Show me the money. If hackers were able to manipulate the world’s accounting systems, governments and corporations would be in a frenzy. Guess what? Hackers can…and will. In this presentation we describe manipulating the major financial accounting systems used by corporations large and small to show the importance of good Information Security and Accounting controls. In this talk we identify ways to manipulate accounting systems for financial gain demonstrating mass accounting systems fraud. Through our research we will demonstrate multiple ways to manipulate accounting data and misappropriate funds. We will also show information security and accounting controls needed to detect these types of advanced attacks. Tom and Spencer will be releasing and demonstrating new PoC malware and a Metasploit meterpreter extension that targets Microsoft Dynamics GP, one of the most popular accounting systems in the world.
1. Cash is King
Who’s Wearing Your Crown?
Accounting Systems Fraud in the Digital Age
Tom Eston and Spencer McIntyre
DerbyCon 2013
2. Agenda
• Introduction to Accounting Fraud
• Microsoft Dynamics Great Plains
– Vulnerabilities and Attack Vectors
• Attacking the Users of Dynamics GP
• Fraud with Custom Malware (Mayhem)
• The Attacks: How to Commit Fraud
• Accounting Controls to Prevent Fraud
• Conclusions
11. Who Wants to Create Mayhem?
• “Office Space” IRL (In Real Life)
• Install virus (via floppy disk), infect accounting system, shave off a fraction of a penny of each transaction, check account balance, profit!
• Except…we’re not missing any decimal points!
13. When We Break In
• Penetration Testers and Attackers do this every day!
• Low hanging fruit (Tomcat/JBoss, Weak Passwords, MS08-067)
• Easy to evade technical security controls
• Find the most sensitive data
– Passwords, SSNs, PCI data, PHI, Proprietary
• Screenshot, Report, Profit, Repeat
• Nothing new here…
15. What If?
• We could demonstrate real business risk?
• Typically this is financial risk and hits the bottom line of an organization
• Attack the accounting and financial systems
• We could test the non-technical accounting controls (not like an “audit”)
16. Technical Controls 101
• Confidentiality
• Integrity
• Availability
Technical controls can only go so far.
When they fail (and they will) what do you rely on?
18. The Problem?
• Accounting controls may not be in place
– Or properly implemented
• Limited resources
• Limited skill set
• Limited time
It’s very unlikely that accounting departments are reconciling every account each month!
26. Microsoft Dynamics GP
• One of the most popular accounting systems in the world for medium to large size businesses
• Microsoft purchased GP from Great Plains Software for $1.1 Billion in 2000
• Written in Dexterity specifically for GP
• As of 2013: 43,000 companies in the world use GP
27. Microsoft Dynamics GP - Users
• No Windows Authentication (Active Directory) integration available (out of the box)
– User accounts are created, managed and stored by SQL Server
• SQL Server “SA” account is the most powerful
• DYNSA owns all the GP databases. Performs privileged actions without the SA account in GP.
• Regular user accounts perform daily actions
28. Microsoft Dynamics GP
• Uses “client-server” architecture
• Application runs on the client, not the server
• Web application front end just introduced this year
30. System Naming Conventions
• Conduct DNS or NETBIOS queries
• Network shares with GP client installation
• Typical names we’ve found on networks:
– GP
– GP-PORTAL
– DYNAMICS
– DYNAMICS_DB
– GREAT PLAINS
– ACCOUNTING
– FINANCE
31. Additional Recon
• Most Critical: GP SQL Server
• Other systems include:
– The GP client applications (user workstations)
– GP Business Portal (SharePoint)
• Company Intranet
– Usually reveals GP and/or accounting system documentation
• Network Shares
– Sometimes the GP application is shared on the SQL server!
33. Vulnerabilities in GP
• DoS and remote overflow vulnerabilities in GP version 9 and lower
• Weak cipher for the system password (2010)
– Debunked by Microsoft as a real issue
• Typical SQL Server vulnerabilities and misconfigurations
– Example: Local Administrator group added to the “sysadmin” role on the SQL Server
34. Attacks to Commit Fraud
• #1 Gain access to the GP SQL database directly
• #2 GP user account hijack from the client
• #3 Process injection via custom malware on the client
35. Attacking the Database
• Goal: Modify and create GP database entries to commit fraud
• Easy with direct access to the SQL server
• One problem…
• How do we know what to modify to commit the fraud?
36. GP Table Naming Conventions
• GP Tables are not named with good descriptions…
• There is good news though!
40. Who to Target?
• Accounting Department Users
• Controller
• Bookkeeper
• CFO
• The Accountant
41. The Goal
• Compromise the user’s workstation
– GP application is installed there!
• GP login and password
• Compromise other workstations, pivot to the accounting users
• Create backdoor into the user’s workstation(s)
42. Example Scenario
• Harvest accounting department usernames and emails via LinkedIn
• Create targeted phishing email
• Link to download malicious attachment
– “Click here to install the latest GP patch!”
• Mayhem ensues… (more on this in a minute)
44. Introducing: Mayhem Malware
• Proof of Concept code created by Spencer McIntyre of the SecureState Research & Innovation Team
– Full integration with Metasploit / Meterpreter
• https://github.com/zeroSteiner/metasploit-framework/tree/project-mayhem
45. How Mayhem Works
• Uses function hooking and library injection to execute within the context of the GP frontend
• Goal: Open a channel back to the attacker so commands can be made via the GP frontend
• Mayhem is injected at runtime and hijacks the legitimate ODBC handle from memory
• No installation or administrative rights required
46. How Mayhem Works
1. Start with Meterpreter Session Opened
2. Run install module to infect Dynamics
3. Wait for user to trigger any kind of database activity
4. Use copied handle from step #3 to execute evil SQL queries
5. PROFIT!
47. How Mayhem Works
• Mayhem creates hooks in key locations
– Most important: ODBC32.dll’s SQLAllocStmt
• Mayhem monitors this and then allows injection of SQL commands into the database as the authenticated user
• A named pipe is opened on the local system for meterpreter to communicate with
– Conceptually similar to mimikatz
48. Mayhem Demo
• What we’re going to demo today
– Infecting Dynamics
– Creating a new “evil” vendor
– Paying our vendor
– Creating chaos
• All demos are using MS Dynamics GP 10
58. Other Fraud Attacks
• Mass Steal Banking Information
• Mass Steal Credit Card Data
• Payroll Information (Includes SSNs)
• Access or Modify Private Financial Records
59. What about Oracle or SAP?
• Yes, we can attack other ERP systems!
• If the system uses ODBC, you can hijack these transactions using an attack tool like Mayhem
• You need intimate knowledge of other ERP systems and how they work
– Highlights the internal threat…
61. Bank Reconciliation
• Timing is everything
• Bank reconciliation compares the bank balance with the book balance monthly
62. Accounting Controls
• Matching Cleared Checks to Paid Invoices
• “Positive Pay”
• Matching Address on Check to Address on Invoice
• Process for Adding Vendors to System
• Customer On-Boarding Process
• Confirmation of Vendor Banking Information
• Account Reconciliations
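The two slides above describe month-end controls in words only. The following is an added example, not code from the talk or from Dynamics GP, that runs those controls over constructed sample data: a bank reconciliation (adjusted bank balance versus book balance), matching cleared checks to paid invoices, a vendor onboarding check, and the check-address versus invoice-address match. All vendor IDs, check numbers, amounts, addresses and balances are constructed; the vendor ID MAYHEM mirrors the one used in the talk's appendix queries.

```python
"""Month-end accounting controls over constructed sample data.

Added example for the bank-reconciliation and accounting-controls slides.
It is not code from the talk or from Microsoft Dynamics GP; every record
below (vendor ids, check numbers, amounts, addresses, balances) is constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PaidInvoice:          # what the books (GP) say was paid
    check_no: str
    vendor_id: str
    amount: Decimal
    remit_to: str           # address printed on the check


@dataclass(frozen=True)
class ClearedCheck:         # what the bank statement says cleared
    check_no: str
    amount: Decimal


# Vendor master as it should look after a proper onboarding process:
# vendor id -> address the vendor put on its invoice (constructed).
APPROVED_VENDORS = {
    "ACME001": "10 Main St, Springfield",
    "OFFIC02": "77 Depot Rd, Shelbyville",
}

PAID = [
    PaidInvoice("1001", "ACME001", Decimal("1250.00"), "10 Main St, Springfield"),
    PaidInvoice("1002", "OFFIC02", Decimal("310.45"), "77 Depot Rd, Shelbyville"),
    # Constructed fraudulent entry: vendor never went through onboarding.
    PaidInvoice("1003", "MAYHEM", Decimal("9800.00"), "PO Box 9, Anytown"),
    # Constructed: legitimate vendor, but the check is mailed elsewhere.
    PaidInvoice("1005", "ACME001", Decimal("640.00"), "PO Box 9, Anytown"),
]

CLEARED = [
    ClearedCheck("1001", Decimal("1250.00")),
    ClearedCheck("1003", Decimal("9800.00")),
    ClearedCheck("1004", Decimal("500.00")),   # no paid invoice in the books at all
    ClearedCheck("1005", Decimal("640.00")),
]

# Constructed statement and ledger balances: both started the month at 50,000.
BANK_BALANCE = Decimal("37810.00")   # 50000 minus everything the bank cleared
BOOK_BALANCE = Decimal("37999.55")   # 50000 minus everything the books recorded


def match_cleared_checks(cleared, paid):
    """Match each cleared check to a paid invoice by check number and amount."""
    by_no = {p.check_no: p for p in paid}
    findings = []
    for c in cleared:
        inv = by_no.get(c.check_no)
        if inv is None:
            findings.append(("unmatched-check", c.check_no))
        elif inv.amount != c.amount:
            findings.append(("amount-mismatch", c.check_no))
    return findings


def vendor_controls(paid, approved):
    """Vendor onboarding control and check-address vs. invoice-address match."""
    findings = []
    for p in paid:
        if p.vendor_id not in approved:
            findings.append(("unapproved-vendor", p.check_no))
        elif approved[p.vendor_id] != p.remit_to:
            findings.append(("address-mismatch", p.check_no))
    return findings


def outstanding_checks(cleared, paid):
    """Total of checks written per the books that have not yet cleared the bank."""
    cleared_nos = {c.check_no for c in cleared}
    return sum((p.amount for p in paid if p.check_no not in cleared_nos), Decimal("0"))


def bank_reconciliation(bank_balance, book_balance, cleared, paid,
                        deposits_in_transit=Decimal("0")):
    """Adjusted bank balance minus book balance; zero means the accounts reconcile."""
    adjusted_bank = bank_balance - outstanding_checks(cleared, paid) + deposits_in_transit
    return adjusted_bank - book_balance


def run_controls():
    """All exception findings for the month, in the order the controls ran."""
    return match_cleared_checks(CLEARED, PAID) + vendor_controls(PAID, APPROVED_VENDORS)


if __name__ == "__main__":
    for finding in run_controls():
        print("EXCEPTION", *finding)
    print("reconciliation difference:", bank_reconciliation(BANK_BALANCE, BOOK_BALANCE, CLEARED, PAID))
```

On this data the reconciliation comes out 500.00 short, which is exactly check 1004: it cleared the bank but never existed in the books, so only the reconciliation (not the check-to-invoice match by itself) pins the amount. The MAYHEM payment, by contrast, is perfectly consistent between bank and books and is caught only by the vendor onboarding control, which is the point of the slide: an entry that looks legitimate in GP still has to survive the non-technical controls, and those run on the reconciliation calendar, hence "timing is everything".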
64. What about Technical Controls?
• Never discount “Defense-in-Depth”
• All it takes is for one control to fail!
– GP, SQL server, user permissions/roles, security awareness, antivirus, IDS, incident response
• This is why the accounting controls are more important to implement
65. What Can ERP Vendors Do?
• Do what the gaming community is doing
• “Self-defending” software
• Valve is a great example
– Valve Anti-Cheat (VAC)
• Enterprise software is way behind on this!
• Implement internal fraud and alerting mechanisms
– Banks use these techniques to detect fraud as it happens
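The slide asks ERP vendors for internal fraud alerting but does not say what such a mechanism looks like. The following added example, which is not code from the talk, from Microsoft, or from the Mayhem modules, shows the shape of one: a diff of two vendor-master snapshots that alerts on new vendors, credit limits lifted to unlimited, and changed bank or remit-to details, plus a "new vendor paid within days of creation" analytic matching the demo's create-a-vendor-then-pay-it pattern. The rows model the PM00200 table; VENDORID and CREDTLMT come from the appendix queries (where CREDTLMT=1 is used to mean unlimited credit), and every other key name and all row values are constructed. Because Mayhem issues its queries as the authenticated GP user, the checks deliberately look at what changed in the data rather than at who changed it.

```python
"""Vendor-master change alerting over constructed snapshots.

Added example for the "internal fraud and alerting mechanisms" slide. It is not
code from the talk, from Microsoft, or from the Mayhem modules. The rows model
the PM00200 vendor master: VENDORID and CREDTLMT appear in the talk's appendix
(CREDTLMT=1 is used there for unlimited credit); every other key name and all
row values are constructed for this example.
"""
from datetime import date, timedelta
from decimal import Decimal

UNLIMITED_CREDIT = 1  # CREDTLMT value the appendix query sets for unlimited credit

# Vendor master as captured by a trusted job at the previous month end (constructed).
BASELINE = {
    "ACME001": {"VENDNAME": "Acme Supply", "CREDTLMT": 2, "ADDRESS1": "10 Main St",
                "BANK_ACCT": "111222", "CREATED_ON": date(2011, 3, 4)},
    "OFFIC02": {"VENDNAME": "Office Depot Rd", "CREDTLMT": 2, "ADDRESS1": "77 Depot Rd",
                "BANK_ACCT": "333444", "CREATED_ON": date(2012, 7, 19)},
}

# Vendor master today (constructed): one credit limit lifted, one bank account
# swapped, and a brand-new vendor that already has unlimited credit.
CURRENT = {
    "ACME001": {"VENDNAME": "Acme Supply", "CREDTLMT": 1, "ADDRESS1": "10 Main St",
                "BANK_ACCT": "111222", "CREATED_ON": date(2011, 3, 4)},
    "OFFIC02": {"VENDNAME": "Office Depot Rd", "CREDTLMT": 2, "ADDRESS1": "77 Depot Rd",
                "BANK_ACCT": "999000", "CREATED_ON": date(2012, 7, 19)},
    "MAYHEM":  {"VENDNAME": "Mayhem Consulting", "CREDTLMT": 1, "ADDRESS1": "PO Box 9",
                "BANK_ACCT": "555666", "CREATED_ON": date(2013, 9, 26)},
}

# Payments posted since the baseline: (vendor id, payment date, amount), constructed.
PAYMENTS = [
    ("ACME001", date(2013, 9, 20), Decimal("1250.00")),
    ("MAYHEM", date(2013, 9, 27), Decimal("9800.00")),
]

# Fields whose change should always raise an alert, with the alert label.
WATCHED_FIELDS = (("BANK_ACCT", "bank-account-changed"),
                  ("ADDRESS1", "remit-address-changed"))


def diff_vendor_master(baseline, current):
    """Alerts for vendors added, deleted, given unlimited credit, or re-pointed."""
    alerts = []
    for vid in sorted(current):
        row, old = current[vid], baseline.get(vid)
        if old is None:
            alerts.append(("new-vendor", vid))
            if row["CREDTLMT"] == UNLIMITED_CREDIT:
                alerts.append(("credit-limit-unlimited", vid))
            continue
        if row["CREDTLMT"] == UNLIMITED_CREDIT and old["CREDTLMT"] != UNLIMITED_CREDIT:
            alerts.append(("credit-limit-unlimited", vid))
        for field, label in WATCHED_FIELDS:
            if row[field] != old[field]:
                alerts.append((label, vid))
    for vid in sorted(set(baseline) - set(current)):
        alerts.append(("vendor-deleted", vid))
    return alerts


def new_vendor_paid_quickly(baseline, current, payments, max_days=7):
    """Vendors absent from the baseline that were paid within max_days of creation."""
    hits = []
    for vid, paid_on, amount in payments:
        row = current.get(vid)
        if vid in baseline or row is None:
            continue
        if paid_on - row["CREATED_ON"] <= timedelta(days=max_days):
            hits.append((vid, amount))
    return hits


if __name__ == "__main__":
    for alert in diff_vendor_master(BASELINE, CURRENT):
        print("ALERT", *alert)
    for vid, amount in new_vendor_paid_quickly(BASELINE, CURRENT, PAYMENTS):
        print("ALERT new-vendor-paid-quickly", vid, amount)
```

The baseline has to be taken by something the GP client cannot reach (a scheduled job on the SQL Server writing to a separate store, for instance), because a malware-issued query running as the authenticated user could otherwise adjust the baseline along with the live row. Run at the same cadence as the reconciliation, the diff turns "we do not reconcile every account every month" into a short list of rows an accountant can actually review.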
66. Final Thoughts
• It is possible to perpetrate fraud against the accounting system from the outside
• Fraud is much easier for an insider
• Combine malware with legitimate entries = perfect crime
• Combination of technical and accounting controls are required to combat modern fraud
67. More Information
• See our White Paper for details on other attacks:
– http://bit.ly/mayhem-whitepaper
• Spencer’s Mayhem Metasploit Modules:
– https://github.com/zeroSteiner/metasploit-framework/tree/project-mayhem
68. Appendix: SQL Queries
-- Get useful info about the checkbooks
SELECT CHEKBKID, DSCRIPTN, BANKID, CURNCYID, BNKACTNM,
str(CURRBLNC, 19, 5) AS CURRBLNC FROM CM00100;
-- Give vendor "MAYHEM" unlimited credit
UPDATE PM00200 SET CREDTLMT=1 WHERE VENDORID='MAYHEM';
-- Get sensitive info from payroll
SELECT FRSTNAME, MIDLNAME, LASTNAME, SOCSCNUM, BRTHDATE,
EMPLOYID, JOBTITLE FROM UPR00100;
69. Questions?
• Tom Eston
teston@securestate.com
Twitter: @agent0x0
Blog: Spylogic.net
• Spencer McIntyre
smcintyre@securestate.com
Twitter: @zerosteiner
• Who wants military-grade bottle openers?
– Come up front