Cybersecurity Today: Final Draft Malware Attacks Using Outlook
Hosted by Jim Love | Released on February 18, 2025
1. PostgreSQL Vulnerability Exploited in US Treasury Breach
In December 2024, a sophisticated cyberattack targeted the US Treasury, leveraging a newly discovered vulnerability in PostgreSQL. Jim Love opens the episode by highlighting the complexity of the breach, which was only possible through the exploitation of two critical vulnerabilities. Rapid7's security team identified CVE-2025-1094, a severe SQL injection flaw with a score of 8.1, which, when chained with the previously known BeyondTrust zero-day vulnerability (CVE-2024-12356), facilitated the breach.
Key Insights:
- Vulnerability Details: The PostgreSQL bug stems from flawed string escaping routines, which allow crafted input to be executed under specific conditions. The flaw affects all versions of PostgreSQL's interactive tool, psql, potentially allowing arbitrary code execution.
- Rapid7's Analysis: Caitlin Condon, Rapid7's Director of Vulnerability Intelligence, emphasized the attackers' deep understanding of the target technology. At [05:30], Condon remarks, "It's clear that adversaries who perpetuated the December attack really knew the target technology." She further warns of a disturbing trend in zero-day exploits that Rapid7 has been monitoring since 2023.
- Response and Recommendations: The PostgreSQL team responded promptly by releasing patches on February 13th. Jim Love advises listeners to "update to the latest PostgreSQL version immediately and review all psql tool usage in your production environment" ([08:45]). The incident underscores the necessity of addressing the root cause of a vulnerability, since patching one component may not mitigate all of the associated risk.
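The two checks Jim Love recommends can be scripted. The example below is added here and is not code from the episode or from the PostgreSQL project; it assumes the minimum patched minor versions from the February 13 release (verify against the PostgreSQL release notes) and flags shell scripts that splice a variable into the SQL handed to psql -c, which are the call sites to review first.

```python
import re

# Minimum patched minor version per supported branch from the 2025-02-13 release
# (assumed; confirm against the PostgreSQL project's own announcement).
PATCHED_MINOR = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}


def psql_is_patched(version_output: str) -> bool:
    """Parse output such as 'psql (PostgreSQL) 16.4' and compare it to the fix release."""
    m = re.search(r"(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError(f"unrecognised version string: {version_output!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if major not in PATCHED_MINOR:
        # End-of-life branch: no fix was published for it, so treat it as unpatched.
        return False
    return minor >= PATCHED_MINOR[major]


# A psql invocation with -c/--command whose SQL text contains a shell variable.
_RISKY = re.compile(r"\bpsql\b.*\s(?:-c|--command)[=\s].*\$\{?\w+")


def find_risky_psql_calls(script: str) -> list[int]:
    """Return 1-based line numbers where a shell script interpolates a variable
    into the SQL it passes to psql. Those lines deserve review regardless of
    how the variable is quoted, because quoting relies on the escaping routines."""
    return [i for i, line in enumerate(script.splitlines(), 1) if _RISKY.search(line)]


if __name__ == "__main__":
    # Constructed sample script: the second line interpolates $NAME into the query.
    sample = (
        'psql -U app -c "SELECT 1"\n'
        'psql -U app -c "SELECT * FROM accounts WHERE name = \'$NAME\'"\n'
    )
    print("patched:", psql_is_patched("psql (PostgreSQL) 16.4"))
    print("review lines:", find_risky_psql_calls(sample))
```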
2. Russian Hackers Storm-2372 Exploit Device Code Authentication
Jim Love transitions to a novel method employed by Russian state-sponsored hackers, tracked by Microsoft as Storm-2372. Since August 2024, this group has been targeting critical sectors such as defense, healthcare, and energy across Africa, Europe, the Middle East, and North America.
Key Insights:
- Attack Technique: Storm-2372 exploits device code authentication, a legitimate Microsoft feature intended for devices that cannot perform an interactive login. The attackers trick victims into entering device codes on genuine Microsoft sign-in pages, thereby acquiring access tokens without needing passwords.
- Persistence and Lateral Movement: Once inside, the hackers maintain persistent access and navigate laterally within organizations, searching for sensitive information using keywords like "password," "admin," or "ministry."
- Advanced Tactics: As of February 13, Storm-2372 has refined its methods by exploiting the Microsoft Authentication Broker to obtain refresh tokens. This allows the group to register its own devices with enterprise IDs, gaining deeper access to organizational resources. Additionally, it routes activity through regionally appropriate proxies to blend in with expected traffic, making detection harder.
Jim Love notes, "The technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors" ([15:20]). Microsoft has reported specific high-profile targets, including the U.S. State Department and the European Union Parliament, indicating the group's strategic objectives.
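A defender's view of this technique is a sign-in log correlation: a device-code sign-in that is followed shortly afterwards by a new device registration for the same account matches the refresh-token and device-registration step described above. The example below is added here and is not code from the episode or from Microsoft; the record shapes and field names are assumptions loosely modelled on Entra ID sign-in and audit logs, and the records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sign-in records (field names are assumptions, not Microsoft's schema).
SIGNINS = [
    {"time": "2025-02-13T09:01:00", "user": "alice@example.org", "protocol": "deviceCode",
     "ip": "203.0.113.7", "country": "DE", "result": "success"},
    {"time": "2025-02-13T09:05:00", "user": "bob@example.org", "protocol": "ropc",
     "ip": "198.51.100.4", "country": "US", "result": "success"},
    {"time": "2025-02-13T10:00:00", "user": "carol@example.org", "protocol": "deviceCode",
     "ip": "192.0.2.9", "country": "US", "result": "failure"},
]
# Constructed device-registration audit records.
DEVICE_REGISTRATIONS = [
    {"time": "2025-02-13T09:12:00", "user": "alice@example.org", "device": "DESKTOP-X1"},
]


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def device_code_alerts(signins, registrations, window=timedelta(minutes=30)):
    """Flag every successful device-code sign-in, and raise the severity when the
    same user registers a device within `window` of it. The sign-in country is
    reported but not used to clear an alert: the group uses regional proxies, so
    a geographically plausible source is not evidence of legitimacy."""
    alerts = []
    for s in signins:
        if s["protocol"] != "deviceCode" or s["result"] != "success":
            continue
        start = _t(s["time"])
        followed = [r for r in registrations
                    if r["user"] == s["user"] and start <= _t(r["time"]) <= start + window]
        alerts.append({
            "user": s["user"], "ip": s["ip"], "country": s["country"],
            "severity": "high" if followed else "medium",
            "registered_devices": [r["device"] for r in followed],
        })
    return alerts


if __name__ == "__main__":
    for alert in device_code_alerts(SIGNINS, DEVICE_REGISTRATIONS):
        print(alert)
```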
3. Final Draft: A New Malware Exploiting Microsoft Outlook
The episode delves into the emergence of a sophisticated malware family named Final Draft, which utilizes Microsoft Outlook as its primary command center. Discovered by Elastic Security Labs, Final Draft represents a significant evolution in malware tactics, particularly in evading traditional detection methods.
Key Insights:
- Operational Mechanics: Final Draft leverages Microsoft's Graph API to communicate through Outlook email drafts, disguising its activities within legitimate Microsoft services. The malware begins with a lightweight Windows executable called pathloader, which serves as the initial breach point.
- Capabilities: Once deployed, Final Draft activates a comprehensive toolkit comprising 37 command handlers. These handlers facilitate various malicious activities, ranging from basic file manipulation to advanced process injection.
- Cross-Platform Presence: Notably, Final Draft has a Linux variant, suggesting the threat actors' intention to broaden their impact across different operating systems. This necessitates robust, cross-platform security strategies for both government and enterprise environments.
Elastic Security Labs commented on the threat's sophistication, stating, "By abusing legitimate Microsoft services and implementing sophisticated evasion techniques, Final Draft demonstrates how threat actors are adapting to bypass traditional security measures" ([22:10]). The malware's ability to create a covert communication channel by manipulating Outlook drafts effectively turns Microsoft's email server into a clandestine command and control hub.
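Because the channel lives in the Drafts folder, the mailbox audit trail is where it shows up: drafts created and deleted repeatedly by an application that is not a known mail client, with nothing ever sent. The example below is added here and is not code from the episode or from Elastic Security Labs; the event shape and field names are assumptions loosely modelled on Exchange Online mailbox auditing, and the events are constructed.

```python
from collections import defaultdict

# Constructed mailbox-audit events (field names are assumptions, not Microsoft's schema).
EVENTS = [
    {"user": "dave@example.org", "op": "Create", "folder": "\\Drafts", "app_id": "0000-known-outlook"},
    {"user": "dave@example.org", "op": "Send", "folder": "\\Drafts", "app_id": "0000-known-outlook"},
] + [
    {"user": "erin@example.org", "op": op, "folder": "\\Drafts", "app_id": "9999-unregistered"}
    for op in ["Create", "HardDelete"] * 12
]

# Application IDs the organisation knows as legitimate mail clients (constructed).
KNOWN_MAIL_CLIENTS = {"0000-known-outlook"}


def draft_channel_suspects(events, min_churn=10):
    """Return (user, app_id) pairs whose Drafts folder shows repeated create/delete
    churn with no Send, driven by an app outside the known-client list. A Drafts
    folder used as a message queue rather than as a composition aid looks like this."""
    stats = defaultdict(lambda: {"create": 0, "delete": 0, "send": 0})
    for e in events:
        if e["folder"] != "\\Drafts":
            continue
        key = (e["user"], e["app_id"])
        if e["op"] == "Create":
            stats[key]["create"] += 1
        elif e["op"] in ("SoftDelete", "HardDelete"):
            stats[key]["delete"] += 1
        elif e["op"] == "Send":
            stats[key]["send"] += 1
    return sorted(
        key for key, s in stats.items()
        if key[1] not in KNOWN_MAIL_CLIENTS
        and s["send"] == 0
        and min(s["create"], s["delete"]) >= min_churn
    )


if __name__ == "__main__":
    print(draft_channel_suspects(EVENTS))
```

The churn threshold is a tuning knob: set it from a baseline of how often real users create and discard drafts in your tenant.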
4. BBC's Initiative to Combat Fake News with Content Credentials
Shifting focus from offensive cybersecurity threats to defensive measures, Jim Love discusses the BBC's pioneering effort to counter digital misinformation through a new tool called Content Credentials. This open technology aims to provide viewers with verifiable information about the authenticity of news content.
Key Insights:
- Test Implementation: One of the BBC's first applications involved analyzing viral TikTok footage of a massive prison break in Haiti, which resulted in the release of 4,700 inmates. Using Content Credentials, BBC analysts confirmed the footage's location but detected that gunfire audio had been artificially inserted post-recording. These findings were digitally signed, ensuring future viewers could trust the analysis.
- Coalition and Industry Support: Content Credentials is part of the Coalition for Content Provenance and Authenticity (C2PA), which has gained significant traction over the past year. Prominent tech giants like Amazon, Google, Meta, and OpenAI are part of the steering committee, while major camera manufacturers such as Canon, Leica, Sony, and Samsung are integrating the technology into their devices.
- Future Vision: Christian Paquin, Principal Research Software Engineer at Microsoft, envisions a future where "this technology is baked into a lot of the trusted news and hardware ecosystem," enabling "trust signals to differentiate what's real and what's not" ([30:55]).
Technical Overview: The technology operates by generating a tamper-evident digital signature that binds the media data to a manifest tracking every modification made to the content. For example, alterations such as cropping, lightening, or compression are recorded in the credential's audit trail. Major AI companies are already utilizing this system to label AI-generated images, enhancing the reliability of visual media.
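A stripped-down model of that binding makes the tamper-evidence concrete: hash the original, record a hash after each edit, and sign the whole manifest so that neither the media nor the edit history can be altered without the signature failing. This is an added illustration, not the C2PA specification's actual data structures or the BBC's tooling; an HMAC under a constructed key stands in for the publisher's certificate-based signature, and the "media" and edits are byte-level stand-ins.

```python
import hashlib
import hmac
import json

# Constructed key; a real system signs with the publisher's private key and certificate.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(original: bytes, edits: list) -> tuple[bytes, dict]:
    """Apply each (action_name, function) edit in order, recording the hash after
    every step, then sign the manifest over the original, the chain and the result."""
    current, actions = original, []
    for name, fn in edits:
        current = fn(current)
        actions.append({"action": name, "hash_after": sha256(current)})
    manifest = {"original_hash": sha256(original), "actions": actions,
                "final_hash": sha256(current)}
    payload = json.dumps(manifest, sort_keys=True).encode()
    manifest["signature"] = hmac.new(SIGNING_KEY, payload, "sha256").hexdigest()
    return current, manifest


def verify(media: bytes, manifest: dict) -> bool:
    """True only if the signature covers exactly this manifest and the media bytes
    match the recorded final hash; any edit to either side fails the check."""
    unsigned = {k: v for k, v in manifest.items() if k != "signature"}
    payload = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, payload, "sha256").hexdigest()
    return (hmac.compare_digest(expected, manifest["signature"])
            and sha256(media) == manifest["final_hash"])


# Constructed stand-ins: a byte string for the footage, byte operations for edits.
ORIGINAL = b"prison-break-footage-original-frames"
EDITS = [("crop", lambda b: b[:-6]), ("add_audio_track", lambda b: b + b"+inserted-audio")]

if __name__ == "__main__":
    media, manifest = build_manifest(ORIGINAL, EDITS)
    print([a["action"] for a in manifest["actions"]], verify(media, manifest))
```

In the BBC case above, the inserted gunfire audio would appear as an explicit action in the manifest if the editor's tooling recorded it, and its absence is exactly what makes a manifest that claims to be unedited while the bytes say otherwise fail verification.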
Conclusion
This episode of Cybersecurity Today underscores the evolving landscape of cyber threats and the corresponding advancements in defensive technologies. From the exploitation of underlying database vulnerabilities and innovative hacking techniques to sophisticated malware leveraging legitimate services, the discussions highlight the critical need for robust, multi-faceted cybersecurity strategies. Additionally, the BBC's efforts in combating misinformation through Content Credentials illustrate the importance of transparency and authenticity in the digital age. As cyber threats become increasingly complex, both organizations and individuals must stay vigilant and proactive in securing their digital environments.