Message-ID: <5556090B.5010009@erpscan.com>
Date: Fri, 15 May 2015 17:56:11 +0300
From: Darya Maenkova <d.maenkova@...scan.com>
To: fulldisclosure@...lists.org
Subject: [FD] Chinese attack on USIS using SAP vulnerability – Detailed review and comments
*Intro*
On May 11, a security headline broke in the news: an attack on USIS
(U.S. Investigations Services), potentially conducted by Chinese
state-sponsored hackers via a vulnerability in SAP software. Hackers
broke into third-party software in 2013 to open personal records of
federal employees and contractors with access to classified
intelligence, according to the government's largest private employee
investigation provider [1].
USIS is a federal contractor that conducts background checks for DHS;
it is the largest commercial provider of background investigations to
the federal government. It has more than 5,700 employees providing
services in all 50 states and U.S. territories and overseas. As a result
of the breach, more than 27,000 personnel seeking security clearances
were likely affected. Similar hacks also affected servers at the Office
of Personnel Management (OPM), which holds information on security
clearance investigations. Once hackers have a list of employees who
possess government security clearances, they can exploit other aspects
of those employees' lives for malicious gain.
Within a couple of hours after the information that an SAP
vulnerability was involved appeared, we contacted journalists at
DarkReading and gave them feedback and comments.
We are now sharing all the comments that were prepared, as well as
additional research we conducted, to explain what the next steps can be
for organizations to secure their systems and prevent such attacks.
Below you will find the timeline of the attack investigation, a
collection of facts from different sources, and our comments on the
topic.
*Attack timeline*
*Late 2013*
The initial attack against the USIS supplier potentially started [2].
*March 2014*
Attack continued against USIS [3].
“Both USIS and OPM were hacked around March 2014, and while the
security controls in place at OPM’s networks shielded employee
information, the networks at USIS were not as secured. At USIS,
hackers deployed spyware designed to capture screenshots when a
background check window was open,”
– said Stroz Friedberg, the digital forensics firm.
Hackers infiltrated a network belonging to one of USIS’s suppliers that
stored enterprise resource planning software. That network was connected
to USIS’s network.
According to NextGov, “the attacker was able to navigate from the
third-party-managed environment into the USIS network in late (redacted)
by successfully brute-forcing a password on an application server,”
wrote Padres, referring to a hacking technique that systematically
checks all possible passwords. “Once the attacker was able to log in to
that server, the attacker installed a malicious backdoor.”
*June 05 2014*
USIS reported the cyberattack to federal authorities on June 5, more
than two months before acknowledging it publicly [4].
*July 09 2014*
It was reported that Chinese hackers had broken in March into the
computer networks of a United States government agency that houses the
personal information of all federal employees. But officials also said
that neither the personnel agency nor Homeland Security had identified
any loss of personally identifiable information [5].
*August 06 2014*
USIS published a press release stating that they had been hacked,
potentially in a state-sponsored attack. They also hired an independent
forensic investigation company, Stroz Friedberg, to perform an
investigation [6].
*August 22 2014*
Detailed information about the breach appeared in the news.
“The agency has identified some 25,000 employees whose information it
believes was exposed in the breach. While the number of employees
affected is relatively small compared to breaches at retailers such
as Target or Home Depot, which have affected tens of millions of
customers, it is nonetheless quite serious,”
– one of the DHS officials told Reuters.
Files on background checks contain highly sensitive data that foreign
intelligence agencies could attempt to exploit to intimidate government
workers with access to classified information.
This information includes Social Security numbers, education and
criminal history, birth dates, along with information about spouses,
other relatives and friends, including their names and addresses [7].
*November 03 2014*
The first detailed information about the attack appeared on the
Associated Press website, at this time without any indication that an
attack on an SAP ERP system was used to conduct the intrusion [8].
“A cyberattack similar to previous hacker intrusions from China
penetrated computer networks for months at USIS, the government's
leading security clearance contractor, before the company noticed,
officials and others familiar with an FBI investigation and related
official inquiries.
The breach, first revealed by the company and government agencies in
August, compromised the private records of at least 25,000 employees at
the Homeland Security Department and cost the company hundreds of
millions of dollars in lost government contracts. In addition to trying
to identify the perpetrators and evaluate the scale of the stolen
material, the government inquiries have prompted concerns about why
computer detection alarms inside the company failed to quickly notice
the hackers and whether federal agencies that hired the company should
have monitored its practices more closely,” – reported The Associated Press [9].
In the private analysis prepared for USIS by Stroz Friedberg, a digital
risk management firm, managing director Bret A. Padres said the
company's computers had government-approved "perimeter protection,
antivirus, user authentication and intrusion-detection technologies."
But Padres said his firm did not evaluate the strength of USIS'
cybersecurity measures before the intrusion.
So, what can we learn from the statement “government inquiries have
prompted concerns about why computer detection alarms inside the company
failed to quickly notice the hackers”?
As we have mentioned in many reports, SAP security, much like any other
business application security area, is rarely covered by traditional
security tools such as vulnerability management and intrusion detection
systems. SAP has very specific vulnerabilities and configuration issues
that should be assessed by high-quality experts. To give an example,
there are thousands of security-related parameters in each SAP system
in the application server alone. In addition, 3300+ vulnerabilities
were found in SAP from 2001 to 2015. And if we continue on the subject
of complexity, there are 1200 web services installed by default on SAP
NetWeaver 7.2 (SAP's application server), and each web service is like
a small website. So you can get an idea of the complexity of this
system and how many issues there can be. Needless to say, “complexity
kills security”. Even after SAP's latest marketing campaign “SAP is
Simple” (which is a great idea), it will take years to make it really
simple with such an amount of legacy systems.
*November 04 2014*
New information appeared in the news [10].
“The hackers attacked a vulnerable computer server in a connected but
separate network, managed by a third party not affiliated with USIS,”
– said Padres of the forensics company.
Now we learned that the actual attack was conducted via a separate
network owned by a third party, but still nothing specific about how
exactly it happened.
*April 28 2015*
After almost 5 months of silence, some new information finally
appeared, and this was the first source where we found information
pointing to the fact that the initial attack was against an ERP system,
and that this ERP system was on a separate network managed by a separate
company [11].
“Hackers infiltrated a network belonging to one of USIS’s suppliers,
which stored enterprise resource planning software. That network was
connected to USIS’s network.” [12]
“The attacker was able to navigate from the third-party-managed
environment into the USIS network in late (redacted) by successfully
brute-forcing a password on an application server,”
– wrote Padres.
When we speak about business applications, we need to consider their
highly interconnected nature. You can't just implement dozens of
business applications in a company and leave them unconnected. For
example, to automate business processes, your ERP system should be able
to automatically create an invoice in the banking system, so these
systems have to be connected somehow at the application layer even if
they are separated at the network level. In real life we see dozens or
even hundreds of connections between different SAP systems, and some of
these connections (so-called RFC Destinations) store usernames and
passwords (according to our statistics, the average number of
connections in an SAP system is about 50, and 30% of them usually store
usernames and passwords).
Once an attacker gets access to the weakest SAP system, he can easily
get access to the connected systems, and from them to others, and so
on, spreading his access like a spider's web.
Another way business applications can be connected is via an Enterprise
Service Bus such as SAP PI (Process Integration); these systems also
have vulnerabilities, as reported by the ERPScan Research team at the
BlackHat 2013 conference.
Finally, even where direct connections don't exist, there is research
conducted by the ERPScan Research team explaining an SSRF attack that
can be used to bypass firewall restrictions and attack systems through
their trust connections [13].
Taking those connections into account, it comes as no surprise that
attackers were able to get access to the connected network of another
company.
We would also like to say that those connections can be even more
dangerous in Manufacturing, Oil and Gas and Nuclear companies, where SAP
can be connected with field devices and the plant floor.
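To make the "spider's web" concrete, here is an added example in Python (not ERPScan's code or tooling) that models systems linked by RFC destinations, with a flag on every destination that stores a username and password, and computes how far an attacker who holds one system can hop, together with the two statistics the text quotes (destinations per system, share with stored credentials). The inventory and all system and destination names are constructed for the demonstration; a defender would fill the same structure from an export of their own RFC destinations and harden the systems at the top of the ranking first.

```python
"""Blast-radius estimate for interconnected SAP systems.

Added example, not ERPScan's code or tooling. RFC destinations link systems;
those that store a username and password let whoever controls the source
system log on to the target without learning any further secret. The
inventory below is constructed for the demonstration and every system and
destination name in it is hypothetical.
"""
from collections import deque

# system -> list of (destination name, target system, stores_credentials)
INVENTORY = {
    "SUPPLIER-ERP": [("ERP_TO_USIS_HR", "USIS-HR", True),
                     ("ERP_TO_BI", "SUPPLIER-BI", False)],
    "USIS-HR":      [("HR_TO_FIN", "USIS-FIN", True),
                     ("HR_TO_PORTAL", "USIS-PORTAL", False)],
    "USIS-FIN":     [("FIN_TO_BANK", "BANK-GW", True)],
    "USIS-PORTAL":  [("PORTAL_TO_HR", "USIS-HR", True)],
    "SUPPLIER-BI":  [],
    "BANK-GW":      [],
}


def credential_stats(inventory):
    """Average destinations per system and the share of destinations that
    store credentials (the two figures the post quotes from its statistics)."""
    dests = [d for lst in inventory.values() for d in lst]
    if not dests:
        return 0.0, 0.0
    with_creds = sum(1 for _, _, stored in dests if stored)
    return len(dests) / len(inventory), with_creds / len(dests)


def reachable(inventory, start, stored_only=True):
    """Systems an attacker holding `start` can hop to by following RFC
    destinations (breadth-first). With stored_only=True only destinations
    that carry a stored username/password count, i.e. hops that need no
    extra secret; with False every destination is treated as a path."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for _, target, stored in inventory.get(current, []):
            if stored_only and not stored:
                continue
            if target not in seen:
                seen.add(target)
                queue.append(target)
    seen.discard(start)
    return seen


def rank_by_reach(inventory, stored_only=True):
    """Rank systems by how many others fall if that one is compromised;
    the top entries are the weakest-link candidates to harden first.
    Ties are broken by name so the order is deterministic."""
    reach = {s: len(reachable(inventory, s, stored_only)) for s in inventory}
    return sorted(reach.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    avg, share = credential_stats(INVENTORY)
    print(f"avg destinations/system: {avg:.1f}, storing credentials: {share:.0%}")
    for system, n in rank_by_reach(INVENTORY):
        print(f"{system:<13} reaches {n} system(s) via stored credentials")
```

In the constructed inventory the supplier's ERP system reaches three USIS-side systems through stored credentials alone, which is exactly the pattern the text describes: a foothold in a third party's network becomes access to the connected company.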
*May 10 2015*
From the previous article we could infer that this ERP system was most
probably SAP, as the most popular one, and the new article confirmed
this. NextGov became the first source to state that it was actually SAP.
“That software apparently was an SAP enterprise resource planning
application. It’s unclear if there was a fix available for the program
flaw at the time of the attack. It’s also not clear whether SAP—which
was responsible for maintaining the application—or USIS would have been
responsible for patching the flaw.
But in the end, sensitive details on tens of thousands of national
security personnel were exposed in March 2014.
Assailants infiltrated USIS by piggybacking on an “exploit,” a glitch
that can be abused by hackers, that was “present in a widely used and
highly-regarded enterprise resource planning (‘ERP’) software package,”
an internal investigation obtained by Nextgov found. USIS officials
declined to explicitly name the software application, saying they would
let the report, compiled by Stroz Friedberg, a digital forensics firm
retained by USIS, speak for itself.” [14]
This report also includes an attempt to look deeper into SAP
vulnerabilities and guess what happened:
During the period of the hacking operation, which began in 2013 and was
exposed in June 2014, 20 to 30 new critical vulnerabilities were
identified in SAP’s enterprise resource planning software [15].
From our point of view, the real figures for potential vulnerabilities
are much larger. If we assume that the real attack was conducted in
2013, let's say at the beginning of the year, the actual number of
vulnerabilities patched by SAP from 2001 to the middle of 2013 was
about 2000, according to the research “SAP Security in figures 2013”
[16], based on information from the SAP Support portal about all
vulnerabilities.
“The number of SAP vulnerabilities would have given attackers many
options to target SAP directly, based on how USIS deployed the ERP
tool,” – said Richard Barger, chief intelligence officer at
ThreatConnect and a former Army intelligence analyst.
This is more than true. In addition to the more than 2000 potential
vulnerabilities in SAP applications, there can also be vulnerabilities
in custom programs developed by the USIS subcontractor or even by
another third party.
It is unclear which vulnerability the intruders exploited. Defects in
programs used by the government and contractors sometimes aren't fixed
for years after software developers announce a weakness.
*May 11 2015*
Some other details appeared [17].
Lawmakers have been pressing for answers about the breach since last
year. Suspected Chinese hackers got into the USIS systems in late 2013
but weren't discovered until June 2014. This does not surprise us at
all. Some of the companies that we have had a chance to assess don't
have any visibility into their systems. According to our research, only
10% of customers really configure and analyze SAP Security logs and
other events.
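Since the text says the intruder brute-forced a password on an application server and that only 10% of customers analyze their SAP security logs, here is an added example (Python, not ERPScan's code) of the minimum such analysis should do: a sliding-window count of failed logons per source and account, with a successful logon after the burst flagged as the moment a guessed password became a foothold. The line format and every record below are constructed for the demonstration and do not reproduce a real SAP Security Audit Log layout; the host name, account and addresses are made up.

```python
"""Spot password brute-forcing in logon audit events.

Added example, not ERPScan's code. The record format and all sample lines
are constructed for the demonstration (they are not a real SAP Security
Audit Log layout); adapt LINE_RE to whatever export you actually have.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) client=(?P<client>\d+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+)$"
)

# Constructed sample: one source hammers the SAP* account in client 000
# (seven failures in under two minutes) and then succeeds; the rest is noise.
SAMPLE_LOG = """\
2013-11-02 03:14:01 host=erp-app01 user=JSMITH client=100 result=OK src=10.0.5.23
2013-11-02 03:14:05 host=erp-app01 user=SAP* client=000 result=FAILED src=203.0.113.9
2013-11-02 03:14:12 host=erp-app01 user=SAP* client=000 result=FAILED src=203.0.113.9
2013-11-02 03:14:20 host=erp-app01 user=SAP* client=000 result=FAILED src=203.0.113.9
2013-11-02 03:14:33 host=erp-app01 user=SAP* client=000 result=FAILED src=203.0.113.9
2013-11-02 03:14:47 host=erp-app01 user=SAP* client=000 result=FAILED src=203.0.113.9
2013-11-02 03:15:10 host=erp-app01 user=SAP* client=000 result=FAILED src=203.0.113.9
2013-11-02 03:15:40 host=erp-app01 user=SAP* client=000 result=FAILED src=203.0.113.9
2013-11-02 03:16:00 host=erp-app01 user=SAP* client=000 result=OK src=203.0.113.9
2013-11-02 03:20:00 host=erp-app01 user=MJONES client=100 result=FAILED src=10.0.5.40
"""


def parse_events(log_text):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            yield ev


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when one (source, user) pair accumulates `threshold` failed
    logons inside a sliding `window`. A later successful logon from the same
    pair is flagged, because that is when a guessed password becomes a
    foothold. Returns one alert dict per offending (source, user) pair."""
    failures = defaultdict(deque)   # (src, user) -> failure timestamps in window
    alerts = {}
    for ev in parse_events(log_text):
        key = (ev["src"], ev["user"])
        q = failures[key]
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(key, {"src": ev["src"], "user": ev["user"],
                                            "host": ev["host"], "failures": 0,
                                            "success_after": False})
                a["failures"] = max(a["failures"], len(q))
        elif ev["result"] == "OK" and key in alerts:
            alerts[key]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single unrelated failure from another source never crosses the threshold, so it produces no alert; the burst against the administrative account does, and the success that follows it is the event to escalate first. Tuning the window is what separates a user mistyping a password from a systematic guess, which is why both parameters are exposed.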
*May 12 2015*
An article from DarkReading in which we gave our first comments
regarding this breach [18].
So now you have the full picture of the attack, and there is only one
question left: how was this attack conducted? Let's try to answer it.
*What kind of vulnerability was exploited?*
The news states that the vulnerability was “present in a widely-used and
highly-regarded enterprise resource planning (‘ERP’) software package”.
No other details about the vulnerability were provided.
Let's try to understand what kind of vulnerabilities were used in this
attack, but first let's look at the history. We publish annual reviews
of SAP vulnerabilities; these reports are usually called “SAP Security
in figures”:
* 2011 – SAP Security in figures 2007-2011 [19]
* 2013 – SAP Security in figures 2007-2011 [20]
* 2014 – Analysis of 3000 SAP Security notes [21]
* 2015 – Blog post with latest review [22]
From those reports we can get information about the most critical
vulnerabilities. Taking into account that the attack happened in late
2013, only the first three reports are relevant for us.
Another guideline provided by the ERPScan Research team focuses on the
most popular vulnerabilities, taking their criticality into
consideration as well. So, combining data from these reports, we can
give an overview of the vulnerabilities that were most probably used in
this attack. And even if this assumption turns out to be wrong, we
still get the list of the most critical and popular vulnerabilities
affecting SAP ERP systems. The fact that we are mostly looking for SAP
ERP vulnerabilities should also be taken into account.
We also excluded most of the vulnerabilities that can be used only in
combination with others, most of the very specific vulnerabilities, and
those that require some user action, such as XSS. So finally we
collected 15 vulnerabilities that were most likely used against the ERP
system in this period and that give an attacker an easy way to get full
access to a vulnerable SAP system.
Finally, we limited the list by publication date and selected only
those published before Q2 2013.
We add a couple of parameters to each vulnerability to calculate the
final likelihood that this particular vulnerability was used.
* *Criticality* – real impact on the system, such as full administrative
access or just information disclosure.
* *Popularity* – amount of information in public sources such as
presentations, whitepapers and advisories describing the vulnerability.
* *Ease of exploitation* – whether there is a publicly available free
tool with an exploit, or an exploit, or a PoC, or an advisory, or some
kind of details.
* *Applicability* – our personal view of whether this vulnerability is
applicable to the particular system used in the organization.
* *Likelihood* – overall probability that this particular vulnerability
was exploited, based on the previously mentioned parameters.
*Below is the table with details of our analysis.*
Columns: Year | Likelihood | Pop | Crit | Ease | Appl | CVSSv2 | Patch
(Pop = Popularity, Crit = Criticality, Ease = Ease of exploitation,
Appl = Applicability; Patch = SAP Security Note numbers)

Default passwords for administrative users
  ???? | 100.00% | 5 | 5 | 5 | 5 | N/A | 1414256
RFC Gateway remote command execution
  2007 |  80.00% | 5 | 5 | 4 | 5 | 7.5 | 1425765, 1408081, 1473017,
                                         1069911, 1480644, 614971, 1525125
SAP/Oracle REMOTE_OS_AUTHENT
  2003 |  40.96% | 4 | 4 | 4 | 4 | 7.5 | 1622837, 1639578
Remote code execution via TH_GREP
  2011 |  38.40% | 4 | 5 | 3 | 4 | 6.0 | 1620632
Unauthorized access to SAP Management console
  2011 |  38.40% | 4 | 3 | 4 | 5 | 5.6 | 1439348
SAP Host Control – Code Injection
  2012 |  36.00% | 3 | 5 | 5 | 3 | 10  | 1341333
SAP Dispatcher – DIAG protocol Buffer Overflow
  2012 |  24.00% | 3 | 5 | 2 | 5 | 9.3 | 1687910
Authentication bypass through Verb Tampering
  2011 |  20.00% | 5 | 5 | 5 | 1 | 10  | 1589525, 1624450
Authentication bypass through the Invoker servlet
  2011 |  20.00% | 5 | 5 | 5 | 1 | 10  | 1585527
SAP Message Server – Buffer Overflow
  2012 |  16.00% | 2 | 5 | 2 | 5 | 10  | 1649840
SAP NetWeaver DI – Arbitrary file upload
  2013 |  10.24% | 2 | 4 | 2 | 4 | 9.3 | 10
Message Server Auth Bypass
  2008 |   7.68% | 3 | 4 | 1 | 4 | 7.5 | 1421005
SAP GRMGApp – XXE and authentication bypass
  2013 |   5.76% | 2 | 3 | 2 | 3 | 7.3 | 1729293, 1725390
SAP NetWeaver J2EE – DilbertMSG SSRF
  2012 |   4.32% | 3 | 3 | 3 | 1 | 7.3 | 1707494
Buffer overflow in ABAP Kernel call
  2011 |   3.20% | 1 | 5 | 1 | 4 | 4.8 | 1487330, 1529807
So, most likely the vulnerability that was used was one of these:
* Default passwords for administrative users
* RFC Gateway remote command execution
* SAP/Oracle REMOTE_OS_AUTHENT
* Remote code execution via TH_GREP
* Unauthorized access to SAP Management console
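The text does not say how the Likelihood column is computed, but multiplying the four scores (Popularity, Criticality, Ease of exploitation, Applicability) and dividing by 5^4 = 625 reproduces every percentage in the table. The added example below (Python, not ERPScan's code) encodes that inferred formula, checks it against the stated percentages row by row, and re-derives the top-5 list above; the rows are copied from the table, and the formula itself is the assumption being tested.

```python
"""Reproduce the Likelihood column of the table and the top-5 list.

Added example, not ERPScan's code. The post does not state the formula;
the product of the four scores divided by 5**4 is an inferred one, and
check_table() verifies it against the percentages the post gives.
"""

# (title, year, stated likelihood %, popularity, criticality, ease, applicability)
TABLE = [
    ("Default passwords for administrative users", "????", 100.00, 5, 5, 5, 5),
    ("RFC Gateway remote command execution", "2007", 80.00, 5, 5, 4, 5),
    ("SAP/Oracle REMOTE_OS_AUTHENT", "2003", 40.96, 4, 4, 4, 4),
    ("Remote code execution via TH_GREP", "2011", 38.40, 4, 5, 3, 4),
    ("Unauthorized access to SAP Management console", "2011", 38.40, 4, 3, 4, 5),
    ("SAP Host Control – Code Injection", "2012", 36.00, 3, 5, 5, 3),
    ("SAP Dispatcher – DIAG protocol Buffer Overflow", "2012", 24.00, 3, 5, 2, 5),
    ("Authentication bypass through Verb Tampering", "2011", 20.00, 5, 5, 5, 1),
    ("Authentication bypass through the Invoker servlet", "2011", 20.00, 5, 5, 5, 1),
    ("SAP Message Server – Buffer Overflow", "2012", 16.00, 2, 5, 2, 5),
    ("SAP NetWeaver DI – Arbitrary file upload", "2013", 10.24, 2, 4, 2, 4),
    ("Message Server Auth Bypass", "2008", 7.68, 3, 4, 1, 4),
    ("SAP GRMGApp – XXE and authentication bypass", "2013", 5.76, 2, 3, 2, 3),
    ("SAP NetWeaver J2EE – DilbertMSG SSRF", "2012", 4.32, 3, 3, 3, 1),
    ("Buffer overflow in ABAP Kernel call", "2011", 3.20, 1, 5, 1, 4),
]

SCALE_MAX = 5   # every score in the table lies between 1 and 5


def likelihood(popularity, criticality, ease, applicability):
    """Each score is normalised to [0, 1] and the four are multiplied, so a
    single low score (e.g. Applicability = 1) pulls the result down hard
    even when the other three are maximal. Returned as a percentage."""
    product = popularity * criticality * ease * applicability
    return 100.0 * product / SCALE_MAX ** 4


def check_table(rows):
    """Titles whose stated percentage does not match the formula; an empty
    list means the assumed formula explains the whole table."""
    return [title for title, _, stated, *scores in rows
            if round(likelihood(*scores), 2) != stated]


def ranked(rows, top=None):
    """Titles sorted by likelihood, highest first; ties keep table order
    because sorted() is stable."""
    order = sorted(rows, key=lambda r: -likelihood(*r[3:]))
    titles = [r[0] for r in order]
    return titles[:top] if top else titles


if __name__ == "__main__":
    print("rows not explained by the formula:", check_table(TABLE))
    for row in sorted(TABLE, key=lambda r: -likelihood(*r[3:]))[:5]:
        print(f"{likelihood(*row[3:]):6.2f}%  {row[0]}")
```

The multiplicative form explains why the two authentication bypasses, which score 5 on popularity, criticality and ease, still land at 20%: their Applicability of 1 alone divides the result by five. Anyone reusing the scheme for their own landscape only needs to replace the Applicability column.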
*Prevention*
We recommend implementing the SAP Security Notes for the most critical
vulnerabilities, those probably used during this attack, which are
listed in the table in the previous chapter.
Secondly, follow our guidelines [23] for an initial assessment of the
SAP NetWeaver ABAP application server: the 33 most critical security
checks.
Thirdly, check this presentation, as well as all the other slides and
guidelines [24] about SAP Security, and you are also welcome to follow
us at security conferences worldwide. Here is the list of upcoming
events: <http://erpscan.com/category/press-center/future-events/>.
*Recommendations*
Since all the steps discussed previously require a lot of manpower, we
recommend evaluating automated solutions to assess and secure your
systems as soon as possible, as nobody knows whether your system is
already under attack.
*Takeaways for CISOs*:
As you can see, when researchers start flagging security loopholes by
publishing information about one or another system's security
vulnerability, it is only a matter of time before cybercriminals
actually exploit it. Who will fall victim is anybody's guess. So, apart
from the fact that it is better to take precautionary action before a
real example surfaces, we started talking about this 8 years ago.
Our lessons are simply three:
* You can't rely only on traditional security solutions when we speak
about advanced cyber attacks.
* You can't be sure that everything is OK in your network unless you
really monitor it from all angles; for SAP this means that VA
(vulnerability assessment), custom code security, SoD (segregation of
duties) and event monitoring should all be on the radar.
* And most important for business applications: they are highly
interconnected, and, as this example shows, it is not only a problem of
your infrastructure security, it is also a problem of all your external
connections and third-party security.
So what it boils down to is that "a system is only as secure as its
weakest link".
*References*
1. http://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/
2. http://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/
3. http://www.homelandsecuritynewswire.com/dr20150430-breach-of-backgroundchecks-database-may-lead-to-blackmail
4. http://www.theblaze.com/stories/2014/11/04/cyberattack-on-top-u-s-govt-security-contractor-went-unnoticed-for-months/
5. http://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html?_r=0
6. http://www.usis.com/media-release-detail.aspx?dpid=151
7. http://www.reuters.com/article/2014/08/22/us-usa-security-contractor-cyberattack-idUSKBN0GM1TZ20140822
8. http://bigstory.ap.org/article/427fbd5d88f5481eab35f5a8bbc534be/security-contractor-breach-not-detected-months
9. http://bigstory.ap.org/article/427fbd5d88f5481eab35f5a8bbc534be/security-contractor-breach-not-detected-months
10. http://www.theblaze.com/stories/2014/11/04/cyberattack-on-top-u-s-govt-security-contractor-went-unnoticed-for-months/
11. http://www.ladailypost.com/content/background-checks-database-breach-heightens-blackmail-risk
12. http://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/
13. http://erpscan.com/wp-content/themes/supercms/Publications/SSRF%20vs%20Businness%20critical%20applications%20final%20edit.pdf
14. http://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/
15. http://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/
16. http://erpscan.com/wp-content/themes/supercms/Publications/SAP%20Security%20in%20figures%20-%20A%20global%20survey%202013%20RC.pdf
17. http://thehill.com/policy/cybersecurity/241588-report-hackers-infiltrated-security-contractor-using-third-party
18. http://www.darkreading.com/attacks-breaches/first-example-of-sap-breach-surfaces/d/d-id/1320382
19. http://erpscan.com/wp-content/themes/supercms/Publications/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdf
20. http://erpscan.com/wp-content/themes/supercms/Publications/3000-SAP-notes-Analysis-by-ERPScan.pdf
21. http://erpscan.com/wp-content/themes/supercms/Publications/3000-SAP-notes-Analysis-by-ERPScan.pdf
22. http://erpscan.com/press-center/blog/sap-vulnerabilities-highlighted-in-many-reports-such-as-hp-cyber-risk-report-2015/#more-7858
23. http://erpscan.com/wp-content/themes/supercms/Publications/EASSEC-PVAG-ABAP.pdf
24. http://erpscan.com/white-papers/
--
Darya Maenkova
PR manager
<https://www.linkedin.com/profile/public-profile-settings?trk=prof-edit-edit-public_profile>
<https://twitter.com/d_maenkova>
<http://erpscan.com/>
------------------------------------------------------------------------
e-mail: d.maenkova@...scan.com <mailto:d.maenkova@...scan.com>
address: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
phone: 650.798.5255
erpscan.com <http://erpscan.com>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/