

SANS Stormcast Monday, April 28th: Image Steganography; SAP Netweaver Exploited
Apr 28, 2025
Explore the intriguing world of image steganography, where malware hides within images to bypass network security. Discover a serious vulnerability in SAP NetWeaver, allowing unauthorized file uploads and system access. Recent reports reveal exploitation attempts and the confusion caused by MS Defender's false positives, leading to sensitive document uploads. This episode emphasizes the importance of protecting personal data while navigating malware analysis tools.
Malware Hidden in Images
- Xavier showed malware using image pixel manipulation to stealthily smuggle executables past network defenses.
- Didier demonstrated Python tools to extract and analyze hidden malware binaries from these altered images.
True Steganography Explained
- True steganography subtly alters image pixels to hide data rather than just appending readable payloads.
- This makes detection difficult without knowing what the original image looked like or the exact steganography tool used.
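
The contrast above, as an added example that is not code from the episode or from the tools it mentions: a payload appended after a PNG's IEND chunk is found by a structural check, while the same bytes hidden in pixel values leave the file structure clean. Least-significant-bit encoding is an assumption chosen for illustration (the summary does not name the scheme), and all function names and sample data are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    # One PNG chunk: length, type, data, CRC32 over type+data.
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_png(pixels, width):
    # Minimal 8-bit grayscale PNG; every scanline uses filter type 0 (none).
    height = len(pixels) // width
    rows = b"".join(b"\x00" + pixels[y * width:(y + 1) * width] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

def parse_png(png):
    # Return (width, raw pixels, bytes found after IEND) for PNGs built above.
    pos, width, idat = len(PNG_SIG), 0, b""
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        pos += 12 + length
        if ctype == b"IHDR":
            width = struct.unpack(">I", body[:4])[0]
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
    rows = zlib.decompress(idat)
    pixels = b"".join(rows[i + 1:i + 1 + width] for i in range(0, len(rows), width + 1))
    return width, pixels, png[pos:]

def lsb_embed(pixels, secret):
    # Test fixture: write secret bits (MSB first) into the lowest bit of each pixel.
    bits = [(byte >> (7 - i)) & 1 for byte in secret for i in range(8)]
    return bytes((p & 0xFE) | b for p, b in zip(pixels, bits)) + pixels[len(bits):]

def lsb_extract(pixels, nbytes):
    # Analyst side: rebuild nbytes from the lowest bit of the first nbytes*8 pixels.
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for p in pixels[i * 8:i * 8 + 8]:
            byte = (byte << 1) | (p & 1)
        out.append(byte)
    return bytes(out)

MARKER = b"DEMO"                                  # constructed, harmless stand-in payload
COVER = bytes((x * 7) % 256 for x in range(64))   # constructed 8x8 grayscale cover
APPENDED = build_png(COVER, 8) + MARKER           # payload glued on after IEND
STEGO = build_png(lsb_embed(COVER, MARKER), 8)    # payload inside the pixel values
```

The trailing-data check flags `APPENDED` but returns nothing for `STEGO`, whose pixels differ from the cover by at most one grey level; recovering the marker requires already knowing the bit order and length, which is the detection problem the summary describes.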
SAP NetWeaver Exploitation Incident
- SAP NetWeaver Visual Composer has a decade-old deprecated file upload vulnerability actively exploited for arbitrary uploads.
- ReliaQuest and Onapsis observed webshell deployments using this, despite SAP initially disputing claims of active exploitation.