investigation

Tech Optimizer
February 20, 2025
In December 2024, suspected state-sponsored Chinese hackers executed a sophisticated cyber attack on U.S. Treasury employees' workstations, utilizing a dual vulnerability strategy involving CVE-2024-12356 and CVE-2025-1094. CVE-2024-12356 is an unauthenticated command injection flaw in BeyondTrust Remote Support SaaS, while CVE-2025-1094 is a PostgreSQL zero-day vulnerability that allows SQL injection attacks through the psql tool. The PostgreSQL team released a fix for CVE-2025-1094 on February 13, 2025, and BeyondTrust issued patches in December 2024 to mitigate the vulnerabilities. PostgreSQL users are advised to upgrade to fixed versions: 17.3, 16.7, 15.11, 14.16, or 13.19, and BeyondTrust users should implement the December 2024 fix. Rapid7 has provided advisories and indicators of compromise related to these vulnerabilities.
AppWizard
February 18, 2025
Elon Musk has blocked links to the encrypted messaging app Signal on his platform, X, causing concerns about the selective application of free speech. Cybersecurity researchers reported that accessing Signal links results in a warning page, although users can still proceed. Donald Trump is advocating for leniency towards Andrew Tate, who, along with his brother, faces serious legal charges in Romania but has temporarily blocked his indictment and remains under investigation. Musk's DOGE initiative seeks access to sensitive taxpayer information from the IRS, prompting ethical and security concerns among officials. Musk has also expressed support for Trump's criticisms of CBS’s 60 Minutes, reflecting a growing alignment with Trump's narrative against mainstream media. The Associated Press is in conflict with the Trump administration over the renaming of the Gulf of Mexico to the "Gulf of America," resulting in the revocation of its access to significant areas like the Oval Office and Air Force One.
AppWizard
February 17, 2025
The Urban Myth Dissolution Center is a puzzle game developed by Hakababunko, featuring a university student named Azami Fukurai, who has the ability to perceive echoes of past inhabitants in spaces. Players take on the role of Azami as a psychic detective, investigating urban myths by gathering clues through a fictional social media platform and interacting with witnesses. The gameplay involves clicking on evidence and piecing together narratives, with a focus on maintaining a brisk pace. Players can retreat to Azami's mind palace to assemble information and solve mysteries, culminating in theatrical reveals of the urban myths. The game is available for demo on Steam.
Tech Optimizer
February 14, 2025
Cybersecurity firm Rapid7 has identified a SQL injection vulnerability, CVE-2025-1094, affecting the PostgreSQL interactive tool, psql. This vulnerability was discovered during an investigation into another vulnerability, CVE-2024-12356, which poses unauthenticated remote code execution risks. Successful exploitation of CVE-2024-12356 requires prior exploitation of CVE-2025-1094. Although BeyondTrust patched CVE-2024-12356 in December 2024, it did not address the root cause of CVE-2025-1094, leaving it as a zero-day until reported by Rapid7. All supported versions prior to PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are vulnerable, with a CVSS 3.1 base score of 8.1, indicating high severity. The vulnerability arises from flawed assumptions about PostgreSQL’s string escaping routines, allowing SQL injection under certain conditions. An attacker could exploit this vulnerability to execute arbitrary code via meta-commands in the psql tool. Users are advised to upgrade to PostgreSQL versions 17.3, 16.7, 15.11, 14.16, or 13.19 to mitigate risks.
Tech Optimizer
February 14, 2025
Researchers from Rapid7 have identified a significant SQL injection vulnerability in PostgreSQL, designated as CVE-2025-1094. This flaw was discovered during an investigation into another vulnerability, CVE-2024-12356, which was patched by BeyondTrust in December 2024. The patch for CVE-2024-12356 did not resolve the underlying issue of CVE-2025-1094, allowing it to remain a zero-day vulnerability until reported by Rapid7. CVE-2025-1094 has a CVSS score of 8.1 and is caused by improper handling of quoting syntax in PostgreSQL’s libpq functions. Versions of PostgreSQL prior to 17.3, 16.7, 15.11, 14.16, and 13.19 are vulnerable. The exploitation of CVE-2025-1094 allows attackers to inject malicious SQL commands and execute arbitrary code through psql meta-commands. PostgreSQL has released updates to address this vulnerability in the aforementioned versions. The discovery was made by Stephen Fewer, a principal Security Researcher at Rapid7.
Winsage
February 14, 2025
A hacking campaign named “REF7707” has been targeting Windows and Linux systems with malware families including FINALDRAFT, GUIDLOADER, and PATHLOADER. It originated in late November 2024, when Elastic Security Labs detected alerts from the Foreign Ministry of a South American nation. The attackers used Microsoft’s certutil application to download files and had valid network credentials for lateral movement. FINALDRAFT, a key component of the campaign, exploits the Windows-signed debugger CDB.exe and uses a Scheduled Task for persistence. It employs Microsoft’s Graph API for command and control, utilizing cloud services and domains like support.vmphere[.]com and update.hobiter[.]com. The campaign highlights the need for improved security measures across different operating systems.
Tech Optimizer
February 14, 2025
Rapid7 has identified a SQL injection vulnerability, CVE-2025-1094, affecting all supported PostgreSQL versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19, with a CVSS 3.1 base score of 8.1. This vulnerability is linked to another vulnerability, CVE-2024-12356, which allows unauthenticated remote code execution in BeyondTrust's solutions. Exploiting CVE-2024-12356 requires prior exploitation of CVE-2025-1094. The issue arises from flawed assumptions in PostgreSQL's string escaping routines, particularly in handling invalid UTF-8 characters, which can lead to SQL injection through the psql tool. Attackers can execute arbitrary SQL statements and operating system shell commands under certain conditions. Users are advised to upgrade to secure PostgreSQL versions to mitigate risks. A Metasploit exploit module for CVE-2025-1094 is also available for vulnerable BeyondTrust systems.
Tech Optimizer
February 14, 2025
A significant vulnerability has been found in the open-source SQL database PostgreSQL, identified as CVE-2025-1094. This SQL injection vulnerability was discovered during an investigation of another vulnerability, CVE-2024-12356, related to BeyondTrust's solutions. Successful exploitation of CVE-2025-1094 allows for arbitrary code execution (ACE) through the use of meta-commands in PostgreSQL. Despite a patch for CVE-2024-12356, the root cause of CVE-2025-1094 remains unaddressed, making it a zero-day vulnerability. Rapid7 recommends that PostgreSQL users upgrade to versions 17.3, 16.7, 15.11, 14.16, or 13.19 to protect against potential exploitation.
Winsage
February 12, 2025
The Sandworm group, a Russian military cyber-espionage entity, has intensified attacks on Windows users in Ukraine by distributing trojanized Microsoft Key Management Service (KMS) activators and counterfeit Windows updates since late 2023. Threat analysts at EclecticIQ have linked these activities to Sandworm through overlapping infrastructure and consistent tactics. The attackers use a BACKORDER loader to deploy DarkCrystal RAT (DcRAT) malware, with evidence of Russian military involvement indicated by debug symbols from a Russian-language build environment. Seven distinct malware distribution campaigns have been cataloged, with the latest incident on January 12, 2025, involving DcRAT during data exfiltration attacks. The counterfeit KMS tool installs a deceptive activation interface while secretly loading malware and disabling Windows Defender. The malware captures sensitive information, including keystrokes and saved credentials, and transmits it to the attackers' servers. Sandworm exploits the prevalence of pirated software in Ukraine, posing a significant threat to national security and critical infrastructure. The group has been active since at least 2009 and operates under Military Unit 74455 of the GRU, focusing on disruptive attacks against Ukraine.