
SAP Risks - Fraud

February 20, 2017 by Alexander Polyakov

Welcome to the latest part of SAP Risks. After we finished with Espionage and Sabotage, let's eat the last piece of this "sweet cake" dubbed Fraud.

In my opinion, fraud is the most common issue in ERP systems and other business applications. Most Segregation of Duties (SoD) scenarios are about fraud: if an attacker or malicious insider gains access to more privileges than needed to do their job, they can commit fraudulent actions in the system. Every industry has its own examples of this risk. According to the Association of Certified Fraud Examiners (ACFE), losses to internal fraud constitute 7% of profit (!) on average.

To make the examples easier to follow, let's split them into several categories based on the object the fraud deals with:

  • Assets fraud, i.e. falsifying business-critical data so that money is spent when it is not required;
  • Raw materials fraud, i.e. manipulating the bill of materials;
  • Finished goods fraud, i.e. stealing goods from the warehouse or changing their price;
  • Funds fraud, i.e. transferring money to an unintended bank account;
  • Financial reports fraud, i.e. tampering with prices;
  • Payroll fraud, i.e. changing salaries.

Now let's consider real fraud examples from each category and see how they can be carried out in SAP.

Assets Fraud

Asset management is a backbone for every large company, and EAM (Enterprise Asset Management) is intended for this purpose. As we know from the previous part, SAP Risks – Sabotage, EAM systems are usually integrated with CBM (Condition Based Maintenance) systems for better optimization of business processes. In case of malicious actions within these systems, the data about equipment health can be modified. For example, an attacker may alter the data passed from CBM so that various pieces of equipment appear to require replacement, forcing the company to spend extra money and time on new equipment. Perpetrators are also able to purchase the "needed" equipment in collusion with a supplier, or to create a fictitious vendor for this purpose.

Raw materials fraud

Most companies use ERP for material resource management.

In industry, there is a list called a BOM (Bill of Materials) that holds information about the components and the quantities of materials needed to manufacture a product according to the specification. Manipulating this data, e.g. changing the recipe, creates a surplus of raw materials that can then be stolen.

Another attack is manipulating the data on the quantity of material resources in stock or in delivery, and pilfering from warehouses in conspiracy with the employees entrusted with the stock. This attack can be executed by directly modifying the tables that supply data about material quantities. Information about these tables and their relationships can be found in open sources quite easily.

Finished goods fraud

In reality, fraud with finished goods is more common than fraud with raw materials, so here are some examples of how and what exactly can happen.

  • Unauthorized product price modifications

    One of the SAP ECC modules is MM (Materials Management), which stores the actual data on material resources and goods' prices. With access to it, an attacker can manipulate the price data (using transaction MR21). A malicious insider can decrease the price and then buy goods at a high discount by creating a fake vendor in the system.

  • Changing limits for operations

    Access to the MM module may allow a perpetrator to change the tolerance limits for price and quantity change operations. Disabling the tolerance limits makes it possible to carry out unlimited operations in purchasing and selling.

Financial fraud

Financial fraud, a kind of fraud where attackers steal money rather than goods, is more widespread among insiders because of the opportunity to reap the benefit immediately. Its drawback, however, is that it is relatively easy to detect. A few examples are provided below.

  • Theft of funds and corruption

    Unauthorized access to SAP SCM (Supply Chain Management) can cause a reduction in company income or even the transfer of money to a different organization. For example, a company employee, in connivance with a third-party organization, steals funds by pocketing the difference between the real cost of services and the cost deceptively entered in SAP SCM through unauthorized access [3]. Funds could also be transferred to a false vendor. A well-known example of such an attack is that of "a surreptitious vendor having bagged an order for bomb detectors with a total cost of 55 million dollars by Iraq. As it turned out, this operation was a fraud" [4].

    In addition to SAP SCM, the same attack is possible if an attacker accesses the SD (Sales and Distribution) module of SAP ECC. An attacker can create a fake vendor in the system using transaction VD01 and then generate a sales order for this vendor via transaction VA01. This allows him to embezzle money from the company.


  • Product cost manipulation

    With access to the SD module, a perpetrator can change the data used in the product pricing process. In SAP products, prices are set automatically based on the monetary value of the transaction, the type of customer, the season, discounts, markups, etc. These actions are controlled by transactions VK11, VK12 and VK14. Bear in mind that the automatic price calculation involves processes that could be outside the reach of the people executing them, so product cost manipulation could remain unnoticed.
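Every scenario in this section comes down to one user holding two capabilities that should be separated: creating a vendor (VD01) and creating a sales order for it (VA01), maintaining price conditions (VK11/VK12/VK14) and ordering at those prices, or changing material prices (MR21) and creating the counterparty that buys at them. The check below is an added example, not code from the article or from any SAP product: it takes a role-to-transaction mapping and a user-to-role mapping (both constructed sample data; the Z_* role names and user IDs are made up) and reports which users hold both sides of a conflict rule, including the case the individual roles are each clean but their combination is toxic. The rule set is built only from the transactions the article names.

```python
"""Segregation-of-duties (SoD) conflict check over SAP transaction assignments.

Added example, not from the original article. Roles, users and rule names are
constructed; the transaction codes are the ones the article discusses.
"""

# Constructed SoD rules: (side A, side B). Holding any transaction from BOTH
# sides is a conflict. Sets let one rule cover variants of the same capability.
SOD_RULES = {
    "create vendor/customer master + create sales order": (
        frozenset({"VD01"}),                      # master-data creation, as the article pairs it with VA01
        frozenset({"VA01"}),                      # sales order creation
    ),
    "maintain price conditions + create sales order": (
        frozenset({"VK11", "VK12", "VK14"}),      # pricing condition maintenance
        frozenset({"VA01"}),
    ),
    "change material price + create vendor/customer master": (
        frozenset({"MR21"}),                      # material price change (MM)
        frozenset({"VD01"}),
    ),
}

# Constructed sample role definitions (hypothetical Z_* roles) and assignments.
ROLE_TCODES = {
    "Z_SD_ORDER_ENTRY": {"VA01", "VA02", "VA03"},
    "Z_SD_MASTER_DATA": {"VD01", "VD02"},
    "Z_SD_PRICING":     {"VK11", "VK12", "VK14"},
    "Z_MM_PRICE":       {"MR21"},
    "Z_AUDIT_DISPLAY":  {"SE16", "SUIM"},
}
USER_ROLES = {
    "jdoe":    ["Z_SD_ORDER_ENTRY", "Z_SD_MASTER_DATA"],   # each role is clean, the pair is not
    "msmith":  ["Z_SD_PRICING", "Z_SD_ORDER_ENTRY"],
    "auditor": ["Z_AUDIT_DISPLAY"],
    "buyer":   ["Z_MM_PRICE"],
}


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of transactions a user reaches through all assigned roles."""
    return set().union(*(role_tcodes[r] for r in user_roles.get(user, [])))


def find_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Map each user to the sorted names of the SoD rules they violate."""
    findings = {}
    for user in user_roles:
        tcodes = effective_tcodes(user, user_roles, role_tcodes)
        hits = sorted(name for name, (side_a, side_b) in rules.items()
                      if tcodes & side_a and tcodes & side_b)
        if hits:
            findings[user] = hits
    return findings


def explain_conflict(user, rule_name, user_roles=USER_ROLES,
                     role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Show which role grants each side of a conflict as (role, tcode, side)."""
    side_a, side_b = rules[rule_name]
    evidence = []
    for role in user_roles.get(user, []):
        for tcode in sorted(role_tcodes[role]):
            if tcode in side_a:
                evidence.append((role, tcode, "A"))
            elif tcode in side_b:
                evidence.append((role, tcode, "B"))
    return evidence


if __name__ == "__main__":
    for user, rules in find_conflicts().items():
        for rule in rules:
            print(f"{user}: {rule}")
            for role, tcode, side in explain_conflict(user, rule):
                print(f"    side {side}: {tcode} via {role}")
```

Running the module on the sample data reports jdoe and msmith, each with the role that contributes each side of the conflict; the auditor and the buyer hold only one side and are clean. In practice the role and user tables would be exported from the authorization system rather than hard-coded, and each finding would either be remediated by splitting the roles or documented with a compensating control, which is the point of the SoD matrices the article refers to.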

Financial reports fraud

Now let's shift to more business-oriented scenarios. What about financial reports and other high-level data traditionally used by CxOs? These mostly come from Business Intelligence systems, for example SAP Business Objects. There are at least three attack vectors:

  • Unauthorized modification of financial reports. This can divert management's attention by causing problems with the auditors and drying up the Return on Investment of projects.
  • Unauthorized modification of data on tangible and intangible resources. Improper estimates derived from incorrect data on resource spending and employee workload could lead to the misuse of funds and cause direct and indirect losses.
  • Unauthorized modification of sales reports can lead to wrong conclusions about pricing strategy and, as a result, lost profits.

From a technical point of view, the SAP BI system is based on the SAP Business Objects platform, in which 80 vulnerabilities have been found, and the number of security issues is growing every year. This number may not seem so alarming, but take into account that a single vulnerability is enough to get access to all business-critical data.

Payroll Fraud

Access to the SAP HR system, and the Payroll module in particular, allows insiders to change their wages. Since direct modification is easily detected, the real risk lies in changing the number of additional working hours to be processed, which affects the total wages. In this case the fraud is extremely difficult to detect. Tax exemptions and other values can affect total wages as well.

Conclusion

You have seen a rash of fraud examples in different SAP systems, ranging from asset fraud to trivial money embezzlement. These examples are a small part of what a perpetrator could do after gaining unauthorized access to an SAP system. Typical SoD matrices intended to identify users whose rights enable such attacks contain approximately 200 examples, apart from specific cases for different verticals. We consider a lot more, and even with perfectly configured SoD rights, any of the scenarios described above can be repeated by exploiting a common SAP vulnerability and gaining administrator rights.


The next articles will shed light on the vulnerabilities a malicious actor could exploit to gain access to SAP systems.

Alexander Polyakov

Alexander Polyakov is the founder of ERPScan and President of the EAS-SEC.org project. Recognized as an R&D professional and Entrepreneur of the Year, his expertise covers the security of enterprise business-critical software like ERP, CRM, SRM and industry-specific solutions for Oil and Gas, Manufacturing, Retail and Banking, as well as other verticals developed by enterprise software companies such as SAP and Oracle. He has received numerous accolades and published over 100 vulnerabilities.

Alexander has also published a book about Oracle Database security and numerous white papers, such as the award-winning annual "SAP Security in Figures", plus surveys devoted to information security research in SAP.

Alexander has presented his research on SAP and ERP security at more than 50 conferences and trainings in 20+ countries on all continents. He has also held trainings for the CISOs of Fortune 2000 companies, and for SAP SE itself.

He is the author of numerous whitepapers and surveys devoted to information security research in SAP, like "SAP Security in Figures." Alexander was invited to speak and train at international conferences such as BlackHat, RSA, HITB and 30 others around the globe, as well as in internal workshops for SAP and Fortune 500 companies.