SAP Client Applications May Be Targets of Malware

For a long time, cybercriminals have been known to utilize advanced information-stealing malware techniques to gain access to corporate networks and endpoints, which results in disrupted operations, as well as stolen or compromised business data, intellectual property, and financial information. A recently discovered malware demonstrates how cybercriminals are using advanced malicious activity to target mission-critical ERP applications, such as SAP.

If you have an SAP (Session Announcement Protocol) application installed on your computer, you may be a target for future Malware attacks. An SAP system involves a type of enterprise resource planning. Essentially, the SAP system is an integrated software solution that incorporates all of the key functions of the business, such as customer payment information.

A new variant of the “Shiz” Trojan, which is a well-known banking malware, has been discovered. The Trojan was originally designed to provide the cybercriminal with remote access to the infected PC and steal confidential data, including passwords and cryptographic certificates linked to online banking.

In order to execute remote commands and obtain confidential data, Shiz develops a backdoor to communicate with a specific domain. The new form of malware, similar to Shiz, includes all of these capabilities, plus searching infected systems for installed SAP applications. This suggests that Malware is being designed to target these applications. Unfortunately, 80% of Fortune 500 companies use SAP products.

SAP client applications on workstations use configuration files that contain the IP addresses of the SAP servers they’re connected to. These are easy to read, and the fear is that the attacker could obtain access to user passwords to set up and approve false payments, or transfer money from a bank account to their own.

In addition, the cybercriminal could launch denial-of-service attacks against the SAP servers, impeding business operation. Even if the stolen credentials don’t contain the information attackers are currently looking for, they can access default administrative credentials that many companies forget to change.

By accessing SAP client software, cybercriminals can steal sensitive data like corporate secrets, customer lists, financial information, or human resources information (such as Social Security numbers). This sensitive data often gets sold to other cybercriminals, or to the target’s competitors.

Needless to say, SAP users’ should be weary, especially considering the size and depth of information that SAP users’ typically store. From corporate secrets to financial information, the data stored on SAP systems must be kept confidential.

In addition, the malware is also a threat to SAProuters, an application that acts as a proxy between the Internet and internal SAP systems. A security patch was released, but only 15% of its users have obtained the patch.

It’s essential that organizations remain on alert and focus on ensuring secure implementation and maintenance of their custom applications, and keep up with the news on cyber attacks.