WebKit suffers from an HTMLSelectElement use-after-free vulnerability.

WebKit HTMLSelectElement Use-After-Free

Auth. (subscriber+) Broken Access Control vulnerability in David Cole Simple SEO plugin <= 1.8.12 on WordPress allows attackers to create or delete sitemap.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

*   Nonce Security!
*   Generates META tags automatically.
*   Works out-of-the-box. Just install!
*   You can override any title and set any META description and any META keywords you want!
*   Google Analytic 4!
*   Google Webmaster Tools!
*   Bing verification & Yandex verification!
*   Twitter and Facebook customization!
*   Quickedit SEO titles and descriptions!
*   Import Yoast SEO data!
*   Import Rank Math SEO data!
*   Import All In One SEO data!
*   Supports custom post types!

1.  Upload the plugin files to the /wp-content/plugins/cds-simple-seo directory, or install the plugin through the WordPress plugins screen directly.
2.  Activate the plugin through the ‘Plugins’ screen in WordPress.
3.  Use the Settings -> Simple SEO screen to configure the sitemap, the META info for the homepage, Google webmaster tools, Google analytic, etc.

If upgrading, please back up your database first!

Please email dave@coleds.com with any questions.

Q: How does front page title and description work.

A: The default title and description will be used under settings. If the front page, or blog page are used, then those pages meta information will be used.

Keep it up Mr. Cole. Simplicity in chaos is the correct path.

As feedback, We are not pleased with the way the plugin is set, but also with the support provided to properly configuring it. This made us simply unistalled it. Perhaps you guys may need to include more people to help you with this area, while having videos, screenshots and all the information available to configure the plugin easy and efficiently, but also providing a lean and clean way to unistall it if the case arises. At the end all is about service quality and customer experience.

JUST AWESOME & simple. please add redirect url. complete!

Finally after searching through SEO plugins all day I came across this one. Does exactly what I wanted, nothing superfluous. Excellent!

Great SEO plug-in! Puts the control back to the user without all the smoke and mirrors of Yoast, AIOSEO, et. al. Study your SEO manual, install this WordPress plug-in, and you're set.

Finally, a simple plugin just to add custom keyword and meta description like the old days.

Read all 14 reviews

“Simple SEO” is open source software. The following people have contributed to this plugin.

Contributors

*    David Cole

**1.1.0**

*   Added Google webmaster tools and analytic

**1.2.0**

Release Date: August 11th, 2017

*   Enhancements
    
    *   Added Robot NOINDEX and NOFOLLOW
    *   Added a preview sections for how the meta information should show on a search engine page.
    *   Added pre\_get\_document\_title for compatibility
*   Bugfixes
    
    *   Fixes a typo in the readme.txt :-p

**1.2.1**

Release Date: August 24th, 2017

*   Bugfixes
    *   Google Verification fixed/updated.

**1.2.2**

Release Date: August 30th, 2017

*   Bugfixes
    *   Fixed title, description, etc from showing a empty result () if it’s not specified.
    *   Added some simple code to generate default metadata if none is specified.

**1.2.3**

*   Enhancements
    *   Added settings link to plugin page.
    *   Updated the GA script/code.
    *   Various minor changes for future updates.

**1.3.0**

Release Date: April 17th, 2018

*   Enchancments
    
    *   Complete overhaul of Simple SEO presentation when editing pages, posts, etc.
    *   Lots of code optimization.
*   Random
    
    *   Updated the license to: GPLv3

**1.3.1**

Release Date: May 21st, 2018

*   Bugfixes
    *   Fixed a bug which prevented the keywords and description from showing. Thank you Aletta!

**1.3.2**

Release Date: May 28th, 2018

*   Bugfixes
    *   Fixed a bug which displayed Google Analytic even if a code was not added. Thank you Mahendra!

**1.3.3**

Release Date: June 21th, 2018

*   Enchancments
    *   Added meta title and meta description input fields to quick edit and bulk edit.
    *   Added meta titles and meta description to index; where applicable

**1.3.4**

Release Date: July 5th, 2018

*   Bugfixes
    *   Quick edit fix.

**1.4.0**

Release Date: May 19th, 2019

*   Enchancments
    *   Facebook
    *   Twitter
    *   Bing Verification
    *   Baidu Verification
    *   Yandex Verification

**1.4.1**

Release Date: May 22nd, 2019

*   Bugfix
    *   WooCommerce compadability – Thank you Andrew.

**1.4.2**

Release Date: May 23rd, 2019

*   Bugfix
    *   WooCommerce compadability – Thank you Andrew.

**1.4.3**

Release Date: June 13th, 2019

*   Enchancments
    *   Added quick edit for posts
    *   Added the option to import Yoast SEO data into Simple SEO. This can be found under Settings -> Simple SEO at the bottom of the page.

**1.4.4**

Release Date: June 13th, 2019

*   Enchancments
    *   Added post\_name to the columns options

**1.4.5**

Release Date: June 13th, 2019

*   Enchancments
    *   Added taxonomy support
    *   Including WooCommerce taxonomy support!

**1.4.6**

Release Date: June 13th, 2019

*   Bugfix
    *   Taxonomy fix.

**1.4.8**

Release Date: June 14th, 2019

*   Bugfix
    *   WooCommerce compadability issue for those not running woocommerce. Fixed.

**1.4.9**

Release Date: June 14th, 2019

*   Bugfix
    *   d2.roth posted a bug with contact form 7. Fixed.

**1.5**

Release Date: Feb 27th, 2020

*   Enchancments
    *   Quickedit for custom post types
    *   Column sorting

**1.5.1**

Release Date: June 16th, 2020

*   Bugfix
    *   Fix an issues where the default meta data was not showing on the static post front page.

**1.5.2**

Release Date: October 12th, 2020

*   Bugfix
    *   WooCommerce CSS updates.

**1.5.3**

Release Date: October 14th, 2020

*   Bugfix
    *   WooCommerce updates.

**1.5.6**

Release Date: December 4th, 2020

*   Update
    *   Minor updates to code.

**1.6**

Release Date: December 7th, 2020

*   Update
    *   Added sitemap generation.

**1.6.1**

Release Date: December 7th, 2020

*   Update
    *   added htmlspecialchars() to url for sitemap.

**1.6.2**

Release Date: December 8th, 2020

*   Update
    *   updated the date format in sitemap.

**1.6.4**

Release Date: December 9th, 2020

*   Update
    *   Disabled sitemap generation on admin\_init
    *   Removed noindex, nofollow pages (Simple SEO) from sitemap
    *   Added more translation features/options (more coming soon.)
    *   Added action for transition\_post\_status to update sitemap, if sitemap generation is enabled.

**1.6.5**

Release Date: December 9th, 2020

*   Bugfix
    *   Modified the transition\_post\_status

**1.6.6**

Release Date: Jan 1st, 2021

*   Update
    *   Added some more translation capabiltiies
    *   Added the abilty to import infor from All in One SEO and Rank Math. Enjoy!

**1.6.7**

Release Date: Jan 1st, 2021

*   Update
    *   Corrected some typos.

**1.6.8**

Release Date: March 3rd, 2021

*   Update
    *   Corrected some typos.

**1.6.9**

Release Date: July 19th, 2021

*   Update
    *   WordPress 5.8.
    *   Blog page title shows if using a static page
    *   Some other minor fixes.
    *   Added supportt for Google Analytic 4

**1.7**

Release Date: August 11th, 2021

*   Bugfix
    *   Fixed homepage title bug for static page.
    *   Fixed keywords being erased when using quickedit.

**1.7.1**

Release Date: October 19th, 2021

*   New Feature
    *   Added canonical urls.

**1.7.2**

Release Date: Jan 20th, 2022

*   Bugfix
    *   Taxonomy code updates and meta title fixes provides by Daniel Roth. Thanks Daniel!

**1.7.3**

Release Date: March 6th, 2022

*   Bugfix
    *   Search title update. Thanks Daniel Roth!

**1.7.4**

Release Date: March 6th, 2022

*   Bugfix
    *   og and twitter title update.

**1.7.5**

Release Date: March 14th, 2022

*   Bugfix
    *   Category forwardslash issue fix. Thanks Daniel Roth!

**1.7.7**

Release Date: May 8th, 2022

*   Update for WP 6.0

**1.7.8**

Release Date: June 20th, 2022

*   Archive pages titles, descriptions, og data fixed!
*   Sitemaps fixed; for now it will only show pages and posts. Recommend using WordPress built in Sitemap as this sitemap feature will be removed in the future.

**1.7.9**

Release Date: July 10th, 2022

*   Updated sseoGetTitle() for archive pages.

**1.7.91**

Release Date: July 11th, 2022

*   Updated sseoGetTitle() for WooCommerce shop page.

**1.7.96**

Release Date: July 25th, 2022

*   Updates for WordPress compliance.

**1.7.98**

Release Date: July 26th, 2022

*   Update is\_home\_posts\_page()

**1.7.99**

Release Date: August 18th, 2022

*   Update to FB/OG meta data.

**1.8.0**

Release Date: August 18th, 2022

*   Update to FB/OG meta data.

**1.8.1**

Release Date: Sept 4th, 2022

*   Updated default meta titles, descriptions and keywords.
*   More updates coming for default FB, Twitter, and erasing database information on uninstall.

**1.8.12**

Release Date: Sept 7th, 2022

*   Fixed meta description issue.

**1.8.13**

Release Date: October 14th, 2022

*   Removed Baidu.
*   Removed Sitemaps; WordPress has a built in Sitemap, no need for this functionality.

**1.8.14**

Release Date: October 26th, 2022

*   Preping for WordPress 6.1

**1.8.15**

Release Date: October 26th, 2022

*   Preping for WordPress 6.1
*   Added screenshots
*   Removed obsolete code functions

CVE-2022-36404: Simple SEO

Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Stage Rock Convert plugin <= 2.11.0 on WordPress.

*   Details
*   Reviews
*   Support
*   Development

Publique banners no seu blog de maneira rápida e efetiva, e converta visitantes em subscribers, leads ou clientes sem precisar entender código. Esses calls-to-action (CTAs) serão publicados diretamente do seu painel do WordPress e poderão ser monitorados através do Google Analytics.

**Adicione os banners em massa**

Seus posts estão sendo criados, mas você tem problemas quando o assunto é aumentar o número de conversões? Publique seus banners em todos os seus posts sem mexer diretamente no código.

**Organize de acordo com categorias**

Para facilitar, os banners podem ser organizados para serem apresentados de acordo com a categoria dos posts do seu blog. Assim fica fácil manter o controle sobre o que cada conteúdo irá apresentar.

**Personalize e obtenha melhores resultados**

Posicione o CTA dentro dos posts escolhendo entre o topo e o final do conteúdo, programe a data do lançamento e personalize as tags HTML para obter melhores resultados.

**Analise os resultados**

Insira UTMs (as tags de monitoramento padrão do Google) para monitorar os resultados diretamente no Google Analytics.

**Outras funcionalidades**

*   Compatível com SEO.
*   Compatível com qualquer versão do WordPress, sem a necessidade de customização de estilo (CSS).
*   Compatível com AMP.
*   Responsivo (funciona em qualquer dispositivo).
*   Disponível em inglês (en) e português (pt-br).
*   Clique aqui para ver exemplos online.

Avalie o plugin deixando uma classificação ou sugira novas features no fórum de suporte.

Feito com ❤ pelo time da Rock Content no #SanPedroValley.

Rock Convert will definitely save you some hours of manual work through enabling you to scale banner distribution across your blog and converting users to leads. If you download it, you will not regret!

As estatísticas pararam de funcionar. Testei direto no PHP e direto no texto também, mas não contabiliza mais. Utilizo o plugin há tempos e funcionava. Estou usando a versão 2.9.5.

Instalei pois necessitava de uma caixa de captura para newsletter. A caixa é a com o melhor design e a mais fácil de configurar entre todas as opções que vi (testei várias). Porém a mesma não funciona no site versão AMP. Uso o AMP oficial do Wordpress. Entrei em contato com o suporte e infelizmente também não conseguiram resolver. Sá não tirei ainda do meu site, pois os demais plugins de newsletter não me agradaram.

Gostei mas o plugin não está atualizado, só queria adicionar CTA de baixar o conteúdo em páginas e não artigos. Está causando erro quando atualiza a nova versão do WordPress.

Sou desenvolvedor e sempre instalo nos WP que faço. Com ele de maneira muito fácil você consegue colocar e partes estratégicas do site um action para sua LP e assim aumentar o número de leads

Ainda não experimentei pois o WP só permite instalação de plugins no plano pago(pago eu utilizo o Wix). Ou plano de hospedagem profissional, mas a princípio para uma forma de adSense da RockContent.

Read all 20 reviews

“Rock Convert” is open source software. The following people have contributed to this plugin.

Contributors

*    Rock Content

**3.0.0**

*   Revisão completa do plugin
*   Refatorado o código para melhor desempenho e segurança
*   Todas as variáveis e opções foram escapadas a fim de evitar ataques XSS
*   Refatoração baseada no WordPress Coding Standard

**2.11.0**

Correção:  
\* Corrigidos pontos de vulnerabilidade XSS  
\* Melhoria na semântica dos formulários da área administrativa  
\* Corrigida chamada a API Rest

**2.10.2**

Improvements:  
\* Improvements in the plugin security

**2.10.1**

Correção:  
\* Css which affected the theme fixed

**2.10.0**

Correção:  
\* Fix popup front

**2.9.9**

Correção:  
\* Fix query categories and layout admin

**2.9.8**

Correção:  
\* Correção do formulário de popup

**2.9.7**

Correção:  
\* Melhorias no layout do preview

**2.9.6**

Correção:  
\* Correção de chamada de função javascript  
\* Melhorias no layout do preview

**2.9.5**

Correção:  
\* Correção dos endpoints rest

**2.9.4**

Correção:  
\* Correção de css dos titulos do blog

**2.9.3**

Correção:  
\* Correção de versão do arquivo javascript

**2.9.2**

Correção:  
\* Correção de bug no campo de widget

**2.9.1**

Correção:  
\* Correção de bug no layout do admin

**2.9**

Novidades:  
\* Adição de nova funcionalidade de popup exit

**2.8.1**

Melhorias:  
\* Corrigida chamada rest  
\* Corrigida quebra de layout no painel

**2.8**

Novidades:  
\* Adicionado novos campos para o formulário do widget

**2.7.1**

Novidades:  
\* Adicionado painel para visualização das leads

**2.7.0**

Novidades:  
\* Suporte a tags  
\* Possibilidade de escolher regras de exibição mais refinadas

**2.2.0**

Novidades:  
\* Nova funcionalidade: Barra de anúncios no topo do site  
\* Nova funcionalidade: CTA customizavel na barra lateral

Melhorias:  
\* Altera separador ao exportar para arquivo CSV de ; para ,  
\* Permite alterar a mensagem de sucesso do widget Caixa de captura  
\* Permite alterar o titulo e o texto do botão na caixa de download

**2.1.4**

Melhorias:  
\* Adiciona suporte a event tracking para o Google Analytics  
\* Reduz o tamanho do script necessário para utilizar o Rock Convert

**2.1.3**

Correção:  
\* Previne que aconteça o Fatal Error na função get\_rest\_url

Melhorias:  
\* Previne que as visualizações dos CTAs sejam bloqueadas por plugins de cache

**2.1.2**

Melhorias:  
\* Permite cadastrar parametros customizados no link do CTA  
\* Adiciona suporte ao WordPress 5.0  
\* Adiciona formulário na página de configurações para se inscrever na newsletter do Rock Convert

**2.1**

Novas funcionalidades  
\* Adiciona Widget com caixa de captura de e-mails

**2.0.11**

Correção:  
\* Previne que o erro “Undefined index” aconteça ao mostrar banners na página do post

**2.0.0**

Melhorias:  
\* Visibilidade: Agora é possível escolher páginas onde um banner não deve aparecer;  
\* Shortcode: Todo banner tem um shortcode único que pode ser adicionado em qualquer posição de qualquer conteúdo;

Novas funcionalidades:  
\* Analytics: saiba como seus CTAs estão performando diretamente no painel do wordpress;  
\* Captura de leads: Disponibilize seus posts para download no formato PDF e capture os e-mails;  
\* Faça download dos leads no formato CSV

**1.0.0**

*   Permite criar CTAs
*   Permite selecionar as categorias onde o CTA deve aparecer
*   Permite selecionar a imagem do CTA
*   Permite selecionar onde o CTA deve aparecer (início ou fim do post)
*   Permite cadastrar as UTM Tags para o link

CVE-2022-36428: Rock Convert

A French-speaking threat actor dubbed OPERA1ER has been linked to a series of more than 30 successful cyber attacks aimed at banks, financial services, and telecom companies across Africa, Asia, and Latin America between 2018 and 2022.
According to Singapore-headquartered cybersecurity company Group-IB, the attacks have led to thefts totaling $11 million, with actual damages estimated to be as

A French-speaking threat actor dubbed **OPERA1ER** has been linked to a series of more than 30 successful cyber attacks aimed at banks, financial services, and telecom companies across Africa, Asia, and Latin America between 2018 and 2022.

According to Singapore-headquartered cybersecurity company Group-IB, the attacks have led to thefts totaling $11 million, with actual damages estimated to be as high as $30 million.

Some of the more recent attacks in 2021 and 2021 have singled out five different banks in Burkina Faso, Benin, Ivory Coast, and Senegal. Many of the victims identified are said to have been compromised twice, and their infrastructure subsequently weaponized to strike other organizations.

OPERA1ER, also known by the names DESKTOP-GROUP, Common Raven, and NXSMS, is known to be active since 2016, operating with the goal of conducting financially motivated heists and exfiltration of documents for further use in spear-phishing attacks.

"OPERA1ER often operates during weekends and public holidays," Group-IB said in a report shared with The Hacker News, adding the adversary's "entire arsenal is based on open-source programs and trojans, or free published RATs that can be found on the dark web."

This includes off-the-shelf malware such as Nanocore, Netwire, Agent Teslam Venom RAT, BitRAT, Metasploit, and Cobalt Strike Beacon, among others.

The attack chain commences with "high-quality spear-phishing emails" with invoice and delivery-themed lures written primarily in French and to a lesser extent in English.

These messages feature ZIP archive attachments or links to Google Drive, Discord servers, infected legitimate websites, and other actor-controlled domains, which lead to the deployment of remote access trojans.

Succeeding in the RAT execution, post-exploitation frameworks like Metasploit Meterpreter and Cobalt Strike Beacon are downloaded and launched to establish persistent access, harvest credentials, and exfiltrate files of interest, but not before an extended reconnaissance period to understand the back-end operations.

This is substantiated by the fact that the threat actor has been observed spending anywhere between three to 12 months from initial intrusion to making fraudulent transactions to withdraw money from ATMs.

The final phase of the attack involves breaking into the victim's digital banking backend, enabling the adversary to move funds from high value accounts to hundreds of rogue accounts, and ultimately cash them out via ATMs with the help of a network of money mules hired in advance.

"Here clearly the attack and theft of funds were possible because the bad actors managed to accumulate different levels of access rights to the system by stealing the login credentials of various operator users," Group-IB explained.

In one instance, over 400 mule subscriber accounts were employed to illicitly siphon the money, indicating that the "attack was very sophisticated, organized, coordinated, and planned over a long period of time"

The findings – carried out in collaboration with telecom giant Orange – that OPERA1ER managed to pull off the banking fraud operation by solely relying on publicly available malware highlights the effort that has gone into studying the internal networks of the organizations.

"There are no zero-day threats in OPERA1ER's arsenal, and the attacks often use exploits for vulnerabilities discovered three years ago," the company noted. "By slowly and careful inching their way through the targeted system, they were able to successfully carry out at least 30 attacks all around the world in less than three years."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

OPERA1ER APT Hackers Targeted Dozens of Financial Organizations in Africa

In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.

There is an out-of-bounds write in rasterize\_edges\_8 due to an integer overflow in  pixman_sample_floor_y.

    pixman_sample_floor_y (pixman_fixed_t y, int n)
    {
        pixman_fixed_t f = pixman_fixed_frac (y);
        pixman_fixed_t i = pixman_fixed_floor (y);
    
        f = DIV (f - pixman_fixed_e - Y_FRAC_FIRST (n), STEP_Y_SMALL (n)) * STEP_Y_SMALL (n) +
        Y_FRAC_FIRST (n);
    
        if (f < Y_FRAC_FIRST (n))
        {
            if (pixman_fixed_to_int (i) == 0x8000)  ←(1)
            {
                f = 0; /* saturate */
            }
            else
            {
                f = Y_FRAC_LAST (n);
                i -= pixman_fixed_1; ← (2)
            }
        }
        return (i | f);
    }

The condition at (1) will never be true because if i = 0x80000000, then pixman_fixed_to_int would return 0xffff8000, not 0x8000. The subtraction at (2) would then overflow back to 0x7fffffff.

Using the example from the attached POC: let’s say y=0x80000700. At (1), i= 0x80000000 and f=0xfffff778. So pixman_fixed_to_int(i) = 0xffff8000. Therefore the code falls into the else block and completes i -= pixman_fixed_1 at (2) which causes i to overflow to 0x7fff0000. pixman_sample_floor_y(0x80000700) returns 0x7ffff777 instead of 0x80000000.

pixman_rasterize_trapezoid then passes a much too large b to pixman_rasterize_edges leading to the heap out-of-bounds write in the memset in rasterize_edges_8.

\================================================================

PROOF OF CONCEPT

Tested as of commit 285b9a907caffeb979322e629d4e57aa42061b5a.

Copy to pixman/pixman directory and build: $gcc poc.c -ldl -fsanitize=address -o poc

\=================================================================

    ==473984==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000009b1 at pc 0x7f269bb0928e bp 0x7ffde5f223d0 sp 0x7ffde5f21b80
    WRITE of size 10 at 0x61b0000009b1 thread T0
        #0 0x7f269bb0928d in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
        #1 0x7f2698a8d421 in rasterize_edges_8 /usr/local/google/home/maddiestone/pixman/pixman/pixman-edge.c:320
        #2 0x7f2698a8d421 in pixman_rasterize_edges_no_accessors /usr/local/google/home/maddiestone/pixman/pixman/pixman-edge.c:359
        #3 0x7f2698a8d421 in pixman_rasterize_edges /usr/local/google/home/maddiestone/pixman/pixman/pixman-edge.c:382
        #4 0x7f2698ab3894 in pixman_rasterize_trapezoid /usr/local/google/home/maddiestone/pixman/pixman/pixman-trap.c:386
        #5 0x55ca2f9ec7a1 in main (/usr/local/google/home/maddiestone/pixman/pixman/poc+0x17a1)
        #6 0x7f269b9147fc in __libc_start_main ../csu/libc-start.c:332
        #7 0x55ca2f9ec129 in _start (/usr/local/google/home/maddiestone/pixman/pixman/poc+0x1129)
    
    0x61b0000009b1 is located 769 bytes to the right of 1584-byte region [0x61b000000080,0x61b0000006b0)
    allocated by thread T0 here:
        #0 0x7f269bb7e987 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
        #1 0x7f2698a71209 in create_bits /usr/local/google/home/maddiestone/pixman/pixman/pixman-bits-image.c:1273
        #2 0x7f2698a71209 in _pixman_bits_image_init /usr/local/google/home/maddiestone/pixman/pixman/pixman-bits-image.c:1296
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799 in __interceptor_memset
    Shadow bytes around the buggy address:
      0x0c367fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c367fff8130: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
      0x0c367fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==473984==ABORTING

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. **The scheduled deadline is 2022-11-03**. For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html

poc.c

CVE-2022-44638: Integer overflow in pixman_sample_floor_y leading to heap out-of-bounds write (#63) · Issues · Pixman / pixman · GitLab

A vulnerability has been found in phpipam and classified as problematic. Affected by this vulnerability is an unknown functionality of the file app/admin/import-export/import-load-data.php of the component Import Preview Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.5.0 is able to address this issue. The name of the patch is 22c797c3583001211fe7d31bccd3f1d4aeeb3bbc. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-212863.

    New features:
    ------------
    + Mark subnet as isPool to allocate network and broadcast addresses;
    + Optionally hide section subnet menus;
    + L2 Domains user permissions;
    + Add scanPingType=="none" option to disable scanning;
    + Custom fields on IP request forms (#2956);
    + Added subnet free space map for each possible subnet mask;
    + Added Vaults (Certificate andf password storing);
    + Added Tools->Duplicate subnets & IP page;
    + Added config.php offline_mode to disable server-side Internet lookups (#3462);
    + Added MAC vendor lookup widget;
    
    Enhancements, changes:
    ----------------------------
    + php7.4 compatibility;
    + SameSite attribute enabled for site cookies;
    + SAML2
        + php-saml updated to 3.4.1 (#3055);
        + Removal of php-mcrypt dependancy;
        + Drop support for idpcertfingerprint;
        + MAP_SAML_USER and SAML_USERNAME config.php configuration moved to db;
        + php-saml protocol debugging;
        + Support for signed assertions;
        + SAML usernames can be extracted from assertion attributes (#2948);
        + JIT auto-provisioning of accounts (#3389);
    + Selectable mask for number of subnets/hosts in subnet masks;
    + Switch from Google Maps to OpenStreeMap and Nominatim;
    
    Bugfixes:
    ----------------------------
    + Fixed upgrade queries issues from 1.3.x to 1.4+ (#3130);
    + Fixed boolean printout in footer (#2625);
    + Fixed BGP Admin isn't working (#2631);
    + do not show statistics in dashboard widget for disabled modules (#2602);
    + MySQL 8.0 compatibility. (#2646,#2239,#3036);
    + MariaDB Galera Cluster compatibility (#2498,#3413);
    + Permit non-numeric postcodes for customers (#2393);
    + Bandwidth calculator - 400 Bad Request (#1807,#2648);
    + Table layout not aligned (#2656,#3105,#3113);
    + Improve scanning requirement checks (#1183);
    + Date picker hidden (#2673);
    + PDNS Add/Edit DNS record not working for normal users (#2686);
    + Unable to save settings with link addresses = text custom field (#2702);
    + Kea MAC address display issue (#2704);
    + Returned custom fields to devices table (#2572);
    + Invalid scan agent key warning;
    + Subnet filter issue when IP contains 0 octet. (#2748);
    + Add VLAN button not working (#2741);
    + Incorrect subnet links in /tools/vrf/ view. (#2774);
    + Location data missing in exports. (#2833);
    + Check mysqldump path when exporting database;
    + Current rack position missing when editing a device. (#2545);
    + Permit colon in firewall zone interface names (#2737);
    + Fixed PowerDNS txt SPF editing (#1641);
    + Blank 'MAC' on SNMP-ARP and SNMP-MAC scans (#2911);
    + Incorrect network/broadcast calculation for IPv6 (#2879);
    + Increase allowed email and password lengths (#3021);
    + Wrong unit location for dual-sided racks (#3086);
    + Linked ip_addr shows integer notation (#3100);
    + Invalid scan type () error (#2785);
    + Invalid CSRF cookie editing rack items (#2556);
    + FPing discovery marks all addresses as alive (#2888);
    + Subnet usage calculation updated for nested subnets;
    + SNMP, number of discovered hosts exceed maximum warning (#3279);
    + Exclude IPv6 from Ping and Discovery scans (#3354);
    + Fix for SAML/2FA/login redirections (#3492, #3435, #3517);
    + php_sessions table doesn't exist error when upgrading (#3417);
    + Changelog data too long for column errors (#3376,#3398);
    + RFC 6265 compliant cookies (#3452);
    + Require unique subnets not working as intended (#3529);
    + API:
        + Fixed /user/ calls for SSL with app code (static app code);
        + Address IP field not displayed when using filter_by (#2934);
        + Addresses first_free & Subnets first/last_subnet thread safety (#2960);
    
    Security Fixes:
    ----------------------------
    + SQL injections processing `tableName` (#2738);
    + SQL injections processing `ftype` (#2751);
    + All circuits map, PHP object injection (#2937);
    + Upgraded jQuery to 3.5.1 (#3119);
    + Stored XSS in instructions widgets (#3025, #3360);
    + PHP session ID fixation (#3342);
    + XSS (reflected) in IP calculator (#3351);
    + XSS in pass-change/result.php (#3373);
    + SQL injection in edit-bgp-mapping-search.php;
    + Stored XSS in the "Site title" parameter;
    + XSS while uploading CVS files;
    + XSS (reflected) in 'find subnets';
    + Incorrect privilege assignments (#3506);
    + XXS (reflected) in ripe-arin-query;
    + XSS (reflected) in import previews;
    
    Translations:
    ----------------------------
    + Update Traditional Chinese support to version 1.5 (#2658);
    + Update Simplified Chinese Translation (#2725);
    + Italian (it_IT) translation added (#2813);
    + Updated German translation (#2970, #3065);
    + Updated Russian translation (#3028, #3367);

CVE-2022-3845: Release 1.5.0 · phpipam/phpipam

"SandStrike," the latest example of espionage-aimed Android malware, relies on elaborate social media efforts and back-end infrastructure.

Adware and other unwanted and potentially risky applications continue to represent the biggest threat that users of mobile devices currently face. But that doesn't mean attackers aren't constantly trying to deploy other sophisticated mobile malware as well.

The latest example is "SandStrike," a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.

The security vendor said its researchers had observed the operators of SandStrike attempting to deploy the sophisticated spyware on devices belonging to members of Iran's Baha'i community, a persecuted, Persian-speaking minority group. But the vendor did not disclose how many devices the threat actor might have targeted or succeeded in infecting. Kaspersky could not be immediately reached for comment.

**Elaborate Social Media Lures**

To lure users into downloading the weaponized app, the threat actors have established multiple Facebook and Instagram accounts, all of which purport to have more than 1,000 followers. The social media accounts are loaded with what Kaspersky described as attractive, religious-themed graphics designed to grab the attention of members of the targeted faith group. The accounts often also contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing banned religious materials.

According to Kaspersky, the threat actors have even set up their own VPN infrastructure to make the app fully functional. But when a user downloads and uses SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.

The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware — an arena that includes well-known threats like NSO Group's notorious Pegasus spyware along with emerging problems like Hermit.

**Mobile Malware on the Rise**

The booby-trapped SandStrike VPN app is an example of the growing range of malware tools being deployed on mobile devices. Research that Proofpoint released earlier this year highlighted a 500% increase in mobile malware delivery attempts in Europe in the first quarter of this year. The increase followed a sharp decline in attack volumes toward the end of 2021.

The email security vendor found that many of the new malware tools are capable of a lot more than just credential stealing: "Recent detections have involved malware capable of recording telephone and non-telephone audio and video, tracking location and destroying or wiping content and data."

Google and Apple's official mobile app stores continue to be a popular mobile malware delivery vector. But threat actors are also increasingly using SMS-based phishing campaigns and social engineering scams of the sort seen in the SandStrike campaign to get users to install malware on their mobile devices.

Proofpoint also found that attackers are targeting Android devices far more heavily than iOS devices. One big reason is that iOS doesn't allow users to install an app via an unofficial third-party app store or to download it directly to the device, like Android does, Proofpoint said.

**Different Types of Mobile Malware in Circulation**

Proofpoint identified the most significant mobile malware threats as FluBot, TeaBot, TangleBot, MoqHao, and BRATA. The different capabilities integrated into these malware tools include data and credential theft, stealing funds from online accounts, and general spying and surveillance. One of these threats — FluBot — has been largely quiet since the disruption of its infrastructure in a coordinated law enforcement action in June.

Proofpoint found that mobile malware is not confined to a specific region or language. "Instead, threat actors adapt their campaigns to a variety of languages, regions and devices," the company warned.

Meanwhile, Kaspersky said it blocked some 5.5 million malware, adware, and riskware attacks targeted at mobile devices in Q2 2022. More than 25% of these attacks involved adware, making it the most common mobile threat at the moment. But other notable threats included mobile banking Trojans, mobile ransomware tools, spyware link SandStrike, and malware downloaders. Kaspersky found that creators of some malicious mobile apps have increasingly targeted users from multiple countries at once.

The mobile malware trend poses a growing threat to enterprise organizations, especially those that allow unmanaged and personally owned devices in the workplace. Last year, the US Cybersecurity and Infrastructure Security Agency (CISA) released a checklist of actions that organizations can take to address these threats. Its recommendations include the need for organizations to implement security-focused mobile device management; to ensure that only trusted devices are allowed access to applications and data; to use strong authentication; to disable access to third-party app stores; and to ensure that users use only curated app stores.

Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware

Rust makes it impossible to introduce some of the most common security vulnerabilities. And its adoption can’t come soon enough.

Whether you run IT for a massive organization or simply own a smartphone, you're intimately familiar with the unending stream of software updates that constantly need to be installed because of bugs and security vulnerabilities. People make mistakes, so code is inevitably going to contain mistakes—you get it. But a growing movement to write software in a language called Rust is gaining momentum because the code is goof-proof in an important way. By design, developers can't accidentally create the most common types of exploitable security vulnerabilities when they're coding in Rust, a distinction that could make a huge difference in the daily patch parade and ultimately the world's baseline cybersecurity.

There are fads in programming languages, and new ones come and go, often without lasting impact. Now 12 years old, Rust took time to mature from the side project of a Mozilla researcher into a robust ecosystem. Meanwhile, the predecessor language C, which is still widely used today, turned 50 this year. But because Rust produces more secure code and, crucially, doesn't worsen performance to do it, the language has been steadily gaining adherents and now is at a turning point. Microsoft, Google, and Amazon Web Services have all been utilizing Rust since 2019, and the three companies formed the nonprofit Rust Foundation with Mozilla and Huawei in 2020 to sustain and grow the language. And after a couple of years of intensive work, the Linux kernel took its first steps last month to implement Rust support.

“It’s going viral as a language,” says Dave Kleidermacher, vice president of engineering for Android security and privacy. “We’ve been investing in Rust on Android and across Google, and so many engineers are like, ‘How do I start doing this? This is great.’ And Rust just landed for the first time as an officially recognized and accepted language in Linux. So this is not just Android; any system based on Linux now can start to incorporate Rust components.”

Rust is what's known as a “memory-safe” language because it's designed to make it impossible for a program to pull unintended data from a computer's memory accidentally. When programmers use stalwart languages that don't have this property, including C and C++, they have to carefully check the parameters of what data their program is going to be requesting and how—a task that even the most skilled and experienced developers will occasionally botch. By writing new software in Rust instead, even amateur programmers can be confident that they haven't introduced any memory-safety bugs into their code.

A program's memory is a shared resource used by all of its features and libraries. Imagine a calendar program written in a language that isn't memory-safe. You open your calendar and then request entries for November 2, 2022, and the program fetches all information from the area of your computer's memory assigned to store that date’s data. All good. But if the program isn't designed with the right constraints, and you request entries for November 42, 2022, the software, instead of producing an error or other failure, may dutifully return information from a part of the memory that's housing different data—maybe the password you use to protect your calendar or the credit card number you keep on file for premium calendar features. And if you add a birthday party to your calendar on November 42, it may overwrite unrelated data in memory instead of telling you that it can't complete the task. These are known as “out-of-bounds” read and write bugs, and you can see how they could potentially be exploited to give an attacker improper access to data or even expanded system control.

Another common type of memory-safety bug, known as “use-after-free,” involves a situation where a program has given up its claim to a portion of memory (maybe you deleted all your calendar entries for October 2022) but mistakenly retains access. If you later request data from October 17, the program may be able to grab whatever data has ended up there. And the existence of memory-safety vulnerabilities in code also introduces the possibility that a hacker could craft, say, a malicious calendar invitation with a strategically chosen date or set of event details designed to manipulate the memory to grant the attacker remote access.

These types of vulnerabilities aren't just esoteric software bugs. Research and auditing have repeatedly found that they make up the majority of all software vulnerabilities. So while you can still make mistakes and create security flaws while programming in Rust, the opportunity to eliminate memory-safety vulnerabilities is significant.

“Memory-safety issues are responsible for a huge, huge percentage of all reported vulnerabilities, and this is in critical applications like operating systems, mobile phones, and infrastructure,” says Dan Lorenc, CEO of the software supply-chain security company Chainguard. “Over the decades that people have been writing code in memory-unsafe languages, we’ve tried to improve and build better tooling and teach people how to not make these mistakes, but there are just limits to how much telling people to try harder can actually work. So you need a new technology that just makes that entire class of vulnerabilities impossible, and that’s what Rust is finally bringing to the table.”

Rust is not without its skeptics and detractors. The effort over the last two years to implement Rust in Linux has been controversial, partly because adding support for any other language inherently increases complexity, and partly because of debates about how, specifically, to go about making it all work. But proponents emphasize that Rust has the necessary elements—it doesn't cause performance loss, and it interoperates well with software written in other languages—and that it is crucial simply because it meets a dire need.

“It’s less that it’s the right choice and more that it’s ready,” Lorenc, a longtime open-source contributor and researcher, says. “There are no real alternatives right now, other than not doing anything, and that’s just not an option anymore. Continuing to use memory-unsafe code for another decade would be a massive problem for the tech industry, for national security, for everything.”

One of the biggest challenges of the transition to Rust, though, is precisely all the decades that developers have already spent writing vital code in memory-unsafe languages. Writing new software in Rust doesn't address that massive backlog. The Linux kernel implementation, for example, is starting on the periphery by supporting Rust-based drivers, the programs that coordinate between an operating system and hardware like a printer.

“When you’re doing operating systems, speed and performance is always top-of-mind, and the parts that you’re running in C++ or C are usually the parts that you just can’t run in Java or other memory-safe languages, because of performance,” Google's Kleidermacher says. “So to be able to run Rust and have the same performance but get the memory safety is really cool. But it’s a journey. You can’t just go and rewrite 50 million lines of code overnight, so we’re carefully picking security-critical components, and over time we’ll retrofit other things.”

In Android, Kleidermacher says a lot of encryption-key-management features are now written in Rust, as is the private internet communication feature DNS over HTTPS, a new version of the ultra-wideband chip stack, and the new Android Virtualization Framework used in Google's custom Tensor G2 chips. He adds that the Android team is increasingly converting connectivity stacks like those for Bluetooth and Wi-Fi to Rust because they are based on complex industry standards and tend to contain a lot of vulnerabilities. In short, the strategy is to start getting incremental security benefits from converting the most exposed or vital software components to Rust first and then working inward from there. 

“Yes, it’s a lot of work, it will be a lot of work, but the tech industry has how many trillions of dollars, plus how many talented programmers? We have the resources," says Josh Aas, executive director of the Internet Security Research Group, which runs the memory-safety initiative Prossimo as well as the free certificate authority Let's Encrypt. “Problems that are merely a lot of work are great."

As Rust makes the transition to mainstream adoption, the case for some type of solution to memory-safety issues seems to get made again and again every day. Just this week, a high-criticality vulnerability in the ubiquitous secure communication library OpenSSL could have been prevented if the mechanism were written in a memory-safe language. And unlike the notorious 2014 OpenSSL vulnerability Heartbleed, which lurked unnoticed for two years and exposed websites across the internet to data interception attacks, this new bug had been introduced into OpenSSL in the past few months, in spite of efforts to reduce memory-safety vulnerabilities.

“How many people right now are living the identity-theft nightmare because of a memory-safety bug? Or on a national security level, if we’re worried about cyberattacks on the United States, how much of that threat is on the back of memory-safety vulnerabilities?” Aas says. “From my point of view, the whole game now is just convincing people to put in the effort. Do we understand the threat well enough, and do we have the will.”

The Rise of Rust, the ‘Viral’ Secure Programming Language That’s Taking Over Tech

By Waqas
The spyware is delivered through a malicious VPN app, and the preferred targets of attackers are Persian-speaking Baháʼí Faith practitioners. 
This is a post from HackRead.com Read the original post: SandStrike Spyware Infecting Android Devices through VPN Apps

Did you know **38% of VPN apps** on Google Play Store are plagued with malware? Nonetheless, the IT security researchers at Kaspersky have discovered that threat actors are increasingly relying on SandStrike spyware that is specifically impacting Android devices.

The spyware is delivered through a **malicious VPN app**, and the preferred targets of attackers are Persian-speaking Baháʼí Faith practitioners. It is the name of a religion practiced mainly in the Middle East, particularly in Iran.

**How SandStrikes Infect Devices**

The previously undocumented spyware campaign was detected to be disguised as a harmless-looking VPN app, which is marketed as a potent method of **bypassing censorship** of religious content in certain parts of the Middle East.

For distributing SandStrike through the malicious VPN app, threat actors have set up Facebook and Instagram accounts boasting over 1,000 followers. These pages are designed with attention-grabbing religious content to trap those who adhere to the religion. Most of these accounts contain a **Telegram** channel link owned by the attacker.

Unsuspecting users download links to the malicious app, and SandStrike spyware also gets installed. Once on the device, it scans it for sensitive data and extracts the information from the attacker-controlled servers. The campaign is yet to be attributed to a specific threat actor/group.

**What Data Does SandStrike Target?**

SandStrike targets diverse data types, including call logs and contact lists, and monitors the victim’s device to keep track of the victim’s activities. The company noted in its **APT trends report for Q3 2022** that the SandStrike spyware is distributed to access resources about the Bahá’í religion, which is banned in Iran.

**Stay Protected from Such Threats**

For businesses and government organizations, the use of **threat intelligence** has become increasingly important in recent years as the landscape of cyber threats has shifted and evolved.

Attackers are now more sophisticated and organized, and they are using more sophisticated methods to launch attacks. This has made it more difficult for traditional security defenses to keep up.

Threat intelligence can help organizations stay ahead of the curve by providing them with information about the latest threats and trends. This information can be used to improve security defenses and help organizations respond quickly to new attacks.

Organizations that use threat intelligence can stay one step ahead of attackers and protect themselves from the latest malware threats. By understanding the latest trends and techniques, they can develop better defenses and response plans to keep their systems safe.

For unsuspected users, it is a fact that in recent years, the number of spyware programs has increased dramatically, making it more important than ever for computer and smartphone users to know how to protect themselves.

While most people are aware of the need to **install antivirus and anti-malware software**, they may not realize that these programs do not always provide adequate protection against spyware.

There are a few simple steps that every user can take to protect themselves from spyware. First, be careful about what you download and install on your computer. Many spyware programs are installed without the user’s knowledge or consent when they visit malicious websites or download infected files.

Second, keep your software up to date. Both your operating system and your applications should be kept up to date with the latest security patches. Spyware authors are constantly finding new ways to exploit vulnerabilities, so it’s important to have the latest security fixes installed.

**Use VirusTotal**

**VirusTotal** is a free virus, malware, and URL online scanning service. It is one of the most popular online services used by computer users to scan files and URLs for viruses, malware, and malicious content.

VirusTotal scans files and URLs using over 50 antivirus engines and URL scanners. If a file or URL is detected by at least one scanner, it is considered malicious. VirusTotal also aggregates and analyses information from other sources, such as user comments and offense reports. This allows users to see if a file or URL has been reported as malicious by other users.

Fake VPN website delivering password-stealing malware

What is a VPN and what does data logging by a VPN means?

Popular free Android VPN apps on Play Store contain malware

This malware hides behind free VPN, pirated security software keys

Hackers clone ProtonVPN website to drop password stealer malware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

SandStrike Spyware Infecting Android Devices through VPN Apps

Report reveals new top sources of fake login page referrals, rise of fake third-party cloud apps used to trick users.

**SANTA CLARA, Calif., Nov. 2, 2022 /PRNewswire/** — Netskope, a leader in secure access service edge (SASE), today unveiled new research that shows how the prevalence of cloud applications is changing the way threat actors are using phishing attack delivery methods to steal data.

The Netskope Cloud and Threat Report: Phishing details trends in phishing delivery methods such as fake login pages and fake third-party cloud applications designed to mimic legitimate apps, the targets of phishing attacks, where the fraudulent content is hosted, and more.

Although email is still a primary mechanism for delivering phishing links to fake login pages to capture usernames, passwords, MFA codes and more, the report reveals that users are more frequently clicking phishing links arriving through other channels, including personal websites and blogs, social media, and search engine results. The report also details the rise in fake third-party cloud apps designed to trick users into authorizing access to their cloud data and resources.

**Phishing Comes From All Directions**

Traditionally considered the top phishing threat, 11% of the phishing alerts were referred from webmail services, such as Gmail, Microsoft Live, and Yahoo. Personal websites and blogs, particularly those hosted on free hosting services, were the most common referrers to phishing content, claiming the top spot at 26%. The report identified two primary phishing referral methods: the use of malicious links through spam on legitimate websites and blogs, and the use of websites and blogs created specifically to promote phishing content.

Search engine referrals to phishing pages have also become common, as attackers are weaponizing data voids by creating pages centered around uncommon search terms where they can readily establish themselves as one of the top results for those terms. Examples identified by Netskope Threat Labs include how to use specific features in popular software, quiz answers for online courses, user manuals for a variety of business and personal products, and more.

"Business employees have been trained to spot phishing messages in email and text messages, so threat actors have adjusted their methods and are luring users into clicking on phishing links in other, less expected places," said Ray Canzanese, Threat Research Director, Netskope Threat Labs. "While we might not be thinking about the possibility of a phishing attack while surfing the internet or favorite search engine, we all must use the same level of vigilance and skepticism as we do with inbound email, and never enter credentials or sensitive information into any page after clicking a link. Always browse directly to login pages."

**The Rise of Fake Third-Party Cloud Apps**

Netskope's report discloses another key phishing method: tricking users into granting access to their cloud data and resources through fake third-party cloud applications. This early trend is particularly concerning because access to third-party applications is ubiquitous and poses a large attack surface. On average, end-users in organizations granted more than 440 third-party applications access to their Google data and applications, with one organization having as many as 12,300 different plugins accessing data – an average of 16 plugins per user. Equally as alarming, over 44% of all third-party applications accessing Google Drive have access to either sensitive data or all data on a user's Google Drive—further incentivizing criminals to create fake third-party cloud apps.

"The next generation of phishing attacks is upon us. With the prevalence of cloud applications and the changing nature of how they are used, from Chrome extensions or app add-ons, users are being asked to authorize access in what has become an overlooked attack vector," added Canzanese. "This new trend of fake third-party apps is something we're closely monitoring and tracking for our customers. We expect these types of attacks to increase over time, so organizations need to ensure that new attack paths such as OAuth authorizations are restricted or locked down. Employees should also be aware of these attacks and scrutinize authorization requests the same way they scrutinize emails and text messages."

Within the report, Netskope Threat Labs includes actionable steps organizations can take to identify and control access to phishing sites or applications, such as deploying a security service edge (SSE) cloud platform with a secure web gateway (SWG), enabling zero trust principles for least privilege access to data and continuous monitoring, and using Remote Browser Isolation (RBI) to reduce browsing risk for newly-registered domains.

Additional key findings from the report include:

*   **Employees continue to click, fall victim to malicious links**. It is widely understood that it takes just one click to severely compromise an organization. While enterprise phishing awareness and training continues to be more prevalent, the report reveals that an average of eight out of every 1,000 end-users in the enterprise clicked on a phishing link or otherwise attempted to access phishing content.

*   **Users are being lured by fake websites designed to mimic legitimate login pages.** Attackers primarily host these websites on content servers (22%) followed by newly registered domains (17%). Once users put personal information into a fake site, or grant it access to their data, attackers are able to capture usernames, passwords, and multi-factor authentication (MFA) codes.

*   **Geographic location plays a role in the access rate of phishing.** Africa and the Middle East were the two regions with the highest percentages of users accessing phishing content. In Africa, the percentage of users accessing phishing content is more than 33% above average, and in the Middle East, it is more than twice the average. Attackers frequently use fear, uncertainty, and doubt (FUD) to design phishing lures and also try to capitalize on major news items. Especially in the Middle East, attackers appear to be having success designing lures that capitalize on political, social, and economic issues affecting the region.

Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. Statistics in this report are based on the three-month period from July 1, 2022 through September 30, 2022.

Get the full Netskope Cloud and Threat Report: Phishing here.

Learn more about Netskope Threat Labs and gain insight from the Netskope Security Cloud Platform by visiting Netskope's Threat Research Hub.

**About Netskope**

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

**SOURCE:** Netskope

Tag

#google