Latest Articles
Hunting for 'Snake'
Following the NCSC and CISA’s detailed joint advisory on the highly sophisticated ‘Snake’ cyber espionage tool, JUMPSEC threat intelligence analysts have provided a condensed blueprint for organisations to start proactively hunting for Snake within their network, contextualising key Indicators of Compromise (IoC), and providing additional methods to validate the effectiveness of Snake detections. Snake’s capabilitiesThe implant dubbed ‘Snake’ has been attributed to Centre 16 of Russia’s state sponsored FSB. The tool has been collecting intelligence in over 50 countries for up to 20 years, targeting research facilities, government networks, financial services, communications organisations, and other Critical National Infrastructure (CNI) organisations, meaning these organisations should be particularly vigilant and take precautionary steps to protect their networks.
May 26, 2023,francescoiulio
<strong>Advisory CVE-2023-30382 – Half-Life Local Privilege Escalation</strong>
Software: Half-Life Affected versions: Latest (<= build 5433873), at the time of writing Vendor page: www.valvesoftware.com CVE Reference: CVE-2023-30382 Published: 23/05/2023 CVSS 3.1 Score: 8.2 AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Attack Vector: Local Credit: Ryan Saridar Summary An attacker can leverage a stack-based buffer overflow via Half-Life’s command line arguments to compromise the account of any local user who launches the game. Technical details hl.exe does not adequately perform bounds checking on the command line used to launch it, allowing an attacker with control of the launch parameters to gain code execution as the user running it. By default, all users can access the C:\Program Files (x86)\Steam\userdata\\config\localconfig.vdf file, which can be modified to enforce a Steam application to launch with any provided command line parameters. Combining these, a low-privileged attacker can set specially crafted launch parameters using this file, and therefore gain privilege escalation when a higher privileged user runs the application.
May 23, 2023,Ryan Saridar
Butting Heads with a Threat Actor on an Engagement
At the time of writing I am enjoying some non-billable time in the wake of a demanding engagement spanning across several months. As such, I thought it would be a good time to write up a war story from a recent project in which we came head to head against genuine and active threat actors whilst on an engagement. To set the scene, I am working on a purple team project in which we are to cover both the external and internal estate. This tale comes from the external portion of the engagement and as such my colleague and I are going about our usual external red team attack methodology. During this external phase we identify several instances of servers running a software that will remain unnamed for confidentiality’s sake. I will say that this was a third-party software that is used for Identity Access Management, and it appeared to be used in several environments (pre-prod, production, etc) within the client’s estate.
April 17, 2023,Max Corbridge