Researchers have unveiled a unique proof-of-concept exploit dubbed “Project Mayhem†which demonstrates how hackers could manipulate enterprise financial accounting systems and steal corporate funds while the illicit transactions remain undetected by traditional network defenses.
Through our research we have seen that there is nothing that has been developed like Mayhem to target accounting systems to commit fraud.
Tom Eston, manager, profiling and penetration team, SecureState
The attack was designed specifically for the Microsoft Dynamics Great Plains (GP) accounting platform, targeting the application on several fronts, from the backend configuration to the user interface. Using the exploit, an attacker can add and remove database entries to transfer funds to accounts of their choosing, including ones set up to pilfer funds. The exploit works on one of the most popular systems with small and medium sized businesses, but is theoretically relevant to a number of similar applications.
The tool was engineered by Spencer McIntyre, a staff consultant with security provider SecureState, and the exploit was outlined in a whitepaper titled “Cash is King: Who's Wearing Your Crown?†authored by colleagues Tom Eston and Brett Kimmell, which was delivered in a presentation at the at the Black Hat security conference in Abu Dhabi on Dec. 6.
“You could theoretically create similar malware to target any accounting system including Oracle Financial or SAP. Through our research we have seen that there is nothing that has been developed like Mayhem to target accounting systems to commit fraud,†said Eston, manager of the profiling and penetration team at Cleveland-based SecureState.
The attack penetrates the application by injecting a malicious DLL into the target process which contains code that acts as replacement functions for the hooks that are installed. Hooks are the message-handling mechanisms which allow applications to install a subroutine and monitor operating system messages for queues to respond.
The exploit uses the hooks to intercept actions from the application which then allows an attacker to proceed with manipulating data by issuing SQL commands directly to the database, which responds as if they are an authorized user, negating system defenses designed to detect fraudulent activities.Â
“Essentially what we're doing is using a popular malware technique to force the application to do something we need it to do when it thinks it's doing something else. This gives us immense power over the application, but is very technically complicated to execute properly,†McIntyre said.
Because the Mayhem malware uses process hooking, all that is required to conduct the attack is for a company to have GP installed on a network. When a user simply runs the application as normal, the malware hijacks the processes already initiated by the GP application.
The Mayhem exploit code was not developed as a means of showing how attackers could gain access to protected systems, but is instead meant to illustrate how an attacker who already has penetrated a network could remain active and operate undetected over a long period of time.
“We chose this method of manipulation because we wanted to focus on the worst case scenario, and that is not the attack vector but rather the manner in which access could be maintained. This is why the proof-of-concept code that we produced is not helpful in gaining access,†McIntyre explained. “As it is right now however our code hasn't been fully weaponized. Our goal was to show the potential for an attacker to maintain access.â€
The greatest risk to a targeted organization from this technique is that an attacker can siphon off funds by manipulating the accounting records over a long period of time, rather than performing more of a smash-and grab-style attack which would be easier to notice and track.
“That is the beauty of this attack, and it would be very hard to detect from a technical perspective. This is the big reason we focus on the non-technical accounting controls. You can compare this to how customer focused banking Trojans in the past have been difficult to fight from a user perspective. We've taken this now to the accounting world, targeting systems that have not been targeted before by malware,†Eston said.
A primary aspect of the Project Mayhem research is the team's desire to expose the technical elements required to commit accounting fraud so that companies have the opportunity to review their non-technical accounting controls for fraud prevention. Only through manual audits can this type of attack be detected, the researchers point out.
“We show the different types of fraud and either by manipulating the database tables directly via the SQL Server or by using Mayhem malware, the fraud can now be more easily committed. It's our hope that our research drives further discussion on how to protect sensitive financial systems like Microsoft Dynamics GP and others,†Eston said.