Full Report
At least two different cybercrime groups BianLian and RansomExx are said to have exploited a recently disclosed security flaw in SAP NetWeaver, indicating that multiple threat actors are taking advantage of the bug. Cybersecurity firm ReliaQuest, in a new update published today, said it uncovered evidence suggesting involvement from the BianLian data extortion crew and the RansomExx ransomware
Analysis Summary
# Incident Report: Multiple Threat Actors Exploiting SAP NetWeaver Flaw
## Executive Summary
Multiple threat actors, specifically the BianLian data extortion crew and the RansomExx ransomware group (tracked as Storm-2460), exploited a recently disclosed security flaw (CVE-2025-31324) in SAP NetWeaver to gain initial access. The attackers deployed the PipeMagic trojan and, in some observed cases, utilized the Brute Ratel C2 framework, indicating a multi-stage attack aimed at potential data exfiltration or ransomware deployment.
## Incident Details
- **Discovery Date:** May 14, 2025 (Date of the relevant update/reporting)
- **Incident Date:** Exploitation activity reported as ongoing, occurring around or subsequent to the patch release for the vulnerability.
- **Affected Organization:** Not explicitly named; multiple organizations targeted globally.
- **Sector:** Unspecified (Implied Enterprise/Organizations running SAP systems)
- **Geography:** Targeted entities observed in the U.S., Venezuela, Spain, and Saudi Arabia (related to subsequent PipeMagic use).
## Timeline of Events
### Initial Access
- **Date/Time:** Since March 2025 (or related to the disclosure of CVE-2025-31324/CVE-2025-42999).
- **Vector:** Exploitation of the SAP NetWeaver security flaw, specifically **CVE-2025-31324**.
- **Details:** Attackers used the vulnerability to drop web shells for initial persistent access.
### Lateral Movement
- **Date/Time:** Post-Infection.
- **Vector:** In one observed case, exploitation of the **Windows CLFS LPE zero-day (CVE-2025-29824)** from a `dllhost.exe` process spawned through inline assembly.
- **Details:** This second stage allowed for privilege escalation following initial access.
### Data Exfiltration/Impact
- **Data Exfiltration:** BianLian is associated with data extortion, suggesting data theft as a goal.
- **Impact:** Deployment of the **PipeMagic trojan** and use of **Brute Ratel C2**, indicating preparation for deeper compromise or ransomware deployment (RansomExx association).
### Detection & Response
- **Detection:** Uncovered by cybersecurity firm ReliaQuest, based on infrastructure links (domain/IP analysis) and observation of post-exploitation activity.
- **Response Actions:** Response actions taken by customers/organizations are not detailed, but vendors like ReliaQuest published updates.
## Attack Methodology
- **Initial Access:** Exploitation of SAP NetWeaver vulnerability (CVE-2025-31324).
- **Persistence:** Deployment of web shells and the PipeMagic trojan.
- **Privilege Escalation:** Exploitation of Windows CLFS vulnerability (CVE-2025-29824) via inline assembly execution.
- **Defense Evasion:** Use of C2 frameworks like Brute Ratel; potential custom evasion techniques by BianLian/RansomExx.
- **Credential Access:** Not explicitly detailed, though typically present at this stage of an intrusion.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Implied via the use of escalation techniques (CVE-2025-29824).
- **Collection:** PipeMagic trojan deployment suggests data gathering.
- **Exfiltration:** Expected activity for BianLian operations.
- **Impact:** Deployment of secondary malware payloads and ransomware preparation (RansomExx).
## Impact Assessment
- **Financial:** Not quantified.
- **Data Breach:** High potential for organizational data theft given BianLian's involvement in data extortion.
- **Operational:** Potential for system disruption due to C2 activity and ransomware deployment (RansomExx).
- **Reputational:** Significant reputational damage for organizations running vulnerable SAP systems.
## Indicators of Compromise (Defanged)
- **Network Indicators:** Server IP `184[.]174[.]96[.]74` (hosting reverse proxy via `rs64.exe`). C2 IP `184[.]174[.]96[.]70`.
- **File Indicators:** `rs64.exe`, PipeMagic trojan, Brute Ratel C2 artifacts.
- **Behavioral Indicators:** Spawned `dllhost.exe` process signaling CLFS exploitation attempt; use of inline MSBuild task execution.
## Response Actions
- **Containment:** Not publicly detailed; would require isolating compromised SAP servers and endpoints showing CLFS exploitation activity.
- **Eradication:** Not publicly detailed; would require removing web shells, PipeMagic, and Brute Ratel components.
- **Recovery:** Not publicly detailed; would involve patching SAP NetWeaver and Windows systems.
## Lessons Learned
- **Key Takeaways:** Critical vulnerabilities in core enterprise systems like SAP NetWeaver (CVE-2025-31324) are weaponized immediately by multiple, diverse threat groups (RansomExx and BianLian). Attackers often chain several vulnerabilities (the SAP flaw plus a Windows LPE) for maximum impact.
- **What could have been done better:** Swift patching of known vulnerabilities, especially when the disclosure is accompanied by reports of active exploitation.
## Recommendations
- Immediately apply patches for SAP NetWeaver vulnerabilities, particularly CVE-2025-31324 and CVE-2025-42999.
- Implement enhanced monitoring around SAP systems and Windows operating systems for signs of LPE attempts (e.g., suspicious `dllhost.exe` behavior or MSBuild execution).
- Review network segmentation to limit connectivity between external-facing services and critical internal assets targeted by ransomware groups.
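The monitoring these recommendations call for, as an added example (not code from ReliaQuest or the original report): a small Python triage script that refangs the indicators listed above and applies them, together with the `dllhost.exe`/MSBuild behavioural pattern, to constructed Sysmon-style log lines. The log line format and field names are assumptions made for the example.

```python
import re

# Indicators exactly as the report lists them (defanged); refang() is applied
# only at match time so this file never carries the live form.
DEFANGED_IPS = ["184[.]174[.]96[.]74", "184[.]174[.]96[.]70"]
SUSPECT_IMAGES = {"rs64.exe"}

def refang(ioc: str) -> str:
    """Undo common defanging: "[.]" / "(.)" -> "." and "hxxp" -> "http"."""
    return re.sub(r"\[\.\]|\(\.\)", ".", ioc).replace("hxxp", "http")

IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}

def parse_line(line: str) -> tuple[str, dict]:
    """Constructed log format (assumed): '<kind> | key=value | key=value ...'."""
    kind, *pairs = [p.strip() for p in line.split("|")]
    return kind, dict(p.split("=", 1) for p in pairs)

def classify(kind: str, f: dict) -> list[str]:
    """Apply the report's network, file and behavioural indicators to one event."""
    image, parent = f.get("image", "").lower(), f.get("parent", "").lower()
    hits = []
    if kind == "network" and f.get("dest_ip") in IOC_IPS:
        hits.append(f"network: connection to reported C2/proxy address {f['dest_ip']}")
    if image in SUSPECT_IMAGES:
        hits.append(f"file: reported artifact {image} observed")
    if kind == "process":
        # dllhost.exe spawned by an MSBuild inline task is the behavioural chain
        # the report ties to the CLFS (CVE-2025-29824) escalation attempt.
        if parent == "msbuild.exe" and image == "dllhost.exe":
            hits.append("behaviour: dllhost.exe spawned by MSBuild inline task")
        elif image == "msbuild.exe":
            hits.append("review: MSBuild execution (inspect project file for inline tasks)")
    return hits

def scan(log: str) -> list[tuple[str, str]]:
    """Return (log line, finding) pairs for every line that matches a rule."""
    findings = []
    for line in filter(None, map(str.strip, log.splitlines())):
        findings += [(line, h) for h in classify(*parse_line(line))]
    return findings

# Constructed sample telemetry (Sysmon-style fields), not data from the incident.
SAMPLE_LOG = """
process | image=MSBuild.exe | parent=cmd.exe | cmdline=msbuild.exe C:\\Users\\Public\\t.xml
process | image=dllhost.exe | parent=MSBuild.exe | cmdline=dllhost.exe
network | image=rs64.exe | dest_ip=184.174.96.74
process | image=svchost.exe | parent=services.exe | cmdline=svchost.exe -k netsvcs
"""
```

Calling `scan(SAMPLE_LOG)` yields four findings: one review hit for the MSBuild launch, the behavioural hit for the MSBuild-spawned `dllhost.exe`, and a network plus a file hit for the `rs64.exe` connection to the reported address; the benign `svchost.exe` line matches nothing.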