SAP Malware – Detailed Interview with Alexander Polyakov

This is the complete version of the interview with ERPScan CTO Alexander Polyakov published by Dark Reading as “Is a Tsunami of SAP Attacks Coming?”

To start, would you mind telling us a bit about Trojan.ibank, which you found recently, and how it attacks SAP?

Let’s start with what this thing is. Basically, it is just a modification of the rather old Shiz Trojan (also based partially on the Carberp family) that was initially designed to steal keys, passwords and information about the system configuration of Internet banks. Technically, the largest part of the old Trojan’s code is a remote desktop server implementation that is able to work with a dedicated Zeus server. This was used to take remote control of workstations. So we could say that it was an ordinary banking Trojan horse. You may ask why we became so interested in this Trojan, and the answer is quite simple: our friends on an anti-virus developers’ team told us that the main function of this modification of the Shiz Trojan (also known as Trojan.ibank) was to monitor whether the SAP client application was installed on workstations or not.

We can only guess now why hackers have upgraded the old Trojan with such functionality. I could try to speculate on a few possibilities, based on similar situations from the world of digital security. The easiest way to use such a Trojan is simply to gather some general information about the infected workstation. Surprisingly enough, even such basic data could be sold to third parties. Doing some research, one can find special forums where information about a company’s location, its computer infrastructure and the installed software is offered for sale. These places remind me of the black markets envisioned in sci-fi literature, but you would be surprised what people can sell in our IT-dominated world. We do not have to mention that the trade in personal and business information is against the law. However, coming back to the discussion of that particular Trojan, the other way of using such a Trojan poses a real threat. Imagine that this thing is just sitting there and waiting for a critical number of systems to become infected. Then it just uploads a special alien module for SAP. Needless to say, we decided to warn our clients, the Internet community and the SAP security response team so that we could preclude such a scenario from happening.

Can you explain how information like an SAP user’s location could be useful to anybody?

Let me remind you what a Trojan is. To intercept important data it uses a traffic analyzer, a system that monitors web banking activities and a screengrabber. The main objective of the Trojan is to collect user input from various window forms, to gather certificate files from secure workflow systems, and to send this information to the attackers’ server. In our case it already has access to the infected workstation and it knows that this workstation has the SAP client, which means that the workstation has access to the SAP server. Further actions are simple: by looking at Microsoft’s report we can find that the Trojan already has functionality to take screenshots of logins to the SAP system and collect critical data about the systems, and the Trojan also has keylogging functionality to steal passwords entered during login. All this is enough to do a lot of dangerous stuff on the SAP server, so even this information can be sold to third parties. What is more dangerous, and what such Trojans usually do for every target system, is that a hacker can upload a module which will read the SAP GUI configuration with at least the IPs of the SAP servers that can be connected to from the infected workstation. Also, the Trojan can read passwords from configuration files on this workstation, because sometimes they can be found there. So we are talking not just about location data; we are talking about much more sensitive types of information that can be collected. There are dozens of ways to steal these passwords and use them, for instance, to connect to the remote SAP server and commit a fraudulent transaction, or simply to steal critical information such as a client list or employees’ personal data.
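As an added illustration of the harvesting step described above (this is example code written for this page, not Polyakov’s code and not taken from the Trojan), the following Python shows what a module reading SAP GUI configuration on a workstation would learn, and the check a defender can run first. The saplogon.ini layout (ItemN entries mirrored across sections) and the .sap shortcut layout (INI-style sections with a [User] block) are assumptions for this example; the sample contents are constructed, not captured from a real machine. The DIAG port derivation (3200 + instance number) is standard SAP GUI behaviour.

```python
"""Enumerate SAP GUI connection data on a workstation the way a harvesting
module would, and flag shortcuts that store credentials. Added example."""
import configparser
from typing import Dict, List, Optional

# --- Constructed sample inputs (assumed layouts, not real workstation data) ---
# Assumption: saplogon.ini groups values by section, and ItemN in each section
# refers to the same connection entry.
SAPLOGON_INI = """\
[Description]
Item1=Production ERP
Item2=HR Development
[Server]
Item1=10.10.5.21
Item2=hrdev.corp.example
[Database]
Item1=00
Item2=01
[Router]
Item1=
Item2=/H/saprouter.corp.example/H/
"""

# Assumption: a SAP GUI shortcut (.sap) is INI-style; older shortcuts could
# carry the logon password in the [User] section.
SAP_SHORTCUT_WITH_PASSWORD = """\
[System]
Name=PRD
Client=100
[User]
Name=JSMITH
Language=EN
Password=Winter2013
[Function]
Command=SE16
"""

SAP_SHORTCUT_CLEAN = """\
[System]
Name=HRD
Client=200
[User]
Name=JSMITH
Language=EN
[Function]
Command=PA30
"""

DIAG_BASE_PORT = 3200  # SAP GUI (DIAG) listens on 32NN, NN = instance number


def _load(text: str) -> configparser.ConfigParser:
    # interpolation=None so '%' in values cannot break parsing
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def parse_saplogon_ini(text: str) -> List[Dict[str, Optional[object]]]:
    """Return one dict per connection entry: host, instance, router, DIAG port."""
    cp = _load(text)
    entries: List[Dict[str, Optional[object]]] = []
    servers = cp["Server"] if cp.has_section("Server") else {}
    for key, host in servers.items():  # key is 'item1', 'item2', ... (lowercased)
        instance = cp.get("Database", key, fallback="").strip()
        entries.append({
            "description": cp.get("Description", key, fallback="").strip(),
            "host": host.strip(),
            "instance": instance,
            "router": cp.get("Router", key, fallback="").strip(),
            "diag_port": DIAG_BASE_PORT + int(instance) if instance.isdigit() else None,
        })
    return entries


def parse_sap_shortcut(text: str) -> Dict[str, object]:
    """Extract system, client, user and whether a password is stored."""
    cp = _load(text)
    password = cp.get("User", "Password", fallback="")
    return {
        "system": cp.get("System", "Name", fallback=""),
        "client": cp.get("System", "Client", fallback=""),
        "user": cp.get("User", "Name", fallback=""),
        "password_stored": bool(password.strip()),
        "command": cp.get("Function", "Command", fallback=""),
    }


def audit(ini_text: str, shortcut_texts: List[str]) -> List[str]:
    """Summarise what an attacker would learn and what the defender must fix."""
    findings: List[str] = []
    for e in parse_saplogon_ini(ini_text):
        target = f"{e['host']}:{e['diag_port']}" if e["diag_port"] else str(e["host"])
        via = f" via SAProuter {e['router']}" if e["router"] else ""
        findings.append(f"reachable SAP system '{e['description']}' at {target}{via}")
    for text in shortcut_texts:
        s = parse_sap_shortcut(text)
        if s["password_stored"]:
            findings.append(f"shortcut for {s['system']}/{s['client']} stores a password "
                            f"for user {s['user']}: remove it and rotate the password")
    return findings


if __name__ == "__main__":
    for line in audit(SAPLOGON_INI, [SAP_SHORTCUT_WITH_PASSWORD, SAP_SHORTCUT_CLEAN]):
        print(line)
```

Run against real files (saplogon.ini under the user’s SAP GUI profile directory, and any *.sap shortcuts on the desktop or in mail attachments) the same two parsers give an inventory of which SAP servers a compromised workstation could reach and which shortcuts hand the attacker a ready-made logon; the shortcut with a stored password is the finding to act on first.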

We’ve heard that you are connected with the SAP Security in Figures project. Can you tell us something about it and about the recent updates you’ve made?

Yes, I’m proud to say that our team has finally released our SAP Security in Figures 2013 whitepaper.
This time we were very excited about analyzing SAProuter and its vulnerabilities. As you may remember, the main purpose of this service is to get updates from the vendor and install them on SAP systems remotely. There are a number of ways it can be implemented: either by configuring VPN access to SAP or by exposing the SAProuter service to the Internet on its port, which is 3299 by default and well known to everyone who might be interested. That’s why we decided to analyze how many SAProuter services could be vulnerable to the existing issues, and especially to one very critical heap overflow vulnerability. It was found by our research team and was also nominated for the Pwnie Awards at Black Hat Vegas. This vulnerability allowed an attacker to get full control of SAProuter with the help of only one TCP packet and to obtain access to the internal network of the company. This issue was closed in May 2013. But six months later, to the great surprise of our team, we found out that in fact only fifteen percent of the roughly 5000 SAProuters available via the Internet were patched. It means that a huge number of them, eighty-five percent to be precise, are at risk to this day. As for other critical SAProuter issues, they are present in about 20% of routers.

Do you think that more companies need to be warned about attacks on ERP systems and other business applications? And does it mean that security issues within business applications are usually ignored?

Let’s put it this way: business applications are the heart of a company, with all the business-critical data usually stored inside and used in complex business processes. That’s why more and more companies have started to worry about whether their “heart” is well protected. However, compared with the situation three or five years ago, data security processes in business applications have seen lots and lots of positive changes. Our team has been collecting reports about the number of companies that have started projects for continuous monitoring of the technical side of SAP security, and has become quite good at this process since the very beginning of 2013. Bearing in mind that SAP alone has about 250,000 customers, the radical changes in the protection of ERP systems and other business applications are yet to happen in the future.

Are ERP systems more vulnerable than other business applications? Is it easy to attack such a system?

It’s quite difficult to say which business application is more vulnerable than another. Frankly speaking, every area of business applications our team tried to analyze was easily broken. We started our tests with ERPs, but at Black Hat USA we have also shown examples of attacks on PeopleSoft HR and on Business Intelligence systems. The only thing I can tell you for sure is that nowadays it is far easier to break a complex business application than any operating system or browser. My own experience shows that I could find only one issue in Microsoft Windows but more than 150 in SAP applications.

Can you give some examples of attacks that you have experienced while working with ERP systems?

If you are interested in examples of real attacks and data theft, I can give you some public examples, but not exactly connected with ERP. One of the recent attacks on the US DOE was against their HR system, and as a result fourteen thousand personal records were stolen. Another interesting attack was against the Istanbul Provincial Administration, and in this case hackers gained access to debt-erasing functions. When we talk about espionage, you have to keep in mind that it is hard to find many more public examples. This happens mostly because only ten percent of the SAP systems that we analyzed used logging. It means that even if there is a breach, it’s almost impossible to detect it. As for unpublished examples of hackers’ attacks on ERP applications, some of our customers told us about internal fraud like salary modification or backdoors left in ABAP code by third-party developers.

And finally, what can you recommend to companies to minimize the risk of their ERP system being hacked?

At least they should start from something. For example, our team is now working on a framework for securing business-critical applications during implementation, maintenance or development of custom applications. There are lists like “TOP-9 implementation issues” and “TOP-9 development issues”. It’s a kind of OWASP for business applications, but slightly different. This framework helps you to find the most critical issues in the operation of business applications first and then proceed to the less important ones. Thank you, and may the Safeness of your Business be with you.
