New Trojan tweaked to target SAP servers
A new variant of the well-known Shiz remote access trojan (RAT) has been tweaked to search for the existence of SAP client applications. Unlike previous versions, which were designed simply to compromise Windows PCs with a backdoor and steal confidential data, the latest variant might have been developed as a first step to hook into corporate ERP systems to either steal data or cause disruption, says a security expert.
In a blog entry, Dana Tamir, director of enterprise security at Trusteer, elaborates: "SAP provides workstation client software that communicates with its application servers. These clients serve as the entry point to a wide range of business SAP applications." She reasons that hackers with remote access to an infected PC would be able to read (SAP) configuration files, GUI automation scripts or even hook onto application processes on the SAP server.
"SAP applications provide an integrated view of business processes that range from finance and accounting to extended supply chain operations. Large enterprises and global companies rely on these mission-critical applications to provide accurate, up-to-the-minute operations and financial information," she writes. "Attacks against SAP applications that cause downtime or result in data leakage can put businesses at significant risk."
According to The Register, SAP is aware of this Trojan and is currently investigating it. They also noted that this variant is detectable by existing antivirus products.
The Fierce Take: The move to specifically target business applications is a departure from traditional malware tactics, and should be closely watched. Indeed, substantial damage can be inflicted by an SAP login with a sufficiently high level of access rights. On this front, businesses should seriously consider the use of two-factor authentication and tighter access control restrictions on their business application servers.