Reports over the past several weeks have pointed to potential malware, a variant of the Shiz banking Trojan, that targets SAP installations. Shiz is a nasty piece of business: it was originally designed to give attackers remote access to an infected PC and to steal online-banking passwords and cryptographic certificates.
According to InfoWorld, the malware was discovered a few weeks ago by the Russian antivirus company Doctor Web, which shared it with security researchers. Alexander Polyakov, chief technology officer at ERPScan, gave presentations at RSA Europe and at Black Hat. He says this is not merely a proof of concept but actual malware, written and deployed in the wild by criminals.
According to this blog post on ERPScan’s website, the attack uses this chain of vulnerabilities:
- Unauthorized access to a Web service on SAP PI (Process Integration, SAP's integration middleware), which lets an attacker submit XML packets. Because PI exists to exchange messages with outside parties, it can usually be reached from the Internet.
- XML tunneling: a new technique that smuggles arbitrary TCP packets to internal systems by embedding them in XML packets, so the exposed PI service acts as a relay into the internal network.
- A buffer overflow in the SAP kernel, reached through that tunnel.
What makes things worse is that the entire attack can be delivered in a single packet, which makes it very hard to write a signature that detects it: there is no multi-step exchange to correlate, and the malicious content is wrapped inside what looks like a legitimate XML message sent to a service whose job is to accept XML. A similar kind of single-packet attack was recently seen against Java VMs.
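To make the detection problem concrete, here is an added example of what a defender can look for instead of a packet signature. It is not ERPScan's or SAP's code and is not from the original post: the page does not describe the SAP PI web service's schema or how a tunneled packet is encoded, so the SOAP layout, the element names (Order, Document, Payload), the base64 encoding and both sample messages below are constructed assumptions. The script decodes every base64 text node in a request and flags those that decode to a large, high-entropy blob, the shape an embedded binary packet would take, while leaving a base64-encoded business document alone.

```python
"""Heuristic detector for opaque binary payloads hidden inside XML requests.

Added example, not ERPScan's or SAP's code. The SOAP shape, element names and
sample messages are assumptions constructed for the demonstration.
"""
import base64
import binascii
import hashlib
import math
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # assumed envelope, not PI's real schema


def _soap(body_xml: str) -> str:
    """Wrap a body fragment in a minimal SOAP envelope (constructed sample shape)."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>{body_xml}'
        "</soap:Body></soap:Envelope>"
    )


def _deterministic_blob(n: int) -> bytes:
    """Constructed stand-in for a tunneled TCP packet: a SHA-256 chain, so the
    sample is reproducible yet byte-wise looks like arbitrary binary data."""
    out = bytearray()
    state = b"constructed-sample"
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:n])


# Constructed benign request: a base64-encoded document that is plain text underneath.
BENIGN_MESSAGE = _soap(
    "<Order><Customer>ACME GmbH</Customer><Document>"
    + base64.b64encode(
        b"Purchase order 4711: 12 units of item ABC, deliver to plant 1000 by Friday."
    ).decode()
    + "</Document></Order>"
)

# Constructed suspicious request: the same envelope carrying 240 bytes of opaque binary.
TUNNELED_MESSAGE = _soap(
    "<Order><Customer>ACME GmbH</Customer><Payload>"
    + base64.b64encode(_deterministic_blob(240)).decode()
    + "</Payload></Order>"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly distributed bytes, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def decode_if_base64(text: str):
    """Return the decoded bytes if the whole text node is valid base64, else None."""
    compact = "".join(text.split())
    if len(compact) < 16 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_opaque_blobs(xml_text: str, min_len: int = 64, min_entropy: float = 6.0):
    """Flag text nodes whose base64 content decodes to a large, high-entropy blob.

    Returns a list of (local_tag, decoded_length, entropy) tuples. A long but
    low-entropy node (a real document) is deliberately not reported.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter():
        if not el.text:
            continue
        raw = decode_if_base64(el.text)
        if raw is None or len(raw) < min_len:
            continue
        ent = shannon_entropy(raw)
        if ent >= min_entropy:
            local_tag = el.tag.rsplit("}", 1)[-1]   # strip the namespace prefix
            hits.append((local_tag, len(raw), round(ent, 2)))
    return hits


if __name__ == "__main__":
    print("benign  :", find_opaque_blobs(BENIGN_MESSAGE))    # []
    print("tunneled:", find_opaque_blobs(TUNNELED_MESSAGE))  # [('Payload', 240, ...)]
```

The benign order produces no hits while the tunneled request reports the Payload element. This is a triage heuristic rather than a signature: compressed or encrypted attachments are also high-entropy, so in practice you would pair it with an allow-list of the elements permitted to carry binary content, and none of it replaces applying the vendor patch.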
Indeed, it is a wonder that no one has done this before: SAP's protocols are ripe for abuse, because an attacker who gains access to the servers can sift through customer records, financial information and company trade secrets. Typical SAP customers are large enterprises with thousands of users, which makes them juicy targets. The researchers suggest that this is just the first of many attacks that will target the SAP ecosystem.
Lest you think SAP is a sitting duck: the company worked with the security researchers ahead of the announcements and issued a patch for this vulnerability several months ago. However, ERPScan found that of 5,000 SAP systems reachable online, only 15 percent currently have the patch. I wonder why so many folks have been so slow to implement the updates. Nevertheless, you have been warned.