By security practitioners, for security practitioners

Weekly Top 10: 08.18.2025: The Rise of Native Phishing: Microsoft 365 Apps Abused in Attacks; WinRAR Vulnerability Exploited by Two Different Groups; Cisco Warns of CVSS 10.0 FMC RADIUS Flaw, and More.

WEEKLY TOP TEN: August 18, 2025, 16:00 GMT

  1. Cisco Warns of CVSS 10.0 FMC RADIUS Flaw

    Cisco has released updates for a serious vulnerability (CVSS 10.0) in Secure Firewall Management Center (FMC), where the RADIUS system does not properly manage input during login, which could let attackers run code remotely. This flaw affects versions 7.0.7 and 7.7.0 if RADIUS is enabled—no workarounds exist beyond applying Cisco’s updates.
  2. The Rise of Native Phishing: Microsoft 365 Apps Abused in Attacks

    Attackers are increasingly deploying “native phishing,” exploiting trusted Microsoft 365 tools like OneNote to deliver malicious links or files that bypass typical email scanning. By compromising one internal user, adversaries use built-in, default-trusted M365 capabilities—often alongside AI and no-code platforms—to deliver phishing content without raising alarms.
  3. New HTTP/2 ‘MadeYouReset’ Vulnerability Enables Large-Scale DoS Attacks

    A new HTTP/2 attack technique dubbed MadeYouReset can overwhelm servers by bypassing the standard limit of 100 concurrent requests per connection, allowing thousands of malicious requests that may crash systems or consume resources. It affects multiple platforms—like Apache Tomcat, F5 BIG-IP, and Netty—by exploiting protocol edge cases tied to RST_STREAM frames.
  4. CISA Warns N-able Bugs Under Attack, Patch Now

    CISA has added two critical vulnerabilities in N-able’s RMM product N-central—CVE-2025-8875 (deserialization, CVSS 9.4) and CVE-2025-8876 (improper input validation)—to its Known Exploited Vulnerabilities catalog, noting active exploitation. Patches are available in version 2025.3.1, and customers are advised to update immediately, especially within federal systems.
  5. Hackers Found Using CrossC2 to Expand Cobalt Strike Beacon’s Reach to Linux and macOS

    Threat actors are employing a tool called CrossC2—a Cobalt Strike C2 extension—to target Linux and macOS systems. Detected by JPCERT/CC in attacks from September to December 2024, the campaign used a Nim-based loader called ReadNimeLoader that had tricks to avoid detection, allowing it to run shellcode quietly in memory.
  6. New Malvertising Attack Spreads Crypto-Stealing PS1Bot Malware

    Cisco Talos uncovered a malvertising campaign delivering PS1Bot, a stealthy PowerShell-based malware that steals crypto wallet seed phrases, passwords, browser cookies, and more by running entirely in memory to evade detection. It spreads via SEO-poisoned ads and compressed archives—such as FULL DOCUMENT.js—masquerading as legitimate downloads.
  7. WinRAR Vulnerability Exploited by Two Different Groups

    A flaw in WinRAR (CVE-2025-8088) was used by two different hacker groups—RomCom, which focused on businesses in Europe and Canada, and Paper Werewolf, which targeted organizations in Russia—letting them place files into startup folders through harmful archives in phishing campaigns. The bug has been patched in version 7.13, and users are urged to update immediately.
  8. Ransomware Crews Don’t Care About Your EDR—They’ve Already Killed It

    At least a dozen ransomware groups now deploy kernel-level “EDR killers”—tools like custom versions of RealBlindingEDR—that disable endpoint detection and response systems from vendors including Sophos, Cisco, Malwarebytes, and others. These tools often exploit signed vulnerable drivers (Bring Your Own Vulnerable Driver technique) or misused utilities to bypass defenses before deploying ransomware.
  9. Taiwan Web Servers Breached by UAT-7237 Using Customized Open-Source Hacking Tools

    A Chinese-speaking APT, UAT-7237 (linked to UAT-5918), has been breaching Taiwanese web infrastructure since at least 2022 using modified open-source tools. The group installs bespoke loaders (SoundBill), employs Cobalt Strike, and deploys SoftEther VPN, RDP, JuicyPotato, and Mimikatz, even embedding Mimikatz into SoundBill—indicating a stealthy, multi-layered campaign focused on credential theft and maintaining persistent access.
  10. Taming Shadow IT: What Security Teams Can Do About Unapproved Apps and Extensions

    The Gunra ransomware operation has expanded its capabilities with a new Linux variant dubbed Nimble. This variant focuses on encrypting servers and NAS devices using efficient file-targeting methods, signaling a growing trend of Linux-focused ransomware targeting infrastructure.

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ we covered during the week as the most significant, ranked by highest risk, with multiple sources used where available.
