Latest Articles

Advisory CVE-2021-41551 Leostream Connection Broker - Authenticated Zip Slip

Software: Leostream Connection Broker
Affected Versions: 9.0.40.17
Vendor page: https://leostream.com/
CVE Reference: CVE-2021-41551
Published: 25/01/2022
Attack Vector: path traversal, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit Seriamnuai, Andrea Malusardi

Summary
Leostream Connection Broker 9.0.40.17 allows administrators to conduct directory traversal attacks by uploading a ZIP file that contains a symbolic link.

Mitigation
Leostream has released a patch for this vulnerability; JUMPSEC recommends upgrading affected installations to the patched version as soon as possible. Leostream's advice and release notes can be found here.


January 26, 2022, Lenk Ratchakrit Seriamnuai

No Logs? No Problem! Incident Response without Windows Event Logs

By Dray Agha

In this article, we discuss some Digital Forensics and Incident Response (DFIR) techniques you can leverage when you encounter an environment without Windows event logs.

Where are the logs?
At JUMPSEC, we regularly respond to security incidents in environments whose logging and auditing are inadequate for investigating a cyber incident. In some cases, the organisations we encounter have no recognisable SIEM or centralised log repository. In others, organisations with otherwise sufficient logging have seen adversaries intentionally manipulate the logs on an endpoint to prevent analysis - sometimes even wiping them entirely.


November 22, 2021, dray

PowerShell Jobs

By Dray Agha

While responding to an incident, JUMPSEC investigators recently observed an adversary weaponising PowerShell Jobs to schedule their attack. In this article, we discuss what PowerShell Jobs are, how they can be leveraged for malicious purposes, and how defenders can protect, detect, and respond to neutralise the threat.

What are PowerShell Jobs?
Adversaries are known to schedule parts of their campaign once they have infiltrated a target network. They may timetable their attack for an opportune moment (such as unsociable hours, judged by the region in which the infrastructure is hosted or the support teams reside) or set up a recurring task to ensure ongoing persistence.


October 7, 2021, dray