The long-awaited elementary OS 6 release is taking shape nicely with the Beta 2 release, which is now available for public testing for anyone seeking a sneak peek at the features in store for the final release.

As the second beta, elementary OS 6 Beta 2 reflects the ambitious plans the development team has for the stable release, including serving as an open, privacy-focused replacement for macOS and Windows under a pay-what-you-want model.

Perhaps the major highlight of elementary OS 6 Beta 2 is the addition of first-party Flatpak applications; the transition of the pre-installed apps to Flatpak packages is now a work in progress.

What's New in elementary OS 6 Beta 2?



The addition of Flatpak applications means that more first-party applications will now use Flatpak packaging, and the same approach will reach third-party applications in the App Center: developers can copy it to publish their own applications as Flatpak packages.



Besides the first-party Flatpak applications, elementary OS 6 Beta 2 brings some key upgrades along with several under-the-hood improvements, such as a few UI tweaks to the installer for a cleaner look and a subtle animation for installation progress instead of a static icon.

Additionally, this release adds the ability to add online accounts from System Settings, so users can add mail and calendar accounts, with the IMAP and CalDAV standards fully supported. Added accounts show up in apps like Tasks, Calendar, and Mail, making the experience seamless.

How to Download elementary OS 6 Beta 2?



If you're already running the first beta, you'll need to reinstall with Beta 2 for proper testing; the installer window size remains the same. You can get elementary OS 6 Beta 2 for public testing from its official builds page.

But note that this release is only meant for testing and development purposes, so don't install it on your main production system.

elementary OS 6 is taking shape nicely with beta 2 release

Polkit (PolicyKit) is a toolkit that controls system-wide privileges in Unix-like operating systems, offering an organized way for non-privileged processes to communicate with privileged ones.

A privilege escalation vulnerability has been discovered in the Polkit service that could be exploited by an unprivileged attacker to bypass authorization and escalate privileges to root.

The vulnerability, tracked as CVE-2021-3560 (CVSS score 7.8), affects Polkit versions 0.113 to 0.118 and was discovered by GitHub security researcher Kevin Backhouse, who stated that the issue was introduced in a code commit made in 2013.

How the Polkit Flaw allows Unprivileged Linux Users Root Access?



The function `polkit_system_bus_name_get_creds_sync` is employed to get the uid and pid of the process requesting the action, and it does this by sending the unique bus name of the requesting process, typically something like ":1.96", to `dbus-daemon`.



These unique names are assigned and managed by `dbus-daemon` and cannot be forged, so this is a good way to check the privileges of the requesting process. The vulnerability arises if the requesting process disconnects from `dbus-daemon` before the call to `polkit_system_bus_name_get_creds_sync` begins.

In that case the unique bus name is no longer valid, so `dbus-daemon` sends back an error reply. `polkit_system_bus_name_get_creds_sync` handles this error case by setting the `error` parameter, but it still returns `TRUE` rather than `FALSE`.

This means that all callers of `polkit_system_bus_name_get_creds_sync` need to carefully check whether an error was set.
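The following C sketch is an added illustration of that rule; it is not polkit's code. It models the contract described above with a hypothetical `get_creds_sync` that sets an error but still returns true when the unique bus name has vanished, and contrasts a caller that trusts the return value alone with a hardened caller that treats a set error as failure. The `Error` struct, the `OWNERS` table and the bus names in it are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for GLib's GError, constructed for this example. */
typedef struct {
    bool is_set;
    char message[96];
} Error;

/* Constructed table of unique bus names as dbus-daemon would know them.
 * 'connected' models whether the owning process is still on the bus. */
typedef struct {
    const char *unique_name;
    unsigned uid;
    unsigned pid;
    bool connected;
} BusOwner;

static const BusOwner OWNERS[] = {
    { ":1.96", 1000, 4242, true  },   /* requester still connected */
    { ":1.97", 1000, 4300, false },   /* requester disconnected before the lookup */
};

/* Hypothetical stand-in for polkit_system_bus_name_get_creds_sync with the
 * pre-0.119 contract the article describes: when dbus-daemon answers with an
 * error, *error is set but the function still returns true. Not polkit's code. */
static bool get_creds_sync(const char *name, unsigned *uid, unsigned *pid, Error *error)
{
    for (size_t i = 0; i < sizeof OWNERS / sizeof OWNERS[0]; i++) {
        if (strcmp(OWNERS[i].unique_name, name) == 0 && OWNERS[i].connected) {
            *uid = OWNERS[i].uid;
            *pid = OWNERS[i].pid;
            return true;
        }
    }
    /* Error path: the failure is reported through *error ... */
    error->is_set = true;
    snprintf(error->message, sizeof error->message,
             "no owner for bus name %s (requester disconnected?)", name);
    /* ... but success is reported through the return value; uid/pid were never written. */
    return true;
}

/* Caller that trusts the return value alone. Returns the uid it would act on,
 * or -1 when it refuses. On the stale name it proceeds with uid 0, simply the
 * value its local variable was initialised with. */
static long resolve_uid_return_value_only(const char *name)
{
    unsigned uid = 0, pid = 0;
    Error err = { false, "" };
    if (!get_creds_sync(name, &uid, &pid, &err))
        return -1;
    (void)pid;
    return (long)uid;
}

/* Hardened caller: an error reported by the callee is a failure, whatever
 * the return value says. */
static long resolve_uid_checking_error(const char *name)
{
    unsigned uid = 0, pid = 0;
    Error err = { false, "" };
    bool ok = get_creds_sync(name, &uid, &pid, &err);
    if (!ok || err.is_set) {
        fprintf(stderr, "refusing %s: %s\n", name,
                err.is_set ? err.message : "lookup failed");
        return -1;
    }
    (void)pid;
    return (long)uid;
}

int main(void)
{
    printf("return-value-only, live name  -> uid %ld\n", resolve_uid_return_value_only(":1.96"));
    printf("return-value-only, stale name -> uid %ld\n", resolve_uid_return_value_only(":1.97"));
    printf("error-checked,     live name  -> uid %ld\n", resolve_uid_checking_error(":1.96"));
    printf("error-checked,     stale name -> uid %ld\n", resolve_uid_checking_error(":1.97"));
    return 0;
}
```

The first caller acts on uid 0 for the stale name without ever having received valid credentials, which is the shape of the bug; the second refuses, and refusing is the only safe outcome when the identity of the requester cannot be established.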

How to Mitigate against the Polkit Vulnerability?



Popular Linux distributions affected by the Polkit vulnerability include Fedora 21 (or later), RHEL 8, Debian "Bullseye," and Ubuntu 20.04. The issue has been fixed in Polkit version 0.119, released on June 3.

Linux users are therefore advised to update their installations to mitigate the risk posed by the Polkit flaw.

Polkit Vulnerability grant Attackers Root Access on Linux Systems

ImgDownloader is a versatile all-in-one image downloading engine that downloads images automatically, helping content creators curate content easily.

It is a very powerful image downloader tool that lets you download all images from any site, including Pinterest and Instagram images, which are known to be hard nuts to crack. And ImgDownloader doesn't stop at images: you can also get videos and MP4 files instantly.

Imagine being able to download your entire set of image results in bulk; that is what you get with ImgDownloader. You can even enter a keyword, preview the images returned through Google's index, and download all of them or specific ones with a single click.

Major Websites that You can download Images in Bulk using ImgDownloader



ImgDownloader works across all websites, including the popular ones listed below, which tend to restrict easy downloading of images.



  • Instagram Image Downloader: Downloading an image from Instagram does not come easy, as the platform makes it very difficult to download and save images. But with ImgDownloader, downloading your favorite celebrities' images is a breeze.
  • Google Image Downloader: Are you the type who needs bulk image curation from Google and don't know how to go about it? ImgDownloader allows you to download images in bulk using the Google search engine.
  • Pinterest Image Downloader: Here you can easily download images from Pinterest in just one click.



Additionally, you are not restricted to these major image sources, as ImgDownloader works across all websites: simply paste a URL and ImgDownloader will automatically fetch all the images within that web address. It even retrieves images hidden in CSS/JS files, and you can preview all the images, download each of them, or use the "Download All" button to get all of them in one click.

How to Download Bulk Images from Instagram using ImgDownloader?



ImgDownloader, as a powerful bulk image downloader, lets you easily download images from any Instagram profile. The steps for downloading your favorite images from Instagram are below:

Step 1:

Go to imgdownloader.com, where you will find the Instagram tab on the homepage; select it and enter your search keywords.

Step 2:

Then click the search button to fetch images related to the keyword. Alternatively, you can copy an Instagram image URL and paste it directly into the website to fetch all the images.

Step 3:

Whichever approach you choose, you'll be presented with a preview of 10-12 images, with the ability to load more by clicking the button below them. You can load as many images as you like, or all of them, and then select the Download All button to download them all.

Finally, you will see a "Packaging and Downloading" message which, depending on your network speed, may take a few minutes, after which you will get a zip file of all the images. You can follow a similar process to download images from Google search.

ImgDownloader Review: Download and Save Images with one Online Tool

The internet standard TLS (Transport Layer Security) secures communication between servers and clients over the internet, and is designed to be independent of the application layer, so it can carry many diverse communication protocols.

ALPACA is an application layer protocol content confusion attack that exploits TLS servers running different protocols but using compatible certificates, such as wildcard certificates. An attacker can redirect traffic from one subdomain to another and still end up with a valid TLS session.

According to a group of researchers from Ruhr University Bochum, Münster University and Paderborn University, the attack breaks the authentication of TLS, making cross-protocol attacks possible in which the behavior of one protocol service can compromise another at the application layer.

How the ALPACA Attack takes advantage of a TLS Flaw for Cross-Protocol Attacks?



The general TLS flaw behind ALPACA lies in server authentication: it potentially affects every TLS server whose certificate is compatible with that of another TLS service, making all such servers vulnerable.



There are three possible ways an attacker can use cross-protocol attacks against web servers by exploiting vulnerable FTP and email servers, namely the Upload Attack, the Download Attack and the Reflection Attack, in which the attacker executes a reflected XSS in the context of the victim site.

The success of an ALPACA attack, however, depends on many preconditions: the generic attack requires a MitM attacker able to intercept and divert the victim's traffic at the TCP/IP layer. The potential consequences of an ALPACA attack depend on the interactions of two unknown protocols, and a number of undesirable behaviors are possible.

How Can Admins mitigate these TLS attacks?



Two TLS extensions can provide some protection for the application layer protocol: SNI and ALPN. With SNI the client tells the server which hostname it intends to connect to, which is also useful in virtual hosting configurations. The SNI standard allows the server to terminate the connection when the hostname doesn't match one the server serves, which could prevent ALPACA attacks in practice; however, this strict behavior is rarely implemented, even among the best web servers.

The good news is that many vendors have updated their servers to remove exploitation vectors and add countermeasures in the application layer and/or the TLS implementation. TLS library maintainers have also reviewed their ALPN and SNI implementations and updated their code and documentation so that developers can implement countermeasures.
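As an added example (not code from the researchers or from any TLS library), the C function below models the strict SNI and strict ALPN policy that the mitigation section describes as a pure decision: a ClientHello is accepted only if it names a hostname this service actually serves and offers at least one application protocol this service speaks; a missing extension is treated as a mismatch rather than silently accepted. The served hostnames, the ALPN identifiers, and the comma-separated representation of the client's ALPN list are constructed for the example; a real server would call such a check from its SNI/ALPN callbacks and abort the handshake on any reject verdict.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hostnames this TLS service is willing to serve (constructed for the example). */
static const char *const SERVED_HOSTS[] = { "www.example.com", "api.example.com" };
/* Application protocols this service speaks (constructed). */
static const char *const SERVED_ALPN[]  = { "http/1.1", "h2" };

#define N_HOSTS (sizeof SERVED_HOSTS / sizeof SERVED_HOSTS[0])
#define N_ALPN  (sizeof SERVED_ALPN  / sizeof SERVED_ALPN[0])

enum verdict {
    ACCEPT = 0,
    REJECT_NO_SNI,        /* client sent no server_name: cannot tell which service it wants */
    REJECT_UNKNOWN_HOST,  /* server_name is not one of ours (e.g. a sibling FTP/mail host) */
    REJECT_NO_ALPN,       /* client did not say which application protocol it speaks */
    REJECT_UNKNOWN_ALPN   /* client speaks none of the protocols this service serves */
};

/* Case-insensitive hostname comparison that ignores a trailing dot. */
static bool host_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la && a[la - 1] == '.') la--;
    if (lb && b[lb - 1] == '.') lb--;
    if (la != lb) return false;
    for (size_t i = 0; i < la; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

/* alpn_list: the protocols the client offered, comma-separated ("h2,http/1.1").
 * Returns true if any offered protocol is one this service speaks. */
static bool alpn_overlaps(const char *alpn_list)
{
    const char *p = alpn_list;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        for (size_t j = 0; j < N_ALPN; j++)
            if (strlen(SERVED_ALPN[j]) == len && strncmp(p, SERVED_ALPN[j], len) == 0)
                return true;
        if (!end) break;
        p = end + 1;
    }
    return false;
}

/* Strict SNI + strict ALPN decision for one ClientHello.
 * NULL/empty server_name or alpn_list models an extension the client did not send. */
static enum verdict check_client_hello(const char *server_name, const char *alpn_list)
{
    if (server_name == NULL || *server_name == '\0') return REJECT_NO_SNI;
    bool host_ok = false;
    for (size_t i = 0; i < N_HOSTS; i++)
        if (host_equal(server_name, SERVED_HOSTS[i])) { host_ok = true; break; }
    if (!host_ok) return REJECT_UNKNOWN_HOST;
    if (alpn_list == NULL || *alpn_list == '\0') return REJECT_NO_ALPN;
    return alpn_overlaps(alpn_list) ? ACCEPT : REJECT_UNKNOWN_ALPN;
}

int main(void)
{
    printf("%d\n", check_client_hello("WWW.Example.COM.", "h2,http/1.1")); /* 0: accept */
    printf("%d\n", check_client_hello("ftp.example.com", "http/1.1"));    /* 2: wrong host */
    printf("%d\n", check_client_hello("www.example.com", NULL));          /* 3: no ALPN */
    printf("%d\n", check_client_hello("www.example.com", "smtp"));        /* 4: wrong ALPN */
    return 0;
}
```

The point of the two "no extension" verdicts is that the permissive default (serve anyone who does not say who they are talking to) is exactly what lets a redirected connection for another subdomain or protocol complete a valid handshake; strictness on both extensions closes that gap regardless of what certificate the sibling services share.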

ALPACA Attack: TLS Flaw exposes Secure Sites to Cross-Protocol Attacks

If you've ever wanted eye-catching photos on social media, then what you need is Photo Effects by Vertexshare, which includes filters and black-and-white photo effects to give your photo a slightly vintage feel.

While a blurring photo editor adds contrast to colors and highlights the subject, Photo Effects takes things a notch higher with advanced algorithms that enhance photo quality.

In fact, it has never been so easy to add effects and filters to photos: with Photo Effects, you can even enhance your photo using a gallery of stunning imagery.

What are the Main Features of Photo Effects?



Photo Effects is a great boon to photo editors and creators, especially those on a shoestring budget. It offers advanced features such as those listed below:



  • Smart DRC: Use the smart DRC for dynamic range compression and contrast enhancement of digital images.
  • Tone Mapping: Change the tone mapping of your photo to make flat HDR images more punchy and full of details.
  • Shadows and Highlights: A special algorithm to change the highlights, shadows and tonal width.
  • Exposure: Easily adjust the photo exposure, including lightness, contrast and saturation.
  • Local Contrast: Local contrast enhancement increases "local" contrast in smaller portions while protecting large-scale shadow/highlight details.
  • Sharpness: Sharpen and enhance edges to create incredible effects and make the photo clear.
  • White Balance: Adjust the color temperature and correct color casts that result from certain lighting situations.
  • Noise Reduction: Remove noise from photos taken with a digital camera, enhancing and improving photo quality.


Additionally, there are capabilities such as Channel Mixer, Soft light, Vignette and Presets, among others.

How to use Photo Effects preset filters with one click



It is pretty easy to create your own filters and effects manually with Photo Effects, and over 15 preset effects are also available.



Step 1:

Using sliders to get customized effects
This is a very straightforward process, as you can move the sliders to create natural tones and colours and get the results instantly.

Step 2:

Using the inbuilt preset effects to enhance photo automatically.

You have more than 15 filters that you can easily apply, including FortisEnhanced, Freya, Namaewa, StrongHold, VignetFairye and so on.

Conclusion



Photo Effects is a freemium professional photo effect editor, packed with various tuners that allow you to apply adjustments to your photo and make it look amazing in an instant.

The minimalist design and AI-enhanced intuitive settings ensure the app can be easily mastered by newcomers and experts alike. If you really want to improve the quality of your photos, then be sure to try out Photo Effects, absolutely free.

Photo Effects for Windows and Mac: Create cool photo effects easily

N3Cr0m0rPh Malware, also known as Necro Python, is a botnet family written in Python that was discovered in 2015, with Windows systems often the initial targets.

Now both Linux and Windows devices are targets, with active exploitation recorded at the start of 2021 in a malware campaign dubbed "FreakOut" that exploits vulnerabilities in network-attached storage (NAS) devices running Linux.

It co-opts the Linux machines into a botnet used for launching DDoS (distributed denial-of-service) attacks and Monero cryptocurrency mining.

How the N3Cr0m0rPh Malware Family got Upgraded with New Evasive Tricks?



According to researchers at Cisco Talos, a newly discovered malware campaign utilizes the Necro Python bot with new functionality and improved chances of running undetected on infected vulnerable systems.



The upgraded botnet contains exploits for over 10 different web apps and for the SMB protocol. It combines RAT-like and DDoS functionality to download and launch more payloads, and with stealth in mind it installs a rootkit that hides the malware's presence on the system.

Additionally, the botnet injects malicious code into HTML and PHP files stored on the infected systems to execute a JavaScript-based miner fetched from a remote server.

What Organizations Need to Do to Mitigate such Malware Attacks?



While the core functionality has remained the same, with IRC used to communicate with the C2 server and commands for launching DDoS attacks, providing a backdoor, and stealing and exfiltrating data, the malware now has increased chances of spreading to and infecting more systems.

Notably, it exploits vulnerabilities in Vesta Control Panel, VMWare vSphere, SCO OpenServer and related products, so users must ensure these products are up to date and always apply patches to their devices to close off the vulnerabilities.

N3Cr0m0rPh Malware Family Upgraded with New Evasive tricks

openSUSE Leap's clear advantage is that it provides at least 18 months of updates for each release. openSUSE Leap 15.2, released last year, moved to close the gap with SUSE Linux Enterprise (SLE), towards having the same binary packages as the enterprise version.

The latest version, openSUSE Leap 15.3, recently released, is built not just from SUSE Linux Enterprise source code as previous versions were, but with the exact same binary packages, strengthening the flow between Leap and SLE. It is a rock-solid addition to the openSUSE 15.x series that carries all the attributes of its predecessors, making it hugely beneficial for migration projects and user acceptance testing.

Besides having the same binary packages as SUSE Linux Enterprise, openSUSE Leap 15.3 comes with several other major changes that make it a really exciting release.

What's New in openSUSE Leap 15.3 Release?



openSUSE Leap already runs well on several architectures, and this new release adds support for IBM Z and LinuxONE (s390x) systems, while directly using binary packages from SLE for aarch64, powerpc64 and x86_64; the images are available on get.opensuse.org.



There are also visual changes, with major new features in Xfce 4.16 including new icons and a new palette, so Xfce shines out of the box. The Settings Manager has received a visual refresh of its filter box, which can now be hidden permanently. The DNF package manager will be updated to version 4.7.0, which provides new features and expected improvements across the whole stack, with the DNF Python API stable and supported.

Additionally, there are several security updates to containerd, podman, kubeadm and cri-o. openSUSE Leap 15.3 will give users more power to develop, ship and deploy containerized applications with the newer container technologies maintained in the distribution, and Kubernetes gives a huge boost to container orchestration capabilities, allowing automated deployment, scaling and management of containerized applications.

How to Download or Upgrade to openSUSE Leap 15.3?



If you are a new user and want to have a feel of openSUSE Leap, you can get the latest ISO from the official download website.

However, if you're an existing user, you will have to make sure you are running Leap 15.2 before upgrading to Leap 15.3. You can find more detailed information about the upgrade process in the official release notes.

openSUSE Leap 15.3 strengthens the flow between Leap and SLE

Google has rolled out Chrome 91 on the stable channel, with the latest version of the browser bringing tons of features, including the super-fast non-optimizing Sparkplug compiler, which compiles bytecode to machine code.

Google had earlier introduced a two-tier compiler system in the V8 engine, made up of Ignition and TurboFan, for JavaScript execution in the Chrome browser. Ignition is responsible for executing the JavaScript while TurboFan optimizes the code for maximum performance; these compilers make tradeoffs during the different phases of JavaScript execution.

As part of Chrome’s V8 JavaScript/WebAssembly engine, Sparkplug will be nestled between the Ignition interpreter and the TurboFan optimizing compiler; thus filling the gap between the JavaScript execution tradeoffs.

How the Sparkplug compiler will ensure faster performance in Chrome?



Sparkplug does not depend on information gathered while executing JavaScript in order to generate native machine code, which allows for quicker execution and the generation of high-performance code.



It compiles directly from bytecode instead of JavaScript source; Sparkplug thus compiles functions that have already been compiled to bytecode, and the bytecode compiler has already done work such as determining whether parentheses are arrow functions, variable resolution, and desugaring destructuring statements.

And given that it compiles directly to machine code through a single linear pass over the bytecode, it emits code that matches the execution of that bytecode.

How to Download or Upgrade to Chrome 91?



Chrome updates happen in the background, but users can also install the latest version manually by clicking "About Google Chrome" in the Help menu; the resulting tab shows whether the browser is up to date or offers a download-and-upgrade button.

Apart from the Sparkplug compiler, the new update also brings many performance improvements under the hood; according to Google, Chrome 91 is 23 percent faster than the previous version.

Chrome Sparkplug compiler to boost JavaScript performance

AlmaLinux is a free Linux distribution, a fully binary-compatible release built from the Red Hat Enterprise Linux (RHEL) operating system source code.

The first stable release of AlmaLinux, 8.3, was introduced on March 30, 2021; initially built by CloudLinux experts, AlmaLinux is now owned and governed by the community. The latest release, AlmaLinux 8.4, brings a lot of security improvements, such as Secure Boot, which is now fully supported, and OpenSCAP security profiles ready for production.

AlmaLinux 8.4 comes just one week after the release of RHEL 8.4, as a production-ready, stable release ready to power all your computing needs and workloads.

What's New in AlmaLinux 8.4 Release?



AlmaLinux 8.4's biggest change is perhaps its most requested feature, Secure Boot, which is now fully supported in this latest release.



Other changes include new module streams and compiler updates, with the release of a devel repo. More detailed changes can be found below:

  • PowerTools repo is now disabled by default
  • OpenSCAP security profiles are now ready for production
  • Secure Boot is now fully supported
  • devel repo released with extra packages and build dependencies


You can also find a link to the upstream release notes here, which provide a complete list of changes and updates in this release.

How to Download or Upgrade to AlmaLinux 8.4?



AlmaLinux 8.4 is available as three installation ISO images, AlmaLinux-8.4-x86_64-boot.iso, AlmaLinux-8.4-x86_64-minimal.iso, and AlmaLinux-8.4-x86_64-dvd.iso; it is recommended to download the ISO images using the torrent links.

Alternatively, pick the mirror closest to your geographic area from the list on the mirrors.almalinux.org website, as local mirrors will be a lot faster than repo.almalinux.org, and download a suitable ISO image from the 8.4/isos/x86_64/ directory.

AlmaLinux 8.4 Release: CentOS-like distro based as a precise RHEL clone

Pwned Passwords is Have I Been Pwned's database of real world passwords previously exposed in data breaches, which according to reports, is now going open-source courtesy of the .NET Foundation.

While Have I Been Pwned is publishing its Pwned Passwords codebase on GitHub, the data that powers Pwned Passwords is already available in the public domain via the downloadable hash sets. There is also a promise to open-source the codebase for monitoring emails and phone numbers in data breaches in the near future.

Troy Hunt, the creator of Have I Been Pwned, made the decision to make the entire project open source last year, and it is still something that will take some time.

What does Open Sourcing Pwned Passwords actually mean?



Pwned Passwords going open source is a pretty straightforward move, which means that anybody can run their own Pwned Passwords instance if they so choose.



It will also encourage greater adoption of the service, both through the confidence that people can "roll their own" if they choose and through the transparency that opening the code base brings. And since Pwned Passwords is entirely non-commercial, without the enterprise services or API costs of other parts of HIBP, it needs community effort to thrive.

The .NET Foundation has taken on responsibility for managing the open source project: establishing the licensing model, coordinating where the community invests effort, redesigning the release process and taking contributions. Above all, what Pwned Passwords needs in order to be successful is a supply of fresh passwords as they become compromised, and this is where the FBI comes in, as the FBI is involved in all manner of digital investigations.

What the FBI brings to open-sourced Pwned Passwords?



The FBI plays a major role in combating bad actors, from ransomware to child abuse to terrorism, and in the course of its investigations it is bound to come across compromised passwords.

So the FBI is being provided an avenue to feed compromised passwords into HIBP and surface them via the Pwned Passwords feature. The compromised passwords will be provided as SHA-1 and NTLM hash pairs rather than in plain text, which aligns perfectly with the current storage constructs in Pwned Passwords.

The overall goal here is to protect people from account takeovers by proactively warning them when their password has been compromised.

Open Sourcing Pwned Passwords: What does it actually mean?

AnyDesk is a popular remote desktop application boasting over 300 million users worldwide; but as reported by security researchers, a trojanized version of the software is being distributed through a malvertising campaign.

According to the CrowdStrike Falcon Complete team, the malvertising campaign uses a malicious file named “AnyDeskSetup.exe” that masquerades as the AnyDesk setup executable; upon execution, it downloads a PowerShell implant that exfiltrates system data.

Interestingly, this rather clever malvertising campaign with a weaponized AnyDesk installer was being delivered via Google ads targeting searches for the “anydesk” keyword.

How Falcon Complete detected the Malvertising Campaign targeting AnyDesk?



During a review of the process tree, the CrowdStrike Falcon platform detected an executable that appeared to have been manipulated to evade detection and that attempted to launch a PowerShell script with the following command line: "C:\Intel\rexc.exe" -exec bypass \Intel\g.ps1"



The “rexc.exe” executable appeared to be a renamed PowerShell binary, an attempt to bypass detection. On further review, “AnydeskSetup.exe” was found running from the user’s Downloads directory.

The script had multiple functions resembling an implant, as well as a hardcoded domain (zoomstatistic[.]com) to which it would “POST” reconnaissance information such as user name, hostname, operating system, IP address and the current process name. The script also used a specific user-agent string and URI to connect.

How the Threat actors utilized malicious Google ads (Malvertising)?



The threat actor served these malicious ads to people searching Google for the “AnyDesk” keyword since at least April 21, 2021. The malvertising campaign uses intermediary websites that redirect to a page hosted at https[:]//domohop[.]com/anydesk-download/, a clone of the legitimate AnyDesk website.

The researchers observed that the ads may have been targeted at specific geographic regions, as the ad was not consistently delivered, depending on the region where the search request originated.

CrowdStrike’s data suggests that 40% of clicks on this malicious ad resulted in installations of the trojanized AnyDesk binary, while 20% of installations included hands-on-keyboard activity.

However, it remains unknown what percentage of searches for AnyDesk resulted in clicks, although a 40% trojanized-app installation rate from an ad click shows that this is a successful method of reaching a wide range of potential targets.

Trojanized AnyDesk Installer spreading via Malvertising

Cryptocurrency exchanges have become targets for cybercriminals, and a hacker group affiliated with North Korea is behind a slew of recent attacks, as revealed by ClearSky researchers.

According to ClearSky researchers, the latest attack campaign against crypto-exchange companies dubbed CryptoCore has been ongoing for about three years, with the hackers focusing mainly on the theft of cryptocurrency wallets.

Other names associated with this Crypto attack campaign include: CryptoMimic, Dangerous Password and Leery Turtle; and the campaign is attributed to a specific cyber-threat actor – North Korea’s LAZARUS APT Group, also known as Hidden Cobra.

How the LAZARUS GROUP was traced to the CryptoCore Attacks?



The campaign dubbed "CryptoCore", which targeted crypto exchanges in Japan, Israel, Europe and the U.S. and resulted in the theft of millions of dollars' worth of cryptocurrency, was traced with "medium-high" likelihood to the Lazarus Group, also known as APT38 or Hidden Cobra, by researchers from Israeli cybersecurity firm ClearSky.



Interestingly, the LAZARUS GROUP was not previously known to attack Israeli targets; this is perhaps the first such case. ClearSky researchers based their attribution on two stages of research. The first stage was a comparative study of all the research documents, aiming to prove that they all refer to the same campaign.

The second stage adopted F-SECURE’s attribution to the LAZARUS GROUP, reaffirmed by comparing the attack tools found in this campaign with those of other Lazarus campaigns, which showed strong similarities.

The Lazarus group was believed to have stolen an estimated $200 million, according to a report published in June 2020, which linked CryptoCore to five targets located in Japan, the U.S., and the Middle East. The latest research, however, shows that the operations were more widespread than previously documented.

Since entering the scene in 2009, the Lazarus group has used its offensive cyber capabilities to carry out cyber-espionage and cryptocurrency heists against western businesses and critical infrastructure.

CryptoCore Attacks traced to North Korean Cyber-threat groups

Mozilla, the Firefox-maker has rolled out a new Site Isolation feature for Firefox browser in nightly and beta channels to protect users against the so-called side-channel attacks.

While the Site Isolation security mechanism was initially aimed at mitigating Spectre-like attacks, which leak data from a given renderer process, Firefox's Site Isolation architecture extends it further by creating operating-system process-level boundaries for websites loaded in Firefox for Desktop.

The aim is to load each site separately in its own operating system process, which will prevent malicious code from rogue websites from accessing confidential information stored by other websites.

How Site Isolation can be effective against Side-channel attacks?



Site Isolation can also handle more severe attacks in which the renderer process itself is compromised through security bugs, such as memory corruption bugs or UXSS logic errors.



The Spectre and Meltdown vulnerabilities, publicly disclosed back in January 2018, are a case in point: they forced browser vendors and chipmakers to build defenses into their respective platforms to mitigate attacks that could break the boundaries between applications and allow hackers to read passwords, encryption keys and other sensitive information directly from a computer's kernel memory.

Mozilla, however, was clear that with the evolving techniques of malicious actors on the web, it needed to redesign the Firefox browser to mitigate future variations of such vulnerabilities and keep users safe when browsing the web.

Hence the fundamental redesign of Firefox’s security architecture, which extends the current security mechanisms by creating operating-system process-level boundaries and isolating each site in a separate operating system process, making it even harder for a malicious site to read another site’s secret or private data.

How to enable Site Isolation on Firefox Nightly?



If you'd like to give the feature a spin, you can follow these steps to enable Site Isolation on Firefox Nightly:

  • Navigate to about:preferences#experimental
  • Check the “Fission (Site Isolation)” checkbox to enable it.
  • Restart Firefox.

To enable Site Isolation on Firefox Beta or Release:

  • Navigate to about:config.
  • Set the `fission.autostart` pref to `true`.
  • Restart Firefox.


Note that Firefox’s Site Isolation feature is currently rolling out, and Mozilla is only enabling it for a subset of users on its Nightly and Beta channels, with plans to roll it out to more users later this year.

Mozilla's New Firefox Site Isolation architecture

Bizarro is a relatively new banking Trojan, spread via Microsoft Installer (MSI) packages, that originated in Brazil but is now finding its way into other regions of the world.

According to Kaspersky researchers, Bizarro uses affiliates or recruited money mules to operationalize attacks, cash out, or simply help with transfers. So far, mostly people in Spain, Portugal, France and Italy are targeted, with attempts made to steal credentials from customers of about 70 banks across different European countries.

The threat actors behind Bizarro use servers hosted on Azure and Amazon (AWS), as well as compromised WordPress servers, to store the malware and collect telemetry.

How Bizarro Spreads and Steals Banking Credentials?



Bizarro spreads via Microsoft Installer (MSI) packages; the sources identified so far are spam emails, and the attackers also use social engineering to lure victims into downloading malicious apps. The most infections have been detected in the South American countries of Brazil, Argentina, and Chile, with European countries such as Germany, Spain, Portugal, France, and Italy also making up the numbers.



The Trojan starts by killing all browser processes in order to terminate existing sessions with online banking sites; once the user restarts the browser, the malware forces them to re-enter their banking credentials, which it then captures. Bizarro also takes other steps to get more banking details, such as disabling autocomplete in the browser.

Once Bizarro initializes its screen capturing module, it loads the magnification.dll library to get the address of the deprecated MagSetImageScalingCallback API function. With its help, it can capture the screen, and it also constantly monitors the system clipboard, looking not only for banking details but also for Bitcoin wallet addresses, which it replaces with a wallet belonging to the malware authors.

Bizarro, like other banking Trojans such as Ghimob, focuses on stealing credentials from bank customers; once a victim's system is infected, its operators use money mules to operationalize the attacks, cash out, or simply help with transfers.

How to Detect and Mitigate against Bizarro Banking Trojan?



Threat actors continue to adopt evasive techniques to complicate malware analysis and detection, and social engineering tricks that lure victims into giving up their online banking data are getting more pervasive.

Therefore, the most important advice is for users not to click on links that come from any unknown source. Also, always double-check the destination bitcoin address before sending out funds: although this isn't the only malware that uses the clipboard to replace bitcoin addresses, there are certainly no do-overs with bitcoin.

New Banking Trojan, Bizarro sweeping across Europe

Google touted a new feature coming to the password manager in Chrome for Android that enables users to change a compromised password automatically with just a tap.

Chrome leverages Duplex on the Web to power this feature, a technology first introduced in 2019 to enable Google Assistant to complete tasks on the web, such as booking hotels and buying movie tickets. Duplex on the Web, which has now been expanded, will allow Chrome users to quickly fix password issues and create a strong password when it determines that their credentials have been leaked online.

Google had earlier made available a plugin dubbed Password Checkup, which alerts users if their login credentials have been compromised and their information is found in the recent "Collections" leak.

How Chrome fixes Password issues instead of just prompting users to update their information?



Chrome comes with a strong password manager built in, which checks the safety of users' passwords. It examines the username and password combinations saved in Chrome and reports whether any pairing has been exposed in a publicly known third-party data breach.



Now, Chrome doesn't only detect a breach; it can also fix compromised passwords quickly and safely. Whenever Chrome finds that a password may have been compromised, you will see a "Change password" button from Assistant. If you tap the button, Chrome will navigate to the site and guide you through the entire process of changing your password.

The feature is part of a number of new security measures announced at the Google I/O developer event, including a Privacy Dashboard in Android 12 that brings a pie chart view of permission settings like microphone, location, and camera, along with "what data is being accessed, how often and by which apps."

How Chrome for Android users can get the new feature?



The feature is currently rolling out to Chrome for Android users in the U.S. who have opted to sync their passwords; although only a small number of websites and apps are supported for now, it is expected to become generally available in more countries in the coming months.

It is recommended that you update your Chrome browser to the latest version to enjoy the new features.

Chrome leverages on Duplex on the Web technology to fix Password issues

In December 2020, Trend Micro researchers uncovered a malware campaign that distributed a credential stealer written in AutoHotkey (AHK), with activity traced back to early 2020.

Now, Morphisec Labs researchers have discovered a unique and ongoing RAT delivery campaign, started in February 2021, that relies heavily on the AutoHotkey scripting language. According to the researchers, at least four different versions of the campaign have been spotted since February 2021.

Irrespective of the attack chain scenario, it begins with an AHK executable that drops and executes different VBScripts, which eventually load the RAT on the compromised machine.

How AutoHotkey-based RAT Loaders are Increasingly employed in Malware Campaigns?



Threat actors have generally used scripting languages that have no built-in compiler on the victim's operating system and cannot be executed without that compiler, such as AutoIT, Python, and the AutoHotkey (AHK) scripting language.



The first attack, detected on March 31, shows that the adversary behind the campaign encapsulated the dropped RAT in an AHK executable, disabling Microsoft Defender using a Batch script and a shortcut (.LNK) file pointing to the script. In the second attack scenario, the malware blocks connections to popular antivirus solutions by altering the victim's hosts file, which denies DNS resolution for those domains by resolving them to the localhost IP address in place of the real one.

Similarly, another AHK loader chain observed on April 26 delivered LimeRAT through an obfuscated VBScript, which is decoded into a PowerShell command that retrieves a C# payload containing the final-stage executable from a sharing platform called "stikked.ch." And the last attack chain, discovered on April 21, employed an AHK script to execute a legitimate app and drop a VBScript that runs an in-memory PowerShell script to install AsyncRAT and fetch the HCrypt malware loader.
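As a defensive counterpart to the hosts-file trick in the second scenario, here is an added example (not code from the Morphisec research) that scans hosts-file text for entries mapping a security vendor's domain to a loopback or null address; the watched domain list and the sample hosts file are constructed placeholders.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Placeholder vendor domains (constructed); a real deployment would carry
 * the update/telemetry domains of the security products actually in use. */
static const char *const WATCHED_SUFFIXES[] = {
    "example-av.com",
    "example-edr.net",
    "example-security.org",
};
/* Addresses an attacker uses to sinkhole a name via the hosts file. */
static const char *const SINKHOLE_IPS[] = { "127.0.0.1", "0.0.0.0", "::1" };

/* Constructed sample hosts file: three tampered entries, one decoy name
 * ("notexample-av.com") that merely ends with a watched string. */
const char SAMPLE_HOSTS[] =
    "# constructed sample hosts file\n"
    "127.0.0.1   localhost\n"
    "::1         localhost ip6-localhost\n"
    "192.0.2.10  intranet.example.local\n"
    "0.0.0.0     example-av.com www.example-av.com   # tampered\n"
    "127.0.0.1\tupdates.example-edr.net\n"
    "127.0.0.1   notexample-av.com\n";

/* True when host equals suffix or is a subdomain of it (label-aligned). */
static bool ends_with_domain(const char *host, const char *suffix) {
    size_t hl = strlen(host), sl = strlen(suffix);
    if (hl < sl || strcmp(host + hl - sl, suffix) != 0) return false;
    return hl == sl || host[hl - sl - 1] == '.';
}

static bool is_sinkhole_ip(const char *ip) {
    for (size_t i = 0; i < sizeof SINKHOLE_IPS / sizeof SINKHOLE_IPS[0]; i++)
        if (strcmp(ip, SINKHOLE_IPS[i]) == 0) return true;
    return false;
}

/* Returns the number of hosts-file entries that sinkhole a watched domain.
 * Handles comments, blank lines, tabs, CRLF, mixed case, and several
 * hostnames after one address; each hit is printed for the analyst. */
int count_sinkholed_security_domains(const char *hosts_text) {
    int hits = 0;
    char line[512];
    const char *p = hosts_text;
    while (*p) {
        size_t full = strcspn(p, "\n");
        size_t n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += full;
        if (*p == '\n') p++;

        char *hash = strchr(line, '#');          /* strip trailing comment */
        if (hash) *hash = '\0';
        for (char *c = line; *c; c++) *c = (char)tolower((unsigned char)*c);

        char *ip = strtok(line, " \t\r");
        if (ip == NULL || !is_sinkhole_ip(ip)) continue;
        for (char *host = strtok(NULL, " \t\r"); host; host = strtok(NULL, " \t\r")) {
            for (size_t i = 0; i < sizeof WATCHED_SUFFIXES / sizeof WATCHED_SUFFIXES[0]; i++) {
                if (ends_with_domain(host, WATCHED_SUFFIXES[i])) {
                    printf("suspicious hosts entry: %s -> %s\n", host, ip);
                    hits++;
                    break;
                }
            }
        }
    }
    return hits;
}

int main(void) {
    int hits = count_sinkholed_security_domains(SAMPLE_HOSTS);
    printf("%d sinkholed security domain(s) found\n", hits);
    return hits > 0 ? 1 : 0;   /* non-zero exit flags the tampering */
}
```

On a live system the same function can be fed the contents of C:\Windows\System32\drivers\etc\hosts (or /etc/hosts), and a non-zero result is worth an alert since legitimate software rarely maps vendor domains to loopback.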

How to Safeguard against AutoHotkey-Based Malware Attacks



Threat actors develop techniques to bypass and evade modern security conventions, but their tactical goals have remained the same. Even as techniques change to bypass passive security controls, the common denominator among these evasive techniques is the abuse of process memory, which is a static and predictable target for the adversary.

Therefore, we still need baseline security controls to keep automated attacks at bay, while innovative attackers like those behind the current scenarios require a modern approach to security.

AutoHotkey-Based Malware Attacks are on the rise

Bodhi Linux is a lightweight Linux distribution based on Ubuntu that uses the Moksha window manager and a minimal base system to which users can add software.

While Bodhi Linux is tailored for older systems, it offers a unique experience with the Moksha desktop environment. Now, after a hiatus of over a year, there is a major Bodhi Linux release, with Bodhi Linux 6.0 bringing numerous improvements and a refreshed look to the distribution.

Bodhi Linux 6.0 comes on the heels of v5.1, which was based on Ubuntu 18.04 LTS; the latest version is based on Ubuntu 20.04 LTS, which automatically brings all the perks that come with Ubuntu 20.04 LTS.

What's New in Bodhi Linux 6.0 Release?



Besides the on-boarding of Ubuntu 20.04 LTS, Bodhi Linux 6.0 brings several core enhancements, such as the continued development of the Enlightenment 17-based desktop, which brings a new choice of colors and subtle visual improvements.



The Moksha window manager allows you to add applications like the LibreOffice suite, VLC media player, the Geany editor, and others; you can download the AppPack ISO when you need them.

The Arc-Green theme has been revamped with an animated background, an updated splash screen, and numerous other tweaks. The BL6 login screen now has an elegant Slick greeter, along with a new Plymouth theme. The Moksha desktop environment is not left out either, as it has undergone numerous improvements with a few newly added features.

Bodhi Linux offers essential applications like Chromium web browser, Synaptic package manager and many more.

How to Download or Upgrade to Bodhi Linux 6.0?



Bodhi Linux 6.0 is available for download, and you can get the ISO from the official download page. There is also a legacy release, based on Debian, that supports aged 32-bit systems.

As expected, the ISO file size is kept as small as possible for easy download, without unnecessary pre-installed tools.

Bodhi Linux 6.0 Release: Lightweight Linux Distro with Moksha window manager

Python already has ways to run fast, from alternate runtimes to wrapping modules written in C/C++; however, none of these involves speeding up CPython, the so-called reference implementation of Python, which is perhaps the most widely used version of the language.

Now, an alternate version of the Python runtime, Pyston, has released version 2.2 with a very significant new feature: its full source code is made available as an open source project under the original Python license. Pyston 2.2 offers roughly a 30 per cent speed improvement over standard CPython, employing just-in-time compilation and other techniques to speed up execution.

Pyston is, however, significantly different from the other major alternate Python runtime, PyPy, which also uses just-in-time compilation to achieve significant performance improvements.

What the Open sourcing of the Pyston Project means for developers?



The aim of the Pyston project is first to produce a drop-in replacement for the standard Python runtime, which can speed up existing Python deployments without additional effort.



This will make innovation possible in Pyston that can be upstreamed back into Python itself, if the core Python team chooses to do so. The new version of Pyston uses a different approach to achieve this: the base CPython code is altered to improve performance without breaking backward compatibility.

The major alternate Python runtime, PyPy, remains a large and complex project that has long struggled with full Python compatibility, especially with Python extensions written in C. Pyston avoids this complexity by starting from changes to the CPython codebase, so as to retain compatibility with it.

How to get Started with the Pyston Project?



The open-sourced Pyston v2.2 is available on GitHub, so you can head over there if you are a developer and want to help get Pyston packaged for additional platforms.

Otherwise, if you want to use Pyston in your projects, it is promised to be as easy as replacing "python" with "pyston"; but even if that's not the case, you can still give Pyston a try and see whether it really speeds up your Python code.

Faster Python promised with the open sourcing of Pyston project

TeaBot is a relatively new Android banking Trojan that was discovered in January 2021 by the Threat Intelligence and Incident Response (TIR) team at Cleafy, a cybersecurity company.

The main goal of TeaBot is to steal the victim's banking credentials and SMS messages, which enables the threat actors to carry out fraud against a predefined list of over 60 targeted banks, mainly European. Once successfully installed on the victim's device, TeaBot allows the attackers to obtain a live stream of the device screen (on demand) and interact with the device through Android Accessibility Services.

The malware is still in its early stage of development, with attacks fully commencing in late March 2021, followed by a series of infiltrations in the first week of May against banks in Belgium and the Netherlands.

How TeaBot Android banking Trojan steals users' credentials?



TeaBot seems to have all the capabilities of a modern Android banking Trojan, such as the ability to abuse the Accessibility Services to perform overlay attacks against multiple banking apps to steal users' login credentials and credit card information.



It also has the ability to send, intercept and hide SMS messages, enabling keylogging and the theft of Google Authenticator codes, with full remote control over any infected Android device through Accessibility Services and real-time screen-sharing capabilities.

Additionally, TeaBot can disable Google Play Protect and access Google Authenticator 2FA codes, with the collected information exfiltrated every 10 seconds to a remote server controlled by the attacker.

The TeaBot technical analysis reveals that the initial app name used by the malware was "TeaTV", but as of last month the app name was changed to one of the following: "VLC MediaPlayer", "Mobdro", "DHL", "UPS" and "bpost", which are the same decoys also used by the infamous banker Flubot/Cabassous.

How to Mitigate against TeaBot Banking Trojan



Given that TeaBot employs the same evasive technique as Flubot, posing as innocuous apps to stay under the radar, it is recommended that Android users always scrutinize the permissions granted to apps installed on their device.

If there are any unusual notifications or screen activity on your Android device, or you suspect a malware-infected app, uninstall the app from your device right away, and always make sure the operating system and apps are up to date.

TeaBot Android Trojan targeting users of financial apps in Europe

There is an ongoing cyberespionage campaign dubbed 'TunnelSnake' that targets diplomatic entities in Southeast Asia and Africa, which has claimed more than 9 high-profile victims to date, mostly located in South Asia.

According to Kaspersky researchers, the advanced persistent threat (APT) campaign has been active since 2019, with the attackers deploying a previously unknown rootkit dubbed Moriya, a malware with nearly absolute power over the operating system that enables the threat actors to intercept network traffic and conceal malicious commands.

The threat actors have the capability to evolve and tailor their toolset to target different environments, infiltrating high-profile organizations in South Asia and Africa with an evasive Windows rootkit.

How the Moriya Rootkit Infiltrates Networks of High-Profile Organizations?



Moriya first emerged in November 2020, when Kaspersky researchers discovered the stealthy implant in the networks of inter-governmental organizations operating in South Asia and Africa.



While the malicious activity associated with the operation dates back to 2019, the rootkit remained in the victims' networks for several months after the initial infection. The rootkit is particularly evasive thanks to two traits: it is able to intercept and inspect network packets in transit, and it does so from the Windows kernel's address space.

The Windows kernel's address space is a memory region where the operating system's kernel resides; typically, only privileged and trusted code is able to run within it. Operating there allows the malware to pick off the unique malicious packets delivered to it before they are processed by the system's network stack, which enabled the attackers to avoid detection by security solutions.

The rootkit was mostly deployed via a compromised web server within the targets' organizations; in one instance, the attackers infected a server with the China Chopper webshell, malicious code that allows remote control of the infected server.

How Organizations can be protected from such advanced persistent threats?



The TunnelSnake campaign once again demonstrates the level of sophistication of threat actors who are now investing significant resources in designing evasive toolsets to infiltrate the networks of high-profile organizations without being detected.

Therefore, it is recommended that organizations perform regular security audits of their IT infrastructure to reveal possible vulnerabilities in their systems. They should also ensure that anti-APT and EDR solutions are installed on their systems, as these enable threat discovery and detection for timely remediation before actual attacks.

Additionally, the SOC team within the organization should be provided with access to the latest threat intelligence and regularly up-skilled with relevant professional training.

TunnelSnake Cyberespionage targets diplomatic entities in Southeast Asia

Buer is a malware loader offered as malware-as-a-service on underground forums and often employed as a first-stage downloader to deliver additional payloads; the initial compromise of target systems allows the attacker to establish remote access to further their malicious activity.

According to Proofpoint researchers, a new variant of the Buer malware loader has been distributed via emails masquerading as shipping notices since early April. Buer was first observed in 2019, and several malware operators, including those behind the Ryuk ransomware, have been found using the Buer dropper as an initial access vector against unnamed victims.

The ongoing phishing campaign by the Rust-based Buer, dubbed "RustyBuer", is propagated via emails masquerading as shipping notices from DHL Support, and it is believed to have affected more than 200 organizations across over 50 verticals since early April.

How the Rust-based variant of Buer Malware Loader is more evasive?



The researchers observed a series of malicious campaigns that delivered the Buer malware loader, generally using DHL-themed phishing emails to distribute malicious Word or Excel documents. The campaigns distributed two variants of Buer: one written in C and the other rewritten in the Rust programming language.



The new variant written in Rust is dubbed RustyBuer. Rust is an efficient and easy-to-use programming language that is becoming increasingly popular, and rewriting the loader in it enables the threat actor to better evade existing Buer detection capabilities.

The RustyBuer campaigns were observed delivering Cobalt Strike Beacon as a second-stage payload in some cases, and the threat actors may also have used the Buer loader to establish a foothold and then sell that access to other threat actors, a model known as "access-as-a-service."

Why are Cybercriminals increasingly paying attention to the Rust programming language?



Rust is a programming language similar to C++, but it provides better memory safety alongside high performance.

RustyBuer is perhaps the latest in a series of efforts by cybercriminals to add an extra layer of opacity by employing the versatile language, in the hope that it will enable the attackers to evade most security defenses. The malware rewritten in Rust could also enable the threat actor to evade existing Buer detection techniques tied to the features of the old malware written in C.

Nonetheless, the malware authors programmed RustyBuer so that it maintains compatibility with all the existing Buer backend C2 servers.

Rust-based variant of Buer Malware Loader gets more evasive

Microsoft has released a preview of Azure Web PubSub, a service on its Azure cloud for building real-time web applications using WebSocket, which enables developers to focus on application logic for real-time connected experiences.

WebSocket is a standardized protocol that offers full-duplex communication and is key to building efficient real-time web interactions; it is supported by all major browsers as well as web servers. Azure Web PubSub enables developers to use WebSockets and the publish-subscribe pattern to build real-time web applications, including live location on maps, monitoring dashboards, cross-platform live chat, and many more.

Azure Web PubSub also comes integrated with Azure Functions, which is well suited to building serverless applications in Python, C#, JavaScript, and Java; developers can use Azure Functions to process location data and use Azure Web PubSub to broadcast the location data to dashboard clients or visualize real-time location information.

How Azure Web PubSub will enable developers to use WebSockets and a publish-subscribe pattern?



Implementing a WebSocket-based real-time experience demands that a developer first set up infrastructure to handle client connections, and ensure that the setup can meet business SLA requirements by establishing mechanisms to scale it on demand. These infrastructure management tasks leave a developer little time to focus on the end-user experience, and it is this infrastructure challenge that the Azure Web PubSub service aims to solve.



Azure Web PubSub service offers built-in support for large-scale client connections with highly available architectures so that developers can focus on the application logic that delivers real-time connected experiences.

Additionally, the service supports a wide variety of programming languages, such as C#, Python, and Java, through WebSocket APIs, which gives developers the flexibility to build real-time cross-platform applications and to easily migrate their existing WebSocket-based applications. Besides native WebSocket support, it also offers the json.webpubsub.azure.v1 subprotocol, which enables clients to publish and subscribe directly without routing data through backend server code.

How to Get Started with Azure Web PubSub?



The Azure Web PubSub service is currently available as a developer preview; to get started, developers should go to docs.microsoft.com, and to learn more about the service, visit the Azure Web PubSub service page or check out the preview documentation.

You will need a free Azure account, and then you can follow the Quickstart using the free or standard tier of Azure Web PubSub. The free tier is designed for dev/test so that you can easily get started with one unit and create applications with up to 20 connections per unit and 20,000 messages per unit per day. Also, check out the code samples that showcase real-time apps you can build with the service.

Azure Web PubSub: Build real-time Web applications using WebSocket

The Azure Defender for IoT security research group, known as Microsoft's Section 52, recently uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices that could be exploited to bypass security controls and execute malicious code.

The flaws are collectively called "BadAlloc", as they stem from the use of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more. The vulnerabilities cover more than 25 CVEs and affect a wide range of critical domains, from consumer and medical IoT to industrial IoT, operational technology, and industrial control systems.

BadAlloc is rooted in memory allocation functions spanning widely used C standard library (libc) implementations, real-time operating systems (RTOS), and embedded software development kits (SDKs).

How BadAlloc Flaws affect IoT and OT Devices?



Microsoft's research shows that memory allocation implementations written as part of IoT devices and embedded software haven't incorporated proper input validation. Without such validation, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in the execution of malicious code on target devices.



The vulnerabilities can be invoked by calling a memory allocation function, such as malloc(VALUE), with the VALUE parameter derived dynamically from external input and large enough to trigger an integer overflow or wraparound.

Successful exploitation of these vulnerabilities could result in unexpected outcomes such as remote code execution or injection, or even a system crash, as stated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in a security advisory released on April 29, 2021.
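To make the wraparound concrete, here is an added example (not code from Microsoft's advisory or from any affected libc, RTOS or SDK) that models a hypothetical embedded allocator with a 32-bit size type, showing the unchecked size computation beside its hardened form and the packet-derived length field that feeds it; the header size, alignment and packet layout are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A 32-bit size type stands in for size_t on a typical IoT target, so the
 * wraparound reproduces on a 64-bit host. Header and alignment values are
 * constructed; real allocators differ but follow the same arithmetic. */
typedef uint32_t iot_size_t;
#define IOT_SIZE_MAX UINT32_MAX
#define HEADER_SIZE 8u   /* per-chunk bookkeeping the allocator prepends */
#define ALIGN 8u         /* chunk sizes are rounded up to this boundary */

/* Vulnerable pattern: request + header is computed without checking that
 * the addition fits. A request of 0xFFFFFFF9 wraps to 1 and rounds up to
 * an 8-byte chunk, while the caller believes it owns almost 4 GiB; its
 * later writes run off the end of the heap chunk. */
iot_size_t vulnerable_chunk_size(iot_size_t request) {
    iot_size_t total = request + HEADER_SIZE;          /* may wrap */
    return (total + (ALIGN - 1)) & ~(ALIGN - 1);        /* round up */
}

/* Hardened form: refuse any request for which the header and alignment
 * padding cannot be added without wrapping. The bound is computed once,
 * in the same type, so the comparison itself cannot overflow. */
bool checked_chunk_size(iot_size_t request, iot_size_t *out) {
    if (request > IOT_SIZE_MAX - HEADER_SIZE - (ALIGN - 1)) {
        return false;                                   /* would wrap */
    }
    iot_size_t total = request + HEADER_SIZE;
    *out = (total + (ALIGN - 1)) & ~(ALIGN - 1);
    return true;
}

/* The external-input path described above: a 4-byte big-endian length
 * field (constructed packet layout, not a real protocol) is taken straight
 * from a network packet and handed to the allocator. Returns true only if
 * the request survives the check; *chunk receives the validated size. */
bool handle_length_field(const uint8_t *pkt, size_t len, iot_size_t *chunk) {
    if (len < 4) return false;                          /* truncated header */
    iot_size_t request = ((iot_size_t)pkt[0] << 24) | ((iot_size_t)pkt[1] << 16)
                       | ((iot_size_t)pkt[2] << 8)  |  (iot_size_t)pkt[3];
    return checked_chunk_size(request, chunk);
}

int main(void) {
    /* Constructed hostile packet carrying the length 0xFFFFFFF9. */
    const uint8_t evil[4] = {0xFF, 0xFF, 0xFF, 0xF9};
    iot_size_t chunk = 0;
    printf("unchecked allocator would carve a %u-byte chunk\n",
           (unsigned)vulnerable_chunk_size(0xFFFFFFF9u));
    printf("checked allocator accepts the packet: %s\n",
           handle_length_field(evil, sizeof evil, &chunk) ? "yes" : "no");
    return 0;
}
```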

How Organizations can secure their Systems from exploitation?



Though there is no evidence of these vulnerabilities being exploited in the wild, the availability of the patches could allow bad actors to use a technique known as "patch diffing" to reverse engineer the fixes and potentially weaponize them against any vulnerable versions of the software.

Therefore, CISA recommends that organizations apply vendor updates as soon as possible, set up firewall barriers, and isolate critical system networks from the business network, to curtail the exposure of control systems and ensure they remain inaccessible from the internet.

Microsoft warns on BadAlloc Flaws affecting a wide-range of IoT Devices

Red Hat's Enterprise Linux (RHEL) platform is targeted solely at the enterprise market and restricts free redistribution of officially supported versions, though the source code is still freely provided.

Now the upcoming upgrade to Red Hat Enterprise Linux, RHEL 8.4, which will be generally available in the coming weeks, brings edge computing capabilities with the addition of container deployment geared at supporting edge usage. RHEL 8.3 had already brought a number of changes, including system roles for logging, system metrics, disk encryption, and the bootloader, to help users manage large installations through consistent and repeatable configurations at scale.

RHEL 8.4 builds on these capabilities, coupled with standardization and control across Linux container images, starting with updates to Red Hat’s Podman container engine, for managing containers from a single point across the hybrid cloud.

What features to expect in the Upcoming RHEL 8.4 update?



The upgrade to RHEL 8.4 will include the Red Hat Universal Base Image (UBI), now available as a lightweight micro image for building redistributable cloud-native applications on a RHEL foundation without a full kernel deployment.



RHEL 8.4 also aims for greater flexibility for cloud applications, with a more "holistic" view of subscription deployment via Red Hat Insights Subscriptions and improved support for Red Hat Cloud Access. As RHEL serves as the baseline of the Red Hat Edge initiative, it is intended to extend the capabilities of the Red Hat hybrid cloud to edge computing, supporting applications from enterprise devices to automobiles.

Additionally, RHEL 8.4 brings extended security features, including a RHEL system role for crypto policies and network-bound disk encryption offered as a container, as well as automated system configuration and management via RHEL Web Console updates and the Tracer utility.

How to Upgrade to Red Hat Enterprise Linux (RHEL) 8.4?



RHEL 8.4 is scheduled for release in the coming weeks, after which you can download it directly from Red Hat's Customer Portal. If you're a new user who wants to try out RHEL 8.4, you can download it from developer.redhat.com as part of the no-cost Red Hat Enterprise Linux Developer Subscription.

And if you want to try out the latest RHEL 8.4 beta, which is accessible to subscription holders via the Red Hat Customer Portal, you can obtain a subscription by joining the Red Hat Developer Program.

Upcoming RHEL 8.4 update to bring Edge Computing capabilities

Gatekeeper is a security feature on Apple's Mac that is supposed to allow only trusted apps to run on the system, by ensuring that the application has been signed and cleared via an automated process known as "app notarization", which scans the app for malicious content.

By default, the security feature accepts all software directly from Apple's own Mac App Store, as well as apps "signed" by developers approved by Apple, which it assumes to be safe. But there is a flaw in Gatekeeper, tracked as CVE-2021-30657, which was reported by Cedric Owens, a security engineer, on March 25, 2021.

Apple promptly released an update to macOS to address the vulnerability, which could be exploited to circumvent all security protections, allowing unapproved applications to run on Macs.

How Hackers could have Exploited the Gatekeeper Flaw to Attack macOS Computers?



The Gatekeeper flaw uncovered by Owens could allow an adversary to craft rogue applications that deceive the Gatekeeper service and get executed without triggering security warnings, by packaging a malicious shell script as a "double-clickable app" which could be double-clicked and run like an app.



The malware runs as an app in the sense that you can double-click it and macOS treats it as an app when you right-click; but it is also a shell script, and shell scripts aren't checked by Gatekeeper even when the quarantine attribute is present.

Given that an unsigned, unnotarized, script-based proof-of-concept application could trivially and reliably sidestep all of macOS's security mechanisms (including Gatekeeper and notarization requirements), even on a fully patched M1 macOS system, such a capability could let malware authors succeed with their proven methods of infecting macOS users.

In a previous Gatekeeper flaw, hackers exploited the feature to sneak malicious code in as "signed" software, either by inserting malware into the code libraries, or dylibs, that most large applications share, or by bundling malware into compressed installer packages (.dmg files) for signed software.

Apple's attempt to patch that vulnerability by adding verification of dylibs, which blocked the first exploit, was too narrow to contain the flaw. It remains clear that Gatekeeper still doesn't block every piece of unsigned software; only the most obvious ones get blocked.

Mac users are therefore recommended to update their systems to the latest version of macOS to mitigate the risk associated with the Gatekeeper flaws.

Gatekeeper Flaw actively exploited in attacks on macOS Computers

The popular instant messaging platform, Telegram, has enjoyed a surge in usage as a result of the controversial privacy policy changes made by its rival, WhatsApp.

As Telegram has surpassed 500 million monthly active users, cybercriminals are finding it a lot more appealing: malware authors are increasingly using it as a ready-made command and control (C&C) system for their malicious activities, distributing malware within organizations that is then used to capture sensitive information from targeted systems.

According to Check Point Research (CPR), there have been over 130 attacks using a new multi-functional remote access trojan (RAT) known as 'ToxicEye', which spreads via phishing emails and is managed by attackers over Telegram, which they use to communicate with the C&C server and exfiltrate data.

How Cybercriminals use Telegram Messenger to control ToxicEye Malware?



ToxicEye spreads via phishing emails containing a malicious .exe file which, when opened by the user, installs itself on the victim's machine with the ability to perform a range of actions without the victim's knowledge, such as stealing data and deleting or transferring files, among other malicious activities.



First, the attacker creates a Telegram account and a bot. A Telegram bot account serves as a special remote account with which users can interact by chat, by simply adding it to a Telegram group, or by sending direct requests from the input field by typing the bot's Telegram username followed by a query.

Then, the Telegram bot is embedded in the ToxicEye RAT configuration file, which is compiled into an executable file. If a victim is infected with the malicious payload, it can be controlled via the Telegram bot, which connects the victim’s device to the attacker’s C&C via Telegram.

How to Identify Infected system and tips to keep your System protected



Every remote access Trojan (RAT) using this method has its own key capabilities, and the ones that characterize most of the recent attacks are ransomware and data-stealing features: the RAT can locate and steal passwords, computer information, browser history and cookies.

Therefore, to check whether your system is infected, search for a file called C:\Users\ToxicEye\rat.exe. If this file exists on your PC, you have been infected: immediately contact your organization's help desk and make sure the file is erased from your system.

Additionally, monitor the traffic generated from PCs in your organization to a Telegram C&C. If such traffic exists and Telegram isn't installed as an enterprise solution, it is a possible indicator of compromise.
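The two checks above (the dropper path and unsanctioned Telegram bot traffic) as a small detection script, added here as an example and not code from Check Point or the article. It assumes a constructed proxy log format, a placeholder bot token, and an allowlist of hosts where Telegram is approved; the Bot API hostname api.telegram.org is a public fact not named in the article.

```python
import re
from pathlib import Path

# Constructed proxy log lines for this example (not real traffic):
# timestamp, client host, destination host, method, path. "<token>" is a placeholder.
SAMPLE_PROXY_LOG = """\
2021-04-22T10:01:12Z ws-0142 api.telegram.org POST /bot<token>/getUpdates
2021-04-22T10:01:13Z ws-0142 api.telegram.org POST /bot<token>/sendDocument
2021-04-22T10:02:40Z ws-0077 updates.example-vendor.test GET /manifest.json
2021-04-22T10:03:05Z ws-0191 api.telegram.org GET /bot<token>/getMe
2021-04-22T10:04:00Z it-ops-01 api.telegram.org POST /bot<token>/getUpdates
"""

# Hosts where Telegram is an approved enterprise tool (assumed allowlist for the example).
SANCTIONED_HOSTS = {"it-ops-01"}

# Public Telegram Bot API endpoint that bots poll for commands (not named in the article).
TELEGRAM_API_HOST = "api.telegram.org"
BOT_PATH = re.compile(r"^/bot[^/]+/(\w+)")          # /bot<token>/<method>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def find_telegram_bot_traffic(log_text, sanctioned=SANCTIONED_HOSTS):
    """Return {client: [bot API methods]} for clients that are not on the
    allowlist yet talk to the Telegram Bot API. A host polling getUpdates and
    pushing sendDocument without a sanctioned Telegram install is the
    "possible indicator of compromise" the article describes."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                 # skip lines in another format
        _ts, client, dest, _method, path = m.groups()
        if dest != TELEGRAM_API_HOST or client in sanctioned:
            continue
        pm = BOT_PATH.match(path)
        if pm:
            hits.setdefault(client, set()).add(pm.group(1))
    return {client: sorted(methods) for client, methods in hits.items()}


def toxiceye_dropper_present(users_root):
    """Check for the IoC path the article gives (C:\\Users\\ToxicEye\\rat.exe).
    The Users directory is a parameter so the check can also run against a
    mounted image or a lab directory."""
    return (Path(users_root) / "ToxicEye" / "rat.exe").is_file()
```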

Hackers using Telegram to send Malicious commands remotely

Pyodide, Mozilla's Python-in-the-browser project, is an experimental project to create a full Python data science stack that runs entirely in the browser.

Pyodide is an offshoot of another Mozilla project, Iodide, a tool for data science experimentation and communication based on state-of-the-art web technologies. Now Mozilla has spun out Pyodide into an independent, community-driven project.

Going forward, the project will be maintained by a community of volunteers, and Mozilla has published a governance document with a project roadmap outlining its goals, such as reducing download sizes, better performance of Python code, and simpler package loading.

Pyodide aims to Bring the scientific Python stack to the browser



JavaScript, the common browser language, doesn’t have a mature suite of data science libraries and is missing a number of features that are necessary for numerical computing, like operator overloading.



Pyodide is designed to perform data science computation within the browser rather than on a remote kernel: it gives you a full, standard Python interpreter that runs entirely in the browser, with access to the browser’s Web APIs. Pyodide can also install Python packages that ship a pure Python wheel directly from PyPI, the Python Package Index.

Pyodide includes a foreign function interface which exposes Python packages to JavaScript and exposes the browser UI, including the DOM, to Python, making several Python scientific packages, including Matplotlib, SciPy, NumPy, Pandas, and Scikit-learn, available in the browser.

What does Community-driven development for Pyodide mean?



The Community-driven development for Pyodide means that control of the development process, resources and decision making authority will now come directly from groups in the community.

Developers are invited to try out Pyodide in a REPL in their browser; Mozilla has also recently announced the release of Pyodide 0.17, bringing major improvements and a redesign of central APIs, along with the elimination of errors and memory leaks.

Mozilla's Python-in-the-browser project now Community-driven

Malvertising groups are infiltrating the advertising ecosystem as media buyers, with an ongoing campaign tracked as "Tag Barnakle" resulting in the breach of over 120 ad servers in an attempt to serve their malicious ads.

The Tag Barnakle campaign is able to bypass the initial scrutiny by going straight for the jugular, that is, mass compromise of ad serving infrastructure, injecting code in order to serve malicious advertisements that redirect users to rogue websites, exposing victims to malware.

According to security researchers at Confiant, Tag Barnakle is now able to push mobile targeted campaigns, whereas they were happy to take only desktop traffic last year.

How 120 Ad Servers were Compromised to Target Millions of Internet Users?



The threat actors behind Tag Barnakle were able to compromise nearly 60 ad servers in April 2020, primarily targeting an open-source ad server called Revive.



Now, the latest attacks aren't any different, though the actors seem to have upgraded their tooling to target more of the ecosystem, such as mobile devices. As the campaign currently pushes mobile-targeted campaigns, and given that Revive is used by a sizable number of ad companies, Confiant believes the reach of Tag Barnakle should be in the range of "tens if not hundreds of millions" of devices.

Over the last 12 months, Confiant has identified over 120 Revive instances that bear some attribution markers of a Tag Barnakle related compromise, with several still impacted today.

Tag Barnakle's interesting Pivot towards Mobile



Tag Barnakle’s targeting criteria now include WebGL debug parameters that are consistent with mobile devices, with many of these campaigns meant to lure the victim to the app store listing for obscure Security / Safety / VPN apps with hidden subscription costs, or just to siphon off traffic for nefarious ends.

However, it is incredibly difficult to calculate the full reach of Tag Barnakle’s malvertisements, even though the compromise appears to impact several long-tail websites, a list that includes a sizable number of ad companies that have built their technical stack on Revive.

Mass compromise of Ad serving infrastructures for malvertising

There is an ongoing spear-phishing campaign believed to be carried out by the Lazarus Group, a North Korean advanced persistent threat actor targeting its southern counterpart.

According to researchers at Malwarebytes, the APT group conceals its malicious code in a bitmap (.BMP) image file, which it then uses to drop a remote access trojan (RAT) capable of stealing personal data and other sensitive information.

Lazarus Group is perhaps the most sophisticated and notorious of the North Korean threat actors and has been active since 2009; it is known to mainly target South Korea, but its targets include several other countries.

How the APT hackers conceal malicious code within a BMP image to spread their RAT?



The attack starts with the distribution of phishing emails weaponized with a malicious document, which shows a blue theme in Korean requesting that the user enable macros to view the document.



Once the macro is enabled, a message pops up, and on clicking the message the final lure is loaded onto the system, as the document is weaponized with a macro that executes upon opening. It starts by calling the MsgBoxOKCancel function, which pops up a message box claiming that the user is running an older version of Microsoft Office.

After execution, it converts the image from PNG format into BMP format by calling WIA_ConvertImage. Since BMP is an uncompressed graphics file format, converting the PNG file into BMP automatically decompresses the malicious zlib object embedded in the PNG into the BMP.

This clever method enables the threat actor to bypass security mechanisms that detect embedded objects within images: because the zlib object inside the document is compressed, it can't be detected by static detection systems.
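A defender-side check for the trick described above, added here as an example and not code from Malwarebytes or the article: uncompressed BMP pixel data has no reason to contain a complete, valid zlib stream, so scanning the pixel area for one is a cheap detection. The sample BMP is constructed inline with a benign text payload; the header layout (14-byte file header plus a 40-byte BITMAPINFOHEADER) is the standard BMP format.

```python
import struct
import zlib


def build_sample_bmp(payload, width=16, height=8):
    """Construct a minimal 24-bpp BMP whose pixel area carries zlib.compress(payload).
    Constructed sample for this example; an empty payload yields a clean image.
    Returns (bmp_bytes, absolute offset where the blob was placed)."""
    row_bytes = (width * 3 + 3) & ~3               # BMP rows are padded to 4 bytes
    pixels = bytearray(row_bytes * height)         # all-black image
    blob = zlib.compress(payload) if payload else b""
    at = row_bytes                                 # blob starts on the second row
    assert len(blob) <= len(pixels) - at, "payload too large for the sample image"
    pixels[at:at + len(blob)] = blob
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    pixel_offset = 14 + len(dib)
    header = struct.pack("<2sIHHI", b"BM", pixel_offset + len(pixels), 0, 0, pixel_offset)
    return bytes(header + dib + pixels), pixel_offset + at


def scan_bmp_for_zlib(data):
    """Scan a BMP's pixel area for embedded zlib streams.
    Returns a list of (absolute_offset, compressed_length, inflated_bytes)."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]   # offset of pixel data
    body = data[pixel_offset:]
    findings = []
    i = 0
    while i < len(body) - 1:
        b0, b1 = body[i], body[i + 1]
        # zlib header: CM == 8 (deflate) and the 16-bit CMF/FLG word divisible by 31
        if (b0 & 0x0F) == 8 and ((b0 << 8) | b1) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(body[i:])
            except zlib.error:
                out = b""                           # false-positive header, keep going
            if d.eof and out:                       # complete stream with real content
                length = len(body) - i - len(d.unused_data)
                findings.append((pixel_offset + i, length, out))
                i += length
                continue
        i += 1
    return findings
```

Real samples would be scanned the same way after reading the file bytes; a finding is only a lead, since a valid stream can in principle occur by chance in noisy image data.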

APT Hackers using BMP images to conceal RAT malware

Logica is an open source logic programming language developed by Google to “solve problems of SQL” using the syntax of mathematical propositional logic instead of natural language.

Google had earlier introduced the Yedalog language, and Logica replaces it as a logic language to serve data scientists and other specialists; it compiles code to SQL and runs on Google BigQuery, with experimental support for PostgreSQL and SQLite.

Logica is a more concise language and supports reusable abstraction mechanisms that SQL lacks, as well as modules and imports; it can be used from an interactive Python notebook and even makes testing of queries more natural and easy.

How the Logica Programming language solves SQL flaws?



SQL is widely adopted by developers, yet it is not flawless. Statements constructed from long chains of English words can be very verbose, and a single query spanning hundreds of lines is a routine occurrence. But the main flaw of SQL lies in its very limited support for abstraction.



Logic programming languages solve these problems of SQL by using the syntax of mathematical propositional logic instead of natural English. The language of formal logic was designed by mathematicians specifically to make the expression of complex statements easier, and it suits the purpose much better than natural language.

Logica extends classical logic programming syntax further, notably with aggregation; the name stands for Logic + Aggregation. SQL operates with relations, which are sets of rows. In logic programming the analog of a relation is a predicate, which is also a set of rows, but it is better thought of as a logical condition that describes the rows of a relation.

There is much more to Logica; you can start with this tutorial to learn more. Besides using it in your next project, learning a new, powerful language could open your mind to new ideas and perspectives on data processing and computing in general.

What is Logica? Google's Logic programming language for solving SQL flaws

Microsoft’s creation of dotnet/csharpstandard completes the move of C# standardization work to open source, providing a public space for the ongoing work to document the latest C# language versions.

The C# compilers have been open source since 2014 and are available in the dotnet/roslyn repository, while the dotnet/csharplang split-off provides a dedicated public space for the innovation and evolution of the C# language. The dotnet/csharpstandard repo, now available on GitHub, will be the working space for the ECMA C# standards committee, TC-49-TG2, which remains responsible for creating the proposed standard for the C# language.

Thus, C# language innovation and feature design, through to implementation and standardization, will now take place in the “open”, with all contributions public.

Innovation and evolution of the C# Programming language



Microsoft had earlier open sourced the C# compilers, and there are now three such repos dedicated to the C# programming language: dotnet/roslyn for the compilers, dotnet/csharplang for language design, and dotnet/csharpstandard for standardization.

The move means that developers can now see the work in progress, and the work to incorporate features, as it takes place.

It will also be easier to ask questions among the design team, the compiler implementers, and the committee, as the conversations will be public. The changes planned for the coming months include: issues in csharplang and dotnet/docs for the spec text will move to the new dotnet/csharpstandard repo.

The C# spec on docs.microsoft.com will be replaced with the version from the standards committee, and the C# 6 draft spec will be removed from the dotnet/csharplang repo once the proposed C# 6 draft is published on docs.microsoft.com.

Open Source C# gets a home on GitHub for documentation