Article Details
Scrape Timestamp (UTC): 2025-07-30 07:51:56.383
Source: https://thehackernews.com/2025/07/hackers-exploit-sap-vulnerability-to.html
Original Article Text
Hackers Exploit SAP Vulnerability to Breach Linux Systems and Deploy Auto-Color Malware

Threat actors have been observed exploiting a now-patched critical SAP NetWeaver flaw to deliver the Auto-Color backdoor in an attack targeting a U.S.-based chemicals company in April 2025.

"Over the course of three days, a threat actor gained access to the customer's network, attempted to download several suspicious files and communicated with malicious infrastructure linked to Auto-Color malware," Darktrace said in a report shared with The Hacker News.

The vulnerability in question is CVE-2025-31324, a severe unauthenticated file upload bug in SAP NetWeaver that enables remote code execution (RCE). It was patched by SAP in April.

Auto-Color, first documented by Palo Alto Networks Unit 42 earlier this February, functions akin to a remote access trojan, enabling remote access to compromised Linux hosts. It was observed in attacks targeting universities and government organizations in North America and Asia between November and December 2024.

The malware has been found to hide its malicious behavior should it fail to connect to its command-and-control (C2) server, a sign that the threat actors are looking to evade detection by giving the impression that it's benign. It supports various features, including reverse shell, file creation and execution, system proxy configuration, global payload manipulation, system profiling, and even self-removal when a kill switch is triggered.

The incident detected by Darktrace took place on April 28, when it was alerted to the download of a suspicious ELF binary on an internet-exposed machine likely running SAP NetWeaver. That said, initial signs of scanning activity are said to have occurred at least three days prior.

"CVE-2025-31324 was leveraged in this instance to launch a second-stage attack, involving the compromise of the internet-facing device and the download of an ELF file representing the Auto-Color malware," the company said.
"From initial intrusion to the failed establishment of C2 communication, the Auto-Color malware showed a clear understanding of Linux internals and demonstrated calculated restraint designed to minimize exposure and reduce the risk of detection."
Daily Brief Summary
Threat actors exploited a critical SAP NetWeaver vulnerability, CVE-2025-31324, facilitating a malware attack on a U.S.-based chemicals company.
The Auto-Color malware, resembling a remote access trojan, targeted the company in April 2025, enabling unauthorized remote access to Linux systems.
SAP patched the vulnerability in the same month as the attack, emphasizing the need for prompt system updates to mitigate such security risks.
The malware exhibited capabilities for reverse shell access, file management, and evasion measures, including concealing its malicious behavior if it failed to connect to its control server.
The intrusion was first detected by Darktrace due to a suspicious file download three days after the initial network scan, underscoring the importance of continuous monitoring.
The attack's sophistication included manipulation of system settings and potential for self-removal, highlighting the advanced capabilities of Auto-Color malware.
This incident marks a significant breach, with implications for security practices in industries with critical infrastructure.