BianLian and RansomExx Exploit SAP NetWeaver Vulnerability to Deploy PipeMagic Trojan
Date: May 14, 2025
Categories: Ransomware / Vulnerability
Recent reports indicate that at least two cybercrime groups, BianLian and RansomExx, have exploited a newly disclosed security vulnerability in SAP NetWeaver, tracked as CVE-2025-31324, which suggests that multiple threat actors are taking advantage of the flaw. Cybersecurity firm ReliaQuest released an update today detailing evidence of activity linked to both the BianLian data extortion group and the RansomExx ransomware group, which Microsoft tracks as Storm-2460. The investigation links BianLian to at least one incident through infrastructure connections to previously identified e-crime IP addresses. “We located a server at 184[.]174[.]96[.]74 running reverse proxy services initiated by the rs64.exe executable,” the firm stated. “This server is associated with another IP, 184[.]174[.]96[.]70, managed by the same hosting provider, which had previously been flagged as a command-and-control (C2) server.”