Full Report
Multiple firms are tracking the zero-day attacks on Europe’s top software firm. Source article: "SAP cyberattack widens, drawing Salt Typhoon and Volt Typhoon comparisons" (CyberScoop).
Analysis Summary
# Incident Report: Global Exploitation of SAP NetWeaver Zero-Days
## Executive Summary
This incident involves widespread, zero-day exploitation against SAP NetWeaver software, first observed in January 2025, leading to compromise of hundreds of global organizations, including critical infrastructure entities. Attackers gained deep access, comparable to the SolarWinds breach, allowing for remote code execution, data modification, and exfiltration. Remediation has been complicated by the necessity of full system reboots required to apply patches.
## Incident Details
- Discovery Date: Late April 2025 (Public awareness)
- Incident Date: Initial exploitation traced back to January 20, 2025
- Affected Organization: Europe’s biggest software manufacturer (SAP) and hundreds of their customers globally.
- Sector: Oil and Gas, Medical Device Manufacturing, Water/Waste Management, Government Agencies (Critical Infrastructure focused).
- Geography: Primarily United States, United Kingdom, and Saudi Arabia.
## Timeline of Events
### Initial Access
- Date/Time: Extends back as early as January 20, 2025.
- Vector: Exploitation of two zero-day vulnerabilities in SAP NetWeaver (CVE-2025-31324 and a second, then-undisclosed flaw).
- Details: Attackers achieved command execution without necessarily deploying traditional artifacts such as web shells, so standard artifact-based detection methods were largely ineffective (stealthy deployment).
### Lateral Movement
- Details: Given the deep access gained in the middleware layer (SAP NetWeaver), attackers achieved remote access comparable to the SolarWinds Orion platform compromise, allowing them to move throughout the SAP environment.
### Data Exfiltration/Impact
- Details: Attackers succeeded in executing commands, deploying artifacts, and exfiltrating data. They could also modify, delete, or insert SAP data unchecked, disable logging, and create new administrator accounts.
### Detection & Response
- Detected By: Various security firms including Onapsis, EclecticIQ, ReliaQuest, and Mandiant.
- Response Actions: SAP issued patches for the vulnerabilities (April 24, 2025, and May 13, 2025). Vendors collaborated to create an open-source detection tool.
## Attack Methodology
- Initial Access: Zero-day exploitation of SAP NetWeaver vulnerabilities.
- Persistence: Implied through the ability to add new administrators and deploy code executables.
- Privilege Escalation: Effectively achieved full remote control equivalent to administrator rights within the SAP system.
- Defense Evasion: Ability to execute commands without deploying detectable web shells. Attackers also disabled logging capability.
- Credential Access: Not explicitly detailed, but full control likely negated the need for traditional credential theft.
- Discovery: Implied internal reconnaissance facilitated by system-level compromise.
- Lateral Movement: Within the SAP application infrastructure hierarchy.
- Collection: Modification, deletion, insertion, and exfiltration of data.
- Exfiltration: Confirmed by security firms that observed successful data theft.
- Impact: System manipulation, data loss/theft, potential espionage (linked to U.S. tariff negotiations).
## Impact Assessment
- Financial: Unknown, but a scope comparable to the Salt Typhoon and Volt Typhoon breaches suggests a high cost.
- Data Breach: Data modification and theft, with potential espionage against critical infrastructure operators. Thousands of victims suspected.
- Operational: Disruption due to complex patching requirements involving full system reboots of sensitive manufacturing and financial SAP systems.
- Reputational: Significant damage to confidence in SAP infrastructure security.
## Indicators of Compromise
- Network indicators: Not provided in the source text; identifying them would require the published exploitation patterns for the CVE.
- File indicators: Web shells observed in some instances.
- Behavioral indicators: Command execution without web shell presence; disabling of system logging; addition of new administrative accounts.
## Response Actions
- Containment measures: Applying patches released by SAP (requires full system reboot).
- Eradication steps: Unknown, but involves cleanup of malicious artifacts and confirmed backdoors.
- Recovery actions: Restoring services after mandatory reboots of critical SAP systems.
## Lessons Learned
- Zero-days targeting deep-seated middleware like SAP NetWeaver pose systemic risks comparable to major supply chain compromises (e.g., SolarWinds).
- The required complexity of patching (full reboot) severely delays mitigation efforts for critical systems.
- Attackers leveraged the vulnerabilities for significant dwell time (an estimated three months from first exploitation to public disclosure).
## Recommendations
- Immediately apply all vendor patches for SAP NetWeaver vulnerabilities, prioritizing critical systems despite the required downtime.
- Implement enhanced, non-signature-based (behavioral) monitoring around SAP environments to detect command execution that bypasses traditional web shell detection.
- Review incident response plans to account for mandatory outage/reboot procedures when zero-day patching involves core system restarts.