Posts tagged Project Sonar

2 min Research

Charting the Forthcoming PHPocalypse in 2019

This experiment began when Josh Frantz remarked that he would be curious about the potential exposure from the just-reached EOL date for PHP Version 7.0 and the forthcoming EOL date for PHP 5.6.

4 min AWS

Securing Buckets with Amazon S3 Block Public Access

Amazon Web Services recently introduced a new security enhancement to its cloud storage service: Amazon S3 Block Public Access.

5 min AWS

How to Conduct DNS Reconnaissance for $.02 Using Rapid7 Open Data and AWS

Rapid7 is happy to announce that a subset of data from Project Sonar is now available on Amazon Web Services (AWS).

4 min Project Sonar

VPNFilter's Potential Reach — Malware Exposure in SMB/Consumer-grade Devices

(Many thanks to Rebekah Brown [/author/rebekah-brown/] & Derek Abdine for their contributions to the post.) How does VPNFilter work? Over the past few weeks, Cisco’s Talos [https://www.cisco.com/c/en/us/products/security/talos.html] group has published some significant new research [https://blog.talosintelligence.com/2018/06/vpnfilter-update.html] on a new malware family called VPNFilter. VPNFilter targets and compromises networking devices to monitor the traffic that goes through them. The mal

1 min Honeypots

Whiteboard Wednesday: Your 6-Minute Recap of Q1 2018’s Threat Landscape

Gotten a chance to read Rapid7’s Quarterly Threat Report for 2018 Q1 [https://www.rapid7.com/info/threat-report/2018-q1-threat-report/]? If not (or if you’re more of an auditory learner), we’ve put together a 6-minute recap video of the major findings. In our Quarterly Threat Reports [https://www.rapid7.com/info/threat-report/], our security researchers provide a wide-angle view of the threat landscape by leveraging intelligence from the Rapid7 Insight platform [https://www.rapid7.com/products/

2 min Honeypots

Off the Chain! A Research Paper Observing Bitcoin Nodes on the Public Internet

Over the last several years, blockchain-based technologies have exploded in growth. Lately it seems like blockchains are turning up everywhere, from chicken management systems [https://www.bloomberg.com/news/features/2018-04-09/yes-these-chickens-are-on-the-blockchain] to the next hot cryptocurrency [https://medium.com/bitfwd/how-to-do-an-ico-on-ethereum-in-less-than-20-minutes-a0062219374]. Waves of new companies, products and applications exist, often in the form of just wedging a blockcha

3 min Vulnerability Management

Cisco Smart Install (SMI) Remote Code Execution: What You Need To Know

What’s Up? Researchers from Embedi discovered [https://web.archive.org/web/20180828224625/https://embedi.com/blog/cisco-smart-install-remote-code-execution/] (and responsibly disclosed) a stack-based buffer overflow weakness in Cisco Smart Install Client code which causes the devices to be susceptible to arbitrary remote code execution without authentication. Cisco Smart Install (SMI) is a “plug-and-play” configuration and image-management feature that provides zero-touch deployment for new (t

4 min Research

An Impressively Unprecedented Drop in Open memcached Services

(Many thanks to Jon Hart [https://twitter.com/jhartftw] and Tom Sellers [https://twitter.com/TomSellers] for their research and content for this blog post.) We started performing weekly monitoring of open/amplification-vulnerable memcached servers after the recent memcrashed [/2018/02/27/the-flip-side-of-memcrashed/] amplification distributed denial-of-service (DDoS) attack and today we have some truly awesome news to report, along with some evidence that the recent spate of DDoS attacks may n

2 min Project Sonar

The Flip Side of memcrashed

Rapid7 Labs keeps a keen eye on research and findings from other savvy security and technology organizations and noticed Cloudflare’s report [https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/] on new distributed denial of service (DDoS) amplification attacks using memcached [https://www.memcached.org/]. If you haven’t read Cloudflare’s (excellent) analysis yet, the TLDR is, memcached over UDP [https://github.com/memcached/memcached/blob/master/doc/protocol.txt

8 min Haxmas

The Ghost of a Botnet (Possibly) Past

For a week and a half in April, Rapid7 Labs observed a botnet with 18,000 distinct IPs marauding across the public internet. Then it disappeared, only to resurface again later. Join us as we tell the HaXmas tale of the ghost of a botnet past!

7 min Haxmas

Yankee Swapped: MQTT Primer, Exposure, Exploitation, and Exploration

This HaXmas, Rapid7's Jon Hart Yankee swaps readers a few minutes' attention for a festive look at MQTT exposure on the public IPv4 internet (and an exploitation module!).

8 min UNITED

Data Mining the Undiscovered Country

Using Internet-scale Research Data to Quantify and Reduce Exposure It’s been a busy 2017 at Rapid7 Labs. Internet calamity struck swift and often, keeping us all on our toes and giving us a chance to fully test out the capabilities of our internet-scale research platform [https://sonar.labs.rapid7.com/]. Let’s take a look at how two key components of Rapid7 Labs’ research platform—Project Heisenberg and Heisenberg Cloud—came together to enumerate and reduce exposure the past two quarters. (If r

11 min Research

Measuring SharknAT&To Exposures

On August 31, 2017, NoMotion’s “SharknAT&To” research [https://www.nomotion.net/blog/sharknatto/] started making the rounds on Twitter. After reading the findings, and noting that some of the characteristics seemed similar to trends we’ve seen in the past, we were eager to gauge the exposure of these vulnerabilities on the public internet. Vulnerabilities [https://www.rapid7.com/fundamentals/vulnerabilities-exploits-threats/] such as default passwords or command injection, which are usually tri

2 min Project Sonar

National Exposure Index 2017

Today, Rapid7 is releasing the second National Exposure Index [https://www.rapid7.com/info/national-exposure-index], our effort to quantify the exposure that nations are taking on by offering public services on the internet—not just the webservers (like the one hosting this blog), but also unencrypted POP3, IMAPv4, telnet, database servers, SMB, and all the rest. By mapping the virtual space of the internet to the physical space where the machines hosting these services reside, we can provide gr

6 min Research

WannaCry Update: Vulnerable SMB Shares Are Widely Deployed And People Are Scanning For Them (Port 445 Exploit)

WannaCry Overview Last week the WannaCry ransomware worm, also known as Wanna Decryptor, Wanna Decryptor 2.0, WNCRY, and WannaCrypt started spreading around the world, holding computers for ransom at hospitals, government offices, and businesses. To recap: WannaCry exploits a vulnerability in the Windows Server Message Block (SMB) file sharing protocol. It spreads to unpatched devices directly connected to the internet and, once inside an organization, those machines and devices behind the firew