The United States Department of Homeland Security issued a warning this week for malicious cyber activity targeting ERP applications including SAP. The warning is based on the findings of a recent report issued by Digital Shadows and Onapsis. The report discusses the dramatic rise in cyber attacks on widely used ERP applications. The report echoes the findings of an earlier study by Gartner that predicted a growth in attacks targeted at business applications.
The findings of the report are summarized below.
– The number of publicly available exploits for SAP applications has doubled in the past three years and there has been a 160% increase in the activity and interest in ERP-specific vulnerabilities between 2016-17
– Hacktivist groups are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations
– Cybercriminals have evolved malware to target internal, “behind-the-firewall” ERP applications
– Nation-state sponsored actors have targeted ERP applications for cyber espionage and sabotage
– There has been a dramatic increase in the interest in exploits for SAP applications, including SAP HANA, in dark web and cybercriminal forums
– Attacks vectors are evolving, still mainly leveraging known ERP vulnerabilities vs. zero-days
– Cloud, mobile and digital transformations are rapidly expanding the ERP attack surface, and threat actors are taking advantage.
– Leaked information by third parties and employees can expose internal ERP applications.
In response, the report recommends the following actions to protect SAP applications from cyber attack.
– Identify and mitigate ERP application layer vulnerabilities, insecure configurations and excessive user privileges
– Identify and remove dangerous interfaces and APIs between the different ERP applications in the organization, especially those with third parties and that are internet-facing
– Monitor and respond to sensitive ERP user activity and ERP-specific indicators of compromise
– Monitor for leaked ERP data and user credentials
The recommended actions can be applied using SAP Solution Manager. System and user-level vulnerabilities can be identified using Service Level Reporting and Dashboards in Solution Manager. System Recommendations can be used to discover and apply security patches. Vulnerable cross-system connections including external connections can be discovered and monitored using Interface and Connection Monitoring (ICMon). The Monitoring and Alerting Infrastructure (MAI) in Solution Manager can be used to monitor SAP logs to detect indicators of compromise including the leakage of sensitive data. Finally, the Guided Procedure Framework provides a platform for incident response using standard operating procedures for alert investigation.