Exploits found targeting AWS and PostgreSQL, Microsoft 365 accounts being hijacked, Steam game installs malware and Microsoft patches released...


Welcome to this week's Cyber Security News. Our security team has handpicked the best articles from around the internet and put them all in one place for you to digest. Subscribe for weekly updates!


New 'whoAMI' Attack Exploits AWS AMI Name Confusion for Remote Code Execution

A new attack, dubbed "whoAMI," targets AWS by exploiting a name confusion vulnerability in the Amazon Machine Image (AMI) system. Attackers can create a malicious AMI with a matching name pattern, tricking developers into using it instead of the legitimate image. This results in remote code execution (RCE) on EC2 instances. The attack, resembling a supply chain exploit, can affect organizations using misconfigured software. AWS has addressed the issue with new security controls, but researchers caution that such vulnerabilities remain a risk if not properly mitigated.
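As an added illustration (not code from the article or from AWS), the Python below models the name confusion behind whoAMI on a constructed image catalogue: a lookup that filters on name only and takes the newest match resolves to whichever account most recently published a look-alike, while pinning the expected publisher account keeps the lookup on the legitimate image. The account IDs, AMI IDs and image names are placeholders.

```python
# Added example, not code from the article or from AWS: models the AMI name
# confusion behind "whoAMI" on a constructed catalogue and shows the owner
# check that prevents it. Account IDs, AMI IDs and names are placeholders.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Optional

TRUSTED_OWNER = "111111111111"  # placeholder: account expected to publish the image
PATTERN = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"  # name filter with wildcard


@dataclass(frozen=True)
class Image:
    image_id: str
    name: str
    owner_id: str
    creation_date: str  # ISO 8601 timestamp, sorts correctly as text


# Constructed stand-in for EC2 DescribeImages output: the legitimate image plus a
# look-alike published from an unrelated account with a newer creation date.
CATALOG = [
    Image("ami-0000000000aaaaaaa",
          "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240901",
          TRUSTED_OWNER, "2024-09-01T00:00:00.000Z"),
    Image("ami-0000000000bbbbbbb",
          "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20250201",
          "999999999999", "2025-02-01T00:00:00.000Z"),
]


def pick_ami_unsafe(catalog: Iterable[Image], pattern: str) -> Optional[Image]:
    """Name-only lookup, newest match wins (no owner filter): the misconfiguration."""
    matches = [img for img in catalog if fnmatchcase(img.name, pattern)]
    return max(matches, key=lambda img: img.creation_date, default=None)


def pick_ami_safe(catalog: Iterable[Image], pattern: str,
                  trusted_owners: set[str]) -> Optional[Image]:
    """Same lookup with the publisher account pinned: look-alikes from other
    accounts never enter the candidate set, so 'newest' cannot be hijacked."""
    matches = [img for img in catalog
               if img.owner_id in trusted_owners and fnmatchcase(img.name, pattern)]
    return max(matches, key=lambda img: img.creation_date, default=None)


if __name__ == "__main__":
    print("unsafe:", pick_ami_unsafe(CATALOG, PATTERN).image_id)  # look-alike wins
    print("safe:  ", pick_ami_safe(CATALOG, PATTERN, {TRUSTED_OWNER}).image_id)
```

The same owner pinning applies to real lookups (an owners filter on the AMI query, or an explicit AMI ID) so that a matching name from an untrusted account is never a candidate.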

PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks

A vulnerability in PostgreSQL (CVE-2025-1094) has been exploited by attackers in tandem with a BeyondTrust zero-day flaw (CVE-2024-12356) to conduct targeted attacks. This vulnerability affects the PostgreSQL interactive tool psql, allowing SQL injection attacks that lead to arbitrary code execution. The flaw is due to how PostgreSQL handles invalid UTF-8 characters and can be triggered using a meta-command, enabling attackers to execute shell commands. Updates have been released to address the issue for the affected PostgreSQL versions, 13 through 17.

New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations

A new Golang-based backdoor malware has been discovered, leveraging the Telegram Bot API for command-and-control (C2) operations. The malware, still under development, checks for a specific location on the infected machine and uses Telegram to receive commands, allowing attackers to execute PowerShell commands, persist the backdoor, or self-destruct. It is believed to be of Russian origin, as indicated by Russian-language messages in the malware’s commands. This method of using Telegram makes the backdoor more evasive, complicating detection by traditional security measures.

Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts

Microsoft has reported that Russian-linked hackers, identified as Storm-2372, are employing a new phishing method called "device code phishing" to hijack Microsoft 365 accounts. The attackers use messaging apps to build trust with targets and trick them into entering device codes on fake sign-in pages, allowing the attackers to capture authentication tokens and gain unauthorized access. Once inside, the hackers exfiltrate sensitive data and move laterally within networks. This technique has targeted various sectors globally. Microsoft advises organizations to block device code flow, use multi-factor authentication, and follow the principle of least privilege to mitigate risks.

PirateFi Game on Steam Caught Installing Password-Stealing Malware

The free-to-play game PirateFi, available on Steam between February 6 and 12, 2025, was found to be distributing Vidar infostealer malware. Up to 1,500 users may have been impacted by the malicious file, which compromised sensitive data such as passwords, session cookies, and cryptocurrency wallets. The game was initially well received, but once the infection was discovered, Steam alerted users and advised them to reinstall Windows. Security researchers noted that the malware used deliberate obfuscation techniques and may have been aimed at web3/cryptocurrency enthusiasts. Affected users are urged to change their passwords and enable multi-factor authentication.

Microsoft's Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation

Microsoft's February 2025 Patch Tuesday update addresses 63 security vulnerabilities, including two actively exploited flaws. Among them are critical privilege escalation vulnerabilities (CVE-2025-21391 and CVE-2025-21418) affecting Windows components, which attackers can leverage to gain SYSTEM-level privileges. Notably, these flaws are similar to those previously exploited by the Lazarus Group. Additionally, the update fixes several other vulnerabilities, including remote code execution flaws in High Performance Compute Pack and LDAP, with an emphasis on mitigating the risk of widespread network breaches. Organizations are advised to patch systems promptly.

Check out previous editions and find out how we can help your organisation by visiting our website: https://www.d2na.com
