a security threat. The government departments and organizations that run the software believe that old systems that are too expensive to repair are particularly at risk.
The two network security companies told Reuters that at least a dozen companies and government agencies have been targeted by hackers exploiting old security vulnerabilities in management software, and thousands of organizations are at risk of data breaches.
Cases of attacks involving SAP or Oracle software, in chronological order:
Researchers say the US Department of Homeland Security is preparing to issue a security alert based on a report that lists the security risks faced by thousands of unpatched commercial systems from two major software developers, Oracle and SAP, which have allowed hackers to steal company secrets.
The US Department of Homeland Security declined to comment, and Reuters could not immediately confirm the warnings from independent sources.
Experts at the two security companies, Onapsis and Digital Shadows, said that the systems of two government agencies and companies in the media, energy and finance industries have been attacked because they had not been patched or had not taken other security measures recommended by Oracle or SAP.
The two companies told Reuters that security alerts from the US Department of Homeland Security's Computer Emergency Response Team (US-CERT) include measures that organizations can take to identify vulnerable systems and block long-standing security gaps.
This threat is worrying because companies often store highly sensitive data (including financial reports, production secrets, and credit card numbers) in vulnerable products such as enterprise resource planning (ERP) software and in the related applications used to manage customers, employees and suppliers.
Onapsis CEO Mariano Nunez told Reuters that many of these problems can be traced back a decade or more, but the new study shows that the interest of hacktivists, cybercriminals and government espionage agencies in exploiting these issues is rapidly increasing.
He said: "These attackers are ready to make a fuss about the risks that existed a few years ago. These risks allow attackers to fully access SAP systems and Oracle systems without being discovered. For the chief security officer and CEO, the situation should be much more urgent."
SAP and Oracle declined to comment immediately.
Nunez said that a US government department issuing a security alert is not without precedent: as early as 2016, after Onapsis discovered a plot by Chinese hackers to exploit outdated software used by many companies, the US Department of Homeland Security issued an alert to SAP customers.
Nunez said that organizations sometimes delay the deployment of security fixes for ERP software for months or even years, fearing that doing so could undermine key business functions supported by software, including manufacturing, sales, and finance.
The risk also comes from technical installation errors or from an increasingly popular practice: connecting traditional back-office business systems to the cloud to reach mobile users or online users.
In the latest research report, Onapsis and Internet monitoring company Digital Shadows found that approximately 17,000 SAP and Oracle software installations at more than 3,000 well-known companies, government agencies and universities were exposed to the Internet.
The authors of the report warned that at least 10,000 servers are running incorrectly configured software that could expose them to direct attacks that exploit known SAP or Oracle vulnerabilities.
According to a report released by Onapsis and Digital Shadows on Wednesday, more than 4,000 known vulnerabilities in SAP software and more than 5,000 known vulnerabilities in Oracle software pose a security threat, and the government departments and organizations that run the software believe that old systems that are too costly to repair are especially at risk.
Digital Shadows combed through Google search results, social media chats and the dark web, and found posts on Chinese and Russian hacking forums discussing how to exploit specific SAP and Oracle vulnerabilities.
The ERP research report by Onapsis and Digital Shadows is available for download from https://goo.gl/pWbz3Q.