Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.
In customer guidance released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability, CVE-2022-41082, which allows remote code execution (RCE) when PowerShell is accessible to the attacker.
Microsoft said Exchange Online has detections and mitigation in place to protect customers. Customers using on-premises Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns.
Vietnamese security firm GTSC on Thursday published a writeup on the two Exchange zero-day flaws, saying it first observed the attacks in early August being used to drop “webshells.” These web-based backdoors offer attackers an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.
“We detected webshells, mostly obfuscated, being dropped to Exchange servers,” GTSC wrote. “Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management. We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese.”
GTSC’s advisory includes details about post-compromise activity and related malware, as well as steps it took to help customers respond to active compromises of their Exchange Server environment. But the company said it would withhold more technical details of the vulnerabilities for now.
Granted, the zero-day flaws that powered that debacle were far more critical than the two detailed this week, and there are no signs yet that exploit code has been publicly released (that will likely change soon). But part of what made last year’s Exchange Server mass hack so pervasive was that vulnerable organizations had little or no advance notice on what to look for before their Exchange Server environments were completely owned by multiple attackers.
Microsoft is quick to point out that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, but this may not be such a tall order for the hackers behind these latest exploits against Exchange Server.
Steven Adair is president of Volexity, the Virginia-based cybersecurity firm that was among the first to sound the alarm about the Exchange zero-days targeted in the 2021 mass hack. Adair said GTSC’s writeup includes an Internet address used by the attackers that Volexity has tied with high confidence to a China-based hacking group that has recently been observed phishing Exchange users for their credentials.
In February 2022, Volexity warned that this same Chinese hacking group was behind the mass exploitation of a zero-day vulnerability in the Zimbra Collaboration Suite, which is a competitor to Microsoft Exchange that many enterprises use to manage email and other forms of messaging.
Ubuntu 22.10, code name ‘Kinetic Kudu’, is now in beta. The final release is expected on October 20, 2022. Here is what’s new in the next release of the popular Linux distribution.
Ubuntu 22.10 features Linux kernel 5.19 with new hardware support. The default desktop environment is GNOME 43, which features a new flat system menu.
Ubuntu 22.10 new system menu
The ‘Background’ settings tab has been removed from GNOME Control Center. Instead, users choose wallpapers from the ‘Appearance’ tab, and a new ‘Ubuntu Desktop’ tab holds the dock and desktop icon settings.
New Ubuntu Desktop settings tab
The Files app (aka Nautilus) has been ported to GTK4 plus libadwaita, so it has an adaptive UI that shows or hides the left sidebar automatically according to the window size. In addition, the “undo” pop-up in the file manager has been moved to the bottom, where it no longer interrupts your workflow. The context (right-click) menu, the file properties dialog, and the about dialog have been redesigned with a touch-friendly UI.
Ubuntu 22.10 Desktop finally uses PipeWire as the default sound server instead of PulseAudio. The WebP image format is supported out of the box. And gedit has been replaced with GNOME Text Editor.
Other changes in Ubuntu 22.10 include:
Files (the Nautilus file manager) now supports Undo/Redo actions.
Light and dark wallpaper variants are supported in the Appearance settings page.
GNOME To Do is no longer pre-installed, and GNOME Books has been removed from the system repository.
Clicking an app icon on the dock switches between windows when multiple instances are open.
A new icon in the top-right system menu launches the screenshot UI.
Compared with Ubuntu 22.04 LTS, Ubuntu 22.10 runs noticeably faster and smoother, especially when switching between light and dark themes and accent colors. As a short-term release, however, it is supported for only 9 months.
Download Ubuntu 22.10:
Ubuntu 22.10 desktop and server .iso images are available to download at the link below:
Ubuntu 22.04 users can now upgrade to this beta by following the official guide. It is recommended, though, to disable third-party repositories and PPAs and to uninstall proprietary drivers before starting the upgrade.
Yesterday, data breach notification website Leakbase said someone allegedly hacked the Swachhata Platform in India and stole 16 million user records.
Security researchers at CloudSEK reported the news after discovering a post by Leakbase sharing data samples containing personally identifiable information (PII), including email addresses, hashed passwords and user IDs.
Earlier this week, an advisory published by CloudSEK reported that 6GB of compromised data from the Swachhata Platform, an initiative in association with the Ministry of Housing and Urban Affairs of India, is being shared via a popular file-hosting platform.
“[Leakbase is] previously known from providing reliable information and data breaches from companies around the world,” wrote CloudSEK. “[Threat actors on the platform] often operate for financial gain and conduct sales on their marketplace forum Leakbase.”
In 2017, the platform was at the center of a massive data breach at Taringa, a Reddit-like social network for Latin American users.
Further to this, CloudSEK said Leakbase users often offer access to admin panels and servers of several content management systems (CMSs), allegedly gained via unauthorized means and sold for monetary profit.
“This information can be aggregated to further be sold as leads on cybercrime forums,” the company wrote.
In addition, the security experts said the data could be harvested by threat actors to conduct phishing, smishing and social engineering attacks.
To mitigate the impact of attacks like this, CloudSEK recommended that system administrators implement a strong password policy and enable multi-factor authentication (MFA) across logins.
It also recommended that vulnerable, exploitable endpoints be patched and that user account anomalies that could indicate possible account takeovers be monitored regularly.
To conclude, CloudSEK said companies should monitor cybercrime forums to keep up with the latest tactics employed by threat actors.
How To Download Music Directly To iPod Without iTunes
Description: In this article, we’ll show you step by step how to download music directly to your iPod quickly and easily.
How do I put music directly on my iPod?
The 2019 launch of the new iPod caused havoc. People from all over the globe took a trip down memory lane to recall their iPods and brought them back to life. Even though the iPod is no longer available, it remains a formidable competitor to other MP3 and media players. You might be one of those people who still cherish and treasure your iPods, or just recently bought a new one. If so, you may be searching for ways to add music to the iPod without iTunes.
Despite iTunes being popular in its day due to the limited number of iOS tools, it is not as preferred today. It comes with many complicated steps and takes a lot of time, making audio and video conversions and transfers simple.
iTunes is not available on all devices, and it can be confusing for even the most tech-savvy. The software has been removed for Mac users; only Windows PC owners can still access its features. Even Windows users urge you to avoid iTunes, as it is becoming more time-consuming and inefficient.
But don’t worry! We have some great news for you who want music on your iPod, but don’t trust iTunes or any other unreliable tool!
Do you want to find out what we are talking about? Continue reading!
How can you put music on your iPod without iTunes?
Softorino, a US-based tech company, can help you put music on your iPod without using iTunes.
Its tool works on both Windows PCs and Macs. The software, WALTR PRO, makes file conversion and transfers simple, efficient, and easy. WALTR PRO is more reliable than iTunes and other unreliable online tools, and it produces the highest quality output possible in the shortest time.
Download and install WALTR PRO:
Download the WALTR PRO trial from Softorino on your Mac or Windows PC. Once your download is completed, follow the on-screen instructions to install the software on the laptop. After the app has been installed, launch WALTR Pro for the first time. You’ll be prompted by an onboarding video to show you everything about the desktop tool.
Next, enter your email address to receive your trial code. After you have entered your email address, your trial key will be sent to you. Once it arrives, enter the key into the appropriate field.
Time to connect your iPod to your Mac or Windows PC:
You will need a USB cable to connect your iPod to your computer. You don’t have to do this again. If your devices are connected to the same network, you can transfer files via Wi-Fi.
After you have connected your iPod to the computer using the USB cable, go to the WALTR PRO settings window and choose the Enable WiFi connectivity option. You can then send all files to your iPod using WALTR PRO via Wi-Fi.
Drag, Drop, Relax:
You don’t have to go to Select Files and manually search your computer for the music files that you wish to convert or transfer to your iPod. Instead, drag and drop them into the WALTR PRO window.
Drag and drop files to be transferred and the process will start immediately. You can also choose your iPod from the available devices and click the Convert and Transmit buttons.
WALTR PRO Features
WALTR PRO has many customization options
It features an easy drag-and-drop mechanism
Many useful features are available at a low cost
Editing your output file’s destination is easy
This tool allows wireless transfers between all iOS devices
Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. It’s not clear who’s behind this network of fake CISOs or what their intentions may be. But the fabricated LinkedIn identities are confusing search engine results for CISO roles at major companies, and they are being indexed as gospel by various downstream data-scraping sources.
If one searches LinkedIn for the CISO of the energy giant Chevron, one might find the profile for a Victor Sites, who says he’s from Westerville, Ohio and is a graduate of Texas A&M University.
The LinkedIn profile for Victor Sites, who is most certainly NOT the CISO of Chevron.
Of course, Sites is not the real CISO of Chevron. That role is currently occupied by Christopher Lukas of Danville, Calif. If you were confused at this point, you might ask Google who it thinks is the current Chief Information Security Officer of Chevron. When KrebsOnSecurity did that earlier this morning, the fake CISO profile was the very first search result returned (followed by the LinkedIn profile for the real Chevron CISO).
Helpfully, LinkedIn seems to be able to detect something in common about all these fake CISO profiles, because it suggested I view a number of them in the “People Also Viewed” column seen in the image above. There are two fake CISO profiles suggested there, including one for a Maryann Robles, who claims to be the CISO of another energy giant — ExxonMobil.
Maryann’s profile says she’s from Tupelo, Miss., and includes a quaint description of how she became a self-described “old-school geek.”
“Since playing Tradewars on my Tandy 1000 with a 300 baud modem in the early ’90s, I’ve had a lifelong passion for technology, which I’ve carried with me as Deputy CISO of the world’s largest health plan,” her profile reads.
However, this description appears to have been lifted from the profile for the real CISO at the Centers for Medicare & Medicaid Services in Baltimore, Md.
Interestingly, Maryann’s LinkedIn profile was accepted as truth by Cybercrime Magazine’s CISO 500 listing, which claims to maintain a list of the current CISOs at America’s largest companies:
The fake CISO for ExxonMobil was indexed in Cybercrime Magazine’s CISO 500.
Rich Mason, the former CISO at Fortune 500 firm Honeywell, began warning his colleagues on LinkedIn about the phony profiles earlier this week.
“It’s interesting the downstream sources that repeat LinkedIn bogus content as truth,” Mason said. “This is dangerous, Apollo.io, Signalhire, and Cybersecurity Ventures.”
Google wasn’t fooled by the phony LinkedIn profile for Jennie Biller, who claims to be CISO at biotechnology giant Biogen (the real Biogen CISO is Russell Koste). But Biller’s profile is worth mentioning because it shows how some of these phony profiles appear to be quite hastily assembled. Case in point: Biller’s name and profile photo suggest she is female, however the “About” description of her accomplishments uses male pronouns. Also, it might help that Jennie only has 18 connections on LinkedIn.
Again, we don’t know much about who or what is behind these profiles, but in August the security firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.
None of the profiles listed here responded to requests for comment (or to become a connection).
In a statement provided to KrebsOnSecurity, LinkedIn said its teams were actively working to take these fake accounts down.
“We do have strong human and automated systems in place, and we’re continually improving, as fake account activity becomes more sophisticated,” the statement reads. “In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam.”
LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a “created on” date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise and unwanted communications.
The former CISO Mason said LinkedIn also could experiment with offering something akin to Twitter’s verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer.
“If I saw that a LinkedIn profile had been domain-validated, then my confidence in that profile would go way up,” Mason said, noting that many of the fake profiles had hundreds of followers, including dozens of real CISOs. Maryann’s profile grew by a hundred connections in just the past few days, he said.
“If we have CISOs that are falling for this, what hopes do the masses have?” Mason said.
Mason said LinkedIn also needs a more streamlined process for allowing employers to remove phony employee accounts. He recently tried to get a phony profile removed from LinkedIn for someone who falsely claimed to have worked for his company.
“I shot a note to LinkedIn and said please remove this, and they said, well, we have to contact that person and arbitrate this,” he said. “They gave the guy two weeks and he didn’t respond, so they took it down. But that doesn’t scale, and there needs to be a mechanism where an employer can contact LinkedIn and have these fake profiles taken down in less than two weeks.”
Pithos, a native Linux client for Pandora Radio, got a new release a few days ago. Here’s how to install it in Ubuntu 22.04, Ubuntu 20.04 and Ubuntu 18.04 via PPA.
It’s been almost two years since the last release. Pithos 1.6.0 now uses GNOME-style client-side decorations (CSD) for its header bar instead of the old title bar, so the app UI looks like the screenshot below:
This release also adds a Ctrl+r shortcut to open the stations popover and removes access to the host keyring when running in Flatpak. And libappindicator is no longer required as a dependency, since the app now supports the status notifier protocol directly.
How to Install Pithos 1.6.0 in Ubuntu:
For the current three Ubuntu LTS releases and their derivatives, I’ve uploaded the software package to this unofficial Ubuntu PPA.
1. First, press Ctrl+Alt+T on the keyboard to open a terminal. When it opens, run the command below to add the PPA:
sudo add-apt-repository ppa:ubuntuhandbook1/apps
Type your user password when prompted (there is no asterisk feedback) and hit Enter to continue.
2. Then, run the command below to refresh the package cache (needed on old Ubuntu 18.04 and Linux Mint):
sudo apt update
3. Finally, install or update the lightweight Pandora Radio client to listen to music online:
sudo apt install pithos
As the application is not updated frequently, you may also download and install the .deb package directly from this page.
To remove the Ubuntu PPA, open terminal and run command:
XFCE is one of the popular desktop environments for Linux-based operating systems, and it is lightweight. In this tutorial, we will show you how to install XFCE in Linux Mint 21.
Install XFCE In Linux Mint 21
Go through the following steps to install the XFCE desktop environment in Linux Mint 21.
Run the update command so that your Linux Mint 21 package index is up to date.
sudo apt update
Now, run the following command to install the XFCE desktop on Linux Mint 21:
sudo apt install xfce4
Now, run the following command to switch from your current desktop environment to XFCE:
sudo systemctl set-default graphical.target
Now you are ready to use the XFCE desktop environment on Linux Mint 21. If you want to remove the XFCE desktop environment from your Linux Mint 21, run the following command.
A symbolic link (also known as a soft link) is a kind of shortcut to another file. It is heavily used in Linux for shared libraries.
But how do you know which original file the link points to?
You can use the ls command for this purpose. Surprised? Don’t be. The long listing ls -l displays where a symbolic link points:
ls -l /path/to/file
For example, I’ve created a soft link named MyTorrents that targets another disk so my command will be:
ls -l /home/sagar/Symbolics/MyTorrents
However, this is not a foolproof way to follow a symbolic link to the original file: if it is a multilayer link (a link pointing to another link that points to a file), the ls command only shows the next link, not the source file.
How to Find Target File of Symbolic Link in Linux
It’s a no-brainer that with enough skill you have multiple ways of accomplishing the same thing, especially in Linux.
So I’ll be utilizing the following command line utilities to follow symbolic links:
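As an added example (not part of the original article), here is a small POSIX shell function that walks a symbolic link one hop at a time, which is exactly the multilayer case where ls -l stops short. It assumes readlink(1) from GNU coreutils, which the article has not introduced; the function name and the hop limit are mine.

```shell
#!/bin/sh
# Added example: follow a symbolic link through every hop until a regular file
# (or a dangling target) is reached. Assumes readlink(1) from GNU coreutils.

# follow_link PATH [MAX_HOPS]
# Prints each hop on stderr and the final target path on stdout.
# Returns 0 for a resolved file, 1 for a dangling chain, 2 for a loop.
follow_link() {
    cur=$1
    max=${2:-40}          # guard: a link cycle would otherwise never terminate
    hops=0
    while [ -L "$cur" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt "$max" ]; then
            echo "loop or chain deeper than $max hops at: $cur" >&2
            return 2
        fi
        target=$(readlink "$cur")
        # A relative target is interpreted relative to the link's own directory,
        # which is what the kernel does when it resolves the link.
        case $target in
            /*) next=$target ;;
            *)  next=$(dirname "$cur")/$target ;;
        esac
        echo "$cur -> $next" >&2
        cur=$next
    done
    if [ -e "$cur" ]; then
        printf '%s\n' "$cur"
        return 0
    fi
    echo "dangling: last hop points to missing $cur" >&2
    printf '%s\n' "$cur"
    return 1
}
```

Run it as `follow_link /home/sagar/Symbolics/MyTorrents` to see every hop printed before the final file.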
Are you deploying software using containers? Are you using Podman? Do you want to up your security game by running containers with as little privilege as possible? Boy, do I have an article for you!
What is Podman?
Podman is a Red Hat product aimed at replacing Docker. For 99% of tasks, it is indeed a true Docker replacement. Among its features: support for rootless containers, a fork/exec model for starting containers, a daemonless design, and more.
The advantages of a rootless container are obvious. If it can be prevented from running as root, you run it without root privileges.
With this article, I hope to help remove some hurdles that may crop up when you use Podman to deploy rootless containers.
Podman in rootless execution
If you are a seasoned IT professional, you might have committed one of the following crimes:
Running the docker command with sudo, escalating its privileges.
Adding your non-root user to the docker group (big oof).
As you might have realized by now, this is a terrible security practice. You are giving the Docker daemon root access to your machine. That exposes two methods of exploitation:
The Docker daemon (dockerd) runs as root. If dockerd has a security vulnerability, your entire system is compromised because dockerd is a process owned by the root user.
An image that you use might have vulnerabilities. What if the vulnerable image is used by a container that is running as a process of the root user? An attacker can use the vulnerable image to gain access to your entire system.
The solution is simple: don’t run everything as root, even if you trust it. Remember, nothing is 100% secure. I present to you Podman’s ability to manage containers without root access.
If you start a container using Podman as a non-root user, said container does not gain any additional privileges, nor will Podman ask you for a sudo password.
Below are the benefits Podman provides when you use it for root-less containers (without any super-user privileges):
You can isolate a group of related containers per local user (e.g., run Nextcloud and MariaDB under the user nextcloud_user, and Gitea and PostgreSQL under the user gitea_user).
Even if a container or Podman itself gets compromised, it cannot get complete control over the host system, since the user executing the container is not root. That said, the user under which the exploited container runs might as well be considered a user gone rogue.
Limits of root-less Podman
When you use root-full Podman/Docker, you are giving Podman/Docker super-user level privileges. That is certainly very bad, but it also means that all of the advertised functionalities work as intended.
Instead, when you run Podman containers without root privileges, it has some limits. Some of the major ones are as follows:
Container images cannot be shared across users. If user0 pulls the ‘nginx:stable-alpine’ image, user1 will have to separately pull the ‘nginx:stable-alpine’ image for themselves. There is no way [at least not yet] to share images between users. You can, however, copy images from one user to another; refer to this guide by Red Hat.
If you specify a UID in a rootless Podman container, any UID that is not already mapped may fail. It is best to run Podman from an existing user’s shell, or better yet, create a systemd service to auto-start it.
Getting started with root-less Podman
Before you get started with the rootless execution of containers, there are a few prerequisites that need to be met.
Make sure you have slirp4netns installed
The slirp4netns package provides user-mode networking for unprivileged network namespaces. It is necessary if you want your rootless container to interact with any kind of network.
You can install the slirp4netns package on Debian/Ubuntu based Linux distributions using the apt package manager like so:
sudo apt install slirp4netns
On Fedora/RHEL based Linux distributions, use the dnf package manager to install slirp4netns like so:
sudo dnf install slirp4netns
Arch Linux users know how to do it with pacman, but regardless, below is the command you might be looking for:
sudo pacman -Sy slirp4netns
Make sure that your subuid and subgid are properly configured
Since rootless Podman containers are run by an existing user on the system, that non-root user needs permission to run a rootless container as a UID that is not their own UID. The same applies to GIDs.
Each user is given a range of UIDs that it is allowed to use. This is specified in the /etc/subuid file; the /etc/subgid file does the same for the GIDs a user is allowed to use.
The format of these files is as follows:
username:initial UID/GID allocated to the user:range/size of allowed UIDs/GIDs
So, let us say my user pratham wants 100 UIDs and krishna wants 1000 UIDs. Below is how the /etc/subuid file would look:
What this effectively means is that the user pratham can use UIDs between ‘100000’ and ‘100100’. Meanwhile, user krishna can use UIDs between ‘100100’ and ‘101100’.
Usually, this is already set up for each user you create, and usually the range is set to ‘65536’ usable GIDs/UIDs. But in some cases, this needs to be done manually.
But hold on: if this is not already done for your user, you do not need to edit the file by hand for each user. You can use the usermod command for this. Below is the command syntax to do so:
Replace the strings START, RANGE and USERNAME according to your needs.
Make sure that the files /etc/subuid and /etc/subgid have permissions 644 and are owned by root:root.
Want to bind Ports less than 1024?
If you are using a reverse proxy for SSL, you will know that ports 80 and 443 need to be accessible by a certificate provider like Let’s Encrypt.
If you try to bind ports lower than 1024 to a rootless container managed by Podman, you will notice that it is not possible. Well, it is possible, but it is not configured out of the box.
A non-root user is not allowed to bind anything to ports lower than 1024.
So, how do I bind ports lower than 1024 in root-less Podman? To do that, first determine the lowest port that you need. In my case, to deploy SSL, I need ports 80 and 443. So the lowest port that I need is port 80.
Once that is determined, add the following line to the /etc/sysctl.conf file:
Essentially, you are changing the value of net.ipv4.ip_unprivileged_port_start to the lowest port you need. If I substitute YOUR_PORT_NUMBER with 80, I can bind port 80 with Podman in a root-less container.
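As an added example, not from the article, the following POSIX shell helpers check the prerequisites covered in this section: a user’s entry in the user:start:count format, overlaps between users’ ranges, the 644 root:root permissions, and whether a port sits below net.ipv4.ip_unprivileged_port_start. Function names, the report layout and the sample entries in the comments are mine; the code assumes GNU stat(1) and procps sysctl(8).

```shell
#!/bin/sh
# Added example, not from the article: read-only checks for the rootless Podman
# prerequisites described above (subuid/subgid ranges, their permissions, and
# the unprivileged port threshold). Assumes GNU stat(1) and procps sysctl(8).

# subid_range FILE USER
# Prints "START END" (END exclusive) for USER's first entry in FILE, which uses
# the user:start:count format described above. Returns 1 if USER has no entry.
# Constructed sample: "pratham:100000:100" yields "100000 100100".
subid_range() {
    awk -F: -v u="$2" \
        '$1 == u { print $2, $2 + $3; found = 1; exit }
         END      { if (!found) exit 1 }' "$1"
}

# subid_overlaps FILE
# Prints one "USER1 USER2" line per pair of entries whose ranges intersect.
# Overlapping ranges let one user's containers own files created by another
# user's containers, which defeats the per-user isolation described above.
subid_overlaps() {
    awk -F: '
        { user[NR] = $1; lo[NR] = $2; hi[NR] = $2 + $3 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] < hi[j] && lo[j] < hi[i])
                        print user[i], user[j]
        }' "$1"
}

# subid_perms_ok FILE  ->  0 when FILE is mode 644 and owned by root:root
subid_perms_ok() {
    [ "$(stat -c '%a %U:%G' "$1")" = "644 root:root" ]
}

# unprivileged_port_ok PORT [THRESHOLD]
# 0 when an unprivileged user may bind PORT. THRESHOLD defaults to the live
# value of net.ipv4.ip_unprivileged_port_start.
unprivileged_port_ok() {
    threshold=${2:-$(sysctl -n net.ipv4.ip_unprivileged_port_start)}
    [ "$1" -ge "$threshold" ]
}

# sysctl_line PORT  ->  the /etc/sysctl.conf line that lowers the threshold to PORT
sysctl_line() {
    printf 'net.ipv4.ip_unprivileged_port_start=%s\n' "$1"
}

# rootless_prereq_report USER PORT
# Human-readable summary against the live /etc/subuid, /etc/subgid and kernel,
# e.g. rootless_prereq_report pratham 80
rootless_prereq_report() {
    for f in /etc/subuid /etc/subgid; do
        if range=$(subid_range "$f" "$1"); then
            echo "$f: $1 may use ids in [${range% *}, ${range#* })"
        else
            echo "$f: no entry for $1 (add one with usermod before running podman)"
        fi
        subid_perms_ok "$f" || echo "$f: expected mode 644, owner root:root"
        overlaps=$(subid_overlaps "$f")
        [ -z "$overlaps" ] || echo "$f: overlapping ranges: $overlaps"
    done
    if unprivileged_port_ok "$2"; then
        echo "port $2 can be bound without root"
    else
        echo "port $2 needs: $(sysctl_line "$2") in /etc/sysctl.conf"
    fi
}
```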
WHERE ARE MY IMAGES?
No need to scream at me, buddy. I was going to tell you, eventually…
As I pointed out earlier, a limitation of Podman is that it cannot share images between users. They either need to be pulled for each user or copied from one user to another. Both of these take up 2x/3x/4x the space (depending on how many duplicates exist).
Images for any user are stored in that user’s home directory, specifically inside the ~/.local/share/containers/storage/ directory.
Give it a try!
Once all the prerequisites are satisfied, you can run the podman run command from a non-root user’s shell and start a container.
Since I use Caddy Server for my SSL, I will use that in this tutorial. To run Caddy Server as a rootless container using Podman, while binding it to ports lower than 1024, I will simply run the following command:
$ podman run -d --name=prathams-caddy -p 80:80 -p 443:443 caddy:alpine
$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e6ed67eb90e6 docker.io/library/caddy:alpine caddy run --confi... 2 seconds ago Up 2 seconds ago 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp prathams-caddy
$ ps aux | grep caddy
pratham 3022 0.0 0.0 85672 2140 ? Ssl 06:53 0:00 /usr/bin/conmon --api-version 1 -c e6ed67eb90e6d0f3475d78b287af941bc873f6d62db60d5c13b1106af80dc5ff [...]
pratham 3025 0.1 0.3 753060 32320 ? Ssl 06:53 0:00 caddy run --config /etc/caddy/Caddyfile --adapter caddyfile
As you can see, the user pratham is not root, and I did not use the sudo command to escalate the privileges of the user pratham. I was able to run the Caddy Server container rootless using Podman.
The output of the ps command shows that PID 3022 is a process owned by the pratham user. This process is the Caddy Server container (I have trimmed the output). PID 3025 is a child process of PID 3022 and is also under the pratham user.
Did I not address your issue?
I apologize if I did not cover your issue with root-less Podman containers. Since Podman is new (in software years), it will have some unexpected issues.
Fret not. I have included the official troubleshooting guide below. Refer to that when in doubt. It is also the one that will be updated frequently.
In this article I demonstrate how you can get started with managing rootless containers using Podman. I talk about the necessary software that enables this functionality. I go over common issues you may face with rootless Podman containers and how to mitigate them. I also link to the official documentation, where you might find a more technical troubleshooting guide.