3 min
Threat Intel
Network Access for Sale: Protect Your Organization Against This Growing Threat
Vulnerable network access points are a potential gold mine for threat actors. We look at the techniques they use and best practices for prevention.
12 min
Malware
Sneaking Through Windows: Infostealer Malware Masquerades as Windows Application
Rapid7's Managed Detection and Response (MDR) team recently identified a malware campaign whose payload installs itself as a Windows application.
4 min
Project Sonar
VPNFilter's Potential Reach — Malware Exposure in SMB/Consumer-grade Devices
(Many thanks to Rebekah Brown [/author/rebekah-brown/] & Derek Abdine for their
contributions to the post.)
How does VPNFilter work?
Over the past few weeks, Cisco’s Talos
[https://www.cisco.com/c/en/us/products/security/talos.html] group has published
some significant new research
[https://blog.talosintelligence.com/2018/06/vpnfilter-update.html] on a new
malware family called VPNFilter. VPNFilter targets and compromises networking
devices to monitor the traffic that goes through them. The mal
4 min
Threat Intel
Simplicity, Harmony, and Opportunity: Rapid7 Threat Report Q3 2017
John Archibald Wheeler, the theoretical physicist who first coined the term
“wormhole” (and therefore brought us Deep Space 9) once listed Albert Einstein’s
Three Rules of Work:
> Out of clutter find simplicity; from discord find harmony; in the middle of
difficulty lies opportunity.
These rules seemed fitting for our third quarter threat report
[https://www.rapid7.com/info/threat-report/2017-q3-threat-report/]. Q3 brought
us plenty of clutter, discord, and difficulty, but in this threat repo
3 min
Malware
The BadRabbit Ransomware Attack: What You Need To Know
What’s Up?
Rapid7 has been tracking reports of an expanding ransomware campaign dubbed
BadRabbit. Russian news outlets and other organizations across Europe have
reported being victims of this malware and the “outbreak” is continuing to
spread.
The BadRabbit attackers appear to have learned some lessons from previous
outbreaks earlier this year and have both limited the external spreading
capabilities of the ransomware as well as made the payments a bit harder for
researchers, responders and au
6 min
Malware
The CIS Critical Controls Explained - Control 8: Malware Defenses
This is a continuation of our CIS critical security controls
[/2017/04/19/the-cis-critical-security-controls-series] blog series.
Workstations form the biggest threat surface in any organization. The CIS
Critical Security Controls
[https://www.rapid7.com/solutions/compliance/critical-controls/] include
workstation and user-focused endpoint security in several of the controls, but
Control 8 (Malware Defenses) is the only control to strictly focus on antivirus
and malware across the organization.
3 min
Incident Detection
Introspective Intelligence: Understanding Detection Techniques
To provide insight into the methods devised by Rapid7, we'll need to revisit the
detection methods implemented across InfoSec products and services and how we
apply data differently. Rapid7 gathers volumes of threat intelligence on a daily
basis - from new penetration testing tools
[https://www.rapid7.com/products/metasploit/download.jsp?CS=blog], tactics, and
procedures in Metasploit
[https://www.rapid7.com/products/metasploit/index.jsp?CS=blog], vulnerability
detections in Nexpose [https://www
4 min
Malware
Malware and Advanced Threat Protection: A User-Host-Process Model
[Editor's Note: This is a sneak peek at what Tim will be presenting at UNITED
2016 in November. Learn more and secure your pass at http://www.unitedsummit.org
[http://www.unitedsummit.org/?CS=blog]!]
In today's big data and data science age, you need to think outside the box when
it comes to malware and advanced threat protection. For the Analytic Response
team [https://www.rapid7.com/services/] at our 24/7 SOC in Alexandria, VA, we
use three levels of user behavior analytics
[https://www.rapid
4 min
InsightIDR
Compromised Credentials Have a High ROI for Attackers
Given that detecting the use of compromised credentials is at the core of user
behavior analytics' and InsightIDR's focus, I want to explain why compromised
credentials are so valuable to attackers. To effectively understand any attacker
tools and techniques, we have to put them into the context of their challenges
and goals the same way you would a business, or supply chain of businesses.
Accordingly, I will use some common microeconomics terms to explain.
Phishing has a high expected return
4 min
Malware
Attackers Take Advantage Of The Options You Give Them - Malware vs. Credentials
When InsightIDR was purpose-built to detect compromised credentials in the first
months of 2014, we did so because we identified a significant gap in detection
solutions currently available to security teams. The 2014 Verizon DBIR just
happened to subsequently quantify the size of this gap (and it has repeated in
2015 and 2016). User behavior analytics, as an industry, emerged to cover this
gap in SIEM and other solutions. This does not mean that malware is not heavily
used in attacks today, but
3 min
Malware
Ransomware FAQ: Avoiding the latest trend in malware
Recently, a number of Rapid7's customers have been evaluating the risks posed by
the swift rise of ransomware as an attack vector. Today, I'd like to address
some of the more common concerns.
What is Ransomware?
Cryptowall [http://www.theregister.co.uk/2015/11/09/cryptowall_40/] and
Cryptolocker [https://www.us-cert.gov/ncas/alerts/TA13-309A] are among the
best-known criminal ransomware packages today. In most cases, users are
afflicted by ransomware by clicking on a phishing link o
2 min
Malware
Hammertoss Demonstrates Need for Applying Attacker Knowledge to Behavior Analytics
A recent report on a new type of malware dubbed “Hammertoss
[http://www.cnet.com/news/hammertoss-extra-sneaky-malware-acts-just-like-you/]”
highlights the importance of applying knowledge of attacker methodologies to
behavior analytics.
As an industry, we get very fixated on the latest intruder tools. The risk here
is that we can't see the forest for the trees. To effectively detect intruders,
we must look at the entire attack chain and the methods attackers will always
use to complete their mi
8 min
Flash
More Flash Exploits in the Framework
As todb [/author/tod-beardsley/] pointed out in the last weekly metasploit
update wrapup [/2015/06/26/weekly-metasploit-wrapup] we recently added two new
exploits for Flash: CVE-2015-3090
[http://www.cvedetails.com/cve-details.php?cve_id=CVE-2015-3090] and
CVE-2015-3105 [http://www.cvedetails.com/cve-details.php?cve_id=CVE-2015-3105],
based on the samples found in the wild.
As you're probably aware, over the last few years, and especially at the end of
2014 and into 2015, Flash has become the trending target f
2 min
Malware
What exactly is Duqu 2.0?
Overview:
Duqu, a very complex and modular malware platform thought to have gone dark in
late 2012, has made its appearance within the environment of Kaspersky Labs.
[https://threatpost.com/duqu-resurfaces-with-new-round-of-victims-including-kaspersky-lab/113237]
Dubbed “Duqu 2.0” by Kaspersky, the level of complexity found within the malware
represents the high level of sophistication, skill, funding and motivation seen
in nation-sponsored actors. Infections related to this malware have reveale
2 min
Malware
Rapid7 UserInsight Brings User Context to Palo Alto WildFire Alerts
According to the Ponemon Institute's 2014 Industry Report, 74% of security
professionals claim incident investigation solutions lack integration with
existing security products. UserInsight, our intruder analytics solution, now
integrates with Palo Alto WildFire to provide user context and investigative
tools to their advanced malware alerts.
What does user context mean? For incident alerts, monitoring solutions often
provide the IP addresses or assets affected. However, as users connect to the