SecurityWeek

Rapid7 Outlines SAP Attack Vectors for Pen Testers

Just recently, reports of a banking Trojan modified to look for SAP GUI (graphical user interface) installations reignited discussion about vulnerabilities impacting SAP ERP (enterprise resource planning) systems.

Hoping to build on the awareness, researchers at Rapid7 released a paper outlining how its Metasploit tool can be used to perform penetration tests on ERP systems.  

“As criminals get smarter about ERP systems, I have no doubt they’ll use that to their advantage,” said Todd Beardsley, Metasploit Engineering Manager at Rapid7. “This is why we’re trying to educate legit security practitioners; the existence of a Trojan that targets SAP directly says that at least someone in the criminal underground already knows a thing or two about SAP, so Metasploit is striving to level the playing field between attackers and defenders.”

As part of its research, Rapid7 discovered approximately 3,000 SAP systems directly exposed to the Internet. Systems covered by SAP run the gamut from ERP to customer relationship management (CRM) and product lifecycle management (PLM) systems, Rapid7 noted, meaning that compromising them could spell disaster.

Oftentimes, attackers will try to get access to SAP systems through a compromised host on the target network, for example by compromising a desktop computer through a spear-phishing email. In the report, Rapid7 runs through a number of attack vectors, such as attacking SOAP (Simple Object Access Protocol) remote function calls and brute-forcing the SAP Web GUI login with Metasploit.

“It is hard to imagine any type of important data that is not stored and processed in these systems,” according to the report. “Targeting SAP systems should therefore be part of every penetration test that simulates a malicious attack on an enterprise to mitigate espionage, sabotage and financial fraud risks. The challenge is that many penetration testers are more familiar with operating systems, databases, and web applications, so descending into the world of SAP systems can be daunting.”

Many of the vulnerabilities Rapid7 sees involve abusing functions of the SAP platform for profit, or abusing configuration issues and weaknesses, explained Juan Vazquez, Rapid7 Exploit Developer. As with other large software, there are also issues related to programming errors when handling input, like buffer overflows, he added.

“SAP is complex software that’s often treated like a black box from a security perspective; we believe that very few security organizations have a firm grasp on their SAP infrastructure,” Beardsley noted. “That’s why we wrote the paper in the first place, to educate both pen-testers and users of this software to these rather large question marks.”
