Infostealers: Silent Thieves That Affect SAP Applications

In today’s digital world, our personal information is a valuable commodity. Unfortunately, there are malicious actors lurking online, waiting to steal this data through a type of malware called Infostealers. These programs operate silently in the background, siphoning off sensitive information without you even realizing it. In this article, we’ll delve into the dangers of Infostealers, how this threat is relevant to SAP applications, and why it’s critical to be aware of them. 

For those who are not yet familiar with the topic, let's start with the basics:

What Information Do Infostealers Target?

Imagine a digital pickpocket – that’s essentially what an Infostealer is. They target a wide range of sensitive information, including:

  • Login Credentials: Usernames and passwords for email accounts, social media platforms, banking portals, and even online games are prime targets.
  • Financial Details: Credit card numbers, bank account details, and other financial information can be stolen to make fraudulent purchases or drain your accounts.
  • Personal Data: Infostealers can capture your name, address, phone number, and even Social Security number, putting your identity at risk of theft.
  • Cryptocurrency Wallets: With the rise of cryptocurrencies, digital wallets containing valuable assets are also becoming targets for Infostealers.

How Do Infostealers Work?

Infostealers employ various technical methods to steal data:

  • Form Grabbers: Hooks placed in the browser intercept the contents of web forms at the moment they are submitted, before TLS encrypts the request, so login credentials are captured as you type them in.
  • Browser Hooks: Infostealers can "hook" into your browser more broadly, monitoring your activity and stealing any login information you enter on any website.
  • Credential Sniffing: They can capture network traffic between your device and websites; this yields credentials only for connections that are not encrypted (for example, logins sent over plain HTTP).
  • Local File Scanning: Most infostealers scan the device for stored browser logins (saved password databases), session cookies, and other files, such as configuration files, that may contain credentials.

Deceptive Delivery: How Infostealers Spread

Infostealers are often cleverly disguised as legitimate software, making them particularly dangerous. Here are some common ways they infiltrate your device:

  • Game Cheats & Cracks: Free hacks or cracks promising an edge in online games may contain infostealers, stealing your login credentials for the gaming platform or, worse, for everything else stored on the system.
  • Phishing Emails: Deceptive emails designed to look like they’re from trusted sources like banks or software companies may contain links that download Infostealers when clicked. Be wary of emails urging you to click on suspicious links or download attachments.
  • Fake Software Downloads: Free software downloads advertised online, especially from untrusted sources, may contain Infostealers. Always download software from official websites and reputable vendors.
  • Malicious Ads: Even seemingly harmless online advertisements can be hiding Infostealers. Avoid clicking on suspicious ads, especially those that make exaggerated claims or seem too good to be true.

Real-World Example: The Case of the Malicious Application

Imagine you're a developer looking for a productivity app to boost your performance. You come across a free desktop application on a third-party website that promises to help you manage your resources and increase your productivity. This seemingly helpful app is actually an infostealer in disguise. Once installed, it runs quietly in the background, capturing the login credentials for the applications and accounts you use on that computer. With the stolen credentials, attackers can hijack those accounts, steal your information, or pivot to other accounts linked to the same email address. This applies not only to personal accounts but also to work environments, whether the unsafe action is performed on the work computer or on a personal computer that is regularly used to open work applications.

Why Addressing Infostealers is Important

Infostealers pose a significant threat because compromised credentials can lead to a domino effect of security issues. Stolen logins can be used to:

  • Hijack Your Accounts: Attackers can use your stolen logins to gain access to your email, bank accounts, social media profiles, and other online accounts.
  • Commit Identity Theft: Stolen personal data can be used to create fake identities for fraudulent purposes, causing significant financial and legal problems for the victim.
  • Sell Your Information on the Dark Web: The stolen data can be sold on underground marketplaces, fueling further cybercrime activities.

CISA has released alerts on several occasions highlighting the importance of securing systems against infostealers, both in general and for specific families such as ICONICSTEALER and LokiBot.

InfoStealers and SAP Applications

Infostealers are not a threat specific to SAP or ERP applications, but they do affect these critical assets: credentials and sensitive information stolen from legitimate users can be used to maliciously access business-critical applications. No vulnerability in the application itself is required; the attacker simply logs in.

Analyzed through the MITRE ATT&CK framework, threat actors use the "Credential Access" tactic to compile large numbers of credentials that will ultimately be used to access these applications. Techniques such as T1555.003 (Credentials from Password Stores: Credentials from Web Browsers) and T1539 (Steal Web Session Cookie) are how the credentials and sessions are obtained. These are then used, by the same or by other actors, as part of the "Initial Access" tactic through T1078 (Valid Accounts) to log in to applications that hold sensitive information and can be used to commit financial fraud.

To quantify this threat, the Onapsis Research Labs analyzed a dataset compiled by researchers from the security firm Cinta Infinita. Cinta Infinita monitors and compiles compromised credentials that are stolen by infostealers and then shared across multiple Telegram forums.

By analyzing the raw data, it was possible to extract the credentials that point to applications running on SAP technology. Each stolen credential is recorded together with the URL it belongs to, and the following URL paths identify SAP applications:

Path           Description
/ui5_ui5       Applications built with SAPUI5 (based on OpenUI5).
/webdynpro     Applications built with Web Dynpro, SAP's web UI technology.
/sap/bc        ICF services on SAP ABAP systems (SAP Basis components), served by the SAP ICM.
/irj/portal    The SAP Enterprise Portal application (SAP NetWeaver AS Java).
/its/webgui    SAP GUI for HTML (WebGUI), which exposes the full SAP ABAP functionality through the browser.

Filtering all credentials for the paths listed above yields approximately 1.2 million matches. In other words, of the credentials captured by infostealers and shared across criminal forums and Telegram groups, 1.2 million belong to SAP applications. Looking at those credentials more closely, the following cases have special relevance from a security perspective:

Number of credentials   Description
4700+                   Credentials for the SAP WebGUI, which could be used to perform sensitive actions in SAP ABAP-based applications.
450+                    Credentials for the user "Administrator", possibly a high-privileged user in SAP Java systems.
250+                    Credentials whose username contains the word "basis", potentially indicating high-privileged and/or generic accounts.
150+                    Credentials for the UmeAdminApp (User Management Engine administration), possibly indicating high-privileged users in SAP Java systems.
20+                     Credentials for the user SAP*, the superuser of SAP ABAP-based applications.

The domains and URLs in the dataset can be explored in the same way, revealing the following associations:

Number of domains   Description
13K+                Domains with the /irj/portal path, indicating SAP Enterprise Portal applications.
6300+               Domains with a FioriLaunchpad path, indicating SAP Fiori applications.
2300+               Domains with .gov in their DNS name, potentially SAP applications supporting government organizations.
400+                Domains containing the word "solman", potentially SAP Solution Manager systems.
25                  Domains with .mil in their DNS name, potentially SAP applications supporting military organizations.
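The two tables above come from the same kind of processing: parse each leaked record, keep only URLs that carry an SAP path marker, then count credential-level and domain-level properties. The script below is an added example written for this article, not the Onapsis or Cinta Infinita tooling, and it runs over a small constructed sample in the URL:USER:PASS layout that stealer logs are commonly shared in. The path markers and user patterns are the ones from the tables; the sample hostnames and credentials are made up.

```python
from collections import Counter
from urllib.parse import urlparse

# URL path fragments that identify applications built on SAP technology (from the table above).
SAP_PATH_MARKERS = ("/ui5_ui5", "/webdynpro", "/sap/bc", "/irj/portal", "/its/webgui")

# Constructed sample in the URL:USER:PASS layout; none of these hosts or accounts are real.
SAMPLE_LOG = """\
https://erp.example.com/sap/bc/gui/sap/its/webgui?sap-client=100:JDOE:Winter2024!
https://portal.example.gov/irj/portal:Administrator:Passw0rd
https://solman.example.com:50000/webdynpro/resources/sap.com/tc~sec~ume~wd~umeadmin/UmeAdminApp:j2ee_admin:secret
https://erp.example.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html:basis_ops:hunter2
https://hr.example.mil/sap/bc/webdynpro/sap/hrwpc_fc_team:SAP*:Sap123
https://www.example.com/login:jdoe:notsap
https://erp.example.com/sap/bc/gui/sap/its/webgui:bad line without pass
"""


def parse_line(line):
    """Split one URL:USER:PASS line. Returns (url, user, password) or None if malformed."""
    # Split from the right because the URL itself contains ':' (scheme, optional port).
    # A password containing ':' is inherently ambiguous in this layout and would mis-split.
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, user, password = parts
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc or not user:
        return None
    return url, user, password


def is_sap_url(url):
    """True if the URL path contains one of the SAP technology markers."""
    path = urlparse(url).path.lower()
    return any(marker in path for marker in SAP_PATH_MARKERS)


def credential_tags(url, user):
    """Credential-level properties from the first table (WebGUI, Administrator, basis, UME admin, SAP*)."""
    path = urlparse(url).path.lower()
    tags = []
    if "/its/webgui" in path:
        tags.append("webgui")
    if user == "Administrator":
        tags.append("java-administrator")
    if "basis" in user.lower():
        tags.append("basis")
    if "umeadminapp" in path:
        tags.append("ume-admin")
    if user.upper() == "SAP*":
        tags.append("sap-star")
    return tags


def domain_tags(url):
    """Domain-level properties from the second table (portal, Fiori, .gov, .mil, solman)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".")
    path = parsed.path.lower()
    tags = []
    if "/irj/portal" in path:
        tags.append("enterprise-portal")
    if "fiorilaunchpad" in path:
        tags.append("fiori")
    if "gov" in labels:
        tags.append("gov")
    if "mil" in labels:
        tags.append("mil")
    if "solman" in host:
        tags.append("solman")
    return tags


def analyze(text):
    """Count SAP credentials, credential tags and (deduplicated) domain tags in a leak dump."""
    cred_counts, per_host, rejected, sap_total = Counter(), {}, 0, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            rejected += 1
            continue
        url, user, _password = record
        if not is_sap_url(url):
            continue
        sap_total += 1
        cred_counts.update(credential_tags(url, user))
        # Domains are counted once each, however many credentials point at them.
        host = urlparse(url).hostname.lower()
        per_host.setdefault(host, set()).update(domain_tags(url))
    domain_counts = Counter(tag for tags in per_host.values() for tag in tags)
    return {"sap_credentials": sap_total, "credentials": cred_counts,
            "domains": domain_counts, "rejected": rejected}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Running the script over a real dump means feeding it the combined text files from the leak and replacing SAMPLE_LOG; the per-host deduplication is what turns credential counts into the domain counts of the second table, and the rejected counter tells you how much of the dump the simple URL:USER:PASS assumption failed to parse.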

These data points show that infostealers give attackers access to critical users and critical applications, across the world and regardless of the type of organization.

Addressing the Threat of InfoStealers

There are three major strategies related to addressing the threat of InfoStealers: 

Preventing execution of infostealers: First and foremost, preventing the initial compromise is the best way to avoid any impact. That starts with understanding the threat and practicing safe online habits, which significantly reduce the risk of falling victim to these silent thieves. Some tips to stay safe:

  • Be cautious with downloads: Only download software from official sources and reputable vendors.
  • Beware of phishing emails: Don't click on suspicious links or attachments in emails, even if they appear to come from legitimate sources.
  • Keep work accounts on managed devices: As the scenario above shows, a personal computer that is used to open work applications exposes the work credentials just the same when it gets infected.

Strengthening user access: Secondly, it is important to protect accounts so that even when credentials are compromised, organizations can prevent them from being used:

  • Enable multi-factor authentication (MFA): MFA adds an extra layer of security, making it much harder for attackers to gain access even if they have stolen your password. For SAP applications this usually means authenticating through a central identity provider (for example via SAML 2.0 single sign-on) that enforces MFA, rather than relying on local passwords. Keep in mind that a stolen session cookie (T1539) bypasses MFA entirely, so session lifetimes should be short and sessions should be invalidated when a compromise is suspected.
  • Use strong and unique passwords: Strong passwords are always recommended, but an infostealer obtains the credential irrespective of its complexity. What does help is using a unique password for each account, since that prevents lateral movement with the same password across different accounts.

Monitoring user access: Third, it is important to monitor accounts, both those that are critical from a security perspective and all other end-user accounts, for anomalous behavior that may indicate a credential compromise.

Monitor critical activity: SAP applications offer a wide range of interfaces and mechanisms for performing critical actions. Ensure you have visibility into the critical actions executed on the system; changes to the system configuration and to user authorizations are just two examples.

Monitor user accounts: Implement monitoring of user logons and user actions, together with detection of anomalous user activity. Make sure this also covers critical service users and default accounts such as SAP* and Administrator, since, as the dataset above shows, those are among the credentials being traded.
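The monitoring points above translate into a few concrete detection rules for logon events: a logon by a default or critical account, a successful logon from a network the user has never used before, and the same user logging on from two different networks within a short window, which is what a stolen credential being replayed from the attacker's machine looks like while the legitimate user is still at work. The script below is an added example written for this article, not part of Onapsis' or SAP's tooling. It runs over a constructed, simplified extract of logon events (timestamp, client, user, source IP, result); the real SAP Security Audit Log has a different layout, so the parser is an assumption about an export format, and the per-user baseline of known networks would normally be built from historical logons rather than hard-coded.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: default/high-privilege accounts whose logons should always be reviewed.
CRITICAL_ACCOUNTS = {"SAP*", "DDIC", "ADMINISTRATOR", "J2EE_ADMIN"}

# Constructed baseline: the /24 networks each user normally logs on from.
BASELINE = {
    "JDOE": {ipaddress.ip_network("10.20.30.0/24")},
    "MSMITH": {ipaddress.ip_network("10.20.30.0/24")},
}

# Constructed logon export (timestamp,client,user,source IP,result); 203.0.113.0/24 is a
# documentation range standing in for an attacker-controlled external address.
SAMPLE_EVENTS = """\
2024-05-06T08:01:12Z,100,JDOE,10.20.30.41,OK
2024-05-06T08:05:44Z,100,JDOE,10.20.30.41,OK
2024-05-06T09:10:03Z,100,JDOE,203.0.113.7,OK      # replayed credential from outside
2024-05-06T09:12:30Z,100,JDOE,10.20.30.41,OK      # legitimate user still active
2024-05-06T09:30:00Z,000,SAP*,203.0.113.7,OK      # superuser logon from the same outside host
2024-05-06T09:31:00Z,100,MSMITH,10.20.30.55,FAIL
2024-05-06T09:32:00Z,100,MSMITH,10.20.30.55,OK
"""


def parse_events(text):
    """Parse the simplified export into event dicts; '#' starts a comment."""
    events = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, client, user, ip, result = [field.strip() for field in line.split(",")]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "user": user,
            # Collapse the source address to its /24 so small office/VPN pools count as one network.
            "net": ipaddress.ip_network(f"{ip}/24", strict=False),
            "ok": result == "OK",
        })
    return events


def detect(events, baseline, window=timedelta(minutes=10)):
    """Return (rule, user, timestamp) alerts for successful logons that look like credential misuse."""
    alerts = []
    recent = defaultdict(list)  # user -> [(timestamp, network)] of recent successful logons
    for event in sorted(events, key=lambda e: e["ts"]):
        if not event["ok"]:
            continue  # failed logons belong to brute-force rules; a stolen credential succeeds
        user, net, ts = event["user"], event["net"], event["ts"]

        # Rule 1: any logon by a default or critical account is worth a look.
        if user.upper() in CRITICAL_ACCOUNTS:
            alerts.append(("critical-account-logon", user, ts))

        # Rule 2: successful logon from a network not in the user's baseline
        # (a user with no baseline at all is treated as never seen from anywhere).
        if net not in baseline.get(user, set()):
            alerts.append(("new-source-network", user, ts))

        # Rule 3: same user from two different networks inside the window.
        recent[user] = [(t, n) for t, n in recent[user] if ts - t <= window]
        if any(n != net for _, n in recent[user]):
            alerts.append(("multiple-networks-in-window", user, ts))
        recent[user].append((ts, net))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(parse_events(SAMPLE_EVENTS), BASELINE):
        print(f"{ts.isoformat()}  {rule:30} {user}")
```

Rule 2 fires for the JDOE logon from 203.0.113.7 and for SAP* (no baseline), rule 1 for SAP*, and rule 3 for JDOE's second logon at 09:12:30, which lands within ten minutes of the external one. MSMITH never alerts: the failed logon is ignored and the successful one comes from a known network. In production the window and the /24 aggregation are tuning knobs, and the baseline should be learned from a few weeks of audit log rather than typed in.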