Hackers target flaws in SAP, Oracle softwares
Systems at government agencies, media firms, energy and finance sectors have been hit
London, July 25: At least a dozen companies and government agencies have been targeted and thousands more are exposed to data breaches by hackers exploiting old security flaws in management software, two cyber security firms warned in study published on Wednesday.
The Department of Homeland Security (DHS) issued an alert citing the study by security firms Digital Sky and Onapsis that highlights the risks posed to thousands of unpatched business systems from Oracle and SAP.
These can enable hackers to steal corporate secrets, researchers said.
Systems at two government agencies and at firms in the media, energy and finance sectors were hit after failing to install patches or take other security measures advised by Oracle or SAP, security firms Onapsis and Digital Shadows said in the newly published report.
The alarm was raised because firms store highly sensitive data – including financial results, manufacturing secrets and credit card numbers – in the vulnerable products, known as enterprise resource planning (ERP) software and in related applications for managing customers, employees and suppliers.
In an alert, DHS’ National Cybersecurity and Communications Integration Center highlighted signs of increasing hacker focus on ERP applications, citing the study.
“An attacker can exploit these vulnerabilities to obtain access to sensitive information,” said NCCIC, an arm of the US-CERT.
Many of these issues date back a decade or more, but the new report shows rapidly rising interest by hacker activists, cyber criminals and government spy agencies in capitalising on these issues, Onapsis CEO Mariano Nunez told Reuters. “These attackers are ready to exploit yearsold risks that give them full access to SAP and Oracle systems without being detected,” he said. “The urgency level among chief security officers and chief executive officers should be far higher.”
An SAP spokesman said that, in general, the company takes security issues seriously across its organisation. “Our recommendation to all of our customers is to implement SAP security patches as soon as they are available typically on the second Tuesday of every month — to protect SAP infrastructure from attacks.”
— Reuters