A vulnerability has been found in phpipam and classified as problematic. Affected by this vulnerability is an unknown functionality of the file app/admin/import-export/import-load-data.php of the component Import Preview Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.5.0 is able to address this issue. The name of the patch is 22c797c3583001211fe7d31bccd3f1d4aeeb3bbc. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-212863.

    New features:
    ------------
    + Mark subnet as isPool to allocate network and broadcast addresses;
    + Optionally hide section subnet menus;
    + L2 Domains user permissions;
    + Add scanPingType=="none" option to disable scanning;
    + Custom fields on IP request forms (#2956);
    + Added subnet free space map for each possible subnet mask;
    + Added Vaults (Certificate andf password storing);
    + Added Tools->Duplicate subnets & IP page;
    + Added config.php offline_mode to disable server-side Internet lookups (#3462);
    + Added MAC vendor lookup widget;
    
    Enhancements, changes:
    ----------------------------
    + php7.4 compatibility;
    + SameSite attribute enabled for site cookies;
    + SAML2
        + php-saml updated to 3.4.1 (#3055);
        + Removal of php-mcrypt dependancy;
        + Drop support for idpcertfingerprint;
        + MAP_SAML_USER and SAML_USERNAME config.php configuration moved to db;
        + php-saml protocol debugging;
        + Support for signed assertions;
        + SAML usernames can be extracted from assertion attributes (#2948);
        + JIT auto-provisioning of accounts (#3389);
    + Selectable mask for number of subnets/hosts in subnet masks;
    + Switch from Google Maps to OpenStreeMap and Nominatim;
    
    Bugfixes:
    ----------------------------
    + Fixed upgrade queries issues from 1.3.x to 1.4+ (#3130);
    + Fixed boolean printout in footer (#2625);
    + Fixed BGP Admin isn't working (#2631);
    + do not show statistics in dashboard widget for disabled modules (#2602);
    + MySQL 8.0 compatibility. (#2646,#2239,#3036);
    + MariaDB Galera Cluster compatibility (#2498,#3413);
    + Permit non-numeric postcodes for customers (#2393);
    + Bandwidth calculator - 400 Bad Request (#1807,#2648);
    + Table layout not aligned (#2656,#3105,#3113);
    + Improve scanning requirement checks (#1183);
    + Date picker hidden (#2673);
    + PDNS Add/Edit DNS record not working for normal users (#2686);
    + Unable to save settings with link addresses = text custom field (#2702);
    + Kea MAC address display issue (#2704);
    + Returned custom fields to devices table (#2572);
    + Invalid scan agent key warning;
    + Subnet filter issue when IP contains 0 octet. (#2748);
    + Add VLAN button not working (#2741);
    + Incorrect subnet links in /tools/vrf/ view. (#2774);
    + Location data missing in exports. (#2833);
    + Check mysqldump path when exporting database;
    + Current rack position missing when editing a device. (#2545);
    + Permit colon in firewall zone interface names (#2737);
    + Fixed PowerDNS txt SPF editing (#1641);
    + Blank 'MAC' on SNMP-ARP and SNMP-MAC scans (#2911);
    + Incorrect network/broadcast calculation for IPv6 (#2879);
    + Increase allowed email and password lengths (#3021);
    + Wrong unit location for dual-sided racks (#3086);
    + Linked ip_addr shows integer notation (#3100);
    + Invalid scan type () error (#2785);
    + Invalid CSRF cookie editing rack items (#2556);
    + FPing discovery marks all addresses as alive (#2888);
    + Subnet usage calculation updated for nested subnets;
    + SNMP, number of discovered hosts exceed maximum warning (#3279);
    + Exclude IPv6 from Ping and Discovery scans (#3354);
    + Fix for SAML/2FA/login redirections (#3492, #3435, #3517);
    + php_sessions table doesn't exist error when upgrading (#3417);
    + Changelog data too long for column errors (#3376,#3398);
    + RFC 6265 compliant cookies (#3452);
    + Require unique subnets not working as intended (#3529);
    + API:
        + Fixed /user/ calls for SSL with app code (static app code);
        + Address IP field not displayed when using filter_by (#2934);
        + Addresses first_free & Subnets first/last_subnet thread safety (#2960);
    
    Security Fixes:
    ----------------------------
    + SQL injections processing `tableName` (#2738);
    + SQL injections processing `ftype` (#2751);
    + All circuits map, PHP object injection (#2937);
    + Upgraded jQuery to 3.5.1 (#3119);
    + Stored XSS in instructions widgets (#3025, #3360);
    + PHP session ID fixation (#3342);
    + XSS (reflected) in IP calculator (#3351);
    + XSS in pass-change/result.php (#3373);
    + SQL injection in edit-bgp-mapping-search.php;
    + Stored XSS in the "Site title" parameter;
    + XSS while uploading CVS files;
    + XSS (reflected) in 'find subnets';
    + Incorrect privilege assignments (#3506);
    + XXS (reflected) in ripe-arin-query;
    + XSS (reflected) in import previews;
    
    Translations:
    ----------------------------
    + Update Traditional Chinese support to version 1.5 (#2658);
    + Update Simplified Chinese Translation (#2725);
    + Italian (it_IT) translation added (#2813);
    + Updated German translation (#2970, #3065);
    + Updated Russian translation (#3028, #3367);

CVE-2022-3845: Release 1.5.0 · phpipam/phpipam

"SandStrike," the latest example of espionage-aimed Android malware, relies on elaborate social media efforts and back-end infrastructure.

Adware and other unwanted and potentially risky applications continue to represent the biggest threat that users of mobile devices currently face. But that doesn't mean attackers aren't constantly trying to deploy other sophisticated mobile malware as well.

The latest example is "SandStrike," a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.

The security vendor said its researchers had observed the operators of SandStrike attempting to deploy the sophisticated spyware on devices belonging to members of Iran's Baha'i community, a persecuted, Persian-speaking minority group. But the vendor did not disclose how many devices the threat actor might have targeted or succeeded in infecting. Kaspersky could not be immediately reached for comment.

**Elaborate Social Media Lures**

To lure users into downloading the weaponized app, the threat actors have established multiple Facebook and Instagram accounts, all of which purport to have more than 1,000 followers. The social media accounts are loaded with what Kaspersky described as attractive, religious-themed graphics designed to grab the attention of members of the targeted faith group. The accounts often also contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing banned religious materials.

According to Kaspersky, the threat actors have even set up their own VPN infrastructure to make the app fully functional. But when a user downloads and uses SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.

The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware — an arena that includes well-known threats like NSO Group's notorious Pegasus spyware along with emerging problems like Hermit.

**Mobile Malware on the Rise**

The booby-trapped SandStrike VPN app is an example of the growing range of malware tools being deployed on mobile devices. Research that Proofpoint released earlier this year highlighted a 500% increase in mobile malware delivery attempts in Europe in the first quarter of this year. The increase followed a sharp decline in attack volumes toward the end of 2021.

The email security vendor found that many of the new malware tools are capable of a lot more than just credential stealing: "Recent detections have involved malware capable of recording telephone and non-telephone audio and video, tracking location and destroying or wiping content and data."

Google and Apple's official mobile app stores continue to be a popular mobile malware delivery vector. But threat actors are also increasingly using SMS-based phishing campaigns and social engineering scams of the sort seen in the SandStrike campaign to get users to install malware on their mobile devices.

Proofpoint also found that attackers are targeting Android devices far more heavily than iOS devices. One big reason is that iOS doesn't allow users to install an app via an unofficial third-party app store or to download it directly to the device, like Android does, Proofpoint said.

**Different Types of Mobile Malware in Circulation**

Proofpoint identified the most significant mobile malware threats as FluBot, TeaBot, TangleBot, MoqHao, and BRATA. The different capabilities integrated into these malware tools include data and credential theft, stealing funds from online accounts, and general spying and surveillance. One of these threats — FluBot — has been largely quiet since the disruption of its infrastructure in a coordinated law enforcement action in June.

Proofpoint found that mobile malware is not confined to a specific region or language. "Instead, threat actors adapt their campaigns to a variety of languages, regions and devices," the company warned.

Meanwhile, Kaspersky said it blocked some 5.5 million malware, adware, and riskware attacks targeted at mobile devices in Q2 2022. More than 25% of these attacks involved adware, making it the most common mobile threat at the moment. But other notable threats included mobile banking Trojans, mobile ransomware tools, spyware link SandStrike, and malware downloaders. Kaspersky found that creators of some malicious mobile apps have increasingly targeted users from multiple countries at once.

The mobile malware trend poses a growing threat to enterprise organizations, especially those that allow unmanaged and personally owned devices in the workplace. Last year, the US Cybersecurity and Infrastructure Security Agency (CISA) released a checklist of actions that organizations can take to address these threats. Its recommendations include the need for organizations to implement security-focused mobile device management; to ensure that only trusted devices are allowed access to applications and data; to use strong authentication; to disable access to third-party app stores; and to ensure that users use only curated app stores.

Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware

Rust makes it impossible to introduce some of the most common security vulnerabilities. And its adoption can’t come soon enough.

Whether you run IT for a massive organization or simply own a smartphone, you're intimately familiar with the unending stream of software updates that constantly need to be installed because of bugs and security vulnerabilities. People make mistakes, so code is inevitably going to contain mistakes—you get it. But a growing movement to write software in a language called Rust is gaining momentum because the code is goof-proof in an important way. By design, developers can't accidentally create the most common types of exploitable security vulnerabilities when they're coding in Rust, a distinction that could make a huge difference in the daily patch parade and ultimately the world's baseline cybersecurity.

There are fads in programming languages, and new ones come and go, often without lasting impact. Now 12 years old, Rust took time to mature from the side project of a Mozilla researcher into a robust ecosystem. Meanwhile, the predecessor language C, which is still widely used today, turned 50 this year. But because Rust produces more secure code and, crucially, doesn't worsen performance to do it, the language has been steadily gaining adherents and now is at a turning point. Microsoft, Google, and Amazon Web Services have all been utilizing Rust since 2019, and the three companies formed the nonprofit Rust Foundation with Mozilla and Huawei in 2020 to sustain and grow the language. And after a couple of years of intensive work, the Linux kernel took its first steps last month to implement Rust support.

“It’s going viral as a language,” says Dave Kleidermacher, vice president of engineering for Android security and privacy. “We’ve been investing in Rust on Android and across Google, and so many engineers are like, ‘How do I start doing this? This is great.’ And Rust just landed for the first time as an officially recognized and accepted language in Linux. So this is not just Android; any system based on Linux now can start to incorporate Rust components.”

Rust is what's known as a “memory-safe” language because it's designed to make it impossible for a program to pull unintended data from a computer's memory accidentally. When programmers use stalwart languages that don't have this property, including C and C++, they have to carefully check the parameters of what data their program is going to be requesting and how—a task that even the most skilled and experienced developers will occasionally botch. By writing new software in Rust instead, even amateur programmers can be confident that they haven't introduced any memory-safety bugs into their code.

A program's memory is a shared resource used by all of its features and libraries. Imagine a calendar program written in a language that isn't memory-safe. You open your calendar and then request entries for November 2, 2022, and the program fetches all information from the area of your computer's memory assigned to store that date’s data. All good. But if the program isn't designed with the right constraints, and you request entries for November 42, 2022, the software, instead of producing an error or other failure, may dutifully return information from a part of the memory that's housing different data—maybe the password you use to protect your calendar or the credit card number you keep on file for premium calendar features. And if you add a birthday party to your calendar on November 42, it may overwrite unrelated data in memory instead of telling you that it can't complete the task. These are known as “out-of-bounds” read and write bugs, and you can see how they could potentially be exploited to give an attacker improper access to data or even expanded system control.

Another common type of memory-safety bug, known as “use-after-free,” involves a situation where a program has given up its claim to a portion of memory (maybe you deleted all your calendar entries for October 2022) but mistakenly retains access. If you later request data from October 17, the program may be able to grab whatever data has ended up there. And the existence of memory-safety vulnerabilities in code also introduces the possibility that a hacker could craft, say, a malicious calendar invitation with a strategically chosen date or set of event details designed to manipulate the memory to grant the attacker remote access.

These types of vulnerabilities aren't just esoteric software bugs. Research and auditing have repeatedly found that they make up the majority of all software vulnerabilities. So while you can still make mistakes and create security flaws while programming in Rust, the opportunity to eliminate memory-safety vulnerabilities is significant.

“Memory-safety issues are responsible for a huge, huge percentage of all reported vulnerabilities, and this is in critical applications like operating systems, mobile phones, and infrastructure,” says Dan Lorenc, CEO of the software supply-chain security company Chainguard. “Over the decades that people have been writing code in memory-unsafe languages, we’ve tried to improve and build better tooling and teach people how to not make these mistakes, but there are just limits to how much telling people to try harder can actually work. So you need a new technology that just makes that entire class of vulnerabilities impossible, and that’s what Rust is finally bringing to the table.”

Rust is not without its skeptics and detractors. The effort over the last two years to implement Rust in Linux has been controversial, partly because adding support for any other language inherently increases complexity, and partly because of debates about how, specifically, to go about making it all work. But proponents emphasize that Rust has the necessary elements—it doesn't cause performance loss, and it interoperates well with software written in other languages—and that it is crucial simply because it meets a dire need.

“It’s less that it’s the right choice and more that it’s ready,” Lorenc, a longtime open-source contributor and researcher, says. “There are no real alternatives right now, other than not doing anything, and that’s just not an option anymore. Continuing to use memory-unsafe code for another decade would be a massive problem for the tech industry, for national security, for everything.”

One of the biggest challenges of the transition to Rust, though, is precisely all the decades that developers have already spent writing vital code in memory-unsafe languages. Writing new software in Rust doesn't address that massive backlog. The Linux kernel implementation, for example, is starting on the periphery by supporting Rust-based drivers, the programs that coordinate between an operating system and hardware like a printer.

“When you’re doing operating systems, speed and performance is always top-of-mind, and the parts that you’re running in C++ or C are usually the parts that you just can’t run in Java or other memory-safe languages, because of performance,” Google's Kleidermacher says. “So to be able to run Rust and have the same performance but get the memory safety is really cool. But it’s a journey. You can’t just go and rewrite 50 million lines of code overnight, so we’re carefully picking security-critical components, and over time we’ll retrofit other things.”

In Android, Kleidermacher says a lot of encryption-key-management features are now written in Rust, as is the private internet communication feature DNS over HTTPS, a new version of the ultra-wideband chip stack, and the new Android Virtualization Framework used in Google's custom Tensor G2 chips. He adds that the Android team is increasingly converting connectivity stacks like those for Bluetooth and Wi-Fi to Rust because they are based on complex industry standards and tend to contain a lot of vulnerabilities. In short, the strategy is to start getting incremental security benefits from converting the most exposed or vital software components to Rust first and then working inward from there. 

“Yes, it’s a lot of work, it will be a lot of work, but the tech industry has how many trillions of dollars, plus how many talented programmers? We have the resources," says Josh Aas, executive director of the Internet Security Research Group, which runs the memory-safety initiative Prossimo as well as the free certificate authority Let's Encrypt. “Problems that are merely a lot of work are great."

As Rust makes the transition to mainstream adoption, the case for some type of solution to memory-safety issues seems to get made again and again every day. Just this week, a high-criticality vulnerability in the ubiquitous secure communication library OpenSSL could have been prevented if the mechanism were written in a memory-safe language. And unlike the notorious 2014 OpenSSL vulnerability Heartbleed, which lurked unnoticed for two years and exposed websites across the internet to data interception attacks, this new bug had been introduced into OpenSSL in the past few months, in spite of efforts to reduce memory-safety vulnerabilities.

“How many people right now are living the identity-theft nightmare because of a memory-safety bug? Or on a national security level, if we’re worried about cyberattacks on the United States, how much of that threat is on the back of memory-safety vulnerabilities?” Aas says. “From my point of view, the whole game now is just convincing people to put in the effort. Do we understand the threat well enough, and do we have the will.”

The Rise of Rust, the ‘Viral’ Secure Programming Language That’s Taking Over Tech

By Waqas
The spyware is delivered through a malicious VPN app, and the preferred targets of attackers are Persian-speaking Baháʼí Faith practitioners. 
This is a post from HackRead.com Read the original post: SandStrike Spyware Infecting Android Devices through VPN Apps

Did you know **38% of VPN apps** on Google Play Store are plagued with malware? Nonetheless, the IT security researchers at Kaspersky have discovered that threat actors are increasingly relying on SandStrike spyware that is specifically impacting Android devices.

The spyware is delivered through a **malicious VPN app**, and the preferred targets of attackers are Persian-speaking Baháʼí Faith practitioners. It is the name of a religion practiced mainly in the Middle East, particularly in Iran.

**How SandStrikes Infect Devices**

The previously undocumented spyware campaign was detected to be disguised as a harmless-looking VPN app, which is marketed as a potent method of **bypassing censorship** of religious content in certain parts of the Middle East.

For distributing SandStrike through the malicious VPN app, threat actors have set up Facebook and Instagram accounts boasting over 1,000 followers. These pages are designed with attention-grabbing religious content to trap those who adhere to the religion. Most of these accounts contain a **Telegram** channel link owned by the attacker.

Unsuspecting users download links to the malicious app, and SandStrike spyware also gets installed. Once on the device, it scans it for sensitive data and extracts the information from the attacker-controlled servers. The campaign is yet to be attributed to a specific threat actor/group.

**What Data Does SandStrike Target?**

SandStrike targets diverse data types, including call logs and contact lists, and monitors the victim’s device to keep track of the victim’s activities. The company noted in its **APT trends report for Q3 2022** that the SandStrike spyware is distributed to access resources about the Bahá’í religion, which is banned in Iran.

**Stay Protected from Such Threats**

For businesses and government organizations, the use of **threat intelligence** has become increasingly important in recent years as the landscape of cyber threats has shifted and evolved.

Attackers are now more sophisticated and organized, and they are using more sophisticated methods to launch attacks. This has made it more difficult for traditional security defenses to keep up.

Threat intelligence can help organizations stay ahead of the curve by providing them with information about the latest threats and trends. This information can be used to improve security defenses and help organizations respond quickly to new attacks.

Organizations that use threat intelligence can stay one step ahead of attackers and protect themselves from the latest malware threats. By understanding the latest trends and techniques, they can develop better defenses and response plans to keep their systems safe.

For unsuspected users, it is a fact that in recent years, the number of spyware programs has increased dramatically, making it more important than ever for computer and smartphone users to know how to protect themselves.

While most people are aware of the need to **install antivirus and anti-malware software**, they may not realize that these programs do not always provide adequate protection against spyware.

There are a few simple steps that every user can take to protect themselves from spyware. First, be careful about what you download and install on your computer. Many spyware programs are installed without the user’s knowledge or consent when they visit malicious websites or download infected files.

Second, keep your software up to date. Both your operating system and your applications should be kept up to date with the latest security patches. Spyware authors are constantly finding new ways to exploit vulnerabilities, so it’s important to have the latest security fixes installed.

**Use VirusTotal**

**VirusTotal** is a free virus, malware, and URL online scanning service. It is one of the most popular online services used by computer users to scan files and URLs for viruses, malware, and malicious content.

VirusTotal scans files and URLs using over 50 antivirus engines and URL scanners. If a file or URL is detected by at least one scanner, it is considered malicious. VirusTotal also aggregates and analyses information from other sources, such as user comments and offense reports. This allows users to see if a file or URL has been reported as malicious by other users.

Fake VPN website delivering password-stealing malware

What is a VPN and what does data logging by a VPN means?

Popular free Android VPN apps on Play Store contain malware

This malware hides behind free VPN, pirated security software keys

Hackers clone ProtonVPN website to drop password stealer malware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

SandStrike Spyware Infecting Android Devices through VPN Apps

Report reveals new top sources of fake login page referrals, rise of fake third-party cloud apps used to trick users.

**SANTA CLARA, Calif., Nov. 2, 2022 /PRNewswire/** — Netskope, a leader in secure access service edge (SASE), today unveiled new research that shows how the prevalence of cloud applications is changing the way threat actors are using phishing attack delivery methods to steal data.

The Netskope Cloud and Threat Report: Phishing details trends in phishing delivery methods such as fake login pages and fake third-party cloud applications designed to mimic legitimate apps, the targets of phishing attacks, where the fraudulent content is hosted, and more.

Although email is still a primary mechanism for delivering phishing links to fake login pages to capture usernames, passwords, MFA codes and more, the report reveals that users are more frequently clicking phishing links arriving through other channels, including personal websites and blogs, social media, and search engine results. The report also details the rise in fake third-party cloud apps designed to trick users into authorizing access to their cloud data and resources.

**Phishing Comes From All Directions**

Traditionally considered the top phishing threat, 11% of the phishing alerts were referred from webmail services, such as Gmail, Microsoft Live, and Yahoo. Personal websites and blogs, particularly those hosted on free hosting services, were the most common referrers to phishing content, claiming the top spot at 26%. The report identified two primary phishing referral methods: the use of malicious links through spam on legitimate websites and blogs, and the use of websites and blogs created specifically to promote phishing content.

Search engine referrals to phishing pages have also become common, as attackers are weaponizing data voids by creating pages centered around uncommon search terms where they can readily establish themselves as one of the top results for those terms. Examples identified by Netskope Threat Labs include how to use specific features in popular software, quiz answers for online courses, user manuals for a variety of business and personal products, and more.

"Business employees have been trained to spot phishing messages in email and text messages, so threat actors have adjusted their methods and are luring users into clicking on phishing links in other, less expected places," said Ray Canzanese, Threat Research Director, Netskope Threat Labs. "While we might not be thinking about the possibility of a phishing attack while surfing the internet or favorite search engine, we all must use the same level of vigilance and skepticism as we do with inbound email, and never enter credentials or sensitive information into any page after clicking a link. Always browse directly to login pages."

**The Rise of Fake Third-Party Cloud Apps**

Netskope's report discloses another key phishing method: tricking users into granting access to their cloud data and resources through fake third-party cloud applications. This early trend is particularly concerning because access to third-party applications is ubiquitous and poses a large attack surface. On average, end-users in organizations granted more than 440 third-party applications access to their Google data and applications, with one organization having as many as 12,300 different plugins accessing data – an average of 16 plugins per user. Equally as alarming, over 44% of all third-party applications accessing Google Drive have access to either sensitive data or all data on a user's Google Drive—further incentivizing criminals to create fake third-party cloud apps.

"The next generation of phishing attacks is upon us. With the prevalence of cloud applications and the changing nature of how they are used, from Chrome extensions or app add-ons, users are being asked to authorize access in what has become an overlooked attack vector," added Canzanese. "This new trend of fake third-party apps is something we're closely monitoring and tracking for our customers. We expect these types of attacks to increase over time, so organizations need to ensure that new attack paths such as OAuth authorizations are restricted or locked down. Employees should also be aware of these attacks and scrutinize authorization requests the same way they scrutinize emails and text messages."

Within the report, Netskope Threat Labs includes actionable steps organizations can take to identify and control access to phishing sites or applications, such as deploying a security service edge (SSE) cloud platform with a secure web gateway (SWG), enabling zero trust principles for least privilege access to data and continuous monitoring, and using Remote Browser Isolation (RBI) to reduce browsing risk for newly-registered domains.

Additional key findings from the report include:

*   **Employees continue to click, fall victim to malicious links**. It is widely understood that it takes just one click to severely compromise an organization. While enterprise phishing awareness and training continues to be more prevalent, the report reveals that an average of eight out of every 1,000 end-users in the enterprise clicked on a phishing link or otherwise attempted to access phishing content.

*   **Users are being lured by fake websites designed to mimic legitimate login pages.** Attackers primarily host these websites on content servers (22%) followed by newly registered domains (17%). Once users put personal information into a fake site, or grant it access to their data, attackers are able to capture usernames, passwords, and multi-factor authentication (MFA) codes.

*   **Geographic location plays a role in the access rate of phishing.** Africa and the Middle East were the two regions with the highest percentages of users accessing phishing content. In Africa, the percentage of users accessing phishing content is more than 33% above average, and in the Middle East, it is more than twice the average. Attackers frequently use fear, uncertainty, and doubt (FUD) to design phishing lures and also try to capitalize on major news items. Especially in the Middle East, attackers appear to be having success designing lures that capitalize on political, social, and economic issues affecting the region.

Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. Statistics in this report are based on the three-month period from July 1, 2022 through September 30, 2022.

Get the full Netskope Cloud and Threat Report: Phishing here.

Learn more about Netskope Threat Labs and gain insight from the Netskope Security Cloud Platform by visiting Netskope's Threat Research Hub.

**About Netskope**

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

**SOURCE:** Netskope

Netskope Threat Research: Next Generation of Phishing Attacks Uses Unexpected Delivery Methods to Steal Data

A proposed plan to charge users for the platform's coveted blue check mark has, unsurprisingly, inspired attackers to try to dupe people into giving up their credentials.

One of Elon Musk's proposed first moves after his Twitter takeover seems to have backfired, at least from a security perspective. A teaser by the platform proposing to charge users a monthly fee to have verified accounts confirming them as a public persona or entity — and thus earn the distinction of a coveted blue check mark by their account name — has spawned a phishing campaign aiming to take advantage of the controversy surrounding the move.  

A number of Twitter users claim to have received phishing emails that use the lure of losing their verified status to try to fool them into supplying their credentials. The scam works via a Google doc made to look like a Twitter help page, according to users.

Several of those who were targeted (natch) took to Twitter to warn others about it on Monday, including two reporters: Zach Whittaker, security editor for TechCrunch, and Kevin Collier from NBC News.

"Twitter's ongoing verification chaos is now a cybersecurity problem," Whittaker tweeted, subsequently posting a report on TechCrunch about the scam. "It looks like some people (including in our newsroom) are getting crude phishing emails trying to trick people into turning over their Twitter credentials."

Collier reported that the email he received "apparently slipped right by Outlook's robust protections," though he himself was not fooled. "Didn't get me but I bet this gets somebody," Collier wrote in the post.

The email, according to screenshots both Whittaker and Collier posted, is sent from a Gmail account, twittercontactcenter\[at\]gmail.com, which Collier said is a "dead giveaway" that it's bogus. It warns the targeted user that "the verification badge will be $19.99 per month for some users after November 2, 2022," and that Twitter currently is unable to verify some "famous or well-known people."

The email goes on to inform targets that they need to provide a confirmation of who they are to receive the verification badge "for free," and provides a button to "Provide Information" and a link to the "Help Center" to find out about updated rules for the verification program.

Clicking on the button leads to a Google Doc with another link to a Google site that lets users host web content, according to Whittaker's report. The phishing page itself is designed to look like Twitter's help page and contains an embedded frame from another site, which is hosted by Beget, a Russian web hosting provider, according to the report.

The page asks users to provide their Twitter username, password, and phone number, which could allow an attacker to break into an account without two-factor authentication enabled.

To mitigate damage from the campaign, Google took swift action to take down the phishing site a short time after TechCrunch alerted the company, Whittaker wrote.

**Capitalizing on Controversy**

Security professionals noted that it's not surprising that a threat actor has taken advantage of the commotion currently surrounding Twitter. Leveraging a controversial situation that elicits an emotional response not only spells a cybercriminal opportunity, but also boosts the chance of a phishing campaign's success, Patrick Harr, CEO at SlashNext, an anti-phishing company, wrote in an email to Dark Reading.

"These types of social-engineering phishing attempts are very effective because they play on emotion and instigated immediate action," he said. "Before the victim has time to think if this is phishing, they quickly jump to action."

The obfuscation tactics used in the campaign also make it easier to hide from threat-detection engines because they likely won't flag Google Docs, a trusted service — which, at least in Collier's case, was exactly what happened, security professionals noted.

Indeed, the campaign and its ability to bypass email scanners stresses why it's important for people to remain vigilant when receiving emails from unknown sources, and protect all of their accounts with multifactor authentication (MFA) and other security buffers, observed Joseph Carson, chief security scientist and advisory CISO at Delinea, a provider of privileged access management (PAM).

"Make sure you always use MFA, a password manager that creates strong unique passwords for every account, and never give over personal information or credentials details on websites without first verifying authenticity," he advised in an email to Dark Reading.

**Twitter Exodus?**

For his part, Musk in a tweet on Tuesday seemed to corroborate that implementing the controversial verification fee would be a first order of business — the news of which first surfaced in a report on The Verge Monday.

However, after some verified account holders claimed they would leave rather than pay the reported fee of $20 a month for their blue check mark — including high-profile users such as author Stephen King — Musk suggested lowering the price.

"Twitter's current lords & peasants system for who has or doesn't have a blue check mark is bull\*\*\*\*," he tweeted. "Power to the people! Blue for $8/month."

Musk's mere purchase of Twitter in a $44 billion deal — after a highly publicized, months-long back-and-forth between the company and the multibillionaire founder of Tesla — has already drawn the derision of celebrity users of the platform, some of whom already told followers they were closing their accounts.

The verification debacle occurring now is just fuel for the fire, adding to a growing controversy that is likely music to the ears of threat actors, who thrive on social, political, and economic conflict as an opportunity to commit cybercrime, security professionals observed.

"Cybercriminals have long exploited volatile situations for their own gain, especially newsworthy, current events," noted Darren Guccione, CEO and co-founder at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software. "The recent acquisition and upheaval at Twitter is the latest example."

Musk's Twitter-Verification Payment Tease Spurs Cyberattackers

A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign.
The apps, published by a developer named Mobile apps Group and currently available on the Play Store, have been collectively downloaded over one million times.
According to Malwarebytes, the websites are designed to generate

A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign.

The apps, published by a developer named Mobile apps Group and currently available on the Play Store, have been collectively downloaded over one million times.

According to Malwarebytes, the websites are designed to generate revenues through pay-per-click ads, and worse, prompt users to install cleaner apps on their phones with the goal of deploying additional malware.

The list of apps is as follows -

*   Bluetooth App Sender (com.bluetooth.share.app) - 50,000+ downloads
*   Bluetooth Auto Connect (com.bluetooth.autoconnect.anybtdevices) - 1,000,000+ downloads
*   Driver: Bluetooth, Wi-Fi, USB (com.driver.finder.bluetooth.wifi.usb) - 10,000+ downloads
*   Mobile transfer: smart switch (com.mobile.faster.transfer.smart.switch) - 1,000+ downloads

It's no surprise that malicious apps have devised new ways to get past Google Play Store security protections. One of the more popular tactics adopted by threat actors is to introduce time-based delays to conceal their malicious behavior.

Malwarebytes' analysis found the apps to have an approximately four-day waiting period before opening the first phishing site in Chrome browser, and then proceed to launch more tabs every two hours.

The apps are part of a broader malware operation called HiddenAds, which has been active since at least June 2019 and has a track record of illicitly earning revenues by redirecting users to advertisements.

The findings also come as researchers from Guardio Labs disclosed details of a malvertising campaign dubbed Dormant Colors that leverages rogue Google Chrome and Microsoft Edge extensions to hijack user search queries to an actor-controlled domain.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

These Android Apps with a Million Play Store Installations Redirect Users to Malicious Sites

Underwater cables keep the internet online. When they congregate in one place, things get tricky.

The Asia-Africa-Europe-1 internet cable travels 15,500 miles along the seafloor, connecting Hong Kong to Marseille, France. As it snakes through the South China Sea and toward Europe, the cable helps provide internet connections to more than a dozen countries, from India to Greece. When the cable was cut on June 7, millions of people were plunged offline and faced temporary internet blackouts.

The cable, also known as AAE-1, was severed where it briefly passes across land through Egypt. One other cable was also damaged in the incident, with the cause of the damage unknown. However, the impact was immediate. “It affected about seven countries and a number of over-the-top services,” says Rosalind Thomas, the managing director of SAEx International Management, which plans to create a new undersea cable connecting Africa, Asia, and the US. “The worst was Ethiopia, that lost 90 percent of its connectivity, and Somalia thereafter also 85 percent.” Cloud services belonging to Google, Amazon, and Microsoft were all also disrupted, subsequent analysis revealed.

While connectivity was restored in a few hours, the disruption highlights the fragility of the world’s 550-plus subsea internet cables, plus the outsized role Egypt and the nearby Red Sea have in the internet’s infrastructure. The global network of underwater cables forms a large part of the internet’s backbone, carrying the majority of data around the world and eventually linking up to the networks that power cell towers and Wi-Fi connections. Subsea cables connect New York to London and Australia to Los Angeles.

Sixteen of these submarine cables—which are often no thicker than a hosepipe and are vulnerable to damage from ships’ anchors and earthquakes—pass 1,200 miles through the Red Sea before they hop over land in Egypt and get to the Mediterranean Sea, connecting Europe to Asia. The last two decades have seen the route emerge as one of the world’s largest internet chokepoints and, arguably, the internet’s most vulnerable place on Earth. (The region, which also includes the Suez Canal, is also a global choke point for shipping and the movement of goods. Chaos ensued when the container ship _Ever Given_ got wedged in the canal in 2021.)

“Where there are chokepoints, there are single points of failure,” Nicole Starosielski, an associate professor of media, culture, and communication at New York University and an author on submarine cables. “Because it's a site of intense concentration of global movement, that does make it more vulnerable than many places around the world.”

The area has also recently gained attention from the European Parliament, which in a June report highlighted it as a risk for widespread internet disruption. “The most vital bottleneck for the EU concerns the passage between the Indian Ocean and the Mediterranean via the Red Sea because the core connectivity to Asia runs via this route,” the report says, flagging extremism and maritime terrorism are risks in the area.

Pyramid Scheme

Look at Egypt on a map of the world’s subsea internet cables and it immediately becomes clear why internet experts have been concerned about the area for years. The 16 cables in the area are concentrated through the Red Sea and touch land in Egypt, where they make a 100-mile journey across the country to reach the Mediterranean Sea. (Cable maps don’t show the exact locations of cables.)

It has been estimated that around 17 percent of the world’s internet traffic travels along these cables and passes through Egypt. Alan Mauldin, the research director of telecoms market research firm TeleGeography, says last year the region had 178 terabits of capacity, or 178,000,000 Mbps—the US has median home internet speeds of 167 Mbps.

The Most Vulnerable Place on the Internet

Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

CVE-2022-3723

Use after free in Feedback service on Chrome OS in Google Chrome on Chrome OS prior to 107.0.5304.62 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interaction. (Chrome security severity: Medium)

Tag

#google