Learning from Zombie Zero Attacks Targeting ERP Systems

In my previous post I talked about the discovery of targeted malware embedded in physical scanners that were sold to shipping and logistics companies. Once operational, the malware searched the victim's network for ERP systems, compromised them (from the report it would appear all such systems were compromised, and based on our own experience that has also been the case in our engagements) and copied the data from these systems back to command and control servers, reportedly based in China.

It is tempting to think that this is an isolated problem specific to one industry, but the reality is that every business has hardware attached to its network that runs, or has access to, its critical systems and infrastructure. Counterfeit equipment is a long-standing problem, and these fakes are hard to distinguish from the real thing. With the practice of hardware being assembled by one company and firmware being produced by another, there is even more room for malicious software or instructions to be added to the printers, switches, routers and other equipment that exist in almost every network today.

For a security or risk practitioner this has caused a shift in thinking. The adage that hardening and protecting your perimeter lets you sleep well at night is no longer valid, even ignoring the reality that a perimeter is hard to define (contracting companies with VPN access to internal systems, internal employees accessing external email and file sharing applications from within the corporate network). Instead, that new printer installed down the hall could, in addition to printing 30 pages a minute, run a program that harvests the credentials of every employee who executes a print job and then, between the hours of 1am and 4am, systematically logs into every ERP system with those credentials and copies the contents. Or it could simply create an electronic copy of every print job and upload or email it to a server online…

Nor can traditional, generic security solutions help. What software are you going to run on your network switch or printer to detect this activity? What system is ERP-aware to the point of understanding that Jsmith just accessed your SAP system from the printer's IP address and tried to run a financial report, despite having only ever run HR transactions historically?
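The two scenarios above (credentials harvested by a device, then used off-hours from its address to run transactions the user never runs) are exactly what an ERP-aware baseline can catch. The following is an added example, not code from the original post: it builds a per-user transaction-category baseline from constructed log lines and flags events that break it. The pipe-separated log layout, the device subnet and the transaction-code-to-category mapping are assumptions for this example, not SAP's own audit log format.

```python
"""Flag SAP logons from a device address, off-hours, or running a transaction
category the user has no history of.  Log lines and their field layout
(timestamp|user|source_ip|tcode) are constructed for this example."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed coarse mapping for a few real SAP transaction codes.
TCODE_CATEGORY = {"PA20": "HR", "PA30": "HR", "FBL3N": "FIN", "F.01": "FIN"}
DEVICE_SUBNET = ip_network("10.0.99.0/24")  # assumed: printers live here
OFF_HOURS = range(1, 4)                    # 01:00-03:59, as in the post

BASELINE_LOG = """\
2014-07-01 09:12:04|JSMITH|10.0.10.21|PA20
2014-07-01 10:40:11|JSMITH|10.0.10.21|PA30
2014-07-02 08:55:30|JSMITH|10.0.10.21|PA20
2014-07-02 14:02:47|ACLARK|10.0.10.34|FBL3N
"""
NEW_LOG = """\
2014-07-03 02:17:09|JSMITH|10.0.99.7|FBL3N
2014-07-03 09:01:00|JSMITH|10.0.10.21|PA20
2014-07-03 02:30:55|ACLARK|10.0.99.7|F.01
"""

def parse(log):
    for line in log.splitlines():
        ts, user, ip, tcode = line.split("|")
        yield datetime.fromisoformat(ts), user, ip_address(ip), tcode

def build_baseline(log):
    """Per user: the set of transaction categories seen so far."""
    seen = defaultdict(set)
    for _, user, _ip, tcode in parse(log):
        seen[user].add(TCODE_CATEGORY.get(tcode, "OTHER"))
    return seen

def detect(baseline, log):
    """Return (user, tcode, reasons) for each event that breaks the baseline."""
    alerts = []
    for ts, user, ip, tcode in parse(log):
        reasons = []
        if ip in DEVICE_SUBNET:
            reasons.append("logon from device subnet")
        if ts.hour in OFF_HOURS:
            reasons.append("off-hours logon")
        cat = TCODE_CATEGORY.get(tcode, "OTHER")
        if user in baseline and cat not in baseline[user]:
            reasons.append(f"first {cat} transaction for user")
        if reasons:
            alerts.append((user, tcode, reasons))
    return alerts
```

Running `detect(build_baseline(BASELINE_LOG), NEW_LOG)` flags the two night-time logons from the printer address and leaves Jsmith's normal daytime HR transaction alone.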

With these dynamic and agile modern-day attacks and attack vectors we cannot afford to move at the speed of historical SAP security efforts. Segregation of duties (SOD) works when you are worried about someone with a single set of credentials trying to carry out fraudulent or espionage activities on your system. But what if that same attacker has everyone's credentials? You need intelligent, SAP-aware defensive technology to protect your business from that risk.

The scary truth is that this is not an isolated incident. In November last year the Microsoft Malware Protection Center reported on a newly discovered trojan that looked for the SAPGUI client on any system it compromised. Where the client was found, the trojan ran a keylogger whenever the client was executed.

The biggest 'learning moment' to take from these attacks is that threats against your ERP systems are a clear and present danger. What isn't clear is where the attacks will come from, so instead of trying to lock down all potential attack sources, focus on protecting the attack target. Measure the current attack and vulnerability surface of your SAP systems, develop a mature SAP vulnerability management program, define how you will measure the effectiveness of this program, and then carry it out.

If you would like to hear more about how our customers have successfully created such a program, contact me. SAP solutions are large and complex, but their risk and vulnerabilities can be measured and reduced to acceptable levels.
