Espionage, sabotage and fraud: attacks on ERP systems at the BlackHat DC conference

Black Hat

At the BlackHat DC conference, ERPScan experts spoke about attacks on corporate business applications that cybercriminals can use for espionage, sabotage and fraud against competitors. Previously unknown attack methods were presented against popular ERP systems such as SAP and JD Edwards, and against the OpenEdge RDBMS, a general-purpose platform for developing custom business applications.

Although companies like SAP and Oracle regularly release security updates for their products, those products remain targets of attacks aimed at architectural vulnerabilities and configuration errors. The talk by Alexander Polyakov, CTO of ERPScan, focused on architectural vulnerabilities in the listed systems and demonstrated several ways of exploiting them. Most of these vulnerabilities are hard to patch, which means they will remain exploitable for a long time.

Very few SAP system administrators install updates regularly, and extremely few people deeply understand the technical details of ERP systems; at best they limit themselves to SoD problems. That is why we see insecurely configured systems as the result of security assessments

– stated Alexander Polyakov.

One example from the talk: during an audit, a JD Edwards system of a roughly ten-year-old version was found with an architectural vulnerability that allowed any user to access all business-critical data. This vulnerability still exists in 2-tier installations with a fat client. Another architectural vulnerability was found in the OpenEdge RDBMS, which is used by many companies on the Fortune 100 list. This product contains a trivial error in authentication: verification of the password hash is implemented on the client side, so it is possible to authenticate to the system without knowing either the password or the user name. The problem is that such a vulnerability will not be fixed by the vendor, because fixing it would require rewriting the whole architecture.
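To make the authentication flaw concrete, here is an added example; it is not code from the talk and not OpenEdge's actual protocol, which the article does not describe. It models a hypothetical server that hands the stored salt and hash to the client and then accepts whatever verdict the client reports, beside a hardened server that keeps the comparison on its own side. All class names, the user record, the password and the KDF parameters are constructed for the example.

```python
"""Client-side vs server-side password verification (constructed illustration)."""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 50_000  # assumption for the example; tune for real deployments


def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


class UserStore:
    """Constructed user table: user -> (salt, hash)."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def add(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, pw_hash(password, salt))


class FlawedServer:
    """Hypothetical design in which the client performs the hash comparison.

    Step 1: the client requests the stored salt and hash for a user.
    Step 2: the client reports whether the password matched, and the
            server believes it. The server never sees the password.
    """

    def __init__(self, store: UserStore) -> None:
        self.store = store

    def fetch_credentials(self, user: str):
        return self.store.users.get(user)

    def login(self, user: str, client_verdict: bool) -> bool:
        # The only thing "authenticating" the session is a flag the client chose.
        return client_verdict


def honest_client_login(server: FlawedServer, user: str, password: str) -> bool:
    """A well-behaved client performs the comparison it was asked to do."""
    record = server.fetch_credentials(user)
    if record is None:
        return server.login(user, False)
    salt, stored = record
    verdict = hmac.compare_digest(pw_hash(password, salt), stored)
    return server.login(user, verdict)


def rogue_client_login(server: FlawedServer, user: str) -> bool:
    """An attacker's client skips the hash check and simply asserts success.

    No password and no valid user name is needed: the server trusts the flag.
    """
    return server.login(user, True)


class HardenedServer:
    """The comparison moves to the server: the client submits a password
    (assumed to travel over TLS) and never learns the stored hash."""

    def __init__(self, store: UserStore) -> None:
        self.store = store
        # Dummy record so that unknown users cost the same KDF work as known ones.
        self._dummy = (b"\x00" * 16, pw_hash("dummy", b"\x00" * 16))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self.store.users.get(user, self._dummy)
        matched = hmac.compare_digest(pw_hash(password, salt), stored)
        return matched and user in self.store.users


def demo() -> dict[str, bool]:
    """Run both designs against the constructed user store."""
    store = UserStore()
    store.add("alice", "correct horse battery staple")
    flawed, hardened = FlawedServer(store), HardenedServer(store)
    return {
        "flawed_honest_right_pw": honest_client_login(flawed, "alice", "correct horse battery staple"),
        "flawed_honest_wrong_pw": honest_client_login(flawed, "alice", "guess"),
        "flawed_rogue_unknown_user": rogue_client_login(flawed, "nobody"),
        "hardened_right_pw": hardened.login("alice", "correct horse battery staple"),
        "hardened_wrong_pw": hardened.login("alice", "guess"),
        "hardened_unknown_user": hardened.login("nobody", "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The rogue client against the flawed server succeeds with a user name that does not even exist, which is exactly the failure mode the article describes: once the verdict is computed where the attacker controls the code, the hash and the password stop mattering. Handing the stored hash to the client also turns every login attempt into an offline cracking opportunity, a second reason the hardened design never releases it.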

Another example is SAP SRM, which is used, among other things, to run tenders. Because of one architectural misconfiguration, any supplier can get access to the tenders of other suppliers and can even upload a Trojan into a competitor's network, which can then be used for industrial espionage.

The majority of the examples considered in the report tell us that the security of ERP applications is at the level of a decade ago, and with the trend to expose business applications on the Internet for exchanging data between company branches or suppliers, all these systems have become accessible to a wide range of people seeking to use these loopholes for personal purposes. Until now companies have spent millions of dollars eliminating SoD conflicts, and though that is an integral part of ERP security, the number of technical vulnerabilities is growing exponentially, as is the interest of attackers in these systems

– noted Alexander Polyakov.