1723 matches found
Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange
In recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in Microsoft’s Exchange Server by an attacker referred to as HAFNIUM. One of the major reasons these latest vulnerabilities are so dangerous and appealing to attackers is that they...
SOC Automation with InsightIDR and InsightConnect: Three Key Use Cases to Explore to Optimize Your Security Operations
You probably already know that SOC automation with InsightIDR and InsightConnect can decrease your MeanTimeToResponse. It may not be a surprise that automating your security operations will augment your team’s skills and expertise to detect and respond to threats with super speed. You can even...
Metasploit Wrap-Up
Windows Server 2012 Fun Community contributor Erik Wynter added a local exploit module for a DLL hijacking vulnerability he discovered in Windows Server 2012. The TiWorker.exe process that runs as NT AUTHORITY\SYSTEM attempts to load SrClient.dll, which does not exist on the system. Because of...
Top Security Trends Driving Threat Detection and Response Priorities Today
The threat landscape continues to grow at a rapid pace, and organizations need security solutions that can keep up. A modern SaaS SIEM is built in the cloud, provides extended coverage across diverse data sources, and leverages automation to expedite response and containment, making it a great to...
F5 Discloses Eight Vulnerabilities—Including Four Critical Ones—in BIG-IP Systems
Update March 25, 2021: CVE-2021-22986 is now being actively exploited in the wild by a range of malicious actors. Rapid7 has in-depth technical analysis on this vulnerability, including proof-of-concept code and information on indicators of compromise, available here. On March 10, 2021, F5...
Rapid7 Announces Release of New tCell Amazon CloudFront Agent
Cloud-native approaches to building, hosting, and delivering web applications are growing rapidly. Content delivery networks CDNs such as Amazon CloudFront are on the rise, pushing content closer to end users to improve the performance of web applications. To protect web applications security tea...
Metasploit Wrap-Up
Archive directory traversals, now with your daily allowance of JSP In a year already full of hot vulnerabilities, CVE-2021-21972 in VMware's vCenter Server may already seem like old news. It's not, though! Thanks to wvu-r7 for grabbing this unauthenticated file upload combined with archive...
Introducing the 2020 Vulnerability Intelligence Report: 50 CVEs that Made Headlines in 2020
2020 was a tumultuous year for vulnerability risk management. Defenders had to contend with a growing volume of high-priority security threats, many of them in internet-facing technologies deployed to enable and secure a suddenly remote workforce. New communications from the U.S. National Securit...
InsightIDR’s NTA Capabilities Expanded to AWS
We’re excited to announce we have expanded the Network Traffic Analysis NTA capabilities in InsightIDR to support Amazon Web Services AWS environments. This means InsightIDR and MDR customers can now ingest detailed network data from AWS, including north/south and east/west traffic across a...
Patch Tuesday - March 2021
Another Patch Tuesday 2021-Mar is upon us and with this month comes a whopping 122 CVEs. As usual Windows tops the list of the most patched product. However, this month it’s browser vulnerabilities taking the second place, outnumbering Office vulnerabilities 3:1! Lastly, the Exchange Server...
What's New in DivvyCloud by Rapid7: February 2021 Feature Releases
February was another busy month. Internally, as we work to improve our processes, we are still committed to maintaining our frequent release cadence. Our releases, both minor and major, ensure that customers have access to valuable improvements, features, expanded support capabilities, and bug...
How to Keep Up With Vulnerability Management Challenges in Ephemeral Cloud Environments
This blog is part of an ongoing series sharing key takeaways from Rapid7’s 2020 Cloud Security Executive Summit. Interested in participating in the next summit on March 9? Register here! The modern perspective is that the cloud has made it much easier to have visibility of your attack surface and...
Metasploit Wrap-Up
FortiOS Path Traversal Returning community contributor mekhalleh submitted a module targeting a path traversal vulnerability within the SSL VPN web portal in multiple versions of FortiOS. The flaw is leveraged to read the usernames and passwords of currently logged in users which are stored in...
Mass Exploitation of Exchange Server Zero-Day CVEs: What You Need to Know
On March 2, 2021, the Microsoft Threat Intelligence Center MSTIC released details on an active state-sponsored threat campaign exploiting four zero-day vulnerabilities in on-premises instances of Microsoft Exchange Server. MSTIC attributes this campaign to HAFNIUM, a group “assessed to be...
IAM Never Gonna Give You Up, Never Gonna Breach Your Cloud
This blog is part of an ongoing series sharing key takeaways from Rapid7’s 2020 Cloud Security Executive Summit. Interested in participating in the next summit on Tuesday, March 9? Register here! Identity and access management IAM credentials have solved myriad security issues, but the recent...
Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day
Starting February 27, 2021, Rapid7 has observed a notable increase in the exploitation of Microsoft Exchange through existing detections in InsightIDR’s Attacker Behavior Analytics ABA. The Managed Detection and Response MDR identified multiple, related compromises in the past 72 hours. In most...
Indiscriminate Exploitation of Microsoft Exchange Servers (CVE-2021-24085)
The following blog post was co-authored by Andrew Christian and Brendan Watters. Beginning Feb. 27, 2021, Rapid7’s Managed Detection and Response MDR team has observed a notable increase in the automated exploitation of vulnerable Microsoft Exchange servers to upload a webshell granting attackers...
How to Achieve and Maintain Continuous Cloud Compliance
This blog is part of an ongoing series sharing key takeaways from Rapid7’s 2020 Cloud Security Executive Summit. Interested in participating in the next summit on Tuesday, March 9? Register here! There are two things that make data a hot topic. First, keeping track of your organization’s sheer...
Metasploit Wrap-Up
Hey who finked about Flink? In this week's round of modules, contributor bcoles offered up two modules to leverage that Apache Flink install you found in some fun new ways. If you are just looking to filch a few files, auxiliary/scanner/http/apacheflinkjobmanagertraversal leverages CVE-2020-17519...
Celebrating Black History Today and Every Day
Black History Month is a time for every person, from all different backgrounds to honor and celebrate the achievements of Black and African Americans in the U.S. and their impact on world history. In honor of Black History Month, we would like to recognize some of our amazing team members who hav...
Building a Holistic VRM Strategy That Includes the Web Application Layer
Building security into your overall vulnerability risk management VRM strategy is a must-do in the age of the all-important web app. Between security and IT-Ops teams, there are a number of steps in the VRM process, including asset identification, enumeration, prioritization, and remediation. How...
Multiple Unauthenticated Remote Code Control and Execution Vulnerabilities in Multiple Cisco Products
What’s up? On Feb. 24, 2021, Cisco released many patches for multiple products, three of which require immediate attention by organizations if they are running affected systems and operating system/software configurations. They are detailed below: Cisco ACI Multi-Site Orchestrator Application...
VMware vCenter Server CVE-2021-21972 Remote Code Execution Vulnerability: What You Need to Know
This blog post was co-authored by Bob Rudis and Caitlin Condon. What’s up? On Feb. 23, 2021, VMware published an advisory VMSA-2021-0002 describing three weaknesses affecting VMware ESXi, VMware vCenter Server, and VMware Cloud Foundation. Before digging into the individual vulnerabilities, it is...
Software Engineering, Vulnerability and Risk Management: Revolutionizing the Security Landscape at Rapid7
At Rapid7, our software engineers defend the digital world and design the future of security. With a supportive, collaborative team, immense learning and development opportunities to fine-tune and hone in on skills and knowledge, opportunities to work with innovative technology, and the pursuance...
How to Combat Alert Fatigue With Cloud-Based SIEM Tools
Today’s security teams are facing more complexity than ever before. IT environments are changing and expanding rapidly, resulting in proliferating data as organizations adopt more tools to stay on top of their sprawling environments. And with an abundance of tools comes an abundance of alerts,...
Metasploit Wrap-Up
GSoC Rocks! In a rare double whammy, one of our 2020 Google Summer of Code GSoC participants has authored a PR containing both enhancements & a new module! Improvements to our SQL injection library now allow PostgreSQL injection, and this new functionality has been verified with both a test modul...
Take the Full-Stack Approach to Securing Your Modern Attack Surface
A growing remote-work culture demands a graduation in the approach to security. It’s time to test, monitor, secure, and extend to the application layer. A modern methodology for vulnerability management VM is vital for organizations looking to minimize attack surfaces by prioritizing potential...
Securing Your Web App, One Robot at a Time
Modern web apps are two things: complex, and under persistent attack. Any publicly accessible web application can receive up to tens of thousands of attacks a month. While that sounds like a reason to immediately pull the plug and find a safe space to hide, these are likely spread across the...
Why More Teams are Shifting Security Analytics to the Cloud This Year
As the threat landscape continues to evolve in size and complexity, so does the security skills and resource gap, leaving organizations both understaffed and overwhelmed. An ESG study found that 63% of organizations say security is more difficult than it was two years ago. Teams cite the growing...
Monitor Google Cloud Platform (GCP) Data With InsightIDR
InsightIDR was built in the cloud to support dynamic and rapidly changing environments—including remote workers, hybrid cloud and on-premises architectures, and fully cloud environments. Today, more and more organizations are adopting multi-cloud or hybrid environments, creating increasingly more...
Metasploit Wrap-Up
MicroFocus? More like MacroVuln MicroFocus’s Operations Bridge Manager is a security information and event management SIEM tool designed to collect and parse security logs from multiple disparate sources. OBM has a large attack surface—something Pedro Ribeiro was able to take advantage of with hi...
Talkin’ SMAC: Alert Labeling and Why It Matters
If you’ve ever worked in a Security Operations Center SOC, you know that it’s a special place. Among other things, the SOC is a massive data-labeling machine, and generates some of the most valuable data in the cybersecurity industry. Unfortunately, much of this valuable data is often rendered...
New InsightVM Dashboard Helps You Discover Significant Changes in Your Environment from the Past 30 Days
Organizations are in a constant struggle to identify and reduce risks in their constantly changing environments. These changes may manifest by several means and can be recurring events. For example: 1. Laptops and other devices are commissioned or decommissioned due to changes in the workforce. 2...
CVE-2021-22652: Advantech iView Missing Authentication RCE (FIXED)
Advantech iView versions prior to 5.7.03.6112 suffer from an instance of "CWE-306: Missing Authentication For Critical Function." This vulnerability CVE-2021-22652 has a CVSSv3 score of 9.8, which is usually CRITICAL, since it effectively allows anyone who can connect to the iView server to run...
SOAR Tools: What to Look for When Investing in Security Automation Tech
Security orchestration and automation SOAR refers to a collection of software solutions and tools that organizations can leverage to streamline security operations in three key areas: threat and vulnerability management, incident response, and security-operations automation. From a single platfor...
Patch Tuesday - February 2021
The second Patch Tuesday of 2021 is relatively light on the vulnerability count, with 64 CVEs being addressed across the majority of Microsoft’s product families. Despite that, there’s still plenty to discuss this month. Vulnerability Breakdown by Software Family Family | Vulnerability Count...
Metasploit Wrap-Up
Baron Samedit is coming to get you Last week, a critical bug in sudo came out and could potentially affect most of the Linux-based operating systems, since this tool is usually installed by default. This vulnerability is identified as CVE-2021-3156, but better known as "Baron Samedit", and is...
Cisco Patches Recently Disclosed "sudo" Vulnerability (CVE-2021-3156) in Multiple Products
While Punxsutawney Phil may have said we only have six more weeks of winter, the need to patch software and hardware weaknesses will, unfortunately, never end. Cisco has released security updates to address vulnerabilities in most of their product portfolio, some of which may be exploited to gain...
SonicWall SNWLID-2021-0001 Zero-Day and SolarWinds’ 2021 CVE Trifecta: What You Need to Know
Not content with the beating it laid down in January, 2021 continues to deliver with an unpatched zero-day exposure in some SonicWall appliances and three moderate-to-critical CVEs in SolarWinds software. We dig into the details below. Urgent mitigations required for SonicWall SMA 100 Series...
Vulnerability Scanning With the Metasploit Remote Check Service (Beta Release)
InsightVM and Nexpose customers can now harness the power of the Metasploit community to assess their exposure to the latest threats. The Feb. 3 release of InsightVM and Nexpose version 6.6.63 includes a beta version of the Metasploit Remote Check Service, bringing Metasploit check method...
Addressing the OT-IT Risk and Asset Inventory Gap
Cyber-espionage and exploitation from nation-state-sanctioned actors have only become more prevalent in recent years, with recent examples including the SolarWinds attack, which was attributed to nation-state actors with alleged Russian ties. There are suspicions that sensitive information has be...
Rapid7 Acquires Leading Kubernetes Security Provider, Alcide
Organizations around the globe continue to embrace the flexibility, speed, and agility of the cloud. Those that have adopted it are able to accelerate innovation and deliver real value to their customers faster than ever before. However, while the cloud can bring a tremendous amount of benefits t...
Metasploit Wrap-Up
MobileIron MDM Hessian-Based Java Deserialization RCE Our very own wvu-r7 has added exploits/linux/http/mobileironmdmhessianrce, which exploits an ACL bypass in MobileIron MDM products to execute a Java deserialization attack using a Groovy gadget against a Hessian based endpoint. CVE-2020-15505...
NICER Protocol Deep Dive: Internet Exposure of HTTP and HTTPS
Welcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thin...
Upcoming Rapid7 Webcast: How Far Does Your VRM Strategy Go?
Web applications have been growing in complexity over the past several years, while also becoming the preferred method for attackers looking to capitalize on emergent technologies. This is a trend that will only persist and evolve, so it’s crucial to extend your web application testing strategy t...
State-Sponsored Threat Actors Target Security Researchers
This blog was co-authored by Caitlin Condon, VRM Security Research Manager, and Bob Rudis, Senior Director and Chief Security Data Scientist. On Monday, Jan. 25, 2021, Google’s Threat Analysis Group TAG published a blog on a widespread social engineering campaign that targeted security researcher...
Finding Results at the Intersection of Security and Engineering
As vice president and head of global security at ActiveCampaign, I’m fortunate to be able to draw on a multitude of experiences and successes in my career. I started in general network security, where I was involved in pen testing and security research. I worked at several multibillion-dollar Saa...
Metasploit Wrap-Up
Metasploit Wrapup Windows print spooler vulnerability...again Here we have bwatters-r7 coming in with an exploit for CVE-2020-1337, a patch bypass for a Windows print spooler elevation of privilege vulnerability that was exploited in the wild last year. The original vulnerability, CVE-2020-1048,...
NICER Protocol Deep Dive: Internet Exposure of NTP
Welcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thin...
Principles for personal information security legislation
It goes without saying that the 117th US Congress has a lot to get done and many legitimate priorities are competing for finite legislative attention. Cybersecurity will be in this mix. In the wake of the SolarWinds attack, President-elect Biden issued a statement emphasizing that his...