MS Office Macros: A New Threat to SAP Cybersecurity

Jun 18, '19 by Joerg Schneider-Simon

In the cybersecurity world, one thing is certain: As soon as security testing experts find a new way to penetrate defenses, you can guarantee that cybercriminals are making the same discovery.

A prime example of this phenomenon came to light at the Troopers 2019 cybersecurity conference in Heidelberg, Germany, where a presentation by security research and penetration testing company Outflank highlighted the weaknesses in Microsoft’s Antimalware Scan Interface (AMSI) when it comes to detecting malicious macros.

Shortly thereafter, during the Black Hat Asia conference, Outflank released a toolkit called “Evil Clippy,” designed to help security and penetration testers create malicious MS Office documents. Evil Clippy has the following features:

  • Cross-platform (runs on OSX, Linux, Windows)
  • Hides macros from GUI editor
  • Fools analyst tools by removing module names
  • VBA stomping (p-code abuse)
  • Serves payloads via HTTP templates

What This Means for SAP

This weakness means that it’s possible to fool Microsoft Office applications into showing one macro … but not the one that will actually be executed. Imagine a movie scene where the villain sneaks through the gates by hiding behind a larger person, and you have the general idea. Even security tools like those relying on Microsoft’s Antimalware Scan Interface (AMSI) will scan the benign macro, all while the malicious macro lies in wait.

And while this toolkit was designed for benevolent, penetration-testing purposes, it’s a certainty that it will also be used by cyberattackers to try to sneak malware past cybersecurity defenses.

This is bad enough on a regular platform like OSX, Linux, or Windows – all of which typically have varying levels of backup anti-malware protection installed.

With SAP, however, the danger intensifies.

Most organizations do not have separate anti-virus software installed to protect their SAP system. And as we’ve stated on many occasions, regular OS-level anti-virus programs do nothing to protect SAP.

The potential results could be devastating: Human Resources teams could open uploaded resumes, or Accounts Payable clerks could open an attached invoice … only to inadvertently launch malicious macros that quickly infiltrate the company’s entire SAP system, destroying data or shutting down processes. And this risk is far from theoretical: Just a few months ago, a new Emotet Trojan variant was observed — and it has the ability to hide from standard anti-malware programs by using malicious macros. 

Protecting SAP from Macros

No organization that uses SAP wants to imagine what would happen if it fell to a cyberattack. But it must keep this possibility in mind, if only to gain the resources and motivation to take the steps needed to protect its SAP applications properly.

Alarmingly, few organizations are already doing this. In bowbridge’s own research and testing, we discovered that 87% of the implementations we tested allowed uploading of Office documents with macros in the old format (CDF, pre-Office 2007) and 33% allowed uploading of documents with macros in the new format (OOXML).

“In 99% of cases, simply blocking any and all macros in uploads into SAP applications is the most efficient option,” says Joerg Schneider-Simon, Chief Technology Officer and co-founder of bowbridge. “The time saved by using macros for task automation is simply not worth the massive risk macros present to your cybersecurity, not just as pertains to SAP, but for your entire system.”
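One way to apply the blocking policy described above, as an added example that is not part of the original post or of bowbridge’s product: a content-based check that rejects uploads carrying a VBA project in either container format mentioned above (CDF and OOXML), without trusting the file extension. The `_VBA_PROJECT` stream name and the vbaProject content type are taken from Microsoft’s published file-format specifications; the sample documents are constructed inside the code and are not real Office files.

```python
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound file (CDF) signature
# Per MS-OVBA every VBA storage holds a "_VBA_PROJECT" stream; compound-file
# directory entry names are stored as UTF-16LE, so search for that encoding.
VBA_STREAM_NAME = "_VBA_PROJECT".encode("utf-16-le")
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

def classify_office_blob(data: bytes) -> str:
    """Return one of: cdf-macro, cdf, ooxml-macro, ooxml, other.
    Keys on the container, not on macro source text, so stomped p-code or
    stripped module names (as Evil Clippy does) do not affect the result."""
    if data.startswith(OLE_MAGIC):
        return "cdf-macro" if VBA_STREAM_NAME in data else "cdf"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "other"  # a zip, but not an OOXML package
            # Word, Excel and PowerPoint all store the project as <part>/vbaProject.bin
            if any(n.rsplit("/", 1)[-1].lower() == "vbaproject.bin" for n in names):
                return "ooxml-macro"
            if VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "ooxml-macro"
            return "ooxml"
    except zipfile.BadZipFile:
        return "other"

def upload_allowed(data: bytes) -> bool:
    """Policy from the post: reject any document carrying a VBA project.
    The file name and extension are deliberately not consulted."""
    return not classify_office_blob(data).endswith("-macro")

def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for demonstration, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

# Constructed CDF samples: signature plus a fake directory entry name, not real documents.
CDF_PLAIN = OLE_MAGIC + b"\x00" * 504
CDF_MACRO = OLE_MAGIC + b"\x00" * 504 + VBA_STREAM_NAME + b"\x00\x00"
```

A result of `cdf-macro` or `ooxml-macro` on an upload path is the event to log and reject. A remote template reference (the HTTP template feature listed above) is not visible in the uploaded file itself and needs a separate control, such as blocking outbound template fetches.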

In addition to blocking macros, having an anti-virus solution specifically designed for SAP’s unique structure will provide added protection.

Keeping on top of the never-ending tsunami of threats leveled at SAP may seem like an insurmountable task. But by applying some strict protocols and arming yourself with the right tools, you can keep your organization from falling victim to malevolent macros.
