Global Cyber Threat Intel — 13-08-2025

Powered by CyberDudeBivash

Executive summary (today)

  • Microsoft Patch Tuesday (Aug 2025): ~100+ CVEs fixed, incl. 1 publicly disclosed zero-day in Windows Kerberos (CVE-2025-53779) and ~13 Critical issues. Numbers vary by methodology (107 per BleepingComputer; >100 per SecurityWeek/CrowdStrike). Prioritize domain controllers and Exchange/NTLM/GDI+ fixes. (Sources: BleepingComputer, SecurityWeek, CrowdStrike)
  • Exchange hybrid risk (CVE-2025-53786): Misconfigured/legacy hybrid trust can let an on-prem Exchange admin pivot into M365 with limited cloud logs. CISA issued guidance/Emergency Directive; Microsoft’s Aug updates include support for the Dedicated Hybrid App—config still required. (Sources: cisa.gov, TECHCOMMUNITY.MICROSOFT.COM)
  • WinRAR zero-day (CVE-2025-8088) actively exploited: Path traversal used by RomCom and at least one other actor; patch to WinRAR 7.13 (manual update). CISA added it to KEV on Aug 12. (Sources: welivesecurity.com, Help Net Security, cisa.gov)
  • Trend Micro Apex One (on-prem) under active exploitation: Critical RCE (CVE-2025-54948/-54987). Vendor provides a temporary fix tool that disables Remote Install Agent; patch ETA mid-Aug. National CERTs advise urgent mitigation. (Sources: success.trendmicro.com, The Hacker News, ccb.belgium.be)
  • Browsers & mobile: Chrome fifth 0-day of 2025 (CVE-2025-6558); Android August update fixes actively exploited Qualcomm flaws—update endpoints. (Sources: SecurityWeek, TechRadar)
  • OT/ICS Patch Tuesday: Siemens, Schneider, ABB, Honeywell, Aveva, Phoenix Contact ship advisories; several RCEs and auth bypass issues—schedule plant-side maintenance windows. (Source: SecurityWeek)
  • Exploitation in the wild: Citrix NetScaler CVE-2025-6543 actively exploited in NL critical sectors—patch and kill sessions. (Source: The Hacker News)
  • Campaigns & incidents:
    • Charon ransomware hits Middle East public sector & aviation, using DLL side-loading, process injection, and BYOVD-style EDR evasion. (Source: The Hacker News)
    • Interlock gang publishes 43 GB stolen from City of Saint Paul after ransom refusal. (Source: The Register)
    • Law enforcement: BlackSuit/Royal infrastructure disrupted; ~$1.09M crypto seized; multi-agency action. (Sources: Department of Justice, BleepingComputer, ICE)
  • Macro trend: AI is accelerating both attack and defense; concerns raised at Black Hat/DEF CON about the pace of attacker adoption. (Source: Axios)

Priority patch & mitigation queue (0–24h)

  1. Microsoft August 2025
    • Install latest cumulative updates across DCs, file servers, and workstations.
    • CVE-2025-53779 (Kerberos EoP): affects dMSA in Windows Server 2025; patch DCs first; audit dMSA attributes. (Source: BleepingComputer)
    • High-risk components noted by Krebs: GDI+ RCE (CVE-2025-53766), Word RCE via Preview (CVE-2025-53733), NTLM elevation (CVE-2025-53778). (Source: Krebs on Security)
  2. Exchange hybrid (CVE-2025-53786)
    • Apply Aug 2025 SUs (they include support needed for the Dedicated Exchange Hybrid App).
    • Reconfigure hybrid trust per Microsoft guidance; rotate credentials for the shared service principal; run Exchange Health Checker; validate with Service Principal Clean-Up Mode. (Sources: TECHCOMMUNITY.MICROSOFT.COM, cisa.gov)
  3. WinRAR (CVE-2025-8088)
    • Update to 7.13 (manual). Hunt for suspicious extractions placing files into Startup/ProgramData or other autorun paths post-RAR extraction; block legacy UnRAR.dll usage. (Sources: welivesecurity.com, BleepingComputer)
  4. Trend Micro Apex One (on-prem)
    • Deploy the vendor “fix tool” immediately (accepts loss of Remote Install Agent) and restrict console exposure; apply the full patch when released. (Source: success.trendmicro.com)
  5. Chrome/Edge/Firefox & Android
    • Update Chrome beyond 138.0.7204.157 (fixes CVE-2025-6558). Roll out Android Aug 2025 patch level for Qualcomm GPU bugs reported as exploited. (Sources: NVD, TechRadar)
  6. Citrix NetScaler (CVE-2025-6543)
  7. OT/ICS vendors
    • Siemens CVE-2025-40746 (Simatic RTLS) and others—triage per asset criticality, plan controlled downtime. (Source: SecurityWeek)
  8. Adobe
    • >60 vulns across 13 products (Commerce, Substance, InDesign, FrameMaker, etc.). Patch creative/marketing workstations. (Source: SecurityWeek)

Active campaigns & TTPs to watch

  • Charon ransomware (Middle East)
    • Initial access: under investigation; targeted (not spray-and-pray).
    • Execution/Evasion: DLL side-loading via a renamed browser executable to load msedge.dll (SWORDLDR); process injection; EDR disablement with a BYOVD-derived driver (Dark-Kill).
    • Impact: partial encryption, shadow copy deletion, service/process kills.
    • MITRE ATT&CK mappings: T1574.002 (DLL side-loading), T1055 (Process Injection), T1562 (Impair Defenses), T1490 (Inhibit System Recovery), T1486 (Data Encrypted for Impact). (Source: The Hacker News)
  • Interlock vs. City of Saint Paul (US)
    • Double-extortion; leak site post on Aug 11; 43 GB sample data includes sensitive docs; city states resident cloud data unaffected. Continue public-sector posture hardening and comms playbooks. (Source: The Register)
  • NetScaler exploitation (NL)
    • CVE-2025-6543 being used against critical orgs; treat as active incident if exposed. (Source: The Hacker News)
  • Law-enforcement pressure on ransomware
    • BlackSuit/Royal takedown: servers/domains seized + ~$1.09M crypto confiscated; expect rebranding/regrouping (historical pattern). Strengthen extortion-resilience (data minimization, staged backups, leak-site monitoring). (Sources: Department of Justice, BleepingComputer)

Detection & hunting tips (practical)

  • WinRAR CVE-2025-8088
    • Look for winrar.exe/unrar.exe spawning system utilities and file writes into %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp\ or other autorun locations immediately after archive extraction; anomalous ADS writes on NTFS. (Source: SC Media)
  • Exchange hybrid abuse (CVE-2025-53786)
    • Hunt for unexpected Azure AD service principal activity tied to hybrid app IDs; anomalous EXO admin operations with on-prem correlated timelines but thin cloud audit trails; verify Hybrid Agent app registration drift. (Source: cisa.gov)
  • Charon TTPs
    • Alerts on signed/legit binaries (e.g., mislabeled Edge/“cookie_exporter.exe”) loading non-Microsoft DLLs from writable paths; kernel-mode driver loads from non-standard publishers soon after EDR tamper events. (Source: The Hacker News)
  • NetScaler CVE-2025-6543
    • Review AAA/Gateway logs around crash/restart windows; look for post-auth suspicious uploads, web shell artifacts in /netscaler/ns_gui/ or custom paths; rotate admin creds and invalidate sessions after patch. (Source: The Hacker News)
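One way to turn the WinRAR hunting tip above into a query, as an added example that is not part of the original post: it correlates archiver process starts with file writes into Startup folders or NTFS alternate data streams within a short window. The event tuple layout, field order and sample paths are constructed assumptions, not a specific EDR schema.

```python
"""Hunt: autorun drops right after archive extraction (CVE-2025-8088 pattern).
Correlates archiver process starts with file writes into Startup folders or
NTFS alternate data streams. Sample events are constructed, Sysmon-like tuples."""
from datetime import datetime, timedelta

ARCHIVERS = {"winrar.exe", "unrar.exe", "rar.exe"}
# All-users and per-user Startup folders, as lower-cased path fragments.
AUTORUN_MARKERS = (
    "\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
)
WINDOW = timedelta(seconds=30)

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def is_autorun_target(path):
    """True if the written file lands in a Startup folder."""
    return any(m in path.lower().replace("/", "\\") for m in AUTORUN_MARKERS)

def has_ads(path):
    return ":" in path[2:]  # a colon past the drive letter names an ADS (file.txt:stream)

def hunt_autorun_drops(events, window=WINDOW):
    """Events are (kind, time, pid, path) tuples: kind 'proc' (process create, path =
    image) or 'file' (file create, path = target). Returns (pid, target) pairs written
    by an archiver process within `window` of its own start."""
    starts = {pid: _ts(t) for kind, t, pid, path in events
              if kind == "proc" and path.rsplit("\\", 1)[-1].lower() in ARCHIVERS}
    hits = []
    for kind, t, pid, path in events:
        if kind != "file" or pid not in starts:
            continue
        if not timedelta(0) <= _ts(t) - starts[pid] <= window:
            continue
        if is_autorun_target(path) or has_ads(path):
            hits.append((pid, path))
    return hits

STARTUP = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\"
SAMPLE_EVENTS = [  # constructed: one extraction that drops a Startup EXE and an ADS
    ("proc", "2025-08-13 10:00:00", 4100, "C:\\Program Files\\WinRAR\\WinRAR.exe"),
    ("file", "2025-08-13 10:00:02", 4100, "C:\\Users\\ana\\Downloads\\report\\invoice.pdf"),
    ("file", "2025-08-13 10:00:03", 4100, STARTUP + "update.exe"),
    ("file", "2025-08-13 10:00:04", 4100, "C:\\Users\\ana\\Downloads\\report\\notes.txt:payload"),
    ("file", "2025-08-13 10:05:00", 4100, STARTUP + "late.exe"),  # outside the window
]

if __name__ == "__main__":
    for pid, target in hunt_autorun_drops(SAMPLE_EVENTS):
        print(f"pid {pid} wrote {target}")
```

Feed it process-create and file-create events exported from your EDR or Sysmon pipeline, mapped into the tuple shape; the 30-second window is a starting point to tune against your own extraction telemetry.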
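An added example (not the post's own code) for the Charon tip above: flag a Microsoft-signed host binary that runs under a name other than its original file name, or that loads a non-Microsoft DLL from a user-writable path. The flattened record layout and signer strings are assumptions; a real pipeline would join process-create and image-load events to obtain them.

```python
"""Hunt: Microsoft-signed host loading a DLL it should not (Charon-style side-loading).
Records are constructed, flattened image-load events with the host's signer and PE
OriginalFileName already joined in; field names are assumptions, not a product schema."""

MS_SIGNERS = {"microsoft windows", "microsoft corporation"}
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def _ms_signed(status, signer):
    return status == "Valid" and signer.lower() in MS_SIGNERS

def classify(ev):
    """Return the side-loading indicators present on one image-load event."""
    reasons = []
    host_is_ms = _ms_signed(ev["proc_sig_status"], ev["proc_signer"])
    # Signed host renamed on disk (e.g. cookie_exporter.exe whose OriginalFileName is msedge.exe).
    if host_is_ms and _base(ev["image"]) != ev["proc_original_name"].lower():
        reasons.append("renamed-signed-host")
    # DLL resolved from a directory ordinary users can write to.
    if ev["image_loaded"].lower().startswith(WRITABLE_PREFIXES):
        reasons.append("dll-from-writable-path")
    # Microsoft host pulling in a DLL that is not Microsoft-signed.
    if host_is_ms and not _ms_signed(ev["dll_sig_status"], ev["dll_signer"]):
        reasons.append("non-ms-dll-in-ms-host")
    return reasons

def hunt_sideloading(events, min_indicators=2):
    """Require several indicators at once to cut noise from legitimate plugins."""
    out = []
    for ev in events:
        reasons = classify(ev)
        if len(reasons) >= min_indicators:
            out.append((ev["image"], ev["image_loaded"], reasons))
    return out

def _ev(image, orig, psig, dll, dsig):
    """Build one constructed event; psig/dsig are (status, signer) pairs."""
    return {"image": image, "proc_original_name": orig,
            "proc_sig_status": psig[0], "proc_signer": psig[1],
            "image_loaded": dll, "dll_sig_status": dsig[0], "dll_signer": dsig[1]}

MS = ("Valid", "Microsoft Corporation")
SAMPLE_EVENTS = [  # constructed samples: legitimate Edge, renamed Edge, third-party tool
    _ev("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "msedge.exe", MS,
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.dll", MS),
    _ev("C:\\Users\\Public\\Documents\\cookie_exporter.exe", "msedge.exe", MS,
        "C:\\Users\\Public\\Documents\\msedge.dll", ("Unsigned", "")),
    _ev("C:\\Users\\dev\\tools\\tool.exe", "tool.exe", ("Valid", "Example Corp"),
        "C:\\Users\\dev\\tools\\helper.dll", ("Unsigned", "")),
]
```

Only the renamed-Edge record trips the rule; the third-party tool under a user profile scores a single indicator and stays below the threshold.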

Sector impact snapshot

  • Public sector/municipal: Ongoing Interlock pressure shows essential-services disruption and data exposure risks; prioritize offline-capable citizen services and MFA for help desks to blunt social engineering. (Source: The Register)
  • Aviation & government (Middle East): Charon adopts APT-grade tradecraft; enforce application control and driver-load policies (WDAC) on ops workstations. (Source: The Hacker News)
  • Industrial/energy: Multiple RCEs in OT stacks—coordinate change windows and verify backup/restore for controllers/HMIs before patching. (Source: SecurityWeek)
  • Healthcare/education: BlackSuit/Royal disruption is good news, but re-emergence likely; keep isolation playbooks warm and E2E ransomware tabletop drills current. (Source: ICE)

24–72 hour action plan (concise)

  1. Roll Patch Tuesday with ringed deployment (DCs → servers → clients), monitoring for auth/NTLM regressions. (Source: SecurityWeek)
  2. Exchange hybrid hardening: move to Dedicated Hybrid App, rotate keys, re-run hybrid configuration wizard, and validate with Health Checker. (Source: TECHCOMMUNITY.MICROSOFT.COM)
  3. Push emergency updates for WinRAR 7.13, Chrome 138+, Android Aug patch level, and Adobe apps on creator fleets. (Sources: Malwarebytes, SecurityWeek, TechRadar)
  4. Apex One on-prem: apply fix tool, geo-restrict console, and monitor for suspicious agent package tasks. (Source: success.trendmicro.com)
  5. Citrix/NetScaler: patch CVE-2025-6543, end all sessions, sweep for persistence. (Source: The Hacker News)
  6. OT/ICS: import latest advisories into the maintenance queue; document compensating controls where hot-patching isn’t feasible. (Source: SecurityWeek)
  7. Ransomware readiness: verify immutable backups, EDR tamper protection, and lateral-movement detections (LSASS access, PSExec/WMI). (Context: BlackSuit/Royal disruption.) (Source: Department of Justice)

Analyst notes

  • Patch counts vary (107 vs. 111 vs. 119) because some vendors include Edge/Chromium & out-of-band items in their totals. Treat risk, not raw counts, as the prioritization driver. (Sources: BleepingComputer, Rapid7, Qualys)
  • Expect copycat phishing around WinRAR/Exchange “updates.” Gate admin tools behind enclave jump hosts and continuous user confirmation for high-impact actions.
