If I Want a Perfect Cyberweapon I'll Target ERP
Alexander Polyakov, CTO, ERPScan

Page 1: If I Want a Perfect Cyberweapon I'll Target ERP

Invest in security to secure investments

If I Want a Perfect Cyberweapon I'll Target ERP

Alexander Polyakov, CTO, ERPScan

Page 2: About ERPScan

• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

Page 3: Alexander Polyakov

• CTO of the ERPScan company
• EAS-SEC.org project leader
• Business application security expert
• R&D Professional of the Year by Network Product Guide
• Organizer of the ZeroNights conference

[email protected]  Twitter: @sh2kerr

Page 4: ERPScan

• Develop software for SAP security monitoring
• Provide SAP/ERP security trainings and consulting
• Leader by the number of acknowledgements from SAP (150+)
• Invited to talk at 50+ key security conferences in 20+ countries on all continents (BlackHat, RSA, HITB)
• Most acknowledged ERP Security vendor (18 awards)

Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices and critical infrastructure, accumulating their knowledge on SAP research.

Leading SAP AG partner in the field of discovering security vulnerabilities, by the number of found vulnerabilities.

Page 5: Intro

• I hate "CYBER" talks and this buzz
• I usually do more technical presentations
• But if we talk about it, why do we skip this area?
• I'm about business applications and ERP systems

Page 6: Intro

• Intro
• Big companies and critical systems
• What has happened
• How easy is that
• What can happen
• Forensics
• What we can do
• Conclusions

Page 7: Big companies

• Oil and Gas
• Manufacturing
• Logistics
• Financials
• Nuclear
• Retail
• Telecommunication
• etc.

Page 8: Big companies

[Diagram of a big company's interconnected business systems: Portal, HR, Logistics, Warehouse, ERP, Billing, BI, Industry, CRM, SRM, and the external parties they connect to: Suppliers, Customers, Banks, Insurance, Partners, Branches]

Page 9: How popular are business applications?

SAP
• More than 246,000 customers worldwide
• 86% of Forbes 500

Oracle
• 100% of Fortune 100

Microsoft
• More than 300,000 businesses worldwide choose Microsoft Dynamics ERP and CRM software

Page 10: What can happen

• Espionage
– Stealing financial information
– Stealing corporate secrets
– Stealing supplier and customer lists
– Stealing HR data

• Sabotage
– Denial of service
– Modification of financial reports
– Access to the technology network (SCADA) through trust relations

• Fraud
– False transactions
– Modification of master data

Page 11: Autocad virus (Industrial espionage)

• Autocad virus
• Stealing critical documents
• Sending them, potentially, to China
– http://www.telegraph.co.uk/technology/news/9346734/Espionage-virus-sent-blueprints-to-China.html

Page 12: PeopleSoft vulnerabilities (Sabotage)

• Presented at BlackHat USA
• Old and new issues
• The old one was a buffer overflow in a login page
• Over 500 systems can be found by Googling
• The new issues ranged from information disclosure to unauthorized system access
• Potential to steal the data of 20 million customers

Page 13: US Department of Energy Breach

• Sabotage
• Real example of stealing
• 14,000 records
• Target: HR system (maybe PeopleSoft)
• Unauthorized disclosure of federal employee Personally Identifiable Information

Page 14: Istanbul Provincial Administration

• Unauthorized disclosure of federal employee Personally Identifiable Information
• Erase people's debts

Page 15: Potential Anonymous attack

Now, it adds, "We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they..." Anonymous claims to have a "sweet 0day SAP exploit", and the group intends to "sploit the hell out of it."

* This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.

Page 16: Fraud

• Invoice the company for a greater number of hours than worked
• Ghost employees of the vendor
• Vendor employees billed at amounts higher than the contract rate
• Vendor employees billed at a higher job classification than the actual work performed (skilled vs. non-skilled labor rates)
• Invoice the company for incorrect equipment or materials charges
• Vendor charges for equipment not needed or not used for the job performed

Page 17: Fraud

• Vendor charges for materials not used, or materials are for the personal benefit of a company employee
• Vendor charges for equipment or material at higher prices than allowed by the contract
• Invoice the company incorrectly for other services
• Vendor charges for services performed where the work is not subject to an audit clause
• Vendor charges include material purchases from, or work performed by, related companies at inflated prices

http://www.padgett-cpa.com/insights/articles/fraud-risks-oil-and-gas-industry

Page 18: Fraud

• The Association of Certified Fraud Examiners (ACFE) survey showed that U.S. organizations lose an estimated 7% of annual revenues to fraud.
• Real examples that we met:
– Salary modification
– Material management fraud
– Mistaken transactions

Page 19: Fraud

• PwC survey: 3,000 organizations in 54 countries
– 30% were victims of economic crime in the previous 12 months
• Average loss per organization from fraud: $500k + collateral damage
• Asset misappropriation - 83%
• Accounting fraud - 33%

Page 20: Internet-Trading virus (Fraud)

• Internet-Trading virus (Fraud)
– Ranbyus modification for QUIK
– Trojan-Spy.Win32.Broker.j for QUIK (stealing keys)
– http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/
– http://www.securitylab.ru/news/439695.php

Page 21: Project Mayhem (Fraud)

• A hacker could manipulate financial data and change entries to move funds to an outside account:
– alter the remittance address on vendor records,
– create a new vendor and a manual check entry,
– change general ledger accounting records,
– increase a customer credit limit,
– credit the balance in a customer account in order to get a refund.

Page 22: Fraud in Oil and Gas

FRAUD and other infractions in Nigeria's critical oil and gas industry are enough to derail any stable economy, going by the report of the Petroleum Revenue Special Task Force by a former chairman of the Economic and Financial Crimes Commission (EFCC), Mallam Nuhu Ribadu.

Page 23: SAP Security

What can happen?

Page 24: How to make it more "Cyber/Danger"

• Breach + Worm
• Multiple attacks of the same type
• Against one country

Page 25: What can be next?

• Just imagine what could be done by breaking:
• One ERP system
• All business applications of a company
• All ERP systems in a particular country

Page 26: SAP Security

How easy is that?

Page 27: Ease of development

• The price of a vulnerability is low
• Patching is a nightmare
• Weaponization is easy
• Interconnection is high
• Availability via the Internet

Page 28: Price of vulnerability

• Prices for typical vulnerabilities in Flash and browsers are going higher
• The security of applications and operating systems is growing
• It is much easier to find an architecture issue in ERP
• 2,000 vulnerabilities closed by SAP alone during 3 years
• And such an issue will work for years

Page 29: SAP Security notes by year

[Bar chart: number of SAP Security Notes per year, 2001 to 2013; y-axis from 0 to 900]

More than 2,600 in total

Page 30: Patching is a nightmare

• You need to stop the business process
• Sometimes you need to update multiple parts
• Examples of huge architectural issues from:
– Microsoft Dynamics
– Oracle JDE
– SAP SDM

Page 31: Microsoft Dynamics authentication

• Dynamics security - only visual restrictions of the fat client
• All users have the rights to the companies' databases
• The only obstruction: it is impossible to connect to the SQL server directly
• Reverse engineering to understand the password "encryption" algorithm
• Create a tool
• Every user can become Administrator
• NO PATCH! Only a new architecture can help (but there is no such thing)

Page 32: Oracle JD Edwards authentication

• All the security of JD Edwards relies on the visual restrictions of the fat client
• In fact, all users have the rights to the company's data because the client connects using the special account JDE
• Then, depending on the user and password, security is checked on the fat client
• A user can connect directly to the database using the JDE account and modify his rights at the table level
• Every user can become Administrator
• NO PATCH! Only a move to a 3-tier architecture

Page 33: SAP SDM authentication

• Authentication is done by providing a hash of the password
• It means that it is possible to do Pass-the-Hash
• First of all, the hash can be simply sniffed, so it is like authenticating using a clear password
• Secondly, hashes are stored in an OS file, so they can be accessed by using other vulnerabilities
• After getting a hash it is possible to upload any backdoor into SAP
• To patch it you need to modify client and server at the same time
• Install SAP Note 1724516

Page 34: SAP Security

DEMO

Page 35: SAP NetWeaver ABAP - versions

[Pie chart: NetWeaver ABAP versions by popularity; shares as extracted: 35%, 23%, 19%, 11%, 6%, 5%; legend as extracted: 7.0 EHP 0 (Nov 2005), 7.0 EHP 2 (Apr 2010), 7.0 EHP 1 (Oct 2008), 7.3 (Jun 2011), 6.2 (Dec 2003), 6.4 (Mar 2004)]

The most popular release (35%, previously 45%) is still NetWeaver 7.0, and it was released in 2005!

Page 36: Special payload is not needed

• Remember Verb Tampering user creation
• Just one request and you are inside the system
• A second request and you are admin
• Then you can do whatever you want with simple HTTP requests
• If it is only a technical system, you can jump to a connected system

Page 37: Systems are highly connected

• Systems are highly connected with each other by trust relationships
• Even between companies they are connected by ESB systems
• Remember also SSRF?
• http://cwe.mitre.org/data/definitions/918.html
• Second place in the Top 10 web application techniques of 2012
• Allows bypassing firewall restrictions and directly connecting to protected systems via connected systems

Page 38: Business applications on the Internet

• Companies have Portals, SRMs, CRMs remotely accessible
• Companies connect different offices by ESB
• SAP users are connected to SAP via SAPRouter
• Administrators open management interfaces to the Internet for remote control

Page 39: Business applications on the Internet

SAP HTTP services can be easily found on the Internet:
• inurl:/irj/portal
• inurl:/IciEventService sap
• inurl:/IciEventService/IciEventConf
• inurl:/wsnavigator/jsps/test.jsp
• inurl:/irj/go/km/docs/

Page 40: Shodan scan

A total of 3,741 servers with different SAP web applications were found.

[Pie chart, shares as extracted: 41%, 34%, 20%, 6%; legend as extracted: SAP NetWeaver J2EE, SAP NetWeaver ABAP, SAP Web Application Server, Other (BusinessObjects, SAP Hosting, etc.)]

[Bar chart: Growth by application server; values as extracted: 94%, 72%, 30%, -20%, -55%; y-axis from -80% to 120%]

Page 41: SAP Router

• Special application proxy
• Transfers requests from the Internet to SAP (and not only)
• Can work through VPN or SNC
• Almost every company uses it for connecting to SAP to download updates
• Usually listens on port 3299
• Internet accessible (approximately 5,000 IPs)
• http://www.easymarketplace.de/saprouter.php

Page 42: SAP Router: known issues

• Absence of ACL - 15%
– Possible to proxy any request to any internal address
• Information disclosure about internal systems - 19%
– Denial of service by specifying many connections to any of the listed SAP servers
– Proxy requests to the internal network if there is an absence of ACL
• Insecure configuration, authentication bypass - 5%
• Heap corruption vulnerability - many!
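The "absence of ACL" finding above comes from the saprouter route permission table (saprouttab). The checker below is an added example, not ERPScan's tool or SAP code; the two tables are constructed, and it assumes the documented saprouttab layout (action, source, destination, service, optional password; first matching entry wins).

```python
"""Audit a saprouter route permission table (saprouttab) for the 'absence of ACL'
condition the deck reports, plus shadowed entries and a missing deny-all."""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample tables (not from the deck). One entry per line:
#   <action> <source-host> <dest-host> <dest-service> [password]
# action P = permit, D = deny, S = permit SNC only, KP/KD/KS = SNC-authenticated forms.
WEAK_SAPROUTTAB = """\
# permit the SAP support connection over SNC only
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.10.1.20 3200
# internal client network to the production dispatcher
P 10.10.0.0/16 10.10.1.20 3200
# absence of ACL: anyone, anywhere, any port
P * * *
D * * *
"""

HARDENED_SAPROUTTAB = """\
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 10.10.1.20 3200
P 10.10.0.0/16 10.10.1.20 3200
D * * *
"""


@dataclass
class RouteEntry:
    action: str
    source: str
    dest: str
    service: str
    password: Optional[str]
    lineno: int

    @property
    def permits(self) -> bool:
        return self.action in ("P", "S", "KP", "KS")

    @property
    def is_blanket(self) -> bool:
        return self.source == "*" and self.dest == "*" and self.service == "*"


def parse_saprouttab(text: str) -> List[RouteEntry]:
    """Parse the table; shlex handles quoted SNC names and '#' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 4 or 5 fields, got {fields!r}")
        action, source, dest, service = fields[:4]
        password = fields[4] if len(fields) > 4 else None
        entries.append(RouteEntry(action.upper(), source, dest, service, password, lineno))
    return entries


def audit_saprouttab(text: str) -> List[str]:
    """Return one finding per risky entry; an empty list means nothing was flagged."""
    entries = parse_saprouttab(text)
    findings: List[str] = []
    if not entries:
        return ["empty route table: no explicit permit or deny entries"]
    blanket_line = None  # saprouter uses the first matching entry, so later ones are dead
    for e in entries:
        if blanket_line is not None:
            findings.append(f"line {e.lineno}: never consulted, shadowed by 'P * * *' on line {blanket_line}")
            continue
        if not e.permits:
            continue
        if e.is_blanket:
            findings.append(f"line {e.lineno}: permits any source to any host and port (absence of ACL)")
            blanket_line = e.lineno
        elif e.dest == "*":
            findings.append(f"line {e.lineno}: {e.source} may be proxied to any internal address")
        elif e.service == "*":
            findings.append(f"line {e.lineno}: {e.source} may reach every port on {e.dest}")
        if e.password:
            findings.append(f"line {e.lineno}: route protected only by a cleartext password")
    last = entries[-1]
    if not (last.action == "D" and last.source == "*" and last.dest == "*"):
        findings.append("table does not end with an explicit 'D * * *' deny-all entry")
    return findings
```

Run it against the real saprouttab on each Internet-facing router; the hardened table shows the shape that produces no findings.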

Page 43: Port scan results

• Are you sure that only the necessary SAP services are exposed to the Internet?
• We were not
• In 2011, we ran a global project to scan all of the Internet for SAP services
• It is not completely finished yet, but we have the results for the top 1,000 companies
• We were shocked when we first saw them

Page 44: Port scan results

[Bar chart: Exposed services 2011 vs. Exposed services 2013, per service: SAP HostControl, SAP Dispatcher, SAP MMC, SAP Message Server httpd, SAP Message Server, SAP Router; y-axis from 0 to 35]

Listed services should not be accessible from the Internet
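To turn a raw port scan into the kind of "exposed services" picture shown in the chart, the classifier below maps open TCP ports to SAP services using the standard SAP port conventions (NN = instance number) and flags the ones the slide says must not be Internet-facing. It is an added example, not ERPScan's scanner; the scan result is constructed, and SAP Gateway (33NN) is my addition, not a service on the deck's chart.

```python
"""Classify open TCP ports from a scan into SAP services and flag the ones that,
per the deck, should never be reachable from the Internet."""
from typing import Dict, List, Optional, Tuple

# Standard SAP port conventions (NN = two-digit instance number, 00..99).
# internet_ok=False marks services the slide lists as not to be Internet-facing.
FIXED_PORTS = {
    1128: ("SAP HostControl (HTTP)", False),
    1129: ("SAP HostControl (HTTPS)", False),
    3299: ("SAP Router", False),
}
RANGE_PORTS = [  # (base port, service, internet_ok)
    (3200, "SAP Dispatcher (DIAG)", False),
    (3300, "SAP Gateway", False),        # not on the deck's chart; added here
    (3600, "SAP Message Server", False),
    (8100, "SAP Message Server httpd", False),
    (8000, "SAP ICM HTTP", True),        # application entry point; reviewed separately
]


def classify_port(port: int) -> Optional[Tuple[str, Optional[int], bool]]:
    """Return (service, instance number or None, internet_ok), or None if not SAP."""
    if port in FIXED_PORTS:
        # 3299 would also be dispatcher instance 99; by convention it is the SAP Router
        name, ok = FIXED_PORTS[port]
        return name, None, ok
    for base, name, ok in RANGE_PORTS:
        if base <= port < base + 100:
            return name, port - base, ok
    # sapstartsrv / SAP MMC SOAP interface: 5NN13 (HTTP) and 5NN14 (HTTPS)
    if 50000 <= port <= 59999 and port % 100 in (13, 14):
        proto = "HTTP" if port % 100 == 13 else "HTTPS"
        return f"SAP MMC / sapstartsrv ({proto})", (port - 50000) // 100, False
    return None


def exposed_sap_services(open_ports: List[int]) -> List[Dict[str, object]]:
    """One finding per open port belonging to a service that should not be exposed."""
    findings: List[Dict[str, object]] = []
    for port in sorted(set(open_ports)):
        hit = classify_port(port)
        if hit is None:
            continue
        name, inst, ok = hit
        if not ok:
            findings.append({"port": port, "service": name, "instance": inst})
    return findings


def count_exposed_by_service(hosts: Dict[str, List[int]]) -> Dict[str, int]:
    """How many scanned hosts expose each service: the shape of the deck's chart."""
    counts: Dict[str, int] = {}
    for ports in hosts.values():
        for svc in {str(f["service"]) for f in exposed_sap_services(ports)}:
            counts[svc] = counts.get(svc, 0) + 1
    return counts


# Constructed scan result for one host (not from the deck's scan data)
SAMPLE_OPEN_PORTS = [22, 443, 1128, 3200, 3299, 3600, 8000, 8100, 50013, 50014]
```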

Page 45: Why?

Why are there not many public examples of breaches if the situation is so bad?

Page 46: Examples

• Fraud - very popular inside companies, but you see only some incidents
• Sabotage - at this moment it is maybe easier to DDoS than to DoS, but we will see
• Espionage - this is what we don't see much of, because it is designed to be unseen. You never know about it, especially if you don't enable logging

Page 47: SAP Security Forensics

• There is not so much information in public
• Companies are not interested in publishing a compromise
• But the main problem is here:
– How can you be sure that there was no compromise?
– Only 10% of systems have the Security Audit Log enabled
– Only a few of them analyze those logs
– And far fewer do central storage and correlation

* Based on the assessment of over 250 servers of companies that allowed us to share results.

Page 48: Percent of enabled log options

• ICM log icm/HTTP/logging_0 - 70%
• Security audit log in ABAP - 10%
• Table access logging rec/client - 4%
• Message Server log ms/audit - 2%
• SAP Gateway access log - 2%

* Based on the assessment of over 250 servers of companies that allowed us to share results.
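The five log options above are all profile parameters, so their state can be checked from the instance and default profiles rather than from the GUI. The checker below is an added example, not ERPScan's code; the profiles are constructed, and the parameter names rsau/enable (Security Audit Log) and gw/logging (gateway log) are supplied by me, since the slide names only icm/HTTP/logging_0, rec/client and ms/audit.

```python
"""Check an SAP profile for the logging parameters whose low adoption the deck reports."""
from typing import Callable, Dict, List, Tuple

# Constructed profile fragments (not from the deck). Parameter values are illustrative.
WEAK_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
# only the ICM HTTP log is active, the common case per the deck's 70% figure
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log,LOGFORMAT=SAP
rsau/enable = 0
rec/client = OFF
"""

HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access_log,LOGFORMAT=SAP
rsau/enable = 1
rec/client = ALL
ms/audit = 1
gw/logging = LOGFILE=gw_log-%y-%m-%d ACTION=SsPXZ
"""


def _rec_client_on(value: str) -> bool:
    # rec/client: OFF disables table change logging; ALL or a client list enables it
    return value.upper() != "OFF"


# parameter -> (label used on the slide, predicate that says the value enables logging)
LOGGING_CHECKS: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "icm/HTTP/logging_0": ("ICM log", lambda v: bool(v)),
    "rsau/enable": ("Security audit log in ABAP", lambda v: v == "1"),
    "rec/client": ("Table access logging", _rec_client_on),
    "ms/audit": ("Message Server log", lambda v: v == "1"),
    "gw/logging": ("SAP Gateway access log", lambda v: bool(v)),
}


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an SAP profile; lines starting with '#' are comments."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # values like LOGFILE=... contain '=' themselves
        params[name.strip()] = value.strip()
    return params


def check_logging(profile_text: str) -> List[str]:
    """Return one finding per logging option that is missing or set to a disabling value."""
    params = parse_profile(profile_text)
    findings: List[str] = []
    for name, (label, enabled) in LOGGING_CHECKS.items():
        if name not in params:
            findings.append(f"{label}: {name} is not set")
        elif not enabled(params[name]):
            findings.append(f"{label}: {name} = {params[name]!r} disables logging")
    return findings
```

A profile that passes this check only proves the switches are on; the slide's point about central storage and correlation still needs the logs to leave the host.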

Page 49: SAP Security

Weapons

Page 50: Weapons

• DoS for a bank
• Fraud in oil, then manipulate prices and the economy
• Multiple money transfer fraud
• Or?

Page 51: SAP Worm

Page 52: Defense

• EAS-SEC: a resource which combines
– Guidelines for assessing enterprise application security
– Guidelines for assessing custom code
– Surveys about enterprise application security

Page 53: EAS-SEC Guidelines

1. Lack of patch management
2. Default passwords
3. Unnecessary enabled functionality
4. Remotely enabled administrative services
5. Insecure configuration
6. Unencrypted communications
7. Internal access control and SoD
8. Insecure trust relations
9. Monitoring of security events

Page 54: Conclusion

• Guides
• Security assessments
• Code review
• Continuous monitoring of all areas
• Segregation of duties

Page 55: Conclusion

Issues are everywhere, but the risks and the price of mitigation are different.

Page 56: SAP Security

Questions?

Page 57: Conclusion

We devote attention to the requirements of our customers and prospects, and constantly improve our product. If you presume that our scanner lacks a particular function, you can e-mail us or give us a call. We will be glad to consider your suggestions for the next releases or monthly updates.

web: www.erpscan.com  www.dsecrg.com
e-mail: [email protected], [email protected]