2 min
Emergent Threat Response
CVE-2023-42793: Critical Authentication Bypass in JetBrains TeamCity CI/CD Servers
On September 20, 2023, JetBrains disclosed CVE-2023-42793, a critical authentication bypass vulnerability in on-premises instances of their TeamCity CI/CD server. Successful exploitation could make the vulnerability a potential supply chain attack vector.
4 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 22, 2023
Improved Ticket Forging
Metasploit’s admin/kerberos/forge_ticket module has been updated to work with
Server 2022. In Windows Server 2022, Microsoft started requiring additional new
PAC elements to be present - the PAC requestor and PAC attributes. The newly
forged tickets will have the necessary elements added automatically based on the
user provided domain SID and user RID. For example:
msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f649
4 min
MITRE ATT&CK
Rapid7 2023 MITRE Engenuity ATT&CK® Evaluations
InsightIDR has evolved to stay in front of emergent threats and expanding attack surfaces, and now we are proud to share our participation and results from the most recent MITRE Engenuity ATT&CK Evaluation: Enterprise.
3 min
Vulnerability Management
Rapid7 doubles down on a platform approach for Vulnerability Risk Management
This week, Rapid7 was named a Strong Performer in The Forrester Wave™: Vulnerability Risk Management, Q3 2023.
4 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 15, 2023
Flask Cookies
This week includes two modules related to Flask cookie signatures. One is
specific to Apache Superset where session cookies can be resigned, allowing an
attacker to elevate their privileges and dump the database connection strings.
While adding this functionality, community member h00die
also added a module for generically working with the
default session cookies used by Flask. This generic module
auxiliary/gather/python_flask_cookie_signer
8 min
Patch Tuesday
Patch Tuesday - September 2023
A relatively light month. Word NTLM hash disclosure. Streaming Service Proxy elevation to SYSTEM. Internet Connection Sharing critical RCE.
2 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 8, 2023
New module content (4)
Roundcube TimeZone Authenticated File Disclosure
Authors: joel, stonepresto, and thomascube
Type: Auxiliary
Pull request: #18286
contributed by cudalac
Path: auxiliary/gather/roundcube_auth_file_read
AttackerKB reference: CVE-2017-16651
Description: This PR adds a module to retrieve an arbitrary file on hosts
run
2 min
Cloud Security
A Look at Our Development Process of the Cloud Resource Enrichment API
Rapid7 has developed a new Cloud Resource Enrichment API that streamlines data retrieval from various cloud resources.
4 min
Vulnerability Disclosure
CVE-2023-4528: Java Deserialization Vulnerability in JSCAPE MFT (Fixed)
In August 2023, Rapid7 discovered CVE-2023-4528, a Java deserialization vulnerability in Redwood Software’s JSCAPE MFT secure managed file transfer product. Successful exploitation can run arbitrary Java code as the `root` on Linux or the `SYSTEM` user on Windows.
2 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 1, 2023
Pumpkin Spice Modules
Here in the northern hemisphere, fall is on the way: leaves changing, the air
growing crisp and cool, and some hackers changing the flavor of their caffeine.
This release features a new exploit module targeting Apache NiFi as well as a
new and improved library to interact with it.
New module content (1)
Apache NiFi H2 Connection String Remote Code Execution
Authors: Matei "Mal" Badanoiu and h00die
Type: Exploit
Pull request: #18257
11 min
Detection and Response
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
Rapid7 has observed the Fake Browser Update lure utilizing a sophisticated new loader to execute infostealers.
3 min
Emergent Threat Response
Exploitation of Juniper Networks SRX Series and EX Series Devices
On August 17, 2023, Juniper Networks published an out-of-band advisory on four different CVEs affecting Junos OS on SRX and EX Series devices. Successful exploitation would likely enable attackers to pivot to organizations’ internal networks.
7 min
Penetration Testing
PenTales: What It’s Like on the Red Team
In this series, we’re sharing some of our favorite tales from the pen test desk and hopefully highlight some ways you can improve your own organization’s security.
5 min
Velociraptor
Velociraptor 0.7.0 Release: Dig Deeper With Enhanced Client Search, Server Improvements and Expanded VQL Library
Rapid7 is thrilled to announce version 0.7.0 of Velociraptor is now LIVE and available for download.
7 min
Emergent Threat Response
Under Siege: Rapid7-Observed Exploitation of Cisco ASA SSL VPNs
Rapid7’s managed detection and response (MDR) teams have observed increased threat activity targeting Cisco ASA SSL VPN appliances (physical and virtual) dating back to at least March 2023, including several incidents that ended in ransomware deployment.