cash is king: who's wearing your crown?
DESCRIPTION
Show me the money. If hackers were able to manipulate the world’s accounting systems, governments and corporations would be in a frenzy. Guess what? Hackers can…and will. In this presentation we describe manipulating the major financial accounting systems used by corporations large and small to show the importance of good Information Security and Accounting controls. In this talk we identify ways to manipulate accounting systems for financial gain demonstrating mass accounting systems fraud. Through our research we will demonstrate multiple ways to manipulate accounting data and misappropriate funds. We will also show information security and accounting controls needed to detect these types of advanced attacks. Tom and Spencer will be releasing and demonstrating new PoC malware and a Metasploit meterpreter extension that targets Microsoft Dynamics GP, one of the most popular accounting systems in the world.TRANSCRIPT
Cash is KingWho’s Wearing Your Crown?
Accounting Systems Fraud in the Digital Age
Tom Eston and Spencer McIntyre
DerbyCon 2013
Agenda
• Introduction to Accounting Fraud
• Microsoft Dynamics Great Plains– Vulnerabilities and Attack Vectors
• Attacking the Users of Dynamics GP
• Fraud with Custom Malware (Mayhem)
• The Attacks: How to Commit Fraud
• Accounting Controls to Prevent Fraud
• Conclusions
DerbyCon 2013
About Your Presenters
Tom Eston
• Manager, SecureState Attack & Defense Team
• OWASP Contributor
• SANS Mentor, Community Instructor
• Security Blogger/Researcher: Spylogic.net
• Podcast Co-host: Social Media Security Podcast
• Speaker: Black Hat, DEF CON, ShmooCon, DerbyCon, SANS, MSI, OWASP AppSec
DerbyCon 2013
Spencer McIntyre
• SecureState Security Researcher, Exploit Developer
• Open Source Contributor:
• Speaker: Black Hat Europe, DerbyCon, Toorcon, ThotCon, B-Sides
• Metasploit• Scapy
• SQLMap• Killerbee
DerbyCon 2013
Office Space ©1999 Twentieth Century Fox
Office Space ©1999 Twentieth Century Fox
Office Space ©1999 Twentieth Century Fox
Office Space ©1999 Twentieth Century Fox
$ PROFIT $
Office Space ©1999 Twentieth Century Fox
Who Wants to Create Mayhem?
• “Office Space” IRL (In Real Life)
• Install virus (via floppy disk), infect accounting system, shave off a fraction of a penny of each transaction, check account balance, profit!
• Except…we’re not missing any decimal points!
DerbyCon 2013
Introduction to Accounting Fraud
When We Break In
• Penetration Testers and Attackers do this every day!
• Low hanging fruit (Tomcat/JBoss, Weak Passwords, MS08-067)
• Easy to evade technical security controls
• Find the most sensitive data
– Passwords, SSNs, PCI data, PHI, Proprietary
• Screenshot, Report, Profit, Repeat
• Nothing new here…
DerbyCon 2013
Photo Credit: http://cosine-security.blogspot.com/2011/10/derbycon-retrospective.html
What If?
• We could demonstrate real business risk?
• Typically this is financial risk and hits the bottom line of an organization
• Attack the accounting and financial systems
• We could test the non-technical accounting controls (not like an “audit”)
DerbyCon 2013
Technical Controls 101
• Confidentiality
• Integrity
• Availability
Technical controls can only go so far. When they fail (and they will) what do you rely on?
DerbyCon 2013
Characteristics of Useful Accounting Information
• Relevant
• Reliable
• Consistent
• Comparable
• Accurate
• Timely
DerbyCon 2013
The Problem?
• Accounting controls may not be in place
– Or properly implemented
• Limited resources
• Limited skill set
• Limited time
It’s very unlikely that accounting departments are reconciling every account each month!
DerbyCon 2013
Traditional Accounting Fraud
• Insider Embezzlement
• Overstating Profits
• External Check Fraud
• Insider Fraud
– Kickback schemes, skimming, sales fraud, etc.
Primary Control: Reconciling Bank Accounts
DerbyCon 2013
Accounting Fraud Examples
DerbyCon 2013
DerbyCon 2013
"What I did in my youth is hundreds of times easier today. Technology breeds crime."
- Frank Abagnale
Microsoft Dynamics Great Plains
DerbyCon 2013
So sorry…You belong to Microsoft now.
DerbyCon 2013
What?
DerbyCon 2013
Microsoft Dynamics GP
• One of the most popular accounting systems in the world for medium to large size businesses
• Microsoft purchased GP from Great Plains Software for $1.1 Billion in 2000
• Written in Dexterity specifically for GP
• As of 2013: 43,000 companies in the world use GP
DerbyCon 2013
Microsoft Dynamics GP - Users
• No Windows Authentication (Active Directory) integration available (out of the box)– User accounts are created, managed and stored
by SQL Server
• SQL Server “SA” account is the most powerful
• DYNSA owns all the GP databases. Performs privileged actions without the SA account in GP.
• Regular user accounts perform daily actions
DerbyCon 2013
Microsoft Dynamics GP
• Uses “client-server” architecture• Application runs on the client, not the server• Web application front end just introduced this yearDerbyCon 2013
Locating the GP Systems and Database
System Naming Conventions
• Conduct DNS or NETBIOS queries• Network shares with GP client installation• Typical names we’ve found on networks:
– GP– GP-PORTAL– DYNAMICS– DYNAMICS_DB– GREAT PLAINS– ACCOUNTING– FINANCE
DerbyCon 2013
Additional Recon
• Most Critical: GP SQL Server
• Others systems include:– The GP client applications (user workstations)
– GP Business Portal (SharePoint)
• Company Intranet– Usually reveals GP and/or accounting system
documentation
• Network Shares– Sometimes the GP application is shared on the SQL
server!
DerbyCon 2013
Attack Vectors in GP
Vulnerabilities in GP
• DoS and remote overflow vulnerabilities in GP version 9 and lower
• Weak cipher for the system password (2010)
– Debunked by Microsoft as a real issue
• Typical SQL Server vulnerabilities and misconfigurations
– Example: Local Administrator group added to the “sysadmin” role on the SQL Server
DerbyCon 2013
Attacks to Commit Fraud
• #1 Gain access to the GP SQL database directly
• #2 GP user account hijack from the client
• #3 Process injection via custom malware on the client
DerbyCon 2013
Attacking the Database
• Goal: Modify and create GP database entries to commit fraud
• Easy with direct access to the SQL server
• One problem…
• How do we know what to modify to commit the fraud?
DerbyCon 2013
GP Table Naming Conventions
• GP Tables are not named with good descriptions…
• There is good news though!
DerbyCon 2013
GP Table Prefix Identification
Credit: Leslie Vailhttp://dynamicsconfessions.blogspot.com/2012/05/data-flow-and-table-names.html
DerbyCon 2013
GP Table Identifiers
• Put the prefix with the identifier to determine the table function
• PM1000 = Payables Management Work TableDerbyCon 2013
Attacking the GP User
Who to Target?
• Accounting Department Users
• Controller
• Bookkeeper
• CFO
• The Accountant
DerbyCon 2013
The Goal
• Compromise the user’s workstation
– GP application is installed there!
• GP login and password
• Compromise other workstations, pivot to the accounting users
• Create backdoor into the user’s workstation(s)
DerbyCon 2013
Example Scenario
• Harvest accounting department usernames and emails via LinkedIn
• Create targeted phishing email
• Link to download malicious attachment
– “Click here to install the latest GP patch!”
• Mayhem ensues… (more on this in a minute)
DerbyCon 2013
Creating the Perfect Fraud via Custom Malware
Introducing: Mayhem Malware
• Proof of Concept code created by Spencer McIntyre of the SecureState Research & Innovation Team
– Full integration with Metasploit / Meterpreter
• https://github.com/zeroSteiner/metasploit-framework/tree/project-mayhem
DerbyCon 2013
How Mayhem Works
• Uses function hooking and library injection to execute within the context of the GP frontend
• Goal: Open a channel back to the attacker so commands can be made via the GP frontend
• Mayhem is injected at runtime and hijacks the legitimate ODBC handle from memory
• No installation or administrative rights required
DerbyCon 2013
How Mayhem Works
1. Start with Meterpreter Session Opened
2. Run install module to infect Dynamics
3. Wait for user to trigger any kind of database activity
4. Use copied handle from step #3 to execute evil SQL queries
5. PROFIT!
DerbyCon 2013
How Mayhem Works
• Mayhem creates hooks in key locations
– Most important: ODBC32. SQLAllocStmt
• Mayhem monitors this and then allows injection of SQL commands into the database as the authenticated user
• A named pipe is opened on the local system for meterpreter to communicate with
– Conceptually similar to mimikatz
DerbyCon 2013
Mayhem Demo
• What we’re going to demo today
– Infecting Dynamics
– Creating a new “evil” vendor
– Paying our vendor
– Creating chaos
• All demos are using MS Dynamics GP 10
DerbyCon 2013
Mayhem Demo
Next Step• Not everything is Dynamics specific
• Execute arbitrary SQL Queries
DerbyCon 2013
Next Step• Retrieve ODBC credentials
DerbyCon 2013
The Attacks: How Fraud Can be Committed
Manipulating Existing Vendor Records’Remit-To Address (in GP)
DerbyCon 2013
Manipulating Existing Vendor Records’Remit-To Address (in SQL Server)
DerbyCon 2013
Increase Customer Credit Limit
DerbyCon 2013
Increase Customer Credit Limit
CREDTLMT (Credit Limit) in PM00200:
0 – No Credit, 1 – Unlimited, 2 – Amount
DerbyCon 2013
Credit Balance in Customer Account, Get a Refund
DerbyCon 2013
Other Fraud Attacks
• Mass Steal Banking Information
• Mass Steal Credit Card Data
• Payroll Information (Includes SSNs)
• Access or Modify Private Financial Records
DerbyCon 2013
What about Oracle or SAP?
• Yes, we can attack other ERP systems!
• If the system uses ODBC, you can hijack these transactions using an attack tool like Mayhem
• You need intimate knowledge of other ERP systems and how they work
– Highlights the internal threat…
DerbyCon 2013
Accounting Controls to Prevent Fraud
Bank Reconciliation
• Timing is everything
• Bank reconciliation compares the bank balance with the book balance monthly
DerbyCon 2013
Accounting Controls
• Matching Cleared Checks to Paid Invoices
• “Positive Pay”
• Matching Address on Check to Address on Invoice
• Process for Adding Vendors to System
• Customer On-Boarding Process
• Confirmation of Vendor Banking Information
• Account Reconciliations
DerbyCon 2013
Conclusions
DerbyCon 2013
What about Technical Controls?
• Never discount “Defense-in-Depth”
• All it takes is for one control to fail!
– GP, SQL server, user permissions/roles, security awareness, antivirus, IDS, incident response
• This is why the accounting controls are more important to implement
DerbyCon 2013
What Can ERP Vendors Do?
• Do what the gaming community is doing
• “Self-defending” software
• Valve is a great example– Valve Anti-Cheat (VAC)
• Enterprise software is way behind on this!
• Implement internal fraud and alerting mechanisms– Banks use these techniques to detect fraud as it
happens
DerbyCon 2013
Final Thoughts
• It is possible to perpetrate fraud against the accounting system from the outside
• Fraud is much easier for an insider
• Combine malware with legitimate entries = perfect crime
• Combination of technical and accounting controls are required to combat modern fraud
DerbyCon 2013
More Information
• See our White Paper for details on other attacks:
– http://bit.ly/mayhem-whitepaper
• Spencer’s Mayhem Metasploit Modules:
– https://github.com/zeroSteiner/metasploit-framework/tree/project-mayhem
DerbyCon 2013
Appendix: SQL Queries
-- Get useful info about the checkbooks
SELECT CHEKBKID, DSCRIPTN, BANKID, CURNCYID, BNKACTNM,
str(CURRBLNC, 19, 5) AS CURRBLNC FROM CM00100;
-- Give vendor "MAYHEM" unlimited credit
UPDATE PM00200 SET CREDTLMT=1 WHERE VENDORID='MAYHEM';
-- Get sensitive info from payroll
SELECT FRSTNAME, MIDLNAME, LASTNAME, SOCSCNUM, BRTHDATE,
EMPLOYID, JOBTITLE FROM UPR00100;
DerbyCon 2013
Questions?• Tom Eston
[email protected]: @agent0x0Blog: Spylogic.net
• Spencer [email protected]: @zerosteiner
• Who wants military-grade bottle openers?– Come up front
DerbyCon 2013