Companies With Unpatched SAP, Oracle Software At Risk

More than a dozen government agencies and companies have been targeted by hackers who are using an old security hole in SAP and Oracle management software, while thousands more businesses and the government are at risk.

Reuters, citing a new report from Onapsis and Digital Shadows, the two security firms, reported that the Department of Homeland Security issued an alert pointing to the study that showcases the risks to thousands of systems that are using unpatched Oracle and SAP software. The researchers, reported Reuters, said the lack of patches makes the companies and government agencies vulnerable to hackers. Onapsis and Digital Shadow said two government agencies, media companies, energy firms and financial companies were hit because they didn’t install the patches or take other security steps that SAP and Oracle advised, noted Reuters.

The Department of Homeland Security was prompted to issue the alert because a lot of companies keep sensitive data — including financial results, credit card information and company secrets — in this enterprise resource planning software. Reuters noted that in an email, Homeland Security’s National Cybersecurity and Communications Integration Center highlighted the risk from hackers targeting enterprise resource planning applications. “An attacker can exploit these vulnerabilities to obtain access to sensitive information,” said NCCIC, an arm of the U.S. Computer Emergency Readiness Team (US-CERT), according to Reuters.

Meanwhile, Mariano Nunez, Onapsis chief executive, told Reuters that the hackers are exploiting a security vulnerability that is a decade or more old. “These attackers are ready to exploit years-old risks that give them full access to SAP and Oracle systems without being detected,” Nunez said in the report. “The urgency level among chief security officers and CEOs should be far higher.” Nunez noted that in 2016 the Homeland Security department issued a warning to some SAP customers after Onapsis found Chinese hackers were planning to exploit old software that companies still use. Onapsis and Digital Shadow, in the current study, found around 17,000 SAP and Oracle software installations that were exposed — covering 3,000 companies, government agencies and universities. The firm did not name the companies, but Reuters reported some of them at risk are among the most well known across the globe. The researchers also found that more than 4,000 bugs in SAP and 5,000 in Oracle software could put companies at risk, particularly ones that have older systems.