Shadow Campaigns: Global Espionage Exploiting SAP and Exchange Flaws
Palo Alto Networks Unit 42 uncovered a coordinated espionage operation dubbed “Shadow Campaigns” that chains together multiple high‑severity vulnerabilities to breach target networks. The actors first compromise Microsoft Exchange servers using the CVE‑2023‑23397 remote code execution flaw, then move laterally to SAP Solution Manager instances, where they exploit a privilege‑escalation bug (CVE‑2022‑22954) to gain administrator rights and exfiltrate sensitive data. Over the past six months the campaign has hit multinational corporations, critical infrastructure providers, and government agencies across five continents, stealing intellectual property and establishing long‑term backdoors.
Defenders must prioritize rapid patching of both Exchange and SAP components, as the attackers rely on a “kill‑chain” approach in which each unpatched system becomes a stepping stone to the next. Deploying network segmentation, strict outbound filtering, and continuous monitoring for anomalous lateral movement can break the chain. Exchange web shell activity and unusual SAP admin commands are the key indicators, and detecting them early is what matters: without that detection, the threat actors can remain hidden for months, compromising the confidentiality, integrity, and availability of critical assets.
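The two indicators named above can be checked mechanically. The following is an added detection example, not code from the Unit 42 write-up: it scans constructed IIS-style Exchange front-end log lines for requests to server-side scripts outside a known-good baseline (a web shell signature), and constructed SAP-style audit records for administrative transactions run by accounts or from terminals that are not in the expected admin set. The log formats, paths, account names, terminal names and baselines are simplified assumptions for the example, not values from the article.

```python
"""Added detection example (not from the Unit 42 write-up): scan constructed
IIS-style Exchange front-end logs for web-shell-like requests, and constructed
SAP-style audit records for admin-level transactions run by accounts or from
terminals outside a known-good baseline. Formats, paths, account names and
baselines are simplified assumptions, not values from the article."""
import re

# Constructed W3C-style IIS lines (fields: date time s-ip method uri query port user c-ip user-agent status).
IIS_LOG = """\
2024-05-01 08:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2024-05-01 08:00:05 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 302
2024-05-01 08:01:10 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 10.0.0.44 Mozilla/5.0 200
2024-05-01 08:02:33 10.0.0.5 POST /aspnet_client/system_web/log.aspx - 443 - 198.51.100.9 python-requests/2.31 200
2024-05-01 08:02:40 10.0.0.5 POST /aspnet_client/system_web/log.aspx cmd=1 443 - 198.51.100.9 python-requests/2.31 200
2024-05-01 08:03:00 10.0.0.5 GET /owa/auth/15.2.1118/themes/resources/logo.png - 443 - 203.0.113.7 Mozilla/5.0 200
"""

# Baseline assumptions (constructed): server-side scripts a clean Exchange front end is
# known to serve, and folders that normally hold only static assets.
KNOWN_SCRIPTS = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}
STATIC_ONLY_PREFIXES = ("/aspnet_client/", "/owa/auth/current/")
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")
BROWSER_UA_HINT = "Mozilla/"

IIS_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sip>\S+) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<query>\S+) (?P<port>\d+) (?P<user>\S+) (?P<cip>\S+) (?P<ua>\S+) (?P<status>\d+)$"
)


def find_webshell_activity(log_text: str) -> list:
    """Return one finding per (uri, client) pair that looks like web-shell use.

    A request is suspicious when it targets a server-side script that is not in
    the baseline; further reasons raise confidence (static-only folder, POST,
    non-browser user agent). Findings are sorted by hit count, highest first.
    """
    grouped = {}
    for line in log_text.splitlines():
        m = IIS_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        uri = m["uri"].lower()
        if not uri.endswith(SCRIPT_EXTENSIONS) or uri in KNOWN_SCRIPTS:
            continue
        reasons = {"script not in baseline"}
        if uri.startswith(STATIC_ONLY_PREFIXES):
            reasons.add("script under static-only folder")
        if m["method"] == "POST":
            reasons.add("POST to unknown script")
        if not m["ua"].startswith(BROWSER_UA_HINT):
            reasons.add("non-browser user agent")
        key = (uri, m["cip"])
        finding = grouped.setdefault(key, {"uri": uri, "client": m["cip"], "hits": 0, "reasons": set()})
        finding["hits"] += 1
        finding["reasons"] |= reasons
    return sorted(grouped.values(), key=lambda f: -f["hits"])


# Constructed SAP-style audit records (timestamp,user,terminal,transaction,event).
SAP_AUDIT = """\
2024-05-01 08:05:12,BASISADM,SOLMAN-ADM01,SU01,user_maintained
2024-05-01 08:09:47,SVC_EXCH,WS-FIN-22,SU01,user_created
2024-05-01 08:10:02,SVC_EXCH,WS-FIN-22,PFCG,role_assigned
2024-05-01 08:11:30,SVC_EXCH,WS-FIN-22,SM49,os_command_executed
2024-05-01 08:20:00,JSMITH,WS-FIN-22,VA01,sales_order_created
"""

# Baseline assumptions (constructed): transactions treated as administrative, and the
# accounts and terminals expected to run them.
ADMIN_TCODES = {"SU01", "PFCG", "SM49", "SM69"}
ADMIN_USERS = {"BASISADM"}
ADMIN_TERMINALS = {"SOLMAN-ADM01"}


def find_unusual_sap_admin(audit_text: str) -> list:
    """Flag admin transactions run by a non-admin account or from an unexpected terminal."""
    findings = []
    for line in audit_text.splitlines():
        ts, user, terminal, tcode, event = line.split(",")
        if tcode not in ADMIN_TCODES:
            continue
        reasons = []
        if user not in ADMIN_USERS:
            reasons.append("non-admin account")
        if terminal not in ADMIN_TERMINALS:
            reasons.append("unexpected terminal")
        if reasons:
            findings.append({"time": ts, "user": user, "terminal": terminal,
                             "tcode": tcode, "event": event, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_webshell_activity(IIS_LOG):
        print(f"[web] {f['client']} -> {f['uri']} x{f['hits']}: {', '.join(sorted(f['reasons']))}")
    for f in find_unusual_sap_admin(SAP_AUDIT):
        print(f"[sap] {f['time']} {f['user']}@{f['terminal']} {f['tcode']} ({f['event']}): {', '.join(f['reasons'])}")
```

Both checks depend on a baseline taken from a known-clean system (the set of scripts the front end legitimately serves, the accounts and terminals that legitimately run admin transactions); the baselines here are constructed for the example. The web check deliberately keys on the script being outside the baseline rather than on any particular file name, so a renamed shell is still caught; the SAP check keys on who ran the transaction and from where, which is what makes a compromised service account running user and role maintenance stand out.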
Categories: Vulnerabilities & Exploits, AI Security & Threats, Threat Intelligence