How Malware is evolving into the first step of attacks against SAP systems

When I talk to CISOs and other business leaders who are responsible for critical applications that rely on SAP a common question I get is how I would quantify the threat to their SAP systems. We talk about stories that have been shared with them by their colleagues, and the importance and value of following best practices. This morning I have been sharing with them an article showing some apparent reconnaissance activities being taken to discover deployed SAP systems.

The article describes a newly discovered Trojan that primarily targets gaining access to victims online banking accounts. What this malware does that is setting of alarm bells for everyone who is responsible for SAP systems is it analyses each machine the malware runs on to determine if that end user computer is used to communicate with SAP systems. This information is then passed back to the owners of the malware.

So what kind of information are we talking about? A PC with a SAP client installed will have configuration information for that client stored locally. This will contain at least the IP address of the SAP servers that the client connects to. If these clients are configured to login automatically those credentials are obtainable; if not then it is a simple matter to hook the application and capture the password the next time the user logs in.

Now, for those people who are itching to tell  me that they don’t care is an external attacker learns the IP address of their internal SAP systems because they cannot reach these systems I would refer you to this blog post; which debunks the myth of “internal” systems. I’d also point out the reason why the attacker is able to learn the IP addresses of your internal SAP systems if because they have taken control of an internal machine on your network already. Of course if you think I am wrong then you are gambling with the safety and soundness of your SAP systems; which is a high stakes game to play.

Attacks against SAP systems is not new; what is setting off all these alarms is the scale of bulk harvesting of SAP systems as targets for attack. Never before have I seen this kind of mass collection; there appears to be no discrimination of SAP systems considered as targets; any PC that values victim to this malware is then used to harvest this information.

The big question I am discussing with my peers is why are they collecting this information? The malware is primarily for gaining access to banking information; however it is likely the authors are considering a secondary marker of either selling access to the machines under their control that have access to SAP system or have attacks against SAP systems in mind. Given SAP systems not only run critical inventory, ordering and other business processes but also store and process payroll and other financial information it is no surprise that these attackers are looking them as a big target.

Either way, I don’t believe they are doing it as an academic exercise, this is absolute evidence of reconnaissance and intelligence gathering about the deployment of SAP systems. The next step in any attackers playbook is to determine which are the targets that are going to provide value (this is a business for them after all) and which are not. I would expect to see some proactive attempts against the low value targets, and then attacks against their primary targets.

For Onapsis X1 customers they have already assessed their SAP systems against this type of threat. They have been able to identify any weakness that would provide that first crack for an attacker to leverage and implement remediation or compensating controls to reduce their overall risk.

If you’d like to learn more about how you can determine your level of risk against this type of attack please contact me; I would be more than happy to show how X1 not only identifies risks in SAP systems but provides you with prioritized remediation steps to reduce and manage that risk.

Leave a comment