Boston Business Journal Names Rapid7 as a Best Place to Work in Boston

Posted 8 months ago by Rapid7

On June 13th, 2024, Rapid7 was recognized by The Boston Business Journal as a Best Place to Work in Boston. This marks the 13th consecutive year Rapid7 has made the list, this time coming in at #8 in the extra large company category. Best Places to Work rankings are based on anonymous employee surveys where workers rank how they feel about their employer. Questions range from employee engagement and impactful work, to career growth opportunities and having the support of their managers and leaders.

Christina Luconi, Chief People Officer at Rapid7, credits the recognition to the company’s ability to attract, develop, and support exceptionally talented team members across all areas of the business.

“When you are able to get a group of talented people aligned to a shared vision and mission, and you invest in resources to support them in learning and growing their careers, you’re able to create the foundation for both a successful business, and an incredible workplace that people are really proud of,” she said.

Boston is home to Rapid7’s global headquarters, which sits at 120 Causeway Street adjacent to TD Garden and North Station. The location was chosen due to a variety of factors, including easy access to public transportation for employees. The company operates on a hybrid model with employees spending 3 days a week in the office and 2 days working remotely. Inside, employees have access to a variety of working spaces and zones. Designated quiet areas and private meeting rooms equipped with Zoom technology and whiteboards support more focused or heads-down work, while community spaces like their Barista Bar, speakeasy, and living room seating areas foster collaboration and cross-functional interactions.

Rapid7’s Boston site is occupied by all business functions, including engineering, sales, people strategy, marketing, and finance.

To learn more about working at Rapid7, click here.

Rapid7 completes IRAP PROTECTED assessment for Insight Platform solutions

Posted 8 months ago by Rapid7

Exciting news from Australia!

Rapid7 has successfully completed an Information Security Registered Assessors Program (IRAP) assessment to PROTECTED Level for several of our Insight Platform solutions.

What is IRAP?

An IRAP assessment is an independent assessment of the implementation, appropriateness, and effectiveness of a system’s security controls. Achieving IRAP PROTECTED status means Australian Government agencies requiring PROTECTED level controls can access our industry-leading, practitioner-first security solutions. Meeting this status further strengthens our position as a trusted partner for Australian government organizations seeking to enhance their cybersecurity posture.

Rapid7 is one of the only vendors to be IRAP-assessed across what we consider a consolidated cybersecurity operation. This places us in a unique position to supply services across federal, state, and local government in Australia. It provides our government customers with the confidence that we have the right governance and controls in place for our own business in order to deliver that service effectively for our customers, specifically covering:

Vulnerability management on traditional infrastructure
Endpoints
The secure implementation of web applications
Detection and response to alerts or threats
The ability to securely automate workflows

Why is being IRAP PROTECTED important?

Being IRAP-assessed demonstrates our commitment to providing secure and reliable information security services for Government Systems, Cloud Service Providers, Cloud Services, and Information and Communications Technology (ICT) Systems, and more widely to our Australian customers.

Importantly, it highlights how we take the shared responsibility model extremely seriously. It also shows we’re protecting our customers’ information and data across their traditional infrastructure and in the cloud.

Which solutions are approved?

Solutions assessed and approved for PROTECTED Level include InsightIDR (detection and response), InsightVM (vulnerability management), InsightAppSec (application security), and InsightConnect (orchestration and automation). These solutions provide a comprehensive security platform to help government agencies tackle the challenges of today's evolving cybersecurity landscape.

The successful completion of the IRAP assessment at the PROTECTED level demonstrates our commitment to supporting Australian government customers. It means they have access to a comprehensive security platform necessary to tackle the ever-evolving challenges of today's cybersecurity landscape.

As more government agencies migrate to hybrid cloud environments, we can help them better manage the growing complexity of identifying and securing the attack surface.

As attackers become increasingly sophisticated, better armed, and faster, the IRAP assessment is yet another string in our cybersecurity bow, showcasing our potential to support Australian Government agencies and more widely, our customers.

Supply Chain Compromise Leads to Trojanized Installers for Notezilla, RecentX, Copywhiz

Posted 9 months ago by Rapid7

The following Rapid7 analysts contributed to this research: Leo Gutierrez, Tyler McGraw, Sarah Lee, and Thomas Elkins.

Executive Summary

On Tuesday, June 18th, 2024, Rapid7 initiated an investigation into suspicious activity in a customer environment. Our investigation identified that the suspicious behavior was emanating from the installation of Notezilla, a program that allows for the creation of sticky notes on a Windows desktop. Installers for Notezilla, along with tools called RecentX and Copywhiz, are distributed by the India-based company Conceptworld at the official domain conceptworld[.]com. After analyzing the installation packages for all three programs, Rapid7 discovered that the installers had been trojanized to execute information-stealing malware that has the capability to download and execute additional payloads.

Disclosure

On Monday, June 24th, 2024, Rapid7 contacted Conceptworld to disclose the backdoored installers being hosted on conceptworld[.]com in accordance with Rapid7’s vulnerability disclosure policy. Within 12 hours, Conceptworld confirmed and remediated the issue by removing the malicious installers from conceptworld[.]com and replacing them with legitimate, signed copies. Rapid7 is grateful to Conceptworld for their prompt action on this issue.

Overview

Conceptworld is an India-based company offering three different software products: Notezilla, which allows users to create sticky notes on a Windows desktop; RecentX, which stores recently used files/applications/clipboard data; and Copywhiz, which improves file copying and backup operations. A free trial download is available on the official conceptworld[.]com site for each software package.

The installation packages being served by conceptworld[.]com at the time of investigation, however, executed malware alongside the legitimate installer, were not signed, and did not match the file size stated on the download page. The differences in the file sizes are due to the malware and its dependencies, which increases the size of the compromised installation packages.

Filename	SHA256 Hash	Filesize	Notes
NotezillaSetup.exe	6f49756749d175058f15d5f3c80c8a7d46e80ec3e5eb9fb31f4346abdb72a0e7	17.07 MB	Trojanized.
NotezillaSetup.exe	51243990ef8b82865492f0156ebbb23397173647c02a0d83cf3e3dfb4ef8a6bc	15.19 MB	Legitimate, signed by Conceptworld.
RecentXSetup.exe	4df9b7da9590990230ed2ab9b4c3d399cf770ed7f6c36a8a10285375fd5a292f	15.79 MB	Trojanized.
RecentXSetup.exe	a6ad6492e88bdb833d34ac122c266f1fadd9509ecfe0246e283728e4af49f433	13.92 MB	Legitimate, signed by Conceptworld.
CopywhizSetup.exe	2eae4f06f2c376c6206c632ac93f4e8c4b3e0e63eca3118e883f8ac479b2f852	14.14 MB	Trojanized.
CopywhizSetup.exe	fd8d13123218f48c6ab38bf61d94113b4d97095e59fb415e6aa5d9ada012206e	12.27 MB	Legitimate, signed by Conceptworld.

The malware Rapid7 observed contains the functionality to steal browser credentials and crypto currency wallet information, log clipboard contents and keystrokes, and download and execute additional payloads. After infecting a system, the malware persists via a scheduled task that executes the primary payload every three hours.

Based on file submissions to VirusTotal, the malicious copies of the installers have existed since early June of 2024. The malware payloads delivered by the trojanized installers, however, seem to belong to a nameless malware family that has been in distribution since at least January of 2024. Rapid7 internally refers to this malware family as dllFake because of the naming scheme used for several of the malware payloads.

Malicious installer name	VirusTotal First Submission
NotezillaSetup.exe	2024-06-10 06:43:34 UTC
RecentXSetup.exe	2024-06-07 21:38:11 UTC
CopywhizSetup.exe	2024-06-08 07:25:17 UTC

Technical analysis

To take a deeper look at the malware payloads, we will analyze the malicious installer that was served for Notezilla.

Initial Access

Rapid7 determined that trojanized installers for the 32-bit and 64-bit versions of Notezilla, Copywhiz, and RecentX were, at the time of investigation, being served from the official website conceptworld[.]com. Any users searching for this software via a popular search engine at the time were most likely to find the official domain as the first result, which would then have directed them to download the malware.

Execution

The installer served by conceptworld[.]com for Notezilla at the time of investigation was NotezillaSetup.exe, which, based on static analysis, is packed using software called Smart Install Maker(5.04).

Figure 1. Software Properties of NotezillaSetup.exe.

Using the sim_unpacker plugin for the tool UniExtract2, we were able to unpack and acquire most of the contents of the installation package, such as the embedded files and configuration information. The configuration file contains references to the legitimate software installer for Notezilla, which is dropped into %TEMP% during execution, and multiple files that are dropped into the installation directory (i.e., staging folder) %LOCALAPPDATA%\Microsoft\WindowsApps\ during execution.

Installer Files
curl.exe
7z.exe
dllBus.bat
dllBus32.exe
dllCrt.bat
dllCrt.xml
dllCrt32.exe
dll_apps.txt
dll_srv.txt
dll_updt.txt
NotezillaSetup.exe

Figure 2. Output from Using the sim-unpacker tool.

Figure 3. Contents of installer.config.

Once executed, NotezillaSetup.exe will then execute the file dllCrt32.exe from the staging directory %LOCALAPPDATA%\Microsoft\WindowsApps\ via a WINAPI call to ShellExecuteA with the verb open. A second call is then made to ShellExecuteA to execute the file NotezillaSetup.exe, a copy of the legitimate installer, from %TEMP%. As a result, the only thing seen by the end user after initial execution is the installation window pop-up for the legitimate installer, prompting the user to proceed with the installation process for Notezilla.

Figure 4. Typical Process Tree for Initial Execution of the Trojanized Installer.

Figure 5. The User’s View after the Infection has Already Begun in the Background.

The file dllCrt32.exe is a relatively small (~10KB) program that only serves as a wrapper to call CreateProcessA to execute the file dllCrt.bat.

Figure 6. The Contents of dllCrt.bat.

The batch file dllCrt.bat will then create a hidden scheduled task named Check dllHourly32 using schtasks.exe and an XML file that was previously dropped into the staging directory at %LOCALAPPDATA%\Microsoft\WindowsApps\dllCrt.xml. The scheduled task Check dllHourly32 will then execute the file %LOCALAPPDATA%\Microsoft\WindowsApps\dllBus32.exe every three hours after being initially created, which means that the primary malware payload will not be executed until at least three hours after the user originally executed the trojanized installer.

Figure 7. Command Line Assembly within dllBus32.exe.

When dllBus32.exe is executed, it also serves as a small wrapper for calling CreateProcessA, though it initially retrieves several important command line parameters. First, a call to the CRT library function sprintf concatenates a hard-coded IPv4 address. Then, a second call to sprintf concatenates the assembled IPv4 address with several other arguments to be passed to the batch file dllBus.bat. Finally, CreateProcessA is called with the fully assembled command line.

Figure 8. The Initial Lines of dllBus.bat.

The command line arguments passed to dllBus.bat via dllBus32.exe contain an IPv4 address, an SFTP port, a password for ZIP archive payloads, two sets of SFTP credentials, and the staging directory where the majority of the malware’s files are located.

Argument #	Purpose	Value	Notes
1	C2 IPv4 Address	212.70.149[.]210	Stored within dllBus32.exe.
2	SFTP Port	2265	Used for all curl requests regardless of the IPv4 address.
3	ZIP password	MnX!8fsGt0@	Used to decrypt/extract downloaded archives.
4	SFTP Username	phn_sys	The SFTP credentials used for uploading stolen data.
5	SFTP Password		Password for phn_sys.
6	SFTP Username	phn_prj	The SFTP credentials used for downloading payloads.
7	SFTP Password		Password for phn_prj

The batch file dllBus.bat contains functionality to facilitate the theft of information from Google Chrome, Mozilla Firefox, and multiple cryptocurrency wallets. The copy of curl.exe dropped by the installer is also used to connect to a list of command-and-control (C2) addresses hosting SFTP servers. The curl commands are used to download an updated list of C2 addresses, stored as plaintext within the file dll_srv.txt, and to download and execute additional payloads saved within encrypted ZIP archives named Updt.zip, Apps.zip, and BB.zip. The batch script will also attempt to compress all files on the infected system that have specific file extensions and exist in directories that are not on a hardcoded blacklist (for exfiltration). All stolen data is ultimately compressed using 7z.exe and uploaded directly to the selected C2 SFTP server using curl.

Targeted Browsers
Mozilla Firefox
Google Chrome

Targeted Crypto Wallets
Atomic
Exodus
Jaxx Liberty
Guarda
Electrum
Coinomi

Targeted File Extensions	Blacklisted File Path Strings
txt,doc,png,jpg	"icrosoft","indows","otoshop","rogram Files","*rogramData","All Users","AppData","Default","Public"

The payloads Apps.zip and Updt.zip both contain executables created using PyInstaller, which means the original Python script used to create the executables can be recovered trivially using a publicly available extractor. The payload dllChrome32.exe, contained within Updt.zip, is used to facilitate theft of credentials from Google Chrome’s database that are then saved into the file %TEMP%\chrm.txt with the format: URL, Username, Password.

Figure 9. Primary Functionality of dllChrome32.exe.

The payloads dllTemp32.exe and dllCache32.exe stored within Apps.zip contain a clipboard stealer and a keylogger, where the results are saved to the files cl.txt and kl.txt, respectively, within the staging directory at %LOCALAPPDATA%\Microsoft\WindowsApps\.

Figure 10. All Data Copied to the Clipboard is Dumped to cl.txt when dllTemp32.exe is Running.

Figure 11. dllCache32.exe Logs Keystrokes to kl.txt when Running.

Rapid7 did not observe any of the identified SFTP servers hosting the third payload, BB.zip, at the time of writing, although the contents of dllBus.bat indicate that it contains the executables srvBus32.exe and srvCrt32.exe, which serve an unknown function.

Mitigation Guidance

Rapid7 recommends verifying the file integrity of freely available software. Check that the file hash and properties of the downloaded file(s) match those provided by the official distributor and/or that they contain a valid and relevant signature. The malicious installers observed in this case are unsigned and have a file size that is inconsistent with copies of the legitimate installer, even as noted on the official download page.

If an installer for Notezilla, RecentX, or Copywhiz has been executed on a system within the last month, Rapid7 recommends checking for signs of compromise due to the malicious installers detailed in this blog. The primary indicators of infection include the hidden scheduled task Check dllHourly32 and a persistent running instance of the Windows Command Prompt, cmd.exe, which makes outbound network connections via curl.exe.

If evidence of compromise is found, Rapid7 recommends re-imaging affected systems to a known good baseline to eradicate any changes made by the malware.

Rapid7 Customers

InsightIDR, Managed Detection and Response, and Managed Threat Complete customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this activity:

Detections
Persistence - SchTasks Creating A Task Pointed At Users Temp Or Roaming Directory
Attacker - Extraction Of 7zip Archive With Password
Suspicious Process - 7zip Executed From Users Directory
Suspicious Process - TaskKill Executed Successively In Short Time Period
Attacker Technique - Curl or Wget To Public IP Address With Non Standard Port

MITRE ATT&CK Techniques

Tactic	Technique	Procedure
Resource Development	T1584.004: Compromise Infrastructure: Server	The threat actor gained access to the official domain responsible for serving software downloads.
Initial Access	T1195.002: Supply Chain Compromise: Compromise Software Supply Chain	The threat actor trojanized copies of the legitimate installers being served on the official website, to execute malware.
Execution	T1204.002: User Execution: Malicious File	Users are tricked into executing the malicious installer as it is served from the official website.
Execution	T1059.003: Command and Scripting Interpreter: Windows Command Shell	Much of the malware’s functionality is facilitated through batch script files.
Execution	T1059.006: Command and Scripting Interpreter: Python	Several second stage payloads were created using PyInstaller.
Execution	T1053.005: Scheduled Task/Job: Scheduled Task	Initial execution of the primary batch script is delayed by at least 3 hours by the creation of a scheduled task.
Persistence	T1053.005: Scheduled Task/Job: Scheduled Task	The malware is executed every 3 hours and will persist through reboots.
Credential Access	T1555.003: Credentials from Password Stores: Credentials from Web Browsers	The malware decrypts and dumps credentials from Google Chrome and Mozilla Firefox.
Collection	T1560.001: Archive Collected Data: Archive via Utility	Stolen data is archived via 7z.exe.
Collection	T1115: Clipboard Data	A second stage malware payload dumps all clipboard data to disk.
Collection	T1005: Data from Local System	The malware compresses and steals files according to a file extension list and directory path strings blacklist.
Collection	T1056.001: Input Capture: Keylogging	A second stage malware payload logs keystrokes to disk.
Command and Control	T1571: Non-Standard Port	The threat actor uses port 2265 for SFTP instead of the default: 22.
Exfiltration	T1048: Exfiltration Over Alternative Protocol	The malware uploads stolen data to C2 servers using SFTP via curl.

Indicators of Compromise

Network-Based Indicators (NBIs)

Domain/IPv4 Address	Notes
conceptworld[.]com	The official domain that was serving malicious installers.
5.180.185[.]42	C2 IPv4 address hosting an SFTP server.
50.2.108[.]102	C2 IPv4 address hosting an SFTP server.
50.2.191[.]154	C2 IPv4 address hosting an SFTP server.
104.140.17[.]242	C2 IPv4 address hosting an SFTP server.
104.206.2[.]18	C2 IPv4 address hosting an SFTP server.
104.206.57[.]117	C2 IPv4 address hosting an SFTP server.
104.206.95[.]146	C2 IPv4 address hosting an SFTP server.
104.206.220[.]113	C2 IPv4 address hosting an SFTP server.
170.130.34[.]114	C2 IPv4 address hosting an SFTP server.
185.137.137[.]74	C2 IPv4 address hosting an SFTP server.
212.70.149[.]210	C2 IPv4 address hosting an SFTP server.

Host-Based Indicators (HBIs)

File	SHA256	Notes
NotezillaSetup.exe	6F49756749D175058F15D5F3C80C8A7D46E80EC3E5EB9FB31F4346ABDB72A0E7	Trojanized installer package.
NotezillaSetup32.exe	BFA99C41AECC814DE5B9EB8397A27E516C8B0A4E31EDD9ED1304DA6C996B4AAA	Trojanized installer package.
CopywhizSetup.exe	2EAE4F06F2C376C6206C632AC93F4E8C4B3E0E63ECA3118E883F8AC479B2F852	Trojanized installer package.
CopywhizSetup32.exe	048CAE10558CDDFB2CF0ADE25F1101909BBA58D0A448E0D78590CC5E64E95127	Trojanized installer package.
RecentXSetup.exe	4DF9B7DA9590990230ED2AB9B4C3D399CF770ED7F6C36A8A10285375FD5A292F	Trojanized installer package.
RecentXSetup32.exe	EBF2B84ED64629242F8D0ABFCA73344736205249539474E8F57D1D3DBE8CCC41	Trojanized installer package.
dllBus.bat	1FA84B696B055F614CCD4640B724D90CCAD4AFC035358822224A02A9E2C12846	Batch script that coordinates execution of other payloads and performs exfiltration of stolen data.
dllCrt.xml	CDC1F2430681E9278B3F738ED74954C4366B8EFF52C937F185D760C1BBBA2F1D	Used to create a scheduled task for persistence.
dllCrt32.exe	FDC84CB0845F87A39B29027D6433F4A1BBD8C5B808280235CF867A6B0B7A91EB	Executes dllCrt.bat.
dllCrt.bat	A89953915EABE5C4897E414E73F28C300472298A6A8C055FCC956C61C875FD96	Creates a scheduled task using dllCrt.xml.
dllBus32.exe	70BCE9C228AACBDADAAF18596C0EB308C102382D04632B01B826E9DB96210093	Executes dllBus.bat with multiple command line arguments.
Apps.zip	CA6FF18EE006E7AB3CB42FC541B08CE4231DADFAB0CCE57B1C126DB3DF9F1297	Encrypted archive that contains the payloads dllTemp32.exe and dllCache32.exe.
dllTemp32.exe	33E4D5EED3527C269467EEC2AC57AE94AE34FD1D0A145505A29C51CF8E83F1B9	Steals data from the clipboard during execution.
dllCache32.exe	03761D9FD24A2530B386C07BF886350AE497E693440A9319903072B93A30C82D	Logs keystrokes during execution.
Updt.zip	6487A0DC9DFBBAA6557AF096178A1361E49762A41500AA03F17DF5D3B159BF4E	Encrypted archive that contains dllChrome32.exe.
dllChrome32.exe	DE4E03288071CDEBE5C26913888B135FB2424132856CC892BAEA9792D6C66249	Decrypts and dumps credentials from the Google Chrome database if present.

From Top Dogs to Unified Pack

Posted 9 months ago by Rapid7

Embracing a consolidated security ecosystem

Authored by Ralph Wascow

Cybersecurity is as unpredictable as it is rewarding. Each day often presents a new set of challenges and responsibilities, particularly as organizations accelerate digital transformation efforts. This means you and your cyber team may find yourselves navigating a complex landscape of multi-cloud environments and evolving compliance requirements.

So how does that translate into what cyber professionals have to deal with on a daily basis?

A Day in the Life of a Security Professional

In the Trenches

The responsibility of safeguarding sensitive data and protecting that very same data can create a constant pressure to stay one step ahead – of many things. Teams defending environments often face high stress levels and tight deadlines. Unsurprisingly, the demand for skilled security leaders often outpaces the supply of personnel. This is where an array of tools and solutions are introduced to support those teams. And while there are many positives to be had, security teams are often overrun by an array of solutions and vendors, creating increased complexity and vulnerabilities in their organisation’s risk posture.

Multiple Vendors Often Means More Work

Using different vendors and solutions for various security functions can help keep things fresh, but it can also be time-consuming and cumbersome. And rather than help teams, it may lead to a decrease in performance. With each platform and tool requiring its own resources, the overall efficiency of your infrastructure and processes may suffer. These performance issues can impact critical business operations and hinder productivity. For instance, by the time you receive a threat alert, the attacker could already be hard at work.

Security analysts require a streamlined work environment that enables them to understand the root cause of alerts from any source with a single click. They shouldn’t have to waste time switching between multiple tools to investigate and remediate potential threats. And when belts start tightening and resources become scarce, managing multiple vendors with different payment cycles can become frustrating.

It pays to find ways to create a security ecosystem without sacrificing the efficacy of its components. By reducing the number of disparate cyber solutions, security professionals can optimise effectiveness and efficiency, subsequently enhancing security posture and reducing their risk profile.

What are the Benefits of a Unified Security Ecosystem?

Widening visibility into your entire IT environment strengthens threat detection capabilities, allowing security teams to minimise the impact of potential cyberattacks. In fact, 41% of organisations surveyed by Gartner say consolidating security solutions improved their risk posture. For some organisations still clinging to the status quo of best of breed solutions, consider the following consolidation benefits when trying to gain executive-buy-in.

Identify Systems and Applications at Risk

A robust vulnerability management program should be your first port of call to help identify any systems or applications potentially at risk. It provides your security team with critical insight into potential weaknesses in your IT infrastructure and overall network. Importantly, it will enable you to properly manage and patch vulnerabilities that pose risks to the network, protecting your organisation from the possibility of a breach.

Safeguard an Evolving Landscape with Real-time Monitoring

Continuous scanning and testing of applications are vital components of a robust security strategy. Consolidating your security tech stack into a centralised ecosystem offers the ability to monitor your infrastructure in real-time and receive in-depth reports for better cross-team collaboration. Actionable insight gained will give you and your security team the autonomy you need to stay ahead of evolving risks and proactively address potential vulnerabilities.

Broaden Visibility and Contextual Understanding

Avoid leaving your security team with isolated alerts that require manual investigation and correlation. Integrating data from multiple sources, including endpoints, networks, cloud environments, and applications offers a comprehensive view and analysis of threats across different layers of the IT environment. This holistic approach allows for better correlation of data across various vectors, uncovering complex attack patterns that might otherwise go unnoticed. Consider broadening your context with threat intelligence, providing information about actor groups, typical targets, TTP's, and more.

Automate Threat Hunting and Distinguish Friend from Foe

In the face of ever-evolving threats, automating threat hunting becomes a crucial capability. By integrating automation within your consolidated security ecosystem, you’ll be able to quickly discern whether incoming threats are benign or malicious. Streamlined processes allow for efficient identification of potential risks, enabling you and your team to prioritize your efforts for activities that require human effort.

Prioritize Risk and Simplify Workflows

The sheer volume of security alerts can overwhelm even the most robust security operations. A consolidated security ecosystem mitigates this challenge by automatically grouping related alerts and prioritising events that demand immediate attention. Unifying and visualizing activities in one place more rapidly identify the root causes of threats and their potential impact. Armed with this knowledge, you can assess the scope of an incident efficiently, build a timeline of the attack, and take swift, targeted action to effectively neutralize the threat.

Swiftly Investigate with End-to-end Digital Forensics

Incident resolution demands a thorough understanding of the attack's entry point and the ability to track down any traces left by adversaries. With a consolidated security ecosystem, conduct swift and comprehensive investigations using end-to-end digital forensics and review key artefacts such as event logs, registry keys, and browser history across your entire IT environment — significantly enhancing your incident response capabilities. A full view of attacker activity can help you determine the extent of the compromise, identify weaknesses in your defenses, and take appropriate remedial actions.

Coordinate Responses with Remediation and Policy Enforcement

Enable coordinated responses and future-proof defences by integrating prevention technologies across your entire tech stack. Leverage communication between various security components and take decisive action against active threats in real-time. For example, an attack blocked on the network can automatically update policies on endpoints, ensuring consistent security measures across your infrastructure. This proactive approach to security ultimately reduces the risk of successful cyberattacks.

Consolidate to Mitigate

With a rapidly changing threat landscape, consolidation offers the security improvements your organisation needs to give it the balance of power. Simplifying and streamlining your cybersecurity solutions begins with gaining visibility into your tech stack. This enables your team to identify where consolidation can improve your team’s productivity and effectiveness in detecting and mitigating risk.

How Rapid7 Can Help: Managed Threat Complete

Managed Threat Complete offers a simplified security stack, fuelling your D&R program to give you a 24x7x365 SOC, IR, XDR technology, SIEM, SOAR, threat intelligence, and unlimited VRM in a single service. This ensures your environment is monitored round-the-clock and end-to-end by an elite SOC that works transparently with your in-house team, helping to further expand your resources.

Learn more.

Malvertising Campaign Leads to Execution of Oyster Backdoor

Posted 9 months ago by Rapid7

The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev.

Executive Summary

Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams. The installers were being used to drop a backdoor identified as Oyster, aka Broomstick. Following execution of the backdoor, we have observed enumeration commands indicative of hands-on-keyboard activity as well as the deployment of additional payloads.

In this blog post, we will examine the delivery methods of the Oyster backdoor, provide an in-depth analysis of its components, and offer a Python script to help extract its obfuscated configuration.

Overview

Initial Access

In three separate incidents, Rapid7 observed users downloading supposed Microsoft Teams installers from typo-squatted websites. Users were directed to these websites after using search engines such as Google and Bing for Microsoft Teams software downloads. Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software.

Malvertising Campaign Leads to Execution of Oyster Backdoor
Figure 1 - Fake Microsoft Teams Website

In one case, a user was observed navigating to the URL hxxps://micrsoft-teams-download[.]com/, which led to the download of the binary MSTeamsSetup_c_l_.exe. Initial analysis of the binary MSTeamsSetup_c_l_.exe showed that the binary was assigned by an Authenticode certificate issued to “Shanxi Yanghua HOME Furnishings Ltd”.

Malvertising Campaign Leads to Execution of Oyster Backdoor
Figure 2 - MSTeamsSetup_c_l_.exe File Information

Searching VirusTotal for other files signed by “Shanxi Yanghua HOME Furnishings Ltd” showed the following:

Figure 3 - VirusTotal Signature Search Results

The results indicated other versions of the installer, each impersonating as a legitimate software installer. We observed that the first installer was submitted to VirusTotal around mid-May 2024.

In a related incident that occurred on May 29, 2024, we observed another binary posing as a Microsoft Teams setup file, TMSSetup.exe, which was assigned a valid certificate issued to “Shanghai Ruikang Decoration Co., Ltd”. As of May 30, 2024, that certificate has been revoked.

VirusTotal analysis of the binary MSTeamsSetup_c_l_.exe indicates it is associated with a malware family known as Oyster, dubbed Broomstick by IBM.

What is Oyster/Broomstick?

Oyster aka Broomstick aka CleanUpLoader is a family of malware first spotted in September of 2023 by researchers at IBM. While not much is known about the malware, it was delivered via a loader called Oyster Installer, which masqueraded as a browser installer. The installer was responsible for dropping the backdoor component, Oyster Main. Oyster Main was responsible for gathering information about the compromised host, handling communication with the hard-coded command-and-control (C2) addresses, and providing the capability for remote code execution.

In February, researchers on Twitter observed the same backdoor component and started to name the Oyster Main backdoor, CleanUpLoader.

In recent incidents, Rapid7 has observed Oyster Main being delivered without the Oyster Installer.

Technical Analysis

Initial analysis of the binary MSTeamsSetup_c_l_.exe revealed that two binaries were stored within the resource section. During execution, a function was observed using FindResourceA to locate the binaries, followed by LoadResource to access them. These binaries were then subsequently dropped into the Temp folder. We observed that the intended names of the two binaries dropped by MSTeamsSetup_c_l_.exe were CleanUp30.dll and MSTeamsSetup_c_l_.exe (the legitimate Microsoft Teams installer).

After dropping the binary CleanUp30.dll into the Temp directory, the program executes the DLL, passing the string rundll32.exe %s,Test to the function CreateProcessA, where %s stores the value CleanUp30.dll.

Malvertising Campaign Leads to Execution of Oyster Backdoor
Figure 4 - Execution of CleanUp30.dll

After the execution of CleanUp30.dll, the program proceeds to initiate the legitimate Microsoft Teams installer, MSTeamsSetup_c_l_.exe, also located within the Temp directory. This tactic is employed to avoid raising suspicion from the user.

CleanUp30.dll Analysis

During the execution of CleanUp30.dll, Rapid7 observed that the binary starts by attempting to create the hard coded mutual exclusion (mutex) ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1. Mutex creation is often used by programs in order to determine if the program is already running another instance. If the program is already running, the program will terminate the new instance.

After creating the mutex, the binary determines its execution path by calling the function GetModuleFilenameA. The value is stored as a string and used as a parameter for the creation of a scheduled task, ClearMngs. The scheduled task is created using the function ShellExecuteExW, passing the following as the command line:

schtasks.exe /create /tn ClearMngs /tr "rundll32 '<location of binary>\CleanUp30.dll',Test" /sc hourly /mo 3 /f

The purpose of the scheduled task ClearMngs is to execute the binary <location of binary>\CleanUp30.dll with the exported function of Test using rundll32.exe every three hours.

After the creation of the scheduled task, the binary then proceeds to decode its C2 servers using a unique decoding function. The decoding function begins by taking in a string of encoded characters, and its length is in bytes. The decoding function then proceeds to read in each byte, starting from the end of the encoded string.

Malvertising Campaign Leads to Execution of Oyster Backdoor
Figure 5 - The DLL’s Decoding Loop

Each byte of the encoded string is used as an index location to retrieve the decoded byte from a hard-coded byte map. A byte map is a byte array containing 256 bytes in a randomized order, one for each possible byte value from 1 to 256. Malware authors sometimes use this technique to obfuscate strings and other data. The iteration counter (i) used within the condition for the decoding loop is compared to half of the encoded string’s length as the decoding loop swaps two bytes at a time. The bytes of the encoded string are decoded and swapped beginning at the start and end bytes of the string and the decoding loop then progresses towards the center of the string from each end.

The loop swaps the bytes to reverse the decoded string, as the original plaintext strings stored in the malware were reversed prior to encoding. When the center of the string is reached, the decoding process is complete. Due to this algorithm, all the encoded strings that are passed must be of even length to avoid further processing. Immediately after the decoded string is loaded onto the stack, the malware then re-encodes the string using a similar loop. The final result for the first decoded string is a carriage return line feed (CRLF) delimited list of C2 domains.

We constructed a Python script that can decode all the encoded strings contained within the CleanUp.dll binaries, including previous versions. The Python script can be found in our GitHub repository.

Malvertising Campaign Leads to Execution of Oyster Backdoor
Figure 6 - Sample Output from Python Script

Using our Python script, it revealed some of the C2 functionality, along with several JSON fields that are used to build a fingerprint of the infected system:

Hex Encoded String	Decoded String
2ec6a676766fc6f4960e86	api/connect
50b0aea6747686b64eaef69e2ec6a64e96262ea64e	supfoundrysettlers.us
50b0b6f6c674a646a6b6f6164ea66ea64ea616ee	whereverhomebe.com
50b0ceae74ce4ea6362e2ea6ce9e4e2676aef6660eaece	retdirectyourman.eu
76f6ce56f476f6962e86c696360e0e86045ca60e9e2ab42e76a62e76f6c2	Content-Type: application/json
76f696cece65cef4960e86	api/session
a61ea67426b6c63a346ceaf2eace9eca3a	\SysWOW64\cmd.exe
a61ea6744ccc36362676ae4e3a2c6ceaf2eace9eca3a	\SysWOW64\rundll32.exe
d2f2	OK
3a0eb6a62a3a	\Temp\
445c442696fa267686b6b6f6c6443444	","command_id":"
be44	"}
445c44649644de	{"id":"
445c442e36aecea64e443444	","result":"
445c442696fa76f696cecea6ce443444	","session_id":"
445c44ceae2e862ece443444	","status":"
2e1e2e740eae7686a636c63a	\cleanup.txt
445c44a6b68676fa4e652eae0eb6f6c6443444	","computer_name":"
0ccc445c4476f696ce72a66efa363626443444	","dll_version":"30
445c44769686b6f626443444	","domain":"
be44	"}
445c44649644de	{"id":"
445c443686c6f636fa0e96443444	","ip_local":"
445c44cef6443444	","os":"
445c44263696ae46facef6443444	","os_build":"
445c44a6e6a636656e964e0e443444	","privilege":"

After the binary decodes the C2 addresses, the program proceeds to fingerprint the infected machine, using the following functions:

Function	Description
DsRoleGetPrimaryDomainInformation	Used to gather information about the domain the compromised machine resides in. In particular, the function returns the domain name.
GetUserNameW	Provides the name of the user in which the program is running under.
NetUserGetInfo	Provides details of the user under which the program is running. In this case, the program is querying if the user is admin or user.
GetComputerNameW	Provides the name of the compromised machine in which the binary is running on.
RtlGetVersion	Returns version information about the currently running operating system including name and version number.

Malvertising Campaign Leads to Execution of Oyster Backdoor
Figure 7 - A Selection of Contents of the CleanUp30.dll Code that Outline the Collection of System Information

While enumerating information about the host, the information is stored in the JSON fields uncovered from the encoded strings identified above.

Malvertising Campaign Leads to Execution of Oyster Backdoor
Figure 8 - Example of the Data Collected and Sent via HTTP POST to the Malicious Domains

The fingerprint information is encoded using the same loop previously discussed, where the data string is reversed and encoded using a byte map before being sent.

After the information is encoded, it is sent to the domains whereverhomebe[.]com/, supfoundrysettlers[.]us/, and retdirectyourman[.]eu/ via HTTP POST method. Rapid7 determined that CleanUp30.dll uses the open-source C++ library Boost.Beast to communicate with the observed C2 domains via HTTP and web sockets.

Malvertising Campaign Leads to Execution of Oyster Backdoor
Figure 9 - Captured Network Traffic Attempting to Send POST Requests to whereverhomebe[.]com/ and supfoundrysettlers[.]us/ Following the Execution of CleanUp30.dll

Follow-on Activity

In one of the incidents Rapid7 observed, a PowerShell script was spawned following the execution of another version of CleanUp30.dll, CleanUp.dll. CleanUp.dll, similar to CleanUp30.dll, was originally dropped by the other fake Microsoft Teams installer, TMSSetup.exe, which dropped the binary into the AppData/Local/Temp directory as well.

Malvertising Campaign Leads to Execution of Oyster Backdoor
Figure 10 - PowerShell Command Creating .lnk File DiskCleanUp.lnk

The purpose of the PowerShell script was to create a shortcut LNK file named DiskCleanUp.lnk within C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\. By doing so, this ensured that the LNK file DiskCleanUp.lnk would be run each time the user logged in. The shortcut LNK file was responsible for executing the binary CleanUp.dll using rundll32.exe, passing the export Test.
Following the execution of the PowerShell script, Rapid7 observed execution of additional payloads:

k1.ps1
main.dll
getresult.exe

Unfortunately, during the incident, we were unable to acquire the additional payloads. During the incidents, Rapid7 also observed execution of the following enumeration commands:

Enumeration	Description
systeminfo	Provides information about the system's software and hardware configuration
arp -a	Shows a list of all IP addresses that the local computer has recently interacted with, along with their corresponding MAC addresses
net group 'domain computers' /domain	Lists the "Domain Computers" group within an Active Directory domain
"C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com	Determines the external IP address
whoami /all	Provides detailed information about the current user including user's privileges, group memberships, and security identifiers (SIDs)
nltest /dclist:<domain_name>	Lists all the domain controllers (DCs) for a specific domain
net user admin	Provides detailed information about the user 'admin' including profile information, group memberships, local group memberships, etc
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s	Queries the registry to find information about installed software
findstr "DisplayName"	Used to filter information, showing only items contained under "DisplayName"

Rapid7 Customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:

Persistence - SchTasks Creating A Task Pointed At Users Temp Or Roaming Directory
Suspicious Process: RunDLL32 launching CMD or PowerShell
Persistence - Schtasks.exe Creating Task That Executes RunDLL32
Network Discovery - Nltest Enumerate Domain Controllers
Attacker Technique - Determining External IP Via Command Line
Suspicious Process - .lnk in PowerShell Command Line

MITRE ATT&CK Techniques

Tactic	Technique	Description
Resource Development	Acquire Infrastructure: Domains (T1583.001)	Threat Actor set up typo-squatted domain micrsoft-teams-download[.]com in order to aid in the delivery of the executable MSTeamsSetup_c_l_.exe
Execution	Command and Scripting Interpreter: Powershell (T1059.001)	Used to create .lnk file DiskCleanUp.lnk and execute the PowerShell payload k1.ps1
Execution	User Execution: Malicious File (T1204.002)	User executes the binary MSTeamsSetup_c_l_.exe
Persistence	Scheduled Task (T1053.005)	CleanUp30.DLL and CleanUp.DLL create scheduled task ClearMngs
Defense Evasion	Masquerading: Match Legitimate Name or Location (T1036.005)	MSTeamsSetup_c_l_.exe masquerades as legitimate Microsoft Teams installer
Defense Evasion	Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003)	Execution delays are performed by several stages throughout the attack flow
Collection	Data from Local System (T1005)	Threat Actors enumerated information about compromised hosts using the backdoor CleanUp DLL's
Command and Control	Data Encoding - Non Standard Encoding (T1132.002)	CleanUp DLL's send encoded data to C2's using unique encoding function

IOCs

IOC	Hash	Description
TMSSetup.exe	9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43	The malicious executable downloaded from prodfindfeatures[.]com/
MSTeamsSetup_c_l_.exe	574C70E84ECDAD901385A1EBF38F2EE74C446034E97C33949B52F3A2FDDCD822	The malicious executable downloaded from prodfindfeatures[.]com/
CleanUp30.dll	CFC2FE7236DA1609B0DB1B2981CA318BFD5FBBB65C945B5F26DF26D9F948CBB4	The .dll file that is run by run32dll.exe following the execution of MSTeamsSetup_c_l_.exe
CleanUp.dll	82B246D8E6FFBA1ABAFFBD386470C45CEF8383AD19394C7C0622C9E62128CB94	The .dll file that is run by run32dll.exe following the execution of TMSSetup.exe
DiskCleanUp.lnk	b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa	An .lnk file that was created following the execution of CleanUp30.dll
prodfindfeatures[.]com/	-	The domain hosting the malicious files TMSSetup (1).exe and MSTeamsSetup_c_l_.exe
micrsoft-teams-download[.]com/	-	The typo-squatted domain that users visited
impresoralaser[.]pro/	-	Part of the domain redirect chain for downloads of TMSSetup (1).exe and MSTeamsSetup_c_l_.exe
whereverhomebe[.]com/	-	Domain that CleanUp30.dll and CleanUp.dll attempts to communicate with
supfoundrysettlers[.]us/	-	Domain that CleanUp30.dll and CleanUp.dll attempts to communicate with
retdirectyourman[.]eu/	-	Domain that CleanUp30.dll and CleanUp.dll attempts to communicate with
149.248.79[.]62	-	Resolving IP for whereverhomebe[.]com/
64.95.10[.]243	-	Resolving IP for supfoundrysettlers[.]us/
206.166.251[.]114	-	Resolving IP for retdirectyourman[.]eu/

References

Article	URL
Broomstick Malware Profile	https://exchange.xforce.ibmcloud.com/malware-analysis/guid:08822f57c12416bc3e74997c473d1889
Twitter Mention of CleanUpLoader	https://x.com/RussianPanda9xx/status/1757932257765945478

Enhancing Velociraptor with the Cado Security Platform

Posted 9 months ago by Rapid7

By: Nicholas Handy, Director of Technical Alliances & Partnerships at Cado Security

Velociraptor is a robust open-source tool designed for collecting and querying forensic and incident response artifacts across various endpoints. This powerful tool allows incident responders to effortlessly gather data from remote systems, regardless of their location.

Advanced data analysis with the Cado Security Platform

The Cado Security platform is a complementary technology that enables analysis and process of captured data at scale and from multiple sources. In conjunction with Velociraptor data, Cado analyzes data captured from cloud VMs, container-based, serverless, and SaaS environments. The platform automatically scales up and down to provide fast, parallel data processing. This means that it can process hundreds of systems simultaneously.

The Cado Security Platform integrates seamlessly with Velociraptor, creating a comprehensive suite for end-to-end data capture and analysis. In fact, Cado’s existing customers routinely analyze data collected by Velociraptor during investigations using this platform, making the most of its powerful capabilities

Optimized data processing and analysis

A common use case involves users performing offline triage to create an agent to collect Windows.KapeFiles from endpoints, to then upload these to cloud storage where Cado can import, process, and analyze them. This capability leverages Cado's cloud-based parallel processing to quickly normalize collected artifacts. Cado creates a timeline of what happened on the systems, runs analysis against the files and enables an analyst to search and browse the captured data.

Enhanced threat visibility

The Cado Security Platform creates detailed timelines of system events, conducts thorough file analysis, and enables analysts to search and browse captured data efficiently. This detailed insight is invaluable for understanding the full impact of threats.

With Velociraptor and The Cado Security Platform working together, incident response teams can achieve a better understanding of the impact of threats with complete visibility across their entire ecosystem, enhancing the overall efficiency of forensic investigations and incident response.

Securing AI Development in the Cloud: Navigating the Risks and Opportunities

Posted 9 months ago by Rapid7

AI-TRiSM - Trust, Risk and Security Management in the Age of AI

Securing AI Development in the Cloud: Navigating the Risks and Opportunities

Co-authored by Lara Sunday and Pojan Shahrivar

As artificial intelligence (AI) and machine learning (ML) technologies continue to advance and proliferate, organizations across industries are investing heavily in these transformative capabilities. According to Gartner, by 2027, spending on AI software will grow to $297.9 billion at a compound annual growth rate of 19.1%. Generative AI (GenAI) software spend will rise from 8% of AI software in 2023 to 35% by 2027.

With the promise of enhanced efficiency, personalization, and innovation, organizations are increasingly turning to cloud environments to develop and deploy these powerful AI and ML technologies. However, this rapid innovation also introduces new security risks and challenges that must be addressed proactively to protect valuable data, intellectual property, and maintain the trust of customers and stakeholders.

Benefits of Cloud Environments for AI Development

Cloud platforms offer unparalleled scalability, allowing organizations to easily scale their computing resources up or down to meet the demanding requirements of training and deploying complex AI models.

"The ability to spin up and down resources on-demand has been a game-changer for our AI development efforts," says Stuart Millar, Principal AI Engineer at Rapid7. "We can quickly provision the necessary compute power during peak training periods, then scale back down to optimize costs when those resources are no longer needed."

Cloud environments also provide a cost-effective way to develop AI models, with usage-based pricing models that avoid large upfront investments in hardware and infrastructure. Additionally, major cloud providers offer access to cutting-edge AI hardware and pre-built tools and services, such as Amazon SageMaker, Azure Machine Learning, and Google Cloud AI Platform, which can accelerate development and deployment cycles.

Challenges and Risks of Cloud-Based AI Development

While the cloud offers numerous advantages for AI development, it also introduces unique challenges that organizations must navigate. Limited visibility into complex data flows and model updates can create blind spots for security teams, leaving them unable to effectively monitor for potential threats or anomalies.

In their AI Threat Landscape Report, HiddenLayer highlighted that 98% of all the companies surveyed identified that elements of their AI models were crucial to their business success, and 77% identified breaches to their AI in the past year. Additionally, multi-cloud and hybrid deployments bring monitoring, governance, and reporting challenges, making it difficult to assess AI/ML risk in context across different cloud environments.

New Attack Vectors and Risk Types

Developing AI in the cloud also exposes organizations to new attack vectors and risk types that traditional security tools may not be equipped to detect or mitigate. Some examples include:

Prompt Injection (LLM01): Imagine a large language model used for generating marketing copy. An attacker could craft a special prompt that tricks the model into generating harmful or offensive content, damaging the company's brand and reputation.

Training Data Poisoning (LLM03, ML02): Adversaries can tamper with training data to compromise the integrity and reliability of cloud-based AI models. In the case of an AI model used for image recognition in a security surveillance system, poisoned training data containing mislabeled images could cause the model to generate incorrect classifications, potentially missing critical threats.

Model Theft (LLM10, ML05): Unauthorized access to proprietary AI models deployed in the cloud poses risks to intellectual property and competitive advantage. If a competitor were to steal a model trained on a company's sensitive data, they could potentially replicate its functionality and gain valuable insights.

Supply Chain Vulnerabilities (LLM05, ML06): Compromised libraries, datasets, or services used in cloud AI development pipelines can lead to widespread security breaches. A malicious actor might introduce a vulnerability into a widely used open-source library for AI, which could then be exploited to gain access to AI models deployed by multiple organizations.

Developing Best Practices for Securing AI Development

To address these challenges and risks, organizations need to develop and implement best practices and standards tailored to their specific business needs, striking the right balance between enabling innovation and introducing risk.

While guidelines like NCSC Secure AI System Development and The Open Standard for Responsible AI provide a valuable starting point, organizations must also develop their own customized best practices that align with their unique business requirements, risk appetite, and AI/ML use cases. For instance, a financial institution developing AI models for fraud detection might prioritize best practices around data governance and model explainability to ensure compliance with regulations and maintain transparency in decision-making processes.

Key considerations when developing these best practices include:

Ensuring secure data handling and governance throughout the AI lifecycle

Implementing robust access controls and identity management for AI/ML resources
Validating and monitoring AI models for potential biases, vulnerabilities, or anomalies
Establishing incident response and remediation processes for AI-specific threats
Maintaining transparency and explainability to understand and audit AI model behavior

Rapid7's Approach to Securing AI Development

"At Rapid7, our InsightCloudSec solution offers real-time visibility into AI/ML resources running across major cloud providers, allowing security teams to continuously monitor for potential risks or misconfigurations," says Aniket Menon, VP, Product Management. "Visibility is the foundation for effective security in any environment, and that's especially true in the complex world of AI development. Without a clear view into your AI/ML assets and activities, you're essentially operating blind, leaving your organization vulnerable to a range of threats."

Here at Rapid7 our AI TRiSM (Trust, Risk, and Security Management) framework empowers our teams. The framework provides us with confidence not only in our operations but also in driving innovation. In their recent blog outlining the company’s AI principles, Laura Ellis and Sabeen Malik shared how Rapid7 tackles and addresses AI challenges. Centering on transparency, fairness, safety, security, privacy, and accountability, these principles are not just guidelines; they are integral to how Rapid7 builds, deploys, and manages AI systems.

Security and compliance are two key InsightCloudSec capabilities. Compliance Packs are out-of-the-box collections of related Insights focused on industry requirements and standards for all of your resources. Compliance packs may focus on security, costs, governance, or combinations of these across a variety of frameworks, e.g., HIPAA, PCI DSS, GDPR, etc.

Last year Rapid7 launched the Rapid7 AI/ML Security Best Practices compliance pack, the pack allows for real-time and continuous visibility into AI/ML resources running across your clouds with support for GenAI services across AWS, Azure and GCP. To empower you to assess this data in the context of your organizational requirements and priorities, you can then automatically prioritize AI/ML-related risk with Layered Context based on exploitability and potential business impact.

You can also leverage Identity Analysis in InsightCloudSec to collect and present the actions executed by a given user or role within a certain time period. These logged actions are collected and analyzed, providing you with a view across your organization of who can access AI/ML resources and automatically rightsize in accordance with the least privilege access (LPA) concept. This enables you to strategically inform your policies moving forward. Native automation allows you to then act on your assessments to alert on compliance drift, remediate AI/ML risk, and enact prevention mechanisms.

Rapid7’s Continued Dedication to AI Innovation

As an inaugural signer of the CISA Secure by Design Pledge, and through our partnership with Queen's University Belfast Centre for Secure Information Technologies (CSIT), Rapid7 remains dedicated to collaborating with industry leaders and academic institutions to stay ahead of emerging threats and develop cutting-edge solutions for securing AI development.

As the adoption of AI and ML capabilities continues to accelerate, it's imperative that organizations have the knowledge and tools to make informed decisions and build with confidence. By implementing robust best practices and leveraging advanced security tools like InsightCloudSec, organizations can harness the power of AI while mitigating the associated risks and ensuring their valuable data and intellectual property remain protected.

To learn more about how Rapid7 can help your organization develop and implement best practices for securing AI development, visit our website to request a demo.

Gartner, Forecast Analysis: Artificial Intelligence Software, 2023-2027, Worldwide, Alys Woodward, et al, 07 November 2023

The Dreaded Network Pivot: An Attack Intelligence Story

Posted 9 months ago by Rapid7

Rapid7 recently released our 2024 Attack Intelligence Report, a 14-month deep dive into the vulnerability and attacker landscape. The spiritual successor to our annual Vulnerability Intelligence Report, the AIR includes data from the Rapid7 research team combined with our detection and response and threat intelligence teams. It is designed to provide the clearest view yet into what security professionals face day to day.

In this blog, we would like to focus on one area of research the AIR highlights: network edge technologies. In 2023 (and early 2024) Rapid7 found some startling information about the vulnerability of these critical devices. Essentially, of the mass compromise events we studied, exploitation of network edge tech increased significantly over the 14 months the report covers — something we will cover in detail shortly.

But first, some background. Way back in 2020, Rapid7 created a new attacker utility category for vulnerabilities that functioned as network pivots. These are vulnerabilities that give external attackers internal network access. Think VPNs, firewalls, security gateways, etc. They serve an important function in any network but visibility into these devices can be challenging, making them prime targets for attackers.

In 2023 we saw a surge in attacks on these network appliances. Mass compromise events stemming from exploitation of network edge tech nearly doubled over the period studied — with 36% of all widely exploited vulnerabilities occurring within network perimeter technology. Looking back over the previous reports, we determined some 60% of all of the vulnerabilities Rapid7 analyzed in network edge devices over a three year period were exploited as zero-days, a disproportionate number when looking at the entirety of the vulnerabilities studied.

Over the four years Rapid7 has been categorizing this type of vulnerability, network edge devices have comprised 24% of exploited vulnerabilities and a quarter of all widespread threats.

State-sponsored groups and ransomware groups like Cl0p, Inc, Bl00dy, Akira, Play, LockBit, and more went after network edge tech in 2023. Network edge devices are essential for modern network operations, but they also represent a major weak spot in cybersecurity defenses — one that these organized groups took advantage of in 2023.

There are a number of reasons for this. It can be difficult to detect intrusions on these types of devices as the capabilities for logging and threat detection vary depending on the specific devices used. Some do not log key events, they use a variety of firmware and (often proprietary) operating systems, and in some cases the firmware itself may be encrypted or obfuscated. This makes monitoring and detecting intrusions troublesome across different devices and developing a strategy for the entire spectrum of devices complex.

For more information about network edge technology vulnerabilities, as well as the latest data on ransomware, attacker utilities, widespread threats, file transfer vulns, and more, download the 2024 Attack Intelligence Report.

CVE-2024-24919: Check Point Security Gateway Information Disclosure

Posted 9 months ago by Rapid7

On May 28, 2024, Check Point published an advisory for CVE-2024-24919, a high-severity information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the “IPSec VPN” or “Mobile Access” software blade.

On May 29, 2024, security firm mnemonic published a blog reporting that they have observed in-the-wild exploitation of CVE-2024-24919 since April 30, 2024, with threat actors leveraging the vulnerability to enumerate and extract password hashes for all local accounts, including accounts used to connect to Active Directory. They’ve also observed adversaries moving laterally and extracting the “ntds.dit” file from compromised customers' Active Directory servers, within hours of an initial attack against a vulnerable Check Point Gateway.

On May 30, 2024, watchTowr published technical details of CVE-2024-24919 including a PoC.

The vulnerability allows an unauthenticated remote attacker to read the contents of an arbitrary file located on the affected appliance. For example, this allows an attacker to read the appliances /etc/shadow file, disclosing the password hashes for local accounts. The attacker is not limited to reading this file and may read other files that contain sensitive information. An attacker may be able to crack the password hashes for these local accounts, and if the Security Gateway allows password only authentication, the attacker may use the cracked passwords to authenticate.

Mitigation Guidance

According to the vendor advisory, the following products are vulnerable to CVE-2024-24919:

CloudGuard Network
Quantum Maestro
Quantum Scalable Chassis
Quantum Security Gateways
Quantum Spark Appliances

Check Point has advised that a Security Gateway is vulnerable if one of the following configuration is applied:

If the “IPSec VPN” blade has been enabled and the Security Gateway device is part of the “Remote Access” VPN community.
If the “Mobile Access” blade has been enabled.

Check Point has released hotfixes for Quantum Security Gateway, Quantum Maestro, Quantum Scalable Chassis, and Quantum Spark Appliances. We advise customers to refer to the Check Point advisory for the most current information on affected versions and hotfixes.

The vendor supplied hotfixes should be applied immediately. Rapid7 strongly recommends that Check Point Security Gateway customers examine their environments for signs of compromise and reset local account credentials in addition to applying vendor-provided fixes.

Check Point notes that exploit attempts their team has observed “focus on remote access scenarios with old local accounts with unrecommended password-only authentication.” The company recommends that customers check for local account usage, disable any unused local accounts, and add certificate-based authentication rather than password-only authentication. More information and recommendations on user and client authentication for remote access is available here.

Rapid7 Customers

A vulnerability check is in development for InsightVM and Nexpose customers to assess exposure to CVE-2024-24919. This blog will be updated with the latest information as and when it is available

Suspicious Web Server Request - Successful Path Traversal Attack
Suspicious Web Request - Possible Check Point VPN (CVE-2024-24919) Exploitation

Celebrating Excellence: Joanne Guariglia and Kelly Hiscoe Recognized as CRN’s 2024 Women of the Channel

Posted 9 months ago by Rapid7

We are thrilled to announce that two of our exceptional team members, Joanne Guariglia and Kelly Hiscoe, have been recognized as CRN's 2024 Women of the Channel. This recognition celebrates the achievements and leadership of women within the channel community, and we are incredibly proud to see Joanne and Kelly honored for their contributions.

Kelly Hiscoe: Driving innovation in partner programs

Kelly Hiscoe and her team are at the forefront of designing and launching partner programs, optimizing our operations to support Rapid7's global channel ecosystem. Their commitment to creating highly effective and streamlined partner experiences ensures seamless execution within our channel. Engaging continuously with partners, Kelly's team drives simplified, scalable, and predictable experiences that benefit all stakeholders.

Kelly's dedication to improving our operational infrastructure and incentive programs is unwavering. Kelly said: "We will never be done focusing on creating improved programs and processes. We will continue to be laser focused on enhancing our operational infrastructure and incentive programs because we care deeply about the partner experience with Rapid7."

Her leadership and vision are integral to our ongoing success and the satisfaction of our partners.

Joanne Guariglia: Building lasting relationships

Joanne Guariglia has demonstrated exceptional skill in building and nurturing lasting relationships with our partners, an area in which Rapid7 are investing heavily - making strides with the channel community more than ever.

"What I enjoy most is being able to build lasting relationships with our partners. Partners want to work with trusted brands who are leaders in the space, and we have that here at Rapid7. Being that trusted voice and growing the relationship, while educating them about our offerings, enables me to have a positive impact," Joanne said.

Her dedication to partner success and her ability to educate and inform are key components of her impactful work.

Commitment to excellence

At Rapid7, we are committed to fostering an environment where talented individuals like Joanne and Kelly can thrive. Their recognition as CRN's 2024 Women of the Channel underscores our dedication to excellence and our focus on building a strong, supportive channel ecosystem. We look forward to their continued contributions and to the ongoing success of our partners.

Please join us in celebrating Joanne and Kelly for their outstanding achievements and their unwavering commitment to excellence in the channel community.

Learn more about Rapid7 global partnerships here.