Can Your SAP Application Spread Malware Like Facebook Did?

Jan 3, '17 by Joerg Schneider-Simon

In late November 2016, the low-tech ransomware program “Locky” began spreading via scalable vector graphics (SVG) images sent through Facebook Messenger.

Internet security expert Peter Kruse was one of the first to confirm the attack:

Peter Kruse's Twitter post on Locky

Why SVG Files?

An SVG file is an XML-based format for rendering two-dimensional graphics in browsers.

Because these vector graphics render to the maximum available resolution, they’re ideal for ensuring images like corporate logos look great on websites, regardless of the browser, device, operating system or screen resolution used. In fact, you’ll find SVGs operating safely on many Web sites—including bowbridge’s!

The SVG format also supports interactive elements and simple animations, which are created with embedded JavaScript. Rendering the image can trigger the code to launch the functionality automatically.

The ability to directly embed code is what makes SVG files so useful – and so attractive to hackers. In the case of Locky, the cybercriminals inserted a few lines of JavaScript that direct victims to a malicious web page and download prompt.

How Does Locky Spread?

For the victim, it simply looks as if a friend sent them an image via Facebook Messenger. When opened, the victim is sent to a website that appears to be YouTube, where a pop-up window asks the victim to install a codec (presented as a Chrome extension) to play the video.

Instead, the codec installs Locky, which sets off a chain of actions:

  • The malware encrypts the victim’s data – including videos, images, application files and even data on unmapped networks. Locky also removes shadow copies, such as live backup snapshots, making it harder to retrieve the encrypted data.
  • The attackers demand a ransom, usually .5 to 1 bitcoins, to decrypt them. (1 bitcoin was valued at nearly $780 on Dec. 13, 2016).
  • Attackers are also able to take control of browser windows, masking any data on the websites they visit.
  • Details on current web sessions are exfiltrated to the attacker, which allows the attackers to collect the victim’s user credentials or even capture (or modify) the victim’s application inputs.

Previously, Locky had spread via malicious macros in Word documents and spam emails. With the recent Facebook attack, the cybercriminals seized control of the victim’s Facebook account and messaged all of the victim’s Facebook friends with the same corrupt SVG image file.

Your SAP application may be at risk of spreading malware just as Facebook Messenger did.

Protect Your SAP Application from Causing Damage

For your SAP applications, as with any other web-based application, it’s vital that you block active content in file uploads – including the JavaScript in SVG files. This prevents a hacker from uploading malicious SVG files to your SAP application, which could then be executed within the security context of the application and infect other users with malware (like Locky).

Fortunately, SAP’s Virus Scan Interface (NW-VSI) combined with bowbridge’s SAP-certified antivirus solution detects and blocks active content in file transfers. Users can safely open files and simply see beautifully rendered SVG images, without the risk of infection or worse.

As the only vendor to focus exclusively on SAP security, bowbridge is prepared to protect your business against threats like viruses and malware from uploaded files. Are you prepared? Learn more about your security options by contacting us today.


Download our Solution Brief: Protecting SAP E-Recruiting from Hackers and Malware Uploads