9 min
Malware
Modular Java Backdoor Dropped in Cleo Exploitation Campaign
While investigating incidents related to Cleo software exploitation, Rapid7 Labs and MDR team discovered a novel, multi-stage attack that deploys an encoded Java Archive (JAR) payload.
5 min
Emergent Threat Response
Widespread exploitation of Cleo file transfer software (CVE-2024-50623)
On Monday, December 9, multiple security firms began privately circulating reports of in-the-wild exploitation targeting Cleo file transfer software. Late the evening of December 9, security firm Huntress published a blog [http://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild] on active exploitation of three different Cleo products (docs [http://cleo-infoeng.s3.us-east-2.amazonaws.com/PDF/Harmony/5.8/Harmony_58_UserGuide_053123.pdf]):
18 min
Incident Response
Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware
Beginning in early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign being conducted by Black Basta ransomware operators.
7 min
Incident Response
Investigating a SharePoint Compromise: IR Tales from the Field
Our investigation uncovered an attacker who accessed a server without authorization and moved laterally across the network, compromising the entire domain.
2 min
Gartner
Three Recommendations for Creating a Risk-Based Detection and Response Program
In a report released earlier this summer, Gartner analysts offer three recommendations for fostering an environment of risk-based threat detection, investigation, and response that includes a deeper understanding of your organization’s risk profile by more than just the security team.
4 min
Emergent Threat Response
VMware ESXi CVE-2024-37085 Targeted in Ransomware Campaigns
On July 29, Microsoft published threat intelligence on observed exploitation of CVE-2024-37085, an authentication bypass vulnerability in Broadcom VMware ESXi hypervisors that has been used in multiple ransomware campaigns.
10 min
Managed Detection and Response (MDR)
Supply Chain Compromise Leads to Trojanized Installers for Notezilla, RecentX, Copywhiz
The following Rapid7 analysts contributed to this research: Leo Gutierrez, Tyler McGraw, Sarah Lee, and Thomas Elkins.
Executive Summary
On Tuesday, June 18th, 2024, Rapid7 initiated an investigation into suspicious activity in a customer environment. Our investigation identified that the suspicious behavior was emanating from the installation of Notezilla, a program that allows for the creation of sticky notes on a Windows desktop. Installers for Notezilla, along with tools called RecentX and
10 min
Managed Detection and Response (MDR)
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
10 min
Managed Detection and Response (MDR)
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Justice AV Solutions (JAVS) is a U.S.-based company specializing in digital audio-visual recording solutions for courtroom environments.
Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action.
5 min
Gartner
Rapid7 Recognized in the 2024 Gartner® Magic Quadrant™ for SIEM
Rapid7 is excited to share that we are named a Challenger for InsightIDR in the 2024 Gartner Magic Quadrant for SIEM.
8 min
Incident Response
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Rapid7 observes ongoing social engineering campaign consistent with Black Basta
11 min
Velociraptor
Velociraptor 0.7.2 Release: Digging Deeper than Ever with EWF Support, Dynamic DNS and More
Rapid7 is very excited to announce that version 0.7.2 of Velociraptor is now fully available for download. In this post we’ll discuss some of the interesting new features.
7 min
Incident Response
RCE to Sliver: IR Tales from the Field
Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions.
10 min
Velociraptor
Velociraptor 0.7.1 Release
Rapid7 is excited to announce that version 0.7.1 of Velociraptor is live and available for download. There are several new features and capabilities that add to the power and efficiency of this open-source digital forensic and incident response (DFIR) platform.
5 min
Vulnerability Management
Mastering Industrial Cybersecurity: The Significance of Combining Vulnerability Management with Detection and Response
The convergence of operational technology (OT) and information technology (IT) has ushered in new efficiencies but has also exposed vulnerabilities. This article explores the pivotal role of Vulnerability Management and Detection and Response (VM/DR) in the realm of Industrial Cybersecurity.