advisory

AppWizard
March 31, 2025
Google warns Android users about the risks of downloading apps from sources outside the Google Play Store, noting that such apps are 50 times more likely to contain malware. In 2023, Google removed around 2.3 million suspicious apps from the Play Store and banned over 300 apps that circumvented Android's security measures, which had over 60 million downloads and were involved in deceptive advertising and phishing schemes. Google is enhancing its Play Protect Live Threat Detection system to combat fake and dangerous apps. Recommendations for protecting phones include downloading apps only from the Google Play Store, checking reviews and ratings, installing security updates, and avoiding unknown links.
AppWizard
March 28, 2025
The Pentagon has issued a warning about the security of the messaging application Signal, advising against its use for any communications, including unclassified ones, due to concerns over hacking vulnerabilities following a significant leak. This advisory reflects an increased awareness of cybersecurity threats and the need for robust security measures in communications, prompting individuals and organizations to reconsider their reliance on Signal and explore alternatives.
Winsage
March 28, 2025
Microsoft has issued a cautionary note about a problematic patch released in February 2025 that affects Remote Desktop sessions on Windows Server 2025. Users may experience freezing issues shortly after connecting, particularly after installing the February 2025 Security update (KB5051987) and subsequent updates. The advisory states that after installing this update, Remote Desktop sessions may freeze, causing mouse and keyboard inputs to become unresponsive. Microsoft has not provided a timeline for a resolution. Additionally, a similar issue was reported with Windows 11 version 24H2, where UDP-based Remote Desktop sessions would disconnect after 65 seconds when connecting to Windows Server 2016 or earlier. This issue was resolved with updates released on March 27, 2025 (KB5053656) and later. For enterprise-managed devices with the March 27 update or later, no Known Issue Rollback (KIR) or special Group Policy is needed to fix the disconnection issue. Microsoft has no further comments regarding the situation with Windows Server 2025 at this time.
Winsage
March 28, 2025
Mozilla released Firefox version 136.0.4 to address a critical security vulnerability, CVE-2025-2857, which could allow attackers to escape the browser's sandbox on Windows systems. This flaw, identified by developer Andrew McCreight, affects both standard and extended support releases of Firefox. Mozilla patched this issue in Firefox 136.0.4 and Firefox ESR versions 115.21.1 and 128.8.1. The vulnerability is similar to a recent zero-day exploit in Google Chrome, CVE-2025-2783, which was used in cyber-espionage campaigns against Russian entities. Additionally, Mozilla previously addressed another zero-day vulnerability, CVE-2024-9680, exploited by the RomCom cybercrime group, allowing code execution within Firefox's sandbox. Earlier in the year, Mozilla responded to two zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2024 hacking competition.
Winsage
March 27, 2025
Microsoft has acknowledged a significant issue affecting Remote Desktop functionality on Windows Server 2025 systems, which arose after the installation of security updates released since February 2025. Users may experience freezes in Remote Desktop sessions shortly after connecting, with unresponsive mouse and keyboard inputs requiring a disconnect and reconnect to regain functionality. This issue also affects Windows 11 24H2 systems, but Microsoft addressed it for Windows 11 users with an optional update (KB5052093) released on February 25. A fix for Windows Server 2025 devices is planned for an upcoming update. Additionally, Microsoft has implemented Known Issue Rollback (KIR) to reverse problematic non-security updates related to Remote Desktop and Remote Desktop Services (RDS) connection issues from Windows 11 24H2 updates since January 2025. Users may experience Remote Desktop Protocol (RDP) disconnections lasting up to 65 seconds when connecting from Windows 11 24H2 devices to RDS hosts on Windows Server 2016 systems. A permanent fix for RDP disconnection issues is planned for next month's cumulative updates. Microsoft is also investigating connection errors on Windows 11 24H2 systems related to restoring data from SMB network shares or Backup & Replication servers.
Winsage
March 26, 2025
Broadcom has addressed a critical authentication bypass vulnerability, CVE-2025-22230, affecting VMware Tools for Windows, rated with a CVSS score of 9.8. This vulnerability allows low-privileged local attackers to escalate their privileges within vulnerable VMs, potentially leading to unauthorized access. It affects VMware Tools versions 12.x.x and 11.x.x across Windows, Linux, and macOS platforms. VMware Tools version 12.5.1 has been released to fix this issue. Additionally, Broadcom issued updates for three zero-day vulnerabilities in VMware ESX products (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), which were confirmed to be actively exploited and represent a "VM Escape" scenario.
Winsage
March 26, 2025
Broadcom has advised users of VMware Tools for Windows to update to the latest version due to a high-severity vulnerability (CVE-2025-22230) that is being exploited by cybercriminals. This vulnerability affects versions 11.x.x and 12.x.x and is classified as an "authentication bypass vulnerability," allowing a malicious actor with non-administrative privileges on a Windows guest to perform high-privilege operations within that VM. The flaw stems from inadequate access control mechanisms. The vulnerability has a CVSS score of 7.8 and does not require user interaction for exploitation. It was discovered by Sergey Bliznyuk of Positive Technologies. Broadcom has patched the vulnerability in version 12.5.1, and users are urged to update immediately, as no workarounds are available.
AppWizard
March 26, 2025
A Pentagon advisory warns against using the messaging application Signal for any communications, even unclassified ones, due to a vulnerability exploited by Russian hacking groups. This follows an incident where a journalist was inadvertently included in a Signal chat about military operations in Yemen. The advisory, dated March 18, indicates that Signal is not authorized for processing or storing non-public unclassified information, despite previous guidance allowing its use for unclassified accountability exercises. A 2023 Department of Defense memo also prohibited using mobile applications for controlled unclassified information. The accidental inclusion of a journalist in sensitive discussions is termed “spillage,” which can endanger military careers. Signal's spokesman stated that the memo does not reflect concerns about the app's inherent security but emphasizes vigilance against phishing attacks.
Winsage
March 26, 2025
Russian threat actors are exploiting a zero-day vulnerability in the Microsoft Management Console (MMC), identified as CVE-2025-26633, allowing them to bypass security features and execute harmful code. The hacking group Water Gamayun, also known as EncryptHub and Larva-208, is behind this campaign, using a weaponized version of the vulnerability called “MSC EvilTwin” to deploy various malicious payloads, including information stealers and backdoors. The vulnerability affects multiple Windows versions, particularly older systems like Windows Server 2016. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-26633 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch affected systems by April 1, 2025. Microsoft included this vulnerability in its March 2025 Patch Tuesday update. Recommended mitigations include applying security patches, restricting network access to MMC ports, and monitoring for unusual MMC activity.