Press Release

New Report Reveals Evidence That ERP Applications are Under Attack by Cybercriminals, Hacktivists and Nation-state Actors

Boston, London and San Francisco – July 25, 2018 – New research from leading digital risk management firm Digital Shadows and ERP cybersecurity and compliance firm Onapsis reveals evidence that the business-critical applications running the biggest organizations in the world are under attack. The report shows a dramatic rise in cyberattacks on widely-used enterprise resource planning (ERP) applications such as SAP and Oracle — which currently have a combined 9,000 known security vulnerabilities.

The report also highlights an increase in attacks on these systems by nation-state actors, cybercriminals and hacktivists that include both hacking and distributed denial of service (DDoS) attempts to compromise and disrupt the operations of these high-value assets. This convergence of threats puts thousands of organizations and their crown jewels directly at risk of espionage, sabotage and financial fraud.

This research is considered so critical that the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) issued an alert today warning of the risk of these ERP application attacks. Attacks of this nature were first warned about in May 2016 when the US-CERT issued an alert advising of a significant threat that included the exploitation of 36 global organizations through the abuse of a then five-year-old vulnerability in SAP applications.

These warnings have been proven to be prescient with the new research revealing: 

– Cybercriminal organizations are exploiting ERP applications, leveraging known vulnerabilities and targeting high-value assets such as SAP HANA

  • A 100 percent increase in the number of publicly-available exploits for SAP and Oracle ERP applications over the last three years
  • A 160 percent increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017

– Well-known hacktivists and cyber criminal groups are expanding their tactics, techniques and procedures (TTPs) to now specifically target ERP applications

  • Hacktivist groups, such as those affiliated with the Anonymous collective, have expanded their operations to include penetrating and disrupting mission-critical ERP platforms, having targeted these platforms in over nine operations since 2013
  • Well-known malware kits such as Dridex are being evolved to steal user credentials and data from behind-the-firewall ERP applications
  • Nation-state affiliated actors have been attributed for the compromise of ERP applications in order to access highly-sensitive information and/or disrupt critical business processes

– Third parties and employees are exposing information that can provide highly valuable to sophisticated actors. The research discovered 545 SAP configuration files publicly exposed on misconfigured FTP and SMB. These provide valuable information for attackers to locate sensitive files on organizations’ networks, greatly reducing effort once they gain access to an organization’s network

Furthermore, cloud, mobile and digital transformations are rapidly expanding the ERP attack surface. More than 17,000 SAP and Oracle ERP applications were found to be exposed on the internet, many running vulnerable versions and unprotected components, and threat actors are actively sharing information to take advantage of this opportunity.    
The vast majority of large organizations have implemented ERP applications from vendors such as SAP and Oracle, relying on products like SAP Business Suite, SAP S/4HANA and Oracle E-Business Suite/Financials. They rely on these applications to support business processes such as payroll, treasury, inventory management, manufacturing, financial planning, sales, logistics, billing and hosting data such as financial results, manufacturing formulas, pricing, critical intellectual property, credit cards and personally identifiable information (PII) from employees, customers and suppliers, among other sensitive information.

Prior to this report, the ERP cybersecurity problem had remained largely ignored due to the lack of publicly-disclosed breaches and information about the threat actors in what was considered by many information security teams to be a complex and obscure domain.

“Threat actors are continually evolving their tactics and targets to profit at the expense of organizations. On the one hand, with the type of data that ERP platforms hold, this isn’t shocking. However, we were surprised to find just how real and severe the problem is,” said Rick Holland, CISO and VP of Strategy at Digital Shadows.

“This collaboration with Digital Shadows provides a breadth and depth of threat intelligence that is unprecedented,” said Juan Pablo Perez-Etchegoyen, CTO at Onapsis. “By showing how these applications are being actively targeted by a variety of threat actors across different geographies and industries, we hope to overcome the misconceptions in the industry and help CIOs, CISOs and their organizations head off and manage the risk of wide-scale attacks on ERP applications, which could have a devastating impact, as well as macroeconomic implications.”

Download the report now for details of the research and the key actions organizations need to take. Contact us to request a live demo of the anatomy of an ERP cybersecurity breach at Black Hat USA.

To find out more about the threats associated with ERP applications, visit the Digital Shadows Black Hat Booth 1627 and the Onapsis Booth 1601


Digital Shadows enables organizations to manage digital risk by identifying and eliminating threats to their business and brand. We monitor for digital risk across the widest range of data sources within the open, deep and dark web to deliver relevant threat intelligence, context and actionable remediation options that enable security teams to be more effective and efficient. Our clients can focus on growing their core business knowing that they are protected if their data is exposed, if employees or third parties put them at risk, or if their brand is being misused. To learn more, visit


Onapsis cybersecurity solutions automate the monitoring and protection of ERP systems SAP and Oracle, keeping these business-critical applications compliant and safe from insider and outsider threats. As the proven market leader, global enterprises trust Onapsis to protect the essential information and processes that run their businesses.

Experts at the Onapsis Research Labs were the first to lecture on SAP cyberattacks and have uncovered and helped fix hundreds of security vulnerabilities to-date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms. This patented technology is well known, industry wide, and has gained Onapsis recognition on the Deloitte Technology Fast-500, as a Red Herring North America Top 100 company and a SINET 16 Innovator.

Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis’s solutions are also the de-facto standard for leading consulting and audit firms such as Deloitte, IBM, Infosys and PwC.

For more information, please visit, or connect with us on Twitter, Google+, or LinkedIn.