Cash is King: Who's Wearing Your Crown?

2,742 views
2,523 views

Published on

Show me the money. If hackers were able to manipulate the world’s accounting systems, governments and corporations would be in a frenzy. Guess what? Hackers can…and will. In this presentation we describe manipulating the major financial accounting systems used by corporations large and small to show the importance of good Information Security and Accounting controls. In this talk we identify ways to manipulate accounting systems for financial gain demonstrating mass accounting systems fraud. Through our research we will demonstrate multiple ways to manipulate accounting data and misappropriate funds. We will also show information security and accounting controls needed to detect these types of advanced attacks. Tom and Spencer will be releasing and demonstrating new PoC malware and a Metasploit meterpreter extension that targets Microsoft Dynamics GP, one of the most popular accounting systems in the world.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,742
On SlideShare
0
From Embeds
0
Number of Embeds
153
Actions
Shares
0
Downloads
11
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Cash is King: Who's Wearing Your Crown?

  1. 1. Cash is King Who’s Wearing Your Crown? Accounting Systems Fraud in the Digital Age Tom Eston and Spencer McIntyre DerbyCon 2013
  2. 2. Agenda • Introduction to Accounting Fraud • Microsoft Dynamics Great Plains – Vulnerabilities and Attack Vectors • Attacking the Users of Dynamics GP • Fraud with Custom Malware (Mayhem) • The Attacks: How to Commit Fraud • Accounting Controls to Prevent Fraud • Conclusions DerbyCon 2013
  3. 3. About Your Presenters
  4. 4. Tom Eston • Manager, SecureState Attack & Defense Team • OWASP Contributor • SANS Mentor, Community Instructor • Security Blogger/Researcher: Spylogic.net • Podcast Co-host: Social Media Security Podcast • Speaker: Black Hat, DEF CON, ShmooCon, DerbyCon, SANS, MSI, OWASP AppSec DerbyCon 2013
  5. 5. Spencer McIntyre • SecureState Security Researcher, Exploit Developer • Open Source Contributor: • Speaker: Black Hat Europe, DerbyCon, Toorcon, ThotCon, B-Sides • Metasploit • Scapy • SQLMap • Killerbee DerbyCon 2013
  6. 6. Office Space ©1999 Twentieth Century Fox
  7. 7. Office Space ©1999 Twentieth Century Fox
  8. 8. Office Space ©1999 Twentieth Century Fox
  9. 9. Office Space ©1999 Twentieth Century Fox
  10. 10. $ PROFIT $ Office Space ©1999 Twentieth Century Fox
  11. 11. Who Wants to Create Mayhem? • “Office Space” IRL (In Real Life) • Install virus (via floppy disk), infect accounting system, shave off a fraction of a penny of each transaction, check account balance, profit! • Except…we’re not missing any decimal points! DerbyCon 2013
  12. 12. Introduction to Accounting Fraud
  13. 13. When We Break In • Penetration Testers and Attackers do this every day! • Low hanging fruit (Tomcat/JBoss, Weak Passwords, MS08-067) • Easy to evade technical security controls • Find the most sensitive data – Passwords, SSNs, PCI data, PHI, Proprietary • Screenshot, Report, Profit, Repeat • Nothing new here… DerbyCon 2013
  14. 14. Photo Credit: http://cosine-security.blogspot.com/2011/10/derbycon-retrospective.html
  15. 15. What If? • We could demonstrate real business risk? • Typically this is financial risk and hits the bottom line of an organization • Attack the accounting and financial systems • We could test the non-technical accounting controls (not like an “audit”) DerbyCon 2013
  16. 16. Technical Controls 101 • Confidentiality • Integrity • Availability Technical controls can only go so far. When they fail (and they will) what do you rely on? DerbyCon 2013
  17. 17. Characteristics of Useful Accounting Information • Relevant • Reliable • Consistent • Comparable • Accurate • Timely DerbyCon 2013
  18. 18. The Problem? • Accounting controls may not be in place – Or properly implemented • Limited resources • Limited skill set • Limited time It’s very unlikely that accounting departments are reconciling every account each month! DerbyCon 2013
  19. 19. Traditional Accounting Fraud • Insider Embezzlement • Overstating Profits • External Check Fraud • Insider Fraud – Kickback schemes, skimming, sales fraud, etc. Primary Control: Reconciling Bank Accounts DerbyCon 2013
  20. 20. Accounting Fraud Examples DerbyCon 2013
  21. 21. DerbyCon 2013 "What I did in my youth is hundreds of times easier today. Technology breeds crime." - Frank Abagnale
  22. 22. Microsoft Dynamics Great Plains
  23. 23. DerbyCon 2013
  24. 24. So sorry… You belong to Microsoft now. DerbyCon 2013
  25. 25. What? DerbyCon 2013
  26. 26. Microsoft Dynamics GP • One of the most popular accounting systems in the world for medium to large size businesses • Microsoft purchased GP from Great Plains Software for $1.1 Billion in 2000 • Written in Dexterity specifically for GP • As of 2013: 43,000 companies in the world use GP DerbyCon 2013
  27. 27. Microsoft Dynamics GP - Users • No Windows Authentication (Active Directory) integration available (out of the box) – User accounts are created, managed and stored by SQL Server • SQL Server “SA” account is the most powerful • DYNSA owns all the GP databases. Performs privileged actions without the SA account in GP. • Regular user accounts perform daily actions DerbyCon 2013
  28. 28. Microsoft Dynamics GP • Uses “client-server” architecture • Application runs on the client, not the server • Web application front end just introduced this year DerbyCon 2013
  29. 29. Locating the GP Systems and Database
  30. 30. System Naming Conventions • Conduct DNS or NETBIOS queries • Network shares with GP client installation • Typical names we’ve found on networks: – GP – GP-PORTAL – DYNAMICS – DYNAMICS_DB – GREAT PLAINS – ACCOUNTING – FINANCE DerbyCon 2013
  31. 31. Additional Recon • Most Critical: GP SQL Server • Others systems include: – The GP client applications (user workstations) – GP Business Portal (SharePoint) • Company Intranet – Usually reveals GP and/or accounting system documentation • Network Shares – Sometimes the GP application is shared on the SQL server! DerbyCon 2013
  32. 32. Attack Vectors in GP
  33. 33. Vulnerabilities in GP • DoS and remote overflow vulnerabilities in GP version 9 and lower • Weak cipher for the system password (2010) – Debunked by Microsoft as a real issue • Typical SQL Server vulnerabilities and misconfigurations – Example: Local Administrator group added to the “sysadmin” role on the SQL Server DerbyCon 2013
  34. 34. Attacks to Commit Fraud • #1 Gain access to the GP SQL database directly • #2 GP user account hijack from the client • #3 Process injection via custom malware on the client DerbyCon 2013
  35. 35. Attacking the Database • Goal: Modify and create GP database entries to commit fraud • Easy with direct access to the SQL server • One problem… • How do we know what to modify to commit the fraud? DerbyCon 2013
  36. 36. GP Table Naming Conventions • GP Tables are not named with good descriptions… • There is good news though! DerbyCon 2013
  37. 37. GP Table Prefix Identification Credit: Leslie Vail http://dynamicsconfessions.blogspot.com/2012/05/data-flow-and-table-names.html DerbyCon 2013
  38. 38. GP Table Identifiers • Put the prefix with the identifier to determine the table function • PM1000 = Payables Management Work Table DerbyCon 2013
  39. 39. Attacking the GP User
  40. 40. Who to Target? • Accounting Department Users • Controller • Bookkeeper • CFO • The Accountant DerbyCon 2013
  41. 41. The Goal • Compromise the user’s workstation – GP application is installed there! • GP login and password • Compromise other workstations, pivot to the accounting users • Create backdoor into the user’s workstation(s) DerbyCon 2013
  42. 42. Example Scenario • Harvest accounting department usernames and emails via LinkedIn • Create targeted phishing email • Link to download malicious attachment – “Click here to install the latest GP patch!” • Mayhem ensues… (more on this in a minute) DerbyCon 2013
  43. 43. Creating the Perfect Fraud via Custom Malware
  44. 44. Introducing: Mayhem Malware • Proof of Concept code created by Spencer McIntyre of the SecureState Research & Innovation Team – Full integration with Metasploit / Meterpreter • https://github.com/zeroSteiner/metasploit- framework/tree/project-mayhem DerbyCon 2013
  45. 45. How Mayhem Works • Uses function hooking and library injection to execute within the context of the GP frontend • Goal: Open a channel back to the attacker so commands can be made via the GP frontend • Mayhem is injected at runtime and hijacks the legitimate ODBC handle from memory • No installation or administrative rights required DerbyCon 2013
  46. 46. How Mayhem Works 1. Start with Meterpreter Session Opened 2. Run install module to infect Dynamics 3. Wait for user to trigger any kind of database activity 4. Use copied handle from step #3 to execute evil SQL queries 5. PROFIT! DerbyCon 2013
  47. 47. How Mayhem Works • Mayhem creates hooks in key locations – Most important: ODBC32. SQLAllocStmt • Mayhem monitors this and then allows injection of SQL commands into the database as the authenticated user • A named pipe is opened on the local system for meterpreter to communicate with – Conceptually similar to mimikatz DerbyCon 2013
  48. 48. Mayhem Demo • What we’re going to demo today – Infecting Dynamics – Creating a new “evil” vendor – Paying our vendor – Creating chaos • All demos are using MS Dynamics GP 10 DerbyCon 2013
  49. 49. Mayhem Demo
  50. 50. Next Step • Not everything is Dynamics specific • Execute arbitrary SQL Queries DerbyCon 2013
  51. 51. Next Step • Retrieve ODBC credentials DerbyCon 2013
  52. 52. The Attacks: How Fraud Can be Committed
  53. 53. Manipulating Existing Vendor Records’ Remit-To Address (in GP) DerbyCon 2013
  54. 54. Manipulating Existing Vendor Records’ Remit-To Address (in SQL Server) DerbyCon 2013
  55. 55. Increase Customer Credit Limit DerbyCon 2013
  56. 56. Increase Customer Credit Limit CREDTLMT (Credit Limit) in PM00200: 0 – No Credit, 1 – Unlimited, 2 – Amount DerbyCon 2013
  57. 57. Credit Balance in Customer Account, Get a Refund DerbyCon 2013
  58. 58. Other Fraud Attacks • Mass Steal Banking Information • Mass Steal Credit Card Data • Payroll Information (Includes SSNs) • Access or Modify Private Financial Records DerbyCon 2013
  59. 59. What about Oracle or SAP? • Yes, we can attack other ERP systems! • If the system uses ODBC, you can hijack these transactions using an attack tool like Mayhem • You need intimate knowledge of other ERP systems and how they work – Highlights the internal threat… DerbyCon 2013
  60. 60. Accounting Controls to Prevent Fraud
  61. 61. Bank Reconciliation • Timing is everything • Bank reconciliation compares the bank balance with the book balance monthly DerbyCon 2013
  62. 62. Accounting Controls • Matching Cleared Checks to Paid Invoices • “Positive Pay” • Matching Address on Check to Address on Invoice • Process for Adding Vendors to System • Customer On-Boarding Process • Confirmation of Vendor Banking Information • Account Reconciliations DerbyCon 2013
  63. 63. Conclusions DerbyCon 2013
  64. 64. What about Technical Controls? • Never discount “Defense-in-Depth” • All it takes is for one control to fail! – GP, SQL server, user permissions/roles, security awareness, antivirus, IDS, incident response • This is why the accounting controls are more important to implement DerbyCon 2013
  65. 65. What Can ERP Vendors Do? • Do what the gaming community is doing • “Self-defending” software • Valve is a great example – Valve Anti-Cheat (VAC) • Enterprise software is way behind on this! • Implement internal fraud and alerting mechanisms – Banks use these techniques to detect fraud as it happens DerbyCon 2013
  66. 66. Final Thoughts • It is possible to perpetrate fraud against the accounting system from the outside • Fraud is much easier for an insider • Combine malware with legitimate entries = perfect crime • Combination of technical and accounting controls are required to combat modern fraud DerbyCon 2013
  67. 67. More Information • See our White Paper for details on other attacks: – http://bit.ly/mayhem-whitepaper • Spencer’s Mayhem Metasploit Modules: – https://github.com/zeroSteiner/metasploit- framework/tree/project-mayhem DerbyCon 2013
  68. 68. Appendix: SQL Queries -- Get useful info about the checkbooks SELECT CHEKBKID, DSCRIPTN, BANKID, CURNCYID, BNKACTNM, str(CURRBLNC, 19, 5) AS CURRBLNC FROM CM00100; -- Give vendor "MAYHEM" unlimited credit UPDATE PM00200 SET CREDTLMT=1 WHERE VENDORID='MAYHEM'; -- Get sensitive info from payroll SELECT FRSTNAME, MIDLNAME, LASTNAME, SOCSCNUM, BRTHDATE, EMPLOYID, JOBTITLE FROM UPR00100; DerbyCon 2013
  69. 69. Questions? • Tom Eston teston@securestate.com Twitter: @agent0x0 Blog: Spylogic.net • Spencer McIntyre smcintyre@securestate.com Twitter: @zerosteiner • Who wants military-grade bottle openers? – Come up front DerbyCon 2013

×