Are you sure your ERP is not a crypto mining farm?

Hackers are not walking past the hype. While cryptocurrency is becoming a new hot topic in the financial world, hackers are said to start using vulnerable systems for cryptocurrency mining.

Mining malware is distributed to victim servers through various vulnerabilities. For example, unpatched Oracle WebLogic servers can work as perfect loopholes to be exploited with Monero mining applications. By now, some group of cybercriminals has already managed to net 666.286 XMR in cryptocurrency worth from $220,000 to $350,000 depending on the rate of exchange. Figure 1 depicts the payment history of cryptocurrency mining malware.

Figure 1. Payment history of cryptocurrency mining malware

Still, we can see that the balance was replenished once again. It means that many companies haven’t noticed an attack yet.

A new malware – RubyMiner – was also found on the Internet. It helps to mine cryptocurrency by scanning and identifying Linux and Windows servers that run outdated software.

Earlier, attackers used hacked systems to conduct DDoS attacks or to distribute the so-called “ransomware” to servers and blackmailed companies. Nowadays, there is another way for hackers to make money. They simply create crypto-mining farms on hacked systems. ERP systems and servers make a great payoff for malefactors as they are more productive than common PCs. This type of incidents refers to mass attacks, and they are intended to infect as many systems as possible. After a breach, hacked systems expect commands from attackers.

An infection with cryptocurrency mining malware turns out to be less critical for businesses than targeted attacks. In most cases, targeted attacks aim to steal critical business data, such as HR information, business, sales and financial data. The consequences might be the worst-case scenario for any company. In our whitepaper “Hardcore SAP Penetration Testing”, we detailed the ways in which an attacker can conduct targeted attacks on SAP systems with the help of a 0-day vulnerability chain. Previously, we made a research that describes how to execute a remote command on SAP system anonymously. It is essential, but insufficient, as an attack requires other steps. You can find them in the whitepaper.

Figure 2. The malicious request to the target system

Therefore, an attacker can execute malicious code on the targeted system. Instead of a calculator, there may be a cryptocurrency mining malware.

Figure 3. Executing code on the target system

It is not a secret that ERP systems have many vulnerabilities, and developers constantly release updates and patches to close them.

Figure 4 illustrates the growing number of detected vulnerabilities in SAP solutions. The graph depicts the total number of SAP Security Notes. Each of them may include a patch for more than one loophole. Just imagine how much work it takes to perform hundreds of security checks!

Figure 4. Cumulative total of SAP Security Notes

Customers sometimes seem reluctant to install necessary patches because they need to conduct numerous checks before installing a patch in a production system. This means that 1-day vulnerabilities always exist in them.

On top of vulnerabilities, ERP systems have various settings, and nothing prevents errors during the process of setting them up. Therefore, systems become vulnerable.

Keep in mind various types of attackers. They may be outside the company and black-hat hackers who found 0-day vulnerabilities in ERP systems. Former employees that know critical data of ERP systems as well as current employees – be it a programmer, an administrator or any other staff member with access to ERP servers – can perform a breach. For example, programmers can leave source code backdoors and administrators can install malware to the systems.


As for the protection measures from cryptocurrency mining malware, we recommend to:

  • monitor outbound connections to a mining pool (though attackers can use proxy);
  • carefully analyze processes with high and constant CPU consumption (though attackers can launch their malware during off-hours);
  • check energy consumption for abnormal magnification (difficult to determine for large companies).

While all the methods mentioned above are important, they have their disadvantages. To have a complex approach, it is recommended to conduct regular Security Audits to detect vulnerabilities and identify configuration errors. Proper code analysis can also help to detect backdoors in source code.

    Do you want more?

    Subscribe me to your mailing list