Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/12/2015
11:15 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

First Example Of SAP Breach Surfaces

USIS attack in 2013 stealing background check information about government personnel with classified clearance came by way of an SAP exploit.

After the better part of a decade of warnings that SAP and other enterprise resource planning (ERP) systems are wide open to attack at most organizations, this week finally brought confirmation of a high-profile breach that used SAP as its initial attack vector. The attack is a good example of the high-stakes information contained in ERP systems that are ripe for the plucking—in this case the stolen goods were files used for background checks on federal employees and contractors with access to classified intelligence.

Perpetrated back in 2013, this attack against US Investigations Services, a contractor in charge of conducting federal background checks, came to public light last year, but details at that time were sparse. Investigators had mentioned during the initial breaking of the story that they suspected state-sponsored Chinese attackers. But over the weekend Nextgov.com reported that an internal investigation points to evidence that attackers broke into USIS through an exploit in an SAP system managed by a third party.

Alexander Polyakov, CTO and co-founder of ERPScan, hopes that the public attention from this example will drive home to enterprises that the types of SAP vulnerabilities his firm and others like Onapsis have been talking about for years really deserve IT's attention. Over the past several years there have been limited examples of SAP exploitation in the public domain. In 2012 Anonymous claimed to have used an SAP zero-day to attack the Greece finance ministry, but nobody acknowledged that. And an SAP Trojan was reported in the wild in 2013, but there was no confirmation of organizations successfully attacked using it.  Just last week at SAP SAPPHIRE, Onapsis released a report that detailed the most common attack patterns used in attacks against SAP, but again there were no details confirming specific victims.

"There were some investigations like this, in which we've taken part but are not at liberty disclose any details about--it was a real attack via SAP," says Polyakov. "But this one is the first publicly acknowledged attack, and what's more important is that it's on such a critical government entity." 

Polyakov says the progression of SAP attacks will be a precautionary tale for enterprises to pay better attention to researchers' warnings before real examples of attacks start to surface. The attack against USIS played at least a partial role in the company shutting its doors this year.

"As you see when some researchers start flagging security loopholes by publishing information about one or another system's security vulnerability, it's only a matter of time before cyber criminals actually exploit it," he says. "Who will fall victim is anybody's guess."

He recommends that organizations that really want to address SAP security from all angles need to think seriously not just about vulnerability assessment and management, but also custom code security (he reports that 50 percent of enterprises have custom code on top of their SAP framework) as well as separation of duties and event monitoring.

Most importantly, it is critical to understand how SAP systems interconnect with other infrastructure.

"Business applications are highly connected with each other, and as you saw in the example, it's not only the problem of your infrastructure security, it's also a problem of all your external connections and third-party security," Polyakov says. "So what it boils down to is that a system is only as secure as its weakest link."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kritesh
50%
50%
kritesh,
User Rank: Apprentice
3/21/2018 | 7:11:37 AM
SAP ERP Blog
Thanks a lot for sharing a blog for SAP in SAP ERP Module. One of the best blog i have read for SAP ERP. With the help of SAP ERP you can easily control hacking issue in your software. With the help of ERP Training Programs you will easily manage and control. 
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1619
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session ...
CVE-2019-1620
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could ex...
CVE-2019-1621
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker...
CVE-2019-1622
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software...
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.