EvilBit Threat Digest - Edge of Chaos: Firewall Flaws and Cloud Fumbles

A roundup of firewall flaws and edge-security woes: WatchGuard RCE, Zyxel bypasses, eBPF rootkits, and evolving cloud threats.

Another week, another series of reminders that the digital world is built on a complex, often fragile, foundation. It’s KryptoKat here. While half the internet was holding its breath during Monday's AWS outage in us-east-1, the other half was apparently busy finding new and exciting ways to punch holes in perimeter security devices. It’s a testament to the importance of fundamentals—resilience in the cloud, integrity on your edge.

UncleSp1d3r here. Couldn't have said it better. While a good cloud outage is a fine spectator sport, I prefer my chaos a little more hands-on. And this week delivered a delightful pile of firewall vulnerabilities, proving once again that the crunchy outer shell is often softer than you think.

Let's get into it.

Firewall Follies: A Rough Week for the Edge

It seems like it was a banner week for finding holes in the very boxes meant to keep the bad stuff out. First up, WatchGuard is having a bad time. Researchers found a critical unauthenticated RCE (CVE-2025-9242) in the Fireware OS iked process. As reported by BleepingComputer, an attacker can take over a vulnerable Firebox device by sending a specially crafted IKEv2 packet, provided it's configured with a dynamic gateway peer. With Shadowserver seeing around 75,000 vulnerable devices on the internet, this is a big deal. WatchGuard has confirmed active exploitation and provided indicators of attack, so if you're running one of these, patch. Now.

Not to be outdone, Zyxel dropped a pair of their own advisories. The first, CVE-2025-8078, is a post-authentication command injection that allows an admin to gain root OS execution. The researcher at Rainpwn found a neat way to use curly braces to bypass input filters and pop a reverse shell. The second, CVE-2025-9133, is an authorization bypass that allows a partially authenticated user (someone who has passed only the first factor of 2FA) to dump the device's entire running configuration just by chaining commands with a semicolon. Leaking VPN PSKs and other secrets from a firewall? Classic. Zyxel has issued fixes in ZLD v5.41, so get to it.

Malware Bazaar: From the Cloud to the Blockchain

It is a truth universally acknowledged that an advanced adversary in possession of a good toolkit, must be in want of a replacement when the old one gets burned. KryptoKat here, and Google's Threat Intelligence group brings us a perfect example. They report that the Russian state-aligned group COLDRIVER (aka Star Blizzard/UNC4057) has retired its LOSTKEYS malware in favor of a new three-stage implant system. The new chain starts with NOROBOT, a DLL downloader delivered via fake CAPTCHA pages, which leads to either a Python-based backdoor (YESROBOT) or its successor, a PowerShell-based tool called MAYBEROBOT. The Record notes it’s a typical cat-and-mouse game, but Google’s report includes a wealth of IOCs and YARA rules for defenders.

Speaking of novel tradecraft, the crew at Synacktiv published a fantastic analysis of a real-world eBPF-based rootkit they call "LinkPro." Deployed in a compromised AWS EKS cluster after initial access via a vulnerable Jenkins instance, this malware is impressively stealthy. It uses eBPF programs to hide its own processes and network activity, waiting for a "magic packet" to activate its backdoor. It even has a fallback persistence mechanism using LD_PRELOAD in case it can't install the eBPF components. Time to start monitoring for suspicious eBPF program loads and locking down CAP_SYS_ADMIN in your clusters.

Finally, in "Why make it easy when you can make it complicated?" news, VMRay found the SharkStealer infostealer using the BNB Smart Chain Testnet as a C2 dead-drop. The malware makes JSON-RPC eth_call requests to a smart contract to fetch an encrypted blob, which it then decrypts to get the real C2 address. It's a clever way to abuse public infrastructure to make takedowns and blocking much harder. Defenders should start asking themselves if their endpoints really need to be making calls to blockchain testnets.
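As an added example (not from VMRay's report), here is the kind of proxy-log hunt the last sentence suggests: parse POST bodies as JSON-RPC and flag `eth_call` reads against a contract, which is the dead-drop fetch pattern described above. The log records and RPC hostnames are constructed placeholders; fill the host list from your own intel.

```python
"""Hunt web-proxy logs for JSON-RPC eth_call traffic (constructed sample data)."""
import json

# Constructed placeholder list of blockchain RPC endpoints seen in your environment.
KNOWN_CHAIN_RPC_HOSTS = {"testnet-rpc.example", "rpc.chain-testnet.example"}

# Constructed proxy records: (client_ip, dst_host, http_method, request_body)
SAMPLE_PROXY_LOG = [
    ("10.0.0.21", "testnet-rpc.example", "POST",
     '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":'
     '[{"to":"0x00000000000000000000000000000000deadbeef","data":"0x6d4ce63c"},"latest"]}'),
    ("10.0.0.22", "api.internal.example", "POST",
     '{"jsonrpc":"2.0","id":2,"method":"getUser","params":[42]}'),
    ("10.0.0.23", "cdn.vendor.example", "GET", ""),
    ("10.0.0.24", "rpc.chain-testnet.example", "POST",
     '{"jsonrpc":"2.0","id":3,"method":"eth_blockNumber","params":[]}'),
    # A batch request hides the eth_call inside a JSON array.
    ("10.0.0.25", "unknown-host.example", "POST",
     '[{"jsonrpc":"2.0","id":4,"method":"eth_call","params":[{"to":"0x1111","data":"0x"},"latest"]}]'),
]


def parse_jsonrpc(body):
    """Return the JSON-RPC 2.0 request objects in a body (single or batch), else []."""
    if not body:
        return []
    try:
        obj = json.loads(body)
    except ValueError:
        return []
    reqs = obj if isinstance(obj, list) else [obj]
    return [r for r in reqs if isinstance(r, dict) and r.get("jsonrpc") == "2.0" and "method" in r]


def classify(client, host, body):
    """Return (client, host, severity, reason) for suspicious records, else None."""
    for req in parse_jsonrpc(body):
        method = req.get("method", "")
        if method == "eth_call":
            # Reading a contract from an endpoint is the C2 dead-drop pattern.
            params = req.get("params") or [{}]
            contract = params[0].get("to") if isinstance(params[0], dict) else None
            return (client, host, "high", f"eth_call to contract {contract}")
        if method.startswith("eth_") or host in KNOWN_CHAIN_RPC_HOSTS:
            return (client, host, "medium", f"JSON-RPC {method} to chain RPC host")
    return None


def hunt_eth_call(records):
    """Run classify() over proxy records and keep only the findings."""
    return [f for f in (classify(c, h, b) for c, h, _m, b in records) if f]
```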

Breaches, Bugs, and Bad News

Keeping with our theme of "check your sources," the official Xubuntu website was briefly compromised this week. The team discovered that a download link for torrenting the OS had been hijacked to serve a malicious ZIP file containing a Windows executable. The payload was a clipboard-hijacker designed to swap cryptocurrency addresses. While the core ISOs on Canonical's mirrors were unaffected, it's a stark reminder to always verify checksums and GPG signatures for your downloads. The site is clean now, but trust, once broken, is hard to mend.

In other news, an iOS exploit developer (formerly of Trenchant/L3Harris) received a notification from Apple that his iPhone may have been targeted by state-sponsored spyware, reports TechCrunch. While initial forensics didn't find a smoking gun, it's a fun bit of irony. Poacher, meet gamekeeper. For high-risk individuals, this is your regular reminder to enable Lockdown Mode and keep your devices updated.

And while we're on the subject of Apple, researchers at Dataflow Security published a deep dive on an out-of-bounds write in the IOGPUFamily driver (CVE-2025-24257). The bug, fixed in iOS/iPadOS 18.4, could allow a malicious app to corrupt kernel memory, leading to privilege escalation. As always, Apple's patch notes are light on detail, but the write-up provides excellent root cause analysis for those of us who like to know why we're patching.

Finally, a vulnerability in Netty's SMTP codec (CVE-2025-59419) allows for classic CRLF injection. This could let an attacker abuse a trusted server to generate forged emails that pass SPF/DKIM/DMARC checks, making them perfect for high-credibility phishing. Check the GitHub security advisory for patched versions and sanitize those inputs.
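Netty's codec is Java; this added Python example (not Netty's code) shows the same property in miniature: a naive SMTP command encoder lets a CR/LF in a parameter split one command into two, while a hardened encoder rejects the parameter before it ever reaches the wire. The tainted address below is constructed.

```python
"""Contrast a CRLF-prone SMTP command encoder with one that validates parameters."""
import re

# A CR or LF inside a parameter terminates the current command line and starts
# a new one on the server, which is the CRLF-injection class behind CVE-2025-59419.
_CRLF = re.compile(r"[\r\n]")


class SmtpInjectionError(ValueError):
    """Raised when a caller-supplied parameter carries CR or LF."""


def encode_smtp_command_unsafe(verb, *params):
    """Naive 'before' encoder: concatenates without checking (defect shown for contrast)."""
    return " ".join((verb, *params)) + "\r\n"


def encode_smtp_command(verb, *params):
    """Hardened encoder: refuses any parameter containing CR or LF."""
    for p in params:
        if _CRLF.search(p):
            raise SmtpInjectionError(f"CR/LF in SMTP parameter: {p!r}")
    return " ".join((verb, *params)) + "\r\n"


def count_commands(wire):
    """Count the SMTP command lines actually present in an encoded string."""
    return sum(1 for line in wire.split("\r\n") if line)


# Constructed tainted recipient: a second RCPT TO smuggled after an embedded CRLF.
TAINTED_ADDR = "alice@example.com\r\nRCPT TO:<bob@example.com>"
```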

For the Researchers in the Back

This one's for the real nerds in the room. UncleSp1d3r here. First, Prelude Security has an absolutely fantastic technical walkthrough of Windows ARM64 Pointer Authentication (PAC). PAC is a hardware-level mitigation against memory corruption exploits, specifically Return-Oriented Programming (ROP), by signing and validating return addresses on the stack. This post gets into the nitty-gritty of kernel and user-mode keys, the /guard:signret compiler flag, and how HyperGuard protects it all. It’s a must-read for anyone developing or defending on Windows on ARM.

And if you're looking for a new trick for your next engagement, there's a great tutorial on tunneling WireGuard over HTTPS using wstunnel. This lets you wrap your VPN traffic in a standard WebSocket, making it look like regular HTTPS traffic that can bypass many network egress filters. The post provides configs for everything from Docker to Caddy. Naturally, this is a dual-use tool. For my blue team friends, this is a good opportunity to hunt for long-lived WebSocket connections with high data volume going to unusual places.
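For the blue team side of that paragraph, here is an added example (not from the tutorial) of the hunt described: score WebSocket connections by duration, volume, traffic symmetry (a VPN tunnel moves bytes both ways, a typical browser WebSocket is receive-heavy) and whether the destination is a known service. The connection records and the allowlist of hosts are constructed placeholders.

```python
"""Score WebSocket connections for tunnel-like behaviour (constructed sample data)."""
from dataclasses import dataclass

MIB = 1024 * 1024

# Constructed allowlist of destinations that legitimately hold long WebSockets.
KNOWN_WS_HOSTS = {"chat.saas.example", "meet.saas.example"}


@dataclass
class WsConn:
    """One connection summary, as a proxy or flow sensor would record it."""
    src: str
    dst_host: str
    dst_port: int
    duration_s: float
    orig_bytes: int   # client -> server
    resp_bytes: int   # server -> client
    upgrade: str      # value of the HTTP Upgrade header, "" if none


# Constructed sample: one tunnel-like flow among ordinary traffic.
SAMPLE_CONNS = [
    WsConn("10.0.0.5", "vps-7f3a.example", 443, 28800, 900 * MIB, 1200 * MIB, "websocket"),
    WsConn("10.0.0.6", "chat.saas.example", 443, 30000, 2 * MIB, 40 * MIB, "websocket"),
    WsConn("10.0.0.7", "www.site.example", 443, 15, 4096, 2 * MIB, ""),
    WsConn("10.0.0.8", "unknown.example", 443, 120, 10 * MIB, 12 * MIB, "websocket"),
]


def ws_tunnel_score(c, min_duration_s=3600, min_bytes=50 * MIB):
    """Return 0 for non-WebSocket flows, otherwise 0-4 tunnel indicators."""
    if c.upgrade.lower() != "websocket":
        return 0
    score = 0
    if c.duration_s >= min_duration_s:
        score += 1                       # long-lived
    if c.orig_bytes + c.resp_bytes >= min_bytes:
        score += 1                       # high volume
    ratio = c.orig_bytes / max(c.resp_bytes, 1)
    if 0.25 <= ratio <= 4.0:
        score += 1                       # roughly symmetric, VPN-like
    if c.dst_host not in KNOWN_WS_HOSTS:
        score += 1                       # unusual destination
    return score


def hunt_ws_tunnels(conns, threshold=3):
    """Return (src, dst_host, score) for connections at or above the threshold."""
    scored = ((c.src, c.dst_host, ws_tunnel_score(c)) for c in conns)
    return [hit for hit in scored if hit[2] >= threshold]
```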

On Fundamentals and Time Itself

I'll wrap us up with a couple of notes on the basics. I already mentioned the AWS outage, which was ultimately traced to DNS issues affecting DynamoDB. It wasn't a malicious attack, but it was a masterclass in the operational impact of single-region dependencies. Test your failover, people.

And finally, the SANS Internet Storm Center took a look at the accuracy of the pool.ntp.org service amidst claims of attacks on time services. Their conclusion is that the pool is generally accurate to the millisecond, but for high-assurance environments, you should be curating your own list of trusted, authenticated NTP sources. Time is fundamental to everything from logs to Kerberos; it's worth getting it right.

That’s all for this edition. Go patch your firewalls, check your checksums, and maybe take a look at your NTP config. It’s probably been a while.

— KryptoKat & UncleSp1d3r