Invest in security to secure investments

If I Want a Perfect Cyberweapon I'll Target ERP: Second edition.

Alexander Polyakov. CTO ERPScan
About ERPScan

•  The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
•  Leader by the number of acknowledgements from SAP (150+)
•  60+ presentations at key security conferences worldwide
•  25 awards and nominations
•  Research team - 20 experts with experience in different areas of security
•  Headquarters in Palo Alto (US) and Amsterdam (EU)
•  Intro
•  Big companies and critical systems
•  ERP Risks
•  How easy is that
•  What can happen
•  Examples
•  What we can do
•  Conclusions
Intro

Big companies

[Diagram of a big company's connected systems: Portal, HR, Logistics, Warehouse, ERP, Billing, Suppliers, Customers, Banks, Insurance Partners, Branches, BI, Industry, CRM, SRM]

Big companies

•  Oil and Gas
•  Manufacturing
•  Logistics
•  Financials
•  Nuclear Installations
•  Retail
•  Telecommunication
•  etc.
SAP

•  More than 246000 customers worldwide
•  86% of Forbes 500

Oracle

•  100% of Fortune 100

Microsoft

•  More than 300,000 businesses worldwide choose Microsoft Dynamics ERP and CRM software
Are business applications popular?

•  Business applications can make your life easier
•  There is a need to harness them to optimize business processes
•  Scope for enormous reductions in resource overheads and other direct monetary benefits
•  But there are potential problems that one can't disregard
•  The need to consider security cannot be overstated
•  And it's a REAL and existent risk
Business Applications

•  Espionage
–  Stealing financial information
–  Stealing corporate secrets
–  Stealing supplier and customer lists
–  Stealing HR data
•  Sabotage
–  Denial of service
–  Modification of financial reports
–  Access to the technology network (SCADA) via trust relations
•  Fraud
–  False transactions
–  Modification of master data
What can happen

•  I have spent 7 years analyzing the security of Business Applications
•  I started with simple things such as
–  web applications and CRM systems
–  Application servers such as WebSphere, WebLogic, Apache Tomcat...
–  Then databases: Oracle, MSSQL...
•  After that I switched to huge enterprises
–  SAP ECC / SAP Portal
–  Oracle PeopleSoft HRMS
–  Microsoft Dynamics
•  I exposed about 300 different vulnerabilities in those systems, and I can say it was not too hard
Why

•  Most of my work has focused on SAP Security
•  The things that will be discussed can be applied to every system
•  Just because I know SAP much better, most examples will be SAP relevant
•  Then again, all ideas, attacks and risks can be applied to every system
•  This talk is not a faultfinding exercise with SAP, as you may assume
•  It is about the things you need, that you can't afford to ignore, after the implementation of any business application which processes critical data
•  So, let's go!
SAP ECC Risks

•  Risk: misappropriation of material resources
•  Affecting: Oil and Gas, operations related to mining natural resources, Retail and others
•  Type: Insider Fraud
•  Module: MM (Materials Management) - part of ECC
•  An attacker can manipulate the data about the quantity of material resources in stock or in delivery, and pilfer from warehouses, at times in collusion with the very employees entrusted with stock-taking responsibilities.
SAP ECC Risks (1)

•  Risk: Blocking of materials for posting
•  Affecting: Retail, Other
•  Type: Sabotage
•  Module: MM (Materials Management) - part of ECC
•  It is possible to block material posting by starting a physical inventory process. While that count is open, no operations with the affected goods can be posted. The only way to get back to normal operations is to use the transaction responsible for freezing book inventory.
SAP ECC Risks (2)

•  Risk: Changing the goods' price
•  Affecting: Retail, Other
•  Type: Insider Fraud/Sabotage
•  Module: MM (Materials Management) - part of ECC
•  An attacker can manipulate the actual price data of goods (using transaction MR21, price change). Then there are two ways:
–  If you are an insider, you can decrease the price and then buy the goods at a high discount by creating a fake vendor in the system.
–  If you are a competitor, you can increase the prices of this company's goods so that the number of their existing clients declines. That's not all: now you can easily lure the affected clients by offering more competitive pricing.
SAP ECC Risks (3)

•  Risk: Changing limits for operations
•  Affecting: All
•  Type: Insider Fraud/Sabotage
•  Module: MM (Materials Management) - part of ECC
•  An attacker can change the tolerance limits for price and quantity, the thresholds beyond which a purchasing document is blocked until someone approves it. By modifying those limits it becomes possible to:
–  Disable the tolerance limits, which allows unlimited operations in purchasing and selling (Insider Fraud)
–  Tighten the tolerance limits to (or near) zero, which creates a denial of service because every purchase order then needs an approval (Sabotage)
SAP ECC Risks (4)

•  Risk: Stealing the Money!
•  Affecting: All
•  Type: Insider Fraud
•  Module: SD (Sales and Distribution) - part of ECC
•  An attacker can create a fake customer in the system using transaction VD01 (create customer, sales view) and, after that, generate a sales order for this customer using transaction VA01. This enables him to quietly siphon money out of the company.
SAP ECC Risks (5)

•  Risk: Changing credit limits
•  Affecting: All
•  Type: Sabotage
•  Module: SD (Sales and Distribution) - part of ECC
•  An attacker can modify the limits for credit operations using the transactions Customer Credit Management Change (FD32) or Credit Limit Data Mass Change (F.34). Once those limits are raised, goods will be shipped to customers on credit without any limit, and if there are no other checks or signs which can tell that credit limits are exceeded, the company even risks bankruptcy.
SAP ECC Risks (6)

•  Risk: Modification of price by changing conditions
•  Affecting: All
•  Type: Insider Fraud/Sabotage
•  Module: SD (Sales and Distribution) - part of ECC
•  In SAP, pricing is generated automatically based on predefined conditions. Conditions are the factors the system uses to calculate a price; they can include customer group, order quantity, date, discount and so on. These factors are stored as condition records in master data and are maintained with transactions VK11 (create), VK12 (change) and VK14 (create with reference). Since the price is usually calculated automatically and sales reps often don't remember all the conditions, any modification, such as increasing or decreasing a price, can often go undetected.
SAP ECC Risks (7)

•  Risk: Stealing credit card data
•  Affecting: Companies that store and process PCI data: Banks, Processing, Merchants, Payment Gateways, Retail
•  Type: Espionage
•  Module: SD (Sales and Distribution) - part of ECC
•  An attacker can get access to the tables that store credit card data. There are multiple tables in SAP where this data is stored, such as VCKUN, VCNUM and CCARDEC, and about 50 other tables. Stealing credit card data is a direct monetary and reputational loss.
SAP ECC Risks (8)

•  Risk: Modification of financial reports
•  Affecting: Any
•  Type: Sabotage
•  Module: SD (Sales and Distribution) or FI - part of ECC
•  An attacker can make an unauthorized modification of financial reports, thereby diverting management's focus from core business issues to problems with auditors, or leading management to choose a false direction based on fake financial reports.
SAP ECC Risks (9)

Some more examples of Fraud

•  Invoice the company for a greater number of hours than worked
•  Ghost employees of the vendor
•  Vendor employees billed at amounts higher than the contract rate
•  Vendor employees billed at a higher job classification than the actual work performed (skilled vs. non-skilled labor rates)
•  Invoice the company for incorrect equipment or materials charges
•  Vendor charges for equipment not needed or not used for the job performed

Some more examples of Fraud

•  Vendor charges for materials not used, or for materials that are for the personal benefit of a company employee
•  Vendor charges for equipment or material at higher prices than allowed by the contract
•  Invoice the company incorrectly for other services
•  Vendor charges for services performed where the work is not subject to an audit clause
•  Vendor charges include material purchases from, or work performed by, related companies at inflated prices

http://www.padgett-cpa.com/insights/articles/fraud-risks-oil-and-gas-industry
Fraud

•  An Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud
•  Average annual loss per organization to fraud was $500k + collateral damage
•  PwC survey: 3000 organizations in 54 countries - 30% were victims of economic crime in the previous 12 months
•  Real examples that we came across:
–  Salary modification
–  Material management fraud
–  Mistaken transactions
SAP ECC Vulnerabilities

•  2368 vulnerabilities were found in SAP NetWeaver ABAP based systems
•  1050 vulnerabilities were found in basic components which are the same for every system
•  About 350 vulnerabilities were found in ECC modules
•  Finally, we have around 1400 vulnerabilities affecting SAP ECC
•  This is critical considering that sometimes one vulnerability is enough to get access to all data
Public examples

•  Sabotage

Real example of stealing 14000 records

•  Target: HR system
•  Unauthorized disclosure of federal employee Personally Identifiable Information
US Department of Energy Breach

•  Unauthorized disclosure of federal employees' Personal Identity Information
•  Erase people's debts

Istanbul Provincial Administration
Potential Anonymous attack

Now, it adds, "We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they..." Anonymous claims to have a "sweet 0day SAP exploit", and the group intends to "sploit the hell out of it."

* This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.

Fraud in Oil and Gas

FRAUD and other infractions in Nigeria's critical oil and gas industry are enough to derail any stable economy, going by the report of the Petroleum Revenue Special Task Force by a former chairman of the Economic and Financial Crimes Commission (EFCC), Mallam Nuhu Ribadu.
SAP Security

What can happen?

What can be next?

•  Now imagine multiple attacks of the same type
•  Combine traditional fraud with a computer worm/malware
•  Just imagine what could be done by breaking:
–  All business applications of a company
–  All ERP systems of a particular industry
–  All ERP systems in a particular country
How easy is that?

Ease of development

•  Price of a vulnerability is low
•  Patching is a nightmare
•  Creation of an exploit is easy
•  Interconnection is high
•  Availability via the Internet
Price of vulnerability

•  Prices for typical vulnerabilities in Flash and browsers are getting higher
•  Security of applications and OS is growing
•  It is much easier to find an architecture vulnerability in ERP
•  And this vulnerability will work for years
•  3000 vulnerabilities closed by SAP alone

http://erpscan.com/publications/analysis-of-3000-vulnerabilities-in-sap/
SAP Security notes by year

[Chart: number of SAP Security Notes per year, 2001 to 2014, more than 3000 in total. The values printed on the chart, in the order extracted, are 1, 1, 13, 10, 10, 27, 14, 77, 130, 833, 731, 641, 364, 161 and 322; the extraction carries fifteen values for fourteen year labels, so the year-to-value mapping is not recoverable here.]

Number of vulnerabilities closed by SAP is about 5% of all existing vulnerabilities in the world
Patching is a nightmare

•  You need to halt business processes or production
•  Sometimes you need to update multiple parts
•  Examples of huge architectural issues from:
–  Microsoft Dynamics
–  Oracle JDE
–  SAP SDM
Microsoft Dynamics authentication

Dynamics security - only visual restrictions in the fat client

1.  The user enters the application login and password
2.  The client application takes the password and applies a "secret" modification to it
3.  The client application connects to the database with this password
4.  The client application just checks the type of user in a database table and, based on this information, decides what kind of functionality should be enabled in the client application
5.  But by connecting directly to the database we can do whatever we want

NO PATCH! Only a new architecture can help (but there isn't any)
Oracle JD Edwards authentication

•  JD Edwards security - only visual restrictions in the fat client
•  In fact, all users have rights to the company's data because the client is connected using the special account JDE
•  Then, depending on user and password, security is checked on the fat client
•  A user can connect directly to the database using the JDE account and modify his rights at the 'table level'
•  Every user can become Administrator
•  NO PATCH! The only solution is to move to a 3-tier architecture
SAP SDM authentication

•  Authentication is done by providing the hash of the password
•  It means that it is possible to do 'Pass-the-Hash'
•  First of all, the hash can simply be sniffed, so it is like authenticating with a clear-text password
•  Secondly, hashes are stored in an OS file, so they can be accessed by using other vulnerabilities
•  After getting a hash it is possible to upload any backdoor into SAP
•  To patch it you need to modify client and server at the same time
•  Install SAP Note 1724516
SAP NetWeaver ABAP - versions

NetWeaver ABAP versions by popularity (pie chart; the shares below are paired with releases in the order they were extracted, and the 35% figure is confirmed by the text)

•  35%  7.0 EHP 0 (Nov 2005)
•  23%  7.0 EHP 2 (Apr 2010)
•  19%  7.0 EHP 1 (Oct 2008)
•  11%  7.3 (Jun 2011)
•  6%   6.2 (Dec 2003)
•  5%   6.4 (Mar 2004)

The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!
Special payload is not needed

•  Remember the 'Verb Tampering' vulnerability for user creation
•  Just one request and you are inside the system
•  A second request and you are the 'admin'
•  Then you can do whatever you please with simple HTTP requests
•  If it is only a technical system you can jump to a connected system
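The bug class behind the verb-tampering bullet is a Java Servlet deployment-descriptor (web.xml) security constraint that lists HTTP methods: the container then enforces the role check only for the listed verbs, and a request using HEAD or any other verb reaches the servlet with no authentication at all. The following checker is an added example, not code from the slides and not SAP's; the two descriptors it parses are constructed, and the /admin/* path and the "administrators" role are invented.

```python
"""Finding verb-tampering exposure in a Servlet deployment descriptor.

Added example. Both descriptors below are constructed; the URL pattern
and role name are invented. The rule modelled is the Servlet one: a
<security-constraint> whose <web-resource-collection> lists <http-method>
elements applies only to those methods, so any other verb is uncovered.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Same descriptor with the <http-method> list removed: the constraint now
# covers every verb for /admin/*.
FIXED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")


@dataclass(frozen=True)
class Finding:
    url_patterns: Tuple[str, ...]
    listed_methods: Tuple[str, ...]
    roles: Tuple[str, ...]


def _qualifier(root):
    # web.xml elements live in the JavaEE namespace; build '{ns}name' tags.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    return lambda name: ns + name


def _texts(node, q, name) -> Tuple[str, ...]:
    return tuple((el.text or "").strip() for el in node.iter(q(name)))


def verb_tampering_findings(web_xml: str) -> List[Finding]:
    """Every role-protected constraint that restricts itself to listed verbs."""
    root = ET.fromstring(web_xml)
    q = _qualifier(root)
    findings = []
    for sc in root.iter(q("security-constraint")):
        if sc.find(q("auth-constraint")) is None:
            continue  # nothing is protected here, so there is nothing to bypass
        methods = _texts(sc, q, "http-method")
        if methods:
            findings.append(Finding(_texts(sc, q, "url-pattern"), methods,
                                    _texts(sc, q, "role-name")))
    return findings


def _path_matches(pattern: str, path: str) -> bool:
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return pattern == path


def requires_role(web_xml: str, path: str, method: str) -> bool:
    """Would the container demand a role for this request? A constraint with
    listed methods is skipped for any verb that is not in its list."""
    root = ET.fromstring(web_xml)
    q = _qualifier(root)
    for sc in root.iter(q("security-constraint")):
        if sc.find(q("auth-constraint")) is None:
            continue
        methods = _texts(sc, q, "http-method")
        if methods and method.upper() not in methods:
            continue  # verb not listed: this constraint silently does not apply
        if any(_path_matches(p, path) for p in _texts(sc, q, "url-pattern")):
            return True
    return False


if __name__ == "__main__":
    for f in verb_tampering_findings(VULNERABLE_WEB_XML):
        print(f"{f.url_patterns} only constrained for {f.listed_methods}; HEAD etc. are open")
    print("HEAD /admin/users needs a role:", requires_role(VULNERABLE_WEB_XML, "/admin/users", "HEAD"))
    print("after fix:", requires_role(FIXED_WEB_XML, "/admin/users", "HEAD"))
```

The fix is the one shown in FIXED_WEB_XML: drop the method list so the constraint covers all verbs (on Servlet 3.1 containers, `<deny-uncovered-http-methods/>` closes the gap globally). The checker does not model Servlet 3.0 `<http-method-omission>`, which is the safe inverse of the pattern, and it only understands exact and `/prefix/*` URL patterns.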
  
Systems are highly connected

•  Systems are highly connected with each other by trust relationships
•  Even between companies they are connected by ESB systems
•  Remember SSRF?
•  http://cwe.mitre.org/data/definitions/918.html
•  Second place in the Top 10 web application hacking techniques of 2012
•  Allows bypassing firewall restrictions and directly connecting to protected systems via connected systems
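The firewall-bypass point above rests on a server that fetches URLs on behalf of a client and checks the destination badly. The following is an added example of the weak check next to a hardened one; it is generic web code, not from the slides and not SAP's. DNS is injected as a lookup table so it runs offline: RESOLVER is constructed, the host names are invented, and the public address in it is only a placeholder.

```python
"""Server-side URL fetch: a weak destination check beside a hardened one.

Added example. RESOLVER is a constructed name-to-address table standing in
for DNS; 10.10.1.21 is an assumed internal SAP host and 93.184.216.34 is
a placeholder public address.
"""
import ipaddress
from typing import Callable, FrozenSet, Tuple
from urllib.parse import urlsplit

RESOLVER = {
    "reports.example.com": "93.184.216.34",   # placeholder public address
    "sapdev.corp.example": "10.10.1.21",      # assumed internal SAP system
    "localtest.example.com": "127.0.0.1",     # attacker-chosen name pointing at loopback
    "metadata.example": "169.254.169.254",    # link-local, cloud-metadata style
}

APPROVED: FrozenSet[str] = frozenset({"reports.example.com", "localtest.example.com"})


def weak_target_check(url: str) -> bool:
    """Denylist on the literal host name. Any name the attacker can point at
    an internal address passes, which is exactly how a 'connected system'
    behind the firewall gets reached through this server."""
    host = (urlsplit(url).hostname or "").lower()
    return host not in ("localhost", "127.0.0.1")


def hardened_target(url: str, resolve: Callable[[str], str],
                    allowed_hosts: FrozenSet[str]) -> Tuple[str, str]:
    """Return (host, ip) the fetcher may connect to, or raise ValueError.

    Allowlist the host, resolve it once, judge the *resolved* address, and
    hand the IP back so the caller connects to that IP and sends the Host
    header itself; resolving again at connect time would reopen a window
    for DNS rebinding."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"{host!r} is not an approved destination")
    ip = ipaddress.ip_address(resolve(host))
    if not ip.is_global:  # private, loopback, link-local, reserved, multicast
        raise ValueError(f"{host} resolves to non-public address {ip}")
    return host, str(ip)


def fetch_allowed(url: str, resolve: Callable[[str], str] = RESOLVER.__getitem__,
                  allowed_hosts: FrozenSet[str] = APPROVED) -> bool:
    """Boolean wrapper around hardened_target for quick policy checks."""
    try:
        hardened_target(url, resolve, allowed_hosts)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://reports.example.com/q", "http://sapdev.corp.example/sap/bc/",
              "http://localtest.example.com/", "http://metadata.example/"):
        print(f"{u:40} weak={weak_target_check(u)!s:5} hardened={fetch_allowed(u)}")
```

Note that the loopback and link-local names pass the weak check even though the allowlist on the hardened side contains one of them: the allowlist alone is not enough, the resolved address has to be checked too, and the check on an IPv6 deployment must run on the address family actually used for the connection.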
  
Business applications on the Internet

•  Companies have Portals, SRMs, CRMs remotely accessible
•  Companies connect different offices by ESB
•  SAP users are connected to SAP via SAProuter
•  Administrators open management interfaces to the Internet for remote control

Business applications on the Internet

SAP HTTP services can be easily found on the Internet:

•  inurl:/irj/portal
•  inurl:/IciEventService sap
•  inurl:/IciEventService/IciEventConf
•  inurl:/wsnavigator/jsps/test.jsp
•  inurl:/irj/go/km/docs/
Shodan scan

A total of 3741 servers with different SAP web applications were found

[Chart: growth by application server, with bars labelled 94%, 72%, 30%, -20% and -55%, and a breakdown by platform with shares of 40%, 34%, 20% and 6% across SAP NetWeaver J2EE, SAP NetWeaver ABAP and SAP Web Application Server. The extraction does not preserve which share belongs to which platform.]
SAP Router

•  Special application proxy
•  Transfers requests from the Internet to SAP (and not only)
•  Can work through VPN or SNC
•  Almost every company uses it for connecting to SAP to download updates
•  Usually listens on port 3299
•  Internet accessible (approximately 5000 IPs)
•  http://www.easymarketplace.de/saprouter.php
SAP Router: known issues

•  Absence of ACL - 15%
–  Possible to proxy any request to any internal address
•  Information disclosure about internal systems - 19%
–  Denial of service by opening many connections to any of the listed SAP servers
–  Proxying requests to the internal network if there is no ACL
•  Insecure configuration, authentication bypass - 5%
•  Remote code execution - 85%
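The "absence of ACL" finding above comes down to the route-permission table (saprouttab) that saprouter evaluates top to bottom, first match wins, refusing anything unmatched. The following linter is an added example, not ERPScan's tooling and not part of the original slides: it parses a constructed permit-all table next to a constructed hardened one, reports the rules that turn the router into an open proxy, and answers whether a given connection would get through. It handles P/D/S rules (KP/KD/KS are treated the same way), host fields that are a name, an IPv4 address or an IPv4 pattern with `*` octets, and a port that is a number or `*`; the addresses are RFC 5737 documentation addresses apart from 10.10.1.21, an assumed internal SAP host.

```python
"""Offline linter for a saprouter route-permission table (saprouttab).

Added example; both tables are constructed. Rule syntax handled:
    P|D|S  <source-host>  <dest-host>  <dest-serv>  [password]
saprouter applies the first matching rule and refuses unmatched connections;
S permits SAP protocol only, P permits any protocol, D denies.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WEAK_SAPROUTTAB = """\
# constructed: the permit-all table found on many Internet-facing routers
P * * *
"""

HARDENED_SAPROUTTAB = """\
# constructed: SAP GUI from two offices to the dispatcher only (S = SAP protocol)
S 198.51.100.10 10.10.1.21 3200
S 198.51.100.11 10.10.1.21 3200
# placeholder pattern standing in for the SAP support network
P 192.0.2.* 10.10.1.21 3200
# explicit catch-all deny so the intent is auditable
D * * *
"""


@dataclass(frozen=True)
class Rule:
    action: str   # 'P' permit, 'D' deny, 'S' permit SAP protocol only
    src: str
    dst: str
    port: str
    line_no: int


def parse_saprouttab(text: str) -> List[Rule]:
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"line {n}: expected action src dst port")
        action = parts[0].upper().lstrip("K")   # KP/KD/KS (SNC) behave like P/D/S
        if action not in ("P", "D", "S"):
            raise ValueError(f"line {n}: unknown action {parts[0]!r}")
        rules.append(Rule(action, parts[1], parts[2], parts[3], n))
    return rules


def host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if "*" in pattern and pattern.count(".") == 3 and host.count(".") == 3:
        return all(p == "*" or p == h for p, h in zip(pattern.split("."), host.split(".")))
    return pattern.lower() == host.lower()


def port_matches(pattern: str, port: int) -> bool:
    return pattern == "*" or pattern == str(port)


def decide(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; no match means the router refuses the connection."""
    for r in rules:
        if host_matches(r.src, src) and host_matches(r.dst, dst) and port_matches(r.port, port):
            return r.action, r
    return "D", None


def lint(rules: List[Rule]) -> List[str]:
    findings = []
    for r in rules:
        if r.action in ("P", "S") and r.src == "*" and r.dst == "*":
            findings.append(f"line {r.line_no}: '{r.action} * * {r.port}' lets any Internet source reach any internal host")
        elif r.action in ("P", "S") and r.dst == "*":
            findings.append(f"line {r.line_no}: destination '*' makes the router an open proxy for {r.src}")
        elif r.action == "P" and r.port == "*":
            findings.append(f"line {r.line_no}: port '*' permits non-SAP services on {r.dst}; prefer S or an explicit port")
    if not rules or (rules[-1].action, rules[-1].src, rules[-1].dst) != ("D", "*", "*"):
        findings.append("no explicit final 'D * * *' rule (unmatched connections are refused anyway, but say so)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SAPROUTTAB), ("hardened", HARDENED_SAPROUTTAB)):
        rules = parse_saprouttab(text)
        print(name, "ssh from 203.0.113.77 to 10.10.9.9 ->", decide(rules, "203.0.113.77", "10.10.9.9", 22)[0])
        for f in lint(rules):
            print("  ", f)
```

The decision function is the part worth keeping in a pipeline: run it for the source addresses and ports an attacker would try (anything to port 22, 445 or the database port of the SAP host) against the table checked into configuration management, and fail the build when the answer is not `D`.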
  
Port scan results

•  Are you sure that only the necessary SAP services are exposed to the Internet?
•  We were not
•  In 2011, we ran a global project to scan all of the Internet for SAP services
•  It is not completely finished yet, but we have the results for the top 1000 companies
•  We were absolutely shocked by what we saw!

Port scan results

[Chart: exposed services in 2011 versus 2013, count per service on an axis from 0 to 35, for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server, httpd and SAP Router]

The listed services should not be accessible from the Internet

Examples

SAP Worm
SAP Security Forensics

•  There is not much information about breaches in the public domain
•  Companies are not interested in publicizing compromises
•  But the main problem is here:
–  How can you be sure that there was no compromise?
–  Only 10% of systems have the Security Audit Log enabled
–  Only a few of them analyze those logs
–  And far fewer do central storage and correlation

* Based on the assessment of over 250 servers of companies that allowed us to share results.
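What "correlation" of the Security Audit Log looks like for the fraud paths on the ECC risk slides (MR21, FD32, F.34, VK11/VK12/VK14, VD01, VA01) is shown below as an added example; it is not ERPScan code and not part of the original deck. The six log lines are constructed, and their pipe-separated layout is an assumed export format rather than the binary audit file that SM20 reads; the message IDs AU1, AU3, AU7 and AUB are Security Audit Log message classes, while the allowlist of who may run which transaction is invented. None of this fires unless the audit log is switched on (profile parameter rsau/enable = 1) with filters that include user-master and transaction-start events, which is the 10% problem the slide describes.

```python
"""Correlating SAP Security Audit Log records around the fraud transactions
named on the ECC risk slides.

Added example. SAMPLE_LOG is constructed; its layout
(timestamp|client|user|terminal|message id|detail) is an assumed export
format. Message IDs: AU1 logon successful, AU3 transaction started,
AU7 user created, AUB authorizations for user changed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Transactions the ECC risk slides name as fraud or sabotage paths.
CRITICAL_TCODES: Set[str] = {"MR21", "FD32", "F.34", "VK11", "VK12", "VK14", "VD01", "VA01"}

# Assumed business allowlist: users expected to run each critical transaction.
ALLOWED: Dict[str, Set[str]] = {
    "VA01": {"SALES17"},
    "FD32": {"CREDIT02"},
    "MR21": {"COSTING01"},
}

SAMPLE_LOG = """\
# constructed sample, not real data
2014-03-03 09:12:41|100|BASIS01|WS-ADM-07|AU7|ZTEMP01
2014-03-03 09:13:05|100|BASIS01|WS-ADM-07|AUB|ZTEMP01
2014-03-03 09:20:17|100|ZTEMP01|WS-ADM-07|AU1|A
2014-03-03 09:21:02|100|ZTEMP01|WS-ADM-07|AU3|MR21
2014-03-03 10:02:55|100|SALES17|WS-SAL-22|AU3|VA01
2014-03-03 11:40:09|100|PURCH03|WS-PUR-03|AU3|FD32
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    client: str
    user: str
    terminal: str
    msg: str
    detail: str


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str
    ts: datetime


def parse_log(text: str) -> List[Event]:
    """Parse the constructed export format and return events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, user, terminal, msg, detail = line.split("|", 5)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            client, user, terminal, msg, detail))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: List[Event], allowed: Dict[str, Set[str]] = ALLOWED,
              window: timedelta = timedelta(hours=24)) -> List[Alert]:
    """Three rules: an admin who creates an account and then changes its
    authorizations; that new account running a critical transaction within
    `window`; and anyone outside the allowlist running a critical transaction."""
    alerts: List[Alert] = []
    created: Dict[str, Tuple[str, datetime]] = {}   # new user -> (creator, when)
    self_provisioned: Set[str] = set()
    for e in events:
        if e.msg == "AU7":
            created[e.detail] = (e.user, e.ts)
        elif e.msg == "AUB" and e.detail in created and created[e.detail][0] == e.user:
            self_provisioned.add(e.detail)
            alerts.append(Alert("self-provisioned-user", e.user, e.detail, e.ts))
        elif e.msg == "AU3" and e.detail in CRITICAL_TCODES:
            if e.user in self_provisioned and e.ts - created[e.user][1] <= window:
                alerts.append(Alert("new-user-critical-tcode", e.user, e.detail, e.ts))
            elif e.user not in allowed.get(e.detail, set()):
                alerts.append(Alert("tcode-outside-allowlist", e.user, e.detail, e.ts))
    return alerts


def run_sample() -> List[Alert]:
    return correlate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts:%Y-%m-%d %H:%M:%S}  {a.rule:<24} user={a.user:<8} detail={a.detail}")
```

On the sample this yields three alerts: BASIS01 provisions ZTEMP01 and grants it authorizations, ZTEMP01 runs the price-change transaction MR21 eight minutes later, and PURCH03 runs credit-limit maintenance (FD32) without being on the list for it; the SALES17 sales order is the one legitimate event. The rules need the events of several users and several minutes side by side, which is why the slide's point about central storage matters: per-system viewing in SM20 would not surface the chain.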
  
•  EAS-SEC: a resource which combines
–  Guidelines for assessing enterprise application security
–  Guidelines for assessing custom code
–  Surveys about enterprise application security
Defense

1.  Lack of patch management
2.  Default passwords
3.  Unnecessary enabled functionality
4.  Remotely enabled administrative services
5.  Insecure configuration
6.  Unencrypted communications
7.  Internal access control and SoD
8.  Insecure trust relations
9.  Monitoring of security events

http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/

EAS-SEC Guidelines

•  Guides
•  Security assessments
•  Code review
•  Continuous monitoring of all areas
•  Segregation of duties
Conclusion

•  Issues are everywhere; it is not only an ERP problem
•  It is also not just a SAP problem; other applications are the same
•  The problem is that the price of a 'lapse' in Business Applications is much bigger than in traditional IT security

Questions?


1. Invest in security to secure investments. If I Want a Perfect Cyberweapon I'll Target ERP: Second edition. Alexander Polyakov, CTO ERPScan

2. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

3. Intro
• Intro
• Big companies and critical systems
• ERP Risks
• How easy is that
• What can happen
• Examples
• What we can do
• Conclusions

4. Big companies
Diagram of the connected systems of a large company: Portal, HR, Logistics, Warehouse, ERP, Billing, Suppliers, Customers, Banks, Insurance Partners, Branches, BI, Industry, CRM, SRM

5. Big companies
• Oil and Gas
• Manufacturing
• Logistics
• Financials
• Nuclear Installations
• Retail
• Telecommunication
• etc.

6. If business applications are popular?
SAP
• More than 246000 customers worldwide
• 86% of Forbes 500
Oracle
• 100% of Fortune 100
Microsoft
• More than 300,000 businesses worldwide choose Microsoft Dynamics ERP and CRM software

7. Business Applications
• Business applications can make your life easier
• The need to harness them to optimize business processes
• Scope for enormous reductions in resource overheads and other direct monetary benefits
• Potential problems that one can't disregard
• The need to consider security, can it be overstated!
• And it's a REAL and existent risk

8. What can happen
• Espionage
 – Stealing financial information
 – Stealing corporate secrets
 – Stealing supplier and customer lists
 – Stealing HR data
• Sabotage
 – Denial of service
 – Modification of financial reports
 – Access to the technology network (SCADA) by trust relations
• Fraud
 – False transactions
 – Modification of master data

9. Why
• I have spent 7 years analyzing security of Business Applications
• I started with simple things such as
 – web applications and CRM systems
 – Application servers such as WebSphere, WebLogic, Apache Tomcat..
 – Then databases: Oracle, MsSQL…
• After that I switched to huge enterprises
 – SAP ECC / SAP Portal
 – Oracle PeopleSoft HRMS
 – Microsoft Dynamics
• I exposed about 300 different vulnerabilities in those systems and I can say it was not too hard

10. SAP
• Most of my work has focused on SAP Security
• Things that will be discussed can be applied to every system
• Just because I know SAP much better, most examples will be SAP relevant.
• Then again, all ideas, attacks and risks can be applied to every system
• This talk is not a faultfinding exercise with SAP, as you may assume
• It is about the things you need and can't afford to ignore after the implementation of any business application which processes critical data
• So, let's go!

11. SAP ECC Risks (1)
• Risk: misappropriation of material resources
• Affecting: Oil and Gas, operations related to mining natural resources, Retail and others
• Type: Insider Fraud
• Module: MM (Material Management) – part of ECC
• An attacker can manipulate data about the quantity of material resources in stock or in delivery and pilfer from warehouses, at times in collusion with the very employees entrusted with the stock-taking responsibilities.

12. SAP ECC Risks (2)
• Risk: Blocking of materials for posting
• Affecting: Retail, Other
• Type: Sabotage
• Module: MM (Material Management) – part of ECC
• It is possible to block material posting by starting the physical inventory process. Thus it will not be possible to do any operations with goods. The only way to get back to normal operations is to use the transaction responsible for Freezing Book Inventory.

13. SAP ECC Risks (3)
• Risk: Changing the goods' price
• Affecting: Retail, Other
• Type: Insider Fraud/Sabotage
• Module: MM (Material Management) – part of ECC
• An attacker can manipulate the actual price data of goods (by using transaction MR21). Then there are two ways:
 – If you are an insider, you can decrease the price and then buy goods with a high discount by creating a fake vendor in the system.
 – If you are a competitor, you can increase prices for this company's goods, so that the number of their existing clients declines. That's not all: now you can easily lure the affected clients by offering more competitive pricing.

14. SAP ECC Risks (4)
• Risk: Changing limits for operations
• Affecting: All
• Type: Insider Fraud/Sabotage
• Module: MM (Material Management) – part of ECC
• An attacker can change the tolerance limits for price and quantity. By modifying those limits it will be possible to:
 – By disabling tolerance limits, make unlimited operations in purchasing and selling (Insider Fraud)
 – By increasing tolerance limits, make a denial of service attack, because for all purchase orders there should be an approval (Sabotage)

15. SAP ECC Risks (5)
• Risk: Stealing the Money!
• Affecting: All
• Type: Insider Fraud
• Module: SD (Sales and Distribution) – part of ECC
• An attacker can create a fake vendor in the system by using transaction VD01 and after that generate a sales order for this vendor by using transaction VA01. It will enable him to quietly siphon off money from the company.

16. SAP ECC Risks (6)
• Risk: Changing credit limits
• Affecting: All
• Type: Sabotage
• Module: SD (Sales and Distribution) – part of ECC
• An attacker can modify the limits for operations with credit by using the transactions Customer Credit Management Change (FD32) or Credit Limit Data Mass Change (F.34). By modifying those limits, the company will procure goods without any limits, and if there are no other checks or signs which can tell that credit limits are exceeded, the company even risks bankruptcy.

17. SAP ECC Risks (7)
• Risk: Modification of price by changing conditions
• Affecting: All
• Type: Insider Fraud/Sabotage
• Module: SD (Sales and Distribution) – part of ECC
• In SAP, pricing is automatically generated based on predefined conditions. Conditions are factors used by the system to calculate a price. They can include factors such as customer group, order quantity, date, discount and so on. These factors are stored as condition records in master data and controlled by transactions VK11, VK12, VK14. Taking into account that the price is usually calculated automatically and sales reps often don't remember all conditions, any modification such as increasing or decreasing the price can often go undetected.

18. SAP ECC Risks (8)
• Risk: Stealing credit card data
• Affecting: Companies that store and process PCI data: Banks, Processing, Merchants, Payment Gateways, Retail.
• Type: Espionage
• Module: SD (Sales and Distribution) – part of ECC
• An attacker can get access to the tables that store credit card data. There are multiple tables in SAP where this data is stored: tables such as VCKUN, VCNUM, CCARDEC and also about 50 other tables. Stealing of credit card data is a direct monetary and reputation loss.

19. SAP ECC Risks (9)
• Risk: Modification of financial reports
• Affecting: Any
• Type: Sabotage
• Module: SD (Sales and Distribution) or FI – part of ECC
• An attacker can make an unauthorized modification of financial reports, thereby diverting management's focus from core business issues to problems with auditors, or leading management to choose a false direction based on fake financial reports.

20. Some more examples of Fraud
• Invoice the company for a greater number of hours than worked
• Ghost employees of the vendor
• Vendor employees billed at amounts higher than the contract rate
• Vendor employees billed at a higher job classification than the actual work performed (skilled vs. non-skilled labor rates)
• Invoice the company for incorrect equipment or materials charges
• Vendor charges for equipment not needed or not used for the job performed

21. Some more examples of Fraud
• Vendor charges for materials not used, or materials are for the personal benefit of a company employee
• Vendor charges for equipment or material at higher prices than allowed by the contract
• Invoice the company incorrectly for other services
• Vendor charges for services performed where the work is not subject to an audit clause
• Vendor charges include material purchases from, or work performed by, related companies at inflated prices
http://www.padgett-cpa.com/insights/articles/fraud-risks-oil-and-gas-industry

22. Fraud
• The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.
• Average annual loss per organization for fraud was $500k + collateral damage
• PWC Survey: 3000 organizations in 54 countries – 30% were victims of economic crime in the previous 12 months
• Real examples that we came across:
 – Salary modification
 – Material management fraud
 – Mistaken transactions

23. SAP ECC Vulnerabilities
• 2368 vulnerabilities were found in SAP NetWeaver ABAP-based systems
• 1050 vulnerabilities were found in basic components which are the same for every system
• About 350 vulnerabilities were found in ECC modules.
• Finally, we have around 1400 vulnerabilities affecting SAP ECC
• This is critical considering that sometimes one vulnerability is enough to get access to all data

25. US Department of Energy Breach
• Sabotage
• Real example of stealing 14000 records
• Target: HR system
• Unauthorized disclosure of federal employee Personally Identifiable Information

26. Istanbul Provincial Administration
• Unauthorized disclosure of federal employees' Personal Identity Information
• Erase people's debts

27. Potential Anonymous attack
Now, it adds, "We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they..." Anonymous claims to have a "sweet 0day SAP exploit", and the group intends to "sploit the hell out of it."
* This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.

28. Fraud in Oil And Gas
FRAUD and other infractions in Nigeria's critical oil and gas industry are enough to derail any stable economy, going by the report of the Petroleum Revenue Special Task Force by a former chairman of the Economic and Financial Crimes Commission (EFCC), Mallam Nuhu Ribadu.

29. SAP Security: What can happen?

30. What can be next?
• Now imagine multiple attacks of the same type
• Combine traditional fraud with a computer worm/malware
• Just imagine what could be done by breaking:
 – All business applications of a company
 – All ERP systems of a particular industry
 – All ERP systems in a particular country

31. SAP Security: How easy is that?

32. Ease of development
• Price of vulnerability is low
• Patching is a nightmare
• Creation of an exploit is easy
• Interconnection is high
• Availability via the Internet

33. Price of vulnerability
• Prices for typical vulnerabilities in Flash and browsers are getting higher.
• Security of applications and OS is growing
• It is much easier to find an architecture vulnerability in ERP
• And this vulnerability will work for years
• 3000 vulnerabilities closed only by SAP
http://erpscan.com/publications/analysis-of-3000-vulnerabilities-in-sap/

34. SAP Security notes by year
• More than 3000 in total
• Chart: number of SAP Security Notes per year, 2001 to 2014 (bar values as extracted: 1, 1, 13, 10, 10, 27, 14, 77, 130, 833, 731, 641, 364, 161, 322)
• The number of vulnerabilities closed by SAP is about 5% of all existing vulnerabilities in the world

35. Patching is a nightmare
• You need to halt business processes or production
• Sometimes you need to update multiple parts
• Examples of huge architectural issues from:
 – Microsoft Dynamics
 – Oracle JDE
 – SAP SDM

36. Microsoft Dynamics authentication
Dynamics security – only visual restrictions of the fat client
1. The user enters the application login and password
2. The client application takes the password and makes a "secret" modification to it
3. The client application connects to the database with this password
4. The client application just checks the type of user in a database table and, based on this information, decides what kind of functionality should be enabled in the client application.
5. But by connecting directly to the database we can do whatever we want
NO PATCH! Only a new architecture can help (but there isn't any)

37. Oracle JD Edwards authentication
• JD Edwards security – only visual restrictions of the fat client
• In fact, all users have the rights to the company's data because the client is connected using the special account JDE
• Then, depending on the user and password, the security is checked on the fat client
• A user can connect directly to the database using the JDE account and modify his rights at the 'table level'
• Every user can become Administrator
• NO PATCH! The only solution is to move to a 3-tier architecture
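Slides 36 and 37 describe the same architectural flaw twice: a two-tier client connects to the database with shared credentials and merely hides the functions the user is not supposed to see. The Python sketch below is an added illustration, not code from Microsoft, Oracle or ERPScan. It models that pattern against an in-memory SQLite database, beside the three-tier alternative the JD Edwards slide recommends, in which clients never hold a database connection and the server re-checks the caller's role on every call. The schema, table and column names (users, user_type, prices) and the sample rows are assumptions made for the demo.

```python
"""Added example: 'visual restrictions in the fat client' versus server-side
authorization. Not vendor code; schema and names are assumptions for the demo."""
import sqlite3


def make_db():
    # Constructed sample data: a shared application schema with a role column
    # (user_type) and a price table that only ADMIN users may change.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, user_type TEXT)")
    con.execute("CREATE TABLE prices (material TEXT PRIMARY KEY, price REAL)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "ADMIN"), ("bob", "CLERK")])
    con.execute("INSERT INTO prices VALUES ('MAT-1', 100.0)")
    con.commit()
    return con


def current_price(con, material):
    return con.execute("SELECT price FROM prices WHERE material = ?",
                       (material,)).fetchone()[0]


class FatClient:
    """Two-tier pattern (slides 36-37): the client owns a full-rights DB
    connection and merely disables UI features based on user_type."""

    def __init__(self, con, user):
        self.con = con
        self.user_type = con.execute(
            "SELECT user_type FROM users WHERE name = ?", (user,)).fetchone()[0]

    def set_price(self, material, price):
        if self.user_type != "ADMIN":
            return "button disabled"        # the only check that exists
        self.con.execute("UPDATE prices SET price = ? WHERE material = ?",
                         (price, material))
        return "ok"


def direct_db_write(con, material, price):
    # Anything that reaches the database with the shared account skips the
    # client-side check entirely; this is the 'table level' access the slides
    # describe, and why no patch to the client alone can fix it.
    con.execute("UPDATE prices SET price = ? WHERE material = ?",
                (price, material))


class AppServer:
    """Three-tier pattern: clients talk only to the server, which looks up the
    caller's role and enforces it on every operation before touching the DB."""

    def __init__(self, con):
        self._con = con                      # never handed to clients

    def _user_type(self, user):
        row = self._con.execute("SELECT user_type FROM users WHERE name = ?",
                                (user,)).fetchone()
        return row[0] if row else None

    def set_price(self, user, material, price):
        if self._user_type(user) != "ADMIN":
            return "denied"
        self._con.execute("UPDATE prices SET price = ? WHERE material = ?",
                          (price, material))
        return "ok"


def demo():
    """Returns the outcomes of both designs for a CLERK and an ADMIN."""
    two_tier = make_db()
    bob = FatClient(two_tier, "bob")
    ui_result = bob.set_price("MAT-1", 1.0)           # "button disabled"
    direct_db_write(two_tier, "MAT-1", 1.0)           # same DB account, no check
    after_bypass = current_price(two_tier, "MAT-1")   # 1.0

    three_tier = make_db()
    server = AppServer(three_tier)
    clerk_result = server.set_price("bob", "MAT-1", 1.0)     # "denied"
    admin_result = server.set_price("alice", "MAT-1", 50.0)  # "ok"
    return (ui_result, after_bypass, clerk_result, admin_result,
            current_price(three_tier, "MAT-1"))


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is where the decision lives: in the two-tier model the database account is the real principal and the role column is advisory, so the only durable fix is the one slide 37 names, a middle tier that owns the connection and authorizes every request.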
38. SAP SDM authentication
• Authentication is done by providing the hash of the password
• It means that it is possible to do 'PassTheHash'
• First of all, the hash can simply be sniffed, so it is like authenticating using the clear password.
• Secondly, hashes are stored in an OS file, so they can be accessed by using other vulnerabilities.
• After getting a hash it is possible to upload any backdoor into SAP
• To patch it you need to modify client and server at the same time.
• Install SAP Note 1724516
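The SDM slide says the wire credential is a static hash, which is why a captured value works as a replay. The following added example (illustrative, not SAP's SDM protocol and not the fix in SAP Note 1724516) contrasts that design with a challenge-response exchange: the server issues a single-use nonce and the client answers with an HMAC keyed by a password-derived key, so a sniffed proof cannot be presented a second time. Password, salt size and iteration count are constructed for the demo.

```python
"""Added example: why 'hash as credential' (slide 38) is replayable and how a
challenge-response exchange removes the replay. Illustrative only; this is not
SAP's SDM protocol or the fix shipped in SAP Note 1724516."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


class StaticHashServer:
    """Weak design: the client sends a fixed hash of the password, so anyone
    who captures that value once can present it again (pass-the-hash)."""

    def __init__(self, password):
        self.stored = hashlib.sha256(password.encode()).digest()

    def login(self, presented_hash):
        return hmac.compare_digest(self.stored, presented_hash)


class ChallengeResponseServer:
    """Hardened design: the server issues a single-use random nonce and the
    client proves knowledge of the password-derived key with an HMAC over
    that nonce. A captured proof is useless because its nonce is spent."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                       self.salt, ITERATIONS)
        self._open_nonces = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._open_nonces.add(nonce)
        return self.salt, nonce

    def login(self, nonce, proof):
        if nonce not in self._open_nonces:      # unknown or already used: replay
            return False
        self._open_nonces.discard(nonce)        # single use, even if proof is wrong
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def client_proof(password, salt, nonce):
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo(password="constructed-demo-password"):
    # Static scheme: the captured value logs in as often as it is replayed.
    static = StaticHashServer(password)
    captured = hashlib.sha256(password.encode()).digest()   # what a sniffer sees
    static_first = static.login(captured)
    static_replay = static.login(captured)

    # Challenge-response: replaying the captured proof fails, and so does a
    # proof computed from the wrong password for a fresh nonce.
    cr = ChallengeResponseServer(password)
    salt, nonce = cr.challenge()
    proof = client_proof(password, salt, nonce)             # what a sniffer sees
    cr_first = cr.login(nonce, proof)
    cr_replay = cr.login(nonce, proof)
    salt2, nonce2 = cr.challenge()
    cr_wrong = cr.login(nonce2, client_proof("wrong password", salt2, nonce2))
    return static_first, static_replay, cr_first, cr_replay, cr_wrong


if __name__ == "__main__":
    print(demo())
```

Challenge-response only fixes the first of the slide's two points. The server-side key is still credential-equivalent, so the second point (hashes readable from an OS file through some other weakness) remains and has to be handled by protecting that file; the slide's note that client and server must change together follows from the fact that both ends of the exchange are different from the static scheme.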
39. SAP NetWeaver ABAP - versions
• Chart: NetWeaver ABAP versions by popularity (shares as extracted: 35%, 23%, 19%, 11%, 6%, 5%; legend: 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004))
• The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!

40. Special payload is not needed
• Remember the 'Verb Tampering' vulnerability for user creation
• Just one request and you are inside the system
• A second request and you are the 'admin'
• Then you can do whatever you please with simple HTTP requests
• If it is only a technical system, you can jump to a connected system
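Slide 40's "one request" relies on an authorization rule that enumerates the HTTP verbs it expects, so a request with any other verb reaches the handler unchecked. The toy dispatcher below is an added example, not SAP's implementation: it shows that pattern next to a default-deny version that rejects unknown verbs first and applies the authorization check regardless of verb. The path, role name and handler are assumptions for the demo.

```python
"""Added example: the HTTP verb-tampering pattern from slide 40, shown as a
vulnerable dispatcher beside a default-deny one. Toy code, not SAP's
implementation; paths and roles are assumptions for the demo."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str]          # None means unauthenticated


PROTECTED_PATHS = {"/admin/create_user"}


def create_user_handler(req):
    return 200, "user created"


def vulnerable_dispatch(req):
    """The authorization rule lists the verbs it expects, so a request with
    any other verb (HEAD, or an invented one) skips the check while the
    handler below still runs for it."""
    if req.path in PROTECTED_PATHS and req.method in ("GET", "POST"):
        if req.user != "admin":
            return 403, "forbidden"
    if req.path in PROTECTED_PATHS:
        return create_user_handler(req)
    return 404, "not found"


ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def hardened_dispatch(req):
    """Default deny: unknown verbs are rejected first, the authorization
    check is applied regardless of verb, and HEAD is treated as GET without
    a body rather than as a separate, unprotected case."""
    if req.method not in ALLOWED_METHODS:
        return 405, "method not allowed"
    if req.path in PROTECTED_PATHS and req.user != "admin":
        return 403, "forbidden"
    if req.path in PROTECTED_PATHS:
        status, body = create_user_handler(req)
        return status, ("" if req.method == "HEAD" else body)
    return 404, "not found"


def demo():
    """Status codes both dispatchers return for the same constructed requests."""
    anon_head = Request("HEAD", "/admin/create_user", None)
    anon_post = Request("POST", "/admin/create_user", None)
    admin_post = Request("POST", "/admin/create_user", "admin")
    odd_verb = Request("FOO", "/admin/create_user", "admin")
    return {
        "vulnerable_anon_head": vulnerable_dispatch(anon_head)[0],   # 200: check skipped
        "hardened_anon_head": hardened_dispatch(anon_head)[0],       # 403
        "vulnerable_anon_post": vulnerable_dispatch(anon_post)[0],   # 403
        "hardened_admin_post": hardened_dispatch(admin_post)[0],     # 200
        "hardened_unknown_verb": hardened_dispatch(odd_verb)[0],     # 405
    }


if __name__ == "__main__":
    print(demo())
```

The same detection idea applies in logs: a 200 on an administrative path for a verb the application never legitimately uses (HEAD, or anything outside the allowed set) is a cheap signal to alert on, independent of whether the code has been fixed yet.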
41. Systems are highly connected
• Systems are highly connected with each other by trust relationships
• Even between companies they are connected by ESB systems
• Remember SSRF?
• http://cwe.mitre.org/data/definitions/918.html
• Second place in the Top 10 web application techniques of 2012
• Allows bypassing firewall restrictions and directly connecting to protected systems via the connected systems
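The SSRF point (CWE-918, linked above) is that a trusted system will happily fetch a URL on behalf of a caller, so the network perimeter is no longer the boundary. One defensive control is an egress guard applied to every server-initiated request. The example below is added here and is not ERPScan or SAP code; the allowlisted partner hostname is an assumption, and the resolver is injectable so the demo runs offline against constructed DNS answers.

```python
"""Added example: an egress guard for server-side requests (SSRF, CWE-918 as
linked on slide 41). Not ERPScan or SAP code; the allowlisted partner host is
an assumption and the resolver is injectable so the demo runs offline."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only legitimate external peer this system should call.
ALLOWED_HOSTS = {"partner-esb.example.com"}
ALLOWED_SCHEMES = {"https"}


def check_outbound_url(url, resolve=socket.gethostbyname):
    """Return (allowed, reason). Every rejection is explicit so it can be logged."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"       # blocks host@other-host confusion
    host = parts.hostname
    if not host or host.lower() not in ALLOWED_HOSTS:
        return False, "host not allowlisted"
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError, TypeError):
        return False, "host does not resolve"
    if not addr.is_global:
        # An allowlisted name that resolves to 10/8, 127/8, link-local and so
        # on would land the request inside the protected network: refuse it.
        return False, "resolves to a non-public address"
    return True, "ok"


def demo():
    """Constructed resolver tables stand in for live DNS."""
    good_dns = {"partner-esb.example.com": "1.2.3.4"}.get
    rebound_dns = {"partner-esb.example.com": "10.20.30.40"}.get
    return {
        "partner": check_outbound_url("https://partner-esb.example.com/orders", good_dns),
        "internal_host": check_outbound_url("https://sap-prd.corp.internal/", good_dns),
        "plain_http": check_outbound_url("http://partner-esb.example.com/", good_dns),
        "userinfo_trick": check_outbound_url("https://partner-esb.example.com@10.0.0.5/", good_dns),
        "rebound": check_outbound_url("https://partner-esb.example.com/", rebound_dns),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Resolving the name and checking the address, rather than only matching the hostname string, is what catches the last case: the allowlist alone would pass a name whose DNS answer has been pointed at an internal range. The guard should run at the moment the connection is opened, using the same resolution the HTTP client will use.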
42. Business applications on the Internet
• Companies have Portals, SRMs and CRMs remotely accessible
• Companies connect different offices by ESB
• SAP users are connected to SAP via SAPRouter
• Administrators open management interfaces to the Internet for remote control

43. Business applications on the Internet
SAP HTTP services can be easily found on the Internet:
• inurl:/irj/portal
• inurl:/IciEventService sap
• inurl:/IciEventService/IciEventConf
• inurl:/wsnavigator/jsps/test.jsp
• inurl:/irj/go/km/docs/

44. Shodan scan
• A total of 3741 servers with different SAP web applications were found
• Chart: growth by application server (values as extracted: 94%, 72%, 30%, -20%, -55%)
• Chart: share by application server (values as extracted: 40%, 34%, 20%, 6%; legend: SAP NetWeaver J2EE, SAP NetWeaver ABAP, SAP Web Application Server)

45. SAP Router
• Special application proxy
• Transfers requests from the Internet to SAP (and not only)
• Can work through VPN or SNC
• Almost every company uses it for connecting to SAP to download updates
• Usually listens on port 3299
• Internet accessible (approximately 5000 IPs)
• http://www.easymarketplace.de/saprouter.php

46. SAP Router: known issues
• Absence of ACL – 15%
 – Possible to proxy any request to any internal address
• Information disclosure about internal systems – 19%
 – Denial of service by specifying many connections to any of the listed SAP servers
 – Proxy requests to the internal network if there is an absence of ACL
• Insecure configuration, authentication bypass – 5%
• Remote code execution – 85%
47. Port scan results
• Are you sure that only the necessary SAP services are exposed to the Internet?
• We were not
• In 2011, we ran a global project to scan all of the Internet for SAP services
• It is not completely finished yet, but we have the results for the top 1000 companies
• We were absolutely shocked by what we saw!

48. Port scan results
• Chart: exposed services in 2011 versus 2013, by service: SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router
• The listed services should not be accessible from the Internet

51. SAP Security Forensics
• There is not so much information about breaches in the public domain
• Companies are not interested in publication of compromises
• But the main problem is here:
 – How can you be sure that there was no compromise?
 – Only 10% of systems have the Security Audit Log enabled
 – Only few of them analyze those logs
 – And much fewer do central storage and correlation
* Based on the assessment of over 250 servers of companies that allowed us to share results.

52. Defense
• EAS-SEC: a resource which combines
 – Guidelines for assessing enterprise application security
 – Guidelines for assessing custom code
 – Surveys about enterprise application security

53. EAS-SEC Guidelines
1. Lack of patch management
2. Default passwords
3. Unnecessary enabled functionality
4. Remotely enabled administrative services
5. Insecure configuration
6. Unencrypted communications
7. Internal access control and SoD
8. Insecure trust relations
9. Monitoring of security events
http://erpscan.com/publications/the-sap-netweaver-abap-platform-vulnerability-assessment-guide/

54. Conclusion
• Guides
• Security assessments
• Code review
• Continuous monitoring of all areas
• Segregation of duties

55. Conclusion
• Issues are everywhere, it is not only an ERP problem
• It is also not just a SAP problem, other applications are the same
• The problem is that the price of a 'lapse' in business applications is much bigger than in traditional IT security

56. SAP Security: Questions?