Hackers Target SAP Vulnerability to Breach Linux Systems and Deploy Auto-Color Malware

July 30, 2025
Vulnerability / Threat Intelligence

Threat actors have been found exploiting a critical SAP NetWeaver vulnerability, now patched, to introduce the Auto-Color backdoor in an April 2025 attack on a U.S.-based chemicals firm. According to a report from Darktrace shared with The Hacker News, the attacker accessed the company’s network over three days, attempted to download suspicious files, and communicated with infrastructure associated with the Auto-Color malware. The vulnerability, identified as CVE-2025-31324, is a severe unauthenticated file upload flaw in SAP NetWeaver that allows remote code execution (RCE) and was fixed by SAP in April. Auto-Color, first reported by Palo Alto Networks Unit 42 in February, operates similarly to a remote access trojan, providing remote access to compromised Linux systems. It has been linked to attacks against universities and government entities in North America and Asia between November and December 2024.

Hackers Exploit SAP Vulnerability to Target U.S. Chemical Company with Auto-Color Malware

On July 30, 2025, cybersecurity experts reported a significant breach involving a critical vulnerability in SAP NetWeaver, previously patched by SAP. In an incident that unfolded over three days in April 2025, threat actors targeted a U.S.-based chemicals company, leveraging the flaw to infiltrate the organization’s network and deploy the Auto-Color backdoor.

The vulnerability at the center of this breach, identified as CVE-2025-31324, is a severe unauthenticated file upload issue that facilitates remote code execution (RCE). This critical flaw was promptly addressed by SAP in April, yet its exploitation highlights the urgency for organizations to implement timely updates and stringent security measures.

According to a report from Darktrace, the hackers not only gained initial access to the chemicals company’s network but also attempted to download multiple suspicious files. Their activities were linked to infrastructure associated with the Auto-Color malware, suggesting sophisticated efforts to maintain persistent access within the compromised network.

Auto-Color, which was first documented by Palo Alto Networks Unit 42 in February 2025, operates similarly to a remote access trojan, granting attackers extensive remote control over compromised Linux systems. Prior to this incident, the malware had already been observed in attacks against various educational and governmental organizations across North America and Asia during late 2024.

The tactics and techniques employed during this attack appear to align with several categories within the MITRE ATT&CK framework. Initial access may have been achieved through exploiting the SAP vulnerability, while the ongoing presence of the Auto-Color backdoor indicates a strategy for persistence within the victim’s network. Furthermore, techniques for privilege escalation could have been utilized to expand the attackers’ control and access rights, enhancing their operational capabilities.

As the cybersecurity landscape continues to evolve, this breach serves as a crucial reminder for businesses, particularly those in sectors handling critical materials, to prioritize vulnerability management and incident response preparedness. The exploitation of known vulnerabilities underlines the necessity of vigilance against emerging threats and the importance of prompt remediation efforts in safeguarding sensitive information.

Organizations should remain alert to similar vulnerabilities and ensure that their systems are routinely updated. Failure to address known issues can lead to significant risks, including unauthorized access and data exfiltration, potentially resulting in severe operational and reputational damage.

Source link

Related Posts

CISA Includes PaperCut NG/MF CSRF Vulnerability in KEV Catalog Due to Ongoing Exploits

 
Date: July 29, 2025
Category: Vulnerability / Software Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability affecting PaperCut NG/MF print management software to its Known Exploited Vulnerabilities (KEV) catalog, highlighting its active exploitation. The vulnerability, identified as CVE-2023-2533 (CVSS score: 8.4), is a cross-site request forgery (CSRF) flaw that could lead to remote code execution. CISA warned that this vulnerability may allow attackers to modify security settings or execute arbitrary code in certain scenarios. Widely used in schools, businesses, and government offices, PaperCut NG/MF helps manage print jobs and control network printers. Given that the admin console typically operates on internal web servers, an exploited vulnerability could provide attackers with easy access to larger systems if left unattended.

Wiz Identifies Critical Access Bypass Vulnerability in AI-Driven Base44 Coding Platform

July 29, 2025
LLM Security / Vulnerability

Cybersecurity researchers have revealed a recently patched critical security vulnerability in the popular AI-driven coding platform Base44. This flaw could enable unauthorized access to private applications created by its users. According to a report from cloud security firm Wiz, the vulnerability was alarmingly easy to exploit; an attacker merely needed to provide a non-secret ‘app_id’ at undocumented registration and email verification endpoints to create a verified account for private applications. This breach effectively bypassed all authentication mechanisms, including Single Sign-On (SSO) protections, granting full access to sensitive applications and data. Following responsible disclosure on July 9, 2025, Wix, the company that owns Base44, implemented an official fix within 24 hours. Fortunately, there is no evidence that this vulnerability was ever maliciously exploited in practice.

Google Unveils Open Beta for Device Bound Session Credentials in Chrome, Enhancing Patch Transparency with Project Zero

July 30, 2025
Device Security / AI Security

Google has launched an open beta for its Device Bound Session Credentials (DBSC), a security feature aimed at protecting users from session cookie theft attacks. Initially introduced as a prototype in April 2024, DBSC binds authentication sessions to specific devices, preventing malicious actors from using stolen cookies to access accounts from unauthorized devices. “Available in the Chrome browser on Windows, DBSC enhances security after login by linking session cookies—small files that remember user information—to the device used for authentication,” said Andy Wen, senior director of product management at Google Workspace. This initiative not only secures user accounts post-authentication but also complicates the reuse of session cookies, bolstering session integrity. The company has also…

Serious Security Vulnerabilities in Dahua Cameras Enable Remote Takeover via ONVIF and File Upload Exploits

July 30, 2025
Firmware Security / Vulnerability

Cybersecurity researchers have revealed critical security vulnerabilities within the firmware of Dahua smart cameras, which have since been patched. If left unaddressed, these flaws could allow attackers to take control of affected devices. According to a report from Bitdefender shared with The Hacker News, the vulnerabilities—related to the device’s ONVIF protocol and file upload handlers—enable unauthorized attackers to execute arbitrary commands remotely, effectively seizing control of the device.

Tracked as CVE-2025-31700 and CVE-2025-31701 (CVSS scores: 8.1), the vulnerabilities impact the following device series running firmware versions with build timestamps prior to April 16, 2025:

  • IPC-1XXX Series
  • IPC-2XXX Series
  • IPC-WX Series
  • IPC-ECXX Series
  • SD3A Series
  • SD2A Series
  • SD3D Series
  • SDT2A Series
  • SD2C Series

Users can check their device’s build time by logging into the web interface and navigating to Settings → System Information → Version. Both vulnerabilities are classified as…