Chinese hackers most likely used one of the top three most common SAP attack vectors, as identified by Onapsis, to compromise US agencies

The Hill reported on November 3, 2014 that Chinese hackers roamed unnoticed for months inside the network of USIS, the largest commercial provider of background investigations to the U.S. federal government [1]. Two of the company’s biggest customers were the Department of Homeland Security (DHS) and the Office of Personnel Management (OPM).

The company performs several thousand background investigations a month, but it came to public attention mainly through two well-known cases: it performed the background investigations of Aaron Alexis (the Washington Navy Yard shooter) and of Edward Snowden (who disclosed top-secret National Security Agency material).

On August 6, 2014, USIS published a press release stating that it had been attacked by an external entity and that the attack was suspected to be state-sponsored (http://www.usis.com/media-release-detail.aspx?dpid=151).


Much has been said about this breach, especially about its consequences: federal agencies (DHS, OPM) suspended their contracts with USIS, costing the company millions of dollars and leading it to lay off thousands of investigators [1]. Initially, neither the date and scope of the attack nor the information exposed were specified. It was later confirmed that the internal records of at least 25,000 Department of Homeland Security employees, including undercover investigators, were exposed: Social Security numbers, education and criminal history, birth dates, marital information, and the names and addresses of relatives and friends [2].

After the breach, USIS hired the digital forensics firm Stroz Friedberg to investigate. In September 2014, a letter from Stroz Friedberg read: “The initial attack vector was a vulnerability in an application server, housed in a connected, but separate network, managed by a third party not affiliated with USIS.”

Earlier this week, the attack drew attention again when Nextgov [3] published details from the report the forensics firm produced in December 2014.

The report states: “Forensic evidence shows the cyberattacker gained access to USIS systems through an exploit in a system managed by a third party, and from there migrated to company managed systems. . . . Our findings were largely informed by a variety of logs, including, firewall logs, security event logs, VPN logs, and SAP application trace logs.” USIS spokeswoman Ellen Davies was also quoted as saying that “the third-party contractor was hacked and the hacker was then able to navigate into the USIS network via the third party’s network.”

According to The Hill [4], the forensics report identifies an SAP vulnerability as the attackers’ way in. Several sources [1][4][9][10] also link this state-sponsored attack to Chinese hackers. In March 2014, hackers who had penetrated computers at the Office of Personnel Management were traced to China; that attack targeted the files of tens of thousands of employees who had applied for top-secret security clearances [5]. Investigators now say the USIS attack has several hallmarks of past Chinese intrusions such as the one at OPM [1].

This breach illustrates a reality that mainstream news rarely reports: cyber-attacks on SAP systems are used to retrieve critical and confidential information. The attackers gained access to the USIS network in late 2013 but were not discovered until June 2014 [6], which means they had at least six months of unnoticed access to sensitive internal information. The damage is difficult to estimate, and the case shows the current lack of awareness of how SAP systems must be protected and monitored.

The report states that the vulnerability is “present in a widely used and highly-regarded enterprise resource planning (‘ERP’) software package”, but it gives no details about the specific vulnerability, or set of vulnerabilities, used to compromise the SAP system.

Since the attack began in late 2013, it is worth looking both at the vulnerabilities SAP had already patched by then and at those patched afterwards, since the latter would point to the use of a 0-day exploit. Without further details there is no way to tell whether the attackers used an exploit for which SAP had not yet released a patch, or whether the operator of the compromised system had simply not applied a patch for a well-known vulnerability.

According to the articles and research, the USIS attackers exploited this SAP vulnerability from outside to get into the company network, then used the compromised system as a stepping stone to reach others. Onapsis recently published a study on the top three SAP cyber-attack vectors [8], one of which is exactly this “pivoting” between SAP systems [11][12][13][14]. It is a common way for attackers to reach employee data, customer information or even credit card data: the attack begins on a system with weaker security, such as a development or QA system, and pivots to a critical system by executing remote function modules on the destination system through the trusted RFC connections between them. SAP systems are frequently reachable from the Internet, and a single weak link is all an attacker needs to start pivoting between systems and then move through the internal network. This matches the behavior described for the USIS intrusion.

SAP systems have always been a target for attackers, as they run the most critical and sensitive business processes of the largest companies and government agencies in the world. Cases such as the USIS breach show the importance of protecting SAP systems and dispel the idea, often heard from SAP administrators, that business-critical applications are “internal and isolated”. SAP itself has acknowledged how critical this topic is by presenting on it at its own conferences, SAP TechEd 2014 and SAP SAPPHIRE 2015, including cyber-crime related talks such as “SAP Runs SAP – How to Hack 95% of all SAP ABAP Systems and How to Protect them”.

Attackers are knocking on the doors of our business-critical applications. As these attacks increase, companies should move on to the next steps in business-critical application security.

Onapsis Research Labs, which has been researching this field since 2006, has been tracking other in-the-wild examples of this common attack vector and will publish a report at a later date. In the meantime, attackers are moving fast, and companies and governments need to be prepared: automated, continuous monitoring and real-time security measures are the next step in mitigating these ever-evolving threats.

To discuss this issue in greater detail, Onapsis will host a webcast on Thursday, May 21st, at 9:00 A.M. EST and again at 2:00 P.M. EST.

References:

[1]: http://thehill.com/policy/cybersecurity/222677-report-chinese-hacked-security-contractor

[2]: http://www.reuters.com/article/2014/08/22/us-usa-security-contractor-cyberattack-idUSKBN0GM1TZ20140822

[3]: http://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/

[4]: http://thehill.com/policy/cybersecurity/241588-report-hackers-infiltrated-security-contractor-using-third-party

[5]: http://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html

[6]: http://bigstory.ap.org/article/427fbd5d88f5481eab35f5a8bbc534be/security-contractor-breach-not-detected-months

[7]: http://www.hsgac.senate.gov/media/majority-media/chairman-carper-statement-on-reported-usis-cyber-breach

[8]: http://www.onapsis.com/onapsis-research-study-reveals-top-three-cyber-attack-vectors-sap-systems

[9]: http://www.theblaze.com/stories/2014/11/04/cyberattack-on-top-u-s-govt-security-contractor-went-unnoticed-for-months/

[10]: http://www.foxnews.com/tech/2014/11/04/hacker-attack-on-federal-security-contractor-not-noticed-for-months-report/

[11]: Onapsis SSID – Volume IV: The Invoker Servlet – A Dangerous Detour into SAP Java Solutions

[12]: Onapsis SSID – Volume V: Our Crown Jewels Online – Attacks targeting SAP Web Applications

[13]: Onapsis SSID – Volume VI: Securing the Gates to the Kingdom – Auditing the SAProuter

[14]: Onapsis SSID – Volume VII: Preventing Cyber-attacks Against SAP Solution Manager

Oracle Critical Patch Update (CPU April 2015)

As a company, Onapsis focuses on the security of business-critical applications such as SAP and Oracle. While SAP applications are our main focus, we also research Oracle business applications to identify and report critical vulnerabilities. Oracle differs from SAP in how and when security patches are released and made available to end users.

In this post I analyze the Oracle April 2015 Critical Patch Update (CPU). The goal is to give Oracle customers detailed information about the newly published vulnerabilities affecting their business-critical applications, and to help them understand and prioritize the testing of these vulnerabilities within their organization.

In April 2015, Oracle published 98 vulnerabilities affecting 43 different Oracle products. Oracle uses the Common Vulnerabilities and Exposures standard (CVE) to uniquely identify each vulnerability, and the Common Vulnerability Scoring System version 2 (CVSS v2) to measure the risk it implies in terms of exploitability (access vector, access complexity, authentication) and impact (confidentiality, integrity, availability).

41.8% of the vulnerabilities fixed in this CPU affect business-critical applications: Oracle Fusion Middleware, Supply Chain, PeopleSoft, E-Business Suite, Hyperion, Retail Applications, JD Edwards, Siebel CRM and Health Sciences Products. With more than 41% of this month’s CPU affecting business-critical applications, companies should act promptly to mitigate the risks these vulnerabilities imply.

The three most affected product groups are MySQL, Fusion Middleware and Java SE. Keep in mind that Java is deployed in nearly every corporate environment and business application, and countless applications and websites simply will not work without it; running an up-to-date version is therefore essential to limit exposure.

The following table shows the number of vulnerabilities published per product group, according to the Oracle April 2015 CPU:


Analyzing SAP Security Notes April 2015 Edition

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business, or through the application of Security Notes (patches) that mitigate newly disclosed vulnerabilities.

To provide a predictable, scheduled flow of vulnerability information and security patches, SAP releases most of its Security Notes on the second Tuesday of every month. Because each of these regular disclosures describes new issues that weaken the security of an organization’s SAP systems until they are patched, periodic assessments are highly recommended, at least on a monthly basis.

At Onapsis we are very concerned about our clients’ SAP system security and about the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to give SAP customers detailed information about the newly released notes and the vulnerabilities affecting their systems, and to help guide their testing of those systems within their organization.

Between the last SAP Security Tuesday and today, SAP AG published 15 Security Notes (6 Support Package Notes and 9 Patch Day Notes). Only three external security researchers were credited this month; two of them, Nahuel Sánchez and Fernando Russ, are from Onapsis Research Labs and work with the rest of the research team and SAP AG to help make SAP software more secure.

The plot illustrates the distribution of CVSS scores across the released Security Notes; only the 5 of the 15 notes to which SAP assigned a CVSS score are included. As shown in the graph, the scores range from 3.6 to 5.8, with a median of 4.3.


2015 Onapsis Roadshow – Coming to a City Near You!

Today is an important day in Onapsis history: we are officially kicking off the first annual Onapsis Roadshow series in North America. We have seen rapid growth in customers engaging Onapsis for our expertise in SAP cyber-security solutions. With a growing number of customers using our solutions, now is the time to bring them together to share best practices and build out their networks, so they get the most out of their investment in Onapsis.

To execute these roadshows, we’re collaborating with customers and partners who will host each one of our stops across the country. The following destinations are currently scheduled:

The Onapsis Roadshow series consists of events designed specifically for security practitioners, to foster collaboration between InfoSec and SAP security professionals. Attendees will hear directly from their peers about the security challenges that have affected their organizations’ business-critical applications, how those issues were overcome, and what to expect in the future.

These events are aimed at everyone with a direct impact on their organization’s security infrastructure, including Directors and Vice Presidents of Security, CISOs, and members of Internal Audit and SAP Security teams.

All attendees will learn how SAP is becoming a critical component of all security and internal audit best practices, hear presentations on SAP Security implementation strategies and key lessons learned, network with other security professionals, and establish contacts for future collaboration.

A vibrant community is the only way to make each other successful. We look forward to seeing all of our customers and partners: two-way conversations allow us to keep creating innovative products for our customers, with their input.

We look forward to seeing you in a city near you!


The Evolving SAP Cyber-Security Landscape

Stephen Higgins, Senior Vice President of Customer Experience, Services and Solutions at Onapsis

$1.3 billion lost per hour! That is one global customer’s estimate of the impact on its business if its SAP systems were compromised and operations disrupted. The cost of an SAP breach can be inconceivable, and yet, from a business continuity perspective, it may be one of the most under-scrutinized areas in IT security. Every day our services team sees the real-world impact of breaches of organizations’ SAP systems. With this in mind, our consensus is that it is imperative not only to be able to detect a potential attack, but also to have a response plan in place in case an attack succeeds anyway. Responding quickly is where many organizations reach out to Onapsis for expert advice.

We see a tendency among organizations to think that a yearly security assessment of their SAP systems is enough. More often than not, it is assumed that Segregation of Duties and/or basic perimeter defenses are sufficient to keep intruders out, and that penetration tests are a necessary evil reserved for when internal auditors request an update. However, as the “bad guys” learn more about business-critical systems, their ability to exploit these systems is becoming more and more advanced.

If you have looked at the major headlines recently, you have likely noticed the staggering number of corporations that have suffered large-scale data breaches. Many of these breaches targeted SAP and other business-critical applications. Their impact could have been minimized, and potentially avoided, had proper security measures been in place to continuously monitor those applications. As attacks of this nature continue to grow in complexity, it is imperative to have a preventive, systematic approach to SAP security in place to help your organization avoid interruptions to its business and huge financial liabilities.


Building Secure Transactions on SAP Systems

Even though SAP ships more than 10,000 standard transactions, every company creates its own custom ones, for various reasons: a user might need a specific report, a list, or functionality that is not in the system. Sometimes custom transactions are even created with functionality identical to an existing standard transaction.

Creating custom transactions is not a problem in itself; it is normal use of the system. The problem is the potential security issues these new transactions introduce.

When building custom programs, the priority is delivering the requested functionality to the user, and security measures are usually left aside. It is common to find ABAP developers who are not concerned with security, or who are simply unaware of the mechanisms SAP offers to enforce it: they make sure the program works as the user requested, someone else adds the transaction code to a user role, and that is it.

So the question is how can we ensure that in our organization custom transactions are built in a secure way?

The answer is easy to state: use the BIZEC APP/11 ABAP security standard as a guide when building transactions. Easy to say, hard to do. The standard covers the following classes of vulnerabilities:

  • APP-01 ABAP Command Injection
  • APP-02 OS Command Injection
  • APP-03 Native SQL Injection
  • APP-04 Improper Authorization
  • APP-05 Directory Traversal
  • APP-06 Direct Database Modifications
  • APP-07 Cross-Client Database Access
  • APP-08 Open SQL Injection
  • APP-09 Generic Module Execution
  • APP-10 Cross-Site Scripting
  • APP-11 Obscure ABAP Code
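
As an added example (not from the original post, and not an Onapsis tool or SAP’s Code Vulnerability Analyzer), the following Python script runs a heuristic triage pass over custom ABAP source for the APP/11 classes that can be spotted lexically: dynamic code generation (APP-01), OS command calls (APP-02), native SQL (APP-03), missing AUTHORITY-CHECK in a program that touches database tables (APP-04), file names taken from variables (APP-05), CLIENT SPECIFIED (APP-07), dynamic WHERE clauses or table names (APP-08) and function or method names taken from variables (APP-09). APP-06, APP-10 and APP-11 need data-flow or rendering context that regexes cannot provide, so they are left out. The two sample programs are constructed for the demo; the authorization object F_LFA1_BEK used in the hardened one is assumed to be the right vendor check for that scenario.

```python
"""Heuristic BIZEC APP/11 triage for custom ABAP source.

Added example for this post, not an Onapsis tool or SAP's Code Vulnerability Analyzer.
It looks for lexical hints of the APP/11 classes in ABAP text; both sample programs
below are constructed for illustration.
"""
import re

# One regex per APP/11 class that can be spotted lexically. Matching runs on upper-cased
# code with comments removed (ABAP keywords are case-insensitive). APP-06, APP-10 and
# APP-11 need data-flow or rendering context and are deliberately not covered.
LINE_PATTERNS = {
    "APP-01": re.compile(r"\b(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT|GENERATE\s+REPORT)\b"),
    "APP-02": re.compile(r"CALL\s+'SYSTEM'|CALL\s+FUNCTION\s+'SXPG_COMMAND_EXECUTE'"),
    "APP-03": re.compile(r"\bEXEC\s+SQL\b|\bCL_SQL_STATEMENT\b"),
    "APP-05": re.compile(r"\b(OPEN|DELETE)\s+DATASET\s+(?!')\w+"),             # file name from a variable
    "APP-07": re.compile(r"\bCLIENT\s+SPECIFIED\b"),
    "APP-08": re.compile(r"\b(WHERE|FROM)\s+\(\s*\w+\s*\)"),                    # dynamic WHERE / table name
    "APP-09": re.compile(r"\bCALL\s+FUNCTION\s+(?!')\w+|\bCALL\s+METHOD\s+\("),  # callee name from a variable
}
DB_ACCESS = re.compile(r"^(SELECT|UPDATE|MODIFY|DELETE|INSERT)\s")
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\b")


def strip_comment(line):
    """Drop full-line (*) comments and trailing (") comments that sit outside string literals."""
    if line.startswith("*"):
        return ""
    out, in_str = [], False
    for ch in line:
        if ch == "'":
            in_str = not in_str
        elif ch == '"' and not in_str:
            break
        out.append(ch)
    return "".join(out)


def scan(source):
    """Return findings as (line_no, app_id, code) tuples; line_no 0 marks a program-level finding."""
    findings = []
    touches_db = has_auth_check = False
    for no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw).strip()
        if not code:
            continue
        upper = code.upper()
        for app_id, pattern in LINE_PATTERNS.items():
            if pattern.search(upper):
                findings.append((no, app_id, code))
        touches_db = touches_db or bool(DB_ACCESS.match(upper))
        has_auth_check = has_auth_check or bool(AUTH_CHECK.search(upper))
    if touches_db and not has_auth_check:
        findings.append((0, "APP-04", "database access without any AUTHORITY-CHECK"))
    return sorted(findings)


# Constructed sample: a vendor export report that trusts every user input it receives.
VULNERABLE_SAMPLE = """\
REPORT zvendor_export.
PARAMETERS: p_where TYPE char80,
            p_file  TYPE char255,
            p_fm    TYPE rs38l_fnam.
DATA: lt_lfa1 TYPE TABLE OF lfa1,
      lt_t000 TYPE TABLE OF t000.
" the user's filter text is pasted straight into the WHERE clause
SELECT * FROM lfa1 INTO TABLE lt_lfa1 WHERE (p_where).
OPEN DATASET p_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
* whatever function module the user typed gets called
CALL FUNCTION p_fm EXPORTING it_lfa1 = lt_lfa1.
SELECT * FROM t000 CLIENT SPECIFIED INTO TABLE lt_t000 WHERE mandt <> sy-mandt.
"""

# Constructed hardened variant: static SQL, an explicit authorization check, a fixed callee.
HARDENED_SAMPLE = """\
REPORT zvendor_export_safe.
SELECT-OPTIONS: s_lifnr FOR lfa1-lifnr.
DATA: lt_lfa1 TYPE TABLE OF lfa1.
* F_LFA1_BEK is assumed to be the vendor authorization object relevant here
AUTHORITY-CHECK OBJECT 'F_LFA1_BEK' ID 'BRGRU' FIELD 'ZEXP' ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(00) WITH 'No authorization for vendor export'.
ENDIF.
SELECT * FROM lfa1 INTO TABLE lt_lfa1 WHERE lifnr IN s_lifnr.
CALL FUNCTION 'Z_EXPORT_VENDORS' EXPORTING it_lfa1 = lt_lfa1.
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        found = scan(src)
        print("== %s: %d finding(s)" % (name, len(found)))
        for line_no, app_id, code in found:
            print("  line %3d  %s  %s" % (line_no, app_id, code))
```

The scanner is a first pass only: it will flag legitimate dynamic programming and miss anything that needs data-flow analysis, so every hit still goes to a reviewer, and the absence of hits does not make a program safe.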


Analyzing SAP Security Notes March 2015 Edition

SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business, or through the application of Security Notes (patches) that mitigate newly disclosed vulnerabilities.

To provide a predictable, scheduled flow of vulnerability information and security patches, SAP releases most of its Security Notes on the second Tuesday of every month. Because each of these regular disclosures describes new issues that weaken the security of an organization’s SAP systems until they are patched, periodic assessments are highly recommended, at least on a monthly basis.

At Onapsis we are very concerned about our clients’ SAP system security and about the state of SAP security in general. To assist our customers, we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to give SAP customers detailed information about the newly released notes and the vulnerabilities affecting their systems, and to help guide their testing of those systems within their organization.

Since the last SAP Security Tuesday, SAP has published 21 Security Notes (3 Support Package Notes and 18 Patch Day Notes). Among the notes credited to external security researchers, Onapsis Research Labs reported SAP Security Note 2122391 (Sergio Abraham).

The plot illustrates the distribution of CVSS scores across the released Security Notes; only the 16 of the 21 notes to which SAP assigned a CVSS score are included. As shown in the graph, the scores range from 3.5 to 6.8, with a median of 5.0.


SKIP-TLS/FREAK Vulnerabilities and SAP Systems

A few days ago, an important set of bugs affecting TLS/SSL implementations was published at https://www.smacktls.com/. TLS/SSL is mainly used as the security layer under HTTP(S), but many other protocols rely on it and may be affected as well. The vulnerabilities have been given specific names, SKIP-TLS and FREAK. They are bugs in particular TLS/SSL implementations, not vulnerabilities in the protocols themselves.

SKIP-TLS is an implementation error in how clients and servers handle unexpected messages in the protocol state machine. Different cipher suites require different handshake messages in particular orders, and affected implementations fail to enforce that order; an attacker exploits this by sending messages in a specific sequence that skips the key exchange and authentication messages altogether, as described in the paper (https://www.smacktls.com/smack.pdf).

FREAK is a downgrade attack on TLS/SSL implementations: it lets a man-in-the-middle attacker force a connection onto a weaker cipher suite than the one the client and server would otherwise negotiate. In practice, a resourceful attacker tricks a vulnerable client into accepting an export-grade (EXPORT) cipher suite, whose deliberately weakened key can then be broken offline in a later stage of the attack.
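
One practical check that follows from this is to look at what peers actually put on the wire. The following Python script is an added example (not part of the original post, not Onapsis or SAP code) that parses a raw TLS handshake record, extracts the cipher suites a ClientHello offers or the suite a ServerHello selected, and flags any EXPORT-grade suite. A client that still offers RSA_EXPORT suites, or a server that still selects one, is exposed to the downgrade described above; the client-side state-machine flaw itself (accepting an export key it never asked for) cannot be seen from a ClientHello and needs an active test. The `build_*_hello()` helpers construct demo records; the suite identifiers are the registered TLS cipher suite values.

```python
"""Flag EXPORT-grade cipher suites in TLS Hello messages (FREAK exposure triage).

Added example for this post, not Onapsis or SAP code. It uses only the standard library
and works on one raw TLS handshake record (a ClientHello or ServerHello) captured off
the wire; the records built by build_*_hello() below are constructed for the demo.
"""
import struct

# Export suites from the TLS cipher suite registry. The RSA_EXPORT ones are what FREAK
# abuses: a server still offering them will sign a 512-bit ephemeral RSA key, and a
# buggy client accepts that key even though it never offered an export suite.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    0x0060: "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",
    0x0061: "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02


def parse_hello(record):
    """Return ('client', [offered suites]) or ('server', [selected suite]) from one TLS record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len or len(msg) < 35:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                    # skip legacy version and 32-byte random
    pos += 1 + msg[pos]             # skip the length-prefixed session_id
    if hs_type == CLIENT_HELLO:
        if pos + 2 > len(msg):
            raise ValueError("missing cipher_suites")
        n = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        if n % 2 or pos + n > len(msg):
            raise ValueError("bad cipher_suites length")
        return "client", [struct.unpack("!H", msg[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    if hs_type == SERVER_HELLO:
        if pos + 2 > len(msg):
            raise ValueError("missing cipher_suite")
        return "server", [struct.unpack("!H", msg[pos:pos + 2])[0]]
    raise ValueError("handshake type %d is not a Hello" % hs_type)


def export_suites(record):
    """Names of EXPORT suites a client offers or a server selected; an empty list means clean."""
    _, suites = parse_hello(record)
    return [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]


def _record(hs_type, hello):
    """Wrap a Hello body in a handshake header and a TLS record header."""
    hs = bytes([hs_type]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites):
    """Constructed TLS 1.2 ClientHello: zero random, empty session id, null compression, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite):
    """Constructed TLS 1.2 ServerHello selecting one suite, null compression, no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(SERVER_HELLO, body)


if __name__ == "__main__":
    hello = build_client_hello([0xC02F, 0x002F, 0x0003, 0x0008])   # two modern suites plus two export ones
    print("client offers EXPORT suites:", export_suites(hello))
    print("server selected EXPORT suite:", export_suites(build_server_hello(0x0003)))
```

Run against captures of your SAP front ends and of the clients that connect to them: a non-empty result for a server is a configuration issue to fix regardless of patch level, while a non-empty result for a client points at a legacy stack that should be retired or patched.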

In this blog post we will focus on understanding the security impact of SKIP-TLS/FREAK for a group of SAP products.


Dealing with Authorization Groups: Part 2

As I said in the previous post, “Dealing with Authorization Groups: Part 1,” authorization groups are not limited to technical data; there are also many related to business master data.

The concept of implementation is the same:

  • Understand the reason for using an authorization group.
  • Identify where to set the groups.
  • Find the related authorization objects.
  • Assign the values to the proper roles taking into account which users need each access.

Normally, there are more SAP business users than technical users, making the assignment to users much more complex.

Since there are many business authorization groups, I will focus on the ones I believe are the most critical:

  • For FI Document Types.
  • For Vendors.
  • For Customers.
  • For G/L Accounts.

Authorization Groups For FI Document Types

There are many transactions inside SAP which allow users to post financial documents. The best way to avoid having users posting document types that they shouldn’t is to assign authorization groups.

Document types can be maintained using transaction OBA7. Since it is a customizing transaction, you will probably need to make the change in Development and then transport it to Production.


JVM Vulnerabilities and SAP Systems

In January, Oracle published a Critical Patch Update (CPU) with 19 vulnerabilities affecting Java SE (among other products): http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA

SAP has its own specific JAVA virtual machine implementation called SAPJVM, which according to SAP documentation:  “…is derived from Sun’s HotSpot VM and JDK implementation …  the SAP JVM is only targeting server-side applications. Certain features related to client environments are intentionally omitted or are not supported for general use.”.[1]

This is important for determining whether the vulnerabilities affect the SAP JVM, because only 4 of the 19 affect the server-side functionality of the Oracle JVM: CVE-2015-0383, CVE-2015-0410, CVE-2014-3566 and CVE-2014-6593. However, this information alone is not conclusive.
