Vulnerabilities / Threats
4/15/2010
03:56 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

SAP, Other ERP Applications At Risk Of Targeted Attacks

Black Hat Europe researcher demonstrates techniques for inserting 'backdoors' into popular enterprise resource planning apps that aren't properly secured

Backdoor Trojans and rootkits that let attackers gain a foothold and remain entrenched in a compromised system aren't just for Windows PCs anymore -- SAP and other enterprise resource planning (ERP) applications are also susceptible to this form of attack.

Click here for more of Dark Reading's Black Hat articles.
A researcher at Black Hat Europe in Barcelona this week demonstrated techniques for inserting into SAP applications backdoors that provide attackers a way to gain control of them. Mariano Nunez Di Croce, director of research and development at Onapsis, says an attacker would initially exploit weak database protections or vulnerabilities in the underlying operating system, for instance, to gain access to the SAP apps and data.

The hacks don't exploit any new or existing vulnerabilities in SAP. Once the system is compromised, the attacker would grab the necessary elevated privileges to insert the stealthy backdoor code and remain under the radar to pilfer sensitive information. With the backdoor presence, the attacker could modify a victim company's electronic payments to a vendor, for example. "So every automated payment to that vendor would go to the attacker's [bank] account [instead]," Nunez Di Croce says.

But most organizations today don't consider SAP or other ERP apps a big target for attackers, Nunez Di Croce says. "They think of SAP security as segregation of duties, and management of user name and profiles," he says. "But it's much more than that."

ERP systems, which are tied in with a database platform and often contain multiple interfaces to other apps, run sensitive business processes, such as financial, sales, production, expenditures, billing, and payroll, so any such targeted attacks would be damaging financially and production-wise, Nunez Di Croce says. "This is very sensitive data the applications handle. They are running the most important business processes in the company," he says.

Nunez Di Croce will release a free tool in the next week for detecting the presence of SAP backdoors called Onapsis Integrity Analyzer for SAP. The tool checks for changes or modifications in the application's database and flags any suspicious activity that needs to be addressed. Onapsis is also developing a commercial product that performs vulnerability assessments and penetration testing on SAP applications, Nunez Di Croce says.

In one demo at Black Hat, Nunez Di Croce showed how an attacker could capitalize on unsecured integration settings between the SAP app and another application running on the system to then take over the SAP app with elevated user privileges. "The attacker then could install a hidden login account" that he could use to come and go, without the real system administrator even noticing it, he says.

He also showed how an attacker could exploit the underlying database to insert a backdoor. The attack connects directly to the production database so the attacker can modify code in the SAP production system, he says. A third demo showed how an attacker could bypass security settings to modify the SAP app's authentication. "Someone could modify the login program so that the next time someone logs into the SAP application, a backdoor sends the user name and password to a remote Web server," Nunez Di Croce says.

The bad news is that even if an SAP or ERP backdoor is discovered, it's difficult to limit the attacker's access and activity. "It's difficult to prevent him from doing anything if he has full control: He's like a full [systems] administrator. How can you stop him from creating a new user or new privileges?" Nunez Di Croce says.

The best bet is to minimize risk by using automated controls and performing regular security assessments of the SAP applications, as well as penetration tests, he says. "You want to minimize the [chance of an] initial compromise," Nunez Di Croce says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.