Cash is King: Who's Wearing Your Crown?
1 like3,517 views
The presentation discusses accounting fraud vulnerabilities in Microsoft Dynamics Great Plains (GP) and explores how attackers can exploit these weaknesses. It highlights the importance of both technical and accounting controls to prevent fraud, emphasizing that insider threats are particularly dangerous and that combining malware with legitimate entries can facilitate fraud. The presenters also share examples of how fraud can be executed and propose solutions to enhance the security of accounting systems.
Cash is King: Who's Wearing Your Crown?
- 1. Cash is King Who’s Wearing Your Crown? Accounting Systems Fraud in the Digital Age Tom Eston and Spencer McIntyre DerbyCon 2013
- 2. Agenda • Introduction to Accounting Fraud • Microsoft Dynamics Great Plains – Vulnerabilities and Attack Vectors • Attacking the Users of Dynamics GP • Fraud with Custom Malware (Mayhem) • The Attacks: How to Commit Fraud • Accounting Controls to Prevent Fraud • Conclusions DerbyCon 2013
- 4. Tom Eston • Manager, SecureState Attack & Defense Team • OWASP Contributor • SANS Mentor, Community Instructor • Security Blogger/Researcher: Spylogic.net • Podcast Co-host: Social Media Security Podcast • Speaker: Black Hat, DEF CON, ShmooCon, DerbyCon, SANS, MSI, OWASP AppSec DerbyCon 2013
- 5. Spencer McIntyre • SecureState Security Researcher, Exploit Developer • Open Source Contributor: • Speaker: Black Hat Europe, DerbyCon, Toorcon, ThotCon, B-Sides • Metasploit • Scapy • SQLMap • Killerbee DerbyCon 2013
- 6. Office Space ©1999 Twentieth Century Fox
- 7. Office Space ©1999 Twentieth Century Fox
- 8. Office Space ©1999 Twentieth Century Fox
- 9. Office Space ©1999 Twentieth Century Fox
- 10. $ PROFIT $ Office Space ©1999 Twentieth Century Fox
- 11. Who Wants to Create Mayhem? • “Office Space” IRL (In Real Life) • Install virus (via floppy disk), infect accounting system, shave off a fraction of a penny of each transaction, check account balance, profit! • Except…we’re not missing any decimal points! DerbyCon 2013
- 12. Introduction to Accounting Fraud
- 13. When We Break In • Penetration Testers and Attackers do this every day! • Low hanging fruit (Tomcat/JBoss, Weak Passwords, MS08-067) • Easy to evade technical security controls • Find the most sensitive data – Passwords, SSNs, PCI data, PHI, Proprietary • Screenshot, Report, Profit, Repeat • Nothing new here… DerbyCon 2013
- 15. What If? • We could demonstrate real business risk? • Typically this is financial risk and hits the bottom line of an organization • Attack the accounting and financial systems • We could test the non-technical accounting controls (not like an “audit”) DerbyCon 2013
- 16. Technical Controls 101 • Confidentiality • Integrity • Availability Technical controls can only go so far. When they fail (and they will) what do you rely on? DerbyCon 2013
- 17. Characteristics of Useful Accounting Information • Relevant • Reliable • Consistent • Comparable • Accurate • Timely DerbyCon 2013
- 18. The Problem? • Accounting controls may not be in place – Or properly implemented • Limited resources • Limited skill set • Limited time It’s very unlikely that accounting departments are reconciling every account each month! DerbyCon 2013
- 19. Traditional Accounting Fraud • Insider Embezzlement • Overstating Profits • External Check Fraud • Insider Fraud – Kickback schemes, skimming, sales fraud, etc. Primary Control: Reconciling Bank Accounts DerbyCon 2013
- 20. Accounting Fraud Examples DerbyCon 2013
- 21. DerbyCon 2013 "What I did in my youth is hundreds of times easier today. Technology breeds crime." - Frank Abagnale
- 22. Microsoft Dynamics Great Plains
- 23. DerbyCon 2013
- 24. So sorry… You belong to Microsoft now. DerbyCon 2013
- 26. Microsoft Dynamics GP • One of the most popular accounting systems in the world for medium to large size businesses • Microsoft purchased GP from Great Plains Software for $1.1 Billion in 2000 • Written in Dexterity specifically for GP • As of 2013: 43,000 companies in the world use GP DerbyCon 2013
- 27. Microsoft Dynamics GP - Users • No Windows Authentication (Active Directory) integration available (out of the box) – User accounts are created, managed and stored by SQL Server • SQL Server “SA” account is the most powerful • DYNSA owns all the GP databases. Performs privileged actions without the SA account in GP. • Regular user accounts perform daily actions DerbyCon 2013
- 28. Microsoft Dynamics GP • Uses “client-server” architecture • Application runs on the client, not the server • Web application front end just introduced this year DerbyCon 2013
- 29. Locating the GP Systems and Database
- 30. System Naming Conventions • Conduct DNS or NETBIOS queries • Network shares with GP client installation • Typical names we’ve found on networks: – GP – GP-PORTAL – DYNAMICS – DYNAMICS_DB – GREAT PLAINS – ACCOUNTING – FINANCE DerbyCon 2013
- 31. Additional Recon • Most Critical: GP SQL Server • Others systems include: – The GP client applications (user workstations) – GP Business Portal (SharePoint) • Company Intranet – Usually reveals GP and/or accounting system documentation • Network Shares – Sometimes the GP application is shared on the SQL server! DerbyCon 2013
- 32. Attack Vectors in GP
- 33. Vulnerabilities in GP • DoS and remote overflow vulnerabilities in GP version 9 and lower • Weak cipher for the system password (2010) – Debunked by Microsoft as a real issue • Typical SQL Server vulnerabilities and misconfigurations – Example: Local Administrator group added to the “sysadmin” role on the SQL Server DerbyCon 2013
- 34. Attacks to Commit Fraud • #1 Gain access to the GP SQL database directly • #2 GP user account hijack from the client • #3 Process injection via custom malware on the client DerbyCon 2013
- 35. Attacking the Database • Goal: Modify and create GP database entries to commit fraud • Easy with direct access to the SQL server • One problem… • How do we know what to modify to commit the fraud? DerbyCon 2013
- 36. GP Table Naming Conventions • GP Tables are not named with good descriptions… • There is good news though! DerbyCon 2013
- 37. GP Table Prefix Identification Credit: Leslie Vail http://dynamicsconfessions.blogspot.com/2012/05/data-flow-and-table-names.html DerbyCon 2013
- 38. GP Table Identifiers • Put the prefix with the identifier to determine the table function • PM1000 = Payables Management Work Table DerbyCon 2013
- 39. Attacking the GP User
- 40. Who to Target? • Accounting Department Users • Controller • Bookkeeper • CFO • The Accountant DerbyCon 2013
- 41. The Goal • Compromise the user’s workstation – GP application is installed there! • GP login and password • Compromise other workstations, pivot to the accounting users • Create backdoor into the user’s workstation(s) DerbyCon 2013
- 42. Example Scenario • Harvest accounting department usernames and emails via LinkedIn • Create targeted phishing email • Link to download malicious attachment – “Click here to install the latest GP patch!” • Mayhem ensues… (more on this in a minute) DerbyCon 2013
- 43. Creating the Perfect Fraud via Custom Malware
- 44. Introducing: Mayhem Malware • Proof of Concept code created by Spencer McIntyre of the SecureState Research & Innovation Team – Full integration with Metasploit / Meterpreter • https://github.com/zeroSteiner/metasploit- framework/tree/project-mayhem DerbyCon 2013
- 45. How Mayhem Works • Uses function hooking and library injection to execute within the context of the GP frontend • Goal: Open a channel back to the attacker so commands can be made via the GP frontend • Mayhem is injected at runtime and hijacks the legitimate ODBC handle from memory • No installation or administrative rights required DerbyCon 2013
- 46. How Mayhem Works 1. Start with Meterpreter Session Opened 2. Run install module to infect Dynamics 3. Wait for user to trigger any kind of database activity 4. Use copied handle from step #3 to execute evil SQL queries 5. PROFIT! DerbyCon 2013
- 47. How Mayhem Works • Mayhem creates hooks in key locations – Most important: ODBC32. SQLAllocStmt • Mayhem monitors this and then allows injection of SQL commands into the database as the authenticated user • A named pipe is opened on the local system for meterpreter to communicate with – Conceptually similar to mimikatz DerbyCon 2013
- 48. Mayhem Demo • What we’re going to demo today – Infecting Dynamics – Creating a new “evil” vendor – Paying our vendor – Creating chaos • All demos are using MS Dynamics GP 10 DerbyCon 2013
- 49. Mayhem Demo
- 50. Next Step • Not everything is Dynamics specific • Execute arbitrary SQL Queries DerbyCon 2013
- 51. Next Step • Retrieve ODBC credentials DerbyCon 2013
- 52. The Attacks: How Fraud Can be Committed
- 53. Manipulating Existing Vendor Records’ Remit-To Address (in GP) DerbyCon 2013
- 54. Manipulating Existing Vendor Records’ Remit-To Address (in SQL Server) DerbyCon 2013
- 55. Increase Customer Credit Limit DerbyCon 2013
- 56. Increase Customer Credit Limit CREDTLMT (Credit Limit) in PM00200: 0 – No Credit, 1 – Unlimited, 2 – Amount DerbyCon 2013
- 57. Credit Balance in Customer Account, Get a Refund DerbyCon 2013
- 58. Other Fraud Attacks • Mass Steal Banking Information • Mass Steal Credit Card Data • Payroll Information (Includes SSNs) • Access or Modify Private Financial Records DerbyCon 2013
- 59. What about Oracle or SAP? • Yes, we can attack other ERP systems! • If the system uses ODBC, you can hijack these transactions using an attack tool like Mayhem • You need intimate knowledge of other ERP systems and how they work – Highlights the internal threat… DerbyCon 2013
- 60. Accounting Controls to Prevent Fraud
- 61. Bank Reconciliation • Timing is everything • Bank reconciliation compares the bank balance with the book balance monthly DerbyCon 2013
- 62. Accounting Controls • Matching Cleared Checks to Paid Invoices • “Positive Pay” • Matching Address on Check to Address on Invoice • Process for Adding Vendors to System • Customer On-Boarding Process • Confirmation of Vendor Banking Information • Account Reconciliations DerbyCon 2013
- 64. What about Technical Controls? • Never discount “Defense-in-Depth” • All it takes is for one control to fail! – GP, SQL server, user permissions/roles, security awareness, antivirus, IDS, incident response • This is why the accounting controls are more important to implement DerbyCon 2013
- 65. What Can ERP Vendors Do? • Do what the gaming community is doing • “Self-defending” software • Valve is a great example – Valve Anti-Cheat (VAC) • Enterprise software is way behind on this! • Implement internal fraud and alerting mechanisms – Banks use these techniques to detect fraud as it happens DerbyCon 2013
- 66. Final Thoughts • It is possible to perpetrate fraud against the accounting system from the outside • Fraud is much easier for an insider • Combine malware with legitimate entries = perfect crime • Combination of technical and accounting controls are required to combat modern fraud DerbyCon 2013
- 67. More Information • See our White Paper for details on other attacks: – http://bit.ly/mayhem-whitepaper • Spencer’s Mayhem Metasploit Modules: – https://github.com/zeroSteiner/metasploit- framework/tree/project-mayhem DerbyCon 2013
- 68. Appendix: SQL Queries -- Get useful info about the checkbooks SELECT CHEKBKID, DSCRIPTN, BANKID, CURNCYID, BNKACTNM, str(CURRBLNC, 19, 5) AS CURRBLNC FROM CM00100; -- Give vendor "MAYHEM" unlimited credit UPDATE PM00200 SET CREDTLMT=1 WHERE VENDORID='MAYHEM'; -- Get sensitive info from payroll SELECT FRSTNAME, MIDLNAME, LASTNAME, SOCSCNUM, BRTHDATE, EMPLOYID, JOBTITLE FROM UPR00100; DerbyCon 2013
- 69. Questions? • Tom Eston [email protected] Twitter: @agent0x0 Blog: Spylogic.net • Spencer McIntyre [email protected] Twitter: @zerosteiner • Who wants military-grade bottle openers? – Come up front DerbyCon 2013