Cyber Threat Weekly – #90
The week of August 4th through August 10th, roughly 370 cyber news articles were reviewed. A moderate amount of cyber threat trends and adversarial behavior news to share. I've been thinking about adversarial behavior; it is the battleground.
Really, it's been the battleground for years; many just didn't know it until the living off the land attack methodology became so commonplace. Cyber criminals are within one to two years of nation state level capabilities, and many have a ton of resources too. We live in the age of persistent threats; even malware is focused on persistence.
Let’s start with the weekly open-source repository attack stories. Malware deployed via WinRAR zero-day exploit. Threat actor behavior around the SharePoint ‘ToolShell’ exploitation. Hybrid Exchange deployments are at risk.
The latest research on SocGholish deployment. EDR killer tools still prevalent. Deep dive into a Bumblebee campaign turned ransomware. Scams and fraud from the VexTrio web. CISA shares a malware analysis report of SharePoint bugs.
Researchers share BadSuccessor technique and a novel detection strategy. Bugs in Adobe Experience Manager Forms, exploit chain released. Cursor AI remote code execution bug. Top techniques H1 2025 – Top Threats Report.
Newly discovered ‘Plague’ Linux malware. CrowdStrike’s 2025 Threat Hunting Report.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploitation chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited vulnerabilities and for those with weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
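The prioritization process above (KEV first, weaponized PoC second, everything else after, with an emergency 24-to-48-hour window and decommissioning for EoL gear) can be turned into a repeatable check. The script below is an added example for this issue, not a CISA or VulnCheck tool. The catalog excerpt only mirrors the field names of the public KEV JSON feed; its dates, the asset inventory, the weaponized-PoC set and the two non-D-Link CVE IDs are constructed placeholders.

```python
"""Patch-prioritization check: scanner findings vs. the CISA KEV catalog.

Added example for this newsletter, not a CISA or VulnCheck tool. All data below
is constructed; only the field names mirror the public KEV JSON feed.
"""
from datetime import datetime, timedelta
import json
import urllib.request

# Real location of the CISA KEV feed. Only used by fetch_kev_catalog(), which is
# never called at import time, so the script runs offline on the sample below.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the shape of the KEV feed. The three CVE IDs are the
# ones listed in this issue; the dates are placeholders, not CISA's real values.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2020-25078", "vendorProject": "D-Link", "product": "DCS-2530L/DCS-2670L",
         "dateAdded": "2025-08-05", "dueDate": "2025-08-26", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-25079", "vendorProject": "D-Link", "product": "DCS-2530L/DCS-2670L",
         "dateAdded": "2025-08-05", "dueDate": "2025-08-26", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-40799", "vendorProject": "D-Link", "product": "DNR-322L",
         "dateAdded": "2025-08-05", "dueDate": "2025-08-26", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed asset inventory, as a scanner export might look after normalisation.
# "eol" marks devices the vendor no longer supports (patching is not an option).
# CVE-2024-00000 and CVE-2023-99999 are placeholder IDs, not real vulnerabilities.
INVENTORY = [
    {"asset": "cam-lobby-01", "cves": ["CVE-2020-25078", "CVE-2020-25079"],
     "internet_exposed": True, "eol": True},
    {"asset": "nas-branch-07", "cves": ["CVE-2022-40799"], "internet_exposed": False, "eol": True},
    {"asset": "web-intranet-02", "cves": ["CVE-2024-00000"], "internet_exposed": True, "eol": False},
    {"asset": "fileserver-03", "cves": ["CVE-2023-99999"], "internet_exposed": False, "eol": False},
]

# Constructed set of CVEs with a weaponized PoC in circulation; in practice this
# would be fed from an exploit-intelligence source such as VulnCheck.
WEAPONIZED_POC = {"CVE-2024-00000"}

# Emergency window the newsletter recommends for tier 1 and tier 2 findings.
EMERGENCY_SLA = timedelta(hours=48)


def fetch_kev_catalog(url=KEV_URL, timeout=30):
    """Download the live KEV feed (network access required; optional)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def kev_index(catalog):
    """Map cveID -> KEV entry for O(1) lookups."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def classify(cve, kev, weaponized):
    """Tier 1: in KEV. Tier 2: weaponized PoC available. Tier 3: everything else."""
    if cve in kev:
        return 1
    if cve in weaponized:
        return 2
    return 3


def prioritize(inventory, catalog, weaponized, now):
    """Return findings ordered by tier, Internet exposure, asset, then CVE."""
    kev = kev_index(catalog)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            tier = classify(cve, kev, weaponized)
            if asset["eol"]:
                action = "decommission"      # no patch will ever ship
            elif tier < 3:
                action = "emergency patch"
            else:
                action = "routine patch"
            deadline = (now + EMERGENCY_SLA).isoformat() if tier < 3 else None
            findings.append({
                "asset": asset["asset"],
                "cve": cve,
                "tier": tier,
                "internet_exposed": asset["internet_exposed"],
                "action": action,
                "kev_due": kev[cve]["dueDate"] if cve in kev else None,
                "emergency_deadline": deadline,
            })
    # Exposed assets sort first within a tier (False < True, so negate the flag).
    findings.sort(key=lambda f: (f["tier"], not f["internet_exposed"], f["asset"], f["cve"]))
    return findings


def run_sample(now_iso="2025-08-11T00:00:00"):
    """Run the check on the constructed data with a fixed clock."""
    return prioritize(INVENTORY, KEV_SAMPLE, WEAPONIZED_POC, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for f in run_sample():
        print(f"P{f['tier']} {f['asset']:16} {f['cve']:15} exposed={f['internet_exposed']!s:5} "
              f"{f['action']:16} by={f['emergency_deadline'] or f['kev_due'] or 'next cycle'}")
```

Swap `KEV_SAMPLE` for `fetch_kev_catalog()` and `INVENTORY` for a real scanner export to use it for real; the ordering puts Internet-exposed KEV hits at the top, which matches the advice to look first at what is exposed.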
CISA Known Exploited Vulnerabilities – August 4th to August 10th:
CVE-2020-25078 – D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability:
Could allow for remote administrator password disclosure. The devices could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2020-25079 – D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability:
The products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2022-40799 – D-Link DNR-322L Download of Code Without Integrity Check Vulnerability:
Could allow an authenticated attacker to execute OS level commands on the device. The product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Open-Source Repository Attacks
This is the weekly collection of open-source repository attacks. This topic comes up every week, so the stories are kept in a single thread.
https://socket.dev/blog/60-malicious-ruby-gems-used-in-targeted-credential-theft-campaign
https://thehackernews.com/2025/08/malicious-go-npm-packages-deliver-cross.html
Zero-Day in WinRAR Exploited to Deliver Malware
The bug tracked as CVE-2025-8088 was abused to install RomCom malware. Unix and Android versions of RAR are not affected. Researchers observed spear phishing emails delivering RAR files using this bug.
Tools and Behavior Around SharePoint ‘ToolShell’ Exploitation
This is a great writeup providing detection opportunities and an understanding of the current on-prem SharePoint attacks. Question everything exposed to the Internet, does it need to be? If so, network segmentation can reduce the risk of lateral movement.
High Risk Bug in Hybrid Exchange Deployments
There is a bug that allows lateral movement from on-prem Exchange servers to cloud based Exchange servers running in hybrid mode. The service principal is the same in hybrid configurations for both servers.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786
Observations of SocGholish Behavior
Researchers share a deep dive into the threat actor's operating model. Also known as 'FakeUpdates', this malware family was first spotted around early 2018 and has evolved into an initial access broker for cybercriminals.
https://thehackernews.com/2025/08/socgholish-malware-spread-via-ad-tools.html
https://www.silentpush.com/blog/socgholish/
Multiple Threat Groups Abuse EDR Killer Tool
The bring your own vulnerable driver (BYOVD) technique was first abused by nation-state threat actors. Since then, cybercriminals have created multiple EDR killer tools using the same technique. Multiple ransomware groups are using different builds of an EDR killer tool.
https://news.sophos.com/en-us/2025/08/06/shared-secret-edr-killer-in-the-kill-chain/
Observations of a Bumblebee Campaign Ending with Ransomware
The DFIR Report provides the gold standard in intrusion reports, offering detection opportunities and indicators of compromise. This is a walk-through of a campaign that was roughly 44 hours from initial access to ransomware.
The VexTrio Web of Fraud and Scams
An interesting look at how spammers eventually moved to ad tech to scale their scams and fraud. Researchers share how big their web of crime really is.
https://www.darkreading.com/threat-intelligence/vextrio-cybercrime-outfit-legit-ad-tech
https://blogs.infoblox.com/threat-intelligence/vextrios-origin-story-from-spam-to-scam-to-adtech/
CISA – Malware Analysis Report – SharePoint Bugs
Analysis of six files related to Microsoft SharePoint bugs CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. YARA rules and Sigma rules are shared.
https://www.cisa.gov/news-events/analysis-reports/ar25-218a
Windows Server 2025 – BadSuccessor Technique
Researchers share the technique and explore how adversaries can use it to compromise the domain. The footprints of BadSuccessor activity and a novel detection strategy are also shared.
https://unit42.paloaltonetworks.com/badsuccessor-attack-vector/
Adobe Experience Manager Forms Bugs – Exploit Chain Released
This one is for tracking purposes: with an exploit chain released, we'll see if adversaries take a shot.
Remote Code Execution Bug in Cursor AI
The bug is tracked as CVE-2025-54136, dubbed MCPoison. This one showcases how, when we move too fast, bad things can happen. Keeping up with all the AI attack vectors is going to be tough. In addition, several other attack vectors are shared.
https://thehackernews.com/2025/08/cursor-ai-code-editor-vulnerability.html
2025 Threat Detection Report H1
Most interesting were the top techniques, with several cloud techniques and a couple of new ones added. Number one was cloud accounts, with PowerShell coming in second. Several living off the land techniques are in the top 10 as well.
https://redcanary.com/blog/threat-detection/2025-threat-detection-report-midyear/
New Stealthy Persistent Linux Malware – Plague
Recently discovered and highly evasive, this malware allows for persistent SSH access. It can survive system updates and scrubs traces of its malicious activities, leaving little to no forensic evidence.
https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/
CrowdStrike’s 2025 Threat Hunting Report
A couple of highlights: 81% of interactive intrusions were malware free (living off the land), cloud intrusions increased 136%, eCrime represented 73% of interactive intrusions, and interactive intrusions increased 27% year over year.
https://www.darkreading.com/remote-workforce/threat-actors-leaning-genai-tools
https://www.crowdstrike.com/explore/2025-threat-hunt-report
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter