Latest Articles
Ligolo: Quality of Life on Red Team Engagements
In recent months we, JUMPSEC’s red team, have been using a nifty little tool that we would like to share with you in this blog post. Ligolo-ng is a versatile tool that has been aiding our covert, and slightly-less-covert, engagements with regard to tunnelling, exfiltration and persistence, and broadly improving operators’ “quality of life” when carrying out assessments that involve beaconing from within an internal network.
June 9, 2023, francescoiulio
Hunting for 'Snake'
Following the NCSC and CISA’s detailed joint advisory on the highly sophisticated ‘Snake’ cyber espionage tool, JUMPSEC threat intelligence analysts have provided a condensed blueprint for organisations to start proactively hunting for Snake within their network, contextualising key Indicators of Compromise (IoCs), and providing additional methods to validate the effectiveness of Snake detections.

Snake’s capabilities
The implant dubbed ‘Snake’ has been attributed to Centre 16 of Russia’s state-sponsored FSB. The tool has been collecting intelligence in over 50 countries for up to 20 years, targeting research facilities, government networks, financial services, communications organisations, and other Critical National Infrastructure (CNI) organisations, meaning these organisations should be particularly vigilant and take precautionary steps to protect their networks.
May 26, 2023, francescoiulio
Advisory CVE-2023-30382 – Half-Life Local Privilege Escalation
Software: Half-Life
Affected versions: Latest (<= build 5433873), at the time of writing
Vendor page: www.valvesoftware.com
CVE Reference: CVE-2023-30382
Published: 23/05/2023
CVSS 3.1 Score: 8.2 (AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
Attack Vector: Local
Credit: Ryan Saridar

Summary
An attacker can leverage a stack-based buffer overflow via Half-Life’s command line arguments to compromise the account of any local user who launches the game.

Technical details
hl.exe does not adequately perform bounds checking on the command line used to launch it, allowing an attacker who controls the launch parameters to gain code execution as the user running it. By default, all local users can modify the C:\Program Files (x86)\Steam\userdata\\config\localconfig.vdf file, which Steam reads to determine the command line parameters an application is launched with. Combining these, a low-privileged attacker can set specially crafted launch parameters in this file and gain privilege escalation when a higher-privileged user runs the application.
May 23, 2023, Ryan
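For defenders who want to hunt for tampered launch options rather than just patch, the following Python scanner is an added example written for this page; it is not JUMPSEC’s or Valve’s code. It parses the KeyValues text format that localconfig.vdf uses and flags LaunchOptions entries that are unusually long or contain control characters, the rough shape a long-argument overflow attempt through the command line would have in the file. The nesting path UserLocalConfigStore/Software/Valve/Steam/apps/<appid> and the LaunchOptions key name are assumptions about the file layout, the 256-character threshold is a heuristic, and the sample config is constructed, with app id 70 (Half-Life) carrying a 600-byte argument. Checking the ACL on the file itself (for example with Get-Acl in PowerShell) is a separate step not covered here.

```python
import re
from typing import Dict, Iterator, Tuple

# Constructed sample modelled on the layout of Steam's localconfig.vdf
# (Valve KeyValues text: quoted key/value pairs nested with braces). App id 70
# is Half-Life's Steam app id; the nesting path and the "LaunchOptions" key
# name are assumptions about the file layout and are not taken from the
# advisory. The oversized value for app 70 stands in for a tampered entry.
SAMPLE_VDF = r'''
"UserLocalConfigStore"
{
	"Software"
	{
		"Valve"
		{
			"Steam"
			{
				"apps"
				{
					"70"
					{
						"LaunchOptions"		"-console LONGARG"
					}
					"440"
					{
						"LaunchOptions"		"-novid"
						"cloud"
						{
							"last_sync_state"		"synchronized"
						}
					}
				}
			}
		}
	}
}
'''.replace("LONGARG", "A" * 600)

# A quoted string (with backslash escapes) or a single brace.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([{}])')


def _tokens(text: str) -> Iterator[Tuple[str, str]]:
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None:
            yield "str", m.group(1)
        else:
            yield "brace", m.group(2)


def _parse_block(it: Iterator[Tuple[str, str]], out: dict) -> None:
    """Consume tokens into `out` until the block's closing brace (or end of input)."""
    key = None
    for kind, val in it:
        if kind == "brace" and val == "}":
            return
        if kind == "brace":  # "{" opens a nested block under the pending key
            if key is None:
                raise ValueError("block without a key")
            child: dict = {}
            _parse_block(it, child)
            out[key] = child
            key = None
        elif key is None:
            key = val
        else:
            out[key] = val
            key = None


def parse_vdf(text: str) -> dict:
    """Parse the KeyValues subset used by localconfig.vdf into nested dicts."""
    root: dict = {}
    _parse_block(iter(_tokens(text)), root)
    return root


def launch_options(config: dict) -> Dict[str, str]:
    """Map Steam app id -> configured LaunchOptions string (assumed key path)."""
    apps = config
    for k in ("UserLocalConfigStore", "Software", "Valve", "Steam", "apps"):
        apps = apps.get(k, {})
    return {
        appid: entry["LaunchOptions"]
        for appid, entry in apps.items()
        if isinstance(entry, dict) and isinstance(entry.get("LaunchOptions"), str)
    }


def suspicious_launch_options(config: dict, max_len: int = 256) -> Dict[str, str]:
    """Heuristic: flag launch options that are unusually long or contain control characters."""
    return {
        appid: opts
        for appid, opts in launch_options(config).items()
        if len(opts) > max_len or any(ord(c) < 0x20 for c in opts)
    }


def scan_file(path: str) -> Dict[str, str]:
    """Scan a localconfig.vdf on disk with the same heuristic."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return suspicious_launch_options(parse_vdf(f.read()))


if __name__ == "__main__":
    for appid, opts in suspicious_launch_options(parse_vdf(SAMPLE_VDF)).items():
        print(f"app {appid}: suspicious LaunchOptions ({len(opts)} chars)")
```

Run `scan_file()` against each user's localconfig.vdf under the Steam userdata directory; on the constructed sample only app 70 is flagged, while app 440's ordinary "-novid" passes.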