4 min
News
State-Sponsored Threat Actors Target Security Researchers
On Monday, Google’s Threat Analysis Group published a blog on a widespread social engineering campaign that targeted security researchers working on vulnerability research and development.
5 min
Research
DOUBLEPULSAR over RDP: Baselining Badness on the Internet
How many internet-accessible RDP services have the DOPU implant installed? How much DOPU-over-RDP traffic do we see being sprayed across the internet?
12 min
Labs
How I Shut Down a (Test) Factory with a Single Layer 2 Packet
In this blog, we discuss how a Denial of Service (DoS) bug could crash all Beckhoff PLCs running the Profinet protocol stack if an attacker gains Layer 2 access to the network the PLCs sit on.
4 min
Project Sonar
VPNFilter's Potential Reach — Malware Exposure in SMB/Consumer-grade Devices
(Many thanks to Rebekah Brown [/author/rebekah-brown/] & Derek Abdine for their
contributions to the post.)
How does VPNFilter work?
Over the past few weeks, Cisco’s Talos
[https://www.cisco.com/c/en/us/products/security/talos.html] group has published
some significant new research
[https://blog.talosintelligence.com/2018/06/vpnfilter-update.html] on a new
malware family called VPNFilter. VPNFilter targets and compromises networking
devices to monitor the traffic that goes through them. The mal
5 min
Vulnerability Management
Drupalgeddon Vulnerability: What is it? Are You Impacted?
First up: many thanks to Brent Cook [/author/brent-cook/], William Vu
[/author/william-vu/] and Matt Hand for their massive assistance in both the
Rapid7 research into “Drupalgeddon” and their contributions to this post.
Background on the Drupalgeddon vulnerability
The Drupalgeddon 2 vulnerability announcement came out in late March (2018-03-28)
as SA-CORE-2018-002 [https://www.drupal.org/sa-core-2018-002]. The advisory
was released with a patch and CVE (CVE-2018-7600)
[https://www.rapid7.com/
4 min
Research
An Impressively Unprecedented Drop in Open memcached Services
(Many thanks to Jon Hart [https://twitter.com/jhartftw] and Tom Sellers
[https://twitter.com/TomSellers] for their research and content for this blog
post.)
We started performing weekly monitoring of open/amplification-vulnerable
memcached servers after the recent memcrashed
[/2018/02/27/the-flip-side-of-memcrashed/] amplification distributed
denial-of-service (DDoS) attack and today we have some truly awesome news to
report, along with some evidence that the recent spate of DDoS attacks may n
2 min
Project Sonar
National Exposure Index 2017
Today, Rapid7 is releasing the second National Exposure Index
[https://www.rapid7.com/info/national-exposure-index], our effort to quantify
the exposure that nations are taking on by offering public services on the
internet—not just the webservers (like the one hosting this blog), but also
unencrypted POP3, IMAPv4, telnet, database servers, SMB, and all the rest. By
mapping the virtual space of the internet to the physical space where the
machines hosting these services reside, we can provide gr
1 min
Project Sonar
Project Sonar - Mo' Data, Mo' Research
Since its inception, Rapid7's Project Sonar [https://sonar.labs.rapid7.com/] has
aimed to share the data and knowledge we've gained from our Internet scanning
and collection activities with the larger information security community. Over
the years this has resulted in vulnerability disclosures, research papers,
conference presentations, community collaboration and data. Lots and lots of
data.
Thanks to our friends at scans.io [https://scans.io/], Censys
[https://censys.io/], and the Universit
4 min
Honeypots
Apache Struts Vulnerability (CVE-2017-5638) Exploit Traffic
UPDATE - March 10th, 2017: Rapid7 added a check that works in conjunction with
Nexpose's web spider functionality. This check will be performed against any
URIs discovered with the suffix “.action” (the default configuration for Apache
Struts apps). To learn more about using this check, read this post
[/2017/03/15/using-web-spider-to-detect-vulnerable-apache-struts-apps-cve-2017-5638].
UPDATE - March 9th, 2017: Scan your network for this vulnerability
[https://www.rapid7.com/products/nexpose/d
8 min
Haxmas
12 Days of HaXmas: A HaxMas Carol
(A Story by Rapid7 Labs)
Merry HaXmas to you! Each year we mark the 12 Days of HaXmas [/tag/haxmas] with
12 blog posts on hacking-related topics and roundups from the year. This year,
we're highlighting some of the “gifts” we want to give back to the community.
And while these gifts may not come wrapped with a bow, we hope you enjoy them.
Happy Holi-data from Rapid7 Labs!
It's been a big year for the Rapid7 elves Labs team. Our nigh 200-node strong
Heisenberg Cloud honeypot network has enabled
3 min
Project Sonar
The Internet of Gas Station Tank Gauges -- Final Take?
In early 2015, HD Moore published some of the first publicly accessible research
on Internet-connected gas station tank gauges, The Internet of Gas
Station Tank Gauges [/2015/01/22/the-internet-of-gas-station-tank-gauges].
Later that same year, I did a follow-up study that probed a little deeper in
The Internet of Gas Station Tank Gauges — Take #2
[/2015/11/18/the-internet-of-gas-station-tank-gauges-take-2]. As part of that
study, we were attempting to see if the exposure of these devic
9 min
Project Sonar
Project Sonar Study of LDAP on the Internet
The topic of today's post is a Rapid7 Project Sonar
[https://sonar.labs.rapid7.com/] study of publicly accessible LDAP services on
the Internet. This research effort was started in July of this year and various
portions of it continue today. In light of the Shadowserver Foundation's
recent announcement [https://ldapscan.shadowserver.org/] regarding the
availability of relevant reports, we thought it would be a good time to make some of
our results public. The study was originally intended to be a
2 min
Cloud Infrastructure
[Cloud Security Research] Cross-Cloud Adversary Analytics
Introducing Project Heisenberg Cloud
Project Heisenberg Cloud is a Rapid7 Labs research project with a singular
purpose: understand what attackers, researchers and organizations are doing in,
across and against cloud environments. This research is based on data collected
from a new, Rapid7-developed honeypot framework called Heisenberg along with
internet reconnaissance data from Rapid7's Project Sonar
[https://sonar.labs.rapid7.com/?CS=blog].
Internet-scale reconnaissance with cloud-inspired a
11 min
Metasploit
NCSAM: Understanding UDP Amplification Vulnerabilities Through Rapid7 Research
October is National Cyber Security Awareness month and Rapid7 is taking this
time to celebrate security research. This year, NCSAM coincides with new legal
protections for security research under the DMCA
[/2016/10/03/cybersecurity-awareness-month-2016-this-ones-for-the-researchers]
and the 30th anniversary of the CFAA - a problematic law that hinders beneficial
security research. Throughout the month, we will be sharing content that
enhances understanding of what independent security research
6 min
Project Sonar
Sonar NetBIOS Name Service Study
For the past several years, Rapid7's Project Sonar
[https://sonar.labs.rapid7.com/] has been performing studies that explore the
exposure of the NetBIOS name service on the public IPv4 Internet. This post
serves to describe the particulars behind the study and provide tools and data
for future research in this area.
Protocol Overview
Originally conceived in the early 1980s, NetBIOS is a collection of services
that allows applications running on different nodes to communicate over a
network. O