New Accounting System Hack Could Cause ‘Mayhem’

Attacks against massive and proprietary enterprise accounting systems, in particular financial software such as SAP and Oracle, have been few and far between. That changed at this week’s Black Hat Abu Dhabi conference where a pair of researchers presented proof-of-concept code that could change the dynamic of the financially motivated attack landscape.

Accounting systemsAttacks against massive and proprietary enterprise accounting systems, in particular financial software such as SAP and Oracle, have been few and far between. That changed at this week’s Black Hat Abu Dhabi conference where a pair of researchers presented proof-of-concept code that could change the dynamic of the financially motivated attack landscape.

The attack, dubbed Project Mayhem, could enable an attacker to divert funds from a company’s accounting and financial systems without immediate detection. In addition to code, the attacker would be relying on the fact that midsized companies in particular, do not have complete control or visibility into financial processes or individual transactions, and are likely to miss fraud at first glance.

“Getting caught depends on the skills and resources available and whether an audit is performed or not,” wrote Tom Eston and Brett Kimmel of SecureState in a white paper explaining Project Mayhem in detail.

Eston and Kimmel’s presentation at Black Hat focused on Microsoft Dynamics Great Plains software, in particular targeting Dynamics’ SQL database, SQL server, or hijacking an account via a process injection attack. Microsoft Dynamics is used primarily in midsized companies. The duo said their motivation in developing this attack was to help penetration testers efforts in examining the defenses of these systems. SecureState is a consultancy provide security services such as pen-testing.

“If an attacker can control and manipulate the accounting system of the company to commit mass systems fraud, changing or manipulating financial data is just the beginning. As professional penetration testers, we must demonstrate more advanced attacks to show real impact to the business,” said Eston.

The key to the attack is to stealthily modify entries in the accounting system to commit fraud, i.e., transfer funds to an outside account. They began by doing some reconnaissance online to learn the names and structures of the Dynamics GP software’s database tables, as well as other pertinent identifiers in the tables. Knowing this helps an attacker target a particular segment of the database, the paper said.

An attacker could also hijack accounts by targeting GP users, again by doing reconnaissance online in social networks or searches in LinkedIn profiles, and then crafting a spear phishing attack that would convince the target to either visit a site hosting the Project Mayhem malware, or open an attachment infected with the code. The malware is then used to pivot internally to target GP processes.

The proof-of-concept code, developed by SecureState researcher Spencer McIntyre, uses function hooking and library injection to exploit the application’s front end.

“The goal is for the malware to open a channel back to a malicious attacker and allow them to issue commands specific to GP through the Dynamics GUI front end,” the white paper said. “The proof of concept code needs to be injected at run time but well known patching techniques could be employed to have the necessary components loaded automatically at run time.”

The malware hooks in to key locations, the paper said, and intercepts function calls, in particular those to the ODBC32 library; the malware creates function calls that interact with the database, a valid copy of legitimate handles that can inject malicious SQL commands as a legitimate user. Using a backdoor to the attacker’s server, SQL commands can be issued without detection and without the need for a password.

Once inside and manipulating the system, an attacker could manipulate existing vendor records forcing the system to remit payments to the attacker or a mule, rather than a vendor, or create new vendor entries, new manual check entries, increase customer credit limits, modify accounting records, create negative customer balances that force automated refunds, or simply steal credit card data, customer data or private financial records.

Such an attack against a financial system puts money and customer records at risk, but implicates compliance requirements, company reputation and harms customer relationships.

“Even with proper bank reconciliation, funds can be diverted without immediate detection. Fraud attacks like the ones described in our talk and whitepaper could last for months or years. Uncovering a fraud depends on the skills and resources available and whether an audit is performed or not,” said Kimmell.

Suggested articles

Discussion

  • Vikas Bhatia on

    As valid, and important, as securing enterprise applications such as SAP and Oracle the security profession is still plauged with organizations that have inadequate controls to a) be aware of their technology estate, b) mitigate risks by implementing an enterprise wide vulnerability management program and c) educate the non-technical end users about business impacting cyber risks.

    @notjust4squares

  • Anonymous on

    Well, once again, the attackers have their work already done for them!  The computer "security" people have shown them how to attack accounting software--Great Plains in particular.  The computer "security" people are serving as a development lab for the malware guys.  A recent look at exploit development determined that the Black Hole Exploit kit development is not very original and relies on work done by so-called computer "security" people.  They are creating their own work!  Why don't they just go to work for the malware industry?

    Regards,

     

     

     

  • Anonymous on

    >The computer "security" people are serving as a development lab for the malware guys.

    You must be new here, hi let me welcome you fellow Anon to the infosec industry

    >Why don't they just go to work for the malware industry?

    Sometimes they do, sometimes they don't. Blackhats working in industry has always and will continue always happen.

    This is how the industry works, there is no need to point it out...we all work under the guise of improving security. When in realtiy the work we do as pen-testers and security researchs does next-to-nothing to improve the state of world-wide IT security. But it results in a multi-billion dollar industry, so that's it and you can't really change it....DealWithIt.gif

  • Anonymous on

    ^ QFT

  • www.ukdipg.org.uk on

    Hi there! I know this is kind of off-topic but I needed to ask. Does building a well-established blog such as yours require a lot of work? I am brand new to operating a blog however I do write in my diary daily. I'd like to start a blog so I can easily share my experience and thoughts online. Please let me know if you have any ideas or tips for new aspiring blog owners. Thankyou!

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.