Last week at RSA Europe, a leading researcher in the security of business-critical applications warned that a new wave of SAP attacks could crash down on enterprises after the discovery of an old banking Trojan had been modified to look for SAP GUI installations on infected endpoints. See full article here
The modified application was Trojan.ibank, which was recently found to be trolling for SAP installations by researchers at Dr. WEB, says Alexander Polyakov, co-founder and CTO of ERPScan. Polyakov brought up the modified malware in a broader talk at RSA about the dangers of SAP and ERP vulnerabilities. Polyakov told Dark Reading that one of the likely ways attackers could be using such targeted, malicious functionality could be for the purpose of gathering information that could be sold to third parties on the black market. But there could be another more dangerous motive.
A second way to use it ... is to wait until a critical mass of systems are infected and then upload a special module for SAP
he says, explaining this could be disastrous when combined with ibank's password-stealing functionality
There are dozens of ways to steal those passwords and use them. It is possible to connect to SAP Server and do any kind of fraud in the system, or simply steal critical information, such as client lists or employees' personal information. We decided to warn people and SAP's Security response team with whom we closely work before this can happen.
A long-time advocate for the improvement of security in business-critical business applications, such as SAP, Polyakov last week also presented findings from a recent survey of common SAP vulnerabilities and misconfigurations found within the typical enterprise. One of the key findings revolved around lingering problems from an extremely critical heap overflow vulnerability that ERPScan discovered and for which it was nominated for a Pwnie award at Black Hat Vegas.