Cyberattacks on business-critical ERP applications are becoming more common and more complex, prompting new laws to protect organizations and consumers and putting security at the forefront of decision making. As we head into 2023, Onapsis executives share their predictions on the rapid growth of ERP application security and offer some thoughts on how to deal with it.
Mariano Nunez, CEO of Onapsis
Protecting ERP and business applications will be the fastest-growing application security category
ERP systems, such as SAP and Oracle applications, run essential business functions and contain an organization’s most valuable data, from HR information to company financials. Despite their importance, security teams often lack complete visibility into their ERP threat landscape and are unable to detect hidden vulnerabilities and suspicious activity. This has become increasingly dangerous, as attacks against business-critical applications are quickly accelerating. SAP and Onapsis recently found evidence of more than 300 successful exploitation attempts against unsecured SAP applications, pointing to cybercriminals’ clear understanding of ERP applications.
In the coming year, enterprises will ramp up the deployment of business-critical application security tools as the number of attacks against these systems continues to grow exponentially. With the general application security market expected to reach $22.54 billion by 2028, up from $6.95 billion in 2021, it’s evident that organizations are already recognizing the increasing need to protect their enterprise crown jewels.
The utilities sector will become increasingly prone to attack
Previous cyberattacks against critical infrastructure have shown the far-reaching, real-world impact they can cause, from Colonial Pipeline to the recent U.K. water treatment plant ransomware attack. While there have been significant steps forward to protect utilities organizations from attacks, such as the Environmental Protection Agency's plan to secure water systems and several reporting requirements enforced in 2022, critical cybersecurity gaps remain in the sector.
In 2023, attacks against utilities will accelerate and organizations that aren’t prepared may face far more destruction than the Colonial Pipeline attack aftermath. This will put more pressure on the government to increase funding toward smaller utilities companies that may not have the resources to defend themselves, as well as push these organizations to develop more robust cybersecurity programs.
Sadik Al-Abdulla, CPO of Onapsis
Attackers will seek out the next Log4j vulnerability and will likely become successful
The impact of the Log4j flaw has been widespread and far-reaching, with countless organizations still reeling from its massive ripple effect. Log4j has underscored the level of difficulty in patching vulnerabilities within commonly used libraries, as almost every vendor within the software supply chain has been responsible for fixing it. Attackers have become well aware of this and have continued taking advantage of unpatched Log4j vulnerabilities. Recently, we saw North Korean nation-state threat actors exploiting Log4Shell to hack energy providers and conduct espionage campaigns.
In 2023, we'll not only continue to see the breadth of Log4j's exposure increase, but we'll also see threat actors focusing more on exploiting open-source libraries. To mitigate the impact of a vulnerability as critical as Log4Shell, organizations must adopt a risk-based vulnerability management program that can help them prioritize patching the vulnerabilities that are most at risk.
During a time of economic downturn, organizations will go back to security basics
Given the current period of economic uncertainty, organizations will continue cutting their budgets and putting their dollars into resources that are most critical to their business. While strengthening their cybersecurity programs will be a priority in the coming year, organizations will begin rethinking the types of tools they are investing in. In 2023, we’ll see organizations lean more toward fundamental security technologies to protect their business assets. For instance, business-critical application security tools, such as vulnerability management platforms specifically designed for enterprise resource planning (ERP) applications, will help defend valuable data that enables an organization to successfully operate.
JP Perez-Etchegoyen, CTO of Onapsis
The exploitation of known vulnerabilities will become a leading attack vector
While threat actors are constantly on the hunt for new attack vectors, they tend to pay particularly close attention to known vulnerabilities, which provide them with an easy entry point into an enterprise’s network. Research by the Onapsis Research Labs, SAP, and CISA shows that it takes the average organization 97 days to apply a patch, from the time a flaw is identified to the time a patch has been applied, tested, and deployed. At the same time, it takes less than 72 hours for cybercriminals to exploit ERP vulnerabilities after a patch is released.
Next year, we will continue seeing an increase in exploits against known vulnerabilities, especially those within web-facing applications, as those tend to be very lucrative assets for cybercriminals. Organizations must prepare by equipping themselves with automated vulnerability management tools that can provide them with complete visibility over their IT ecosystem and help them understand each vulnerability’s level of criticality.
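The risk-based prioritization described in the Log4j section above and again here (patch-release date as the clock, internet-facing assets first, exploited-in-the-wild bugs ahead of merely high-CVSS ones) can be made concrete with a small scorer over an asset inventory. The following is an added example, not Onapsis, SAP or CISA code: the weights, tiers and SLAs are assumptions, the 72-hour exploitation window is taken from the text, and the inventory rows, identifiers and dates are constructed for the demonstration.

```python
"""Risk-based patch prioritization over a constructed vulnerability inventory.

Added example; not vendor code. Weights, tiers and SLAs are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# From the text: ERP patches are weaponized in under 72 hours, so the
# patch-release date, not the discovery date, is the clock that matters.
EXPLOIT_WINDOW = timedelta(hours=72)

# Assumed remediation SLAs per priority tier.
SLA = {"P1": timedelta(hours=72), "P2": timedelta(days=7), "P3": timedelta(days=30)}


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # hypothetical identifier, not a real CVE or SAP Note
    asset: str
    cvss: float
    internet_facing: bool
    exploited_in_wild: bool
    patch_released: datetime
    patched: bool = False


def tier(f: Finding) -> str:
    """Priority tier from exposure and exploit status, not from CVSS alone."""
    if f.exploited_in_wild and f.internet_facing:
        return "P1"
    if f.exploited_in_wild or (f.internet_facing and f.cvss >= 7.0):
        return "P2"
    return "P3"


def risk_score(f: Finding, now: datetime) -> float:
    """CVSS scaled by exposure, exploit status and how long the fix has been public."""
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.exploited_in_wild:
        score *= 2.0
    # Each day the patch has been public beyond the 72h window adds risk, capped at +3.
    overdue = now - f.patch_released - EXPLOIT_WINDOW
    if overdue > timedelta(0):
        score += min(overdue.days * 0.1, 3.0)
    return round(score, 2)


def prioritize(findings: List[Finding], now: datetime) -> List[dict]:
    """Unpatched findings ordered by risk, each flagged if its tier SLA is breached."""
    rows = []
    for f in findings:
        if f.patched:
            continue
        t = tier(f)
        age = now - f.patch_released
        rows.append({
            "vuln_id": f.vuln_id,
            "asset": f.asset,
            "tier": t,
            "score": risk_score(f, now),
            "days_since_patch": age.days,
            "sla_breached": age > SLA[t],
        })
    # Highest score first; tier breaks ties so P1 never sorts below P2.
    rows.sort(key=lambda r: (-r["score"], r["tier"]))
    return rows


# Constructed inventory: hypothetical ids, hosts and dates for the demo.
NOW = datetime(2023, 1, 10, tzinfo=timezone.utc)
INVENTORY = [
    Finding("VULN-A", "sap-portal-prod", 9.8, True, True,
            datetime(2022, 12, 13, tzinfo=timezone.utc)),
    Finding("VULN-B", "erp-app-server-03", 9.9, False, False,
            datetime(2023, 1, 9, tzinfo=timezone.utc)),
    Finding("VULN-C", "oracle-ebs-web", 7.5, True, False,
            datetime(2022, 11, 1, tzinfo=timezone.utc)),
    Finding("VULN-D", "hr-test-box", 5.3, False, False,
            datetime(2022, 10, 1, tzinfo=timezone.utc), patched=True),
]

if __name__ == "__main__":
    for row in prioritize(INVENTORY, NOW):
        print(row)
```

Note that VULN-B, the highest CVSS in the inventory, ranks last: it sits on an internal host with no known exploitation and its patch is one day old. The internet-facing, exploited VULN-A ranks first and is already past its 72-hour SLA, which is the ordering a pure CVSS sort would get wrong.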
Threat actors will shift away from ransomware and opt for more discreet methods to monetize
Ransomware has historically been the primary monetization method for threat actors. However, research has revealed a decrease in both ransomware attacks and ransomware payments this past year, suggesting that cybercriminals are evolving their strategies. Rather than blatantly threatening organizations, threat actors will begin leveraging more discreet techniques to make a profit. Threat groups like Elephant Beetle have proven that cybercriminals can enter business-critical applications and remain undetected for months, even years, while silently siphoning off tens of millions of dollars.
While ransomware will still be a prominent cyber threat in the coming year, we will see more malicious groups directly targeting ERP applications. Organizations must develop cybersecurity protocols specifically around their business applications to ensure their most critical resources and valuable data are secure.