Cybersecurity researchers at Aqua Security have discovered a new attack campaign that exploits Kubernetes RBAC to create backdoors and mine cryptocurrency such as Monero.
RBAC (Role-Based Access Control), the Kubernetes API access control system, lets administrators specify which users or service accounts can access which API operations and resources.
This system provides precise access control and strengthens security by limiting access to critical resources.
Cyber Attack Via Kubernetes RBAC
By exploiting RBAC to enforce malicious access control policies, threat actors can maintain persistence on a compromised cluster even after the misconfiguration that gave them initial access has been fixed.
Aqua Security’s research team, ‘Nautilus’, discovered this new type of attack and named it ‘RBAC Buster’. Reportedly, 60 misconfigured Kubernetes clusters were compromised as a result of this campaign.
The threat actor established a powerful and covert persistence by crafting a new ClusterRole with almost full admin privileges, producing a ‘kube-controller’ ServiceAccount within the ‘kube-system’ namespace, and then linking the ClusterRole with the ServiceAccount via a ‘ClusterRoleBinding’.
Here the attacker sought to exploit the AWS access keys exposed in the researchers’ K8s honeypots to:
Establish an ongoing foothold in the system.
Extract sensitive information
Evade the cluster’s restrictions
The attacker also deleted several existing deployments in different namespaces, including:
kube-secure-fhgxtsjh
kube-secure-fhgxt
api-proxy
worker-deployment
The perpetrator’s last move was to create a DaemonSet that deploys a Docker-hosted container image (“kuberntesio/kube-controller:1.0.1”) on every node.
The cryptocurrency miner is hidden within the container, which has been downloaded over 14,000 times in the last five months. By typosquatting the legitimate ‘kubernetesio’ account, the ‘kuberntesio/kube-controller’ container image deceives users.
The image also imitates the essential ‘kube-controller-manager’ container image, which runs within a Pod on every master node and is responsible for detecting and addressing node failures.
Upon examining the configuration file, it became apparent that the perpetrator had already mined 5 XMR and could earn up to $200 annually per worker.
Moreover, RBAC Buster attacks on Kubernetes clusters can result in severe outcomes such as:-
Mitigations
The experts recommend the following security measures to mitigate the threat:
Prohibit unauthenticated requests from anonymous users.
Secure the API server.
Employ Role-Based Access Control (RBAC) effectively.
Enforce strict API access policies.
Regularly monitor audit logs.
Encrypt any secrets with proper encryption.
Always secure the account credentials hosted in the cluster.
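The persistence pattern and the RBAC mitigations above can be checked mechanically. The following is an added example, not code from Aqua Security or from the original article: it audits a list of cluster objects for bindings to anonymous subjects, near-admin ClusterRoles bound to ServiceAccounts, and DaemonSet images whose namespace is a look-alike of a trusted one. The sample objects, the names prefixed `example-`, the DaemonSet names and the allowlist are constructed assumptions.

```python
"""Audit cluster objects for the RBAC Buster persistence pattern."""

ANONYMOUS = {"system:anonymous", "system:unauthenticated"}
# Assumption: an allowlist of the image namespaces you actually pull from.
TRUSTED_IMAGE_NAMESPACES = {"kubernetesio"}


def is_near_admin(role):
    """True if any rule grants every verb on every resource."""
    return any("*" in (r.get("verbs") or []) and "*" in (r.get("resources") or [])
               for r in role.get("rules") or [])


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike image namespaces."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(items):
    """Return sorted (finding, object name, detail) tuples."""
    roles = {o["metadata"]["name"]: o for o in items if o["kind"] == "ClusterRole"}
    findings = []
    for o in items:
        name = o["metadata"]["name"]
        if o["kind"] == "ClusterRoleBinding":
            powerful = is_near_admin(roles.get(o["roleRef"]["name"], {}))
            for s in o.get("subjects") or []:
                if s["name"] in ANONYMOUS:
                    findings.append(("anonymous-binding", name, s["name"]))
                elif powerful and s["kind"] == "ServiceAccount":
                    sa = f'{s.get("namespace", "")}/{s["name"]}'
                    findings.append(("near-admin-serviceaccount", name, sa))
        elif o["kind"] == "DaemonSet":
            for c in o["spec"]["template"]["spec"]["containers"]:
                ns = c["image"].split("/")[0]  # first path component only
                if any(0 < edit_distance(ns, t) <= 2 for t in TRUSTED_IMAGE_NAMESPACES):
                    findings.append(("lookalike-image", name, c["image"]))
    return sorted(findings)


def mk_role(name, resources, verbs):
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "rules": [{"apiGroups": ["*"], "resources": resources, "verbs": verbs}]}


def mk_binding(bname, role, **subject):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": bname},
            "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": [subject]}


def mk_daemonset(name, image):
    return {"kind": "DaemonSet", "metadata": {"name": name}, "spec": {"template": {
        "spec": {"containers": [{"name": name, "image": image}]}}}}


# Constructed sample, shaped like the items of `kubectl get ... -o json`.
SAMPLE = [
    mk_role("cluster-admin", ["*"], ["*"]),
    mk_role("example-controller-role", ["*"], ["*"]),
    mk_role("view-pods", ["pods"], ["get", "list"]),
    mk_binding("cluster-admin", "cluster-admin", kind="Group", name="system:masters"),
    mk_binding("example-anon-binding", "cluster-admin",
               kind="User", name="system:anonymous"),
    mk_binding("example-controller-binding", "example-controller-role",
               kind="ServiceAccount", name="kube-controller", namespace="kube-system"),
    mk_binding("pod-viewer", "view-pods",
               kind="ServiceAccount", name="metrics", namespace="monitoring"),
    mk_daemonset("kube-controller", "kuberntesio/kube-controller:1.0.1"),
    mk_daemonset("kube-proxy", "registry.k8s.io/kube-proxy:v1.27.1"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Some add-ons legitimately bind a ServiceAccount to a wildcard role, so the `near-admin-serviceaccount` findings are a review list to compare against a known-good baseline rather than a verdict.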
Best Buy is offering a limited-time sale on its 5-Series QLED 4K Google TV. The TV is now available for just $299, which is a savings of $100 off its regular price.
This is part of Best Buy’s 3-Day Sale that is going on this weekend, ending on Sunday, April 23 at midnight EST. So get yours before it is gone.
The TCL 5-Series QLED 4K Google TV is a great option for anyone looking for a high-quality, affordable TV. It features a stunning QLED display with Quantum Dot technology, which delivers vibrant colors and deep blacks. The TV also has a powerful processor that makes it fast and responsive, and it comes with Google TV, which gives you access to a wide variety of streaming apps and content.
If you’re looking for a great deal on a new TV, the TCL 5-Series QLED 4K Google TV is a great option. It’s currently on sale for just $299, so be sure to take advantage of this offer while it lasts.
Here are some of the key features of the TCL 5-Series QLED 4K Google TV:
QLED display with Quantum Dot technology
Powerful processor
Google TV
Wide variety of streaming apps and content
Affordable price
If you’re looking for a great TV that won’t break the bank, the TCL 5-Series QLED 4K Google TV is a great option. It’s currently on sale for just $299, so be sure to take advantage of this offer while it lasts.
The TCL 5-Series QLED 4K Google TV is a great choice for anyone looking for a high-quality, affordable TV. It has a stunning display, a powerful processor, and a wide variety of streaming apps and content. It’s currently on sale for just $299, so be sure to take advantage of this offer while it lasts.
It’s no secret that over the past few years, Snapchat has been trying to bring more creators on its platform and compete with short-form video giants like Instagram and TikTok. Now, in line with these efforts, Snapchat has announced the expansion of its revenue-sharing program and new features to help budding creators get going with creating content on the app.
Although Snapchat initially introduced mid-roll ads as a way for Snap Stars to earn money from the platform last year, the company is now expanding the program to include creators with at least 50,000 followers and 25 million monthly Snap views who post at least 10 stories per month.
“We’ve listened to our community, who want more ways to share their creativity with a wider audience, all while keeping Snapchat the best place for their real friends,” says Snap.
However, the success of the program will depend on Snapchat’s TikTok competitor, Spotlight, which has 350 million monthly users. Therefore, if a creator has a large following on Spotlight, they will have more story views, which increases their chances of earning more money. And unlike other platforms, Snapchat’s earnings for creators are also not limited by a creator fund.
Public-facing stories and more
Besides the revenue-sharing platform, Snapchat is also adding new public-facing profiles and Stories for users over the age of 18. This will allow creators to share both private “friend” content and publicly viewable Stories from the same account, thus helping them grow as creators and become Snap Stars. Additionally, the platform is making it easier for users to discover new creators by integrating their Spotlight content into Snap Map and allowing creators to schedule their Stories and add a Linktree to their bio.
While these new features are a step in the right direction for Snap to grow as a platform for creators, they are far from the platform’s original promise of being a messaging app for “real friends.” Moreover, it’s also unclear if Snapchat’s revenue-sharing program will be successful, as other short-form video platforms like TikTok have struggled to share ad revenue due to the limitations of the format.
A new leak has surfaced which highlights some key details about the specs of ASUS’s rumored ROG Phone 7D series phones, including RAM, storage and more. While ASUS itself has not yet confirmed these devices exist, or that it will be making them in the future, this most recent leak isn’t the first. Nor will it likely be the last.
Last year, ASUS began making a “D” series of its popular ROG Phone. In concept, they’re not too different from the likes of Google’s Pixel A series phones. They’re more budget-friendly options that scale back the price just a little by using less expensive components. But without compromising too much on the way the phones perform. It looks like ASUS will be continuing with this trend for the ROG Phone 7 and ROG Phone 7 Ultimate that launched earlier this month.
The interesting thing is that with the ROG Phone 7D series, there will be different RAM options between the standard and high-end models. With the ROG Phone 7 and ROG Phone 7 Ultimate, RAM and storage are the same across the board.
The ROG Phone 7D will come with less RAM than the ‘Ultimate’ model
With its new ROG Phone series, ASUS did something a little different this year. It used the same amount of RAM in both the ROG Phone 7 and ROG Phone 7 Ultimate, totaling out at 16GB. With the ROG Phone 6 series, the ROG Phone 6 Pro had 18GB while the standard model only had 16GB.
It seems the ROG Phone 7D and ROG Phone 7D Ultimate will follow that path. According to the leak, the 7D Ultimate will come with 16GB of RAM, while the standard 7D will only have 12GB. The storage is also going to be different if the leak is accurate, with 256GB in the 7D and 512GB in the 7D Ultimate, which matches both the 7 and 7 Ultimate models.
When it comes to the other specs, the leak also mentions both devices will likely use the MediaTek Dimensity 9200+ chipsets. While coming with a 6.78-inch AMOLED display. The phone is rumored to be coming out in China in August of this year, and other regions a bit later.
Sling TV has just added another 8 channels to its Freestream service. That’s their FAST service, with over 300 channels of free live TV. And about 41,000 on-demand titles, all for free.
The new channels added to Sling’s Freestream service today, are mostly sports related. You’ll find them all down below:
Ace TV
Pickle TV
The Red Green Channel
B – FidoTV
Lacrosse TV
MotoAmerica TV
Broadway on Demand
World Poker Tour
These aren’t the big sports like the NBA, NFL, NHL and others. These are instead a bit more niche and those that likely can’t garner a huge media rights deal like the NBA or NFL. But hey, if you’re into these sports, they are now free.
What is Sling Freestream?
You might be wondering what is Freestream? It’s a free service from Sling TV, that has a bunch of great content on well over 300 channels that are streaming 24/7. From sports, to news (and local news), to entertainment and everything in between, it’s all here on Freestream.
This is just the latest for FAST channels, which are Free Ad-Supported TV channels. Basically, this is all the content that no one else wanted to license for their ad-supported services, and so now Sling TV (among other providers) can license it onto Freestream. It’s free because it is ad-supported, so they make money from the ads to pay for the licensing and to make a profit. It’s a new thing that we’re seeing a lot of services do, including Pluto TV, Tubi and others.
It’s a pretty good service, with a lot of content available. Sure, the majority of it is not new content, and is generally quite older. But this is free content, so it’s pretty hard to complain here. But it’s a good way to add more content to your TV watching, without forking over more money.
WhatsApp has announced via a blog post a new feature that allows users to save disappearing messages before they vanish. The feature will give users a chance to keep important messages that they may want to refer back to later.
Disappearing messages is a feature that WhatsApp introduced back in 2020, which allows users to set their messages to automatically delete after a specified amount of time, ranging from 24 hours to 7 days. While this feature was meant to help users keep their chats private and reduce clutter, it was difficult for users to hold onto messages that they wanted to keep.
With the new feature, called “Keep In Chat,” users can now select messages in a chat and save them by tapping on the bookmark icon. Once a message has been saved, it will no longer disappear after seven days. Users can also un-save messages by tapping on the bookmark icon again.
Sender notification and consent will be required before proceeding, and without their permission, the message will automatically delete itself after the allotted time has passed. Both the sender and the receiver will be able to see the bookmark icon next to any messages that can be stored in the WhatsApp conversation and the saved messages will be conveniently stored in a designated “Kept Messages” folder. In this approach, WhatsApp’s implementation of its Keep In Chat function does not undermine the security and privacy afforded by disappearing messages and the decision to store a message ultimately rests with the sender. The new feature is currently rolling out to both individual and group chats. However, users can only save messages that have not already disappeared. Once a message has disappeared, it cannot be saved.
This update comes after WhatsApp’s recent controversy over its privacy policy changes, which led many users to switch to other messaging apps such as Signal and Telegram. The addition of the save disappearing messages feature may help to win back some users who were concerned about the privacy and security of their conversations on the platform.
Anime dominates several forms of media like TV shows, comic books, and, unfortunately, movies (we’re all still reeling from DragonBall Evolution). It also dominates the gaming world with all sorts of games based on anime characters across multiple platforms. There’s a healthy number of Anime Android games, and here’s a list of the top 10.
This is a list of games that star some of your favorite anime characters from popular shows. We’re only going to talk about games based on existing franchises rather than games that are anime-inspired; sorry, Genshin Impact. Without further ado, let’s see which apps will get your chakra flowing.
Top 10 Best Anime Android Games – April 2023
Below is a quick rundown of the games that are on this list. It shows the download cost of the game and any in-app purchases.
Game | Download Cost | In-app cost (per item)
EDENS ZERO Pocket Galaxy | ✕ | $0.99 – $79.99
GUNDAM BREAKER MOBILE | ✕ | ✕
MHA: The Strongest Hero | ✕ | $0.99 – $99.99
NARUTO X BORUTO NINJA VOLTAGE | ✕ | $0.99 – $79.99
My Hero Ultimate Impact | ✕ | $0.99 – $79.99
The Seven Deadly Sins | ✕ | $0.99 – $79.99
Pokémon Masters EX | ✕ | $0.99 – $79.99
Pokemon Go | ✕ | $0.99 – $99.99
One Punch Man – The Strongest | ✕ | $0.99 – $99.99
Beyblade Burst Rivals | ✕ | $0.99 – $38.99
Top 10 Best Anime Android Games – April 2023
Below is a little more information on each app, and a direct link for easy downloading.
All download links go to the app’s Google Play Store listing. Users are always recommended to download apps from Google Play or an authorized app store.
EDENS ZERO Pocket Galaxy
Download Cost: Free
In-App Cost: $0.99 – $79.99
Size: 543MB
Google Play Rating: 4 stars out of 5
EDENS ZERO Pocket Galaxy is based on the popular manga and anime series that premiered in recent years. It’s an action RPG game that takes the series’ core characters and pits them against hordes of enemies.
The gameplay is pretty simple. It’s a fully 3D game so you’re free to roam around as you fight off the baddies. You use the digital joystick on the left side of the screen to move and the buttons on the right to attack. You’ll be able to use different powered attacks to inflict more damage.
This is a pretty straightforward action-packed game for fans of the franchise. It’s free to play, and the in-app purchases don’t get in the way of the gameplay.
This game will be perfect for you if you’re into older anime. Gundam is one of the older anime franchises, and there are a ton of games out for it. GUNDAM BREAKER MOBILE brings the game to your mobile device.
The game is a fun and action-packed game that puts you into the cockpit of a mobile suit. When you start a level, you’ll be put up against waves of enemy robots. You’ll need to fight your way through these using your melee attacks and blasters.
The game is separated into levels, and you’ll have simple cutscenes in between each level to bring a bit of story into the mix. If you’re a Gundam fan, then this game is a must!
There’s no shortage of games centering around My Hero Academia, and this is one of the most ambitious ones. MHA: The Strongest Hero is a major game that was developed by Crunchyroll Games LLC. If you’re looking for an immersive MHA experience, then you should get this game.
It follows the story of Deku, the main character in the series, as he begins his journey to and through the special academy for gifted students. It follows the anime pretty faithfully with the addition of some side stories.
What makes this game interesting is that it has fully-voiced cutscenes complete with sound effects. So, it’s a fun game to play and a treat for the ears.
NARUTO X BORUTO NINJA VOLTAGE takes your favorite characters from both Naruto and Boruto and lets you use them in battle. You’ll run through expansive stages and fight through hordes of ninja enemies en route to the end.
The combat is typical for most mobile beat ’em ups. You use the joystick on the left of the screen to move, and the buttons on the right to attack. You have your basic attack button, but you can also use the accompanying powered attacks to deal more damage.
One of the main draws to this game is the cast of popular characters from the anime series. You can draw and collect your favorite characters from the Naruto and Boruto franchises to use in battle.
My Hero Academia fans will love this turn-based RPG about the popular series. As you can imagine, you can use the cast of characters from the show and fight your way through different enemies. You’ll collect these characters as you progress.
This game uses its own aesthetic with stylized character models. They’re more cartoonish than the characters on the show, but they still retain their original charm. It makes for an overall good-looking game.
Seven Deadly Sins is an RPG developed by Netmarble, and it follows the main characters of the show. It uses classic turn-based combat, and you attack with a team of at least three people.
You’ll progress through a cinematic storyline with fully-voiced cutscenes. Also, the visuals are amazing with very well-modeled and expressive characters. It’s a great game to play if you want to feel like you’re watching the actual anime.
There are several Pokemon games on the mobile market, but this one stands out due to its RPG gameplay mechanics. You’ll start the game by customizing your character and picking a name. After that, you’ll meet Misty and Brock and start your journey.
What also makes this game stand out is the three-on-three battle. Each character will spawn a Pokemon, and you’ll embark on turn-based combat. It’s different from other games on the Google Play Store, but it’s still familiar if you play the console games. It’s a great game to play if you love Pokemon games.
Pokemon Go is six years old at this point, but it’s still one of the most popular mobile games on the market. If you’re not familiar with the game, it’s an AR (augmented reality) game that lets you go out into the world and catch Pokemon.
The Pokemon will pop up in your area and you’ll be able to catch them. Just like in the classic games, you’ll be able to collect a ton of different Pokemon and use them for battle. Also, you can evolve them. Along with that, you can also go to different locations to receive different items.
One Punch Man – The Strongest is a turn-based RPG with the characters from the popular anime. You travel from location to location fighting your way through the enemies and upgrading your characters.
In case you’re wondering, you can’t really play as the titular character. However, he does pop up from time to time. True to his name, he defeats all enemies with only one punch.
This game takes the popular spin top battle game and adds its own spin. It follows characters from the popular anime, and it lets you battle them in Beyblade arenas.
The gameplay is a bit different from what most people would expect. Instead of swiping to launch the tops, this is actually a match-3 game. Animations of the tops will play in the background and your game board will sit in the foreground.
You’ll want to match as many of the tiles as you can before the timer runs out. Different tiles have different effects when they’re matched. Some will increase the attack while others increase stamina. And, we can’t forget about tiles that deliver special attacks.
Acer held its recent device summit today and at the showcase it revealed its collection of new gaming hardware for 2023, which includes four new gaming laptops powered by NVIDIA 40-series GPUs. Ranging from the 4050 all the way up to the 4090.
There seems to be something for everyone here with configurations and components ranging from mid-grade all the way up to the high-end. The new laptops are part of the Predator Triton and Predator Helios series, and include the Triton 17 X, Helios Neo 16, Triton 14, and Helios 3D 15, giving consumers a set of options that spans a decent range of sizes depending on what they need or want.
Acer is also beefing up the laptops with new CPUs from Intel’s 13th generation chipsets. The Predator Triton 17 X for instance comes with an Intel Core i9-13900HX CPU and an NVIDIA GeForce RTX 4090 GPU. All four laptops also come with mini-LED displays. Though resolution options will vary based on the laptop model.
Additionally, there will be options for storage up to 4TB and RAM up to 64GB on the Triton 17 X, and up to 2TB of storage and 32GB of RAM on the other models.
Acer GeForce RTX 40-series gaming laptops will launch from May
Acer plans to launch its new 40-series gaming laptops starting in May. At that time, only the Triton 17 X, Helios Neo 16, and Triton 14 will be available for purchase. With prices starting at $3,799, $1,199, and $1,499 respectively. Then in June the company plans to launch the Helios 3D 15 starting at $3,499.
The prices for the Triton 17 X and the Helios 3D 15 are certainly steep. But that’s not too surprising given the features and tech used to build both laptops. You can find out more about each of the four new laptops, including additional specs and features in Acer’s official blog post.
Twitter recently began adding a “government-funded” and “state-affiliated” label to media accounts that it considered as having received either partial or full financial support from a government agency. Although practical for accounts that were clearly 100% funded by a foreign government, the practice drew heavy criticism when it was applied to popular news organizations, such as NPR or PBS, that claimed they were editorially independent.
The backlash was such that it culminated in Twitter deciding to remove the label altogether. Reportedly, as noted by Engadget, Twitter took the step after receiving criticism that the label could be used to manipulate public opinion and the departure from Twitter of some of the affected accounts.
The label was first created in an attempt to curb the spread of misinformation and to ensure that users are not misled. Such has been the case with foreign governments, such as that of China, that have been known to use social media platforms to spread propaganda and promote its own interests. According to a Twitter spokesperson, the decision to remove the government-funded label was made after the company conducted a review of its policies, and added that Twitter remains committed to ensuring that its platform is not used to spread misinformation or propaganda.
The move has been welcomed by many who see it as a positive step in the fight against the spread of false information. However, some critics have raised concerns about the impact that the move could have on freedom of speech. This also follows the removal of several legacy verification checkmarks from notable accounts that have opted not to pay for Twitter Blue, except those that Elon Musk has decided to pay for himself, such as that belonging to Stephen King and Lebron James, among others.
Twitter has been under pressure in recent years to take a more active role in the fight against fake news and misinformation. The new management, helmed by Elon Musk, has in turn rolled out a number of measures to address this issue, however, they almost always feel like a trial just to see what “sticks”. Hopefully, Twitter can come out of this transition unscathed and can finalize a set of rules and regulations that everyone can abide by without worrying about volatile last minute changes.
Two new critical flaws have been found in Alibaba Cloud’s popular services, ApsaraDB and AnalyticDB.
Both affected services are the PostgreSQL offerings. The Wiz security research team has named these vulnerabilities #BrokenSesame.
One of the vulnerabilities enables supply-chain attacks on the database services, leading to RCE.
The other allowed potential unauthorized access to Alibaba Cloud customers’ PostgreSQL databases.
Critical Flaws
The critical flaws in Alibaba Cloud services existed in the Kubernetes Clusters (K8s).
K8s node compromised – Researchers found that K8s applications were not appropriately isolated, leading to a few insecure behaviors.
They performed a privilege escalation with a cronjob task, which elevated their privileges inside the container to root.
As root, they moved laterally to another container in their pod by exploiting a shared PID namespace, which led to an escape to the K8s node.
Once on the node, they used the kubelet credentials to access secrets, service accounts, and pods.
Supply chain due to write permissions on container image registry – While accessing the pods on the node, Wiz’s research team found that the node was shared and hosted pods belonging to other tenants.
They also found a private image registry and tested some credentials, which led to the discovery of write permissions on the container images.
With a compromised K8s node, this write permission can be used for supply-chain attacks.
These attacks were possible on ApsaraDB and AnalyticDB for PostgreSQL on Alibaba Cloud.
Handling multiple containers can be a tedious job. Hence, having better security controls in place is recommended.
These critical flaws show that container isolation needs to be configured much more securely, so that these kinds of escapes to the K8s node are not possible.
Researchers demonstrated that exploiting the vulnerabilities in AnalyticDB for PostgreSQL and ApsaraDB RDS for PostgreSQL could result in unauthorized cross-tenant access to customers’ PostgreSQL databases and a supply-chain attack.
You can read a complete technical analysis here at Wiz.
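The isolation weakness described above (root inside one container, then lateral movement through a shared PID namespace) can be looked for in pod manifests. The following is an added example, not code from Wiz or Alibaba Cloud: it flags pods where containers share a process namespace and can run as root, plus privileged containers and host PID sharing. The two sample pods and all their names are constructed.

```python
"""Flag pod settings that weaken container-to-container isolation."""


def container_can_be_root(container, pod_sc):
    """True unless the container is forced non-root and barred from escalating."""
    sc = container.get("securityContext") or {}
    # Container-level runAsNonRoot overrides the pod-level value.
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    # allowPrivilegeEscalation behaves as true when it is not set.
    can_escalate = sc.get("allowPrivilegeEscalation", True)
    return bool(sc.get("privileged")) or can_escalate or not non_root


def isolation_findings(pod):
    """Return sorted (finding, container name) tuples for one Pod manifest."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    containers = spec.get("containers") or []
    findings = []
    if spec.get("hostPID"):
        findings.append(("host-pid", "*"))  # pod sees every process on the node
    shared = bool(spec.get("shareProcessNamespace")) and len(containers) > 1
    for c in containers:
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(("privileged", c["name"]))
        # With a shared PID namespace, a root process in one container can
        # see and signal the processes of every other container in the pod.
        if shared and container_can_be_root(c, pod_sc):
            findings.append(("root-in-shared-pid-namespace", c["name"]))
    return sorted(findings)


# Constructed manifests: a database container next to a privileged helper.
RISKY_POD = {
    "metadata": {"name": "example-db-0"},
    "spec": {
        "shareProcessNamespace": True,
        "containers": [
            {"name": "postgres"},
            {"name": "ops-agent", "securityContext": {"privileged": True}},
        ],
    },
}

HARDENED_POD = {
    "metadata": {"name": "example-db-1"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "postgres",
             "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "ops-agent",
             "securityContext": {"allowPrivilegeEscalation": False}},
        ],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], isolation_findings(pod))
```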