At JUMPSEC we foster a research culture and want to provide people with tools and safe environments necessary to conduct research. As part of my ongoing work in setting up a new research lab I also wanted to investigate TOR environments. By design TOR is a privacy first process and the The Onion Router provides a very good solution out of the box. I won’t elaborate on the foundations of TOR in this article, instead I want to use it as an example about various options and pitfalls with routing in docker environments. Let’s look at TOR from a business implementation requirement: If devices are domain joined, adding another Intune package requires more maintenance. TOR usage in our company should be monitored, for various reasons I am not going to elaborate. Hide TOR activity from your ISP (without using obfuscated bridges). I wanted to create a central TOR service that can be used by any...
JUMPSEC LABS
The JUMPSEC Lab is a place where the technical team get creative and showcase their latest security research, publications, interesting news and general thoughts! We love what we do and are passionate about security, with some great upcoming projects planned, bookmark our site and stick around to see what we are working on.
TokenSmith – Bypassing Intune Compliant Device Conditional Access
Conditional Access Policies (CAPs) are the core of Entra ID’s perimeter defense for the vast majority of Enterprise Microsoft 365 (M365) and Azure environments. The core ideas of...
BCP, as easy as ABC?
A Business Continuity Plan (BCP) is a strategic playbook created to help an organisation maintain or quickly resume business functions in the face of disruption. (Pratt, Tittel,...
Advisory CVE-2023-43042 – IBM Backup Products Superuser Information Disclosure
Software: IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize products Affected versions: 8.3 Vendor page: https://www.ibm.com/support/pages/node/7064976 CVE Reference: CVE-2023-43042 Published: 08/12/2023 CVSS 3.0 Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector: Network Credit: Max Corbridge Summary JUMPSEC’s Head of Adversarial Simulation...
Red Teaming the Cloud: A Shift in Perspective
Having delivered entirely cloud red teams, JUMPSEC experts discuss the shifts in perspective necessary for red teamers when targeting cloud environments.
Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware
TL;DR Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) of JUMPSEC’s Red Team recently discovered a vulnerability in the latest version of Microsoft Teams which allows for the possible introduction of malware into any organisations using Microsoft Teams in its default configuration. This is done by bypassing client-side security controls which prevent external tenants from sending files...
Hunting the Snake: An Overview of Threat Hunting with Velociraptor
In May 2023 the NCSC and CISA released a joint cyber security advisory addressing a piece of Russian malware called Snake. According to them, this malware has been gathering intelligence for the FSB in more than 50 countries for the last 20 years. Off the back of this advisory JUMPSEC decided to perform a number of threat hunts to provide assurance for some of our clients. Whilst conducting...
Ligolo: Quality of Life on Red Team Engagements
In recent months we, JUMPSEC’s red team, have been using a nifty little tool that we would like to share with you in this blog post. Ligolo-ng is a versatile tool that has been aiding our covert, and slightly-less-covert, engagements with regards to tunnelling, exfiltration, persistence, and widely improving the operators’ “quality of life” when carrying out assessments involving beaconing from...
Hunting for ‘Snake’
Following the NCSC and CISA’s detailed joint advisory on the highly sophisticated ‘Snake’ cyber espionage tool, JUMPSEC threat intelligence analysts have provided a condensed blueprint for organisations to start proactively hunting for Snake within their network, contextualising key Indicators of Compromise (IoC), and providing additional methods to validate the effectiveness of Snake...
Advisory CVE-2023-30382 – Half-Life Local Privilege Escalation
Software: Half-Life Affected versions: Latest (<= build 5433873), at the time of writing Vendor page: www.valvesoftware.com CVE Reference: CVE-2023-30382 Published: 23/05/2023 CVSS 3.1 Score: 8.2 AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Attack Vector: Local Credit: Ryan Saridar Summary An attacker can leverage a stack-based buffer overflow via Half-Life’s command line arguments to compromise the...
Butting Heads with a Threat Actor on an Engagement
After compromising a sensitive external server JUMPSEC’s Red Team found that they were not the first ones there…
Disclaimer
The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.