Full Report
Multiple firms are tracking the zero-day attacks on Europe’s top software firm. The post "SAP cyberattack widens, drawing Salt Typhoon and Volt Typhoon comparisons" appeared first on CyberScoop.
Analysis Summary
# Incident Report: Global Exploitation of SAP NetWeaver Zero-Days
## Executive Summary
A widespread cyberattack targeted SAP NetWeaver systems globally, exploiting previously unknown zero-day vulnerabilities and leading to hundreds of confirmed victims, predominantly in critical infrastructure sectors. Initial exploitation, traced back to January, allowed sophisticated actors to gain remote access comparable to that seen in the SolarWinds incident, execute arbitrary code, and exfiltrate data, necessitating urgent patching and system reboots. The campaign has escalated, with ransomware gangs now believed to be leveraging the disclosed exploits.
## Incident Details
- Discovery Date: Late April (when public disclosure/tracking began); Exploitation confirmed as early as **March** (Google TI) and **January 20** (Onapsis).
- Incident Date: Initial exploitation traced back to **January 20**.
- Affected Organization: Europe’s biggest software manufacturer (SAP) as the source of the vulnerability; hundreds of global customers running SAP NetWeaver are the victims.
- Sector: Oil and Gas, Medical Device Manufacturing, Water and Waste Management, Government Agencies (Critical Infrastructure focus).
- Geography: Primarily United States, United Kingdom, and Saudi Arabia.
## Timeline of Events
### Initial Access
- Date/Time: As early as **January 20**.
- Vector: Exploitation of previously unknown zero-day vulnerabilities (CVE-2025-31324 and a second flaw, patched May 13) in **SAP NetWeaver**.
- Details: Attacks achieved remote command execution *without* necessarily dropping traditional web shells, allowing for stealthy execution.
### Lateral Movement
- Details: Exploitation grants access to the "middleware" layer of SAP infrastructure, enabling broad administrative control, similar to the SolarWinds Orion compromise. Attackers could modify/delete data, turn off logging, and add new administrators. Targeted espionage related to U.S. tariff negotiations was suggested for the January activity.
### Data Exfiltration/Impact
- Details: Actors successfully executed commands, uploaded files/web shells, and **exfiltrated data**. The level of compromise allows full remote access to the SAP system environment.
### Detection & Response
- Detection: Public awareness began in late April. Tracking by firms such as Onapsis and EclecticIQ identified hundreds of victims. Google TI confirmed successful exploitation in March.
- Response actions taken: SAP issued initial patches on **April 24, 2025**, and a second patch on **May 13, 2025**. Vendors developed open-source detection tools.
## Attack Methodology
- Initial Access: Exploitation of SAP NetWeaver Zero-Days (CVE-2025-31324).
- Persistence: Indicated by the ability to add new administrators and potentially deploy executables onto the platform, as in the SolarWinds Orion compromise.
- Privilege Escalation: Not explicitly detailed, but exploitation grants high-level system control (full remote access).
- Defense Evasion: Attacks demonstrated the ability to execute commands without deploying standard web shells, increasing stealth. Attackers also disabled logging.
- Credential Access: Not explicitly detailed, but total system access implies potential credential compromise.
- Discovery: Unspecified, but common post-exploitation activity given the access level.
- Lateral Movement: Control over the SAP middleware layer allows extensive internal manipulation.
- Collection: Attackers were successful in gathering data prior to exfiltration.
- Exfiltration: Confirmed data extraction occurred.
- Impact: Data integrity manipulation (modify/delete data), system espionage, and operational disruption if ransomware gangs exploit the flaw.
## Impact Assessment
- Financial: Estimated costs are unknown, but the scale (potentially thousands of victims) suggests high remediation costs.
- Data Breach: Data type unknown, but includes sensitive operational information processed by SAP systems.
- Operational: Full remediation via patching requires a complete system reboot, which poses significant risk for manufacturing and financial systems.
- Reputational: Negative impact on SAP due to widespread zero-day exposure affecting critical infrastructure globally.
## Indicators of Compromise
- *Note: Specific IoCs are omitted here because the vulnerabilities are under active exploitation and the information was derived from vendor and news reporting.*
- Behavioral indicators: Commands executed without web shell artifacts; Disabling of native logging configurations; Unauthorized creation of administrative accounts on SAP NetWeaver systems.
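The three behavioral indicators above can be turned into simple detection rules. The following is an added illustration, not code from CyberScoop or any of the vendors named; it assumes a constructed key=value audit format (not SAP's real log format), an assumed application-server process name (`java`) and an assumed privileged-role list (`SAP_ALL`), all marked in the comments.

```python
import shlex
from typing import Dict, List

# Constructed sample audit lines in a simple key=value format. The format and
# the field names are assumptions for this illustration, not SAP's own log format.
SAMPLE_LOG = """\
2025-04-25T08:12:05Z host=sapnw01 event=PROCESS_EXEC parent=java cmd="/bin/sh -c id" user=sapadm
2025-04-25T08:13:40Z host=sapnw01 event=AUDIT_CONFIG action=disable user=sapadm
2025-04-25T08:14:02Z host=sapnw01 event=USER_CREATE user=svc_sync roles=SAP_ALL actor=sapadm
2025-04-25T09:00:00Z host=sapnw02 event=FILE_WRITE path=/usr/sap/app/helper.jsp user=sapadm
2025-04-25T09:00:30Z host=sapnw02 event=PROCESS_EXEC parent=java cmd="/bin/sh -c id" user=sapadm
2025-04-25T09:05:00Z host=sapnw02 event=USER_CREATE user=jdoe roles=SAP_DISPLAY actor=ADMIN01
2025-04-25T09:10:00Z host=sapnw02 event=PROCESS_EXEC parent=cron cmd="/usr/bin/backup.sh" user=root
"""

PRIVILEGED_ROLES = {"SAP_ALL"}      # assumed high-privilege profiles; tune per environment
APP_SERVER_PROCESS = "java"         # assumed app-server parent that should never spawn shells
WEBSHELL_EXTENSIONS = (".jsp", ".jspx", ".war")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'ts k=v k="v with spaces"' into a dict; shlex handles the quoting."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for tok in shlex.split(rest):
        key, _, val = tok.partition("=")
        fields[key] = val
    return fields


def detect(log_text: str) -> List[Dict[str, str]]:
    """Apply the three behavioral rules in order; returns one alert dict per match."""
    alerts = []
    webshell_hosts = set()  # hosts where a shell-like file was written earlier in the log
    for line in log_text.splitlines():
        ev = parse_line(line)
        host, kind = ev.get("host", "?"), ev.get("event")
        if kind == "FILE_WRITE" and ev.get("path", "").endswith(WEBSHELL_EXTENSIONS):
            webshell_hosts.add(host)
        elif kind == "PROCESS_EXEC" and ev.get("parent") == APP_SERVER_PROCESS:
            # Shell spawned by the app server with no prior web-shell write = fileless execution
            rule = "webshell_exec" if host in webshell_hosts else "fileless_exec"
            alerts.append({"rule": rule, "host": host, "ts": ev["ts"], "detail": ev.get("cmd", "")})
        elif kind == "AUDIT_CONFIG" and ev.get("action") == "disable":
            alerts.append({"rule": "logging_disabled", "host": host, "ts": ev["ts"], "detail": ev.get("user", "")})
        elif kind == "USER_CREATE" and set(ev.get("roles", "").split(",")) & PRIVILEGED_ROLES:
            alerts.append({"rule": "admin_account_created", "host": host, "ts": ev["ts"], "detail": ev.get("user", "")})
    return alerts
```

Running `detect(SAMPLE_LOG)` yields four alerts: a fileless execution and a logging-disable on sapnw01, a privileged account creation on sapnw01, and a web-shell-backed execution on sapnw02; the display-only account and the cron job are not flagged.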
## Response Actions
- Containment measures: Identification of vulnerable systems; Application of security patches provided by SAP (April 24 and May 13).
- Eradication steps: Full reboot of SAP systems required to finalize patch implementation; thorough investigation for unauthorized administrative accounts or deployed executables.
- Recovery actions: Verification that logging functions are restored and data integrity is confirmed across affected business processes.
## Lessons Learned
- Key takeaways: The long dwell time (exploitation starting in January, public awareness only in April) highlights weak detection of fileless techniques. Public disclosure of a zero-day rapidly broadens the threat landscape, from nation-state actors to ransomware gangs.
- What could have been done better: Faster patching turnaround by customer organizations, particularly given the dependency on high-stakes system reboots for critical infrastructure.
## Recommendations
- Prevention measures for similar incidents: Immediately apply SAP Security Notes patches (April 24 and May 13) to all SAP NetWeaver instances. Conduct comprehensive internal security auditing focusing on deviations from baseline logging configurations on mission-critical systems. Mandate quarterly operational change windows to accommodate high-impact security reboots.