Did you know that Sikich is one of only 14 companies in the US certified by the Payment Card Industry Security Standards Council (PCI SSC) to perform PCI forensic investigations of breaches involving payment card data? As a PCI Forensic Investigator (PFI), Sikich is certified to go in after a card data breach and figure out how the attackers got in, what they took, and so on. Suffice it to say, we’ve seen a lot of breaches, whether related to credit card data or not, and learned quite a bit about how they happen. With cyberattacks running rampant, we thought it worthwhile to provide some insight into the types of attacks we’re seeing that relate to Enterprise Resource Planning (ERP) systems.
Cyber extortion, most often in the form of ransomware, has become an increasingly common cyberattack against businesses of all sizes. Attackers go about it in a variety of ways, but the result is the same: an employee discovers that the files on the fileshare, the databases, and the applications on the application server have been encrypted, along with a message saying, “Hey, if you want access to these files, you gotta pay us $X BTC.” The message usually demands payment in Bitcoin and provides instructions for paying the ransom.
If this happens, you are left with some tough decisions:
- Do you shut down your IT network for an indefinite period of time to rebuild every workstation and server from backups (assuming you have backups, and that the attacker did not encrypt or delete them too)?
- Do you try to locate the attacker on the network and evict them by cleaning up one machine at a time?
- Do you pay the ransom and hope the attacker is willing and able to give you back access to the files?
While some attackers may encrypt everything they can, others perform reconnaissance in the network and carefully choose which files to encrypt and hold for ransom. If you’re running an ERP system, odds are that they’ll figure out pretty quickly that the ERP system is critical to your business. They may also check the state of your backups. If they notice that your backups are out of date, they’ll feel pretty confident that you’ll pay the ransom.
IP/Data Theft
Another cyberattack that greatly affects ERP users is simple theft. Employees might steal data and designs, quit, and then go to a competitor. Or a competitor might break in and access product designs, bids, costs, and the like, either to underbid your company or to outright take your designs for their own.
Another popular trend involves foreign competitors or even foreign business partners taking advantage of their connections to your network to steal information. Plenty of news stories have cropped up about China stealing trade secrets from US businesses to manufacture the same products in China.
It’s not uncommon for an attacker to redirect your organization’s payments to their own offshore account. If the attacker can find your payment processes, whether for paying employees or paying vendors, they’ll study exactly how you make payments. They’ll look for wire transfers and ACH transactions and for how your ERP system creates those payment files. Once they have the information they need, they’ll work to redirect those payments to themselves.
Or, if the ERP system stores bank account numbers for those payments, the attacker might simply change a bank account number to their own. Attacker accounts are usually overseas, which makes recovering any of the stolen money much harder.
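One practical check for the bank-account-swap scenario above is to reconcile the ERP’s vendor-master change log against the payment run before money goes out. The example below is added here as an illustration and is not Sikich’s tooling or any particular ERP vendor’s code; the record layouts, the IBAN-style account numbers and the change/payment data are all constructed. It flags a bank-account change when the account moved to a different country, or when the first payment to the new account follows the change within a short window (both are common signs of a payment-redirection attack).

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BankChange:
    """One row from a (hypothetical) vendor-master audit trail."""
    vendor_id: str
    changed_on: date
    changed_by: str
    old_account: str   # IBAN-style: first two characters are the country code
    new_account: str


@dataclass(frozen=True)
class Payment:
    """One disbursement from a (hypothetical) payment run."""
    vendor_id: str
    paid_on: date
    amount: float
    account: str


def account_country(account: str) -> str:
    """Country code of an IBAN-style account number (assumed format)."""
    return account[:2].upper()


def flag_suspicious_changes(changes, payments, window_days=7):
    """Return [(change, [reasons])] for bank-account changes that look like redirection.

    A change is flagged if the destination bank country differs from the old one,
    or if a payment to the new account was made within `window_days` of the change.
    """
    flagged = []
    for c in changes:
        reasons = []
        if account_country(c.old_account) != account_country(c.new_account):
            reasons.append(
                f"bank country changed {account_country(c.old_account)} -> "
                f"{account_country(c.new_account)} by {c.changed_by}"
            )
        for p in payments:
            days = (p.paid_on - c.changed_on).days
            if p.vendor_id == c.vendor_id and p.account == c.new_account and 0 <= days <= window_days:
                reasons.append(f"{p.amount:.2f} paid to new account {days} day(s) after change")
                break
        if reasons:
            flagged.append((c, reasons))
    return flagged


# Constructed sample data (not real vendors or accounts).
SAMPLE_CHANGES = [
    # Same-country change, next payment 19 days later: routine.
    BankChange("V100", date(2024, 3, 1), "jsmith", "DE00111122223333444455", "DE00555566667777888899"),
    # Account moved from the US to another country and paid two days later: classic redirection.
    BankChange("V200", date(2024, 3, 10), "jsmith", "US00123456789012345678", "CY00987654321098765432"),
    # Same country, but paid two days after the change: worth a phone call to the vendor.
    BankChange("V300", date(2024, 2, 1), "akhan", "GB00AAAA11112222333344", "GB00BBBB55556666777788"),
]

SAMPLE_PAYMENTS = [
    Payment("V100", date(2024, 3, 20), 12500.00, "DE00555566667777888899"),
    Payment("V200", date(2024, 3, 12), 48000.00, "CY00987654321098765432"),
    Payment("V300", date(2024, 2, 3), 9900.00, "GB00BBBB55556666777788"),
]


def run_sample():
    """Apply the check to the constructed data; returns the flagged list."""
    return flag_suspicious_changes(SAMPLE_CHANGES, SAMPLE_PAYMENTS)


if __name__ == "__main__":
    for change, reasons in run_sample():
        print(change.vendor_id, "->", "; ".join(reasons))
```

In a real deployment the two inputs would come from the ERP’s change-document table and the payment proposal, and the check would run before the payment file is released rather than after the fact; the point is that a bank-account change and the first payment to the new account should never be approved by the same person in the same week without an out-of-band confirmation with the vendor.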
On the surface, a general network infection that causes outages, downtime, and missed deadlines might not sound too bad. However, there can be several other consequences down the line.
If attackers can corrupt data, for example by changing your material orders or changing the configurations of your products or machines, that presents more than a simple missed-deadline problem. For manufacturers, this can be especially devastating, as it introduces a risk of producing bad products, damaging equipment, damaging materials, and harming employees on the manufacturing floor. With the increasing use of Internet of Things (IoT) devices for manufacturing, the damage could be catastrophic.
How Attackers Get In
Almost all breaches happen because an attacker obtains a valid account password. They don’t even need an administrator’s password to set up any of the attacks described above. Oftentimes, compromising a single employee account is all it takes to get in the door.
With that access to an employee’s account, the attacker can then take control over an email account or look for other passwords on the network or in email. They can also get into file services. If the compromised account has access to finance operations, the attacker may even gain access to payroll, benefits and the like.
Having access to that single, compromised account can also allow an attacker to plant a key logger on systems to try to capture passwords of higher ups or an administrator.
There are various ways attackers get passwords: password guessing or password spraying (trying a few common passwords against many accounts), obtaining breach lists, password cracking, or simply using the default passwords that come programmed on a system. Yes, sometimes administrators fail to change default passwords or to restrict default administrator access permissions, leaving an opening for cyberattacks.
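Password spraying has a recognizable shape in authentication logs: one source tries a handful of passwords against many different accounts, staying under the per-account lockout threshold, and occasionally one of those attempts succeeds. The detector below is an added example, not code from the original post or from any particular product; the log format (`timestamp src=… user=… result=…`) and the log lines themselves are constructed for the illustration, so the regular expression would need adjusting for a real ERP or directory log. It reports each source that failed against at least `min_users` distinct accounts inside a sliding time window, together with any accounts that source later logged into successfully, since those are the accounts to reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example; adjust the pattern to the real log source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "SUCCESS",
    }


def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Return {source: {"users_tried": [...], "later_success": [...]}} for spraying sources.

    A source is reported when, within any `window`, its failed logins span at
    least `min_users` distinct accounts. Repeated failures against one account
    (plain brute force) are deliberately not reported here.
    """
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if not e["ok"]]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until all fails[start:end+1] fit in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                first_fail = fails[start]["ts"]
                successes = sorted({e["user"] for e in events if e["ok"] and e["ts"] >= first_fail})
                findings[src] = {"users_tried": sorted(users), "later_success": successes}
                break
    return findings


# Constructed sample log: one spraying source, one single-account brute forcer,
# and one normal login. None of the addresses or users are real.
SAMPLE_LOG = """
2024-03-10T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-10T09:00:40Z src=203.0.113.5 user=bob result=FAIL
2024-03-10T09:01:22Z src=203.0.113.5 user=carol result=FAIL
2024-03-10T09:02:05Z src=203.0.113.5 user=dave result=FAIL
2024-03-10T09:03:48Z src=203.0.113.5 user=erin result=FAIL
2024-03-10T09:05:10Z src=203.0.113.5 user=frank result=SUCCESS
2024-03-10T09:00:03Z src=198.51.100.7 user=bob result=FAIL
2024-03-10T09:00:09Z src=198.51.100.7 user=bob result=FAIL
2024-03-10T09:00:15Z src=198.51.100.7 user=bob result=FAIL
2024-03-10T09:00:21Z src=198.51.100.7 user=bob result=FAIL
2024-03-10T08:55:00Z src=192.0.2.9 user=alice result=SUCCESS
this line is not an auth event and is skipped
""".strip().splitlines()


def run_sample():
    """Run the detector over the constructed log; returns the findings dict."""
    return detect_spray(SAMPLE_LOG)


if __name__ == "__main__":
    for src, info in run_sample().items():
        print(f"{src}: sprayed {len(info['users_tried'])} accounts; "
              f"later successes: {info['later_success'] or 'none'}")
```

The thresholds (ten minutes, five accounts) are starting points, not tuned values: a patient attacker spreads attempts over hours, so in practice you would also run the same logic over a much longer window with a higher account count, and correlate the source address against the VPN and mail gateways, which are the services that are most often sprayed.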
So how can you safeguard against these kinds of attacks? A first step is to make sure you aren’t using any default passwords or default security settings, which closes off one attack vector. Other key protective controls include requiring strong passwords, conducting security awareness training, implementing multi-factor authentication, and performing regular security testing. For additional insight, be sure to watch our webinar, Nine Tactical Ways to Maintain ERP Data Security.