China-Linked Hackers Target SAP and SQL Server Vulnerabilities in Attacks Across Asia and Brazil

May 30, 2025
Vulnerability / Threat Intelligence

A China-linked threat group has been identified as the source of recent attacks exploiting a critical security flaw in SAP NetWeaver, part of a larger campaign against organizations in Brazil, India, and Southeast Asia that began in 2023. According to Trend Micro security researcher Joseph C. Chen, the attackers primarily exploit SQL injection vulnerabilities in web applications to reach the SQL servers behind them. “The actor also leverages various known vulnerabilities to compromise public-facing servers,” Chen noted in a recent analysis. Southeast Asian targets have included Indonesia, Malaysia, the Philippines, Thailand, and Vietnam. Trend Micro tracks this activity as Earth Lamia and notes some overlap with threat clusters reported by Elastic Security Labs as REF0657, by Sophos as STAC6451, and by Palo Alto Networks’ Unit 42.

The SAP NetWeaver exploitation is the latest stage of a campaign that, according to Trend Micro's analysis published this week, has been running since 2023. Its primary route into targets has been SQL injection against web applications, which gives the attackers access to the SQL servers behind those applications; known vulnerabilities in other public-facing servers are a secondary route.

Trend Micro monitors the operation as Earth Lamia. The overlaps it notes with Elastic Security Labs’ REF0657, Sophos’ STAC6451, and reporting from Palo Alto Networks’ Unit 42 indicate that several vendors have been observing parts of the same intrusion set under different names.

Both entry vectors described by Trend Micro start at the network edge. SQL injection in an internet-facing web application lets the attacker run queries against the backend database server with whatever privileges the application's database account holds, so the injection exposes the data that account can read and, where the account is over-privileged, gives a foothold on the database server itself. Known vulnerabilities in other public-facing servers, the SAP NetWeaver flaw among them, provide the second entry point.
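The mechanism behind the primary entry vector, as an added example that is not code from the article or from Trend Micro's report. It shows a hypothetical product-search handler that builds its query by string concatenation, the parameterized version of the same handler, and a constructed injection payload that pulls rows from an unrelated table through the first and is harmless against the second. SQLite stands in for the database backend; the table names, rows and payload are all constructed for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (not data from the report)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO users VALUES (1, 'admin', 'sha256$deadbeef'),
                                 (2, 'alice', 'sha256$cafef00d');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Hypothetical vulnerable handler: user input is spliced into the SQL text,
    so a quote in the input terminates the literal and the rest becomes SQL."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn: sqlite3.Connection, term: str) -> list:
    """Parameterized version: the driver sends the value separately from the
    query text, so the input can never change the statement's structure."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Constructed payload: closes the open string literal, UNIONs in a table the
# handler was never meant to expose, then comments out the trailing "%'".
PAYLOAD = "' UNION SELECT username, pw_hash FROM users -- "


def demo() -> tuple:
    """Run the same payload through both handlers and return (leaked, safe)."""
    conn = build_db()
    leaked = search_vulnerable(conn, PAYLOAD)   # product rows plus every users row
    safe = search_hardened(conn, PAYLOAD)       # no product name contains the payload
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler returned:", leaked)
    print("hardened handler returned:", safe)
```

The hardened handler is only half of the fix: on database engines that accept several statements in one request, the same primitive lets an attacker append statements rather than just a UNION, which is how an injection in a web application becomes activity on the database server. Running the application under a database account that can only read the tables it needs limits what either form of injection can reach.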

In MITRE ATT&CK terms, both entry vectors map to Exploit Public-Facing Application (T1190). What follows initial access is not detailed in the summary above; privilege escalation and lateral movement are the usual next stages for an actor that has gained a foothold on a database or application server, but for this campaign they should be treated as expectations to build detections around rather than as findings of the report.

For organizations in the targeted regions, the practical priorities follow directly from the entry vectors: patch the SAP NetWeaver flaw and other internet-facing servers promptly, replace string-built SQL in web applications with parameterized queries, and run each application's database account with the minimum privileges it needs so that an injection cannot be turned into control of the server. Mapping the campaign onto ATT&CK helps translate those steps into detection coverage for the post-compromise stages.

Campaigns like Earth Lamia's reuse well-understood techniques against exposed services. Staying current on the vulnerabilities actually being exploited and closing the injection paths in custom applications is what keeps that attack surface small.
