At least a dozen companies and government agencies have been targeted and thousands more are exposed to data breaches by hackers exploiting old security flaws in management software, two cybersecurity firms said in a study published on Wednesday.

The Department of Homeland Security issued an alert citing the study by security firms Digital Shadows and Onapsis that highlights the risks posed to thousands of unpatched business systems from software makers Oracle and SAP.

These can enable hackers to steal corporate secrets, the researchers said.

Systems at two government agencies and at firms in the media, energy and finance sectors were hit after failing to install patches or take other security measures advised by Oracle or SAP, security firms Onapsis and Digital Shadows said in the newly published report.

The alarm was raised because firms store highly sensitive data – including financial results, manufacturing secrets and credit card numbers – in the vulnerable products, known as enterprise resource planning (ERP) software and in related applications for managing customers, employees and suppliers.

In an alert entitled “Malicious cyber activity targeting ERP applications”, the Homeland Security’s National Cybersecurity and Communications Integration Center highlighted signs of increasing hacker focus on ERP applications, citing the study.

“An attacker can exploit these vulnerabilities to obtain access to sensitive information,” said NCCIC, an arm of the US Computer Emergency Readiness Team (US-CERT).

Many of these issues date back a decade or more, but the new report shows rapidly rising interest by hacker activists, cybercriminals and government spy agencies in capitalising on these issues, Onapsis Chief Executive Mariano Nunez told Reuters.

“These attackers are ready to exploit years-old risks that give them full access to SAP and Oracle systems without being detected,” he said. “The urgency level among chief security officers and CEOs should be far higher.”

An SAP spokesman said that, in general, the company takes security issues seriously across its organisation.

“Our recommendation to all of our customers is to implement SAP security patches as soon as they are available - typically on the second Tuesday of every month - to protect SAP infrastructure from attacks.

Oracle was not immediately available to comment.

Both companies release regular patches to known security bugs in their software. However, customers are often reluctant to make fixes out of fear doing so might disrupt their manufacturing, sales or finance activities.

Risks also arise from installation mistakes or growing moves to link traditionally back-office business systems to the cloud in order to reach mobile or online users.

The new alert follows a 2016 Homeland Security department warning to some SAP customers after Onapsis uncovered plans by Chinese hackers to exploit out-of-date software used by dozens of companies, Nunez said.

In their latest research, Onapsis and online monitoring firm Digital Shadows identified some 17,000 SAP and Oracle software installations exposed to the internet at more than 3,000 top companies, government agencies and universities.

(Source)