
Stuxnet - most sophisticated piece of malware in history?

Former Member
0 Kudos

Hi guys

This is not directly about SAP NW security. But if you are into security you will have heard of Stuxnet, here is some info for those who haven't:

[Wikipedia - Stuxnet|http://en.wikipedia.org/wiki/Stuxnet]

Stuxnet is a Windows-specific computer worm first discovered in June 2010 by VirusBlokAda, a security firm based in Belarus. It is the first discovered worm that spies on and reprograms industrial systems...

Furthermore, the worm's probable target has been said to have been high value infrastructures in Iran using Siemens control systems. According to news reports the infestation by this worm might have damaged Iran's nuclear facilities in Natanz and eventually delayed the start up of Iran's Bushehr Nuclear Power Plant.

[Langner Communications GmbH about Stuxnet|http://www.langner.com/en/]

[Symantec - W32.Stuxnet Dossier|http://www.symantec.com/connect/de/blogs/w32stuxnet-dossier]

What do you think about it? What does this all imply for our SAP systems? What will happen when such an elaborate trojan hits RFC, unencrypted HTTP/SAPGui connections?

Obviously Stuxnet is operating on a much larger scale than any trojan targeting our systems would ever be. But on the other hand we are very soft and weak targets...

Please share your thoughts. If mods feel this should be moved to the Coffee Corner, be my guest.

Cheers Michael

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Michael,

I agree with your comment about being soft and weak targets. SAP traditionally being hidden within the depths of corporate networks has led to much of the industry being ignorant to many threats that are not from end users or complaints from auditors.

My opinion is that Stuxnet has blown open the common argument that the relative obscurity of SAP gives it a good deal of protection. Anyone with the sophistication to target specific process control networks has the ability to do the same for SAP. As an industry we have to up our game and stop treating security as something that starts and ends with SAP roles.

9 REPLIES 9

0 Kudos

For reasons like the one you mentioned (but also others) SAP has launched its Security Patchday on Sep 14th and also recently handed out a whitepaper on how to better secure ABAP based systems.... Some of the recommendations are rather old, but as many SAP customers have been quite reluctant to implement them this was another attempt to direct some attention to these measures on how to better protect application servers.

0 Kudos

" As an industry we have to up our game and stop treating security as something that starts and ends with SAP roles." - Exactly Alex.

The same thing that we are trying to say to our customers.

As for Stuxnet, we were working on a project named sapsploit/saptrojan, which was done to automate penetration testing of SAP systems for our customers.

sapsploit is a tool (web page) that collects all exploits for SAP Frontend ActiveX controls. If the user is vulnerable, sapsploit loads saptrojan, which is written in VBS and, using the RFC API, reads saplogon.ini and tries to connect to SAP servers with default passwords, passwords in shortcuts and brute force. After that it loads tables such as USER02, KNA1 and others and transmits them to our server. We show this information to our customers to prove that systems are vulnerable.

Looks similar to Stuxnet, doesn't it? Except that it is not a worm, just a trojan, but it is easy to add a replication function, and then we will see a SAPSTUXNET ))

More on this you can see in this awareness: http://erpscan.com/awareness.php

Or, if you are interested in technical details, you can look at my talk at the HACK IN THE BOX conference: http://dsecrg.com/pages/pub/show.php?id=27

Also, at HITB Malaysia I will talk more about it. http://conference.hackinthebox.org/hitbsecconf2010kul/?page_id=992

0 Kudos

> USER02

There is no such table in SAP...

There are however a number of other goodies where this could provide vectors and double-stack systems are the first which come to mind.

Cheers,

Julius

0 Kudos

Hi Alexander,

Good that this discussion is started. For some time I have tried to raise awareness but it's 'better' that some real vulnerabilities are being exploited to make people aware. Although Stuxnet is not aiming at SAP systems there are many, many vulnerabilities in an 'out-of-the-box' installed system. As Birger Toedtmann says, unfortunately there is little attention for the SAP security guides.

As you said there are some major risks in the several components that make a SAP infrastructure. The SAP GUI is just one of them. But there are many more on the server side, DB, OS and network level. Some great people like you are researching this and let's hope that more and more customers will pick this up and start securing their businesses.

Please also see the whitepaper that we just recently released on the history and trends of vulnerabilities in SAP systems: http://www.erp-sec.com/index.php?option=com_content&view=article&id=4&Itemid=4

Grtz,

Joris

0 Kudos

And, again, please also see the whitepaper that was released by SAP on similar topics a month ago: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0d2445f-509d-2d10-6fa7-9d3608950...

Former Member
0 Kudos

[Blog on stuxnet|/people/paul.aschmann/blog/2010/10/20/how-secure-is-your-enterprise-data]

Cheers Michael

0 Kudos

There is also [this article|http://www.computerworld.com/s/article/9197840/Is_SAP_afraid_of_a_Stuxnet_style_attack_?taxonomyId=18&pageNumber=1] from Jeremy Kirk @ IDG that I was fortunate enough to participate in.

 http://www.computerworld.com/s/article/9197840/Is_SAP_afraid_of_a_Stuxnet_style_attack_ 

Former Member
0 Kudos

Thanks for the participation. As far as I am concerned, Stuxnet has not arrived in the SAP ecosystem so far. Let's see where the ride goes...

Still, I can recommend the [langner blog|http://www.langner.com/en/blog/], a very interesting read.

Keep your systems safe! Best regards, Michael