The HubSpot Blog’s 2022 Video Marketing Report [Data from 500+ Video Marketers]

More than ever, social media channels are putting video content front and center on their feeds, as audiences increasingly turn to TikTok, Reels, and live videos to be entertained, discover products, and even learn about exciting new brands.

And for marketers, leveraging video not only offers the highest ROI of any media format, but it plays a key role in helping marketers exceed their goals.

To learn more about the top strategies and opportunities in video marketing today, we surveyed over 500 professionals that specialize in this field. Immediately, the effectiveness of video marketing became obvious.

→ Access Now: Video Marketing Starter Pack [Free Kit]

But where in the world of video marketing should you focus your efforts first? To help you determine your next steps, we gained insights from video marketers about all sorts of topics and tactics including:

Let’s dive in.

Video Marketing Survey Findings

Video Marketing Benchmarks

If no one sees your video, was it even worth making?

We first asked video marketers how many views their videos get on average. Here’s what we found:

38% of marketing videos average less than 10K views
16% average under 1,000 views
16% average over 100K views

But views aren’t the only metric marketers track. There’s a long list of data points you could be keeping your eyes on, so let’s take a look at which are the best measure of your video’s performance.

The Most Prioritized Video Marketing Metrics

Once you begin to get views, you’ll also want to build on your strategy by looking at and improving on a few other metrics.

Among video marketers, video engagement, conversion rate, and click-through rate are among a handful of other KPIs marketers look at, with engagement rate being prioritized by 60% of marketers, and conversion and click-through rates being a focus of 56% and 52% of marketers respectively.

Below, we’ll dig a bit deeper into the importance of each major metric.

1. Engagement Rate

According to 60% of video marketers, engagement is the most important metric to watch. After all, when a video sees high engagement, that means it is resonating with your audience enough to make them want to drop a like, write a comment, or share it with their friends.

2. Conversion Rate

Conversion rate comes in at #2 and can be a great indicator of how successful your video is at getting viewers to take the desired action.

3. Click-through Rate Speaks to Your Thumbnail and Title/Caption

Click-through rate (CTR) comes in at #4 and can tell you how effective your thumbnail is at getting people to watch the video in the first place. Before watching a video, your audience is also seeing the title or caption attached to it, which your CTR will also reflect.

4. Follower and Subscriber Growth

If you are gaining followers/subscribers from a video, that means it’s resonating with viewers and they want to see more from your brand.

If one of your videos grows your following more than usual, try to think about what set this video apart from the rest and replicate it. Also, check your analytics for helpful information on how these new subscribers/followers found your video. How can you keep providing them with valuable content?

5. Average View Time

Average view duration is key to understanding which parts of your video are highly engaging and which sections needed more work or should have been cut out entirely. While the overall average can offer useful insights when comparing similar-length videos, if possible, check the percentage of viewers watching at key moments throughout the video.

For example, if a high percentage of viewers stick around through the introduction, you successfully hooked them. However, if you see a huge dropoff halfway through, the video may have been too long.

Speaking of video length, we also asked video marketers how long a marketing video should be. Let’s take a look at what they told us.

How Long Should a Marketing Video Be?

A whopping 96% of marketers agree that the optimal length of a marketing video is under 10 minutes.

the optimal length for marketing videos Beyond that, opinions start to differ, with the largest chunk of them (36%) saying videos should be between 1-3 minutes, while 27% think the sweet spot is between 4-6 minutes. Another 16% say the optimal video length is under 60 seconds. On the other hand 15% advocate for videos between 7-9 minutes long.

At the end of the day, the length of your video will largely depend on which type of video best suits your goals. So let’s dive into video marketers’ top goals in 2022.

Video Marketing Goals

The top three video marketing goals include increasing revenue (focused on by 33% of respondents(, raising brand awareness and advertising products/services (with 32% of marketers focusing on each).

More than one-fourth of marketers are also focused on improving customers’ understanding of products/services, while 23% want to improve customer service and retention with video.

As I mentioned at the very start, our survey shows video marketing is highly effective for reaching all of these goals, so let’s dive into some of the strategies video marketers are using to succeed.

Video Marketing Strategies

The Top Tactics for Creating Effective Videos

The most important factors for creating effective marketing videos are effectively promoting your video, capturing viewers’ attention in the first few seconds, and keeping your videos short/concise.

Why Video Promotion Is Key

It can be tempting to dedicate all of your time to crafting the “perfect” video with slick edits, high production value, and an irresistible thumbnail. While these things are important, they lose their power without effective video promotion.

In fact, in a recent trends survey, we found that 78% of consumers say it is more important for marketing videos to be authentic and relatable than polished and high-quality. That doesn’t mean you should neglect video/audio quality, but it isn’t going to make or break a video’s success.

whats most important when watching videos

On the other hand, ineffectively promoting your video can cause your video to flop, so let’s take a look at a few strategies video marketers use to make sure that doesn’t happen.

How to Promote a Marketing Video

The most effective video promotion strategies are sharing them on social media, adding videos to your website/blog, running paid ads for your videos, optimizing your title/description for search, and integrating videos into your email campaigns.

Whichever channels you choose for video promotion, remember that simply sharing a video isn’t enough. Effective video promotion begins before a video is even complete and continues long after a video is published.

For example, if your video is going live on YouTube in the next 24 hours, hop on Instagram and start a countdown on your story. Share the thumbnail and title 3-5 hours before the video drops to generate more interest. Prepare a teaser to hook viewers in and share that on social media as soon as your video releases.

Once the video is out, you can run an interactive poll related to your video on social media to engage your core audience and pique the interest of those who haven’t seen it yet. You can also set up an email campaign to go out announcing your video a few hours later, or add a banner to your website linking to the video.

Lastly, make sure to continue promoting when the opportunity arises. For example, if you see a Reddit or Twitter thread related to the topic of your video and think your content could add value to the conversation, drop it in the comment section.

Now that you’re up to speed on video marketing goals and strategies, let’s take a look at which video formats are most effective.

The Top Video Marketing Channels

1. Social Media

Social media is used for video sharing by 76% of video marketers and has the biggest ROI of any video marketing channel, by far. It is also the most effective channel for generating leads from marketing videos.

which channels offer the biggest roi for video marketing Use of social media for sharing marketing videos will grow significantly in 2022, with, 61% of all video marketers planning to invest more in sharing videos on social media than any other channel this year. Additionally, almost 2 in 3 of those who never used social media for sharing videos plan to do so for the first time this year.

2. Blog/Website Pages

A blog or website is used by 55% of video marketers to share their videos, has the 2nd highest ROI, and is the 2nd most effective at generating leads.

which video marketing channels drive the most leads

Use of a blog or website for sharing marketing videos will also grow in 2022, with 59% of video marketers planning to try it for the first time, and 18% of all video marketers investing in using their blog/website for sharing marketing videos over any other channel.

3. Email

Email is used by 44% of video marketers to share their videos and nearly tied with blog or website for ROI.

40% of video marketers plan to share videos through email for the first time in 2022, and 11% plan to invest more in sharing videos through email than through any other channel this year.

While all these channels can be effective for sharing marketing videos, social media is the clear winner. So let’s dive into which social media apps are most effective for video sharing.

The Best Social Media Channels for Sharing Videos

1. Instagram

Instagram is the top social media platform for ROI, engagement, and lead generation for sharing marketing videos and will see significant investment from video marketers in 2022.

Use of Instagram by video marketers will grow significantly in 2022, as 24% of them will invest more into sharing videos on Instagram than on any other platform. Additionally, 42% of those who don’t use Instagram for sharing videos will do so for the first time this year.

which social channels will video marketers invest in

2. YouTube

While YouTube comes in at #2 behind Instagram for ROI and lead generation, it is the most used app for video sharing, with 70% of video marketers leveraging it.

social media platforms for sharing video

YouTube will also see the most investment from video marketers in 2022, with 27% investing more into sharing videos on YouTube than any other platform. On top of that, over half of those who don’t use YouTube for sharing videos will do so for the first time in 2022.

3. Facebook

Facebook is used by 60% of video marketers when sharing marketing videos (tied at #2 for usage with Instagram), though it comes in 4th for ROI, engagement, and lead generation.

35% will invest in sharing videos on Facebook for the first time in 2022 and 16% of video marketers will invest more in sharing videos on Facebook than on any other platform this year.

4. TikTok

While TikTok has the 3rd highest ROI and comes in 2nd for engagement, only 35% of video marketers currently share videos on the app, and just 20% plan to start for the first time in 2022.

social media platforms and sharing videos

Which social media channels have low video performance?

Reddit, Tumblr, Twitch, Snapchat, and Pinterest are consistently the worst channels for sharing marketing videos and will see the least investment from video marketers in 2022.

Another consideration when sharing videos on social media is whether you will pay for ads or share your content organically. Let’s take a look at which video marketers are using.

Should you use paid or organic video posts on social media?

55% of video marketers leverage a mix of organic and paid content when posting videos on social media, while 24% use organic only, and 21% use paid only.

Now that we’ve looked at how marketers are sharing their videos on social media, let’s compare two of the most common platforms for hosting videos – YouTube and Vimeo.

Hosting Videos on YouTube vs. Vimeo

We asked video marketers who use both YouTube and Vimeo to compare the two, and not only do 78% of them say YouTube is more effective for reaching their overall business goals, but YouTube is far superior in every category.

Vimeo comes close to being as effective as YouTube for privacy options, storage, video/audio quality, and video player customization, but still lags behind or is considered about the same as YouTube.

What are the Top Content Types for Marketing Videos?

1. Content Showcasing Your Products and Services

Content showcasing products/services is the most leveraged type of video content and has the highest ROI of any content type, with 66% of participants reporting high returns. It is also the most effective at generating leads and gets the 2nd most engagement of all content types we asked about.

Product and service content will also see the most investment of any video content type this year, with 17% planning to invest in it more than any other, while 36% plan to leverage it for the first time in 2022.

2. Content That Reflects Your Brands Values

Content that reflects a brand’s values is the second most leveraged type of video content and the 2nd most effective for generating leads and engagement.

3. Trendy Content

People generally don’t want to watch videos that feel out of date or out of touch, but they’re drawn to videos that discuss topics that they’re currently intreested in, like trends or news related to their industry or hobbies. This is likely why “trendy content” has the second-highest ROI and gets the most engagement.

4. Relatable Content

Relatable content will see the most new investment in 2022, with 40% planning to leverage it for the first time, while 12% will invest more in it than any other content type.

content types video marketers will begin testing

5. Funny and Interactive Content

Both funny and interactive content have high ROI and will be leveraged by 29% and 27% of video marketers for the first time in 2022, respectively.

Next, let’s look at the different styles of videos you can use, and which are most effective.

Viral Videos

Getting one of your videos to go viral might seem like a pipe dream, but it isn’t as out of reach as you might think.

63% of video marketers have created a viral video – so let’s take a look at exactly how they did it so your next video can blow up too.

How to Make a Video Go Viral

The most effective strategies for creating a viral video are making retable content, keeping videos short/concise, and capturing viewers’ attention in the first few seconds.

Let’s dig a little deeper into these top three strategies and how you can use them.

1. Making Relatable Content Means More Engagement

Making relatable content is key to getting viewers to engage with your video. Whether they comment on your video or share it with a friend, the algorithm takes notice and boosts your video to more viewers, increasing its chances to go viral.

2. Shorter Is Better

Keeping videos short is also crucial to virality. According to 47% of video marketers, short-form videos are the most likely to go viral.

which videos are more likely to go viral

But how long is a short-form video exactly? Our video marketing trends report found that the consensus among video marketers is under 60 seconds, with the biggest chunk (33%) saying the optimal length is 31-60 seconds.

3. Capture Attention Immediately

Capturing viewers’ attention in the first few seconds is the third most effective way to make a video go viral.

This could be as simple as starting a video with a colorful animation, an intriguing question, showing text on-screen, or even with physical movements like hand motions or jumping out of your chair to set a video off.

Now that you know the top strategies to make a video go viral, let’s take a look at which platforms you should use.

Which Platform are Videos Most Likely to Go Viral On?

YouTube, TikTok, Instagram, and Facebook are the platforms that video marketers say are most likely to have a video go viral.

Screen Shot 2022-06-09 at 12.03.25 PM If you have a social media presence on any of those three, they can be powerful for scoring a viral video. But if you’re not leveraging them yet, it might be time to finally give TikTok, Instagram Reels, or YouTube Shorts a shot.

Which Type of Video Content is Most Likely to Go Viral?

Funny, trendy, and relatable videos that reflect a brand’s values are most likely to go viral.

viral video content by type Combine these top content types by creating a funny, relatable, and on-trend video for the best chance of going viral.

Lastly, we’ll take a look at the different video styles and which is most effective for a viral video.

Which Style of Video Content is Most Likely to Go Viral?

Live-action videos are most likely to go viral according to 49% of video marketers, but animation is also effective for 31% of respondents.

If you can, use both. Keep viewers engaged by switching back and forth between your live-action shot and animation with a voiceover.

Video Marketing Benefits & Challenges

Video Marketing Benefits

The biggest benefits of creating marketing videos are that they help customers understand a product/service, get more engagement than other marketing content, and lead to more sales/conversions than other marketing content.

While this seems perfectly in line with video marketers’ goals, those benefits also come with a few challenges.

Video Marketing Challenges

The biggest challenges video marketers face are a lack of time to create video content, difficulty creating an effective video strategy, and inadequate budget to create video content.

The great news is that video marketing is simpler than ever, with 57% of video marketers describing video marketing as easy.

On top of that, 46% of those who started making videos in the past year did so because creating marketing videos became less time-consuming, and 38% said they started because videos became easier to make in-house. 1 in 2 also started making marketing videos in response to the pandemic.

Whether you’re just starting out or you’ve been making videos for a while, budgeting can be a stressful part of the process. To help you navigate your video marketing budget, let’s take a look at how other marketers are budgeting for their videos.

Video Marketing Budgets

81% of video marketers have a dedicated budget for video marketing. Here’s what those budgets look like:

20% of companies spend over $100K on video marketing per quarter
Around 1 in 4 spend under $20K
42% spend between $20K-$100K

We also asked video marketers how their budget changed from 2021 to 2022, and found that 52% of video marketers saw a budget increase in 2022, while 46% saw no change. Just 2% saw a decrease.

Marketers who saw an increase in their video budget generally received a substantial boost in their budget, with 41% of video marketers getting an increase of over 51%.

You may also be wondering what percentage of total marketing budgets goes towards video marketing, so let’s take a look at that too.

what percentage of total marketing budgets go to video?

It turns out that 44% of companies spend 31-60% of their total marketing budget on video marketing.

How Much Does Creating a Marketing Video Cost?

91% of marketers’ companies spend under $50,000 to create a marketing video, and over half spend under $10,000. how much does it cost to create a marketing video

With the total cost of making a marketing video in mind, let’s look into how much video marketers are spending on each step in the video creation process.

Production takes up 24% of the average video marketer’s budget, followed by pre-production and post-production tied at 20%. Another 18% is spent on talent and video promotion/distribution.

We also asked video marketers which part of the video creation process is most expensive, and 65% of them say production is the costliest step.

the most expensive part of video creation Lastly, let’s talk about how long it takes to create a marketing video and which parts are most time-consuming.

How Long Does it Take to Create a Marketing Video?

86% of marketing videos are created in 3 weeks or less, and 40% are made in under a week.

The most time-consuming part of the video creation process is pre-production (coming up with ideas, writing script, casting, etc.), according to 38% of those who make marketing videos in-house.

More Insights From the HubSpot Blog

Whether you’re just getting started with video marketing or a seasoned video professional, keeping up with the latest trends and marketing strategies is key.

While video marketing is currently one of the top marketing strategies, there are a few others that have even better ROI – luckily, you can incorporate most of them into your video marketing strategy for even better results.

If you’re ready to take your video marketing strategy to the next level, check our Marketing Trends and Social Media Trends research from earlier this year!

Just getting started with video? You can also download our free Video Marketing Starter Pack below.

Discover videos, templates, tips, and other resources dedicated to helping you launch an effective video marketing strategy.

Source :
https://blog.hubspot.com/marketing/video-marketing-report

5 Social Media Tips Every Small Business Needs [+ Free Tools]

POV: You’re new in the market and you’re wondering just how your small business can stand out among the millions of brands currently on social media.

In this article, you’ll learn how to use social media for small businesses and which (free) software you should have in your toolbox.

Why social media is important for small businesses?

The biggest benefit to using social media is that it’s a low-cost strategy to increase your brand awareness.

While you, of course, have to invest time and resources in building out your content, you can create high-quality content with a reliable phone and a few tools at your disposal.

In addition, with social media, you have the potential to reach your target audience for a fraction of what you would pay in targeted ads.

https://platform.twitter.com/embed/Tweet.html?creatorScreenName=martinabretous&dnt=false&embedId=twitter-widget-0&features=eyJ0ZndfdHdlZXRfZWRpdF9iYWNrZW5kIjp7ImJ1Y2tldCI6Im9mZiIsInZlcnNpb24iOm51bGx9LCJ0ZndfcmVmc3JjX3Nlc3Npb24iOnsiYnVja2V0Ijoib2ZmIiwidmVyc2lvbiI6bnVsbH0sInRmd190d2VldF9yZXN1bHRfbWlncmF0aW9uXzEzOTc5Ijp7ImJ1Y2tldCI6InR3ZWV0X3Jlc3VsdCIsInZlcnNpb24iOm51bGx9LCJ0Zndfc2Vuc2l0aXZlX21lZGlhX2ludGVyc3RpdGlhbF8xMzk2MyI6eyJidWNrZXQiOiJpbnRlcnN0aXRpYWwiLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2V4cGVyaW1lbnRzX2Nvb2tpZV9leHBpcmF0aW9uIjp7ImJ1Y2tldCI6MTIwOTYwMCwidmVyc2lvbiI6bnVsbH0sInRmd191c2VyX2ZvbGxvd19pbnRlbnRfMTQ0MDYiOnsiYnVja2V0IjoiZm9sbG93IiwidmVyc2lvbiI6bnVsbH0sInRmd190d2VldF9lZGl0X2Zyb250ZW5kIjp7ImJ1Y2tldCI6Im9mZiIsInZlcnNpb24iOm51bGx9fQ%3D%3D&frame=false&hideCard=false&hideThread=false&id=1440017349621522435&lang=en&origin=https%3A%2F%2Fblog.hubspot.com%2Fmarketing%2Fsmall-business-social-media&sessionId=8329fe61621ccd2fb62e5eecd30ea8ab6b92475e&siteScreenName=HubSpot&theme=light&widgetsVersion=b45a03c79d4c1%3A1654150928467&width=550px

For instance, you may spend $100 developing creative assets for a video that ends up reaching 100,000 users. To reach those same users with an ad, you will likely have to invest much more money.

In addition, social media allows you to:

Drive more traffic to your website and generate leads.
Promote products and services.
Build a community.
Connect with and learn from your target audience.

When you get down to it, the way you use social media as a small business isn’t much different from how you’d use it as a mid to large-size business. In both cases, you’re sharing, engaging, monitoring, and optimizing.

The key difference is that a small business is likely focused on growth while an established brand may prioritize expansion.

Social Media Tips for Small Business

1. Be consistent.

The best thing you can do as a small business when starting out on social media is to be consistent.

Too often, brands get discouraged if they don’t see results within a few weeks. The truth is social media growth can be slow but like most things, if you remain consistent, you will generate results.

This means posting high-quality content on a regular basis (at least once a week). You do this for a few reasons.

https://www.tiktok.com/embed/v2/7046452643429911814?lang=it-IT&referrer=https%3A%2F%2Fblog.hubspot.com%2Fmarketing%2Fsmall-business-social-media

The first is that when a user does land on your profile, you want them to get a clear picture of your brand. If you have little to no content, users will quickly lose interest and leave. The same is true for scattered posts.

Social media is an opportunity to tell a story. When you prioritize consistency and cohesiveness, users will know what to expect from your page, what your voice is, and what you offer. And that’s how you’ll attract your target audience.

2. Diversify your content.

On social media, there’s so much room to be creative and experiment. Too often, brands find one strategy that works and stick to that.

While there’s a lot of truth to the saying “If it ain’t broke, don’t fix it,” social media is constantly evolving. What worked yesterday may not work today, as these platforms implement new features and user behavior changes.

With this in mind, play around with content formats whenever possible. For instance, on TikTok, you can only post videos. However, on Facebook, you have the option of going live, posting images, conducting polls, and more.

Here are some formats you should leverage:

Photos
Videos
Illustrations
Stop-motion
Live streams
Polls

With content, the limit truly does not exist.

Our social media report revealed that small businesses get the best ROI from creating educational and relatable content. Meanwhile, mid-size and large businesses report better results with funny and interactive content.

which social media content types have the biggest ROI

Image Source

This data point makes sense for many reasons. Larger brands have likely already built a strong following and know what their audience likes. That’s why they’re able to do interactive polls and be creative with their content.

Small businesses, on the other hand, still have a lot to prove. They want to add value to their audience and grow a following, and the easiest way to do that? Make content that educates and/or resonates.

This isn’t to say that small businesses should stick to these two types of content. In fact, they should experiment with all content to narrow down what their audience likes. However, this can serve as a strong starting point.

Here are some ideas to get you started:

How-tos
Customer spotlights
Industry facts and updates
Behind the scenes
Trends (viral sounds and dances)
Product highlights
Q&As

3. Focus on quality instead of quantity.

This applies not only to the content you post but also to which platforms you post.

From a content perspective, while it is encouraged that you post often on social media, there’s a caveat. Everything you post should add value.https://www.instagram.com/p/CcLdmLULXBe/embed/?cr=1&v=14&wp=540&rd=https%3A%2F%2Fblog.hubspot.com&rp=%2Fmarketing%2Fsmall-business-social-media#%7B%22ci%22%3A0%2C%22os%22%3A2176.600000000093%2C%22ls%22%3A1543.5%2C%22le%22%3A2142.5%7D

If it doesn’t meet that criteria, consider another strategy, such as reposting brand-related content from a non-competitor or sharing user-generated content (UGC).

In fact, 33% of small businesses surveyed (those with 1-25 employees) report getting the best ROI on social media from leveraging UGC.

Now onto the platforms.

If you’re a small business with limited time and resources, you may not able to manage an account on every single social platform. And that’s OK.

It’s much more valuable to focus on one to three platforms that have your target audience’s demographics and go from there.

According to our 2022 social media marketing research, small businesses are prioritizing Facebook and YouTube in 2022 (even though they report that Facebook and Instagram generate the highest quality leads).

However, if your audience is Gen-Z, you may choose to focus your efforts on TikTok and grow your audience there.

4. Find trends.

This is another piece of advice that relates to both content and platform.

Our research found that many small businesses are exploring live audio chat rooms and short-form videos for the first time – two of the biggest trends of the last two years.

Yes, trying out a new platform demands a lot more than trying out a new format or type of content.

Image Source

For a while, brands were wary of TikTok. They saw it as a non-serious platform meant to entertain Gen-Z. Now, brands realize that it’s another highly valuable network that can broaden their reach and increase their brand awareness.

This is all to say that you don’t have to jump on every trend when it first appears, that’s not the recommendation here. Instead, you want to monitor them and their evolution. Because while some trends die off, others turn into staples.

https://listen.hubspot.com/embed/v2/smallPlayer/9dbce735

Social Media Tools for Small Business

1. Google Analytics for Analytics

When asked about the tools they use to track social media metrics, 75% of small businesses said Google Analytics.

social media tools for small business: snapshot of google analytics

Image Source

The platform allows you to track the impact of your social media accounts on your traffic, specifically:

How many visitors are coming from social media
How long their sessions are
Which landing pages are getting shared most on social media
Conversion rates from social media compared to other channels
Which social campaigns are generating traffic and conversions

There are both free and paid versions of the app – the free version offers so many features that as a small business, there is little need for the upgrade.

2. Canva for Graphic Design

Don’t have money to hire a graphic designer? Don’t fret – Canva to the rescue.

social media for small business: canva homepage

This graphic design platform offers thousands of free social media templates that you can use to build a consistent visual identity.

You can also find stock images and videos that are free to use for commercial and non-commercial use.

Note: While Canva is incredible for creating branded templates, avoid using it for logos, as you may struggle to find unique designs.

3. Asana for Content Planning

Asana is a project management tool that makes social media planning easy.

With the free version, you can:

Integrate it with 100+ tools, including Slack, Google Calendar, Adobe, Canva, MailChimp.
Create unlimited projects and tasks.
Tag social platforms, content, and more for easy sorting.
Have up to 15 users to facilitate collaboration.

Image Source

With all of these features, you can map out your content for the month and create tasks to track your progress. This makes scheduling a piece of cake and allows others to get a clear understanding of your plans.

Growing your social media presence as a small business is an exciting time. Use these tools to get you on track and remember, slow and steady always wins the race.

Source :
https://blog.hubspot.com/marketing/small-business-social-media

Corporate Development vs Business Development: What’s the Difference?

As a business, your overall goal is likely to achieve growth and remain competitive in your market.

Corporate development and business development are two practices that help businesses achieve growth through different means. Read on to learn the difference between the two and how they relate to your business operations.

Free Download: Sales Plan Template

What is corporate development?

Corporate development is the process of achieving growth for a business through internal restructuring and external opportunities for acquisitions and mergers, investments, and divesting assets. All corporate development processes increase the value of a business.

Internal restructuring is typically changing the current management to increase efficiency, such as hiring new staff, combining existing positions, or removing other positions.

An example of internal corporate restructuring can be combining two senior positions that are closely related. An external growth example is a larger company acquiring a smaller company that offers something beneficial to its offerings, like PayPal acquiring Venmo, a money sending service meant for friends and family.

Corporate development indirectly relates to sales as management restructuring and acquisitions will increase a business’s ability to serve customers and drive sales, but the processes come long before a customer receives a receipt.

What is business development?

Business development is identifying opportunities to develop relationships with similar companies to achieve key business objectives and bring value to customers. These relationships are usually developed with companies with similar goals and related offerings.

For example, a restaurant partnering with local delivery services so people can order their favorite food for delivery. The delivery business can make more money through a new client base, and the restaurant can increase its number of orders when customers have more ways to get its food.

https://youtube.com/watch?v=ywMM2lceNyA%3Ffeature%3Doembed

Business development is closely related to sales because partnerships increase value for customers and inspire them to make purchases. The business dev process also begins through market research and qualifying prospects (companies) that it makes sense to partner with.

Difference Between Corporate Development and Business Development

Business development and corporate development are the same in that they focus on activities to help companies grow. Both processes bring a competitive advantage, as their end goal is to help a business increase the value it can provide to a target audience. Both can also involve relationships with external organizations, and business dev teams can exist within corporate dev teams.

They are different in that business dev is external relationships, and corporate dev is external growth through internal changes. While corporate dev involves finance, it does not directly increase sales as financial transactions include acquisitions and mergers and hiring new staff.

Business development is more closely related to sales because partnerships with external businesses drive more sales among consumers.

How do business development and corporate development work together?

Both processes can, however, work together.

For example, a corporate development team may hire a new vice president of marketing to oversee all marketing operations. This new hire brings along unique perspectives for expansion that help the company grow.

The new ideas impact business development as they involve new markets and new relationships with other relevant businesses in those markets.

Over To You

Most businesses should have corporate development and business development teams rather than one over the other. While each one helps your business grow and increase sales, both do so in different ways that are required for your company to succeed.

Source :
https://blog.hubspot.com/sales/corporate-development-vs-business-development

How to Fix and Prevent XSS Attacks in WordPress

Are you worried about hackers attacking your website?

Cross-site scripting, also called XSS, is one of the most common attacks on WordPress sites. Hackers find vulnerabilities on your site and use them to steal information and misuse your website.

What’s worse is that if you don’t fix it immediately, these hacks could lead to more severe damage – the kind that’s really hard to recover from.

You can prevent these hacks by installing a firewall on your WordPress site.

If your website is already under attack, we’ll show you how to fix it right away in simple beginner-friendly language. We’ll keep cybersecurity jargon to the bare minimum in this tutorial. We’ll also show you how to prevent future attacks.

First, let’s quickly understand what happens in an XSS attack so that you’ll be better equipped to handle it.

What is an XSS Attack in WordPress?

XSS stands for Cross Site Scripting which is a kind of injection attack where hackers inject malicious scripts into a website.

These scripts are disguised as good code on a trusted website. Next, when a user lands on this website, their browser executes all the code, including the malicious script, because it thinks it’s all trusted instructions.

In simpler terms, imagine you’re a spy and you’ve just received an official email from the government about a top-secret mission. It contains all the instructions you need to follow down to the T.

What you don’t know is that someone intercepted that email and added a few more instructions of their own. The government has no clue about it and you don’t bother to double check because you trust the source.

Some of it doesn’t make sense but you’re trained to obey every order to achieve your mission.

In this scenario, the government is your website, and the spy is the user’s browser. The browser follows the instructions from your website and can’t differentiate between the good and bad scripts.

These scripts are usually in Javascript, one of the most popular and widely-used programming languages. Although, these attacks can take place using any client-side language.

Now there are many ways to carry out an XSS attack. One way is to send a link to unsuspecting users to get them to click on it. Once they click on it, the attack can possibly do one or more of the following:

Redirect users to a malicious site
Capture the user’s keystrokes
Run web browser-based exploits
Steal cookie information of the user logged into an account

If the hacker is able to steal cookie information, they can completely compromise the user’s account. For instance, if you’re logged into your website’s wp-admin panel, the hacker can steal your credentials and log into your site.

What you need to do to prevent these attacks is to make sure all user data is validated and sanitized properly before it enters your website. That way, no user input can be malicious Javascript code. Added to that, you need to make sure there are no XSS vulnerabilities on your site that can allow a hacker to attack.

We’ve barely scratched the surface of XSS attacks but we hope you have a decent understanding of how a WordPress XSS attack works. Now if you suspect your site is hacked, follow our easy step-by-step tutorial below.

How to Find and Fix an XSS Attack in WordPress

To find any kind of malware or hacks on your site, you’ll need to run a deep scan on your entire website including its files and database.

We’ll be using Sucuri to scan and clean up your hacked site. Sucuri gives you a robust security setup including a firewall, malware scanner, and malware cleaner.

sucuri-security-plugin - IsItWP - Free WordPress Theme Detector

Sucuri offers a free website malware scanner that you can install inside your WordPress site by navigating to Plugins » Add New tab.

We recommend using the premium server-side scanner. This will turn your website inside out to find any trace of malware.

Added to that, here are a few of its highlights:

Monitors spam and malicious scripts
Checks for hidden backdoors created by hackers
Detects changes made to DNS (domain name system) and SSL
Checks for blacklists with search engines and other authorities
Monitors website uptime
Instant alerts via email, SMS, Slack, and RSS

For more details, read our Sucuri Review.

Sucuri comes with a price tag of $199.99 per year. If that’s out of your budget, you can try other security plugins. See our list: 9 Best WordPress Security Plugins Compared.

While selecting a security plugin, make sure it gives you all the cyber security features you need to find and fix malware infections and protect your website.

Step 1: Scanning Your Website

To get started, you’ll need to sign up for a plan with Sucuri. Then, log in to the Sucuri dashboard where you can add your site.

Here, you’ll need to connect your website by entering your FTP credentials. If you don’t know your FTP credentials, you can get them from your web host.

When your site is connected, Sucuri will automatically run a thorough scan of your website. Once done, it will show you a detailed report under the ‘My Sites’ tab.

Now you can click on the ‘Details’ button next to the warning message. This will open up the Monitoring page where you can view the details of the hack or infection.

Step 2: Requesting a Malware Cleanup

On the Monitoring page, you can see what kind of malware has infected your site. Sucuri adds a rating to indicate the risk level. So if it’s a critical or high risk, you know that you need to fix it right away. Added to that, it will also show you if your site has been blacklisted by any search engines.

Now that you know your site is infected, you need to clean it up and Sucuri makes this really easy for you. To get started with the process, click on the ‘Clean Up My Site’ button.

On the next page, click on New Malware Removal Request button and a form will appear where you can enter your site’s details.

Simply fill out the form and submit it. Once done, Sucuri’s security experts will clean up your site for you. In case you don’t know any of the details you need for the form, you can ask your web host for them.

Now you may be wondering how long would it take to get your site cleaned.

Sucuri gives first preference to users on the Business plan. They assure a turnaround time of 6 hours. For other plans, it depends on how complex your site’s infection is and the volume of requests they have in queue.

Immediately after an attack, we strongly recommend logging all users out of your site and changing your login credentials to be on the safe side.

How to Prevent XSS Attacks on Your WordPress Site

It’s always best to protect your website and prevent these kinds of malware attacks on your site. It’s much easier and cheaper than trying to fix a hacked website. Here are our top recommended steps to prevent XSS attacks on your site.

1. Enable a Web Application Firewall (WAF)

Sucuri has one of the best firewalls for WordPress sites. It not only blocks XSS attacks but all sorts of other malware attacks like DDoS, Brute Force, Phishing, and SQL injections.

The firewall will sit in front of your website and scan every user coming through. It will identify and block bad bots before they reach your site.

To enable the Sucuri firewall, navigate to the Firewall tab on your Sucuri dashboard.

Select your site, and you’ll see setup instructions that you can follow. Sucuri gives you 2 options to set up the firewall:

1. Automatic Integration: Simply enter your hosting credentials using cPanel or Plesk. This method requires you to give Sucuri access to your website’s server to automatically set up the firewall on your site.

2. Manual Integration: You can set up the firewall on your own without granting internal access to Sucuri. To get started, click on the internal domain link and make sure that it loads.

Next, you can configure your DNS to point your web traffic at the Sucuri firewall. For this, you’ll need to access the DNS records in your hosting account. Here, you can change the ‘A’ record of your site and enter the IP addresses that Sucuri provides.

If you’re stressed that this is all too complicated, you can ask your web host for help and they will guide you through the process. Added to that, you can also raise a support ticket with Sucuri and their support team will help you change the DNS records.

To open a ticket, you’ll find a link inside the manual instructions on the same page.

Once you’re done setting up the firewall, it usually takes a few hours for the changes to reflect. You can expect a maximum wait time of 48 hours.

When you enable the firewall, it will automatically add security headers to your site to protect it from XSS attacks.

sucuri-xss-protection - IsItWP - Free WordPress Theme Detector

If there’s an attempted XSS attack Sucuri will block it and report it to you in the Reports tab.

xss-attack-blocked-with-sucuri-report - IsItWP - Free WordPress Theme Detector

Now what we love about the Sucuri firewall is that it’s so easy for anyone to use, including beginners. You don’t have to be a cyber security expert or know any coding.

You can enable all sorts of protection features with just a click in the Settings » Security tab.

So for instance, you can enable DDoS protection and geoblocking to make it harder for hackers to attack your site.

To enable a security feature here, all you have to do is check the box and save your settings. When you need to disable it, you simply have to uncheck the box.

Aside from this, the Sucuri plugin will:

Regularly scan and monitor for spam and malicious code
Alert you of any cross-site scripting vulnerability
Block bad bots and hackers
Check for blacklists with search engines and other authorities
Monitor website uptime
Detect changes made to DNS (domain name system) and SSL
Send you instant security alerts via email, SMS, Slack, and RSS

So your site will be protected at all times.

2. Use Secure Forms

On a vulnerable website, forms are one of the most common targets for hackers. If your form is unsecured, this means anyone can simply enter malicious code in your form fields.

Our recommendation for securing your website’s forms is WPForms. It is the #1 WordPress form builder that has built-in security so your forms are protected right from the start.

By default, the forms have anti-spam protection turned on. Plus, you can even add CAPTCHA to your forms to block spam bots.

Advanced noCaptcha and Invisible Captcha

You can enable an invisible captcha or the type where a user will have to solve a little puzzle or tick a box to prove they’re human.

3. Set User Role Permissions

When you have multiple people working on your website, it isn’t wise to give everyone admin access. It’s better to assign them roles based on what permissions they need.

WordPress lets you create roles for:

Super Admin
Administrator
Editor
Author
Contributor
Subscriber

Now if a hacker gets control over a user’s account, they’ll be limited in what they can do on your site.

4. Auto-logout Inactive Users

Hackers can gain access to user accounts by hijacking their browser sessions and stealing cookies.

You can minimize this risk by logging out inactive WordPress users.

Many security plugins have an idle session logout feature or you can use the Inactive Logout plugin.

5. Update Your Website Regularly

WordPress plugins, themes, and even your WordPress installation get updates regularly. You’ll see them inside your WordPress dashboard when they’re available:

Many website owners ignore updates for a long time but this can expose your website to hackers. Updates usually carry bug fixes, new features, and improvements to the software. They can also have security patches. You can see if an update carries a security patch by viewing the details of the update.

This means a vulnerability was found in the software that hackers can use to attack your site. When developers find security problems, they patch them up and release a new version of the software.

All you have to do is update the software on your site.

So if you see it’s a security patch, update it immediately to avoid any risk of being hacked.

One of the main reasons site owners ignore updates is that they can sometimes break your site or cause incompatibility issues. We recommend that you test the update on a staging site and then run it on your live site.

With that, you’ve learned how to fix and prevent XSS attacks on your WordPress site.

Before we wrap up, we’ll give you one more security tip. Always take regular backups of your website.

Even with the strongest security measures on your site, there are many things that can go wrong. For instance, a user can make a simple human error that crashes your website.

You can set up automated backups using a backup plugin like UpdraftPlus. For more options, see our list of the top WordPress backup plugins.

FAQs

1. Is WordPress vulnerable to cross-site scripting attacks?

The WordPress core software is developed and maintained by some of the best experts in the world. Their software is pretty rock solid but keep in mind that no software is free from vulnerabilities.

The reason WordPress websites are attacked often is that the platform is so popular. And most users install tons of third-party themes and plugins. Vulnerabilities can develop in any of these elements and hackers can exploit them to hack your site.

2. Are there different kinds of cross site scripting attacks?

Yes. There are 3 main types of XSS attacks:

Stored XSS (also know as persistent XSS): Attackers stores their payload on a compromised server, causing the website to deliver malicious code to other visitors.
Reflected XSS: The payload is stored in the data sent from the browser to the server.
DOM XSS: Here, the server itself isn’t the one vulnerable to XSS, but rather the JavaScript on the page is.
Self cross-site scripting: Attackers can exploit a vulnerability that needs really specific context and manual changes. The victim here can only be yourself.
Blind cross-site scripting: In these attacks, the vulnerability commonly lies on a page that only authorized users can access. The attacker can’t see the result of an attack.

3. How do I make sure there are no other security issues on my site?

Make sure you always have a security plugin installed on your website. This is a must for all kinds of websites including WooCommerce, blogs, and small business sites. We recommend Sucuri, but you can also check out Wordfence, MalCare, and SiteLock. See more of our top recommendations here: 9 Best WordPress Security Plugins Compared.

That’s all we have for you today. We hope this post has given you everything you need to secure your website.

For more on website security, see our resources on:

These posts will give you more ways to seal vulnerabilities and protect your website from all risks.

Source :
https://www.isitwp.com/fix-prevent-xss-attacks-wordpress/

Google Analytics 4 vs Universal Analytics: Full Comparison 2022

Do you want to know what’s new in Google Analytics 4? How is GA4 different from Universal Analytics?

There’s a lot that’s changed in the new Google Analytics 4 platform including the navigation. Google has added new features and removed a number of reports you’re familiar with. And that means we’ll need to relearn the platform.

In this guide, we’ll detail the differences between Google Analytics 4 (GA4) vs. Universal Analytics (UA) so that you’re prepared to make the switch.

If you haven’t already switched to Google Analytics 4, we have an easy step-by-step guide you can follow: How to Set Up Google Analytics 4 in WordPress.

What’s New Only in Google Analytics 4?

In this section, we’re detailing the things that are new in GA4 that aren’t present in Universal Analytics at all. A little later, we’ll go into depth about all the changes you need to know about.

Creating and Editing Events: GA4 brings about a revolutionary change in the way you track events. You can create a custom event and modify events right inside your GA4 property. This isn’t possible with Universal Analytics unless you write code to create a custom event.
Conversion Events: Conversion goals are being replaced with conversion events. You can simply mark or unmark an event to start tracking it as a conversion. There’s an easy toggle switch to do this. GA4 even lets you create conversion events ahead of time before the event takes place.
Data Streams: UA lets you connect your website’s URL to a view. These views let you filter data. So for instance, you can create a filter in a UA view to exclude certain IP addresses from reports. GA4 uses data streams instead of views.
Data filters: Now you can add data filters to include or exclude traffic internal and developer traffic from your GA4 reports.
Google Analytics Intelligence: You can delete search queries from your search history to fine-tune your recommendations.
Explorations and Templates: There’s a new Explore item in the menu that takes you to the Explorations page and Template gallery. Explorations give you a deeper understanding of your data. And there are report templates that you can use.
Debug View: There’s a built-in visual debugging tool which is awesome news for developers and business owners. With this mode, you can get a real-time view of events displayed on a vertical timeline graph. You can see events for the past 30 minutes as well as the past 60 seconds.
BigQuery linking: You can now link your GA4 account with your BigQuery account. This will let you run business intelligence tasks on your analytics property using BigQuery tools.

While this is what’s unique to GA4, there are a lot more changes than this. But first, let’s take a look at what’s gone from the Universal Analytics platform that we’re all familiar with.

What’s Missing in Google Analytics 4?

Google Analytics 4 has done away with some of the old concepts. These include:

Views and Filters: As we mentioned, GA4 is not using Data Streams and we explain this in depth a bit later. So you won’t be able to create a view and related filters. Once you convert your UA property to GA4, you’ll be able to access a read-only list of UA filters under Admin > Account > All Filters.
Customization (menu): UA properties have a customization menu for options to create dashboards, create custom reports, save existing reports, and create custom alerts. Below are the UA customization options, along with their GA4 equivalent.
- Dashboards: At the time of writing this, there isn’t a way to create a custom GA4 dashboard.
- Custom reports: GA4 has the Explorations page instead where you can create custom reports.
- Saved reports: When you create a report in Explorations, it is automatically saved for you.
- Custom alerts: Inside custom Insights, which is a new feature in GA4, you can set custom alerts.
Google Search Console linking: There isn’t a way to link Google Search Console with a GA4 property at the time of writing.
Bounce rate: One of the most tracked metrics – the bounce rate – is gone. It’s likely that this has been replaced with Engagement Metrics.
Conversion Goals: In UA, you could create conversion goals under Views. But since views are gone, so are conversion goals. However, you can create conversion events to essentially track the same thing.

Now that you know what’s new and what’s missing in GA4, we’ll take you through an in-depth tour of the new GA4 platform.

Google Analytics 4 vs Universal Analytics

Below, we’ll be covering the main differences between GA4 and UA. We’ve created this table of contents for you to easily navigate the comparison guide:

Feel free to use the quick links to skip ahead to the section that interests you the most.

New Mobile Analytics

A major difference between GA4 and UA is that the new GA4 platform will also support mobile app analytics.

In fact, it was originally called “Mobile + Web”.

UA only tracked web analytics so it was difficult for businesses with apps to get an accurate outlook on their performance and digital marketing efforts.

Now with GA4 data model, you’ll be able to track both your website and app. You can set up a data stream for Android and iOS.

There’s also added functionality to create custom campaigns to collect information about which mediums/referrals are sending you the most traffic. This will show you where your campaigns get the most traction so that you can optimize your strategies in the future.

Easy User ID Tracking

Turning on user ID tracking in UA was quite a task. But that’s all been simplified in GA4 with the new measurement model. You simply need to navigate to Admin » Property Settings » Reporting Identity tab.

You can choose between Blended and Observed mode. Select the one you want and save your changes. That’s it.

New Navigational Menu

In GA4, the reporting interface remains familiar and the navigation menu is still on the left! That keeps things familiar but there are quite a few menu items that have changed.

First, there are only 4 high-level menu items right now. Google may add more as the platform is further developed.

Next, each menu item has a collapsed view. You can expand each item by clicking on it.

Now when you click on the submenu items, it will expand the menu to reveal more sub menus.

In GA4, you’ll see familiar menu items you use for SEO and other purposes but in different locations. Here are the notable changes:

Realtime is under Reports
Audience(s) is under Configure
Acquisition is under Reports » Life cycle
Conversions is under Configure

GA4 also comes with completely new menu items as listed below:

Reports snapshot
Engagement
Monetization
Retention
Library
Custom definitions
DebugView

Measurement ID vs Tracking ID

Universal Analytics uses a Tracking ID that has a capital UA, a hyphen, a 7-digit tracking code followed by another hyphen, and a number. Like this: UA-1234567-1.

The last number is a sequential number starting from 1 that maps to a specific property in your Google Analytics account. So if you set up a second Google Analytics property, the new code will change to UA-1234567-2.

You can find the Tracking ID for a Universal Analytics property under Admin » Property column. Navigate to Property Settings » Tracking ID tab where you can see your UA tracking ID.

In GA4, you’ll see a Measurement ID instead of a Tracking ID. This starts with a capital G, a hyphen followed by a 10-character code.

It would look like this: G-SV0GT32HNZ.

To find your GA4 Measurement ID, go to Admin » Property » Data Streams. Click on a data stream. You’ll see your Measurement ID in the stream details after the Stream URL and Stream Name.

Data Streams vs Views

In UA, you could connect your website’s URL to a view. UA views are mostly used to filter data. So for instance, you can create a filter in a UA view to exclude certain IP addresses from reports.

GA4 uses data streams instead. You’ll need to connect your website’s URL to a data stream.

But don’t be mistaken, they are not the same as views.

Also, you can’t create a filter in GA4. In case your property was converted from UA to GA4, then you can find a read-only list of UA filters under Admin » Account » All Filters.

Now Google defines a data stream as:

“A flow of data from your website or app to Analytics. There are 3 types of data stream: Web (for websites), iOS (for iOS apps), and Android (for Android apps).”

You can use your data stream to find your measurement ID and global site tag code snippet. You can also enable enhanced measurements such as your page views, scrolls, and outbound clicks.

In a data stream, you can do the following:

Set up a list of domains for cross-domain tracking
Create a set of rules for defining internal traffic rules
Put together a list of domains to exclude from tracking

Data streams will make a lot of things easier. But there are 2 things that you need to be aware of. First, once you create a data stream, there’s no way to edit it. And if you delete a data stream, you can’t undo this action.

Events vs. Hit Types

UA tracks data by hit types which is essentially an interaction that results in data being sent to Analytics. This includes page hits, event hits, eCommerce hits, and social interaction hits.

GA4 moves away from the concept of hit types. Instead, it’s event-based meaning every interaction is captured as an event. This means everything including page, events, eCommerce transactions, social, and app view hits are all captured as events.

There’s also no option for creating conversion goals. But GA4 lets you flag or mark an event as a conversion with the flip of a toggle switch.

This is essentially the same thing as creating a conversion goal in Universal Analytics. You can also create new conversion events ahead of time before those events actually take place.

In GA4, Google organizes events into 4 categories and recommends that you use them in this order:

1. Automatically collected

In the first event category, there’s no option to turn on any setting for tracking events so you don’t need to activate anything here. Google will automatically collect data on these events:

first_visit – the first visit to a website or Android instant app
session_start – the time when a visitor opens a web page or app
user_engagement – when a session lasts longer than 10 seconds or had 1 or more conversions or had 2 or more page views

Keep in mind that we’re only at the start of GA4. With Google’s ever-advancing and machine-learning technology, more automatically collected events may be added as the platform progresses.

2. Enhanced measurement

In this section, you don’t need to write any code but there are settings to turn on enhanced measurements. This will give you an extra set of automatically collected events.

To enable this data collection, you need to turn on the Enhanced measurement setting in your Data Stream.

Then you’ll see more enhanced measurement events that include:

page_view: a page-load in the browser or a browser history state change
click: a click on an outbound link that goes to an external site
file-download: a click that triggers a file download
scroll: the first time a visitor scrolls to the bottom of a page

3. Recommended

These GA4 events are recommended but aren’t automatically collected in GA4 so you’ll need to enable them if you want to track them.

We suggest you check out what is in the recommended events and turn on tracking for what you need. This can include signups, logins, and purchases.

Before we move to custom events, if you don’t see these 3 event types – automatically collected, enhanced measurement, and recommended – in your dashboard, you should ideally create a custom event for it.

4. Custom

Custom events let you set up tracking for any event that doesn’t fall into the above 3 categories. You can create and modify your events. So for instance, you can create custom events to track menu clicks.

You can design and write custom code to enable tracking for the event you want. But there is no guarantee that Google will support your custom metrics and events.

No Bounce Rate

The bounce rate metric has vanished! It’s been suggested that Google wants to focus on users that stay on your website rather than the ones that leave.

So this has likely been replaced with engagement rate metrics to collect more data on user interactions and engaged sessions.

No Custom Reports

UA properties have a customization menu for options to create dashboards, create custom reports, save existing reports, and create custom alerts.

A lot of this has changed in GA4. To make it easier for you to understand, here are the UA metrics and their GA4 equivalents:

Custom reports can be found in the Explorations page.
Saved reports are automatically created when you run an Exploration.
Custom alerts can be set up inside custom Insights from the GA4 home page.

One more thing to note is that you also won’t find a way to link Google Search Console with a GA4 property (at the time of writing). And that’s all the key differences between Universal Analytics and Google Analytics 4.

Now you may be wondering whether you HAVE TO make the switch to GA4. A lot of our users have been asking us this question so we’ll tell you quickly what you need to do.

Do I Have To Switch to GA4?

Google will retire Universal Analytics in July 2023. You’ll have access to your UA data for some time but all new data will flow into GA4. If you have a US property set up, you’ll see this warning in your dashboard:

So you have to set up a GA4 property sooner or later and we recommend that you do it sooner. This is because your UA data won’t be transferred to GA4. You have to start afresh.

You can set up your GA4 property now and let it collect data. In the meantime, you can continue to use Universal Analytics and use the time to learn the new GA4 platform. Then when we’re all forced to make the switch, you’ll have plenty of historical data in your GA4 property.

If you haven’t set up your Google Analytics 4 property yet, we’ve compiled an easy step-by step guide for you: How to Set Up Google Analytics 4 in WordPress.

Want to skip the guide and use a tool? Then MonsterInsights is the best to set up GA4. It even lets you create dual tracking profiles so you can have both UA and GA4 running simultaneously.

Get MonsterInsights Now »

After setting up GA4, you can go deeper into your data with these guides:

These posts will help you track your users and their activity on your site so that you can get more valuable insights and analytics data to improve your site’s performance.

Source :
https://www.isitwp.com/google-analytics-4-vs-universal-analytics/

How to Accept Google Pay in WordPress (The Easy Way)

Would you like to accept Google Pay on your WordPress site?

When you allow your customers to choose their preferred payment method, you’ll build trust and increase conversions on your website.

In this article, we’ll show you how to accept Google Pay in WordPress.

Why Accept Google Pay in WordPress?

If you’re selling products or services on your WordPress website or asking for donations, then it’s important to let your visitors pay using their preferred method.

Often they will want to pay by credit card or PayPal, but newer methods like Google Pay and Apple Pay are becoming more popular.

Google Pay is available in 40 countries around the world and makes online payments simple. However, your customers can only use it if they’re on an Android device running version Lollipop 5.0 or higher, so you’ll probably want to include additional payment options for people using other devices.

That being said, let’s take a look at how to accept Google Pay in your online store.

Note: We’ll cover how to add a Google Pay option in WordPress without adding a full eCommerce cart, but we will leave other helpful resources at the end of this article for those looking for full eCommerce solutions.

How to Accept Google Pay in WordPress

The first thing you need to do is install and activate the WP Simple Pay plugin. For more details, see our step by step guide on how to install a WordPress plugin.

WP Simple Pay is a simple yet powerful WordPress invoicing and payments plugin. The best part is that WP Simple Pay does not charge you any additional transaction fees, and you can set it up without the complexity of a cart system.

It lets you add Apple Pay, Google Pay, credit card as well as ACH bank payments, so you can give users multiple payment options which improves conversion.

While there is a free version of the plugin, you need the Pro plugin to accept Google Pay, create on-site payment forms, and more.

Upon activation, the WP Simple Pay setup wizard will start automatically. You simply need to click the ‘Let’s Get Started’ button to continue.

On the first page, you’ll be asked to enter your license key. You can find this information from your account on the WP Simple Pay website.

After that, you need to click the ‘Activate and Continue’ button to move to the next step.

You’ll Be Asked to Enter Your WP Simple Pay License Key

On the second page, you will need to connect WP Simple Pay to Stripe. Stripe is a popular payment gateway, and it’s the easiest way to add Google Pay to your website. It also supports all top credit and debit cards, Apple Pay, ACH payments, and more.

Simply click the ‘Connect with Stripe’ button, and from there you can log in to your Stripe account or create a new one. Anyone with a legitimate business can create a Stripe account and accept payments online.

You Need to Connect WP Simple Pay to Stripe

Note: Stripe requires your site to be using SSL/HTTPS encryption. If you don’t already have an SSL certificate for your website, then please see our step by step guide on how to add SSL in WordPress.

Once you’ve connected to Stripe, you’ll be asked to configure your WP Simple Pay emails.

The options for payment and invoice emails to your customers have already been enabled for you. So is the option for sending payment notification emails.

You just need to enter the email address where the notifications should be sent.

Once you’ve done that, you need to click the ‘Save and Continue’ button to complete your setup of WP Simple Pay.

Google Pay is enabled by default when using Stripe Checkout, and will be automatically offered to Android users in participating countries.

If you decide to disable Google Pay in the future, then you will need to change the payment method settings in the Stripe Dashboard.

Creating a Payment Form in WordPress

Next, you need to create a payment form.

You can do that by clicking the ‘Create a Payment Form’ button on the last page of the setup wizard. This will automatically take you to the WP Simple Pay » Add New page.

You’ll be shown a list of payment form templates. You need to scroll down until you locate the Apple Pay / Google Pay template.

Simply hover over the template and click the ‘Use Template’ button when it appears.

Select the Apple Pay / Google Pay Template

This will take you to the payment form editor.

If you like, you can rename the form and give it a description. After that, you need to select the ‘Stripe Checkout’ option under Form Type.

After you’ve done that, we’ll move on to the Payment tab.

Here you can set the payment mode to either live or testing. Testing mode will let you make payments that are not actually charged so you can make sure your form is working properly and emails are being sent.

Don’t forget to change this to ‘Live’ when you’ve finished testing and are ready to start receiving payments from your customers.

You can also add the products or services that you offer, along with their prices and whether they are a one-time payment or a subscription.

Simply click the ‘Add Price’ button until you have added as many prices as you need. After that, you will need to add a label and price for each one. You can also select other options, such as recurring payments, or the user can determine the price, as in a donation.

Add Your Products and Services to the Payment Form

You can show or hide a price by clicking the small arrow on the right.

Next, we’ll move on to the ‘Form Fields’ tab. Notice that the essential fields have already been added to the form, including an ‘Apple Pay / Google Pay’ button, credit card details, and a checkout button.

The Essential Form Fields Have Been Added For You

Using the ‘Form Fields’ drop down, you can choose additional fields and add them by clicking the ‘Add Field’ button. Options include name, phone number, address, and much more.

Finally, the ‘Stripe Checkout’ tab allows you to select additional payment methods and tweak the checkout form that is displayed after the user clicks the ‘Pay’ button.

For this tutorial, we’ll leave those settings as they are.

Select any Additional Payment Methods and Tweak the Checkout Form

When you are happy with your payment form, click on the ‘Publish’ button to store your settings and push the form live.

Now we can add the form to a post or page on your website.

Adding the Payment Form to Your Website

WP Simple Pay makes it super easy to add forms anywhere on your website.

Simply create a new post or page, or edit an existing one. Then, click on the plus (+) sign at the top and add a WP Simple Pay block in the WordPress block editor.

Insert a WP Simple Pay Block and Choose the Correct Form

After that, select your order form from the dropdown menu in the WP Simple Pay block.

Once you’re finished, you can update or publish the post or page, and then click on the preview button to see your form in action.

When your users click the Pay button, the Stripe checkout form will be displayed.

If they are using an Android device running Lollipop 5.0 or higher, then the Google Pay option will be displayed at the top of the form. Otherwise, the Google Pay option will be hidden, and your customers can pay using a credit card.

If you’re looking for other ways to add Google Pay in WordPress, then you can use full eCommerce solutions like Easy Digital Downloads or WooCommerce. Both of them have support for Apple Pay and Google Pay options.

We hope this tutorial helped you learn how to accept Google Pay in WordPress. You may also want to learn the right way to create an email newsletter, or check out our expert pick of the best contact form plugins for WordPress.

Source :
https://www.wpbeginner.com/plugins/how-to-accept-google-pay-in-wordpress/

How to Switch to Google Analytics 4 in WordPress (The RIGHT Way)

Are you looking to switch to the latest Google Analytics version?

Google is now recommending website owners to move to the new Google Analytics 4 because they will be sunsetting the previous Universal Analytics on July 1, 2023. After the sunset day, you won’t be able to track data in the older version.

In this article, we’ll show you how to easily switch to Google Analytics 4 in WordPress.

Why Switch to Google Analytics 4?

Google Analytics 4 (GA4) is the latest version of Google Analytics. It lets you track your mobile apps and websites in the same account, and offers new metrics, reports, and tracking features.

If you haven’t created a GA4 property yet, then now is the best time to switch to the latest version. That’s because Google announced that it will be closing down the old Universal Analytics on July 1, 2023.

What this means is that Universal Analytics will no longer receive data from your WordPress website, and it will eventually stop working after the sunset date. That means that all your old analytics data will be lost.

Switching to Google Analytics 4 as soon as possible will protect you from starting from scratch with no historical data.

To do this right, a lot of smart website owners are using the dual tracking method which allows you to continue using the current Universal Analytics while start sending data to GA4.

This way, you can future-proof your data while giving yourself plenty of time to learn the new Google Analytics dashboard and features.

That being said, let’s see how you can switch to Google Analytics 4 in WordPress with dual tracking.

Video Tutorial

https://youtube.com/watch?v=8dihyjwMNnE%3Fversion%3D3%26rel%3D0%26fs%3D1%26showsearch%3D0%26showinfo%3D1%26iv_load_policy%3D1%26wmode%3Dtransparent

Subscribe to WPBeginner

If you’d prefer written instructions, just keep reading.

Creating a Google Analytics 4 Property

If you already have an existing Google Analytics account using the old version, then you can eaily create a new GA4 property and start sending stats to GA4.

First, you’ll need to visit the Google Analytics website and login to your account.

After that, head over to the ‘Admin’ settings page in the bottom left corner.

If you’re on classic Google analytics, then you’ll see the option to setup GA4.

Go ahead and click on ‘GA4 Setup Assistant’ under the Property column.

In the next step, the setup assistant will give you 2 options. You can create a new Google Analytics 4 property or connect an existing one.

Since we’re setting up a new property, simply click the Get Started button under the ‘I want to create a new Google Analytics 4 property’ option.

A popup will now appear with the details about the setup wizard.

If you’ve implemented your Universal Analytics using the Global Site Tag (gtag.js) code, then you’ll see an option to Enable data collection using existing tags.

This uses the existing tracking code on your site to collect information. That said, if you don’t already have the right tracking code on your website, we’ll show you how to add it to your WordPress blog below.

For now, you can go ahead and click the ‘Create property’ button.

The setup wizard will add a new GA4 property and copy the Universal Analytics property name, website URL, timezone, and currency settings.

You can now view your new Google Analytics 4 property in the GA4 Setup Assistant.

Next, you’ll need to click on the ‘See your GA4 property’ button to see your Google Analytics tracking code.

After clicking on the button, simply click on the ‘Tag installation’ option to retrieve your tracking code.

You should now see your new GA4 property under Data Streams.

Go ahead and click on your new property.

A new window will slide in from the right, and you’ll be able to see your web stream details.

Note: Google Analytics 4 uses both ‘data stream’ and ‘web stream’. These both simply mean the flow of analytics data that Google Analytics receives from your website.

Simply scroll down to Tagging Instructions section and click the Global site tag (gtag.js) option to expand the settings. You’ll now see your Google Analytics tracking code that needs to be added to your WordPress site.

One thing you need to know is that Google Analytics 4 reports are quite different than what you’re used to in Universal Analytics.

They have introduced new terminology, and many familiar metrics and reports are missing completely. Basically if you were using common reports like the Top Landing Pages report or others, then you’d have to recreate those from scratch in Google Analytics 4.

That’s why we recommend using MonsterInsights Pro or even the free version of MonsterInsights.

It will help you see all the familiar analytics reports right in your WordPress dashboard, and it also lets you use both Universal Analytics and Google Analytics 4 at the same time.

Not to mention, with MonsterInsights you get all the powerful tracking features such as outbound link tracking, author tracking, and more which can be enabled without writing any code.

Let’s take a look at how to easily set up Google Analytics 4 on your WordPress site with MonsterInsights.

Adding Google Analytics Tracking Code to WordPress Site

The best way to add Google Analytics tracking code to your WordPress website is by using MonsterInsights. This is the plugin that we use on WPBeginner.

MonsterInsights is the best Analytics solution for WordPress, and it’s trusted by over 3 million websites because it lets you easily setup advanced tracking without any coding skills.

You can use the MonsterInsights Lite version to set up Google Analytics in no time. There are also premium MonsterInsights plans that offer more features like custom dashboard reports, email summaries, scroll tracking, eCommerce tracking, premium integrations, and more.

MonsterInsights also offers dual tracking, meaning you can use both Universal Analytics and Google Analytics 4 at the same time. This is available in both the free version as well paid, and we highly recommend using this to ensure that your transition to GA4 goes smoothly.

First, you’ll need to install and activate the MonsterInsights plugin. For more details, please see our guide on how to install a WordPress plugin.

Upon activation, you’ll be taken to the MonsterInsights welcome screen in your WordPress dashboard. Simply click the ‘Launch the Wizard’ button to add Google Analytics to your site.

After clicking the button, the setup wizard will ask you to choose a category that best describes your website.

You can choose from a business website, publisher (blog), or online store. Once you’ve selected a category, click the ‘Save and Continue’ button.

In the next step, you’ll need to connect MonsterInsights with your WordPress site.

Go ahead and click the ‘Connect MonsterInsights’ button.

Once you click the button, you’ll need to sign in to your Google Account.

Simply select your account and click the ‘Next’ button.

Next, MonsterInsights will require access to your Google Analytics Account.

MonsterInsights App needs these permissions, so it can help you setup analytics properly and show you all the relevant stats right inside your WordPress dashboard.

You can click the ‘Allow’ button to continue.

After that, you’ll be redirected back to the MonsterInsights setup wizard.

To complete the connection, select your Google Analytics 4 property from the dropdown menu and click the ‘Complete Connection’ button.

Next, MonsterInsights will connect Google Analytics with your WordPress website.

On the next screen, you’ll see some recommended settings like file download tracking and affiliate link tracking.

You can use the default settings in the setup wizard. However, if you’re using an affiliate link plugin, then you’ll need to enter the path you use to cloak the affiliate links.

Next, you can scroll down and select who can see reports and add different WordPress user roles.

Once you’re done, click the ‘Save and continue’ button.

After that, MonsterInsights will show different tracking features that you can enable for your website.

You can scroll down and click the ‘Skip for Now’ button.

Choose which tracking features to enable

Next, you’ll see a checklist showing that you’ve successfully connected Google Analytics to your website.

For example, it will show that you’re successfully connected to Google Analytics, the tracking code is properly installed, and the data is being collected.

That’s it, you’ve added Google Analytics 4 property to your WordPress site.

Creating a Measurement Protocol API Secret

If you want to MonsterInsights to track eCommerce purchases, form conversions, and more advanced tracking in Google Analytics, then you’ll need to create a Measurement Protocol API Secret.

First, you’ll need to go back to your Google Analytics account and then go to Admin settings. Next, click on the ‘Data Streams’ option under Property column.

Then you’ll need to select the Google Analytics 4 property that we created earlier.

Go ahead and select your property under Data Streams.

After that, you can scroll down to the ‘Advanced Settings’ section.

Simply click the ‘Measurement Protocol API secrets’ option.

Select measurement protocol API secrets option

A new window will now slide in with your Measurement Protocol API secrets.

You will have to click the ‘Create’ button.

After that, enter a nickname for your API secret so it’s easily identifiable.

When you’re done, click the ‘Create’ button.

You should now see your Measurement Protocol API secret.

Simply copy the API secret under the ‘Secret value’ field.

After that, you can head back to your WordPress website and navigate to Insights » Settings from your dashboard.

Now click on the ‘General’ tab at the top.

Next, you will have to scroll down to the ‘Google Authentication’ section.

Go ahead and enter the Secret value you just copied in the Measurement Protocol API Secret field.

Enter measurement protocol API secret in MonsterInsights

You’ve successfully added Measurement Protocol API Secret in MonsterInsights.

Setting Up Universal Analytics Dual Tracking

Now that you have setup GA4, the next step is to enable dual tracking for Universal Analytics, so it can run alongside your Google Analytics 4 property in WordPress.

With MonsterInsights, you can easily set up dual tracking and simultaneously track both properties without writing code.

Note: If you already have Universal Analytics tracking code added to your WordPress website, then we recommend disabling it first. Otherwise, it could lead to double-tracking and can skew your data.

To start setting up dual tracking properly, you can head to Insights » Settings from your WordPress admin panel and then click on the ‘General’ tab.

Next, you’ll need to scroll down to the ‘Google Authentication’ section.

Now under the Dual Tracking Profile, enter your Universal Analytics (UA) code.

You can easily find your UA code in Google Analytics Admin settings.

Simply go to the Admin settings page in Google Analytics of your Universal Analytics property.

Then click on ‘Property Settings’ under the Property column.

You should see the Tracking Id, and it will look like this: UA-123856789-5

You’ve now successfully set up dual tracking on your WordPress website.

To see how your website is performing, simply go to Insights » Reports. Here you’ll find all the data you need to make the right decisions to grow your website.

We hope this article helped you learn how to switch to Google Analytics 4 in WordPress. You may also want to see our ultimate WordPress SEO guide to improve your rankings, or see our comparison of the best email marketing services for small business.

Source :
https://www.wpbeginner.com/wp-tutorials/how-to-switch-to-google-analytics-4-in-wordpress/

Five years of 100% renewable energy – and a look ahead to a 24/7 carbon-free future

Google operates the cleanest cloud in the industry, and we have long been a leading champion of clean energy around the world. Since we began purchasing renewable energy in 2010, Google has been responsible for more than 60 new clean energy projects with a combined capacity of over 7 gigawatts — about the same as 20 million solar panels. Our long-term support for clean energy projects has contributed to the rapid growth of the industry, remarkable declines in the cost of solar and wind power, and innovative new contracting models and industry partnerships to accelerate corporate clean energy procurement.

Global Corporate PPA Volumes - Chart [June 2022].jpg

In 2021, we were the only major cloud provider to match 100% of the electricity consumption of our operations with renewable energy purchases – a goal we’ve accomplished for the past five years. This establishes Google Cloud as the cleanest cloud in the industry, and is particularly exciting given the rapid expansion of computing conducted in our data centers over the same period. This required significantly ramping up our global renewable energy purchasing: in 2021 alone we signed agreements to buy power from new renewable energy projects with a combined capacity of nearly 1300 MW – expanding our global portfolio by almost 25%.

A new frontier: 24/7 Carbon-Free Energy

Matching our annual energy consumption with renewable energy purchases has been an important step in our sustainability journey, but there are still regions and times of day where clean energy is unavailable and we are forced to rely on fossil fuels to meet our electricity needs. That is why we are now working towards our moonshot goal of operating on 24/7 carbon-free energy (CFE) by 2030, the last step in our journey to fully decarbonize Google’s global operations.

https://youtube.com/watch?v=YhSSW9LAUyw%3Fenablejsapi%3D1%26

Operating on 24/7 CFE is a far more complex and technically challenging goal than matching our annual global energy use with renewable energy purchases. It means matching our electricity demand with carbon-free energy supply every hour of every day, in every region where we operate. No company has achieved this before, and there is no playbook for achieving this.

In the spirit of transparency, today we are releasing the 2021 carbon-free energy percentages (CFE%) for each of Google’s data centers. Globally, Google operated at 66%¹ CFE in 2021 – 5% higher than 2019, but 1% lower than 2020. We expected this kind of short-term fluctuation: building new clean energy is a multi-year process, and our near-term priority is to build strong foundations for long-term CFE growth.

Our largest percentage increases were at our data centers in Chile, at 4%, and Ohio and Virginia, at 4%. In other regions, we encountered significant new headwinds, including a lack of available renewable energy supply and delays to CFE construction due to supply chain disruptions and interconnection challenges. Notably, we also saw flat or declining CFE percentages on the majority of the grids where we operate, underscoring the need for more ambitious action to accelerate grid-level decarbonization everywhere. This is an enormous challenge that requires holistic and long-term solutions, and we are working with our partners across government, industry, and civil society to build a global movement to drive progress at the speed and scale required.

As we work to operate on 24/7 carbon-free energy by 2030, we remain confident in our long-term trajectory and are increasing our focus on regions and times of day where carbon-free energy is not readily available due to resource constraints, policy barriers, or market obstacles. We are building solutions to fill these gaps, including:

New approaches to buying diverse portfolios of carbon-free energy
Projects to advance next-generation technologies like geothermal and batteries
A first-of-its kind carbon-intelligent computing platform to maximize the reduction in grid-level CO2 emissions
Advanced methods for tracking clean energy and maximizing the economic value of clean energy projects
Expanded efforts to advocate for public policies that accelerate grid-level decarbonization

Getting to 24/7 CFE won’t be easy, but we’re optimistic for the future. Our CFE goal is part of our third decade of climate action and company goal of reaching net-zero emissions across our operations and value chain, including our consumer hardware products, by 2030. We aim to reduce the majority of our emissions (versus our 2019 baseline) before 2030, and plan to invest in carbon removal solutions to neutralize our remaining emissions.

We will continue to share our progress and lessons as we work towards our goal, and to work with our partners to accelerate the global transition to a prosperous, carbon-free future.

Source :
https://cloud.google.com/blog/topics/sustainability/5-years-of-100-percent-renewable-energy

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

A week after it emerged that a sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.

Additionally, necessary changes have been implemented in Google Play Protect — Android’s built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG) said in a Thursday report.

Hermit, the work of an Italian vendor named RCS Lab, was documented by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages.

Once the threat has thoroughly insinuated itself into a device, it’s also equipped to record audio and make and redirect phone calls, in addition to abusing its permissions to accessibility services to keep tabs on the foreground apps used by the victims.

Its modularity also enables it to be wholly customizable, equipping the spyware’s functionality to be extended or altered at will. It’s not immediately clear who were targeted in the campaign, or which of RCS Lab clients were involved.

The Milan-based company, operating since 1993, claims to provide “law enforcement agencies worldwide with cutting-edge technological solutions and technical support in the field of lawful interception for more than twenty years.” More than 10,000 intercepted targets are purported to be handled daily in Europe alone.

“Hermit is yet another example of a digital weapon being used to target civilians and their mobile devices, and the data collected by the malicious parties involved will surely be invaluable,” Richard Melick, director of threat reporting for Zimperium, said.

The targets have their phones infected with the spy tool via drive-by downloads as initial infection vectors, which, in turn, entails sending a unique link in an SMS message that, upon clicking, activates the attack chain.

It’s suspected that the actors worked in collaboration with the targets’ internet service providers (ISPs) to disable their mobile data connectivity, followed by sending an SMS that urged the recipients to install an application to restore mobile data access.

“We believe this is the reason why most of the applications masqueraded as mobile carrier applications,” the researchers said. “When ISP involvement is not possible, applications are masqueraded as messaging applications.”

To compromise iOS users, the adversary is said to have relied on provisioning profiles that allow fake carrier-branded apps to be sideloaded onto the devices without the need for them to be available on the App Store.

An analysis of the iOS version of the app shows that it leverages as many as six exploits — CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883, and CVE-2021-30983 — to exfiltrate files of interest, such as WhatsApp databases, from the device.

“As the curve slowly shifts towards memory corruption exploitation getting more expensive, attackers are likely shifting too,” Google Project Zero’s Ian Beer said in a deep-dive analysis of an iOS artifact that impersonated the My Vodafone carrier app.

On Android, the drive-by attacks require that victims enable a setting to install third-party applications from unknown sources, doing so which results in the rogue app, masquerading as smartphone brands like Samsung, requests for extensive permissions to achieve its malicious goals.

The Android variant, besides attempting to root the device for entrenched access, is also wired differently in that instead of bundling exploits in the APK file, it contains functionality that permits it to fetch and execute arbitrary remote components that can communicate with the main app.

“This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need,” the researchers noted. “Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs.”

Stating that seven of the nine zero-day exploits it discovered in 2021 were developed by commercial providers and sold to and used by government-backed actors, the tech behemoth said it’s tracking more than 30 vendors with varying levels of sophistication who are known to trade exploits and surveillance capabilities.

What’s more, Google TAG raised concerns that vendors like RCS Lab are “stockpiling zero-day vulnerabilities in secret” and cautioned that this poses severe risks considering a number of spyware vendors have been compromised over the past ten years, “raising the specter that their stockpiles can be released publicly without warning.”

“Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits,” TAG said.

“While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.”

Source :
https://thehackernews.com/2022/06/google-says-isps-helped-attackers.html

The More You Know, The More You Know You Don’t Know

A Year in Review of 0-days Used In-the-Wild in 2021

Posted by Maddie Stone, Google Project Zero

This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.

We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for attackers to use 0-day capabilities. 2021 highlighted just how important it is to stay relentless in our pursuit to make it harder for attackers to exploit users with 0-days. We heard over and over and over about how governments were targeting journalists, minoritized populations, politicians, human rights defenders, and even security researchers around the world. The decisions we make in the security and tech communities can have real impacts on society and our fellow humans’ lives.

We’ll provide our evidence and process for our conclusions in the body of this post, and then wrap it all up with our thoughts on next steps and hopes for 2022 in the conclusion. If digging into the bits and bytes is not your thing, then feel free to just check-out the Executive Summary and Conclusion.

Executive Summary

2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That’s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We’ve tracked publicly known in-the-wild 0-day exploits in this spreadsheet since mid-2014.

While we often talk about the number of 0-day exploits used in-the-wild, what we’re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.

With this record number of in-the-wild 0-days to analyze we saw that attacker methodology hasn’t actually had to change much from previous years. Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces. Project Zero’s mission is “make 0day hard”. 0-day will be harder when, overall, attackers are not able to use public methods and techniques for developing their 0-day exploits. When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities. Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox.

So while we recognize the industry’s improvement in the detection and disclosure of in-the-wild 0-days, we also acknowledge that there’s a lot more improving to be done. Having access to more “ground truth” of how attackers are actually using 0-days shows us that they are able to have success by using previously known techniques and methods rather than having to invest in developing novel techniques. This is a clear area of opportunity for the tech industry.

We had so many more data points in 2021 to learn about attacker behavior than we’ve had in the past. Having all this data, though, has left us with even more questions than we had before. Unfortunately, attackers who actively use 0-day exploits do not share the 0-days they’re using or what percentage of 0-days we’re missing in our tracking, so we’ll never know exactly what proportion of 0-days are currently being found and disclosed publicly.

Based on our analysis of the 2021 0-days we hope to see the following progress in 2022 in order to continue taking steps towards making 0-day hard:

All vendors agree to disclose the in-the-wild exploitation status of vulnerabilities in their security bulletins.
Exploit samples or detailed technical descriptions of the exploits are shared more widely.
Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable.Launch mitigations that will significantly impact the exploitability of memory corruption vulnerabilities.

A Record Year for In-the-Wild 0-days

2021 was a record year for in-the-wild 0-days. So what happened?

bar graph showing the number of in-the-wild 0-day detected per year from 2015-2021. The totals are taken from this tracking spreadsheet: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708

Is it that software security is getting worse? Or is it that attackers are using 0-day exploits more? Or has our ability to detect and disclose 0-days increased? When looking at the significant uptick from 2020 to 2021, we think it’s mostly explained by the latter. While we believe there has been a steady growth in interest and investment in 0-day exploits by attackers in the past several years, and that security still needs to urgently improve, it appears that the security industry’s ability to detect and disclose in-the-wild 0-day exploits is the primary explanation for the increase in observed 0-day exploits in 2021.

While we often talk about “0-day exploits used in-the-wild”, what we’re actually tracking are “0-day exploits detected and disclosed as used in-the-wild”. There are more factors than just the use that contribute to an increase in that number, most notably: detection and disclosure. Better detection of 0-day exploits and more transparently disclosed exploited 0-day vulnerabilities is a positive indicator for security and progress in the industry.

Overall, we can break down the uptick in the number of in-the-wild 0-days into:

More detection of in-the-wild 0-day exploits
More public disclosure of in-the-wild 0-day exploitation

More detection

In the 2019 Year in Review, we wrote about the “Detection Deficit”. We stated “As a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can’t draw significant conclusions due to the lack of (and biases in) the data we have collected.” In the last two years, we believe that there’s been progress on this gap.

Anecdotally, we hear from more people that they’ve begun working more on detection of 0-day exploits. Quantitatively, while a very rough measure, we’re also seeing the number of entities credited with reporting in-the-wild 0-days increasing. It stands to reason that if the number of people working on trying to find 0-day exploits increases, then the number of in-the-wild 0-day exploits detected may increase.

A bar graph showing the number of distinct reporters of 0-day in-the-wild vulnerabilities per year for 2019-2021. 2019: 9, 2020: 10, 2021: 20. The data is taken from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708

a line graph showing how many in-the-wild 0-days were found by their own vendor per year from 2015 to 2021. 2015: 0, 2016: 0, 2017: 2, 2018: 0, 2019: 4, 2020: 5, 2021: 17. Data comes from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708

We’ve also seen the number of vendors detecting in-the-wild 0-days in their own products increasing. Whether or not these vendors were previously working on detection, vendors seem to have found ways to be more successful in 2021. Vendors likely have the most telemetry and overall knowledge and visibility into their products so it’s important that they are investing in (and hopefully having success in) detecting 0-days targeting their own products. As shown in the chart above, there was a significant increase in the number of in-the-wild 0-days discovered by vendors in their own products. Google discovered 7 of the in-the-wild 0-days in their own products and Microsoft discovered 10 in their products!

More disclosure

The second reason why the number of detected in-the-wild 0-days has increased is due to more disclosure of these vulnerabilities. Apple and Google Android (we differentiate “Google Android” rather than just “Google” because Google Chrome has been annotating their security bulletins for the last few years) first began labeling vulnerabilities in their security advisories with the information about potential in-the-wild exploitation in November 2020 and January 2021 respectively. When vendors don’t annotate their release notes, the only way we know that a 0-day was exploited in-the-wild is if the researcher who discovered the exploitation comes forward. If Apple and Google Android had not begun annotating their release notes, the public would likely not know about at least 7 of the Apple in-the-wild 0-days and 5 of the Android in-the-wild 0-days. Why? Because these vulnerabilities were reported by “Anonymous” reporters. If the reporters didn’t want credit for the vulnerability, it’s unlikely that they would have gone public to say that there were indications of exploitation. That is 12 0-days that wouldn’t have been included in this year’s list if Apple and Google Android had not begun transparently annotating their security advisories.

bar graph that shows the number of Android and Apple (WebKit + iOS + macOS) in-the-wild 0-days per year. The bar graph is split into two color: yellow for Anonymously reported 0-days and green for non-anonymous reported 0-days. 2021 is the only year with any anonymously reported 0-days. 2015: 0, 2016: 3, 2018: 2, 2019: 1, 2020: 3, 2021: Non-Anonymous: 8, Anonymous- 12. Data from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708

Kudos and thank you to Microsoft, Google Chrome, and Adobe who have been annotating their security bulletins for transparency for multiple years now! And thanks to Apache who also annotated their release notes for CVE-2021-41773 this past year.

In-the-wild 0-days in Qualcomm and ARM products were annotated as in-the-wild in Android security bulletins, but not in the vendor’s own security advisories.

It’s highly likely that in 2021, there were other 0-days that were exploited in the wild and detected, but vendors did not mention this in their release notes. In 2022, we hope that more vendors start noting when they patch vulnerabilities that have been exploited in-the-wild. Until we’re confident that all vendors are transparently disclosing in-the-wild status, there’s a big question of how many in-the-wild 0-days are discovered, but not labeled publicly by vendors.

New Year, Old Techniques

We had a record number of “data points” in 2021 to understand how attackers are actually using 0-day exploits. A bit surprising to us though, out of all those data points, there was nothing new amongst all this data. 0-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the 0-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit “shapes” previously seen in public research. Once “0-day is hard”, we’d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn’t what the data showed us this year. With two exceptions (described below in the iOS section) out of the 58, everything we saw was pretty “meh” or standard.

Out of the 58 in-the-wild 0-days for the year, 39, or 67% were memory corruption vulnerabilities. Memory corruption vulnerabilities have been the standard for attacking software for the last few decades and it’s still how attackers are having success. Out of these memory corruption vulnerabilities, the majority also stuck with very popular and well-known bug classes:

17 use-after-free
6 out-of-bounds read & write
4 buffer overflow
4 integer overflow

In the next sections we’ll dive into each major platform that we saw in-the-wild 0-days for this year. We’ll share the trends and explain why what we saw was pretty unexceptional.

Chromium (Chrome)

Chromium had a record high number of 0-days detected and disclosed in 2021 with 14. Out of these 14, 10 were renderer remote code execution bugs, 2 were sandbox escapes, 1 was an infoleak, and 1 was used to open a webpage in Android apps other than Google Chrome.

The 14 0-day vulnerabilities were in the following components:

6 JavaScript Engine – v8 (CVE-2021-21148, CVE-2021-30551, CVE-2021-30563, CVE-2021-30632, CVE-2021-37975, CVE-2021-38003)
2 DOM Engine – Blink (CVE-2021-21193 & CVE-2021-21206)
1 WebGL (CVE-2021-30554)
1 IndexedDB (CVE-2021-30633)
1 webaudio (CVE-2021-21166)
1 Portals (CVE-2021-37973)
1 Android Intents (CVE-2021-38000)
1 Core (CVE-2021-37976)

When we look at the components targeted by these bugs, they’re all attack surfaces seen before in public security research and previous exploits. If anything, there are a few less DOM bugs and more targeting these other components of browsers like IndexedDB and WebGL than previously. 13 out of the 14 Chromium 0-days were memory corruption bugs. Similar to last year, most of those memory corruption bugs are use-after-free vulnerabilities.

A couple of the Chromium bugs were even similar to previous in-the-wild 0-days. CVE-2021-21166 is an issue in ScriptProcessorNode::Process() in webaudio where there’s insufficient locks such that buffers are accessible in both the main thread and the audio rendering thread at the same time. CVE-2019-13720 is an in-the-wild 0-day from 2019. It was a vulnerability in ConvolverHandler::Process() in webaudio where there were also insufficient locks such that a buffer was accessible in both the main thread and the audio rendering thread at the same time.

CVE-2021-30632 is another Chromium in-the-wild 0-day from 2021. It’s a type confusion in the TurboFan JIT in Chromium’s JavaScript Engine, v8, where Turbofan fails to deoptimize code after a property map is changed. CVE-2021-30632 in particular deals with code that stores global properties. CVE-2020-16009 was also an in-the-wild 0-day that was due to Turbofan failing to deoptimize code after map deprecation.

WebKit (Safari)

Prior to 2021, Apple had only acknowledged 1 publicly known in-the-wild 0-day targeting WebKit/Safari, and that was due the sharing by an external researcher. In 2021 there were 7. This makes it hard for us to assess trends or changes since we don’t have historical samples to go off of. Instead, we’ll look at 2021’s WebKit bugs in the context of other Safari bugs not known to be in-the-wild and other browser in-the-wild 0-days.

The 7 in-the-wild 0-days targeted the following components:

4 Javascript Engine – JavaScript Core (CVE-2021-1870, CVE-2021-1871, CVE-2021-30663, CVE-2021-30665)

1 IndexedDB (CVE-2021-30858)
1 Storage (CVE-2021-30661)
1 Plugins (CVE-2021-1879)

The one semi-surprise is that no DOM bugs were detected and disclosed. In previous years, vulnerabilities in the DOM engine have generally made up 15-20% of the in-the-wild browser 0-days, but none were detected and disclosed for WebKit in 2021.

It would not be surprising if attackers are beginning to shift to other modules, like third party libraries or things like IndexedDB. The modules may be more promising to attackers going forward because there’s a better chance that the vulnerability may exist in multiple browsers or platforms. For example, the webaudio bug in Chromium, CVE-2021-21166, also existed in WebKit and was fixed as CVE-2021-1844, though there was no evidence it was exploited in-the-wild in WebKit. The IndexedDB in-the-wild 0-day that was used against Safari in 2021, CVE-2021-30858, was very, very similar to a bug fixed in Chromium in January 2020.

Internet Explorer

Since we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we’ve ever tracked even though Internet Explorer’s market share of web browser users continues to decrease.

So why are we seeing so little change in the number of in-the-wild 0-days despite the change in market share? Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn’t use Internet Explorer as their Internet browser. While the number of 0-days stayed pretty consistent to what we’ve seen in previous years, the components targeted and the delivery methods of the exploits changed. 3 of the 4 0-days seen in 2021 targeted the MSHTML browser engine and were delivered via methods other than the web. Instead they were delivered to targets via Office documents or other file formats.

The four 0-days targeted the following components:

MSHTML browser engine (CVE-2021-26411, CVE-2021-33742, CVE-2021-40444)
Javascript Engine – JScript9 (CVE-2021-34448)

For CVE-2021-26411 targets of the campaign initially received a .mht file, which prompted the user to open in Internet Explorer. Once it was opened in Internet Explorer, the exploit was downloaded and run. CVE-2021-33742 and CVE-2021-40444 were delivered to targets via malicious Office documents.

CVE-2021-26411 and CVE-2021-33742 were two common memory corruption bug patterns: a use-after-free due to a user controlled callback in between two actions using an object and the user frees the object during that callback and a buffer overflow.

There were a few different vulnerabilities used in the exploit chain that used CVE-2021-40444, but the one within MSHTML was that as soon as the Office document was opened the payload would run: a CAB file was downloaded, decompressed, and then a function from within a DLL in that CAB was executed. Unlike the previous two MSHTML bugs, this was a logic error in URL parsing rather than a memory corruption bug.

Windows

Windows is the platform where we’ve seen the most change in components targeted compared with previous years. However, this shift has generally been in progress for a few years and predicted with the end-of-life of Windows 7 in 2020 and thus why it’s still not especially novel.

In 2021 there were 10 Windows in-the-wild 0-days targeting 7 different components:

2 Enhanced crypto provider (CVE-2021-31199, CVE-2021-31201)
2 NTOS kernel (CVE-2021-33771, CVE-2021-31979)
2 Win32k (CVE-2021-1732, CVE-2021-40449)
1 Windows update medic (CVE-2021-36948)
1 SuperFetch (CVE-2021-31955)
1 dwmcore.dll (CVE-2021-28310)
1 ntfs.sys (CVE-2021-31956)

The number of different components targeted is the shift from past years. For example, in 2019 75% of Windows 0-days targeted Win32k while in 2021 Win32k only made up 20% of the Windows 0-days. The reason that this was expected and predicted was that 6 out of 8 of those 0-days that targeted Win32k in 2019 did not target the latest release of Windows 10 at that time; they were targeting older versions. With Windows 10 Microsoft began dedicating more and more resources to locking down the attack surface of Win32k so as those older versions have hit end-of-life, Win32k is a less and less attractive attack surface.

Similar to the many Win32k vulnerabilities seen over the years, the two 2021 Win32k in-the-wild 0-days are due to custom user callbacks. The user calls functions that change the state of an object during the callback and Win32k does not correctly handle those changes. CVE-2021-1732 is a type confusion vulnerability due to a user callback in xxxClientAllocWindowClassExtraBytes which leads to out-of-bounds read and write. If NtUserConsoleControl is called during the callback a flag is set in the window structure to signal that a field is an offset into the kernel heap. xxxClientAllocWindowClassExtraBytes doesn’t check this and writes that field as a user-mode pointer without clearing the flag. The first in-the-wild 0-day detected and disclosed in 2022, CVE-2022-21882, is due to CVE-2021-1732 actually not being fixed completely. The attackers found a way to bypass the original patch and still trigger the vulnerability. CVE-2021-40449 is a use-after-free in NtGdiResetDC due to the object being freed during the user callback.

iOS/macOS

As discussed in the “More disclosure” section above, 2021 was the first full year that Apple annotated their release notes with in-the-wild status of vulnerabilities. 5 iOS in-the-wild 0-days were detected and disclosed this year. The first publicly known macOS in-the-wild 0-day (CVE-2021-30869) was also found. In this section we’re going to discuss iOS and macOS together because: 1) the two operating systems include similar components and 2) the sample size for macOS is very small (just this one vulnerability).

Bar graph showing the number of macOS and iOS itw 0-days discovered per year. macOs is 0 for every year except 2021 when 1 was discovered. iOS - 2015: 0, 2016: 2, 2017: 0, 2018: 2, 2019: 0, 2020: 3, 2021: 5. Data from: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708

For the 5 total iOS and macOS in-the-wild 0-days, they targeted 3 different attack surfaces:

IOMobileFrameBuffer (CVE-2021-30807, CVE-2021-30883)
XNU Kernel (CVE-2021-1782 & CVE-2021-30869)
CoreGraphics (CVE-2021-30860)
CommCenter (FORCEDENTRY sandbox escape – CVE requested, not yet assigned)

These 4 attack surfaces are not novel. IOMobileFrameBuffer has been a target of public security research for many years. For example, the Pangu Jailbreak from 2016 used CVE-2016-4654, a heap buffer overflow in IOMobileFrameBuffer. IOMobileFrameBuffer manages the screen’s frame buffer. For iPhone 11 (A13) and below, IOMobileFrameBuffer was a kernel driver. Beginning with A14, it runs on a coprocessor, the DCP. It’s a popular attack surface because historically it’s been accessible from sandboxed apps. In 2021 there were two in-the-wild 0-days in IOMobileFrameBuffer. CVE-2021-30807 is an out-of-bounds read and CVE-2021-30883 is an integer overflow, both common memory corruption vulnerabilities. In 2022, we already have another in-the-wild 0-day in IOMobileFrameBuffer, CVE-2022-22587.

One iOS 0-day and the macOS 0-day both exploited vulnerabilities in the XNU kernel and both vulnerabilities were in code related to XNU’s inter-process communication (IPC) functionality. CVE-2021-1782 exploited a vulnerability in mach vouchers while CVE-2021-30869 exploited a vulnerability in mach messages. This is not the first time we’ve seen iOS in-the-wild 0-days, much less public security research, targeting mach vouchers and mach messages. CVE-2019-6625 was exploited as a part of an exploit chain targeting iOS 11.4.1-12.1.2 and was also a vulnerability in mach vouchers.

Mach messages have also been a popular target for public security research. In 2020 there were two in-the-wild 0-days also in mach messages: CVE-2020-27932 & CVE-2020-27950. This year’s CVE-2021-30869 is a pretty close variant to 2020’s CVE-2020-27932. Tielei Wang and Xinru Chi actually presented on this vulnerability at zer0con 2021 in April 2021. In their presentation, they explained that they found it while doing variant analysis on CVE-2020-27932. TieLei Wang explained via Twitter that they had found the vulnerability in December 2020 and had noticed it was fixed in beta versions of iOS 14.4 and macOS 11.2 which is why they presented it at Zer0Con. The in-the-wild exploit only targeted macOS 10, but used the same exploitation technique as the one presented.

The two FORCEDENTRY exploits (CVE-2021-30860 and the sandbox escape) were the only times that made us all go “wow!” this year. For CVE-2021-30860, the integer overflow in CoreGraphics, it was because:

For years we’ve all heard about how attackers are using 0-click iMessage bugs and finally we have a public example, and
The exploit was an impressive work of art.

The sandbox escape (CVE requested, not yet assigned) was impressive because it’s one of the few times we’ve seen a sandbox escape in-the-wild that uses only logic bugs, rather than the standard memory corruption bugs.

For CVE-2021-30860, the vulnerability itself wasn’t especially notable: a classic integer overflow within the JBIG2 parser of the CoreGraphics PDF decoder. The exploit, though, was described by Samuel Groß & Ian Beer as “one of the most technically sophisticated exploits [they]’ve ever seen”. Their blogpost shares all the details, but the highlight is that the exploit uses the logical operators available in JBIG2 to build NAND gates which are used to build its own computer architecture. The exploit then writes the rest of its exploit using that new custom architecture. From their blogpost:

Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.

The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It’s pretty incredible, and at the same time, pretty terrifying.

This is an example of what making 0-day exploitation hard could look like: attackers having to develop a new and novel way to exploit a bug and that method requires lots of expertise and/or time to develop. This year, the two FORCEDENTRY exploits were the only 0-days out of the 58 that really impressed us. Hopefully in the future, the bar has been raised such that this will be required for any successful exploitation.

Android

There were 7 Android in-the-wild 0-days detected and disclosed this year. Prior to 2021 there had only been 1 and it was in 2019: CVE-2019-2215. Like WebKit, this lack of data makes it hard for us to assess trends and changes. Instead, we’ll compare it to public security research.

For the 7 Android 0-days they targeted the following components:

Qualcomm Adreno GPU driver (CVE-2020-11261, CVE-2021-1905, CVE-2021-1906)
ARM Mali GPU driver (CVE-2021-28663, CVE-2021-28664)
Upstream Linux kernel (CVE-2021-1048, CVE-2021-0920)

5 of the 7 0-days from 2021 targeted GPU drivers. This is actually not that surprising when we consider the evolution of the Android ecosystem as well as recent public security research into Android. The Android ecosystem is quite fragmented: many different kernel versions, different manufacturer customizations, etc. If an attacker wants a capability against “Android devices”, they generally need to maintain many different exploits to have a decent percentage of the Android ecosystem covered. However, if the attacker chooses to target the GPU kernel driver instead of another component, they will only need to have two exploits since most Android devices use 1 of 2 GPUs: either the Qualcomm Adreno GPU or the ARM Mali GPU.

Public security research mirrored this choice in the last couple of years as well. When developing full exploit chains (for defensive purposes) to target Android devices, Guang Gong, Man Yue Mo, and Ben Hawkes all chose to attack the GPU kernel driver for local privilege escalation. Seeing the in-the-wild 0-days also target the GPU was more of a confirmation rather than a revelation. Of the 5 0-days targeting GPU drivers, 3 were in the Qualcomm Adreno driver and 2 in the ARM Mali driver.

The two non-GPU driver 0-days (CVE-2021-0920 and CVE-2021-1048) targeted the upstream Linux kernel. Unfortunately, these 2 bugs shared a singular characteristic with the Android in-the-wild 0-day seen in 2019: all 3 were previously known upstream before their exploitation in Android. While the sample size is small, it’s still quite striking to see that 100% of the known in-the-wild Android 0-days that target the kernel are bugs that actually were known about before their exploitation.

The vulnerability now referred to as CVE-2021-0920 was actually found in September 2016 and discussed on the Linux kernel mailing lists. A patch was even developed back in 2016, but it didn’t end up being submitted. The bug was finally fixed in the Linux kernel in July 2021 after the detection of the in-the-wild exploit targeting Android. The patch then made it into the Android security bulletin in November 2021.

CVE-2021-1048 remained unpatched in Android for 14 months after it was patched in the Linux kernel. The Linux kernel was actually only vulnerable to the issue for a few weeks, but due to Android patching practices, that few weeks became almost a year for some Android devices. If an Android OEM synced to the upstream kernel, then they likely were patched against the vulnerability at some point. But many devices, such as recent Samsung devices, had not and thus were left vulnerable.

Microsoft Exchange Server

In 2021, there were 5 in-the-wild 0-days targeting Microsoft Exchange Server. This is the first time any Exchange Server in-the-wild 0-days have been detected and disclosed since we began tracking in-the-wild 0-days. The first four (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were all disclosed and patched at the same time and used together in a single operation. The fifth (CVE-2021-42321) was patched on its own in November 2021. CVE-2021-42321 was demonstrated at Tianfu Cup and then discovered in-the-wild by Microsoft. While no other in-the-wild 0-days were disclosed as part of the chain with CVE-2021-42321, the attackers would have required at least another 0-day for successful exploitation since CVE-2021-42321 is a post-authentication bug.

Of the four Exchange in-the-wild 0-days used in the first campaign, CVE-2021-26855, which is also known as “ProxyLogon”, is the only one that’s pre-auth. CVE-2021-26855 is a server side request forgery (SSRF) vulnerability that allows unauthenticated attackers to send arbitrary HTTP requests as the Exchange server. The other three vulnerabilities were post-authentication. For example, CVE-2021-26858 and CVE-2021-27065 allowed attackers to write arbitrary files to the system. CVE-2021-26857 is a remote code execution vulnerability due to a deserialization bug in the Unified Messaging service. This allowed attackers to run code as the privileged SYSTEM user.

For the second campaign, CVE-2021-42321, like CVE-2021-26858, is a post-authentication RCE vulnerability due to insecure deserialization. It seems that while attempting to harden Exchange, Microsoft inadvertently introduced another deserialization vulnerability.

While there were a significant amount of 0-days in Exchange detected and disclosed in 2021, it’s important to remember that they were all used as 0-day in only two different campaigns. This is an example of why we don’t suggest using the number of 0-days in a product as a metric to assess the security of a product. Requiring the use of four 0-days for attackers to have success is preferable to an attacker only needing one 0-day to successfully gain access.

While this is the first time Exchange in-the-wild 0-days have been detected and disclosed since Project Zero began our tracking, this is not unexpected. In 2020 there was n-day exploitation of Exchange Servers. Whether this was the first year that attackers began the 0-day exploitation or if this was the first year that defenders began detecting the 0-day exploitation, this is not an unexpected evolution and we’ll likely see it continue into 2022.

Outstanding Questions

While there has been progress on detection and disclosure, that progress has shown just how much work there still is to do. The more data we gained, the more questions that arose about biases in detection, what we’re missing and why, and the need for more transparency from both vendors and researchers.

Until the day that attackers decide to happily share all their exploits with us, we can’t fully know what percentage of 0-days are publicly known about. However when we pull together our expertise as security researchers and anecdotes from others in the industry, it paints a picture of some of the data we’re very likely missing. From that, these are some of the key questions we’re asking ourselves as we move into 2022:

Where are the [x] 0-days?

Despite the number of 0-days found in 2021, there are key targets missing from the 0-days discovered. For example, we know that messaging applications like WhatsApp, Signal, Telegram, etc. are targets of interest to attackers and yet there’s only 1 messaging app, in this case iMessage, 0-day found this past year. Since we began tracking in mid-2014 the total is two: a WhatsApp 0-day in 2019 and this iMessage 0-day found in 2021.

Along with messaging apps, there are other platforms/targets we’d expect to see 0-days targeting, yet there are no or very few public examples. For example, since mid-2014 there’s only one in-the-wild 0-day each for macOS and Linux. There are no known in-the-wild 0-days targeting cloud, CPU vulnerabilities, or other phone components such as the WiFi chip or the baseband.

This leads to the question of whether these 0-days are absent due to lack of detection, lack of disclosure, or both?

Do some vendors have no known in-the-wild 0-days because they’ve never been found or because they don’t publicly disclose?

Unless a vendor has told us that they will publicly disclose exploitation status for all vulnerabilities in their platforms, we, the public, don’t know if the absence of an annotation means that there is no known exploitation of a vulnerability or if there is, but the vendor is just not sharing that information publicly. Thankfully this question is something that has a pretty clear solution: all device and software vendors agreeing to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited in-the-wild.

Are we seeing the same bug patterns because that’s what we know how to detect?

As we described earlier in this report, all the 0-days we saw in 2021 had similarities to previously seen vulnerabilities. This leads us to wonder whether or not that’s actually representative of what attackers are using. Are attackers actually having success exclusively using vulnerabilities in bug classes and components that are previously public? Or are we detecting all these 0-days with known bug patterns because that’s what we know how to detect? Public security research would suggest that yes, attackers are still able to have success with using vulnerabilities in known components and bug classes the majority of the time. But we’d still expect to see a few novel and unexpected vulnerabilities in the grouping. We posed this question back in the 2019 year-in-review and it still lingers.

Where are the spl0itz?

To successfully exploit a vulnerability there are two key pieces that make up that exploit: the vulnerability being exploited, and the exploitation method (how that vulnerability is turned into something useful).

Unfortunately, this report could only really analyze one of these components: the vulnerability. Out of the 58 0-days, only 5 have an exploit sample publicly available. Discovered in-the-wild 0-days are the failure case for attackers and a key opportunity for defenders to learn what attackers are doing and make it harder, more time-intensive, more costly, to do it again. Yet without the exploit sample or a detailed technical write-up based upon the sample, we can only focus on fixing the vulnerability rather than also mitigating the exploitation method. This means that attackers are able to continue to use their existing exploit methods rather than having to go back to the design and development phase to build a new exploitation method. While acknowledging that sharing exploit samples can be challenging (we have that challenge too!), we hope in 2022 there will be more sharing of exploit samples or detailed technical write-ups so that we can come together to use every possible piece of information to make it harder for the attackers to exploit more users.

As an aside, if you have an exploit sample that you’re willing to share with us, please reach out. Whether it’s sharing with us and having us write a detailed technical description and analysis or having us share it publicly, we’d be happy to work with you.

Conclusion

Looking back on 2021, what comes to mind is “baby steps”. We can see clear industry improvement in the detection and disclosure of 0-day exploits. But the better detection and disclosure has highlighted other opportunities for progress. As an industry we’re not making 0-day hard. Attackers are having success using vulnerabilities similar to what we’ve seen previously and in components that have previously been discussed as attack surfaces.The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. And while we made distinct progress in detection and disclosure it has shown us areas where that can continue to improve.

While this all may seem daunting, the promising part is that we’ve done it before: we have made clear progress on previously daunting goals. In 2019, we discussed the large detection deficit for 0-day exploits and 2 years later more than double were detected and disclosed. So while there is still plenty more work to do, it’s a tractable problem. There are concrete steps that the tech and security industries can take to make it even more progress:

Make it an industry standard behavior for all vendors to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited,
Vendors and security researchers sharing exploit samples or detailed descriptions of the exploit techniques.
Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable.

Through 2021 we continually saw the real world impacts of the use of 0-day exploits against users and entities. Amnesty International, the Citizen Lab, and others highlighted over and over how governments were using commercial surveillance products against journalists, human rights defenders, and government officials. We saw many enterprises scrambling to remediate and protect themselves from the Exchange Server 0-days. And we even learned of peer security researchers being targeted by North Korean government hackers. While the majority of people on the planet do not need to worry about their own personal risk of being targeted with 0-days, 0-day exploitation still affects us all. These 0-days tend to have an outsized impact on society so we need to continue doing whatever we can to make it harder for attackers to be successful in these attacks.

2021 showed us we’re on the right track and making progress, but there’s plenty more to be done to make 0-day hard.

Source :
https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html

Video Marketing Survey Findings

Video Marketing Benchmarks

The Most Prioritized Video Marketing Metrics

1. Engagement Rate

2. Conversion Rate

3. Click-through Rate Speaks to Your Thumbnail and Title/Caption

4. Follower and Subscriber Growth

5. Average View Time

How Long Should a Marketing Video Be?

Video Marketing Goals

Video Marketing Strategies

The Top Tactics for Creating Effective Videos

Why Video Promotion Is Key

How to Promote a Marketing Video

Top Video Formats

1. Short-form Video

2. Long-Form Video

3. Live Videos/Live Streams Metrics And Benchmarks

The Top Video Marketing Channels

1. Social Media

2. Blog/Website Pages

3. Email

The Best Social Media Channels for Sharing Videos

1. Instagram

2. YouTube

3. Facebook

4. TikTok

Which social media channels have low video performance?

Should you use paid or organic video posts on social media?

Hosting Videos on YouTube vs. Vimeo

What are the Top Content Types for Marketing Videos?

1. Content Showcasing Your Products and Services

2. Content That Reflects Your Brands Values

3. Trendy Content

4. Relatable Content

5. Funny and Interactive Content

Top Video Styles

1. Live-Action (Videos Featuring Real Footage)

2. Animated Videos

3. Screen-Capture or Screen Recording

Viral Videos

How to Make a Video Go Viral

1. Making Relatable Content Means More Engagement

2. Shorter Is Better

3. Capture Attention Immediately

Which Platform are Videos Most Likely to Go Viral On?

Which Type of Video Content is Most Likely to Go Viral?

Which Style of Video Content is Most Likely to Go Viral?

Video Marketing Benefits & Challenges

Video Marketing Benefits

Video Marketing Challenges

Video Marketing Budgets

How Much Does Creating a Marketing Video Cost?

How Long Does it Take to Create a Marketing Video?

More Insights From the HubSpot Blog

Why social media is important for small businesses?

Social Media Tips for Small Business

1. Be consistent.

2. Diversify your content.

3. Focus on quality instead of quantity.

4. Find trends.

Social Media Tools for Small Business

1. Google Analytics for Analytics

2. Canva for Graphic Design

3. Asana for Content Planning

What is corporate development?

What is business development?

Difference Between Corporate Development and Business Development

How do business development and corporate development work together?

Over To You

What is an XSS Attack in WordPress?

How to Find and Fix an XSS Attack in WordPress

Step 1: Scanning Your Website

Step 2: Requesting a Malware Cleanup

How to Prevent XSS Attacks on Your WordPress Site

1. Enable a Web Application Firewall (WAF)

2. Use Secure Forms

3. Set User Role Permissions

4. Auto-logout Inactive Users

5. Update Your Website Regularly