SlideShare a Scribd company logo

SAP Business Objects Attacks

Onapsis Inc.
Onapsis Inc.

SAP systems provides Business Intelligence platforms, which can be a promising target for business espionage. Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised? What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence. In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.

Technology
1 of 45
Download to read offline
SAP BusinessObjects Attacks Juan Perez-Etchegoyen jppereze@onapsis.com February 2014 IT-Defense Security Conference Will Vandevanter wvandevanter@onapsis.com
2SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Disclaimer This publication is copyright 2014 Onapsis, Inc. – All rights reserved. This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
3SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Who is Onapsis, Inc.?  Company focused in protecting ERP systems from cyber-attacks. SAP®, Siebel®, Oracle® E-Business SuiteTM, PeopleSoft®, JD Edwards® …  Trusted by Global Fortune-100 and large governmental organizations.  What does Onapsis do?  Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IA).  ERP security consulting services.  Trainings on business-critical infrastructure security. Who are we?  Juan Perez-Etchegoyen, CTO at Onapsis.  Will Vandevanter, Security Researcher at Onapsis.
4SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Agenda  SAP BusinessObjects Landscape  The attacker lifecycle  Abusing the Business Intelligence Process  Conclusions
5SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved SAP BusinessObjects Landscape
6SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved What is SAP? ● Largest provider of business management solutions in the world. ● More than 140.000 implementations around the globe. ● More than 90.000 customers in 120 countries. ● Used by Global Fortune-1000 companies, governmental organizations and defense agencies to run their every-day business processes. ● Such as Revenue / Production / Expenditure business cycles. SALES PRODUCTION FINANCIAL PLANNING INVOICING PROCUREMENT TREASURY LOGISTICS PAYROLL BILLING
7SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved SAP BusinessObjects ● Purchased by SAP in 2007 ● Business Analysis and Intelligence is the Core Functionality ● Produces Reports, Dashboards and KPI consumed by decision makers ● Simplifies analysis of data for users ● Usually pulling information from products such as ERP or CRM
8SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Impact of a breach to an SAP system While for traditional SAP systems (ERP,CRM,SCM…) it is easier to understand the impact of a security breach... ESPIONAGE: Obtain customers/vendors/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc. SABOTAGE: Paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems and deleting critical information, etc. FRAUD: Modify financial information, tamper sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
9SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Impact of a breach to a BO System In a BusinessObjects implementation it is more difficult to understand the impact of a security breach... FINANCIAL STATEMENT: Incorrect reporting to authorities such as SEC. Access the information in advance. BUDGETING AND STAFFING: Incorrect allocating of resources for the achievement of targets. SALES FORECAST: Critical to determine the budget and to understand how much the company will grow, quantity of products to be produced, purchasing requirements… LIQUIDITY PLANNING: Affect the understanding of the available cash that the company will have during a period of time.
10SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Business Intelligence
11SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved  BW is an analytical, reporting and data warehousing product  Structured by layers. ETL (Extract, Transform, Load) is probably the most important layer  The process of extracting data from other SAP Systems is usually performed by RFC Function Calls. BO/BI/BW  SAP BusinessObjects are usually connected to SAP BW
12SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved
13SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved
14SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved VIP Services ● Central Management Server ● File Repository Server ● Report Templates ● Resulting Reports ● Server Intelligence Agent ● Client Endpoints ● Web Applications: Central Management Console ● Web Services
15SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Communication ● From the Client browser tier to the Application tier, SOAP and HTTP are the most common methods of communication (REST is also available) ● Most of the Inter “Process” communication is done using CORBA on the BO Service Bus
16SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Communication – CORBA ● Standard defined by OMG (“Similar” to JAVA RMI) ● Uses IIOP Network Protocol ● Uses IDL to define interfaces exposed ● Designed to facilitate the communication of systems that are deployed on diverse platforms. Source: Wikipedia
17SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Client to Server Communication - CORBA ● Interoperable Object Reference (IOR) ● Reference to a remote object ● Provided by the server, consumed by the client to communicate using remote object ● Example Components ● “IDL:Hello/HelloWorld” ● “Host: www.remotecorba.com” ● “Port: 4678”
18SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved BO Communication – CORBA ● Each BO server has a number of services available via CORBA ● A client needs to know the IOR of the remote service to initiate communication ● They also need to know (or reverse engineer) the IDL to communicate meaningfully
19SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved BO CORBA Example – Client to CMS Client “aps” CMS Client IOR:010000003500……. CMS Client {object} CMS Parse IOR to obtain IP/Port, Object Key,…
20SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved BO and the Attacker Lifecycle
21SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Quick Note on Attackers ● Many Different Types of attackers ● Internal/External ● Advanced/Script kiddies ● Just for fun/Criminal organizations ● Identifying the threat actor is an obvious key to defense ● Define monitoring processes ● Define configuration and security standards
22SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Default Ports (Reconnaissance)
23SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Reconnaissance ● In default state, 15 other listening ports ● Example Use Case ● One service needs to know the IP:PORT of another service. How does it get this information? ● Asks the CMS via CORBA
24SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Demo
25SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Note on Defense As discussed in the Administrators guide, limiting network access to every BusinessObjects component is the best method to protect against pulling information from these services.
26SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Account Types ● Enterprise ● SAP ● LDAP ● WindowsAD
27SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Default Accounts (Reconnaissance)
28SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Note on Defense It is critically important to apply the most up to date security notes. Furthermore, disabling unused web applications and services limits the attack surface.
29SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Major Version Info (Reconnaissance) ● What Web Interfaces are available? ● Web Services also has valuable information
30SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved A Warning About MITM ● Communication is Unencrypted by default ● An Attacker can hijack a Session via HTTP or CORBA
31SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Poisoning and Intercepting Business Intelligence
32SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved “Post Exploitation” ● We are discussing an attacker that wishes to access or poison the Business Intelligence Process ● See “Actions on Objectives” in the Intrusion Kill Chain ● Intercepting vs. Poisoning ● How we discuss “Data” is important
33SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved ● Information disclosure – Any information in the data sources – Generated Reports ● Information Tampering – Switching data source system – Changes on the business data – Changes on the generated reports ● … Business-oriented Attack Vectors
34SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved ● BO processes and groups information from many systems (ERP, SCM, CRM, HR, etc). ● By compromising BO/BW/BI the attacker will have almost all of the company critical information in a central repository. ● Access to Business Reports ● Access to Financial Statements BI ERP SCM HR CRM Information Disclosure
35SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Information Tampering ● Change data source – Point to a different SAP system (ERP,BW…) – Changing Infoproviders (Infoset, SAP Queries…) ● Modify BO contents – Reports – Dashboards – KPI
36SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Demo
37SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Impacting BO BI – Client Side ● Commonly an attacker will focus on a client with access ● Obvious ways to access data ● Check the FS ● Browser cookies ● How else?
38SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Impacting BO BI – Client Side ● Network Sniffing ● Active Traffic is best ● But, the Client will auto ping the Server on a set schedule ●SESSION_ID is given in the ping
39SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Demo
40SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Impacting BO BI – Client Side ●Power Shell ● Made available in the Client or Server BusinessObjects installation ● SDK Like functionality ● Reporting Access ● InfoQuery ● Session Handling
41SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Impacting BO BI – Server Side ● File Repository Server ● Input ● Output ● What is a report to BO? ● File on the Filesystem ● Entry in the InfoStore ● Not all files will stay overwritten
42SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Demo
43SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Conclusion ● Read the Admin Guide! ● Many of these attacks can be prevented or detected ● Keep the systems updated! ● Enable Auditing ● Periodically scan/monitor the systems ● Secure the system and the critical data
44SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Questions? jppereze@onapsis.com wvandevanter@onapsis.com
45SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Thank you! www.onapsis.com Follow us! @onapsis

Recommended

Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP SystemsOnapsis Inc.
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
 
Blended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory PlatformsBlended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory PlatformsOnapsis Inc.
 
Cyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsCyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsOnapsis Inc.
 
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksDissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksOnapsis Inc.
 
Sap penetration testing_defense_in_depth
Sap penetration testing_defense_in_depthSap penetration testing_defense_in_depth
Sap penetration testing_defense_in_depthIgor Igoroshka
 
Attacks Based on Security Configurations
Attacks Based on Security ConfigurationsAttacks Based on Security Configurations
Attacks Based on Security ConfigurationsOnapsis Inc.
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsExploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
 

Recommended

Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP SystemsOnapsis Inc.
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
 
Blended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory PlatformsBlended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory PlatformsOnapsis Inc.
 
Cyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsCyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsOnapsis Inc.
 
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksDissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksOnapsis Inc.
 
Sap penetration testing_defense_in_depth
Sap penetration testing_defense_in_depthSap penetration testing_defense_in_depth
Sap penetration testing_defense_in_depthIgor Igoroshka
 
Attacks Based on Security Configurations
Attacks Based on Security ConfigurationsAttacks Based on Security Configurations
Attacks Based on Security ConfigurationsOnapsis Inc.
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsExploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsOnapsis Inc.
 
Unbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwardsUnbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwardsOnapsis Inc.
 
How Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the JewelsHow Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the JewelsOnapsis Inc.
 
Pen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information ExposedPen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information ExposedOnapsis Inc.
 
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution ManagerInception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution ManagerOnapsis Inc.
 
Highway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMSHighway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMSOnapsis Inc.
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit ERPScan
 
Onapsis SAP Backdoors
Onapsis SAP BackdoorsOnapsis SAP Backdoors
Onapsis SAP BackdoorsOnapsis Inc.
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)ERPScan
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)Onapsis Inc.
 
Preventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsPreventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsOnapsis Inc.
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
 
Sap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hatSap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hatn|u - The Open Security Community
 
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not EnoughOnapsis Inc.
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applicationsERPScan
 
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe... Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...Onapsis Inc.
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to usERPScan
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionERPScan
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP securityERPScan
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM HackingERPScan
 
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessSAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessERPScan
 
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeSAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeOnapsis Inc.
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?michelemanzotti
 

More Related Content

What's hot

Unbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwardsUnbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwardsOnapsis Inc.
 
How Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the JewelsHow Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the JewelsOnapsis Inc.
 
Pen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information ExposedPen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information ExposedOnapsis Inc.
 
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution ManagerInception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution ManagerOnapsis Inc.
 
Highway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMSHighway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMSOnapsis Inc.
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit ERPScan
 
Onapsis SAP Backdoors
Onapsis SAP BackdoorsOnapsis SAP Backdoors
Onapsis SAP BackdoorsOnapsis Inc.
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)ERPScan
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)Onapsis Inc.
 
Preventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsPreventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsOnapsis Inc.
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
 
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not EnoughOnapsis Inc.
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applicationsERPScan
 
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe... Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...Onapsis Inc.
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to usERPScan
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionERPScan
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP securityERPScan
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM HackingERPScan
 
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessSAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessERPScan
 

What's hot (20)

Unbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwardsUnbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwards
 
How Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the JewelsHow Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the Jewels
 
Pen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information ExposedPen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information Exposed
 
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution ManagerInception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
 
Highway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMSHighway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMS
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit
 
Onapsis SAP Backdoors
Onapsis SAP BackdoorsOnapsis SAP Backdoors
Onapsis SAP Backdoors
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
 
Preventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsPreventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based Deployments
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)
 
Sap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hatSap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hat
 
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications
 
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe... Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to us
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second edition
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP security
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM Hacking
 
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessSAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big business
 

Similar to SAP Business Objects Attacks

SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeSAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeOnapsis Inc.
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?michelemanzotti
 
Suite on hana ile iş süreçlerinize hız katın
Suite on hana ile iş süreçlerinize hız katınSuite on hana ile iş süreçlerinize hız katın
Suite on hana ile iş süreçlerinize hız katınitelligence TR
 
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Inception of the SAP Platforms Brain: Attacks on SAP Solution ManagerInception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Inception of the SAP Platforms Brain: Attacks on SAP Solution ManagerOnapsis Inc.
 
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNoSuchCon
 
The Future of Finance
The Future of FinanceThe Future of Finance
The Future of FinanceSAP Ariba
 
Open Source in Entperprises - A Presentation by SAP at OSCON 2014 Confernece
Open Source in Entperprises - A Presentation by SAP at OSCON 2014 ConferneceOpen Source in Entperprises - A Presentation by SAP at OSCON 2014 Confernece
Open Source in Entperprises - A Presentation by SAP at OSCON 2014 Confernecesanjay4sap
 
ProAppSys Software Company Overview Case studies and expertise.
ProAppSys Software Company Overview Case studies and expertise.ProAppSys Software Company Overview Case studies and expertise.
ProAppSys Software Company Overview Case studies and expertise.Pradeep Gudipati
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP SystemsOnapsis Inc.
 
Sap presentation session
Sap presentation sessionSap presentation session
Sap presentation sessionAhmed Naeem
 
Sap fundamentals overview_for_sap_minors
Sap fundamentals overview_for_sap_minorsSap fundamentals overview_for_sap_minors
Sap fundamentals overview_for_sap_minorsCenk Ersoy
 
2009 06 worldtour_sme5_sap_fr
2009 06 worldtour_sme5_sap_fr2009 06 worldtour_sme5_sap_fr
2009 06 worldtour_sme5_sap_frSomayeh Jabbari
 
SAP Strata-Hadoop Asia Pacific Breakout Presentation, December, 2015
SAP Strata-Hadoop Asia Pacific Breakout Presentation, December, 2015SAP Strata-Hadoop Asia Pacific Breakout Presentation, December, 2015
SAP Strata-Hadoop Asia Pacific Breakout Presentation, December, 2015Paul Marriott
 
Be the Data Hero in Your Organization with SAP and CA Analytic Solutions
Be the Data Hero in Your Organization with SAP and CA Analytic SolutionsBe the Data Hero in Your Organization with SAP and CA Analytic Solutions
Be the Data Hero in Your Organization with SAP and CA Analytic SolutionsCA Technologies
 
SAP HANA Data Center Intelligence Overview
SAP HANA Data Center Intelligence OverviewSAP HANA Data Center Intelligence Overview
SAP HANA Data Center Intelligence OverviewSAP Technology
 
Sap fundamentals
Sap fundamentalsSap fundamentals
Sap fundamentalsZiko2K7
 
Ciber SAP Tech Ed 2013 takeaway presentation
Ciber SAP Tech Ed 2013 takeaway presentationCiber SAP Tech Ed 2013 takeaway presentation
Ciber SAP Tech Ed 2013 takeaway presentationsvleuken
 

Similar to SAP Business Objects Attacks (20)

SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeSAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crime
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
 
Suite on hana ile iş süreçlerinize hız katın
Suite on hana ile iş süreçlerinize hız katınSuite on hana ile iş süreçlerinize hız katın
Suite on hana ile iş süreçlerinize hız katın
 
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Inception of the SAP Platforms Brain: Attacks on SAP Solution ManagerInception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
 
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
 
The Future of Finance
The Future of FinanceThe Future of Finance
The Future of Finance
 
Open Source in Entperprises - A Presentation by SAP at OSCON 2014 Confernece
Open Source in Entperprises - A Presentation by SAP at OSCON 2014 ConferneceOpen Source in Entperprises - A Presentation by SAP at OSCON 2014 Confernece
Open Source in Entperprises - A Presentation by SAP at OSCON 2014 Confernece
 
Sap investor symposioum
Sap investor symposioumSap investor symposioum
Sap investor symposioum
 
ProAppSys Software Company Overview Case studies and expertise.
ProAppSys Software Company Overview Case studies and expertise.ProAppSys Software Company Overview Case studies and expertise.
ProAppSys Software Company Overview Case studies and expertise.
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP Systems
 
Sap presentation session
Sap presentation sessionSap presentation session
Sap presentation session
 
Sap fundamentals overview_for_sap_minors
Sap fundamentals overview_for_sap_minorsSap fundamentals overview_for_sap_minors
Sap fundamentals overview_for_sap_minors
 
2009 06 worldtour_sme5_sap_fr
2009 06 worldtour_sme5_sap_fr2009 06 worldtour_sme5_sap_fr
2009 06 worldtour_sme5_sap_fr
 
Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...
Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...
Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...
 
SAP Strata-Hadoop Asia Pacific Breakout Presentation, December, 2015
SAP Strata-Hadoop Asia Pacific Breakout Presentation, December, 2015SAP Strata-Hadoop Asia Pacific Breakout Presentation, December, 2015
SAP Strata-Hadoop Asia Pacific Breakout Presentation, December, 2015
 
Be the Data Hero in Your Organization with SAP and CA Analytic Solutions
Be the Data Hero in Your Organization with SAP and CA Analytic SolutionsBe the Data Hero in Your Organization with SAP and CA Analytic Solutions
Be the Data Hero in Your Organization with SAP and CA Analytic Solutions
 
SAP HANA Data Center Intelligence Overview
SAP HANA Data Center Intelligence OverviewSAP HANA Data Center Intelligence Overview
SAP HANA Data Center Intelligence Overview
 
Sap fundamentals
Sap fundamentalsSap fundamentals
Sap fundamentals
 
Ciber SAP Tech Ed 2013 takeaway presentation
Ciber SAP Tech Ed 2013 takeaway presentationCiber SAP Tech Ed 2013 takeaway presentation
Ciber SAP Tech Ed 2013 takeaway presentation
 
Nikhil sap fico training ppt
Nikhil sap fico training pptNikhil sap fico training ppt
Nikhil sap fico training ppt
 

Recently uploaded

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Recently uploaded (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

SAP Business Objects Attacks

  • 1. SAP BusinessObjects Attacks Juan Perez-Etchegoyen jppereze@onapsis.com February 2014 IT-Defense Security Conference Will Vandevanter wvandevanter@onapsis.com
  • 2. 2SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Disclaimer This publication is copyright 2014 Onapsis, Inc. – All rights reserved. This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
  • 3. 3SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Who is Onapsis, Inc.?  Company focused in protecting ERP systems from cyber-attacks. SAP®, Siebel®, Oracle® E-Business SuiteTM, PeopleSoft®, JD Edwards® …  Trusted by Global Fortune-100 and large governmental organizations.  What does Onapsis do?  Innovative ERP security software (Onapsis X1, Onapsis Bizploit, Onapsis IA).  ERP security consulting services.  Trainings on business-critical infrastructure security. Who are we?  Juan Perez-Etchegoyen, CTO at Onapsis.  Will Vandevanter, Security Researcher at Onapsis.
  • 4. 4SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Agenda  SAP BusinessObjects Landscape  The attacker lifecycle  Abusing the Business Intelligence Process  Conclusions
  • 5. 5SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved SAP BusinessObjects Landscape
  • 6. 6SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved What is SAP? ● Largest provider of business management solutions in the world. ● More than 140.000 implementations around the globe. ● More than 90.000 customers in 120 countries. ● Used by Global Fortune-1000 companies, governmental organizations and defense agencies to run their every-day business processes. ● Such as Revenue / Production / Expenditure business cycles. SALES PRODUCTION FINANCIAL PLANNING INVOICING PROCUREMENT TREASURY LOGISTICS PAYROLL BILLING
  • 7. 7SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved SAP BusinessObjects ● Purchased by SAP in 2007 ● Business Analysis and Intelligence is the Core Functionality ● Produces Reports, Dashboards and KPI consumed by decision makers ● Simplifies analysis of data for users ● Usually pulling information from products such as ERP or CRM
  • 8. 8SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Impact of a breach to an SAP system While for traditional SAP systems (ERP,CRM,SCM…) it is easier to understand the impact of a security breach... ESPIONAGE: Obtain customers/vendors/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, etc. SABOTAGE: Paralyze the operation of the organization by shutting down the SAP system, disrupting interfaces with other systems and deleting critical information, etc. FRAUD: Modify financial information, tamper sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
  • 9. 9SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Impact of a breach to a BO System In a BusinessObjects implementation it is more difficult to understand the impact of a security breach... FINANCIAL STATEMENT: Incorrect reporting to authorities such as SEC. Access the information in advance. BUDGETING AND STAFFING: Incorrect allocating of resources for the achievement of targets. SALES FORECAST: Critical to determine the budget and to understand how much the company will grow, quantity of products to be produced, purchasing requirements… LIQUIDITY PLANNING: Affect the understanding of the available cash that the company will have during a period of time.
  • 10. 10SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Business Intelligence
  • 11. 11SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved  BW is an analytical, reporting and data warehousing product  Structured by layers. ETL (Extract, Transform, Load) is probably the most important layer  The process of extracting data from other SAP Systems is usually performed by RFC Function Calls. BO/BI/BW  SAP BusinessObjects are usually connected to SAP BW
  • 12. 12SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved
  • 13. 13SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved
  • 14. 14SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved VIP Services ● Central Management Server ● File Repository Server ● Report Templates ● Resulting Reports ● Server Intelligence Agent ● Client Endpoints ● Web Applications: Central Management Console ● Web Services
  • 15. 15SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Communication ● From the Client browser tier to the Application tier, SOAP and HTTP are the most common methods of communication (REST is also available) ● Most of the Inter “Process” communication is done using CORBA on the BO Service Bus
  • 16. 16SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Communication – CORBA ● Standard defined by OMG (“Similar” to JAVA RMI) ● Uses IIOP Network Protocol ● Uses IDL to define interfaces exposed ● Designed to facilitate the communication of systems that are deployed on diverse platforms. Source: Wikipedia
  • 17. 17SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Client to Server Communication - CORBA ● Interoperable Object Reference (IOR) ● Reference to a remote object ● Provided by the server, consumed by the client to communicate using remote object ● Example Components ● “IDL:Hello/HelloWorld” ● “Host: www.remotecorba.com” ● “Port: 4678”
  • 18. 18SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved BO Communication – CORBA ● Each BO server has a number of services available via CORBA ● A client needs to know the IOR of the remote service to initiate communication ● They also need to know (or reverse engineer) the IDL to communicate meaningfully
  • 19. 19SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved BO CORBA Example – Client to CMS Client “aps” CMS Client IOR:010000003500……. CMS Client {object} CMS Parse IOR to obtain IP/Port, Object Key,…
  • 20. 20SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved BO and the Attacker Lifecycle
  • 21. 21SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Quick Note on Attackers ● Many Different Types of attackers ● Internal/External ● Advanced/Script kiddies ● Just for fun/Criminal organizations ● Identifying the threat actor is an obvious key to defense ● Define monitoring processes ● Define configuration and security standards
  • 22. 22SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Default Ports (Reconnaissance)
  • 23. 23SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Reconnaissance ● In default state, 15 other listening ports ● Example Use Case ● One service needs to know the IP:PORT of another service. How does it get this information? ● Asks the CMS via CORBA
  • 24. 24SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Demo
  • 25. 25SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Note on Defense As discussed in the Administrators guide, limiting network access to every BusinessObjects component is the best method to protect against pulling information from these services.
  • 26. 26SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Account Types ● Enterprise ● SAP ● LDAP ● WindowsAD
  • 27. 27SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Default Accounts (Reconnaissance)
  • 28. 28SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Note on Defense It is critically important to apply the most up to date security notes. Furthermore, disabling unused web applications and services limits the attack surface.
  • 29. 29SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Major Version Info (Reconnaissance) ● What Web Interfaces are available? ● Web Services also has valuable information
  • 30. 30SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved A Warning About MITM ● Communication is Unencrypted by default ● An Attacker can hijack a Session via HTTP or CORBA
  • 31. 31SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Poisoning and Intercepting Business Intelligence
  • 32. 32SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved “Post Exploitation” ● We are discussing an attacker that wishes to access or poison the Business Intelligence Process ● See “Actions on Objectives” in the Intrusion Kill Chain ● Intercepting vs. Poisoning ● How we discuss “Data” is important
  • 33. 33SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved ● Information disclosure – Any information in the data sources – Generated Reports ● Information Tampering – Switching data source system – Changes on the business data – Changes on the generated reports ● … Business-oriented Attack Vectors
  • 34. 34SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved ● BO processes and groups information from many systems (ERP, SCM, CRM, HR, etc). ● By compromising BO/BW/BI the attacker will have almost all of the company critical information in a central repository. ● Access to Business Reports ● Access to Financial Statements BI ERP SCM HR CRM Information Disclosure
  • 35. 35SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Information Tampering ● Change data source – Point to a different SAP system (ERP,BW…) – Changing Infoproviders (Infoset, SAP Queries…) ● Modify BO contents – Reports – Dashboards – KPI
  • 36. 36SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Demo
  • 37. 37SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Impacting BO BI – Client Side ● Commonly an attacker will focus on a client with access ● Obvious ways to access data ● Check the FS ● Browser cookies ● How else?
  • 38. 38SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Impacting BO BI – Client Side ● Network Sniffing ● Active Traffic is best ● But, the Client will auto ping the Server on a set schedule ●SESSION_ID is given in the ping
  • 39. 39SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Demo
  • 40. 40SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Impacting BO BI – Client Side ●Power Shell ● Made available in the Client or Server BusinessObjects installation ● SDK Like functionality ● Reporting Access ● InfoQuery ● Session Handling
  • 41. 41SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Impacting BO BI – Server Side ● File Repository Server ● Input ● Output ● What is a report to BO? ● File on the Filesystem ● Entry in the InfoStore ● Not all files will stay overwritten
  • 42. 42SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Demo
  • 43. 43SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Conclusion ● Read the Admin Guide! ● Many of these attacks can be prevented or detected ● Keep the systems updated! ● Enable Auditing ● Periodically scan/monitor the systems ● Secure the system and the critical data
  • 44. 44SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Questions? jppereze@onapsis.com wvandevanter@onapsis.com
  • 45. 45SAP BusinessObjects Attacks www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved Thank you! www.onapsis.com Follow us! @onapsis