Malicious File Uploads: The Wolves in Sheep’s Clothing

Jul 12, '17 by Joerg Schneider-Simon

Sharing files is a common part of any company’s day. Documents are shared between departments, invoices are sent from suppliers, and resumes are sent from candidates. Departments such as Accounts Receivable, HR, Procurement, and more all handle large volumes of file uploads.

Unfortunately, cyberattacks are often lurking in the files that we recognize, trust, and open daily. What kind of files? The ones we tend to trust most: Microsoft Office files, images, and PDFs.

These are our invoices, our resumes, our receipts, our purchase orders — all the documents we access and use every day, and that we upload to SAP every day.

Once uploaded to SAP, whether it’s E-Recruiting, ERP, or any other relevant application, the damage can move quickly and be devastating. In fact, according to the ERP Cybersecurity 2017 Survey, the average ERP cybersecurity breach causes $5 million USD in damages. And, a third of the companies surveyed would stand to lose $10 million to $50 million if their SAP system were breached and fraud resulted.

How does this happen?

In the quest for efficiency and ease, companies have made it possible for external parties to upload files to their SAP system. As an example, with the E-Recruiting application, job applicants can upload their resume, where screening and selection tools make it easier for HR to quickly work through a large volume of applicants.

However, this convenience comes with a caveat: by allowing unknown upload files from untrusted devices, it becomes much easier for an attacker to slip a malicious file through the gates.

How Cyberattacks Hide in Files

There are several different ways in which seemingly harmless files can act as a Trojan Horse for cyberattacks.

Simple file-type changes: SAP’s existing filters rely on the filename extension. Even if the filter rules are set up to use MIME types, the MIME type is still derived by mapping the filename extension rather than by inspecting the content. By simply renaming a malicious file and giving it an innocent extension such as docx, pdf, or jpg, the file dons an effective disguise and slips through SAP’s built-in filters undetected.

Embedded active content: Many file types allow automation or scripting, which does make tasks easier. It also, however, makes cyberattacks easier. Active content like JavaScript, Java Archives, Flash and Silverlight can all be easily integrated into innocuous-looking files, where once uploaded, they perform unauthorized tasks and wreak havoc. A malicious JavaScript in a pdf file can even latch on to an existing authenticated session in SAP and start performing tasks.

Microsoft Office files with macros: Macros are an efficient way to automate tasks, but as with embedded active content, these macros can be misused to launch very legitimate-appearing dialogues that then release damaging and persistent malware.

PDF exploits: PDF files are commonly considered to be very secure. However, cyberattackers can include malware using JavaScript, which then gets executed through the PDF viewer’s launch function.

Chameleon files: Chameleon files meet the identification requirements of more than one file type. Depending on how such a file is referenced, it can be something like a simple image file, or it can alternately be a Java archive that brings bad karma to your SAP application.

Archive-based attacks: Especially in the SAP context, the proprietary SAPCAR archive format is inherently trusted by administrators. Unbeknownst to most, virus scanners cannot analyze the content of SAPCAR archives, making them a potent threat vector for malware and file-based directory traversal attacks.

How to Prevent a Malicious File Upload

Many, if not most, companies feel that they have effective safeguards in place. They usually have an anti-virus solution and a policy in place regarding what types of files they will allow or block.

While this sounds good on paper, it’s not as effective as they hope. Anti-virus solutions deployed at the OS level of the SAP application servers will not help at all. As uploads into SAP applications are usually not written to disk, they bypass the standard anti-virus pretty much “by design”.

And enforcing file-type policies? That’s a task at which many companies falter, simply because they don’t have the tools in place to effectively analyze and screen the files that come through their virtual doors.

At the barest minimum, enterprises should have the following two safeguards in place:

  1. Anti-virus/anti-malware scanning.
  2. MIME integrity checking to ensure that the file content is accurately represented by the extension.

Implementing those safeguards to block a malicious file upload from happening is only possible with add-on solutions like those provided by bowbridge.

Other Best SAP Cybersecurity Practices

  • Take a Whitelist approach and limit uploads to file types required by individual applications. This will automatically block any type of file that you wouldn’t normally use anyway, helping reduce your risk. If one particular team needs a specific file type, create the exception only for those team members.
  • Block chameleon files and files that do not pass the MIME integrity screening.
  • Analyze and evaluate whether files containing any kind of active content should be allowed to be uploaded.
  • Quarantine files that have been blocked instead of just deleting them. By doing so, your organization retains forensic evidence and/or the ability to reconstruct data. Ensure the quarantine is adequately protected (i.e. with encryption and passwords), so malicious files blocked by the security solution cannot be inadvertently accessed.
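As an added illustration of the whitelist, MIME-integrity and chameleon checks described above (example code written for this article, not bowbridge’s product), the following Python gateway check derives the file type from content alone, never from the filename, and quarantines content that satisfies two types at once. The application names, whitelists and sample uploads are constructed assumptions.

```python
import io
import zipfile

# Leading magic bytes per type (constructed subset); docx and jar are ZIP containers and
# are recognised from their contents instead of a leading signature.
SIGNATURES = {"pdf": (b"%PDF-",), "jpg": (b"\xff\xd8\xff",), "gif": (b"GIF87a", b"GIF89a")}
# Per-application whitelist of extensions; application names and lists are assumed values.
WHITELIST = {"recruiting": {"pdf", "docx", "gif"}, "invoices": {"pdf"}}

def make_zip(entries):
    """Build an in-memory ZIP container; used only to construct the sample uploads below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def detect_types(data):
    """Return every type the CONTENT satisfies; the filename is never consulted."""
    found = {t for t, sigs in SIGNATURES.items() if data.startswith(sigs)}
    # ZIP readers locate the archive from its trailing end-of-central-directory record, so a
    # file that starts as a GIF and ends as a JAR satisfies both checks: a chameleon.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            found.add("docx")
        elif "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            found.add("jar")
        else:
            found.add("zip")
    return found

def validate(filename, data, app):
    """Return (decision, reason) for one upload: whitelist first, then MIME integrity."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in WHITELIST.get(app, set()):
        return "block", "extension '%s' is not whitelisted for %s" % (ext, app)
    types = detect_types(data)
    if len(types) > 1:  # content passes as more than one type: quarantine, keep evidence
        return "quarantine", "chameleon file: " + ", ".join(sorted(types))
    if types != {ext}:  # renamed file (e.g. a JAR called .docx) or unrecognised content
        return "block", "content %s does not match extension '%s'" % (sorted(types) or "unknown", ext)
    return "allow", "extension matches content"

# Constructed sample uploads (not real documents).
DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
JAR = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
PDF = b"%PDF-1.4\n%%EOF\n"
GIFAR = b"GIF89a" + JAR  # valid GIF header with a complete JAR appended: a chameleon
```

Running `validate("resume.docx", JAR, "recruiting")` blocks the renamed archive, while `validate("photo.gif", GIFAR, "recruiting")` returns a quarantine decision because the content is both a GIF and a JAR.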

At bowbridge, we’re happy to discuss these and other security options with your team to ensure that your SAP system has the perfect mix of functionality and cybersecurity.

Want to know more about how attackers use PDF files to damage businesses — and how to protect your company? Stay ahead of attackers with our in-depth webinar.

View our Webinar: SAP Security Threats Hidden in PDF Uploads