malicious links Archives

Winsage

April 14, 2025

No, it’s not OK to delete that new inetpub folder

Microsoft has introduced a new inetpub folder located at %systemdrive%inetpub on user devices as part of the April Patch Tuesday updates to enhance system protection. This folder is associated with Internet Information Services (IIS), which is not installed by default. Microsoft advises that this folder should not be deleted, regardless of whether IIS is active. The vulnerability CVE-2025-21204 allows an authenticated attacker to elevate privileges locally, enabling them to perform file management operations on the victim machine. The "link following flaw" refers to inadequate prevention of filename linking to unintended resources, and mitigating this risk involves denying access to specific files and setting appropriate folder permissions. The inetpub folder serves as a protective measure against potential exploitation of vulnerabilities.

Tech Optimizer

April 3, 2025

1,500+ PostgreSQL Servers Compromised With Fileless Malware Attack

A cryptojacking campaign has targeted over 1,500 organizations by exploiting inadequately secured PostgreSQL database servers. The attackers, identified as JINX-0126, use advanced techniques including credential brute-forcing and fileless execution to deploy Monero (XMR)-mining malware. Approximately 30% of cloud-hosted PostgreSQL servers are affected due to weak or default credentials. The attackers execute commands using PostgreSQL’s COPY FROM PROGRAM function, bypassing standard detection mechanisms. They have been linked to three cryptocurrency wallets with around 550 active mining workers, generating a hashrate of 4.04 GH/s and approximately €10.40 per hour in XMR revenue. The attack begins with credential spraying against default accounts, followed by an SQL injection to fetch the payload. The malware operates in memory, modifies PostgreSQL’s configuration to maintain persistence, and creates cron jobs for reactivation. The campaign reveals significant security gaps in cloud environments, with recommendations for improved access controls and monitoring.

Tech Optimizer

April 1, 2025

This Antivirus Software Is So Strong That It Will Humiliate The Bad Guys Of The Cyber World (50% Off)

Bitdefender offers comprehensive protection against current and emerging online threats with a lightweight design that maintains device performance. It is currently providing a 50% discount on its multi-device bundles, including the Total Security bundle, which covers up to five devices across various platforms for an introductory price. The Internet Security and Antivirus Plus bundles are also available at discounted rates for Windows PCs. All bundles include features like File Shredder, Social Network Protection, and safe online banking through Safepay. Bitdefender utilizes advanced AI technology to predict and neutralize threats while optimizing device performance.

AppWizard

March 28, 2025

PJobRAT Android RAT as Dating & Instant Messaging Apps Attacking Military Personnel

PJobRAT is an Android Remote Access Trojan (RAT) that re-emerged in 2023 with improved capabilities and a refined targeting strategy, previously known for attacking Indian military personnel in 2021. It is now targeting users in Taiwan through social engineering tactics, disguising itself as legitimate dating and messaging apps. The malware is distributed via compromised WordPress sites hosting fake applications like “SaangalLite” and “CChat.” The infection footprint is small, indicating highly targeted attacks rather than widespread campaigns. PJobRAT retains its core functionality of exfiltrating sensitive information, including SMS messages, contacts, and media files, while enhancing command execution capabilities. Upon installation, the malicious apps request extensive permissions to operate continuously in the background. The malware uses a dual-channel communication infrastructure, with Firebase Cloud Messaging (FCM) as the primary command channel and a secondary HTTP-based channel for data exfiltration to a command-and-control server. The campaign appears to have concluded, but the evolution of PJobRAT highlights the ongoing threat of sophisticated mobile malware targeting high-value individuals.

Tech Optimizer

March 27, 2025

Do Macs need antivirus? Debunking the security myth

Many users believe that Macs are immune to cybersecurity threats, leading them to neglect protective measures. This perception originated from Apple's marketing and the historical lower targeting of Macs due to their smaller market share. However, as the popularity of Macs has increased, so has the development of malware aimed at macOS. Reports indicate that malware targeting Macs has now outpaced that targeting Windows on a per-device basis. While macOS includes strong security features like XProtect, Gatekeeper, and System Integrity Protection, these are not foolproof. XProtect only defends against known malware, leaving users vulnerable to new threats. Macs are susceptible to various types of malware, including adware, Trojans, and phishing attacks. Antivirus software is important for Macs as it protects against evolving malware, shields users from phishing and online scams, enhances privacy protection, and prevents cross-platform threats.

Winsage

March 26, 2025

New Windows 0-Day Vulnerability Let Remote Attackers Steal NTLM Credentials

A critical vulnerability affecting various Windows operating systems, including Windows 7, Server 2008 R2, Windows 11 v24H2, and Server 2025, allows attackers to capture NTLM authentication credentials through interactions with malicious files in Windows Explorer. Exploitation can occur when users open shared folders, insert USB drives with malicious files, or view downloaded files. The vulnerability is similar to a previously patched flaw (CVE-2025-21377) but has not been fully documented. Security researchers have developed micropatches available for free until Microsoft releases a permanent fix. These micropatches support a wide range of Windows versions, including legacy and currently supported systems. The micropatches have been automatically distributed to affected systems with the 0patch Agent installed.

Winsage

March 26, 2025

New Windows 0-Day Vulnerability Let Remote Attackers Steal NTLM Credentials

A critical vulnerability affects all Windows operating systems from Windows 7 to Windows 11 v24H2 and Server 2025, allowing attackers to capture NTLM authentication credentials through malicious files viewed in Windows Explorer. Exploitation can occur when users open shared folders, insert USB drives with malicious files, or view previously downloaded files. The vulnerability is similar to a previously patched flaw (CVE-2025-21377) but has not been publicly documented. Security researchers have developed micropatches through 0patch to temporarily mitigate the issue, which will be available at no cost until Microsoft releases a permanent solution. The micropatches support various Windows versions, including legacy and currently supported systems, and can be automatically deployed without requiring system reboots.

Winsage

March 26, 2025

Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code

Russian threat actors are exploiting a zero-day vulnerability in the Microsoft Management Console (MMC), identified as CVE-2025-26633, allowing them to bypass security features and execute harmful code. The hacking group Water Gamayun, also known as EncryptHub and Larva-208, is behind this campaign, using a weaponized version of the vulnerability called “MSC EvilTwin” to deploy various malicious payloads, including information stealers and backdoors. The vulnerability affects multiple Windows versions, particularly older systems like Windows Server 2016. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-26633 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch affected systems by April 1, 2025. Microsoft included this vulnerability in its March 2025 Patch Tuesday update. Recommended mitigations include applying security patches, restricting network access to MMC ports, and monitoring for unusual MMC activity.

Winsage

March 24, 2025

New Browser-Based RDP for Secure Remote Windows Server Access

Cloudflare has launched a clientless, browser-based Remote Desktop Protocol (RDP) solution that enhances its Zero Trust Network Access (ZTNA) capabilities for secure access to Windows servers. This solution eliminates the need for traditional RDP clients and utilizes IronRDP, a high-performance RDP client developed in Rust, which operates within the browser. The implementation secures RDP sessions using TLS-based WebSocket connections and integrates with Cloudflare Access for authentication through JSON Web Tokens (JWT). The system supports modern security standards, including Single Sign-On (SSO), Multi-Factor Authentication (MFA), and device posture checks. Cloudflare plans to add session monitoring, data loss prevention features, and pursue FedRAMP High certification for compliance with government standards.

AppWizard

March 20, 2025

Signal Messenger Exploited in Targeted Attacks on Defense Industry Employees

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned about targeted cyberattacks against employees in the defense-industrial complex and members of the Defense Forces of Ukraine, which have been ongoing since at least summer 2024 and have intensified recently. Attackers are using the Signal messenger app to distribute malicious files by compromising trusted contacts' accounts. In March 2025, CERT-UA observed that attackers were sending archived messages through Signal, which included a PDF and an executable file called DarkTortilla, designed to activate the DarkCrystal RAT (DCRAT) software. The focus of these deceptive messages has shifted to critical topics like unmanned aerial vehicles (UAVs) and electronic warfare equipment. CERT-UA has labeled this activity UAC-0200 and advises reporting any suspicious messages immediately. They have also compiled indicators related to the attacks, including specific file hashes, IP addresses, and URLs linked to the attackers' infrastructure.