Blog

BlackCat Ransomware, ZingoStealer & BumbleBee Loader

This month, the Cisco Umbrella team – in conjunction with Talos – has witnessed the rise of complex cyberattacks. In today’s edition of the Cybersecurity Threat Spotlight, we unpack the tactics, techniques, and procedures used in these attacks.

Want to see how Cisco Umbrella can protect your network? Sign up for a free trial today!

BlackCat Ransomware

Threat Type: Ransomware

Attack Chain:

Graphic that shows the attack chain for BlackCat Ransomware. The attack chain is as follows: Initial Access to Defense Evasion to Persistence with Reverse SSH to Credential access to Lateral Movement to Command and Control to Data Exfiltration to BlackCat Ransomware. The graphic indicates that Cisco Secure protects users from Initial Access and Persistence With Reverse SSH.

Description: BlackCat – also known as “ALPHV”- is a ransomware which uses ransomware-as-a-service model and double ransom schema (encrypted files and stolen file disclosure). It first appeared in November 2021 and, since then, targeted companies have been hit across the globe.

BlackCat Spotlight: BlackCat ransomware has quickly gained notoriety for being used in double ransom (encrypted files and stolen file disclosure) attacks against companies. While it targets companies across the globe, more than 30% of the compromises happened to companies based in the U.S.

There is a connection between the BlackCat, BlackMatter and DarkSide ransomware groups, recently confirmed by the BlackCat representative. Attack kill chain follows the blueprint of other human-operated ransomware attacks: initial compromise, followed by an exploration and data exfiltration phase, then attack preparation and finally, the ransomware execution. The key aspect of such attacks is that adversaries take time exploring the environment and preparing it for a successful and broad attack before launching the ransomware. Some of the attacks took up to two weeks from the initial to final stage, so it is key to have capabilities to detect such activities to counter them.

Target Geolocations: U.S., Canada, EU, China, India, Philippines, Australia
Target Data: Sensitive Information, Browser Information
Target Businesses: Any
Exploits: N/A

Mitre ATT&CK for BlackCat

Initial Access:
Valid Accounts: Local Accounts

Discovery:
Account Discovery
System Information Discovery
Network Service Discovery
File and Directory Discovery
Security Software Discovery
ADrecon
Sofperfect Network Scanner

Persistence:
Scheduled Task
Image File Execution Options Injection
Reverse SSH Tunnel

Evasion:
Disable System Logs
Disable Endpoint Protection
Gmer

Credential Access:
OS Credential Dumping: LSASS Memory
Credentials from Password Stores: Credentials from Web Browsers

Command and Control:
Reverse SSH Tunnel
Impacket

Lateral Movement:
Lateral Tool Transfer
Impacket
Remote Services: SSH, RDP, Poershell, Psexec

Impact:
Group Policy
Netlogon Share
Data Encrypted for Impact
Inhibit System Recovery

IOCs

Domains:
windows[.]menu

IPs:
52.149.228[.]45
20.46.245[.]56

Additional Information:
From BlackMatter to BlackCat: Analyzing two attacks from one affiliate

Which Cisco Products Can Block:
Cisco Secure Endpoint
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella

ZingoStealer

Threat Type: Information Stealer

Attack Chain:

Graphic that shows the attack chain of ZingoStealer, which is as follows: Trojanized Application Download to ZingoStealer Malware to Data Exfiltration to Command and Control to Additional Payloads. The graphic indicates that Cisco Secure products protect users from Trojanized Application Download, ZingoStealer Malware, Data Exfiltration and Command and Control.

Description: ZingoStealer is an information stealer released by a threat actor known as “Haskers Gang.” The malware leverages Telegram chat features to facilitate malware executable build delivery and data exfiltration. The malware can exfiltrate sensitive information like credentials, steal cryptocurrency wallet information, and mine cryptocurrency on victims’ systems. ZingoStealer has the ability to download additional malware such as RedLine Stealer and the XMRig cryptocurrency mining malware.

ZingoStealer Spotlight: Cisco Talos recently observed a new information stealer, called “ZingoStealer” that has been released for free by a threat actor known as “Haskers Gang.” This information stealer, first introduced to the wild in March 2022, is currently undergoing active development and multiple releases of new versions have been observed recently. In many cases, ZingoStealer is being distributed under the guise of game cheats, cracks and code generators.

The stealer is an obfuscated .NET executable which downloads files providing core functionality an attacker-controlled server. The malware can exfiltrate sensitive information like credentials, steal cryptocurrency wallet information, and mine cryptocurrency on victims’ systems. The malware is also used as a loader for other malware payloads, such as RedLine Stealer and the XMRig cryptocurrency mining malware.

Target Geolocations: CIS
Target Data: User Credentials, Browser Data, Financial and Personal Information, Cryptocurrency Wallets, Data From Browser Extensions
Target Businesses: Any
Exploits: N/A

Mitre ATT&CK for ZingoStealer

Initial Access:
Trojanized Applications

Credential Access:
Credentials from Password Stores
Steal Web Session Cookie
Unsecured Credentials
Credentials from Password Stores: Credentials from Web Browsers

Discovery:
Account Discovery
Software Discovery
Process Discovery
System Time Discovery
System Service Discovery
System Location Discovery

Persistence:
Registry Run Keys/Startup Folder
Scheduled Task/Job: Scheduled Task

Privilege Escalation:
N/A

Execution:
User Execution
Command and Scripting Interpreter: PowerShell

Evasion:
Obfuscated Files or Information

Collection:
Archive Collected Data: Archive via Utility
Data Staged: Local Data Staging

Command and Control:
Application Layer Protocol: Web Protocols

Exfiltration:
Exfiltration Over C2 Channel

IOCs

Domains:
nominally[.]ru

Additional Information:
Threat Spotlight: “Haskers Gang” Introduces New ZingoStealer

Which Cisco Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

BumbleBee Loader

Threat Type: Loader

Attack Chain:

A graphic showing the attack chain of BumbleBee Loader, which is as follows: Malspam to Malicious URL or HTML Attachment to Download Malicious ISO File to Fingerprinting to BumbleBee Loader to Command and Control to CobaltStrike. The graphic indicates that Cisco Secure products protect users from malspam, malicious URL or HTML attachment, command and control, and Cobalt Strike.

Description: BumbleBee is a loader that has anti-virtualization checks and loader capabilities. The goal of the malware is to take a foothold in the compromised system to download and execute additional payloads. BumbleBee was observed to load Cobalt Strike, shellcode, Sliver and Meterpreter malware.

BumbleBee Spotlight: Security researchers noticed the appearance of the new malware being used by Initial Access Brokers, which previously relied on  BazaLoader and IcedID malware. Dubbed BumbleBee due to presence of unique User-Agent “bumblebee” in early campaigns, this malware appears to be in active development.

It already employs complex anti-virtualization techniques, as well as uses asynchronous procedure call (APC) injection to launch the shellcode and LOLBins to avoid detections. Delivery chain relies on user interaction to follow the links and open malicious ISO or IMG file. Loader achieves persistence via scheduled task which launches Visual Basic Script to load BumbleBee DLL. Afterwards, the execution malware communicates with the Command-and-Control server and downloads additional payloads such as Cobalt Strike, shellcode, Sliver and Meterpreter. Threat actors using such payloads have been linked to ransomware campaigns.

Target Geolocations: Canada, U.S., Japan
Target Data: N/A
Target Businesses: Any
Exploits: N/A

Mitre ATT&CK for BumbleBee

Initial Access:
Malspam

Persistence:
Scheduled Task/Job

Execution:
Scheduled Task/Job: Scheduled Task
Command and Scripting Interpreter: Virtual Basic
User Execution: Malicious File

Evasion:
System Binary Proxy Execution: Rundll32
Virtualization/Sandbox Evasion: System Checks
Process Injection: Asynchronous Procedure Call

Discovery:
System Information Discovery
System Network Configuration Discovery
System Network Connections Discovery

Collection:
N/A

Command and Control:
Application Layer Protocol

Exfiltration:
N/A

IOCs

Domains:
hxxps://www.transferxl[.]com/download/00zs2K2Njx25cf         hxxps://www.transferxl[.]com/download/00mP423PZy3Qb
hxxps://www.transferxl[.]com/download/00jmM0qhpgWydN  hxxps://www.transferxl[.]com/download/00jGC0dqWkf3hZ
hxxps://www.transferxl[.]com/download/00D6JXf66HJQV
hxxps://www.transferxl[.]com/download/006wWqw66ZHbP
hxxps://storage.googleapis[.]com/vke8rq4dfj4fej.appspot.com/sh/f/pub/m/0/fg6V6Rqf7gJNG.html

CS Domains:
hojimizeg[.]com
notixow[.]com
rewujisaf[.]com

IPs:
23.82.19[.]208
192.236.198[.]63
45.147.229[.]177

Additional Information:
This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming
Orion Threat Alert: Flight of the BumbleBee

Which Cisco Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

Source :
https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackcat-ransomware-zingostealer-bumblebee-loader

Cisco Umbrella Named a 2022 SC Awards Finalist for Best SME Security Solution

SC Awards from SC Media are known for honoring the best people, products and companies in cybersecurity. One of the industry’s most respected media outlets, SC Media enlists a select pool of experts from the information security community to review more than 800 entries in 35+ categories.

Last year Cisco Umbrella took home SC’s top award for Best SME Security Solution, and we are thrilled to be a finalist again this year – with the winner to be announced in August.

Small and mid-size enterprises need an effective, easy-to-deploy security solution

We firmly believe small and medium-sized businesses deserve big protection. The chilling statistic that 60% of small- and medium-sized businesses go out of business within six months of a cyberattack1 underscores the need for an effective and easy to implement security solution for companies that are likely to have little or no dedicated IT staff.

Blocking threats before they reach the network, endpoints, and end users, Umbrella enables even small IT teams to monitor and respond to threats effectively – like it does for Cape Air.

Cape Air uses Cisco Umbrella to simplify operations and improve security

Headquartered in Hyannis, Massachusetts, Cape Air is a regional airline that provides service to some of the world’s most beautiful destinations.  But when frequent malware infections disrupt core services and the customer experience, the brand reputation suffers. For Cape Air, service delays due to malware infections became a common challenge.

Brett Stone, Cape Air’s network operations manager needed to stop threats before they caused service outages. He recognized that Cisco Umbrella could help Cape Air reduce infections since it blocks malware, phishing, command-and-control requests, and other threats at the DNS layer before a connection is even established.

He configured Umbrella within 30 minutes — and saw immediate results:

“From the moment we deployed Umbrella, it was like night and day in the number of tickets we had open because of infections and PCs that kept getting compromised in the past. We were amazed because the next day we didn’t have to fix these problems anymore. Then we could do all those other things that were important to us; we finally had time for them.” – Brett Stone

Stone recalls how malware remediation used to consume all of Cape Air’s network technicians’ time. “Before Umbrella, I had three technicians working 40 hours a week, and all they did for a year was fix malware infections and reimage computers,” Stone recalls. “Thankfully, those days are gone. Now we have zero, or rarely one, malware infection. I don’t remember the last time something got through Cisco Umbrella within the last year or two.”

Want to learn more about how Cisco Umbrella serves small-to-midsize businesses?

Threats are never going to stop coming. But with simple deployment and powerful protection, visibility, and performance, Cisco Umbrella can provide the big protection you need.

Check out our ebook Big Threats to Small Business to learn more about how we meet the unique cybersecurity needs of small and medium sized businesses. And if you’re ready to see our solution in action, check out a free Cisco Umbrella Live Demo.

Source :
https://umbrella.cisco.com/blog/cisco-umbrella-named-2022-sc-awards-finalist-best-sme-security-solution

Cloudflare’s approach to handling BMC vulnerabilities

In recent years, management interfaces on servers like a Baseboard Management Controller (BMC) have been the target of cyber attacks including ransomware, implants, and disruptive operations. Common BMC vulnerabilities like Pantsdown and USBAnywhere, combined with infrequent firmware updates, have left servers vulnerable.

We were recently informed from a trusted vendor of new, critical vulnerabilities in popular BMC software that we use in our fleet. Below is a summary of what was discovered, how we mitigated the impact, and how we look to prevent these types of vulnerabilities from having an impact on Cloudflare and our customers.

Background

A baseboard management controller is a small, specialized processor used for remote monitoring and management of a host system. This processor has multiple connections to the host system, giving it the ability to monitor hardware, update BIOS firmware, power cycle the host, and many more things.

Access to the BMC can be local or, in some cases, remote. With remote vectors open, there is potential for malware to be installed on the BMC from the local host via PCI Express or the Low Pin Count (LPC) interface. With compromised software on the BMC, malware or spyware could maintain persistence on the server.

According to the National Vulnerability Database, the two BMC chips (ASPEED AST2400 and AST2500) have implemented Advanced High-Performance Bus (AHB) bridges, which allow arbitrary read and write access to the physical address space of the BMC from the host. This means that malware running on the server can also access the RAM of the BMC.

These BMC vulnerabilities are sufficient to enable ransomware propagation, server bricking, and data theft.

Impacted versions

Numerous vulnerabilities were found to affect the QuantaGrid D52B cloud server due to vulnerable software found in the BMC. These vulnerabilities are associated with specific interfaces that are exposed on AST2400 and AST2500 and explained in CVE-2019-6260. The vulnerable interfaces in question are:

  • iLPC2AHB bridge Pt I
  • iLPC2AHB bridge Pt II
  • PCIe VGA P2A bridge
  • DMA from/to arbitrary BMC memory via X-DMA
  • UART-based SoC Debug interface
  • LPC2AHB bridge
  • PCIe BMC P2A bridge
  • Watchdog setup

An attacker might be able to update the BMC directly using SoCFlash through inband LPC or BMC debug universal async receiver-transmitter (UART) serial console. While this might be thought of as a usual path in case of total corruption, this is actually an abuse within SoCFlash by using any open interface for flashing.

Mitigations and response

Updated firmware

We reached out to one of our manufacturers, Quanta, to validate that existing firmware within a subset of systems was in fact patched against these vulnerabilities. While some versions of our firmware were not vulnerable, others were. A patch was released, tested, and deployed on the affected BMCs within our fleet.

Cloudflare Security and Infrastructure teams also proactively worked with additional manufacturers to validate their own BMC patches were not explicitly vulnerable to these firmware vulnerabilities and interfaces.

Reduced exposure of BMC remote interfaces

It is a standard practice within our data centers to implement network segmentation to separate different planes of traffic. Our out-of-band networks are not exposed to the outside world and only accessible within their respective data centers. Access to any management network goes through a defense in depth approach, restricting connectivity to jumphosts and authentication/authorization through our zero trust Cloudflare One service.

Reduced exposure of BMC local interfaces

Applications within a host are limited in what can call out to the BMC. This is done to restrict what can be done from the host to the BMC and allow for secure in-band updating and userspace logging and monitoring.

Do not use default passwords

This sounds like common knowledge for most companies, but we still follow a standard process of changing not just the default username and passwords that come with BMC software, but disabling the default accounts to prevent them from ever being used. Any static accounts follow a regular password rotation.

BMC logging and auditing

We log all activity by default on our BMCs. Logs that are captured include the following:

  • Authentication (Successful, Unsuccessful)
  • Authorization (user/service)
  • Interfaces (SOL, CLI, UI)
  • System status (Power on/off, reboots)
  • System changes (firmware updates, flashing methods)

We were able to validate that there was no malicious activity detected.

What’s next for the BMC

Cloudflare regularly works with several original design manufacturers (ODMs) to produce the highest performing, efficient, and secure computing systems according to our own specifications. The standard processors used for our baseboard management controller often ship with proprietary firmware which is less transparent and more cumbersome to maintain for us and our ODMs. We believe in improving on every component of the systems we operate in over 270 cities around the world.

OpenBMC

We are moving forward with OpenBMC, an open-source firmware for our supported baseboard management controllers. Based on the Yocto Project, a toolchain for Linux on embedded systems, OpenBMC will enable us to specify, build, and configure our own firmware based on the latest Linux kernel featureset per our specification, similar to the physical hardware and ODMs.

OpenBMC firmware will enable:

  • Latest stable and patched Linux kernel
  • Internally-managed TLS certificates for secure, trusted communication across our isolated management network
  • Fine-grained credentials management
  • Faster response time for patching and critical updates

While many of these features are community-driven, vulnerabilities like Pantsdown are patched quickly.

Extending secure boot

You may have read about our recent work securing the boot process with a hardware root-of-trust, but the BMC has its own boot process that often starts as soon as the system gets power. Newer versions of the BMC chips we use, as well as leveraging cutting edge security co-processors, will allow us to extend our secure boot capabilities prior to loading our UEFI firmware by validating cryptographic signatures on our BMC/OpenBMC firmware. By extending our security boot chain to the very first device that has power to our systems, we greatly reduce the impact of malicious implants that can be used to take down a server.

Conclusion

While this vulnerability ended up being one we could quickly resolve through firmware updates with Quanta and quick action by our teams to validate and patch our fleet, we are continuing to innovate through OpenBMC, and secure root of trust to ensure that our fleet is as secure as possible. We are grateful to our partners for their quick action and are always glad to report any risks and our mitigations to ensure that you can trust how seriously we take your security.

Source :
https://blog.cloudflare.com/bmc-vuln/

How we improved DNS record build speed by more than 4,000x

Since my previous blog about Secondary DNS, Cloudflare’s DNS traffic has more than doubled from 15.8 trillion DNS queries per month to 38.7 trillion. Our network now spans over 270 cities in over 100 countries, interconnecting with more than 10,000 networks globally. According to w3 stats, “Cloudflare is used as a DNS server provider by 15.3% of all the websites.” This means we have an enormous responsibility to serve DNS in the fastest and most reliable way possible.

Although the response time we have on DNS queries is the most important performance metric, there is another metric that sometimes goes unnoticed. DNS Record Propagation time is how long it takes changes submitted to our API to be reflected in our DNS query responses. Every millisecond counts here as it allows customers to quickly change configuration, making their systems much more agile. Although our DNS propagation pipeline was already known to be very fast, we had identified several improvements that, if implemented, would massively improve performance. In this blog post I’ll explain how we managed to drastically improve our DNS record propagation speed, and the impact it has on our customers.

How DNS records are propagated

Cloudflare uses a multi-stage pipeline that takes our customers’ DNS record changes and pushes them to our global network, so they are available all over the world.

The steps shown in the diagram above are:

  1. Customer makes a change to a record via our DNS Records API (or UI).
  2. The change is persisted to the database.
  3. The database event triggers a Kafka message which is consumed by the Zone Builder.
  4. The Zone Builder takes the message, collects the contents of the zone from the database and pushes it to Quicksilver, our distributed KV store.
  5. Quicksilver then propagates this information to the network.

Of course, this is a simplified version of what is happening. In reality, our API receives thousands of requests per second. All POST/PUT/PATCH/DELETE requests ultimately result in a DNS record change. Each of these changes needs to be actioned so that the information we show through our API and in the Cloudflare dashboard is eventually consistent with the information we use to respond to DNS queries.

Historically, one of the largest bottlenecks in the DNS propagation pipeline was the Zone Builder, shown in step 4 above. Responsible for collecting and organizing records to be written to our global network, our Zone Builder often ate up most of the propagation time, especially for larger zones. As we continue to scale, it is important for us to remove any bottlenecks that may exist in our systems, and this was clearly identified as one such bottleneck.

Growing pains

When the pipeline shown above was first announced, the Zone Builder received somewhere between 5 and 10 DNS record changes per second. Although the Zone Builder at the time was a massive improvement on the previous system, it was not going to last long given the growth that Cloudflare was and still is experiencing. Fast-forward to today, we receive on average 250 DNS record changes per second, a staggering 25x growth from when the Zone Builder was first announced.

The way that the Zone Builder was initially designed was quite simple. When a zone changed, the Zone Builder would grab all the records from the database for that zone and compare them with the records stored in Quicksilver. Any differences were fixed to maintain consistency between the database and Quicksilver.

This is known as a full build. Full builds work great because each DNS record change corresponds to one zone change event. This means that multiple events can be batched and subsequently dropped if needed. For example, if a user makes 10 changes to their zone, this will result in 10 events. Since the Zone Builder grabs all the records for the zone anyway, there is no need to build the zone 10 times. We just need to build it once after the final change has been submitted.

What happens if the zone contains one million records or 10 million records? This is a very real problem, because not only is Cloudflare scaling, but our customers are scaling with us. Today our largest zone currently has millions of records. Although our database is optimized for performance, even one full build containing one million records took up to 35 seconds, largely caused by database query latency. In addition, when the Zone Builder compares the zone contents with the records stored in Quicksilver, we need to fetch all the records from Quicksilver for the zone, adding time. However, the impact doesn’t just stop at the single customer. This also eats up more resources from other services reading from the database and slows down the rate at which our Zone Builder can build other zones.

Per-record build: a new build type

Many of you might already have the solution to this problem in your head:

Why doesn’t the Zone Builder just query the database for the record that has changed and propagate just the single record?

Of course this is the correct solution, and the one we eventually ended up at. However, the road to get there was not as simple as it might seem.

Firstly, our database uses a series of functions that, at zone touch time, create a PostgreSQL Queue (PGQ) event that ultimately gets turned into a Kafka event. Initially, we had no distinction for individual record events, which meant our Zone Builder had no idea what had actually changed until it queried the database.

Next, the Zone Builder is still responsible for DNS zone settings in addition to records. Some examples of DNS zone settings include custom nameserver control and DNSSEC control. As a result, our Zone Builder needed to be aware of specific build types to ensure that they don’t step on each other. Furthermore, per-record builds cannot be batched in the same way that zone builds can because each event needs to be actioned separately.

As a result, a brand new scheduling system needed to be written. Lastly, Quicksilver interaction needed to be re-written to account for the different types of schedulers. These issues can be broken down as follows:

  1. Create a new Kafka event pipeline for record changes that contain information about the changed record.
  2. Separate the Zone Builder into a new type of scheduler that implements some defined scheduler interface.
  3. Implement the per-record scheduler to read events one by one in the correct order.
  4. Implement the new Quicksilver interface for the per-record scheduler.

Below is a high level diagram of how the new Zone Builder looks internally with the new scheduler types.

It is critically important that we lock between these two schedulers because it would otherwise be possible for the full build scheduler to overwrite the per-record scheduler’s changes with stale data.

It is important to note that none of this per-record architecture would be possible without the use of Cloudflare’s black lie approach to negative answers with DNSSEC. Normally, in order to properly serve negative answers with DNSSEC, all the records within the zone must be canonically sorted. This is needed in order to maintain a list of references from the apex record through all the records in the zone. With this normal approach to negative answers, a single record that has been added to the zone requires collecting all records to determine its insertion point within this sorted list of names.

Bugs

I would love to be able to write a Cloudflare blog where everything went smoothly; however, that is never the case. Bugs happen, but we need to be ready to react to them and set ourselves up so that next time this specific bug cannot happen.

In this case, the major bug we discovered was related to the cleanup of old records in Quicksilver. With the full Zone Builder, we have the luxury of knowing exactly what records exist in both the database and in Quicksilver. This makes writing and cleaning up a fairly simple task.

When the per-record builds were introduced, record events such as creates, updates, and deletes all needed to be treated differently. Creates and deletes are fairly simple because you are either adding or removing a record from Quicksilver. Updates introduced an unforeseen issue due to the way that our PGQ was producing Kafka events. Record updates only contained the new record information, which meant that when the record name was changed, we had no way of knowing what to query for in Quicksilver in order to clean up the old record. This meant that any time a customer changed the name of a record in the DNS Records API, the old record would not be deleted. Ultimately, this was fixed by replacing those specific update events with both a creation and a deletion event so that the Zone Builder had the necessary information to clean up the stale records.

None of this is rocket surgery, but we spend engineering effort to continuously improve our software so that it grows with the scaling of Cloudflare. And it’s challenging to change such a fundamental low-level part of Cloudflare when millions of domains depend on us.

Results

Today, all DNS Records API record changes are treated as per-record builds by the Zone Builder. As I previously mentioned, we have not been able to get rid of full builds entirely; however, they now represent about 13% of total DNS builds. This 13% corresponds to changes made to DNS settings that require knowledge of the entire zone’s contents.

When we compare the two build types as shown below we can see that per-record builds are on average 150x faster than full builds. The build time below includes both database query time and Quicksilver write time.

From there, our records are propagated to our global network through Quicksilver.

The 150x improvement above is with respect to averages, but what about that 4000x that I mentioned at the start? As you can imagine, as the size of the zone increases, the difference between full build time and per-record build time also increases. I used a test zone of one million records and ran several per-record builds, followed by several full builds. The results are shown in the table below:

Build TypeBuild Time (ms)
Per Record #16
Per Record #27
Per Record #36
Per Record #48
Per Record #56
Full #134032
Full #233953
Full #334271
Full #434121
Full #534093

We can see that, given five per-record builds, the build time was no more than 8ms. When running a full build however, the build time lasted on average 34 seconds. That is a build time reduction of 4250x!

Given the full build times for both average-sized zones and large zones, it is apparent that all Cloudflare customers are benefitting from this improved performance, and the benefits only improve as the size of the zone increases. In addition, our Zone Builder uses less database and Quicksilver resources meaning other Cloudflare systems are able to operate at increased capacity.

Next Steps

The results here have been very impactful, though we think that we can do even better. In the future, we plan to get rid of full builds altogether by replacing them with zone setting builds. Instead of fetching the zone settings in addition to all the records, the zone setting builder would just fetch the settings for the zone and propagate that to our global network via Quicksilver. Similar to the per-record builds, this is a difficult challenge due to the complexity of zone settings and the number of actors that touch it. Ultimately if this can be accomplished, we can officially retire the full builds and leave it as a reminder in our git history of the scale at which we have grown over the years.

In addition, we plan to introduce a batching system that will collect record changes into groups to minimize the number of queries we make to our database and Quicksilver.

Does solving these kinds of technical and operational challenges excite you? Cloudflare is always hiring for talented specialists and generalists within our Engineering and other teams.

Source :
https://blog.cloudflare.com/dns-build-improvement/

How to Fix WordPress 404 Page Not Found Error – A Detailed Guide

It is common that you come across the WordPress 404 or “WordPress site permalinks not working” error on your website if it is not maintained properly. But there are times when your website is under maintenance and your visitors will be automatically directed to a 404 error page.

Are you facing a WordPress 404 error or a “WordPress page not found” error? Don’t freak out! We have a solution for you.Table of Contents

What is a WordPress 404 Error?

The 404 error is an HTTP response code that occurs when a user clicks on a link to a missing page or a broken link. The web hosting server will automatically send the user an error message that says, for example, “404 Not Found”.

The error has some common causes:

  • You’ve newly migrated your site to a new host
  • You have changed your post/page slug but haven’t redirected the old URL
  • You don’t have file permission
  • You have opened an incorrect URL
  • Poorly coded plugin/theme

Many WordPress themes offer creative layout & content options to display the 404 error page. Cloudways’s 404 error has custom design and layout too:

404 error Cloudways landing page

Managed WordPress Hosting Starting from $10/month.

Enjoy hassle-free hosting on a cloud platform with guaranteed performance boosts.Try Now

How to Fix WordPress 404 Error in 8 Simple Steps

In this tutorial, I am going to show you how to easily fix the WordPress “404 not found” error on your website. So let’s get started!

1. Clear Browser History & Cookies

The very first troubleshooting method that I perform is clearing the browser cache and cookies. Or you can try to visit your site incognito.

If, apart from your homepage, your other WordPress website pages give you a 404 page not found error, you can follow these steps to resolve the issue.

  • Log in to your WordPress Dashboard
  • Go to Settings → Permalinks
  • Select the Default settings
  • Click Save Changes button
  • Change the settings back to the previous configuration (the once you selected before Default). Put the custom structure back if you had one.
  • Click Save Settings

Note: If you are using a custom structure, then copy/paste it in the Custom Base section.

custom structure setting

This solution could fix the WordPress 404 not found or “WordPress permalinks not working” error. If it doesn’t work, you’ll need to edit the .htaccess file in the main directory of your WordPress installation (where the main index.php file resides). 404 errors are also usually due to misconfigured .htaccess file or file permission related issues.

3. Restore Your .httaccess File

.htaccess is a hidden file, so you must set all files as visible in your FTP.

Note: It’s alway recommended to backup your site before editing any files or pages.

First login to your server using FTP. Download the .htaccess file which is located in the same location as folders like /wp-content/ wp-admin /wp-includes/.

Next, open this file in the text editor of your choice.

Visit the following link and copy/paste the version of the code that is most suitable for your website. Save the .htaccess file and upload it to the live server.

public folder

For example, if you have Basic WP, use the code below.

  1. # BEGIN WordPress
  3. RewriteEngine On
  5. RewriteRule .* – [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  7. RewriteBase /
  9. RewriteRule ^index\.php$ – [L]
  11. RewriteCond %{REQUEST_FILENAME} !-f
  13. RewriteCond %{REQUEST_FILENAME} !-d
  15. RewriteRule . /index.php [L]
  17. # END WordPress

4. Setup a 301 Redirect

If you have changed the URL of any specific page and haven’t redirected it yet, it’s time to redirect the old URL to your new URL. There are two easy ways to redirect your old post/page: via plugin and htaccess file.

If you are comfortable working with htaccess, add the following code to your htaccess file. Don’t forget to replace the URLs with your own website.

  1. Redirect 301 /oldpage.html https://www.mywebsite.com/newpage.html

For an easier way, install the Redirection Plugin and go to WordPress Dashboard > Tools > Redirection. Complete the setup and Add new redirection.

Redirection

5. Disabling Plugins/Theme

It’s possible that an un-updated or poorly coded plugin is causing the 404 error on your WordPress site. To check this, you need to deactivate all our plugins.

Access your WordPress files using an FTP like FileZilla. Go to public_html > wp-content and change the plugins folder name to something like myplugins.

Disabling Plugins

Now go back to your browser to check if the website starts working or not. If the error has been resolved then one of the plugins is the culprit.

Note: If it’s not resolved then simply change the myplugins folder name to plugins and move to the next troubleshoot method.

If it’s resolved, change the myplugins folder name to plugins and open your WordPress dashboard to find the culprit. Go to Plugins > Installed Plugins. Activate each plugin one by one and check if your website is working. This way you can find the problematic plugin and resolve your WordPress 404 error.

plugins

6. Change and Update WordPress URL in Database

Maybe you’re seeing this error on your WordPress website.

“The requested URL was not found on this server. If you entered the URL manually, please check your spelling and try again.”

Update WordPress URL

Go to your PHPMyAdmin, navigate to your database name, and select wp-option. For example, blog > wp-option.

PHPMyAdmin

Now change the URL. For example, from https://www.abc.com/blog/ to http://localhost/blog.

change the URL

7. Fix WordPress 404 Error on Local Servers

Many designers and developers install WordPress on their desktops and laptops using a local server for staging purposes. A common problem with local server installations of WordPress is the inability to get permalink rewrite rules to work. You might try to change the permalinks for posts and pages, but eventually the website shows the WordPress “404 Not Found” error.

Fixing Errors is Easier With Cloudways

Try Our managed cloud hosting for a hassle-free experience

Start Free!

In this situation, turn on the rewrite module in your WAMP, XAMPP, or MAMP installation. For the purpose of this tutorial, I am using WAMP. Navigate to the taskbar and find the WAMP icon. After that navigate to Apache → Apache modules.

Fixing Errors

It will enable a long list of modules that you can toggle on and off. Find the one called “rewrite_module” and click it so that it is checked.

apache

Then check out whether your permalinks are working or not again.

8. Alternative Method

Navigate to the local server. Find the Apache folder, then go to the “conf” folder. Navigate to httpd.conf file. Search for a line which looks like:

#LoadModule rewrite_module modules/mod_rewrite.so

Just remove the “#” sign so it looks like this:

LoadModule rewrite_module modules/mod_rewrite.so

Conclusion

I hope you find this guide helpful and that you were able to solve your “WordPress 404 page error” or “WordPress permalinks not working” problem. Have you figured out any other way to get rid of this problem? Please share your solutions with us in the provided comment section below.

Frequently Asked Questions

Q. Why am I getting a 404 error?

WordPress 404 errors usually occur when you have removed certain pages from your website and haven’t redirected them to other pages that are live. Sometimes, WordPress 404 page errors can also occur when you have changed a URL of a specific page.

Q. How do I test a 404 error?

There are multiple tools you can use to test WordPress 404 errors, like Deadlinkchecker.

Q. How to redirect WordPress 404 pages?

On your WordPress dashboard, navigate to Tools > Redirection. There you can apply redirection by pasting the broken URL in the source box and the new URL in the Target box.

Q. How to edit a WordPress 404 page?

On your WordPress dashboard, navigate to Appearance > Theme Editor. Find the file named “404.php file” and edit the file yourself or using the help of a WordPress developer.

Source :
https://www.cloudways.com/blog/wordpress-404-error/

Trend Micro’s One Vision, One Platform

The world moves fast sometimes. Just two years ago, organizations were talking vaguely about the need to transform digitally, and ransomware began to make headlines outside the IT media circle. Fast forward to 2022, and threat actors have held oil pipelines and critical food supply chains hostage, while many organizations have passed a digital tipping point that will leave them forever changed. Against this backdrop, CISOs are increasingly aware of running disjointed point products’ cost, operational, and risk implications.

That’s why Trend Micro is transforming from a product- to a platform-centric company. From the endpoint to the cloud, we’re focused on helping our customers prepare for, withstand, and rapidly recover from threats—freeing them to go further and do more. Analysts seem to agree.

Unprecedented change

The digital transformation that organizations underwent during the pandemic was, in some cases, unprecedented. It helped them adapt to a new reality of remote and now hybrid working, supply chain disruption, and rising customer expectations. The challenge is that these investments in cloud infrastructure and services are broadening the corporate attack surface. In many cases, in-house teams are drowning in new attack techniques and cloud provider features. This can lead to misconfigurations which open the door to hackers.

Yet even without human error, there’s plenty for the bad guys to target in modern IT environments—from unpatched vulnerabilities to accounts protected with easy-to-guess or previously breached passwords. That means threat prevention isn’t always possible. Instead, organizations are increasingly looking to augment these capabilities with detection and response tooling like XDR to ensure incidents don’t turn into large-scale breaches. It’s important that these tools are able to prioritize alerts. Trend Micro found that as many as 70% of security operations (SecOps) teams are emotionally overwhelmed with the sheer volume of alerts they’re forced to deal with.

SecOps staff and their colleagues across the IT function are stretched to the limit by these trends, which are compounded by industry skills shortages. The last thing they need is to have to swivel-chair between multiple products to find the right information.

What Gartner says

Analyst firm Gartner is observing the same broad industry trends. In a recent report, it claimed that:

  • Vendors are increasingly divided into “platform” and “portfolio” providers—the latter providing products with little underlying integration
  • By 2025, 70% of organizations will reduce to a maximum of three the number of vendors they use to secure cloud-native applications
  • By 2027, half of the mid-market security buyers will use XDR to help consolidate security technologies such as endpoint, cloud, and identity
  • Vendors are increasingly integrating diverse security capabilities into a single platform. Those which minimize the number of consoles and configuration planes, and reuse components and information, will generate the biggest benefits

The power of one

This is music to our ears. It is why Trend Micro introduces a unified cybersecurity platform, delivering protection across the endpoint, network, email, IoT, and cloud, all tied together with threat detection and response from our Vision One platform. These capabilities will help customers optimize protection, detection, and response, leveraging automation across the key layers of their IT environment in a way that leaves no coverage gaps for the bad guys to hide in.

There are fewer overheads and hands-on decisions for stretched security teams with fewer vendors to manage, a high degree of automation, and better alert prioritization. Trend Micro’s unified cybersecurity platform vision also includes Trend Micro Service One for 24/7/365 managed detection, response, and support—to augment in-house skills and let teams focus on higher-value tasks.

According to Gartner, the growth in market demand for platform-based offerings has led some vendors to bundle products as a portfolio despite no underlying synergy. This can be a “worst of all worlds,” as products are neither best-of-breed nor do they reduce complexity and overheads, it claims.

We agree. That’s why Trend Micro offers a fundamentally more coherent platform approach. We help organizations continuously discover an ever-changing attack surface, assess risks and then take streamlined steps to mitigate that risk—applying the right security at the right time. That’s one vision, one platform, and total protection.

To find out more about Trend Micro One, please visit: https://www.trendmicro.com/platform-one

Source :
https://www.trendmicro.com/en_us/research/22/e/platform-centric-enterprise-cybersecurity-protection.html

Windows 11 KB5014019 update fixes app crashes, slow copying

Microsoft has released optional cumulative update previews for Windows 11, Windows 10 version 1809, and Windows Server 2022, with fixes for Direct3D issues impacting client and server systems.

The updates are part of Microsoft’s scheduled April 2022 monthly “C” updates, allowing Windows users to test the fixes released on June 15th as part of next month’s Patch Tuesday.

Unlike regular Patch Tuesday Windows updates, scheduled non-security preview updates are optional. They are issued to test bug fixes and performance improvements before the general release, and they don’t provide security updates.

Cumulative updates released today include:

To install the updates, you have to go to Settings > Windows Update and manually ‘Check for updates.’ Windows will not install them until you click the ‘Download now’ button because they’re optional updates.

You can also manually download and install these cumulative update previews from the Microsoft Update Catalog.

“The preview update for other supported versions of Windows 10 will be available in the near term,” Microsoft said.

Windows 11 KB5014019 update
Windows 11 KB5014019 update (BleepingComputer)

KB5014019 fixes Direct3D app crashes

Today’s Windows optional updates come with fixes for issues that might cause some applications to crash or trigger various problems.

As Microsoft explained, KB5014019 “addresses an issue that might affect some apps that use d3d9.dll with certain graphics cards and might cause those apps to close unexpectedly.”

The same cumulative update also fixes a known issue affecting specific GPUs and could “cause apps to close unexpectedly or cause intermittent issues that affect some apps that use Direct3D 9.”

This update also fixes an issue that might cause file copying to be slower and another one preventing BitLocker from encrypting when using the silent encryption option.

KB5014019 addresses a known issue impacting the Trusted Platform Module (TPM) driver that might increase the system’s startup time.

What’s new in today’s Windows updates

After installing the KB5014019 non-security cumulative update preview, Windows 11 will have the build number changed to 22000.708.

The Windows 11 update preview includes dozens of quality improvements and fixes, including:

  • Addresses an issue that causes blurry app icons in Search results when the display’s dots per inch (dpi) scaling is greater than 100%.
  • New! Windows spotlight on the desktop brings the world to your desktop with new background pictures. With this feature, new pictures will automatically appear as your desktop background. This feature already exists for the lock screen. To turn on this feature, go to Settings > Personalization > Background > Personalize your background. Choose Windows spotlight.
  • Addresses an issue that fails to maintain the display brightness after changing the display mode.

    Source :
    https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5014019-update-fixes-app-crashes-slow-copying/

Windows 11 KB5014019 breaks Trend Micro ransomware protection

This week’s Windows optional cumulative update previews have introduced a compatibility issue with some of Trend Micro’s security products that breaks some of their capabilities, including the ransomware protection feature.

“The UMH component used by several Trend Micro endpoint and server protection products is responsible for some advanced features such as ransomware protection,” the antivirus vendor revealed.

“Trend Micro is aware of an potential issue where customers who apply the optional Microsoft Windows 11 or Windows 2022 optional preview patches (KB5014019) and reboot would then find that the Trend Micro UMH driver would stop.”

The known issue affects the User Mode Hooking (UMH) component used by several Trend Micro endpoint solutions, including Apex One 2019, Worry-Free Business Security Advanced 10.0, Apex One as a Service 2019, Deep Security 20.0, Deep Security 12.0, and Worry-Free Business Security Services 6.7.

The Japanese cybersecurity company is now working on a fix to address this issue before the update previews are pushed to all Windows customers as part of the June 2022 Patch Tuesday.

How to restore Trend Micro endpoint solution capabilities

Luckily, unlike regular Patch Tuesday Windows updates, this week’s preview updates are optional and they were issued to test bug fixes and performance improvements before the general release.

Windows users have to manually check for them from Settings > Windows Update. They will not be installed until you click the ‘Download now’ button, limiting the number of potentially impacted users.

Impacted Windows platforms include both client and server versions with the problems experienced on systems running Windows 11, Windows 10 version 1809, and Windows Server 2022.

Trend Micro customers who have installed the optional Windows optional patch may either uninstall the patch temporarily or reach out to support to get a UMH debug module that should revive their security solution’s capabilities.

Windows users can remove the preview updates using the following commands from an Elevated Command Prompt.

Windows 10 1809: wusa /uninstall /kb:5014022 
Windows 11: wusa /uninstall /kb:5014019
Windows Server 2022: wusa /uninstall /kb:5014021

Source :
https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/

Why you should act like your CEO’s password is “qwerty”

A poor password at the highest levels of an organisation can cost a company millions in losses.

Recent findings show that half of IT leaders store passwords in shared documents. On top of that, it seems that folks at executive level are not picking good passwords either. Researchers from NordPass combed through a large list of CEO and business owner breaches. Their findings should renew considerations for additional security measures at executive level.

The findings

The five most common passwords among C-level executives, managers, and business owners were “123456”, “password”, “12345”, “123456789”, and our old friend “qwerty”. Terrifyingly, but perhaps not surprisingly, this looks exactly like every other list of the most frequently used passwords, suggesting no extra precautions are in place (or enforced) at the top.

Executives really love to use the names “Tiffany”, “Charlie”, Michael”, and “Jordan” for their passwords. I was curious to know if these are the names of executives’ name their kids. My entirely unscientific trawl for the names of CEO’s children turned up list of CEOs themselves. Henry, William, Jack, James, and David are all very popular names. This doesn’t match up with our list of password names. However, there is one list which claims that the Michaels of this world are most likely to become CEOs. Are CEOs naming their passwords after themselves? I’d like to think not, but then I probably wouldn’t have expected to be writing about “123456” either.

Animals and mythical creatures are popular choices. When not naming passwords after themselves, dragons and monkeys are both incredibly popular and also incredibly easy to guess.

Breaking and entering

Common ways corporate breaches and basic passwords spill all over the floor are issues we’ve covered at length. We recently highlighted recommendations from the Cybersecurity and Infrastructure Security Agency which deal with most of the causes of CEO password loss.

A combination of weak and reused passwords, and risky password-sharing habits make up the majority of hits on the “these passwords can lead to nothing good” indicator.

What happens when you combine bad password practices with human error and poor security infrastructure? These weak and obvious passwords just help to bring the whole thing crashing down that little bit faster.

There are some very smart attacks and compromises out there. Clever attackers can exfiltrate data from a network for weeks or months before making a more overt move. You’d expect people hijacking CEO data to be made to really work for it at every level. Sadly this research seems to suggest the opposite is happening in a lot of cases.

If nothing else, I’d love to see the actual response on the part of the criminals. What do they think when pulling down a C-Level executive’s data and discovering their email password is “sandwich”? Are they surprised? Is it business as usual? Do they think it can’t possibly be real, and they’re staring down the wrong end of a prank or law enforcement bust?

Is the CEO password sky falling? A word of caution…

There are some caveats here. The research doesn’t go into detail with regard to additional security measures in place. Yes, a CEO may have the worst password you’ve ever seen. That doesn’t mean the business has been popped right open.

Maybe they had two-factor authentication (2FA) set up. The password may be gone, but unless the attacker also has access to the CEO’s authentication app on their phone, it may not be much use. The CEO may use a hardware authentication token plugged into their desktop. Admins may have set up that one machine specifically for use by the CEO, for all CEO-related activity. It may not be usable remotely, and could be tied to a VPN an added precaution.

Having said all of that

Manager? Use a password manager

If we’re talking purely about fixing the short, terrible, obvious passwords, then some additional work is required. 2FA, lockouts, and hardware tokens are great. Ultimately they’re fixing a myriad of additional problems regardless of whether the password is good or bad.

To fix bad password practices, we need to look to tools which can improve them and help keep them a bit more secure at the same time. I am talking about password managers, of course.

A password manager is a software application that gets around the twin evils of poor passwords and password reuse by creating strong, random passwords and then remembering them.

They can function online, so they are accessible via the web and can sync passwords between devices, or they can work entirely offline. Offline password managers are arguably more secure. Online components can add additional risk factors and a way for someone to break in via exploits. The important part is to keep the master password to access your vault secure, and to use 2FA if available for an additional layer of protection. Make your master password long and complex—don’t use “qwerty”.

Password managers with browser extensions can help deter phishing. Your password manager will object to entering a password into the wrong website, no matter how convincing it looks. No more risk of accidental logins!

Some password manager tools allow you to share logins with other users in a secure fashion. They don’t show or display the password to the other users, rather they just grant a form of access managed by the tool or app itself. If your CEO has no option but to share a password with somebody else, this is the only safe way to do it.

There’s never been a better time to wean ourselves away from shared password documents and the name “Michael” as the digital keys to an organisation’s kingdom. It’s perhaps time for CEOs and other executives to lead from the front where security is concerned.

Source :
https://blog.malwarebytes.com/malwarebytes-news/2022/05/why-you-should-act-like-your-ceos-password-is-querty/

WordPress 6.0: A major release with major improvements

It’s only been 4 months since the previous major release but we’re already excited to welcome WordPress 6.0. Of course, as with every other major release, you can expect loads of loads of improvements and exciting new features. This new version is no different. WordPress 6.0 continues to refine and iterate on the tools and features introduced in earlier releases. Let’s dive deeper into what WordPress 6.0 brings to your table!

For starters, this release will include all the great new features, enhancements and gains from Gutenberg 12.0 and 13.0. At the same time, developers and contributors continue to work on bug fixes and improvements that significantly impact the overall user experience on WordPress. This translates to over 400 updates, 500 bug fixes, and 91 new features in just one release, which is huge!

We’re getting an improved list view experience, style theme variations, additional templates, new blocks, new enhancements to the block editors and many more. Since there are many new things coming in this release, we’d like to bring your attention to some of the features and improvements that will likely have an impact on the way you use WordPress.

Full site editing enhancements and new features

Full site editing was the talk of the town when this major feature was introduced in previous releases. WordPress 6.0 continues to build upon the groundwork laid in 5.9 and further improves on what you can do with full site editing. You will need to use a block-based theme such as WordPress’s Twenty-Twenty-Two to take advantage of full site editing.

Style variations and global style switcher

Many people in the WordPress community are excited about this feature in the Site editor. You’ll be able to use theme variations derived from one single theme using various color and font combinations. It’s kind of like having several child themes but integrated into one single theme. And it’s incredibly easy to apply a new style variation across your entire site. From now on, you’ll be able to change the look and feel of your website with just a click.

Easily change the look and feel of your site using style variations

Theme export capability

Another huge improvement to full site editing specifically and the WordPress platform as a whole is the ability to export block themes. Any templates, layouts and style changes you made can be saved and exported to a .zip file. This feature is huge because it’s paving the way for visual theme building. You can create a WordPress theme just by purely using Gutenberg blocks. And of course, no coding knowledge is required!

To export your theme, go to your Site editor and click on the 3 dots icon in your top right corner. There should appear a menu with the option to download your theme.

New templates

Being able to use and customize templates to build your website content is great because it helps you to save time. We had templates to work with in previous WordPress versions, but the options were limited. WordPress 6.0 expands on this and introduces several new templates for specific functions. These include templates for displaying posts from a specific author, category, date, tag, or taxonomy.

New template options in the site editor

List view enhancements

When you access the list view in WordPress 6.0, you will see that your blocks are grouped together and collapsed instead of showing everything like in previous versions. This will make navigating the list view much easier. Next to this, when you’re working on a page with the list view open and you click anywhere on the page, it will highlight precisely where you are in the list view. Anyone who regularly works on complex pages should appreciate this enhancement.

The improved list view experience in WordPress 6.0

Block editor enhancements

New core blocks

WordPress 6.0 will ship with several new blocks including post author biography, avatar, no result in query loop and read more. We want to point you to the new comment query loop block because it further ‘blockifies’ the comment section of your post. With this new block, you’ll get plenty of customization options to design the comment section the way you want to.

The comment query loop block lets you customize your comment section

More features and enhancements

There are quite a lot of improvements and enhancements to the block editor that we can’t cover everything in this post. Instead, we will mention a few that we think will be the most beneficial for you.

The first new enhancement in the block editor we want to introduce is block locking. Moving forward, you’ll be able to lock a block so it can’t be moved and/or edited. A locked block will display a padlock when you click on it. And when you open the list view, you’ll also see the padlock indicating a locked block. This feature is especially useful if you work a lot with reusable blocks and don’t want anyone messing around with those blocks. It’s also beneficial for preserving design layouts when you’re creating templates or working with clients.

The new block locking UI

Next to that, in WordPress 6.0, when you customize a button and then add a new button using the plus button, it will have the same style as the one you’ve just customized. Before, you would need to redo all the customization if you want to add several buttons with the same style.

Another cool feature in this new version is style retention. It’s now possible to keep a block’s style when transforming certain blocks from one type to another and vice versa. It works with quite a few blocks, ranging from quote, list, code, heading, pullquote, verse, etcetera.

Lastly, the cover block can now dynamically grab your featured image and set it as the background for the cover block. All you have to do is select the ‘use featured image‘ setting and WordPress will do the rest.

The cover block can now dynamically grab your post’s featured image and use it as a background

Writing improvements

You can expect several notable writing improvements in this new version of WordPress. They are not major changes by any means, but you’ll definitely notice and appreciate the refinement in your overall writing experience.

Have you ever tried selecting text from 2 separate blocks and got annoyed because it automatically selected all the text from both blocks? Well, you won’t be bothered by that anymore. From WordPress 6.0 onwards, you can easily select text across blocks and edit it to your liking. This is definitely a quality of life improvement.

You can conveniently select text across blocks in WordPress 6.0

Also coming your way is a new link completer shortcut. You can access this shortcut anytime by typing “[[” and it will show you a list of links on your site. This feature can be handy when you’re doing internal linkings, for instance.

Lastly, WordPress will remind you to add tags and categories as the last step before you can publish a post. When you publish a lot of posts, it can be easy to forget this step so this is quite a neat feature for forgetful folks.

Design and layout tools

We won’t be diving too much into the improvements in design and layout tools, but we do think the following two features deserve a mention.

The first one is transparency control for background, which is very useful when you want to use a background with columns. You’ll surely elevate your post design if you can make use of this feature. The next fun addition to WordPress 6.0 is gap support for the gallery block. This just means you have more control over the spacing of your images, giving you a bit more freedom on how you want to display your image gallery. Anyone can take advantage of these 2 new features, but photography and fashion website runners can probably appreciate them the most.

Source :
https://yoast.com/wordpress-6-0/