
New Report Reveals Evidence That ERP Applications are Under Attack by Cybercriminals, Hacktivists and Nation-state Actors


Cyberattackers are exploiting ERP business-critical applications and
expanding their operations to target high-value assets, according to new
threat research from Digital Shadows and Onapsis

New research from leading digital risk management firm Digital Shadows
and ERP cybersecurity and compliance firm Onapsis reveals evidence that
the business-critical applications running the biggest organizations in
the world are under attack. The report shows a dramatic rise in
cyberattacks on widely-used enterprise resource planning (ERP)
applications such as SAP and Oracle, which currently have a combined
9,000 known security vulnerabilities.

The report also highlights an increase in attacks on these systems by
nation-state actors, cybercriminals and hacktivists that include both
hacking and distributed denial of service (DDoS) attempts to compromise
and disrupt the operations of these high-value assets. This convergence
of threats puts thousands of organizations and their crown jewels
directly at risk of espionage, sabotage and financial fraud.

This research is considered so critical that the Department of Homeland
Security's United States Computer Emergency Readiness Team (US-CERT)
issued an alert today warning of the risk of these ERP application
attacks. Attacks of this nature were first warned about in May 2016 when
the US-CERT issued an alert advising of a significant threat that
included the exploitation of 36 global organizations through the abuse
of a then five-year-old vulnerability in SAP applications. These
warnings have been proven to be prescient with the new research
revealing:

  • Cybercriminal organizations are exploiting ERP applications,
    leveraging known vulnerabilities and targeting high-value assets such
    as SAP HANA
    • A 100 percent increase in the number of publicly-available
      exploits for SAP and Oracle ERP applications over the last three
    • A 160 percent increase in the activity and interest in
      ERP-specific vulnerabilities from 2016 to 2017
  • Well-known hacktivists and cyber criminal groups are expanding their
    tactics, techniques and procedures (TTPs) to now specifically target
    ERP applications
    • Hacktivist groups, such as those affiliated with the Anonymous
      collective, have expanded their operations to include penetrating
      and disrupting mission-critical ERP platforms, having targeted
      these platforms in over nine operations since 2013
    • Well-known malware kits such as Dridex are being evolved to steal
      user credentials and data from behind-the-firewall ERP applications
    • Nation-state affiliated actors have been attributed for the
      compromise of ERP applications in order to access highly-sensitive
      information and/or disrupt critical business processes
  • Third parties and employees are exposing information that can prove
    highly valuable to sophisticated actors. The research discovered 545
    SAP configuration files publicly exposed on misconfigured FTP and SMB.
    These provide valuable information for attackers to locate sensitive
    files on organizations' networks, greatly reducing effort once they
    gain access to an organization's network

Furthermore, cloud, mobile and digital transformations are rapidly
expanding the ERP attack surface. More than 17,000 SAP and Oracle ERP
applications were found to be exposed on the internet, many running
vulnerable versions and unprotected components, and threat actors are
actively sharing information to take advantage of this opportunity.

The vast majority of large organizations have implemented ERP
applications from vendors such as SAP and Oracle, relying on products
like SAP Business Suite, SAP S/4HANA and Oracle E-Business
Suite/Financials. They rely on these applications to support business
processes such as payroll, treasury, inventory management,
manufacturing, financial planning, sales, logistics, billing and hosting
data such as financial results, manufacturing formulas, pricing,
critical intellectual property, credit cards and personally identifiable
information (PII) from employees, customers and suppliers, among other
sensitive information.

Prior to this report, the ERP cybersecurity problem had remained largely
ignored due to the lack of publicly-disclosed breaches and information
about the threat actors in what was considered by many information
security teams to be a complex and obscure domain.

"Threat actors are continually evolving their tactics and targets to
profit at the expense of organizations. On the one hand, with the type
of data that ERP platforms hold, this isn't shocking. However, we were
surprised to find just how real and severe the problem is," said Rick
Holland, CISO and VP of Strategy at Digital Shadows.

"This collaboration with Digital Shadows provides a breadth and depth of
threat intelligence that is unprecedented," said Juan Pablo
Perez-Etchegoyen, CTO at Onapsis. "By showing how these applications are
being actively targeted by a variety of threat actors across different
geographies and industries, we hope to overcome the misconceptions in
the industry and help CIOs, CISOs and their organizations head off and
manage the risk of wide-scale attacks on ERP applications, which could
have a devastating impact, as well as macroeconomic implications."

the report now for details of the research and the key actions
organizations need to take. Contact us to request a live demo of the
anatomy of an ERP cybersecurity breach at Black Hat USA.

To find out more about the threats associated with ERP applications,
visit the Digital Shadows Black Hat Booth 1627 and the Onapsis Booth
1601.

Digital Shadows enables organizations to manage digital risk by
identifying and eliminating threats to their business and brand. We
monitor for digital risk across the widest range of data sources within
the open, deep and dark web to deliver relevant threat intelligence,
context and actionable remediation options that enable security teams to
be more effective and efficient. Our clients can focus on growing their
core business knowing that they are protected if their data is exposed,
if employees or third parties put them at risk, or if their brand is
being misused.


Onapsis cybersecurity solutions automate the monitoring and protection
of ERP systems SAP and Oracle, keeping these business-critical
applications compliant and safe from insider and outsider threats. As
the proven market leader, global enterprises trust Onapsis to protect
the essential information and processes that run their businesses.

Experts at the Onapsis Research Labs were the first to lecture on SAP
cyberattacks and have uncovered and helped fix hundreds of security
vulnerabilities to-date
affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile
applications, as well as Oracle JD Edwards and Oracle E-Business Suite
platforms. This patented technology is well known, industry wide, and
has gained Onapsis recognition on the Deloitte Technology Fast-500, as a
Red Herring North America Top 100 company and a SINET 16 Innovator.

Headquartered in Boston, MA, Onapsis serves over 200 customers including
many of the Global 2000. Onapsis's solutions are also the de-facto
standard for leading consulting and audit firms such as Deloitte, IBM,
Infosys and PwC.
