Black Hat Europe researcher demonstrates techniques for inserting 'backdoors' into popular enterprise resource planning apps that aren't properly secured

Backdoor Trojans and rootkits that let attackers gain a foothold and remain entrenched in a compromised system aren't just for Windows PCs anymore -- SAP and other enterprise resource planning (ERP) applications are also susceptible to this form of attack.

A researcher at Black Hat Europe in Barcelona this week demonstrated techniques for inserting into SAP applications backdoors that provide attackers a way to gain control of them. Mariano Nunez Di Croce, director of research and development at Onapsis, says an attacker would initially exploit weak database protections or vulnerabilities in the underlying operating system, for instance, to gain access to the SAP apps and data.

The hacks don't exploit any new or existing vulnerabilities in SAP. Once the system is compromised, the attacker would grab the necessary elevated privileges to insert the stealthy backdoor code and remain under the radar to pilfer sensitive information. With the backdoor presence, the attacker could modify a victim company's electronic payments to a vendor, for example. "So every automated payment to that vendor would go to the attacker's [bank] account [instead]," Nunez Di Croce says.

But most organizations today don't consider SAP or other ERP apps a big target for attackers, Nunez Di Croce says. "They think of SAP security as segregation of duties, and management of user name and profiles," he says. "But it's much more than that."

ERP systems, which are tied in with a database platform and often contain multiple interfaces to other apps, run sensitive business processes, such as financial, sales, production, expenditures, billing, and payroll, so any such targeted attacks would be damaging financially and production-wise, Nunez Di Croce says. "This is very sensitive data the applications handle. They are running the most important business processes in the company," he says.

Nunez Di Croce will release a free tool in the next week for detecting the presence of SAP backdoors called Onapsis Integrity Analyzer for SAP. The tool checks for changes or modifications in the application's database and flags any suspicious activity that needs to be addressed. Onapsis is also developing a commercial product that performs vulnerability assessments and penetration testing on SAP applications, Nunez Di Croce says.

In one demo at Black Hat, Nunez Di Croce showed how an attacker could capitalize on unsecured integration settings between the SAP app and another application running on the system to then take over the SAP app with elevated user privileges. "The attacker then could install a hidden login account" that he could use to come and go, without the real system administrator even noticing it, he says.

He also showed how an attacker could exploit the underlying database to insert a backdoor. The attack connects directly to the production database so the attacker can modify code in the SAP production system, he says. A third demo showed how an attacker could bypass security settings to modify the SAP app's authentication. "Someone could modify the login program so that the next time someone logs into the SAP application, a backdoor sends the user name and password to a remote Web server," Nunez Di Croce says.

The bad news is that even if an SAP or ERP backdoor is discovered, it's difficult to limit the attacker's access and activity. "It's difficult to prevent him from doing anything if he has full control: He's like a full [systems] administrator. How can you stop him from creating a new user or new privileges?" Nunez Di Croce says.

The best bet is to minimize risk by using automated controls and performing regular security assessments of the SAP applications, as well as penetration tests, he says. "You want to minimize the [chance of an] initial compromise," Nunez Di Croce says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights