Just recently, reports of a banking Trojan modified to look for SAP GUI (graphical user interface) installations reignited discussion about vulnerabilities impacting SAP ERP (enterprise resource planning) systems.
Hoping to build on the awareness, researchers at Rapid7 released a paper outlining how its Metasploit tool can be used to perform penetration tests on ERP systems.
“As criminals get smarter about ERP systems, I have no doubt they’ll use that to their advantage,” said Todd Beardsley, Metasploit Engineering Manager at Rapid7. “This is why we’re trying to educate legit security practitioners; the existence of a Trojan that targets SAP directly says that at least someone in the criminal underground already knows a thing or two about SAP, so Metasploit is striving to level the playing field between attackers and defenders.”
As part of its research, Rapid7 discovered approximately 3,000 SAP systems directly exposed to the Internet. Systems covered by SAP run the gamut from ERP to customer relationship management (CRM) and product lifecycle management (PLM) systems, Rapid7 noted, meaning that compromising them could spell disaster.
Oftentimes, attackers will try to get access to SAP systems through a compromised host on the target network, for example by compromising a desktop computer through a spear-phishing email. In the report, Rapid7 runs through a number of attack vectors, such as attacking SOAP (Simple Object Access Protocol) remote function calls and brute-forcing the SAP Web GUI login with Metasploit.
“It is hard to imagine any type of important data that is not stored and processed in these systems,” according to the report. “Targeting SAP systems should therefore be part of every penetration test that simulates a malicious attack on an enterprise to mitigate espionage, sabotage and financial fraud risks. The challenge is that many penetration testers are more familiar with operating systems, databases, and web applications, so descending into the world of SAP systems can be daunting.”
Many of the vulnerabilities Rapid7 sees are related to abusing functions of the SAP platform for profit and/or abusing configuration issues and weaknesses, explained Juan Vazquez, Rapid7 Exploit Developer. Similar to other big software, there are also issues related to programming errors when handling input, like buffer overflows, he added.
“SAP is complex software that’s often treated like a black box from a security perspective; we believe that very few security organizations have a firm grasp on their SAP infrastructure,” Beardsley noted. “That’s why we wrote the paper in the first place, to educate both pen-testers and users of this software to these rather large question marks.”
