DigiCert’s Open-Source Intelligence (OSINT) Report – August 8 – August 14, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Over 3,000 NetScaler Devices Left Unpatched Against CitrixBleed 2 Bug

(TLP: CLEAR) A critical vulnerability in Citrix NetScaler ADC and Gateway devices, dubbed “CitrixBleed 2” (CVE-2025-5777), continues to pose severe security risks with over 3,000 reported internet-exposed devices remaining unpatched weeks after patches became available. The vulnerability, scoring 9.3 on the CVSS scale, stems from an uninitialized variable in the authentication function that leads to memory disclosure. Attackers can exploit this flaw remotely without authentication by sending specially crafted requests to the /p/u/doAuthentication.do endpoint with malformed parameters, causing the server to leak sensitive stack memory containing session tokens. These tokens can subsequently be used to hijack authenticated sessions and bypass multi-factor authentication (MFA), providing attackers with unauthorized access to VPN services, internal networks, and critical enterprise resources. Additionally, intelligence reporting indicates active exploitation began as early as June 23, 2025, nearly two weeks before public proof-of-concept code emerged on July 4. GreyNoise honeypots detected targeted attacks from IP addresses geolocated in China specifically seeking Citrix NetScaler appliances, suggesting deliberate reconnaissance rather than opportunistic scanning. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog on July 10, mandating federal agencies to remediate the vulnerability immediately. Post-exploitation activities mirror those observed during the original CitrixBleed campaign, including the creation of backdoor administrator accounts, configuration dumps with persistence mechanisms, and deployment of remote access tools.

(TLP: CLEAR) Comments: The persistence of unpatched NetScaler appliances reflects a concerning pattern in enterprise patch management, particularly for critical network infrastructure. The vulnerability’s exploitation timeline reveals threat actors were weaponizing the flaw before security researchers published technical details, indicating potential insider knowledge or advanced vulnerability research capabilities. Additionally, the ability to bypass MFA through memory leaks fundamentally undermines zero-trust architectures that rely on NetScaler for secure remote access. Organizations leveraging Citrix ADC/Gateway should prioritize immediate patching and session invalidation to prevent token replay attacks.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”

(TLP: CLEAR) Digicert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a recursive/resolver DNS server that receives DNS queries either via forwarding from on-network resolvers or via an endpoint client. It then uses blocklists, domain categories, artificial intelligence, or a defined policy to determine if the domain should be allowed or blocked. Blocked user traffic is then sent to a sinkhole.

Sources: https://www.bleepingcomputer.com/news/security/over-3-000-netscaler-devices-left-unpatched-against-actively-exploited-citrixbleed-2-flaw/

New HTTP/2 ‘MadeYouReset’ Flaw Enables Massive DDoS Attacks

(TLP: CLEAR) A critical vulnerability has been recently revealed in HTTP/2 implementations, dubbed MadeYouReset (CVE-2025-8671), that enables threat actors to conduct massive distributed denial-of-service (DDoS) attacks by exploiting the protocol’s stream reset mechanism. Unlike the 2023 Rapid Reset vulnerability that relied on client-initiated RST_STREAM frames, MadeYouReset manipulates servers into resetting their own streams by sending specially crafted malformed frames that trigger PROTOCOL_ERROR conditions. This server-side reset behavior bypasses mitigations implemented after Rapid Reset, allowing attackers to create unbounded concurrent work on target servers while the stream count remains below the MAX_CONCURRENT_STREAMS limit of 100. Reporting suggests the vulnerability affects multiple major implementations including Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), Netty (CVE-2025-55163), H2O, and Swift-NIO-HTTP2. Furthermore, historical attacks have demonstrated that threat actors require minimal resources, only sufficient bandwidth to send frames, while forcing servers to expend significant CPU, memory, and I/O resources processing phantom requests. Most affected systems experience complete DDoS symptoms, with some implementations suffering out-of-memory crashes. The coordinated disclosure process involved over 100 vendors through CERT/CC, with patches now available for affected products.
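The accounting gap the report describes (mitigations that count only client-sent RST_STREAM frames, while a server-initiated reset frees the stream slot and leaves the backend work running) can be shown in a small simulation. The following Python is an added illustration, not code from the report or from any of the HTTP/2 implementations it names; the reset budget, the window size and the frame kinds are constructed assumptions, and MALFORMED stands in for any frame that forces the server to reset the stream with PROTOCOL_ERROR.

```python
from collections import deque

MAX_CONCURRENT_STREAMS = 100  # the per-connection limit cited in the report


class ConnectionGuard:
    """Per-connection reset accounting for an HTTP/2 server (illustrative, not a real stack).

    count_server_resets=False models the post-Rapid-Reset mitigation that only budgets
    client RST_STREAM frames; True budgets resets regardless of which side issued them.
    """

    def __init__(self, reset_budget=20, window=100, count_server_resets=True):
        self.reset_budget = reset_budget            # resets tolerated inside the sliding window
        self.recent = deque(maxlen=window)          # 1 = a counted reset, 0 = any other frame
        self.count_server_resets = count_server_resets
        self.active = set()                         # open stream ids
        self.peak_active = 0                        # highest concurrent stream count seen
        self.resets = {"client": 0, "server": 0}    # resets actually performed, by origin
        self.closed = False

    def _reset(self, origin):
        self.resets[origin] += 1
        counted = origin == "client" or self.count_server_resets
        self.recent.append(1 if counted else 0)
        if sum(self.recent) > self.reset_budget:
            self.closed = True                      # abusive connection: send GOAWAY and stop
            return "GOAWAY"
        return "RST_STREAM"

    def on_frame(self, kind, stream_id):
        if self.closed:
            return "DROPPED"
        if kind == "HEADERS":                        # client opens a stream
            if len(self.active) >= MAX_CONCURRENT_STREAMS:
                self.recent.append(0)
                return "REFUSED_STREAM"
            self.active.add(stream_id)
            self.peak_active = max(self.peak_active, len(self.active))
            self.recent.append(0)
            return "OPEN"
        if kind == "END":                            # stream completed normally
            self.active.discard(stream_id)
            self.recent.append(0)
            return "DONE"
        if kind == "RST_STREAM":                     # client cancels (Rapid Reset pattern)
            self.active.discard(stream_id)
            return self._reset("client")
        if kind == "MALFORMED":                      # server must reset with PROTOCOL_ERROR
            self.active.discard(stream_id)
            return self._reset("server")
        raise ValueError(f"unknown frame kind {kind!r}")


def run(guard, events):
    """Feed (kind, stream_id) events through a guard and return it for inspection."""
    for kind, stream_id in events:
        guard.on_frame(kind, stream_id)
    return guard


# Constructed traffic shapes used to exercise the guard.
def rapid_reset_pattern(n):
    return [f for i in range(n) for f in (("HEADERS", 2 * i + 1), ("RST_STREAM", 2 * i + 1))]


def server_reset_pattern(n):
    return [f for i in range(n) for f in (("HEADERS", 2 * i + 1), ("MALFORMED", 2 * i + 1))]


def normal_pattern(n):
    return [f for i in range(n) for f in (("HEADERS", 2 * i + 1), ("END", 2 * i + 1))]


if __name__ == "__main__":
    legacy = run(ConnectionGuard(count_server_resets=False), server_reset_pattern(500))
    aware = run(ConnectionGuard(), server_reset_pattern(500))
    print("legacy guard closed:", legacy.closed, "peak streams:", legacy.peak_active)
    print("origin-aware guard closed:", aware.closed, "resets performed:", aware.resets)
```

The legacy guard never closes the connection and never sees more than one concurrent stream, which is exactly why a MAX_CONCURRENT_STREAMS check alone does not help; the origin-aware guard hits its budget after 21 resets and drops the rest.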

(TLP: CLEAR) Comments: MadeYouReset represents a sophisticated evolution in HTTP/2 protocol abuse that highlights the ongoing cat-and-mouse game between defenders and attackers in exploiting legitimate protocol features. The vulnerability’s ability to circumvent Rapid Reset mitigations demonstrates that point fixes without comprehensive protocol review leave systems vulnerable to variant attacks. The impact potential rivals the original Rapid Reset attacks that peaked at 398 million requests per second, with the added concern that MadeYouReset’s resource exhaustion patterns make it particularly effective against smaller organizations lacking robust DDoS infrastructure. The widespread adoption of HTTP/2—now powering the majority of modern web services—means this vulnerability affects virtually every organization’s web presence.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Develop an organization DDoS response plan. The response plan should guide your organization through identifying, mitigating, and rapidly recovering from DDoS attacks. All internal stakeholders—including your organization’s leaders and network defenders—and service providers should understand their roles and responsibilities through all stages of a DDoS attack. At a minimum, the plan should include understanding the nature of a DDoS attack, confirming a DDoS attack, deploying mitigations, monitoring and recovery.”

(TLP: CLEAR) Digicert: Digicert UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premises hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, Digicert’s array of DDoS Protection services includes blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.

Source: https://www.securityweek.com/madeyoureset-http2-vulnerability-enables-massive-ddos-attacks/

New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP

(TLP: CLEAR) Recent reporting has highlighted a collection of critical vulnerabilities in Windows Domain Controllers that enable threat actors to weaponize public-facing domain controllers (DCs) into a massive distributed denial-of-service (DDoS) botnet without authentication or code execution. The Win-DDoS technique exploits fundamental flaws in how Windows handles LDAP referrals and RPC communications, allowing attackers to manipulate the URL referral process to redirect domain controllers to repeatedly query victim servers. The attack begins when an attacker sends specially crafted RPC calls that trigger DCs to act as CLDAP clients, which then connect to an attacker-controlled LDAP server that responds with referrals pointing to the target victim. The DCs continue sending LDAP queries even after TCP connections are reset, creating a powerful amplification effect.

Four specific vulnerabilities enable these attacks: CVE-2025-32724 (CVSS 7.5) allows uncontrolled resource consumption in Windows LSASS with no limits on referral list sizes; CVE-2025-26673 (CVSS 7.5) enables DoS through Windows LDAP resource exhaustion; CVE-2025-49716 (CVSS 7.5) affects Windows Netlogon service allowing unauthenticated crashes; and CVE-2025-49722 (CVSS 5.7) targets the Windows Print Spooler requiring only adjacent network access. Microsoft patched these vulnerabilities in April, June, and July 2025 security updates. The research, presented at DEF CON 33, demonstrates how tens of thousands of public domain controllers worldwide could be conscripted into a botnet with massive bandwidth capabilities, all without purchasing infrastructure or leaving forensic traces.

(TLP: CLEAR) Comments: The Win-DDoS discovery fundamentally challenges assumptions about Windows domain security architecture by demonstrating that DCs themselves can become attack infrastructure. The technique’s elegance lies in exploiting the implicit trust that client-side components place in server responses—a blind spot that exists because developers assume clients choose their servers and therefore trust returned data. The ability to create a global botnet from misconfigured or intentionally exposed DCs without any malware deployment represents a paradigm shift in DDoS capabilities. Organizations often expose DCs for legitimate business reasons such as partner integrations or cloud hybrid deployments, making complete isolation impractical. The attack’s use of legitimate protocols makes detection extremely challenging, as LDAP and RPC traffic appears normal until correlation reveals the amplification pattern. State-sponsored actors could leverage this technique for both disruption and diversion, using DDoS attacks to mask more targeted intrusions.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

(TLP: CLEAR) Digicert: Digicert UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premises hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, Digicert’s array of DDoS Protection services includes blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.

Source: https://thehackernews.com/2025/08/new-win-ddos-flaws-let-attackers-turn.html

PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks

(TLP: CLEAR) A sophisticated malware campaign, dubbed “PS1Bot”, has been recently discovered, leveraging malicious advertisements to deliver multi-stage, fileless payloads that execute in memory. The campaign, identified by Cisco Talos researchers, targets enterprise users through compromised ad networks and fake software update notifications. PS1Bot’s attack chain begins with malvertising that redirects victims to landing pages hosting obfuscated JavaScript, which subsequently downloads PowerShell scripts masquerading as legitimate software installers. The malware employs multiple evasion techniques including AMSI bypass, constrained language mode escapes, and reflective DLL injection to maintain persistence while avoiding traditional antivirus detection. According to researchers, once establishing connectivity, PS1Bot conducts extensive network reconnaissance, harvesting credentials from browsers and memory, enumerating network resources, and establishing encrypted command-and-control channels using domain fronting techniques. The malware’s modular architecture allows operators to deploy additional payloads including cryptocurrency miners, information stealers, and ransomware precursors. Security researchers further revealed that the infrastructure overlaps with established cybercrime groups, suggesting PS1Bot may be offered as Malware-as-a-Service to multiple threat actors. The campaign has been observed targeting financial services, healthcare, and technology sectors across North America and Europe.

(TLP: CLEAR) Comments: PS1Bot’s targeting of enterprise environments through fake software updates exploits common user behaviors and the pressure to keep systems updated. Furthermore, PS1Bot exemplifies the maturation of living-off-the-land techniques that abuse legitimate Windows components to evade detection. The campaign’s use of malvertising as an initial vector bypasses email security gateways and exploits user trust in legitimate websites, highlighting the limitations of perimeter-based security models. The malware’s PowerShell-centric approach aligns with broader trends toward fileless attacks that leave minimal forensic artifacts. Organizations face a particular challenge as PowerShell remains essential for legitimate administration, making wholesale blocking impractical.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website category feeds.

(TLP: CLEAR) Digicert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.

Source: https://www.infosecurity-magazine.com/news/malvertising-powershell-malware/

Russian Hackers Exploit WinRAR Zero-Day

(TLP: CLEAR) Recent intelligence reporting indicates Russian-linked advanced persistent threat (APT) groups have been exploiting a critical zero-day vulnerability in WinRAR (CVE-2025-XXXX) for several weeks before public disclosure, targeting government agencies and critical infrastructure in NATO countries. The vulnerability, residing in WinRAR’s archive parsing engine, allows attackers to achieve arbitrary code execution when victims open specially crafted archive files. The flaw affects all WinRAR versions prior to 6.24 and can be triggered through multiple archive formats including RAR, ZIP, and 7Z. Exploitation requires no user interaction beyond opening the malicious archive, with code execution occurring during the file enumeration phase before extraction. Further analysis highlights the campaign’s connection to at least two Russian APT groups based on infrastructure overlap, targeting patterns, and malware signatures consistent with previous operations. The threat actors distributed malicious archives through spear-phishing emails impersonating government communications, compromised legitimate websites, and popular development forums. Post-exploitation payloads include custom backdoors providing persistent access, credential stealers targeting password managers and browsers, and reconnaissance tools for mapping internal networks. Victims span the energy sector, government agencies, defense contractors, and telecommunications providers across Europe and North America. Lastly, the targeting alignment suggests intelligence collection objectives supporting Russian strategic interests.

(TLP: CLEAR) Comments: WinRAR remains a favored attack vector for state-backed attackers due to its ubiquity and user trust. The exploitation pattern mirrors previous WinRAR bugs weaponized by Russian APTs (e.g., Turla, APT28). Organizations should accelerate patching and consider deploying content disarm and reconstruction (CDR) for archive handling. The targeting of critical sectors underscores the alignment of this campaign with espionage objectives, while opportunistic cybercriminals are likely to adopt this zero-day in the near future.

(TLP: CLEAR) Recommended best practices/regulations:  Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following: 

  • Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
  • Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
  • Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
  • Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”

(TLP: CLEAR) Digicert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 2 modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.

Source: https://arstechnica.com/security/2025/08/high-severity-winrar-0-day-exploited-for-weeks-by-2-groups/

Help Desk at Risk: Scattered Spider Shines Light on Overlook Threat Vector

(TLP: CLEAR) Scattered Spider, a financially motivated threat group, has been exploiting help desk interactions to bypass MFA and gain unauthorized access to corporate environments. Recent intelligence reporting reveals that the group has refined the social engineering tactics it uses against help desk personnel to bypass security controls and gain unauthorized access to enterprise networks. The group’s methodology involves extensive reconnaissance to gather employee information from social media, data breaches, and public records, which is then weaponized during vishing (voice phishing) calls to IT support staff. Attackers impersonate employees experiencing technical difficulties, leveraging psychological manipulation techniques including urgency, authority, and rapport building to convince help desk agents to reset passwords, register new MFA devices, or provide temporary access credentials. The group’s recent cyber campaigns have demonstrated sophisticated operational security, with attackers using voice modulation software, displaying spoofed caller IDs matching internal phone systems, and referencing specific internal projects or systems to enhance credibility. Once initial access is obtained, Scattered Spider rapidly escalates privileges using tools like Mimikatz and Cobalt Strike, exfiltrates sensitive data to cloud storage services, and deploys ransomware for double extortion. The group has successfully compromised major organizations across telecommunications, hospitality, and retail sectors, with losses exceeding hundreds of millions of dollars. Analysis reveals help desk compromises now account for over 40% of initial access vectors in ransomware incidents, highlighting this critical security gap.

(TLP: CLEAR) Comments: Scattered Spider’s focus on help desk exploitation represents a fundamental challenge to identity and access management strategies that prioritize technical controls over human factors. The group’s success demonstrates that sophisticated social engineering can neutralize even robust MFA implementations when the human element becomes the bypass mechanism. Help desk staff face an impossible balance between providing responsive customer service and maintaining security vigilance, particularly during high-pressure situations. The group’s evolution from SIM swapping to enterprise targeting shows increasing sophistication and understanding of organizational weaknesses. Their use of native English speakers and cultural knowledge makes detection significantly more challenging than traditional overseas-based social engineering attempts. The emergence of “Help Desk as a Service” offerings on criminal forums suggests this vector will see increased exploitation across the threat landscape.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS Solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and some servers but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.

(TLP: CLEAR) Digicert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
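The four-engine pipeline listed above, the resolver-and-sinkhole model described in the CitrixBleed item, and the CISA text on DGA detection by entropy all describe the same decision flow. The Python below is an added illustration of that flow, not UltraDDR’s code or any product’s logic: an allow list short-circuits everything, then a block list, then a category feed, then a decision heuristic (Shannon entropy of the registrable label standing in for the data-lake classifier), then custom rules; anything blocked resolves to a sinkhole address. The lists, categories, threshold, sinkhole IP (RFC 5737 range) and query names are constructed assumptions, and the registrable-domain logic is a single-label-TLD simplification without a public suffix list.

```python
import math

SINKHOLE_IP = "192.0.2.1"   # constructed sinkhole address; blocked names resolve here


def shannon_entropy(text):
    """Bits per character; a 16-character label of distinct characters scores 4.0, English words ~2.5-3."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _matches(qname, domains):
    """True if qname equals or is a subdomain of any listed domain."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def _registrable_label(qname):
    """Label left of the TLD. Simplification: assumes a one-label TLD, so 'x.example.co.uk' misfires."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


class ProtectiveResolver:
    def __init__(self, allow, block, categories, blocked_categories, rules=(),
                 entropy_threshold=3.5, min_label_len=12):
        self.allow = list(allow)                  # Lists engine: customer allow list
        self.block = list(block)                  # Lists engine: customer block list
        self.categories = dict(categories)        # Categories engine: domain -> category feed
        self.blocked_categories = set(blocked_categories)
        self.rules = list(rules)                  # Ruleset engine: callables returning a reason or None
        self.entropy_threshold = entropy_threshold
        self.min_label_len = min_label_len        # short labels are too noisy for an entropy score

    def decide(self, qname):
        """Return (action, reason); action is 'ALLOW' or 'BLOCK'."""
        if _matches(qname, self.allow):
            return "ALLOW", "lists:allow"
        if _matches(qname, self.block):
            return "BLOCK", "lists:block"
        for domain, category in self.categories.items():
            if _matches(qname, [domain]) and category in self.blocked_categories:
                return "BLOCK", f"category:{category}"
        label = _registrable_label(qname)
        if len(label) >= self.min_label_len and shannon_entropy(label) >= self.entropy_threshold:
            return "BLOCK", "decision:dga_entropy"
        for rule in self.rules:
            reason = rule(qname)
            if reason:
                return "BLOCK", f"rule:{reason}"
        return "ALLOW", "no_match"

    def resolve(self, qname, upstream_answer):
        """Return (answer_ip, reason): the upstream answer if allowed, else the sinkhole."""
        action, reason = self.decide(qname)
        return (upstream_answer if action == "ALLOW" else SINKHOLE_IP), reason


def long_qname_rule(qname):
    """Constructed custom rule: very long names are a common DNS-tunnelling tell."""
    return "long_qname" if len(qname) > 60 else None


def demo_resolver():
    """Resolver configured with constructed lists and feeds."""
    return ProtectiveResolver(
        allow=["example.com"],
        block=["badsite.test"],
        categories={"example.org": "gambling"},
        blocked_categories={"gambling"},
        rules=[long_qname_rule],
    )


if __name__ == "__main__":
    r = demo_resolver()
    for name in ["intranet.example.com", "update-check.badsite.test",
                 "casino-promo.example.org", "xk3q9vz7w2mlp1ha.com", "mail.example.net"]:
        print(name, "->", r.resolve(name, "198.51.100.20"))
```

Engine order matters: the allow list runs first so that a customer-approved domain with a random-looking subdomain is never sinkholed by the entropy heuristic, and the reason string is returned with every decision so that blocks can be audited and tuned rather than silently dropped.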

Source: https://www.securityweek.com/help-desk-at-risk-scattered-spider-shines-light-on-overlook-threat-vector/

Traffic Light Protocol (TLP)

Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
