Post on 22-Jun-2018


Invest in security to secure investments

If I Want a Perfect Cyberweapon I'll Target ERP

Alexander Polyakov, CTO, ERPScan

Alexander Polyakov

• CTO of the ERPScan company

• EAS-SEC.org project leader

• Business application security expert

• R&D Professional of the year by Network Product Guide

• Organizer of ZeroNights conference

[email protected]

Twitter: @sh2kerr

erpscan.com | ERPScan — invest in security to secure investments

ERPScan

• Develop software for SAP security monitoring

• Provide SAP/ERP Security Trainings and consulting

• Leader by the number of acknowledgements from SAP (150+)

• Invited to talk at 50+ key security conferences in 20+ countries on all continents (BlackHat, RSA, HITB)

• Most acknowledged ERP Security vendor (18 awards)

• Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge on SAP research.


Leading SAP AG partner in the field of discovering security vulnerabilities by the number of found vulnerabilities

Intro

• I hate “CYBER” talks and this buzz

• I usually do more technical presentations

• But if we talk about it, why do we skip this area?

• My focus is business applications and ERP systems


Intro

• Intro

• Big companies and critical systems

• What has happened

• How easy is that

• What can happen

• Forensics

• What we can do

• Conclusions


Big companies

• Oil and Gas

• Manufacturing

• Logistics

• Financials

• Nuclear

• Retail

• Telecommunication

• etc


Big companies inside

Diagram: the application landscape of a typical big company: Portal, HR, Logistics, Warehouse, ERP, Billing, Suppliers, Customers, Banks, Insurance, Partners, Branches, BI, Industry, CRM, SRM.

Are business applications popular?

SAP

• More than 246000 customers worldwide

• 86% of Forbes 500

Oracle

• 100% of Fortune 100

Microsoft

• More than 300,000 businesses worldwide choose Microsoft Dynamics ERP and CRM software


What can happen

• Espionage

– Stealing financial information

– Stealing corporate secrets

– Stealing supplier and customer lists

– Stealing HR data

• Sabotage

– Denial of service

– Modification of financial reports

– Access to technology network (SCADA) by trust relations

• Fraud

– False transactions

– Modification of master data


AutoCAD virus (Industrial espionage)

• AutoCAD virus

• Stealing critical documents

• Sending them, potentially, to China

– http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html


PeopleSoft vulnerabilities (Sabotage)

• Presented at BlackHat USA

• Old and new issues

• The old one was a buffer overflow in a login page

• Over 500 systems can be found by Googling

• New issues ranged from information disclosure to unauthorized system access

• Potential to steal the data of 20 million customers


US Department of Energy Breach

• Sabotage

• Real example of stealing

• 14,000 records

• Target: HR system (possibly PeopleSoft)

• Unauthorized disclosure of federal employee Personally Identifiable Information


Istanbul Provincial Administration

• Unauthorized disclosure of federal employee Personally Identifiable Information

• Erasing people's debts


Potential Anonymous attack


Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”

* This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.

Fraud

• Invoice company for a greater number of hours than worked

• Ghost employees of the vendor

• Vendor employees billed at amounts higher than contract rate

• Vendor employees billed at higher job classification than actual work performed (skilled vs. non-skilled labor rates)

• Invoice company for incorrect equipment or materials charges

• Vendor charges for equipment not needed or used for the job performed

• Vendor charges for materials not used or materials are for the personal benefit of company employee

• Vendor charges for equipment or material at higher prices than allowed by the contract

• Invoice company incorrectly for other services

• Vendor charges for services performed where work is not subject to audit clause

• Vendor charges include material purchases from or for work performed by related companies at inflated prices

http://www.padgett-cpa.com/insights/articles/fraud-risks-oil-and-gas-industry


Fraud

• The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.

• Real examples that we met:

– Salary modification

– Material management fraud

– Mistaken transactions


Fraud

• PwC survey: 3,000 organizations in 54 countries; 30% were victims of economic crime in the previous 12 months

• Average loss per organization from fraud: $500k + collateral damage

• Asset misappropriation: 83%

• Accounting fraud: 33%


Internet-Trading virus (Fraud)

• Internet-Trading virus (Fraud)

– Ranbyus modification for QUIK

– Trojan-Spy.Win32.Broker.j for QUIK (stealing keys)

– http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/

– http://www.securitylab.ru/news/439695.php


Project Mayhem (Fraud)

• Hacker could manipulate financial data and change entries to move funds to an outside account.

– alter the remittance address on vendor records,

– create a new vendor and manual check entry,

– change general ledger accounting records,

– increase customer credit limit

– credit the balance in a customer account in order to get a refund.


Fraud in Oil And Gas

FRAUD and other infractions in Nigeria's critical oil and gas industry are enough to derail any stable economy, going by the report of the Petroleum Revenue Special Task Force by a former chairman of the Economic and Financial Crimes Commission (EFCC), Mallam Nuhu Ribadu.


SAP Security


What can happen?

How to make it more "cyber"/dangerous

• Breach + Worm

• Multiple attacks of the same type

• Against one country


What can be next?

• Just imagine what could be done by breaking:

• One ERP system

• All Business applications of a company

• All ERP Systems on particular country


SAP Security


How easy is that?

Ease of development

• Price of a vulnerability is low

• Patching is a nightmare

• Weaponization is easy

• Interconnection is high

• Availability via the Internet


Price of vulnerability

• Prices for typical vulnerabilities in Flash and browsers are going higher.

• Security of applications and OSes is growing

• It is much easier to find an architectural issue in an ERP

• 2000 vulnerabilities closed by SAP alone during 3 years

• And such an issue will keep working for years


SAP Security Notes by year

Chart: number of SAP Security Notes per year, 2001 to 2013 (y-axis 0 to 900). More than 2600 in total.

Patching is a nightmare

• You need to stop business process

• Sometimes you need to update multiple parts

• Examples of huge architectural issues from:

– Microsoft Dynamics

– Oracle JDE

– SAP SDM


Microsoft Dynamics authentication

• Dynamics security – only visual restrictions of the fat client

• All users have rights to the companies' databases

• The only obstruction: impossible to connect to the SQL server directly

• Reverse engineering to understand the password "encryption" algorithm

• Create a tool

• Every user can become Administrator

• NO PATCH! Only new architecture can help (but there is no such)


Oracle JD Edwards authentication

• All the security of JD Edwards relies on the visual restrictions of the fat client

• In fact, all users have rights to the company's data, because the client connects using the special account JDE

• Then, depending on user and password, security is checked on the fat client

• A user can connect directly to the database using the JDE account and modify his rights at table level

• Every user can become Administrator

• NO PATCH! Only a move to a 3-tier architecture


SAP SDM authentication

• Authentication is done by providing a hash of the password

• It means that pass-the-hash is possible

• First of all, the hash can be simply sniffed, so it is like authenticating using a clear-text password.

• Secondly, hashes are stored in an OS file, so they can be accessed by using other vulnerabilities.

• After getting a hash it is possible to upload any backdoor into SAP

• To patch it you need to modify client and server at the same time.

• Install SAP Note 1724516
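To show why "authenticate by sending the password hash" is equivalent to sending the password, here is an added Python model (constructed for this page, not SDM's real protocol or ERPScan's code): a hash-as-credential server against which a sniffed value replays, next to a nonce-based challenge-response that defeats replay. User names, passwords and hash choices are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed user database for the demo (not SDM's real store or algorithm).
USERS = {"admin": "s3cret-pass"}


class HashIsTheCredential:
    """Toy 'send me the hash of your password' scheme: the SDM-style weakness."""

    def __init__(self, users):
        self.store = {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}

    def login(self, user, presented_hash):
        # The stored value is exactly what the client must present, so a hash
        # sniffed off the wire or read from the file on disk is as good as the
        # clear-text password.
        return hmac.compare_digest(self.store.get(user, ""), presented_hash)


class ChallengeResponse:
    """Nonce-based scheme: nothing replayable crosses the wire."""

    def __init__(self, users):
        self.store = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}
        self.pending = {}

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user, response):
        nonce = self.pending.pop(user, None)  # one nonce, one attempt
        if nonce is None or user not in self.store:
            return False
        expected = hmac.new(self.store[user], nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    """What a legitimate client sends in the challenge-response scheme."""
    return hmac.new(hashlib.sha256(password.encode()).digest(), nonce, "sha256").digest()


def replay_against_hash_scheme():
    """Sniff one legitimate login to the hash scheme and replay it verbatim."""
    srv = HashIsTheCredential(USERS)
    sniffed = hashlib.sha1(USERS["admin"].encode()).hexdigest()  # value seen on the wire
    return srv.login("admin", sniffed)  # True: the hash *is* the credential


def replay_against_challenge_scheme():
    """Sniff one legitimate challenge-response login and replay it later."""
    srv = ChallengeResponse(USERS)
    sniffed = client_response(USERS["admin"], srv.challenge("admin"))
    assert srv.login("admin", sniffed)  # the genuine session succeeds
    srv.challenge("admin")              # a new session gets a fresh nonce
    return srv.login("admin", sniffed)  # False: the captured response is stale
```

The challenge-response variant removes the sniffing problem but not the stolen-file problem, since the stored digest is still the HMAC key. Either way the protocol changes, which is why, as the slide notes, client and server have to be modified together.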


SAP Security


DEMO

SAP NetWeaver ABAP - versions

Chart: NetWeaver ABAP versions by popularity. Shares shown: 35%, 23%, 19%, 11%, 6%, 5%. Releases: 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004).

The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!

Special payload is not needed

• Remember Verb Tampering User creation

• Just one request and you are inside the system

• A second request and you are admin

• Then you can do whatever you want with simple HTTP requests

• If it is only a technical system, you can jump to connected systems


Systems are highly connected

• Systems are highly connected with each other by trust relationship

• Even between companies they are connected by ESB systems

• Remember also SSRF?

• http://cwe.mitre.org/data/definitions/918.html

• Second place in Top 10 web application techniques 2012

• Allows bypassing firewall restrictions and directly connecting to protected systems via connected systems


Business applications on the Internet

• Companies have Portals, SRMs, CRMs remotely accessible

• Companies connect different offices by ESB

• SAP users are connected to SAP via SAPRouter

• Administrators open management interfaces to the Internet for remote control


Business applications on the Internet

SAP HTTP Services can be easily found on the Internet:

• inurl:/irj/portal

• inurl:/IciEventService sap

• inurl:/IciEventService/IciEventConf

• inurl:/wsnavigator/jsps/test.jsp

• inurl:/irj/go/km/docs/


Shodan scan

A total of 3741 servers with different SAP web applications were found.

Chart: share by application server (41%, 34%, 20%, 6%) across SAP NetWeaver J2EE, SAP NetWeaver ABAP, SAP Web Application Server, and Other (BusinessObjects, SAP Hosting, etc).

Chart: growth by application server (values shown: 94%, 72%, 30%, -20%, -55%; y-axis -80% to 120%).

SAP Router

• Special application proxy

• Transfers requests from Internet to SAP (and not only)

• Can work through VPN or SNC

• Almost every company uses it for connecting to SAP to download updates

• Usually listens to port 3299

• Internet accessible (approximately 5000 IPs)

• http://www.easymarketplace.de/saprouter.php

SAP Router: known issues

• Absence of ACL – 15%

– Possible to proxy any request to any internal address

• Information disclosure about internal systems – 19%

– Denial of service by specifying many connections to any of the listed SAP servers

– Proxy requests to the internal network if there is an absence of ACL

• Insecure configuration, authentication bypass – 5%

• Heap corruption vulnerability – many!
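A defender's check for the "absence of ACL" case, as an added Python example (not ERPScan's tooling): it parses a saprouttab route table and flags permit entries that let a caller reach arbitrary internal hosts or services. The sample table is constructed; the line format `<P|S|D> <source> <destination> <service> [<password>]` and first-match-wins evaluation are my assumptions about saprouttab.

```python
# Constructed saprouttab excerpt. Assumed format (see lead-in):
#   P = permit any protocol, S = permit SAP protocol only, D = deny;
#   then source host/net, destination host, destination service, optional password.
SAMPLE_ROUTTAB = """\
# lets anyone on the Internet reach any internal host and port:
# the 'absence of ACL' configuration described on the slide
P * * *
# a scoped rule: one customer subnet, one SAP server, one dispatcher port
S 10.20.30.0/24 sapprd01 3200
# explicit catch-all deny
D * * *
"""


def parse_routtab(text):
    """Return route entries in file order (order matters: first match wins)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line; a real audit would report it
        kind, src, dst, svc = fields[:4]
        rules.append({"kind": kind.upper(), "src": src, "dst": dst, "svc": svc})
    return rules


def risky_rules(rules):
    """Flag permit rules that turn the router into an open proxy to the inside."""
    findings = []
    for pos, r in enumerate(rules, start=1):
        if r["kind"] == "D":
            continue
        if r["src"] == "*" and r["dst"] == "*":
            findings.append((pos, "any source may reach any destination"))
        elif r["dst"] == "*":
            findings.append((pos, "fixed source may reach any internal destination"))
        if r["svc"] == "*":
            findings.append((pos, "any destination service is allowed"))
        if r["kind"] == "P":
            findings.append((pos, "P rule lets non-SAP protocols through the router"))
    return findings


def shadowed_denies(rules):
    """A catch-all permit placed above a deny makes that deny unreachable."""
    seen_open, shadowed = False, []
    for pos, r in enumerate(rules, start=1):
        if r["kind"] == "D" and seen_open:
            shadowed.append(pos)
        if r["kind"] != "D" and (r["src"], r["dst"], r["svc"]) == ("*", "*", "*"):
            seen_open = True
    return shadowed
```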


Port scan results

• Are you sure that only the necessary SAP services are exposed to the Internet?

• We were not

• In 2011, we ran a global project to scan all of the Internet for SAP services

• It is not completely finished yet, but we have the results for the top 1000 companies

• We were shocked when we saw them first


Port scan results

Chart: number of exposed services in 2011 vs 2013 (y-axis 0 to 35) for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, and SAP Router.

Listed services should not be accessible from the Internet

Why?

Why are there not many public examples of breaches if the situation is so bad?


Examples

• Fraud – very popular inside companies, but you see only some incidents

• Sabotage – at this moment it is maybe easier to DDoS than to DoS, but we will see

• Espionage – here we don't see many, because it is designed to be unseen. You never know about it, especially if you don't enable logging


SAP Security Forensics

• There is not so much info in public

• Companies are not interested in publication of a compromise

• But the main problem is here:

– How can you be sure that there was no compromise?

– Only 10% of systems have the Security Audit Log enabled

– Only a few of them analyze those logs

– And much fewer do central storage and correlation

* Based on the assessment of over 250 servers of companies that allowed us to share results.


Percent of enabled log options

• ICM log (icm/HTTP/logging_0): 70%

• Security Audit Log in ABAP: 10%

• Table access logging (rec/client): 4%

• Message Server log (ms/audit): 2%

• SAP Gateway access log: 2%

* Based on the assessment of over 250 servers of companies that allowed us to share results.
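To make this list checkable on one's own systems, here is an added Python example (not ERPScan's scanner) that reads an SAP instance profile in its `name = value` form and reports which of the logging options listed above are off. The profile text is constructed; `rsau/enable` and `gw/logging` as the parameters behind the Security Audit Log and the gateway log, and the conditions that count as "enabled", are my assumptions.

```python
# Constructed instance-profile excerpt in SAP's "name = value" syntax with
# '#' comment lines; the values are made up for this demo.
SAMPLE_PROFILE = """\
# Instance profile (constructed sample)
SAPSYSTEMNAME = PRD
rec/client = OFF
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log,LOGFORMAT=SAP
# rsau/enable = 1    <- commented out, so the Security Audit Log stays off
ms/audit = 0
"""

# Parameter -> (description, predicate on the configured value; None = absent).
# Which values count as "enabled" is an assumption made for this demo.
CHECKS = {
    "icm/HTTP/logging_0": ("ICM HTTP access log",
                           lambda v: v is not None and "LOGFILE=" in v),
    "rsau/enable":        ("Security Audit Log (ABAP)", lambda v: v == "1"),
    "rec/client":         ("Table change logging",
                           lambda v: v is not None and v.upper() != "OFF"),
    "ms/audit":           ("Message Server audit log", lambda v: v in ("1", "2")),
    "gw/logging":         ("Gateway access log",
                           lambda v: v is not None and "ACTION=" in v),
}


def parse_profile(text):
    """Parse 'name = value' lines; '#' lines are comments; a later line wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def logging_gaps(params):
    """Return (parameter, description, configured value) for every log that is off."""
    gaps = []
    for name, (label, enabled) in CHECKS.items():
        value = params.get(name)  # None when the parameter is not set at all
        if not enabled(value):
            gaps.append((name, label, value))
    return gaps


if __name__ == "__main__":
    for name, label, value in logging_gaps(parse_profile(SAMPLE_PROFILE)):
        print(f"{name:22} {label:28} configured={value!r}")
```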


SAP Security


Weapons

• DoS for a bank

• Oil fraud, then manipulation of prices and the economy

• Multiple money transfer fraud

• Or?


SAP Worm


Defense

• EAS-SEC: a resource which combines

– Guidelines for assessing enterprise application security

– Guidelines for assessing custom code

– Surveys about enterprise application security


EAS-SEC Guidelines

• 1. Lack of patch management

• 2. Default passwords

• 3. Unnecessary enabled functionality

• 4. Remotely enabled administrative services

• 5. Insecure configuration

• 6. Unencrypted communications

• 7. Internal access control and SoD

• 8. Insecure trust relations

• 9. Monitoring of security events


Conclusion


Guides

Security assessments

Code review

Continuous Monitoring of all areas

Segregation of duties

Conclusion

Issues are everywhere, but the risks and the price for mitigation are different.

SAP Security


Questions?

Conclusion

We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.


web: www.erpscan.com www.dsecrg.com e-mail: [email protected], [email protected]