Posts tagged Project Sonar

13 min Research

Don’t Put It on the Internet: Tesla Backup Gateway Edition

In this blog, we address Tesla Backup Gateways and identify key areas where Tesla could improve security and privacy to help customers protect themselves.

5 min Research

Microsoft Exchange 2010 End of Support and Overall Patching Study

Today's topic is Exchange 2010, which reaches end of support (EoS) on Oct. 13, 2020, as well as a survey of other versions of Exchange and how well they are being kept up-to-date.

2 min Quarterly Threat Report

Rapid7 Releases Q2 2020 Quarterly Threat Report

It’s hard to believe it’s already the end of September, and with it comes Rapid7’s Q2 2020 Quarterly Threat Report.

3 min Vulnerability Management

CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability: What You Need to Know

On July 22, Cisco released a patch for a high-severity read-only patch traversal vulnerability in its Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products.

3 min Vulnerability Disclosure

CVE-2020-2021 Authentication Bypass in PAN-OS Security Assertion Markup Language (SAML) Authentication Disclosed

On Monday, June 29, 2020, Palo Alto released details on CVE-2020-2021 a new, critical weakness in SAML authentication on PAN-OS devices.

5 min Research

CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability Remediation Guidance and Exposure Overview

On April 22, Sophos received a report documenting a suspicious field value visible in the management interface of an XG Firewall.

7 min Microsoft

Phishing for SYSTEM on Microsoft Exchange (CVE-2020-0688)

As of March 24, there were over 350,000 Microsoft Exchange servers exposing a version of the software with a vulnerability.

5 min Research

DOUBLEPULSAR over RDP: Baselining Badness on the Internet

How many internet-accessible RDP services have the DOPU implant installed? How much DOPU-over-RDP traffic do we see being sprayed across the internet?

9 min Research

Oh, Behave! Who Made It to Rapid7 Labs' Naughty List(s) in 2019?

The Labs team thought it might be fun to give folks a glimpse into who made it to some of our naughtiest lists in 2019 based on insights gleaned through our research projects.

2 min Research

Rapid7 Introduces Industry Cyber-Exposure Report: Deutsche Börse Prime Standard 320

Today, Rapid7 released our fifth Industry Cyber-Exposure Report (ICER) examining the overall exposure of the companies listed in the Deutsche Börse Prime Standard index.

5 min Cloud Infrastructure

Avoiding the Zombie Cloud Apocalypse: How to Reduce Exposure in the Cloud

In this blog, we share the top cloud configuration mistakes organizations make and four rules to implement so you can migrate securely to the cloud.

5 min Project Sonar

Exim Vulnerability (CVE-2019-16928): Global Exposure Details and Remediation Advice

On Sept. 27, CVE-2019-16928 was promulgated, indicating all Exim versions 4.92–4.92.2 were vulnerable to a heap-based buffer overflow.

4 min InsightVM

How Rapid7 Industry Research Strengthens InsightVM

Rapid7’s vulnerability scanner, InsightVM is backed by multiple large-scale research projects that keep it on the leading edge of vulnerability risk management.

3 min InsightVM

Attack Surface Monitoring with Project Sonar

Attack Surface Monitoring with Project Sonar can help you reduce and monitor your attack surface.

5 min Research

Rapid7 Releases Industry Cyber-Exposure Report: FTSE 250+

Today, Rapid7 released our third Industry Cyber-Exposure Report, examining the overall exposure of the companies listed in the FTSE 250 index.

8 min Verizon DBIR

Key Concepts and Findings from the 2019 Verizon Data Breach Investigations Report

Our Rapid7 Labs research team has pored over Verizon Data Breach Investigations Report to identify some key waypoints to help the Rapid7 community navigate through this sea of information.

1 min Research

Confluence Unauthorized RCE Vulnerability (CVE-2019-3396): What You Need to Know

Atlassian was notified in late February about a remote code execution (RCE) flaw in their Confluence and Data Center products and issued an alert with a patch on March 20, 2019.

4 min Incident Detection

Q4 Threat Report: Analyzing the Top 3 Advanced Threats and Detection Techniques

In this post, we’ll review three major findings based on data from Project Sonar, Project Heisenberg, and our Managed Detection and Response customer base, which leverages our security experts and InsightIDR to unify security data and identify compromises in real-time.

2 min Research

Apache HTTP Server Privilege Escalation (CVE-2019-0211): What You Need to Know

The joke was on roughly 2 million servers on Monday (April 1!), as the Apache Foundation released a patch for a privilege escalation bug (CVE-2019-0211) in Apache HTTP Server 2.4 releases 2.4.17–2.4.38.

1 min Research

A Serial Problem: Exploitation and Exposure of Java Serialized Objects

In our new research report, we take a look at Java Serialized Objects (JSOs), which are a reliable threat vector and present a rising threat to enterprise networks.

4 min Research

Rapid7 Introduces Industry Cyber-Exposure Report: ASX 200

Today, Rapid7 released our second Industry Cyber-Exposure Report, examining the overall exposure of the ASX 200 family of companies.

2 min Research

Cisco® RV110/RV130/RV215 Unauthenticated Configuration Export Vulnerability (CVE-2019-1663): What You Need to Know

This week, Cisco® released an advisory and patch for a remote code execution flaw in small-business routers used for wireless connectivity in small offices and home offices.

8 min Research

Secure That Query! Researching the Landscape of DNS over Transport Layer Security (TLS)

In this blog, we highlight research conducted about the landscape of DNS over Transport Layer Security (TLS).

8 min Vulnerability Management

Understanding Ubiquiti Discovery Service Exposures

On Jan. 29, the Rapid7 Labs team was informed of a tweet by Jim Troutman indicating that Ubiquiti devices were being exploited and used to conduct denial-of-service attacks using a service on 10001/UDP.

3 min Research

Cisco RV320/RV325 Router Unauthenticated Configuration Export Vulnerability (CVE-2019-1653): What You Need to Know

Last week, a critical configuration weakness in Cisco® routers was responsibly disclosed on the Full Disclosure mailing list. Here's what you need to know.

6 min Haxmas

Happy HaXmas! Year-End Internet Scanning Observations

As we wrap up 2018 and forge ahead into 2019, let's reflect on some of the key observations we made through our internet scanning with Project Sonar.

13 min Research

Rsunk your Battleship: An Ocean of Data Exposed through Rsync

Rapid7 Labs recently decided to take a fresh look at rsync, this time focusing on exposure of rsync globally on the public internet.

2 min Research

Charting the Forthcoming PHPocalypse in 2019

This experiment began when Josh Frantz remarked that he would be curious about the potential exposure from the just-reached EOL date for PHP Version 7.0 and the forthcoming EOL date for PHP 5.6.

4 min AWS

Securing Buckets with Amazon S3 Block Public Access

Amazon Web Services recently introduced a new security enhancement to its cloud storage service: Amazon S3 Block Public Access.

5 min AWS

How to Conduct DNS Reconnaissance for $.02 Using Rapid7 Open Data and AWS

Rapid7 is happy to announce that a subset of data from Project Sonar is now available on Amazon Web Services (AWS).

4 min Project Sonar

VPNFilter's Potential Reach — Malware Exposure in SMB/Consumer-grade Devices

(Many thanks to Rebekah Brown [/author/rebekah-brown/] & Derek Abdine for their contributions to the post.) How does VPNFilter work? Over the past few weeks, Cisco’s Talos [https://www.cisco.com/c/en/us/products/security/talos.html] group has published some significant new research [https://blog.talosintelligence.com/2018/06/vpnfilter-update.html] on a new malware family called VPNFilter. VPNFilter targets and compromises networking devices to monitor the traffic that goes through them. The mal

1 min Honeypots

Whiteboard Wednesday: Your 6-Minute Recap of Q1 2018’s Threat Landscape

Gotten a chance to read Rapid7’s Quarterly Threat Report for 2018 Q1 [https://www.rapid7.com/info/threat-report/2018-q1-threat-report/]? If not (or if you’re more of an auditory learner), we’ve put together a 6-minute recap video of the major findings. In our Quarterly Threat Reports [https://www.rapid7.com/info/threat-report/], our security researchers provide a wide-angle view of the threat landscape by leveraging intelligence from the Rapid7 Insight platform [https://www.rapid7.com/products/

2 min Honeypots

Off the Chain! A Research Paper Observing Bitcoin Nodes on the Public Internet

Over the last several years, blockchain-based technologies have exploded in growth. Lately it seems like blockchains are turning up everywhere, from chicken management systems [https://www.bloomberg.com/news/features/2018-04-09/yes-these-chickens-are-on-the-blockchain] to the next hot cryptocurrency [https://medium.com/bitfwd/how-to-do-an-ico-on-ethereum-in-less-than-20-minutes-a0062219374] . Waves of new companies, products and applications exist, often in the form of just wedging a blockcha

3 min Vulnerability Management

Cisco Smart Install (SMI) Remote Code Execution: What You Need To Know

What’s Up? Researchers from Embedi discovered [https://embedi.com/blog/cisco-smart-install-remote-code-execution/] (and responsibly disclosed) a stack-based buffer overflow weakness in Cisco Smart Install Client code which causes the devices to be susceptible to arbitrary remote code execution without authentication. Cisco Smart Install (SMI) is a “plug-and-play” configuration and image-management feature that provides zero-touch deployment for new (typically access layer) switches. The feature

4 min Research

An Impressively Unprecedented Drop in Open memcached Services

(Many thanks to Jon Hart [https://twitter.com/jhartftw] and Tom Sellers [https://twitter.com/TomSellers] for their research and content for this blog post.) We started performing weekly monitoring of open/amplification-vulnerable memcached servers after the recent memcrashed [/2018/02/27/the-flip-side-of-memcrashed/] amplification distributed denial-of-service (DDoS) attack and today we have some truly awesome news to report, along with some evidence that the recent spate of DDoS attacks may n

2 min Project Sonar

The Flip Side of memcrashed

Rapid7 Labs keeps a keen eye on research and findings from other savvy security and technology organizations and noticed Cloudflare’s report [https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/] on new distributed denial of service (DDoS) amplification attacks using memcached [https://www.memcached.org/]. If you haven’t read Cloudflare’s (excellent) analysis yet, the TLDR is, memcached over UDP [https://github.com/memcached/memcached/blob/master/doc/protocol.txt

8 min Haxmas

The Ghost of a Botnet (Possibly) Past

For a week and a half in April, Rapid7 Labs observed a botnet with 18,000 distinct IPs marauding across the public internet. Then it disappeared, only to resurface again later. Join us as we tell the HaXmas tale of the ghost of a botnet past!

7 min Haxmas

Yankee Swapped: MQTT Primer, Exposure, Exploitation, and Exploration

This HaXmas, Rapid7's Jon Hart Yankee swaps readers a few minutes' attention for a festive look at MQTT exposure on the public IPv4 internet (and an exploitation module!).

8 min UNITED

Data Mining the Undiscovered Country

Using Internet-scale Research Data to Quantify and Reduce Exposure It’s been a busy 2017 at Rapid7 Labs. Internet calamity struck swift and often, keeping us all on our toes and giving us a chance to fully test out the capabilities of our internet-scale research platform [https://sonar.labs.rapid7.com/]. Let’s take a look at how two key components of Rapid7 Labs’ research platform—Project Heisenberg and Heisenberg Cloud—came together to enumerate and reduce exposure the past two quarters. (If r

11 min Research

Measuring SharknAT&To Exposures

On August 31, 2017, NoMotion’s “SharknAT&To” research [https://www.nomotion.net/blog/sharknatto/] started making the rounds on Twitter. After reading the findings, and noting that some of the characteristics seemed similar to trends we’ve seen in the past, we were eager to gauge the exposure of these vulnerabilities on the public internet. Vulnerabilities [https://www.rapid7.com/fundamentals/vulnerabilities-exploits-threats/] such as default passwords or command injection, which are usually tri

2 min Project Sonar

National Exposure Index 2017

Today, Rapid7 is releasing the second National Exposure Index [https://www.rapid7.com/info/national-exposure-index], our effort to quantify the exposure that nations are taking on by offering public services on the internet—not just the webservers (like the one hosting this blog), but also unencrypted POP3, IMAPv4, telnet, database servers, SMB, and all the rest. By mapping the virtual space of the internet to the physical space where the machines hosting these services reside, we can provide gr

6 min Research

WannaCry Update: Vulnerable SMB Shares Are Widely Deployed And People Are Scanning For Them (Port 445 Exploit)

WannaCry Overview Last week the WannaCry ransomware worm, also known as Wanna Decryptor, Wanna Decryptor 2.0, WNCRY, and WannaCrypt started spreading around the world, holding computers for ransom at hospitals, government offices, and businesses. To recap: WannaCry exploits a vulnerability in the Windows Server Message Block (SMB) file sharing protocol. It spreads to unpatched devices directly connected to the internet and, once inside an organization, those machines and devices behind the firew

1 min Project Sonar

Project Sonar - Mo' Data, Mo' Research

Since its inception, Rapid7's Project Sonar [https://sonar.labs.rapid7.com/] has aimed to share the data and knowledge we've gained from our Internet scanning and collection activities with the larger information security community.  Over the years this has resulted in vulnerability disclosures, research papers, conference presentations, community collaboration and data.  Lots and lots of data. Thanks to our friends at scans.io [https://scans.io/], Censys [https://censys.io/], and the Universit

8 min Haxmas

12 Days of HaXmas: A HaxMas Carol

(A Story by Rapid7 Labs) Merry HaXmas to you! Each year we mark the 12 Days of HaXmas [/tag/haxmas] with 12 blog posts on hacking-related topics and roundups from the year. This year, we're highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them. Happy Holi-data from Rapid7 Labs! It's been a big year for the Rapid7 elves Labs team. Our nigh 200-node strong Heisenberg Cloud honeypot network has enabled

3 min Project Sonar

Signal to Noise in Internet Scanning Research

We live in an interesting time for research related to Internet scanning. There is a wealth of data and services to aid in research. Scanning related initiatives like Rapid7's Project Sonar [https://sonar.labs.rapid7.com/], Censys [https://censys.io/], Shodan [https://www.shodan.io/], Shadowserver [https://www.shadowserver.org/] or any number of other public/semi-public projects have been around for years, collecting massive troves of data.  The data and services built around it has been used f

3 min Project Sonar

The Internet of Gas Station Tank Gauges -- Final Take?

In early 2015, HD Moore performed one of the first publicly accessible research related to Internet-connected gas station tank gauges, The Internet of Gas Station Tank Gauges [/2015/01/22/the-internet-of-gas-station-tank-gauges]. Later that same year, I did a follow-up study that probed a little deeper in The Internet of Gas Station Tank Gauges — Take #2 [/2015/11/18/the-internet-of-gas-station-tank-gauges-take-2]. As part of that study, we were attempting to see if the exposure of these devic

9 min Project Sonar

Project Sonar Study of LDAP on the Internet

The topic of today's post is a Rapid7 Project Sonar [https://sonar.labs.rapid7.com/] study of publicly accessible LDAP services on the Internet. This research effort was started in July of this year and various portions of it continue today.  In light of the Shadowserver Foundations's recent announcement [https://ldapscan.shadowserver.org/] regarding the availability relevant reports we thought it would be a good time to make some of our results public. The study was originally intended to be a

11 min Metasploit

NCSAM: Understanding UDP Amplification Vulnerabilities Through Rapid7 Research

October is National Cyber Security Awareness month and Rapid7 is taking this time to celebrate security research. This year, NCSAM coincides with new legal protections for security research under the DMCA [/2016/10/03/cybersecurity-awareness-month-2016-this-ones-for-the-researchers] and the 30th anniversary of the CFAA - a problematic law that hinders beneficial security research. Throughout the month, we will be sharing content that enhances understanding of what independent security research

6 min Project Sonar

Sonar NetBIOS Name Service Study

For the past several years, Rapid7's Project Sonar [https://sonar.labs.rapid7.com/] has been performing studies that explore the exposure of the NetBIOS name service on the public IPv4 Internet.  This post serves to describe the particulars behind the study and provide tools and data for future research in this area. Protocol Overview Originally conceived in the early 1980s, NetBIOS is a collection of services that allows applications running on different nodes to communicate over a network.  O

7 min Exploits

Bringing Home The EXTRABACON [Exploit]

by Derek Abdine & Bob Rudis [/author/bob-rudis/] (photo CC-BY-SA Kalle Gustafsson) Astute readers will no doubt remember the Shadow Brokers leak of the Equation Group exploit kits and hacking tools back in mid-August. More recently, security researchers at SilentSignal noted [https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/] that it was possible to modify the EXTRABACON exploit from the initial dump to work on newer Cisco ASA (Adaptive Security Appliance) devices, meaning that

6 min Project Sonar

Digging for Clam[AV]s with Project Sonar

A little over a week ago some keen-eyed folks discovered a feature/configuration weakness [http://seclists.org/nmap-dev/2016/q2/198] in the popular ClamAV malware scanner that makes it possible to issue administrative commands such as SCAN or SHUTDOWN remotely—and without authentication—if the daemon happens to be running on an accessible TCP port. Shortly thereafter, Robert Graham unholstered his masscan [https://github.com/robertdavidgraham/masscan] tool and did a s ummary blog post [http://bl

2 min Research

Rapid7 Releases New Research: The National Exposure Index

Today, I'm happy to announce the latest research paper from Rapid7, National Exposure Index: Inferring Internet Security Posture by Country through Port Scanning [https://information.rapid7.com/national-exposure-index.html], by Bob Rudis, Jon Hart, and me, Tod Beardsley. This research takes a look at one of the most foundational components of the internet: the millions and millions of individual services that live on the public IP network. When people think about "the internet," they tend to

6 min Research

The Attacker's Dictionary

Rapid7 is publishing a report about the passwords attackers use when they scan the internet indiscriminately. You can pick up a copy at booth #4215 at the RSA Conference this week, or online right here [https://information.rapid7.com/attackers-dictionary.html]. The following post describes some of what is investigated in the report. Announcing the Attacker's Dictionary Rapid7's Project Sonar [https://sonar.labs.rapid7.com/] periodically scans the internet across a variety of ports and protocols

5 min Project Sonar

Rapid7 Labs' Project Sonar - Nexpose Integration

With the release of Nexpose 5.17, customers were enabled to easily gain an outsider's view of their internet-facing assets.  This capability was made possible through integration with Rapid7 Labs' Project Sonar [/2013/09/26/welcome-to-project-sonar]. What is Project Sonar? Project Sonar is a community effort to improve security through the active analysis of public networks. This includes running scans across public internet-facing systems, organizing the results, and sharing the data with the

2 min AWS

The real challenge behind asset inventory

As the IT landscape evolves, and as companies diversify the assets they bring to their networks - including on premise, cloud and personal assets - one of the biggest challenges becomes maintaining an accurate picture of which assets are present on your network. Furthermore, while the accurate picture is the end goal, the real challenge becomes optimizing the means to obtain and maintain that picture current. The traditional discovery paradigm of continuous discovery sweeps of your whole network

3 min Metasploit

12 Days of HaXmas: Metasploit, Nexpose, Sonar, and Recog

This post is the tenth in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements and events in the Metasploit Framework over the course of 2014. The Metasploit Framework uses operating system and service fingerprints for automatic target selection and asset identification. This blog post describes a major overhaul of the fingerprinting backend within Metasploit and how you can extend it by submitting new fingerprints. Historically, Metasploit wasn't great at fin

2 min Project Sonar

2015: Project Sonar Wiki & UDP Scan Data

Project Sonar started in September of 2013 with the goal of improving security through the active analysis of public networks. For the first few months, we focused almost entirely on SSL, DNS, and HTTP enumeration. This uncovered all sorts of interesting security issues and contributed to a number of advisories and research papers. The SSL and DNS datasets were especially good at identifying assets for a given organization, often finding systems that the IT team had no inkling of. At this point,

17 min Project Sonar

R7-2014-17: NAT-PMP Implementation and Configuration Vulnerabilities

Overview In the summer of 2014, Rapid7 Labs started scanning the public Internet for NAT-PMP as part of Project Sonar [https://community.rapid7.com/community/infosec/sonar].  NAT-PMP is a protocol implemented by many SOHO-class routers and networking devices that allows firewall and routing rules to be manipulated to enable internal, assumed trusted users behind a NAT device to allow external users to access internal TCP and UDP services for things like Apple's Back to My Mac and file/media shar

2 min Project Sonar

R7-2014-16: Palo Alto Networks User-ID Credential Exposure

Project Sonar [https://community.rapid7.com/community/infosec/sonar] tends to identify unexpected issues, especially with regards to network security products. In July of this year, we began to notice a flood of incoming SMB connections every time we launched the VxWorks WDBRPC [/2010/08/02/shiny-old-vxworks-vulnerabilities] scan. To diagnose the issue, we ran the Metasploit SMB Capture [http://www.rapid7.com/db/modules/auxiliary/server/capture/smb] module on one of our scanning nodes and collec

3 min Project Sonar

107,000 web sites no longer trusted by Mozilla

Mozilla's Firefox and Thunderbird recently removed 1024-bit certificate authority (CA) certificates from their trusted store. This change was announced to the various certificate authorities in May of this year and shipped with Firefox 32 on September 2nd. This change was a long time coming, as the National Institute of Standards and Technology (NIST) recommended [http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf] that 1024-bit RSA keys be deprecated in 2010 and disallowed after

3 min Project Sonar

Gaping SSL? My Heartbleeds

As you may already know, last night a vulnerability affecting OpenSSL was reported and it most likely affects your organization. The "Heartbleed" SSL vulnerability affects widely deployed versions of the OpenSSL library, which is used in the majority of software, including web-, email-, database- and chat-servers. How does it work? This vulnerability allows an attacker to read a portion of memory from the remote system without the need for any known credentials or other authentication forms.

4 min Project Sonar

Legal Considerations for Widespread Scanning

Last month Rapid7 Labs launched Project Sonar, [/2013/09/26/welcome-to-project-sonar]a community effort to improve internet security through widespread scanning and analysis of public-facing computer systems. Though this project, Rapid7 is actively running large-scale scans to create datasets, sharing that information with others in the security community, and offering tools to help them create datasets, too. Others in the security field are doing similar work. This fall, a research team at the

3 min Exploits

Estimating ReadyNAS Exposure with Internet Scans

I wanted share a brief example of using a full scan of IPv4 to estimate the exposure level of a vulnerability. Last week, Craig Young [https://twitter.com/craigtweets], a security researcher at Tripwire, wrote a blog post [http://www.tripwire.com/state-of-security/vulnerability-management/readynas-flaw-allows-root-access-unauthenticated-http-request/] about a vulnerability in the ReadyNAS network storage appliance. In an interview with Threatpost [http://threatpost.com/netgear-readynas-storag

4 min Project Sonar

The Security Space Age

I was fortunate enough to present as the keynote speaker for HouSecCon 4 [http://houstonseccon.com/]. The first part of my presentation focused on the parallels between information security today and the dawn of the space age in the late 1950s. The second section dove into internet-wide measurement and details about Project Sonar. Since it may be a while before the video of the presentation is online, I wanted to share the content for those who may be interested and could not attend the event. A