Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
Patch Wars: Russian APT Evasions, Chinese Espionage, and the Critical Windows SMB Flaw
CISA is ringing the alarm on actively exploited Windows SMB flaws while Chinese threat actors leverage a recently patched SharePoint vulnerability for espionage. We also detail how the Russian APT Star Blizzard rapidly changed tactics after researchers exposed their prior malware, and review critical vulnerabilities affecting TP-Link Omada Gateways.
Welcome back to Cyber Scoops & Digital Shenanigans, the podcast dedicated to tracking the latest threats and vulnerabilities impacting your enterprise. I’m your host, Mike Housch, and we’ve got a packed agenda today, focused heavily on patching urgencies and evolving nation-state tradecraft. It seems the bad guys are busier than ever.
We start today with a major alert coming straight from CISA regarding active exploitation in the wild. If you run Windows systems, listen up. CISA has issued a warning about hackers actively exploiting a high-severity privilege escalation vulnerability in Windows Server Message Block, or SMB. This is tracked as CVE-2025-33073, and it carries a significant CVSS score of 8.8.
Why is this so crucial? Because this flaw allows attackers to gain SYSTEM-level privileges on unpatched systems. The vulnerability impacts pretty much everything in your environment: all versions of Windows Server, Windows 10, and Windows 11 systems up to and including Windows 11 24H2. Microsoft actually patched this specific flaw way back during its June 2025 Patch Tuesday.
The exploitation method is a bit tricky: an attacker needs to convince a victim to connect to a malicious application server they control, such as an SMB server, which then abuses the protocol to obtain those elevated privileges. CISA emphasizes that active hacking is the "first great reason to patch your Windows OS". They are so serious about this that they are mandating that Federal Civilian Executive Branch (FCEB) agencies secure their systems by November 10, 2025, in accordance with Binding Operational Directive (BOD) 22-01. For the rest of us, the message is clear: immediately apply those June 2025 security updates to all affected Windows systems. Hackers simply do not care that patching is a hassle; they will exploit the flaws you leave unfixed.
Moving across the geopolitical threat landscape, we shift focus to China-based threat actors and their intense interest in Microsoft SharePoint. Just weeks after Microsoft released its July patch, Chinese threat actors were observed exploiting the ToolShell security vulnerability. This flaw, identified as CVE-2025-53770, is a patch bypass for two prior vulnerabilities and affects on-premise SharePoint servers, potentially allowing for authentication bypass and remote code execution.
Who were they hitting? The victims are highly strategic targets. We saw a telecommunications company in the Middle East breached. Attacks also targeted government departments in an African country, government agencies in South America, and a university in the U.S. The malicious activity suggests the attackers are heavily interested in stealing credentials and establishing persistent, stealthy access to victim networks, indicating an espionage objective.
Multiple Chinese threat groups were involved, including Linen Typhoon (Budworm), Violet Typhoon (Sheathminer), and Storm-2603, which has previous links to LockBit and Babuk ransomware deployment. Salt Typhoon, also known as Glowworm, leveraged the ToolShell flaw specifically to deploy tools like Zingdoor, ShadowPad, and KrustyLoader against the telecom entity and two African government bodies. KrustyLoader itself is a Rust-based loader previously linked to the UNC5221 espionage group. This activity underscores how quickly sophisticated threat actors weaponize disclosed and patched flaws.
Now, let’s talk about adaptation. Russian state-sponsored actors, known as Star Blizzard—also tracked as ColdRiver, Callisto, and Seaborgium—demonstrated incredibly rapid tactical changes after their previous operations were exposed by researchers. Following a public report in June detailing their LostKeys malware and ClickFix technique, Star Blizzard completely stopped deploying LostKeys and shifted strategies within days.
They moved to new malware families: NoRobot, which Zscaler calls BaitSwitch, and the subsequent payload, MaybeRobot, tracked as SimpleFix. They also abandoned the PowerShell infection chain. Now, they rely on victims executing a malicious DLL via rundll32 after being lured to pages masquerading as information resources for members of civil society and think tanks in Russia—still utilizing that initial ClickFix technique.
MaybeRobot, deployed via NoRobot, is likely built to replace the earlier, more limited YesRobot backdoor. It offers increased flexibility for executing files, commands, and PowerShell blocks, though it still requires an operator for complex operations. Google reports that between May and September 2025, ColdRiver (Star Blizzard) made multiple changes focused on evasion, simplifying their infection chain and implementing basic evasion techniques like rotating infrastructure and changing file naming conventions. This is a textbook example of how quickly nation-state groups pivot to defeat public detection efforts.
Shifting gears to network hardware, TP-Link has issued urgent advisories concerning critical vulnerabilities in their Omada gateways. More than a dozen ER, G, and FR series product models are affected.
The most severe flaw here is CVE-2025-6542, scoring a massive CVSS of 9.3. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary OS commands on the targeted system. While not vendor-confirmed, vulnerabilities of this type typically allow full control of the impacted device. Another critical flaw, CVE-2025-7850, is a command injection issue, but this one requires the attacker to have admin access to the web portal. TP-Link advises customers to not only update the firmware but also to change the device password. It's worth remembering that threat actors frequently exploit TP-Link product vulnerabilities.
Finally, let’s look at a supply chain concern involving code libraries. A vulnerability was discovered in the popular Rust crate async-tar, which subsequently affected the fast uv Python package manager.
The vulnerability stems from an error in the header parsing code, specifically in how it handles a file entry that carries both a ustar header and a pax extended header. When both are present, the parser advances the stream by the size in the ustar header, which may be zero, instead of by the size recorded in the pax header, which is the correct one. Because the entry's real content is then never skipped, an attacker can place additional entries inside that content and have the parser treat them as part of the archive, enabling file overwriting and supply chain attacks against build systems and package managers.
While the vulnerability was disclosed, the situation is messy due to multiple forks of the original crate. The team that discovered the flaw had trouble contacting the maintainers of the most popular forks, as neither the tokio-tar nor the async-tar project had a public contact method or a SECURITY.md file. Here's the punchline: while async-tar and the fork used by uv, called astral-tokio-tar, have been patched, the most popular fork, tokio-tar, which has over 7 million downloads, remains unfixed and is believed to be abandonware. The recommendation is to switch away from the unpatched forks. This also serves as a sharp reminder that writing software in Rust is not a guarantee of safety; while it prevents memory issues, it does nothing to prevent logic errors like this header parsing flaw.
So, whether you are dealing with CISA-mandated Windows patching, sophisticated Chinese espionage targeting SharePoint, or Russian APTs adapting their toolkit daily, the message remains constant: Prioritize, patch, and pivot. Your cyber hygiene is the first defense against these digitally mischievous activities.
That wraps up this episode of Cyber Scoops & Digital Shenanigans. Stay safe out there, and we'll catch you next time.