The US-CERT arm of the U.S. Department of Homeland Security has issued an alert warning organizations about an increase in attacks targeting Enterprise Resource Planning (ERP) applications. The alert is based on a joint threat report released this week by vulnerability intelligence firm Onapsis and digital risk management firm Digital Shadows.
ERP applications play a critical role inside large enterprises, helping them manage their customer relationships, asset life cycle, supply chains, business intelligence and human resources. This means ERP applications store and process businesses’ most sensitive data—the “crown jewels” as it is known in the security industry.
“While some executives still consider ‘behind-the-firewall’ ERP implementations to be protected, we have observed clear indicators of malicious activity targeting environments without direct internet connectivity,” the two companies said in their report. “Further, there is an astonishing number of insecure ERP applications directly accessible online, both on-premise
(sic) and in public cloud environments, increasing the attack surface and exposure.”
During their investigation, researchers have identified nine attack campaigns targeting SAP and Oracle ERP applications that were launched by hacktivist groups, found evidence of attacks against ERP applications by nation-state affiliated actors and observed a sharp rise in discussions about SAP hacking and ERP exploits on cybercriminals forums and the Dark Web.
For example, the Dridex malware was updated in 2017 to steal user credentials from SAP client software, which could allow cybercriminals to access SAP environments. In many cases, hacking is not even required because employees publish SAP configuration files in public repositories or post credentials in public forums, the two companies found.
“Most of the observed TTPs leverage the lack of ERP application layer security patches and insecure configurations,” the researchers said. “Attackers are not being forced to resort to zero-day exploits as victim organizations are exposed by known ERP vulnerabilities.”
For example, there’s evidence hackers continue to successfully exploit a seven-year-old critical SAP vulnerability for which US-CERT issued a technical alert in 2016. And they have plenty of targets to choose from, as Onapsis identified more than 17,000 SAP and Oracle ERP applications directly connected to the internet, many of which belong to large commercial organizations and government institutions.
“Threat actors are aware of this and are actively sharing information across the dark web and criminal forums to find and target these public applications,” the researchers said. “Many of these exposed systems run vulnerable versions and unprotected ERP components, which introduce a critical level of risk.”
Hide ‘N Seek IoT Botnet Keeps Evolving at a Rapid Pace
Hide ‘N Seek (HNS), a botnet that started out in January by only targeting routers from Netgear and TP-Link, is now using nine exploits for different types of devices, including IP cameras, database servers and, more recently, home automation systems.
According to a new report from Fortinet, the latest addition to the botnet’s arsenal is a remote code execution exploit for HomeMatic Zentrale CCU2, the central control panel for a home automation system made by Germany-based manufacturer eQ-3.. The botnet’s full list of targets now includes: TP-Link, Netgear and Linksys routers; Belkin and AVTech cameras and DVRs; the Java AUGUR Web Server (JAWS); the Apache CouchDB and OrientDB database systems and HomeMatic Zentrale.
What’s interesting is that the HomeMatic exploit was disclosed publicly July 18 and was integrated by HNS’s creators in a matter of days. This adoption and integration speed has also been observed before with the exploit for Apache CouchDB. At the moment it doesn’t seem that HNS has any malicious code that specifically abuses the smart home functionality of HomeMatic devices.
“HNS has been aggressively adding exploits and targeting more platforms and devices to increase its propagation scope,” the Fortinet researchers said in a blog post. “Utilizing freshly released PoC exploits to its arsenal increases the chance for it to be the first to infect these vulnerable devices.”