ERP systems are widely used in Oil and Gas, Manufacturing, Logistics, Financials, Nuclear, Retail, Telecommunication and other industries. All mission-critical data is stored in ERP systems, so attacks against them may result in espionage, sabotage and fraud.
The presentation gives examples of real and potential attacks and describes important details of ERP Security.
Alexander Polyakov, CTO of ERPScan, presented this talk at RSA Conference Europe 2013.
If I want a perfect cyberweapon, I'll target ERP
1. Invest in security to secure investments
If I Want a Perfect Cyberweapon, I'll Target ERP
Alexander Polyakov, CTO, ERPScan
2. About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
3. Alexander Polyakov
• CTO of the ERPScan company
• EAS-SEC.org project leader
• Business application security expert
• R&D Professional of the Year by Network Product Guide
• Organizer of the ZeroNights conference
a.polyakov@erpscan.com
Twitter: @sh2kerr
4. ERPScan
• Develops software for SAP security monitoring
• Provides SAP/ERP security trainings and consulting
• Leader by the number of acknowledgements from SAP (150+)
• Invited to talk at 50+ key security conferences in 20+ countries on all continents (BlackHat, RSA, HITB)
• Most acknowledged ERP security vendor (18 awards)
Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices and critical infrastructure, accumulating their knowledge on SAP research.
Leading SAP AG partner in the field of discovering security vulnerabilities, by the number of vulnerabilities found.
5. Intro
• I hate "CYBER" talks and this buzz
• I usually do more technical presentations
• But if we talk about it, why do we skip this area?
• I'm about business applications and ERP systems
6. Intro
• Intro
• Big companies and critical systems
• What has happened
• How easy is that
• What can happen
• Forensics
• What we can do
• Conclusions
7. Big companies
• Oil and Gas
• Manufacturing
• Logistics
• Financials
• Nuclear
• Retail
• Telecommunication
• etc.
8. Big companies
[Diagram of a typical landscape: Portal, HR, Logistics, Warehouse, ERP, Billing, BI, Industry, CRM, SRM; Suppliers, Customers, Banks, Insurance, Partners, Branches]
9. How popular are business applications?
SAP
• More than 246,000 customers worldwide
• 86% of Forbes 500
Oracle
• 100% of Fortune 100
Microsoft
• More than 300,000 businesses worldwide choose Microsoft Dynamics ERP and CRM software
10. What can happen
• Espionage
– Stealing financial information
– Stealing corporate secrets
– Stealing supplier and customer lists
– Stealing HR data
• Sabotage
– Denial of service
– Modification of financial reports
– Access to the technology network (SCADA) through trust relationships
• Fraud
– False transactions
– Modification of master data
11. Autocad virus (Industrial espionage)
• Autocad virus
• Stealing critical documents
• Sending them, potentially, to China
– http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html
12. PeopleSoft vulnerabilities (Sabotage)
• Presented at BlackHat USA
• Old and new issues
• The old one was a buffer overflow in a login page
• Over 500 systems can be found by Googling
• The new issues ranged from information disclosure to unauthorized system access
• Potential to steal the data of 20 million customers
13. US Department of Energy Breach
• Sabotage
• Real example of stealing
• 14,000 records
• Target: HR system (maybe PeopleSoft)
• Unauthorized disclosure of federal employee Personally Identifiable Information
14. Istanbul Provincial Administration
• Unauthorized disclosure of federal employee Personally Identifiable Information
• Erasing people's debts
15. Potential Anonymous attack
Now, it adds, "We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they..." Anonymous claims to have a "sweet 0day SAP exploit", and the group intends to "sploit the hell out of it."
* This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.
16. Fraud
• Invoicing the company for a greater number of hours than worked
• Ghost employees of the vendor
• Vendor employees billed at amounts higher than the contract rate
• Vendor employees billed at a higher job classification than the actual work performed (skilled vs. non-skilled labor rates)
• Invoicing the company for incorrect equipment or materials charges
• Vendor charges for equipment not needed or not used for the job performed
17. Fraud
• Vendor charges for materials not used, or materials that are for the personal benefit of a company employee
• Vendor charges for equipment or material at higher prices than allowed by the contract
• Invoicing the company incorrectly for other services
• Vendor charges for services performed where the work is not subject to an audit clause
• Vendor charges that include material purchases from, or work performed by, related companies at inflated prices
http://www.padgett-cpa.com/insights/articles/fraud-risks-oil-and-gas-industry
18. Fraud
• The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.
• Real examples that we have met:
– Salary modification
– Material management fraud
– Mistaken transactions
19. Fraud
• PwC survey: 3,000 organizations in 54 countries; 30% were victims of economic crime in the previous 12 months
• Average loss per organization from fraud: $500k plus collateral damage
• Asset misappropriation: 83%
• Accounting fraud: 33%
21. Project Mayhem (Fraud)
• A hacker could manipulate financial data and change entries to move funds to an outside account:
– alter the remittance address on vendor records,
– create a new vendor and a manual check entry,
– change general ledger accounting records,
– increase a customer's credit limit,
– credit the balance in a customer account in order to get a refund.
22. Fraud in Oil and Gas
FRAUD and other infractions in Nigeria's critical oil and gas industry are enough to derail any stable economy, going by the report of the Petroleum Revenue Special Task Force by a former chairman of the Economic and Financial Crimes Commission (EFCC), Mallam Nuhu Ribadu.
24. How to make it more "Cyber/Danger"
• Breach + worm
• Multiple attacks on the same type of system
• Against one country
25. What can be next?
• Just imagine what could be done by breaking:
• one ERP system
• all business applications of a company
• all ERP systems in a particular country
27. Ease of development
• Price of a vulnerability is low
• Patching is a nightmare
• Weaponization is easy
• Interconnection is high
• Availability via the Internet
28. Price of vulnerability
• Prices for typical vulnerabilities in Flash and browsers are going up
• Security of applications and OSes is improving
• It is much easier to find an architecture issue in ERP
• About 2,000 vulnerabilities were closed by SAP alone during 3 years
• And such an issue will keep working for years
29. SAP Security Notes by year
[Bar chart: number of SAP Security Notes per year, 2001 to 2013; more than 2,600 in total]
30. Patching is a nightmare
• You need to stop a business process
• Sometimes you need to update multiple parts
• Examples of huge architectural issues from:
– Microsoft Dynamics
– Oracle JDE
– SAP SDM
31. Microsoft Dynamics authentication
• Dynamics security: only visual restrictions in the fat client
• All users have rights to the companies' databases
• The only obstruction: you are not supposed to be able to connect to the SQL server directly
• Reverse engineering to understand the password "encryption" algorithm
• Create a tool
• Every user can become Administrator
• NO PATCH! Only a new architecture can help (but there is no such thing)
32. Oracle JD Edwards authentication
• All the security of JD Edwards relies on the visual restrictions of the fat client
• In fact, all users have rights to the company's data, because the client connects using the special account JDE
• Then, depending on the user and password, security is checked on the fat client
• A user can connect directly to the database using the JDE account and modify his rights at the table level
• Every user can become Administrator
• NO PATCH! Only a move to a 3-tier architecture
33. SAP SDM authentication
• Authentication is done by providing the hash of the password
• That means pass-the-hash is possible
• First of all, the hash can simply be sniffed, so it is like authenticating with the cleartext password.
• Secondly, the hashes are stored in an OS file, so they can be obtained by using other vulnerabilities.
• After getting a hash, it is possible to upload any backdoor into SAP
• To patch it you need to modify client and server at the same time.
• Install SAP Note 1724516
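The two failure modes on this slide (a sniffed hash replays; a stolen hash file answers any challenge) are easiest to see side by side. The following is an added example written for this page, not code from the talk and not SAP SDM's real protocol: a toy client/server pair in which the user name, password and credential store are constructed for the demo.

```python
"""Why 'authenticate by sending the password hash' is pass-the-hash by design.

Added example, not from the talk and not SAP SDM's real protocol: a toy
client/server pair modelling the two designs the slide contrasts. User name,
password and the credential store are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed server-side credential store: user -> stored password hash.
# In the slide's scenario this is the OS file an attacker can also read.
USERS = {"sdmadmin": hashlib.sha256(b"Spring2013!").hexdigest()}


def hash_only_login(user: str, presented_hash: str) -> bool:
    """Vulnerable design: the client sends the stored hash itself.

    Whatever crosses the wire is password-equivalent: sniff it once, replay
    forever. A copied hash file works just as well, without cracking anything.
    """
    return hmac.compare_digest(USERS.get(user, ""), presented_hash)


def issue_challenge() -> str:
    """Server side of challenge/response: a fresh, unpredictable nonce."""
    return secrets.token_hex(16)


def client_response(password: str, nonce: str) -> str:
    """Client side: derive the hash locally and bind it to this nonce with an HMAC."""
    key = hashlib.sha256(password.encode()).hexdigest().encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def challenge_login(user: str, nonce: str, response: str) -> bool:
    """Replay-resistant: a response is valid only for the nonce it was made for.

    Caveat matching the slide's second point: the server still keys the HMAC
    with the stored hash, so an attacker who steals the hash FILE can answer
    any challenge. Protecting that file is part of the fix, not optional.
    """
    stored = USERS.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def replay_attack_succeeds(sniffed_hash: str) -> bool:
    """The slide's 'like authenticating using the clear password'."""
    return hash_only_login("sdmadmin", sniffed_hash)


def replay_attack_fails_with_nonce(sniffed_nonce: str, sniffed_response: str) -> bool:
    """Replaying a captured (nonce, response) pair against a new challenge fails."""
    fresh_nonce = issue_challenge()
    while fresh_nonce == sniffed_nonce:   # vanishingly unlikely, but be exact
        fresh_nonce = issue_challenge()
    return not challenge_login("sdmadmin", fresh_nonce, sniffed_response)
```

The nonce closes the sniffing hole only; it does nothing about the file-theft hole, which is why the slide's fix needs client and server changed together and the hash store protected.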
35. SAP NetWeaver ABAP versions
[Pie chart: NetWeaver ABAP versions by popularity, shares 35%, 23%, 19%, 11%, 6%, 5%; releases 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004)]
The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!
36. Special payload is not needed
• Remember the Verb Tampering user creation issue
• Just one request and you are inside the system
• A second request and you are admin
• Then you can do whatever you want with simple HTTP requests
• If it is only a technical system, you can jump to a connected system
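The "one request" on this slide works because a security constraint that names the verbs it protects leaves every other verb unprotected, and most servers route an unknown or HEAD request to the same handler as GET. The following is an added example, not code from the talk or from SAP: a toy request router with the vulnerable filter beside a hardened one. The path, handler, token and user store are constructed.

```python
"""HTTP verb tampering against an authentication filter.

Added example, not code from the talk or from SAP: a toy request router
modelling the mistake that lets "one request" through. Path, handler name,
session token and user store are constructed for the demo.
"""
from dataclasses import dataclass, field

ADMIN_TOKEN = "tok-admin-7f3a"   # constructed session token


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


USERS = {"admin"}   # constructed user store


def create_user(req: Request) -> Response:
    USERS.add(req.params["user"])
    return Response(200, f"created {req.params['user']}")


ROUTES = {"/ctc/createUser": create_user}


def is_authenticated(req: Request) -> bool:
    return req.headers.get("Authorization") == f"Bearer {ADMIN_TOKEN}"


# Vulnerable: the security constraint enumerates the verbs it protects.
# Anything else (HEAD here, but also PUT, DELETE or a made-up verb) skips the
# check, and the container still runs the GET/POST code for it.
PROTECTED_METHODS = {"GET", "POST"}


def dispatch_vulnerable(req: Request) -> Response:
    if req.method in PROTECTED_METHODS and not is_authenticated(req):
        return Response(401)
    handler = ROUTES.get(req.path)
    if handler is None:
        return Response(404)
    return handler(req)


# Hardened: authentication is decided per resource, independent of the verb,
# and only the verbs the handler was written for are served at all.
ALLOWED_METHODS = {"GET", "POST"}


def dispatch_hardened(req: Request) -> Response:
    if req.method not in ALLOWED_METHODS:
        return Response(405)
    if not is_authenticated(req):
        return Response(401)
    handler = ROUTES.get(req.path)
    if handler is None:
        return Response(404)
    return handler(req)


def verb_tampering_demo():
    """Return (vulnerable_status, hardened_status, user_was_created)."""
    USERS.discard("backdoor")
    attack = Request("HEAD", "/ctc/createUser", params={"user": "backdoor"})
    vulnerable_status = dispatch_vulnerable(attack).status
    created = "backdoor" in USERS
    USERS.discard("backdoor")
    hardened_status = dispatch_hardened(attack).status
    return vulnerable_status, hardened_status, created
```

Note that HEAD returns no body to the attacker, which does not matter: the side effect (the new user) happens server-side, and the second request on the slide can then log in normally.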
37. Systems are highly connected
• Systems are highly connected with each other by trust relationships
• Even between companies they are connected by ESB systems
• Remember SSRF as well?
• http://cwe.mitre.org/data/definitions/918.html
• Second place in the Top 10 Web Hacking Techniques of 2012
• Allows bypassing firewall restrictions and connecting directly to protected systems via connected systems
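SSRF (CWE-918) is what turns a fetch-by-URL feature on an Internet-facing business application into a proxy into the network behind it. The following is an added example, not from the talk: the unchecked target a naive fetch would connect to, beside a validator that allowlists the host, restricts scheme and port, and rejects names that resolve into internal address space. The resolver is injected so the check runs offline; the host names and the fake DNS view are constructed.

```python
"""SSRF (CWE-918): a fetch-by-URL feature turned into a firewall-bypassing proxy.

Added example, not from the talk. 'resolve' is injected so the check runs
offline; in production pass a socket.getaddrinfo-based resolver. Host names,
the allowlist and the DNS answers are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlparse

ALLOWED_HOSTS = {"partner-esb.example.com", "legacy-gw.example.com"}

# Constructed DNS view. 'legacy-gw' is an allowlisted name that now points at
# an internal address, the case a pure name allowlist misses.
FAKE_DNS = {
    "partner-esb.example.com": ["93.184.216.34"],
    "legacy-gw.example.com": ["10.1.1.5"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


def vulnerable_target(url: str):
    """What an unchecked 'fetch this URL for me' feature will connect to."""
    p = urlparse(url)
    return p.hostname, p.port or 80


def is_internal(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local
            or a.is_reserved or a.is_multicast or a.is_unspecified)


def safe_target(url: str, resolve=fake_resolve):
    """Return (ip, port) to connect to if the URL may be fetched, else raise ValueError."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if p.username or p.password:
        raise ValueError("credentials in URL")
    host = p.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist")
    port = p.port or (443 if p.scheme == "https" else 80)
    if port not in (80, 443):
        raise ValueError("port not allowed")
    addrs = resolve(host)
    if not addrs or any(is_internal(a) for a in addrs):
        raise ValueError("host resolves to internal address")
    # Connect to the resolved address, not the name, so a DNS answer cannot
    # change between this check and the connect (rebinding).
    return addrs[0], port


def allowed(url: str, resolve=fake_resolve) -> bool:
    try:
        safe_target(url, resolve)
        return True
    except ValueError:
        return False
```

The port restriction matters as much as the host check: the slide's "connected systems" are reached on ports like 3200, 3299 or 1128, and an SSRF that can only speak to 80/443 on an allowlisted partner is far less useful than one that can reach any port inside.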
38. Business applications on the Internet
• Companies have Portals, SRMs, CRMs remotely accessible
• Companies connect different offices by ESB
• SAP users are connected to SAP via SAProuter
• Administrators open management interfaces to the Internet for remote control
39. Business applications on the Internet
SAP HTTP services can be easily found on the Internet:
• inurl:/irj/portal
• inurl:/IciEventService sap
• inurl:/IciEventService/IciEventConf
• inurl:/wsnavigator/jsps/test.jsp
• inurl:/irj/go/km/docs/
40. Shodan scan
A total of 3,741 servers with different SAP web applications were found.
[Pie chart: 41%, 34%, 20%, 6%; SAP NetWeaver J2EE, SAP NetWeaver ABAP, SAP Web Application Server, Other (BusinessObjects, SAP Hosting, etc.)]
[Bar chart: growth by application server, values 94%, 72%, 30%, -20%, -55%]
41. SAP Router
• Special application proxy
• Transfers requests from the Internet to SAP (and not only)
• Can work through VPN or SNC
• Almost every company uses it for connecting to SAP to download updates
• Usually listens on port 3299
• Internet accessible (approximately 5,000 IPs)
• http://www.easymarketplace.de/saprouter.php
42. SAP Router: known issues
• Absence of ACL: 15%
– Possible to proxy any request to any internal address
• Information disclosure about internal systems: 19%
– Denial of service by specifying many connections to any of the listed SAP servers
– Proxy requests to the internal network if there is no ACL
• Insecure configuration, authentication bypass: 5%
• Heap corruption vulnerability: many!
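"Absence of ACL" on a SAProuter means a route permission table (saprouttab) that permits everything, so an Internet client can ask the router to open a TCP connection to any internal address and port. The following is an added example, not code from the talk or from SAP: a minimal evaluator for the documented line format (P/S/D, source host, destination host, service, first matching line wins, no match is a deny), run against a wide-open table and a restrictive one. The host names and addresses are constructed, and the wildcard forms accepted beyond "*" and "a.b.c.*" are an assumption of this example.

```python
"""Evaluating a SAProuter route permission table (saprouttab).

Added example, not from the talk or from SAP's code: a minimal evaluator for
the line format 'P|S|D <source-host> <dest-host> <dest-serv>' with '*'
wildcards; first matching line wins, no match means deny. Hosts, addresses
and ports are constructed; wildcard forms beyond '*' and 'a.b.c.*' are an
assumption here.
"""
from fnmatch import fnmatchcase

# The "absence of ACL" case from the slide: one line, everything permitted.
OPEN_TABLE = """
P * * *
"""

# A restrictive table: only the VPN range may reach the dispatcher and the
# outbound support route; everything else is explicitly denied.
RESTRICTED_TABLE = """
# action  source        destination     service
P         10.20.0.*     sapprd01        3200
P         10.20.0.*     194.0.2.10      3299     # constructed support route
D         *             *               *
"""


def parse_saprouttab(text: str) -> list:
    """Return [(action, source, dest, service), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("P", "S", "D"):
            raise ValueError(f"malformed saprouttab line: {raw!r}")
        rules.append(tuple(parts[:4]))
    return rules


def route_allowed(rules: list, src: str, dst: str, serv) -> bool:
    """First matching line decides; P and S permit (S: SAP protocol only), D denies."""
    for action, s, d, v in rules:
        if fnmatchcase(src, s) and fnmatchcase(dst, d) and fnmatchcase(str(serv), v):
            return action in ("P", "S")
    return False   # implicit deny at the end of the table


def proxy_abuse_cases(table: str) -> dict:
    """Routes an Internet client would try through an exposed SAProuter."""
    rules = parse_saprouttab(table)
    return {
        "legit_vpn_to_dispatcher": route_allowed(rules, "10.20.0.7", "sapprd01", 3200),
        "internet_to_dispatcher": route_allowed(rules, "198.51.100.9", "sapprd01", 3200),
        "internet_to_internal_rdp": route_allowed(rules, "198.51.100.9", "10.1.1.5", 3389),
        "internet_to_hostcontrol": route_allowed(rules, "198.51.100.9", "sapprd01", 1128),
    }
```

The explicit "D * * *" at the end is not strictly needed (no match already denies) but makes the intent reviewable, and the information-disclosure and DoS items on the slide are the reasons the router should additionally not be reachable from the Internet at all.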
43. Port scan results
• Are you sure that only the necessary SAP services are exposed to the Internet?
• We were not
• In 2011, we ran a global project to scan all of the Internet for SAP services
• It is not completely finished yet, but we have the results for the top 1,000 companies
• We were shocked when we first saw them
44. Port scan results
[Bar chart: exposed services in 2011 vs. 2013 (scale 0 to 35): SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router]
The listed services should not be accessible from the Internet.
45. Why?
Why are there not many public examples of breaches if the situation is so bad?
46. Examples
• Fraud: very popular inside companies, but you see only some incidents
• Sabotage: at this moment it is maybe easier to DDoS than to DoS, but we will see
• Espionage: here is what we don't see much of, because it is designed to be unseen. You never know about it, especially if you don't enable logging
47. SAP Security Forensics
• There is not so much info in public
• Companies are not interested in publishing compromises
• But the main problem is here:
– How can you be sure that there was no compromise?
– Only 10% of systems have the Security Audit Log enabled
– Only few of them analyze those logs
– And much fewer do central storage and correlation
* Based on the assessment of over 250 servers of companies that allowed us to share results.
48. Percent of enabled log options
• ICM log (icm/HTTP/logging_0): 70%
• Security Audit Log in ABAP: 10%
• Table access logging (rec/client): 4%
• Message Server log (ms/audit): 2%
• SAP Gateway access log: 2%
* Based on the assessment of over 250 servers of companies that allowed us to share results.
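The percentages above come from reading profile parameters, and the same check is cheap to run yourself before an incident rather than after. The following is an added example, not from the talk and not ERPScan's scanner: a reader for the "parameter = value" lines of an ABAP instance profile that reports which of the logging options on this slide are on. The profile text is constructed. The parameter names the slide does not give (rsau/enable for the Security Audit Log, gw/logging for the Gateway) and the "enabled" conditions are assumptions of this example; confirm them against your release's documentation.

```python
"""Checking which SAP logging switches are actually on, from a profile file.

Added example, not from the talk and not ERPScan's scanner: a reader for the
'parameter = value' lines of an ABAP instance profile, checking the logging
options the slide lists. The profile text is constructed. Parameter names
beyond the three on the slide (rsau/enable for the Security Audit Log,
gw/logging for the Gateway) and the 'enabled' conditions are assumptions.
"""

# Constructed profile: only the ICM HTTP log is configured, matching the
# slide's typical system (70% ICM log, almost nothing else).
SAMPLE_PROFILE = """
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_LOGGING)/icmhttp.log,LOGFORMAT=SAP
rsau/enable = 0
rec/client = OFF
# ms/audit and gw/logging not set at all
"""

# (parameter, predicate on its value or None if unset, description)
CHECKS = [
    ("icm/HTTP/logging_0", lambda v: v is not None and "LOGFILE=" in v, "ICM HTTP log"),
    ("rsau/enable", lambda v: v == "1", "Security Audit Log (ABAP)"),
    ("rec/client", lambda v: v is not None and v.upper() != "OFF", "Table change logging"),
    ("ms/audit", lambda v: v in ("1", "2"), "Message Server audit log"),
    ("gw/logging", lambda v: v is not None and "ACTION=" in v, "Gateway access log"),
]


def parse_profile(text: str) -> dict:
    """Parse 'name = value' lines; '#' starts a comment; later lines override earlier ones."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def logging_status(text: str) -> dict:
    """Map each description from CHECKS to True (enabled) or False."""
    params = parse_profile(text)
    return {desc: bool(test(params.get(name))) for name, test, desc in CHECKS}


def missing_logs(text: str) -> list:
    """Sorted list of logging options that are off in the given profile."""
    return sorted(desc for desc, on in logging_status(text).items() if not on)
```

Run it against every instance profile in the landscape and the output is the list a forensic investigation will later discover is empty; turning rsau/enable on is also only the first step, because the Security Audit Log additionally needs its filters (the events it records) configured before it captures anything useful.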
57. Conclusion
We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
web: www.erpscan.com, www.dsecrg.com
e-mail: info@erpscan.com, sales@erpscan.com