Security firms Onapsis and Digital Shadows said in their report that they identified security threats to SAP and Oracle business management software.
Hackers are exploiting old security flaws in business management software supplied by US-based Oracle and Germany-based SAP. The issue affects at least a dozen companies and government agencies, and thousands more organizations are exposed to data breaches, Reuters reported.
The U.S. Department of Homeland Security is preparing to issue an alert on Wednesday based on the report, which describes the risks posed by thousands of unpatched business systems from software makers Oracle and SAP; these weaknesses can enable hackers to steal corporate secrets, the researchers said.
Systems at two government agencies and at firms in the media, energy and finance sectors have been hit after failing to install patches or take other security measures advised by Oracle or SAP.
The security alert from Homeland Security’s Computer Emergency Readiness Team (US-CERT) includes steps that organizations can take to identify vulnerable systems and close long-standing security gaps.
The threat is alarming because businesses store highly sensitive data – including financial results, manufacturing secrets and credit card numbers – in the vulnerable products, known as enterprise resource planning (ERP) software and in related applications for managing customers, employees and suppliers.
Many of these issues date back a decade or more, but the study shows rising interest by hacker activists, cyber criminals and government spy agencies in capitalizing on these issues, Onapsis CEO Mariano Nunez said.
“These attackers are ready to exploit years-old risks that give them full access to SAP and Oracle systems without being detected,” he said. “The urgency level among chief security officers and CEOs should be far higher.”
The new alert would expand on a 2016 Department of Homeland Security warning to SAP customers, issued after Onapsis uncovered plans by Chinese hackers to exploit out-of-date software used by dozens of companies, Nunez said.
Organizations sometimes delay security fixes to ERP software for months or even years out of concern that doing so could disrupt the critical functions the programs support, including manufacturing, sales and finance, Nunez said.
Onapsis, together with web monitoring firm Digital Shadows, identified some 17,000 SAP and Oracle software installations exposed to the internet at more than 3,000 top companies, government agencies and universities.
At least 10,000 servers are running incorrectly configured software that could subject them to direct attack using known SAP or Oracle exploits.
More than 4,000 bugs in SAP and 5,000 in Oracle software pose security threats, especially in older systems that operators may consider uneconomical to fix, according to the report from Onapsis and Digital Shadows.
Digital Shadows combed through Google searches, social media chatter and the dark web, where it found discussions on Chinese and Russian hacker forums about how to use specific SAP and Oracle vulnerabilities.