SAP Security for CISO. Part 8: SAP Risks – Fraud
In my opinion, fraud is the most common issue in business applications, and in ERP systems in particular. Most Segregation of Duties (SoD) scenarios are about fraud, and every industry has its own examples of this risk. If an attacker or malicious insider obtains more privileges than the job requires, he or she can commit fraud in the system. According to the Association of Certified Fraud Examiners (ACFE), losses to internal fraud amount to 7 % of annual revenue (!) on average.
To make the examples easier to follow, let's group them by the object the fraud targets:
- Asset fraud, i.e. falsifying business-critical data so that money is spent where it is not required
- Raw materials fraud, i.e. manipulating the bill of materials
- Finished goods fraud, i.e. stealing goods from the warehouse or changing their price
- Funds fraud, i.e. transferring money to an unintended bank account
- Financial reports fraud, i.e. tampering with prices
- Payroll fraud, i.e. changing salaries
Real fraud examples for each category, and the ways they can be carried out in SAP, are given below.
Assets Fraud
Asset management is the backbone of every large company, and EAM (Enterprise Asset Management) systems serve this purpose. As we know from the previous part, SAP Risks – Sabotage, EAM systems are usually integrated with CBM (Condition Based Maintenance) systems to optimise business processes. If someone acts maliciously inside these systems, the data about equipment health can be modified. For example, an attacker may alter the data coming from CBM so that various pieces of equipment appear to need replacement, forcing the company to spend extra money and time on new equipment. Perpetrators can also purchase the "necessary" equipment in collusion with a supplier, or create a fictitious vendor for the purpose.
Raw Materials Fraud
Most companies use ERP for material resource management.
In industry, a BOM (Bill of Materials) lists the components and the quantity of each material needed to manufacture a product according to the specification. Manipulating this data, for instance by changing the recipe, creates a surplus of raw materials that can be stolen.
Another attack is the manipulation of data on the quantity of material in stock or in delivery, followed by pilfering from the warehouse in collusion with the employees entrusted with the stock. This can be done by directly modifying the tables that hold material quantities; information about these tables and their relationships is easy to find in open sources.
Finished Goods Fraud
In practice, fraud with finished goods is more common than fraud with raw materials, so here are some examples of how and what exactly can happen.
- Unauthorized product price modification. One of the SAP ECC modules is MM (Materials Management), which stores the actual data on material resources and goods' prices. With access to it, an attacker can manipulate the price data (using transaction MR21). A malicious insider can decrease the price and then buy the goods at a heavy discount through a fictitious vendor created in the system.
- Changing limits for operations. Access to the MM module may allow a perpetrator to change the tolerance limits for price and quantity changes. Disabling tolerance limits makes unlimited purchasing and selling operations possible.
Funds Fraud
Financial fraud, i.e. fraud in which the attacker steals money rather than goods, is the most widespread among insiders because the benefit is reaped immediately. Its drawback, from the perpetrator's point of view, is that it is comparatively easy to detect. A few examples follow.
- Theft of funds and corruption. Unauthorized access to SAP SCM (Supply Chain Management) can reduce the company's income or even transfer money to another organization. For example, an employee in collusion with a third-party organization steals funds by exploiting the difference between the real cost of services and the cost deceptively entered into SAP SCM through unauthorized access. Funds could also be transferred to a false vendor. A well-known example of such an attack is that of "a surreptitious vendor having bagged an order for bomb detectors with a total cost of 55 million dollars by Iraq. As it turned out, this operation was a fraud".
- Product cost manipulation. With access to the SD module, a perpetrator can change the data used in the product pricing process. Pricing in SAP products is automated and depends on the monetary value of the transaction, the type of customer, the season, discounts, markups, etc. The relevant condition records are maintained with transactions VK11, VK12 and VK14. Bear in mind that the automatic price calculation involves steps outside the reach of the people who execute the sales documents, so a manipulated price can easily go unnoticed.
The same attack is possible not only in SAP SCM but also if an attacker gains access to the SD (Sales and Distribution) module of SAP ECC. The attacker can create a fictitious customer with transaction VD01 and then raise sales orders for it with transaction VA01, shipping goods to a party he controls and so embezzling from the company.
Financial Reports Fraud
Now let's shift to more business-oriented scenarios. What about financial reports and other high-level data traditionally used by CxOs? They mostly live in Business Intelligence systems such as SAP BusinessObjects. There are at least three attack vectors:
- Unauthorized modification of financial report data. This can distract management, cause problems with the auditors and drain the return on investment of projects.
- Unauthorized modification of data on tangible and intangible resources. Estimates built on incorrect data about resource spending and employee workload lead to misuse of funds and cause direct and indirect losses.
- Unauthorized modification of sales report data can lead to wrong conclusions about pricing strategy and, as a result, to lost profits.
From a technical point of view, the SAP BI system is based on the SAP BusinessObjects platform, in which 80 vulnerabilities have been found, and the number of security issues grows every year. That number may not look alarming, but bear in mind that a single vulnerability is enough to gain access to all business-critical data.
Payroll Fraud
Access to the SAP HR system, and to the Payroll module in particular, allows insiders to change their own wages. Since a direct modification is easily detected, the real risk lies in changing the number of overtime hours to be processed, which affects total pay. Fraud of this kind is extremely difficult to detect. Tax exemptions and other values that affect total pay can be manipulated in the same way.
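The payroll scenario above is hard to catch if monitoring only watches the salary field. The following script is an added example, not code from the original article or from SAP: it runs a simple baseline comparison over a constructed payroll extract (employee number, period, base salary, overtime hours and rate, tax-exempt allowances), flags periods where net pay jumps although the salary may be unchanged, and names which component drove the jump. The flat tax model, the 15 % threshold and all records are assumptions made for the illustration.

```python
"""Detect indirect wage inflation in a payroll extract (added example).

The records below are constructed for illustration. Employee 1002 has an
unchanged base salary but a sudden surge of overtime hours; employee 1003
has a plain salary increase. Both should be flagged, with the driver named.
"""
from collections import defaultdict
from statistics import median

TAX_RATE = 0.20     # assumed flat tax on (pay - exemptions)
THRESHOLD = 0.15    # assumed: flag a net-pay rise above 15 % over the baseline

# (pernr, period, base salary, overtime hours, overtime rate, tax exemptions)
RECORDS = [
    ("1001", "2023-01", 4000, 4, 30, 100), ("1001", "2023-02", 4000, 6, 30, 100),
    ("1001", "2023-03", 4000, 5, 30, 100), ("1001", "2023-04", 4000, 5, 30, 100),
    ("1001", "2023-05", 4000, 4, 30, 100), ("1001", "2023-06", 4000, 6, 30, 100),
    ("1002", "2023-01", 4000, 5, 30, 100), ("1002", "2023-02", 4000, 4, 30, 100),
    ("1002", "2023-03", 4000, 6, 30, 100), ("1002", "2023-04", 4000, 5, 30, 100),
    ("1002", "2023-05", 4000, 5, 30, 100), ("1002", "2023-06", 4000, 60, 30, 100),
    ("1003", "2023-01", 4000, 5, 30, 100), ("1003", "2023-02", 4000, 5, 30, 100),
    ("1003", "2023-03", 4000, 5, 30, 100), ("1003", "2023-04", 5000, 5, 30, 100),
]


def net_pay(base, ot_hours, ot_rate, exemptions):
    """Net pay under the assumed flat-tax model."""
    gross = base + ot_hours * ot_rate
    taxable = max(gross - exemptions, 0)
    return gross - TAX_RATE * taxable


def by_employee(records):
    """Group records per employee, sorted by period."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[0]].append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: r[1])
    return groups


def flag_period(history, current):
    """Compare one period against the median of the employee's earlier periods.

    Returns None if net pay is within THRESHOLD of the baseline, otherwise a
    dict naming every component that rose. Base salary is compared exactly,
    because any change there is itself worth a look.
    """
    base_med = median(r[2] for r in history)
    ot_med = median(r[3] * r[4] for r in history)
    ex_med = median(r[5] for r in history)
    net_med = median(net_pay(*r[2:]) for r in history)
    cur_net = net_pay(*current[2:])
    if net_med <= 0 or (cur_net - net_med) / net_med <= THRESHOLD:
        return None
    drivers = []
    if current[2] > base_med:
        drivers.append("base salary")
    if current[3] * current[4] > ot_med * (1 + THRESHOLD):
        drivers.append("overtime pay")
    if current[5] > ex_med * (1 + THRESHOLD):
        drivers.append("tax exemptions")
    return {"baseline_net": round(net_med, 2), "net": round(cur_net, 2), "drivers": drivers}


def scan(records, min_history=3):
    """Return (pernr, period, finding) for every flagged period."""
    findings = []
    for pernr, recs in by_employee(records).items():
        for i in range(min_history, len(recs)):
            finding = flag_period(recs[:i], recs[i])
            if finding:
                findings.append((pernr, recs[i][1], finding))
    return findings


if __name__ == "__main__":
    for pernr, period, finding in scan(RECORDS):
        print(pernr, period, finding)
```

The point of comparing the derived net figure rather than the salary field is that the overtime case (employee 1002) never touches the salary at all; a control that only diffs the salary master record would stay silent.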
You have seen a range of fraud examples in different SAP systems, from asset fraud to plain embezzlement. These examples are a small part of what a perpetrator could do after gaining unauthorized access to an SAP system. Typical SoD matrices intended to identify users whose rights enable such attacks contain roughly 200 rules, not counting cases specific to particular verticals. And even with a perfectly configured set of SoD rights, any of the scenarios above can be reproduced by exploiting a common SAP vulnerability to gain administrator rights.
The next articles will shed light on the vulnerabilities a malicious actor could exploit to gain access to SAP systems.
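To make the SoD point concrete, and to tie together the create-partner-then-post-document scenarios from the Finished Goods and Funds sections (MR21, VK11/VK12, VD01 + VA01), here is an added example that is not code from the original article or from SAP. It evaluates a small, constructed SoD rule set against a constructed role-to-transaction and user-to-role mapping, and separately reports users holding access that makes any SoD result moot (an SAP_ALL profile, or user/role maintenance transactions). The role names, the rule list and the choice of "critical" transactions are assumptions; a real check would read the assignments from the system rather than from literals.

```python
"""Minimal SoD (Segregation of Duties) check over SAP-style assignments (added example).

Everything below is constructed for illustration: the rules, the roles and
the users. The check is done at user level on the union of all roles, because
a conflict split across two individually clean roles is the common real case.
"""

# Constructed SoD rules: transaction pairs one user must not hold together,
# with the fraud scenario from the article that the pair enables.
SOD_RULES = [
    ({"VD01", "VA01"}, "create customer + create sales order (ship goods to a controlled party)"),
    ({"XK01", "ME21N"}, "create vendor + create purchase order (pay a fictitious vendor)"),
    ({"MR21", "VA01"}, "change material price + create sales order (sell below value)"),
    ({"VK11", "VA01"}, "create pricing condition + create sales order"),
    ({"VK12", "VA01"}, "change pricing condition + create sales order"),
]

# Access that bypasses every SoD rule: the holder can grant themselves
# anything (SU01/PFCG) or edit tables directly (SE16N/SM30).
CRITICAL_TCODES = {"SE16N", "SM30", "SU01", "PFCG"}
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed role -> transactions and user -> roles / profiles mappings.
ROLE_TCODES = {
    "Z_SD_CUSTOMER_MAINT": {"VD01", "VD02", "VD03"},
    "Z_SD_ORDER_ENTRY": {"VA01", "VA02", "VA03"},
    "Z_SD_PRICING": {"VK11", "VK12", "VK13"},
    "Z_MM_VALUATION": {"MR21", "MR22"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},
}
USER_ROLES = {
    "ALICE": ["Z_SD_ORDER_ENTRY"],
    "BOB": ["Z_SD_CUSTOMER_MAINT", "Z_SD_ORDER_ENTRY"],   # conflict across two roles
    "CAROL": ["Z_SD_PRICING", "Z_SD_ORDER_ENTRY"],
    "DAVE": ["Z_BASIS_ADMIN"],
}
USER_PROFILES = {"ERIN": ["SAP_ALL"]}


def effective_tcodes(user):
    """Union of the transactions granted through all of the user's roles."""
    tcodes = set()
    for role in USER_ROLES.get(user, []):
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def sod_conflicts(user):
    """Rules whose transactions are all held by the user, regardless of which role grants them."""
    held = effective_tcodes(user)
    return [(frozenset(pair), why) for pair, why in SOD_RULES if pair <= held]


def critical_access(user):
    """Findings that make SoD results irrelevant for this user."""
    findings = [f"profile {p}" for p in USER_PROFILES.get(user, []) if p in CRITICAL_PROFILES]
    findings += [f"tcode {t}" for t in sorted(effective_tcodes(user) & CRITICAL_TCODES)]
    return findings


def report():
    """Per-user summary: SoD conflicts and critical access."""
    users = sorted(set(USER_ROLES) | set(USER_PROFILES))
    return {u: {"sod": sod_conflicts(u), "critical": critical_access(u)} for u in users}


if __name__ == "__main__":
    for user, result in report().items():
        for pair, why in result["sod"]:
            print(f"{user}: SoD conflict {sorted(pair)}: {why}")
        for item in result["critical"]:
            print(f"{user}: critical access: {item}")
        if not result["sod"] and not result["critical"]:
            print(f"{user}: clean")
```

Two things are worth noting. BOB is flagged although each of his roles is harmless on its own, which is why the check works on the user's effective transaction set and not per role. ERIN has no roles at all and still appears, because an SAP_ALL profile grants every transaction in the rule set; that is the "perfectly configured SoD rights do not help against administrator rights" point from the paragraph above, and the same applies to anyone who can reach SU01 or PFCG.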