Project Mayhem Shows Off Security Risks in ERP Systems, Including Microsoft Dynamics

by Sue Poremba
Contributing Writer

Wisdom among the security community is that the only safe computer is one that is turned off, unplugged, and sitting untouched in a closet. Obviously, the computer is worthless if you do that, which is the point. If you use a computer, hook it up to a network, and run software on it, you need to accept that your data could be at risk.

Enterprise accounting and financial systems have long been considered among the safer software packages, and attacks against them have been infrequent. However, that may be changing after a demonstration at Black Hat Abu Dhabi, where researchers presented proof-of-concept code that could, as Kelly Jackson Higgins at Dark Reading stated, "allow an attacker to basically write himself a check from the victim organization's account."

The researchers, Tom Eston and Brett Kimmel of SecureState, focused on Microsoft Dynamics GP, but noted that any accounting package could be targeted. According to Kaspersky Lab's ThreatPost, "The attack, dubbed Project Mayhem, could enable an attacker to divert funds from a company's accounting and financial systems without immediate detection. In addition to code, the attacker would be relying on the fact that midsized companies in particular, do not have complete control or visibility into financial processes or individual transactions, and are likely to miss fraud at first glance."

Before the hack is noticed, the attacker "could manipulate existing vendor records forcing the system to remit payments to the attacker or a mule, rather than a vendor, or create new vendor entries, new manual check entries, increase customer credit limits, modify accounting records, create negative customer balances that force ...
