SAP Malware – Detailed Interview with Alexander Polyakov
This is the complete version of the interview with ERPScan CTO Alexander Polyakov that was published by Dark Reading: Is a Tsunami of SAP Attacks Coming?
To start, would you mind telling us a bit about Trojan.ibank, which you found recently, and how it attacks SAP?
Let’s start with what this thing is. Basically, it is just a modification of the rather old Shiz Trojan (also based partially on the Carberp family) that was initially designed to steal keys, passwords and information about the system configuration of Internet banks. Technically, the largest part of the old Trojan’s code is a remote desktop server implementation that is able to work with a dedicated Zeus server, and this was used to take remote control of the workstations. So we could say that it was an ordinary banking Trojan horse. You may ask why we became so interested in this Trojan, and the answer is quite simple: our friends from an anti-virus developers’ team told us that the main function of this modification of the Shiz Trojan (also known as Trojan.ibank) was to monitor whether the SAP client application was installed on workstations.
We can only guess now why hackers have upgraded the old Trojan with such functionality. But I could try to speculate on a few possibilities, based on similar situations from the world of digital security. The easiest way to use such a Trojan is simply to gather some general information about the infected workstation. Surprisingly enough, even such basic data can be sold to third parties. With a bit of searching, one can find special forums where information about a company’s location, its computer infrastructure and the installed software is offered for sale. Those places remind me of the black markets envisioned in sci-fi literature, but you would be surprised what people can sell in our IT-dominated world. We do not have to mention that trading in personal and business information is against the law. But, coming back to the discussion of this particular Trojan, the other way of using such a Trojan poses a real threat. Imagine that this thing is just sitting there and waiting for a critical number of systems to become infected. Then it just uploads a special alien module for SAP. Needless to say, we decided to warn our clients, the Internet community and the SAP security response team so that we could preclude such a scenario from happening.
But can you explain how information like an SAP user’s location could be useful to anybody?
Let me remind you what a Trojan is. To intercept important data it uses a traffic analyzer, a system that monitors web banking activities and a screen grabber. The main objective of the Trojan is to collect user input from various window forms, to gather certificate files from secure workflow systems, and to send this information to the attackers’ server. And in our case it already has access to the infected workstation and it knows that this workstation has an SAP client, which in turn means that the workstation has access to an SAP server. Further actions are simple: by looking at Microsoft’s report we can find that the Trojan already has functionality to take screenshots of logins to the SAP system and to collect critical data about systems, and the Trojan also has keylogging functionality to steal passwords entered during login. All this is enough to do a lot of dangerous stuff on an SAP server, so even this information can be sold to third parties. But what’s more dangerous, and what such Trojans usually do for every supported target system, is that a hacker can upload a module which will read the SAP GUI configuration, with at least the IPs of the SAP servers that can be connected to from the infected workstation. Also, the Trojan can read passwords from configuration files on this workstation, because sometimes they can be found there. So we are talking not just about location data, we are talking about much more sensitive types of information that can be collected. There are dozens of ways to steal those passwords and use them, for instance, to connect to the remote SAP server and commit a fraudulent transaction, or simply to steal critical information such as a client list or employees’ personal data.
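What the SAP GUI configuration on a workstation hands an attacker, as an added example (editor’s code, not part of the interview and not an ERPScan tool): it parses a saplogon.ini-style file, derives each entry’s DIAG port (3200 plus the two-digit instance number) and any SAP Router hops from the route string, and flags plaintext credential keys in a second logon config of the kind the answer above says can sometimes be found. Both config samples are constructed; the [Server]/[Database]/[Router] section names and ItemN keys follow the classic saplogon.ini layout and are an assumption here. Running the same parser over real workstation configs gives the defender the list of SAP hosts and routers that a compromised client could reach.

```python
"""Inventory what SAP GUI configuration on a workstation reveals to an attacker.

Added example: parses a saplogon.ini-style file (constructed sample below), derives
the DIAG port (3200 + instance number) and SAP Router hops for each entry, and
scans a second constructed config for stored plaintext credentials. Section and
key names ([Server], [Database], [Router], ItemN) follow the classic saplogon.ini
layout; treat them as an assumption, not as output of any real tool.
"""
import configparser
import re
from dataclasses import dataclass, field

# Constructed sample: two SAP GUI entries, the second reached through an SAP Router.
SAMPLE_SAPLOGON_INI = """\
[Description]
Item1=Production ERP
Item2=Dev system via router

[Server]
Item1=10.0.5.20
Item2=sapdev.corp.example

[Database]
Item1=00
Item2=01

[Router]
Item1=
Item2=/H/saprouter.corp.example/S/3299/H/
"""

# Constructed sample of a script/RFC logon config with a plaintext password.
SAMPLE_LOGON_CFG = """\
[Logon]
Client=100
User=BATCH_RFC
Password=Summer2013
Language=EN
"""

# One hop of an SAP route string: /H/<host>[/S/<port>]; SAP Router listens on 3299 by default.
ROUTE_HOP = re.compile(r"/H/(?P<host>[^/]+)(?:/S/(?P<port>\d+))?")
# Keys that look like stored secrets (password, passwd, pwd, secret), case-insensitive.
CRED_KEY = re.compile(r"^\s*(?P<key>[^=;#]*?(?:pass(?:word|wd)?|pwd|secret)[^=]*)=(?P<val>.*)$", re.I)
DIAG_BASE_PORT = 3200  # SAP GUI (DIAG) port is 3200 + two-digit instance number


@dataclass
class SapTarget:
    description: str
    host: str
    instance: str
    diag_port: int
    router_hops: list = field(default_factory=list)  # [(host, port), ...]


def parse_route_string(route: str) -> list:
    """Return [(host, port), ...] for each /H/ hop; a hop without /S/ gets port 3299."""
    return [(m.group("host"), int(m.group("port") or 3299)) for m in ROUTE_HOP.finditer(route)]


def parse_saplogon(text: str) -> list:
    """Turn saplogon.ini text into SapTarget records, one per ItemN key in [Server]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "ItemN" keys case-sensitive
    cp.read_string(text)
    targets = []
    for key, host in cp["Server"].items():
        instance = cp["Database"].get(key, "00") if cp.has_section("Database") else "00"
        description = cp["Description"].get(key, "") if cp.has_section("Description") else ""
        route = cp["Router"].get(key, "") if cp.has_section("Router") else ""
        targets.append(SapTarget(description, host, instance,
                                 DIAG_BASE_PORT + int(instance), parse_route_string(route)))
    return targets


def connect_targets(targets: list) -> list:
    """First network hop each entry needs: the SAP Router if configured, else the server's DIAG port."""
    return [t.router_hops[0] if t.router_hops else (t.host, t.diag_port) for t in targets]


def find_stored_credentials(text: str) -> list:
    """Return (line_no, key) for every credential-looking key=value line with a non-empty value."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = CRED_KEY.match(line)
        if m and m.group("val").strip():
            hits.append((line_no, m.group("key").strip()))
    return hits


if __name__ == "__main__":
    for t in parse_saplogon(SAMPLE_SAPLOGON_INI):
        hops = " via " + " -> ".join(f"{h}:{p}" for h, p in t.router_hops) if t.router_hops else ""
        print(f"{t.description}: {t.host}:{t.diag_port} (instance {t.instance}){hops}")
    for line_no, key in find_stored_credentials(SAMPLE_LOGON_CFG):
        print(f"plaintext credential key '{key}' at line {line_no} of logon config")
```

The `connect_targets` list is the practical output for a defender: every host:port pair in it is something the workstation can reach today and therefore something to watch in egress logs and SAP Router permission tables, while any hit from `find_stored_credentials` is a stored secret that should be moved out of plaintext files.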
We’ve heard that you are connected with the SAP Security in Figures project. Can you tell us something about it and about the recent updates you’ve made?
Yes, I’m proud to say that our team has finally released our SAP Security in Figures 2013 whitepaper (/wp-content/uploads/2013/11/SAP-Security-in-Figures-A-Global-Survey-2013.pdf). This time we were very excited about analyzing the SAP Router and its vulnerabilities. As you probably remember, the main purpose of this service is to get updates from SAP and install them on SAP systems remotely. There are a number of ways this can be implemented, either by configuring VPN access to SAP or by exposing the SAP Router service to the Internet on a port which is 3299 by default and well known to all who may be interested. That’s why we decided to analyze how many SAP Router services could be vulnerable to the existing issues, and especially to one very critical heap overflow vulnerability. It was found by our research team and was also nominated for the Pwnie Awards at Black Hat Vegas. This vulnerability allowed an attacker to get full control of the SAP Router with the help of only one TCP packet and to obtain access to the internal network of the company. This issue was closed in May 2013. But six months have passed, and to the great surprise of our team we found out that in fact only fifteen percent of the about 5000 SAP Routers available via the Internet were patched. And it means that a huge number of them, eighty-five percent to be precise, are still at risk. As for other critical SAP Router issues, they are present in about 20% of routers.
Do you think that more companies need to be warned about attacks on ERP systems and other business applications? And does it mean that security issues within business applications are usually ignored?
Let’s put it this way: business applications are the heart of the company, with all the business-critical data usually stored inside and used in complex business processes. That’s why more and more companies have started to worry whether their “heart” is well protected. However, the situation with data security processes in business applications, compared with the situation three or five years ago, has seen lots and lots of positive changes. Our team is collecting reports on the number of companies that have started projects for continuous monitoring of the technical side of SAP security and have become quite good at this process since the very beginning of 2013. But keeping in mind that SAP alone has about 250,000 customers, radical changes in the protection of ERP systems and other business applications are still to come.
Are ERP systems more vulnerable than other business applications? Is it easy to attack such systems?
It’s quite difficult to say whether one business application is more or less vulnerable than another. Frankly speaking, every area of business applications our team tried to analyze was easily broken. We started our tests with ERPs, but at Black Hat USA we have also shown examples of attacks on PeopleSoft HR and on Business Intelligence systems. And the only thing I can tell you with absolute certainty is that nowadays it is far easier to break a complex business application than any operating system or browser. My own experience shows that I could find only one issue in Microsoft Windows but more than 150 in SAP applications.
Can you give some examples of attacks that you have experienced while working with ERP systems?
If you are interested in examples of real attacks and data theft, I can give you some public examples, though not exactly connected with ERP. One of the recent attacks on the US DOE was against their HR system, and as a result fourteen thousand personal records were stolen. Another interesting attack was against the Istanbul Provincial Administration, and in that situation hackers gained access to debt-erasing functions. But when we start to talk about espionage, you have to keep in mind that it is hard to find many more public examples. This happens mostly because only ten percent of the SAP systems that we analyzed used logging. And it means that even if there is a breach, it’s almost impossible to find it. As for unpublished examples of hackers’ attacks on ERP applications, some of our customers told us stories about internal fraud like salary modification or backdoors left in ABAP code by third-party developers.
And finally, what can you recommend to companies to minimize the risk of their ERP system being hacked?
At least they should start with something. For example, our team is now working on EAS-SEC.org. It is a framework for securing business-critical applications during implementation, maintenance or development of custom applications. There are lists like “TOP-9 implementation issues” and “TOP-9 development issues”. It’s a kind of OWASP for business applications, but slightly different. This framework helps you to find the most critical issues in business applications first and then proceed to less important ones. Thank you, and may the Safeness of your Business be with you.