CyberDudeBivash ThreatWire — 11-08-2025

 


Executive summary (today)

  • Act now: A WinRAR zero-day (CVE-2025-8088) is being actively exploited by the RomCom group against targets in Europe and Canada. Patch/update immediately. (welivesecurity.com, Help Net Security, SecurityWeek, The Hacker News)

  • Microsoft Exchange hybrid: CISA’s Emergency Directive ED-25-02 set a hard mitigation deadline of 9:00 AM EDT on Aug 11, 2025 for CVE-2025-53786; this is still a high-risk item across enterprises. (CISA, Arctic Wolf)

  • Fresh education-sector breaches/outages reported in India (IIT Roorkee) and Australia (UWA). (The Economic Times, News.com.au)

  • Macro trend: Credential theft up ~160% in 2025; healthcare remains highly targeted per new studies. Tighten identity defenses. (IT Pro, Help Net Security)


Breaking incidents & key details

1) WinRAR 0-day (CVE-2025-8088) under active exploitation

  • What’s new: ESET confirms in-the-wild exploitation and attributes the activity to RomCom; targets include financial, defense, manufacturing and logistics companies. Delivery is via weaponized RAR archives sent as “job application” lures. (welivesecurity.com, SecurityWeek)

  • Risk: path traversal on extraction. A crafted archive can make WinRAR write a file outside the directory the user chose; the observed chain drops a shortcut into the user’s Startup folder and a DLL into a profile path, so the payload runs at the next logon with no further user action. WinRAR has a very large installed base and no automatic update mechanism, so unpatched copies linger.

  • Fix/mitigation (immediate):

    • Update WinRAR to the patched build (7.13 or later) today. The fix covers the Windows versions of WinRAR, RAR, UnRAR, the portable UnRAR source code and UnRAR.dll, so admins should inventory CLI tools, portable builds and third-party software that bundles UnRAR.dll; the Unix and Android builds are not affected. (The Hacker News)

    • Block or quarantine archive attachments (RAR and nested archives) at the email gateway, or detonate them in a sandbox that records file writes outside the extraction directory.

    • Hunt for WinRAR.exe/rar.exe/unrar.exe launched from email clients or browsers against archives in Outlook/Teams cache or Downloads paths, and for files created by those processes in Startup folders, %LOCALAPPDATA% or %TEMP%; follow any script/LOLBin pivots.

    • Review IOCs and attack chains provided by threat intel posts. (SOCRadar)
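The traversal described above is easy to check for before anything is extracted. The following is an added example written for this post, not code from ESET, RARLAB or WinRAR's own extraction logic: it resolves each archive entry name the way a Windows extractor would and flags any entry that would land outside the chosen extraction directory, including the alternate-data-stream form `file:stream`, which is where the RomCom archives hid a traversal path. The entry names, the extraction directory and the file names are constructed samples; the 900-character Startup path is the standard per-user Startup folder.

```python
"""Added example (not from the ThreatWire post, ESET or RARLAB): a pre-extraction
check over archive entry names. Resolves each entry against an assumed extraction
directory and flags traversal, absolute/UNC paths and ADS names that escape it."""
import ntpath
from dataclasses import dataclass

DEST = "C:\\Users\\alice\\Downloads\\offer"   # assumed extraction directory

# Constructed sample listing; not real IOCs.
SAMPLE_ENTRIES = [
    "CV_JohnDoe.pdf",                                          # benign decoy
    "attachments/cover_letter.docx",                           # benign subfolder
    "CV_JohnDoe.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "..\\..\\AppData\\Local\\helper.dll",                      # plain traversal
    "C:\\Users\\Public\\payload.exe",                          # absolute path
    "\\\\fileserver\\share\\x.exe",                            # UNC path
]

BLOCK_VERDICTS = {"traversal", "absolute", "ads-traversal"}


@dataclass
class Finding:
    entry: str
    verdict: str       # ok | ads | traversal | absolute | ads-traversal
    resolved: str      # where the bytes would actually be written
    autorun: bool      # True if the target is a Startup folder


def split_ads(name):
    """Split 'file:stream' into (file, stream). 'C:\\x' is a drive letter, not a stream."""
    drive, rest = ntpath.splitdrive(name)
    if ":" in rest:
        path, stream = rest.split(":", 1)
        return drive + path, stream
    return name, None


def inside(base, target):
    """Case-insensitive containment test on normalized Windows paths."""
    base, target = (ntpath.normcase(ntpath.normpath(p)) for p in (base, target))
    return target == base or target.startswith(base + "\\")


def check_entry(entry, dest=DEST):
    path, stream = split_ads(entry)
    if ntpath.isabs(path) or ntpath.splitdrive(path)[0]:
        resolved, verdict = ntpath.normpath(path), "absolute"
    else:
        resolved = ntpath.normpath(ntpath.join(dest, path))
        verdict = "ok" if inside(dest, resolved) else "traversal"
        if stream is not None:
            # The stream is written relative to its host file's directory, so a
            # stream name carrying '..' can escape the extraction directory on its own.
            stream_target = ntpath.normpath(ntpath.join(ntpath.dirname(resolved), stream))
            if not inside(dest, stream_target):
                resolved, verdict = stream_target, "ads-traversal"
            elif verdict == "ok":
                verdict = "ads"
    autorun = "\\start menu\\programs\\startup\\" in ntpath.normcase(resolved)
    return Finding(entry, verdict, resolved, autorun)


def scan(entries, dest=DEST):
    return [check_entry(e, dest) for e in entries]


def should_block(findings):
    """Gateway decision: any escaping entry or any write into a Startup folder."""
    return any(f.verdict in BLOCK_VERDICTS or f.autorun for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_ENTRIES):
        print(f"{f.verdict:14} autorun={str(f.autorun):5} {f.entry} -> {f.resolved}")
    print("block:", should_block(scan(SAMPLE_ENTRIES)))
```

The ADS case is the one a naive `..` filter on the file name misses: the host file name is clean and stays inside the extraction directory, and only the stream part carries the traversal. A sandbox that records file writes will see the same thing at runtime; this check catches it from the listing alone.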

2) Microsoft Exchange Hybrid — CVE-2025-53786 (post-auth)

  • Status: CISA Emergency Directive ED-25-02 required US Federal agencies to mitigate by Aug 11, 2025; enterprises should treat it as priority one wherever Exchange hybrid is in play. (CISA)

  • Risk: an attacker who already holds administrative access to an on-premises Exchange server can abuse the shared service principal that hybrid deployments used for Exchange Online to escalate into the organization’s Exchange Online/Entra ID tenant, leaving little cloud-side audit evidence.

  • Actions:

    • Follow Microsoft’s guidance: install the April 2025 (or later) Exchange Server hotfix update, move to the dedicated Exchange hybrid app, and reset the keyCredentials of the legacy shared service principal; then rotate hybrid-related secrets and review Entra Connect (formerly AAD Connect) hardening. (Arctic Wolf)

    • Review Entra sign-in and audit logs for anomalous OAuth and device-code flows and for Exchange Online PowerShell activity by non-user principals.

3) Universities hit

  • IIT Roorkee (India): Data exposure of 30,000+ students/alumni (phones, finance, caste data) reportedly accessible for years; investigation ongoing. (The Economic Times)

  • UWA (Australia): Compromised password info forced a campus-wide reset; outage/disruption acknowledged; incident team engaged. (News.com.au)

  • Guidance: Force global password resets, enforce MFA, rotate API keys, and run dark-web credential checks for reuse.

4) Retail ops fallout (UK)

  • Marks & Spencer restored click-and-collect service after a cyberattack; early estimates suggest £300M impact. Useful reminder to stress-test retail ops recovery. (The Times)


Trends & telemetry to watch (today)

  • Credential theft spike: Now ~1 in 5 breaches involves compromised creds; 160% YoY increase in 2025 → double down on FIDO2/passkeys, Continuous Access Evaluation (CAE), and token binding. (IT Pro)

  • Healthcare risk outlook: Ransomware and vendor compromises persist with multi-million-dollar extortion demands; resilience gaps despite budget growth. (Help Net Security)


Detection & hunting notes (quick wins)

  • WinRAR chain:

    • Look for WinRAR.exe/rar.exe/unrar.exe spawned by Outlook/Teams/Chrome/Edge; .lnk files created in a user’s Startup folder and DLL/EXE files created in %LOCALAPPDATA% or %TEMP% by the archiver process; unsigned DLL loads right after archive extraction.

    • EDR rule: parent = email client or browser → child = WinRAR/rar/unrar → network egress within 60 s. Caveat: in the observed chain the dropped shortcut only runs at the next logon, so pair this rule with one that fires on archiver writes into a Startup folder.

  • Exchange hybrid:

    • New-ManagementRoleAssignment, Set-Mailbox, Add-RoleGroupMember or on-premises Add-ADGroupMember executed by service principals rather than named admins; spikes in activity attributed to the Exchange Online PowerShell app ID.

    • Alert on inbox rule creation with external forwards and on any transport rule changes.

  • Universities/edu:

    • Monitor for mass authentication failures followed by global resets, geo-impossible logins, and sudden spikes in self-service password reset (SSPR) flows.
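The WinRAR chain rules in the notes above, run over process, file and network telemetry in a Sysmon-like shape, as an added example written for this post rather than a rule from ESET or any EDR vendor. The events, pids, paths and the 203.0.113.10 address are constructed; the rule set implements the parent/child/egress sequence and adds the Startup-folder and AppData write checks that matter when execution is deferred to the next logon.

```python
"""Added example (not from the ThreatWire post, ESET or an EDR vendor): WinRAR chain
hunting rules over constructed Sysmon-like process/file/network events."""
import ntpath
from datetime import datetime, timedelta

MAIL_AND_BROWSERS = {"outlook.exe", "teams.exe", "ms-teams.exe", "chrome.exe",
                     "msedge.exe", "firefox.exe"}
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}
BINARY_EXT = {".dll", ".exe", ".lnk", ".vbs", ".js", ".bat", ".ps1"}
EGRESS_WINDOW = timedelta(seconds=60)

# Constructed sample telemetry; paths, pids and the address are made up.
WINRAR = "C:\\Program Files\\WinRAR\\WinRAR.exe"
OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
ALICE = "C:\\Users\\alice"


def _e(ts, type_, pid, image, **fields):
    return {"ts": datetime.fromisoformat(ts), "type": type_, "pid": pid, "image": image, **fields}


SAMPLE_EVENTS = [
    # malicious chain: archive opened from Outlook, extraction writes outside Downloads
    _e("2025-08-11T09:00:00", "process_create", 4312, WINRAR, parent_image=OUTLOOK),
    _e("2025-08-11T09:00:04", "file_create", 4312, WINRAR,
       target=ALICE + "\\Downloads\\offer\\CV_JohnDoe.pdf"),
    _e("2025-08-11T09:00:04", "file_create", 4312, WINRAR,
       target=ALICE + "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"),
    _e("2025-08-11T09:00:05", "file_create", 4312, WINRAR,
       target=ALICE + "\\AppData\\Local\\Temp\\helper.dll"),
    _e("2025-08-11T09:00:31", "network_connect", 4312, WINRAR, dest="203.0.113.10:443"),
    # benign: user extracts photos from Explorer, nothing leaves Downloads
    _e("2025-08-11T09:05:00", "process_create", 5100, WINRAR,
       parent_image="C:\\Windows\\explorer.exe"),
    _e("2025-08-11T09:05:03", "file_create", 5100, WINRAR,
       target=ALICE + "\\Downloads\\photos\\IMG_0001.jpg"),
]


def _base(path):
    return ntpath.basename(path).lower()


def is_startup_path(path):
    return "\\start menu\\programs\\startup\\" in ntpath.normcase(path)


def detect(events):
    """Return one alert per matching rule; spawned[] remembers archivers started by mail/browser."""
    alerts, spawned = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        img, pid, t = _base(ev["image"]), ev["pid"], ev["ts"]
        if ev["type"] == "process_create" and img in ARCHIVERS \
                and _base(ev["parent_image"]) in MAIL_AND_BROWSERS:
            spawned[pid] = t
            alerts.append({"rule": "archiver_from_mail_or_browser", "pid": pid, "ts": t,
                           "detail": ev["parent_image"]})
        elif ev["type"] == "file_create" and img in ARCHIVERS:
            target = ev["target"]
            if is_startup_path(target):
                alerts.append({"rule": "archiver_writes_startup", "pid": pid, "ts": t, "detail": target})
            elif ntpath.splitext(target)[1].lower() in BINARY_EXT \
                    and "\\appdata\\" in ntpath.normcase(target):
                alerts.append({"rule": "archiver_writes_binary_to_appdata", "pid": pid, "ts": t,
                               "detail": target})
        elif ev["type"] == "network_connect" and pid in spawned \
                and t - spawned[pid] <= EGRESS_WINDOW:
            alerts.append({"rule": "egress_after_archiver_spawn", "pid": pid, "ts": t,
                           "detail": ev["dest"]})
    return alerts


def suspicious_pids(alerts, min_rules=2):
    """Processes that tripped at least min_rules distinct rules; good triage priority."""
    rules_by_pid = {}
    for a in alerts:
        rules_by_pid.setdefault(a["pid"], set()).add(a["rule"])
    return {pid for pid, rules in rules_by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"].time(), a["pid"], a["rule"], a["detail"])
    print("triage first:", suspicious_pids(detect(SAMPLE_EVENTS)))
```

The Startup-folder write is the highest-fidelity signal here: a legitimate extraction never targets that folder, whereas an archiver making a network connection or writing a DLL under AppData has benign explanations and is best used as a corroborating score rather than a stand-alone alert.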
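The Exchange hybrid notes above (and the sign-in/audit review under item 2) as detection rules over Exchange Online admin audit records, the kind Search-UnifiedAuditLog returns in its AuditData JSON. This is an added example written for this post, not code from CISA, Microsoft or Arctic Wolf. The records are constructed; the field names Operation, UserId, CreationTime and Parameters (a list of Name/Value pairs) follow the ExchangeAdmin record layout, while the actor GUID, the corp.example domain and the addresses are made up. It goes slightly beyond the notes by also catching forwarding set via Set-Mailbox.

```python
"""Added example (not from the ThreatWire post, CISA or Microsoft): inbox/transport
rule and privileged-change detections over constructed Exchange admin audit records."""
import re

INTERNAL_DOMAINS = {"corp.example"}        # assumed: the organization's own mail domains
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_OPS = INBOX_RULE_OPS | {"Set-Mailbox"}
TRANSPORT_RULE_OPS = {"New-TransportRule", "Set-TransportRule", "Enable-TransportRule"}
PRIVILEGED_OPS = {"New-ManagementRoleAssignment", "Add-RoleGroupMember", "Set-Mailbox",
                  "Add-ADGroupMember"} | TRANSPORT_RULE_OPS
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress",
                  "ForwardingAddress", "BlindCopyTo", "RedirectMessageTo", "AddToRecipients"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed records; the GUID actor stands in for a service principal.
SVC = "7f1a4c2e-9b3d-4e1f-8a6c-0d2e5f7a9b1c"
SAMPLE_RECORDS = [
    {"CreationTime": "2025-08-11T07:58:10", "Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "[SMTP:collector@mail-relay.example]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-08-11T08:02:44", "Operation": "New-InboxRule", "UserId": "bob@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "[SMTP:bob.archive@corp.example]"}]},
    {"CreationTime": "2025-08-11T08:15:02", "Operation": "Set-TransportRule", "UserId": SVC,
     "Parameters": [{"Name": "Identity", "Value": "Outbound copy"},
                    {"Name": "BlindCopyTo", "Value": "[SMTP:collector@mail-relay.example]"}]},
    {"CreationTime": "2025-08-11T08:15:40", "Operation": "New-ManagementRoleAssignment", "UserId": SVC,
     "Parameters": [{"Name": "Role", "Value": "Mailbox Import Export"},
                    {"Name": "User", "Value": "svc-migration@corp.example"}]},
    {"CreationTime": "2025-08-11T08:20:00", "Operation": "Set-Mailbox", "UserId": "admin@corp.example",
     "Parameters": [{"Name": "Identity", "Value": "alice@corp.example"},
                    {"Name": "AuditEnabled", "Value": "True"}]},
]


def params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_addresses(value):
    """Addresses in a parameter value whose domain is not one of ours."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def is_named_admin(user_id):
    """Human admins appear as a UPN in our domains; apps and service principals do not."""
    return "@" in user_id and user_id.rsplit("@", 1)[1].lower() in INTERNAL_DOMAINS


def detect(records):
    alerts = []
    for i, rec in enumerate(records):
        op, actor, p = rec["Operation"], rec["UserId"], params(rec)
        ext = sorted({a for name, v in p.items() if name in FORWARD_PARAMS
                      for a in external_addresses(v)})
        if op in FORWARDING_OPS and ext:
            alerts.append({"rule": "external_forward", "record": i, "actor": actor, "detail": ext})
        if op in TRANSPORT_RULE_OPS:
            alerts.append({"rule": "transport_rule_change", "record": i, "actor": actor,
                           "detail": ext or p.get("Identity")})
        if op in PRIVILEGED_OPS and not is_named_admin(actor):
            alerts.append({"rule": "privileged_op_by_non_user", "record": i, "actor": actor,
                           "detail": op})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_RECORDS):
        print(a["rule"], "record", a["record"], "actor", a["actor"], a["detail"])
```

The actor test is deliberately blunt: anything that is not a UPN in an internal domain is treated as non-human. In a real tenant, map the UserId or app ID to the Exchange Online PowerShell and hybrid application identities you expect to see and baseline their daily volume, which is what the "spike in app ID activity" note above is about.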
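The education-sector note above (geo-impossible logins, mass authentication failures, SSPR spikes) as two small detections over sign-in records. This is an added example for this post, not code from any identity vendor or from the institutions named. The records are constructed; the user names, the uni.example domain, the TEST-NET addresses and the Perth/Frankfurt coordinates are made up, and the 900 km/h ceiling and the window/threshold values are assumptions to be tuned per environment.

```python
"""Added example (not from the ThreatWire post or an identity vendor): impossible-travel
and burst detections over constructed sign-in records."""
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

MAX_SPEED_KMH = 900.0        # assumed ceiling: faster than a commercial flight
EARTH_RADIUS_KM = 6371.0

# Constructed sample sign-in stream.
T0 = datetime.fromisoformat("2025-08-11T08:00:00")
PERTH = (-31.95, 115.86)
FRANKFURT = (50.11, 8.68)


def _ev(minutes, user, ip, where, result="success", app="Office 365"):
    return {"ts": T0 + timedelta(minutes=minutes), "user": user, "ip": ip,
            "lat": where[0], "lon": where[1], "result": result, "app": app}


SAMPLE_EVENTS = [
    _ev(0, "alice@uni.example", "198.51.100.7", PERTH),
    _ev(30, "alice@uni.example", "203.0.113.44", FRANKFURT),      # 30 min later, other continent
    _ev(0, "bob@uni.example", "198.51.100.7", PERTH),
    _ev(60, "bob@uni.example", "198.51.100.7", PERTH),
]
# 12 failures in under a minute against different accounts from one source (spray pattern)
SAMPLE_EVENTS += [_ev(10 + i * 5 / 60, f"u{i:02d}@uni.example", "203.0.113.9", PERTH,
                      result="failure") for i in range(12)]
# 8 self-service password resets in under two minutes
SAMPLE_EVENTS += [_ev(20 + i * 15 / 60, f"u{i:02d}@uni.example", "198.51.100.7", PERTH,
                      app="SSPR") for i in range(8)]


def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_SPEED_KMH):
    """Consecutive successful sign-ins per user whose implied speed exceeds max_kmh."""
    last, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = max((e["ts"] - prev["ts"]).total_seconds() / 3600, 1 / 3600)
            if km / hours > max_kmh:
                hits.append({"user": e["user"], "km": round(km), "hours": round(hours, 2),
                             "from": prev["ip"], "to": e["ip"]})
        last[e["user"]] = e
    return hits


def burst_peak(events, predicate, window=timedelta(minutes=5), threshold=10):
    """Largest sliding-window count of events matching predicate; None if under threshold."""
    times = sorted(e["ts"] for e in events if predicate(e))
    best, start = None, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        count = end - start + 1
        if count >= threshold and (best is None or count > best["count"]):
            best = {"count": count, "start": times[start], "end": t}
    return best


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SAMPLE_EVENTS))
    print("failure burst:", burst_peak(SAMPLE_EVENTS, lambda e: e["result"] == "failure"))
    print("SSPR burst:", burst_peak(SAMPLE_EVENTS, lambda e: e["app"] == "SSPR", threshold=5))
```

Running the same burst detector with two predicates is the point: a failure burst that is followed within the hour by an SSPR burst is the "mass auth failures then global resets" sequence the note describes, and correlating the two windows is a one-line comparison of their start times.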


Mitigation checklist (share with IT right now)

  1. Patch: WinRAR/UnRAR across endpoints; verify via software inventory. (The Hacker News)

  2. Identity: Enforce MFA everywhere, roll out phishing-resistant auth (FIDO2), enable Continuous Access Evaluation. (IT Pro)

  3. Email/web: Block known malicious archive lures; detonate archives; strip macros; enforce Mark-of-the-Web.

  4. Exchange hybrid: Follow ED-25-02 guidance; rotate credentials; validate hybrid trust paths; audit elevated roles. (CISA)

  5. Backups: Verify offline, immutable backups for critical apps/data.

  6. Comms: Notify users about targeted archive lures; run a focused password hygiene campaign this week.

  7. IR prep: Pre-stage playbooks for archive-delivered malware and credential-theft response (SSPR surge, token revocation).


IOC/Reference Pack (today)
