SlideShare a Scribd company logo

[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by Jordan Santarsieri

CODE BLUE
CODE BLUE

On this presentation, we will raise awareness on how the SAP Internet facing systems are particularly vulnerable to Spyware, Ransomware and Worms due to their inherent complexity. We will also introduce (for the first time in Asia ) the “Project ARSAP”. This project is a semi-automatic mechanism which main goal is to detect and register all the SAP systems that are exposed to the Internet, extracting the system’s metadata and cataloging the assets in base of their Geo-location, system type, version, installed components and potential risk of compromise. We will present a brief introduction to SAP, defining its architecture / entry points and explain with great detail the methodology behind the “ARSAP” project. Then, three different scenarios were malware could strike SAP will be showcased. We will start by recreating a real SAP cyber-attack, where a company got attacked via malicious emails and we will move forward to some other complex techniques that could allow anyone, directly from the Internet to compromise the whole Interfacing SAP system and jump to the adjacent network. This presentation will have several live demos where the attendees will be able to observe the entire attack workflow. We will conclude the presentation by presenting some suggested remediations and conclusions.

Presentations & Public Speaking
1 of 45
DISCLAIMER • This publication contains references to the products of SAP AG. SAP, R/3, SAP NetWeaver and other SAP products. • Products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany, in the US and in several other countries all over the world. • SAP AG is neither the author nor the publisher of this publication and is not responsible for its content. The SAP Group shall not be liable for errors or omissions with respect to the materials. Vicxer, Inc. Is a registered Trademark. All rights reserved. Reproduction of this presentation without author’s consent is forbidden.
JORDAN SANTARSIERI VICXER’S FOUNDER Originally devoted to Penetration Testing, Vulnerability Research & Exploit writing, discovered several vulnerabilities in Oracle, SAP, IBM and many others. Speaker and trainer at Black-Hat, OWASP-US, Hacker Halted, YSTS, Insomni’hack, AusCERT, Sec-T, RootCon, Infosec In the City, Ekoparty, etc. I started researching ERP Software back in 2008. Had the honor to secure more than 1000 SAP implementations all around the globe, including Fortune-500 companies, military institutions and the biggest ONG on the planet. @ J S A N T A R S I E R I
CHAPTER 02 Project ARSAP is Born CHAPTER 04 Ransomware and the Weaponization of Weaknesses CHAPTER 01 Brief Introduction to SAP CHAPTER 03 A Traditional Approach to Malware Distribution
INTRODUCTION CHAPTER 01 A Brief Introduction to SAP
WHAT IS SAP? • SAP stands for Systems Applications and Products in Data Processing. It is a German company founded in 1972 by ex-IBM employees. • SAP counts 98,000+ Employees Worldwide • SAP Has 437,000+ Customers • Is Present in More Than 180 Countries • Dominate the Market With 92% of Forbes Global 2000
• SAP ERP (Enterprise Resource Planning) • SAP BI (Business Intelligence) • SAP CRM (Customer Relationship Management) • SAP SRM (Supplier Relationship Management) TWO TYPES OF SAP SOLUTIONS ENTERPRISE SOLUTIONS SUPPORTING SOLUTIONS • SAP GRC (Government Risk and Compliance) • SAP Business Objects • SAP Mobile • SAP Cloud Connectors These Solutions, provide direct services to end users These Solutions support the operations of the Enterprise Solutions
SAP NETWEAVER • Netweaver is the framework where SAP is built in. It is the most important technology so far as it synchronizes and regulates the operatory of the different SAP components • Netweaver is service oriented! and it is divided in two different stacks, ABAP & J2EE. Database Operating System SAP Business Logic SAP Application Layer SAP Netweaver System SAP Solution Base Infrastructure
SAP NETWEAVER • Each stack counts with different services, some of them are shared between stacks, some others are not • Each one of those services will have its own protocol for communications. Some of them are open, but most of them are proprietary
SAP USER CLIENTS • There are MANY ways that a regular user could use to connect to the SAP systems. The most popular ones are: • SAP GUI (SAP proprietary protocol, extra thick client, around 1.4Gb of size) • SAP Web Application Servers (ICM, Java HTTP, XSA)
IN A FEW WORDS … • Why would someone attack your SAP implementation? Easy….
CHAPTER 02 A NEW BEGINNING “Project ARSAP is Born”
ABOUT US WE ARE VICXER! • A company focused in securing the business-critical applications and its adjacent infrastructure (SAP, Oracle Siebel and others) • All of our customers belong to the Fortune-500 Group • We do: Oracle & SAP Penetration Testing Cyber-Security Trainings Vulnerability Assessment and Management SAP Forensics & Many More!
PROJECT ARSAP “Sometimes, reinventing the wheel makes sense” - Scenario • As a young company, we had the same challenges that everyone else has when they just start, getting new leads that could end-up in new customers • The approach that most companies take here, is to simply buy a list of businesses that are already running SAP, so they can try to “cold call” the CISO / security managers and pitch what they do • The success rate of this procedure is 1%, same success rate that the spammers get. Coincidence? I think not! • We said to ourselves, this cannot be the best possible way! there must be a more efficient way to tackle this challenge ……. and then the project ARSAP was born!
PROJECT ARSAP “Sometimes, reinventing the wheel makes sense” - Scenario • We used search engines like Shodan, Google, Bing, ZoomEye to more “sketchy” and esoteric deep-web resources (deep-web search engines, private forums, etc.) in order to find the different SAP systems (ABAP, Java, Business Objects, HANA) that were already exposed to the Internet • We ended-up creating one “extractor” per each data-source, as we knew since the very beginning that the SAP map that we would obtain would be “alive”, meaning that the discovered SAP systems could come and go every-day (yes, people tend to expose non-productive SAP systems to the Internet too!) • Once we had a list of servers, we also had the necessity of categorizing and tagging the detected SAP systems for further analysis. Fortunately for us, the exposed SAP services were QUITE verbose!
PROJECT ARSAP “Sometimes, reinventing the wheel makes sense” - Scenario • At this point, we did not only have the list of exposed SAP systems, but we were also able to classify them per the exposed SAP services, country & continent (of the server hosting the SAP system), SSL support and the different SAP / services version! • We used different techniques to discover what companies / individuals were behind the discovered assets. • Now, of course, we needed a way to prioritize our efforts on which potential clients we would contact first, so what we did offline, was to analyze the detected SAP services versions and compare them to our own vulnerability database. This exercise allowed us to also classify the SAPs per “potential” risk (as we did not actually trigger any attack probes) Are you intrigued about the results?
PROJECT ARSAP “ARSAP By the Numbers” • We found more than 14k SAP Services
PROJECT ARSAP “ARSAP By the Numbers” • We have identified the owners of 37.86% of the detected assets
CODE BLUE EXCLUSIVE! For the very first time and as an exclusive release for Code Blue … • We are releasing our first “SAP Situation Report” • This report contains the number of assets that we found on the Internet, their type, host country, their version and the issues potentially affecting these systems • You can download a fresh copy from https://vicxer.com/events/2019/cblue.zip
PROJECT ARSAP “ARSAP By the Numbers” • We also discovered that at least 27% of the detected assets were potentially vulnerable to critical and high criticity vulnerabilities like RCE, Directory Transversal, Arbitrary File uploads / Arbitrary File Reads • We ended up being highly surprised by our discoveries and we immediately started to think that a sufficiently skilled attacker could provoke the “next SAP tragedy” without much effort • How? you say, well, keep watching …
YOU GOT EMAIL! CHAPTER 03 “A traditional approach to malware distribution”
“A traditional approach to Malware distribution” – Thinking Like an Attacker • Think about it, if you were an attacker who has collected the information that we highlighted on the previous slides, it would be trivial for you to enumerate email addresses from the people that works at the target company • You know that the target organization uses SAP, probably across the board • You know that the target organization has enough resources to acquire and use an SAP system. This indicates that the level of resources belonging to the company are high and the head-count is significant • Almost all the big companies, with good amount of resources and a lot of employees use SSO (Single Sign-on) to facilitate access to SAP YOU GOT EMAIL!
“SAP Gui Scripts” • In SAP Words • By default, the execution of SAP GUI scripts is disabled, but in our experience, 90% of corporate users use this functionality to do performance and functional testing YOU GOT EMAIL! “SAP GUI Scripting is an automation interface that enhances the capabilities of SAP GUI. By using this interface, end users may automate repetitive tasks by running macro-like scripts”
“SAP Gui Scripts” • The attacker has already harvested some corporate email accounts and is ready to send some malware • The distribution channel will be an email with a malicious SAP GUI Script attached to it • The attacker will leverage the privileges of the victim and use them to completely delete a table containing public debt, Robin Hood Style! YOU GOT EMAIL!
WEAPONIZATION “You Got Email!” - Scenario USER’S VLAN SERVER’S VLAN SAP End-User Back-End SAP ABAP System Attacker
“SAP Gui Scripts” - Prevention • If your organization is lucky enough to not need SAP Gui scripts, you could disable this functionality by making sure that the sapgui/user_scripting profile parameter is set to FALSE • As we mention before, most organizations cannot afford disabling SAP Gui scripts, but fear not, there is a valid workaround! • Leave the SAP Gui scripts enable and configure the script/user_scripting_per_user parameter to TRUE, then, just assign the authorization object S_SCR with value 16 to (only) the users that are allowed to use this functionality YOU GOT EMAIL!
“SAP Gui Scripts” - Prevention • Also, at the client level, make sure you select the “Notify when a script attaches to SAP GUI” option, to get a warning from the SAP GUI whenever a scripts tries to be executed YOU GOT EMAIL!
“Ransomware and the weaponization of weaknesses” CHAPTER 04 WEAPONIZATION & PREVENTION
WEAPONIZATION “The Ransomware Approach” • One of our recurrent thoughts after having the complete picture of the SAPs that were exposed to the Internet was “If a ransomware hits the SAP systems exposed to the Internet, the results would be catastrophic” • We wanted to help, but before we could recommend some countermeasures, we needed to think how an attacker could try to take over these assets…. (in SAP, that is no easy tasks) • By studying past ransomwares, we discovered that most of them shared some “personality traits” • They were designed to hit hard • Quick lateral movement was gold • Avoiding “making noise” was not a priority • Open to “weaponize” (aka reutilize) previously reported vulnerabilities
WEAPONIZATION “The Ransomware Approach” - Scenario DMZ INTERNAL NETWORK Front-End SAP Java Back-End SAP ABAP Attacker
WEAPONIZATION “The Ransomware Approach” • The hypothetical malware will be divided in 5 phases • Each action / stage will be complemented with the technical attack / technique and the respective countermeasure • The full Ransomware / Malware wont be distributed for obvious reasons ;-) but we will show some code! Stage Action Intrusion Remote Command Execution via SAP Java Invoker Servlet Credential Gathering Decrypting SAP Secure Storage Lateral Movement Around DMZ SSH / Password Guessing / Brute-force via RFC DMZ Escape / Lateral Movement Around Adjacent Network Credential Reutilization using SOAPRFC / Master Password Ransom & Expansion Encrypt all the things!!! And bonus!
WEAPONIZATION “The Ransomware Approach” - Intrusion • As other malwares like WannaCry, we will use a previously reported vulnerability and just weaponize the publicly available exploit. This makes sense as many sophisticated attackers already have “malware frameworks”, they just need a silver bullet and some vulnerable victims • Per our network diagram, on the first phase, we are going to take over the front-end SAP system that is located inside the DMZ • The exploit that we are going to use will allow us to execute operating system commands under the privileges of the operating system user that is running the SAP system. This vulnerability is due to a combination of a default misconfiguration and a security vulnerability in SAP • Modern versions of SAP are not vulnerable to this exploit, but according to our research, finding a vulnerable systems is easy enough (almost 3 out of 10!!!!)
PREVENTION “The Ransomware Approach” - Countermeasures • To prevent the abuse of the InvokerServlet and the unauthenticated command execution, SAP Notes 1445998, 1589525 and 1624450 must be implemented on the affected assets • After the SAP security notes have been implemented, you need to be sure that the Invoker Servlet functionality is globally disabled. For that, use the SAP Java config-tool or open the Netweaver administrator webpage (nwa), go to Server Configurations, locate the servlet_jsp option and make sure EnableInvokerServletGlobally is set to False • WARNING !!! There is a known issue / bug in SAP that will prevent old versions to start after implementing this fix. Please read SAP Note 1467771, before disabling the InvokerServlet • Unfortunately, changes will only take effect once you restart your SAP systems
WEAPONIZATION “The Ransomware Approach” – Getting some creds! • Once the ransomware’s target has been breached, the first thing that it needs to do is lateral movement • The easiest way to extract credentials from a SAP Java system is by opening an encrypted file called SAP J2EE Secure Storage • In the SAP Java systems, the secure storage is an encrypted container that lays on the file-system. This container is encrypted using 3-DES, a hardcoded key and an user key phrase which is defined at the installation time • The container holds the SAP’s database password and depending on the version, the SAP Java administrator password (which is usually the same one, aka Master Password) • The container is extremely trivial to decrypt ……..
PREVENTION “The Ransomware Approach” – Countermeasures • Access to the SAP J2EE Secure Storage must be protected at all cost! • Files: Should only be accessible by the SAP’s operating system user, local administrators and global admins • Our selected encryption key phrase must be different from the SAP master password • The password for the SAP Administrator must be different from the SAP database user • /usr/sap/<SID>/SYS/global/security/data/SecStore.properties, • /usr/sap/<SID>/SYS/global/security/data/SecStore.key
WEAPONIZATION “The Ransomware Approach” - Scenario DMZ INTERNAL NETWORK Front-End SAP Java Back-End SAP ABAP Attacker
WEAPONIZATION “The Ransomware Approach” – Getting some creds! • The ransomware now has the ability to execute operating system commands under the privileges of the user running the SAP system, has full access to the local database and some important credentials for an eventual brute force • But this is not all….. In order to connect to other SAP systems of “different stacks” the SAP Java systems have a mechanism called JCO Destinations, these destinations might contain sensitive data such as client, username and password for remote systems (inside or outside the DMZ) • Finally, we should always test if the passwords that we got so far correspond to the SAP Master Password. We could do this via SSH or SMB
WEAPONIZATION “The Ransomware Approach” – Master Password! • At the installation time, SAP will ask the user if he / she wants to assign a different password for the most important SAP accounts or use a Master Password • By default, the installer suggests the implementation of a Master Password • If the Master Password is selected, the most powerful SAP users like SAP*, DDIC, the SAP’s database user and the SAP OS administrator and the SAP OS service user will all share the same password • 95% of the surveyed companies use the SAP Master Password mechanism • If one password is compromised ….
“A Screen that no one wants to see on their SAPs” THE FINAL RESULT
PREVENTION “The Ransomware Approach” – Countermeasures • In order to protect your RFC destinations, first ask yourself the following question, do I have a real business need to create an RFC destination with hardcoded credentials? • If the answer is “Yes” because you need to interact with a poorly designed interface (quite common on the SAP world) the least privileged approach must be follow • Avoid the utilization of an SAP Master Password, each key account must have its own password, with such be in compliance to your local password policy • Review your firewall strategy, how are you connecting your SAP systems on the DMZ and from the DMZ to the adjacent network. Allow traffic to ONLY the services that you require and nothing else
WEAPONIZATION “The Ransomware Approach” - Scenario DMZ INTERNAL NETWORK Front-End SAP Java Back-End SAP ABAP Attacker
WEAPONIZATION “The Ransomware Approach” – Bonus Track • Now is time to leave the DMZ!. One of the most notable characteristics of SAP is that it has been born to be interconnected • We can safely assume that the RFC and the ICM ports will be accepting connections from the already compromised SAP systems on the DMZ • The malware will attack the ICM services on the adjacent network by trying to reutilize the obtained credentials. The attack will target a particularly vulnerable service called SOAPRFC • The malware will send fake messages from the SAP servers on the adjacent network to all the end-users (human beings) pretending to be the SAP administrators • The users will receive a pop-up saying that a new SAP add-on MUST be installed and if they do not proceed with the installation, they will “disrupt the SAP system”
P O W E R P O I N T T E M P L A T E WHAT DID WE LEARN TODAY?
A Few Take-Aways … • Always ask yourself, do I really need to expose my SAP system to the internet? If the answer is yes, you must ONLY expose the bare minimum • Use an SAP Web-dispatcher to restrict access to ALL the webpages that are not required by the business • Your Internet facing SAP systems must be patched! follow SAP’s security notes release cycle! (New patches are available the second Tuesday of each month) • Do not forget about the audit trails! They will be invaluable in case the worst happens • Make sure your SOC is “SAP Aware” • And finally….. Prevent, Prevent, Prevent, conduct penetration testings regularly, distrust default configurations and always use the least privileged approach when in doubt! It will pay-off in the future! WRAPPING-UP
THAT IS ALL… QUESTIONS? To find out more about SAP, visit us at https://vicxer.com or follow us on Twitter @ J S A N T A R S I E R I@ V I C X E R S E C U R I T Y

Recommended

The CSV File Strikes Back
The CSV File Strikes BackThe CSV File Strikes Back
The CSV File Strikes BackSascha Wenninger
 
DeveloperWeek 2014
DeveloperWeek 2014DeveloperWeek 2014
DeveloperWeek 2014tonytcampbell
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
 
Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2
Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2
Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2jvandevis
 
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeSAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeOnapsis Inc.
 
So You Think You Can Hack | sitNL 2016
So You Think You Can Hack | sitNL 2016So You Think You Can Hack | sitNL 2016
So You Think You Can Hack | sitNL 2016Twan van den Broek
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsExploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
 
Onapsis SAP Backdoors
Onapsis SAP BackdoorsOnapsis SAP Backdoors
Onapsis SAP BackdoorsOnapsis Inc.
 

Recommended

The CSV File Strikes Back
The CSV File Strikes BackThe CSV File Strikes Back
The CSV File Strikes BackSascha Wenninger
 
DeveloperWeek 2014
DeveloperWeek 2014DeveloperWeek 2014
DeveloperWeek 2014tonytcampbell
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
 
Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2
Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2
Erp security joris-van_de_vis_sap_security_sitnl_2015_v0.2jvandevis
 
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeSAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeOnapsis Inc.
 
So You Think You Can Hack | sitNL 2016
So You Think You Can Hack | sitNL 2016So You Think You Can Hack | sitNL 2016
So You Think You Can Hack | sitNL 2016Twan van den Broek
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsExploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
 
Onapsis SAP Backdoors
Onapsis SAP BackdoorsOnapsis SAP Backdoors
Onapsis SAP BackdoorsOnapsis Inc.
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0Cyber Security Alliance
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)ERPScan
 
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not EnoughOnapsis Inc.
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)Onapsis Inc.
 
Boston Spark User Group - Spark's Role at MediaCrossing - July 15, 2014
Boston Spark User Group - Spark's Role at MediaCrossing - July 15, 2014Boston Spark User Group - Spark's Role at MediaCrossing - July 15, 2014
Boston Spark User Group - Spark's Role at MediaCrossing - July 15, 2014gmalouf678
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP SystemsOnapsis Inc.
 
SAP Inside Track Frankfurt 2018 #Sitfra 2018
SAP Inside Track Frankfurt 2018 #Sitfra 2018SAP Inside Track Frankfurt 2018 #Sitfra 2018
SAP Inside Track Frankfurt 2018 #Sitfra 2018jvandevis
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP SystemsOnapsis Inc.
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 
Attacks Based on Security Configurations
Attacks Based on Security ConfigurationsAttacks Based on Security Configurations
Attacks Based on Security ConfigurationsOnapsis Inc.
 
sitNL Security Update from SAP TechEd 2013
sitNL Security Update from SAP TechEd 2013sitNL Security Update from SAP TechEd 2013
sitNL Security Update from SAP TechEd 2013Twan van den Broek
 
SAP inside track NL 2013, SAP Security update
SAP inside track NL 2013, SAP Security updateSAP inside track NL 2013, SAP Security update
SAP inside track NL 2013, SAP Security updatejvandevis
 
Data Lake na área da saúde- AWS
Data Lake na área da saúde- AWSData Lake na área da saúde- AWS
Data Lake na área da saúde- AWSAmazon Web Services LATAM
 
SAP Business Objects Attacks
SAP Business Objects AttacksSAP Business Objects Attacks
SAP Business Objects AttacksOnapsis Inc.
 
Cyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsCyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsOnapsis Inc.
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...Tunde Ogunkoya
 
Short introduction to SAP security research (sitNL)
Short introduction to SAP security research (sitNL)Short introduction to SAP security research (sitNL)
Short introduction to SAP security research (sitNL)Twan van den Broek
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenInman News
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating ERPScan
 
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 

More Related Content

Similar to [CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by Jordan Santarsieri

Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)ERPScan
 
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not EnoughOnapsis Inc.
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)Onapsis Inc.
 
Boston Spark User Group - Spark's Role at MediaCrossing - July 15, 2014
Boston Spark User Group - Spark's Role at MediaCrossing - July 15, 2014Boston Spark User Group - Spark's Role at MediaCrossing - July 15, 2014
Boston Spark User Group - Spark's Role at MediaCrossing - July 15, 2014gmalouf678
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP SystemsOnapsis Inc.
 
SAP Inside Track Frankfurt 2018 #Sitfra 2018
SAP Inside Track Frankfurt 2018 #Sitfra 2018SAP Inside Track Frankfurt 2018 #Sitfra 2018
SAP Inside Track Frankfurt 2018 #Sitfra 2018jvandevis
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP SystemsOnapsis Inc.
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 
Attacks Based on Security Configurations
Attacks Based on Security ConfigurationsAttacks Based on Security Configurations
Attacks Based on Security ConfigurationsOnapsis Inc.
 
sitNL Security Update from SAP TechEd 2013
sitNL Security Update from SAP TechEd 2013sitNL Security Update from SAP TechEd 2013
sitNL Security Update from SAP TechEd 2013Twan van den Broek
 
SAP inside track NL 2013, SAP Security update
SAP inside track NL 2013, SAP Security updateSAP inside track NL 2013, SAP Security update
SAP inside track NL 2013, SAP Security updatejvandevis
 
SAP Business Objects Attacks
SAP Business Objects AttacksSAP Business Objects Attacks
SAP Business Objects AttacksOnapsis Inc.
 
Cyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsCyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsOnapsis Inc.
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...Tunde Ogunkoya
 
Short introduction to SAP security research (sitNL)
Short introduction to SAP security research (sitNL)Short introduction to SAP security research (sitNL)
Short introduction to SAP security research (sitNL)Twan van den Broek
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenInman News
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating ERPScan
 

Similar to [CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by Jordan Santarsieri (20)

An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)
 
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
 
Boston Spark User Group - Spark's Role at MediaCrossing - July 15, 2014
Boston Spark User Group - Spark's Role at MediaCrossing - July 15, 2014Boston Spark User Group - Spark's Role at MediaCrossing - July 15, 2014
Boston Spark User Group - Spark's Role at MediaCrossing - July 15, 2014
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP Systems
 
SAP Inside Track Frankfurt 2018 #Sitfra 2018
SAP Inside Track Frankfurt 2018 #Sitfra 2018SAP Inside Track Frankfurt 2018 #Sitfra 2018
SAP Inside Track Frankfurt 2018 #Sitfra 2018
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP Systems
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
Attacks Based on Security Configurations
Attacks Based on Security ConfigurationsAttacks Based on Security Configurations
Attacks Based on Security Configurations
 
sitNL Security Update from SAP TechEd 2013
sitNL Security Update from SAP TechEd 2013sitNL Security Update from SAP TechEd 2013
sitNL Security Update from SAP TechEd 2013
 
SAP inside track NL 2013, SAP Security update
SAP inside track NL 2013, SAP Security updateSAP inside track NL 2013, SAP Security update
SAP inside track NL 2013, SAP Security update
 
Data Lake na área da saúde- AWS
Data Lake na área da saúde- AWSData Lake na área da saúde- AWS
Data Lake na área da saúde- AWS
 
SAP Business Objects Attacks
SAP Business Objects AttacksSAP Business Objects Attacks
SAP Business Objects Attacks
 
Cyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsCyber-attacks to SAP Systems
Cyber-attacks to SAP Systems
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
 
Short introduction to SAP security research (sitNL)
Short introduction to SAP security research (sitNL)Short introduction to SAP security research (sitNL)
Short introduction to SAP security research (sitNL)
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt CohenEvaluating Web App, Mobile App, and API Security - Matt Cohen
Evaluating Web App, Mobile App, and API Security - Matt Cohen
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating
 

More from CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo PupilloCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 

More from CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Recently uploaded

Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸mathanramanathan2005
 
Internship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SEInternship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SESaleh Ibne Omar
 
Application of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxApplication of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxRoquia Salam
 
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...university
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Escort Service
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power
 
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxEngaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxAsifArshad8
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationNathan Young
 
proposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerproposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerkumenegertelayegrama
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...Henrik Hanke
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRachelAnnTenibroAmaz
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxaryanv1753
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.KathleenAnnCordero2
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptxChizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptxogubuikealex
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comsaastr
 
Early Modern Spain. All about this period
Early Modern Spain. All about this periodEarly Modern Spain. All about this period
Early Modern Spain. All about this periodSaraIsabelJimenez
 
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...漢銘 謝
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMQuality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMCharmi13
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRsarwankumar4524
 

Recently uploaded (19)

Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸
 
Internship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SEInternship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SE
 
Application of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxApplication of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptx
 
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
CHROMATOGRAPHY and its types with procedure,diagrams,flow charts,advantages a...
 
Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
 
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxEngaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism Presentation
 
proposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerproposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeeger
 
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
DGT @ CTAC 2024 Valencia: Most crucial invest to digitalisation_Sven Zoelle_v...
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptx
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptxChizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptx
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
 
Early Modern Spain. All about this period
Early Modern Spain. All about this periodEarly Modern Spain. All about this period
Early Modern Spain. All about this period
 
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMQuality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEM
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
 

[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by Jordan Santarsieri

  • 1.
  • 2. DISCLAIMER • This publication contains references to the products of SAP AG. SAP, R/3, SAP NetWeaver and other SAP products. • Products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany, in the US and in several other countries all over the world. • SAP AG is neither the author nor the publisher of this publication and is not responsible for its content. The SAP Group shall not be liable for errors or omissions with respect to the materials. Vicxer, Inc. Is a registered Trademark. All rights reserved. Reproduction of this presentation without author’s consent is forbidden.
  • 3. JORDAN SANTARSIERI VICXER’S FOUNDER Originally devoted to Penetration Testing, Vulnerability Research & Exploit writing, discovered several vulnerabilities in Oracle, SAP, IBM and many others. Speaker and trainer at Black-Hat, OWASP-US, Hacker Halted, YSTS, Insomni’hack, AusCERT, Sec-T, RootCon, Infosec In the City, Ekoparty, etc. I started researching ERP Software back in 2008. Had the honor to secure more than 1000 SAP implementations all around the globe, including Fortune-500 companies, military institutions and the biggest ONG on the planet. @ J S A N T A R S I E R I
  • 4. CHAPTER 02 Project ARSAP is Born CHAPTER 04 Ransomware and the Weaponization of Weaknesses CHAPTER 01 Brief Introduction to SAP CHAPTER 03 A Traditional Approach to Malware Distribution
  • 5. INTRODUCTION CHAPTER 01 A Brief Introduction to SAP
  • 6. WHAT IS SAP? • SAP stands for Systems Applications and Products in Data Processing. It is a German company founded in 1972 by ex-IBM employees. • SAP counts 98,000+ Employees Worldwide • SAP Has 437,000+ Customers • Is Present in More Than 180 Countries • Dominate the Market With 92% of Forbes Global 2000
  • 7. • SAP ERP (Enterprise Resource Planning) • SAP BI (Business Intelligence) • SAP CRM (Customer Relationship Management) • SAP SRM (Supplier Relationship Management) TWO TYPES OF SAP SOLUTIONS ENTERPRISE SOLUTIONS SUPPORTING SOLUTIONS • SAP GRC (Government Risk and Compliance) • SAP Business Objects • SAP Mobile • SAP Cloud Connectors These Solutions, provide direct services to end users These Solutions support the operations of the Enterprise Solutions
  • 8. SAP NETWEAVER • Netweaver is the framework where SAP is built in. It is the most important technology so far as it synchronizes and regulates the operatory of the different SAP components • Netweaver is service oriented! and it is divided in two different stacks, ABAP & J2EE. Database Operating System SAP Business Logic SAP Application Layer SAP Netweaver System SAP Solution Base Infrastructure
  • 9. SAP NETWEAVER • Each stack counts with different services, some of them are shared between stacks, some others are not • Each one of those services will have its own protocol for communications. Some of them are open, but most of them are proprietary
  • 10. SAP USER CLIENTS • There are MANY ways that a regular user could use to connect to the SAP systems. The most popular ones are: • SAP GUI (SAP proprietary protocol, extra thick client, around 1.4Gb of size) • SAP Web Application Servers (ICM, Java HTTP, XSA)
  • 11. IN A FEW WORDS … • Why would someone attack your SAP implementation? Easy….
  • 12. CHAPTER 02 A NEW BEGINNING “Project ARSAP is Born”
  • 13. ABOUT US WE ARE VICXER! • A company focused in securing the business-critical applications and its adjacent infrastructure (SAP, Oracle Siebel and others) • All of our customers belong to the Fortune-500 Group • We do: Oracle & SAP Penetration Testing Cyber-Security Trainings Vulnerability Assessment and Management SAP Forensics & Many More!
  • 14. PROJECT ARSAP “Sometimes, reinventing the wheel makes sense” - Scenario • As a young company, we had the same challenges that everyone else has when they just start, getting new leads that could end-up in new customers • The approach that most companies take here, is to simply buy a list of businesses that are already running SAP, so they can try to “cold call” the CISO / security managers and pitch what they do • The success rate of this procedure is 1%, same success rate that the spammers get. Coincidence? I think not! • We said to ourselves, this cannot be the best possible way! there must be a more efficient way to tackle this challenge ……. and then the project ARSAP was born!
  • 15. PROJECT ARSAP “Sometimes, reinventing the wheel makes sense” - Scenario • We used search engines like Shodan, Google, Bing, ZoomEye to more “sketchy” and esoteric deep-web resources (deep-web search engines, private forums, etc.) in order to find the different SAP systems (ABAP, Java, Business Objects, HANA) that were already exposed to the Internet • We ended-up creating one “extractor” per each data-source, as we knew since the very beginning that the SAP map that we would obtain would be “alive”, meaning that the discovered SAP systems could come and go every-day (yes, people tend to expose non-productive SAP systems to the Internet too!) • Once we had a list of servers, we also had the necessity of categorizing and tagging the detected SAP systems for further analysis. Fortunately for us, the exposed SAP services were QUITE verbose!
  • 16. PROJECT ARSAP “Sometimes, reinventing the wheel makes sense” - Scenario • At this point, we did not only have the list of exposed SAP systems, but we were also able to classify them per the exposed SAP services, country & continent (of the server hosting the SAP system), SSL support and the different SAP / services version! • We used different techniques to discover what companies / individuals were behind the discovered assets. • Now, of course, we needed a way to prioritize our efforts on which potential clients we would contact first, so what we did offline, was to analyze the detected SAP services versions and compare them to our own vulnerability database. This exercise allowed us to also classify the SAPs per “potential” risk (as we did not actually trigger any attack probes) Are you intrigued about the results?
  • 17. PROJECT ARSAP “ARSAP By the Numbers” • We found more than 14k SAP Services
  • 18. PROJECT ARSAP “ARSAP By the Numbers” • We have identified the owners of 37.86% of the detected assets
  • 19. CODE BLUE EXCLUSIVE! For the very first time and as an exclusive release for Code Blue … • We are releasing our first “SAP Situation Report” • This report contains the number of assets that we found on the Internet, their type, host country, their version and the issues potentially affecting these systems • You can download a fresh copy from https://vicxer.com/events/2019/cblue.zip
  • 20. PROJECT ARSAP “ARSAP By the Numbers” • We also discovered that at least 27% of the detected assets were potentially vulnerable to critical and high criticity vulnerabilities like RCE, Directory Transversal, Arbitrary File uploads / Arbitrary File Reads • We ended up being highly surprised by our discoveries and we immediately started to think that a sufficiently skilled attacker could provoke the “next SAP tragedy” without much effort • How? you say, well, keep watching …
  • 21. YOU GOT EMAIL! CHAPTER 03 “A traditional approach to malware distribution”
  • 22. “A traditional approach to Malware distribution” – Thinking Like an Attacker • Think about it, if you were an attacker who has collected the information that we highlighted on the previous slides, it would be trivial for you to enumerate email addresses from the people that works at the target company • You know that the target organization uses SAP, probably across the board • You know that the target organization has enough resources to acquire and use an SAP system. This indicates that the level of resources belonging to the company are high and the head-count is significant • Almost all the big companies, with good amount of resources and a lot of employees use SSO (Single Sign-on) to facilitate access to SAP YOU GOT EMAIL!
  • 23. “SAP Gui Scripts” • In SAP Words • By default, the execution of SAP GUI scripts is disabled, but in our experience, 90% of corporate users use this functionality to do performance and functional testing YOU GOT EMAIL! “SAP GUI Scripting is an automation interface that enhances the capabilities of SAP GUI. By using this interface, end users may automate repetitive tasks by running macro-like scripts”
  • 24. “SAP Gui Scripts” • The attacker has already harvested some corporate email accounts and is ready to send some malware • The distribution channel will be an email with a malicious SAP GUI Script attached to it • The attacker will leverage the privileges of the victim and use them to completely delete a table containing public debt, Robin Hood Style! YOU GOT EMAIL!
  • 25. WEAPONIZATION “You Got Email!” - Scenario USER’S VLAN SERVER’S VLAN SAP End-User Back-End SAP ABAP System Attacker
  • 26. “SAP Gui Scripts” - Prevention • If your organization is lucky enough to not need SAP Gui scripts, you could disable this functionality by making sure that the sapgui/user_scripting profile parameter is set to FALSE • As we mention before, most organizations cannot afford disabling SAP Gui scripts, but fear not, there is a valid workaround! • Leave the SAP Gui scripts enable and configure the script/user_scripting_per_user parameter to TRUE, then, just assign the authorization object S_SCR with value 16 to (only) the users that are allowed to use this functionality YOU GOT EMAIL!
  • 27. “SAP Gui Scripts” - Prevention • Also, at the client level, make sure you select the “Notify when a script attaches to SAP GUI” option, to get a warning from the SAP GUI whenever a scripts tries to be executed YOU GOT EMAIL!
  • 28. “Ransomware and the weaponization of weaknesses” CHAPTER 04 WEAPONIZATION & PREVENTION
  • 29. WEAPONIZATION “The Ransomware Approach” • One of our recurrent thoughts after having the complete picture of the SAPs that were exposed to the Internet was “If a ransomware hits the SAP systems exposed to the Internet, the results would be catastrophic” • We wanted to help, but before we could recommend some countermeasures, we needed to think how an attacker could try to take over these assets…. (in SAP, that is no easy tasks) • By studying past ransomwares, we discovered that most of them shared some “personality traits” • They were designed to hit hard • Quick lateral movement was gold • Avoiding “making noise” was not a priority • Open to “weaponize” (aka reutilize) previously reported vulnerabilities
  • 30. WEAPONIZATION “The Ransomware Approach” - Scenario DMZ INTERNAL NETWORK Front-End SAP Java Back-End SAP ABAP Attacker
  • 31. WEAPONIZATION “The Ransomware Approach” • The hypothetical malware will be divided in 5 phases • Each action / stage will be complemented with the technical attack / technique and the respective countermeasure • The full Ransomware / Malware wont be distributed for obvious reasons ;-) but we will show some code! Stage Action Intrusion Remote Command Execution via SAP Java Invoker Servlet Credential Gathering Decrypting SAP Secure Storage Lateral Movement Around DMZ SSH / Password Guessing / Brute-force via RFC DMZ Escape / Lateral Movement Around Adjacent Network Credential Reutilization using SOAPRFC / Master Password Ransom & Expansion Encrypt all the things!!! And bonus!
  • 32. WEAPONIZATION “The Ransomware Approach” - Intrusion • As other malwares like WannaCry, we will use a previously reported vulnerability and just weaponize the publicly available exploit. This makes sense as many sophisticated attackers already have “malware frameworks”, they just need a silver bullet and some vulnerable victims • Per our network diagram, on the first phase, we are going to take over the front-end SAP system that is located inside the DMZ • The exploit that we are going to use will allow us to execute operating system commands under the privileges of the operating system user that is running the SAP system. This vulnerability is due to a combination of a default misconfiguration and a security vulnerability in SAP • Modern versions of SAP are not vulnerable to this exploit, but according to our research, finding a vulnerable systems is easy enough (almost 3 out of 10!!!!)
  • 33. PREVENTION “The Ransomware Approach” - Countermeasures • To prevent the abuse of the InvokerServlet and the unauthenticated command execution, SAP Notes 1445998, 1589525 and 1624450 must be implemented on the affected assets • After the SAP security notes have been implemented, you need to be sure that the Invoker Servlet functionality is globally disabled. For that, use the SAP Java config-tool or open the Netweaver administrator webpage (nwa), go to Server Configurations, locate the servlet_jsp option and make sure EnableInvokerServletGlobally is set to False • WARNING !!! There is a known issue / bug in SAP that will prevent old versions to start after implementing this fix. Please read SAP Note 1467771, before disabling the InvokerServlet • Unfortunately, changes will only take effect once you restart your SAP systems
  • 34. WEAPONIZATION “The Ransomware Approach” – Getting some creds! • Once the ransomware’s target has been breached, the first thing that it needs to do is lateral movement • The easiest way to extract credentials from a SAP Java system is by opening an encrypted file called SAP J2EE Secure Storage • In the SAP Java systems, the secure storage is an encrypted container that lays on the file-system. This container is encrypted using 3-DES, a hardcoded key and an user key phrase which is defined at the installation time • The container holds the SAP’s database password and depending on the version, the SAP Java administrator password (which is usually the same one, aka Master Password) • The container is extremely trivial to decrypt ……..
  • 35. PREVENTION “The Ransomware Approach” – Countermeasures • Access to the SAP J2EE Secure Storage must be protected at all cost! • Files: Should only be accessible by the SAP’s operating system user, local administrators and global admins • Our selected encryption key phrase must be different from the SAP master password • The password for the SAP Administrator must be different from the SAP database user • /usr/sap/<SID>/SYS/global/security/data/SecStore.properties, • /usr/sap/<SID>/SYS/global/security/data/SecStore.key
  • 36. WEAPONIZATION “The Ransomware Approach” - Scenario DMZ INTERNAL NETWORK Front-End SAP Java Back-End SAP ABAP Attacker
  • 37. WEAPONIZATION “The Ransomware Approach” – Getting some creds! • The ransomware now has the ability to execute operating system commands under the privileges of the user running the SAP system, has full access to the local database and some important credentials for an eventual brute force • But this is not all….. In order to connect to other SAP systems of “different stacks” the SAP Java systems have a mechanism called JCO Destinations, these destinations might contain sensitive data such as client, username and password for remote systems (inside or outside the DMZ) • Finally, we should always test if the passwords that we got so far correspond to the SAP Master Password. We could do this via SSH or SMB
  • 38. WEAPONIZATION “The Ransomware Approach” – Master Password! • At the installation time, SAP will ask the user if he / she wants to assign a different password for the most important SAP accounts or use a Master Password • By default, the installer suggests the implementation of a Master Password • If the Master Password is selected, the most powerful SAP users like SAP*, DDIC, the SAP’s database user and the SAP OS administrator and the SAP OS service user will all share the same password • 95% of the surveyed companies use the SAP Master Password mechanism • If one password is compromised ….
  • 39. “A Screen that no one wants to see on their SAPs” THE FINAL RESULT
  • 40. PREVENTION “The Ransomware Approach” – Countermeasures • In order to protect your RFC destinations, first ask yourself the following question, do I have a real business need to create an RFC destination with hardcoded credentials? • If the answer is “Yes” because you need to interact with a poorly designed interface (quite common on the SAP world) the least privileged approach must be follow • Avoid the utilization of an SAP Master Password, each key account must have its own password, with such be in compliance to your local password policy • Review your firewall strategy, how are you connecting your SAP systems on the DMZ and from the DMZ to the adjacent network. Allow traffic to ONLY the services that you require and nothing else
  • 41. WEAPONIZATION “The Ransomware Approach” - Scenario DMZ INTERNAL NETWORK Front-End SAP Java Back-End SAP ABAP Attacker
  • 42. WEAPONIZATION “The Ransomware Approach” – Bonus Track • Now is time to leave the DMZ!. One of the most notable characteristics of SAP is that it has been born to be interconnected • We can safely assume that the RFC and the ICM ports will be accepting connections from the already compromised SAP systems on the DMZ • The malware will attack the ICM services on the adjacent network by trying to reutilize the obtained credentials. The attack will target a particularly vulnerable service called SOAPRFC • The malware will send fake messages from the SAP servers on the adjacent network to all the end-users (human beings) pretending to be the SAP administrators • The users will receive a pop-up saying that a new SAP add-on MUST be installed and if they do not proceed with the installation, they will “disrupt the SAP system”
  • 43. P O W E R P O I N T T E M P L A T E WHAT DID WE LEARN TODAY?
  • 44. A Few Take-Aways … • Always ask yourself, do I really need to expose my SAP system to the internet? If the answer is yes, you must ONLY expose the bare minimum • Use an SAP Web-dispatcher to restrict access to ALL the webpages that are not required by the business • Your Internet facing SAP systems must be patched! follow SAP’s security notes release cycle! (New patches are available the second Tuesday of each month) • Do not forget about the audit trails! They will be invaluable in case the worst happens • Make sure your SOC is “SAP Aware” • And finally….. Prevent, Prevent, Prevent, conduct penetration testings regularly, distrust default configurations and always use the least privileged approach when in doubt! It will pay-off in the future! WRAPPING-UP
  • 45. THAT IS ALL… QUESTIONS? To find out more about SAP, visit us at https://vicxer.com or follow us on Twitter @ J S A N T A R S I E R I@ V I C X E R S E C U R I T Y