¡Alerta Roja! Chinese Hackers Exploiting SAP – Your Critical Systems at Risk!

¡Oye, mi gente! Your cybersecurity compadre is back, and today, ¡Ay Dios mío!, we have some serious chisme from the digital trenches. A big report just dropped – “Global Critical Infrastructure Under Siege” – and it’s a caliente situation about how Chinese state-backed hackers and some ransomware opportunists have been making a fiesta out of SAP vulnerabilities. This is not just some small-time stuff; we’re talking about our critical infrastructure, the things that keep our lights on and water flowing!

El Resumen Ejecutivo – The Big Picture, Quick Quick!

So, in May 2025, the alarm bells went ringing. Turns out, some very naughty groups, some backed by the Chinese state and others just looking for quick cash (ransomware crews), found some juicy holes in SAP NetWeaver Visual Composer. These are CVE-2025-31324 and CVE-2025-42999, ¡memorize these numbers! They used these to attack big, important sectors worldwide – energy, utilities, manufacturing, even government. SAP is like the heart of many of these businesses, often connected to the Operational Technology (OT), the machines doing the real work.

These hackers were not playing games. They used sophisticated TTPs (Tactics, Techniques, and Procedures) like deploying web shells for a backdoor party and executing code from afar (Remote Code Execution, or RCE). Hundreds of systems got compromised. ¡Qué desastre! This means data could be stolen, spies could be watching, and in the worst case, physical stuff could be messed up. The scary part? These vulnerabilities were weaponized super fast, showing these hackers are very quick to turn a disclosed vulnerability into a weapon. They are targeting SAP because it’s often the bridge between the IT (Information Technology – the office computers) and the OT (Operational Technology – the factory controls).

La Crisis de SAP – How it All Unfolded

Imagine, May 11, 2025, the news breaks: Chinese state hackers are exploiting SAP. ¡Un escándalo! SAP NetWeaver Visual Composer was their way in. Why this component? Because it’s a development tool, so if you control it, you can get deep into the business systems. And guess what? It looks like they were using it as a “zero-day” – meaning they knew about the holes before SAP or the good guys did. That’s pro-level hacking, mi gente.

Deep Dive into SAP Vulnerabilities – The Nitty-Gritty

Two main CVEs were the culprits here:

  1. CVE-2025-31324: This one is a beast. It’s an unauthenticated file upload vulnerability in the Metadata Uploader of SAP NetWeaver Visual Composer (version 7.50).
    • CVSS Score: SAP gave it a 10.0 – Critical! That’s the maximum, meaning it’s easy to exploit and gives full control.
    • Impact: An attacker, without needing any password, could upload bad files (like JSP web shells) to the /developmentserver/metadatauploader endpoint. Boom! RCE, and they own your SAP server.
    • Discovery: ReliaQuest found it in the wild on April 22, 2025. SAP patched it on April 24 with Security Note 3594142.
  2. CVE-2025-42999: Another critical one, a deserialization flaw in the same Visual Composer component.
    • CVSS Score: 9.1 (Critical).
    • Impact: By itself, a privileged user could upload bad stuff. But, the real danger was when chained with CVE-2025-31324. This combo let unauthenticated attackers run commands remotely. ¡Muy inteligente!
    • Exploitation Context: Onapsis saw them using both together as early as March 2025. First, the file upload (CVE-2025-31324) to get in, then the deserialization (CVE-2025-42999) for more power.
    • Disclosure: SAP disclosed this on May 13, 2025, with Security Note 3604119.

Timeline of the Fiesta (Not a Good One)

  • January 20, 2025: Onapsis saw attackers testing things out. They knew about this way before us!
  • March 12, 2025: Mandiant sees the first exploitation.
  • Late March 2025: Web shells being deployed. Attackers making themselves at home.
  • April 22, 2025: ReliaQuest spots CVE-2025-31324 being used as a zero-day.
  • April 24, 2025: SAP releases the first patch.
  • Late April 2025: CISA adds CVE-2025-31324 to its Known Exploited Vulnerabilities (KEV) list.
  • April 29, 2025: Forescout sees “Chaya_004” group busy exploiting. C2 traffic is lighting up.
  • April 30, 2025: Original attackers go quiet, but then a “second wave” of opportunists starts using the already planted web shells.
  • May 13, 2025: SAP patches CVE-2025-42999.

Here’s a little table, my friends, to make it clearer:

| CVE ID | Vulnerability Description | CVSS v3.1 Score | Affected SAP Component | Key Exploitation Vector | SAP Security Note(s) |
|---|---|---|---|---|---|
| CVE-2025-31324 | Unauthenticated file upload in Metadata Uploader of Visual Composer | 10.0 | SAP NetWeaver Visual Composer Framework (ver 7.50) | RCE via malicious file upload to /developmentserver/metadatauploader | 3594142 |
| CVE-2025-42999 | Deserialization vulnerability in SAP NetWeaver Visual Composer | 9.1 | SAP NetWeaver Visual Composer | Chained with CVE-2025-31324 for unauthenticated RCE | 3604119 |

Attribution – Who Are These Guys? (Los Actores)

This wasn’t just one crew; it was a party of bad actors.

  • Chinese State-Nexus Threat Actors: Many big security companies (EclecticIQ, Forescout, Mandiant, Palo Alto Networks) point fingers at Chinese state groups, possibly linked to their Ministry of State Security (MSS). Their game? Cyber espionage, stealing data, and getting long-term access to critical places.
    • Chaya_004: Seen using CVE-2025-31324 from April 29. Used servers on Chinese cloud platforms (Alibaba, Tencent, Huawei) for their “SuperShell” backdoor. They even used fake SSL certificates that looked like Cloudflare’s. Their tools had Chinese names, like “服务数据_20250427_212229.txt”.
    • UNC5221, UNC5174, CL-STA-0048: Also linked to China’s MSS.
      • UNC5221: Known for hitting edge devices (like VPNs). Used KrustyLoader (Rust-based) to drop Sliver backdoors.
      • UNC5174: Also likes edge devices. Used SNOWLIGHT loader for VShell (Go-based RAT) and GOREVERSE backdoors.
      • CL-STA-0048: Targets South Asia. Tried to set up reverse shells to known C2 IPs. Uses PlugX backdoor.
  • Opportunistic Exploitation – The Ransomware Vultures: After the state actors did their thing, ransomware groups like BianLian and RansomEXX (Storm-2460) jumped in, using the same holes, probably on systems already opened up.
    • BianLian: Linked to a server (184.174.96.74) doing reverse proxy stuff.
    • RansomEXX: Seen deploying ‘PipeMagic’ backdoor.

Anatomy of the Attacks – How They Did It (El Modus Operandi)

  1. Initial Access: Main door was CVE-2025-31324, often combined with CVE-2025-42999 for more powerful RCE. Some attackers were so good they could run commands without dropping web shells, making them harder to detect.
  2. Web Shell Deployment & C2: Uploaded JSP web shells like coreasp.js (using AES/ECB encryption, similar to Behinder toolkit) and forwardsap.jsp. Their Command and Control (C2) servers were often on Chinese cloud platforms, using those fake Cloudflare SSL certs to look legit.
  3. Post-Exploitation: Once inside, they looked around (reconnaissance), tried to move to other systems (lateral movement), and steal data (exfiltration). They were very interested in backup details and system metadata. They even tried to reach cloud stuff like AWS and Microsoft Entra ID. CL-STA-0048 used ping for DNS beaconing to sneak out data.
  4. Malware and Tools:
    • SuperShell: Go-based reverse shell (Chaya_004).
    • KrustyLoader: Rust-based loader for Sliver backdoors (UNC5221).
    • SNOWLIGHT, VShell, GOREVERSE: Malware chain used by UNC5174.
    • Brute Ratel C4: Commercial red-teaming tool.
    • PipeMagic: Backdoor linked to RansomEXX.
    • Nuclei: Open-source scanner to find vulnerable SAP systems.
    • And other common tools like Cobalt Strike, SoftEther VPN.

Global Impact – Who Got Hit and How Bad (El Daño)

SAP is everywhere, so this was global.

  • Targeted Sectors:
    • Energy: UK natural gas, US oil & gas.
    • Utilities: UK water and waste management.
    • Manufacturing: US medical devices.
    • Government: Saudi Arabian ministries.
    • Also: Pharma, retail, media. Hundreds of SAP systems compromised. EclecticIQ found 581 breached SAP NetWeaver instances.
  • Geographical Scope: Main hits in US, UK, Saudi Arabia. CL-STA-0048 also points to South Asia. Shadowserver found over 400 SAP NetWeaver servers just open on the internet. ¡Ay, qué fácil se lo ponen algunos!
  • The Critical Nexus – SAP and OT: This is the scary part. SAP systems like ERP, SCM, MII (Manufacturing Integration and Intelligence), and PCo (Plant Connectivity) are often connected to Industrial Control Systems (ICS) and SCADA.
    • SAP MII links ERP to factory floor systems.
    • SAP PCo talks directly to industrial devices using protocols like OPC UA, MQTT, and Modbus.
    • If SAP is hacked, attackers can jump from IT to OT. This can lead to industrial espionage, stealing operational data, messing up physical processes, or even causing physical damage. The report says compromised SAP systems were often highly connected to ICS networks. This lack of segmentation is a big, big problem.

Experts compare this to other big campaigns like Volt Typhoon and Salt Typhoon, also linked to China and targeting critical infrastructure. It seems the goal is to get in, stay quiet, and be ready for future actions.

Response and Remediation – What’s Being Done (La Lucha)

  • SAP’s Actions:
    • April 24: Security Note 3594142 for CVE-2025-31324.
    • May 1: Updated patch for more NetWeaver versions.
    • May 13: Security Note 3604119 for CVE-2025-42999, addressing the root cause.
    • SAP told everyone: PATCH YOUR SYSTEMS!
  • Government and Agency Responses:
    • CISA (US): Added CVE-2025-31324 to KEV catalog. Federal agencies had to patch by May 20.
    • NCSC (UK): Issued alerts, told people to follow vendor advice.
    • Chinese Embassy (London): Denied everything, standard procedure. “Not us, we are victims too, stop politicizing.” Ya, ya, we heard that one.
  • Industry Collaboration: Security firms like Onapsis, EclecticIQ, Mandiant, etc., did amazing work tracking and sharing info. Mandiant and Onapsis even released an open-source tool to find Indicators of Compromise (IoCs) for CVE-2025-31324. ¡Bravo!

Strategic Implications – What This Means for Tomorrow (El Futuro)

  • Enterprise Apps are Big Targets: SAP, Oracle, Salesforce… if it’s big and important, hackers want it.
  • IT/OT Convergence Risk: This is a huge danger zone. Hacking IT can lead to OT nightmares. This isn’t just about stealing data anymore; it’s about potential physical disruption.
  • Software Supply Chain: While this was about vulnerabilities in SAP itself, it shows how much we trust big software. If that software has a hole, we all suffer.
  • Future Actions: Expect more of this. China-linked groups will keep targeting enterprise apps and edge devices. Opportunists will pile on unpatched systems. Those who got in and went “dark” might be waiting for the right moment to act.

Comprehensive Recommendations – What YOU Need To Do (¡Pónganse las Pilas!)

Okay, mi gente, no time for siestas. Here’s your homework:

  1. Immediate Actions – Patch, Patch, Patch!:
    • Apply SAP Security Notes 3594142 and 3604119. ¡Ahora mismo!
    • Internet-facing SAP systems first!
    • Use CISA’s KEV catalog to prioritize.
    • If you can’t patch right away, use SAP’s workarounds (carefully, check latest advice!). Maybe disable Visual Composer if you don’t need it or restrict network access to that /developmentserver/metadatauploader.
  2. Network Security & Segmentation (IT/OT) – Build Walls!:
    • Strictly segment IT and OT networks. Use a DMZ. This is CRITICAL.
    • Isolate OT from the internet. No direct connections!
    • Secure remote access to OT with VPNs, strong MFA (Multi-Factor Authentication), and least privilege.
  3. Enhanced Monitoring, Detection, Incident Response – Watch Like a Hawk!:
    • Use the Mandiant/Onapsis IoC scanner.
    • Monitor for weird access to /developmentserver/metadatauploader.
    • Look for suspicious files (JSP shells) in SAP directories.
    • Monitor for C2 traffic (those fake Cloudflare certs, known bad IPs, Chinese cloud IPs).
    • Have good logs for SAP and everything around it.
    • Have an OT-specific Incident Response plan. And practice it!
    • Can you run your OT manually if hackers shut down the computers? You better be able to.
  4. SAP-Specific Security Hardening – Lock Down SAP!:
    • Review SAP security configurations.
    • Use least privilege for users.
    • Disable unused SAP services.
  5. Long-Term Cybersecurity Posture – Stay Strong!:
    • Invest in EDR (Endpoint Detection and Response) and NDR (Network Detection and Response).
    • Do regular vulnerability scans and penetration tests, especially for SAP and its OT connections.
    • Manage your software supply chain risk.
    • Train your people! Cybersecurity culture is key.
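One way to implement the log-side checks from items 1 and 3 above (POSTs to the Metadata Uploader, requests to JSP web shells in SAP web directories), as an added example that is not from the report or from the Mandiant/Onapsis scanner: it assumes a common-log-format style HTTP access log, the field layout is an assumption you adapt to your ICM/web dispatcher log settings, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Endpoint and web-shell file names are the ones named in the report above.
UPLOADER_PATH = "/developmentserver/metadatauploader"
KNOWN_SHELL_NAMES = {"coreasp.js", "forwardsap.jsp"}

# Assumed common-log-format layout: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

@dataclass
class Finding:
    ts: str
    ip: str
    severity: str
    reason: str
    path: str

def analyze_access_log(lines: List[str], known_jsp: Set[str]) -> List[Finding]:
    """Flag uploader abuse and web-shell access; known_jsp is your baseline of legitimate JSP names."""
    findings: List[Finding] = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # unparseable line; count these separately in production
        path = m["path"].split("?", 1)[0]          # drop the query string
        name = path.rsplit("/", 1)[-1].lower()     # file name part of the path
        if path.lower().startswith(UPLOADER_PATH) and m["method"] == "POST":
            sev = "high" if m["user"] == "-" else "medium"  # "-" = no authenticated user
            findings.append(Finding(m["ts"], m["ip"], sev, "POST to Metadata Uploader", path))
        elif name in KNOWN_SHELL_NAMES:
            findings.append(Finding(m["ts"], m["ip"], "high", "known web shell name", path))
        elif name.endswith(".jsp") and name not in known_jsp and m["status"] == "200":
            findings.append(Finding(m["ts"], m["ip"], "medium", "unbaselined JSP served", path))
    return findings

# Constructed sample lines (not from the report), one per case.
SAMPLE_LOG = [
    '10.0.0.5 - jdoe [29/Apr/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.77 - - [29/Apr/2025:10:02:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312',
    '203.0.113.77 - - [29/Apr/2025:10:03:01 +0000] "GET /irj/root/forwardsap.jsp HTTP/1.1" 200 88',
    '203.0.113.77 - - [29/Apr/2025:10:03:20 +0000] "GET /irj/root/sync.jsp HTTP/1.1" 200 91',
    '10.0.0.9 - basisadmin [29/Apr/2025:10:05:30 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in analyze_access_log(SAMPLE_LOG, known_jsp={"index.jsp"}):
        print(f"[{f.severity}] {f.ts} {f.ip} {f.reason}: {f.path}")
```

The same name check can be run over a listing of the SAP web root to catch shells that were dropped but not yet requested.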

Here’s a quick table for your CISO:

| Recommendation Category | Specific Action | Priority | Responsible Teams |
|---|---|---|---|
| Patch Management | Apply SAP Notes 3594142 & 3604119 | High | SAP Basis/Security, IT Ops |
| Network Security | Segment IT/OT, implement DMZ for IT/OT | High | Network Security, OT Engineering, IT Architecture |
| Network Security | Isolate OT from public internet | High | Network Security, OT Engineering |
| Monitoring & Detection | Use Mandiant/Onapsis IoC scanner | High | SOC, CSIRT |
| Monitoring & Detection | Monitor for anomalous access & suspicious files | High | SOC, SAP Security Team |
| Incident Response | Develop/Test OT-specific IR plan, including manual OT operation | High | CSIRT, SOC, OT Engineering, SAP Basis |
| SAP Hardening | Disable unused Visual Composer, conduct config reviews | Medium | SAP Basis/Security |
| Long-Term Improvements | Invest in EDR/NDR, improve software supply chain risk management | Medium | CISO, IT/Security Leadership, Procurement, Devs |

Conclusion – The Big Takeaway

This whole SAP NetWeaver vulnerability mess, exploited by Chinese state actors and ransomware crews, is a serious wake-up call. It’s not just about data; it’s about our critical infrastructure. These attackers are smart, fast, and they are targeting the heart of many businesses, potentially reaching into the physical world of OT.

We cannot just sit back and wait. We need to be proactive. Patching is step one, but it’s not enough. We need strong network segmentation (especially IT/OT), constant monitoring, specific hardening for critical apps like SAP, and solid incident response plans. The bad guys aren’t stopping, so neither can we. Stay vigilant, mi gente! ¡Y parchen esos sistemas! (And patch those systems!)
