
SAP Risks — Espionage

Alexander Polyakov
October 19, 2016

Now that you have learned what SAP is and how it differs from traditional systems, let's talk about the most common risks related to attacks against SAP systems.

What kind of malicious actions can cyber-criminals perform if they get access to SAP via one vulnerability or another? As you know, the CIA triad (Confidentiality, Integrity, and Availability) is used to manage cyber-security. When we speak about SAP systems (especially with C-level executives), these terms translate into Espionage, Sabotage, and Fraud, which are considered the main risks. Put simply: if somebody gets access to an SAP system, he or she can obtain information about HR, finance, credit cards, and any other critical data. Hackers can also commit sabotage by executing denial-of-service attacks, making any operation in the system unavailable. More dangerous is the fact that SAP is usually connected to other company systems such as plant floor devices, asset management systems, or even ICS and SCADA. The last and most common risk is fraud, which is well known to organizations using SAP. If an external attacker or a malicious insider gains more privileges than required to accomplish the work, he or she can commit fraud in the system. According to the Association of Certified Fraud Examiners (ACFE), losses to internal fraud constitute 7% of profits (!) on average.

Today's topic is espionage: obtaining confidential or secret information without the permission of its holder.

What exactly can a malefactor obtain?

  1. Financial information (e.g. Financial reports)
  2. Corporate plans (e.g. sales, financial, production and strategy planning documentation)
  3. Proprietary information (e.g. corporate trade secrets, intellectual property or different formulas)
  4. Supplier data (e.g. contacts, prices, etc.)
  5. Customer data (e.g. contacts, personal records, credit cards, and other sensitive info)
  6. Employee data (e.g. salaries, SSNs)

Let's look at each group in detail.

Theft of Financial Information

Financial reports are the most valuable information a company has. Cyber-criminals who obtain this information before its official publication may use it for financial gain through stock trading. Moreover, this data must be stored securely to comply with regulations such as SOX.

An attacker can find financial reports, which are usually stored in the SAP system. They are quite easy to locate, as most SAP solutions store these reports in the same place (unlike other data, which is mostly stored in non-standard places depending on the system configuration).

For instance, cyber-criminals can get access to financial reports using the transactions GRR or GR55. Here you need to select a group of reports, for example 0F01, and then enter some parameters, such as period, company code, etc. As a result, you will be able to see, say, a "Cost of sales" report, which shows the company's net profit for the year.

As you may know (and as I have mentioned), SAP systems are so complex that there are multiple ways to perform the same action; so financial reports can also be accessed by other methods, for example with the help of the transaction GR31.

From a technical point of view, the SAP FI module, which stores this data, is based on the SAP NetWeaver ABAP platform; thus, an attacker may exploit one of the 60+ issues affecting the Financial (FI) module or one of the more than 1000 different vulnerabilities identified in the platform itself. Their number is growing every year (the most up-to-date information can be found in the SAP Cyber Threat Report 2016).

Strategic company plans

What about strategic plans and other high-level information traditionally used by CXOs? There are solutions that provide reports and dashboards with all the relevant information for decision-makers. I'm talking about Business Intelligence systems, for example SAP Business Objects.

Attack vectors differ; unauthorized modification of financial reports is no doubt possible as well, but today espionage is our topic. One can find relevant sales and marketing reports to understand management decisions, so being able to get this data is valuable for competitors.

From a technical point of view, the SAP BI system is based on the SAP Business Objects platform, which has about 80 fixed vulnerabilities, and new ones are regularly discovered.

Theft of Proprietary information

Let's look at probably the most remarkable risk: industrial espionage. As mentioned, the main data that can be stolen from SAP systems are trade secrets and industrial know-how. How can an attacker conduct such an attack? It's usually enough to get access to the PLM (Product Lifecycle Management) system.

SAP PLM is one of the most commonly used systems. It is a part of SAP Business Suite and belongs to the class of business systems which usually store a company's critical data. This system is used for processing at every stage of product manufacturing, from design and production to technical support. Imagine you own a brewing company. You need a platform that can manage all the steps of the production process. Your trade secret is maintained there in the form of the recipe, and cyber-criminals may try to get this data to produce local copies of your most valuable, high-end product.

Complex technological systems like ships, planes or cars can be monitored in such software.

Unauthorized access to a product lifecycle management system usually means the possible compromise of classified information about technical details, intellectual property, and special features of production. To make matters worse, this system is often accessible from the Internet to give convenient remote access to partners, subcontractors, and service providers.

Access to SAP PLM systems could lead to the theft of classified information about products under development, intellectual property, and other confidential data. This scenario is not a bad movie plot: we know about viruses made specifically for design systems such as AutoCAD. Since those viruses were used to steal data about different constructions and components, it is possible that such viruses can be made for SAP PLM or other SAP modules as well.

From a technical point of view, the SAP PLM module, which stores this data, is based on the SAP NetWeaver ABAP platform. Thus an attacker can use one of the more than 1000 different vulnerabilities found in the platform or one of the 50+ issues affecting the PLM module itself; the number of these vulnerabilities is growing every year.

Supplier Data Theft

Another espionage-related risk is the compromise of competitors' bidding information. It affects only Supplier Relationship Management systems.

SAP Supplier Relationship Management (SRM) is a part of SAP Business Suite and belongs to the class of business systems which usually store and process critical company data. It is used to optimize working processes with suppliers and tenders.

Unauthorized access to this system, or access to more functionality than required, could endanger control over tenders, RFP documents and other critical details of relationships with external partners, putting a company at risk of reputational and material losses. The most alarming fact about this system is that it is accessible through the Internet. Thus it allows unfair competitors to view privileged information in order to propose competitive pricing and win a tender dishonestly (knowing this information, they can change their prices or other details).

The SAP SRM system uses SAP NetWeaver Application Server ABAP as its main platform. It is potentially vulnerable to all of the issues affecting the platform, approximately 1050 in number. More than 110 vulnerabilities affect the SAP SRM module in particular.

Customer data theft

Customer data such as contacts, personal records, credit cards, and other sensitive information is stored in business application systems such as Customer Relationship Management (CRM).

SAP CRM is a part of SAP Business Suite and belongs to the class of business systems which usually store and process critical company data. It is used to optimize work processes related to clients, leads, and contracts. Unauthorized access to this system could result in gaining control over client contracts, prices or even credit card data, which can cause significant reputational and material losses to the victim company. This system is accessible via the Internet and gives partners or customers convenient remote access.

But the primary risk is credit card data theft, since here monetary losses definitely take place. It threatens companies that store and process PCI data, such as banks, processors, merchants, payment gateways, and retailers. An attacker can get access to the tables that contain credit card information. There are more than 50 such tables in SAP (for instance, VCKUN).

Let's look at the simplest attack scenario. In most cases, this data is stored in unencrypted form. Even where it is encrypted, some internal SAP functions can be used by an attacker to decrypt it; one of the ways to decrypt CC data is the function module CCARD_DENVELOPE.

As a solution, we can only recommend the traditional ways of securing your system against unauthorized access, because if an attacker is already inside the system, almost nothing can stop him from getting access to CC data.

In the screenshot below, you can see how easy it is to get CC data in plain text by clicking two buttons in the SAP interface.

SAP CRM can be called an entry point for hackers, since the biggest number of issues has been identified in this module. The SAP CRM application server has SAP NetWeaver Application Server ABAP (AS ABAP) as the main platform, SAP NetWeaver Application Server Java (AS Java) as a backend, and SAP Enterprise Portal (EP) as a frontend; thus, it is potentially vulnerable to all of the roughly 1050 ABAP platform and approximately 500 Java platform issues, and there are about 350 vulnerabilities affecting SAP CRM in particular.

Employee Data Theft

Finally, if none of the above impressed you, here is another scripted attack: attackers may find employee data and use it for identity theft.

Access to the SAP HR system allows obtaining a company's confidential data. For example, using the transaction PA20, one can access SSNs. Another way to get SSNs or any other similar personal identifiers is to read the ID Number column of the table PA0002 directly.

Here is a short list of other personal identifiers and sensitive data that could be critical depending on the country:

  • USA:
    • SSN, or Social Security Number
    • Driver license numbers
    • Government forms (I-9, W2, and other)
  • Germany:
    • SGB (Social Security Number, Social Welfare Code)
  • Brazil:
    • CPF (Cadastro de Pessoa Física), the taxpayer identification number
  • Spain:
    • CUIL/CUIT

As an example of such a breach, the U.S. Department of Energy was hacked in 2013, and the personal data of 104,000 workers hit the net. The investigation revealed that their HR system was directly accessible from the Internet.

You probably haven't heard about the previous examples, partly because these incidents are very hard to identify, but the attack I'm going to discuss now is quite widespread, and almost everybody has witnessed real examples or at least heard about it from colleagues.

I'm talking about unauthorized access to information, which I suppose affects every company that automates its HR processes in some way. Unfortunately, the more they automate, the likelier it is that attacks remain undetected. To conduct the attack, a malicious insider needs access to the HR system, also called HCM (Human Capital Management). Access to the SAP HCM system also allows insiders to find wage amounts using the transaction PA30.

Access to the SAP HR system can compromise information about the most qualified and competent employees and their emoluments, especially those of top executives. This can enable the HR department of a rival company to entice them with irresistible job offers.

If a malicious insider has improper rights in the system or somehow escalates his or her privileges, he or she can at least find details about colleagues' salaries, which can lead to unexpected behavior. Moreover, it is sometimes also possible to modify data through known transactions, so if someone adds a few hours of overtime work, it is likely that nobody will notice.
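The defensive counterpart to the access paths described above (financial report transactions GRR, GR55 and GR31 in the FI section; PA20, PA30 and the PA0002 table in the HR section; the VCKUN card table in the CRM section) is monitoring who actually touches them. The following script is an added example, not code from the article or from ERPScan. It reads a constructed, simplified access log (the field layout `timestamp|user|transaction|table|terminal` is an assumption for the example and is not the real SAP Security Audit Log format), maps each record to the data category the article associates with that transaction or table, and reports accesses by users outside a hypothetical set of authorized roles. The SE16 data browser transaction in the sample is used only to mark a direct table read.

```python
"""
Flag accesses to SAP transactions and tables that expose espionage-sensitive data.

Added example, not part of the original article. The log layout below
(timestamp|user|transaction|table|terminal) is a constructed simplification;
the real SAP Security Audit Log format differs. Transaction and table names
are the ones the article discusses (GRR, GR55, GR31, PA20, PA30, PA0002, VCKUN).
"""
from collections import defaultdict

# Sensitive objects and the data category the article says they expose.
SENSITIVE_TRANSACTIONS = {
    "GRR": "financial reports",
    "GR55": "financial reports",
    "GR31": "financial reports",
    "PA20": "employee personal identifiers",
    "PA30": "employee salaries / HR master data",
}
SENSITIVE_TABLES = {
    "PA0002": "employee personal identifiers",
    "VCKUN": "payment card data",
}

# Hypothetical role model: which user IDs are expected to touch each category.
AUTHORIZED = {
    "financial reports": {"FI_ANALYST"},
    "employee personal identifiers": {"HR_ADMIN"},
    "employee salaries / HR master data": {"HR_ADMIN"},
    "payment card data": {"PAYMENT_OPS"},
}


def parse_line(line):
    """Parse 'timestamp|user|transaction|table|terminal'; return None if malformed."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        return None
    ts, user, tcode, table, terminal = fields
    return {"ts": ts, "user": user, "tcode": tcode or None,
            "table": table or None, "terminal": terminal}


def classify(event):
    """Return the set of sensitive data categories a single event touches."""
    cats = set()
    if event["tcode"] in SENSITIVE_TRANSACTIONS:
        cats.add(SENSITIVE_TRANSACTIONS[event["tcode"]])
    if event["table"] in SENSITIVE_TABLES:
        cats.add(SENSITIVE_TABLES[event["table"]])
    return cats


def find_suspicious(lines):
    """Return (user, category, timestamp) tuples for accesses by unauthorized users."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed records rather than crash the scan
        for cat in classify(ev):
            if ev["user"] not in AUTHORIZED.get(cat, set()):
                hits.append((ev["user"], cat, ev["ts"]))
    return hits


def summarize(lines):
    """Count unauthorized sensitive-data accesses per user, for triage ordering."""
    counts = defaultdict(int)
    for user, _cat, _ts in find_suspicious(lines):
        counts[user] += 1
    return dict(counts)


# Constructed sample log; not real audit output.
SAMPLE_LOG = [
    "2016-10-19 09:01:12|FI_ANALYST|GR55||WS-FIN-01",
    "2016-10-19 09:05:40|HR_ADMIN|PA20||WS-HR-02",
    "2016-10-19 09:07:03|SALESREP7|PA30||WS-SALES-11",        # salary lookup by a sales user
    "2016-10-19 09:09:55|SALESREP7|SE16|PA0002|WS-SALES-11",  # direct read of PA0002
    "2016-10-19 09:12:21|BASIS_TMP|SE16|VCKUN|WS-ADM-03",     # direct read of a card table
    "malformed line",
]

if __name__ == "__main__":
    for user, cat, ts in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {user} accessed {cat} without an authorized role")
    print(summarize(SAMPLE_LOG))
```

The point of the mapping is that the sensitive objects are few and well known, so an allow-list per data category is cheap to maintain; the log-level noise comes from the legitimate users, who drop out once their roles are listed.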

Now you know what kind of highly sensitive data may be stored in business applications and how easily hackers can get access to it. The question is how prepared you are.

Well, that's all for today. Keep following this series of articles, as I will soon provide examples of sabotage attacks on ERP systems and business applications.

References

  1. Attack on US DOE: http://arstechnica.com/security/2013/12/how-hackers-made-minced-meat-of-department-of-energy-networks/

Alexander Polyakov is the founder of ERPScan and President of the EAS-SEC.org project. Recognized as an R&D professional and Entrepreneur of the Year, his expertise covers the security of enterprise business-critical software such as ERP, CRM, SRM and industry-specific solutions for Oil and Gas, Manufacturing, Retail and Banking, as well as other verticals developed by enterprise software companies such as SAP and Oracle. He has received numerous accolades and published over 100 vulnerabilities.

Alexander has also published a book about Oracle Database security and numerous white papers, such as the award-winning annual "SAP Security in Figures", plus surveys devoted to information security research in SAP.

Alexander has presented his research on SAP and ERP security at more than 50 conferences and trainings in 20+ countries on all continents, including BlackHat, RSA, HITB and 30 others around the globe. He has also held trainings for the CISOs of Fortune 2000 companies, internal workshops for SAP and Fortune 500 companies, and trainings for SAP SE itself.