BreachExchange mailing list archives

New malware variant suggests cybercriminals targeting SAP users


From: Lee J <lee () riskbasedsecurity com>
Date: Sat, 2 Nov 2013 08:43:56 +1100

http://www.infoworld.com/d/security/new-malware-variant-suggests-cybercriminals-targeting-sap-users-230014

A new variant of a Trojan program that targets online banking accounts also
contains code to search if infected computers have SAP client applications
installed, suggesting that attackers might target SAP systems in the future.

The malware was discovered a few weeks ago by Russian antivirus company
Doctor Web, which shared it with researchers from ERPScan, a developer of
security monitoring products for SAP systems.

"We've analyzed the malware and all it does right now is to check which
systems have SAP applications installed," said Alexander Polyakov, chief
technology officer at ERPScan. "However, this might be the beginning for
future attacks."

When malware does this type of reconnaissance to see if particular software
is installed, the attackers either plan to sell access to those infected
computers to other cybercriminals interested in exploiting that software or
they intend to exploit it themselves at a later time, the researcher said.

Polyakov presented the risks of such attacks and others against SAP systems
at the RSA Europe security conference in Amsterdam on Thursday.

To his knowledge, this is the first piece of malware targeting SAP client
software that wasn't created as a proof-of-concept by researchers, but by
real cybercriminals.

SAP client applications running on workstations have configuration files
that can be easily read and contain the IP addresses of the SAP servers
they connect to. Attackers can also hook into the application processes and
sniff SAP user passwords, or read them from configuration files and GUI
automation scripts, Polyakov said.

There's a lot that attackers can do with access to SAP servers. Depending
on what permissions the stolen credentials have, they can steal customer
information and trade secrets or they can steal money from the company by
setting up and approving rogue payments or changing the bank account of
existing customers to redirect future payments to their account, he added.

There are efforts in some enterprise environments to limit permissions for
SAP users based on their duties, but those are big and complex projects. In
practice most companies allow their SAP users to do almost everything or
more than what they're supposed to, Polyakov said.

Even if some stolen user credentials don't give attackers the access they
want, there are default administrative credentials that many companies
never change or forget to change on some instances of their development
systems that have snapshots of the company data, the researcher said.

With access to SAP client software, attackers could steal sensitive data
like financial information, corporate secrets, customer lists or human
resources information and sell it to competitors. They could also launch
denial-of-service attacks against a company's SAP servers to disrupt its
business operations and cause financial damage, Polyakov said.

SAP customers are usually very large enterprises. There are almost 250,000
companies using SAP products in the world, including over 80 percent of
those on the Forbes 500 list, according to Polyakov.

If timed correctly, some attacks could even influence the company's stock
and would allow the attackers to profit on the stock market, according to
Polyakov.

Dr. Web detects the new malware variant as part of the Trojan.Ibank family,
but this is likely a generic alias, he said. "My colleagues said that this
is a new modification of a known banking Trojan, but it's not one of the
very popular ones like ZeuS or SpyEye."

However, malware is not the only threat to SAP customers. ERPScan
discovered a critical unauthenticated remote code execution vulnerability
in SAProuter, an application that acts as a proxy between internal SAP
systems and the Internet.

A patch for this vulnerability was released six months ago, but ERPScan
found that out of 5,000 SAProuters accessible from the Internet, only 15
percent currently have the patch, Polyakov said. If you get access to a
company's SAProuter, you're inside the network and you can do the same
things you can when you have access to a SAP workstation, he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Times Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
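The article describes the malware's behaviour as reconnaissance: checking whether SAP client software is installed and reading the client configuration files that hold SAP server addresses. The following Python script is an added illustration of how a defender might flag that behaviour in endpoint telemetry; it is not code from the article, from ERPScan or from Doctor Web. The event schema, the file paths (saplogon.ini and the SAP UI landscape XML files under the per-user SAP\Common folder), the registry locations and the process allowlist are all assumptions meant to be adapted to a real EDR, and the sample events are constructed.

```python
"""Flag endpoint telemetry that resembles the SAP-client reconnaissance the
article describes: a process that is not an SAP client enumerating SAP GUI
install keys or reading the landscape/config files that list SAP servers.

Added example with constructed data. Paths, registry keys, process names and
the event format are assumptions, not facts from the article.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from collections import Counter

# Files where SAP GUI keeps its connection list (assumption: typical SAP GUI
# for Windows locations; verify against your own installation).
SAP_CONFIG_PATTERNS = (
    "*\\sap\\common\\saplogon.ini",
    "*\\sap\\common\\sapuilandscape.xml",
    "*\\sap\\common\\sapuilandscapeglobal.xml",
)
# Registry trees that reveal whether an SAP client is installed (assumption).
SAP_REGISTRY_PATTERNS = (
    "hklm\\software\\sap\\*",
    "hklm\\software\\wow6432node\\sap\\*",
)
# Processes expected to touch those artefacts in normal use (assumption;
# tune to the image names actually present in your environment).
EXPECTED_PROCESSES = {"saplogon.exe", "sapgui.exe", "nwbc.exe", "msiexec.exe"}


@dataclass(frozen=True)
class Event:
    host: str
    process: str   # image name of the acting process
    kind: str      # "file_read" or "reg_query"
    target: str    # file path or registry key touched


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    reason: str
    target: str


def _matches(target, patterns):
    # Case-insensitive glob match; '*' also spans backslashes, so the
    # leading '*' absorbs any drive letter and profile directory.
    t = target.lower()
    return any(fnmatchcase(t, p) for p in patterns)


def classify(event):
    """Return an Alert if the event looks like SAP-client reconnaissance, else None."""
    if event.process.lower() in EXPECTED_PROCESSES:
        return None
    if event.kind == "file_read" and _matches(event.target, SAP_CONFIG_PATTERNS):
        return Alert(event.host, event.process,
                     "non-SAP process read SAP connection config", event.target)
    if event.kind == "reg_query" and _matches(event.target, SAP_REGISTRY_PATTERNS):
        return Alert(event.host, event.process,
                     "non-SAP process enumerated SAP install keys", event.target)
    return None


def detect(events):
    """Run classify() over a batch of events and keep only the alerts."""
    return [a for a in map(classify, events) if a is not None]


def hosts_by_alert_count(alerts):
    """Triage helper: how many reconnaissance alerts each host produced."""
    return Counter(a.host for a in alerts)


# Constructed sample telemetry: one benign SAP GUI read, two suspicious
# actions by an unknown binary in a temp folder, one unrelated file read.
SAMPLE_EVENTS = [
    Event("ws-01", "saplogon.exe", "file_read",
          "C:\\Users\\alice\\AppData\\Roaming\\SAP\\Common\\saplogon.ini"),
    Event("ws-01", "updater.exe", "file_read",
          "C:\\Users\\alice\\AppData\\Roaming\\SAP\\Common\\saplogon.ini"),
    Event("ws-01", "updater.exe", "reg_query",
          "HKLM\\SOFTWARE\\SAP\\SAP Shared"),
    Event("ws-02", "chrome.exe", "file_read",
          "C:\\Users\\bob\\Downloads\\report.pdf"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.process} - {alert.reason} ({alert.target})")
    print(hosts_by_alert_count(detect(SAMPLE_EVENTS)))
```

The allowlist is the weak point of a rule like this: an attacker running inside an expected process would not be caught, so in practice the file-read rule is better paired with a check that the reading process image lives under the SAP GUI install directory rather than matching on name alone.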
