How PDF Files Can Endanger Your SAP Cybersecurity

Dec 20, '17 by Joerg Schneider-Simon

Companies around the globe choose SAP to streamline and standardize their everyday activities like workflows, purchasing, and staffing, saving an enormous amount of time and effort.

However, SAP is also a preferred target for cyberattacks.

And one of the main vehicles? The innocuous-looking PDF file.

Cyberattacks transmitted through SAP have the potential to inflict massive amounts of damage. In one cautionary case, the firm USIS ended up filing for bankruptcy after they lost a $2 billion contract. Why? Because a cyberattacker infiltrated one of their SAP applications and stole private background check information about government personnel with classified clearance.

Not something that any IT or SAP professional wants to have happen on their watch.

To know how to stop it, you first need to know how it happens. 

How Malware Hides in PDF Files

Even though the average layperson might think of PDF files as a static type of file with no moving parts, several types of automated tasks can be embedded in PDF files. One of those tasks is JavaScript. When used for its original purpose, the ability to insert JavaScript into PDF files is helpful. For example, JavaScript can update the dates on a form when the file is opened, create a checkbox that updates a text field and perform other useful automated tasks.

However, as we know, not all JavaScript is used for good. Malicious JavaScript, once active, can leverage an authenticated SAP session to submit requests or information to the application. It can launch harmful applications, install ransomware, steal data and spy on keystrokes, take over sessions, erase records or compromise user and applications in many other ways.

To disguise this malicious JavaScript, PDF files are often used as a costume. Your team may have blocked uploads of certain file extensions into SAP, to reduce the odds of harmful files coming into the system. However, in our research, we were alarmed to discover that 60% of the companies we tested allowed restricted files to pass through as long as the extension was changed. So that harmless-looking .pdf? It could really be an .exe file – and one that is ready to do as much damage to your company as possible.

 What About Anti-Virus?

A robust anti-malware system does an excellent job of blocking damaging viruses and malware from getting into your everyday operating systems.

But SAP is different.

The problem is that because of the way file upload and storage works in SAP, traditional anti-malware programs aren’t as effective. For example, files that are uploaded to SAP E-Recruiting are stored in SAP’s database, not on the drives where the rest of your company’s files and programs are stored. Anti-virus software can’t look inside SAP’s database, so there’s no way to scan and detect malware. And that perfect-looking resume could sit in the database, full of malware, just waiting for its moment to shine.

SAP’s developers are well aware of its security vulnerabilities. So, they introduced the Virus Scan Interface in 2004. This interface is a port where anti-malware programs can attach to it and provide that extra security. However, traditional anti-virus software is not compatible with this interface.

Fortunately, there are some SAP-specific solution providers out there, bowbridge being one of them. By using anti-virus and application security solutions made specifically to work around SAP’s unusual structure, your team can eliminate the ugly threats hidden not only in PDF files but in any content uploads.

Want to learn more about how to protect your SAP system from malware hidden in PDF files? Watch our webinar, The Enemy Within: SAP Security Threats Hidden in PDF Uploads


View our Webinar: SAP Security Threats Hidden in PDF Uploads