The U.S. Department of Homeland Security Wednesday issued a warning to enterprises that hackers are actively targeting enterprise resource planning systems designed by Oracle Corp. and SAP SE.

The risk of attacks were highlighted in an alert published by the U.S. Computer Emergency Readiness Team based on a report by Digital Shadows Ltd. and Onapsis Inc. The alert said attackers are attempting to exploit vulnerabilities in ERP systems to steal confidential data.

“ERP applications help organizations manage critical business processes — such as product lifecycle management, customer relationship management and supply chain management,” US-CERT said, meaning that they store critical and confidential information at the heart of many businesses.

The report referred to details of a recent spike in interest from nation-state hackers, criminal groups and hacktivists in targeting ERP systems with a suggestion that there’s a lot more to come.

Joseph Carson, chief security scientist at Thycotic Software Ltd., told SiliconANGLE that the findings in the report aren’t in the least surprising.

“Anyone who analyzes enterprise-critical software will surely discover that cybercriminals are targeting them and that they will find vulnerabilities or existing, ongoing cyber campaigns,” Carson said. “Cybercriminals target applications that expose the internal workings of a company to specifically attack critical systems or steal sensitive data. Access to such ERP systems typically means security has been weak in other parts of the business, for example, securing systems and privileged access to critical business applications.”

Joseph Kucic, chief security officer at Cavirin Systems Inc., explained that the increase reflects hackers becoming “more sophisticated and focusing on higher value targets.” In addition, he said, “legacy ERP providers mentioned in the report are great targets as they originally started as internal-only applications, then later on acquired additional bolt-on components.”

As a result, ERP application security controls weren’t focused on external vulnerabilities. “Since these firms are growing by bolt-on acquisition strategic components — for example, SAP’s acquisition of Concur — there are extensive publicly exposed elements and those vendors lacked the focus on application security and vulnerability controls that cloud-born companies such as Salesforce, ServiceNow and Workday have had in place since Day One,” he said.

But he also expects those cloud-native companies will experience their own challenges as they make acquisitions such as Salesforce.com Inc.’s recent purchase of MuleSoft Inc.

Photo: Kalleboo/Wikimedia Commons