In a new alert issued by the United States Department of Homeland Security (DHS), the agency is warning that corporate applications are being targeted by hackers using the darknet. The DHS issued the alert based on information it had received in a report from the cybersecurity and digital risk management firms Digital Shadows and Onapsis. Their report claims that Enterprise Resource Planning applications are being targeted by criminals on the darknet. Enterprise Resource Planning applications typically contain a company’s most confidential and private information.
The new cybersecurity alert was issued by a division of the DHS known as the United States Computer Emergency Readiness Team, or US-CERT, which itself is under the DHS National Protection and Programs Directorate (NPPD). US-CERT is also a branch of the National Cybersecurity and Communications Integration Center and the Office of Cybersecurity and Communications (CS&C). The National Cybersecurity and Communications Integration Center is the DHS cyber defense and cyber incident response branch.
The DHS had previously issued an alert in May of 2016 that 36 international organizations had been the target of hackers. In the new report from Digital Shadows and Onapsis, researchers said that they believe that the May 2016 alert from the DHS was “only the tip of the iceberg,” and that attacks from hackers have “evolved” and “expanded.” Through their partnership, experts at the digital risk management firms Digital Shadows and Onapsis obtained research and threat intelligence from the darknet, as well as other sources. Experts from Onapsis also obtained data for the report from incident responses and forensic investigations of attacks on Enterprise Resource Planning applications.
The attacks on Enterprise Resource Planning applications are often the work of cybercriminals, hacktivists, and nation-state actors. In their report, the experts from Digital Shadows and Onapsis claim that, over the last three years, there has been a very significant increase in interest among hackers on darknet cybercrime forums in exploits that affect SAP applications, such as SAP HANA, as well as exploits that affect Oracle’s Enterprise Resource Planning applications. Much of this discussion of exploits that affect Enterprise Resource Planning applications was found to be occurring on Russian-language cybercrime forums on the darknet. The researchers from Digital Shadows and Onapsis also claim in their new report to have observed a 100% increase over the last three years in the number of public exploits affecting SAP and Oracle Enterprise Resource Planning applications. The researchers also say they have observed a 160% increase between 2016 and last year in activity related to, and interest in, exploits that affect Enterprise Resource Planning applications.
The researchers at Digital Shadows and Onapsis identified over 17,000 SAP and Oracle Enterprise Resource Planning applications that were directly connected to the internet. Many of the over 17,000 organizations running these Enterprise Resource Planning applications are located in the United States, the United Kingdom, and Germany. A large portion of these Enterprise Resource Planning applications are being operated by governments and large corporations. Many of the applications that are online are old, vulnerable versions and are unprotected. Hackers have been discussing the targeting of these applications through forums on the darknet.
Some of these exploits for Enterprise Resource Planning applications have been sold on darknet markets, or traded on forums on the darknet. The researchers observed that on one clearnet forum, called 0day.today, there were about 50 exploits that affected SAP applications, and about 30 exploits that affected Oracle’s Enterprise Resource Planning applications. The researchers found an early sign of interest in taking advantage of vulnerabilities in these types of corporate applications in a forum post made by a user on Exploit.in back in 2013. The researchers looked at how interest grew in these types of exploits over time. “We analyzed the last five years. There has been a consistent number of campaigns through all five years and we have seen examples as early as April this year as well,” Juan Perez-Etchegoyen, the Chief Technology Officer (CTO) of Onapsis, told Fox News.