
TokenChpoken attack on Oracle PeopleSoft affecting nearly half of large enterprises and government organizations

Palo Alto, CA – June 29, 2015 The ERPScan Research department, which specializes in SAP and Oracle application security, has published the results of its recent research on public-facing Oracle PeopleSoft applications and their vulnerabilities. These applications are typically used by Fortune 500 companies and government organizations. Almost 50% of companies using the Oracle PeopleSoft HRMS system are vulnerable. More than 200 of them can be attacked via the internet. Among those companies are 18 from the Fortune 500 and 25 included in the Forbes 2000 list of the World’s Biggest Public Companies.


Can PeopleSoft be the target of cyber-attack against OPM?

We see many speculations about the OPM breach and different guesses about how the attackers were able to get access to the corporate network. You may be surprised if we say that it almost doesn’t matter. What will change if we find out that the attack started with an SQL injection, malware sent by email, or any other vulnerability? Almost nothing. There are millions of ways for attackers to gain access to a corporate network, and it is nearly impossible to prevent them all.

What’s really important is how we secure our most critical assets. Attackers are looking for data, and data is stored in various enterprise business applications. As for the OPM breach, the target was most likely an HR system. We don’t know which platform is implemented at OPM, but taking into account the information about other departments, it is either PeopleSoft or in-house developed software. There was news about critical vulnerabilities in PeopleSoft recently. Also, at least 5 proven attacks against PeopleSoft systems have been covered in the media since 2010.

As mentioned before, PeopleSoft is not the only system that OPM might use; it may be SAP or any other. Moreover, an attacker can obtain the data not from the system itself but, for example, from a backup. So OPM’s HR system may not have been the direct target of the attack. Again, it doesn’t matter. What we really should care about is that enterprise business applications (such as HR, ERP, CRM, SRM, and others), which store and process business-critical data, are the most important parts of a company’s infrastructure and, surprisingly, the weakest ones.

Every month SAP and Oracle, the largest business application vendors, release 30-50 patches for their software. It is difficult for system administrators to keep their systems secure by implementing each and every patch, as patching interrupts business processes. Moreover, ERP systems are highly customized and complex. And, as we know, complexity kills security.
