The report said evidence had been found of nine operations by different groups targeting SAP and Oracle ERP applications, also of malware that had been updated and improved to steal SAP user credentials.
It claimed that nation-state attackers were targeting ERP applications in order to access sensitive information and disrupt business processes.
The US Department of Homeland Security issued an alert about the possibility of these attacks and linked to the report from the two companies.
"By their very nature, these applications host sensitive information, including financial results, manufacturing formulas, pricing, intellectual property, credit cards and personally identifiable information from employees, customers and suppliers."
Researchers at the two companies said there had been an increase in the interest in exploits for SAP applications, including SAP HANA, in dark web and cyber criminal forums.
"We observed detailed information on SAP hacking being exchanged at a major Russian-speaking criminal forum, as well as individuals interested in acquiring SAP HANA-specific exploits on the dark web," the report said.
"This goes hand in hand with an observed 100% increase of public exploits for SAP and Oracle ERP applications over the last three years, and a 160% increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017."
The report pointed out that the attack surface for ERP applications had grown over the years.
"We have identified more than 17,000 SAP and Oracle ERP applications directly connected to the Internet, many belonging to the world’s largest commercial and government organisations," it said.
"The US, Germany and the UK are among the highest in exposure. Threat actors are aware of this and are actively sharing information across the dark web and criminal forums to find and target these public applications. Many of these exposed systems run vulnerable versions and unprotected ERP components, which introduce a critical level of risk."
In a statement sent to iTWire, SAP said: SAP stands for secure, reliable and trustworthy software solutions. As the global leader in business software, we take security seriously and implement best practices in our security processes that include development, operations, tools and employee training.
"Confidentiality, integrity, availability and data privacy are core values for SAP. Our recommendation to all of our customers is to implement SAP security patches as soon as they are available – typically on the second Tuesday of every month to protect SAP infrastructure from attacks."