Ethical Hacking News

BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan: A Wake-Up Call for Global Cybersecurity
In a recent cybersecurity incident, BianLian and RansomExx successfully exploited the recently disclosed security flaw in SAP NetWeaver, deploying the PipeMagic Trojan to breach various organizations across different continents. The incident highlights the importance of regular patching, vulnerability management practices, and robust cybersecurity defenses in preventing such attacks.

  • BianLian and RansomExx groups exploited a vulnerability in SAP NetWeaver (CVE-2025-29824) to deploy the PipeMagic Trojan.
  • The exploitation of CVE-2025-29824 allows threat actors to deliver malicious payloads via web shells with relative ease.
  • BianLian and RansomExx have both linked their servers to reverse proxy services initiated by the rs64.exe executable, indicating a common attack vector.
  • The deployment of PipeMagic has been observed in limited attacks targeting entities in the U.S., Venezuela, Spain, and Saudi Arabia.
  • A new vulnerability (CVE-2025-31324) has been actively exploited by Chinese hacking groups, with SAP patch fixes available to address the root cause.
  • Regular patching and vulnerability management practices are essential in preventing such attacks, and companies must stay vigilant to protect themselves against potential cyber threats.



The latest cybersecurity landscape has witnessed a significant escalation in threat actors' tactics, with two prominent groups – BianLian and RansomExx – successfully exploiting the recently disclosed security flaw in SAP NetWeaver. This vulnerability, identified as CVE-2025-29824, has been instrumental in the deployment of the PipeMagic Trojan, which has been used to breach various organizations across different continents.

    In a recent update published by ReliaQuest, the cybersecurity firm revealed that both BianLian and RansomExx have taken advantage of this vulnerability. The exploitation of CVE-2025-29824 allows threat actors to deliver the PipeMagic Trojan via web shells, following which they can execute malicious payloads with relative ease.

    BianLian, a well-known cybercrime group responsible for various data extortion schemes, has been linked to at least one incident involving the use of the PipeMagic Trojan. ReliaQuest observed that BianLian's servers were hosting reverse proxy services, initiated by the rs64.exe executable, which was closely related to another IP address previously identified as attributed to the e-crime group.

    RansomExx, on the other hand, is a ransomware family tracked by Microsoft under the moniker Storm-2460. ReliaQuest observed the same pattern on RansomExx's infrastructure: its servers were hosting reverse proxy services initiated by the rs64.exe executable, closely related to another IP address previously attributed to the e-crime group.

    The deployment of PipeMagic has been observed in limited attacks targeting entities in the U.S., Venezuela, Spain, and Saudi Arabia. In each case, the threat actors exploited a zero-day vulnerability in the Windows Common Log File System (CLFS) to deliver the Trojan via web shells.

    It is worth noting that ReliaQuest has identified a new vulnerability – CVE-2025-31324 – which has been actively exploited by multiple Chinese hacking groups tracked as UNC5221, UNC5174, and CL-STA-0048. This vulnerability has also been exploited alongside a deserialization flaw in the same component (CVE-2025-42999).

    SAP security company Onapsis revealed that threat actors have also been exploiting CVE-2025-31324 since March 2025, adding that the new patch fixes the root cause of CVE-2025-31324.

    "The findings come a day after EclecticIQ disclosed that multiple Chinese hacking groups tracked as UNC5221, UNC5174, and CL-STA-0048 are actively exploiting CVE-2025-31324 to drop various malicious payloads," ReliaQuest said in a statement shared with The Hacker News.

    "CVE-2025-42999 indicates higher privileges would be required, however, CVE-2025-31324 affords full system access regardless. A threat actor could exploit both vulnerabilities in an authenticated and unauthenticated user in the same way. Therefore, the remediation advice is the same for both CVEs."

    This incident highlights the importance of regular patching and vulnerability management practices in preventing such attacks. It also underscores the need for organizations to maintain robust cybersecurity defenses, including intrusion detection systems (IDS) and threat intelligence capabilities.
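The attack chain the article describes, a web shell dropped on the application server followed by a reverse proxy started from the rs64.exe executable, leaves two observable traces a defender can correlate: a server-side script written through an HTTP upload and later requested, and a process-creation event for a binary the intelligence names. The script below is an added example written for this page; it is not code from the article, ReliaQuest, or any of the vendors cited. The telemetry lines, hostnames, file and URL paths, and the key=value log format are constructed for the example, and the list of web-shell extensions is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry, not taken from the article: one event per
# line in a simple key=value format. Hostnames, image paths and the /upload
# endpoint are invented for the example.
SAMPLE_EVENTS = [
    "type=process host=sap-app-01 image=C:\\Windows\\System32\\svchost.exe parent=services.exe",
    "type=process host=sap-app-01 image=C:\\Users\\Public\\rs64.exe parent=cmd.exe",
    "type=http host=sap-app-01 method=POST path=/upload status=200 file=helper.jsp",
    "type=http host=sap-app-01 method=GET path=/irj/portal status=200 file=",
    "type=http host=sap-app-01 method=GET path=/irj/helper.jsp status=200 file=",
]

# Executable name the article ties to the reverse-proxy stage of the intrusion.
SUSPICIOUS_IMAGES = {"rs64.exe"}
# Server-side script extensions a web shell is commonly written in (assumption).
SHELL_EXTENSIONS = (".jsp", ".jspx", ".aspx", ".php")

_KV = re.compile(r"(\w+)=(\S*)")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; values may be empty strings."""
    return dict(_KV.findall(line))


def detect(lines) -> list:
    """Apply two defender-side rules over the event stream, in order.

    1. A process-creation event whose image basename is a known
       reverse-proxy binary (rs64.exe per the article).
    2. A POST that writes a server-side script, followed later by a GET
       for that same file name on the same host (web shell dropped, then used).
    """
    findings = []
    uploaded = {}  # host -> set of script basenames written via POST
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        if ev.get("type") == "process":
            image = ev.get("image", "").replace("\\", "/")
            name = image.rsplit("/", 1)[-1].lower()
            if name in SUSPICIOUS_IMAGES:
                findings.append(Finding("reverse-proxy-binary", host,
                                        f"{name} started by {ev.get('parent')}"))
        elif ev.get("type") == "http":
            fname = ev.get("file", "").lower()
            path = ev.get("path", "")
            if ev.get("method") == "POST" and fname.endswith(SHELL_EXTENSIONS):
                uploaded.setdefault(host, set()).add(fname)
                findings.append(Finding("script-upload", host, f"POST {path} wrote {fname}"))
            elif ev.get("method") == "GET":
                base = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
                if base in uploaded.get(host, set()):
                    findings.append(Finding("uploaded-script-invoked", host, f"GET {path}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed events it reports three findings on sap-app-01: the rs64.exe launch, the helper.jsp upload, and the later request for helper.jsp. Keeping the upload-then-invoke correlation per host rather than alerting on every POST of a script keeps the second rule useful on servers where legitimate deployments also write scripts.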

    In light of this development, it is essential for companies to stay vigilant and take immediate action to protect themselves against potential cyber threats.

    In conclusion, the BianLian-RansomExx-PipeMagic exploit serves as a wake-up call for global cybersecurity, underscoring the need for timely patching, robust threat intelligence, and comprehensive security measures to prevent such attacks from exploiting vulnerabilities in widely-used software applications.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/BianLian-and-RansomExx-Exploit-SAP-NetWeaver-Flaw-to-Deploy-PipeMagic-Trojan-A-Wake-Up-Call-for-Global-Cybersecurity-ehn.shtml

  • https://thehackernews.com/2025/05/bianlian-and-ransomexx-exploit-sap.html

  • https://cybersecsentinel.com/pipemagic-trojan-and-the-zero-day-exploits-targeting-windows-clfs/

  • https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

  • https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/

  • https://www.sentinelone.com/anthology/ransomexx/

  • https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx


    Published: Wed May 14 14:30:47 2025 by llama3.2 3B Q4_K_M