SANS Stormcast Monday, April 28th: Image Steganography; SAP Netweaver Exploited
Update: 2025-04-28
Description
Example of a Payload Delivered Through Steganography
Xavier and Didier published two diaries this weekend, building on each other. First, Xavier showed an example of an image being used to smuggle an executable past network defenses, and second, Didier showed how to use his tools to extract the binary.
https://isc.sans.edu/diary/Example%20of%20a%20Payload%20Delivered%20Through%20Steganography/31892
SAP Netweaver Exploited CVE-2025-31324
An arbitrary file upload vulnerability in SAP s Netweaver product is actively exploited to upload webshells. Reliaquest discovered the issue. Reliaquest reports that they saw it being abused to upload the Brute Ratel C2 framework. Users of Netweaver must turn off the developmentserver alias and disable visual composer, and the application was deprecated for about 10 years. SAP has released an emergency update for the issue.
https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
Any.Run Reports False Positive Uploads
Due to false positives caused by MS Defender XDR flagging Adobe Acrobat Cloud links as malicious, many users of Any.Run s free tier uploaded confidential documents to Any.Run. Anyrun blocked these uploads for now but reminded users to be cautious about what documents are being uploaded.
https://x.com/anyrun_app/status/1915429758516560190
Comments
In Channel
Download from Google Play
Download from App Store
United States00:00
00:00
1.0x
