
Study warns of rising hacker threats to SAP, Oracle business software

07/25/2018 | 10:52am EDT
The sign outside Oracle's offices in Broomfield

LONDON (Reuters) - At least a dozen companies and government agencies have been targeted and thousands more are exposed to data breaches by hackers exploiting old security flaws in management software, two cyber security firms said in a study published on Wednesday.

The Department of Homeland Security issued an alert citing the study by security firms Digital Shadows and Onapsis that highlights the risks posed to thousands of unpatched business systems from software makers Oracle and SAP.

These can enable hackers to steal corporate secrets, the researchers said.

Systems at two government agencies and at firms in the media, energy and finance sectors were hit after failing to install patches or take other security measures advised by Oracle or SAP, security firms Onapsis and Digital Shadows said in the newly published report. (https://goo.gl/pWbz3Q)

The alarm was raised because firms store highly sensitive data – including financial results, manufacturing secrets and credit card numbers – in the vulnerable products, known as enterprise resource planning (ERP) software and in related applications for managing customers, employees and suppliers.

In an alert entitled "Malicious cyber activity targeting ERP applications", Homeland Security's National Cybersecurity and Communications Integration Center highlighted signs of increasing hacker focus on ERP applications, citing the study.

"An attacker can exploit these vulnerabilities to obtain access to sensitive information," said NCCIC, an arm of the U.S. Computer Emergency Readiness Team (US-CERT).

Many of these issues date back a decade or more, but the new report shows rapidly rising interest by hacker activists, cyber criminals and government spy agencies in capitalizing on these issues, Onapsis Chief Executive Mariano Nunez told Reuters.

"These attackers are ready to exploit years-old risks that give them full access to SAP and Oracle systems without being detected," he said. "The urgency level among chief security officers and CEOs should be far higher."

An SAP spokesman said that, in general, the company takes security issues seriously across its organization.

"Our recommendation to all of our customers is to implement SAP security patches as soon as they are available - typically on the second Tuesday of every month - to protect SAP infrastructure from attacks."

Oracle was not immediately available to comment.

Both companies release regular patches for known security bugs in their software. However, customers are often reluctant to apply fixes for fear that doing so might disrupt their manufacturing, sales or finance activities.

Risks also arise from installation mistakes or growing moves to link traditionally back-office business systems to the cloud in order to reach mobile or online users.


The new alert follows a 2016 Homeland Security department warning to some SAP customers after Onapsis uncovered plans by Chinese hackers to exploit out-of-date software used by dozens of companies, Nunez said. (https://reut.rs/2JKJvCI)

In their latest research, Onapsis and online monitoring firm Digital Shadows identified some 17,000 SAP and Oracle software installations exposed to the internet at more than 3,000 top companies, government agencies and universities.

They did not name the affected organizations, but data seen by Reuters shows many of the world's best-known firms at risk.

At least 10,000 servers are running incorrectly configured software that could subject them to direct attack using known SAP or Oracle exploits, the report's authors warned.

More than 4,000 known bugs in SAP and 5,000 in Oracle software pose security threats, especially in older systems that operators may consider uneconomical to fix, they said in Wednesday's report.

"Publicly disclosed attacks are rare, so the problem remains largely ignored," Gartner industry analyst Neil MacDonald wrote in a review of corporate security tools last year.

One of the highest profile attacks occurred in 2013 and 2014 when hackers used an SAP vulnerability to break into the U.S. Investigations Service, the largest commercial provider of background checks and security clearances for federal employees.

This year, hackers began exploiting a vulnerability in WebLogic servers which Oracle fixed last October. Their targets included Oracle PeopleSoft ERP systems, which they attacked to make money from mining cryptocurrencies, the report said.

Digital Shadows combed through Google searches, social media chatter and the dark web where they found discussions in Chinese and Russian hacker forums regarding how to use specific SAP and Oracle vulnerabilities.

They also discovered some hackers were eavesdropping on discussion boards where third-party technology contractors share work tips, including default passwords that hackers can use to access some systems.

Hacker interest in how to exploit SAP and Oracle vulnerabilities spiked two years ago and jumped another 160 percent last year across Twitter, according to the study.

(This version of the story corrects name of security firm to "Digital Shadows" from "Digital Sky" in second paragraph)

(Reporting by Eric Auchard; editing by Jim Finkle, Jason Neely and Kirsten Donovan)

By Eric Auchard

© Reuters 2018