|Click here for more of Dark Reading's Black Hat articles.|
The hacks don't exploit any new or existing vulnerabilities in SAP. Once the system is compromised, the attacker would grab the necessary elevated privileges to insert the stealthy backdoor code and remain under the radar to pilfer sensitive information. With the backdoor presence, the attacker could modify a victim company's electronic payments to a vendor, for example. "So every automated payment to that vendor would go to the attacker's [bank] account [instead]," Nunez Di Croce says.
But most organizations today don't consider SAP or other ERP apps a big target for attackers, Nunez Di Croce says. "They think of SAP security as segregation of duties, and management of user name and profiles," he says. "But it's much more than that."
ERP systems, which are tied in with a database platform and often contain multiple interfaces to other apps, run sensitive business processes, such as financial, sales, production, expenditures, billing, and payroll, so any such targeted attacks would be damaging financially and production-wise, Nunez Di Croce says. "This is very sensitive data the applications handle. They are running the most important business processes in the company," he says.
Nunez Di Croce will release a free tool in the next week for detecting the presence of SAP backdoors called Onapsis Integrity Analyzer for SAP. The tool checks for changes or modifications in the application's database and flags any suspicious activity that needs to be addressed. Onapsis is also developing a commercial product that performs vulnerability assessments and penetration testing on SAP applications, Nunez Di Croce says.
In one demo at Black Hat, Nunez Di Croce showed how an attacker could capitalize on unsecured integration settings between the SAP app and another application running on the system to then take over the SAP app with elevated user privileges. "The attacker then could install a hidden login account" that he could use to come and go, without the real system administrator even noticing it, he says.
He also showed how an attacker could exploit the underlying database to insert a backdoor. The attack connects directly to the production database so the attacker can modify code in the SAP production system, he says. A third demo showed how an attacker could bypass security settings to modify the SAP app's authentication. "Someone could modify the login program so that the next time someone logs into the SAP application, a backdoor sends the user name and password to a remote Web server," Nunez Di Croce says.
The bad news is that even if an SAP or ERP backdoor is discovered, it's difficult to limit the attacker's access and activity. "It's difficult to prevent him from doing anything if he has full control: He's like a full [systems] administrator. How can you stop him from creating a new user or new privileges?" Nunez Di Croce says.
The best bet is to minimize risk by using automated controls and performing regular security assessments of the SAP applications, as well as penetration tests, he says. "You want to minimize the [chance of an] initial compromise," Nunez Di Croce says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.