1731 matches found
Scan Template Best Practices in InsightVM
When you start out with one of our vulnerability management solutions, Nexpose or InsightVM, one of the first things you should build and set up is a best practices Scan Template. Because best practices are constantly changing, make sure you look at the date this blog was posted and make your...
What's New in InsightIDR: Q4 2021 in Review
More context and customization around detections and investigations, expanded dashboard capabilities, and more. This post offers a closer look at some of the recent releases in InsightIDR, our extended detection and response XDR solution, from Q4 2021. Over the past quarter, we delivered updates ...
Slot Machines and Cybercrime: Why Ransomware Won't Quit Pulling Our Lever
Note: A more detailed version of this post is available as a preprint on the ArXiv. The casino floor at Bally's is a thrilling place, one that loads of hackers are familiar with from our time at DEF CON. One feature of these casinos is the unmistakable song of slots being played. Imagine a slot...
Introducing the Manual Regex Editor in IDR’s Parsing Tool: Part 2
I have logs on my mind right now, because every spring, as trees that didn’t survive the winter are chopped down, my neighbor has truckloads of them delivered to his house. All the logs are eventually burned up in his sugar house and used to make maple syrup, and it reminds me that I have some lo...
Metasploit Wrap-Up
It's the week of December 17th and that can only mean one thing: a week until Christmas! For those of you who don't celebrate Christmas, a very happy Hanukkah/Chanukah, Kwanzaa, Diwali, Chinese New Year, Winter Solstice and Las Posadas to you all! This is our last weekly wrap-up this year, but as...
Log4Shell Strategic Response: 5 Practices for Vulnerability Management at Scale
This post is co-authored by Blake Cifelli, Senior Advisory Services Consultant. In today’s cybersecurity world, risks evolve faster than we can remediate them. To meet our goals and become resilient to these fast changes, we need the right balance of automation and human interaction. Enabling rap...
MDR Vendor Must-Haves, Part 7: Managed Response Actions
This blog post is part of an ongoing series about evaluating Managed Detection and Response MDR providers. For more insights, check out our guide, “10 Things Your MDR Service Must Do.” Security teams face unprecedented challenges as the threat landscape expands in scope and complexity. More...
Metasploit Wrap-Up
Confluence Server OGNL Injection Our own wvu along with Jang added a module that exploits an OGNL injection CVE-2021-26804in Atlassian Confluence's WebWork component to execute commands as the Tomcat user. CVE-2021-26804 is a critical remote code execution vulnerability in Confluence Server and...
Securing the Supply Chain: Lessons Learned from the Codecov Compromise
Supply chain attacks are all the rage these days. While they’re not a new part of the threat landscape, they are growing in popularity among more sophisticated threat actors, and they can create significant system-wide disruption, expense, and loss of confidence across multiple organizations,...
Metasploit Wrap-Up
Containers that fail to Contain Our own Christophe De La Fuente added a module for CVE-2019-5736 based on the work of Adam Iwaniuk that breaks out of a Docker container by overwriting the runc binary of an image which is run in the user context whenever someone outside the container runs docker...
Being Naughty to See Who Was Nice: Machine Learning Attacks on Santa’s List
Editor’s note: We had planned to publish our Hacky Holidays blog series throughout December 2021 – but then Log4Shell happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it’s 2022, we’re feeling in need of...
CVE-2023-47246: SysAid Zero-Day Vulnerability Exploited By Lace Tempest
On November 8, 2023, IT service management company SysAid disclosed CVE-2023-47426, a zero-day path traversal vulnerability affecting on-premise SysAid servers. According to Microsoft’s threat intelligence team, it has been exploited in the wild by DEV-0950 Lace Tempest in “limited attacks.” In a...
Rapid7 2021 Wrap-Up: Highlights From a Year of Empowering the Protectors
Now that 2022 is fully underway, it's time to wrap up some of the milestones that Rapid7 achieved in 2021. We worked harder than ever last year to help protectors keep their organization's infrastructure secure — even in the face of some of the most difficult threats the security community has...
Attack Surface Analysis Part 1: Vulnerability Scanning
In this three-part series, we’ll explore key considerations and strategies for choosing an attack surface analysis strategy, and the ways it can be used to increase awareness of both technical and process-related risks. We’ll start with vulnerability assessment below. BREACH!!! A word you may hea...
Patch Tuesday - May 2021
Here we are again with another installment of Patch Tuesday. When compared to the past few months this one feels a bit light both in severity and number of vulnerabilities addressed. Microsoft has only released patches for 55 CVEs this month, less than half of the usual volume, with only 4 of the...
Patch Tuesday - January 2024
Microsoft is addressing 49 vulnerabilities this January 2024 Patch Tuesday, including a single critical remote code execution vulnerability. Four browser vulnerabilities were published separately this month, and are not included in the total. No zero-day vulnerabilities are published or patched...
Patch Tuesday - April 2023
Microsoft is offering fixes for 114 vulnerabilities for April 2023 Patch Tuesday. This month’s haul includes a single zero-day vulnerability, as well as seven critical Remote Code Execution RCE vulnerabilities. There is a strong focus on fixes for Windows OS this month. Zero-day vulnerability: CL...
CVE-2022-30190: "Follina" Microsoft Support Diagnostic Tool Vulnerability
On May 30, 2022, Microsoft Security Response Center MSRC published a blog on CVE-2022-30190, an unpatched vulnerability in the Microsoft Support Diagnostic Tool msdt in Windows. Microsoft’s advisory on CVE-2022-30190 indicates that exploitation has been detected in the wild. According to Microsof...
2022 Annual Metasploit Wrap-Up
It's been another gangbusters year for Metasploit, and the holidays are a time to give thanks to all the people that help make our load a little bit lighter. So, while this end-of-year wrap-up is a highlight reel of the headline features and extensions that landed in Metasploit-land in 2022, we...
What's New in InsightVM: Q3 2021 in Review
In today's post, we're giving a rundown of new features and functionality launched in Q3 2021 for InsightVM and the Insight Platform. We hope you can begin to leverage these changes to drive success across your organization. Apple Silicon support on the Insight Agent We're excited to announce tha...
Active Exploitation of VMware Horizon Servers
This post is co-authored by Charlie Stafford, Lead Security Researcher. We will update this blog with further information as it becomes available. CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Blog's Last Update ---|---|---|---|---|--- CVE-2021-44228 | VMware Advisory |...
Metasploit Wrap-Up
FortiOS Path Traversal Returning community contributor mekhalleh submitted a module targeting a path traversal vulnerability within the SSL VPN web portal in multiple versions of FortiOS. The flaw is leveraged to read the usernames and passwords of currently logged in users which are stored in...
Metasploit Weekly Wrap-Up
Veritas Backup Exec Agent RCE This module kindly provided by c0rs targets the Veritas Backup Exec Agent in order to gain RCE as the system/root user. The exploit itself is actually a chain of 3 separate CVEs CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 which only makes it more impressive...
CVE-2022-30526 (Fixed): Zyxel Firewall Local Privilege Escalation
Rapid7 discovered a local privilege escalation vulnerability affecting Zyxel firewalls. The vulnerability allows a low privileged user, such as nobody, to escalate to root on affected firewalls. To exploit this vulnerability, a remote attacker must first establish shell access on the firewall, fo...
Active Exploitation of Confluence Server & Confluence Data Center: CVE-2021-26084
This attack is ongoing. See the Updates section at the end of this post for new information as it comes to light. On August 25, 2021, Atlassian published details on CVE-2021-26084, a critical remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability...
Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518
Daniel Lydon and Conor Quinn contributed attacker behavior insights to this blog. As of November 5, 2023, Rapid7 Managed Detection and Response MDR is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment. We have confirmed that at...
What’s New in InsightVM: Q2 2021 in Review
The world is changing rapidly. We hear that phrase a lot. Throughout Q2 though, it really is true. Vaccines have been rolling out, to varying success depending on the part of the world, but there is optimism. As Rapid7 offices begin to open up to our hard-working team members around the globe, we...
What's New in DivvyCloud by Rapid7: April 2021
Keeping you on scheduler The latest release of DivvyCloud 21.3 encompasses many of the standard changes that we included in each major release, from bug fixes to support for new cloud resources to new filters and other enhancements. As always, all the details are available in the release notes...
InsightAppSec Advanced Authentication Settings: Token Replacement
There are many different ways to use InsightAppSec to authenticate to web apps, but sometimes you need to go deeper into the advanced settings to fully automate your logins, especially with API scanning. Today, we’ll cover one of those advanced settings: Token Replacement. InsightAppSec Token...
Metasploit Wrap-Up
Two new Active Directory attacks This week we added a pair of new post-exploitation modules from community contributor timb-machine. Both modules target UNIX machines running SSSD or One Identity's Vintela Authentication Services VAS as Active Directory integration solutions. The new UNIX Gather...
Metasploit Wrap-Up
MicroFocus? More like MacroVuln MicroFocus’s Operations Bridge Manager is a security information and event management SIEM tool designed to collect and parse security logs from multiple disparate sources. OBM has a large attack surface—something Pedro Ribeiro was able to take advantage of with hi...
CVE-2022-27510: Critical Citrix ADC and Gateway Remote Authentication Bypass Vulnerabilities
On November 8, 2022, Citrix published Citrix Gateway and Citrix ADC Security Bulletin for CVE-2022-27510 CVE-2022-27513 and CVE-2022-27516 announcing fixes for three vulnerabilities: CVE-2022-27510 “Unauthorized access to Gateway user capabilities” CVE-2022-27513 “Remote desktop takeover via...
CVE-2022-0847: Arbitrary File Overwrite Vulnerability in Linux Kernel
CVE | Disclosure | AttackerKB | IVM Content | Patching Urgency | Blog's Last Update ---|---|---|---|---|--- CVE-2022-0847 | Original disclosure | AttackerKB | March 10, 2022 | When practical | March 10, 2022 3:21 PM EST On March 7, 2022, CM4all security researcher Max Kellermann published technic...
NICER Protocol Deep Dive: Internet Exposure of SMB
Welcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thin...
Kubernetes Security Is Not Container Security
Container-specific security I recently had an interesting discussion with Gianluca Brindisi from Spotify about the differences between Kubernetes security and container security. Typically, the discussion about container security focuses on general questions that aren’t focused on a specific...
What’s New in InsightVM and Nexpose: Q3 2022 in Review
Another quarter comes to a close! While we definitely had our share of summer fun, our team continued to invest in the product, releasing features and updates like recurring coverage for enterprise technologies, performance enhancements, and more. Let’s take a look at some of the key releases in...
OWASP Top 10 Deep Dive: Injection and Stack Traces From a Hacker's Perspective
In case you missed it, injection claimed the number 3 spot in OWASP's updated Top 10 application security risks for 2021. Today, I'm going to highlight some of the reasons why injection is such a formidable threat, despite it falling two spaces from the number 1 slot on OWASP's 2017 list. But...
Patch Tuesday - July 2024
Microsoft is addressing 139 vulnerabilities this July 2024 Patch Tuesday, which is on the high side in terms of typical CVE counts. They’ve also republished details for 4 CVEs issued by other vendors that affect Microsoft products. Microsoft has evidence of in-the-wild exploitation for 2 of the...
Metasploit Wrap-Up
The Metasploit team is rolling to the end of the year featuring a week of modules, updates, and our annual CTF. I say rolling in part because here in the US, we’re coming off our week of Thanksgiving, which involves lots of pies, and we’re probably all a bit more spherical than normal! For those ...
Metasploit Wrap-Up
Refreshingly configurable F5, on top of being a handy shortcut you can press over and over again until 3am just to watch the RTX 3080 preorders sell out instantly, is also a company that specializes in the delivery, security, performance, and availability of web applications, computing, storage,...
Update on Log4Shell’s Impact on Rapid7 Solutions and Systems
Like the rest of the security community, we have been internally responding to the critical remote code execution vulnerability in Apache’s Log4j Java library a.k.a. Log4Shell. We have been continuously monitoring for Log4Shell exploit attempts in our environment and have been urgently...
Patch Tuesday - June 2022
June's Patch Tuesday sees Microsoft releasing fixes for over 60 CVEs. Top of mind for many administrators this month is CVE-2022-30190, also known as Follina, which was observed being exploited in the wild at the end of May. Microsoft provided mitigation instructions disabling the MSDT URL protoc...
Metasploit Weekly Wrap-Up
ICPR Certificate Management This week Metasploit has a new ICPR Certificate Management module from Oliver Lyak and our very own Spencer McIntyre, which can be utilized for issuing certificates via Active Directory Certificate Services. It has the capability to issue certificates which is useful i...
A Quick Look Into Cloud Security Posture Management (CSPM)
The cloud security solutions market is growing rapidly, and there are many types of solutions to support your specific business needs. But figuring out the right tool—let alone the right type of tool—can be difficult. Gartner has five security archetypes that fall under the broader cloud security...
Patch Tuesday - August 2023
Microsoft is addressing 86 vulnerabilities this August Patch Tuesday, including one zero-day vulnerability, as well as five critical remote code execution RCE vulnerabilities, and 12 browser vulnerabilities. An unpatched zero-day malicious document vulnerability from July also receives Windows OS...
Pushing Open-Source Security Forward: Insights From Black Hat 2022
Open-source security has been a hot topic in recent years, and it's proven to be something of a double-edged sword. On the one hand, there's an understanding of the potential that open-source tools hold for democratizing security, making industry best practices accessible to more organizations an...
Patch Tuesday - November 2022
It’s a relatively light Patch Tuesday this month by the numbers – Microsoft has only published 67 new CVEs, most of which affect their flagship Windows operating system. However, four of these are zero-days, having been observed as exploited in the wild. The big news is that two older zero-day CV...
VMware ESXi CVE-2024-37085 Targeted in Ransomware Campaigns
On Monday, July 29, Microsoft published an extensive threat intelligence blog on observed exploitation of CVE-2024-37085, an Active Directory integration authentication bypass vulnerability affecting Broadcom VMware ESXi hypervisors. The vulnerability, according to Redmond, was identified in...
Metasploit Wrap-Up
Dump Windows secrets from Active Directory This week, our very own Christophe De La Fuente added an important update to the existing Windows Secret Dump module. It is now able to dump secrets from Active Directory, which will be very useful for Metasploit users. This new feature uses the Director...
Patch Tuesday - March 2021
Another Patch Tuesday 2021-Mar is upon us and with this month comes a whopping 122 CVEs. As usual Windows tops the list of the most patched product. However, this month it’s browser vulnerabilities taking the second place, outnumbering Office vulnerabilities 3:1! Lastly, the Exchange Server...