In an alert named ‘Malicious cyber activity targeting ERP applications’, the Department of Homeland Security stated that a number of government and private organizations have been exposed to cyber attacks due to security flaws in some of the business systems manufactured by Oracle or SAP.
The alarm was raised in the wake of the recent survey by two cybersecurity firms, Onapsis and Digital Shadows, that highlighted ERP (Enterprise Resource Planning) software applications as one of the primary targets for breaches. According to the survey report, unpatched business systems at two government agencies and other firms in the media, energy, and finance sectors are vulnerable to cyber attacks because those organizations failed to take the necessary security measures advised by Oracle or SAP.
“These attackers are ready to exploit years-old risks that give them full access to SAP and Oracle systems without being detected,” said Onapsis Chief Executive Mariano Nunez. “The urgency level among chief security officers and CEOs should be far higher.”
According to Reuters, the study identified that around 17,000 SAP and Oracle software installations are exposed to the Internet at more than 3,000 private companies, government agencies, and universities. More than 4,000 known bugs in SAP and 5,000 in Oracle software pose security threats, especially in older business systems. The study also warned that at least 10,000 servers are running incorrectly configured software that could allow cybercriminals to exploit the vulnerabilities in SAP or Oracle applications to obtain access to sensitive information. An SAP spokesman recommended that all customers implement SAP security patches as soon as they are available to protect the SAP infrastructure from attacks.