TokenChpoken attack on Oracle PeopleSoft affecting nearly half of large enterprises and government organizations

Palo Alto, CA – June 29, 2015. The ERPScan Research department, which specializes in the security of SAP and Oracle applications, has published the results of its recent research on public-facing Oracle PeopleSoft applications and their vulnerabilities. These applications are usually used by Fortune 500 companies and government organizations. Almost 50% of companies using the Oracle PeopleSoft HRMS system are vulnerable. More than 200 of them can be attacked via the internet. The list of those companies includes 18 companies from the Fortune 500 and 25 companies from the Forbes 2000 World’s Biggest Public Companies.

Oracle is the second largest vendor in the ERP market, and its PeopleSoft HRMS system is used in more than 7000 companies, including about 50% of the Fortune 100. PeopleSoft applications are widespread around the world, with more than 72% of customers in the USA. They are usually considered a solution used mostly in higher education, but this is not completely true. Oracle does not give official statistics on PeopleSoft customers; however, according to PeopleSoft user lists provided by third parties, the Educational sector constitutes only about 36% of all customers, which is about 1900 organizations. PeopleSoft applications are also widely used in Manufacturing (22%, about 1160 companies), Computing & IT (18%, about 1000 companies), Retail (8%, about 440 companies), and Government.

The statistics provided below were collected using special Google search requests. Our research shows that 549 PeopleSoft systems are available via the internet, including systems implemented in Banks (20 servers), Manufacturing (17 servers) and Retail (24 servers) enterprises. The findings were divided into three groups: Military and Governmental institutions (64 servers), Commercial Enterprises (249 servers, with 169 in the US), and Universities (236 servers). The largest percentage of systems available via the internet (as a share of all companies using PeopleSoft in that industry) belongs to the following industries:

  • Healthcare (35%)
  • Universities (13%)
  • Wholesale (7%)
  • Transport (6%)
  • Retail (5%)

Moreover, slightly less than half of the PeopleSoft systems available online (42%, 231 servers) are vulnerable to the TokenChpoken attack presented at the HackInParis conference. The attack allows an attacker to find the correct key to the Token, log in under any account and get full access to the system. It also gives an attacker an opportunity to hack other systems as well as third-party data stores.

In most cases, it takes no more than a day to decrypt the Token by running a special brute-forcing program on a latest-generation GPU that costs about $500. Taking into account that organizations using PeopleSoft systems have about 5000 employees, the cost of getting the personal data of one of them is only 10 cents! In addition, the average cost of these data on the black market is about $200, so this attack seems to be a rather profitable business.

Besides, there is a close connection between government and commercial companies, which at the technical level takes the form of importing and exporting various data. In theory, it allows attackers to penetrate the system of a sub-contractor. An example of such an attack via an SAP vulnerability has recently been covered by the Washington Post.

Below is the list of organizations that have the highest percentage of vulnerable Oracle PeopleSoft servers (as a share of those available online):

  • Charity (85%)
  • Food & Agriculture (83%)
  • Insurance (67%)
  • Manufacturing (59%)
  • Retail (58%)
  • Transport (55%)
  • Governmental institutions (53%)
  • Healthcare (47%)
  • Universities (34%)

The list of vulnerable organizations includes 18 companies from the Fortune 500. Also, 25 companies are in the Forbes 2000 World’s Biggest Public Companies. It should be mentioned that one of the largest pharmaceutical companies is also vulnerable to this attack.

The most dangerous finding is that several systems still have a default password for the Token. These systems account for about 10%, but since such systems can simply be found with Google, any script kiddie can exploit this vulnerability.

Several cases of data breaches related to vulnerabilities in Oracle PeopleSoft applications have been published in the news since 2010. For example, in March 2013, Salem State University in Massachusetts alerted 25000 students and staff that their Social Security Numbers may have been compromised in a database breach. If the pattern of the last few years repeats itself, expect higher education institutions to experience another half dozen major security breaches.

Not only universities but all enterprises using Oracle PeopleSoft applications can come under attack, because they have the same vulnerabilities, according to research by Alexey Tyurin (Director of Oracle Security at ERPScan).

The recent attack against OPM shows that the theft of personal data is now one of the most popular cybercrimes. While we still don’t know what kind of systems were compromised and how exactly it happened, it is known that Oracle PeopleSoft systems are used to store data about employees in other public services. It is also known from public sources that Oracle PeopleSoft is implemented in at least several public services, such as the Department of Agriculture’s National Finance Center, the Department of Health and Human Services and the Department of the Treasury. Attacks on governmental PeopleSoft systems can result in the same or even worse consequences than the attack on the OPM.

The optimal attack vector depends on a hacker’s goal. The impact of different attacks can involve espionage, sabotage and fraud. We have highlighted the five most serious consequences of these attacks, but they should not be considered the only possible ones:

  • Theft of Social Security Numbers, also known as identity theft. Employees’ SSNs are stored in Human Resource Management Systems. A malicious person can use the victim’s SSN to get other personal information or apply for a loan on their behalf. Getting a new number instead of the compromised one is not easy, and it’s entirely up to the Social Security Administration. All companies using PeopleSoft HRMS are at risk, especially Government.
  • Employees’ and clients’ credit card data (cardholder name, PAN, expiration date, and CVV code) are stored in various PeopleSoft applications. If an application has a security breach, this information is at risk of being stolen. Every enterprise can be a victim of this attack, but it is primarily relevant for the Retail industry.
  • Having access to PeopleSoft Enterprise Service Automation, an attacker can forge business-critical information about the stage of project implementation, so leaders can make a wrong decision that results in the waste of resources, commitment failure, and reputational losses. This sabotage scenario is especially dangerous for Manufacturing companies.
  • The operating assets of an organization, from facilities and equipment to rolling stock and production machinery, are central to accomplishing the enterprise’s objectives. PeopleSoft Asset Lifecycle Management provides the ability to monitor and optimally maintain those assets. Asset Lifecycle Management is usually connected to the plant floor. If an attacker has access to this application, it gives them an opportunity to forge equipment health information. There are two scenarios. First, a malicious person can forge a message that a new part is going to wear out soon, so the company spends more money without any need. Second, an attacker can make the system report that a long-used part is new, which can lead to a manufacturing disaster. This sabotage attack is more likely to be performed against Manufacturing companies.
  • Oracle PeopleSoft Supplier Relationship Management application keeps information about tenders and contracts. If an attacker gets to know a supplier’s proposal, they can use this information in their own proposal. It can result in reputational and financial losses for the company holding the tender.

Along with this particular vulnerability, ERPScan researchers have found multiple issues in PeopleSoft applications such as Information disclosure, XSS, XXE, and authentication bypass. Their criticality is rather high, and most of these issues stay unresolved for years!

It is notable that Oracle PeopleSoft applications usually work as a complex system comprised of several applications. So once attackers get access to the weakest part of the system, they can easily get access to connected applications.