June 14, 2021

Cybercriminals looking to target SAP users

Fresh warnings have been issued by RSA Europe and ERPScan following the discovery of a modified banking Trojan that now also searches for SAP client applications on infected systems. Recently, a new variant of the malware Trojan.ibank was found by researchers at Dr. WEB, who then passed on the information to ERPScan, a company which develops security monitoring products for SAP systems.

RSA Europe also issued a warning about the new malware variant, suggesting that its existence could mean that a new wave of SAP-based attacks is coming. The malware was discussed by Alexander Polyakov, co-founder and CTO of ERPScan, at the RSA Europe security conference in Amsterdam, which hosted sessions on the dangers of SAP and ERP vulnerabilities.

According to Polyakov, one of the likely ways that attackers could be using the new malware is to gather information that could then be sold on the black market. However, an alternative scenario is that the attackers will wait until a larger number of systems are infected and then start to steal sensitive information via specially crafted malicious SAP modules which the Trojan uploads from a command and control server.

“There are dozens of ways to steal those passwords and use them,” said Polyakov to Dark Reading. “It is possible to connect to SAP Server and do any kind of fraud in the system or simply steal critical information such as client lists or employees’ personal information. We decided to warn people and SAP’s Security response team with whom we closely work before this can happen.”

Once the malware has found an SAP client, there are many ways to steal information, including from configuration files that contain the IP addresses of the servers. There is also the possibility of sniffing for passwords. Once on the servers, the cyber-criminals can perform all manner of malicious activities, including theft and fraud via false transactions.

Black Hat: SAP Vulnerabilities Demonstrated

(LiveHacking.Com) – Alexander Polyakov of ERPScan has demonstrated a security hole in SAP’s J2EE engine, NetWeaver, at Black Hat USA 2011. Once it is exploited, an attacker can create new administrator accounts remotely.

This new vulnerability is particularly dangerous because it works on systems normally protected by two-factor authentication and bypasses that protection completely. According to ERPScan, more than half of available servers on the Internet can be hacked using this vulnerability.

“Danger is in that it is not only a new vulnerability, but a whole class of vulnerabilities that was theoretically described earlier but not popular in practice. During our research we only detected several examples in standard system configuration, and because each company customizes the system under its own business processes, new examples of vulnerabilities of the given class can be potentially detected at each company in the future. We have developed a free program which can detect unique vulnerabilities of such type in order to protect companies on time and it is also included in our professional product – ERPScan Security Scanner for SAP.” — noted Alexander.

Over 500 patches for SAP

On Tuesday, SAP – one of the largest manufacturers of business applications and enterprise software – released a huge number of so-called Security Notes. An e-mail sent to SAP customers speaks euphemistically of “a significant number of security notes”; it’s rumoured there are 525 of these notes.
