Invest in security to secure investments
If I Want a Perfect Cyberweapon I'll Target ERP
Alexander Polyakov CTO ERPScan
About ERPScan
• The only 360-degree SAP Security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
Alexander Polyakov
• CTO of the ERPScan company
• EAS-SEC.org project leader
• Business application security expert
• R&D Professional of the year by Network Product Guide
• Organizer of ZeroNights conference
[email protected]
Twitter: @sh2kerr
ERPScan
• Develop software for SAP security monitoring
• Provide SAP/ERP Security trainings and consulting
• Leader by the number of acknowledgements from SAP (150+)
• Invited to talk at 50+ key security conferences in 20+ countries on all continents (BlackHat, RSA, HITB)
• Most acknowledged ERP Security vendor (18 awards)
Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge on SAP research.
Leading SAP AG partner in the field of discovering security vulnerabilities by the number of found vulnerabilities
Intro
• I hate “CYBER” talks and this buzz
• I usually do more technical presentations
• But if we talk about it, why do we skip this area?
• I’m about Business Applications and ERP systems

• Intro
• Big companies and critical systems
• What has happened
• How easy is that
• What can happen
• Forensics
• What we can do
• Conclusions
Big companies
• Oil and Gas
• Manufacturing
• Logistics
• Financials
• Nuclear
• Retail
• Telecommunication
• etc.
Big companies
[Diagram: ERP at the centre, linked to Portal, HR, Logistics, Warehouse, Billing, BI, CRM, SRM and Industry systems, and outward to Suppliers, Customers, Banks, Insurance, Partners and Branches]
How popular are business applications?
SAP
• More than 246,000 customers worldwide
• 86% of Forbes 500
Oracle
• 100% of Fortune 100
Microsoft
• More than 300,000 businesses worldwide choose Microsoft Dynamics ERP and CRM software
What can happen
• Espionage
– Stealing financial information
– Stealing corporate secrets
– Stealing supplier and customer lists
– Stealing HR data
• Sabotage
– Denial of service
– Modification of financial reports
– Access to the technology network (SCADA) via trust relations
• Fraud
– False transactions
– Modification of master data
Autocad virus (Industrial espionage)
• Autocad virus
• Stealing critical documents
• Sending them, potentially, to China
– http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html
PeopleSoft vulnerabilities (Sabotage)
• Presented at BlackHat USA
• Old and new issues
• The old one was a buffer overflow in a login page
• Over 500 systems can be found by Googling
• The new issues ranged from information disclosure to unauthorized system access
• Potential to steal the data of 20 million customers
US Department of Energy Breach
• Sabotage
• Real example of stealing
• 14,000 records
• Target: HR system (maybe PeopleSoft)
• Unauthorized disclosure of federal employee Personally Identifiable Information
Istanbul Provincial Administration
• Unauthorized disclosure of federal employee Personally Identifiable Information
• Erasing people’s debts
Potential Anonymous attack
Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”
* This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.
Fraud
• Invoice company for a greater number of hours than worked
• Ghost employees of the vendor
• Vendor employees billed at amounts higher than contract rate
• Vendor employees billed at higher job classification than actual work performed (skilled vs. non-skilled labor rates)
• Invoice company for incorrect equipment or materials charges
• Vendor charges for equipment not needed or used for the job performed
Fraud
• Vendor charges for materials not used, or materials are for the personal benefit of a company employee
• Vendor charges for equipment or material at higher prices than allowed by the contract
• Invoice company incorrectly for other services
• Vendor charges for services performed where work is not subject to audit clause
• Vendor charges include material purchases from, or work performed by, related companies at inflated prices
http://www.padgett-cpa.com/insights/articles/fraud-risks-oil-and-gas-industry
Fraud
• The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.
• Real examples that we met:
– Salary modification
– Material management fraud
– Mistaken transactions
Fraud
• PwC Survey: 3000 organizations in 54 countries
– 30% were victims of economic crime in the previous 12 months
• Average loss per organization from fraud: $500k + collateral damage
• Asset misappropriation – 83%
• Accounting fraud – 33%
Internet-Trading virus (Fraud)
• Ranbyus modification for QUIK
• Trojan-Spy.Win32.Broker.j for QUIK (stealing keys)
– http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/
– http://www.securitylab.ru/news/439695.php
Project Mayhem (Fraud)
• A hacker could manipulate financial data and change entries to move funds to an outside account:
– alter the remittance address on vendor records
– create a new vendor and manual check entry
– change general ledger accounting records
– increase a customer credit limit
– credit the balance in a customer account in order to get a refund
Fraud in Oil And Gas
FRAUD and other infractions in Nigeria’s critical oil and gas industry are enough to derail any stable economy, going by the report of the Petroleum Revenue Special Task Force by a former chairman of the Economic and Financial Crimes Commission (EFCC), Mallam Nuhu Ribadu.
SAP Security
What can happen?
How to make it more “Cyber/Danger”
• Breach + Worm
• Multiple attacks on the same type of system
• Against one country
What can be next?
• Just imagine what could be done by breaking:
• One ERP system
• All business applications of a company
• All ERP systems in a particular country
SAP Security
How easy is that?
Ease of development
• Price of a vulnerability is low
• Patching is a nightmare
• Weaponization is easy
• Interconnection is high
• Availability via the Internet
Price of vulnerability
• The price of typical vulnerabilities in Flash and browsers is going higher
• Security of applications and OS is growing
• It is much easier to find an architecture issue in ERP
• 2000 vulnerabilities closed by SAP alone during 3 years
• And such an issue will work for years
SAP Security notes by year
[Bar chart: number of SAP Security Notes per year, 2001 to 2013; y-axis 0 to 900]
More than 2600 in total
Patching is a nightmare
• You need to stop the business process
• Sometimes you need to update multiple parts
• Examples of huge architectural issues from:
– Microsoft Dynamics
– Oracle JDE
– SAP SDM
Microsoft Dynamics authentication
• Dynamics security: only visual restrictions of the fat client
• All users have rights to the companies’ databases
• The only obstruction: impossible to connect to the SQL server directly
• Reverse engineering to understand the password “encryption” algorithm
• Create a tool
• Every user can become Administrator
• NO PATCH! Only a new architecture can help (but there is no such)
Oracle JD Edwards authentication
• All the security of JD Edwards relies on the visual restrictions of the fat client
• In fact, all users have rights to the company’s data, because the client connects using a special account, JDE
• Then, depending on user and password, security is checked on the fat client
• A user can connect directly to the database using the JDE account and modify his rights at table level
• Every user can become Administrator
• NO PATCH! Only a move to a 3-tier architecture
SAP SDM authentication
• Authentication is done by providing a hash of the password
• It means that it is possible to do Pass-the-Hash
• First of all, the hash can simply be sniffed, so it is like authenticating with a cleartext password
• Secondly, hashes are stored in an OS file, so they can be accessed by using other vulnerabilities
• After getting a hash it is possible to upload any backdoor into SAP
• To patch it you need to modify client and server at the same time
• Install SAP Note 1724516
SAP Security
DEMO
SAP NetWeaver ABAP - versions
[Pie chart: NetWeaver ABAP versions by popularity. Legend, in order: 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004); shares in the same order: 35%, 23%, 19%, 11%, 6%, 5%]
The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!
Special payload is not needed
• Remember Verb Tampering user creation
• Just one request and you are inside the system
• Second request and you are admin
• Then you can do whatever you want with simple HTTP requests
• If it is only a technical system, you can jump to a connected system
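The bug class behind this slide is a Java EE web.xml security constraint that enumerates HTTP methods: under the Servlet specification a `<web-resource-collection>` that lists `<http-method>` elements is enforced only for those verbs, so a HEAD (or any other) request reaches the servlet without passing the `<auth-constraint>`. As an added example (not code from the talk or from ERPScan), here is a checker that flags such constraints in a deployment descriptor and a function that removes the method list so the constraint covers every verb. The web.xml it runs on is constructed and its paths and role names are hypothetical:

```python
"""Find Java EE security constraints that HTTP verb tampering can bypass.

Added example, not code from the talk. The web.xml below is constructed and its
servlet paths/role names are hypothetical. Rule (Servlet specification): a
<web-resource-collection> with no <http-method> constrains every verb; one that
lists <http-method> elements constrains only those, so HEAD, PUT, DELETE, or an
arbitrary verb reaches the resource without passing the <auth-constraint>.
"""
import xml.etree.ElementTree as ET

JAVAEE = "http://java.sun.com/xml/ns/javaee"
NS = "{" + JAVAEE + "}"

# Constructed descriptor: the first constraint is bypassable, the second is not.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin console (weak)</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Config servlet (hardened)</web-resource-name>
      <url-pattern>/config/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def find_verb_tampering(web_xml: str) -> list:
    """One finding per web-resource-collection that enumerates HTTP methods
    inside a constraint that actually carries an <auth-constraint>."""
    root = ET.fromstring(web_xml)
    findings = []
    for constraint in root.iter(NS + "security-constraint"):
        if constraint.find(NS + "auth-constraint") is None:
            continue  # no access control here, so nothing to bypass
        for coll in constraint.iter(NS + "web-resource-collection"):
            methods = sorted(m.text.strip().upper()
                             for m in coll.iter(NS + "http-method") if m.text)
            if not methods:
                continue  # every verb is constrained: correct
            name = coll.find(NS + "web-resource-name")
            findings.append({
                "resource": name.text.strip() if name is not None and name.text else "",
                "url_patterns": [p.text.strip() for p in coll.iter(NS + "url-pattern") if p.text],
                "constrained_methods": methods,
                "bypass_hint": "any verb not in constrained_methods, e.g. HEAD",
            })
    return findings


def harden(web_xml: str) -> str:
    """Return the descriptor with every <http-method> removed, so each
    constraint applies to all verbs (the usual fix for verb tampering)."""
    root = ET.fromstring(web_xml)
    for coll in root.iter(NS + "web-resource-collection"):
        for m in coll.findall(NS + "http-method"):
            coll.remove(m)
    ET.register_namespace("", JAVAEE)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_verb_tampering(SAMPLE_WEB_XML):
        print("VULNERABLE", f["url_patterns"], "only constrains", f["constrained_methods"])
    print("after harden():", find_verb_tampering(harden(SAMPLE_WEB_XML)))
```

The black-box form of the same check is a URL that answers 401 to GET but 200 to HEAD: `HttpServlet.doHead()` falls through to `doGet()`, so the bypassed verb executes the handler. On a Servlet 3.1 container `<deny-uncovered-http-methods/>` in web.xml closes the gap for every constraint at once, which is preferable to editing each one by hand.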
Systems are highly connected
• Systems are highly connected with each other by trust relationships
• Even between companies they are connected by ESB systems
• Remember also SSRF?
• http://cwe.mitre.org/data/definitions/918.html
• Second place in the Top 10 web application hacking techniques of 2012
• Allows bypassing firewall restrictions and directly connecting to protected systems via connected systems
Business applications on the Internet
• Companies have Portals, SRMs, CRMs remotely accessible
• Companies connect different offices by ESB
• SAP users are connected to SAP via SAProuter
• Administrators open management interfaces to the Internet for remote control
Business applications on the Internet
SAP HTTP services can be easily found on the Internet:
• inurl:/irj/portal
• inurl:/IciEventService sap
• inurl:/IciEventService/IciEventConf
• inurl:/wsnavigator/jsps/test.jsp
• inurl:/irj/go/km/docs/
Shodan scan
A total of 3741 servers with different SAP web applications were found
[Pie chart, share by product. Legend, in order: SAP NetWeaver J2EE, SAP NetWeaver ABAP, SAP Web Application Server, Other (BusinessObjects, SAP Hosting, etc.); shares in the same order: 41%, 34%, 20%, 6%]
[Bar chart: growth by application server; values 94%, 72%, 30%, -20%, -55%]
SAP Router
• Special application proxy
• Transfers requests from the Internet to SAP (and not only)
• Can work through VPN or SNC
• Almost every company uses it for connecting to SAP to download updates
• Usually listens on port 3299
• Internet accessible (approximately 5000 IPs)
• http://www.easymarketplace.de/saprouter.php
SAP Router: known issues
• Absence of ACL – 15%
– Possible to proxy any request to any internal address
• Information disclosure about internal systems – 19%
– Denial of service by specifying many connections to any of the listed SAP servers
– Proxy requests to the internal network if there is absence of ACL
• Insecure configuration, authentication bypass – 5%
• Heap corruption vulnerability – many!
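The "absence of ACL" issue is a saprouttab problem: the route permission table decides which source may open a route to which host and port, and a wildcard permit turns the router into an open proxy into the internal network. The following added example (not ERPScan's tooling) parses a saprouttab, flags permissive permit rules, and evaluates a route the way saprouter does, first match wins and no match means deny. Both tables are constructed and use documentation address ranges:

```python
"""Audit a saprouttab (SAP Router route permission table) for permissive rules.

Added example, not ERPScan's code; both tables below are constructed and use
documentation IP ranges. saprouttab recap: one rule per line, '#' starts a
comment, whitespace-separated fields
    P <source-host> <dest-host> <dest-service> [<password>]   permit
    D <source-host> <dest-host> <dest-service>                deny
    S <source-host> <dest-host> <dest-service> [<password>]   permit, SNC only
KP/KD/KS carry an SNC name in the source field and are treated like P/D/S here.
'*' is a wildcard; rules are evaluated top-down and the first match wins; a
connection that matches no rule is refused.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List

WEAK_SAPROUTTAB = """
# constructed: the "absence of ACL" case from the talk
P * * *
"""

HARDENED_SAPROUTTAB = """
# constructed: one external peer and one admin host may reach one dispatcher
# port, everything else is denied explicitly
P 203.0.113.10 10.0.0.10 3200
P 10.0.0.5     10.0.0.10 3200
D * * *
"""


@dataclass
class Rule:
    action: str          # 'P', 'D' or 'S' (K-variants folded in)
    source: str
    dest: str
    service: str
    line_no: int
    has_password: bool


def parse_saprouttab(text: str) -> List[Rule]:
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {n}: expected 4+ fields, got {raw!r}")
        action = fields[0].upper()
        if len(action) == 2 and action[0] == "K":
            action = action[1]
        if action not in ("P", "D", "S"):
            raise ValueError(f"line {n}: unknown action {fields[0]!r}")
        rules.append(Rule(action, fields[1], fields[2], fields[3], n, len(fields) > 4))
    return rules


def audit_saprouttab(text: str) -> List[str]:
    """Return findings as strings; an empty list means nothing permissive."""
    rules = parse_saprouttab(text)
    findings = []
    for r in rules:
        if r.action == "D":
            continue
        if r.dest == "*" and r.service == "*":
            findings.append(f"line {r.line_no}: {r.source} may reach ANY host on ANY port (open proxy)")
        elif r.dest == "*":
            findings.append(f"line {r.line_no}: {r.source} may reach any host on port {r.service}")
        elif r.service == "*":
            findings.append(f"line {r.line_no}: {r.source} may reach every port on {r.dest}")
        if r.source == "*" and r.action == "P" and not r.has_password:
            findings.append(f"line {r.line_no}: permit from any source without a route password")
    if not rules or rules[-1].action != "D":
        findings.append("no closing 'D * * *' rule (implicit deny only)")
    return findings


def route_allowed(rules: List[Rule], source: str, dest: str, service: str) -> bool:
    """First matching rule decides; no match means deny.
    Simplification: '*' wildcards only, no subnet masks or port ranges."""
    for r in rules:
        if (fnmatchcase(source, r.source) and fnmatchcase(dest, r.dest)
                and fnmatchcase(service, r.service)):
            return r.action in ("P", "S")
    return False


if __name__ == "__main__":
    for name, tab in (("weak", WEAK_SAPROUTTAB), ("hardened", HARDENED_SAPROUTTAB)):
        print(name, audit_saprouttab(tab) or ["OK"])
        print("  198.51.100.7 -> 10.0.0.99:22 allowed?",
              route_allowed(parse_saprouttab(tab), "198.51.100.7", "10.0.0.99", "22"))
```

The audit is deliberately strict about a trailing `D * * *`: saprouter refuses unmatched routes on its own, but the explicit deny documents intent and survives a later edit that appends a permissive line. The information-disclosure and DoS items on the slide are not saprouttab questions; they depend on which hosts may issue router administration commands and on connection limits, so they need a separate check.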
Port scan results
• Are you sure that only the necessary SAP services are exposed to the Internet?
• We were not
• In 2011, we ran a global project to scan all of the Internet for SAP services
• It is not completely finished yet, but we have the results for the top 1000 companies
• We were shocked when we saw them first
Port scan results
[Bar chart: number of exposed services found in 2011 vs 2013 for SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server and SAP Router; y-axis 0 to 35]
Listed services should not be accessible from the Internet
Why?
Why are there not many public examples of breaches, if the situation is so bad?
Examples
• Fraud – very popular inside companies, but you see only some incidents
• Sabotage – at this moment it is maybe easier to DDoS than to DoS, but we will see
• Espionage – this is what we don’t see much of, because it is designed to be unseen. You never know about it, especially if you don’t enable logging
SAP Security Forensics
• There is not much info in public
• Companies are not interested in publication of a compromise
• But the main problem is here:
– How can you be sure that there was no compromise?
– Only 10% of systems have the Security Audit Log enabled
– Only a few of them analyze those logs
– And far fewer do central storage and correlation
* Based on the assessment of over 250 servers of companies that allowed us to share results.
Percent of enabled log options
• ICM log (icm/HTTP/logging_0): 70%
• Security audit log in ABAP: 10%
• Table access logging (rec/client): 4%
• Message Server log (ms/audit): 2%
• SAP Gateway access log: 2%
* Based on the assessment of over 250 servers of companies that allowed us to share results.
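To reproduce the check behind these percentages on your own systems you read the instance profile. As an added example (not ERPScan's code), the following parses a profile and reports which of the five log sources above are actually on. The profile excerpts are constructed, and the parameter names rsau/enable for the Security Audit Log and gw/logging for the gateway log are my additions; the slide names only the other three:

```python
"""Report which of the SAP log sources from the talk an instance profile turns on.

Added example, not ERPScan's code. The profile excerpts are constructed. The slide
names the logs but not every parameter; rsau/enable (Security Audit Log) and
gw/logging (gateway log) are my additions, the other three are from the slide.
"""
import re
from typing import Dict, List

# Constructed: the common picture from the talk, ICM log on, everything else off
SAMPLE_PROFILE = """
# instance profile excerpt (constructed)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_HOME)/http_access.log,LOGFORMAT=CLF
rsau/enable = 0
rec/client = OFF
ms/audit = 0
"""

# Constructed: all five sources enabled
HARDENED_PROFILE = """
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_HOME)/http_access.log,LOGFORMAT=CLF
rsau/enable = 1
rec/client = ALL
ms/audit = 1
gw/logging = ACTION=Ss LOGFILE=gw_log-%y-%m-%d SWITCHTF=day
"""


def parse_profile(text: str) -> Dict[str, str]:
    """'name = value' per line, '#' starts a comment, last assignment wins."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def logging_status(params: Dict[str, str]) -> Dict[str, bool]:
    """True when the parameter value actually produces log records.
    Defaults mirror an unset parameter: no ICM log target, audit log off,
    rec/client OFF, ms/audit 0, no gateway log action."""
    rec = params.get("rec/client", "OFF").upper()
    return {
        "ICM HTTP log (icm/HTTP/logging_0)": "LOGFILE=" in params.get("icm/HTTP/logging_0", "").upper(),
        "Security Audit Log (rsau/enable)": params.get("rsau/enable", "0") == "1",
        "Table access logging (rec/client)": rec not in ("", "OFF"),
        "Message Server log (ms/audit)": params.get("ms/audit", "0") in ("1", "2"),
        "Gateway access log (gw/logging)": re.search(r"\bACTION=\S+", params.get("gw/logging", "")) is not None,
    }


def missing_logs(params: Dict[str, str]) -> List[str]:
    """Log sources that are off, sorted, for a fleet-wide report."""
    return sorted(name for name, on in logging_status(params).items() if not on)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, "missing:", missing_logs(parse_profile(text)) or "none")
```

Profile values are only half the story: rsau/enable = 1 produces nothing until audit filters are active (SM19, or RSAU_CONFIG on newer releases), rec/client = ALL only logs tables flagged for logging in their technical settings, and parameters changed dynamically in RZ11 are not in the file, so a complete check also reads the running values.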
SAP Security
Weapons
Weapons
• DoS for a bank
• Fraud in oil, then manipulate prices and the economy
• Multiple money transfer fraud
• Or?
SAP Worm
Defense
• EAS-SEC: a resource which combines
– Guidelines for assessing enterprise application security
– Guidelines for assessing custom code
– Surveys about enterprise application security
EAS-SEC Guidelines
1. Lack of patch management
2. Default passwords
3. Unnecessary enabled functionality
4. Remotely enabled administrative services
5. Insecure configuration
6. Unencrypted communications
7. Internal access control and SoD
8. Insecure trust relations
9. Monitoring of security events
Conclusion
• Guides
• Security assessments
• Code review
• Continuous monitoring of all areas
• Segregation of duties
Issues are everywhere, but the risks and the price of mitigation are different
SAP Security
Ques=ons?
We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.
web: www.erpscan.com www.dsecrg.com
e-mail: [email protected], [email protected]