code execution

Winsage
March 28, 2025
Mozilla released Firefox version 136.0.4 to address a critical security vulnerability, CVE-2025-2857, which could allow attackers to escape the browser's sandbox on Windows systems. This flaw, identified by developer Andrew McCreight, affects both standard and extended support releases of Firefox. Mozilla patched this issue in Firefox 136.0.4 and Firefox ESR versions 115.21.1 and 128.8.1. The vulnerability is similar to a recent zero-day exploit in Google Chrome, CVE-2025-2783, which was used in cyber-espionage campaigns against Russian entities. Additionally, Mozilla previously addressed another zero-day vulnerability, CVE-2024-9680, exploited by the RomCom cybercrime group, allowing code execution within Firefox's sandbox. Earlier in the year, Mozilla responded to two zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2024 hacking competition.
Winsage
March 26, 2025
Russian threat actors are exploiting a zero-day vulnerability in the Microsoft Management Console (MMC), identified as CVE-2025-26633, allowing them to bypass security features and execute harmful code. The hacking group Water Gamayun, also known as EncryptHub and Larva-208, is behind this campaign, using a weaponized version of the vulnerability called “MSC EvilTwin” to deploy various malicious payloads, including information stealers and backdoors. The vulnerability affects multiple Windows versions, particularly older systems like Windows Server 2016. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-26633 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch affected systems by April 1, 2025. Microsoft included this vulnerability in its March 2025 Patch Tuesday update. Recommended mitigations include applying security patches, restricting network access to MMC ports, and monitoring for unusual MMC activity.
Winsage
March 26, 2025
On March 11, the Windows 10 22H2 Patch Tuesday security update, KB5053606, was released to address 15 vulnerabilities, including two critical remote code execution flaws. Users have reported significant issues: many experienced installation failures with error code 0x80070020, and those who managed to install the update faced blue and black screens, random crashes, disappearing app icons, and reverted desktop customizations. Professional users reported program crashes, Citrix problems, and slow Print Spooler operations. The update adds support for DST changes in Paraguay, updates the Country and Operator Settings profiles, fixes Desktop Window Manager not responding, fixes issues with the Open Secure Shell service, and addresses various Chinese IME-related issues. After installation, systems report Build 19045.5608. Windows 10 is scheduled to reach its end of life on October 14, 2025.
Winsage
March 24, 2025
Cloudflare has launched a clientless, browser-based Remote Desktop Protocol (RDP) solution that enhances its Zero Trust Network Access (ZTNA) capabilities for secure access to Windows servers. This solution eliminates the need for traditional RDP clients and utilizes IronRDP, a high-performance RDP client developed in Rust, which operates within the browser. The implementation secures RDP sessions using TLS-based WebSocket connections and integrates with Cloudflare Access for authentication through JSON Web Tokens (JWT). The system supports modern security standards, including Single Sign-On (SSO), Multi-Factor Authentication (MFA), and device posture checks. Cloudflare plans to add session monitoring, data loss prevention features, and pursue FedRAMP High certification for compliance with government standards.
Winsage
March 19, 2025
Nearly a dozen state-sponsored threat operations have been exploiting a zero-day vulnerability in Windows shortcuts, identified as ZDI-CAN-25373, since 2017. Groups such as Mustang Panda, Kimsuky, Evil Corp, and SideWinder have been involved in these attacks, primarily targeting organizations in the Americas, Europe, East Asia, and Australia. The vulnerability allows for arbitrary code execution on vulnerable Windows systems by concealing malicious command-line arguments within .LNK shortcut files. Trend Micro researchers noted that crafted data in an .LNK file can make harmful content invisible to users inspecting the file through the Windows user interface, enabling attackers to execute code in the context of the current user. Microsoft is currently evaluating potential fixes for this vulnerability.
Winsage
March 19, 2025
Hitachi Energy has migrated over 40,000 desktops to Windows 11 across 12 countries, starting with a pilot of 500 devices in November 2023 and full rollout beginning in March 2024, expected to complete by October 2024. The company assessed 45,335 devices, with 43,568 suitable for upgrade, and found 2,330 out of 3,034 applications compatible with Windows 11, achieving a 76% compatibility rate. Approximately 40,600 devices, nearly 90%, successfully transitioned to Windows 11, while the rest were upgraded to Windows 10. The migration utilized ManagementStudio integrated with various platforms for efficiency, with nearly 10,000 devices upgraded in May 2024. A pilot program tested the new OS with selected users to identify issues before broader deployment. Transitioning is crucial as Windows 10 approaches end-of-support, with Microsoft addressing numerous vulnerabilities in its updates.
Winsage
March 18, 2025
Microsoft's Windows Defender Application Control (WDAC) has become a target for cybersecurity researchers, with bug bounty payouts for successful bypasses. IBM's X-Force team reported various outcomes from WDAC bypass submissions, including successful bypasses that lead to potential bounties, those added to the WDAC recommended block list, and submissions without recognition. Notable contributors like Jimmy Bayne and Casey Smith have made significant discoveries, while the LOLBAS Project has documented additional bypasses, including the Microsoft Teams application. The X-Force team successfully bypassed WDAC during Red Team Operations using techniques such as utilizing known LOLBINs, DLL side-loading, exploiting custom exclusion rules, and identifying new execution chains in trusted applications. Electron applications, which can execute JavaScript and interact with the operating system, present unique vulnerabilities, as demonstrated by a supply-chain attack on the MiMi chat application. In preparation for a Red Team operation, Bobby Cooke's team explored the legacy Microsoft Teams application, discovering vulnerabilities in signed Node modules that allowed them to execute shellcode without triggering WDAC restrictions. They developed a JavaScript-based C2 framework called Loki C2, designed to operate within WDAC policies and facilitate reconnaissance and payload deployment. A demonstration of Loki C2 showcased its ability to bypass strict WDAC policies by modifying resources of the legitimate Teams application, allowing undetected code execution. The ongoing development of techniques and tools by the X-Force team reflects the evolving cybersecurity landscape and the continuous adaptation required to counter emerging threats.
Winsage
March 13, 2025
Microsoft's March Patch Tuesday revealed over 50 new vulnerabilities, including seven zero-day vulnerabilities, six of which are currently being exploited. Key vulnerabilities include:
- CVE-2025-26633: Security feature bypass in Microsoft Management Console, CVSS score 7.0.
- CVE-2025-24993: Remote code execution (RCE) vulnerability in Windows NTFS, CVSS score 7.8.
- CVE-2025-24991: Information disclosure vulnerability in Windows NTFS, CVSS score 5.5.
- CVE-2025-24985: RCE vulnerability in Windows Fast FAT File System Driver, CVSS score 7.8.
- CVE-2025-24984: Information disclosure vulnerability in Windows NTFS, CVSS score 4.6.
- CVE-2025-24983: Elevation of privilege (EoP) vulnerability in Windows Win32 Kernel Subsystem, CVSS score 7.0.
- CVE-2025-26630: RCE vulnerability in Microsoft Access, CVSS score 7.8.
This month's patch list includes 23 EoP and 23 RCE vulnerabilities, with all six critical vulnerabilities being RCEs. Notably, CVE-2025-24084 affects the Windows Subsystem for Linux (WSL2) kernel, and CVE-2025-26645 impacts the Remote Desktop client (RDP), allowing attackers to achieve remote code execution on vulnerable clients.
Winsage
March 12, 2025
The Cybersecurity and Infrastructure Security Agency (CISA) has identified a vulnerability in the Microsoft Windows Win32 kernel subsystem, designated as CVE-2025-24983. This use-after-free vulnerability in the Win32k component could allow an authorized attacker to elevate privileges locally. It is categorized under Common Weakness Enumeration (CWE) 416. CISA recommends users apply Microsoft’s mitigation instructions, follow Binding Operational Directive (BOD) 22-01 for cloud services, and discontinue use of affected products if necessary. The deadline for addressing this vulnerability is April 1, 2025.