Chinese attack on USIS using SAP vulnerability – Detailed review and comments
On the 11th of May, security headlines broke the news that the USIS (U.S. Investigations Services) cyber attack was potentially conducted by Chinese state-sponsored hackers via a vulnerability in SAP software. Hackers broke into third-party software in 2013 to open personal records of federal employees and contractors with access to classified intelligence, according to the government’s largest private employee investigation provider.
USIS is a federal contractor which conducts background checks for DHS – the largest commercial provider of background investigations to the federal government. It has more than 5,700 employees providing services in all 50 states, U.S. territories and overseas. As a result of the breach, more than 27,000 personnel seeking security clearances were compromised. Similar hacks also affected servers at the Office of Personnel Management (OPM), which holds information on security clearance investigations. Once hackers have a list of employees who possess government security clearances, they can exploit other aspects of those employees’ lives for further malicious gain.
Within a couple of hours of the news that an SAP vulnerability was involved, we contacted journalists at DarkReading and gave them feedback and some comments.
Now we are sharing all the comments we prepared, as well as additional research we conducted, to explain what the next steps can be for organizations that want to secure their systems and prevent these attacks.
Below you can find the timeline of this attack investigation, a collection of historical facts from different sources, and our comments on the topic.
Initial Attack against USIS Supplier potentially started .
Attack continued against USIS .
Both USIS and OPM were hacked around March 2014, and while the security controls in place at OPM’s networks shielded employee information, the networks at USIS were not as secured. At USIS, hackers deployed spyware designed to capture screenshots when a background check window was open,
– said a spokesman from Stroz Friedberg, a digital forensics agency.
Hackers infiltrated a network belonging to one of USIS’s suppliers that stored enterprise resource planning software. That network was connected to USIS’s network.
According to NextGov, “the attacker was able to navigate from the third-party-managed environment into the USIS network in late (redacted) by successfully brute-forcing a password on an application server,” – wrote Padres, referring to a hacking technique that systematically checks all possible passwords. “Once the attacker was able to log into that server, the attacker installed a malicious backdoor.”
June 05, 2014
USIS reported the cyberattack to federal authorities on June 5, more than two months before acknowledging it publicly.
July 09, 2014
It was reported that in March Chinese hackers broke into the computer networks of a United States government agency that houses the personal information of all federal employees. But officials also said that neither the personnel agency nor Homeland Security had identified any loss of personally identifiable information.
August 06, 2014
USIS published a press release stating that they had been hacked and that it was potentially a state-sponsored attack. They also hired an independent forensic investigation company, Stroz Friedberg, to perform an investigation.
August 22, 2014
Detailed information about the breach appeared in the news.
The agency has identified some 25,000 employees whose information it believes were exposed in the breach. While the number of employees affected is relatively small compared to breaches at retailers such as Target or Home Depot which have affected tens of millions of customers, nonetheless quite serious,
– one DHS official told Reuters.
Files on background checks contain highly sensitive data that foreign intelligence agencies could attempt to exploit to intimidate government workers with access to classified information.
This information includes Social Security numbers, education and criminal history, birth dates along with information about spouses, other relatives, and friends including their names and addresses. 
November 03, 2014
The first detailed information about the attack appeared on the Associated Press website. At this time there were no details indicating that an attack on an SAP ERP system had been used to conduct the breach.
A cyber attack similar to previous hacker intrusions from China penetrated computer networks for months at USIS, the government’s leading security clearance contractor, before the company noticed, officials and others familiar with an FBI investigation and related official inquiries. The breach, first revealed by the company and government agencies in August, compromised the private records of at least 25,000 employees at the Homeland Security Department and cost the company hundreds of millions of dollars in lost government contracts. In addition to trying to identify the perpetrators and evaluate the scale of the stolen material, the government inquiries have prompted concerns about why computer detection alarms inside the company failed to quickly notice the hackers and whether federal agencies that hired the company should have monitored its practices more closely
– reported The Associated Press.
In the private analysis prepared for USIS by Stroz Friedberg, a digital risk management firm, managing director Bret A. Padres said the company’s computers had government-approved “perimeter protection, antivirus, user authentication and intrusion-detection technologies.” But Padres said his firm did not evaluate the strength of USIS’ cybersecurity measures before the intrusion.
So, what can we learn from the statement “government inquiries have prompted concerns about why computer detection alarms inside the company failed to quickly notice the hackers”?
As we have mentioned in many reports, SAP Security, much like any other business application security area, is rarely covered by traditional security tools such as vulnerability management and intrusion detection systems. SAP has very specific vulnerabilities and configuration issues that should be assessed by high-quality experts. To give you an example, there are thousands of security-related parameters in each SAP System in the application server alone. In addition, 3300+ vulnerabilities were found in SAP from 2001 till 2015. To continue on the subject of complexity, there are 1200 web services installed by default on SAP NetWeaver 7.2 (SAP’s application server), and each web service is like a small website. So you can get an idea of the complexity of this system and how many issues can exist in it. Needless to say, “complexity kills security”. Even after SAP’s latest marketing campaign, “SAP is Simple” (which is a great idea), it will take years to make it really simple with such a number of legacy systems.
November 04, 2014
New information appeared in the news.
The hackers attacked a vulnerable computer server in a connected but separate network, managed by a third party not affiliated with USIS,
– said Bret Padres from Stroz Friedberg, a digital forensics agency.
Now we have learned that the actual attack was conducted via a separate network owned by a third party, but there is still nothing specific about how exactly it happened.
April 28, 2015
After almost 5 months of silence, some new information finally appeared, and this was the first source in which we found information pointing to the fact that the initial attack was against an ERP System, and that this ERP System was on a separate network managed by a separate company.
Hackers infiltrated a network belonging to one of USIS’s suppliers, which stored enterprise resource planning software. That network was connected to USIS’s network. 
The attacker was able to navigate from the third-party-managed environment into the USIS network in late (redacted) by successfully brute-forcing a password on an application server,
– wrote Padres.
When we speak about business applications, we need to consider their highly interconnected nature. You can’t just implement dozens of business applications in a company and leave them unconnected. For example, to automate business processes, your ERP system should be able to automatically create an invoice in a banking system, so these systems have to be connected on the application layer even if they are separated on the network. In real life we see dozens or even hundreds of connections between different SAP Systems, and some of these connections (so-called RFC Destinations) store usernames and passwords (according to our statistics, the average number of connections in an SAP System is about 50, while 30% of them usually store usernames and passwords).
Once an attacker gets access to the weakest SAP System, he can easily get access to connected systems, and from them to others, and so on, spreading his access like a spider’s web.
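To make the "spider's web" effect measurable on your own landscape, the following added example (not from the original article or from any SAP tool) computes which systems become reachable from a given system by following only RFC destinations that store a username and password. The CSV layout, system IDs, destination names and users are constructed assumptions, not an SAP export format.

```python
import csv
import io
from collections import deque

# Constructed inventory of RFC destinations, e.g. compiled by hand from
# SM59 reviews. Columns and values are hypothetical sample data.
INVENTORY_CSV = """source_sid,destination,target_sid,stored_user,stored_password
SUP,SUP_TO_ERP,ERP,RFC_BATCH,yes
SUP,SUP_MONITOR,MON,,no
ERP,ERP_TO_HR,HRP,ALEREMOTE,yes
ERP,ERP_TO_BW,BWP,BW_EXTRACT,yes
HRP,HR_TO_PORTAL,EPP,,no
BWP,BW_TO_ERP,ERP,BW_CALLBACK,yes
DEV,DEV_TO_ERP,ERP,DEVELOPER1,yes
"""


def load_destinations(text):
    """Parse the inventory into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def credential_edges(rows):
    """Keep only destinations that store both a user and a password."""
    edges = {}
    for row in rows:
        has_pw = row["stored_password"].strip().lower() == "yes"
        if has_pw and row["stored_user"].strip():
            edges.setdefault(row["source_sid"], []).append(
                (row["target_sid"], row["destination"]))
    return edges


def reachable_from(start, edges):
    """Breadth-first walk: target SID -> chain of destinations leading to it."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        sid = queue.popleft()
        for target, dest in edges.get(sid, []):
            if target not in paths:          # also guards against cycles
                paths[target] = paths[sid] + [dest]
                queue.append(target)
    del paths[start]
    return paths


def exposure_ranking(rows):
    """Rank every system by how many others a compromise of it exposes."""
    edges = credential_edges(rows)
    systems = {r["source_sid"] for r in rows} | {r["target_sid"] for r in rows}
    ranking = [(sid, len(reachable_from(sid, edges))) for sid in systems]
    return sorted(ranking, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    rows = load_destinations(INVENTORY_CSV)
    for sid, count in exposure_ranking(rows):
        print(f"{sid}: exposes {count} other system(s)")
```

Systems at the top of the ranking that are also the least protected (supplier, development or test systems) are where stored credentials should be removed or replaced with restricted technical users first.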
Another way business applications can be connected is via an Enterprise Service Bus or process integration system, such as SAP PI. These systems also have vulnerabilities, as reported by the ERPScan Research team at the BlackHat 2013 conference.
Finally, even where direct connections do not exist, research conducted by the ERPScan Research team explains how an SSRF attack can be used to bypass firewall restrictions and attack systems through their trust connections.
Taking those connections into account, it comes as no surprise that attackers were able to get access to the connected network of another company.
Finally, we would like to say that those connections can be even more dangerous in Manufacturing, Oil and Gas, and Nuclear companies, where SAP can be connected to field devices and the plant floor.
May 10, 2015
From the previous article we could conclude that this ERP system was most probably SAP, as the most popular one, and the new article confirmed this. NextGov became the first source to say that it was actually SAP.
That software apparently was an SAP enterprise resource planning application. It’s unclear if there was a fix available for the program flaw at the time of the attack. It’s also not clear whether SAP—which was responsible for maintaining the application—or USIS would have been responsible for patching the flaw. But in the end, sensitive details on tens of thousands of national security personnel were exposed in March 2014. Assailants infiltrated USIS by piggybacking on an “exploit,” a glitch that can be abused by hackers, that was present in a widely used and highly-regarded enterprise resource planning (‘ERP’) software package.
– an internal investigation obtained by Nextgov found.
USIS officials declined to explicitly name the software application, saying they would let the report, compiled by Stroz Friedberg, a digital forensics firm retained by USIS, speak for itself.
This article also attempts to look deeper into SAP vulnerabilities and guess what happened:
During the period of the hacking operation, which began in 2013 and was exposed in June 2014, 20 to 30 new critical vulnerabilities were identified in SAP’s enterprise resource planning software.
From our point of view, the real figures for potential vulnerabilities are much larger. If we assume that the real attack was conducted in 2013, let’s say at the beginning of the year, the actual number of vulnerabilities patched by SAP from 2001 to the middle of 2013 was about 2000, according to the research “SAP Security in figures 2013”, which is based on information from the SAP Support portal about all vulnerabilities.
The number of SAP vulnerabilities would have given attackers many options to target SAP directly, based on how USIS deployed the ERP tool
– said Richard Barger, chief intelligence officer at ThreatConnect, former Army intelligence analyst.
This is more than true. In addition to the more than 2000 potential vulnerabilities that existed in SAP applications, there can also be vulnerabilities in custom programs developed by the USIS subcontractor or even another third party.
It is unclear which vulnerability the intruders exploited. Defects in programs used by the government and contractors sometimes aren’t fixed for years after software developers announce a weakness.
May 11, 2015
Some other details appeared.
Lawmakers have been pressing for answers about the breach since last year. Suspected Chinese hackers got into the USIS systems in late 2013 but weren’t discovered until June 2014.
This does not surprise us at all. Some of the companies that we have had a chance to assess don’t have any visibility into their systems. According to our research, only 10% of customers really configure and analyze SAP Security logs and other events.
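As an added example (not from the original article or from any USIS report), this sketch shows the kind of event analysis discussed above: flagging a run of failed logons that ends in a successful logon for the same account and source, the pattern a brute-forced password leaves behind. AU1 (logon successful) and AU2 (logon failed) are SAP Security Audit Log message IDs; the CSV layout, account names, addresses and thresholds are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample events; the CSV layout is an assumption, not SAP's
# native audit file format. AU2 = logon failed, AU1 = logon successful.
EVENTS_CSV = """time,event,user,terminal
2024-01-15 02:00:01,AU2,SVC_BATCH,192.0.2.50
2024-01-15 02:00:03,AU2,SVC_BATCH,192.0.2.50
2024-01-15 02:00:05,AU2,SVC_BATCH,192.0.2.50
2024-01-15 02:00:07,AU2,SVC_BATCH,192.0.2.50
2024-01-15 02:00:09,AU2,SVC_BATCH,192.0.2.50
2024-01-15 02:00:11,AU2,SVC_BATCH,192.0.2.50
2024-01-15 02:00:13,AU1,SVC_BATCH,192.0.2.50
2024-01-15 08:59:40,AU2,JSMITH,WKS-0417
2024-01-15 09:00:05,AU1,JSMITH,WKS-0417
"""

LOGON_FAILED, LOGON_OK = "AU2", "AU1"
WINDOW = timedelta(minutes=10)   # hypothetical tuning values
THRESHOLD = 5


def parse_events(text):
    """Return events sorted by time, with 'time' parsed to datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return sorted(events, key=lambda e: e["time"])


def find_bruteforce_success(events, window=WINDOW, threshold=THRESHOLD):
    """Alert when >= threshold failures inside the window precede a
    successful logon for the same (user, terminal) pair."""
    recent_failures = {}
    alerts = []
    for ev in events:
        key = (ev["user"], ev["terminal"])
        # Drop failures that have aged out of the sliding window.
        fails = [t for t in recent_failures.get(key, [])
                 if ev["time"] - t <= window]
        if ev["event"] == LOGON_FAILED:
            fails.append(ev["time"])
        elif ev["event"] == LOGON_OK:
            if len(fails) >= threshold:
                alerts.append({"user": ev["user"], "terminal": ev["terminal"],
                               "failures": len(fails),
                               "success_at": ev["time"]})
            fails = []  # a success resets the streak
        recent_failures[key] = fails
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_success(parse_events(EVENTS_CSV)):
        print(alert)
```

A single mistyped password followed by a success (the JSMITH rows) stays below the threshold, while the six rapid failures ending in a success for the service account raise one alert.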
May 12, 2015
DarkReading published an article in which we gave our first comments regarding this breach.
So now, you can get the full picture of the USIS cyber attack, and there is only one question left – how this attack was conducted. Let’s try to answer it.
What kind of vulnerability was exploited?
The news states that the vulnerability is “present in a widely-used and highly regarded enterprise resource planning (‘ERP’) software package”.
No other details about the vulnerability were provided.
Let’s try to understand what kind of vulnerabilities were used in this attack, but first of all, let’s look at the history. We provide annual reviews of SAP vulnerabilities; these reports are usually titled “SAP Security in figures”:
- 2011. SAP SECURITY IN FIGURES 2007-2011 
- 2013. SAP SECURITY IN FIGURES 2013 
- 2014. Analysis of 3000 SAP Security notes 
- 2015. Blog post with latest review 
From those reports we can get information about the most critical vulnerabilities. Taking into account that the attack happened in late 2013, only the first three reports are relevant for us.
Another guideline provided by the ERPScan Research team focuses on the most popular vulnerabilities, taking their criticality into consideration as well. So, by combining data from these reports, we can give an overview of the vulnerabilities that were most probably used in this attack. Even if this assumption turns out not to be true, we will still get a list of the most critical and popular vulnerabilities affecting SAP ERP Systems. The fact that we are mostly looking for SAP ERP vulnerabilities should also be taken into account.
We also excluded most of the vulnerabilities that can be used only in combination with others, most of the highly specific vulnerabilities, and those vulnerabilities that require some user action, such as XSS. In the end we collected 15 vulnerabilities that were likely to have been used against an ERP System in this period of time and that can give an attacker an easy way to get full access to a vulnerable SAP System.
Finally, we limited the list of vulnerabilities by publication date and selected only those which were published before Q2 2013.
We added a couple of parameters to each vulnerability to calculate the final likelihood that this particular vulnerability was used.
- Criticality – Real impact on the system, such as full administrative access or just an information disclosure.
- Popularity – Amount of information in public sources, such as presentations, whitepapers, and advisories with a vulnerability description.
- Ease of exploitation – Whether there is a publicly available free tool with an exploit, or an exploit, or a POC, or an advisory, or some kind of details.
- Applicability – Our personal view of whether this vulnerability is applicable to the particular system that was used in the organization.
- Likelihood – Overall probability that this particular vulnerability was exploited, based on the previously mentioned parameters.
Below is the table with details of our analysis.
| Vulnerability Title | Year | Likelihood | Popularity | Criticality | Ease of exploitation | Applicability | CVSSv2 | Patch |
|---|---|---|---|---|---|---|---|---|
| Default passwords for administrative users | 2002 | 100.00% | 5 | 5 | 5 | 5 | N/A | 1414256 |
| RFC Gateway remote command execution | 2007 | 80.00% | 5 | 5 | 4 | 5 | 7.5 | 1425765, 1408081, 1473017, 1069911, 1480644, 614971, 1525125 |
| Remote code execution via TH_GREP | 2011 | 38.40% | 4 | 5 | 3 | 4 | 6.0 | 1620632 |
| Unauthorized access to SAP Management console | 2011 | 38.40% | 4 | 3 | 4 | 5 | 5.6 | 1439348 |
| SAP Host Control – Code Injection | 2012 | 36.00% | 3 | 5 | 5 | 3 | 10 | 1341333 |
| SAP Dispatcher – DIAG protocol Buffer Overflow | 2012 | 24.00% | 3 | 5 | 2 | 5 | 9.3 | 1687910 |
| Authentication bypass through Verb Tampering | 2011 | 20.00% | 5 | 5 | 5 | 1 | 10 | 1589525, 1624450 |
| Authentication bypass through the Invoker servlet | 2011 | 20.00% | 5 | 5 | 5 | 1 | 10 | 1585527 |
| SAP Message Server – Buffer Overflow | 2012 | 16.00% | 2 | 5 | 2 | 5 | 10 | 1649840 |
| SAP NetWeaver DI – Arbitrary file upload | 2013 | 10.24% | 2 | 4 | 2 | 4 | 9.3 | 1757675 |
| Message Server Auth Bypass | 2008 | 7.68% | 3 | 4 | 1 | 4 | 7.5 | 1421005 |
| SAP GRMGApp – XXE and authentication bypass | 2013 | 5.76% | 2 | 3 | 2 | 3 | 7.3 | 1729293, 1725390 |
| SAP NetWeaver J2EE – DilbertMSG SSRF | 2012 | 4.32% | 3 | 3 | 3 | 1 | 7.3 | 1707494 |
| Buffer overflow in ABAP Kernel call | 2011 | 3.20% | 1 | 5 | 1 | 4 | 4.8 | 1487330, 1529807 |
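A note added here, not part of the original analysis: every percentage in the table's likelihood column equals the product of that row's four 1-to-5 scores (Popularity $P$, Criticality $C$, Ease of exploitation $E$, Applicability $A$) divided by the maximum possible product:

$$\text{Likelihood} = \frac{P \cdot C \cdot E \cdot A}{5^4} = \frac{P \cdot C \cdot E \cdot A}{625}$$

For example, RFC Gateway remote command execution scores 5, 5, 4 and 5, giving $500/625 = 80\%$, and Remote code execution via TH_GREP scores 4, 5, 3 and 4, giving $240/625 = 38.4\%$. Because the scores are multiplied, a single low score (such as Applicability 1 for the two authentication bypass entries) pulls the result down sharply even when the other three are at the maximum.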
So, most likely the vulnerability that was used was one of these:
- Default passwords for administrative users
- RFC Gateway remote command execution
- SAP/Oracle REMOTE_OS_AUTHENT
- Remote code execution via TH_GREP
- Unauthorized access to SAP Management console
We recommend that you implement the most critical SAP Security Notes, which were probably used during this attack and which are listed in the table provided in the previous chapter.
Thirdly, check this presentation, as well as all our other slides and guidelines about SAP Security. You are also welcome to join us at security conferences worldwide. Here is the list of the nearest events.
Since all the steps discussed previously require a lot of manual effort, we recommend that you look at automated solutions to assess and secure your system as soon as possible, as nobody knows whether or not your system is under attack.
Takeaways for CISOs are:
As you see, when researchers start flagging security loopholes by publishing information about one system’s security vulnerability or another’s, it’s only a matter of time before cyber criminals actually exploit it. Who will fall victim is anybody’s guess. So it’s better to take precautionary action before a real example surfaces, and we started to talk about this 8 years ago.
Our lessons are simply these three:
- You can’t trust only traditional security solutions when it comes to advanced cyber attacks.
- You can’t be sure that everything is OK in your network unless you really monitor it from all angles. For SAP Security this means that VA, custom code security, SoD, and event monitoring should all be on the radar.
- Most important for business applications is that they are highly connected with each other, and, as you see in this example, it’s not only a problem of your own infrastructure’s cybersecurity, it’s also a problem of all your external connections and third-party cybersecurity.
So what it boils down to is that “a system is only as secure as its weakest link”.