Metasploit
Metasploit Weekly Wrap-Up: Sep. 29, 2023
TeamCity authentication bypass and remote code execution
This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer, who additionally published a technical analysis on AttackerKB for CVE-2023-4279
Emergent Threat Response
Critical Vulnerabilities in WS_FTP Server
On September 27, 2023, Progress Software published a security advisory on multiple vulnerabilities affecting WS_FTP Server, a secure file transfer solution. There are a number of vulnerabilities in the advisory, two of which are critical (CVE-2023-40044 and CVE-2023-42657). Our research team has identified what appears to be the .NET deserialization vulnerability (CVE-2023-40044) and confirmed that it is exploitable with a single HTTPS POST request and a pre
DFIR
Unlock Broader Detections and Forensics with Velociraptor in Rapid7 XDR
Rapid7 is excited to announce the integration of Velociraptor, our leading open-source DFIR framework, into the Insight Platform for InsightIDR Ultimate users — all with no additional deployment or configurations required.
InsightVM
Introducing Active Risk
Security teams need better prioritization mechanisms. That's why we developed Active Risk, the new risk scoring methodology in InsightVM.
Emergent Threat Response
CVE-2023-42793: Critical Authentication Bypass in JetBrains TeamCity CI/CD Servers
On September 20, 2023, JetBrains disclosed CVE-2023-42793, a critical authentication bypass vulnerability in on-premises instances of their TeamCity CI/CD server. Successful exploitation could make the vulnerability a potential supply chain attack vector.
Metasploit
Metasploit Weekly Wrap-Up: Sep. 22, 2023
Improved Ticket Forging
Metasploit’s admin/kerberos/forge_ticket module has been updated to work with Server 2022. In Windows Server 2022, Microsoft started requiring additional new PAC elements to be present: the PAC requestor and PAC attributes. The newly forged tickets will have the necessary elements added automatically based on the user-provided domain SID and user RID. For example:
msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f649
MITRE ATT&CK
Rapid7 2023 MITRE Engenuity ATT&CK® Evaluations
InsightIDR has evolved to stay in front of emergent threats and expanding attack surfaces, and now we are proud to share our participation and results from the most recent MITRE Engenuity ATT&CK Evaluation: Enterprise.
Vulnerability Management
Rapid7 doubles down on a platform approach for Vulnerability Risk Management
This week, Rapid7 was named a Strong Performer in The Forrester Wave™: Vulnerability Risk Management, Q3 2023.
Metasploit
Metasploit Weekly Wrap-Up: Sep. 15, 2023
Flask Cookies
This week includes two modules related to Flask cookie signatures. One is specific to Apache Superset, where session cookies can be re-signed, allowing an attacker to elevate their privileges and dump the database connection strings. While adding this functionality, community member h00die also added a module for generically working with the default session cookies used by Flask. This generic module auxiliary/gather/python_flask_cookie_signer
Patch Tuesday
Patch Tuesday - September 2023
A relatively light month. Word NTLM hash disclosure. Streaming Service Proxy elevation to SYSTEM. Internet Connection Sharing critical RCE.
Metasploit
Metasploit Weekly Wrap-Up: Sep. 8, 2023
New module content (4)
Roundcube TimeZone Authenticated File Disclosure
Authors: joel, stonepresto, and thomascube
Type: Auxiliary
Pull request: #18286 contributed by cudalac
Path: auxiliary/gather/roundcube_auth_file_read
AttackerKB reference: CVE-2017-16651
Description: This PR adds a module to retrieve an arbitrary file on hosts run
Cloud Security
A Look at Our Development Process of the Cloud Resource Enrichment API
Rapid7 has developed a new Cloud Resource Enrichment API that streamlines data retrieval from various cloud resources.
Vulnerability Disclosure
CVE-2023-4528: Java Deserialization Vulnerability in JSCAPE MFT (Fixed)
In August 2023, Rapid7 discovered CVE-2023-4528, a Java deserialization vulnerability in Redwood Software’s JSCAPE MFT secure managed file transfer product. Successful exploitation can run arbitrary Java code as `root` on Linux or as the `SYSTEM` user on Windows.
Metasploit
Metasploit Weekly Wrap-Up: Sep. 1, 2023
Pumpkin Spice Modules
Here in the northern hemisphere, fall is on the way: leaves changing, the air growing crisp and cool, and some hackers changing the flavor of their caffeine. This release features a new exploit module targeting Apache NiFi as well as a new and improved library to interact with it.
New module content (1)
Apache NiFi H2 Connection String Remote Code Execution
Authors: Matei "Mal" Badanoiu and h00die
Type: Exploit
Pull request: #18257
Detection and Response
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
Rapid7 has observed the Fake Browser Update lure utilizing a sophisticated new loader to execute infostealers.