
Netizen: Monday Security Brief (8/11/2024)

Today’s Topics:

  • Threat Actor RomCom Exploits WinRAR Zero-Day in Targeted Espionage Campaign
  • Over 29,000 Microsoft Exchange Servers Remain Unpatched for High-Severity Hybrid Cloud Exploit
  • How can Netizen help?

Threat Actor RomCom Exploits WinRAR Zero-Day in Targeted Espionage Campaign

A Russia-linked threat group known as RomCom, also tracked as Storm-0978, Tropical Scorpius, and UNC2596, has been caught exploiting a newly discovered WinRAR zero-day vulnerability, CVE-2025-8088, in cyberespionage operations targeting organizations in Europe and Canada.

CVE-2025-8088 is a path traversal flaw in WinRAR involving the use of alternate data streams. It allows attackers to craft malicious archive files that extract contents to attacker-controlled paths rather than the user-specified directory. This can be abused to overwrite critical files or plant malicious payloads without user awareness.
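The two tricks described above, a destination that escapes the chosen folder and a name that targets an NTFS alternate data stream, are both visible in the member names an archive carries. The following added example (not from the brief, and not a description of WinRAR's internals or of the CVE-2025-8088 fix) shows the generic pre-extraction screening a defender can apply to any archive listing; the member names and destination folder are constructed samples.

```python
"""Screen archive member names for traversal and ADS tricks before extraction.

Added example, not from the original brief: generic defensive checks that
apply to any archive format, not an account of WinRAR's CVE-2025-8088 bug.
"""
import ntpath
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    name: str
    reason: str      # "ok", "absolute", "ads" or "traversal"
    resolved: str    # where the entry would land if extracted under dest_dir


def screen_entry(dest_dir: str, name: str) -> Verdict:
    """Return why `name` is unsafe to extract under `dest_dir`, or "ok"."""
    # Windows extractors accept both separators, so normalise to "/".
    norm = name.replace("\\", "/")
    # A drive letter, UNC prefix or leading slash means an absolute destination.
    if ntpath.splitdrive(name)[0] or norm.startswith("/"):
        return Verdict(name, "absolute", name)
    # NTFS alternate data stream syntax is a colon inside a path component
    # (e.g. "file.pdf:hidden.exe"); drive letters were already handled above.
    if any(":" in part for part in norm.split("/")):
        return Verdict(name, "ads", name)
    # Resolve any ".." segments against dest_dir and require the result to
    # stay inside it; "notes/../x" is fine, "../../x" is not.
    dest = posixpath.normpath(dest_dir.replace("\\", "/"))
    target = posixpath.normpath(posixpath.join(dest, norm))
    if target != dest and not target.startswith(dest.rstrip("/") + "/"):
        return Verdict(name, "traversal", target)
    return Verdict(name, "ok", target)


def screen_archive(dest_dir: str, names) -> list:
    return [screen_entry(dest_dir, n) for n in names]


SAMPLE_ENTRIES = [  # constructed member names, not taken from any real sample
    "resume.pdf",
    "docs/cover_letter.docx",
    "../../Startup/update.exe",
    "resume.pdf:payload.exe",
    "C:/Windows/Temp/x.dll",
    "notes/../resume.txt",
]

if __name__ == "__main__":
    for v in screen_archive("C:/Users/analyst/Downloads/resume", SAMPLE_ENTRIES):
        print(f"{v.reason:<9} {v.name!r:<30} -> {v.resolved}")
```

Anything other than "ok" is a reason to quarantine the archive rather than extract it; the same checks can be run over a mail gateway's attachment listing before delivery.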

The vulnerability was reported to WinRAR by ESET, which observed active exploitation beginning July 18, 2025. A beta fix was released on July 25, just one day after disclosure, and the final patch was issued on July 30.

RomCom leveraged spearphishing emails to deliver the malicious archives, disguising them as resumes to increase credibility. The targeting was precise, indicating prior reconnaissance. Intended victims included organizations in the financial, defense, manufacturing, and logistics sectors across Canada and Europe.

While ESET confirmed that none of the targeted organizations were successfully compromised, the payloads were designed to install a range of backdoors, including SnipBot, RustyClaw, and Mythic Agent.

RomCom has a history of combining cyberespionage with opportunistic cybercrime and is known for exploiting zero-days against high-value targets in Europe and North America. This activity underscores the group’s ability to pivot quickly to new vulnerabilities and weaponize them in targeted campaigns.

ESET noted that CVE-2025-8088 shares similarities with CVE-2025-6218, another WinRAR path traversal bug patched earlier this year. Russian security firm Bi.zone reported that both flaws have been exploited in recent operations, including attacks by a group it tracks as Paper Werewolf against Russian organizations such as an equipment manufacturer.

Organizations using WinRAR are advised to update immediately to the latest version to close CVE-2025-8088 and related vulnerabilities. Security teams should also review spearphishing defenses, enhance email filtering for malicious attachments, and monitor for the delivery of suspicious archive files.


Over 29,000 Microsoft Exchange Servers Remain Unpatched for High-Severity Hybrid Cloud Exploit

More than 29,000 Microsoft Exchange servers exposed to the internet have not been patched against CVE-2025-53786, a high-severity vulnerability that could enable attackers to escalate privileges within hybrid cloud environments and potentially achieve full domain compromise.

This flaw affects Exchange Server 2016, Exchange Server 2019, and Microsoft Exchange Server Subscription Edition in hybrid configurations. An attacker with administrative access to an on-premises Exchange server could exploit CVE-2025-53786 to forge or manipulate trusted tokens and API calls, moving laterally into the connected cloud environment. The activity leaves minimal traces, making detection difficult.

Microsoft addressed the vulnerability in April 2025 with a hotfix released as part of its Secure Future Initiative, introducing a dedicated hybrid app to replace the insecure shared identity model previously used between on-premises Exchange and Exchange Online. Although Microsoft has not observed active exploitation, it rated the flaw as “Exploitation More Likely” due to the potential for consistent exploit development.

According to scans by Shadowserver, as of August 10, 2025, there were 29,098 unpatched Exchange servers online. Over 7,200 were located in the United States, 6,700 in Germany, and 2,500 in Russia. The remaining vulnerable servers are distributed across other regions, all at risk of compromise if exploited.

Following Microsoft’s disclosure, CISA issued Emergency Directive 25-02, directing all Federal Civilian Executive Branch agencies to mitigate CVE-2025-53786 by August 11, 2025, at 9:00 AM ET. Agencies were instructed to:

  • Inventory Exchange environments using Microsoft’s Health Checker script.
  • Disconnect unsupported, public-facing Exchange servers from the internet.
  • Apply the April 2025 hotfix and update to the latest cumulative updates (CU14 or CU15 for Exchange 2019, CU23 for Exchange 2016).

CISA warned that failing to patch could result in a “hybrid cloud and on-premises total domain compromise.”

Although the directive applies only to federal agencies, CISA urged all organizations, public and private, to apply the same mitigations. The agency emphasized that the risk extends to “every organization and sector using this environment,” regardless of industry.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.