Study warns of rising hacker threats to SAP, Oracle business software

SAP logo at SAP headquarters in Walldorf, Germany, January 24, 2017. (Reuters)
Updated 25 July 2018

  • The study by security firms Digital Shadows and Onapsis highlights the risks posed to thousands of unpatched business systems from software makers Oracle and SAP
  • These can enable hackers to steal corporate secrets, the researchers said

LONDON: At least a dozen companies and government agencies have been targeted and thousands more are exposed to data breaches by hackers exploiting old security flaws in management software, two cybersecurity firms warned in a study published on Wednesday.
The Department of Homeland Security issued an alert citing the study by security firms Digital Shadows and Onapsis that highlights the risks posed to thousands of unpatched business systems from software makers Oracle and SAP.
These can enable hackers to steal corporate secrets, the researchers said.
Systems at two government agencies and at firms in the media, energy and finance sectors were hit after failing to install patches or take other security measures advised by Oracle or SAP, security firms Onapsis and Digital Shadows said in the newly published report. (https://goo.gl/pWbz3Q)
The alarm was raised because firms store highly sensitive data – including financial results, manufacturing secrets and credit card numbers – in the vulnerable products, known as enterprise resource planning (ERP) software and in related applications for managing customers, employees and suppliers.

In an alert entitled “Malicious cyber activity targeting ERP applications,” the Department of Homeland Security’s National Cybersecurity and Communications Integration Center highlighted signs of increasing hacker focus on ERP applications, citing the study.
“An attacker can exploit these vulnerabilities to obtain access to sensitive information,” said NCCIC, an arm of the US Computer Emergency Readiness Team (US-CERT).
Many of these issues date back a decade or more, but the new report shows rapidly rising interest by hacker activists, cyber criminals and government spy agencies in capitalizing on these issues, Onapsis Chief Executive Mariano Nunez told Reuters.
“These attackers are ready to exploit years-old risks that give them full access to SAP and Oracle systems without being detected,” he said. “The urgency level among chief security officers and CEOs should be far higher.”
An SAP spokesman said that, in general, the company takes security issues seriously across its organization.
“Our recommendation to all of our customers is to implement SAP security patches as soon as they are available — typically on the second Tuesday of every month — to protect SAP infrastructure from attacks.”
Oracle was not immediately available to comment.
Both companies release regular patches for known security bugs in their software. However, customers are often reluctant to apply fixes out of fear that doing so might disrupt their manufacturing, sales or finance activities.
Risks also arise from installation mistakes or growing moves to link traditionally back-office business systems to the cloud in order to reach mobile or online users.

SECURITY BY OBSCURITY
The new alert follows a 2016 Homeland Security department warning to some SAP customers after Onapsis uncovered plans by Chinese hackers to exploit out-of-date software used by dozens of companies, Nunez said. (https://reut.rs/2JKJvCI)
In their latest research, Onapsis and online monitoring firm Digital Shadows identified some 17,000 SAP and Oracle software installations exposed to the Internet at more than 3,000 top companies, government agencies and universities.
They did not name the affected organizations, but data seen by Reuters shows many of the world’s best-known firms at risk.
At least 10,000 servers are running incorrectly configured software that could subject them to direct attack using known SAP or Oracle exploits, the report’s authors warned.
More than 4,000 known bugs in SAP and 5,000 in Oracle software pose security threats, especially in older systems that operators may consider uneconomical to fix, they said in Wednesday’s report.
“Publicly disclosed attacks are rare, so the problem remains largely ignored,” Gartner industry analyst Neil MacDonald wrote in a review of corporate security tools last year.
One of the highest profile attacks occurred in 2013 and 2014 when hackers used an SAP vulnerability to break into the US Investigations Service, the largest commercial provider of background checks and security clearances for federal employees.
This year, hackers began exploiting a vulnerability in WebLogic servers which Oracle fixed last October. Their targets included Oracle PeopleSoft ERP systems, which they attacked to make money from mining cryptocurrencies, the report said.
Digital Shadows combed through Google searches, social media chatter and the dark web where they found discussions in Chinese and Russian hacker forums regarding how to use specific SAP and Oracle vulnerabilities.
They also discovered some hackers were eavesdropping on discussion boards where third-party technology contractors share work tips, including default passwords that hackers can use to access some systems.
Hacker interest in how to exploit SAP and Oracle vulnerabilities spiked two years ago and jumped another 160 percent last year across Twitter, according to the study.


SABIC prepares to meet investors to offer bond

Updated 25 September 2018

  • The Kingdom’s petrochemical giant will be meeting investors in London, New York, Los Angeles and Boston from Sept. 25
  • SABIC has also confirmed the appointment of BNP Paribas and Citigroup as global coordinators on the sale

LONDON: Saudi Basic Industries Corp. (SABIC) is preparing to offer its dollar-denominated unsecured bond to the global market with investor meetings due to start this week.
The Kingdom’s petrochemical giant will be meeting investors in London, New York, Los Angeles and Boston from Sept. 25, according to a filing on the Saudi stock exchange on Tuesday.
The Saudi company is likely to be keen to tap into the heightened international interest in the Kingdom’s financial markets following the lifting of some restrictions on foreign investors’ activities at the start of the year.
SABIC has also confirmed the appointment of BNP Paribas and Citigroup as global coordinators on the sale, alongside HSBC Bank, Mitsubishi UFJ Securities EMEA and Standard Chartered Bank acting as joint lead managers, in its Tadawul note.
The proposed issuance has been well-received so far by analysts with ratings agency Moody’s Investor Service assigning an ‘A1’ rating to the proposed senior unsecured notes to be issued by the financial vehicle, referred to as SABIC Capital II, and guaranteed by SABIC itself.
“SABIC’s A1 rating reflects its strong business position in the chemical sector and its ability to weather industry volatility, particularly given its healthy operational cash flows and conservative liquidity profile,” said Rehan Akbar, a senior analyst at Moody’s, in a note on Monday.

 

The bond is anticipated to be used in part to refinance an existing SR11.3 billion ($3 billion) one-year bridge loan raised in January this year to fund the company’s 24.99 percent stake in the Swiss chemical company Clariant, according to the Moody’s note. All regulatory requirements were completed on this acquisition earlier this month.
Cash proceeds from the bond may also be used to repay a $1 billion bond due on Oct. 3, according to Moody’s.
On Tuesday SABIC confirmed that the bond will be used mainly to refinance “outstanding financial obligations” of the company and its subsidiaries.
Analysts at rating agency S&P Global were also upbeat about SABIC’s outlook, with research published on Monday stating that the company has “strong profitability” via its KSA operations and a “strong” liquidity position.
“The debt issuance is helpful for the credit profile in the sense that it extends the company’s debt maturity profile and strengthens its liquidity position,” said Tommy Trask, corporate and infrastructure credit analyst at S&P Global.
The agency currently assigns the petrochemical firm an ‘A Minus’ rating, with a “stable outlook,” which it said reflects its “view on the sovereign as well as its expectations that SABIC will maintain high profitability under current benign industry conditions.”
S&P Global’s report said margins in the global chemical industry will “largely stabilize in 2018 following several years of improvement, attributable to the increase in commodity chemical capacity.”
However, it also warned that a key risk to credit quality is the trend for mergers and acquisitions within the sector and the “potential negative impact on credit metrics from funding them with debt.”

FACTOID

SABIC operates in more than 50 countries across the world.