ID: IRCNE2012121698
Date: 2012-12-11
According to "techworld", security researchers have presented proof-of-concept code capable of accessing the database driving a Microsoft ERP system and then diverting funds while avoiding immediate detection.
Tom Eston and Brett Kimmel of vendor SecureState presented the would-be malware this week at the Black Hat Abu Dhabi conference.
Makers of corporate enterprise resource planning (ERP) systems include Oracle and SAP, while Microsoft's Dynamics Great Plains software is for midsize businesses.
What the researchers did was find a way to access the Microsoft SQL Server database through the Great Plains client. Before that can occur, a cybercriminal would have to trick a Great Plains user into clicking on a malicious email attachment or visiting a web site capable of downloading the code. Once the code is installed, it can intercept communications over ODBC between the client and the database and also inject commands, Neely said.
"One of the goals [of the research] is to encourage accounting departments to adopt more stringent controls that could detect these attacks," Neely said.
Despite the critical importance of ERP security, the software often goes unpatched for long periods of time, because of the complexity of updating the often highly customised systems.
In May, consulting firm Onapsis released a study showing 95 percent of more than 600 SAP systems tested were vulnerable to attack, mainly because patches had not been applied.