Tech Optimizer
February 22, 2025
Mindbody utilizes a cloud-based platform for the fitness and wellness industry, offering services such as client booking, scheduling, payments, marketing, and analytics. Their email marketing platform is built on an Aurora PostgreSQL cluster, currently at version 13.8, with a size of approximately 17 TB and a workload distribution of 80% reads and 20% writes. Mindbody faced scaling and performance challenges due to architectural limitations and increasing data demands, leading to all workloads being directed to the writer node. The average BufferCacheHitRatio was below 80%, indicating frequent disk access rather than cache hits, contributing to higher query latencies and I/O costs. To address these issues, Mindbody adopted Aurora Optimized Reads, which enhances caching capacity and improves latency and throughput for I/O-intensive workloads. Transitioning required upgrading the database cluster to version 14.9 or higher, and extensive testing was conducted in a proof-of-concept environment. The upgrade process involved a blue/green deployment strategy to minimize production disruption. After implementing Aurora Optimized Reads, Mindbody experienced significant performance improvements, including a 50% reduction in average daily CPU utilization and a 90% reduction in ReadIOPS. The AuroraOptimizedReadsCacheHitRatio indicated that 85% of read requests were served from the optimized cache. Cost analysis revealed a 23% reduction in monthly Aurora costs post-transition, with potential for further savings by downsizing instances.
Tech Optimizer
February 20, 2025
Rapid7's vulnerability research team reported that a security flaw in PostgreSQL was exploited as a zero-day vulnerability to infiltrate BeyondTrust's network in December, involving two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686, along with a stolen API key, leading to unauthorized access to 17 Remote Support SaaS instances. In early January, the U.S. Treasury Department disclosed a compromise of its network, with attackers using the stolen API key to access its BeyondTrust instance, linked to the Silk Typhoon cyber-espionage group. The attackers targeted critical offices within the Treasury, including CFIUS and OFAC, and accessed the Office of Financial Research systems. CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog on December 19, mandating federal agencies to secure their networks. On January 27, Rapid7 uncovered another zero-day vulnerability in PostgreSQL, CVE-2025-1094, which allows SQL injection attacks due to mishandling of invalid UTF-8 characters. Rapid7 found that exploiting CVE-2024-12356 for remote code execution requires CVE-2025-1094, and while BeyondTrust classified CVE-2024-12356 as command injection, Rapid7 suggests it is an argument injection vulnerability. They identified a method to exploit CVE-2025-1094 for remote code execution in BeyondTrust systems independently of CVE-2024-12356, noting that BeyondTrust's patch for CVE-2024-12356 does not resolve the root cause of CVE-2025-1094 but prevents exploitation of both vulnerabilities.
Winsage
February 20, 2025
A new 'Migration' tool has been introduced in Windows 11, integrated within the Backup app, allowing users to wirelessly transfer files and settings between two PCs connected to the same Wi-Fi network. This feature, discovered through code analysis and community collaboration, is expected to utilize Nearby Sharing, similar to Apple's AirDrop, facilitating direct local transfers without relying on cloud storage. The Migration tool is still in the conceptual phase and not yet available for testing, but it aims to enhance the Backup app's capabilities by providing a more efficient transfer process. There is potential for the Migration feature to support third-party software, broadening its utility for users.
TrendTechie
February 20, 2025
Experts from Kaspersky GReAT have identified a scheme where cybercriminals distribute malware disguised as free versions of popular computer games via torrent trackers. This malware downloads a modified version of the XMRig cryptocurrency miner onto users' devices. The distribution began on December 31, 2024, and continued until the end of January 2025, with the first infected files appearing on torrent sites in the previous autumn. Affected countries include Russia, Belarus, Kazakhstan, Brazil, and Germany. The XMRig miner exploits the computational power of infected devices to mine Monero and was embedded in files associated with games like BeamNG.drive, Dyson Sphere Program, Universe Sandbox, Plutocracy, and Garry’s Mod. Kaspersky reported that 70.5% of users encountered infected versions of BeamNG.drive. The malware causes overheating, decreased performance, and increased electricity consumption without immediate signs of infection. Tatyana Shishkova from Kaspersky noted that the timing of the campaign coincided with the holiday season and that gaming applications were targeted due to their high performance. She advised users to avoid downloading software from unreliable sources.
Tech Optimizer
February 20, 2025
EnterpriseDB (EDB) has released findings from a benchmark study by McKnight Consulting Group, showing that EDB Postgres AI outperforms Oracle, SQL Server, MongoDB, and MySQL in various workloads, including transactional, analytical, and AI tasks. Key performance metrics include being 150 times faster than MongoDB in processing JSON data, 4 times faster than MySQL in handling insert operations, and outperforming Oracle by 17% and SQL Server by 30% in processing New Orders Per Minute (NOPM). EDB Postgres AI also offers 7 times better price performance than Oracle and 6 times better than SQL Server. The study highlights the challenges enterprises face with legacy systems consuming 55% of IT budgets, which hampers modernization efforts. EDB Postgres AI aims to address these challenges by streamlining data infrastructure, reducing total cost of ownership, and facilitating AI capabilities in a secure environment.
Winsage
February 20, 2025
SysInternals is a suite of 74 utilities from Microsoft designed to enhance the performance and reliability of Windows PCs. Users can download the entire suite or select individual tools from the Microsoft SysInternals Learn page.
1. AutoRuns: Identifies unnecessary background processes and obsolete registry entries, providing detailed information about each entry. It allows users to review installed drivers and spot potentially harmful entries. Launched via the Start menu or by typing Autoruns.exe in the Run dialog.
2. TCPView: Monitors all TCP and UDP connections in real time, categorizing them by version and displaying ports and connection timestamps. It helps identify bandwidth-hogging processes. Launched via the Start menu or by typing tcpview.exe in the Run dialog.
3. RamMap: Provides an in-depth analysis of memory consumption across processes, helping identify memory-hogging applications and diagnose memory leaks. It offers options to clear memory, including emptying working sets, standby lists, and modified lists. Launched via the Start menu or by typing rammap.exe in the Run dialog.
4. DiskView: Offers detailed insights into hard drive usage with a color-coded map of disk sectors, helping users identify fragmentation and unused space. Launched via the Start menu or by typing diskview.exe in the Run dialog.
5. CacheSet: Optimizes the Windows file system cache by allowing users to adjust cached data management settings and clear the cache with a single click. Launched by typing cacheset.exe in the Run dialog.
The SysInternals Suite is cost-free, effective, and compatible with Windows Recovery mode, making it a practical choice for users looking to enhance their PC's performance.
AppWizard
February 20, 2025
Multiple Russian threat groups are targeting the Signal Messenger application, focusing on individuals likely to engage in sensitive military and governmental communications during the conflict in Ukraine. Researchers from Google's Threat Intelligence Group have identified these attacks as primarily aimed at individuals of interest to Russian intelligence services. The two main cyber-espionage groups involved are UNC5792 (tracked by Ukraine's CERT as UAC-0195) and UNC4221 (UAC-0185). Their goal is to deceive victims into linking their Signal accounts to devices controlled by the attackers, granting access to incoming messages. UNC5792 uses invitations that resemble legitimate Signal group invites with malicious QR codes, while UNC4221 employs a phishing kit that mimics Ukraine's Kropyva app and includes harmful QR codes on fake sites. Other Russian and Belarusian groups, including Sandworm (APT44) and Turla, are also targeting Signal Messenger in various ways, such as stealing messages from databases or local storage. Additionally, Belarus-linked group UNC1151 uses the Robocopy tool to duplicate Signal messages for future theft. The increased activity against Signal reflects a broader interest in secure messaging apps used by individuals in espionage and intelligence roles. These apps' strong security features make them attractive to at-risk individuals and communities but also high-value targets for adversaries. Russian groups are also targeting Telegram and WhatsApp, with a recent report detailing attacks by the Russian group Star Blizzard on WhatsApp accounts of government officials and diplomats.
Tech Optimizer
February 19, 2025
Trend Micro's Threat Hunting team has identified a new tactic used by the Chinese hacking group Earth Preta (Mustang Panda), which employs the Microsoft Application Virtualization Injector to evade antivirus detection. The malware checks for ESET antivirus on the target system and, if absent, exploits the waitfor.exe function to inject malicious code into legitimate processes. Earth Preta uses Setup Factory to deliver its payloads, utilizing MAVInject.exe to inject harmful code. After injection, the malware connects to a command and control (C2) server controlled by the attackers. The attack shares similarities with previous campaigns, supporting attribution to Earth Preta.
Winsage
February 19, 2025
A new variant of the Snake Keylogger is targeting Windows users in Asia and Europe, utilizing the AutoIt scripting language for deployment to evade detection. This malware, built on the Microsoft .NET framework, infiltrates systems through spam email attachments, logging keystrokes, capturing screenshots, and collecting clipboard data to steal sensitive information like usernames, passwords, and credit card details from browsers such as Chrome, Edge, and Firefox. The keylogger transmits stolen data to its command-and-control server using methods like SMTP email, Telegram bots, and HTTP POST requests. The executable file is an AutoIt-compiled binary that unpacks and executes the keylogger upon opening. The keylogger replicates itself in the %Local_AppData%\supergroup directory as ageless[.]exe and places a file named ageless[.]vbs in the Startup folder to ensure it runs automatically on system reboot. This persistence mechanism allows continued access to the infected machine without requiring administrative privileges. Once activated, the keylogger injects its payload into a legitimate .NET process, specifically targeting RegSvcs.exe through process hollowing. It logs keystrokes using the SetWindowsHookEx API with a low-level keyboard hook, capturing sensitive information. Additionally, it retrieves the victim's public IP address by requesting hxxp://checkip[.]dyndns[.]org for geolocation purposes.