Are you sure your ERP is not a crypto mining farm?

Hackers are not walking past the hype. While cryptocurrency becomes a new hot topic in the financial world, hackers are said to start using vulnerable systems for cryptocurrency mining.

Mining malware is distributed to victim servers through various vulnerabilities. For example, unpatched Oracle WebLogic servers can work for perfect loopholes to be exploited with Monero mining applications. By now, some group of cybercriminals has already managed to net 666.286 XMR in cryptocurrency worth from $220,000 to $350,000 depending on the rate of exchange. Figure 1 depicts the payment history of cryptocurrency mining malware.

Figure 1. Payment history of cryptocurrency mining malware

Still, we can see that the balance was replenished once again. It means that many companies haven’t noticed an attack yet.

A new malware – RubyMiner – was also found on the Internet. It helps to mine cryptocurrency by scanning and identifying Linux and Windows servers that run outdated software.

Earlier, attackers used hacked systems to conduct DDoS attacks or to distribute so-called “ransomware” to servers and blackmailed companies. Nowadays, there is another way for hackers to make money. They simply create crypto-mining farms on hacked systems. ERP systems and servers make a great payoff for malefactors as they are more productive than common PCs. Such incident refers to mass attacks, and they are intended to infect as many systems as possible. After a breach, hacked systems expect commands from attackers.

An infection with cryptocurrency mining malware turns to be less critical for business than targeted attacks. In most cases, targeted attacks aim to steal critical business data, such as HR information, business, sales and financial data. The consequences might be the worst-case scenario for any company. In our whitepaper “Hardcore SAP Penetration Testing”, we detailed the ways in which an attacker can conduct targeted attacks on SAP systems with the help of a 0-day vulnerability chain. Previously, we made a research that described how to execute a remote command on SAP system anonymously. It is essential, but insufficient, as an attack requires other steps. You can find them in the whitepaper.

Figure 2. The malicious request to the target system

Therefore, an attacker can execute malicious code on the targeted system. Instead of a calculator, there may be a cryptocurrency mining malware.

Figure 3. Executing code on the target system

It is not a secret that ERP systems have many vulnerabilities, and developers constantly release updates and patches to close them.

Figure 4 illustrates the growing number of detected vulnerabilities in SAP solutions. The graph depicts the total number of SAP Security Notes. Each of them may include a patch for more than one loophole. Just imagine how much work it takes to perform hundreds of security checks!

Figure 4. Cumulative total of SAP Security Notes

Customers sometimes seem reluctant to install necessary patches, because they need to conduct numerous checks before installing a patch in a production system. This means that 1-day vulnerabilities always exist in production systems.

On top of vulnerabilities, ERP systems have various settings, and nothing prevents errors during the process of setting them up. Therefore, systems become vulnerable.

Keep in mind various types of attackers. They may be outside the company and black-hat hackers, who found 0-day vulnerabilities in ERP systems. Former employees that know critical data of ERP systems can also perform a breach as well as Worker of a victim organization – be it programmer, administrator or another staff member with access to ERP servers. For example, programmers can add backdoors to a source code and administrators can install malware to the systems.


As protection measures from cryptocurrency mining malware, it is recommended to:

  • monitor outbound connections to a mining pool (but attackers can use the proxy);
  • carefully analyze processes with high and constant CPU consumption (but attackers can launch their malware during off-hours);
  • check energy consumption for abnormal magnification (but it is difficult to determine for large companies).

While all the mentioned methods are important, they contain disadvantages and in order to have a complex approach, it is recommended to enquire with regular Security Audit to detect vulnerabilities on systems and identify configuration errors. Proper code analysis can also help to detect backdoors in source code.

The post Are you sure your ERP is not a crypto mining farm? appeared first on ERPScan.

*** This is a Security Bloggers Network syndicated blog from Blog – ERPScan authored by Research Team. Read the original post at: