{"id":10409,"date":"2025-07-30T12:28:20","date_gmt":"2025-07-30T05:28:20","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10409"},"modified":"2026-02-05T12:29:02","modified_gmt":"2026-02-05T05:29:02","slug":"auto-color-ma-doc-moi-loi-dung-lo-hong-sap-de-chiem-quyen-dieu-khien-tu-xa","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/30\/auto-color-ma-doc-moi-loi-dung-lo-hong-sap-de-chiem-quyen-dieu-khien-tu-xa\/","title":{"rendered":"Auto-Color: New malware exploits an SAP vulnerability to take remote control"},"content":{"rendered":"<p><b>In April 2025, a sophisticated cyber-attack campaign was discovered targeting a chemical company headquartered in the United States. The attackers exploited a critical vulnerability in SAP NetWeaver software to install the Linux malware Auto-Color.<\/b><\/p>\n<div style=\"text-align: center\"><img class=\"bbImage\" title=\"1753866787112.png\" src=\"https:\/\/whitehat.vn\/attachments\/1753866787112-png.17403\/\" alt=\"1753866787112.png\" width=\"650\" height=\"364\" \/><\/div>\n<p>Auto-Color is a backdoor for the Linux platform. The malware is capable of:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">Executing arbitrary commands remotely<\/li>\n<li data-xf-list-type=\"ul\">Modifying and replacing system files<\/li>\n<li data-xf-list-type=\"ul\">Establishing a reverse shell connection to take full control<\/li>\n<li data-xf-list-type=\"ul\">Proxying network traffic<\/li>\n<li data-xf-list-type=\"ul\">Updating its own configuration remotely<\/li>\n<li data-xf-list-type=\"ul\">Hiding from security tools through a rootkit module<\/li>\n<\/ul>\n<p>The attackers exploited the critical vulnerability CVE-2025-31324 in SAP NetWeaver to deploy Auto-Color. The flaw allows an unauthenticated attacker to upload executable malicious code and take control of the system remotely (RCE). SAP released a patch in April 2025, but many systems have still not been updated in time.<\/p>\n<div style=\"text-align: center\"><img class=\"bbImage\" title=\"1753867135199.png\" src=\"https:\/\/whitehat.vn\/attachments\/1753867135199-png.17405\/\" alt=\"1753867135199.png\" width=\"1588\" height=\"782\" \/><\/div>\n<p>Darktrace experts uncovered the case while investigating a security incident in late April 2025. The Auto-Color malware was found to have entered the system on 27 April, two days after the attack began. An ELF (Linux executable) file was installed on the target system.<\/p>\n<p><i>(Darktrace is a leading cyber-security company headquartered in the United Kingdom, known for applying artificial intelligence (AI) and machine learning to detect and respond to network threats in real time.)<\/i><\/p>\n<p>In its new version, Auto-Color has been improved to evade both sandbox analysis environments and air-gapped (network-isolated) systems. If the malware cannot reach its command-and-control (C2) server, it &#8220;freezes its activity&#8221; and pretends to do nothing, making it hard for analysts to observe its real behaviour. Experts assess that this helps the malware avoid reverse engineering, making analysis extremely difficult.<\/p>\n<p>Evasion techniques seen earlier include:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">Adjusting its behaviour based on the user's privileges<\/li>\n<li data-xf-list-type=\"ul\">Using legitimate-looking file names<\/li>\n<li data-xf-list-type=\"ul\">Hooking libc library functions to interfere with the system<\/li>\n<li data-xf-list-type=\"ul\">Hiding log files in a fake directory<\/li>\n<li data-xf-list-type=\"ul\">Connecting to the C2 server over the TLS secure protocol<\/li>\n<li data-xf-list-type=\"ul\">Generating a distinct hash for each variant<\/li>\n<li data-xf-list-type=\"ul\">Having a &#8220;kill switch&#8221; mechanism to stop its activity when needed<\/li>\n<\/ul>\n<p>The incident at the US chemical company is only one slice of the overall picture. Earlier, Unit 42 recorded Auto-Color attacking universities and government organizations in North America and Asia. By May 2025, Chinese hacker groups and even ransomware groups had joined in exploiting CVE-2025-31324, showing that the threat is spreading on a global scale.<\/p>\n<p>Signs of this vulnerability being exploited as a zero-day had in fact appeared since mid-March 2025, before an official patch was available.<\/p>\n<p>Auto-Color is not commodity malware; it is a custom tool built for long-term espionage and sabotage campaigns. The SAP NetWeaver vulnerability (CVE-2025-31324) is a critical, high-severity flaw that allows full remote takeover of the system.<\/p>\n<p>Experts urgently recommend that users:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">Apply the patches from SAP immediately, especially the April 2025 patch for CVE-2025-31324.<\/li>\n<li data-xf-list-type=\"ul\">Check SAP system logs and Linux server logs for unusual activity, C2 connections or changes to ld.so.preload.<\/li>\n<li data-xf-list-type=\"ul\">Use EDR solutions and network monitoring systems capable of behavioral detection instead of relying only on traditional signatures.<\/li>\n<li data-xf-list-type=\"ul\">Do not analyze Auto-Color samples in isolation without a network connection, because the malware will not fully activate its functionality, which can give the false impression that the system is safe.<\/li>\n<\/ul>\n<p>Auto-Color is clear evidence of the technological arms race between hackers and defenders. From exploiting the SAP vulnerability to hiding itself in analysis environments, this malware is setting a new standard for sophistication.<\/p>\n<p>Given that Linux systems and ERP platforms such as SAP are widely used in enterprises, any delay in patching or lack of monitoring can become an &#8220;open door&#8221; for dangerous intrusion scenarios.<\/p>\n<div style=\"text-align: right\"><b><i>According to Bleeping Computer<\/i><\/b><\/div>\n<div style=\"text-align: right;margin-top: 16px\"><i>Source: <a href=\"https:\/\/whitehat.vn\/threads\/auto-color-ma-doc-moi-loi-dung-lo-hong-sap-de-chiem-quyen-dieu-khien-tu-xa.18615\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/whitehat.vn\/threads\/auto-color-ma-doc-moi-loi-dung-lo-hong-sap-de-chiem-quyen-dieu-khien-tu-xa.18615\/<\/a><\/i><\/div>\n","protected":false},"excerpt":{"rendered":"<p>In April 2025, a sophisticated cyber-attack campaign was discovered targeting a chemical company headquartered in the United States. The attackers exploited a critical vulnerability in SAP NetWeaver software to install the Linux malware Auto-Color. Auto-Color is a [&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10409","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10409","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10409"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10409\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}