Severity
High
Analysis Summary
A recently disclosed critical vulnerability in SAP NetWeaver Application Server, tracked as CVE-2023-7629, has become a high-value target for Chinese state-sponsored threat actors. The flaw lies in the Internet Communication Manager (ICM) component, allows unauthenticated remote code execution, and affects multiple versions of SAP NetWeaver AS ABAP. Although emergency patches have been issued, thousands of internet-exposed SAP systems remain unpatched, heightening the risk for industries such as finance, manufacturing, government, and healthcare that depend heavily on SAP for core business operations.
Initial exploitation attempts have focused on high-value targets, such as financial institutions and manufacturing firms, with the goal of intellectual property theft and operational disruption. Once a system is compromised, the attackers establish persistence by modifying SAP service configurations and scheduled jobs. Victims have reported extensive damage, including financial losses and forced shutdowns of critical systems for emergency remediation. The sophistication of the attacks and the targeting of core SAP infrastructure have raised alarms about broader supply chain risk, since compromised systems may be used as a foothold to infiltrate partners and vendors.
Researchers found that the attackers are deploying a custom malware strain named “SAPphire.” The malware uses encrypted command-and-control channels embedded in legitimate SAP communication protocols, making it stealthy and difficult to detect. Its behavior shows a deep understanding of SAP architecture: memory corruption is triggered by crafted HTTP requests that abuse the RFC_READ_TABLE function through malicious SOAP payloads. These payloads inject format string specifiers into the TEXT field, corrupting memory and spawning a reverse shell for further compromise.
The infection mechanism relies on an advanced HTTP request smuggling technique to bypass input validation and other security mechanisms. The attack chain begins with a crafted POST request to the /sap/bc/soap/rfc endpoint, which leads to memory corruption, code execution, and the establishment of persistent access. Security analysts warn that exploitation of such a deeply embedded vulnerability, combined with stealthy post-compromise techniques, points to a long-term espionage campaign against high-impact targets. Organizations are urged to apply the patches immediately and to audit exposed SAP systems for any signs of compromise.
Impact
- Data Exfiltration
- Gain Access
- Code Execution
- Financial Loss
- Operational Disruptions
Indicators of Compromise
CVE
- CVE-2023-7629
IP
MD5
f8a7ce4a8e2637565b18d6bb29b2bc6f
5c7c5ce42b1507c12d71fbaf2488f283
SHA-256
888e953538ff668104f838120bc4d801c41adb07027db16281402a62f6ec29ef
f1e505fe96b8f83c84a20995e992b3794b1882df4954406e227bd7b75f13c779
SHA1
bfee2fb825a0a813a1243ae59bb0f4c9f3545008
9c7aea241aa1a12d7b1abef800fe59ffa21c181c
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Apply SAP patches immediately.
- Isolate exposed SAP systems from the internet until they are fully patched and secured.
- Monitor SAP ICM logs for unusual HTTP POST or SOAP activity, especially targeting /sap/bc/soap/rfc.
- Disable or restrict access to RFC_READ_TABLE if it is not required for business operations.
- Enforce input validation and sanitization for all user inputs received via HTTP and SOAP interfaces.
- Deploy intrusion detection and prevention systems (IDS/IPS) with updated signatures to detect malicious SOAP requests and reverse shell activity.
- Monitor for unusual scheduled jobs or changes in SAP service configurations.
- Use endpoint detection and response (EDR) tools to detect post-exploitation activity such as reverse shells or malware like “SAPphire.”
- Enforce strict authentication and access control policies on all SAP endpoints.
- Implement network segmentation to limit lateral movement from compromised SAP systems.
- Audit and restrict SAP administrative privileges and user roles.
- Conduct a thorough compromise assessment on all SAP systems, including forensic analysis for persistence mechanisms.
- Remove any discovered backdoors, unauthorized jobs, or modified configurations.
- Reset passwords and rotate credentials for SAP service accounts.
- Notify affected partners and stakeholders if there is potential for supply chain compromise.
- Regularly update SAP systems and stay informed through SAP security advisories.
- Conduct frequent vulnerability assessments and penetration tests on enterprise SAP deployments.
- Train SOC and incident response teams specifically on SAP security monitoring and threat hunting.