Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/15/2010
03:56 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

SAP, Other ERP Applications At Risk Of Targeted Attacks

Black Hat Europe researcher demonstrates techniques for inserting 'backdoors' into popular enterprise resource planning apps that aren't properly secured

Backdoor Trojans and rootkits that let attackers gain a foothold and remain entrenched in a compromised system aren't just for Windows PCs anymore -- SAP and other enterprise resource planning (ERP) applications are also susceptible to this form of attack.

Click here for more of Dark Reading's Black Hat articles.
A researcher at Black Hat Europe in Barcelona this week demonstrated techniques for inserting into SAP applications backdoors that provide attackers a way to gain control of them. Mariano Nunez Di Croce, director of research and development at Onapsis, says an attacker would initially exploit weak database protections or vulnerabilities in the underlying operating system, for instance, to gain access to the SAP apps and data.

The hacks don't exploit any new or existing vulnerabilities in SAP. Once the system is compromised, the attacker would grab the necessary elevated privileges to insert the stealthy backdoor code and remain under the radar to pilfer sensitive information. With the backdoor presence, the attacker could modify a victim company's electronic payments to a vendor, for example. "So every automated payment to that vendor would go to the attacker's [bank] account [instead]," Nunez Di Croce says.

But most organizations today don't consider SAP or other ERP apps a big target for attackers, Nunez Di Croce says. "They think of SAP security as segregation of duties, and management of user name and profiles," he says. "But it's much more than that."

ERP systems, which are tied in with a database platform and often contain multiple interfaces to other apps, run sensitive business processes, such as financial, sales, production, expenditures, billing, and payroll, so any such targeted attacks would be damaging financially and production-wise, Nunez Di Croce says. "This is very sensitive data the applications handle. They are running the most important business processes in the company," he says.

Nunez Di Croce will release a free tool in the next week for detecting the presence of SAP backdoors called Onapsis Integrity Analyzer for SAP. The tool checks for changes or modifications in the application's database and flags any suspicious activity that needs to be addressed. Onapsis is also developing a commercial product that performs vulnerability assessments and penetration testing on SAP applications, Nunez Di Croce says.

In one demo at Black Hat, Nunez Di Croce showed how an attacker could capitalize on unsecured integration settings between the SAP app and another application running on the system to then take over the SAP app with elevated user privileges. "The attacker then could install a hidden login account" that he could use to come and go, without the real system administrator even noticing it, he says.

He also showed how an attacker could exploit the underlying database to insert a backdoor. The attack connects directly to the production database so the attacker can modify code in the SAP production system, he says. A third demo showed how an attacker could bypass security settings to modify the SAP app's authentication. "Someone could modify the login program so that the next time someone logs into the SAP application, a backdoor sends the user name and password to a remote Web server," Nunez Di Croce says.

The bad news is that even if an SAP or ERP backdoor is discovered, it's difficult to limit the attacker's access and activity. "It's difficult to prevent him from doing anything if he has full control: He's like a full [systems] administrator. How can you stop him from creating a new user or new privileges?" Nunez Di Croce says.

The best bet is to minimize risk by using automated controls and performing regular security assessments of the SAP applications, as well as penetration tests, he says. "You want to minimize the [chance of an] initial compromise," Nunez Di Croce says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26895
PUBLISHED: 2020-10-21
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver,...
CVE-2020-26896
PUBLISHED: 2020-10-21
Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collis...
CVE-2020-5790
PUBLISHED: 2020-10-20
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5791
PUBLISHED: 2020-10-20
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
CVE-2020-5792
PUBLISHED: 2020-10-20
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.