Com TW NOw News 2024

Thousands of Oracle NetSuite ecommerce sites expose sensitive customer data
A widespread misconfiguration in Oracle NetSuite’s SuiteCommerce Enterprise Resource Planning (ERP) platform has exposed sensitive customer data across thousands of websites.

Security company AppOmni disclosed the problem in a blog post that describes how many companies using NetSuite to support ecommerce have inadvertently allowed unauthorized access to customer data because of misconfigured access controls on custom record types (CRTs).

These CRTs store important data such as personal addresses and phone numbers, making them an attractive target for cybercriminals.

“Thousands of these organizations are leaking sensitive customer data to the public due to misconfigurations in their access controls,” Aaron Costello, head of SaaS security research at AppOmni, wrote in the blog. “The sheer scale at which I’ve seen these exposures is significant.”

Common Oracle NetSuite Misconfigurations

The problem isn’t with the NetSuite platform itself, but with the way some website operators configure their stores, allowing unauthorized users to access customer data via leaky APIs.

According to AppOmni, the misconfiguration primarily impacts external-facing stores on SuiteCommerce and could allow unauthorized individuals to access sensitive information without authentication through URL manipulation.

Costello wrote in the report that it appears the most exposed form of sensitive data is registered customers’ personally identifiable information (PII), including full addresses and mobile phone numbers.

NetSuite responded to the issue by urging customers to review their security settings and follow best practices to protect their CRTs from unauthorized access.

Costello noted that despite these efforts, many companies may not be aware that their sites are leaking sensitive data, or that they have been targeted. That’s because NetSuite doesn’t provide easily accessible transaction logs, making it difficult for companies to detect whether they’ve been exploited.

He added that many organizations struggle to implement and maintain a robust software as a service (SaaS) security program. He also said that more education is needed so that organizations are better prepared to identify and address both known and unknown risks to their SaaS applications.

“As vendors introduce increasingly complex functionality into their products to remain competitive, these risks will become even greater,” the report said. “Organizations attempting to address this issue will face challenges as these attack vectors can often only be discovered through tailored research.”

SaaS cybersecurity issues on the rise

NetSuite’s findings and recent attacks on customer accounts hosted on the Snowflake platform highlight the increasing security risks in SaaS environments.

The gist of this, according to AppOmni, is that SaaS platforms have significantly changed the modern attack surface, making some traditional attack steps redundant or easier for adversaries.

More specifically, the traditional Lockheed Martin cyber kill chain — a classic basis for defending against attacks — identifies the steps of a successful campaign: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives (data exfiltration, malware implantation).

But in SaaS environments, “the kill chain from an attacker’s perspective is really centralized to a few points: initial access and credential access, and collection and exfiltration,” said Brandon Levene, Principal Product Manager, Threat Detection at AppOmni, who spoke to Dark Reading at Black Hat last week.

As a result, threat actors are now actively targeting corporate data within SaaS applications; adversaries include less sophisticated organizations, but also notorious gangs such as Scattered Spider, which switched to SaaS after traditionally focusing on Microsoft cloud environments and on-premises infrastructure.

As organizations expand their use of SaaS applications, they must rethink their approach to the cyber kill chain and adjust their defense accordingly. For example, in the case of e-commerce platforms, administrators should “review field-level access controls in website forms and identify which fields, if any, should be exposed,” according to AppOmni. They can then lock down the fields that don’t need public access.
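As an added illustration of that field-level review, and not code from AppOmni or NetSuite, the script below audits a constructed export of CRT field definitions and flags PII-like fields readable without authentication. The record layout, the access levels and the sample field list are all assumptions made for the example, not NetSuite's real schema or API.

```python
import re

# Constructed access levels: who can read a field through the web store.
PUBLIC = "public"        # readable without authentication (the risky case)
CUSTOMER = "customer"    # readable only by the logged-in owning customer
NONE = "none"            # not exposed to the web store at all

# Heuristics for PII-like fields, matched on field id or label.
PII_PATTERNS = [
    ("address", re.compile(r"addr|street|zip|postal", re.I)),
    ("phone",   re.compile(r"phone|mobile|tel", re.I)),
    ("email",   re.compile(r"e-?mail", re.I)),
    ("name",    re.compile(r"full_?name|first_?name|last_?name", re.I)),
]

def classify_pii(field_id, label):
    """Return the PII category a field looks like, or None."""
    for category, pattern in PII_PATTERNS:
        if pattern.search(field_id) or pattern.search(label):
            return category
    return None

def audit_crt_fields(fields):
    """Flag PII-like fields that unauthenticated visitors could read.
    Each field is a dict with record_type, field_id, label and access."""
    findings = []
    for f in fields:
        category = classify_pii(f["field_id"], f["label"])
        if category and f["access"] == PUBLIC:
            findings.append({
                "record_type": f["record_type"],
                "field_id": f["field_id"],
                "pii": category,
                "recommend": "restrict to %s or %s" % (CUSTOMER, NONE),
            })
    return sorted(findings, key=lambda x: (x["record_type"], x["field_id"]))

# Constructed sample export of one store's CRT fields (not real data).
SAMPLE_FIELDS = [
    {"record_type": "customrecord_loyalty", "field_id": "custrecord_mobile",
     "label": "Mobile phone", "access": PUBLIC},
    {"record_type": "customrecord_loyalty", "field_id": "custrecord_street",
     "label": "Street address", "access": CUSTOMER},
    {"record_type": "customrecord_loyalty", "field_id": "custrecord_points",
     "label": "Points balance", "access": PUBLIC},
    {"record_type": "customrecord_wishlist", "field_id": "custrecord_email",
     "label": "Email", "access": PUBLIC},
]
```

Run `audit_crt_fields(SAMPLE_FIELDS)` to get the two exposed PII fields (the public mobile number and email); the public points balance and the customer-only address are not flagged.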