Following the global cyber-attack this week, in which over 200,000 PCs and servers in 150 countries were infected with ransomware, many SAP professionals might wonder whether ERP applications like SAP could also get infected. SAP systems form the backbone of businesses worldwide and are therefore attractive targets for attackers looking to make money. As organisations open up more and more SAP systems to the internet, the risk rises.
A ransom-type cyber-attack like this, but specifically targeting SAP systems, could have disastrous consequences. For example, the demanded ransom could be many times higher than the $300-600 demanded in this week's attack. In addition, not many companies would survive without the use of their ERP system(s) for longer than a week.
Technically such attacks are certainly possible. We already addressed the possibility of SAP ransomware at last year's CyberSecurityAlliance security conference and developed a proof-of-concept SAP ransomware, described on slide 26 of that presentation.
How SAP systems can get infected
There are many ways SAP systems can get infected by ransomware. In the application layer alone there are design weaknesses in the RFC Gateway (in particular when its access control lists, secinfo and reginfo, are not maintained), there may be SAP default accounts left with their default passwords that give full access, and there are often missing critical SAP Security Notes that can lead to a full compromise of the SAP application. Furthermore, there are ways to gain access to SAP systems via the operating system layer and the database layer. These are often overlooked, but they play an important part in operating an SAP system and can give full access as well if not properly secured.
For a practical example of how malicious code can be introduced into SAP systems via weaknesses in SAP's transport mechanism, see our white paper “2013 – Security in SAP Transport management”, which can be downloaded from here.
Typically the goal of ransomware is not only to infect systems, but to hold critical data hostage as leverage. This means critical data has to be encrypted, user logon has to be blocked, and users who try to log on have to be shown a message stating the ransom sum and the payment method. In addition, a decryption routine has to be run once the payment has been made and the decryption key has been received. All of this could be done with (ABAP) programs that are native to SAP systems.
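The RFC Gateway point above is the one that is easiest to check from the outside of SAP itself: the gateway decides, based on the text files configured via `gw/reg_info` and `gw/sec_info`, which hosts may register server programs and which hosts may start operating-system programs. A single permit rule with wildcards in both the program name and the host opens the gateway to everyone who can reach its port. The script below is an added example written for this article, not a tool from the original post or from SAP: it parses the version-2 rule syntax of those two files and flags permit rules that are too broad. The four sample files in it are constructed; the weak ones mirror the “allow everything” pattern, the hardened ones restrict a single program to internal hosts and end with an explicit deny-all.

```python
"""Audit SAP RFC Gateway ACL files (reginfo / secinfo) for wildcard rules.

Added example for this article (not a tool from the original post or from
SAP). Rule syntax follows the version-2 format of the gateway ACL files;
the sample file contents below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# A version-2 rule is 'P' (permit) or 'D' (deny) followed by KEY=VALUE
# tokens, e.g.   P TP=sapxpg HOST=internal ACCESS=internal,local
RULE_RE = re.compile(r"^(?P<action>[PD])\s+(?P<opts>.+)$")


@dataclass
class Finding:
    kind: str      # "reginfo" or "secinfo"
    lineno: int
    rule: str
    reason: str


def parse_rule(line):
    """'P TP=* HOST=a,b' -> ('P', {'TP': ['*'], 'HOST': ['a', 'b']})."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a version-2 gateway ACL rule: {line!r}")
    opts = {}
    for token in m.group("opts").split():
        key, _, value = token.partition("=")
        # HOST / ACCESS / CANCEL may carry comma-separated host lists
        opts.setdefault(key.upper(), []).extend(value.split(","))
    return m.group("action"), opts


def audit_acl(kind, text):
    """Return one Finding per permit rule that is too broad for `kind`."""
    if kind not in ("reginfo", "secinfo"):
        raise ValueError(f"unknown ACL kind {kind!r}")
    findings = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#VERSION=2":
        findings.append(Finding(kind, 1, lines[0] if lines else "",
                                "missing '#VERSION=2' header: old rule format"))
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            action, opts = parse_rule(line)
        except ValueError:
            findings.append(Finding(kind, lineno, line, "unparsable rule"))
            continue
        if action != "P":
            continue                 # deny rules cannot widen access
        # Conservative assumption of this script: an omitted TP or HOST
        # option is treated like a wildcard.
        tp, host = opts.get("TP", ["*"]), opts.get("HOST", ["*"])
        if kind == "reginfo":
            if "*" in tp and "*" in host:
                findings.append(Finding(kind, lineno, line,
                    "any host may register any program name at this gateway"))
            elif "*" in tp:
                findings.append(Finding(kind, lineno, line,
                    "wildcard program name: any registration from these hosts"))
            if "*" in opts.get("ACCESS", []):
                findings.append(Finding(kind, lineno, line,
                    "ACCESS=*: the registered program is callable from any host"))
        else:
            if "*" in tp and "*" in host:
                findings.append(Finding(kind, lineno, line,
                    "any host may start any OS program through the gateway"))
            elif "*" in tp:
                findings.append(Finding(kind, lineno, line,
                    "wildcard program name: these hosts may start any OS program"))
    return findings


# Constructed samples: the weak files permit everything, the hardened ones
# allow one program from internal hosts only and deny the rest.
WEAK_REGINFO = "#VERSION=2\nP TP=* HOST=* ACCESS=* CANCEL=*\n"
HARDENED_REGINFO = ("#VERSION=2\n"
                    "P TP=SAPXPG HOST=local ACCESS=internal,local CANCEL=internal,local\n"
                    "D TP=*\n")
WEAK_SECINFO = "#VERSION=2\nP TP=* USER=* USER-HOST=* HOST=*\n"
HARDENED_SECINFO = ("#VERSION=2\n"
                    "P TP=sapxpg USER=* USER-HOST=internal HOST=internal\n"
                    "D TP=*\n")

if __name__ == "__main__":
    for kind, text in (("reginfo", WEAK_REGINFO), ("reginfo", HARDENED_REGINFO),
                       ("secinfo", WEAK_SECINFO), ("secinfo", HARDENED_SECINFO)):
        for f in audit_acl(kind, text):
            print(f"{f.kind}:{f.lineno}: {f.rule}  <- {f.reason}")
```

Run it against the real files from the application server's profile directory (`gw/sec_info` and `gw/reg_info` name them). Note that a clean file is not enough on its own: the gateway only enforces these lists when `gw/acl_mode` is set to 1, so the profile parameter has to be checked alongside the files.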
Restore and Recovery
Should such an attack occur, the most logical first response would be to restore and recover the SAP system from backup media to an earlier point in time (provided you know with certainty the exact date and time your system(s) became infected, and provided the backups themselves were kept out of reach of the attacker).
However, SAP systems these days are no longer stand-alone systems and are typically part of an ecosystem of other critical applications: other SAP systems, middleware, CRM and HR applications, etc. This means that the complete ecosystem would also have to be restored and recovered to the same point in time to preserve consistency between these systems. Any transactions that took place after the point in time to which the systems were restored would then have to be re-executed.
For very large companies, this might prove to be a near-impossible task. A restore and recovery of all production systems and connected applications (provided these have that capability at all) is not an event anyone hopes to have to deal with.
Compared to the total cost of the investigation, the restore and recovery, and the removal of inconsistencies between all critical systems in the IT infrastructure, paying the demanded ransom might seem to many to be the less risky and cheaper option.
To sum up: there are many ways to infect SAP systems, and they are an extremely interesting target because they hold mission-critical data. To prevent scenarios you do not want to be part of, organisations must be prepared. Specifically against ransomware this usually means: patch, patch and patch your software. Not only the SAP application itself, but also operating systems, databases, third-party products, middleware and components like the SAP Web Dispatcher and SAProuter, and frontend components like SAP GUI.