Welcome to the August 2025 edition of the ConnectWise Cyber Research Unit™ (CRU) Monthly Threat Brief. This report provides a comprehensive look at the most significant cybersecurity developments impacting the MSP and SMB landscape. We break down the month’s top stories, critical vulnerabilities, and prevalent malware families to help you stay informed and prepared in an evolving threat environment. We have also begun adding descriptions of all the new detection signatures added to the ConnectWise SIEM™.
In the past month, we’ve tracked a significant uptick in Akira ransomware incidents tied to SonicWall SSLVPN appliances, with activity first observed in late July. Early reporting suggested a possible zero-day vulnerability, but SonicWall has since clarified that these attacks are strongly linked to CVE-2024-40766 and poor credential management practices, such as reused passwords during firewall migrations. Research from Arctic Wolf, Huntress, and Google Threat Intelligence Group (GTIG) indicates that the threat actor UNC6148 is leveraging previously stolen credentials and OTP seeds to regain access even after security updates are applied. ConnectWise SOC observations reinforce this assessment, with 15 confirmed Akira incidents over the last 30 days, many involving direct logins through SSLVPN with no failures, pointing toward credential compromise rather than exploitation.
Once inside, the attackers have relied heavily on living-off-the-land techniques, complemented by tools such as NetExec and pypykatz for network and credential harvesting. We’ve also seen deliberate efforts to evade endpoint detection and response (EDR) tools through custom DLLs, drivers, and registry checks, as well as persistence established with AnyDesk, TeamViewer, and MeshAgent. Prior to launching encryption payloads, typically disguised under changing names such as w.exe or Akira.exe, actors deployed utilities such as WinRAR, FileZilla, Rclone, and Cloudflare tunneling for data theft and lateral movement. This campaign continues the broader trend of edge appliance exploitation fueling ransomware activity, underscoring the need for timely patching, enforced password resets, multi-factor authentication (MFA) adoption, and vigilant monitoring of both firewall and endpoint logs across customer environments.
Over the past month, one of the most important advisories came from Microsoft regarding CVE-2025-53786, a critical flaw in hybrid Exchange environments. The vulnerability stems from the long-standing shared service principal architecture, which allows on-premises Exchange servers and Exchange Online to authenticate using the same credentials. If attackers gain admin access to an Exchange server, they can extract OAuth certificates and request service tokens that impersonate hybrid users for up to 24 hours, bypassing conditional access and MFA controls. Although no active exploitation has been reported, Microsoft and CISA view the risk as severe, with CISA issuing Emergency Directive 25-02 mandating immediate mitigations for federal agencies by August 11, 2025.
To address the design flaw, Microsoft is forcing a shift away from shared service principals and toward dedicated hybrid applications in Entra ID, giving each organization its own isolated authentication entity. The company has laid out an aggressive enforcement timeline beginning with temporary service disruptions in August and culminating in a permanent block of legacy authentication on October 31, 2025. MSPs should prioritize patching on-premises Exchange servers, deploying the dedicated hybrid apps, and running health checks to ensure configurations are correct. Beyond the technical risk of domain-wide compromise, the looming service disruptions create business pressure for timely migration, as clients relying on hybrid features, such as free/busy lookups and MailTips, will see outages if they don’t move quickly. For service providers, this is both a pressing security matter and a client communication challenge, one where deadlines, business continuity, and compliance all converge.
In July, a Russian-aligned group, RomCom, was observed exploiting a newly disclosed zero-day in WinRAR (CVE-2025-8088) through targeted phishing campaigns. The flaw, a path traversal vulnerability in how WinRAR handles alternate data streams (ADS), allows attackers to silently extract malicious files into attacker-controlled directories instead of user-specified paths. This technique enabled the delivery of malicious DLLs, LNK files, and executables that established persistence and command-and-control access. ESET researchers documented three distinct execution chains, leveraging tools such as a Mythic agent, a modified PuTTY CAC variant dubbed SnipBot, and RustyClaw/MeltingClaw, each incorporating anti-analysis checks and invalidly signed binaries. Campaigns between July 18 and 21 targeted financial, manufacturing, defense, and logistics organizations in Europe and Canada, though no successful compromises were reported.
RomCom’s exploitation of CVE-2025-8088 marks the group’s third zero-day in two years, following prior use of Microsoft Word and Firefox vulnerabilities. The attack underscores both the sophistication and persistence of the threat actor, who routinely pairs zero-day exploitation with tailored phishing lures. For MSPs, the key concern is that WinRAR lacks automatic updates, requiring manual deployment of the patched version 7.13 across all endpoints. The attack surface extends beyond standalone WinRAR installations to any software using UnRAR.dll, meaning client applications must also be audited for exposure. While this campaign did not result in compromise, the pattern of zero-day use against sectors common to MSP clients reinforces the importance of patch management, monitoring for archive-based attacks, and enhancing email security controls around RAR attachments.
This month, researchers disclosed a new attack technique called **DOM-based Extension Clickjacking**, which abuses how browser extensions inject interface elements into web pages. By making these injected elements invisible, often by setting their opacity to zero, attackers can trick users into interacting with hidden password manager popups or other extension UI elements when clicking on seemingly harmless items like cookie banners or CAPTCHA prompts. Security researcher Marek Toth tested 11 major password managers and found all were vulnerable to at least one variant of the attack, with six leaking complete credit card details and eight exposing personal information under test conditions. The issue extends beyond password managers to any extension that manipulates the DOM, including crypto wallets, note-taking apps, and productivity tools. Some passkey authentication implementations were also shown to be vulnerable due to improper session binding, allowing attackers to hijack authentication flows.
For MSPs, this disclosure underscores the risk posed by browser extensions as an overlooked attack surface. As of August 2025, vendors such as Dashlane, Keeper, NordPass, ProtonPass, and RoboForm have released fixes, while Bitwarden, 1Password, LastPass, Enpass, iCloud Passwords, and others remain exposed, affecting tens of millions of users. Since these attacks operate entirely within the browser, they generate minimal forensic evidence and bypass traditional SIEM and SOC detection. Recommended mitigations include configuring extensions to activate only “on click” rather than persistently, auditing all deployed extensions for UI injection behaviors, and tightening browser extension policies for high-value accounts. This research highlights the need to treat extensions as high-risk software with privileged access, balancing convenience against the security trade-offs they introduce.
CVE-2025-8088 is a high-severity path traversal zero-day in the Windows version of WinRAR (and associated components such as UnRAR.dll) that allows arbitrary code execution by extracting crafted archives into sensitive directories such as the Startup folder, establishing persistence and often delivering backdoors automatically. Researchers discovered exploitation beginning July 18, 2025, with the RomCom group (also tracked as Storm-0978, Tropical Scorpius, and UNC2596) deploying malware, including SnipBot, RustyClaw, and Mythic Agent, via spear-phishing archives disguised as job applications. Targets were financial, manufacturing, defense, and logistics firms across Europe and Canada, as well as organizations linked to humanitarian efforts. WinRAR released a patch in version 7.13 (July 30, 2025), but since the software lacks auto-update capabilities, users must upgrade manually. This is especially urgent because CISA added this CVE to its Known Exploited Vulnerabilities (KEV) catalog on August 12, 2025, mandating federal remediation by September 2, 2025.
This section leverages the Diamond Model of Intrusion Analysis to structure the examination of recent malware activity, providing a clear analytical framework that links adversary, capabilities, infrastructure, and victimology. By applying the Diamond Model, we can better contextualize malicious behavior, identify patterns across campaigns, and highlight the relationships between threat actors, tools, and targeted entities.
Akira is a ransomware strain that first emerged in March 2023. It operates under a ransomware-as-a-service (RaaS) model, typically targeting both Windows and Linux systems within small and mid-sized organizations across sectors such as manufacturing, IT, healthcare, finance, professional services, and education. Notable victims include BHI Energy, Nissan Australia, Tietoevry, Stanford University, and potentially the Toronto Zoo. The group employs double-extortion tactics, exfiltrating sensitive data before encrypting systems and threatening to leak the stolen information.
Starting in July 2025, security researchers observed an uptick in Akira deployments exploiting SonicWall SSL VPN appliances as the initial attack vector. Early speculation pointed to a zero-day vulnerability, as some breaches occurred on fully patched SonicWall devices, even those protected by MFA and recently rotated passwords. However, further analysis, including official statements from SonicWall, ThreatLocker, S-RM, and others, suggests that the attacks are tied to a previously disclosed vulnerability, CVE-2024-40766, rather than an unknown flaw. Mitigation guidance emphasizes updating to SonicOS 7.3.0, resetting migrated local account credentials, disabling or restricting SSLVPN exposure, enforcing MFA (though it may not fully prevent attacks in this case), enabling Botnet Protection and Geo-IP filtering, and applying strict password hygiene.
Additionally, recent incident response analysis (late July to early August 2025) has uncovered bring-your-own-vulnerable-driver (BYOVD) techniques used by Akira affiliates. Specifically, two Windows drivers, “rwdrv.sys” (a legitimate ThrottleStop driver) and “hlpdrv.sys” (a malicious helper driver), have been deployed to disable Microsoft Defender and evade antivirus/EDR protections.
Aliases
Infrastructure
Recent IOCs
Related File(s)
| SHA256 | Filename(s) |
|---|---|
| d0db094355ac9727a280be3466e5fa113ac88fa9108c4c8ef541e405f6b3ec0a | Win.exe |
Victimology
Capabilities
MITRE ATT&CK Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1078 | Valid Accounts |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Initial Access | T1133 | External Remote Services |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Credential Access | T1003 | OS Credential Dumping |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1482 | Domain Trust Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1069.001 | Permission Groups Discovery: Local Groups |
| Discovery | T1069.002 | Permission Groups Discovery: Domain Groups |
| Discovery | T1018 | Remote System Discovery |
| Persistence | T1136.002 | Create Account: Domain Account |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
| Command and Control | T1219 | Remote Access Software |
| Command and Control | T1090 | Proxy |
| Collection | T1560.001 | Archive Collected Data: Archive via Utility |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
| Exfiltration | T1537 | Transfer Data to Cloud Account |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
| Impact | T1657 | Financial Theft |
SocGholish, also known as FakeUpdates, is a JavaScript-based malware framework attributed to the threat actor TA569, also tracked as Mustard Tempest, UNC1543, and others. Active since at least 2017, SocGholish is typically distributed through compromised legitimate websites, often leveraging outdated CMS platforms. Victims are presented with fake browser or software update prompts, which, if clicked, initiate the download of malicious JavaScript loaders. These loaders serve as a foothold for deploying secondary payloads such as remote access tools, Cobalt Strike, and ransomware variants such as RansomHub. The group primarily targets organizations in North America and Europe across sectors, including government, education, legal, and healthcare, using SocGholish as an initial access broker for other threat actors, including ransomware groups like Evil Corp and LockBit.
In August 2025, new intelligence highlighted SocGholish’s expanded use of traffic distribution systems (TDS), such as Keitaro and Parrot TDS, to more precisely funnel users from compromised sites to malware payloads while evading detection by security researchers and sandboxes. The actors now actively monitor victims throughout the infection chain and selectively deliver payloads only to targets deemed high-value or legitimate, aborting on virtual machines or analysis environments. Researchers at Silent Push and The Hacker News reported increased use of domain shadowing and dynamic JavaScript obfuscation techniques, along with a MaaS delivery model where TA569 sells access to corporate networks to ransomware operators. This evolution reinforces SocGholish’s role as a persistent and stealthy threat with wide-reaching impact in the cybercrime ecosystem.
Aliases
Infrastructure
Recent IOCs
Related File(s)
| SHA256 | Filename(s) |
|---|---|
| c938fcdf21466e093c155ebb2d68e0326866f0854369d65bd9cafc75e10df5fc | installer1.js |
| e82d841558a1be1e237b9537ecd80f0cac0ba4ea2a987f5909106535356f0753 | 140.8662.84.js |
| 6bf58141283a15fa912e24c7cbaefac5313d1a9f07714bb6706a95bac7ee73df | Chrome.ad6cddcd.js |
| 3bebad0f3e20134c397e73e42e37bdade93940a1849b0e1e8b96bb50251bc113 | Chrome.3d34d1e1.js |
| 954621306ccb67b6dd5b22ac11cf615523ee9d653e5d9e2dd9fa2485f1d6eab8 | Chrome.ae5520cb.js |
Related Domain Name(s)
| Domain |
|---|
| app.makemoremoneychallenge[.]vip |
| aysrcz2333[.]top |
| hr.lexnational[.]com |
Related IP Address(es)
| IP Address |
|---|
| 209.141.51[.]11 |
| 173.44.141[.]44 |
Victimology
Capabilities
MITRE ATT&CK Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Resource Development | T1608.006 | Stage Capabilities: SEO Poisoning |
| Initial Access | T1189 | Drive-by Compromise |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1059.007 | Command and Scripting Interpreter: JavaScript |
| Execution | T1204.002 | User Execution: Malicious File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Discovery | T1482 | Domain Trust Discovery |
| Discovery | T1087.001 | Account Discovery: Local Account |
| Discovery | T1087.002 | Account Discovery: Domain Account |
| Discovery | T1069.002 | Permission Groups Discovery: Domain Groups |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1018 | Remote System Discovery |
| Discovery | T1069.001 | Permission Groups Discovery: Local Groups |
| Discovery | T1033 | System Owner/User Discovery |
| Command and Control | T1105 | Ingress Tool Transfer |
| Credential Access | T1555 | Credentials from Password Stores |
GuLoader, also known as CloudEyE, is a highly evasive shellcode-based downloader first spotted in late 2019. It is typically distributed via phishing campaigns, often through ZIP or Visual Basic Script attachments, or embedded in NSIS installers sent via malspam. It uses sophisticated anti-analysis and obfuscation techniques, such as string encryption, control flow obfuscation, and delayed execution, to evade antivirus and sandbox detection. Its primary role is to fetch and execute secondary payloads, such as information stealers, remote access trojans (RATs), and other malware. Researchers have dissected its loader behavior, unpacking malicious shellcode via junk data offsets and NSIS plugins, and extracting its encrypted configuration for deeper analysis.
Aliases
Infrastructure
Recent IOCs
Related File(s)
| SHA256 | Filename(s) |
|---|---|
| cec1a7d8159b98f062a9499286fbf66de6891fce3e2bfc8fd0a22459c39e92ce | generated_script (3).vbs |
Related Domain Name(s)
| Domain |
|---|
| dethintonsx[.]com |
| bbrlxwtkbgvpnpfykexu.supabase[.]co |
Victimology
Capabilities
MITRE ATT&CK Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1102 | Web Service |
| Execution | T1204.002 | User Execution: Malicious File |
| Execution | T1204.001 | User Execution: Malicious Link |
| Execution | T1106 | Native API |
| Execution | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
The following is a list of new detection signatures added to the ConnectWise SIEM in August 2025.
[O365] User Compromised or Compromised SignIn event
Detects Microsoft 365 (Entra) “UserCompromised” or “CompromisedSignIn” operations. We recommend investigating this activity. To correlate with other user events, match values from “UserKey” to the fields “userId” or “userStates.aadUserId.” To remediate, sign the user out of all sessions, reset the user’s password, and ensure MFA is enabled. Please note that offline detection timing types may cause delayed reporting from Microsoft.
[Azure] Possible credential leak: Successful sign-in blocked by Conditional Access
Detects a user sign-in using a valid password which is subsequently blocked by a conditional access policy. This can indicate possible usage of valid credentials by an attacker. If the sign-in is blocked by a GeoBlocks policy, an attacker may be able to use a VPN or otherwise spoof locations or other parameters of the policy to bypass the CAP block. We recommend investigating this activity.
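As an added example (not the ConnectWise SIEM's own rule content), the following Python runs the detection described above over constructed Entra sign-in log records: field names follow the Microsoft Graph signIn schema, the error codes are the real AADSTS values, and the users, addresses and policy names are made up for the sample.

```python
"""Flag Entra ID sign-ins where the password was accepted but Conditional
Access (CA) then blocked the session. Field names follow the Microsoft
Graph signIn resource; the records below are constructed for this example."""
from datetime import datetime

# AADSTS result codes as they appear in status.errorCode.
CA_BLOCKED = 53003     # access blocked by Conditional Access policies
BAD_PASSWORD = 50126   # invalid username or password
SUCCESS = 0
LOCATION_WORDS = ("country", "countries", "location", "geo")

# Constructed sample sign-in log records (not real tenant data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-08-12T03:14:07Z", "userPrincipalName": "a.user@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": BAD_PASSWORD},
     "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": []},
    {"createdDateTime": "2025-08-12T03:15:22Z", "userPrincipalName": "a.user@example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": CA_BLOCKED},
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "GeoBlock: deny sign-in outside approved countries", "result": "failure"},
         {"displayName": "Require MFA for all users", "result": "notApplied"}]},
    {"createdDateTime": "2025-08-12T09:01:00Z", "userPrincipalName": "b.user@example.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": SUCCESS},
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "success"}]},
]


def _ts(ev):
    return datetime.fromisoformat(ev["createdDateTime"].replace("Z", "+00:00"))


def ca_blocked_valid_signins(events):
    """Return one finding per sign-in that CA blocked after the credentials
    were validated. CA is evaluated only once the password succeeds, so
    errorCode 53003 means the actor holds a working password even though
    no token was issued."""
    findings = []
    for ev in events:
        if ev.get("status", {}).get("errorCode") != CA_BLOCKED:
            continue
        blocking = [p["displayName"] for p in ev.get("appliedConditionalAccessPolicies", [])
                    if p.get("result") == "failure"]
        # Earlier wrong-password attempts by this user from the same source:
        # zero suggests a known credential rather than guessing or spraying.
        guesses = sum(1 for e in events
                      if e["userPrincipalName"] == ev["userPrincipalName"]
                      and e["ipAddress"] == ev["ipAddress"]
                      and e.get("status", {}).get("errorCode") == BAD_PASSWORD
                      and _ts(e) < _ts(ev))
        # A block resting only on location is weak containment: the same
        # password works again from a VPN exit in an allowed region, so the
        # credential is treated as leaked either way.
        location_only = bool(blocking) and all(
            any(w in name.lower() for w in LOCATION_WORDS) for name in blocking)
        findings.append({
            "user": ev["userPrincipalName"], "ip": ev["ipAddress"],
            "time": ev["createdDateTime"], "blocking_policies": blocking,
            "location_block_only": location_only, "prior_bad_passwords": guesses,
            "action": "reset password, revoke sessions, confirm MFA enrollment",
        })
    return findings


if __name__ == "__main__":
    for finding in ca_blocked_valid_signins(SAMPLE_SIGNINS):
        print(finding)
```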
[Windows] Windows Sandbox installation registry event
Detects when a registry value is set for the Windows Sandbox (WSB), indicating that this feature has been installed on the host. Windows Defender does not run within Windows Sandbox, so this feature can be used by attackers to covertly execute malware or gain persistence. Although this feature requires local administrator privileges to enable, we recommend verifying that this is an expected activity in your environment.
[Windows] Windows Sandbox config file creation
Detects the creation of a “wsb” file type, indicating a Windows Sandbox configuration file has been created. Windows Defender does not run within the Windows Sandbox, so this feature can be used by attackers to evade detection and establish persistence via covert malware execution or C2 from within the sandbox. Although this feature requires local administrator privileges to enable, we recommend verifying that this is expected activity in your environment.
[Windows] Windows Sandbox command line activity
Detects command-line usage of Windows Sandbox. Windows Sandbox configurations can be run as commands in the CLI, avoiding the creation of a “.wsb” config file. Windows Defender does not run within the Windows Sandbox, so this feature can be used by attackers to evade detection and establish persistence via covert malware execution or C2 from within the sandbox. Although this feature requires local administrator privileges to enable, we recommend verifying that this is expected activity in your environment.
[Windows] Windows Sandbox scheduled task creation
Detects when a scheduled task is created for Windows Sandbox to run. Windows Defender does not run within the Windows Sandbox, so this feature can be used by attackers to evade detection and establish persistence via covert malware execution or C2 from within the sandbox. Although this feature requires local administrator privileges to enable, we recommend verifying that this is expected activity in your environment.
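The four Windows Sandbox signatures above share one detection idea. As an added example (not the ConnectWise SIEM's rule content), this Python classifies constructed Sysmon-style events against them; the Sysmon event IDs, the WindowsSandbox.exe binary and the “.wsb” extension are real, while the registry key path in the sample is a placeholder and the assumption that the Containers-DisposableClientVM feature name appears in that path is ours.

```python
"""Classify Sysmon-style events against the four Windows Sandbox signatures.
Sysmon event IDs used: 1 process create, 11 file create, 13 registry value set.
The sample events are constructed; the registry key path is a placeholder."""
import re

SANDBOX_EXE = "windowssandbox.exe"
FEATURE_NAME = "containers-disposableclientvm"   # optional-feature name for Windows Sandbox

# Constructed sample events (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\dism.exe",
     "TargetObject": "HKLM\\SYSTEM\\<placeholder-key>\\Containers-DisposableClientVM",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\jdoe\\Downloads\\update.wsb"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsSandbox.exe",
     "CommandLine": "WindowsSandbox.exe C:\\Users\\jdoe\\Downloads\\update.wsb"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /create /tn Updater /sc onlogon "
                    "/tr \"C:\\Windows\\System32\\WindowsSandbox.exe\""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]


def classify(ev):
    """Return the name of the signature an event triggers, or None."""
    eid = ev.get("EventID")
    if eid == 13 and FEATURE_NAME in ev.get("TargetObject", "").lower():
        return "Windows Sandbox installation registry event"
    if eid == 11 and ev.get("TargetFilename", "").lower().endswith(".wsb"):
        return "Windows Sandbox config file creation"
    if eid == 1:
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        # Task creation is checked first: the schtasks command line also names
        # WindowsSandbox.exe and would otherwise fall into the next rule.
        if image.endswith("schtasks.exe") and "/create" in cmd and SANDBOX_EXE in cmd:
            return "Windows Sandbox scheduled task creation"
        if image.endswith(SANDBOX_EXE) or re.search(r"\bwindowssandbox(\.exe)?\b", cmd):
            return "Windows Sandbox command line activity"
    return None


def detect(events):
    """Return (signature, event) pairs for every event that fires a rule;
    each hit is a candidate for the 'is this expected?' check above."""
    hits = []
    for ev in events:
        sig = classify(ev)
        if sig:
            hits.append((sig, ev))
    return hits


if __name__ == "__main__":
    for sig, ev in detect(SAMPLE_EVENTS):
        print(f"{sig}: {ev.get('Image')}")
```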