Anatomy of a C2 Incident on SAP
Onapsis Research Labs Report

It is important for CISOs to understand that we have now crossed a threshold, a point of no return.
As part of our ongoing research, Onapsis released a report, CH4TTER, in April 2024 in coordination with Flashpoint. It focused on how cybercriminals are increasingly seeing the value in targeting SAP applications.
This research delves into a recent real-world example of SAP systems being compromised and then used to launch attacks on other systems. This report aims to show that it is now more important than ever to be engaged and to ensure that proper security processes and measures are in place.
On Demand Webinar
Anatomy of an Attack: Breaking Down a C2 Incident on SAP
Onapsis Research Labs observed and analyzed malicious activity detected through our global threat intelligence cloud. A system running SAP was compromised and turned into a command and control bot by injecting a malicious file via an SAP vulnerability. The C2 initiated a distributed denial of service attack involving Cloudflare.
During this session, our team will review the details of this attack, including source IP addresses, the malicious file, and the installation of Midnight Commander, and cover the commands that were executed on the host system, which included an assessment of the compromised SAP system.
Report TL;DR
SAP systems are targeted for many reasons, including the critical data they hold, the infrastructure they run on, and the organizations that use this technology.
New and old SAP vulnerabilities are still leveraged today to compromise SAP systems.
SAP vulnerabilities are now being exploited for use in ransomware attacks.
Onapsis Research Labs routinely runs penetration tests for customers and continues to uncover IT departments struggling to patch regularly.
Stay protected with the Onapsis Platform primed with the Onapsis Research Labs.
In this paper we will review the details of this attack, including source IP addresses, the malicious file, and the installation of Midnight Commander, and cover the commands that were executed on the host system, which included an assessment of the compromised SAP system.

CH4TTER: Threat Actors Attacking SAP for Profit
Onapsis and Flashpoint have joined forces to level the playing field, revealing how threat actors are attacking SAP applications. This report details new intelligence to protect SAP from ransomware and data breaches.

