SAP Malware – Detailed Interview with Alexander Polyakov
This is the complete version of the interview with ERPScan CTO Alexander Polyakov, which was published by Dark Reading under the title "Is a Tsunami of SAP Attacks Coming?"
Dark Reading: Can you tell me a little bit about trojan.ibank and how it attacks SAP? And what have you discovered about the collection of information about IPs running SAP to sell to other attackers?
Alexander Polyakov: Basically, it’s a very old trojan which is focused on stealing keys, passwords, and configuration from a wide range of Internet banking systems. The best part of the bot code is a VNC server implementation, including support for a protocol to work with a dedicated Zeus server, which is actually used to execute remote control. Otherwise, it’s just a regular banking trojan. But recently, our friends from the Dr.Web anti-virus company shared an example of a new modification of this trojan which checks whether an SAP GUI application is installed on the workstation. We can only guess its purpose, but there are at least 2 common scenarios. First, it can simply gather information, which can then be sold to 3rd parties. As our colleagues from the anti-virus industry said, there is demand on forums to buy infected workstations according to different criteria, such as installed software, geography, or specific companies. So why not?
The second way for attackers to use it is to wait until a critical mass of systems is infected and then upload a special module for SAP. We decided to make people and the SAP Product Security Response Team, with whom we work closely, aware of this before it happens.
Dark Reading: Why would that kind of intelligence (about the location of SAP users) be useful to attackers?
AP: It’s pretty simple. They already have access to infected workstations, and they know these workstations have SAP clients, which means that they have access to SAP servers. From the trojan description: “To intercept important data, the trojan uses a traffic analyzer, a web banking activities monitoring system, a screengrabber, and data collectors for various banking systems. The main objective of the trojan is to gather input from various window forms, to gather certificate files from secure workflow systems, and to intercept web traffic to redirect the archived information to the attackers’ server”.
So they can later upload a module which will read the SAP GUI configuration, including at least the SAP server IPs to which this user can connect. They can also read passwords from configuration files on workstations (they can sometimes be found there) or simply sniff them from the network. There are dozens of ways to steal those passwords and use them to connect to the SAP server. The attacker can then perform any kind of fraud in the system or simply steal critical information such as lists of clients or personal data of employees.
Dark Reading: Can you offer me some updates about the SAP Security in Figures project? In particular, how common is the vulnerability in SAProuter that you mentioned?
AP: Yes, we have just finally released the SAP Security in Figures 2013 whitepaper. The most interesting part was to analyze SAProuter and its vulnerabilities. The main mission of this service is to get updates from SAP and install them on SAP systems remotely. There are a number of ways of implementing it, including VPN access to SAP or exposing SAProuter remotely on a certain Internet port, which is 3299 by default and known to everybody.
First of all, we were interested in understanding how many of them are vulnerable to existing issues as well as to a very critical Heap Overflow vulnerability that was found by our researchers and was also nominated for the PWNIES awards at BH Vegas. The vulnerability allows getting full control over SAProuter within one TCP packet to obtain access to the internal corporate network. This issue was closed in May, but almost half a year later, we have found that only 15 % of about 5000 SAProuters available on the Internet were patched. It means that the majority of them (85 %) are vulnerable! Other less critical SAProuter issues are present in about 20 % of routers.
Dark Reading: Why do you think that more enterprises need to be concerned about attacks against ERP systems and other similar business applications? Are they generally ignoring security within these applications?
AP: Simply because those applications are the heart of any company, storing and processing all business-critical data. I can’t say that they are ignoring security in comparison with, like, 3-5 years ago. There’s been a huge change. Actually, since the beginning of 2013, lots of enterprises started projects to continuously monitor the technical side of SAP security, and they are quite good at this, too. But, taking into account that SAP alone has about 250000 customers, it’s still just the beginning.
Dark Reading: And are they any more vulnerable than other business applications? How easy is it to attack these systems?
AP: It’s hard to say which business applications are more vulnerable or less vulnerable. Every area that we have tried to analyze was easily broken: it was ERPs at first, but recently, at BlackHat USA, we showed examples of attacks on PeopleSoft HR and on Business Intelligence systems. But what I can conclude 100 % is that it is now way easier to break a complex business application than an OS or a browser. I found only one issue in Microsoft Windows but more than 150 in SAP applications.
Dark Reading: Can you give me a couple of examples of attacks on ERP that we’ve already seen?
AP: If you are interested in real examples of attacks, I can give a couple of public examples, but not exactly for ERP. For example, the recent attack on the USA DOE was against their HR system, and 14000 person records were stolen. Another interesting attack was against the Istanbul Provincial Administration, where hackers were able to erase debts. But if we talk about espionage, it’s hard to find many public examples – mostly because only 10 % of the SAP systems that we have analyzed use logging. It means that, even if there is a breach, it’s almost impossible to expose it. As for unpublished attacks, some of our customers told us about internal fraud like salary modification or backdoors left in ABAP code by 3rd party developers.
Dark Reading: What is the biggest lesson you want enterprises to learn—what should they be doing to mitigate ERP risks?
AP: At least they should start with something. We are working on EAS-SEC.org – it is a framework for securing business-critical applications during implementation and maintenance and during the development of custom applications. There are lists like the TOP 9 implementation issues and the TOP 9 development issues. It’s kind of like OWASP for business applications, but slightly different. This framework can help you to find the most critical issues first and then go for the less important ones.