{"id":3714,"date":"2025-05-16T12:20:22","date_gmt":"2025-05-16T04:20:22","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=3714"},"modified":"2025-05-16T12:31:17","modified_gmt":"2025-05-16T04:31:17","slug":"%e3%80%90%e8%b3%87%e5%ae%89%e8%ad%a6%e7%a4%ba%e3%80%91bianlian-%e8%88%87-ransomexx-%e5%88%a9%e7%94%a8-sap-netweaver-%e6%bc%8f%e6%b4%9e%e9%83%a8%e7%bd%b2-pipemagic-%e6%9c%a8%e9%a6%ac%e7%a8%8b%e5%bc%8f","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=3714","title":{"rendered":"\u3010\u8cc7\u5b89\u8b66\u793a\u3011BianLian \u8207 RansomExx \u5229\u7528 SAP NetWeaver \u6f0f\u6d1e\u90e8\u7f72 PipeMagic \u6728\u99ac\u7a0b\u5f0f"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"693\" height=\"389\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2025\/05\/image-7.png\" alt=\"\" class=\"wp-image-3715\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2025\/05\/image-7.png 693w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2025\/05\/image-7-300x168.png 300w\" sizes=\"auto, (max-width: 693px) 100vw, 693px\" \/><figcaption class=\"wp-element-caption\">Photo Credit: SAP<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u8fd1\u671f\uff0c\u5169\u500b\u77e5\u540d\u7684\u52d2\u7d22\u8edf\u9ad4\u96c6\u5718\u2014\u2014<strong>BianLian<\/strong> \u8207 <strong>RansomExx<\/strong>\uff0c\u88ab\u767c\u73fe\u6b63\u5728\u6feb\u7528 SAP NetWeaver \u5e73\u53f0\u7684\u4e00\u9805\u91cd\u5927\u6f0f\u6d1e\uff08<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-31324\">CVE-2025-31324<\/a>\uff09\uff0c\u4e26\u85c9\u6b64\u90e8\u7f72\u65b0\u578b\u6728\u99ac\u7a0b\u5f0f <strong>PipeMagic<\/strong>\u3002\u9019\u9805\u767c\u73fe\u518d\u6b21\u8b49\u660e\u4e86\u9ad8\u50f9\u503c\u4f01\u696d\u61c9\u7528\u7cfb\u7d71\uff08\u5982 SAP\uff09\u5c0d\u9032\u968e\u6301\u7e8c\u6027\u5a01\u8105\uff08APT\uff09\u7d44\u7e54\u5177\u6709\u9ad8\u5ea6\u5438\u5f15\u529b\uff0c\u4e26\u4e14\u6b63\u88ab\u591a\u65b9\u60e1\u610f\u52e2\u529b\u540c\u6642\u91dd\u5c0d\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\u6f0f\u6d1e\u6982\u6cc1\uff1aCVE-2025-31324 <\/strong><strong>\u8207 PipeMagic <\/strong><strong>\u7684\u95dc\u806f<\/strong><\/p>\n\n\n\n<p>\u6839\u64da\u8cc7\u5b89\u516c\u53f8 <strong>ReliaQuest<\/strong><strong>\u5728<\/strong> 5\u670814\u65e5\u767c\u5e03\u4e86\u7814\u7a76\u5831\u544a\u7684<a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise\/\">\u66f4\u65b0<\/a>\uff0c\u4ed6\u5011\u767c\u73fe\u4e86\u4f86\u81ea <strong>BianLian <\/strong><strong>\u52d2\u7d22\u96c6\u5718<\/strong> \u548c <strong>RansomExx <\/strong><strong>\u52d2\u7d22\u5bb6\u65cf\uff08\u5fae\u8edf\u7a31\u5176\u70ba Storm-2460<\/strong><strong>\uff09<\/strong> \u7684\u653b\u64ca\u8b49\u64da\u3002\u7814\u7a76\u5718\u968a\u8ffd\u8e64\u5230\u8207\u904e\u5f80 BianLian \u67b6\u69cb\u6709\u95dc\u806f\u7684 IP \u4f4d\u5740\uff0c\u9032\u4e00\u6b65\u8b49\u5be6\u8a72\u7d44\u7e54\u53c3\u8207\u4e86\u81f3\u5c11\u4e00\u8d77\u4e8b\u4ef6\u3002<\/p>\n\n\n\n<p>\u5831\u544a\u6307\u51fa\uff0c\u4e00\u53f0 IP \u70ba 184[.]174[.]96[.]74 \u7684\u4f3a\u670d\u5668\u6b63\u5728\u904b\u884c\u7531 rs64.exe \u555f\u52d5\u7684\u53cd\u5411\u4ee3\u7406\u670d\u52d9\uff0c\u8a72\u4f3a\u670d\u5668\u6240\u4f7f\u7528\u7684 SSL \u6191\u8b49\u8207\u57e0\u865f\u8207\u5148\u524d BianLian \u7684 C2 \u57fa\u790e\u8a2d\u65bd\u76f8\u540c\uff0c\u53e6\u4e00\u500b IP 184[.]174[.]96[.]70 \u4e5f\u88ab\u78ba\u8a8d\u7531\u540c\u4e00\u8a17\u7ba1\u670d\u52d9\u5546\u7ba1\u7406\uff0c\u5f37\u5316\u4e86 BianLian \u6d89\u6848\u7684\u53ef\u4fe1\u5ea6\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>PipeMagic <\/strong><strong>\u6728\u99ac\u53ca\u96f6\u6642\u5dee\u6f0f\u6d1e\u7684\u653b\u64ca\u93c8<\/strong><\/p>\n\n\n\n<p>\u503c\u5f97\u8b66\u60d5\u7684\u662f\uff0cReliaQuest \u767c\u73fe\u6b64\u6ce2\u653b\u64ca\u4e0d\u50c5\u91dd\u5c0d SAP\uff0c\u9084\u642d\u914d\u90e8\u7f72\u4e86\u4e00\u500b\u540d\u70ba <strong>PipeMagic<\/strong> \u7684\u6a21\u7d44\u5316\u6728\u99ac\u7a0b\u5f0f\u3002\u8a72\u6728\u99ac\u8fd1\u671f\u66fe\u88ab\u7528\u65bc\u653b\u64ca Windows CLFS \u7cfb\u7d71\u7684\u4e00\u9805\u6b0a\u9650\u63d0\u5347\u6f0f\u6d1e\uff08<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-29824\">CVE-2025-29824<\/a>\uff09\uff0c\u4e26\u5df2\u5f71\u97ff\u5230\u7f8e\u570b\u3001\u59d4\u5167\u745e\u62c9\u3001\u897f\u73ed\u7259\u8207\u6c99\u70cf\u5730\u963f\u62c9\u4f2f\u7b49\u570b\u7684\u6a5f\u69cb\u3002<\/p>\n\n\n\n<p>\u99ed\u5ba2\u5728\u5229\u7528 SAP NetWeaver \u6f0f\u6d1e\u6210\u529f\u690d\u5165 web shell \u5f8c\uff0c\u900f\u904e\u9019\u4e9b\u5f8c\u9580\u50b3\u9001 PipeMagic\u3002\u96d6\u7136\u9996\u6b21\u5617\u8a66\u90e8\u7f72\u672a\u9042\uff0c\u4f46\u5f8c\u7e8c\u653b\u64ca\u5247\u900f\u904e <strong>MSBuild <\/strong><strong>\u7684 inline <\/strong><strong>\u4efb\u52d9\u57f7\u884c\u529f\u80fd<\/strong> \u90e8\u7f72 <strong>Brute Ratel C2 <\/strong><strong>\u7ba1\u7406\u6846\u67b6<\/strong>\uff0c\u4e26\u4f34\u96a8\u89f8\u767c dllhost.exe \u7684\u7570\u5e38\u884c\u70ba\uff0c\u660e\u78ba\u986f\u793a\u4e86\u653b\u64ca\u8005\u6b63\u5728\u91cd\u8907\u5229\u7528 CVE-2025-29824 \u7684 CLFS \u6f0f\u6d1e\u9032\u884c\u6ef2\u900f\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\u4e2d\u570b\u99ed\u5ba2\u7d44\u7e54\u4ea6\u4ecb\u5165\u6f0f\u6d1e\u5229\u7528<\/strong><\/p>\n\n\n\n<p>\u5c31\u5728 ReliaQuest \u516c\u5e03\u8abf\u67e5\u7d50\u679c\u524d\u4e00\u5929\uff0c<strong>EclecticIQ<\/strong> \u4e5f<a href=\"https:\/\/blog.eclecticiq.com\/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures\">\u6307\u51fa<\/a>\uff0c\u6578\u500b\u4e2d\u570b\u80cc\u666f\u7684 APT \u7d44\u7e54\uff0c\u5305\u62ec <strong>UNC5221<\/strong><strong>\u3001UNC5174 <\/strong><strong>\u8207 CL-STA-0048<\/strong>\uff0c\u7686\u5df2\u91dd\u5c0d CVE-2025-31324 \u5c55\u958b\u5927\u898f\u6a21\u653b\u64ca\u884c\u52d5\uff0c\u6563\u64ad\u5404\u5f0f\u60e1\u610f\u7a0b\u5f0f\u8f09\u8377\u3002<\/p>\n\n\n\n<p>\u6b64\u5916\uff0c\u8cc7\u5b89\u696d\u8005Onapsis \u8b49\u5be6\uff0c\u81ea 2025 \u5e74 3 \u6708\u8d77\uff0c\u653b\u64ca\u8005\u5df2\u540c\u6642\u5229\u7528 CVE-2025-31324 \u53ca\u4e00\u500b\u8207\u5176\u76f8\u95dc\u7684\u7269\u4ef6\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CVE-2025-42999\uff09\u9032\u884c\u5165\u4fb5\u884c\u52d5\u3002\u5e78\u597d\uff0cSAP \u6700\u65b0\u767c\u5e03\u7684\u4fee\u88dc\u7a0b\u5f0f\u5df2\u4fee\u6b63\u9019\u5169\u9805\u6f0f\u6d1e\u7684\u6839\u672c\u539f\u56e0\u3002<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\u5c08\u5bb6\u5efa\u8b70\uff1a\u52d9\u5fc5\u76e1\u901f\u66f4\u65b0\u4fee\u88dc\uff0c\u9632\u6b62\u6301\u7e8c\u6ef2\u900f<\/strong><\/p>\n\n\n\n<p>ReliaQuest \u8868\u793a\uff1a\u300c\u96d6\u7136 CVE-2025-42999 \u5728\u6280\u8853\u4e0a\u9700\u8981\u8f03\u9ad8\u6b0a\u9650\u624d\u80fd\u5229\u7528\uff0c\u4f46 CVE-2025-31324 \u537b\u80fd\u8b93\u653b\u64ca\u8005\u5728\u7121\u9a57\u8b49\u7684\u72c0\u614b\u4e0b\u7372\u5f97\u5b8c\u6574\u7cfb\u7d71\u63a7\u5236\u6b0a\uff0c\u5169\u8005\u5e7e\u4e4e\u6c92\u6709\u5be6\u8cea\u5dee\u7570\uff0c\u9632\u79a6\u63aa\u65bd\u61c9\u76f8\u540c\u8655\u7406\u3002\u300d<\/p>\n\n\n\n<p>\u91dd\u5c0d\u6b64\u6ce2\u5a01\u8105\uff0c\u6211\u5011\u5efa\u8b70\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u7acb\u5373\u6aa2\u67e5\u4e26\u66f4\u65b0 SAP NetWeaver <\/strong><strong>\u7cfb\u7d71\u81f3\u6700\u65b0\u7248\u672c<\/strong><\/li>\n\n\n\n<li><strong>\u76e3\u63a7\u662f\u5426\u6709\u7570\u5e38\u7684 MSBuild <\/strong><strong>\u57f7\u884c\u884c\u70ba\u6216 DLL <\/strong><strong>\u88dd\u8f09\u60c5\u6cc1<\/strong><\/li>\n\n\n\n<li><strong>\u52a0\u5f37\u5c0d\u53cd\u5411\u4ee3\u7406\u8207 C2 <\/strong><strong>\u901a\u8a0a\u7684\u5075\u6e2c\u898f\u5247<\/strong><\/li>\n\n\n\n<li><strong>\u5c01\u9396\u5df2\u77e5\u6d89\u6848 IP<\/strong><strong>\u3001\u6191\u8b49\u8207\u7279\u5fb5\u78bc<\/strong><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>\u7d50\u8a9e<\/strong><\/p>\n\n\n\n<p>\u6b64\u6b21\u4e8b\u4ef6\u986f\u793a\uff0c\u5373\u4f7f\u662f\u9ad8\u5ea6\u5c08\u696d\u3001\u4f01\u696d\u7b49\u7d1a\u7684\u61c9\u7528\u5e73\u53f0\u5982 SAP\uff0c\u4e5f\u96e3\u4ee5\u907f\u514d\u6210\u70ba\u653b\u64ca\u76ee\u6a19\u3002\u5c24\u5176\u7576\u591a\u500b\u653b\u64ca\u7d44\u7e54\u540c\u6642\u76ef\u4e0a\u540c\u4e00\u6f0f\u6d1e\u6642\uff0c\u66f4\u986f\u793a\u51fa\u8a72\u6f0f\u6d1e\u7684\u9ad8\u98a8\u96aa\u6027\u8cea\u3002\u4f01\u696d\u8207\u653f\u5e9c\u55ae\u4f4d\u52d9\u5fc5\u5f37\u5316\u88dc\u4e01\u7ba1\u7406\u6d41\u7a0b\uff0c\u63d0\u5347\u5a01\u8105\u7375\u6355\u8207\u7aef\u9ede\u5075\u6e2c\u53cd\u61c9\uff08EDR\uff09\u80fd\u529b\uff0c\u907f\u514d\u6210\u70ba\u4e0b\u4e00\u500b PipeMagic \u7684\u53d7\u5bb3\u8005\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u8fd1\u671f\uff0c\u5169\u500b\u77e5\u540d\u7684\u52d2\u7d22\u8edf\u9ad4\u96c6\u5718\u2014\u2014BianLian \u8207 RansomExx\uff0c\u88ab\u767c\u73fe\u6b63\u5728\u6feb\u7528 SAP NetWea <a class=\"read-more\" href=\"https:\/\/blog.billows.com.tw\/?p=3714\">READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[174,239],"class_list":["post-3714","post","type-post","status-publish","format-standard","hentry","category-6","tag-news","tag-patch"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3714","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3714"}],"version-history":[{"count":2,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3714\/revisions"}],"predecessor-version":[{"id":3717,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3714\/revisions\/3717"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3714"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3714"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3714"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}