TokenChpoken Attack on Oracle PeopleSoft Affecting Nearly Half of Large Enterprises and Government Organizations: ERPScan's Research
ERPScan Research department specializing in security of SAP and Oracle applications has published the results of the recent research on public-facing Oracle PeopleSoft applications and their vulnerabilities. These applications are usually used by Fortune 500 companies and government organizations. Almost 50% of companies using Oracle PeopleSoft system are vulnerable. More than 200 of them can be attacked via the internet.
Palo Alto, CA, July 02, 2015 --(PR.com)-- Oracle is the second largest vendor in the ERP market, and its PeopleSoft HRMS system is used in more than 7000 companies including about 50% of Fortune 100. PeopleSoft applications are widespread over the world with more than 72% of customers in the USA. They are usually considered a solution mostly used in higher education, but it is not completely true. Oracle does not give official statistics of PeopleSoft customers, however, according to PeopleSoft users lists provided by third parties, the Educational sector makes up only about 36% of all customers, which is about 1900 organizations. They are also widely used in Manufacturing (22%, about 1160 companies), Computing & IT (18%, about 1000 companies), Retail (8%, about 440 companies), and Government.
The statistics provided below were collected using special Google search requests. ERPScan's research shows that 549 PeopleSoft systems are available via the internet including systems implemented in Banks (20 servers), Manufacturing (17 servers) and Retail (24 servers) enterprises. The obtained findings were divided into three groups: Military and Governmental institutions (64 servers), Commercial Enterprises (249 servers with 169 in The US), and Universities (236 servers). The largest percentage of systems available via the Internet (of number of all companies using PeopleSoft in this industry) belongs to the companies in the following industries:
· Healthcare (35%);
· Universities (13%)
· Wholesale (7%,),
· Transport (6%),
· Retail (5%).
Moreover, slightly less than half of PeopleSoft systems available online (42%, 231 servers) are vulnerable to TokenChpoken attack presented at HackInParis Conference. The attack allows to find the correct key to Token, login under any account and get the full access to the system. It also gives an attacker an opportunity to hack other systems as well as third-party data stores.
In most cases, it takes not more than a day to decrypt Token by using a special bruteforcing program on latest GPU that costs about $500. Taking into account that organizations using PeopleSoft systems have about 5000 employees, the cost of getting personal data of one of them is only 10 cents. In addition, on the black market the average cost of these data is about $200, so, this attack seems to be a rather profitable business.
Besides, there is a close conjunction between government and commercial companies that presents on a technical level as the import and export of various data. In theory, it allows attackers to penetrate into the system of sub-contractor. An example of such attack via SAP vulnerability has recently been covered by Washington Post.
Below there is the list of organizations that have the highest percentage of vulnerable Oracle Peoplesoft servers (of number of available online):
· Charity (85%),
· Food & Agriculture (83%)
· Insurance (67%)
· Manufacturing (59%)
· Retail (58%)
· Transport (55%)
· Governmental institutions (53%)
· Healthcare (47%)
· Universities (34%)
List of vulnerable organizations includes 18 companies from Fortune 500. Also, 25 companies are in Forbes's 2000 World’s Biggest Public Companies.
The most dangerous is that several systems still have a default password for Token. The number of these systems is about 10%, but taking into account that such systems can be just googled, every script-kiddie can exploit this vulnerability.
Several cases of data breaches related to vulnerabilities in Oracle PeopleSoft applications have been published in the news since 2010. For example, in March 2013, Salem State University in Massachusetts alerted 25000 students and staff that their Social Security Numbers may have been compromised in a database breach. If the pattern of the last few years repeats itself, expect higher education institutions to experience another half dozen major security breaches.
Not only universities but all enterprises using Oracle PeopleSoft applications can be under attack because they have the same vulnerabilities, according to Alexey Tuyrin’s (Director of Oracle Security at ERPScan) research.
The recent attack against OPM shows that nowadays thieve of personal data is one of the most popular cyber-crime. While nobody knows what kind of system were compromised and how exactly it happened, it is known that Oracle PeopleSoft systems are used to store data about employees in other public services. It’s also known from public sources, that Oracle PeopleSoft is at least implemented in different public services such as Department of Agriculture's National Finance Center, Department of Health and Human Services or Department of the Treasury. Attacks on governmental PeopleSoft systems can result in the same or even worse consequences than after the attack on the OPM.
Apart from this particular vulnerability, ERPScan researchers have found multiple issues in PeopleSoft applications such as Information disclosure, XSS, XXE, and authentication bypass. Their criticality is rather high, and most of these issues stay unresolved for years.
The statistics provided below were collected using special Google search requests. ERPScan's research shows that 549 PeopleSoft systems are available via the internet including systems implemented in Banks (20 servers), Manufacturing (17 servers) and Retail (24 servers) enterprises. The obtained findings were divided into three groups: Military and Governmental institutions (64 servers), Commercial Enterprises (249 servers with 169 in The US), and Universities (236 servers). The largest percentage of systems available via the Internet (of number of all companies using PeopleSoft in this industry) belongs to the companies in the following industries:
· Healthcare (35%);
· Universities (13%)
· Wholesale (7%,),
· Transport (6%),
· Retail (5%).
Moreover, slightly less than half of PeopleSoft systems available online (42%, 231 servers) are vulnerable to TokenChpoken attack presented at HackInParis Conference. The attack allows to find the correct key to Token, login under any account and get the full access to the system. It also gives an attacker an opportunity to hack other systems as well as third-party data stores.
In most cases, it takes not more than a day to decrypt Token by using a special bruteforcing program on latest GPU that costs about $500. Taking into account that organizations using PeopleSoft systems have about 5000 employees, the cost of getting personal data of one of them is only 10 cents. In addition, on the black market the average cost of these data is about $200, so, this attack seems to be a rather profitable business.
Besides, there is a close conjunction between government and commercial companies that presents on a technical level as the import and export of various data. In theory, it allows attackers to penetrate into the system of sub-contractor. An example of such attack via SAP vulnerability has recently been covered by Washington Post.
Below there is the list of organizations that have the highest percentage of vulnerable Oracle Peoplesoft servers (of number of available online):
· Charity (85%),
· Food & Agriculture (83%)
· Insurance (67%)
· Manufacturing (59%)
· Retail (58%)
· Transport (55%)
· Governmental institutions (53%)
· Healthcare (47%)
· Universities (34%)
List of vulnerable organizations includes 18 companies from Fortune 500. Also, 25 companies are in Forbes's 2000 World’s Biggest Public Companies.
The most dangerous is that several systems still have a default password for Token. The number of these systems is about 10%, but taking into account that such systems can be just googled, every script-kiddie can exploit this vulnerability.
Several cases of data breaches related to vulnerabilities in Oracle PeopleSoft applications have been published in the news since 2010. For example, in March 2013, Salem State University in Massachusetts alerted 25000 students and staff that their Social Security Numbers may have been compromised in a database breach. If the pattern of the last few years repeats itself, expect higher education institutions to experience another half dozen major security breaches.
Not only universities but all enterprises using Oracle PeopleSoft applications can be under attack because they have the same vulnerabilities, according to Alexey Tuyrin’s (Director of Oracle Security at ERPScan) research.
The recent attack against OPM shows that nowadays thieve of personal data is one of the most popular cyber-crime. While nobody knows what kind of system were compromised and how exactly it happened, it is known that Oracle PeopleSoft systems are used to store data about employees in other public services. It’s also known from public sources, that Oracle PeopleSoft is at least implemented in different public services such as Department of Agriculture's National Finance Center, Department of Health and Human Services or Department of the Treasury. Attacks on governmental PeopleSoft systems can result in the same or even worse consequences than after the attack on the OPM.
Apart from this particular vulnerability, ERPScan researchers have found multiple issues in PeopleSoft applications such as Information disclosure, XSS, XXE, and authentication bypass. Their criticality is rather high, and most of these issues stay unresolved for years.
Contact
ERPScan
Darya Maenkova
650.798.5254
erpscan.com
Darya Maenkova
650.798.5254
erpscan.com
Contact
Categories