Critical vulnerabilities in SAProuter, the SAP module used to connect users of the enterprise resource planning (ERP) software with SAP's update services, could be compromising the security of those users, according to Alexander Polyakov, chief technology officer of ERPScan.
According to Polyakov, there are around 5,000 instances of SAProuter connected to the internet (based on the SAP Security in Figures 2013 report) that are theoretically capable of accepting a connection.

Although SAP belatedly issued a patch for the application 6 months ago, about 85 per cent of the instances scanned by ERPScan remain unpatched.

The issue has gained added urgency since anti-virus software vendors spotted a new version of the old Trojan.iBank malware that is capable of scanning for the existence of SAP software on client PCs within organisations.
“The Trojan is focused on stealing banking information, and takes keys and passwords. But recently, our colleagues at anti-virus software companies sent us an example of a new modification, which looks for an SAP client on the workstation,” said Polyakov.
It is unknown, at this stage, whether the Trojan is capable of downloading a special attack module.
According to Polyakov, the information gleaned from compromised machines will typically be sold on to organised criminals who will seek to use it to transfer money from corporate bank accounts.
Polyakov warns that SAP is becoming a potential target for cybercriminals and adds that the news that 85 per cent of SAProuter modules are unpatched should be a matter of concern.
“If somebody creates malware that can attack all those unpatched routers, they will get access to the company networks of most of the world's biggest companies,” he says.