Top File-Based Threats to SAP Applications

Jan 2, '20 by Joerg Schneider-Simon

A whopping 92% of malware is still delivered by email, according to Verizon’s Data Breach Investigations Report.

The majority of these threats arrive as phishing links. But a sizeable percentage still arrive as email attachments. And these are not the easily spotted .exe files that were so prevalent years ago. Instead, they are the commonplace files that employees upload to SAP every day, namely Microsoft Word, Excel and PowerPoint files, Adobe PDFs and images.

Sophisticated hackers are sending emails that appear to come from a person or organization that the recipient recognizes and trusts, such as the company CEO, the company’s banker or a company supplier. These spear phishing attacks are effective because 96% of executives worldwide cannot tell the difference between a legitimate email and a malicious one.

Once a recipient opens one of these infected attachments, the code executes. And when that malware breaches SAP systems, the results are dire. According to a survey of close to 200 security leaders at the 2019 RSA Conference, 88% of respondents say that if their ERP systems were breached, the impact would be serious to catastrophic.

The average ERP cybersecurity breach causes US$5 million in damages according to the ERP Cybersecurity 2017 Survey. One-in-three companies say they stand to lose between US$10 million and US$50 million if an SAP breach results in fraud.

Here are the six most common file-based threats, and how to protect your SAP systems against them.

How hackers use files to breach SAP systems

There are six primary ways that hackers exploit files to compromise SAP systems.

  1. Giving malicious files a common extension: SAP’s built-in filters examine filename extensions, aiming to block file types that are obviously dangerous, such as .exe files. Attackers have caught on to this and simply give their malicious files innocent extensions, such as .docx, .xlsx, .pdf or .jpg, to bypass those filters. Filtering on the filename’s extension offers very little security value in any case, because a browser decides how to handle a file from the MIME type the server sends with it and, where that is missing or ambiguous, by sniffing the file’s content (“MIME sniffing”), not from the file name. The application server should therefore determine the MIME type from the file’s content (its magic bytes and structure), not from its extension, and reject uploads whose content does not match the type the name claims.

  2. Embedding active content: Many file types, particularly PDF files and some XML-based graphics formats such as SVG, allow automation and scripting to be embedded within the file. This active content includes JavaScript, Java archives, Flash, Silverlight or XSLT. Once such a file is opened on a PC or laptop, the embedded code runs and can perform unauthorized tasks. JavaScript is particularly dangerous: a malicious script embedded in a PDF or SVG that is rendered in the browser can potentially ride on the user’s existing authenticated SAP session and perform actions on the user’s behalf without the user’s knowledge. Because scripting in these formats is a legitimate, documented feature, most virus scanners will not flag files with embedded JavaScript or other active content.

  3. Embedding malware in Microsoft Office macros: A macro is a series of commands and instructions grouped together as a single command to accomplish a task automatically. Macros are a helpful and easy way to automate tasks, but they come with considerable risk. Attackers take advantage of Visual Basic for Applications (VBA), the language in which Office macros are written, to spread viruses, worms and other malware. A macro only runs once the document is opened in Office and the user enables content, which is why such documents arrive with a pretext urging the recipient to do exactly that.

  4. Embedding malware in PDFs: PDF files can also carry harmful code. Adobe’s own documentation describes JavaScript as one of the easiest and most powerful ways to customize PDF files. Attackers exploit exactly this functionality by embedding malicious scripts that execute when the PDF is opened in a viewer such as Adobe Reader, or in a browser plug-in that renders PDFs.

  5. Exploiting chameleon files: Chameleon files, also referred to as polyglot files, are files that meet the criteria for multiple file types at once. A well-known example is the GIFAR, which is a valid GIF image (which most web applications deem benign) and, at the same time, a valid Java archive (JAR), which most web applications would not allow to be uploaded. The trick works because a GIF is parsed from the start of the file and a ZIP-based JAR from the end, so a single byte sequence satisfies both parsers.

    Depending on how the file is referenced in the application, either the GIF image is displayed or the Java classes in the archive are executed. Because these files are not malware by definition, most virus scanners will not even block them.

  6. Compromising SAP archives: SAP administrators inherently trust SAP’s proprietary SAPCAR archive format. SAPCAR is SAP’s compression utility (comparable to WinZip) used to pack and unpack nearly all files SAP delivers. What most SAP administrators don’t know, however, is that virus scanners cannot look inside SAPCAR archives, making them a potent carrier for malware and for directory traversal attacks, in which an archive entry whose path contains components such as ../ is written outside the intended directory when the archive is unpacked.
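Here is how those six threats look to a content-based upload check. This is an added example, not bowbridge or SAP code, written in Python to show the logic a scanner behind an upload endpoint applies: it derives the type from magic bytes rather than from the extension (threat 1), flags JavaScript and auto-execution keys in PDFs (threats 2 and 4), looks inside the ZIP container of an Office file for a VBA project (threat 3), and catches an image that is also a valid JAR (threat 5); it also enforces the per-application whitelist recommended under the best practices below. SAPCAR archives (threat 6) are not parsed here. The sample files, the function names and the allowlist are all constructed for the example.

```python
"""Content-based upload validation for the six file-based threats above.

Added example (not bowbridge or SAP code). It decides by file CONTENT, not by
the claimed extension, and rejects files that carry active content, macros or a
hidden second file format. All sample files below are constructed inline.
"""
import io
import re
import zipfile

# Magic bytes -> canonical type. ZIP covers docx/xlsx/pptx/jar alike, which is
# why a ZIP-based Office file must additionally be looked inside (macro check).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "exe"),                                  # Windows PE, however it is named
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls compound file
]

# Which real content types an extension is allowed to contain.
EXT_TO_TYPES = {
    "pdf": {"pdf"}, "png": {"png"}, "jpg": {"jpg"}, "jpeg": {"jpg"}, "gif": {"gif"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"}, "doc": {"ole"}, "xls": {"ole"},
}

# PDF dictionary keys that introduce scripting or automatic execution.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|RichMedia|EmbeddedFile)\b")


def sniff_type(data):
    """Return the type implied by the leading bytes, ignoring the filename entirely."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def pdf_active_content(data):
    """List active-content keys present in the raw PDF bytes. PDF names may be
    written with #xx hex escapes (/J#53 is /JS), so those are undone first.
    Caveat: keys inside compressed object streams stay invisible unless a real
    scanner inflates the streams before matching."""
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    return sorted({m.group(1).decode() for m in PDF_ACTIVE.finditer(decoded)})


def validate_upload(filename, data, allowed_exts):
    """Return (accepted, reason). allowed_exts is the per-application whitelist."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in allowed_exts:
        return False, f"extension .{ext} not on allowlist"
    kind = sniff_type(data)
    if kind not in EXT_TO_TYPES.get(ext, set()):
        return False, f"content is {kind}, not a .{ext}"                       # threat 1
    if kind in ("gif", "png", "jpg") and zipfile.is_zipfile(io.BytesIO(data)):
        return False, "polyglot: image also carries a ZIP/JAR archive"          # threat 5
    if kind == "pdf" and pdf_active_content(data):
        return False, "PDF contains active content: " + ", ".join(pdf_active_content(data))  # threats 2, 4
    if kind == "zip":
        try:
            members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return False, "unreadable ZIP container"
        if any(m.lower().endswith("vbaproject.bin") for m in members):         # threat 3
            return False, "Office document contains a VBA macro project"
    return True, "ok"


def _zip_of(members):
    """Build a ZIP (the container of every OOXML file) in memory; sample helper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in members.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed sample uploads: one per threat plus two clean files.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction<</S/JavaScript"
                  b"/JS(app.alert(1))>>>>endobj\n%%EOF\n",
    "clean.pdf": b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF\n",
    "invoice.docx": _zip_of({"[Content_Types].xml": b"<Types/>",
                             "word/document.xml": b"<w:document/>",
                             "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 VBA"}),
    "payroll.xlsx": b"MZ\x90\x00" + b"\x00" * 60,              # PE executable renamed
    "logo.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"          # minimal GIF prefix and trailer,
                + _zip_of({"Evil.class": b"\xca\xfe\xba\xbe"}),  # then a JAR: a GIFAR
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9",
}

ALLOWED_FOR_INVOICING = {"pdf", "docx", "xlsx", "jpg", "png", "gif"}   # hypothetical app whitelist


def scan_samples(allowed=ALLOWED_FOR_INVOICING):
    """Run the validator over every constructed sample; returns {name: (ok, reason)}."""
    return {name: validate_upload(name, data, allowed) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in scan_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:14} {reason}")
```

Note the order of the checks: the whitelist and the magic-byte comparison run first because they are cheap and catch the renamed executable before any parser touches it; the polyglot check relies on the fact that a ZIP reader locates its central directory from the end of the file, so an image with a JAR appended still opens as an archive.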

How to Protect Your SAP Systems from File-Based Attacks

The way to protect SAP systems from file-based attacks isn’t to deploy traditional anti-virus software at the OS level of SAP application servers. Uploads into SAP applications are usually not written to disk as files, so they bypass standard file-system anti-virus scanners by design.

Files uploaded to SAP are encrypted in transit and then stored in an SAP-proprietary repository, so operating-system anti-virus programs never get to see them. SAP instead provides the NetWeaver Virus Scan Interface (NW-VSI), through which the application hands uploaded content to a scanner, and regular anti-virus products do not implement this interface. The solution is to deploy anti-virus software that is built for SAP and certified for NW-VSI, such as bowbridge Anti-Virus for SAP Solutions.

Here are some other general best practices for protecting against file-based attacks:

  1. Continue training your people. At least 95% of all successful cyberattacks are the result of human error. Attackers succeed because employees are curious. Employees open emails bearing salacious subject lines. They open email attachments that appear to come from trusted senders. So, continue training your staff on how to recognize and avoid phishing attacks.

  2. Remember that files arrive in other ways: Every PC and every laptop has multiple USB ports. And plenty of staff are prone to insert malware-infected USB drives during business trips and while attending trade shows and conferences. Hackers have even been known to leave infected thumb-drives in the parking lots of corporate office buildings with the goal of infecting the networks inside the building.

  3. Use whitelists of required file types: Limit downloads and uploads to only those file types that each application actually needs. This automatically blocks files your users don’t use, reducing your exposure to attack. Verify the type by content rather than by extension alone, since a whitelist keyed on the filename is defeated by simply renaming the file (threat 1 above). If you have teams that use uncommon types of files, create exceptions scoped to those teams only.

Every computer that can be attacked processes files, and a huge share of the data that individuals and corporations rely on lives in files. These files, whether Microsoft Office documents, PDF files or images, still offer attackers tremendous potential for reaching their targets.


View our Webinar: SAP Security Threats Hidden in PDF Uploads