Enterprise Accounting Systems Vulnerable to Hacker Mayhem

By Anthony Freed | December 07, 2012

Posted in: Network Security Trends

Hackers have long targeted systems that hold sensitive and proprietary enterprise data with the intent to make a buck on the black market. A new exploit proof-of-concept unveiled at the Black Hat security conference in Abu Dhabi on December 6 reveals how hackers may be able to penetrate the heart and soul of an enterprise by manipulating financial accounting systems to directly pilfer funds, and the attacks could take months to discover.

Tom Eston and Brett Kimmell, researchers from security provider SecureState, presented their findings on Project Mayhem, a proof-of-concept tool developed by their colleague Spencer McIntyre and detailed in a whitepaper titled “Cash is King: Who’s Wearing Your Crown?” which explains how an attacker could successfully exfiltrate funds directly from a company’s financial accounts while avoiding automated detection systems.

"Similar to how banking Trojans have targeted banking consumers in recent years, Mayhem is the first type of attack that we know of that targets the accounting systems of a company," Eston wrote.

The proof-of-concept behind Project Mayhem specifically focuses on the Microsoft Dynamics Great Plains application, but the researchers say that other similar systems in use are also potentially vulnerable to the library injection and function hooking techniques employed in the attack, which modifies accounting system entries to fraudulently transfer corporate funds.

"In our research we show how attackers can commit undetectable fraud by manipulating accounting systems... These attacks are quite different than finding and exposing a 0-day in software, as our research is centered on creating attacks (including custom created malware) that specifically targets a company’s accounting processes," said Eston.

The attackers begin by doing some online reconnaissance in order to ascertain the structure and names of the application's database tables, as well as conducting research through social media platforms in an effort to design targeted spear-phishing attacks against employees with access to the systems.

The attack uses malware to give an attacker access to the system and the ability to execute commands specific to the application's user interface. The researchers explain that the malicious code either needs to be injected at run time, or common patching techniques could be used to automatically load the components that intercept function calls. Those components allow the attackers to issue SQL commands in the database as if they were an authorized user, all while avoiding detection.

"This is by far the most unique topic I’ve researched in that we’ve combined penetration testing techniques with ways to commit fraud and more importantly, showing real world accounting fraud prevention," Eston wrote.

Once the attackers have backdoor access to the system, they have complete control of all of the system's functionality and are able to fabricate accounting entries to transfer funds to accounts of their choosing. Unless the targeted organization regularly conducts manual reconciliation audits, the manipulation of funds may go undetected for long periods of time.
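An automated form of the reconciliation check mentioned above, as an added example that is not taken from the SecureState whitepaper or from this article. It assumes the bank statement and the approved vendor account list are obtained from outside the accounting database, since an attacker who controls that database can alter anything stored in it; all record layouts, names and values are constructed for illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data; field names and values are illustrative only.
# Approved vendor bank accounts, held OUTSIDE the accounting database.
APPROVED = {"V100": "ACCT-1111", "V200": "ACCT-2222"}

# Payments as recorded in the accounting system: (entry id, vendor, account, amount)
LEDGER = [
    ("E1", "V100", "ACCT-1111", Decimal("1200.00")),
    ("E2", "V200", "ACCT-9999", Decimal("8450.00")),  # remit-to account changed
    ("E3", "V100", "ACCT-1111", Decimal("300.00")),   # never left the bank
]

# Debits from the bank's own statement: (reference, destination account, amount)
BANK = [
    ("B1", "ACCT-1111", Decimal("1200.00")),
    ("B2", "ACCT-9999", Decimal("8450.00")),
    ("B3", "ACCT-7777", Decimal("5000.00")),          # no ledger entry at all
]

def reconcile(ledger, bank, approved):
    """Return a sorted list of (finding, record id) tuples."""
    findings = []
    # 1. Ledger payments whose destination is not the approved account.
    for entry_id, vendor, account, _amount in ledger:
        if approved.get(vendor) != account:
            findings.append(("unapproved_account", entry_id))
    # 2. Multiset match on (account, amount) so duplicates are counted.
    unmatched = Counter((acct, amt) for _ref, acct, amt in bank)
    for entry_id, _vendor, account, amount in ledger:
        if unmatched[(account, amount)] > 0:
            unmatched[(account, amount)] -= 1
        else:
            findings.append(("ledger_without_bank_debit", entry_id))
    # 3. Bank debits left over have no ledger entry behind them.
    for ref, account, amount in bank:
        if unmatched[(account, amount)] > 0:
            unmatched[(account, amount)] -= 1
            findings.append(("bank_debit_without_ledger", ref))
    return sorted(findings)

if __name__ == "__main__":
    for finding, record in reconcile(LEDGER, BANK, APPROVED):
        print(f"{finding}: {record}")
```

Entry E2 matches a real bank debit and balances in the ledger, so only the comparison against the independently held vendor list exposes it.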

"If an attacker can control and manipulate the accounting system of the company to commit mass systems fraud, changing or manipulating financial data is just the beginning. As professional penetration testers, we must demonstrate more advanced attacks to show real impact to the business," Eston said in the report.

The impact of such an attack could be devastating to the organization's bottom line, and severely undermine stakeholder confidence. "If hackers were able to manipulate the world’s accounting systems, governments and corporations would be in a frenzy," the researchers stated.
