Cybercrime Groups BianLian and RansomExx Exploit SAP NetWeaver Vulnerability to Distribute PipeMagic Trojan
On May 14, 2025, cybersecurity experts revealed that two distinct cybercriminal organizations, BianLian and RansomExx, have exploited a recently identified vulnerability in SAP NetWeaver, designated as CVE-2025-31324. This finding underscores a growing trend among threat actors leveraging the same security flaw for their malicious activities.
Research conducted by the cybersecurity firm ReliaQuest uncovered significant evidence linking both groups to this vulnerability. Specifically, BianLian, known for its data extortion tactics, and RansomExx, associated with ransomware attacks and identified by Microsoft as Storm-2460, appear to be capitalizing on this weakness. ReliaQuest’s investigations suggest that BianLian has been involved in at least one incident, an assessment based on infrastructure links to specific IP addresses tied to the criminal organization.
In its analysis, ReliaQuest pinpointed a server located at 184.174.96.74, which was hosting reverse proxy services initiated by a file named rs64.exe. Notably, this server is linked to another IP address, 184.174.96.70, also managed by the same hosting provider, which had previously been flagged as part of a command-and-control (C2) operation. This connection further solidifies the suspicion of BianLian’s involvement in coordinating activities aimed at exploiting the SAP vulnerability.
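A defender can sweep existing telemetry for the indicators named above. The following is an added example, not code from ReliaQuest or the original article; the JSON-lines event schema (`host`, `src_ip`, `dst_ip`, `image`) and the sample events are constructed for illustration.

```python
import ipaddress
import json
from pathlib import PureWindowsPath

# Indicators quoted in the article above.
C2_IPS = {ipaddress.ip_address("184.174.96.74"), ipaddress.ip_address("184.174.96.70")}
SUSPECT_IMAGES = {"rs64.exe"}

def normalise_ip(value):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d). None if invalid."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except (ValueError, AttributeError):
        return None
    return getattr(ip, "ipv4_mapped", None) or ip

def match_event(event):
    """Return the reasons (possibly none) an event matches the indicators."""
    reasons = []
    for field in ("src_ip", "dst_ip"):
        ip = normalise_ip(event.get(field))
        if ip in C2_IPS:
            reasons.append(f"{field}={ip}")
    image = event.get("image")
    # Compare only the file name, case-insensitively, so the directory is irrelevant.
    if isinstance(image, str) and PureWindowsPath(image).name.lower() in SUSPECT_IMAGES:
        reasons.append(f"image={image}")
    return reasons

def hunt(lines):
    """Scan JSON-lines events; return (line_number, host, reasons) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the sweep
        if isinstance(event, dict) and (reasons := match_event(event)):
            hits.append((n, event.get("host"), reasons))
    return hits

# Constructed sample events (hypothetical hosts and schema).
SAMPLE_LOG = [
    r'{"host":"sap-app01","src_ip":"10.0.5.20","dst_ip":"184.174.96.74","dst_port":443}',
    r'{"host":"sap-app01","image":"C:\\ProgramData\\RS64.EXE"}',
    r'{"host":"ws-114","src_ip":"10.0.7.9","dst_ip":"184.174.96.7"}',
    r'{"host":"sap-app02","src_ip":"10.0.5.21","dst_ip":"::ffff:184.174.96.70"}',
    'truncated line, not JSON',
    r'{"host":"ws-200","image":"C:\\Tools\\xrs64.exe.bak"}',
]
```

IP addresses are reassigned over time, so a hit is a lead to triage against the event's timestamp rather than a verdict.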
Given the nature of the attacks, it is likely that the perpetrators employed several tactics from the MITRE ATT&CK framework. Initial access to the vulnerable systems could have been achieved by exploiting the SAP NetWeaver flaw itself. Once inside, the attackers may have established persistence to maintain control and used privilege escalation to gain unauthorized access to sensitive resources.
The attack’s implications are concerning for businesses that rely on SAP NetWeaver, placing their data integrity and operational security at risk. Organizations must remain vigilant, understanding that the exploitation of such vulnerabilities can result in significant financial and reputational damage. The evolving tactics used by cybercriminals like BianLian and RansomExx underscore the urgent need for robust cybersecurity measures and proactive vulnerability management to safeguard against potential threats.
As the landscape of cyber threats continues to expand, business owners are advised to stay informed about vulnerabilities affecting their systems and adopt comprehensive strategies to mitigate risk. Understanding the mechanisms behind these attacks, as detailed in the MITRE ATT&CK framework, can provide valuable insights into strengthening defenses against this growing tide of cybercrime.