2 min
Vulnerability Disclosure
R7-2015-26: Advantech EKI Dropbear Authentication Bypass (CVE-2015-7938)
While looking into the SSH key issue outlined in the ICS-CERT ISCA-15-309-01
advisory, it became
clear that the Dropbear SSH daemon did not enforce authentication, and a
possible backdoor account was discovered in the product. All results are from
analyzing and running firmware version 1322_D1.98, which was released in
response to the ICS-CERT advisory.
This issue was discovered and disclosed as part of research resulting in
Rapid7's dis
2 min
IT Ops
Analyzing ELB Log Data
Thanks to some slick work from our engineering team, we have recently released a
lightweight python script that will allow you to pull your Elastic Load Balancer
logs from S3 into Logentries.
In this implementation, we use AWS Lambda and leverage the S3 trigger, so the
script only runs when needed.
The full documentation is available here:
https://logentries.com/doc/s3-ingestion-with-lambda/
1 min
IT Ops
Introducing a Buildbot status plugin for pushing status updates to Logentries
Buildbot is a framework for building continuous deployment and integration
systems, it is highly flexible and is written in python. It is also a mature
system which a number of large projects use e.g. Mozilla, Chromium, Python – see
trac.buildbot.net/wiki/SuccessStories
To send build status information — specifically Start, Success and Failure
states from Buildbot to Logentries — start by generating a log token from
Logentries.
4 min
Metasploit
12 Days of HaXmas: Metasploit End of Year Wrapup
This is the seventh post in the series, "The 12 Days of HaXmas."
It's the last day of the year, which means that it's time to take a moment to
reflect on the ongoing development of the Metasploit Framework, that de facto
standard in penetration testing, and my favorite open source project around.
While the acquisition of Metasploit way back in 2009 was met with some healthy
skepticism, I think this year, it's easy to say that Rapid7's involvement with
Metasploit has been an enormously positive
4 min
Metasploit
512 Days of HaXmas: Metasploit's IoT WebApp Login Support
This is the sixth post in the series, "The Twelve Days of HaXmas."
Well, the year is coming to a close, and it's just about time for the annual
breakdown of Metasploit commit action. But before we get to that, I wanted to
take a moment to highlight the excellent work we landed in 2015 in adding new
web application login support to Metasploit. After all, who needs exploits when
your password is "public" or "admin" or "password" or any other of the very few
well-known default passwords? Maybe i
3 min
Haxmas
12 Days of HaXmas: Santa makes a list and checks it twice, do you?
This post is the fifth in the series, "The Twelve Days of HaXmas."
This is the time of the year where kids and adults alike think back over the
past year, wondering which of Santa's two lists they will be on. The nice list
is reserved for those who say "please" and "thank you", brush their teeth, and
of course, those who regularly update and practice their incident response
plans.
Santa gives presents to the children on the nice list and coal to the ones on
the naughty. When the list gets chec
7 min
Haxmas
12 Days of HaXmas: What Home Alone Can Teach About Active Defense
This post is the fourth in the series, "The 12 Days of HaXmas."
As you venture from the world of defense, including protecting and monitoring
systems, into the realm of active defense, who can be your mentor? Who can make
you as cool as Frosty?
Does anyone know enough about active defense to make a movie out of it?
OF COURSE!
Macaulay Culkin is the mentor you are looking for. More precisely, Kevin
McCallister , from the
Home Alone fra
4 min
Threat Intel
12 Days of HaXmas: Charlie Brown Threat Intelligence
This post is the third in the series, "The 12 Days of HaXmas."
“Get the biggest aluminum threat feed you can find, Charlie Brown, maybe painted
pink.”
It has been a few years now since the term “cyber threat intelligence” entered
mainstream, and since then it has exploded into a variety of products, all
claiming to have the biggest, the best, the shiniest, most aluminum-est threat
feed, report, or platform. Much of the advertising and media surrounding threat
intelligence capitalizes on fear
10 min
Haxmas
12 Days of HaXmas: Advanced Persistent Printer
This post is the second in the series, "The 12 Days of HaXmas."
By Deral Heiland, Principal Consultant, and Nate Power, Senior Consultant, of
Rapid7 Global Services
Year after year we have been discussing the risk of Multi-Function Printers
(MFP) in the corporate environment and how a malicious actor can easily leverage
these devices to carry out attacks, including extraction of Windows Active
Directory credentials via LDAP and abusing the "Scan to File" and "Scan to
E-mail" features. To take
3 min
Haxmas
12 Days of HaXmas: Rapid7 Gives to You... Free Professional Media Training (Pear Tree Not Included)
Ho ho ho, Merry HaXmas ! For those of you new to this series,
every year we mark the 12 days of HaXmas with 12 blog posts on hacking-related
topics and roundups from the year. This year we're kicking the series off with
something not altogether hackery, but it's a gift, see, so very appropriate for
the season.
For the past couple of years, I've provided free media training at various
security conferences, often as part of an I Am The Cavalry
track,
8 min
Vulnerability Management
ScanNow DLL Search Order Hijacking Vulnerability and Deprecation
Overview
On November 27, 2015, Stefan Kanthak contacted Rapid7 to report a vulnerability
in Rapid7's ScanNow tool. Rapid7 takes security issues seriously and this was
no exception. In combination with a preexisting compromise or other
vulnerabilities, and in the absence of sufficient mitigating measures, a system
with ScanNow can allow a malicious party to execute code of their choosing
leading to varying levels of additional compromise. In order to protect the
small community of users who ma
2 min
IT Ops
How to Log Messages from Slack
We recently added support for unedited HTTP logging in Logentries. This means
you can send us log data via HTTPS drain (from heroku), or via any webhook you
want.
One webhook that we’ve been looking to log for a while is Slack
.
People are always chatting away on Slack, and this data might be useful some
day. You can send the data into Logentries however you want, and then worry
about what to do it when you actually need it!
First, you’ll need to
5 min
Vulnerability Disclosure
CVE-2015-7755: Juniper ScreenOS Authentication Backdoor
On December 18th, 2015 Juniper issued an advisory
indicating that they had discovered unauthorized code in the ScreenOS software
that powers their Netscreen firewalls. This advisory covered two distinct
issues; a backdoor in the VPN implementation that allows a passive eavesdropper
to decrypt traffic and a second backdoor
3 min
Nexpose
Have JBoss, Jenkins, WebLogic, WebSphere based applications? Brace yourself, they've got an unwanted Christmas present for you!
Java based server applications are prevalent throughout most corporate
networks. Thousands, if not millions, of applications are deployed using JBoss,
Jenkins, WebLogic and WebSphere - so when a vulnerability affecting the
underlying technology pops up, the impact can be significant. A vulnerability
was recently discovered affecting any Java application which can receive data
back from users, allowing malicious actors to insert unsafe data as it attempts
to ingest the information. The applica
0 min
Rapid7 Culture
Holiday greetings from all of us at Rapid7!
As we reach the end of December and the end of the year, we wanted to take a
moment to pause and recognize what an amazing year it has been -- and how
grateful we are to EVERYONE who made 2015 so memorable. That's why we put
together this short video as a way to say, quite simply, thank you.
(Please note: If you see a grey box instead of a video above, the player may
take a moment to load.)
Happy holidays and happy new year!
~ @mvarmazis