Pwned Passwords is Have I Been Pwned's (HIBP) database of real-world passwords previously exposed in data breaches, and according to reports it is now going open source under the stewardship of the .NET Foundation.

While HIBP is publishing the Pwned Passwords codebase on GitHub, the data that powers the service is already in the public domain via the downloadable hash sets. There is also a promise to open source the codebase for monitoring email addresses and phone numbers in data breaches in the near future.

Troy Hunt, the creator of Have I Been Pwned, made the decision to open source the entire project last year, and it is a process that will still take some time.

What does Open Sourcing Pwned Passwords actually mean?

Pwned Passwords going open source is a pretty straightforward move: it means anybody can run their own Pwned Passwords instance if they so choose.

It should also encourage greater adoption of the service, both because people can be confident they could "roll their own" if needed and because of the transparency that opening the codebase brings. And since Pwned Passwords is entirely non-commercial, with none of the Enterprise services or API costs of other parts of HIBP, it depends on community effort to thrive.

The .NET Foundation has taken on responsibility for managing the open source project: establishing the licensing model, coordinating where the community invests effort, redesigning the release process and taking contributions. Above all, for Pwned Passwords to be successful it needs to keep aggregating fresh passwords as they are compromised, and this is where the FBI comes in, since the FBI is involved in all manner of digital investigations.

What the FBI brings to open-sourced Pwned Passwords?

The FBI plays a major role in combating bad actors, from ransomware to child abuse to terrorism, and in the course of its investigations it is bound to come across compromised passwords.

So the FBI is being given an avenue to feed compromised passwords into HIBP and surface them via the Pwned Passwords feature. The passwords will be provided as SHA-1 and NTLM hash pairs, not in plain text, which aligns with how Pwned Passwords already stores its data.

The overall goal is to protect people from account takeover by proactively warning them when their password has been compromised.

Open Sourcing Pwned Passwords: What does it actually mean?

AnyDesk is a popular remote desktop application with over 300 million users worldwide; security researchers report that a trojanized version of the software is being distributed through a malvertising campaign.

According to the CrowdStrike Falcon Complete team, the campaign delivers a malicious file that masquerades as the AnyDesk setup executable under the name "AnyDeskSetup.exe"; on execution it downloads a PowerShell implant that exfiltrates system data.

Interestingly, this rather clever campaign delivered the weaponized AnyDesk installer via Google ads targeting searches for the "anydesk" keyword.

How Falcon Complete detected the Malvertising Campaign targeting AnyDesk?

During a review of the process tree, the CrowdStrike Falcon platform detected an executable that appeared to have been manipulated to evade detection and that attempted to launch a PowerShell script with the following command line: "C:\Intel\rexc.exe" -exec bypass "\Intel\g.ps1"

"rexc.exe" turned out to be a renamed PowerShell binary, an attempt to bypass detection. On further review, "AnydeskSetup.exe" was found running from the user's Downloads directory.

The script has multiple functions resembling an implant, plus a hardcoded domain (zoomstatistic[.]com) to which it POSTs reconnaissance information: user name, hostname, operating system, IP address and the current process name. The script also uses a specific user-agent string and URI when connecting.
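As an added example (my own detection logic, not CrowdStrike's), the Python below applies the indicators described above to constructed process-creation events in the shape of Sysmon Event ID 1 fields: a PowerShell binary whose on-disk name differs from its PE OriginalFileName, an execution-policy bypass launched from an unusual image name, a parent installer running from Downloads, and a script staged under C:\Intel. The events, user name and field values are made up for the example.

```python
import ntpath
import re

# Constructed process-creation events using Sysmon Event ID 1 field names
# (Image, OriginalFileName, CommandLine, ParentImage). Not CrowdStrike telemetry.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Users\alice\Downloads\AnydeskSetup.exe",
        "OriginalFileName": "AnydeskSetup.exe",
        "CommandLine": r'"C:\Users\alice\Downloads\AnydeskSetup.exe"',
        "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
    },
    {
        "Image": r"C:\Intel\rexc.exe",
        "OriginalFileName": "PowerShell.EXE",  # PE version info survives a rename on disk
        "CommandLine": r'"C:\Intel\rexc.exe" -exec bypass "\Intel\g.ps1"',
        "ParentImage": r"C:\Users\alice\Downloads\AnydeskSetup.exe",
    },
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
]

POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.exe"}
BYPASS_RE = re.compile(r"(?i)-(?:exec|ex|ep|executionpolicy)\s+bypass")


def analyze_event(ev):
    """Return the reasons an event looks like the AnyDesk malvertising chain (empty = clean)."""
    reasons = []
    image_name = ntpath.basename(ev["Image"]).lower()
    original = ev.get("OriginalFileName", "").lower()
    parent_name = ntpath.basename(ev["ParentImage"]).lower()
    cmd = ev["CommandLine"]

    # 1. the binary says it is PowerShell but is not called powershell.exe/pwsh.exe
    if original in POWERSHELL_ORIGINAL_NAMES and image_name != original:
        reasons.append(f"renamed PowerShell binary: {image_name} (original {original})")
    # 2. execution-policy bypass flag from something not named like PowerShell
    if BYPASS_RE.search(cmd) and image_name not in POWERSHELL_ORIGINAL_NAMES:
        reasons.append("execution-policy bypass from a non-standard image name")
    # 3. spawned by a *Setup.exe running out of a Downloads directory
    if "\\downloads\\" in ev["ParentImage"].lower() and parent_name.endswith("setup.exe"):
        reasons.append(f"spawned by an installer running from Downloads: {parent_name}")
    # 4. a .ps1 under C:\Intel, the staging directory seen in this campaign
    if re.search(r"(?i)\.ps1\b", cmd) and "\\intel\\" in cmd.lower():
        reasons.append("script staged under C:\\Intel")
    return reasons


def find_suspicious(events):
    """Map Image -> reasons for every event that triggers at least one rule."""
    return {ev["Image"]: r for ev in events if (r := analyze_event(ev))}


if __name__ == "__main__":
    for image, why in find_suspicious(SAMPLE_EVENTS).items():
        print(image)
        for reason in why:
            print("  -", reason)
```

The OriginalFileName check is the strongest of the four: renaming the file does not alter the PE version resource, so a renamed interpreter is caught regardless of its command line.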

How the Threat actors utilized malicious Google ads (Malvertising)?

The threat actor has served these malicious ads to people searching Google for the "AnyDesk" keyword since at least April 21, 2021. The campaign uses intermediary websites that redirect to a page hosted at https[:]//domohop[.]com/anydesk-download/, a clone of the legitimate AnyDesk website.

The researchers observed that the ads may have been targeted at specific geographic regions, as the ad was not consistently delivered depending on the region the search request originated from.

CrowdStrike's data suggests that 40% of clicks on the malicious ad resulted in installations of the trojanized AnyDesk binary, and that 20% of installations were followed by hands-on-keyboard activity.

It remains unknown what percentage of searches for AnyDesk resulted in clicks, but a 40% trojanized-app installation rate from an ad click shows that this is an effective way of reaching a wide range of potential targets.

Trojanized AnyDesk Installer spreading via Malvertising

Cryptocurrency exchanges have become targets for cybercriminals, with a hacker group affiliated with North Korea behind a slew of recent attacks, as revealed by ClearSky researchers.

According to ClearSky, the latest attack campaign against crypto-exchange companies, dubbed CryptoCore, has been ongoing for about three years, with the hackers focusing mainly on the theft of cryptocurrency wallets.

Other names associated with this campaign include CryptoMimic, Dangerous Password and Leery Turtle, and it is attributed to a specific threat actor: North Korea's Lazarus Group, also known as Hidden Cobra.

How the LAZARUS GROUP were traced to CryptoCore Attacks?

The CryptoCore campaign, which targeted crypto exchanges in Japan, Israel, Europe and the U.S. and resulted in the theft of millions of dollars' worth of cryptocurrency, was traced with "medium-high" likelihood to the Lazarus Group, also known as APT38 or Hidden Cobra, by researchers at the Israeli cybersecurity firm ClearSky.

Interestingly, the Lazarus Group was not previously known to attack Israeli targets; this is perhaps the first such case. ClearSky based its attribution on two stages of research. The first stage was a comparative study of all the existing research documents, aiming to show that they all refer to the same campaign.

The second stage adopted F-Secure's attribution to the Lazarus Group, reaffirmed by comparing the attack tools found in this campaign with those of other Lazarus campaigns, which showed strong similarities.

The Lazarus Group was believed to have stolen an estimated $200 million, according to a report published in June 2020 that linked CryptoCore to five targets located in Japan, the U.S. and the Middle East. The latest research, however, shows that the operations were more widespread than previously documented.

Since entering the scene in 2009, the Lazarus Group has used its offensive cyber capabilities to carry out cyber-espionage and cryptocurrency heists against Western businesses and critical infrastructure.

CryptoCore Attacks traced to North Korean Cyber-threat groups

Mozilla, the maker of Firefox, has rolled out a new Site Isolation feature to the Nightly and Beta channels of the browser to protect users against so-called side-channel attacks.

Site isolation was initially aimed at mitigating Spectre-like attacks that leak data from a given renderer process; Firefox's Site Isolation architecture extends this by creating operating-system process-level boundaries for websites loaded in Firefox for Desktop.

The aim is to load each site separately in its own operating system process, which prevents malicious code from a rogue website from accessing confidential information belonging to other websites.

How Site Isolation can be effective against Side-channel attacks?

Site Isolation is also capable of containing more severe attacks in which the renderer process itself is compromised through security bugs, such as memory corruption or UXSS logic errors.

The Spectre and Meltdown vulnerabilities, publicly disclosed back in January 2018, are a case in point: they forced browser vendors and chipmakers to build defenses into their platforms against attacks that could break the boundaries between different applications and give attackers access to passwords, encryption keys and other sensitive information directly from a computer's kernel memory.

Mozilla was clear, however, that with the evolving techniques of malicious actors on the web, it needed to redesign Firefox to mitigate future variations of such vulnerabilities and keep users safe while browsing.

Hence the fundamental redesign of Firefox's security architecture, which extends the existing security mechanisms by creating operating-system process-level boundaries and isolating each site into a separate process, making it even harder for a malicious site to read another site's secret or private data.
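To make the word "site" concrete, here is an added example (my own code, not Mozilla's) that computes the key a process-per-site browser uses to choose a renderer process, namely scheme plus registrable domain (eTLD+1), and groups sample URLs the way such a browser splits them into processes. The public-suffix table and the URLs are abbreviated and constructed for the example; a real implementation would use the full publicsuffix.org list.

```python
from urllib.parse import urlsplit

# Constructed, abbreviated public-suffix data: the real list (publicsuffix.org)
# has thousands of entries; only what the sample URLs need is included here.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def site_key(url):
    """Return the (scheme, eTLD+1) pair that site isolation uses to pick a process.

    Two origins that share a site key land in the same process even when the
    same-origin policy treats them as different origins (different subdomain or
    port); a different scheme or registrable domain yields a different process.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    # find the longest matching public suffix, then keep one extra label (eTLD+1)
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:                     # the host itself is a public suffix
                return (parts.scheme, host)
            return (parts.scheme, ".".join(labels[i - 1:]))
    return (parts.scheme, host)            # no known suffix (localhost, IP literal)


def assign_processes(urls):
    """Group URLs by site key, i.e. the way a site-isolating browser splits them into renderer processes."""
    groups = {}
    for u in urls:
        groups.setdefault(site_key(u), []).append(u)
    return groups


# Constructed sample URLs
SAMPLE_URLS = [
    "https://bank.example.com/accounts",
    "https://static.example.com:8443/app.js",  # same site as the bank: same process
    "https://example.org/",                    # different registrable domain
    "http://example.org/",                     # same host, different scheme: different site
    "https://alice.github.io/",                # github.io is a public suffix, so each user is a site
    "https://bob.github.io/",
]

if __name__ == "__main__":
    for key, urls in assign_processes(SAMPLE_URLS).items():
        print(key, "->", urls)
```

The consequence worth noting is that a compromised renderer for static.example.com still shares a process with bank.example.com: process isolation is per site, not per origin, so subdomains you do not control are inside the boundary.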

How to enable Site Isolation on Firefox Nightly?

If you'd like to give the feature a spin, you can follow these steps to enable Site Isolation on Firefox Nightly:

Navigate to about:preferences#experimental
Check the "Fission (Site Isolation)" checkbox to enable it.
Restart Firefox.

To enable Site Isolation on Firefox Beta or Release:

Navigate to about:config.
Set the `fission.autostart` pref to `true`.
Restart Firefox.

Note that Firefox's Site Isolation feature is still rolling out: Mozilla is only enabling the new architecture for a subset of users on its Nightly and Beta channels, with plans to roll it out to more users later this year.

Mozilla's New Firefox Site Isolation architecture

Bizarro is a relatively new banking Trojan that originated in Brazil and spreads via Microsoft Installer (MSI) packages; it is now finding its way into other regions of the world.

According to Kaspersky researchers, Bizarro uses affiliates or recruited money mules to operationalize attacks, cashing out or simply helping with transfers. So far the targets are mostly people located in Spain, Portugal, France and Italy, with attempts made to steal credentials from customers of about 70 banks across those European countries.

The threat actors behind Bizarro use servers hosted on Azure and Amazon (AWS), along with compromised WordPress servers, to store the malware and collect telemetry.

How Bizarro Spreads and Steals Banking Credentials?

Bizarro spreads via MSI packages; the sources identified so far are spam emails, and the attackers also use social engineering to lure victims into downloading malicious apps. Most infections have been detected in the South American countries of Brazil, Argentina and Chile, with European countries including Germany, Spain, Portugal, France and Italy also making up the numbers.

The Trojan starts by killing all browser processes to terminate any existing sessions with online banking sites; once the user restarts the browser, they are forced to re-enter their banking credentials, which the malware captures. Bizarro also disables autocomplete in the browser so that more banking details have to be typed in.

Once Bizarro initializes its screen-capturing module, it loads the magnification.dll library to obtain the address of the deprecated MagSetImageScalingCallback API function. With its help it captures the screen, and it also constantly monitors the system clipboard, looking not only for banking details but also for Bitcoin wallet addresses, which it replaces with a wallet belonging to the malware authors.

Like other banking Trojans such as Ghimob, Bizarro focuses on stealing credentials from bank customers, and once a victim's system is infected the operators use money mules to operationalize the attack, cashing out or simply helping with transfers.
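As an added example (my own code, not Kaspersky's analysis or Bizarro's), the following Python implements the Base58Check validation needed to recognize a legacy Bitcoin address on the clipboard and flags the pattern described above: a valid address the user copied coming back from the clipboard as a different, equally valid address. The event list is constructed; the attacker address is derived from a made-up hash160 so that it carries a valid checksum.

```python
import hashlib

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check: version || payload || first 4 bytes of double-SHA-256, in base58."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    # each leading zero byte is encoded as a leading '1'
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58check_decode(addr: str):
    """Return (version, payload), or None if a character or the checksum is wrong."""
    n = 0
    for ch in addr:
        if ch not in _B58:
            return None
        n = n * 58 + _B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) < 5:
        return None
    data, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] != checksum:
        return None
    return data[0], data[1:]


def is_btc_address(text: str) -> bool:
    """P2PKH (version 0) or P2SH (version 5) address with a valid checksum."""
    decoded = b58check_decode(text)
    return decoded is not None and decoded[0] in (0, 5) and len(decoded[1]) == 20


def detect_clipboard_swaps(events):
    """Flag a clipboard read that returns a different valid address than the one the
    user last copied, with no user copy in between (the Bizarro pattern).

    events: list of (actor, content); actor is "user" for a copy the user made or
    "clipboard" for what a later clipboard read returned."""
    alerts = []
    last_user_copy = None
    for actor, content in events:
        if actor == "user":
            last_user_copy = content
        elif (last_user_copy and is_btc_address(last_user_copy)
              and is_btc_address(content) and content != last_user_copy):
            alerts.append((last_user_copy, content))
    return alerts


# Constructed sample: the victim copies the genesis-block address, the clipboard is
# read back unchanged once, then it comes back as a different, equally valid address.
VICTIM_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ATTACKER_ADDR = b58check_encode(0, bytes(range(20)))  # made-up hash160, valid checksum
SAMPLE_EVENTS = [
    ("user", VICTIM_ADDR),
    ("clipboard", VICTIM_ADDR),
    ("clipboard", ATTACKER_ADDR),
    ("user", "not an address"),
    ("clipboard", "not an address"),
]

if __name__ == "__main__":
    for before, after in detect_clipboard_swaps(SAMPLE_EVENTS):
        print("clipboard swap:", before, "->", after)
```

A checksum check alone is not a defense, since the attacker's address is just as valid as yours; the useful signal is the change between what you copied and what you are about to paste, which is why the detector keys on the pair rather than on either address.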

How to Detect and Mitigate against Bizarro Banking Trojan?

Threat actors keep adopting evasive techniques to complicate malware analysis and detection, and the social engineering tricks that lure victims into giving up their online banking data are becoming more pervasive.

The most important advice, therefore, is not to click on links from unknown sources. Also, always double-check the destination Bitcoin address before sending funds: this is not the only malware that uses the clipboard to swap Bitcoin addresses, and there are no do-overs with Bitcoin.

New Banking Trojan, Bizarro sweeping across Europe

Google has announced a new feature coming to the password manager in Chrome for Android that lets users change a compromised password automatically with just a tap.

Chrome relies on Duplex on the Web to power the feature, a technology first introduced in 2019 to let Google Assistant complete tasks on the web, such as booking hotels and buying movie tickets. Duplex on the Web has now been expanded so that Chrome can quickly fix password issues and create a strong password when it determines that your credentials have been leaked online.

Google had earlier made available an extension dubbed Password Checkup, which alerts users if their login credentials have been compromised, including credentials found in the recent "Collections" leak.

How Chrome fixes Password issues; not just prompting a warning for users to update their information?

Chrome comes with a strong built-in password manager that checks the safety of users' passwords. It examines the username and password combinations saved in Chrome and reports whether any pairing has appeared in a publicly known third-party data breach.

Now Chrome not only detects a breach, it can also fix compromised passwords quickly and safely. Whenever Chrome finds that a password may have been compromised, you will see a "Change password" button from Assistant. Tap it and Chrome navigates to the site and walks you through the entire process of changing your password.

The feature is part of a number of new security measures announced at the Google I/O developer event, including a Privacy Dashboard in Android 12 that brings a pie-chart view of permission settings such as microphone, location and camera, along with "what data is being accessed, how often and by which apps."

How Chrome for Android users can get the new feature?

The feature is currently rolling out to Chrome for Android users in the U.S. who have opted to sync their passwords. Only a small number of websites and apps are supported for now, but it is expected to become generally available in more countries in the coming months.

Update Chrome to the latest version to get the new feature.

Chrome leverages on Duplex on the Web technology to fix Password issues

In December 2020, Trend Micro researchers uncovered a malware campaign distributing a credential stealer written in AutoHotkey (AHK), with activity traced back to early 2020.

Now, Morphisec Labs researchers have discovered a unique and ongoing RAT delivery campaign, started in February 2021, that relies heavily on the AutoHotkey scripting language. According to the researchers, at least four different versions of the campaign have been spotted since then.

Whatever the attack chain, it begins with an AHK executable that drops and executes various VBScripts, which eventually load the RAT on the compromised machine.

How AutoHotkey-based RAT Loaders are Increasingly employed in Malware Campaigns?

Threat actors have generally favored scripting languages that have no interpreter built into the victim's operating system and that cannot run unless the interpreter is bundled along, such as AutoIt, Python and AutoHotkey (AHK).

The first attack, detected on March 31, shows the adversary encapsulating the dropped RAT in an AHK executable and disabling Microsoft Defender using a batch script and a shortcut (.LNK) file pointing to the script. In the second attack scenario, the malware blocks connections to popular antivirus solutions by altering the victim's hosts file, which denies DNS resolution for those domains by mapping them to the localhost IP address instead of the real one.

Similarly, another AHK loader chain observed on April 26 delivered LimeRAT through an obfuscated VBScript, which decodes into a PowerShell command that retrieves a C# payload containing the final-stage executable from a sharing platform called "stikked.ch". And the last attack chain, discovered on April 21, used an AHK script to execute a legitimate app and drop a VBScript that runs an in-memory PowerShell script to install AsyncRAT and fetch the HCrypt malware loader.
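As an added example (not from the Morphisec report), the following Python audits a hosts file for the tampering described above, reporting entries that point security-vendor domains at localhost or 0.0.0.0. The hosts content and the protected-domain watch-list are constructed for the example; in practice you would fill the watch-list with your AV/EDR vendors' update and telemetry hosts and run it against C:\Windows\System32\drivers\etc\hosts.

```python
import re

# Constructed hosts-file content, not taken from the Morphisec samples. The vendor
# domains are placeholders for whichever update/telemetry hosts you care about.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.example-av.com   # added by loader
127.0.0.1       update.example-av.com telemetry.example-edr.net
10.0.0.5        intranet.corp.local
"""

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Domains whose resolution should never be overridden locally (assumed watch-list).
PROTECTED_DOMAINS = {"example-av.com", "example-edr.net", "windowsupdate.com"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments and blanks."""
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        for name in names:
            yield ip, name.lower(), line_no


def _is_protected(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text):
    """Return protected domains whose resolution the hosts file overrides.

    The plain 'localhost' entries are legitimate and are not reported. A protected
    domain map to a sinkhole address is reported as "blocked"; a map to any other
    address is reported as "redirected", since that is a hijack rather than a block."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost" or not _is_protected(name):
            continue
        kind = "blocked" if ip in SINKHOLE_IPS else "redirected"
        findings.append({"line": line_no, "host": name, "ip": ip, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

Because the technique works at the name-resolution layer, a clean DNS server tells you nothing; the hosts file on the endpoint itself has to be read, which is also why a file-integrity watch on that path is a cheap complement to this audit.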

How to Safeguard against AutoHotkey-Based Malware Attacks

Threat actors keep developing techniques to bypass and evade modern security controls, but their tactical goals have remained the same. Even as the techniques for bypassing passive security controls change, the common denominator among them is the abuse of process memory, which is a static and predictable target for the adversary.

Baseline security controls are therefore still needed to keep automated attacks at bay, while innovative attackers like those behind the current scenarios require a modern approach to security.

AutoHotkey-Based Malware Attacks are on the rise

Bodhi Linux is a lightweight Linux distribution based on Ubuntu that uses the Moksha desktop and a minimal base system to which users add the software they need.

While Bodhi Linux is tailored for older systems, it offers a unique experience with the Moksha desktop environment. Now, after a hiatus of over a year, there is a major release: Bodhi Linux 6.0 brings numerous improvements and a refreshed look to the distribution.

Bodhi Linux 6.0 follows v5.1, which was based on Ubuntu 18.04 LTS; the latest version moves to Ubuntu 20.04 LTS and automatically gains all the perks that come with it.

What's New in Bodhi Linux 6.0 Release?

Besides the move to Ubuntu 20.04 LTS, Bodhi Linux 6.0 brings several core enhancements, including continued development of the Enlightenment 17-derived desktop, with a new choice of colors and subtle visual improvements.

Moksha lets you add applications such as the LibreOffice suite, VLC media player, the Geany editor and others, and you can download the AppPack ISO if you want them bundled.

The Arc-Green theme has been revamped with an animated background, an updated splash screen and numerous other tweaks. The BL6 login screen now has an elegant, slick greeter, and there is a new Plymouth theme as well. The Moksha desktop environment is not left out either: it has undergone numerous improvements and gained a few new features.

Bodhi Linux ships essential applications like the Chromium web browser, the Synaptic package manager and more.

How to Download or Upgrade to Bodhi Linux 6.0?

Bodhi Linux 6.0 is available for download; you can get the ISO from the official download page. There is also a legacy release, based on Debian, that supports aged 32-bit systems.

As expected, the ISO is kept as small as possible for easy download, without unnecessary pre-installed tools.

Bodhi Linux 6.0 Release: Lightweight Linux Distro with Moksha window manager

There are already many ways to make Python run faster, from alternate runtimes to wrapping modules written in C/C++; however, none of these involve speeding up CPython, the reference implementation of Python and by far the most widely used version of the language.

Now Pyston, an alternate Python runtime, has released version 2.2 with one very significant change: the full source code is now available as an open source project under the original Python license. Pyston 2.2 offers roughly 30 per cent better performance than standard CPython, using just-in-time compilation and other techniques to speed up execution.

Pyston is, however, significantly different from the other major alternate Python runtime, PyPy, which also uses just-in-time compilation to achieve significant performance improvements.

What the Open sourcing of the Pyston Project means for developers?

The first aim of the Pyston project is to produce a drop-in replacement for the standard Python runtime that can speed up existing Python deployments without additional effort.

It also makes it possible for innovations in Pyston to be upstreamed back into Python itself, if the core Python team chooses to accept them. The new version of Pyston takes a different approach to achieve this: the base CPython code is altered to improve performance without breaking backward compatibility.

PyPy, the other major alternate Python runtime, remains a large and complex project that has long struggled with full compatibility, especially with Python extensions written in C. Pyston avoids this problem by starting from the CPython codebase and retaining compatibility with it.

How to get Started with the Pyston Project?

The open-sourced Pyston v2.2 is available on GitHub, so head over there if you are a developer who wants to contribute or help get Pyston packaged for additional platforms.

Otherwise, if you want to use Pyston in your projects, it is promised to be as easy as replacing "python" with "pyston"; and even where that is not quite the case, you can still give Pyston a try and see whether it really does speed up your Python code.

Faster Python promised with the open sourcing of Pyston project

TeaBot is a relatively new Android banking Trojan discovered in January 2021 by the Threat Intelligence and Incident Response (TIR) team at Cleafy, a cybersecurity company.

The main goal of TeaBot is to steal the victim's banking credentials and SMS messages, enabling the threat actors to commit fraud against a predefined list of over 60 targeted banks, mainly European ones. Once successfully installed on the victim's device, TeaBot lets the attackers obtain a live stream of the device screen on demand and interact with the device through the Android Accessibility Services.

The malware is still in an early stage of development; attacks began in earnest in late March 2021, followed by a series of infections in the first week of May targeting Belgian and Dutch banks.

How TeaBot Android banking Trojan steals users' credentials?

TeaBot has all the capabilities of a modern Android banking Trojan, such as abusing the Accessibility Services to perform overlay attacks against multiple banking apps in order to steal login credentials and credit card information.

It can also send, intercept and hide SMS messages, has key-logging functionality, steals Google Authenticator codes, and gives the attackers full remote control of an infected Android device through the Accessibility Services and real-time screen sharing.

Additionally, TeaBot can disable Google Play Protect and access Google Authenticator 2FA codes, and the collected information is exfiltrated every 10 seconds to a remote server controlled by the attacker.

The technical analysis reveals that the initial app name used by the malware was "TeaTV", but as of last month the app name was changed to "VLC MediaPlayer", "Mobdro", "DHL", "UPS" and "bpost", the same decoys used by the infamous banker Flubot/Cabassous.

How to Mitigate against TeaBot Banking Trojan

TeaBot uses the same evasive technique as Flubot, posing as innocuous apps to stay under the radar. Android users should therefore always scrutinize the permissions granted to the apps installed on their devices.

If you notice unusual notifications or screen activity on your Android device, or suspect a malware-infected app, uninstall the app immediately, and always keep the operating system and your apps up to date.
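As an added example (not Cleafy's tooling), the Python below triages a decompiled AndroidManifest.xml for the permission combination TeaBot relies on: an accessibility service, SMS access and the overlay permission. A media player or parcel tracker asking for all three is a red flag regardless of what its label says. The manifests, package name and app label are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a fake "media player" that wants everything TeaBot uses.
# The package name and service class are made up.
SUSPICIOUS_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.mediaplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="VLC MediaPlayer">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of a plain network-only app for comparison.
BENIGN_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return capability flags plus a 0-3 score for how banker-like the manifest is."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    accessibility = any(_attr(s, "permission") == ACCESSIBILITY_PERM
                        for s in root.iter("service"))
    app = root.find("application")
    label = _attr(app, "label") if app is not None else None
    flags = {
        "accessibility_service": accessibility,   # remote control, overlay driving
        "sms_access": bool(perms & SMS_PERMS),     # OTP / 2FA interception
        "overlay": OVERLAY_PERM in perms,          # draw over banking apps
        "label": label or "",
    }
    flags["score"] = sum((flags["accessibility_service"], flags["sms_access"], flags["overlay"]))
    # a media player or parcel tracker has no business combining two or more of these
    flags["verdict"] = "suspicious" if flags["score"] >= 2 else "ok"
    return flags


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(text))
```

The same three checks map directly onto what a user sees in the permission prompts: an accessibility-service request, SMS permissions and "display over other apps" from an app whose purpose needs none of them.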

TeaBot Android Trojan targeting users of financial apps in Europe

There is an ongoing cyberespionage campaign dubbed 'TunnelSnake' targeting diplomatic entities in Southeast Asia and Africa, with more than nine high-profile victims to date, mostly located in South Asia.

According to Kaspersky researchers, the advanced persistent threat (APT) campaign has been active since 2019; the attackers deploy a previously unknown rootkit dubbed Moriya, malware with near-absolute power over the operating system that lets the threat actors intercept network traffic and conceal malicious commands.

The threat actors have shown the ability to evolve and tailor their toolset to different environments and to infiltrate high-profile organizations in South Asia and Africa with an evasive Windows rootkit.

How the Moriya Rootkit Infiltrates Networks of High-Profile Organizations?

Moriya first emerged in November 2020, when Kaspersky researchers discovered the stealthy implant in the networks of inter-governmental organizations operating in South Asia and Africa.

Malicious activity associated with the operation dates back to 2019, with the rootkit remaining in victims' networks for several months after the initial infection. The rootkit is particularly evasive thanks to the way it intercepts and inspects network packets in transit from within the Windows kernel's address space.

The Windows kernel's address space is the memory region where the operating system's kernel resides, and typically only privileged and trusted code runs there. Operating at that level lets the malware pick out the attacker's unique malicious packets before they are processed by the system's network stack, which is what allows the attackers to avoid detection by security solutions.

The rootkit was mostly deployed via a compromised web server inside the target organization; in one instance the attackers infected a server with the China Chopper webshell, malicious code that allows remote control of the infected server.
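As an added example (my own signatures, not Kaspersky's indicators), the following Python scans a web root for the one-line China Chopper server side in its PHP, ASP and ASPX forms, the kind of check that would have surfaced the foothold described above. The sample files are constructed and written to a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Signatures for the one-line China Chopper server side in its PHP, ASP and ASPX
# forms; the preg_replace pattern catches the common /e-modifier variant. These are
# my own regexes, not indicators from the TunnelSnake report.
WEBSHELL_PATTERNS = {
    "php_eval_post": re.compile(r"@?\b(?:eval|assert)\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I),
    "php_preg_e": re.compile(r"preg_replace\s*\(\s*['\"]/.*?/e['\"]", re.I | re.S),
    "asp_eval_request": re.compile(r"\beval\s*\(\s*Request\s*(?:\.Item)?\s*[\(\[]", re.I),
    "aspx_jscript_unsafe": re.compile(r"eval\s*\(\s*Request\.Item\[.*?\]\s*,\s*\"unsafe\"", re.I),
}
WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp"}


def scan_text(text):
    """Return the names of every webshell pattern that matches the file content."""
    return [name for name, rx in WEBSHELL_PATTERNS.items() if rx.search(text)]


def scan_webroot(root):
    """Walk a web root and map relative path -> matched pattern names (hits only)."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if (matched := scan_text(text)):
                hits[str(path.relative_to(root))] = matched
    return hits


# Constructed files: two classic one-liners plus a benign page.
SAMPLE_FILES = {
    "img/cache.php": "<?php @eval($_POST['pass']); ?>",
    "aspnet_client/err.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
}


def build_sample_webroot():
    """Write the constructed files into a fresh temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for rel, names in sorted(scan_webroot(webroot).items()):
        print(rel, "->", ", ".join(names))
```

The shell is tiny on disk, so content signatures rather than file size or timestamps are what catch it; pairing this scan with a baseline hash of the deployed web root lets you also flag files that were never part of the release.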

How Organizations can be protected from such advanced persistent threats?

The TunnelSnake campaign once again demonstrates the sophistication of threat actors who now invest significant resources in designing evasive toolsets to infiltrate the networks of high-profile organizations without being detected.

Organizations should therefore perform regular security audits of their IT infrastructure to reveal possible vulnerabilities in their systems, and ensure that anti-APT and EDR solutions are deployed, enabling threat discovery and detection for timely remediation before an actual attack.

Additionally, the SOC team within the organization should be given access to the latest threat intelligence and regularly up-skilled with relevant professional training.

TunnelSnake Cyberespionage targets diplomatic entities in Southeast Asia

Buer is a malware loader offered as malware-as-a-service on underground forums and often employed as a first-stage downloader for additional payloads; the initial compromise of a target system lets the attacker establish remote access to further their malicious activity.

According to Proofpoint researchers, a new variant of the Buer loader has been distributed since early April via emails masquerading as shipping notices. Buer was first observed in 2019, and several malware operators, including those behind Ryuk ransomware, have used the Buer dropper as an initial access vector against unnamed victims.

The ongoing phishing campaign delivering the Rust-based Buer, dubbed "RustyBuer", uses emails masquerading as shipping notices from DHL Support and is believed to have affected more than 200 organizations across over 50 verticals since early April.

How the Rust-based variant of Buer Malware Loader is more evasive?

The researchers observed a series of malicious campaigns delivering the Buer loader, generally using DHL-themed phishing emails carrying malicious Word or Excel documents. The campaigns distributed two variants of Buer: one written in C and the other rewritten in the Rust programming language.

The new Rust variant is dubbed RustyBuer. Rust is an efficient and easy-to-use language that is becoming increasingly popular, and rewriting the loader in it lets the threat actor better evade existing Buer detection capabilities.

In some campaigns RustyBuer was observed delivering Cobalt Strike Beacon as a second-stage payload, and the threat actors may also be using the loader to establish a foothold and then sell that access to other threat actors, a model known as "access-as-a-service".

Why Cybercriminals are increasingly paying attention to Rust programming language?

Rust is a programming language similar to C++ but with better memory safety, without giving up performance.

RustyBuer is perhaps the latest in a series of efforts by cybercriminals to add an extra layer of opacity by using this versatile language in the hope that it will help the attackers evade most security defenses. Rewriting the malware in Rust can also let the threat actor evade existing Buer detection techniques tied to features of the old C implementation.

The malware authors nonetheless built RustyBuer to remain compatible with all the existing Buer backend C2 servers.

Rust-based variant of Buer Malware Loader gets more evasive

Microsoft has released a preview of Azure Web PubSub, an Azure service for building real-time web applications with WebSocket, which lets developers focus on application logic for real-time connected experiences.

WebSocket is a standardized protocol offering full-duplex communication; it is key to building efficient real-time web interactions and is supported by all major browsers and web servers. Azure Web PubSub lets developers use WebSockets and the publish-subscribe pattern to build real-time web applications, including live location on maps, monitoring dashboards, cross-platform live chat and many more.

Azure Web PubSub also integrates with Azure Functions, which is well suited to building serverless applications in Python, C#, JavaScript and Java; developers can use Azure Functions to process location data and Azure Web PubSub to broadcast it to dashboard clients or visualize real-time location information.

How will Azure Web PubSub enable developers to use WebSockets and a publish-subscribe pattern?

Implementing a WebSocket-based real-time experience requires a developer to first set up infrastructure for handling client connections, and to ensure the setup can meet business SLA requirements by establishing mechanisms to scale it on demand. These infrastructure management tasks leave a developer little time to focus on end-user experiences, and this is the infrastructure challenge the Azure Web PubSub service sets out to solve.

The Azure Web PubSub service offers built-in support for large-scale client connections with highly available architectures, so that developers can focus on the application logic that delivers real-time connected experiences.

Additionally, the service supports a wide variety of programming languages such as C#, Python, and Java through WebSocket APIs, which gives developers the flexibility to build real-time cross-platform applications and to easily migrate their existing WebSocket-based applications. Besides native WebSocket support, it also offers the json.webpubsub.azure.v1 subprotocol, which lets clients publish and subscribe efficiently without routing data between the service and backend server code.

How to Get Started with Azure Web PubSub?

The Azure Web PubSub service is currently available as a developer preview. To get started, developers should go to docs.microsoft.com; to learn more about the service, visit the Azure Web PubSub service page or check out the preview documentation.

You'll need a free Azure account and can then follow the Quickstart using the free tier or standard tier of Azure Web PubSub. The free tier is designed for dev/test so that you can easily get started with one unit and create applications with up to 20 connections per unit and 20,000 messages per unit per day. Also, check out the code samples that showcase real-time apps you can build with the service.

Azure Web PubSub: Build real-time Web applications using WebSocket

The Azure Defender for IoT security research group, known as Microsoft's Section 52, recently uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices which could be exploited to bypass security controls and execute malicious code.

The flaws are collectively called "BadAlloc" because they stem from the use of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and many more. The vulnerabilities cover more than 25 CVEs and affect a wide range of critical domains, ranging from consumer and medical IoT to Industrial IoT, Operational Technology, and industrial control systems.

BadAlloc is rooted in memory allocation functions spanning widely used C standard library (libc) implementations, real-time operating systems (RTOS), and embedded software development kits (SDKs).

How do BadAlloc Flaws affect IoT and OT Devices?

Microsoft's research shows that memory allocation implementations written as part of IoT devices and embedded software haven't incorporated proper input validation. Without that input validation, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on target devices.



The vulnerabilities can be invoked by calling a memory allocation function, such as malloc(VALUE), with the VALUE parameter derived dynamically from external input and large enough to trigger an integer overflow or wraparound.
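As an added illustration of that mechanism (constructed here; not code from Microsoft's advisory or from any affected libc, RTOS or SDK), the snippet below contrasts a size computation that wraps silently with the input validation Microsoft says was missing, for both the multiplication and the header-plus-length patterns:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration (not code from Microsoft's advisory or any
 * affected libc/RTOS/SDK): a firmware-style allocator receives a length
 * taken from external input, e.g. a count or payload-length field in a
 * packet, and derives the malloc() argument from it. */

/* Naive form: the size_t product wraps silently, so a hostile count turns
 * into a tiny allocation that the caller still treats as `count` elements
 * (the heap overflow the advisory describes). Returns the bytes requested. */
size_t naive_array_bytes(size_t count, size_t elem_size) {
    return count * elem_size;                     /* may wrap around */
}

/* Checked form: reject any product that cannot be represented in size_t.
 * Returns 0 on overflow or a zero input; 0 is never a valid request here. */
size_t checked_array_bytes(size_t count, size_t elem_size) {
    if (count == 0 || elem_size == 0) return 0;
    if (count > SIZE_MAX / elem_size) return 0;   /* product would wrap */
    return count * elem_size;
}

/* Same idea for the common "fixed header + payload length" pattern, where
 * the addition rather than the multiplication is what wraps. */
size_t checked_buffer_bytes(size_t header_len, size_t payload_len) {
    if (payload_len > SIZE_MAX - header_len) return 0;  /* sum would wrap */
    return header_len + payload_len;
}

/* Allocate only after the size has been validated; NULL means rejected. */
void *alloc_array_checked(size_t count, size_t elem_size) {
    size_t bytes = checked_array_bytes(count, elem_size);
    return bytes ? malloc(bytes) : NULL;
}

int main(void) {
    size_t elem = 16;
    /* count chosen so count * 16 == SIZE_MAX + 17, which wraps to 16 */
    size_t hostile = SIZE_MAX / elem + 2;
    printf("naive bytes for hostile count:   %zu\n", naive_array_bytes(hostile, elem));
    printf("checked bytes for hostile count: %zu\n", checked_array_bytes(hostile, elem));
    printf("checked alloc: %s\n", alloc_array_checked(hostile, elem) ? "allocated" : "rejected");
    printf("header+payload wrap check: %zu\n", checked_buffer_bytes(64, SIZE_MAX - 8));
    return 0;
}
```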

Successful exploitation of these vulnerabilities could result in unexpected outcomes such as remote code execution or injection, or even a system crash, as stated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in a security advisory released on April 29, 2021.

How can Organizations secure their Systems from exploitation?

Although there is no evidence of these vulnerabilities being exploited in the wild, the availability of the patches could allow bad actors to use a technique known as "patch diffing" to reverse engineer the fixes and potentially weaponize any vulnerable versions of the software.

Therefore, CISA recommends that organizations apply vendor updates as soon as possible, set up firewall barriers, and isolate critical system networks from business networks, to minimize the exposure of control systems and ensure they remain inaccessible from the internet.

Microsoft warns on BadAlloc Flaws affecting a wide-range of IoT Devices