Windows Subsystem for Linux (WSL) was introduced by Microsoft in 2016 as a supplemental feature that runs a Linux image in a near-native environment on Windows, without the overhead of a virtual machine.

According to Black Lotus Labs, several malicious files written in Python and compiled in the Linux binary format ELF (Executable and Linkable Format) for the Debian operating system have recently been identified targeting WSL. These malicious files act as loaders, running a payload that is retrieved from a remote server and then injected into a running process using Windows API calls.

While this approach is not particularly novel, it marks the first instance where threat actors have been found abusing WSL to install payloads; and using an ELF loader for the WSL environment makes the technique rather evasive to security detection.

How Does the Malware Evade Detection on Windows Subsystem for Linux?



The researchers at Black Lotus Labs identified a series of samples uploaded every two to three weeks, from as early as May 3, through to August 22, 2021, that target the WSL environment.



These samples were compiled with Python 3.9 using PyInstaller for the Debian operating system version 8.3.0-6, with some containing lightweight payloads that could have been generated with open-source tools such as MSFVenom or Meterpreter.

While the Meterpreter framework is well known in the industry, that has not stopped cybercrime and ransomware groups from using it in the past. And it would be rather easy for the operator to swap out the Meterpreter payload for more advanced tools such as Cobalt Strike or a custom agent.

The ELF-to-Windows binary execution path differed between files: in some, PowerShell was used to inject and execute the shellcode; in others, Python ctypes was used to resolve Windows APIs. The malicious files attempted to download shellcode from a remote C2 and used ctypes to call Windows APIs, in addition to employing PowerShell to perform subsequent actions on the host machine.

As the boundaries between operating systems continue to narrow, threat actors will certainly take advantage of the new attack surfaces. Therefore, it is advised that users who enable WSL ensure proper logging in order to detect this type of threat.

Windows Subsystem for Linux targeted in New Malware Attacks

The third point version of Kali Linux 2021 series, Kali Linux 2021.3 has been released, with a number of major improvements along with some new tools.

Kali Linux 2021.3 comes with a bevy of new hacking tools and updated core packages, and also makes the experience of virtualization even more seamless when setting up a virtual environment. The information domain Kali-Tools has also been refreshed with a clean interface, to provide a concise overview of tools and a faster system.

Kali didn't forget about KDE, one of its favorite desktop environments; Kali Linux 2021.3 also brings improvements to the layout of the Xfce and Gnome editions.

What's New in Kali Linux 2021.3 Release?



Aside from the updated core packages, with Kali Linux 2021.3, OpenSSL has now been configured for wider compatibility to allow Kali to talk to as many services as possible.



Legacy protocols such as TLS 1.0 and TLS 1.1, and older ciphers, are now enabled by default, which helps improve Kali's ability to talk to older, obsolete systems and servers that still use these older protocols. Among the Kali Tools added to the Kali Linux 2021.3 release fleet are:

  • Subjack: Subdomain takeover
  • RouterKeygenPC: Generate default WPA/WEP Wi-Fi keys
  • WPA_Sycophant: Evil client portion of EAP relay attack
  • HostHunter: Recon tool for discovering hostnames using OSINT techniques
  • EAPHammer: Targeted evil twin attacks against WPA2-Enterprise Wi-Fi networks
  • CALDERA: Scalable automated adversary emulation platform
  • Berate_ap: Orchestrating MANA rogue Wi-Fi Access Points


Furthermore, Kali has partnered with Ampere to have its ARM package-building machines running on Ampere's hardware, which means that Kali will benefit from the boost in speed.

How to Download or Upgrade to Kali Linux 2021.3



For those who are new to Kali, simply grab the new Kali 2021.3 ISO images which are now available for download with support for several platforms.

If you’re an existing Kali Linux user and want to upgrade from the previous version to Kali Linux 2021.3, you can easily upgrade your system by following the updating Kali guide.

Kali Linux 2021.3 Release: Brings Improvements to Kali Live VM Support

MSHTML (also known as Trident) is a proprietary browser engine for the Windows version of Internet Explorer, developed by Microsoft.

According to the Microsoft Threat Intelligence Center (MSTIC), a number of attacks have attempted to exploit a remote code execution vulnerability in MSHTML, tracked as CVE-2021-40444, using specially crafted Microsoft Office documents.

As part of an initial campaign that distributed custom Cobalt Strike Beacon loaders, these attackers communicated with an infrastructure that Microsoft associates with multiple cyber-criminal campaigns, including human-operated ransomware.

How Was the Windows MSHTML Zero-Day Exploited to Deploy Cobalt Strike Beacon on Targeted Systems?



The attack vector relies on a malicious ActiveX control which could be loaded by MSHTML using a malicious Office document.



Microsoft customers who enabled the attack surface reduction rule that blocks Office from creating child processes are not impacted by the exploitation technique used in the attacks. The attackers leveraged the vulnerability on entry-point devices to run highly privileged code, with their secondary actions relying on stolen credentials that could result in organization-wide impact.

Again, this attack illustrates the importance of implementing attack surface reduction, credential hygiene, and lateral movement mitigations.

How to Mitigate against the MSHTML Zero-Day Exploit



Microsoft has already rolled out a fix for the MSHTML vulnerability as part of its Patch Tuesday updates on September 14.

Therefore, customers are advised to apply the security patch for CVE-2021-40444 to fully mitigate this vulnerability. Also, Microsoft has confirmed that the attack surface reduction rule blocks activity associated with exploitation of the MSHTML Zero-Day.

MSHTML Zero-Day Exploited to deploy Cobalt Strike Beacon in targeted Windows machine

The Azure Container Instances (ACI) service allows users to run containers directly in a serverless cloud environment, requiring no virtual machines or clusters.

Palo Alto Networks' Unit 42 threat intelligence team has disclosed a vulnerability in the ACI service that could have been exploited by an attacker to access other customers' information. The vulnerability, dubbed "Azurescape", involves how a malicious actor can use a cross-tenant technique to escape a rogue ACI container, escalate privileges, and take over impacted containers by executing malicious code.

Microsoft issued a patch shortly after the disclosure, and there is no known information on Azurescape being exploited in the wild.

How Could Azurescape Have Been Exploited by a Malicious Actor to Access Customers' Information?



Azure Container Instances (ACI) offers a Container-as-a-Service (CaaS) that enables customers to run containers on Azure without managing the underlying servers.



The CaaS offering is notoriously hard to access: users are only exposed to their own container environment, and local network access is disabled through firewalls. But the researchers created WhoC, a container image that reads the container runtime executing it. It is based on a rarely discussed design flaw in Linux containers that allows them to read the underlying host's container runtime.

Deploying WhoC to ACI enabled the researchers to retrieve the container runtime used in the platform and, unsurprisingly, they found runC, the industry-standard container runtime.

RunC v1.0.0-rc2, which was released in 2016, was vulnerable to at least two container breakout CVEs. The presence of this old version of runC in ACI allowed the researchers to break out of their container and gain a reverse shell running as root on the underlying host, which turned out to be a Kubernetes node.

Although the node's Kubelet only allowed anonymous access, the researchers tried to access Kubelets on neighboring nodes, but all attempted requests timed out, probably due to a firewall configuration that prevented communication between worker nodes. The researchers deployed a few breakout containers, which landed on different Kubernetes clusters with unique cluster IDs ranging between 1 and 125; these cluster IDs indicated that each location (e.g. West Europe) hosted a few dozen clusters.



ACI was hosted on clusters running Kubernetes v1.8.4, v1.9.10 or v1.10.9, versions released between November 2017 and October 2018 that are vulnerable to multiple publicly known vulnerabilities. The researchers started going over past Kubernetes issues, searching for ones that would allow their compromised node to escalate privileges or gain access to other nodes, and CVE-2018-1002102 was identified as promising.

CVE-2018-1002102 is a security issue in how the api-server communicated with Kubelets: it accepted redirects. By redirecting the api-server's requests to another node's Kubelet, a malicious Kubelet could spread through the cluster.

Again, this discovery highlights the need for cloud users to take a 'defense-in-depth' approach to securing their cloud infrastructure that includes continuous monitoring for threats, inside and outside the cloud platform.

Azurescape Vulnerability: Cross-Account Container takeover in Azure Container Instances

There is an ongoing malware campaign spearheaded by a network of websites that acts as a “dropper as a service” which serves up a variety of unrelated malware together in a single dropper.

According to Sophos, these networks employ search engine optimization to push a “bait” webpage to the first page of search results for queries seeking “crack” versions of popular software products; and a variety of information stealers, including clickfraud bots and other malware were delivered through the sites.

This network of sites targets those seeking "cracked" versions of popular software packages with links that redirect victims to the payload designed for their platform.

How Is Popular Pirated Software Used as a Lure to Serve Up Malware Droppers?



On clicking the bait pages, victims are directed to a download site that hosts a packaged archive containing malware, while others are steered to browser plugins or applications that fall in a potentially unwanted grey area.



The downloads contained a variety of potentially unwanted applications and malware, including Stop ransomware, the Glupteba backdoor, and a variety of malicious cryptocurrency miners in addition to Raccoon Stealer. Several of the malware campaigns that hosted the “cracked” software were powered in part by InstallUSD, an advertising network based in Pakistan which promises a payment of up to $5 US for every software install delivered.

The researchers also found a number of other such services that, instead of offering their own malware delivery networks, act as "go-betweens" to established malvertising networks that pay website publishers for traffic.

Many of these services advertise on the same boards where criminal affiliates can set up accounts quickly, but most require a deposit paid in Bitcoin before they can begin distributing installers.



All of these delivery methods dropped packages with the same basic characteristics: the download was a .zip archive named after the alleged "cracked" product sought by the target, and inside, the archive contained a further .zip archive and a file with "password" in its name.

Because the malicious payloads are in password-protected archives, in formats that cannot be opened natively by Windows Explorer, they cannot be scanned by endpoint security tools during download.

Dropper packages and the malware delivery platforms have been around for a long time, and they continue to thrive because of the same sort of market dynamics as those that make stealers as a service so profitable.

Popular Pirated software used as lure to serve up Malware droppers

GCToolkit is a set of libraries for analyzing Java garbage collection (GC) log files, which parses log files into discrete events and offers an API for aggregating data from those events.

Microsoft's Java Engineering Group announced the open-sourcing of GCToolkit and its availability on GitHub under the MIT license. The tool comprises three Java modules: the API, the garbage collection log file parsers, and a message backplane based on the Vert.x toolkit for building apps on the JVM.

The API serves as the entry point into the toolkit, concealing the details of using the parser to analyze a garbage collection log file behind a few method calls; the parser module is a collection of code developed into a robust garbage collection log parser.

How Will the Open-Sourcing of GCToolkit Impact the Development Ecosystem?



As GCToolkit parses GC log files into discrete events and provides an API for aggregating data from those events, it allows developers to create arbitrary and complex analyses of the state of managed memory in the Java Virtual Machine (JVM).



Memory management in the JVM comprises three main pieces: memory buffers, also known as the Java heap; allocators, which work on getting data into the Java heap; and garbage collection (GC).

GC is responsible for recovering memory in the Java heap that is no longer in use. The term is often used as a euphemism for memory management as a whole, so "tuning GC" or "tuning the collector" is understood to mean tuning the JVM's memory management subsystem.

How to Get Started with Microsoft GCToolkit?



GCToolkit is currently available on GitHub, offered under the MIT license, for anyone interested in contributing.

But if you only want to follow along, you can join the community discussions at github.com/microsoft/gctoolkit/discussions.

Microsoft open-sources GCToolkit Java garbage collection analyzer

FIN7, a Russian advanced persistent threat group that has primarily targeted the U.S. since 2015, is using Windows 11 Alpha-themed documents to drop a JavaScript backdoor against the retail and hospitality sectors in the U.S.

According to Anomali Threat Research, six malicious Windows 11 Alpha-themed Word documents with Visual Basic macros are being used to drop JavaScript payloads, including a JavaScript backdoor. While the attack vector for this activity remains unknown, the evidence strongly suggests an email phishing or spearphishing campaign.

The activity likely took place around late-June to late-July 2021, based on the file names in this campaign observed by the researchers.

How Is the FIN7 APT Group Using Windows 11-Themed Documents to Drop a JavaScript Backdoor?



Anomali Threat Research's analysis of malicious Microsoft Word documents themed after Windows 11 Alpha concluded with moderate confidence that the documents were part of a malware campaign conducted by the threat group FIN7.



The attack chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. On analysis, the file was found to contain a VBA macro padded with junk data in comments. Junk data is a common tactic used by threat actors to impede analysis; once it is removed, a plain VBA macro remains.

The VBScript takes encoded values from a hidden table inside the .doc file, and after the VBA macro is deobfuscated, language checks are carried out. If any of the listed languages is detected, the function me2XKr is called, which deletes the table and stops execution; the script also checks for virtual machines and stops running if one is detected.

Interestingly, the attack stops after detecting Russian, Ukrainian, or several other Eastern European languages. Although there is no solid attribution, the language check function and the table it scores against indicate a likely geographic location for the creator of this malicious .doc file.

The reason is not far-fetched: it is an almost unofficial policy that cybercriminals based in the Commonwealth of Independent States (CIS) are generally left alone if they do not target interests or individuals within the respective borders, so a VBA macro that checks the target system's language against a list including common CIS languages will terminate the infection when it finds a match.

However, the addition of Serbian, a minority German Slavic language, Estonian, Slovenian and Slovak remains unusual, as these are not languages normally considered for exclusion and would ordinarily be considered "fair game."

Windows 11 Alpha-themed Word docs used to drop malicious payloads

LockFile is a new family of ransomware that exploits the ProxyShell vulnerabilities to breach targets with unpatched, on-premises Microsoft Exchange servers.

According to Sophos, the new ransomware family emerged in July 2021 after the discovery of the ProxyShell vulnerabilities in Microsoft Exchange servers, followed by a PetitPotam NTLM relay attack to seize control of the domain. It employs “intermittent encryption” to evade detection by ransomware protection solutions, as an encrypted document appears statistically similar to the unencrypted original.

Interestingly, LockFile doesn't encrypt the first few blocks; instead, it encrypts every other 16 bytes of a document, which means that a file such as a text document remains partially readable and looks statistically similar to the original.

How Does LockFile Bypass Ransomware Protection Using Intermittent Encryption?



LockFile uses memory-mapped input/output (I/O) to encrypt a file, a technique that allows the ransomware to transparently encrypt cached documents in memory and have the operating system write the encrypted documents out, with minimal disk I/O that could be spotted by detection technologies.



It renames encrypted documents to lower case with a .lockfile extension, and its HTA ransom note looks very similar to that of LockBit 2.0. LockFile doesn't need to connect to a command-and-control server to operate, which also helps keep its activities under the detection radar.

The ransomware also terminates critical processes associated with virtualization software and databases through Windows Management Instrumentation (WMI), before proceeding to encrypt critical files and objects and displaying a ransom note that bears stylistic similarities to that of LockBit 2.0.

The ransomware deletes itself from the system after successfully encrypting all the documents on the machine, which makes it difficult for incident responders or antivirus software to find or clean up.

What sets LockFile apart is that it doesn't encrypt the first few blocks. Instead, it encrypts every other 16 bytes of a document, so a text document, for instance, remains partially readable. There is an intriguing advantage to this approach: intermittent encryption skews statistical analysis, which in turn confuses some protection technologies.
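To make the statistical point concrete, here is an added example (not code from Sophos or from the ransomware) that measures whole-file Shannon entropy, the kind of heuristic some ransomware-protection tools use, on a constructed text document after two kinds of scrambling. No cipher is involved: selected 16-byte chunks are simply overwritten with seeded pseudorandom bytes as a stand-in for encryption, so the measurement reflects only the every-other-16-bytes pattern (with the first few blocks left intact) described above. The 7.5 bits/byte threshold, the sample document and the block counts are all assumptions chosen for illustration.

```python
import math
import random

BLOCK = 16  # LockFile is reported to encrypt every other 16-byte chunk

# Constructed sample "document" (not a real file), repeated to a few KB.
SAMPLE_DOC = (b"Quarterly report: revenue grew 12% year over year. "
              b"Headcount is stable; hiring freeze continues in Q3. ") * 40


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scramble(data: bytes, every_other: bool, skip_blocks: int = 0, seed: int = 7) -> bytes:
    """Stand-in for encryption, used only for measurement: selected 16-byte chunks
    are overwritten with seeded pseudorandom bytes (no cipher is involved).

    every_other=False overwrites every chunk (conventional whole-file encryption);
    every_other=True overwrites only alternate chunks, and the first skip_blocks
    chunks are left intact, mirroring the intermittent pattern described above.
    """
    rng = random.Random(seed)
    out = bytearray(data)
    for start in range(0, len(data), BLOCK):
        block_no = start // BLOCK
        if block_no < skip_blocks or (every_other and block_no % 2 == 1):
            continue
        end = min(start + BLOCK, len(data))
        out[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(out)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Naive whole-file entropy heuristic of the kind intermittent encryption skews."""
    return shannon_entropy(data) >= threshold


def unchanged_fraction(original: bytes, modified: bytes) -> float:
    """Share of bytes still equal to the original, i.e. still readable."""
    same = sum(1 for a, b in zip(original, modified) if a == b)
    return same / len(original)


def compare(doc: bytes = SAMPLE_DOC) -> dict:
    """Measure how whole-file vs. intermittent scrambling affects the heuristic."""
    full = scramble(doc, every_other=False)
    partial = scramble(doc, every_other=True, skip_blocks=4)
    return {
        "plain_entropy": shannon_entropy(doc),
        "full_entropy": shannon_entropy(full),
        "partial_entropy": shannon_entropy(partial),
        "full_flagged": looks_encrypted(full),
        "partial_flagged": looks_encrypted(partial),
        "partial_unchanged": unchanged_fraction(doc, partial),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
```

Running it shows the fully scrambled copy sitting near 8 bits/byte and tripping the heuristic, while the intermittently scrambled copy, with roughly half its bytes untouched, stays well below the threshold even though half of the document is gone. The defensive takeaway is that a single whole-file entropy score is not a reliable ransomware signal; behavioural indicators (mass renames to a new extension, memory-mapped writes across many files, process termination via WMI) are what the rest of this write-up points to.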

LockFile Ransomware evades detection using Intermittent Encryption

FMWhatsApp, a popular WhatsApp mod, has been found to include a third-party ad module carrying a Trojan known as Triada.

According to cybersecurity firm Kaspersky, the Triada Trojan was snuck into one of the modified versions of WhatsApp, FMWhatsApp version 16.80.0, along with an advertising software development kit (SDK). FMWhatsApp was supposed to be a custom build of WhatsApp that lets users tweak the app with personalized icons and comes with features not available in the original app, such as deactivating video calling.

The trojanized FMWhatsApp is fully capable of intercepting text messages, displaying full-screen ads, and serving malicious payloads, even signing device owners up for unwanted premium subscriptions without their consent.

How Was the Trojanized FMWhatsApp Spotted Installing the Triada Trojan?



Researchers at Kaspersky discovered that the trojanized FMWhatsApp comes with capabilities such as gathering unique device identifiers, which it sends to a remote server in exchange for a link to a payload that is then downloaded, decrypted, and launched by the Triada Trojan.



The Triada Trojan performs an intermediary function: first it collects data about the device, and then, based on the information gathered, it downloads another Trojan. FMWhatsApp downloads several types of Triada malware, including:

  • Trojan.AndroidOS.MobOk.i, a Trojan that signs up for paid subscriptions
  • Trojan-Downloader.AndroidOS.Helper.a, which downloads and runs the installer module of the xHelper Trojan and runs invisible ads in the background
  • Trojan-Downloader.AndroidOS.Gapac.e, which downloads and runs other malicious modules and can also display full-screen ads at unexpected moments
  • Trojan-Downloader.AndroidOS.Agent.ic, a Trojan that downloads and runs other malicious modules
  • Trojan.AndroidOS.Whatreg.b, the most complex Trojan in the list, signs in to the WhatsApp account on the victim’s phone, intercepting the login confirmation text


All of this malware will ultimately turn the device into a hub for various types of illegal activity, such as malvertising, spam distribution and illicit trading services.

How to mitigate against Triada attacks?



Most importantly, Android users should avoid installing apps from unofficial sources and should always use their device's privacy and security settings to deny sensitive permissions to installed apps.

They should also desist from using mods and instead use only the official versions of apps, downloaded from the official app stores, which goes a long way toward ensuring the apps are malware-free.

FMWhatsApp mod for WhatsApp installs Trojans on Android phones

ProxyShell is one of a trio of exploit chains that also includes ProxyLogon and ProxyOracle, the latter of which concerns remote code execution flaws that could expose a user's password in plaintext.

The ProxyShell vulnerabilities, which were patched earlier this May in Microsoft Exchange Server, are under active exploitation, with LockFile ransomware being deployed on the compromised systems.

According to Huntress Labs, the vulnerabilities could enable attackers to bypass ACL controls and gain elevated privileges on the Exchange PowerShell backend, effectively permitting remote code execution.

How the ProxyShell Flaws are exploited in Microsoft Exchange Server?



Hackers exploit the Microsoft Exchange vulnerabilities dubbed ProxyShell to install a backdoor for unauthenticated access and later exploitation.



The attack involves three chained Exchange vulnerabilities, namely CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473. The researchers at Huntress Labs report that attackers are actively exploiting these vulnerabilities against vulnerable Microsoft Exchange Servers, with over 100 incident reports related to this exploit sent on August 17 and 18.

Attackers gain remote access to the compromised servers through web shells, though it isn't clear to what extent all three flaws were used. Over 140 web shells have been detected across no fewer than 1,900 unpatched Exchange Servers to date, according to Huntress Labs.

How to Mitigate Against the Active Exploitation of ProxyShell Vulnerabilities?



The ProxyShell Vulnerabilities could be exploited to execute arbitrary code on a vulnerable machine.

Therefore, organizations are strongly advised to identify vulnerable systems on their networks and apply Microsoft's Security Update from May 2021, which remediates all three ProxyShell vulnerabilities and protects against these attacks.

ProxyShell Flaws actively exploited in Microsoft Exchange Attacks

The Zorin team has announced a new release, Zorin OS 16, one of its most advanced and popular releases, based on Ubuntu 20.04.3 LTS.

Zorin OS is a Linux distribution designed for users new to the Linux platform, with built-in features that let users change the UI to resemble the familiar Microsoft Windows or macOS systems.

The latest release, Zorin OS 16, offers a "Pro" edition that replaces the "Ultimate" edition and comes preloaded with a few apps and a couple of extra layouts. The base edition, Zorin OS 16 "Core", remains free and includes all the essential features.

What's New in Zorin OS 16 Linux distro?



Zorin OS is one of the most beautiful Linux distributions, and the latest release, Zorin OS 16, brings several cosmetic features to the distribution, like Jelly Mode, which adds an engaging animation when a window on your screen is minimized.



Other highlighted key updates in Zorin OS 16 include:

  • Flatpak Enabled
  • New Touchpad Gestures
  • New Sound Recorder & Photos apps
  • Telemetry and tracking Disabled in Firefox browser for better privacy
  • Jelly mode that enables a macOS-like animation on minimizing or opening applications
  • Active directory domain option in the installer
  • More Enhanced taskbar


Additionally, Flathub is enabled by default in Zorin OS 16, so you can now find plenty of apps, including Flatpak packages, in the Software manager.

How to Upgrade to Zorin OS 16?



The Pro edition of Zorin OS 16 is available at $39, and the Pro-lite edition is available for older computers.

However, you can also download Zorin OS 16 Core for free, although the free Lite edition and the Pro Lite version are not yet available.

Zorin OS 16 Linux distro arrives based on Ubuntu 20.04.3 LTS

AdLoad is an adware loader discovered in 2017 whose capabilities include backdooring compromised systems to download and install potentially unwanted programs (PUPs) and stealing sensitive information from the victim's machine.

According to SentinelOne, a new variant of AdLoad is targeting macOS, with about 150 unique samples discovered in 2021 alone. Although Apple's XProtect, the built-in security control for malware detection, contains around 11 signatures for different AdLoad variants, the variant involved in this campaign remains undetected by any of those rules.

Apple's on-device malware scanner failed to detect the new variant as well, and it is even signed through the notarization service, which shows how far malicious software has gone in adapting to evade detection.

How Does the New AdLoad Variant Bypass Apple's XProtect to Target macOS Systems?



The old AdLoad variant was reported in 2019, and Apple now has partial protection against it; although XProtect has around 11 different signatures for AdLoad, the variant involved in this new campaign is undetected by any of those rules.



The new version of AdLoad uses persistence and executable names with a different file extension pattern, such as .system or .service, enabling the malware to get around the traditional security protections incorporated by Apple. Installation of a persistence agent in turn triggers the attack chain that deploys malicious droppers as a fake Player.app to install malware.

Interestingly, the droppers share the same pattern as Bundlore/Shlayer droppers, as they use a fake Player.app mounted in a DMG with several of them signed with a valid signature; in some cases, even notarized.

How to Mitigate against the New AdLoad Variant?



AdLoad is one of the malware families, similar to Shlayer, known to effectively bypass XProtect, and the fact that a well-documented adware variant has been circulating for about 10 months and still remains undetected by Apple's malware scanner underscores the necessity of implementing further endpoint security controls on devices.

Apple itself has noted that malware on macOS is a problem that they are struggling with, and recently, the company addressed a zero-day flaw actively exploited in its Gatekeeper service by the Shlayer operators to deploy adware on compromised systems.

Apple's macOS targeted by New Variant of AdLoad

Debian 11, codenamed Bullseye has finally arrived after about two years of development; and as the latest release of the universal operating system, it will be supported for the next five years.

Debian, also known as Debian GNU/Linux, is free and open-source software developed by the community-supported Debian Project, and it is one of the oldest operating systems based on the Linux kernel.

The Debian 11 release includes over 11294 new packages, which takes the total to over 59551 packages, with over 42821 software packages having newer versions. Also, over 9519 packages were removed from the distribution.

What's New in Debian 11 ‘Bullseye’ Linux Distro?



Debian 11 offers newer versions of popular applications like GIMP, LibreOffice, Emacs, and various other core applications. It features kernel 5.10, the latest version, which serves as a long-term support (LTS) release.



The new kernel means better support for newer hardware along with improved performance, such as support for the exFAT filesystem. As for desktop environments, although not the very latest versions, newer versions are available in Debian 11 'Bullseye'. Other major changes include:

  • Systemd journal logs are persistent by default
  • New open command to automatically open files from the command line with a certain app (GUI or CLI)
  • Password hashing for local system accounts now uses yescrypt by default instead of SHA-512 for improved security
  • New Fcitx 5 input method for Japanese, Chinese, Korean and several other languages
  • Systemd defaults to using control groups v2 (cgroupv2)


Additionally, the new package ipp-usb is now available for Debian 11, which uses the vendor-neutral IPP-over-USB protocol supported by modern printers. Also, SANE driverless backend will allow using scanners effortlessly.

How to Upgrade to Debian 11?



For existing users, you can upgrade from the previous Debian version by first updating your /etc/apt/sources.list and then running the commands:

sudo apt clean
sudo apt update
sudo apt upgrade
sudo apt dist-upgrade
sudo apt autoremove
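The "update your /etc/apt/sources.list" step above is the one with no command attached, so here is an added example (not Debian project tooling) that rewrites a buster sources.list for bullseye. Besides renaming the suite, it applies the rename of the security suite from "buster/updates" to "bullseye-security" that the Debian 11 release notes introduced. The sample sources.list is constructed for the example; the script only transforms text and does not touch the system.

```python
import sys

OLD, NEW = "buster", "bullseye"
URI_PREFIXES = ("http://", "https://", "ftp://", "file:", "mirror://", "cdrom:")

# Commands from the upgrade procedure above, for reference after sources.list is rewritten.
UPGRADE_COMMANDS = [
    "sudo apt clean",
    "sudo apt update",
    "sudo apt upgrade",
    "sudo apt dist-upgrade",
    "sudo apt autoremove",
]

# Constructed buster sources.list used as sample input (not from any real host).
SAMPLE_SOURCES = """\
# constructed buster sources.list
deb http://deb.debian.org/debian buster main contrib
deb-src http://deb.debian.org/debian buster main
deb http://security.debian.org/debian-security buster/updates main
deb [arch=amd64] http://deb.debian.org/debian buster-updates main
"""


def convert_suite(suite: str) -> str:
    """Map a buster suite name to its bullseye equivalent; other suites pass through."""
    if suite == f"{OLD}/updates":          # security suite was renamed in Debian 11
        return f"{NEW}-security"
    if suite == OLD or suite.startswith(f"{OLD}-"):   # buster, buster-updates, buster-backports
        return NEW + suite[len(OLD):]
    return suite


def convert_line(line: str) -> str:
    """Rewrite one sources.list line; comments, blank and non-deb lines are unchanged."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line
    tokens = stripped.split()
    if tokens[0] not in ("deb", "deb-src"):
        return line
    # The suite is the token after the URI; an optional "[arch=...]" block may precede the URI.
    for i, tok in enumerate(tokens):
        if tok.startswith(URI_PREFIXES):
            if i + 1 < len(tokens):
                tokens[i + 1] = convert_suite(tokens[i + 1])
            break
    return " ".join(tokens) + ("\n" if line.endswith("\n") else "")


def to_bullseye(text: str) -> str:
    """Rewrite a whole sources.list, preserving line order and comments."""
    return "".join(convert_line(line) for line in text.splitlines(keepends=True))


if __name__ == "__main__":
    # Usage: python3 this.py < /etc/apt/sources.list > sources.list.bullseye
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SOURCES
    sys.stdout.write(to_bullseye(source))
    print("# then run:", " && ".join(UPGRADE_COMMANDS))
```

Review the rewritten file before copying it into place: third-party repositories that name the suite differently, or that have no bullseye build yet, are left untouched by design and need a manual decision.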


And for a fresh install, Debian 11 is available for download from the official website. Note that apart from 32-bit and 64-bit PC, Debian 11 also supports 64-bit ARM (arm64), and IBM System z (s390x), along with several others.

Debian 11 ‘Bullseye’ Linux Distro: What's New?

There is a critical bug in managed DNS from providers like Amazon and Google that could allow hackers to intercept a portion of worldwide dynamic DNS traffic.

According to researchers at Wiz, by leveraging the DNS vulnerability they "wiretapped" the internal network traffic of about 15,000 organizations, including millions of devices. The data exposed valuable intel such as computer names, employee names and other details about organizations' domains, including entry points exposed to the internet.

DNS vulnerabilities are increasingly critical because remote workforces are becoming overstretched and leaving new holes in the fabric of this decades-old protocol, which puts billions of devices around the world at risk.

How Does Managed DNS Work, and How Was the DNS Bug Exploited to Spy on DNS Traffic?



A DNS host is responsible for hosting DNS records, while a domain registrar is where domain names are purchased. Some DNS hosting providers also offer domain registration and vice versa, but the two services shouldn't be confused.



DNS hosting providers offer a self-service platform that allows customers to update their domain names and name servers. Customers can add any domain name, because doing so is not supposed to affect web traffic: the hosting provider is not the authoritative domain registrar.

The assumption is that there is total isolation between one customer and the others. Route53, for instance, doesn’t verify that a customer owns amazon.com before letting them create a zone for it, because nothing a customer registers in their own DNS is supposed to have any impact on other customers.

Here lies the loophole: the researchers discovered that registering certain "special" domains, specifically the name of the provider's own name server, has an unexpected effect on all other customers using that name server. It breaks the isolation between tenants. They successfully registered one type of special domain, but there could be many others.

Technically, they created a new “hosted zone” on the AWS name server ns-1611.awsdns-09.co.uk and named it “ns-852.awsdns-42.net”. Whenever a domain is added to Route53, four different DNS servers are selected to manage it, and the new zone they registered fell under the management of that same server.

They now partially controlled the hosted zone, so they could point it to their own IP address. Whenever a DNS client queried this name server about itself, which thousands of devices do automatically when updating their IP address within their managed network, the traffic went directly to the researchers' IP address.

On analysis, this turned out to be dynamic DNS traffic from Windows machines querying the hijacked name server about itself; dynamic DNS keeps DNS records automatically up to date when an IP address changes.

Thus, the dynamic DNS traffic that was “wiretapped” came from over 15,000 organizations, including several Fortune 500 companies, 45 U.S. government agencies and 85 other international government agencies. The data exposed valuable intelligence such as internal and external IP addresses, computer names, employee names and office locations.

The research team also released a tool that lets organizations test whether their internal DDNS updates are being leaked to outside parties. Amazon and Google have both issued fixes for their respective services.
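One way a defender can watch for the leak described above, as an added example that is not the Wiz tool: scan DNS traffic records for dynamic UPDATE messages whose destination is not one of the organization's own name servers. The key=value log format, the addresses and the allowlist are all constructed for illustration.

```python
"""Flag Windows dynamic DNS (DDNS) updates that leave for a name server the
organisation does not operate.  Added example, not the article's tool.

Background from the article: a Windows client refreshing its own record looks
up the authority (SOA) for its domain and sends a DNS UPDATE there.  If that
authority is a managed-DNS provider's server, the update (host name, IP and
other domain details) goes to a third party, and a tenant who has hijacked
the provider's name server name receives it."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample records, in the shape a firewall or DNS proxy in front
# of the clients might emit.  203.0.113.53 is a documentation address that
# stands in for an external managed-DNS name server.
SAMPLE_LOG = """\
ts=2021-08-10T09:00:01Z src=10.20.1.15 dst=10.20.0.10 opcode=QUERY qtype=SOA qname=corp.example.com
ts=2021-08-10T09:00:01Z src=10.20.1.15 dst=10.20.0.10 opcode=UPDATE zone=corp.example.com name=WS-1015.corp.example.com
ts=2021-08-10T09:00:02Z src=10.20.1.16 dst=203.0.113.53 opcode=QUERY qtype=SOA qname=corp-cloud.example.net
ts=2021-08-10T09:00:02Z src=10.20.1.16 dst=203.0.113.53 opcode=UPDATE zone=corp-cloud.example.net name=WS-1016.corp-cloud.example.net
ts=2021-08-10T09:00:03Z src=10.20.1.17 dst=10.20.0.11 opcode=QUERY qtype=A qname=www.example.com
"""

# Name servers the organisation itself runs (constructed allowlist).
INTERNAL_DNS: Set[str] = {"10.20.0.10", "10.20.0.11"}


@dataclass
class Finding:
    src: str
    dst: str
    zone: str
    name: str
    reason: str


def parse_record(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict, ignoring tokens without '='."""
    rec: Dict[str, str] = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec


def find_leaks(lines: Iterable[str], internal_dns: Set[str]) -> List[Finding]:
    """Report every DDNS UPDATE whose destination is outside the allowlist.

    Only UPDATE opcodes are flagged: the SOA lookup that precedes one reveals
    just the zone name, whereas the UPDATE carries the host name and address
    that the article's researchers were able to collect."""
    allow = {ipaddress.ip_address(a) for a in internal_dns}
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("opcode") != "UPDATE":
            continue
        try:
            dst = ipaddress.ip_address(rec.get("dst", ""))
        except ValueError:
            continue  # malformed or missing destination; nothing to judge
        if dst in allow:
            continue
        findings.append(Finding(
            src=rec.get("src", "?"),
            dst=str(dst),
            zone=rec.get("zone", "?"),
            name=rec.get("name", "?"),
            reason="DDNS update sent to a name server outside the allowlist",
        ))
    return findings


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOG.splitlines(), INTERNAL_DNS):
        print(f"{f.src} -> {f.dst}: {f.name} in zone {f.zone} ({f.reason})")
```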

Critical DNS Bug exposes Organizations' Sensitive Data to Attackers

The long wait is finally over, as what's perhaps the most anticipated Linux distro, elementary OS 6 has finally been released.

elementary OS is a Linux distro targeted at non-technical users that serves as a privacy-focused replacement for macOS and Windows, with a pay-what-you-want model. This latest version is based on Ubuntu 20.04 LTS and comes with loads of improvements and security enhancements.

Ubuntu 20.04 LTS was released on April 23, 2020 and the most notable feature is support for Linux kernel 5.4 which offers the latest kernel capabilities, such as lockdown mode and exFAT support.

What's New in elementary OS 6 ‘Odin’ final release?



Among the loads of enhancements to privacy and security, elementary OS 6 offers Flatpak apps out-of-the-box, lockdown mode and exFAT support.



For both touch screen and touchpad users, elementary OS 6 offers new gesture interactions that make navigating the system easier. elementary OS now also has its own AppCenter Flatpak repository, with some default applications shipped as Flatpak packages and all apps listed in AppCenter available as Flatpaks as well.

That means applications stay sandboxed from each other and from users' sensitive data. Other major changes in the elementary OS 6 ‘Odin’ final release include the following:

  • Dark Style & Accent Color
  • Multi-Touch Gestures
  • First-Party Flatpak Apps & Permissions View
  • New Tasks App
  • Improved Desktop Workflow & Screenshot Utility
  • Online account integration


Additionally, there is a new installer with improved disk detection and error handling, which makes the installation process seamless.

How to Download or Upgrade to elementary OS 6 ‘Odin’ final release?



If you’re new to elementary OS and need a fresh installation, you can download the latest ISO image from the official site.

For more details on the latest release, you can refer to the official announcement to explore more about elementary OS 6.

elementary OS 6 ‘Odin’ final release is now available for Download

Prometheus TDS is a malware-as-a-service offering sold in underground markets that distributes malicious files and redirects visitors to malicious sites; an attacker configures the necessary parameters to carry out a campaign.

According to researchers at Group-IB, Prometheus TDS has been available in underground markets since August 2020; for $250 a month, customers get the Prometheus TDS administrative panel, which allows an attacker to download malicious files and configure restrictions on victims' geolocation, browser version and operating system.

The service is a Traffic Direction System (TDS) designed to distribute malware-laced Microsoft Word and Excel documents, and redirect users to phishing and malicious sites.

How Cybercriminals are Leveraging Prometheus TDS Malware Service?



Group-IB's report revealed that over 3,000 email addresses were targeted in malicious campaigns in which Prometheus TDS was employed to send malicious files, with finance, energy and mining, healthcare, IT and insurance emerging as the main verticals targeted by the attacks.



The campaign commences with an email containing an HTML file, a web shell that redirects users to a specified URL, or a link to a Google Doc embedded with a URL that redirects to the malicious link, which when opened or clicked leads the recipient to the infected website.

The malware-as-a-service (MaaS) solution distributes a wide range of malicious software via campaigns that result in the deployment of payloads such as IcedID, QBot, and Buer Loader, against high profile individuals and corporations in the United States and some other western countries.

Besides distributing malicious files, Prometheus TDS also redirects users to specific sites, such as a fake site impersonating a well-known VPN provider at hXXps://huvpn[.]com/free-vpn/, where clicking the download button initiates the download of a malicious EXE file.

The Group-IB report documents several unrelated malware campaigns carried out by different groups using Prometheus TDS, which supports the assessment that Prometheus TDS is a MaaS solution.

Prometheus TDS: Rise of Malware-as-a-Service (MaaS) model

Apple recently announced a new set of child safety features coming to its devices, including the iPhone, to help limit the spread of Child Sexual Abuse Material (CSAM).

According to Apple, the next iOS and iPadOS update will bring new capabilities that use new applications of cryptography to help limit the spread of CSAM online, with user privacy in focus.

However, privacy advocates perceive the CSAM detection as Apple rolling out a "mass surveillance" feature, since every image sent on the platform is scanned.

How Apple intends to detect CSAM on its platform?



Apple is relying on what it calls "NeuralHash", a system combined with a cryptographic technique known as private set intersection, which scans iCloud photos automatically when a user turns on iCloud photo sharing.



The CSAM detection involves on-device matching of images, before they are uploaded to the cloud, against a database of known CSAM image hashes provided by the National Center for Missing and Exploited Children (NCMEC) and perhaps other child safety organizations.

Also, the Messages app will use on-device machine learning to warn about sensitive content, while keeping communications unreadable by Apple.


Additionally, the virtual assistant Siri will get an update enabling it to provide parents and children with expanded information, and Search will intervene when users search for CSAM-related topics.

Finally, Apple will use another cryptographic technique called threshold secret sharing so that it can "interpret" the contents only once an iCloud Photos account passes a threshold of known CSAM matches, after which the content is manually reviewed to confirm there is actually a match; if so, Apple will disable the user's account, and the material will be reported to NCMEC and passed to law enforcement.

Why Privacy furore over Apple's plan to scan devices for CSAM?



As noble as the intention may be, privacy advocates fear that the system could be repurposed to detect other kinds of content, with political and personal safety implications, or even used to frame innocent individuals by sending them inappropriate images designed to appear as matches for CSAM.

Apple users who feel that their account has been mistakenly flagged can file an appeal to have the issue resolved and their account reinstated.

Privacy furore over Apple's plan to scan devices for Child Abuse Content

Copilot is a Visual Studio Code extension developed by GitHub in collaboration with OpenAI that employs machine learning to suggest functions or lines of code as developers write their software.

The Free Software Foundation has raised some salient questions about the legality and legitimacy of GitHub’s AI-driven coding assistant, calling it unacceptable and unjust from its perspective and citing a lack of fairness.

According to the foundation, Copilot requires running software that is not free, namely Visual Studio or parts of Visual Studio Code, and it acts as a Software Substitute, which raises many other questions that require deeper examination.

Why GitHub Copilot is ‘unacceptable and unjust’ according to the Free Software Foundation?



The Free Software Foundation stated that Copilot's use of freely licensed software has many implications for an incredibly large portion of the free software community.



The foundation has received many inquiries about its position on questions such as: “Developers wanting to know if training a neural network on their software can be considered fair use. Others who want to use Copilot wonder if the code snippets copied from GitHub-hosted repositories could result in copyright infringement.”

Even if everything is legally copacetic, activists wonder whether there isn’t something fundamentally unfair about a proprietary software company building a service off their work. While all topics related to Copilot's effect on free software may be in scope, the following questions are of particular interest:

  • Is Copilot's training on public repositories infringing copyright? Is it fair use?
  • How likely is the output of Copilot to generate actionable claims of violations on GPL-licensed works?
  • How can developers ensure that any code to which they hold the copyright is protected against violations generated by Copilot?
  • Is there a way for developers using Copilot to comply with free software licenses like the GPL?
  • If Copilot learns from AGPL-covered code, is Copilot infringing the AGPL?
  • If Copilot generates code which does give rise to a violation of a free software licensed work, how can this violation be discovered by the copyright holder on the underlying work?
  • Is a trained artificial intelligence (AI) / machine learning (ML) model resulting from machine learning a compiled version of the training data, or is it something else, like source code that users can modify by doing further training?
  • Is the Copilot trained AI/ML model copyrighted? If so, who holds that copyright?
  • Should ethical advocacy organizations like the FSF argue for change in copyright law relevant to these questions?


The Free Software Foundation is offering $500 for each submitted white paper on the topic that it publishes, and invites requests for funding to do further research leading to a later paper. Submissions are open until Monday, August 23, with guidelines for the papers available at fsf.org.

GitHub, on its part, has responded by expressing its willingness to be open about any issues, stating that this is a new space, and they are keen to engage in a discussion with developers on these topics and lead the industry in setting appropriate standards for training AI models.

GitHub Copilot: What are the legal questions on the AI-driven coding assistant?

Microsoft was once unfriendly to open source, but now the company is crediting the increased adoption of .NET to open source, according to a post on its official blog.

The Windows Compatibility Pack was released in 2017, adding 20,000 APIs to .NET Core for Windows, Linux and macOS and making it easy for developers to move code from the Windows-oriented .NET Framework to the cross-platform .NET Core.

As .NET Core enables web apps that scale easily and run on Linux, the addition of the .NET Framework APIs made it even more useful.

How Microsoft .NET adoption gets bolstered by open source?



The .NET framework originally ran only on Windows, before Microsoft first considered sharing the .NET Core on GitHub. At the time, GitHub was a relatively unknown platform for many of its developers, who obviously had a lot of questions about how the platform worked.



Now, several .NET customers who historically composed their apps using Microsoft-supplied libraries, which were closed-source, are comfortable depending on non-Microsoft libraries, which are typically open source.

Therefore, open source is the most sustainable way to build a stack with wider support, over an ever changing development landscape of operating systems and architectures.

Why open source is important for the .NET project?



A modern developer stack needs to be cross-platform, and open source is the most sustainable way to build one; it enables anyone to view, debug and contribute to the runtime used to build their application.

Thus, open source has helped ensure that the .NET project is fully available beyond a single vendor, that is, Microsoft.

Microsoft looks to open source to bolster .NET adoption

Internet Explorer, Microsoft's erstwhile browser, was recently exploited by attackers to deliver a VBA-based remote access Trojan (RAT) capable of accessing and downloading files stored on targeted Windows systems, as well as executing malicious payloads.

According to researchers at Malwarebytes Labs, a suspicious document named “Манифест.docx” (“Manifest.docx”) was discovered that downloads and executes two templates, one macro-enabled and the other an HTML object containing an Internet Explorer exploit.

Both techniques rely on template injection leveraging the IE exploit (CVE-2021-26411) previously used by the Lazarus APT to drop a full-featured Remote Access Trojan.

How Hackers Exploited IE Bug to Deploy VBA Malware on Targeted Windows systems?



The unidentified attackers rely on template injection leveraging the IE exploit; the remote template referenced in settings.xml.rels contains a full-featured VBA RAT that can collect victim information, execute shellcode and read disk and file system information.



Once executed, the shellcode deploys the same VBA RAT that was loaded via remote template injection, and after loading the remote templates the malicious document displays a decoy document in Russian, purporting to be a statement from a group within Crimea opposed to Russia.

The remote template contains Document_Open and Document_Close procedures, which run upon opening and closing the document. Notably, the VBA RAT is capable of identifying antivirus products running on the target system and executing commands from the attacker-controlled server.

How to Mitigate against the Microsoft IE Bug?



Microsoft promptly released a patch for the IE bug as part of its Patch Tuesday updates for March, and users are advised to update their browser in order to mitigate the exploit.

Among the security issues addressed by that update is a clutch of flaws known as ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), which allowed attackers to break into Microsoft Exchange servers and subsequently install unauthorized web-based backdoors for long-term access.

Microsoft IE Bug exploited by Hackers to deploy VBA Malware

Package Hunter is a free and open-source tool by GitLab that scans a program's dependencies for malicious code by installing them in a sandbox environment and monitoring for unexpected behavior.

Dependencies are supposed to be thoroughly vetted before being included in a program, but this is rarely feasible in practice due to the sheer volume of dependency code needing review and the lack of tools to help with vetting it.

Now, GitLab's Package Hunter is perhaps an important addition that could help in securing every software package, as threat actors are increasingly using public package registries as a distribution channel for their malicious code.

How GitLab’s Package Hunter Will Detect Malicious Code?



Package Hunter analyzes a program's dependencies for malicious code, with suspicious system calls reported to the developer for further examination.



It integrates with GitLab and has been in use internally to test GitLab's dependencies since November 2020; currently it supports testing NodeJS modules and Ruby Gems. The aim is to enable other projects to detect malicious code in their dependencies before any harm is done, which increases confidence in open source supply chains.

This matters because developers build apps quickly by reusing dependency code, on the “trust” that those dependencies don't need separate review.

How to get started with GitLab's Package Hunter?



Package Hunter is currently available as a free and open-source project on GitLab, and if you wish to get started, use the GitLab CI template to add a job to your project and follow the instructions for setting up a Package Hunter server.

Note that Package Hunter currently supports testing of NodeJS modules and Ruby Gems; refer to the official documentation for more technical details.

GitLab Package Hunter detects Malicious code in dependency package

DuckDuckGo’s email protection feature allows users to create an alias email address that helps block the creepy email trackers that come with email messages.

DuckDuckGo emphasizes protecting web searchers' privacy and avoiding the filter bubble of personalized search results; it distinguishes itself from other search engines by not profiling users and by displaying the same search results to all users for a given query.

Now, its foray into email protection brings the same privacy standard to email, giving users addresses on the duck.com domain, owned by DuckDuckGo itself; for instance, you can get an address like [email protected]

How DuckDuckGo Email Protection works?



DuckDuckGo Email Protection is launching into beta, as a new feature in its apps that will protect users' email privacy without having them switch email services.



Users can generate unique private email addresses, such as [email protected], in the DuckDuckGo app and extension, and these addresses can’t be tracked. Emails sent to such an address are automatically forwarded to your regular inbox with no creepy email trackers to worry about, and DuckDuckGo itself never saves your email.

If you use an email service like Gmail or Yahoo, emails sent to your private Duck Address arrive in your normal inbox as usual, so you can read them as you normally do, whether in an app or on the web.

How to Join the private beta waitlist?



The DuckDuckGo Email Protection feature has been released in beta, and access requires joining the private waitlist.

The process is simple: download DuckDuckGo for iOS or Android, open Settings > Beta Features > Email Protection and tap “Join the Private Waitlist.” Once you've got a Personal Duck Address, you can expect DuckDuckGo to support it long-term, so you can share it with confidence.

DuckDuckGo Email Protection helps to Block Email Trackers

There is an active cryptojacking campaign targeting Linux-based machines with weak SSH credentials; the attackers' main goal is to deploy Monero mining malware, although their toolbox could allow for other attacks.

According to the Bitdefender researchers who discovered the cryptojacking attacks, the campaign has been active since at least 2020 and the attackers are believed to be a threat group likely based in Romania. They compromise Linux systems with a previously undocumented SSH brute-forcer written in Go, dubbed "Diicot brute", a password-cracking tool believed to be offered under a software-as-a-service model.

The stealthy part isn't necessarily the brute-forcing of those credentials, but that the attackers do it in a way that lets them go completely undetected.

How the Linux Cryptojacking Attackers target Linux Systems?



Exploitation of weak SSH credentials is not uncommon on Linux systems, but the method employed by this group involves obfuscating Bash scripts by compiling them with the shell script compiler (shc) and using Discord to report information back.



The toolkit also includes traditional tools such as masscan and zmap; because it is distributed on an as-a-service model, each threat actor supplies their own API key in their scripts. Like most tools in the kit, the brute-force tool has a mix of Romanian and English in its interface.

Once the attackers find a Linux device with weak SSH credentials, they deploy and execute a loader; in the current campaign they used .93joshua, though they have a couple of others such as .purrple and .black. All the loaders are obfuscated via shc, and the loader gathers system information and relays it to the attacker using an HTTP POST to a Discord webhook.

There is no shortage of Linux machines with weak SSH credentials, and the only way to find them is through scanning.

As a mitigation strategy, Linux users are advised to deploy runtime cloud security as an important last line of defense, so that malicious code injections and other threats that occur after an attacker has exploited a vulnerability can still be detected.

Cryptojacking Campaign targeting Linux Systems on the Rise

Google's threat intelligence researchers discovered four zero-day exploits used in three different campaigns, affecting the major browsers Chrome, Internet Explorer and Apple Safari.

The WebKit (Safari) zero-day is a use-after-free vulnerability in QuickTimePluginReplacement, tracked as CVE-2021-1879, which was discovered on March 19, 2021 and exploited by a likely Russian government-backed actor.

The campaign targeting Apple iOS devices coincided with campaigns from the same actor targeting Windows users to deliver Cobalt Strike, a remote access tool designed for targeted attacks.

How the Apple WebKit Zero-day was exploited in the wild?



The Apple WebKit zero-day was exploited in the wild by attackers sending specially crafted malicious links via LinkedIn Messaging to officials from Western European countries.



Once the target visited the link from an iOS device, it redirected to an attacker-controlled domain that served the next-stage payloads. After several validation checks to ensure the iOS device was real, the final payload exploiting CVE-2021-1879 was served to the device.

The exploit turns off Same-Origin Policy protections in order to collect authentication cookies from popular websites such as Google, LinkedIn and Facebook, which it then sends to an attacker-controlled IP via WebSocket. Not all attacks need to chain multiple zero-day exploits to succeed; this campaign mirrors a wave of targeted attacks by the Russian actor tracked as Nobelium, which was found to abuse the vulnerability to strike Western government agencies.

How to Mitigate against the Apple WebKit Zero-day?



Processing maliciously crafted web content could let adversaries exploit the WebKit flaw to carry out a universal cross-site scripting attack.

Apple patched the flaw on March 26, 2021 with the release of iOS 14.4.2 and iPadOS 14.4.2, so users of affected Apple devices should update to mitigate the WebKit zero-day.

Apple WebKit Zero-day actively exploited in the wild

The Solus team has released Solus 4.3, a new version in the Solus 4 ‘Fortitude’ series, which follows the previous version 4.2 with updates to the software stacks and hardware enablement.

Solus is an independently developed Linux distribution for the x86-64 architecture, offering the homegrown Budgie desktop environment as well as GNOME, MATE or KDE Plasma. Solus 4.3 features Linux kernel 5.13, which brings a wide array of hardware support such as AMD GPU FreeSync/Adaptive-Sync HDMI support and AMD Aldebaran accelerator support.

Along with several bug fixes, Solus 4.3 also brings important updates such as the upgrade to the GNOME 40 stack (GNOME 40.2) and fixes to Budgie panel applets and the tracking of various window states.



What's New in Solus 4.3 Release?



Linux kernel 5.13 brings support for M1-powered Apple Macs and preliminary support for Alder Lake-S GPUs, coupled with much improved RISC-V support; RISC-V is a fully open-source CPU architecture that serves as a free alternative to the proprietary Arm chips used in smartphones.

Solus 4.3 offers these other improvements:

  • Basic Apple M1 Support
  • Preliminary Alder Lake S GPU Support
  • AMD GPU FreeSync/Adaptive-Sync HDMI support
  • AMD Aldebaran accelerator support
  • New Generic USB display driver
  • Much better RISC-V support


Additionally, Solus 4.3 ships the latest apps, including Firefox 89.0.2, LibreOffice 7.1.4.2 and Thunderbird 78.11.0. The flagship Budgie edition, now upgraded to Budgie 10.5.3, also received many improvements.

How to Download or Upgrade to Solus 4.3



Existing Solus users will automatically receive the latest update and can simply update their system.

And if you're new to Solus and want to try out the latest version Solus 4.3, you can download the ISO image from their official download page.

Solus 4.3 Release: brings new Kernel and improved Hardware support

Macro malware was common some years ago because macros ran automatically when a document was opened; now, malware authors have to convince targets to turn on macros so that their malware can run.

Malware authors are devising new tricks that use non-malicious documents to disable macro security warnings before executing code to infect computers. According to researchers at McAfee Labs, a novel tactic "downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro."

The researchers found that ZLoader infections propagated through this mechanism start with a phishing email containing a Microsoft Word document attachment which, if opened, downloads a password-protected Microsoft Excel file from a remote server.

How Hackers use the New Trick to Disable Macro Warnings in Malicious Office Files?



ZLoader infections primarily targeted victims in the U.S., Canada, Japan and Spain. ZLoader is a descendant of the infamous banking trojan ZeuS, known for aggressively employing macro-enabled Office documents as the initial attack vector to steal personally identifiable information from users of financial institutions.



After downloading the XLS file, the Word document reads the cell contents from it, creates a new macro in the same XLS file and writes those cell contents into the XLS VBA project as functions. Once the macros are written and ready, the Word document sets the registry policy to 'Disable Excel Macro Warning' and then invokes the malicious macro function from the Excel file.



Macros still need to be enabled in the Word document to trigger the download itself, but by simply turning off the security warning for Excel the attackers were able to stay undetected, and the obfuscation techniques they use have been evolving over the years.

Notably, the malware not only lures users into enabling macros but also carries embedded files containing XLM macros, which download and execute a malicious second-stage payload retrieved from a remote server.
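The registry settings a document has to flip for the trick above (silencing the Excel macro warning and gaining programmatic access to the VBA project so macros can be written into the XLS) are per-user Office Trust Center values, and an endpoint audit can check them. Added example, not McAfee's code: the value names VBAWarnings and AccessVBOM and their meanings are Microsoft's documented ones; the hive walk runs only on Windows, while the interpretation functions are pure and portable.

```python
"""Audit the per-user Office macro-security registry values that macro
malware tampers with.  Added example, not from the article or McAfee.

VBAWarnings mirrors the Trust Center "Macro Settings" page; AccessVBOM=1 is
"Trust access to the VBA project object model", the switch that lets one
document write macros into another file programmatically."""

from typing import Dict, List, Optional, Tuple

VBA_WARNINGS = {
    1: "Enable all macros (warning disabled)",
    2: "Disable all macros with notification (default)",
    3: "Disable all macros except digitally signed macros",
    4: "Disable all macros without notification",
}

SecuritySettings = Dict[str, Dict[str, Optional[int]]]


def assess_vba_warnings(value: Optional[int]) -> Tuple[bool, str]:
    """Return (is_risky, description); None means the value is absent and
    the default (2) applies."""
    if value is None:
        return False, "not set: " + VBA_WARNINGS[2]
    return value == 1, VBA_WARNINGS.get(value, f"unknown value {value}")


def assess_access_vbom(value: Optional[int]) -> Tuple[bool, str]:
    """AccessVBOM=1 is what a document needs to inject VBA into another file."""
    return value == 1, ("trusted" if value == 1 else "blocked (default)")


def audit_settings(settings: SecuritySettings) -> List[str]:
    """One finding per risky value; keys name the Office version and app."""
    findings: List[str] = []
    for key, values in settings.items():
        risky, desc = assess_vba_warnings(values.get("VBAWarnings"))
        if risky:
            findings.append(f"{key}: VBAWarnings={values['VBAWarnings']} -> {desc}")
        risky, desc = assess_access_vbom(values.get("AccessVBOM"))
        if risky:
            findings.append(f"{key}: AccessVBOM=1 -> VBA project access {desc}")
    return findings


def read_office_security_keys() -> SecuritySettings:
    """Walk HKCU on Windows; return {} elsewhere.  Both the user settings
    tree and the Group Policy tree are read, because a policy value
    overrides what the Trust Center dialog shows."""
    try:
        import winreg
    except ImportError:
        return {}
    found: SecuritySettings = {}
    bases = (r"Software\Microsoft\Office", r"Software\Policies\Microsoft\Office")
    for base in bases:
        try:
            root = winreg.OpenKey(winreg.HKEY_CURRENT_USER, base)
        except OSError:
            continue
        with root:
            idx = 0
            while True:
                try:
                    version = winreg.EnumKey(root, idx)  # e.g. "16.0"
                except OSError:
                    break
                idx += 1
                for app in ("Word", "Excel", "PowerPoint"):
                    path = "\\".join([base, version, app, "Security"])
                    try:
                        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path)
                    except OSError:
                        continue
                    with key:
                        vals: Dict[str, Optional[int]] = {}
                        for name in ("VBAWarnings", "AccessVBOM"):
                            try:
                                vals[name] = int(winreg.QueryValueEx(key, name)[0])
                            except OSError:
                                vals[name] = None
                    found[path] = vals
    return found


if __name__ == "__main__":
    for line in audit_settings(read_office_security_keys()):
        print(line)
```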

New Evasive Trick used by attackers to disable Macro Security Warnings

KaOS is a Linux distribution with a specific focus on Qt and KDE, and the latest update, KaOS 2021.06, includes packages such as the new Plasma 5.22 with Adaptive Transparency.

The new Plasma 5.22 Adaptive Transparency feature means that panel widgets are translucent, but become entirely opaque whenever there is a maximized window.

The latest KaOS version also offers other new functionalities, such as support for JPEG XL, an upgrade to the JPEG format, and Plasma Wayland session now supports Activities, allowing users to keep their main work separate from other tasks.

What's New in KaOS 2021.06 Release?



Besides the desktop environment upgrade, KaOS 2021.06 comes with LibreOffice replacing Calligra as the default office suite. The latest Plasma packages are built on Qt 5.15.2+, including Plasma 5.22.2, Frameworks 5.83.0 and KDE applications 21.04.2.



Other new and updated core tools in KaOS 2021.06 include:

  • KWin Wayland now supports Present Windows effect
  • Maliit virtual keyboard packages now Added
  • Fosshost is now the default mirror, utilizes Fastly CDN to deliver content
  • Calamares installer now offers two new QML modules
  • KSysguard replaces Plasma System Monitor


Furthermore, with Fosshost as the default mirror there is no longer any need to adjust a mirror list to install or update KaOS.

How to Download or Upgrade to KaOS 2021.06 Release?



Existing KaOS users can upgrade their current system to KaOS 2021.06 with the following command:

sudo pacman -Syu


For a fresh installation, you can download the ISO image from the official site; note that the welcome screen can now display text or other information from a QML file in the Calamares window.

KaOS 2021.06 Release: Brings Plasma 5.22 with Adaptive Transparency

Microsoft Edge had a security flaw: a universal cross-site scripting (UXSS) condition triggered when translating web pages via Microsoft Translator, the browser's built-in translation feature.

UXSS is an attack that exploits client-side vulnerabilities in a browser or browser extension to create an XSS condition and execute malicious code. The Edge flaw, tracked as CVE-2021-34506, has a CVSS score of 5.4; its discovery is credited to Ignacio Laurence, Vansh Devgan and Shivam Kumar Singh of CyberXplore.

Microsoft, however, has already rolled out updates for the Edge browser with fixes for the issue and subsequently awarded the researchers $20,000 as part of its bug bounty program.

How the Edge Browser Flaw Could have allowed anyone to Steal Your Private Data?



Microsoft Translator, which comes pre-installed in the Edge browser, had vulnerable code that passed any HTML tags, such as a "><img ...> tag, through translation without sanitising the input or converting the payload to text. The internal translator therefore took a "><img src=x onerror=alert(1)> payload and executed it as JavaScript, because there was no validation step that sanitised the input or converted the DOM into text before processing it for translation.



Because the translation feature failed to sanitize its input, an attacker could insert malicious JavaScript into a web page and have it execute as soon as the user clicked the prompt in the address bar to translate that page.

Web-based applications from the Windows Store may also be vulnerable to this kind of attack, since the Store ships apps with Microsoft Translator, the component responsible for triggering the universal XSS (UXSS).

What Edge Browser Users Need to Do Right Away



Microsoft has fixed the issue in the latest Edge update, version 91.0.864.59, now available for download.

Edge users should therefore update their browser promptly by going to Settings and more > About Microsoft Edge (edge://settings/help) to trigger the update, if it has not already happened automatically.

Edge Browser flaw exposes users' Personal Data to any website

Rocky Linux is perhaps the most anticipated CentOS alternative of 2021, and it has finally arrived: the first stable release, version 8.4, codenamed Green Obsidian, is now available to the public.

Rocky Linux is intended to be a complete, binary-compatible rebuild of the Red Hat Enterprise Linux source code; the project aims to provide a community-supported, production-grade enterprise operating system.

The first stable release, Rocky Linux 8.4, is based on Red Hat Enterprise Linux 8.4, and a conversion tool (migrate2rocky) is available to help users migrate an existing system to Rocky Linux.

What Are the Major Features of Rocky Linux 8.4?



Rocky Linux 8.4 is based on Red Hat Enterprise Linux 8.4 and inherits its security improvements, such as the Libreswan IPsec VPN, which gains TCP encapsulation support and security labels for the IKEv2 protocol.



There are also several updates that improve memory management, along with technical changes that improve memory allocation, such as the slab memory controller, which improves slab utilization by shifting memory accounting from the page level to the object level.

Other upgraded features in Rocky Linux 8.4 include:

  • Redis 6
  • Python 3.9
  • PostgreSQL 13
  • SWIG 4.0
  • Subversion 1.14


Additionally, the compiler tool sets have all been updated in Rocky Linux 8.4, and there is support for the Error Detection and Correction (EDAC) kernel module on Intel 8th and 9th generation processors.

How to Download and Install Rocky Linux 8.4?



Rocky Linux 8.4 is now available for download from the official website; container images are also available on Docker Hub and Quay.io.

Note that the first ISO does not support Secure Boot; a new ISO that includes Secure Boot support is expected later.

Rocky Linux 8.4 Stable Release takes on CentOS as Alternative

Apple's latest software update for the iPhone and iPad brought several security patches, including one for a weakness in Wi-Fi-connected devices that could expose users to nearby attackers.

But according to Zhi Zhou, a security engineer at Ant Financial Light-Year Security Labs, a wireless network naming bug in Apple's iOS can effectively disable an iPhone's ability to connect to Wi-Fi networks. The bug was first spotted by Carl Schou, who found that his iPhone's Wi-Fi was disabled after joining a network named "%p%s%s%s%s%n", and stayed disabled even after rebooting the phone.

Schou noted that after joining the Wi-Fi network with the SSID "%p%s%s%s%s%n", his iPhone's Wi-Fi functionality was permanently disabled, and neither rebooting nor changing the SSID fixed it.

Analysis of the SSID Format String Bug



The bug stems from the way iOS parses the SSID: the string is concatenated to a format string and passed to the WFLog:message: method, which triggers a denial of service. Because the SSID is then interpreted as part of the format string, each %s reads a pointer argument that was never supplied, and %n attempts to write through one, which crashes the process. In the crashing path the destination was 3, so it was the second cross-reference to CFStringCreateWithFormatAndArguments that triggered the denial of service.



This could have had serious implications if attackers had used the issue to set up rogue Wi-Fi hotspots with that name in order to break a device's wireless networking. As for exploitability beyond denial of service, however, the remaining parameters do not appear to be controllable, which makes this case unexploitable.

After all, the victim has to connect to that Wi-Fi network to trigger the bug, and the SSID is visible to them; a phishing Wi-Fi portal page would likely be more effective.
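The pattern described above, reduced to a stand-alone C program as an added example (this is not Apple's code, and wflog_message() is a hypothetical stand-in for the WFLog:message: method). It places the concatenate-then-format bug next to the fixed form that passes the SSID as a %s argument, and adds a small pre-check that counts conversion directives in an SSID and flags %n, the one that writes memory. The SSID "%p%s%s%s%s%n" is the one from the report; "Cafe 100%% free" is a constructed sample whose only directive is the well-defined literal "%%", so the vulnerable path can be run safely and still shows the input being interpreted.

```c
/* Added example, not Apple's code: a stand-in for the pattern the article
 * describes (an SSID concatenated into a format string, then handed to a
 * printf-style logger) next to the fixed form that passes the SSID as data.
 * wflog_message() is a hypothetical stand-in for WFLog:message:; the SSIDs
 * other than "%p%s%s%s%s%n" are constructed sample input. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 128

/* Hypothetical printf-style logger. Declared without a format attribute on
 * purpose, which is exactly why the compiler stays silent about the bug. */
static int wflog_message(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE: the SSID becomes part of the format string. Each "%s" then
 * reads a pointer that was never passed, and "%n" writes through one.
 * Only called here with an SSID whose sole directive is "%%", which is
 * well-defined and still proves the SSID is being interpreted. */
static const char *join_message_vulnerable(const char *ssid) {
    static char fmt[LINE_MAX_LEN], out[LINE_MAX_LEN];
    snprintf(fmt, sizeof fmt, "Joined network %s", ssid); /* builds the format */
    wflog_message(out, sizeof out, fmt);                  /* BUG: fmt is untrusted */
    return out;
}

/* FIXED: the SSID is a %s argument and never touches the format string. */
static const char *join_message_fixed(const char *ssid) {
    static char out[LINE_MAX_LEN];
    wflog_message(out, sizeof out, "Joined network %s", ssid);
    return out;
}

/* Defensive check a Wi-Fi daemon could run before logging an SSID: count
 * printf conversion directives (a literal "%%" does not count) and flag "%n". */
static int scan_directives(const char *s, bool *writes_memory) {
    int count = 0;
    *writes_memory = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }    /* "%%" is a literal percent sign */
        count++;
        const char *q = p + 1;                 /* skip flags/width/precision/length */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) q++;
        if (*q == 'n') *writes_memory = true;
        if (*q) p = q;
    }
    return count;
}

static int count_directives(const char *ssid) {
    bool unused;
    return scan_directives(ssid, &unused);
}

static bool has_write_directive(const char *ssid) {
    bool writes;
    scan_directives(ssid, &writes);
    return writes;
}

int main(void) {
    const char *malicious = "%p%s%s%s%s%n";   /* the SSID from the report */
    const char *benign = "Cafe 100%% free";    /* constructed sample SSID */

    printf("\"%s\": %d directives, %%n present: %s\n", malicious,
           count_directives(malicious), has_write_directive(malicious) ? "yes" : "no");
    printf("vulnerable: %s\n", join_message_vulnerable(benign)); /* "%%" became "%" */
    printf("fixed:      %s\n", join_message_fixed(benign));      /* SSID verbatim */
    printf("fixed:      %s\n", join_message_fixed(malicious));   /* safe: SSID is data */
    return 0;
}
```

The vulnerable path collapses the benign SSID's "%%" to a single "%", proof that the logger is parsing the SSID as a format string; with the reported SSID it would instead read five unsupplied pointer arguments and write through one, which is the crash the analysis describes. The fixed path reproduces any SSID verbatim because the only format string it ever sees is the literal "Joined network %s".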

How to Mitigate the iPhone Wi-Fi Naming Bug?



If you experimented with it and your iPhone was affected by the bug, reset the iOS network settings by going to Settings > General > Reset > Reset Network Settings and confirming.

It looks like a classic format string bug, which is rarely seen nowadays; luckily, Android devices are not affected.

Apple's iOS susceptible to Wi-Fi network naming bug

Of course, you want the fastest and best Internet connection; so does every one of the 4.66 billion active Internet users worldwide. Ensuring that your Mac, iPad or iPhone automatically prioritizes and connects to the strongest available Wi-Fi network will help you get fast browsing speeds.

Whether you have multiple access points in your house or a bunch of saved networks in one area, you can get the best connection at all times simply by setting network priority. Note that there is no single option or button on your Apple device that lets you mark a Wi-Fi network as the priority; your device connects to one of the available networks automatically, typically the one with the strongest signal.

The problem arises in areas with multiple Wi-Fi networks: your device might connect to any of the saved networks, and not necessarily the fastest one. You can, however, influence this manually. If you want to set Wi-Fi network priority on your Apple devices, read on.

Wi-Fi Network on Priority in Macs



macOS is all about user-friendliness, and one feature Mac users often overlook is the ability to prioritize saved networks in the order in which you want the Mac to connect to them. This lets you define which network has higher priority, so your Mac connects to it when it is available and, even if you are on a different network, switches to the prioritized network once it becomes available.



If your Mac has many saved networks, you can simply delete a Wi-Fi network that is no longer useful to you. This ensures your device does not connect to a network that lacks the speed and signal strength you want. You can also forget all of the accumulated networks and add them back one by one; remember that the last network you add becomes the high-priority one.

Next, you can follow these steps:

  • Open the feature that lets your Mac prioritize Wi-Fi by clicking the Wi-Fi icon in the menu bar and choosing Open Network Preferences, or by going to System Preferences and then the Network preference pane.
  • In the Network preference pane, make sure Wi-Fi is selected in the left sidebar, then click the ‘Advanced’ button near the bottom right.
  • In the next window you will see a column titled ‘Preferred Networks’ listing all of your remembered networks. Drag a network up or down to change its priority; the ‘+’ and ‘-’ buttons below the list add and remove networks. The networks at the top of the list are the high-priority ones, and your device will connect to them first when they are available. To lower a network's preference, move it down the list.


When you’re done, simply click OK and your Mac will save those settings.

Wi-Fi Network Priority on Apple iOS



  • Manually connect to a Wi-Fi network: although your device will probably connect to a network automatically, if that is not your preferred network you can always connect manually. This works on iPhone, iPad and Mac. On an iPhone or iPad you can switch Wi-Fi networks from Control Center or the Settings app; in Control Center, press and hold the Wi-Fi icon to see the list of available networks and select the one you prefer.
  • Sync network priority from Mac to iPhone/iPad: if you own a Mac, set the Wi-Fi priority there (as described above) and sync the settings to your iPhone or iPad. You must be signed in with the same Apple ID on both devices and have iCloud Keychain turned on. On macOS, open System Preferences, click Apple ID, and make sure the Keychain box is checked. On your iPhone or iPad, go to iCloud and then Keychain and ensure it is toggled on. With both settings on, you are ready to sync.


In conclusion, prioritizing Wi-Fi networks will help you get better connection speed and range, so go ahead and try these tips for a smoother experience.

How to Set Wi-Fi Network Priority on Apple devices - iPhone, iPad, and Mac?