• Are Permanent Holiday Lights Tacky or Actually Brilliant?
    www.housebeautiful.com
    It may not always seem like it, but the holidays are all about balance: a balance between giving and receiving. A balance between an all-out decorating effort and taking a few shortcuts to make things easier on yourself. Balance on a ladder as you hang lights on your house, and balance again when you take them down mere weeks later. Sometimes frustrating, always time-consuming, but this is the way it's always been and will always be.

    Or maybe not. Is there another way to deck your house in Christmas lights without fear of falling, electrocution, or losing your mind? Turns out, permanent holiday-style lights are an option being considered by a growing number of people.

    How Do Permanent Lights Work?
    Permanent lights like these popular ones from Govee are meant to stay on your house year round, requiring just one installation for up to 50,000 hours' worth of festive lighting. The lights are controlled by Google Assistant or Alexa, and can be changed depending on the season. Users can choose from 75 different scene modes and over 16 million color combinations. So you can have warm white lights for the holidays, an orange and purple light display for Halloween, or a full rainbow setup on your home for Pride month; just change the lights any time you want through the app. These permanent light kits come in lengths of 100 or 200 feet with black or white cords, and the cost starts around $400 if you're installing them yourself.

    Photo courtesy of Govee: a house with permanent decorative lights by Govee.

    Are Permanent Lights a New Phenomenon?
    Permanent lights have become more popular in the past decade, with more and more festive light companies offering an array of options.
    Some Reddit users noted that the cost of these lights has gone up since they gained traction during the Covid-19 lockdown, when some cities started to put up lights many months before the holidays in an effort to bolster pandemic-dampened spirits.

    Are They Actually Worth It?
    While some reviews commend these permanent lights for durability, ease of setup, and clear instructions, others remained unconvinced that the lights were as functional as they would have liked. "A few houses have them around me," wrote one Reddit user. "Instead of the distinct lights, there's just this glow. I think it looks tacky." Reviewers on Amazon complained that the app didn't always connect on their phones, making it difficult to control the different functions on a regular basis.

    Still, Lifehacker noted that after reviewing several different brands, these permanent lights were mostly a win: "You install them once, and leave them up all year. They don't look exactly like normal holiday string lights, but the effect is largely the same: a festive, colorful display. The lights are installed under your eaves or gutters and project light back onto the house. If you like, you can face them out like standard holiday lights, on your roof, for instance; they'll work fine that way too. Moreover, the impact made by permanent lights puts most incandescent or LED lights to shame."

    Any Drawbacks to Permanent Lights?
    The main downside to adding permanent lights to your home appears to be the upfront cost. Perhaps unsurprisingly, the initial installation is a bit of an investment, especially if you have these lights put in by a professional. This can run you anywhere from $2,500 to $5,500 for a standard home installation. This might sound like a lot, but fortunately it is a one-time price. And think about the money you'll save on hospital bills by not falling off a ladder and breaking your leg. It could well be worth it in the end.
  • Here's How to Give an Old House a Modern Makeover Without Stripping Away the Charm
    www.housebeautiful.com
    When a young couple decided on a gut renovation of their 1920s Mediterranean-style home in Los Angeles, they enlisted interior designer Mandy Cheng to bring everything up to date without sacrificing its original spirit. But there was a bit of a caveat: "The clients' taste for furniture and decor leaned much more contemporary, which was a challenge for me to blend seamlessly with the architectural details," says the founder of Mandy Cheng Design.

    Cheng's solution to bridge the styles? Custom built-ins. In the family room, an entertainment center spans a full wall, with arches and integrated windows that warm up the sunny space. The feature pairs nicely with of-the-moment items like a white boucle armchair and globe sconce.

    Beyond built-ins, Cheng reconfigured the four-bedroom, three-bathroom home into a five-bedroom, five-bath. "Upstairs, the original layout had one oversized bedroom, one smaller room, and a narrow, shared bathroom that was due for an update," Cheng explains. "The clients requested separate bathrooms for each child (they have a boy and a girl) and a refreshed primary suite. By reconfiguring some walls, we were able to add a bathroom, giving each child an en suite."

    On the main floor, the couple wanted a more spacious kitchen and a sightline to the family room. So Cheng reoriented the kitchen and removed walls to create an open layout, allowing them to see their kids while they prepare meals. But perhaps the most captivating kitchen addition is the hand-painted tiles sourced from Tabarka, a coastal town in Tunisia. "This was a tile-focused project, which was very challenging because they were ordered during the height of the pandemic when everything was stuck at the port," Cheng says.

    The resulting 3,500-square-foot home is "livable, easy, and fit for play dates and dinner parties alike," Cheng says.
    While well-suited for modern day living, its original spirit lives on.

    Photography by Madeline Tolle.

    Family Room
    "Figuring out the arches and integrating the windows into the full-wall entertainment center was a process that had such a great payoff," Cheng says. "I love that light comes through that wall, which is uncommon for full-wall built-ins."
    Sofa: Clad Home. Armchair: Article. Rug: West Elm. Sconce: Arteriors. Millwork: custom, by LA Design Build. Ottoman: custom.

    Living Room
    A variety of seating, from a blue Maiden Home sofa to a Serena & Lily hanging chair, ensures the living room is well equipped for elevated entertaining and for the kids to play games or read.
    Chandelier: Meadow Blu. Coffee table: One Kings Lane. Rug: Lulu & Georgia. Dining table: CB2. Dining chairs: Crate & Barrel.

    Kitchen
    "By backing the bench up against the island, we saved a little space in navigability," Cheng says. "And I love the flexibility and ease that this table offers."
    Pendants: Visual Comfort. Fixtures: Brizo. Counters: Vadara Quartz. Dining table: RH. Chairs: Hati Home. Bench: Jas Becker.
    "The arched shroud for the exhaust vent, the tiles with the terracotta-colored grout, the mix of painted and stain-grade cabinets, and the unique corner shelf: it all comes together so nicely," Cheng says.
    Tile: Tabarka Studio. Cabinetry paint: Troubador, Portola Paints. Cabinetry hardware: RH.

    Dining Room
    "This is one of the first rooms you see when you enter the house through the front door, and the custom 10-foot table is stunning," Cheng says. "Made for gatherings, I can't imagine a better space to hang out with friends and family."
    Table: custom, by Estuary Home. Chairs: Design Within Reach. End chairs: Rove Concepts. Rug: Rejuvenation. Light fixture: Park Studio. Wall art: client's own.

    Primary Bathroom
    "The tiles for the primary bath were hand-painted in Mexico," Cheng says.

    Pool House
    "We completely re-imagined the backyard and converted a dusty and somewhat dilapidated garage into a beautiful ADU/pool house," Cheng says, noting the transformation involved "rotating the pitch of the roof, adding a pergola, and opening it up to the newly installed pool." While the guest suite includes an efficient kitchen for family and friends who stay over, it also operates as a pool house on sunny days.
    Cabinetry paint: Hamilton Blue, Benjamin Moore. Cabinetry hardware: Schoolhouse. Tile: Tabarka Studio. Sconces: Illuminate Vintage. Fixtures: Brizo. Sofa: Clad Home. Coffee table: The Vintage Rug Shop.
  • Dutch startup's new battery material could wean Europe off Chinese graphite
    thenextweb.com
    Amsterdam-based startup CarbonX has secured €4mn to industrialise a new anode material that could help Europe reduce its reliance on China for graphite, a substance which makes up half the weight of a typical lithium-ion battery. Netherlands-based VC Energy Transition Fund Rotterdam led the round. It's an extension of CarbonX's €10mn capital injection announced in February, capping off the funding round at a cosy €14mn.

    Graphite is the go-to material for lithium-ion battery anodes, the negative electrode responsible for storing and releasing electrons during the charging and discharging process. It's found in batteries that power everything from EVs to smartphones. The EU imports almost 100% of its graphite from China, which recently imposed restrictions on exports of the carbon-based material amid rising political tensions between Beijing and the West.

    "A resilient battery supply chain is crucial for global electrification," said CarbonX's co-founder Rutger van Raalten. "Yet, we don't see sufficient alternatives for locally sourcing critical raw materials such as graphite."

    CarbonX wants to offer European and American battery makers a way to source a graphite alternative that is not just locally made, but greener and better performing. Spun out from Delft University of Technology in 2014, the company has developed an emulsion feedstock technology that takes carbon black (a fine, black powder made mostly of pure carbon) and processes it into a material with a complex 3D porous structure. Similar to graphite, this hexagonal formation creates spaces where lithium ions can insert themselves during charging. However, CarbonX says that its material has even more little crevices for the lithium ions to hide in.
    That means faster charging and longer-lasting batteries. "CarbonX's unique 3D porous network structure improves electron and lithium-ion transfer, while it is still highly compressible to achieve high energy densities," explained Daniela Sordi, CTO and co-founder of CarbonX.

    CarbonX's feedstock technology purportedly consumes much less energy compared to synthetic or natural graphite production. This means lower costs and fewer carbon emissions, it said. The company's carbon anode material is currently undergoing late-stage qualifications with several top 10 global battery cell manufacturers. It expects to secure its first offtake agreements halfway into 2025.

    Graphite demand is expected to rise by 20-25 times between 2020 and 2040, according to the International Energy Agency (IEA). To cater to this enormous market pull, CarbonX plans to scale up quickly. It is currently planning its first high-capacity facility at an existing carbon black factory in the Port of Rotterdam. Its tech can plug in to existing carbon black factories, using their current equipment, so there's no need to build new plants. The company is also undertaking a feasibility study for a 20,000 ton per annum production line in both Europe and the US, it said.

    "The founders of CarbonX found an answer to the developing Chinese export ban on graphite," commented Jesse In 't Velt, investment manager of Energy Transition Fund Rotterdam.

    Story by Siôn Geschwindt. Siôn is a climate and energy reporter at TNW. From nuclear fusion to escooters, he covers the length and breadth of Europe's clean tech ecosystem. He's happiest sourcing a scoop, investigating the impact of emerging technologies, and even putting them to the test. Siôn has five years' journalism experience and holds a dual degree in media and environmental science from the University of Cape Town, South Africa.
  • Where do startups come from? Ideas and entrepreneurs, of course
    thenextweb.com
    At TNW, we are all about supporting and elevating startups and entrepreneurs who are doing epic stuff with tech. When Red Bull reached out to talk about their innovation competition, my first thought was: what on Earth do we have in common with an energy drink company that has people jumping off cliffs and surfing really large waves? Apart from fuelling, in different ways, founders and developers across the world, of course. (Although, I guess, building a company could be considered an extreme sport.)

    Next generation of innovation
    Turns out, when it comes to supporting young minds that could change the world with their ideas, quite a lot. Red Bull Basement is the beverage giant's recurring innovation competition that, in the company's words, "empowers the next generation of innovators to develop and launch outstanding ideas and disrupt today's status quo." The 2024 edition took place across 39 countries, and received over 110,000 submissions.

    The local winners were all flown out to Tokyo for a global final across three days over the past week. They got to take part in workshops on business modelling, utilising AI as a founder, creating a successful pitch, forming strategic partnerships, brand development, media relations, etc.

    Photo: Sophia Lick from Germany built an app to help athletes with their mental training. Credit: Suguru Saito / Red Bull Content Pool

    The top 10 got to pitch their ideas to the panel of global judges and an auditorium of a few hundred people on the 45th floor, in front of a backdrop of Tokyo lit up at night.
    The prize for the global winner was an all-expenses-paid three-week trip to San Francisco to be mentored by Silicon Valley-based Plug and Play VC.

    Building something bigger than oneself
    Part of the appeal for us as a media organisation was of course access to the judges, including Head of Microsoft for Startups Hans Yang, Plug and Play early-stage investor Letizia Royo-Villanova, and digital economy business mentor Jun Yuh, to pick their brains on how they identify winning startups and exceptional founders (and I did, all of which will follow in another article). However, what really moved me was the ingenuity, drive, and enthusiasm of the next generation of entrepreneurs. Ideas included a bone conduction device to help people with Parkinson's walk more securely, built by Cambridge student Jonathan Fisher, whose father suffers from the disease. "I figured, if something is important enough, you should try, even if the odds are against you, because you never know what will happen," Fisher told TNW.

    Another device, built by Stanford students in the US, wants to give the visually impaired their sight back. There were also water-saving AI-supported gadgets from Greece and Egypt, wildfire warning systems from South Africa, and AI tools to help students connect with mentors and scholarship opportunities from Ireland and Spain, or to democratise access to high-level sports coaching from Belgium. Other innovations included early illness detection from Kosovo, brain fitness tracking from the Czech Republic, and an athlete mental training app from Germany, just to name a few.

    Photo: Soi Gamayon beat over 110,000 submitted innovations to become the Red Bull Basement 2024 global winner with AgriConnect. Credit: Jason Hayako / Red Bull Content Pool

    The winner of the global final was Soi Gamayon from the Philippines with his AgriConnect startup.
    The AI-powered app, inspired by watching his uncles struggle farming rice, allows farmers to monitor their crops, build resilience, and increase their yield. "My purpose is really to build something bigger than myself," said Gamayon. "I'm doing this for Filipino farmers. This wasn't just about competing or winning. It's about sharing moments and memories with people who are like-minded. I share this with all the other teams who are here."

    Dutch finalist looking for the positive side of tech
    The Dutch finalist, fresh out of graduate studies in Strategic Management at the Erasmus University in Rotterdam, was Bram van Peursem, with an app called Hubster. He made it all the way to the top 10. Based on his own experience of losing hours of precious time to mindless social media scrolling while managing his own schedule as a student, Van Peursem designed Hubster to help people transform their phone usage from a time sink into motivation to act on the things they hope to achieve in life.

    Hubster, still under development, will let you enter the interests and ambitions that are currently most important to you. Van Peursem gives the examples of running a marathon, understanding more about tech stocks, and learning German. As you embark on a scrolling session that will surely end half an hour later with the yucky feeling of "but I was only going to check...", the app will instead prompt you with notifications such as "It's currently great weather for a 5k recovery run", "AMD just announced a chip update, read more about it here" with a link to an article, or "Nutzen Sie Ihre Zeit so optimal?" ("Are you using your time optimally?") with your language learning app of choice.

    Photo: The Netherlands' Bram van Peursem wants his app to make people use tech for good in their lives. Credit: Jason Hayako / Red Bull Content Pool

    "It is really focused on making tech positive," van Peursem told TNW.
    "Because I think we often forget that our phone is a tool which has all the information in the world, very accessible in your pocket, but nobody uses it like that."

    The desire to build something has been there from the start. "I have always wanted to be a founder," says van Peursem, both of whose parents are entrepreneurs. "I've always had these ideas but I never really acted on them. And that was also the thing I was most scared about: I want to be an entrepreneur, but what if I never act on it? So I'm really grateful to Red Bull and Microsoft for this opportunity [to make the idea concrete]."

    Personally, I always feel honoured to tell the stories of people who have ideas and work hard to bring them to reality, striving to impact the world in positive ways. We journalists only observe and write about it; entrepreneurs are the ones actually building stuff. Mostly just fuelled by pure drive and passion, but sometimes, like when running a startup bootcamp marathon, by copious amounts of caffeine.

    Story by Linnea Ahlgren. Linnea is the senior editor at TNW, having joined in April 2023. She has an MA in international relations and covers quantum, AI, and the evolving concept of 'technological sovereignty'. Dabbles in gaming and fitness wearables. But first, coffee.
  • A new HomePod mini is coming next year, and it definitely needs Apple Intelligence
    9to5mac.com
    Bloomberg's Mark Gurman reported earlier today that Apple has been working on a new HomePod mini for next year. While the report is focused on mentioning Apple's new wireless chip, my only request is that Apple bring Apple Intelligence support to its future HomePod models.

    HomePod and Apple Intelligence
    I have HomePods all over my house, and although they're quite convenient due to their integration with AirPlay and Apple TV, there's no denying that the Siri experience is still quite frustrating. Except for setting timers, Siri constantly gets things wrong, even when it comes to playing songs or podcasts, the main function of a HomePod.

    This week, with the release of iOS 18.2 to the public, Apple confirmed that Apple Music is getting a discreet but important update. It will now use natural language search to better understand what users want to find. This search is handled online on Apple's servers, which means it's also available to Siri on the HomePod. This alone should make the experience of using Siri on HomePod to change songs much better, but we need more. Apple has promised a brand new Siri capable of understanding your personal context, and this experience will be available next year for iPhone, iPad, and the Mac. But the essence of HomePod is Siri, and it needs that experience too. The product would be much more useful if I could use it to ask questions about my day even when my iPhone isn't around.

    Currently, HomePods are powered by the same SoCs found in the Apple Watch, which means that they aren't powerful enough to run Apple Intelligence. According to rumors, Apple has been working on a "HomePad" that will have a large screen and a chip capable of running AI features. However, I also expect Apple to bring a more advanced chip to regular HomePods as well.

    But what about you? Do you also think that Apple Intelligence for the HomePod would be a game-changer? Let me know in the comments section below.
  • Butterfly puts Bluesky on your Apple Watch with a beautiful app
    9to5mac.com
    Zac Hall | Dec 12 2024 - 3:00 pm PT

    Want the latest social network that's popping off to be available on your Apple Watch? Leave it up to indie developers to always find a way. The latest is an all-new client for Bluesky called Butterfly (no relation to MacBook butterfly keyboards, fortunately).

    Reuben Catchpole, the developer behind the Instagram client for watchOS called Lens, has turned their attention to Bluesky with today's launch of Butterfly for Apple Watch. Here's the app description:

    "Butterfly for Bluesky puts Bluesky on your watch. Scroll through your feeds, engage with posts, view and send messages, check your notifications and even write your own posts, all from your wrist."

    And here's how it looks (screenshots in the original post):

    Butterfly for Bluesky works as expected. It's an Apple Watch-only app with no iPhone client needed. Install it directly on your Apple Watch, then log in with your watch keyboard, password keychain, or iPhone keyboard. Once signed in, the app instantly presents your Discover or Following timeline with controls for notifications, messaging, new posts, and viewing search, profile, and accounts.

    Butterfly is free to download for browsing your timelines, and an optional in-app purchase unlocks messaging, posting, and other functionality. Butterfly is a great solution from someone with experience porting social networks to tiny screens on our wrists. Check it out today if you're a Bluesky enthusiast.
  • Google-Backed AI Startup Announces Plans to Stop Grooming Teenagers
    futurism.com
    Content warning: this story discusses sexual abuse, self-harm, suicide, eating disorders and other disturbing topics.

    Earlier this week, Futurism reported that two families in Texas had filed a lawsuit accusing the Google-backed AI chatbot company Character.AI of sexually and emotionally abusing their school-aged children. The plaintiffs alleged that the startup's chatbots encouraged a teenage boy to cut himself and sexually abused an 11-year-old girl. The troubling accusations highlight the highly problematic content being hosted on Character.AI. Chatbots hosted by the company, we've found in previous investigations, have engaged underage users on alarming topics including pedophilia, eating disorders, self-harm, and suicide.

    Now, seemingly in reaction to the latest lawsuit, the company has promised to prioritize "teen safety." In a blog post published today, the venture says that it has "rolled out a suite of new safety features across nearly every aspect of our platform, designed especially with teens in mind." Character.AI is hoping to improve the situation by tweaking its AI models and improving its "detection and intervention systems for human behavior and model responses," in addition to introducing new parental control features. But whether these new changes will prove effective remains to be seen.

    For one, the startup's track record isn't exactly reassuring. It issued a "community safety update" back in October, vowing that it "takes the safety of our users very seriously and we are always looking for ways to evolve and improve our platform." The post was in response to a previous lawsuit, which alleged that one of the company's chatbots had played a role in the tragic suicide of a 14-year-old user. Not long after, Futurism found that the company was still hosting dozens of suicide-themed chatbots, indicating the company was unsuccessful in its efforts to strengthen its guardrails.

    Then in November, Character.AI issued a "roadmap," promising a safer user experience and the rollout of a "separate model for users under the age of 18 with stricter guidelines." Weeks later, Futurism discovered that the company was still hosting chatbots encouraging its largely underage user base to engage in self-harm and eating disorders. Sound familiar?

    Now Character.AI is saying it's rolled out a "separate model specifically for our teen users." "The goal is to guide the model away from certain responses or interactions, reducing the likelihood of users encountering, or prompting the model to return, sensitive or suggestive content," reads the announcement. "This initiative has resulted in two distinct models and user experiences on the Character.AI platform: one for teens and one for adults."

    The company is also planning to roll out "parental controls" that will give "parents insight into their child's experience on Character.AI, including time spent on the platform and the Characters they interact with most frequently." The controls will be made available sometime early next year, it says. The company also promised to inform users when they've spent more than an hour on the platform and issue regular reminders that its chatbots "are not real people." "We have evolved our disclaimer, which is present on every chat, to remind users that the chatbot is not a real person and that what the model says should be treated as fiction," the announcement reads.

    In short, whether Character.AI can successfully reassure its user base that it can effectively moderate the experience for underage users remains unclear at best. It also remains to be seen whether the company's distinct model for teens will fare any better, or if it'll stop underage users from starting new accounts and listing themselves as adults.

    Meanwhile, Google has attempted to actively distance itself from the situation, telling Futurism that the two companies are "completely separate" and "unrelated." But that's hard to believe. The search giant poured a whopping $2.7 billion into Character.AI earlier this year to license its tech and hire dozens of its employees, including both its cofounders, Noam Shazeer and Daniel de Freitas.

    More on Character.AI: Character.AI Was Google Play's Best with AI App of 2023
  • Congress Introduces Bills to Break Up UnitedHealth Group
    futurism.com
    Image by Patrick T. Fallon / AFP via Getty / Futurism

    Congress is pushing to break up the nation's biggest insurance monopolies after UnitedHealthcare CEO Brian Thompson's murder last week sparked widespread anger. As the New York Times reports, a pair of bipartisan bills seek to force insurers and other healthcare companies to sell off their so-called "pharmacy benefit managers," or PBMs, which companies and government agencies use to manage their employees' prescription benefits, within the next three years.

    Named the Patients Before Monopolies Act, the Senate bill, sponsored by Senators Elizabeth Warren (D-MA) and Josh Hawley (R-MO), has a sister proposal introduced in the House of Representatives. Though neither bill names any companies specifically, the NYT indicated that UnitedHealth Group (the parent company of UHC and its PBM Optum Rx), CVS' Caremark, and Cigna's Express Scripts collectively account for 80 percent of all prescriptions in the United States.

    Crucially, these bills represent the first legislation targeting the insurance industry after Thompson's assassination last week. In a handwritten manifesto, suspected assassin Luigi Mangione railed against the American healthcare industry and asserted that "these parasites" (meaning, it seems, insurance executives like Thompson) "had it coming." Though none of the Congress members involved in the introduction of these bills cited Mangione or Thompson in their statements about the legislation, Warren suggested in a HuffPost interview earlier this week that the public reaction to the CEO's murder represented a boiling point for the American people.

    "The visceral response from people across this country who feel cheated, ripped off, and threatened by the vile practices of their insurance companies should be a warning to everyone in the health care system," the former presidential candidate said. "Violence is never the answer," she continued, "but people can be pushed only so far."

    As of now, it's unclear whether the bill has any chance of passing, especially in the lame-duck Congressional session during which it was introduced. Still, it's a pretty big deal that it's making the rounds at all, and especially while Thompson's body has barely had time to cool.

    More on insurance anger: Leaked Video Shows Insurance CEO Gloating About Denying Care, Calling Critics Delusional
  • Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online
    thehackernews.com
    Dec 12, 2024 | Ravie Lakshmanan | Vulnerability / Cloud Security
    Cybersecurity researchers are warning that thousands of servers hosting the Prometheus monitoring and alerting toolkit are at risk of information leakage and exposure to denial-of-service (DoS) as well as remote code execution (RCE) attacks.
    "Prometheus servers or exporters, often lacking proper authentication, allowed attackers to easily gather sensitive information, such as credentials and API keys," Aqua security researchers Yakir Kadkoda and Assaf Morag said in a new report shared with The Hacker News.
    The cloud security firm also said that exposure of the "/debug/pprof" endpoints, used for determining heap memory usage, CPU usage, and other runtime statistics, could serve as a vector for DoS attacks, rendering the servers inoperable.
    As many as 296,000 Prometheus Node Exporter instances and 40,300 Prometheus servers are estimated to be publicly accessible over the internet, a huge attack surface that could put data and services at risk.
    The fact that sensitive information, such as credentials, passwords, authentication tokens, and API keys, can leak through internet-exposed Prometheus servers was documented previously by JFrog in 2021 and Sysdig in 2022.
    "Unauthenticated Prometheus servers enable direct querying of internal data, potentially exposing secrets that attackers can exploit to gain an initial foothold in various organizations," the researchers said.
    In addition, the "/metrics" endpoint was found to reveal not only internal API endpoints but also data about subdomains, Docker registries, and images -- all valuable information for an attacker conducting reconnaissance and looking to expand their reach within the network.
    That's not all. An adversary could send multiple simultaneous requests to endpoints like "/debug/pprof/heap" to trigger CPU- and memory-intensive heap profiling tasks that overwhelm the servers and cause them to crash.
    Aqua further called out a supply chain threat that involves using repojacking techniques to take over the name associated with deleted or renamed GitHub repositories and introduce malicious third-party exporters. Specifically, it discovered that eight exporters listed in Prometheus' official documentation were vulnerable to RepoJacking, which would allow an attacker to recreate an exporter under the same name and host a rogue version. These issues have since been addressed by the Prometheus security team as of September 2024.
    "Unsuspecting users following the documentation could unknowingly clone and deploy this malicious exporter, leading to remote code execution on their systems," the researchers said.
    Organizations are advised to secure Prometheus servers and exporters with adequate authentication, limit public exposure, monitor "/debug/pprof" endpoints for any signs of anomalous activity, and take steps to avoid RepoJacking attacks.
    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
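The monitoring recommendation above, as an added example that is not part of the article or of Aqua's or Prometheus' own tooling: a small Python script that reads constructed reverse-proxy access log lines (combined log format, with the third field being the basic-auth user) placed in front of a Prometheus server, and flags both unauthenticated successful hits to "/metrics" and "/debug/pprof*" and clients that hammer the pprof endpoints in a short window. The log lines, IP addresses and the `oncall` user are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (combined log format) from a reverse proxy in front of
# Prometheus; the third field is the HTTP basic-auth user, "-" meaning none was sent.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2024:10:00:00 +0000] "GET /metrics HTTP/1.1" 200 18231 "-" "curl/8.5.0"
203.0.113.7 - - [12/Dec/2024:10:00:01 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 44120 "-" "curl/8.5.0"
203.0.113.7 - - [12/Dec/2024:10:00:01 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 44118 "-" "curl/8.5.0"
203.0.113.7 - - [12/Dec/2024:10:00:02 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 44125 "-" "curl/8.5.0"
10.0.0.21 - oncall [12/Dec/2024:10:00:05 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 44130 "-" "Go-http-client/1.1"
198.51.100.9 - - [12/Dec/2024:10:00:30 +0000] "GET /metrics HTTP/1.1" 401 0 "-" "python-requests/2.32"
"""

LINE_RE = re.compile(r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
SENSITIVE_PREFIXES = ("/debug/pprof", "/metrics")

def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def unauthenticated_hits(log):
    """Successful (2xx) requests to /metrics or /debug/pprof* that carried no basic-auth user."""
    return [(r["client"], r["path"]) for r in parse(log)
            if r["user"] == "-" and 200 <= r["status"] < 300
            and r["path"].startswith(SENSITIVE_PREFIXES)]

def pprof_bursts(log, window_s=10, threshold=3):
    """Clients that requested /debug/pprof* at least `threshold` times within `window_s`
    seconds of their first such request (the DoS pattern described above)."""
    stamps = defaultdict(list)
    for r in parse(log):
        if r["path"].startswith("/debug/pprof"):
            stamps[r["client"]].append(r["ts"])
    return {c: len(t) for c, t in stamps.items()
            if len(t) >= threshold and (max(t) - min(t)).total_seconds() <= window_s}

if __name__ == "__main__":
    for client, path in unauthenticated_hits(SAMPLE_LOG):
        print(f"unauthenticated access: {client} -> {path}")
    for client, n in pprof_bursts(SAMPLE_LOG).items():
        print(f"pprof burst: {client} made {n} profiling requests")
```

The 401 line shows what a correctly protected endpoint looks like in the same log; the script ignores it, so a clean run over a hardened deployment produces no findings.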
  • Gamaredon Deploys Android Spyware "BoneSpy" and "PlainGnome" in Former Soviet States
    thehackernews.com
    Two new Android spyware tools, called BoneSpy and PlainGnome, have been attributed to the Russia-linked state-sponsored threat actor tracked as Gamaredon, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns.
    "BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims," Lookout said in an analysis. "Both BoneSpy and PlainGnome collect data such as SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists."
    Gamaredon, also called Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia's Federal Security Service (FSB).
    Last week, Recorded Future's Insikt Group revealed the threat actor's use of Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting malicious payloads such as GammaDrop.
    It's believed that BoneSpy has been operational since at least 2021, whereas PlainGnome emerged only earlier this year. Targets of the campaign possibly include Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan, based on VirusTotal submissions of the artifacts. There is no evidence at this stage that the malware was used to target Ukraine, which has been the group's sole focus.
    Back in September 2024, ESET also disclosed that Gamaredon unsuccessfully attempted to infiltrate targets in several NATO countries, namely Bulgaria, Latvia, Lithuania, and Poland, in April 2022 and February 2023.
    Lookout has theorized that the targeting of Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan "may be related to worsening relations between these countries and Russia since the outbreak of the Ukraine invasion."
    The attribution of the new malware to Gamaredon stems from the reliance on dynamic DNS providers and overlaps in IP addresses that point to command-and-control (C2) domains used in both mobile and desktop campaigns.
    BoneSpy and PlainGnome differ in one crucial respect: the former, derived from the open-source DroidWatcher spyware, is a standalone application, whereas the latter acts as a dropper for a surveillance payload embedded within it. PlainGnome is also custom-made malware, but one that requires the victim to grant it permission to install other apps through REQUEST_INSTALL_PACKAGES.
    Both surveillance tools implement a broad range of functions to track location, gather information about the infected device, and collect SMS messages, call logs, contact lists, browser history, audio recordings, ambient audio, notifications, photos, screenshots, and cellular service provider details. They also attempt to gain root access.
    The exact mechanism by which the malware-laced apps are distributed remains unclear, but it's suspected to involve targeted social engineering, with the apps masquerading as battery charge monitoring apps, photo gallery apps, a fake Samsung Knox app, and a fully functional but trojanized Telegram app.
    "While PlainGnome, which first surfaced this year, has many overlaps in functionality with BoneSpy, it does not appear to have been developed from the same code base," Lookout said.