• Hackers hit SAP security bug to send out nasty Linux malware

    From TechnologyDaily@1337:1/100 to All on Wed Jul 30 16:15:07 2025
    Hackers hit SAP security bug to send out nasty Linux malware

    Date:
    Wed, 30 Jul 2025 15:04:00 +0000

    Description:
    SAP NetWeaver bug is still being leveraged to drop nasty backdoors against Linux users.

    FULL STORY ======================================================================
    A critical flaw in SAP NetWeaver is still being abused, months after patching.
    Researchers saw it used to deploy Auto-Color.
    This backdoor remains dormant when not in use.

    A vulnerability in SAP NetWeaver is being exploited to deploy Linux malware capable of running arbitrary system commands and deploying additional payloads, experts have warned.

    Security researchers from Palo Alto Networks Unit 42 discovered a piece of malware called Auto-Color, a Linux backdoor, dubbed for its ability to rename itself after installation.

    The researchers found it was capable of opening reverse shells, executing arbitrary system commands, acting as a proxy, uploading and modifying files, and adjusting its settings dynamically. They also discovered that the backdoor remains mostly dormant if its C2 server is unreachable, effectively evading detection by staying inactive until the operator's instructions arrive.

    However, the researchers weren't able to determine the initial infection vector; how the malware made it onto target endpoints remained a mystery, until now.

    Responding to an incident in April 2025, cybersecurity experts from Darktrace investigated an Auto-Color infection at a US-based chemicals company. They were able to determine that the initial infection vector was a critical vulnerability in SAP NetWeaver, a technology platform that serves as the technical foundation for many SAP applications.

    The vulnerability was found in the platform's Visual Composer Metadata Uploader component, which lacked a proper authorization check. As a result, unauthenticated agents were able to upload potentially malicious executable binaries that could do severe damage. It is tracked as CVE-2025-31324 and was given a severity score of 9.8/10, critical.

    SAP fixed the issue in late April 2025, but at the time, multiple security firms were already seeing attacks in the wild. ReliaQuest, Onapsis, watchTowr and Mandiant all reported observing threat actors, Chinese state-sponsored groups among them, leveraging this flaw.

    Given the destructive potential of the flaw, and the fact that a patch has been available for months now, Linux admins are advised to apply it without hesitation and mitigate potential threats.

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/hackers-hit-sap-security-bug-to-send-out-nasty-linux-malware


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)