'Project Mayhem' Hacks Accounting Software

No exploit required for defrauding Microsoft and other accounting systems, researchers at Black Hat Abu Dhabi reveal
"Really, the back-end controls you need to have in place [are] restrictions on how 'vendors' are added into the accounting system, periodic reconciliation of vendor accounts in the system, and disabling vendors you are no longer doing business with," Eston says. Microsoft also could add program flags in the GP auto-alert feature to reconcile accounts on specific dates, for example, he says.

You can manually set up the program to issue a notification when a record is changed, moved, added, or removed, Kimmell says, or such a feature could be added by Microsoft. It's all about regular reconciliation and auditing to catch these types of nefarious intrusions so inside jobs aren't long-term and devastating, he says.
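As an added example, not code from Eston and Kimmell's paper or from Dynamics GP, the following Python reconciliation pass implements the back-end controls described above: it diffs two vendor-master snapshots to catch added, removed and changed records (bank-detail changes are called out separately, since rerouting an existing vendor's payments is the usual goal), flags payments to unknown or disabled vendors, and lists active vendors with no payment inside a dormancy window so they can be disabled. The `Vendor` and `Payment` records, the `V00x` identifiers and the dates are constructed sample data and do not reflect GP's actual tables or alert mechanism.

```python
"""Vendor-master reconciliation over constructed sample data (hypothetical schema)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Vendor:            # hypothetical vendor-master record, not GP's schema
    vendor_id: str
    name: str
    bank_account: str
    active: bool


@dataclass(frozen=True)
class Payment:           # hypothetical payables record
    paid_on: date
    vendor_id: str
    amount: float


WATCHED_FIELDS = ("name", "bank_account", "active")


def diff_vendor_master(baseline, current):
    """Compare two vendor-master snapshots keyed by vendor_id.

    Returns (added_ids, removed_ids, changes) where each change is
    (vendor_id, field, old_value, new_value)."""
    base = {v.vendor_id: v for v in baseline}
    cur = {v.vendor_id: v for v in current}
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = []
    for vid in sorted(set(base) & set(cur)):
        for field in WATCHED_FIELDS:
            old, new = getattr(base[vid], field), getattr(cur[vid], field)
            if old != new:
                changed.append((vid, field, old, new))
    return added, removed, changed


def reconcile(baseline, current, approved_ids, payments, as_of, dormant_days=180):
    """Periodic reconciliation: returns a list of (code, vendor_id, detail) findings."""
    findings = []
    added, removed, changed = diff_vendor_master(baseline, current)
    cur = {v.vendor_id: v for v in current}

    # 1. Restrict how vendors are added: anything not backed by an approval is suspect.
    for vid in added:
        if vid not in approved_ids:
            findings.append(("UNAPPROVED_VENDOR", vid,
                             f"{cur[vid].name!r} added without a procurement approval"))
    for vid in removed:
        findings.append(("VENDOR_DELETED", vid, "vendor record removed since baseline"))

    # 2. Notify on changed records; a bank-account change is the classic redirect.
    for vid, field, old, new in changed:
        code = "BANK_DETAILS_CHANGED" if field == "bank_account" else "VENDOR_CHANGED"
        findings.append((code, vid, f"{field}: {old!r} -> {new!r}"))

    # 3. Payments must map to a known, active vendor.
    last_paid = {}
    for p in payments:
        v = cur.get(p.vendor_id)
        if v is None:
            findings.append(("PAYMENT_TO_UNKNOWN_VENDOR", p.vendor_id,
                             f"{p.amount:.2f} on {p.paid_on}"))
        elif not v.active:
            findings.append(("PAYMENT_TO_DISABLED_VENDOR", p.vendor_id,
                             f"{p.amount:.2f} on {p.paid_on}"))
        last_paid[p.vendor_id] = max(p.paid_on, last_paid.get(p.vendor_id, p.paid_on))

    # 4. Disable vendors you no longer do business with: active, not newly added,
    #    and no payment inside the dormancy window.
    cutoff = as_of - timedelta(days=dormant_days)
    for vid, v in sorted(cur.items()):
        if v.active and vid not in added and last_paid.get(vid, date.min) < cutoff:
            findings.append(("DORMANT_VENDOR_ACTIVE", vid,
                             f"no payment since {last_paid.get(vid, 'never')}; disable"))
    return findings


# Constructed sample data: one baseline snapshot, one current snapshot, approvals, payments.
AS_OF = date(2024, 6, 30)
BASELINE = [Vendor("V001", "Acme Supply", "111-0001", True),
            Vendor("V002", "Northwind Parts", "222-0002", True),
            Vendor("V003", "Old Co", "333-0003", True)]
CURRENT = [Vendor("V001", "Acme Supply", "111-0001", True),
           Vendor("V002", "Northwind Parts", "999-0099", True),   # bank account rerouted
           Vendor("V003", "Old Co", "333-0003", False),           # disabled, yet still paid
           Vendor("V004", "Acme Suply", "444-0004", True),        # look-alike, no approval
           Vendor("V005", "Contoso Tools", "555-0005", True)]     # new and approved
APPROVED = {"V001", "V002", "V003", "V005"}
PAYMENTS = [Payment(AS_OF - timedelta(days=200), "V001", 1200.0),
            Payment(AS_OF - timedelta(days=3), "V002", 9800.0),
            Payment(AS_OF - timedelta(days=5), "V004", 4500.0),
            Payment(AS_OF - timedelta(days=2), "V003", 700.0)]


def run_sample():
    return reconcile(BASELINE, CURRENT, APPROVED, PAYMENTS, AS_OF)


if __name__ == "__main__":
    for code, vid, detail in run_sample():
        print(f"{code:28} {vid}  {detail}")
```

On the sample data the pass reports the look-alike vendor V004 as unapproved, V002's bank-account change, the disabling of V003 together with a payment that still went to it, and V001 as dormant; the approved addition V005 produces nothing. In practice the baseline snapshot is the one taken at the previous reconciliation and the approval set comes from the procurement workflow, so the checks sit outside the accounting application and do not depend on its own logging being intact.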

Onapsis' Nunez says sophisticated targeted attacks against an organization's financial systems are a real threat today. "We are not talking anymore about protecting ourselves only from our employees. Now we need also to protect our system from high-profile targeted attacks that can be exploited by malicious parties who don't even have a valid user account in the ERP systems," he says. "If they are successful in breaking in, you can be sure that a financial fraud would be a matter of minutes."

A copy of Eston and Kimmell's white paper is available here for download.
