EvilBit Threat Digest - Cloudy with a Chance of Backups: State Actors, Zero-Days, and the RMM Ruckus

Security roundup on cloud backup breaches, critical CVEs, and malware trends, urging patching, credential rotation, MFA, and immutable backups.

Another week, another frantic dash to patch the perimeter before it falls over. It seems state-sponsored actors have decided that stealing firewall backups directly from the cloud is the new hotness, while the rest of the world’s ne’er-do-wells have rediscovered their love for abusing remote management tools. As my dear husband UncleSp1d3r put it, “It’s like they found the admin password to the admin passwords.”

To which I can only say, it is a fact little understood by management, that a network once secure yesterday may today be laid bare by the vanity of a single click. This week, we got all three in spades.

Let's dive in.


The "Check Your Backups, Then Rotate Everything" Section

First up, the big one. SonicWall has confirmed that a state-sponsored threat actor gained access to its MySonicWall cloud environment via an API call and made off with firewall configuration backups. If you have ever used the cloud backup feature, you are considered impacted. While SonicWall, with assistance from Mandiant, says the breach was limited to this specific cloud environment and did not affect firmware or other systems, the implications are serious. Those backups contain your firewall’s secrets—encrypted, yes, but now in the hands of a determined adversary. The clear and urgent guidance is to log into your MySonicWall portal, use their provided tools, and begin the joyous festival of rotating every last credential, key, and certificate in those configs.

In a similar vein, Japanese media giant Nikkei disclosed a breach of its internal Slack workspace. The cause? Malware on a single employee's PC stole their Slack credentials. The result? Potential exposure of names, emails, and chat histories for over 17,000 users. It’s a stark reminder that the keys to the kingdom often aren't taken by force, but simply lifted from an unlocked drawer. Enforce MFA on your collaboration tools, folks.

And for a masterclass in incident response lessons, look no further than the State of Nevada's after-action report on its August ransomware incident. The intrusion started way back in May with a trojanized IT admin tool downloaded from a malicious search ad. The attackers tunneled in, lived off the land with RDP, snagged credentials from a password vault, and then, months later, deleted the backups and encrypted the servers. The state refused to pay the ransom and recovered ~90% of its data, but the incident underscores the critical importance of application allowlisting, egress monitoring, and truly immutable backups.


Patch Tuesday Came Early: The CVE Parade

It was a brutal week for internet-facing infrastructure and developer tools. Prioritize these patches.

Cisco Firewalls Under Active Attack: Cisco has been wrestling with a critical RCE in its ASA and FTD firewall software for a bit, but the situation has escalated. The company now confirms active exploitation of CVE-2025-20333, an authenticated vulnerability in the VPN web server. Worse, a new attack variant is causing unpatched devices to simply fall over and reload, resulting in a denial-of-service. There are no workarounds. If you’re running a vulnerable version, you need to upgrade immediately. CISA has also added the CVE to its KEV catalog, so the clock is ticking.

Cl0p Hammers Oracle E-Business Suite: The Cl0p ransomware syndicate is reportedly exploiting a pre-authentication RCE in Oracle E-Business Suite (CVE-2025-61882) for data theft and extortion. This bug affects the BI Publisher integration in EBS versions 12.2.3 through 12.2.14. Both Oracle and Google/Mandiant have published alerts with IOCs and detailed exploit paths. If you have EBS exposed to the internet, you are on borrowed time. Patching is critical. We've talked about this before, but it seems to be the gift that keeps on giving.

More Patching Headaches:


Malware Roundup: Gootloader's Back, and Vidar Wants Your Cloud Creds

The malware authors have been busy little bees.

Gootloader Returns with Vexing New Tricks: After a seven-month hiatus, the Gootloader access-as-a-service crew is back in business. They're still using SEO poisoning with legal-themed lures, but have added a clever evasion technique: a malformed ZIP file that unpacks a malicious JavaScript file in Windows Explorer, but a benign text file in most sandboxing tools. They’ve also swapped their persistence from scheduled tasks to .lnk files in the Startup folder. Huntress observed these new campaigns quickly leading to hands-on-keyboard activity by actors linked to Vanilla Tempest (Rhysida ransomware).
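One defensive check for the parser-differential trick described above, added here as an example that is neither from the Huntress write-up nor from this post. It assumes (an assumption, not a detail the report gives) that the malformation is a disagreement between the ZIP central directory and the sequential local file headers, the two structures that different extractors choose to trust; the archives are constructed in the block.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<HHHHHIIIHH"  # fields after the 4-byte signature: 26 bytes, 30 with it

def walk_local_headers(data: bytes) -> list[tuple[int, str]]:
    """Walk local file headers front to back, as a streaming extractor would."""
    entries, off = [], 0
    while data.startswith(LOCAL_SIG, off):
        _, flags, _, _, _, _, csize, _, nlen, elen = struct.unpack_from(LOCAL_FMT, data, off + 4)
        name = data[off + 30 : off + 30 + nlen].decode("utf-8", "replace")
        entries.append((off, name))
        if flags & 0x08:  # sizes are in a trailing data descriptor; cannot skip the payload blindly
            break
        off += 30 + nlen + elen + csize
    return entries

def zip_inconsistencies(data: bytes) -> list[str]:
    """Report every place where the central directory and the local headers disagree."""
    findings = []
    central = {zi.header_offset: zi.filename for zi in zipfile.ZipFile(io.BytesIO(data)).infolist()}
    local = dict(walk_local_headers(data))
    for off, cname in central.items():
        lname = local.get(off)
        if lname is None:
            findings.append(f"central entry {cname!r} at offset {off} has no local header on the sequential walk")
        elif lname != cname:
            findings.append(f"name mismatch at offset {off}: central directory {cname!r} vs local header {lname!r}")
    for off, lname in local.items():
        if off not in central:
            findings.append(f"local header {lname!r} at offset {off} is absent from the central directory")
    names = list(central.values())
    for dup in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"duplicate central directory entry {dup!r}")
    return findings

def build_fixtures() -> tuple[bytes, bytes]:
    """Constructed samples: a consistent archive, and a copy whose first local header names another file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly numbers\n")
        zf.writestr("notes.txt", "nothing to see\n")
    clean = buf.getvalue()
    off = zipfile.ZipFile(io.BytesIO(clean)).getinfo("report.txt").header_offset + 30
    tampered = clean[:off] + b"report.bin" + clean[off + len(b"report.txt"):]
    return clean, tampered
```

Any non-empty finding on an inbound archive is a reason to quarantine it rather than trust whichever view a single extractor happens to show, since two extractors can legitimately disagree about what such a file contains.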

Vidar Stealer Targets Azure: An excellent technical analysis from Ontinue shows that the Vidar Stealer has been completely re-architected to target Azure credentials. The new version specifically hunts for MSAL token caches (msal.cache) and Azure CLI configuration files (%USERPROFILE%/.azure), bundling them up as "Azure Reader" before exfiltration. This is a significant pivot towards cloud-native credentials and a sign of things to come.

Iranian APTs Lean on Legitimate RMMs: Proofpoint has a great write-up on a campaign by an Iranian-linked group they call UNK_SmudgedSerpent. Targeting academics and policy experts, the group would pivot from benign-looking phishing emails to delivering MSI installers for legitimate RMM tools like PDQConnect and ISL Online, giving them persistent, interactive access that blends in with normal IT traffic.


From the Research Desk: AI Shenanigans and Broken Mitigations

Finally, a couple of nerdy deep-dives for the connoisseurs.

Google's Project Zero published a fascinating post on how KASLR on 64-bit Android devices is effectively broken by design. Due to the removal of linear map randomization for memory hotplug compatibility, and the fact that some devices (like Google's own Pixel) load the kernel at a fixed physical address, an attacker with a read/write primitive can reliably calculate kernel virtual addresses without needing an info leak. It’s a stellar example of how two seemingly innocuous design choices can conspire to neuter a critical security mitigation.

And on the AI front, Google's Threat Intelligence Group has confirmed the first operational use of "just-in-time" AI in malware. Families like PROMPTSTEAL (used by APT28) and others are now using LLM APIs during execution to dynamically generate commands and obfuscate code. It's no longer theoretical. The robot apocalypse may not be here yet, but the robots are definitely writing malware now.


That’s a wrap. Stay on top of your patches, assume your cloud backups are a target, and for goodness sake, keep an eye out for legitimate tools being used in illegitimate ways. It’s a jungle out there.

— KryptoKat & UncleSp1d3r