Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Narinder Bains
Infrastructure Manager, National Farmers' Union (Guest Contributor)
Share
12
Sep 2022
The National Farmers' Union (NFU) is the largest farmers’ organization in England and Wales, representing more than 46,000 farming businesses and over 80,000 members. We champion farmers across the country and represent them in Europe, negotiating with governments and other organizations from our Brussels office.
Despite the wide scope of our operations, our IT team consists of only 15 individuals. Because of this, we began looking for a security solution which could bolster our small team and its capacity to monitor our organization without complicating our security efforts.
Revealing NFU’s Environment with AI
We were satisfied that our firewalls and other older security tools were doing all that they could to protect our perimeter security. These tools could be working perfectly, but we would still lack the ability to know whether attacks were unfolding under the radar within our network. In other words, we needed visibility when there were already hackers inside.
Even with the best perimeter protection we could buy, this remained a blind spot, and the numerous high-profile stories in the news regarding successful ransomware attacks over last few years left the team increasingly on edge.
We also knew that attackers weren’t just probing in one area – we needed coverage over our entire digital estate, including our endpoint devices and Microsoft 365 activity. These were the areas that were the most difficult to get visibility over, but also the newest parts of our digital estate and the most vulnerable to attacks.
When we were introduced to Darktrace, we quickly saw its potential: the visibility it gave us across our digital estate was unparalleled, and its Autonomous Response technology was something we knew could be a huge benefit for NFU.
Previously, we’d lost hours sifting through data in an attempt to respond to attacks, and that’s only after dealing with numerous emails and false positives from our old security solutions. Once Darktrace was implemented, it covered everything, allowing us to view our entire organization from a single platform, and it dealt with threats 24/7 without requiring any input from us.
Taking action on a pre-infected endpoint
NFU’s adoption of hybrid working brought the importance of endpoint security to the forefront of our team’s minds. The dispersion of company devices across the country made it harder than ever for the team to monitor logs with their existing manpower, and we were constantly worried that an employee at home – whether or not they were connected to the company VPN – might inadvertently open us up to an attack like ransomware.
Because it bases its detection on an understanding of the digital estate’s ‘normal’ behaviors, we hadn’t expected that Darktrace would be able to spot threats in pre-infected environments. As soon as we deployed Darktrace/Endpoint, however, it spotted a user trying to make root level changes to one of our servers from a company laptop without permission, and immediately blocked the activity while allowing the user to continue legitimate business operations. Its ability to differentiate between benign and risky activity was impressive.
A straightforward threat summary delivered to our security team allowed us to understand the situation quickly and easily. Seeing this technology not only spotting dangerous activity, but quickly taking the necessary steps to stop it and strengthen our security posture in its wake, has really given us that extra peace of mind.
Enhancing existing tools with AI
Adding something to your security stack can often mean taking one step forward and two steps back, as the incorporation of a new solution can damage the ability of an old one. For example, creating two VPNs: while it seems like it might provide greater security, the two networks often disrupt one another and only make protection more difficult.
Darktrace, however, augments existing endpoint solutions, utilizing the data they gather in its investigations. By implementing the technology, we weren’t replacing our existing security tools but enhancing them. The way we see it, the greater the depth and breadth of information we feed into Darktrace’s AI, the greater its understanding and the better its decision-making; ultimately, the better it can protect our organization.
In addition to our endpoint devices, Darktrace now works across our Microsoft 365 environments and the network. It uses data from all three areas to draw conclusions about emerging threats and can take action against attacks wherever and whenever they emerge in the digital environment. Knowing this allows us to finally feel confident in our security posture, and to focus our efforts on the rest of our business operations.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Narinder Bains
Infrastructure Manager, National Farmers' Union (Guest Contributor)
How Darktrace Could Have Stopped a Surprise DDoS Incident
Learn how Darktrace could revolutionize DDoS defense, enabling companies to stop threats without 24/7 monitoring. Read more about how we thwart attacks!
Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure
Introduction: Exploiting SAP platforms
Global enterprises depend extensively on SAP platforms, such as SAP NetWeaver and Visual Composer, to run critical business processes worldwide. These systems; however, are increasingly appealing targets for well-resourced adversaries:
In March 2025, CISA issued an alert confirming active exploitation of a 2017 SAP NetWeaver vulnerability (CVE‑2017‑12637), enabling attackers to perform directory traversal and exfiltrate sensitive files, including credentials, from internet-facing systems
CVE-2025-31324 affects SAP’s NetWeaver Visual Composer, a web-based software modeling tool. SAP NetWeaver is an application server and development platform that runs and connects SAP and non-SAP applications across different technologies [2]. It is commonly used by process specialists to develop application components without coding in government agencies, large enterprises, and by critical infrastructure operators [4].
CVE-2025-31324 affects SAP’s Netweaver Visual Composer Framework 7.1x (all SPS) and above [4]. The vulnerability in a Java Servlet (/irj/servlet_jsp) would enable an unauthorized actor to upload arbitrary files to the /developmentserver/metadatauploader endpoint, potentially resulting in remote code execution (RCE) and full system compromise [3]. The issue stems from an improper authentication and authorization check in the SAP NetWeaver Application Server Java systems [4].
What is the severity rating of CVE-2025-31324?
The vulnerability, first disclosed on April 24, 2025, carries the highest severity rating (CVSS v3 score: 10.0) and could allow remote attackers to upload malicious files without requiring authentication [1][5]. Although SAP released a workaround on April 8, many organizations are hesitant to take their business-critical SAP NetWeaver systems offline, leaving them exposed to potential exploitation [2].
How is CVE-2025-31324 exploited?
The vulnerability is exploitable by sending specifically crafted GET, POST, or HEAD HTTP requests to the /developmentserver/metadatauploader URL using either HTTP or HTTPS. Attackers have been seen uploading malicious files (.jsp, .java, or .class files to paths containing “\irj\servlet_jsp\irj\”), most of them being web shells, to publicly accessible SAP NetWeaver systems.
External researchers observed reconnaissance activity targeting this vulnerability in late January 2025, followed by a surge in exploitation attempts in February. The first confirmed compromise was reported in March [4].
Multiple threat actors have reportedly targeted the vulnerability, including Chinese Advanced Persistent Threats (APTs) groups Chaya_004 [7], UNC5221, UNC5174, and CL-STA-0048 [8], as well as ransomware groups like RansomEXX, also known as Storm-2460, BianLian [4] or Qilin [6] (the latter two share the same indicators of compromise (IoCs)).
Following the initial workaround published on April 8, SAP released a security update addressing CVE-2025-31324 and subsequently issued a patch on May 13 (Security Note 3604119) to resolve the root cause of the vulnerability [4].
Darktrace’s coverage of CVE-2025-31324 exploitation
Darktrace has observed activity indicative of threat actors exploiting CVE-2025-31324, including one instance detected before the vulnerability was publicly disclosed.
In April 2025, the Darktrace Threat Research team investigated activity related to the CVE-2025-31324 on SAP devices and identified two cases suggesting active exploitation of the vulnerability. One case was detected prior to the public disclosure of the vulnerability, and the other just two days after it was published.
Early detection of CVE 2025-31324 by Darktrace
Figure 1: Timeline of events for an internet-facing system, believed to be a SAP device, exhibiting activity indicative of CVE-2025-31324 exploitation.
On April 18, six days prior to the public disclosure of CVE-2025-31324, Darktrace began to detect unusual activity on a device belonging to a logistics organization in the Europe, the Middle East and Africa (EMEA) region. Multiple IoCs observed during this incident have since been linked via OSINT to the exploitation of CVE-2025-31324. Notably, however, this reporting was not available at the time of detection, highlighting Darktrace’s ability to detect threats agnostically, without relying on threat intelligence.
The device was observed making domain name resolution request for the Out-of-Band Application Security Testing (OAST) domain cvvr9gl9namk9u955tsgaxy3upyezhnm6.oast[.]online. OAST is often used by security teams to test if exploitable vulnerabilities exist in a web application but can similarly be used by threat actors for the same purpose [9].
Four days later, on April 22, Darktrace observed the same device, an internet-facing system believed to be a SAP device, downloading multiple executable (.exe) files from several Amazon Simple Storage Service (S3). Darktrace’s Threat Research team later found these files to be associated with the KrustyLoader malware [23][24][25].
KrustyLoader is known to be associated with the Chinese threat actor UNC5221, also known as UTA0178, which has been reported to aggressively target devices exposed to the internet [10] [14] [15]. It is an initial-stage malware which downloads and launches a second-stage payload – Sliver C2. Sliver is a similar tool to Cobalt Strike (an open-source post-exploitation toolkit). It is used for command-and-control (C2) connections [11][12]13]. After its successful download, KrustyLoader deletes itself to evade detection. It has been reported that multiple Chinese APT groups have deployed KrustyLoader on SAP Netweaver systems post-compromise [8].
The actors behind KrustyLoader have also been associated with the exploitation of zero-day vulnerabilities in other enterprise systems, including Ivanti devices [12]. Notably, in this case, one of the Amazon S3 domains observed (abode-dashboard-media.s3.ap-south-1.amazonaws[.]com ) had previously been investigated by Darktrace’s Threat Research team as part of their investigation into Ivanti Connect Secure (CS) and Policy Secure (PS) appliances.
In addition to the download of known malicious files, Darktrace also detected new IoCs, including several executable files that could not be attributed to any known malware families or previous attacks, and for which no corresponding OSINT reporting was available.
Post-CVE publication detection
Exploit Validation
Between April 27 and 29, Darktrace observed unusual activity from an SAP device on the network of a manufacturing customer in EMEA.
Figure 2: Darktrace / NETWORK’s detection of an SAP device performing a large volume of suspicious activity between April 27 and April 29.
The device was observed making DNS requests for OAST domains (e.g. aaaaaaaa.d06qqn7pu5a6u25tv9q08p5xhbjzw33ge.oast[.]online and aaaaaaaaaaa.d07j2htekalm3139uk2gowmxuhapkijtp.oast[.]pro), suggesting that a threat actor was testing for exploit validation [9].
Figure 3: Darktrace / NETWORK’s detection of a SAP device making suspicious domain name resolution requests for multiple OAST domains.
Privilege escalation tool download attempt
One day later, Darktrace observed the same device attempting to download an executable file from hxxp://23.95.123[.]5:666/xmrigCCall/s.exe (SHA-1 file hash: e007edd4688c5f94a714fee036590a11684d6a3a).
Darktrace / NETWORK identified the user agents Microsoft-CryptoAPI/10.0 and CertUtil URL Agent during the connections to 23.95.123[.]5. The connections were made over port 666, which is not typically used for HTTP connections.
Multiple open-source intelligence (OSINT) vendors have identified the executable file as either JuicyPotato or SweetPotato, both Windows privilege escalation tools[16][17][18][19]. The file hash and the unusual external endpoint have been associated with the Chinese APT group Gelsemium in the past, however, many threat actors are known to leverage this tool in their attacks [20] [21].
Figure 4: Darktrace’s Cyber AI Analyst’s detection of a SAP device downloading a suspicious executable file from hxxp://23.95.123[.]5:666/xmrigCCall/s.exe on April 28, 2025.
Darktrace deemed this activity highly suspicious and triggered an Enhanced Monitoring model alert, a high-priority security model designed to detect activity likely indicative of compromise. As the customer was subscribed to the Managed Threat Detection service, Darktrace’s Security Operations Centre (SOC) promptly investigated the alert and notified the customer for swift remediation. Additionally, Darktrace’s Autonomous Response capability automatically blocked connections to the suspicious IP, 23.95.123[.]5, effectively containing the compromise in its early stages.
Figure 5: Actions taken by Darktrace’s Autonomous Response to block connections to the suspicious external endpoint 23.95.123[.]5. This event log shows that the connections to 23.95.123[.]5 were made over a rare destination port for the HTTP protocol and that new user agents were used during the connections.
Conclusion
The exploitation of CVE-2025-31324 to compromise SAP NetWeaver systems highlights the persistent threat posed by vulnerabilities in public-facing assets. In this case, threat actors leveraged the flaw to gain an initial foothold, followed by attempts to deploy malware linked to groups affiliated with China [8][20].
Crucially, Darktrace demonstrated its ability to detect and respond to emerging threats even before they are publicly disclosed. Six days prior to the public disclosure of CVE-2025-31324, Darktrace detected unusual activity on a device believed to be a SAP system, which ultimately represented an early detection of the CVE. This detection was made possible through Darktrace’s behavioral analysis and anomaly detection, allowing it to recognize unexpected deviations in device behavior without relying on signatures, rules or known IoCs. Combined with its Autonomous Response capability, this allowed for immediate containment of suspicious activity, giving security teams valuable time to investigate and mitigate the threat.
Credit to Signe Zaharka (Principal Cyber Analyst), Emily Megan Lim, (Senior Cyber Analyst) and Ryan Traill (Analyst Content Lead)
Appendices
List of IoCs
23.95.123[.]5:666/xmrigCCall/s.exe - URL- JuicyPotato/SweetPotato - high confidence
29274ca90e6dcf5ae4762739fcbadf01- MD5 file hash - JuicyPotato/SweetPotato - high confidence
Breaking Silos: Why Unified Security is Critical in Hybrid World
Hybrid environments demand end-to-end visibility to stop modern attacks
Hybrid environments are a dominant trend in enterprise technology, but they continue to present unique issues to the defenders tasked with securing them. By 2026, Gartner predicts that 75% of organizations will adopt hybrid cloud strategies [1]. At the same time, only 23% of organizations report full visibility across cloud environments [2].
That means a strong majority of organizations do not have comprehensive visibility across both their on-premises and cloud networks. As a result, organizations are facing major challenges in achieving visibility and security in hybrid environments. These silos and fragmented security postures become a major problem when considering how attacks can move between different domains, exploiting the gaps.
For example, an attack may start with a phishing email, leading to the compromise of a cloud-based application identity and then moving between the cloud and network to exfiltrate data. Some attack types inherently involve multiple domains, like lateral movement and supply chain attacks, which target both on-premises and cloud networks.
Given this, unified visibility is essential for security teams to reduce blind spots and detect threats across the entire attack surface.
Risks of fragmented visibility
Silos arise due to separate teams and tools managing on-premises and cloud environments. Many teams have a hand in cloud security, with some common ones including security, infrastructure, DevOps, compliance, and end users, and these teams can all use different tools. This fragmentation increases the likelihood of inconsistent policies, duplicate alerts, and missed threats. And that’s just within the cloud, not even considering the additional defenses involved with network security.
Without a unified security strategy, gaps between these infrastructures and the teams which manage them can leave organizations vulnerable to cyber-attacks. The lack of visibility between on-premises and cloud environments contributes to missed threats and delayed incident response. In fact, breaches involving stolen or compromised credentials take an average of 292 to identify and contain [3]. That’s almost ten months.
The risk of fragmented visibility runs especially high as companies undergo cloud migrations. As organizations transition to cloud environments, they still have much of their data in on-premises networks, meaning that maintaining visibility across both on-premises and cloud environments is essential for securing critical assets and ensuring seamless operations.
Unified visibility is the solution
Unified visibility is achieved by having a single-pane-of-glass view to monitor both on-premises and cloud environments. This type of view brings many benefits, including streamlined detection, faster response times, and reduced complexity.
This can only be accomplished through integrations or interactions between the teams and tools involved with both on-premises security and cloud security.
AI-driven platforms, like Darktrace, are especially well equipped to enable the real-time monitoring and insights needed to sustain unified visibility. This is because they can handle the large amounts of data and data types.
Darktrace accomplishes this by plugging into an organization’s infrastructure so the AI can ingest and analyze data and its interactions within the environment to form an understanding of the organization’s normal behavior, right down to the granular details of specific users and devices. The system continually revises its understanding about what is normal based on evolving evidence.
This dynamic understanding of normal means that the AI engine can identify, with a high degree of precision, events or behaviors that are both anomalous and unlikely to be benign. This helps reduce noise while surfacing real threats, across cloud and on-prem environments without manual tuning.
In this way, given its versatile AI-based, platform approach, Darktrace empowers security teams with real-time monitoring and insights across both the network and cloud.
Unified visibility in the modern threat landscape
As part of the Darktrace ActiveAI Security Platform™,Darktrace / CLOUD works continuously across public, private, hybrid, and multi-cloud deployments. With real-time Cloud Asset Enumeration and Dynamic Architecture Modeling, Darktrace / CLOUD generates up-to-date architecture diagrams, giving SecOps and DevOps teams a unified view of cloud infrastructures.
It is always on the lookout for changes, driven by user and service activity. For example, unusual user activity can significantly raise the asset’s score, prompting Darktrace’s AI to update its architectural view and keep a living record of the cloud’s ever-changing landscape, providing near real-time insights into what’s happening.
This continuous architectural awareness ensures that security teams have a real-time understanding of cloud behavior and not just a static snapshot.
Figure 1. Darktrace / CLOUD’s unified view of AWS and Azure cloud posture and compliance over time.
With this dynamic cloud visibility and monitoring, Darktrace / CLOUD can help unify and secure environments.
Real world example: Remote access supply chain attacks
Sectop Remote Access Trojan (RAT) malware, also known as ‘ArchClient2,’ is a .NET RAT that contains information stealing capabilities and allows threat actors to monitor and control targeted computers. It is commonly distributed through drive-by downloads of illegitimate software via malvertizing.
Darktrace has been able to detect and respond to Sectop RAT attacks using unified visibility and platform-wide coverage. In one such example, Darktrace observed one device making various suspicious connections to unusual endpoints, likely in an attempt to receive C2 information, perform beaconing activity, and exfiltrate data to the cloud.
This type of supply chain attack can jump from the network to the cloud, so a unified view of both environments helps shorten detection and response times, therefore mitigating potential impact. Darktrace’s ability to detect these cross-domain behaviors stems from its AI-driven, platform-native visibility.
Conclusion
Organizations need unified visibility to secure complex, hybrid environments effectively against threats and attacks. To achieve this type of comprehensive visibility, the gaps between legacy security tools across on-premises and cloud networks can be bridged with platform tools that use AI to boost data analysis for highly accurate behavioral prediction and anomaly detection.
![Actions taken by Darktrace’s Autonomous Response to block connections to the suspicious external endpoint 23.95.123[.]5. This event log shows that the connections to 23.95.123[.]5 were made over a rare destination port for the HTTP protocol and that new user agents were used during the connections.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/685069596b6d07de173a8b51_Screenshot%202025-06-16%20at%2011.58.25%E2%80%AFAM.png)
