A critical PostgreSQL bug is used in a U.S. Treasury hack, Russian hackers exploit device code authentication, a new malware hijacks Outlook drafts, and the BBC tests truth marks to combat fake news recordings. This is Cybersecurity Today. I'm your host, Jim Love.

A newly discovered PostgreSQL vulnerability played a crucial role in December's U.S. Treasury breach. Security researchers revealed it was a combination of two vulnerabilities that made the entire attack possible.
Rapid7's security team has unveiled CVE-2025-1094, a high-severity SQL injection vulnerability scoring 8.1, which works in tandem with a previously known BeyondTrust zero-day, CVE-2024-12356. Now, while BeyondTrust patched their zero-day in December 2024, that fix didn't address the root cause of the PostgreSQL issue, which remained undiscovered until Rapid7's investigation.
The bug exploits a flaw in PostgreSQL's string escaping routines, allowing malicious input to be executed under specific conditions. The vulnerability affects all versions of PostgreSQL's interactive tool, psql, and can lead to arbitrary code execution. Caitlin Condon, Rapid7's Director of Vulnerability Intelligence, said, "It's clear that adversaries who perpetuated the December attack really knew the target's technology."
Condon highlighted a concerning trend in zero-day exploits that the company has been tracking since 2023. The PostgreSQL team has responded swiftly, releasing patches on February 13th. It is highly recommended to update to the latest PostgreSQL version immediately, and review all psql tool usage in your production environment.
The incident serves as a stark reminder that complex attacks often rely on multiple vulnerabilities working in concert, and that patching one component may not fully address the underlying security risks.

Russian state-sponsored hackers have discovered a clever way to bypass traditional password security, using device code authentication to compromise government and private organizations worldwide.
Microsoft has identified the group, dubbed Storm-2372, targeting critical sectors including defense, healthcare, and energy since August of 2024. The attack exploits a legitimate authentication feature designed for devices that can't handle interactive login screens. The hackers convince victims to enter device codes on genuine Microsoft sign-in pages, gaining access tokens that allow them to infiltrate accounts without passwords.
Once inside, they can maintain persistent access and move laterally through organizations specifically searching for sensitive keywords like password, admin, or, if they're hacking governments, ministry. The technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors, according to Microsoft.
The campaign has already reached organizations across Africa, Europe, the Middle East and North America, with Volexity reporting specific targets including the U.S. State Department and the European Union Parliament. The attackers have recently upgraded their tactics. As of February 13th, they've begun exploiting Microsoft Authentication Broker to obtain refresh tokens, allowing them to register their own devices with Entra ID and gain deeper access to organizational resources.
The group further uses regionally appropriate proxies to mask their activity, making detection particularly challenging.

A sophisticated new malware family has been discovered using Microsoft Outlook as its command center, demonstrating an innovative approach to evading detection while targeting government institutions in South America and Southeast Asia. The malware kit, named Final Draft, leverages Microsoft's own Graph API to communicate through Outlook email drafts, making it particularly difficult to detect since it uses legitimate Microsoft services. Elastic Security Labs uncovered the threat while investigating attacks on a South American nation's foreign ministry, revealing a comprehensive post-exploitation toolkit that works on both Windows and Linux systems. At the heart of the operation is PathLoader, a lightweight Windows executable that serves as the initial breach point.
Once installed, Final Draft deploys an extensive array of 37 command handlers capable of everything from basic file manipulation to sophisticated process injection. The malware creates a covert communication channel by manipulating email drafts in Outlook, effectively turning Microsoft's email server into a command and control center. "This represents a concerning evolution in malware tactics," says Elastic Security Labs in their report.
"By abusing legitimate Microsoft services and implementing sufficiently sophisticated evasion techniques, Final Draft demonstrates how threat actors are adapting to bypass traditional security measures." The discovery of Final Draft's Linux variant suggests the threat actors are expanding their reach, signaling a need for comprehensive cross-platform security strategies in government and enterprise environments.

The BBC has done a major test of a new tool to fight against digital misinformation.
Content Credentials is an open technology that lets viewers view the authenticity of news content. One of the first test cases involved footage from Haiti's massive prison break. BBC analysts used Content Credentials to examine viral TikTok footage of the March prison raid that freed 4,700 inmates.
Using the technology, they verified the video's location while discovering that gunfire audio had been added after the fact, then digitally signed their findings so future viewers could trust the analysis. This implementation is part of a broader initiative by the Coalition for Content Provenance and Authenticity (C2PA), which has gathered impressive momentum in the past year.
Tech giants Amazon, Google, Meta, and OpenAI have joined the steering committee, while major camera manufacturers including Canon, Leica, Sony, and Samsung are integrating the technology into their devices. Christian Paquin, Principal Research Software Engineer at Microsoft, says, "You can imagine the situation in five to 10 years, with this technology baked into a lot of the trusted news and hardware ecosystem. We can really have trust signals to differentiate what's real and what's not."
The technology works by creating a tamper-evident digital signature that combines media data with a manifest tracking every modification made to the content. For instance, if a photo is cropped, lightened, or compressed, each change is recorded in the credentials' audit trail. Most major AI companies, including OpenAI, Meta, and Microsoft, are already using the system to mark AI-generated images.

And that's our show.
You can reach me with comments, suggestions, or tips at editorial@technewsday.ca. Because of the holiday, we'll be doing two shows this week, Tuesday and Thursday, and we'll have our regular weekend show on Saturday. I'm your host, Jim Love. Thanks for listening.