1728 matches found
The Top 5 Russian Cyber Threat Actors to Watch
This post was updated on March 10, 2022 to include a section on the Conti Ransomware Group. As we continue to monitor the situation between Russia and Ukraine – and the potential for global cybersecurity impacts – we realize that our customers and other business and industry stakeholders may be...
Announcing Metasploit 6.2
Metasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements, and bug fixes. Since Metasploit 6.1.0 August 2021 until the latest Metasploit 6.2.0 release we’ve added: 138 new modules 148 enhancements and features 156 bug fixes Top modules Each...
Metasploit Weekly Wrap-Up
CVE-2022-21999 - SpoolFool Our very own Shelby Pace has added a new module for the CVE-2022-21999 SpoolFool privilege escalation vulnerability. This escalation vulnerability can be leveraged to achieve code execution as SYSTEM. This new module has successfully been tested on Windows 10 10.0 Build...
Mass Exploitation of Exchange Server Zero-Day CVEs: What You Need to Know
On March 2, 2021, the Microsoft Threat Intelligence Center MSTIC released details on an active state-sponsored threat campaign exploiting four zero-day vulnerabilities in on-premises instances of Microsoft Exchange Server. MSTIC attributes this campaign to HAFNIUM, a group “assessed to be...
Metasploit Wrap-Up
Struts2 Multi Eval OGNL RCE Our very own zeroSteiner added exploit/multi/http/struts2multievalognl, which exploits Struts2 evaluating OGNL expressions in HTML attributes multiple times CVE-2019-0230 and CVE-2020-17530. The CVE-2019-0230 OGNL chain for remote code execution requires a one-time cha...
Metasploit Wrap-Up
I'm very Emby-ous Community contributor btnz-k has authored a new Emby Version Scanner module consisting of both an exploit and a scanner for the SSRF vulnerability found in Emby. Emby is a previously open source media server designed to organize, play, and stream audio and video to a variety of...
Exploring the (Not So) Secret Code of Black Hunt Ransomware
It seems like every week, the cybersecurity landscape sees the emergence of yet another ransomware variant, with Black Hunt being one of the latest additions. Initially reported by cybersecurity researchers in 2022, this new threat has quickly made its presence known. In a recent incident, Black...
Using InsightVM Remediation Projects To Ensure Accountability
One benefit of InsightVM reporting is that it enables security teams to build accountability into remediation projects. There are a number of ways this can be accomplished and the approach you take will be dictated by your organization’s specific structure and needs. In this blog, we’ll look at t...
Metasploit Wrap-Up
Eternal Blue improvements Prior to this release Metasploit offered two separate exploit modules for targeting MS17-010, dubbed Eternal Blue. The Ruby module previously only supported Windows 7, and a separate ms17010eternalbluewin8 Python module would target Windows 8 and above. Now Metasploit...
Securing Your Applications Against Spring4Shell (CVE-2022-22965)
The warm weather is starting to roll in, the birds are chirping, and Spring... well, Spring4Shell is making a timely entrance. If you’re still recovering from Log4Shell, we’re here to tell you you're not alone. While discovery and research of CVE-2022-22965 is evolving, Rapid7 is committed to...
Metasploit Wrap-Up
Callback Hell Metasploit has now added an exploit module for CVE-2021-40449, a Windows local privilege escalation exploit caused by a use-after-free during the NtGdiResetDC callback in vulnerable versions of win32k.sys. This module can be used to escalate privileges to those of NT AUTHORITY\SYSTE...
Metasploit Wrap-Up
Google Chrome exploits return Community member r4j0x00 contributed a new module for CVE-2020-16040, an integer overflow in the SimplifiedLowering phase of TurboFan in Google Chrome = 87.0.4280.66 that grants attackers RCE. Whilst the exploit in and of itself does not grant RCE by default, unless...
Are You Still Running End-of-Life Windows Servers?
Windows Server 2008 and 2008 R2 reached their end of life EOL on Jan. 14, 2020. What does that mean in practice? Well, any instances running these versions of Windows Server are no longer supported by Microsoft—no more automated fixes, updates, or technical assistance. From a security standpoint,...
Metasploit Wrap-Up
Archive directory traversals, now with your daily allowance of JSP In a year already full of hot vulnerabilities, CVE-2021-21972 in VMware's vCenter Server may already seem like old news. It's not, though! Thanks to wvu-r7 for grabbing this unauthenticated file upload combined with archive...
Multiple Open Source Web App Vulnerabilities Fixed
Today, Rapid7 is disclosing 9 vulnerabilities that affect 3 open-source projects: EspoCRM, Pimcore, and Akaunting. Right out of the gate, I'd like to give a special thanks to these 3 open-source project maintainers. While it's never great to learn of new vulnerabilities in your own product, all 3...
Metasploit Wrap-Up
Zimbra Auth Bypass to Shell Ron Bowes added an exploit module that targets multiple versions of Zimbra Collaboration Suite. The module leverages an authentication bypass CVE-2022-37042 and a directory traversal vulnerability CVE-2022-27925 to gain code execution as the zimbra user. The auth bypas...
Active Exploitation of F5 BIG-IP iControl REST CVE-2022-1388
On May 4, 2022, F5 released an advisory listing several vulnerabilities, including CVE-2022-1388, a critical authentication bypass that leads to remote code execution in iControl REST with a CVSSv3 base score of 9.8. The vulnerability affects several different versions of BIG-IP prior to 17.0.0,...
Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965)
Rapid7 has completed remediating the instances of Spring4Shell CVE-2022-22965 and Spring Cloud CVE-2022-22963 vulnerabilities that we found on our internet-facing services and systems. For further information and updates about our internal response to Spring4Shell, please see our post here. If yo...
CVE-2021-34527 (PrintNightmare): What You Need to Know
Vulnerability note: This blog originally referenced CVE-2020-1675, but members of the community noted the week of June 29 that the publicly available exploits that purported to exploit CVE-2021-1675 may in fact have been targeting a new vulnerability in the same function as CVE-2021-1675. This wa...
Using Rapid7 Insight Agent and InsightVM Scan Assistant in Tandem
Background Rapid7 Insight Agent and InsightVM Scan Assistant are executables that can be deployed to assist in understanding the vulnerabilities in your environment. Frequently there are questions around when and where you would deploy each, if you need both, what they actually monitor, etc. This...
Metasploit Weekly Wrap-Up
Roxy-WI Unauthenticated RCE This week, community member Nuri Çilengir added an unauthenticated RCE for Roxy-WI. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. The vulnerability can be triggered by a specially crafted POST request to a Python script where the ipbackend...
3 Takeaways From the 2022 Verizon Data Breach Investigations Report
Sometimes, data surprises you. When it does, it can force you to rethink your assumptions and second-guess the way you look at the world. But other times, data can reaffirm your assumptions, giving you hard proof they're the right ones — and providing increased motivation to act decisively based ...
OMIGOD: How to Automatically Detect and Fix Microsoft Azure’s New OMI Vulnerability
Update: On September 16, 2021, Microsoft released an updated OMS agent v1.13.40-0 that addresses these vulnerabilities. You can download the updated version from Microsoft's GitHub repo here. In response, our team is updating the pre-built insight in InsightCloudSec to specifically look for...
CVE-2022-41040 and CVE-2022-41082: Unpatched Zero-Day Vulnerabilities in Microsoft Exchange Server
On Thursday, September 29, a Vietnamese security firm called GTSC published information and IOCs on what they claimed was a pair of unpatched Microsoft Exchange Server vulnerabilities being used in attacks on their customers’ environments dating back to early August 2022. The impact of...
CVE-2022-32230: Windows SMB Denial-of-Service Vulnerability (FIXED)
A remote and unauthenticated attacker can trigger a denial-of-service condition on Microsoft Windows Domain Controllers by leveraging a flaw that leads to a null pointer deference within the Windows kernel. We believe this vulnerability would be scored as CVSSv3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:...
Metasploit Wrap-Up
Print Driver PrivEsc If you attended DEF CON last week, you may have seen this talk on print driver vulnerabilities from Metasploit community contributor Jacob Baines. In the spirit of Friday the 13th, we're highlighting some of these "print nightmares" again, in the form of two new Metasploit...
Patch Tuesday - February 2021
The second Patch Tuesday of 2021 is relatively light on the vulnerability count, with 64 CVEs being addressed across the majority of Microsoft’s product families. Despite that, there’s still plenty to discuss this month. Vulnerability Breakdown by Software Family Family | Vulnerability Count...
Metasploit Wrap-Up
Now I Control Your Resource Planning Servers Sage X3 is a resource planning product designed by Sage Group which is designed to help established businesses plan out their business operations. But what if you wanted to do more than just manage resources? What if you wanted to hijack the resource...
Metasploit Wrap-Up
Metasploit Wrapup Windows print spooler vulnerability...again Here we have bwatters-r7 coming in with an exploit for CVE-2020-1337, a patch bypass for a Windows print spooler elevation of privilege vulnerability that was exploited in the wild last year. The original vulnerability, CVE-2020-1048,...
Top Security Recommendations for 2021
Happy HaXmas! We hope everyone is having a wonderful holiday season so far. This year has been wild and unpredictable, and has brought unique risks and threats to the forefront of business activities. So, to help everyone stay safer in 2021, the Strategic Advisory Services team here at Rapid7 is...
PetitPotam: Novel Attack Chain Can Fully Compromise Windows Domains Running AD CS
The PetitPotam attack vector was assigned CVE-2021-36942 and patched on August 10, 2021. See the Updates section at the end of this post for more information. Late last month July 2021, security researcher Topotam published a proof-of-concept PoC implementation of a novel NTLM relay attack...
CVE-2022-31660 and CVE-2022-31661 (FIXED): VMware Workspace ONE Access, Identity Manager, and vRealize Automation LPE
The VMware Workspace ONE Access, Identity Manager, and vRealize Automation products contain a locally exploitable vulnerability whereby the under-privileged horizon user can escalate their permissions to those of the root user. Notably, the horizon user runs the externally accessible web...
[Security Nation] Mike Hanley of GitHub on the Log4j Vulnerability
!\Security Nation\ Mike Hanley of GitHub on the Log4j Vulnerabilityhttps://blog.rapid7.com/content/images/2022/01/securitynationlogo.jpg In our first episode of Security Nation Season 5, Jen and Tod chat with Mike Hanley, Chief Security Officer at GitHub, all about the major vulnerability in...
There Goes The Neighborhood: Dealing With CVE-2020-16898 (and CVE-2020-1656) (aka"Bad Neighbor")
If you’re in the U.S. and were waiting for an “October surprise”, look no further than CVE-2020-16898 which is a remote code execution RCE vulnerability in the Windows TCP/IP stack, or what our own Tod Beardsley likes to call “exploiting poor implementations of core IETF RFCs”. The vulnerability...
Popular Attack Surfaces, August 2021: What You Need to Know
See the Updates section at the end of this post for new information as it comes to light. Whether you attended virtually, IRL, or not at all, Black Hat and DEF CON have officially wrapped, and security folks’ brains are replete with fresh information on new and some not-so-new vulnerabilities and...
Metasploit Wrap-Up
New Olympic Discipline: Hive Hunting This week, community contributor Hakyac added a new Olympic discipline to Metasploit exploit sport category, which is based on the work of community security researchers @jonasLyk and Kevin Beaumont. The rules are simple: You need to abuse a flaw in Windows 10...
Patch Tuesday - September 2023
Microsoft is addressing 65 vulnerabilities this September Patch Tuesday, including two zero-day vulnerabilities, as well as four critical remote code execution RCE vulnerabilities, and six republished third-party vulnerabilities. Word: zero-day NTLM hash disclosure Microsoft Word receives a patch...
Metasploit Weekly Wrap-Up
Spring4Shell module Community contributor vleminator added a new module which exploits CVE-2022-22965—more commonly known as "Spring4Shell." Depending on its deployment configuration, Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older can be vulnerable to unauthenticated...
What’s New in InsightVM and Nexpose: Q2 2022 in Review
The Vulnerability Management team kicked off Q2 by remediating the instances of Spring4Shell CVE-2022-22965 and Spring Cloud CVE-2022-22963 vulnerabilities that impacted cybersecurity teams worldwide. We also made several investments to both InsightVM and Nexpose throughout the second quarter tha...
Patch Tuesday - August 2022
It's the week of Hacker Summer Camp in Las Vegas, and Microsoft has published fixes for 141 separate vulnerabilities in their swath of August updates. This is a new monthly record by raw CVE count, but from a patching perspective, the numbers are slightly less dire. 20 CVEs affect their...
How InsightAppSec Detects Log4Shell: Your Questions Answered
If you’re reading this, that means you survived the year 2021, so congratulations! For everyone in the software industry, and especially those in cybersecurity, the past 12 months probably felt like 12 rounds in the ring. Remember the Solarwinds attack and the resulting scramble to mitigate suppl...
CVE-2022-22972: Critical Authentication Bypass in VMware Workspace ONE Access, Identity Manager, and vRealize Automation
On May 18, 2022, VMware published VMSA-2022-0014 on CVE-2022-22972 and CVE-2022-22973. The more severe of the two vulnerabilities is CVE-2022-22972, a critical authentication bypass affecting VMware’s Workspace ONE Access, Identity Manager, and vRealize Automation solutions. The vulnerability...
ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464): What You Need To Know
On June 29, 2021, security researcher Michael Stepankin @artsploit posted details of CVE-2021-35464, a pre-auth remote code execution RCE vulnerability in ForgeRock Access Manager identity and access management software. ForgeRock front-ends web applications and remote access solutions in many...
Metasploit Tips and Tricks for HaXmas 2020
For this year's HaXmas, we're giving the gift of Metasploit knowledge! We'll cover a mix of old, new, or recently improved features that you can incorporate into your workflows. Some of our readers may already know these tips and tricks for using Metasploit, but for the others who aren't aware of...
Metasploit Weekly Wrap-Up
This week’s Metasploit Framework release brings us seven new modules. IP Camera Exploitation Rapid7’s Jacob Baines was busy this week with two exploit modules that target IP cameras. The first module exploits an authenticated file upload on Axis IP cameras. Due to lack of proper sanitization, an...
Russia-Ukraine Cybersecurity Updates
Cyberattacks are a distinct concern in the Russia-Ukraine conflict, with the potential to impact individuals and organizations far beyond the physical frontlines. With events unfolding rapidly, we want to provide a single channel by which we can communicate to the security community the major...
Patch Tuesday - September 2022
This month’s Patch Tuesday is on the lighter side, with 79 CVEs being fixed by Microsoft including 16 CVEs affecting Chromium, used by their Edge browser, that were already available. One zero-day was announced: CVE-2022-37969 is an elevation of privilege vulnerability affecting the Log File Syst...
Metasploit Wrap-Up
Anyone enjoy making chains? The community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7's own wvu & Spencer McIntyre added a module that implements the ProxyShell exploit chain originally demonstrated by Orange Tsai. The module also benefite...
Let's Dance: InsightAppSec and tCell Bring New DevSecOps Improvements in Q1
To the left, to the left, to the right, right — the CI/CD Pipeline is on the move. DevSecOps is all about adding security across the application lifecycle. A popular approach to application security is to shift left, which means moving security earlier in the software development lifecycle SDLC...
Staying Secure in a Global Cyber Conflict
Now that Russia has begun its armed invasion of Ukraine, we should expect increasing risks of cybersecurity attacks and incidents, either as spillover from cyberattacks targeting Ukraine or direct attacks against actors supporting Ukraine. Any state-sponsored Russian attacks aiming to support the...