Cybersecurity Brief

Erlang SSH Exploits, WinRAR Zero-Day, and Israeli Phishing

Coverage: 11 Aug 2025 (UTC)

Patches

Active exploitation and urgent updates defined today’s patch landscape. In a new analysis by Unit 42, researchers detail real-world attacks on CVE-2025-32433, a critical SSH server flaw in Erlang/OTP rated CVSS 10.0. The bug allows unauthenticated clients to send SSH connection protocol messages before completing authentication, enabling command execution. Telemetry shows a surge in attempts between May 1–9, with pronounced spikes on May 3, 6, 8 and 9; of 3,376 observed signature triggers, about 70% originated from firewalls protecting operational technology networks. Scans identified hundreds of exposed services across multiple countries. Observed payloads include reverse shells using file descriptor binding and interactive Bash sessions, with out-of-band verification via randomized lookups under dns.outbound.watchtowr[.]com. Recommended actions include immediate upgrades to OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20 (or later), disabling the SSH server if feasible, restricting access to trusted sources, and deploying updated IDS/IPS signatures (notably signature 96163). Indicators include dns.outbound.watchtowr[.]com, 194.165.16[.]71 and 146.103.40[.]203.
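
The two remediation checks above (is the running OTP at or past the fixed release of its branch, and do DNS or firewall logs reference the published indicators) are easy to get wrong by hand, so here they are as a small Python triage script. This is an added example and not Unit 42's tooling; the log lines in SAMPLE_LOGS are constructed, and branches the advisory does not name are reported as "unknown" rather than given a verdict.

```python
"""Added example, not Unit 42's code: two defender-side checks for CVE-2025-32433.

1. otp_status() decides whether a reported Erlang/OTP version is at or past the
   fixed release of its branch (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20).
2. match_iocs() scans log lines for the indicators listed in the write-up.
The log lines in SAMPLE_LOGS are constructed for this example.
"""
import re

# Fixed releases named in the advisory, keyed by OTP major branch.
FIXED = {27: (27, 3, 3), 26: (26, 2, 5, 11), 25: (25, 3, 2, 20)}


def defang(s):
    """Undo report-style defanging so indicators can be compared with real logs."""
    return s.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


# Indicators from the write-up, stored as published and normalised for matching.
IOC_DOMAIN = defang("dns.outbound.watchtowr[.]com")
IOC_IPS = {defang("194.165.16[.]71"), defang("146.103.40[.]203")}


def parse_otp_version(text):
    """Turn 'OTP-26.2.5.3' or '26.2.5.3' into a tuple of ints."""
    m = re.fullmatch(r"(?:OTP-)?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised OTP version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def otp_status(text):
    """'patched', 'vulnerable', or 'unknown' for a branch the advisory does not list."""
    version = parse_otp_version(text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown"  # assumption: no verdict for branches the advisory does not name
    width = max(len(version), len(fixed))

    def pad(t):  # '26.2.5' must compare as 26.2.5.0, i.e. below 26.2.5.11
        return t + (0,) * (width - len(t))

    return "patched" if pad(version) >= pad(fixed) else "vulnerable"


# Any label under the OOB domain counts (the write-up notes randomised lookups).
DOMAIN_RE = re.compile(r"(?:^|[^\w.-])(?:[\w-]+\.)*" + re.escape(IOC_DOMAIN) + r"(?![\w.-])")
IP_RES = [(ip, re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")) for ip in sorted(IOC_IPS)]


def match_iocs(lines):
    """Return (line_number, reason) for every line that references an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        clean = defang(line)
        if DOMAIN_RE.search(clean):
            hits.append((n, "lookup under " + IOC_DOMAIN))
            continue
        for ip, rx in IP_RES:
            if rx.search(clean):
                hits.append((n, "traffic involving " + ip))
                break
    return hits


# Constructed sample lines: two DNS log entries and two firewall entries.
SAMPLE_LOGS = [
    "2025-05-06T02:11:09Z dns query A 7f3a9c.dns.outbound.watchtowr[.]com from 10.20.30.40",
    "2025-05-06T02:11:10Z fw allow tcp 194.165.16[.]71:51234 -> 10.20.30.40:22",
    "2025-05-06T02:12:00Z dns query A updates.example.org from 10.20.30.41",
    "2025-05-06T02:12:30Z fw allow tcp 10.20.30.50:41000 -> 10.20.30.40:22",
]

if __name__ == "__main__":
    for v in ("OTP-26.2.5.3", "26.2.5.11", "OTP-27.3.2", "OTP-28.0"):
        print(v, otp_status(v))
    for n, reason in match_iocs(SAMPLE_LOGS):
        print(f"line {n}: {reason}")
```

The version comparison pads short tuples with zeros so that 26.2.5 sorts below 26.2.5.11, which is the case a naive string comparison misreads; the log matcher normalises defanged indicators once rather than expecting the logs to contain them in report form.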

Separately, research from ESET documents exploitation of a Windows WinRAR zero-day, CVE-2025-8088. The path traversal flaw abuses NTFS alternate data streams to hide multiple malicious files inside an archive that appears to contain a single benign entry; when opened in vulnerable builds or via affected UnRAR components, these contents can be extracted silently to locations such as %TEMP% and the Startup folder, providing persistence. ESET observed RomCom using weaponized archives in targeted spearphishing from July 18–21 against finance, manufacturing, defense and logistics organizations in Europe and Canada. Payloads included a Mythic agent loader (with AES-decrypted shellcode and dynamichttp C2), a SnipBot variant (triggered by ApbxHelper.exe with anti-analysis), and behavior linked to RustyClaw/MeltingClaw. WinRAR released a patched beta on July 24 followed by version 7.13 on July 30 after disclosure. Immediate mitigation is to update WinRAR and any software that links to UnRAR.dll or the UnRAR source, and to use the published indicators and samples for detection and hunting.
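
Because the archive looks benign in a listing, a defender's first practical check is to screen entry names before extraction for the two tricks the write-up describes: alternate data stream syntax and traversal sequences, and to compute where each entry would actually land. The Python below is an added example, not ESET's or RARLAB's code; it takes a list of entry names as input, the entries in SAMPLE_ENTRIES are constructed, and it assumes that an ADS stream path is resolved relative to the host file's directory.

```python
"""Added example, not ESET's or RARLAB's code: screen archive entry names before
extraction for NTFS alternate data stream (ADS) names and path traversal, and
report where each entry would land. Input is a list of entry names such as an
archive listing gives; SAMPLE_ENTRIES is constructed for this example.
"""
import ntpath
import re

# Drop locations named in the write-up, matched on the resolved lower-cased path.
# "\temp\" is a coarse stand-in for %TEMP% (...\AppData\Local\Temp on Windows).
DROP_TARGETS = {
    "\\temp\\": "drops-into-temp",
    "\\start menu\\programs\\startup\\": "drops-into-startup",
}


def resolve(extract_dir, rel):
    """Where a relative entry path lands under extract_dir once '..' components collapse."""
    return ntpath.normpath(ntpath.join(extract_dir, rel))


def screen_entry(name, extract_dir="C:\\Users\\analyst\\Downloads\\unpacked"):
    """Return findings for one entry name; an empty list means nothing looked odd."""
    findings = []
    path = name.replace("/", "\\")  # Windows treats both separators alike
    comps = path.split("\\")
    target = path
    # 1. ADS syntax: a colon inside any component ("C:" as the first component is a drive).
    for i, comp in enumerate(comps):
        if ":" in comp and not (i == 0 and re.fullmatch(r"[A-Za-z]:", comp)):
            findings.append("ads-name")
            # Assumption: the stream path is taken relative to the host file's directory,
            # so the stream name plus any trailing components is the path to judge.
            base_rel, stream = "\\".join(comps[:i]), comp.split(":", 1)[1]
            target = "\\".join(filter(None, [base_rel, stream] + comps[i + 1:]))
            break
    tcomps = target.split("\\")
    # 2. Traversal and absolute paths in the effective target.
    if ".." in tcomps:
        findings.append("dot-dot")
    if ntpath.isabs(target) or target.startswith("\\"):
        findings.append("absolute")
    # 3. Resolve the landing path and compare it with the extraction directory.
    landing = resolve(extract_dir, target)
    root = ntpath.normpath(extract_dir).lower()
    if not landing.lower().startswith(root + "\\"):
        findings.append("escapes-extract-dir")
    for needle, label in DROP_TARGETS.items():
        if needle in landing.lower():
            findings.append(label)
    return findings


def screen_archive(names, **kw):
    """Map each entry name to its findings, keeping only entries that have some."""
    report = {}
    for name in names:
        found = screen_entry(name, **kw)
        if found:
            report[name] = found
    return report


# Constructed names: a benign entry, two ADS entries hiding traversal in the stream
# name, and a plain traversal entry.
SAMPLE_ENTRIES = [
    "Quarterly_Report.pdf",
    "Quarterly_Report.pdf:..\\..\\AppData\\Local\\Temp\\stage1.dll",
    "Quarterly_Report.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.lnk",
    "docs\\..\\..\\notes.txt",
]

if __name__ == "__main__":
    for name, found in screen_archive(SAMPLE_ENTRIES).items():
        print(name, "->", ", ".join(found))
```

Running it on SAMPLE_ENTRIES reports nothing for the first name and flags the other three; the point of resolving the landing path rather than only grepping for ".." is that the verdict stays correct for entries whose traversal is hidden behind the colon.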

Incidents

Fortinet describes a high-severity intrusion campaign that leveraged compromised internal email accounts at multiple Israeli organizations to distribute tailored phishing messages. The lure referenced a mentoring session on wartime conditions and medical/pharmaceutical supplies and redirected recipients to a spoofed Microsoft Teams page, where they were instructed to paste and run an obfuscated PowerShell loader. The chain concatenated Base64 fragments and retrieved a second-stage script from hxxps[:]//pharmacynod[.]com/Fix, which then decoded and decompressed a payload to launch a PowerShell-based RAT entirely in memory. The implant communicated over HTTPS to a single C2 on pharmacynod[.]com, registered victims to /16625 with transformed host metadata, and polled persistently with randomized sleeps. Numeric-coded commands such as 7979, 5322, 4622, and 2474 enabled reinitialization, file download, beacon timing changes, and arbitrary command execution, with compressed result exfiltration to /17361. Operators used layered obfuscation (double GZip, Base64, string reversal, URL-safe substitutions) and native APIs to avoid dropping binaries. Some tactics overlap with MuddyWater, but the bespoke full-PowerShell tooling and other divergences leave attribution unconfirmed. Fortinet notes platform detections (including signature PowerShell/Agent.PH!tr) and recommends monitoring for these patterns, layered controls, and incident response where needed.
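
The layered encoding described above (double GZip, Base64, string reversal, URL-safe substitutions) is the part an analyst has to undo before any of the command codes or C2 paths become visible. The Python below is an added example, not Fortinet's code: a layer-peeling helper that records which transforms it removed, exercised on a harmless constructed stand-in that build_sample() wraps in the same layer order; no real payload is used.

```python
"""Added example, not Fortinet's code: peel the obfuscation layers the write-up
lists (GZip applied twice, Base64, string reversal, URL-safe substitutions) off
a captured blob, recording each layer removed. SAMPLE_SCRIPT and build_sample()
construct a harmless stand-in for this example; no real payload is used.
"""
import base64
import gzip
import re
import string
import zlib

PRINTABLE = set(string.printable.encode("ascii"))
GZIP_MAGIC = b"\x1f\x8b"


def looks_like_text(data):
    return bool(data) and all(byte in PRINTABLE for byte in data)


def inflate(data):
    """gzip-decompress, or None when the bytes are not a valid gzip member."""
    if data[:2] != GZIP_MAGIC:
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None


def decode_b64(text):
    """Join fragments, undo URL-safe substitutions, fix padding; None if not Base64."""
    t = re.sub(r"\s+", "", text).replace("-", "+").replace("_", "/")
    t += "=" * (-len(t) % 4)
    try:
        return base64.b64decode(t, validate=True)
    except ValueError:
        return None


def accept(out):
    """A decoding step counts only if it yields another gzip layer or readable text."""
    return out is not None and (inflate(out) is not None or looks_like_text(out))


def peel(data, max_layers=10):
    """Strip layers until the bytes are plain text that decodes no further."""
    layers = []
    for _ in range(max_layers):
        inner = inflate(data)
        if inner is not None:
            data, layers = inner, layers + ["gzip"]
            continue
        if not looks_like_text(data):
            break  # binary that is not gzip: leave it for manual analysis
        text = data.decode("ascii")
        out = decode_b64(text)
        if accept(out):
            data, layers = out, layers + ["base64"]
            continue
        out = decode_b64(text[::-1])  # the write-up's string reversal layer
        if accept(out):
            data, layers = out, layers + ["reverse+base64"]
            continue
        break
    return data, layers


SAMPLE_SCRIPT = "Write-Host 'constructed stand-in for the staged script'"


def build_sample(script):
    """Constructed sample: apply the write-up's layer order inside out."""
    blob = gzip.compress(gzip.compress(script.encode("ascii")))
    b64 = base64.urlsafe_b64encode(blob).decode("ascii").rstrip("=")
    return b64[::-1].encode("ascii")


if __name__ == "__main__":
    plain, layers = peel(build_sample(SAMPLE_SCRIPT))
    print(layers, plain.decode("ascii"))
```

The accept() rule is what keeps the loop honest: a reversed Base64 string often still decodes without error, so a step is kept only when its output is either another gzip member or printable text, and the helper stops on opaque binary instead of guessing.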

Platforms

Responding to new research on speculative execution, AWS outlines why the Nitro System and Nitro Hypervisor are not at risk from the technique dubbed L1TF Reloaded, which combines half-Spectre gadgetry with L1 Terminal Fault to transiently leak guest data from vulnerable hypervisors. AWS emphasizes architectural resilience rather than a single mitigation: the hypervisor excludes non-essential components to reduce attack surface, and secret hiding via eXclusive Page Frame Ownership removes guest memory from the hypervisor’s virtual address space. Nitro extends the model to guest CPU context by saving registers and sensitive state in process-local mappings, and similar principles are applied to legacy Xen-based instances through Xen-on-Nitro. Defense-in-depth measures, including L1 data cache flushing and core scheduling, complement secret hiding. AWS notes coordinated disclosure and advises customers to continue isolating workloads by instance, enclave, or function boundaries in line with public guidance.

For teams that analyze malware in the cloud, a separate post from AWS provides practical architecture guidance for secure detonation environments. The approach balances isolation and visibility: analysts connect through AWS Systems Manager Session Manager; EC2 detonation instances run in private subnets within dedicated, isolated VPCs with no outbound connectivity; and samples reside in encrypted S3 buckets reachable only through VPC gateway endpoints. The guidance stresses disabling DNS and avoiding NAT or internet gateways unless explicitly required, enforcing least privilege with IAM permission boundaries and Organizations SCPs, hardening instances, and using immutable, short-lived hosts to reduce lateral movement and contamination risk. Centralized logging and detection—via CloudTrail, GuardDuty, and aggregated secure logs—support accountability. Operational practices include strict tagging, cost controls, hardened AMIs, and automated orchestration to create, test, and destroy environments, backed by a checklist that covers policy, account structure, VPC design, instance configuration, storage and logging, monitoring, IAM, and lifecycle management.

Research

CrowdStrike examines how data leakage during model development can inflate performance and weaken real-world detection, and compares random splits with blocked (grouped) splits that keep correlated observations together. In experiments on process-behavior classification using tree-based binary classifiers, 80% of labeled data were used for five-fold cross-validation and 20% held out from new blocks and later time. Purely random partitioning overestimated performance, while blocked cross-validation produced a more realistic estimate but highlighted how hard extrapolation to new machines or blocks can be. Early stopping behavior differed substantially: with a blocked validation split, boosting halted around iteration 198, whereas a random split appeared to improve beyond 1,000 rounds, reflecting leakage-driven overfitting. On the held-out test set, the random-split model reached AUC 0.966 versus 0.948 for the blocked-split model, underscoring the trade-off that blocking reduces leakage but may limit predictor coverage and risk underfitting. The post situates these findings in the broader literature and frames partitioning strategy as a practical safeguard: prioritize evaluation fidelity and continuous assessment when the goal is robust detection against novel threats.
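
The difference between random and blocked partitioning is concrete enough to run. The Python below is an added example, not CrowdStrike's code: on a constructed dataset where each block stands in for one machine, it builds a random split, a blocked split, a time-based holdout and blocked k-fold folds, measures leakage directly (the share of test observations that have a same-block sibling in training), and shows how a memorising nearest-neighbour model scores under each split. It goes slightly beyond the post by also producing the k-fold folds.

```python
"""Added example, not CrowdStrike's code: random versus blocked (grouped) and
time-based splits on a constructed dataset. Each block stands in for one machine;
leakage_rate() measures how many test observations have a same-block sibling in
training, and nearest_neighbour_accuracy() shows how a memorising model scores.
"""
import random
from collections import defaultdict


def make_dataset(n_blocks=50, per_block=10, seed=7):
    """Constructed data: one label per block, a machine fingerprint that dominates
    the feature vector, a weak true signal, and timestamps increasing with block."""
    rng = random.Random(seed)
    blocks, times, X, y = [], [], [], []
    for b in range(n_blocks):
        label = rng.randrange(2)  # the whole machine is either infected or clean
        for i in range(per_block):
            blocks.append(b)
            times.append(b * per_block + i)
            y.append(label)
            X.append((b * 100.0, label + rng.gauss(0, 1)))  # (fingerprint, noisy signal)
    return blocks, times, X, y


def random_split(n, test_frac=0.2, seed=7):
    idx = list(range(n))
    random.Random(seed).shuffle(idx)
    cut = int(n * test_frac)
    return sorted(idx[cut:]), sorted(idx[:cut])


def blocked_split(blocks, test_frac=0.2, seed=7):
    """Hold out whole blocks so no block straddles train and test."""
    ids = sorted(set(blocks))
    random.Random(seed).shuffle(ids)
    held = set(ids[: max(1, int(len(ids) * test_frac))])
    train = [i for i, b in enumerate(blocks) if b not in held]
    test = [i for i, b in enumerate(blocks) if b in held]
    return train, test


def blocked_kfold(blocks, k=5):
    """k block-disjoint folds, filled greedily so fold sizes stay balanced."""
    members = defaultdict(list)
    for i, b in enumerate(blocks):
        members[b].append(i)
    folds = [[] for _ in range(k)]
    for b in sorted(members, key=lambda b: -len(members[b])):
        smallest = min(range(k), key=lambda f: len(folds[f]))
        folds[smallest].extend(members[b])
    return [sorted(f) for f in folds]


def later_time_holdout(times, test_frac=0.2):
    """Temporal holdout: the newest test_frac of observations form the test set."""
    order = sorted(range(len(times)), key=lambda i: times[i])
    cut = int(len(times) * (1 - test_frac))
    return sorted(order[:cut]), sorted(order[cut:])


def leakage_rate(train, test, blocks):
    """Share of test observations whose block also appears in training."""
    seen = {blocks[i] for i in train}
    return sum(blocks[i] in seen for i in test) / len(test)


def nearest_neighbour_accuracy(X, y, train, test):
    """1-NN on Euclidean distance; it memorises fingerprints when they leak into training."""
    correct = 0
    for i in test:
        j = min(train, key=lambda j: sum((a - b) ** 2 for a, b in zip(X[i], X[j])))
        correct += y[i] == y[j]
    return correct / len(test)


def compare(seed=7):
    blocks, times, X, y = make_dataset(seed=seed)
    splits = {
        "random": random_split(len(y), seed=seed),
        "blocked": blocked_split(blocks, seed=seed),
        "later-time": later_time_holdout(times),
    }
    return {
        name: {"leakage": leakage_rate(tr, te, blocks),
               "accuracy": nearest_neighbour_accuracy(X, y, tr, te)}
        for name, (tr, te) in splits.items()
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:11s} leakage={r['leakage']:.2f} 1-NN accuracy={r['accuracy']:.2f}")
```

With the fingerprint dominating distance, the random split lets 1-NN find a same-machine neighbour for every test point and scores perfectly, while the blocked and time-based splits deny it that shortcut and its score falls toward chance; that gap is the inflation the post warns about, and the leakage rate is the quantity to report alongside any cross-validated estimate.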

These and other news items from the day:

Mon, August 11, 2025

Erlang/OTP SSH RCE: CVE-2025-32433 Exploitation Wave

⚠️ Unit 42 details active exploitation of CVE-2025-32433, a critical (CVSS 10.0) unauthenticated RCE in the Erlang/OTP SSH daemon that processes SSH protocol messages prior to authentication. Researchers reproduced and validated the bug and observed exploit bursts from May 1–9, 2025, with payloads delivering reverse shells and DNS-based callbacks to randomized subdomains. Immediate remediation is to upgrade to OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20 (or later); temporary measures include disabling SSH, restricting access and applying Unit 42 signature 96163.


Mon, August 11, 2025

WinRAR zero-day (CVE-2025-8088) exploited by RomCom

🔒 ESET researchers disclosed a previously unknown WinRAR zero-day, CVE-2025-8088, actively exploited by the Russia-aligned group RomCom. The flaw is a path-traversal vulnerability that leverages NTFS alternate data streams (ADS) to conceal malicious files in RAR archives, which are silently deployed on extraction. Observed payloads included a Mythic agent, a SnipBot variant, and RustyClaw (MeltingClaw), targeting organizations in finance, manufacturing, defense and logistics. Users and vendors relying on WinRAR, UnRAR.dll or its source must update to the July 30, 2025 patched release immediately.


Mon, August 11, 2025

WinRAR zero-day (CVE-2025-8088) used in RomCom attacks

🔒 ESET researchers uncovered a previously unknown WinRAR vulnerability, tracked as CVE-2025-8088, that is being actively exploited by the Russia-aligned actor RomCom in targeted spearphishing campaigns. The Windows path traversal flaw enables execution of arbitrary code when victims open crafted archives. Users should update to WinRAR 7.13 immediately and consult ESET's video and blogpost for indicators and mitigation.


Mon, August 11, 2025

Full PowerShell RAT Campaign Targets Israeli Organizations

🔒 The FortiMail Workspace Security team uncovered a targeted intrusion campaign that abused compromised internal email to deliver a multi-stage, fully PowerShell-based Remote Access Trojan targeting Israeli organizations. Phishing links redirected users to a spoofed Microsoft Teams page that instructed victims to press Windows+R, paste an obfuscated Base64 loader, and execute a PowerShell IEX fetch from a hard-coded C2 (hxxps[:]//pharmacynod[.]com), which in turn staged scripts and a compressed, in-memory RAT. The operation uses layered obfuscation, native Windows APIs, and living-off-the-land techniques to enable remote access, surveillance, persistence, lateral movement, and data exfiltration; Fortinet protections detect and block this activity.


Mon, August 11, 2025

AWS Nitro protections shield EC2 from L1TF Reloaded

🔒 AWS confirms that guest data on instances running on the Nitro System and Nitro Hypervisor is not at risk from the research known as L1TF Reloaded, and no additional customer action is required. The researchers demonstrate that the technique chains half-Spectre gadgets with L1 Terminal Fault (L1TF) to transiently leak data on some hypervisors, but Nitro’s security-first architecture prevented data extraction. Nitro’s design relies on eXclusive Page Frame Ownership (XFPO) secret hiding, a minimal hypervisor footprint, and layered mitigations; AWS also notes coordinated disclosure and that it sponsored part of the research.


Mon, August 11, 2025

Preventing ML Data Leakage Through Strategic Splitting

🔐 CrowdStrike explains how inadvertent 'leakage' — when dependent or correlated observations are included in training — can inflate machine learning performance and undermine threat detection. The article shows that blocked or grouped data splits and blocked cross-validation produce more realistic performance estimates than random splits. It also highlights trade-offs, such as reduced predictor-space coverage and potential underfitting, and recommends careful partitioning and continuous evaluation to improve cybersecurity ML outcomes.


Mon, August 11, 2025

Malware Analysis on AWS: Building Secure Isolated Sandboxes

🔒 This AWS blog explains how security teams can run malware analysis in the cloud while complying with AWS policies and minimizing risk. It recommends an architecture that uses an isolated VPC with no internet egress, ephemeral EC2 detonation hosts accessed via AWS Systems Manager Session Manager, and secure S3 storage via VPC gateway endpoints with encryption. The post emphasizes strong IAM and SCP guardrails, immutable hosts, automated teardown, centralized logging, and monitoring with CloudTrail and GuardDuty to maintain visibility and lifecycle control.
