Secure perimeter isn’t a panacea

By Alexander Polyakov, CEO, ERP SCAN

SAP security used to be a terra incognita with almost no real attacks on SAP systems known to the public. While the number of breaches in less critical applications was increasing rapidly, and so was the awareness, only a small group of professionals knew about attacks on business applications.

Typically, the attacks are different kinds of internal fraud. According to the Association of Certified Fraud Examiners, losses from internal fraud constitute 7% of profit on average. To prevent those attacks, the segregation of duties concept was created. However, SAP security isn’t limited to SoD. The issue of unauthorized access to system and user accounts via vulnerabilities still exists. Moreover, the increasing number of SAP vulnerabilities (from 100 in 2007 to 2000 in 2012) makes these issues more critical than ever.

Now, let’s describe 5 recent cyber attacks on SAP systems.

Incident 1. October 30,2012: Attack via an SAP vulnerability on the Greek Ministry of Finance
It was the first attack on SAP systems that came to light. Hackers from the Anonymous group claimed to have leaked Greek Ministry of Finance confidential documents, passwords, and usernames. The document from Anon Paste states that the purpose of the hack was to protest the worsening economic conditions in Greece. Anonymous posted a compressed file with credentials that the group claimed were valid. Anonymous said they had accessed IBM servers and that they possessed an SAP zero-day exploit.

Although this attack wasn’t approved or declined by any authority, there is no reason to not believe that it was real. Whether or not the attack was actually performed, the incident indicates that hackers are interested in exploiting SAP systems.

Lesson 1.Don’t underestimate attacks on SAP systems
Attacks on SAP systems should be considered serious because of the criticality of the data stored there. All types of sensitive information can be found in an SAP system, including credit card data, PII (SSN), healthcare records, clients and partners lists, trade secrets, and bank account numbers.

Incident 2: November 2013: SAP malware
The first example of malware targeting SAP was discovered in 2013. A new variant of a Trojan program that targeted online banking accounts also contained code to search if infected computers had SAP client applications installed, suggesting that attackers might target SAP systems in the future.
To intercept important data, it used a traffic analyzer, a system that monitors web banking activities, and a screen grabber. The main objective of the Trojan was to collect user input from various window forms, to gather certificate files from secure workflow systems, and to send this information to the attackers’ server. In this case, it already had access to the infected workstation and it knew that this workstation had an SAP client, which in turn means that the workstation had access to the SAP server. The Trojan was capable of making screenshots of logons into the SAP system and collecting critical system data. It also had key logging functionality to steal passwords input during logon. This is enough to do many malicious actions on an SAP server, so this information could be sold to third parties.

Lesson 2.Secure perimeter isn’t a panacea
In the new world of cloud and mobile, a company’s perimeter becomes more transparent and thus less secure. Until recently, implementing a firewall was enough. Now you have to put up with the idea that your perimeter isn’t secure by default. Besides Trojans, there are other ways for hackers to break into SAP, such as attacks on Internet resources (SAP Portal/CRM/SRP) or on multiple SAP services exposed to the Internet. To protect your systems, you should scan for unnecessary services and configure strict access control.

Incident 3.November 2013: Police SAP weakness
Auditors found serious weaknesses during the review of South West One AP IT Controls, accompany that runs IT and other services for Commercial and Government companies. Auditors claimed that weaknesses in security controls in SAP could allow non-police employees to access the force’s administrative database.
The weaknesses were there because several authorities shared a single SAP database. As a result, users with administrative rights were able to access the database or OS directly.

Lesson 3.Separation between systems
There are multiple ways to separate data. It’s recommended not to store information about different organizations in one application server. Second, there is an additional layer of data separation: a so-called Production Test and Development system. Even inside one company, there should be at least 3 systems with strict access control.

Incident 4.January 2014: Attack on NVidia
In January 2014, NVidia customer service website was likely attacked.
The finder of the vulnerability, who was from China and called himself Finger, said he notified NVidia about the vulnerability on November 21,2013. On January 5, 2014, information about vulnerability was posted on a Chinese vulnerability forum,, and reposted on Full Disclosure. The status of the bug is “unable to contact the vendor or actively neglected by the vendor”. The NetWeaver vulnerability was patched by SAP 3 years before the incident, but NVidia hadn’t implemented the fix. On January 8, 2014, NVidia took the customer service website offline for two weeks for investigation.

Lesson 4.Patch Management
NVidia is not an exception. Many companies don’t implement SAP Security Notes, as patching process seems time-consuming and costly.
During the period when a hacking attack could happen, SAP released almost 3000 Security Notes to close SAP vulnerabilities. Most can only be exploited if one has access to the corporate network, but some attacks can be conducted from the Internet. If a company uses web-based systems such as Portal or CRM, it’s recommended to update them in time.

Incident 5.May 2015: attack on USIS via a SAP vulnerability
On May 11, the news about an attack on USIS, a federal contractor that conducts background checks for DHS,blew up security media.It was potentially conducted by China-sponsored hackers via a vulnerability in SAP software. This breach dates back to 2013,when hackers broke into USIS through an exploit in an SAP system managed by a third party.
As a result of the breach, more than 27,000 personnel may have been compromised. A similar hack also affected servers of the Office of Personnel Management, which holds information on security clearance investigations.
USIS lost the contract with OPM, cut 2500 jobs, and the owner of USIS filed for bankruptcy.

Lesson 5: Connected systems security
To automate business processes, different modules have to be connected somehow. ERPScan’s research revealed that the average number of connections in SAP systems is about 50, and 30% of them usually store credentials.
Once attackers break into the weakest SAP module, they can easily get access to connected systems and from them to other ones.

The topic of SAP security is too large to be covered in one article. Now here are 3 more recommendations to keep SAP applications as secure as possible:

  1. Manage security events in time, as an attack can remain undetected for years.
  2. Check for default passwords, which are the most common of attack vectors.
  3. Analyze how secure custom-developed applications are.