Detection and Response – Noise

Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324

Caitlin Condon — Mon, 28 Apr 2025 11:57:12 +0000

A critical SAP NetWeaver zero-day vulnerability (CVE-2025-31324) that allows for full SAP server compromise is being actively exploited in the wild.

Password Spray Attacks Taking Advantage of Lax MFA

Chris Boyd — Thu, 10 Apr 2025 13:00:00 +0000

In the first quarter of 2025, Rapid7’s Managed Threat Hunting team observed a significant volume of brute-force password attempts leveraging FastHTTP, a high-performance HTTP server and client library for Go, to automate unauthorized logins via HTTP requests.

Fortinet firewalls hit with new zero-day attack, older data leak

Caitlin Condon — Thu, 16 Jan 2025 15:57:23 +0000

Rapid7 is responding to two separate events affecting Fortinet firewall customers: Zero-day exploitation of CVE-2024-55591 in FortiOS, and a large-scale data leak of older FortiGate firewall IPs, passwords, and configs.

Modular Java Backdoor Dropped in Cleo Exploitation Campaign

Christiaan Beek — Wed, 11 Dec 2024 18:44:06 +0000

While investigating incidents related to Cleo software exploitation, Rapid7 Labs and MDR team discovered a novel, multi-stage attack that deploys an encoded Java Archive (JAR) payload.

Widespread exploitation of Cleo file transfer software (CVE-2024-50623)

Rapid7 — Tue, 10 Dec 2024 14:04:17 +0000

On Monday, December 9, multiple security firms began privately circulating reports of in-the-wild exploitation targeting Cleo file transfer software. Late the evening of December 9, security firm Huntress published a blog on active exploitation of three different Cleo products (docs):

Cleo VLTrader, a server-side solution for “mid-enterprise organizations”
Cleo Harmony,

Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware

Tyler McGraw — Wed, 04 Dec 2024 15:45:04 +0000

Beginning in early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign being conducted by Black Basta ransomware operators.

Investigating a SharePoint Compromise: IR Tales from the Field

Rapid7 — Wed, 30 Oct 2024 20:19:14 +0000

Our investigation uncovered an attacker who accessed a server without authorization and moved laterally across the network, compromising the entire domain.

Three Recommendations for Creating a Risk-Based Detection and Response Program

Rapid7 — Tue, 24 Sep 2024 13:00:00 +0000

In a report released earlier this summer, Gartner analysts offer three recommendations for fostering an environment of risk-based threat detection, investigation, and response that includes a deeper understanding of your organization’s risk profile by more than just the security team.

VMware ESXi CVE-2024-37085 Targeted in Ransomware Campaigns

Rapid7 — Tue, 30 Jul 2024 00:28:10 +0000

On July 29, Microsoft published threat intelligence on observed exploitation of CVE-2024-37085, an authentication bypass vulnerability in Broadcom VMware ESXi hypervisors that has been used in multiple ransomware campaigns.

Supply Chain Compromise Leads to Trojanized Installers for Notezilla, RecentX, Copywhiz

Rapid7 — Thu, 27 Jun 2024 18:01:02 +0000

The following Rapid7 analysts contributed to this research: Leo Gutierrez, Tyler McGraw, Sarah Lee, and Thomas Elkins.

Executive Summary

On Tuesday, June 18th, 2024, Rapid7 initiated an investigation into suspicious activity in a customer environment. Our investigation identified that the suspicious behavior was emanating from the installation of Notezilla, a

Malvertising Campaign Leads to Execution of Oyster Backdoor

Rapid7 — Mon, 17 Jun 2024 20:28:23 +0000

Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.

CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack

Rapid7 — Thu, 23 May 2024 13:00:00 +0000

Justice AV Solutions (JAVS) is a U.S.-based company specializing in digital audio-visual recording solutions for courtroom environments. Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action.

Rapid7 Recognized in the 2024 Gartner® Magic Quadrant™ for SIEM

Meaghan Buchanan — Mon, 13 May 2024 15:06:25 +0000

Rapid7 is excited to share that we are named a Challenger for InsightIDR in the 2024 Gartner Magic Quadrant for SIEM.

Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators

Rapid7 — Fri, 10 May 2024 17:31:59 +0000

Rapid7 observes ongoing social engineering campaign consistent with Black Basta

RCE to Sliver: IR Tales from the Field

Rapid7 — Thu, 15 Feb 2024 19:38:59 +0000

Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions.

Velociraptor 0.7.1 Release: Sigma Support, ETW Multiplexing, Local Encrypted Storage and New VQL Capabilities Highlight the Last Release of 2023

Rapid7 — Fri, 29 Dec 2023 15:52:00 +0000

Rapid7 is excited to announce that version 0.7.1 of Velociraptor is live and available for download. There are several new features and capabilities that add to the power and efficiency of this open-source digital forensic and incident response (DFIR) platform.

Mastering Industrial Cybersecurity: The Significance of Combining Vulnerability Management with Detection and Response

Rapid7 — Thu, 28 Dec 2023 16:00:00 +0000

The convergence of operational technology (OT) and information technology (IT) has ushered in new efficiencies but has also exposed vulnerabilities. This article explores the pivotal role of Vulnerability Management and Detection and Response (VM/DR) in the realm of Industrial Cybersecurity.

What’s New in Rapid7 Detection & Response: Q3 2023 in Review

Margaret Wei — Thu, 05 Oct 2023 15:49:48 +0000

Rapid7 has updated its Detection and Response offerings with advanced DFIR capabilities, custom detection rules, log search features, and more.

Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers

Natalie Zargarov — Thu, 31 Aug 2023 21:44:27 +0000

Rapid7 has observed the Fake Browser Update lure utilizing a sophisticated new loader to execute infostealers.

Under Siege: Rapid7-Observed Exploitation of Cisco ASA SSL VPNs

Rapid7 — Tue, 29 Aug 2023 14:00:00 +0000

Rapid7’s managed detection and response (MDR) teams have observed increased threat activity targeting Cisco ASA SSL VPN appliances (physical and virtual) dating back to at least March 2023, including several incidents that ended in ransomware deployment.