remote access

Tech Optimizer
February 21, 2025
Security researchers have identified a zero-day vulnerability in PostgreSQL, labeled CVE-2025-1094, which is believed to have contributed to the cyber breach of the US Treasury in December. The breach was initially attributed to the command injection vulnerability CVE-2024-12356 in the BeyondTrust Remote Support platform. Successful exploitation of CVE-2024-12356 required prior exploitation of CVE-2025-1094. Although BeyondTrust issued a patch for CVE-2024-12356 in December 2024, it did not resolve the underlying issue of CVE-2025-1094, leaving it a zero-day vulnerability until it was reported to PostgreSQL. Chinese hackers reportedly gained remote access to multiple workstations within the US Treasury, potentially compromising unclassified documents. The details of the accessed documents and the number of workstations involved have not been disclosed. This incident is part of a broader pattern of cyber attacks linked to Chinese state-sponsored actors.
Tech Optimizer
February 20, 2025
In December 2024, suspected state-sponsored Chinese hackers executed a sophisticated cyber attack on U.S. Treasury employees' workstations, utilizing a dual vulnerability strategy involving CVE-2024-12356 and CVE-2025-1094. CVE-2024-12356 is an unauthenticated command injection flaw in BeyondTrust Remote Support SaaS, while CVE-2025-1094 is a PostgreSQL zero-day vulnerability that allows SQL injection attacks through the psql tool. The PostgreSQL team released a fix for CVE-2025-1094 on February 13, 2025, and BeyondTrust issued patches in December 2024 to mitigate the vulnerabilities. PostgreSQL users are advised to upgrade to fixed versions: 17.3, 16.7, 15.11, 14.16, or 13.19, and BeyondTrust users should implement the December 2024 fix. Rapid7 has provided advisories and indicators of compromise related to these vulnerabilities.
Tech Optimizer
February 18, 2025
The XCSSET malware, discovered in 2020, gives cybercriminals remote access to developers' MacBooks and has led to a reassessment of macOS security measures. A new variant of XCSSET has been identified, specifically targeting macOS systems and exploiting weaknesses, particularly around keychains, to steal sensitive information such as usernames and passwords. This variant spreads through Xcode projects and features enhanced functionality that makes detection and removal more challenging. It employs increased randomization in payload generation and uses both xxd and Base64 encoding. The malware can remain undetected, inserting its payload into Xcode projects and extracting data from cryptocurrency wallets and the Notes app. Microsoft has confirmed that its Defender for Endpoint on Mac can detect both the old and new variants of XCSSET, but developers are advised to exercise caution by downloading only from trusted sources, using the latest software versions, inspecting Xcode projects before opening them, and avoiding third-party applications.
Winsage
February 18, 2025
The author transformed a mini PC into a basic Network Attached Storage (NAS) solution using a standard Windows installation. While Windows can work for simple setups, it is generally inefficient for NAS use because of its resource usage, lack of native ZFS support, forced updates, complicated Docker and VM management, and clunky remote access. Windows runs unnecessary background services that consume RAM and storage, whereas dedicated NAS software is optimized for the task. Windows does not natively support ZFS, a file system valued for its data integrity guarantees and features such as compression and encryption. Windows updates can disrupt services because of their unpredictable timing, unlike dedicated NAS systems that allow updates to be scheduled. Managing Docker containers or virtual machines is more complex on Windows than on Linux, which is better suited to these tasks. Remote access on Windows requires cumbersome setups, while Linux offers straightforward SSH access and web interfaces for management.
Tech Optimizer
February 17, 2025
The US Treasury workstations were breached by suspected state-sponsored Chinese hackers using two zero-day vulnerabilities. The first vulnerability, CVE-2024-12356, is an unauthenticated command injection flaw in BeyondTrust's Remote Support SaaS, which requires prior exploitation of CVE-2025-1094. CVE-2025-1094 is related to the PostgreSQL interactive tool, psql, and allows SQL injection attacks due to improper handling of invalid byte sequences. This vulnerability can lead to arbitrary code execution through the execution of meta-commands. Fixes for CVE-2025-1094 were issued by the PostgreSQL team on February 13, 2025, and BeyondTrust released patches in December 2024 that also mitigate risks associated with this vulnerability. PostgreSQL users are advised to upgrade to specific fixed versions, and BeyondTrust users should implement the December 2024 fix. Rapid7 has provided technical details and indicators of compromise for the vulnerabilities.
Tech Optimizer
February 14, 2025
Cybersecurity firm Rapid7 has identified a SQL injection vulnerability, CVE-2025-1094, affecting the PostgreSQL interactive tool, psql. This vulnerability was discovered during an investigation into another vulnerability, CVE-2024-12356, which poses unauthenticated remote code execution risks. Successful exploitation of CVE-2024-12356 requires prior exploitation of CVE-2025-1094. Although BeyondTrust patched CVE-2024-12356 in December 2024, it did not address the root cause of CVE-2025-1094, leaving it as a zero-day until reported by Rapid7. All supported versions prior to PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are vulnerable, with a CVSS 3.1 base score of 8.1, indicating high severity. The vulnerability arises from flawed assumptions about PostgreSQL’s string escaping routines, allowing SQL injection under certain conditions. An attacker could exploit this vulnerability to execute arbitrary code via meta-commands in the psql tool. Users are advised to upgrade to PostgreSQL versions 17.3, 16.7, 15.11, 14.16, or 13.19 to mitigate risks.
Tech Optimizer
February 14, 2025
Researchers have identified a SQL injection vulnerability, CVE-2025-1094, in PostgreSQL's interactive terminal tool, psql. This vulnerability is linked to another vulnerability, CVE-2024-12356, related to remote code execution in BeyondTrust's products. CVE-2025-1094 arises from a flawed assumption about the security of escaped untrusted input and allows attackers to inject malicious SQL statements due to the processing of invalid UTF-8 characters. It has a CVSS 3.1 base score of 8.1, indicating high severity, and can lead to arbitrary code execution through psql's meta-command functionality. The vulnerability affects all supported PostgreSQL versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19. Users are advised to upgrade to these patched versions to mitigate risks. A Metasploit module targeting this vulnerability has been developed, emphasizing the urgency for organizations to implement patches.
Tech Optimizer
February 14, 2025
Rapid7 has identified a SQL injection vulnerability, CVE-2025-1094, affecting all supported PostgreSQL versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19, with a CVSS 3.1 base score of 8.1. This vulnerability is linked to another vulnerability, CVE-2024-12356, which allows unauthenticated remote code execution in BeyondTrust's solutions. Exploiting CVE-2024-12356 requires prior exploitation of CVE-2025-1094. The issue arises from flawed assumptions in PostgreSQL's string escaping routines, particularly in handling invalid UTF-8 characters, which can lead to SQL injection through the psql tool. Attackers can execute arbitrary SQL statements and operating system shell commands under certain conditions. Users are advised to upgrade to secure PostgreSQL versions to mitigate risks. A Metasploit exploit module for CVE-2025-1094 is also available for vulnerable BeyondTrust systems.
Tech Optimizer
February 14, 2025
A significant vulnerability has been found in the open-source SQL database PostgreSQL, identified as CVE-2025-1094. This SQL injection vulnerability was discovered during an investigation of another vulnerability, CVE-2024-12356, related to BeyondTrust's solutions. Successful exploitation of CVE-2025-1094 allows for arbitrary code execution (ACE) through the use of meta-commands in PostgreSQL. Despite a patch for CVE-2024-12356, the root cause of CVE-2025-1094 remains unaddressed, making it a zero-day vulnerability. Rapid7 recommends that PostgreSQL users upgrade to versions 17.3, 16.7, 15.11, 14.16, or 13.19 to protect against potential exploitation.