CyberDudeBivash ThreatWire — Breaking Threat Intel (Today)

Executive summary

  • Act now: A newly disclosed WinRAR zero-day (CVE-2025-8088) is under active exploitation by the RomCom group via weaponized archives (job-application lures). Update WinRAR/UnRAR immediately and hunt for archive-driven execution chains. (Sources: The Hacker News, We Live Security, Infosecurity Magazine)
  • Microsoft Exchange (Hybrid): CISA Emergency Directive ED-25-02 mandates rapid mitigations for CVE-2025-53786 across hybrid deployments; enterprises should mirror federal urgency. (Source: CISA)
  • Education sector hit: UWA (Australia) forced a mass password reset after a breach; IIT Roorkee (India) exposed >30k records (including financial and demographic data). Expect credential replay and targeted phishing against affected communities. (Sources: ABC, Cyber Daily, 9News, ETGovernment.com, The Economic Times, Navbharat Times)

1) WinRAR zero-day (CVE-2025-8088) — in the wild

What’s happening: ESET and multiple outlets confirm active exploitation; lures mimic HR/finance documents. Targeted sectors include financial, defense, manufacturing and logistics organizations in Europe and Canada.
Why it matters: Opening a booby-trapped archive can lead to code execution and quick post-exploitation pivots.
Immediate actions

  • Patch to the latest WinRAR build across endpoints (include UnRAR.dll, CLI/portable installs).
  • Email gateway: temporarily quarantine .rar attachments and detonate archives in sandbox.
  • Hunt: parent = Outlook/Teams/Chrome ⇒ child = rar/unrar; file bursts in %TEMP%; unsigned DLL loads; rapid network egress within 60s. (Sources: The Hacker News, We Live Security)

2) Exchange Hybrid — CVE-2025-53786

Status: CISA’s ED-25-02 sets strict steps and timelines for US agencies; enterprises with hybrid Exchange should apply the same playbook.
Risk: Post-auth paths in legacy/hybrid configurations can lead to domain compromise.
Actions

  • Apply vendor mitigations/patches; verify hybrid trust; reduce legacy auth.
  • Rotate service principal secrets, OAuth certs, and privileged creds.
  • Monitor for spikes in activity from the Exchange Online PowerShell app ID, role/transport rule changes, and anomalous OAuth flows. (Source: CISA)
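The role-assignment, transport-rule and mailbox-forwarding checks above (repeated in the hunting quick hits further down) can be scripted against exported audit records. The following is an added example written for this brief, not CISA's or Microsoft's code: it triages constructed records shaped like Unified Audit Log AuditData entries (Operation, UserId, a Parameters list of Name/Value pairs) and flags forwarding targets outside a constructed set of accepted domains. The tenant domains, user names and addresses are all made up; OAuth consent and sign-in anomalies are out of scope for this snippet.

```python
"""Triage Exchange / Exchange Online audit records for the changes the ED-25-02
follow-up asks SOCs to watch: management role assignments, transport-rule
changes, and mailbox/inbox rules that forward mail to external domains.

Input records are CONSTRUCTED in the shape of Unified Audit Log AuditData
(Operation, UserId, ObjectId, Parameters=[{Name, Value}, ...]); they are not
real tenant data.
"""
from typing import Dict, Iterable, List

# Constructed accepted domains for the example tenant.
ACCEPTED_DOMAINS = {"contoso.example", "mail.contoso.example"}

# Parameters that carry a forwarding/redirect recipient (tuple keeps output order stable).
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
ROLE_OPS = {"New-ManagementRoleAssignment", "Set-ManagementRoleAssignment", "Add-RoleGroupMember"}
TRANSPORT_OPS = {"New-TransportRule", "Set-TransportRule"}
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def params(record: Dict) -> Dict[str, str]:
    """Flatten the Parameters name/value list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def external_recipients(value: str, accepted: Iterable[str] = ACCEPTED_DOMAINS) -> List[str]:
    """Return recipients in a ';'-separated recipient parameter that are NOT in accepted domains.

    Strips an 'smtp:' prefix. Entries without an '@' (display names, directory
    object IDs) cannot be resolved offline, so they are kept for analyst review.
    """
    accepted = {d.lower() for d in accepted}
    out: List[str] = []
    for item in value.split(";"):
        item = item.strip().strip('"')
        if not item:
            continue
        addr = item.split(":", 1)[1] if item.lower().startswith("smtp:") else item
        if "@" not in addr or addr.rsplit("@", 1)[1].lower() not in accepted:
            out.append(addr)
    return out


def triage(records: Iterable[Dict]) -> List[Dict]:
    """Return one finding per record that matches a watched change."""
    findings: List[Dict] = []
    for r in records:
        op = r.get("Operation", "")
        p = params(r)
        actor = r.get("UserId", "?")
        if op in ROLE_OPS:
            # Any role assignment change is reviewed: it is how post-auth access becomes persistent.
            target = p.get("User") or p.get("Member") or ""
            role = p.get("Role") or p.get("Identity") or ""
            findings.append({"severity": "high", "op": op, "actor": actor,
                             "detail": f"role '{role}' -> '{target}'"})
        elif op in TRANSPORT_OPS:
            findings.append({"severity": "medium", "op": op, "actor": actor,
                             "detail": f"transport rule '{p.get('Name') or p.get('Identity', '')}' changed"})
        elif op in FORWARDING_OPS:
            ext = [a for k in FORWARD_PARAMS if k in p for a in external_recipients(p[k])]
            if ext:  # internal forwarding is routine; only external targets are raised
                findings.append({"severity": "high", "op": op, "actor": actor,
                                 "detail": f"mailbox '{r.get('ObjectId', '')}' forwards to {', '.join(ext)}"})
    return findings


# Constructed sample records (not from any real tenant).
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "jdoe@contoso.example", "ObjectId": "jdoe@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "smtp:payroll-updates@external-mail.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "helpdesk@contoso.example", "ObjectId": "asmith@contoso.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:asmith.archive@mail.contoso.example"}]},
    {"Operation": "New-ManagementRoleAssignment", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Role", "Value": "Mailbox Import Export"},
                    {"Name": "User", "Value": "svc-hybrid@contoso.example"}]},
    {"Operation": "Set-TransportRule", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "Outbound BCC"}, {"Name": "BlindCopyTo", "Value": "x@y.example"}]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['op']} by {f['actor']}: {f['detail']}")
```

The triage deliberately raises every role assignment and transport-rule change and lets analysts close the benign ones, while forwarding rules are only raised when a target resolves outside the accepted domains; an inbox rule with a one-character name forwarding to an outside address, as in the first constructed record, is the classic pattern to look for.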

3) Higher-ed incidents: UWA & IIT Roorkee

UWA (Australia): Unauthorized access to password information → forced resets; students/staff temporarily locked out. Expect phishing leveraging reset notices. (Sources: ABC, Cyber Daily, 9News)
IIT Roorkee (India): >30,000 students/alumni records (including contact, finance, caste data) reportedly exposed for years; investigation open. High risk of targeted fraud. (Sources: ETGovernment.com, The Economic Times, Navbharat Times)
Actions (both): Enforce MFA, dark-web credential monitoring, domain-typosquat takedowns, and breach-specific awareness campaigns.
Detection & hunting quick hits (copy to SOC)

  • Archive exploitation chain: alert when email client/browser ⇒ rar/unrar ⇒ script/LOLBin; look for rclone, PowerShell download-exec, or AMSI bypass attempts.
  • Exchange hybrid:
    • New/modified ManagementRoleAssignment, mailbox forwarding rules to external domains.
    • Service principal anomalies; unusual consent grants; impossible-travel AAD sign-ins.
  • Edu breaches: sudden spikes in SSPR, VPN lockouts, or mass device enrolments after password resets.
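The archive exploitation chain described here and in the WinRAR hunt item above (email client/browser ⇒ rar/unrar ⇒ script/LOLBin, with download-exec or AMSI-tampering command lines) is easy to express as a process-tree correlation. The following is an added example written for this brief, not ESET's or any vendor's detection content: it walks constructed Sysmon-style process-creation events, correlates on ProcessGuid rather than PID (PIDs are reused), and reports the chain plus command-line indicators. The process names, GUIDs, paths and command lines are all constructed; the LOLBin and indicator lists are a starting point to tune, not a complete catalogue.

```python
"""Correlate the archive-driven execution chain from the ThreatWire hunt items:
email client / browser  ->  rar/unrar  ->  script or LOLBin child.

Events are CONSTRUCTED Sysmon Event ID 1-style records reduced to the fields the
logic needs; they are not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

EMAIL_OR_BROWSER = {"outlook.exe", "teams.exe", "ms-teams.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}
SCRIPT_OR_LOLBIN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "rclone.exe"}

# Ordered list so the reported indicators are deterministic.
CMDLINE_INDICATORS = [
    ("download-exec", re.compile(r"\b(downloadstring|downloadfile|iex|invoke-expression|invoke-webrequest)\b", re.I)),
    ("encoded-command", re.compile(r"(^|\s)-enc\w*\s", re.I)),   # -enc / -encodedcommand
    ("amsi-tamper", re.compile(r"\bamsi\w*", re.I)),
    ("rclone", re.compile(r"\brclone\b", re.I)),
]
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)


@dataclass
class ProcEvent:
    guid: str                   # ProcessGuid: stable across PID reuse, unlike the PID
    parent_guid: Optional[str]  # ParentProcessGuid (None when the parent was not logged)
    image: str                  # full image path
    cmdline: str
    ts: float                   # seconds since the start of the constructed log


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def indicators(cmdline: str) -> List[str]:
    """Names of the command-line patterns present, in CMDLINE_INDICATORS order."""
    return [name for name, rx in CMDLINE_INDICATORS if rx.search(cmdline)]


def find_chains(events: List[ProcEvent], window_s: float = 300.0) -> List[Dict]:
    """One finding per origin -> archiver -> child chain where the child spawned within window_s
    of the archiver starting (a long gap usually means a user's own extraction session)."""
    by_guid = {e.guid: e for e in events}
    findings: List[Dict] = []
    for child in events:
        if basename(child.image) not in SCRIPT_OR_LOLBIN:
            continue
        archiver = by_guid.get(child.parent_guid or "")
        if archiver is None or basename(archiver.image) not in ARCHIVERS:
            continue
        origin = by_guid.get(archiver.parent_guid or "")
        if origin is None or basename(origin.image) not in EMAIL_OR_BROWSER:
            continue
        if child.ts - archiver.ts > window_s:
            continue
        findings.append({
            "chain": [basename(origin.image), basename(archiver.image), basename(child.image)],
            "archive_in_temp": bool(TEMP_DIR.search(archiver.cmdline)),  # attachment opened from %TEMP%
            "indicators": indicators(child.cmdline),
            "child_cmdline": child.cmdline,
        })
    return findings


# Constructed sample log (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("g-explorer", None, r"C:\Windows\explorer.exe", "explorer.exe", 0.0),
    # Suspicious: mail client -> WinRAR on an archive in %TEMP% -> hidden encoded PowerShell
    ProcEvent("g-outlook", "g-explorer", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE", 1.0),
    ProcEvent("g-rar-1", "g-outlook", r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\jdoe\AppData\Local\Temp\CV_Application.rar"', 12.0),
    ProcEvent("g-ps-1", "g-rar-1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc <constructed-base64-blob> ", 14.5),
    # Benign: archive opened from Explorer, cmd launched from it -> origin is not mail/browser
    ProcEvent("g-rar-2", "g-explorer", r"C:\Program Files\WinRAR\WinRAR.exe", r"WinRAR.exe x D:\photos.rar", 40.0),
    ProcEvent("g-cmd-2", "g-rar-2", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", 41.0),
    # Browser -> WinRAR with no scripted child: nothing to alert on
    ProcEvent("g-chrome", "g-explorer", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe", 5.0),
    ProcEvent("g-rar-3", "g-chrome", r"C:\Program Files\WinRAR\WinRAR.exe", "WinRAR.exe", 60.0),
]

if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(" -> ".join(f["chain"]), "| temp archive:", f["archive_in_temp"], "| indicators:", f["indicators"])
```

Pair this with the other signals from the hunt item (file bursts in %TEMP%, unsigned DLL loads, egress within about 60 seconds) for confidence; the chain alone will also fire on a careful user who extracts a legitimate emailed archive and then opens a shell, which is why the finding carries the child command line for triage rather than blocking outright.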

Mitigation checklist (today)

  1. Patch WinRAR/UnRAR everywhere; confirm via software inventory. (Source: The Hacker News)
  2. Quarantine .rar in mail for 1–2 weeks; sandbox detonation.
  3. Identity hardening: enforce FIDO2/WebAuthn, enable Continuous Access Evaluation in M365, and bind tokens to device posture.
  4. Exchange: execute ED-25-02 steps (disable legacy, rotate secrets, validate Graph migration plan). (Source: CISA)
  5. Backups: test restore; protect with immutability/offline copies.
  6. Comms: user advisories on archive lures and fake password-reset scams (UWA/IIT themes).
