
Metasploit Wrapup

CMS Exploitation Made Simple

"CMS Made Simple" is an open-source Content Management System. Mustafa Hasen
discovered and reported that versions 2.2.5 and 2.2.7 include a vulnerability in file uploads that permits an authenticated attacker to execute arbitrary PHP scripts. The multi/http/cmsms_upload_rename_rce exploit module uses our PHP Meterpreter to gain full control of the target.

Axis Allies

Isn't it lovely when a team comes together? Last week, a group of Metasploit developers and Rapid7 pen testers got together to play with a series of critical vulnerabilities in Axis cameras. The vulnerabilities permit an attacker with network access to the camera to bypass authentication and gain remote code execution as root. Check out the AXIS advisory and the team's Metasploit module, linux/http/axis_srv_parhand_rce.

PHPMyAdmin Login Scanner

Pen testers and players of last year's Metasploitable3 CTF know how valuable discovering the credentials to a MySQL database can be. Wouldn't it be great if you could easily check the credentials against a PHPMyAdmin instance? @space-r7 thought so too! Check out her auxiliary/scanner/http/phpmyadmin_login module.

Speaking of Pen Testers...

Earlier this week, Rapid7 released its second Under the Hoodie report, which digs into data from 268 pen tester engagements to highlight exploitation success rates, credential capture rates, and memorable "war stories" from the offensive security trenches. Download the (free, ungated!) report here to explore takeaways from our pen testing fam.

Open Source Security Meetup (OSSM): Vegas 2018

Like open source security? Want to take a break from corporate events at hacker summer camp to share projects and chat in a low-key environment? Stop by the fourth annual Open Source Security Meetup (OSSM) in Vegas from 4-6 PM August 9. There are no formal presentations this year (true meetup-style), but if you’re an open source security dev with a project you want to discuss, let us know here.

New Modules

Exploit modules (2 new)

Auxiliary and post modules (1 new)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.

To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based on the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.


Q&A with Rebekah Brown, Rapid7 Threat Intel Lead, on Attacker Behavior Analytics

A company is only as effective as the people behind it. Recently, I had the pleasure of sitting down with one of our incredibly talented threat intelligence analysts, Rebekah Brown, to learn more about her experience working on the front line of one of our newest and rapidly growing features, Attacker Behavior Analytics (or ABA), which is changing the world of incident detection and response.

1. Tell us about your role in threat intelligence at Rapid7.

My job is to coordinate threat intelligence across all of Rapid7’s products. Working alongside our in-house security operations center (SOC) for our managed detection and response (MDR) services team, my team and I are constantly investigating threats and suspicious behaviors. We not only want to know what attackers are out there, but what their intent is, what information they’re looking to steal, how they get in, and so on. We also look at attacks from a broader lens by understanding what else is going on in the world that might make an attacker more likely to target an industry or country in particular.

Before joining Rapid7, I worked in similar roles at Nike and in the U.S. Marine Corps, where I learned just how important it was to have a strategic view on security, and how monitoring for malicious behaviors, not just static indicators, can be a far more effective threat detection technique.

2. What is your role in creating Attacker Behavior Analytics?

Attacker Behavior Analytics was built to solve a critical need companies are facing today: to detect malicious behaviors at the earliest point in the attack chain—even if they’ve been altered to evade threat intelligence defenses.

Once our managed detection and response (MDR) team detects suspicious behavior (e.g. manipulation of a file, unusual login), they create a rule to detect future behaviors. As this behavior alerts, it gives the threat intelligence team an opportunity to better understand the behavior in order to identify if it is isolated to one victim or part of a larger campaign, if it is targeting a specific industry, and if other malicious activities were seen in conjunction with the behavior. Since we are on the front line of behavior detection, the intel we gather and rules we develop are presented to our InsightIDR team to become part of Attacker Behavior Analytics, which is then fed into a multitude of Rapid7 products to help customers detect and respond to attacks as early in the attack chain as possible.

Related: [VIDEO] Understanding the Attack Chain to Detect Intruders

Working alongside our SOC and Intel teams, we can pull together the who, what, where, when, and why of an attacker behavior so we can load ABA with context and create threat response recommendations. These offer step-by-step instructions so customers know what systems, files, and logs to look into to remove a threat and prevent it from coming back tomorrow … or ever.

3. What do you appreciate most about ABA?

What I love most about Attacker Behavior Analytics is that it’s a team effort. ABA is a product of the collaboration between our threat intel, MDR, Rapid7 Labs, IDR, and other Rapid7 teams, allowing us to fully understand attacker behaviors and arm our customers with the information they need to know.

It really does take a village to pull together all this information, and one of my favorite parts about working for Rapid7 is that we have the resources and expertise to do this. At the end of the day, everyone wants to help our customers better secure and protect their networks, and Attacker Behavior Analytics is one of those places where we can see this come to life. If you remember the show Voltron, when something urgent happened, all teams assembled and became one working entity. Here at Rapid7, we actually say “Voltron unite!” when we come together like this. At least I do, and everyone else just humors me.


4. In your experience working with customers, what do they love most about these threat detections?

The fact that ABA, alongside our InsightIDR product, is able to identify a lot of different activity is really important to customers. Because ABA helps customers rapidly determine which behaviors are malicious and whether they’re part of a larger campaign, it helps customers understand the bigger picture of what’s going on, such as an industry-wide attack or nation-state attack. Customers often tell me they appreciate how easy we make it to piece together activities.

ABA looks for one-off suspicious activity, as well as clusters of activity happening at the same time. This helps us define what we’re seeing, how widespread it is, where it’s coming from, what the goal of the attack is, and, ultimately, how we can stop it. Because these detections are based on behaviors—many of which happen in the early stages of the attack chain—customers are able to spot and stop attacks faster, which is incredibly valuable.

5. What are your top incident detection and response best practices for security teams?

There’s a saying that, “When everything is a priority, nothing is a priority.” That’s why my first piece of advice is that you should have a solid understanding of your own internal environment. Knowing what security vulnerabilities you have will help you to better interpret ABA, other types of detections, and threats you read about in the news. For example, if you determine that weak password use and phishing are the two main ways threats infiltrate your networks, then this will help you prioritize security awareness training over other things like state-sponsored malware or DDoS attacks that are far less relevant to you. There’s a constant alarm in the media that whenever something happens to one company, everyone needs to jump on it, but if you have self-awareness, you’ll be a better judge of what you should be spending your time on.

It’s also important to recognize that threats aren’t black and white. There is a spectrum of threats and the impact can vary from company to company. It’s tools like InsightVM, Rapid7’s vulnerability management solution, that can help better prioritize alerts based on what’s most important to the business, and if you use InsightIDR, you can see over time what is really happening on your network. If you see that 70% of issues are coming from spear phishing, for example, that’s an area you should really focus on from a technology, response, and user awareness perspective.

Thank you, Rebekah!

A big thanks goes out to Rebekah for spending some time with us diving into how ABA was created, why she was drawn to it (as well as why many customers are), and for offering some pro tips to our readers.

Do you have more questions for Rebekah? Leave a comment below. Do you love reading and want to continue learning about threat intelligence? Join her for our summer installment of the Threat Intelligence Book Club.



A Security Automation-Focused API for Forward-Thinking Vulnerability Management

Your Guide to InsightVM’s RESTful API

Released in January of 2018, Rapid7 InsightVM’s API version 3—the RESTful API—was a highly anticipated, perhaps somewhat inconspicuous, addition to our vulnerability management solution. Introduced as a successor to previous API versions, the RESTful API was designed for automation-focused security teams.

Let’s look at how (and why) the RESTful API was developed to get a better understanding of how you can use it.

Built to Code

InsightVM’s API v3 was developed in adherence to the Representational State Transfer (REST) architectural style, which defines a set of constraints or rules for creating RESTful web services, including APIs. One of these constraints mandates a client-server architecture. Simply put, the client can send requests to the server, the server will process those requests, then the server will return a successful operation or failure along with a status code (and some additional information) for troubleshooting. These requests, often referred to as API calls, utilize URLs and standard HTTP methods (ex. GET, POST, PUT, DELETE) to interact with data stored on the server. REST architecture dictates that client-server interactions must be stateless, so client data is not retained by the server between requests.

The API accepts and produces messages in JavaScript Object Notation (JSON), a language-independent and compact syntax that is easy to read and write. As a component of yet another REST constraint, it also follows Hypermedia as the Engine of Application State (HATEOAS) principles. The API is hypermedia friendly, meaning the server will return hyperlinks to available resources as part of its responses to the client. This helps decouple the client from the server, because the client doesn’t need to store any information locally, or even have knowledge of the web service prior to interacting with it. The REST client can discover all the resources it needs—dynamically—from the API itself.

An OpenAPI v2 specification file for the API is available to all users. This specification prescribes a machine-readable interface file governing the API’s functionality. This file can be provided to a variety of tools, such as swagger-codegen, to create documentation and even API clients.

Get to the point, already!

I wanted to provide some background on InsightVM’s RESTful API and set the stage for the rest of this blog, but it’s possible that you skipped over the tech jargon, or your eyes glazed over after the second (or third) acronym. That’s fair. One of my favorite questions following a lengthy exposition on technical info—both on the giving or receiving end—is a good old fashioned, “so what?” Trust me, try it out.

So, what does this information mean for me?

I’m glad you asked!

While previous versions of the API were enduring and feature-rich, they had the look and feel of locally executed code. Versions 1.1 and 1.2 were XML over HTTP APIs, and interaction with these services was controlled by Ruby Gems (and a pinch of Python). Client entanglement was a very real thing, locking capabilities behind a gauntlet of additional deployments and configurations. These APIs were thick clients in the age of virtualization: highly capable, but difficult to transition to the web. Such offerings have largely fallen out of favor with the developer community, and demand time and knowledge commitments beyond the means of many security teams.

InsightVM’s RESTful API is a modern web service, composed using a set of industry standards that make it both flexible and approachable for anyone with even a passing interest in harnessing its power. The REST style means that your API calls will be message-based and reliant on HTTP standards. Using JSON means that you can easily read and write those messages, while HATEOAS means that you’ll be working with a web service that is interactive and self-describing. You can wade into the code and learn as you go with a system that provides feedback to keep you pointed in the right direction.

As noted in an earlier post, you can explore API resources directly from your browser with simple URLs, or download a tool such as Postman to write some more advanced requests. The API is fully documented (with example code) directly within your InsightVM console interface and in our help documentation.

So, how can I use it?

Another great question! Let’s take a look at some real-world applications of the API.

Driving Security Automation

The RESTful API was purpose-built to feed automated and repeatable activities, and this is where it excels. It is not intended for one-time operations (e.g., managing the web certificate) or bulk data extraction (the Dimensional Data Warehouse Export is better suited to that).

Common use cases of InsightVM’s API include:

Automation of console activities

You can create and interact with components of the solution, such as users, assets, reports, and sites in an automated fashion.

For example, a simple URL sent through your browser will return a list of sites and their respective IDs:

https://10.3.71.73:3780/api/3/sites

Plug one of those site IDs into the following URL in Postman to initiate a scan with a ‘POST’ request:

https://10.3.71.73:3780/api/3/sites/52/scans

Write a script that sends that request, schedule it with a cron job, and you have a scheduled scan. (Quick and easy, right?)

What if we want to find some assets to add to a site prior to scanning? Let’s check the API documentation for some sample code that we can modify, starting with how to search for assets.

I want to create a group of assets with a CVSS score greater than 8 that are also assigned (or tagged) to Bob. I don’t want to just list these assets in my browser, though; I want to add them to an asset group so I can then use them as targets in a scan.

Perfect! Over to Postman with the request and the modified JSON.

Bob’s asset group now exists within InsightVM, so we can create a new site using that group.

While this was a relatively simple and straightforward set of actions, you may begin to envision a fully automated approach to scanning in the modern network, dynamically generating each and every component of a scan as needed. With many organizations turning to entirely virtual and ephemeral asset deployments—resources created and terminated on demand—we now have a way to align not just scan activities, but scan infrastructure, with those needs.
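To make the workflow above concrete, here is an added example in Python that is not Rapid7's code and not the unofficial client library: it lists sites by following the server's paging links, creates Bob's dynamic asset group from search criteria, wraps the group in a site, and starts a scan, using only the standard library. The console address, the site and group names, and the `owner-tag` filter field are assumptions; the endpoint paths and the resources/page/links response shape are as I recall them from the v3 documentation, so confirm the payloads against the API docs built into your console. `FakeConsole` is a constructed stand-in so the workflow can be exercised offline.

```python
# Added example (not Rapid7's code, nor the unofficial client library): drive the
# InsightVM v3 API with the standard library. Assumed: console URL, names, and the
# "owner-tag" filter field; endpoint paths and the resources/page/links response
# shape follow the v3 docs as I recall them; confirm in the console's API docs.
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterator, Optional, Tuple

# (method, url, headers, body) -> (status, parsed JSON body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]


def urllib_transport(verify_tls: bool = True) -> Transport:
    # A fresh console uses a self-signed cert; install a trusted one rather than
    # turning verification off in a cron job that carries admin credentials.
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
                raw, status = resp.read(), resp.status
        except urllib.error.HTTPError as err:      # 4xx/5xx: hand the body back
            raw, status = err.read(), err.code
        return status, (json.loads(raw) if raw else {})
    return send


class InsightVM:
    def __init__(self, base_url: str, username: str, password: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
                        "Content-Type": "application/json"}
        self._send = transport

    def _call(self, method: str, path_or_url: str, payload: Optional[dict] = None) -> dict:
        url = path_or_url if path_or_url.startswith("http") else self.base_url + path_or_url
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self._send(method, url, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {url} -> HTTP {status}: {data}")
        return data

    def iter_resources(self, path: str) -> Iterator[dict]:
        """Walk a paged collection by following the server's 'next' link (HATEOAS)
        instead of computing page numbers on the client."""
        url: Optional[str] = path
        while url:
            page = self._call("GET", url)
            yield from page.get("resources", [])
            url = next((lk["href"] for lk in page.get("links", []) if lk.get("rel") == "next"), None)

    def site_ids_by_name(self) -> Dict[str, int]:
        return {s["name"]: s["id"] for s in self.iter_resources("/api/3/sites?size=500")}

    def create_dynamic_asset_group(self, name: str, min_cvss: float, owner: str) -> int:
        criteria = {"match": "all", "filters": [
            {"field": "cvss-score", "operator": "is-greater-than", "value": min_cvss},
            {"field": "owner-tag", "operator": "is", "value": owner}]}   # field name assumed
        body = {"name": name, "type": "dynamic", "searchCriteria": criteria}
        return self._call("POST", "/api/3/asset_groups", body)["id"]

    def create_site_from_group(self, name: str, group_id: int) -> int:
        body = {"name": name, "scan": {"assets": {"includedAssetGroups": {"assetGroupIDs": [group_id]}}}}
        return self._call("POST", "/api/3/sites", body)["id"]

    def start_scan(self, site_id: int, scan_name: str) -> int:
        return self._call("POST", f"/api/3/sites/{site_id}/scans", {"name": scan_name})["id"]


def run_workflow(client: InsightVM, owner: str = "Bob") -> dict:
    """List sites, build the owner's CVSS>8 group, wrap it in a site, start a scan."""
    sites = client.site_ids_by_name()
    group_id = client.create_dynamic_asset_group(f"{owner} CVSS>8", 8.0, owner)
    site_id = client.create_site_from_group(f"{owner} targets", group_id)
    scan_id = client.start_scan(site_id, f"{owner} scheduled scan")
    return {"existing_sites": sites, "group_id": group_id, "site_id": site_id, "scan_id": scan_id}


class FakeConsole:
    """Constructed stand-in so the workflow runs offline: two pages of sites joined
    by a 'next' link, incrementing ids for each POST, and every call recorded."""
    def __init__(self):
        self.calls, self.next_id = [], 100

    def send(self, method, url, headers, body):
        self.calls.append((method, url, json.loads(body) if body else None))
        if method == "GET" and "/api/3/sites" in url:
            if "page=1" in url:
                return 200, {"resources": [{"id": 52, "name": "Bob's site"}], "links": []}
            return 200, {"resources": [{"id": 7, "name": "HQ"}],
                         "links": [{"rel": "next", "href": url.split("?")[0] + "?page=1"}]}
        if method == "POST":
            self.next_id += 1
            return 201, {"id": self.next_id}
        return 404, {}
```

For a real run, build the client with your console's URL, credentials read from the environment or a secrets store rather than pasted into the cron job, and the urllib transport with TLS verification left on. The API user should be a dedicated account holding only the site and asset-group permissions the script needs: the Basic credentials it sends on every request are equivalent to an interactive login to the console.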

Data interface between solutions

You can invoke the API to drive a data exchange between InsightVM and other solutions in your toolkit. Integrations of this type may include some of those listed on Rapid7’s Technology Partners page and bespoke workflows created for customers by our Enterprise Security Consulting team. Extract data from the console for sharing, or gather it elsewhere and provide it to InsightVM to establish or add context to your assets.

A very common question that we receive from our customers is, “can we integrate with our CMDB?” The good news is that we can typically jump right past the resounding “YES!” and dive into the details; what would you like to accomplish with this integration? The API can help establish scan targets, tag assets in InsightVM using pre-existing configuration item details (thus applying vital context), and even update your system of record by seeding the database with newly discovered assets. Run your scripts on a schedule and you’ll have an automated workflow that ensures up-to-date visibility across systems.


Custom interfaces

The majority of InsightVM users don’t need access to every piece of the web interface. Using the API, you can create a custom interface that exposes only necessary functions and information to those users, giving them a simpler view or list of actions for their day-to-day work. This can help streamline the user experience according to your organization’s needs and, well, lets you flex those creative muscles.

And in Conclusion...

If you’re interested (and feeling confident), it’s a good time to head over to GitHub and check out some of the Rapid7 information shared there, including the unofficial (but very useful) Python library. Within this repository, you’ll find some helpful instructions and documentation, including some sample code snippets like this, which is pulling a list of assets:

list_assets.py


APIs make the world go round. In the security world, APIs can be used to bridge gaps between individual systems throughout an organization’s ecosystem, helping establish an interconnected and automated program in which data and processes no longer live in independent silos.

A highly capable API is only as valuable as your ability to access and use it efficiently. Our hope is that InsightVM’s RESTful API is not only robust enough to draw you in, but accommodating enough to help you deliver value to your vulnerability management program.



Under the Hoodie 2018: Lessons from a Season of Penetration Testing

Today, I’m excited to announce the release of our 2018 edition of Under the Hoodie: Lessons from a Season of Penetration Testing by the Rapid7 Global Services team, along with me, Tod Beardsley and Kwan Lin. In this paper, we collect and analyze the results of a long-running exit survey we give to our penetration testing team that covers what goes on in real-world pentests: what kinds of vulnerabilities are exploitable, what kinds of software and network misconfigurations are leveraged to enhance access, and how user credentials are obtained and used.

268 Engagements Surveyed

Probably the most scientifically relevant feature of this paper is the fact that we’re able to collect data from hundreds of penetration testing engagements. A particularly industrious and busy individual pentester might be involved in about forty penetration tests in a given year, and most are involved in far fewer engagements. Drawn from hundreds of engagements across all sorts of industries and organization sizes, Under the Hoodie can help penetration testers learn what the normal baselines in their own specializations look like.

Exploitation Success Rates

We found that, overall, Rapid7 penetration testers were able to exploit at least one in-production vulnerability in 84% of all engagements. That figure rises to 96% of all internally-based penetration tests, where the pentester has (or gains) local network access. This finding tells us that while penetration testers don’t quite always win (by gaining administrative control of a network), when they are able to touch the internal LAN or WLAN, the attacker success rate significantly rises. While this finding might be intuitive to practitioners in this space, we believe there’s a lot of value to be had in actually measuring this success rate in the field.

Credential Capture

Just over half the time (53%) on a given engagement, at least one useful username and password is collected from the target organization, and that capture rate rises to 86% when the attacker is already in the local, internal network. Penetration testers will be the first to tell you that it’s usually easier to simply guess (or ask for) passwords than to exploit vulnerabilities and leverage network misconfigurations, and attacks involving capturing credentials tend to afford longer-lasting access.

This One Time on a Pentest

While the statistics around success and failure rates on penetration tests are fascinating on their own, this paper also pulls in a number of “war stories” related by individual penetration testers. These stories are both wildly entertaining tales of technical derring-do as well as illustrative examples of vulnerability exploitation, investigative techniques, and examples of the kind of in-the-moment flexibility that a seasoned professional penetration tester can provide to an organization. After all, when companies are paying for professional services, they should expect a level of experience and expertise that (alas) cannot be comprehensively provided by an automated scan-and-patch IT security solution.

Get the Details

So, if you’re interested in digging through the stats and stories that go into the business of penetration testing, you’re invited to download the free paper. If reading isn’t your thing, we’re also presenting our findings at a free webcast on July 31, so click here to register to hear Tod Beardsley and Kwan Lin go over the findings and methodology.

Metasploit Wrapup

Privilege Escalation

Linux BPF

CVE-2017-16995 is a Linux kernel vulnerability in the way that a Berkeley Packet Filter (BPF) program is verified. Multiple sign-extension bugs allow memory corruption by unprivileged users, which can be used for local privilege escalation: overwriting a credential structure in memory to gain root on a compromised host. The bpf_sign_extension_priv_esc module uses C exploit code written by rlarabee to perform the privilege escalation.

POP/MOV SS

How debug exceptions are handled after a MOV SS or POP SS instruction can lead to a privilege escalation vulnerability in certain Windows kernels. bwatters-r7 created a module in Framework that uses a compiled version of can1357's exploit to gain SYSTEM access on vulnerable 64-bit Windows hosts. Because the CVE is recent, the exploit works against several current 64-bit Windows 10 releases. If you would like to dig into how this exploit works and see how older architectural features can have unexpected effects on current software, check out can1357's blog post about it.

Open Source Security Meetup (OSSM): Vegas 2018

Like open source security? Want to take a break from corporate events at hacker summer camp to share projects and chat in a low-key environment? Stop by the fourth annual Open Source Security Meetup (OSSM) in Vegas from 4-6 PM August 9. There are no formal presentations this year (true meetup-style), but if you’re an open source security dev with a project you want to discuss, let us know here.

New Modules

Exploit modules (5 new)

Improvements

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub.

To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based on the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.


Open Source Security Meetup (OSSM): Vegas 2018

Want to chat with members of the Metasploit Framework core dev team about open source security in Vegas this year...without having to plan a presentation or trawl for an invitation? Metasploit is “hosting” the fourth annual Open Source Security Meetup (OSSM) in Las Vegas on August 9, and this time we’re going back to our OSSM roots: no rented space, no tickets, no guest list, no structured presentations—just a bunch of open source security developers and fans stopping by to talk shop and share ideas.

Where? When?

We'll be hanging out around the Lobby Bar area at Caesars Palace from 4 PM - 6 PM on Thursday, August 9 to talk open source development with anyone who cares to drop by.

Are you an open source security developer yourself?
Let us know in our survey here that you'd like to come and chat about your project with attendees; we'll have some Metasploit t-shirts on hand for OSS developers.

What’s different this year?

This year's OSSM is a true grassroots meetup, not a hosted event. There are no formal talks or presentations, and you don't need a ticket or an invitation to attend. Just show up, look for the folks in Metasploit shirts, and share what you're working on or what you'd like to see from the open source security world in the future.

Can't make OSSM but still want to say hi to us in Las Vegas? Visit us at the Rapid7 booth at BSides, where there will be an instance of Metasploitable3 to play around with, or at Rapid7's DEF CON table, where we'll be selling limited edition Metasploit t-shirts to benefit the EFF. See everywhere you can find Rapid7 in Vegas here.


Password Tips from a Pen Tester: What is Your Company’s Default Password?

Welcome back to Password Tips From a Pen Tester. Last time, I exposed common password patterns we see when we perform penetration testing service engagements for our clients at Rapid7. This month, let’s dig into the amazingly weak default passwords that so many companies use.

The first day on the job: We fill out all the requisite paperwork for Human Resources and get a computer and our network password. That password is often something easy to remember, and is often the same for every new employee. It might be Welcome1, ChangeMe! or one of our old favorites, the SeasonYear (e.g., Summer2018). If a new employee is having trouble signing in for the first time and they call the help desk, they can easily get the help they need. A big problem with this approach is that attackers can do the same thing. When I’m on a social engineering engagement with a company, one of my first moves is always to call the help desk with a story about being new and needing to know what the default password is (or that I can’t remember mine and would like to just have it reset to the original, default value). If I’m able to find out what that is, I can then attempt to log in with other usernames and that default password. This works because I know that some people don’t change their first password—ever.

I have compiled a list of more than 136,000 passwords from pentests done by the Rapid7 team over the last three months. From that data, I searched for some of these typical first passwords. For example, looking at versions of “welcome,” I see:

  • Welcome1 - 1015 times
  • Welcome! - 9 times
  • Welcome1! - 16 times

I also did a search for Welcome2 and got 637 results. This one is a little trickier because I am doing a wildcard search, so that could simply be someone who changed their Welcome1 to the next digit, or it could be a password like Welcome2Rapid7. When I dug in further, 121 of those were only Welcome2. Exactly 430 were of the Welcome2CompanyName variety and the remainder were Welcome2018 or some other small number of combinations.

It seems “change” might do a better job of conveying to employees that the password should be changed. I found 38 variations of ChangeMe, 4 instances of Changeit, and 9 entries for Changethispassw0rd (yes, that’s a zero).

The data does also show different single digits after the Welcome and Change, possibly indicating another common user behavior, that the account holder is simply incrementing the number on each required update.

With all this discussion of “Welcome” and “Change”, we need to look at one other password that we’ve seen many times before. While it might also be something chosen by users, sometimes it is the default password. This was the most common password that I found when searching through my data. It’s none other than our old friend “password”. I took my file with 137,000 passwords and sorted and counted each, and when I removed the company-specific passwords (e.g., Rapid7!) the top remaining password, with 960 entries, was Password1. As I look down the list, there are more versions of it. I see 314 entries for Password123, 175 entries for _Pass_Word1, 151 entries for password, 92 entries for Password2, and 60 entries for P@ssw0rd. The list of “passwords” just keeps going on and on.
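The counting described above can be reproduced over a password list with a short script. This is an added example, not the post's own tooling: it classifies each password into the default families discussed (Welcome, Change, Password, SeasonYear), separates a bare Welcome2 from Welcome2CompanyName with anchored regular expressions instead of a wildcard search, drops company-specific strings before ranking, and flags base words that appear with several different trailing digits, the incrementing behaviour noted above. `SAMPLE` is a constructed list; real input is one password per line on stdin, with any company terms to exclude passed as arguments.

```python
# Added example (not the post's own tooling): sort a captured password list into
# the default-password families the post discusses. SAMPLE is a constructed list;
# real input is one password per line on stdin.
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable

SYM = r"[!@#$%^&*]*"
# Anchored at both ends so "Welcome2" is counted apart from "Welcome2Acme", which a
# wildcard search ("Welcome2*") lumps together. Families are checked in order.
FAMILIES = {
    "welcome":         re.compile(rf"^welcome\d?{SYM}$", re.I),          # Welcome1, Welcome!
    "welcome+year":    re.compile(rf"^welcome\d\d\d?\d?{SYM}$", re.I),   # Welcome2018
    "welcome2+word":   re.compile(r"^welcome2[a-z].*$", re.I),           # Welcome2Acme
    "changeme":        re.compile(rf"^change(me|it|this)\w*{SYM}$", re.I),
    "password":        re.compile(rf"^p[a@]ssw[o0]rd\d*{SYM}$", re.I),
    "season+year":     re.compile(rf"^(spring|summer|fall|autumn|winter)(20)?\d\d{SYM}$", re.I),
}
INCREMENT = re.compile(r"^([A-Za-z]+)(\d)$")   # word plus one trailing digit


def classify(pw: str) -> str:
    for family, pattern in FAMILIES.items():
        if pattern.match(pw):
            return family
    return "other"


def summarize(passwords: Iterable[str], company_terms: Iterable[str] = ()) -> dict:
    pws = list(passwords)
    terms = [t.lower() for t in company_terms]
    # Company-specific strings (e.g. "Acme!") are dropped before ranking, as the
    # post does, so the generic defaults show through.
    generic = [p for p in pws if not any(t in p.lower() for t in terms)]
    families = Counter(classify(p) for p in pws)
    # Same base word seen with several different single digits suggests users
    # bumping the number at each forced change rather than picking a new password.
    digits: Dict[str, set] = defaultdict(set)
    for p in pws:
        m = INCREMENT.match(p)
        if m:
            digits[m.group(1).lower()].add(m.group(2))
    incrementing = {base: sorted(d) for base, d in digits.items() if len(d) > 1}
    return {"total": len(pws), "families": families,
            "top": Counter(generic).most_common(5), "incrementing": incrementing}


# Constructed sample, not real engagement data.
SAMPLE = (["Welcome1"] * 5 + ["Welcome2"] * 2 + ["Welcome3", "Welcome1!", "Welcome2018"]
          + ["Welcome2Acme"] * 3 + ["ChangeMe1"] * 2 + ["Changethispassw0rd"]
          + ["Password1"] * 4 + ["P@ssw0rd", "password", "Summer2018", "Acme!", "Acme2018",
             "correct horse battery staple"])

if __name__ == "__main__":
    import sys
    data = [line.rstrip("\n") for line in sys.stdin] if not sys.stdin.isatty() else SAMPLE
    result = summarize(data, company_terms=sys.argv[1:])
    print(result["total"], dict(result["families"]), result["top"], result["incrementing"])
```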

So how do we deal with these default passwords? The short answer is to force employees to change them. When the account is created, the system administrator should check the box for “User Must Change Password at Next Logon”. I can’t give instructions on exactly how to do it, as there might be slight variations for your environment, so I recommend using your vendor’s documentation on the proper way to set that value.

Ensuring that your people aren’t using a known, weak password will go a long way to helping the security of your network, and at least forcing them to change their original, default password is a great first step.


Interested in more penetration testing research from Rapid7? Check out our Under the Hoodie series, and uncover the most effective methods our pen testers have found to compromise high-value credentials.



How to Use Metasploit Teradata Modules

As penetration testers, we often find ourselves working with applications and services that are new to us or uncommon. In one such case, I performed an internal network penetration test that was focused exclusively on a handful of Teradata database servers. To test for weak passwords, I had cobbled together a Windows batch file that would wrap username and password lists around Teradata’s bteq application. However, one thing I wanted to do was come back sometime and build a proper Metasploit login scanner module.

We’ve created an auxiliary login scanner module for Teradata, as well as an admin module that you can use to run SQL queries once you have found credentials. Both of these are now in Metasploit.

Creation and Setup

Last year, the Metasploit team added support for Python modules in Framework. You can find some more background on how to write one here.

This seemed to be the way to go for Teradata because the REST API was an optional, add-on feature, and there is a Python Teradata module that works with the downloadable ODBC drivers.

So, before you can use these modules, you will need to install the Python module:

pip install teradata

You also need to download and install the ODBC drivers. You can create a free account on Teradata’s downloads site for tools, drivers, and even a Teradata Express virtual machine you can use for testing. To get everything set up on Kali Linux, you can use the Ubuntu drivers and README here. While there is documentation for installing the ODBC drivers from the .deb file, the basic steps are:

  • Install lib32stdc++6 if necessary
  • Install the ODBC drivers: dpkg -i [package].deb
  • Copy /opt/teradata/client/ODBC_64/odbc.ini to /root/.odbc.ini

Login Scanner

While we were working on this project, we added a Python module type for login scanners. This means that our Teradata login scanner uses our standard login scanner options, such as USERNAME, PASSWORD, USER_FILE, PASS_FILE, and USERPASS_FILE. It also means that valid credentials are written to the database.

In the example below, we’ve loaded the module, set a PASS_FILE containing the default ‘dbc’ password and ‘1234’, set our target with RHOSTS, and set the USERNAME we’re guessing to the default ‘dbc’:


When we run the module as configured, we see a successful login with ‘dbc:dbc’, and a failed login with ‘dbc:1234’:


A lot of the extra output you see above is a combination of what the ODBC driver outputs and how Metasploit reads output from Python modules.

SQL Query Module

Once we’ve identified credentials, there is another module we can use to run SQL queries. The built-in ‘dbc’ credentials are the default username and password option values. In the example below, we’re using them after setting our target host:


We’ve also built in a default SQL query that will list different database names. You can leave this alone as a starting point, or set the SQL option value to the SQL query that you want to run. When we run the module as configured, we get:


The End of the Beginning

To wrap up, we’ve now got a starting point for testing Teradata databases with Metasploit. Hopefully this will be a good base to build toward things like finding exploits and dropping payloads.


Threat Intel Book Club: July recap, August sign-up

Rebekah Brown and I kicked off the summer session of threat intelligence book club last week with Kim Zetter’s Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. For anyone new, the goal of this book club is three-fold: to learn about the history and role of threat intel in information security; to connect with others interested in threat intel; and to explore the applicability of threat intelligence in everyday contexts. No experience is required, and banter is all but guaranteed.

Our next (digital) meeting is Wednesday, August 29 at 8 PM EDT/5 PM PDT. We’ll cover chapters 7-10. Register (required) here!

A summary of last week’s discussion is below for those who want to catch up.

Summary: July 11 (Chapters 1-6)

  • Countdown to Zero Day tells the story of Stuxnet—the first malware targeting industrial control systems. The book incorporates information on malware, international relations, history, and traditional intelligence sources; it’s very much relevant to continued attacks against critical infrastructure.
  • In the first six chapters of the book, a Belarusian security firm discovers a zero-day exploit signed with legitimate digital certificates on an Iranian system. When signatures are added to security tools, thousands of malicious files pop up, and more security firms get involved. However, even as the malware is better understood, the motives for its release remain unclear.
  • To understand the motive and rationale of nation-state activity, it’s necessary to go beyond the malicious code; the book does a deep dive into the history of Iran’s nuclear programs and foreign powers’ efforts to monitor and limit them.

Takeaways: July 11 (Chapters 1-6)

  • There are very few limits to what a determined and well-supported adversary can do.
  • Malware analysis and Digital Forensics can give us a lot of information about what an attacker does...but not always why.
  • Important context may not be readily or publicly available; identifying knowledge gaps is critical to effective analysis.
  • Just like in The Cuckoo’s Egg (our first book club book), the researchers at Symantec had to convince their management to let them continue to work on the Stuxnet code. A personal sense of curiosity played a big part in driving the people in the book to understand complex problems and unravel incidents.

We’ll post discussion questions for August 29 here as the date draws closer. As always, post questions, comments, or suggestions below—or find Rebekah and me on Twitter. See you August 29!


Azure Security Center and Active Directory Now Integrate with the Rapid7 Platform

Today, we announced continued, more comprehensive development of the integration between the Rapid7 Insight platform and Microsoft Azure.

A new integration with Azure Security Center makes it easy to deploy the Rapid7 unified Insight Agent across new and existing Azure Virtual Machines. This automated deployment enables InsightVM customers to maintain constant visibility into the assets, vulnerabilities, and risks in their Azure environments.

Additionally, our InsightIDR user behavior analytics (UBA) now support Azure Active Directory, making it possible to identify compromised users and risky behaviors across both on-premises Active Directory and your Identity and Access Management (IAM) services hosted in the Azure cloud.

On a higher level, these two new integrations help Rapid7 customers break down the silos between IT and Security teams in an effort to power SecOps at their organizations. Simplifying the deployment of important security tools while providing visibility into the modern environment is critical for collaboration across teams towards shared goals.

Let’s dig into the day-to-day value-adds of these two new integrations:

Azure Security Center Integration with InsightVM

The small footprint and versatility of the unified Insight Agent makes it the ideal solution to monitor today’s modern environment. Azure Security Center makes it simple to automatically deploy the Insight Agent to Azure Virtual Machines as they are spun up.

Traditional vulnerability assessment solutions can’t keep up with the highly dynamic nature of cloud environments. Vulnerable assets can come online and operate for extended periods of time before traditional solutions identify their risk (if they do so before the asset spins down, that is). Rapid7’s Insight Agent and InsightVM ensure assets are continually assessed, without requiring scan engines or waiting for scan windows. As a result, security professionals know before attackers do when vulnerable assets have been introduced to their environments.

In addition to configuring Azure Security Center to auto-deploy the agent onto each new Virtual Machine, the agent can also be installed on all of your existing Virtual Machines with one click:

With the agent deployed to your existing assets (and automatically deployed on new assets), you’ll then be able to see all of your assets—from Azure, AWS, on-premises, VMware, and more—in a unified view in InsightVM.


Track your cumulative risk organization-wide over time.

For the full details of how to get set up, head on over to our help documentation.

Azure Active Directory Integration with InsightIDR

Rapid7 InsightIDR integrates with Microsoft Active Directory (and now Azure AD), DHCP, and LDAP to help you find early signs of user and asset compromise. This includes all of the top malicious behaviors behind breaches: the use of stolen credentials, malware, and lateral movement.


InsightIDR is able to consistently identify compromised users by applying user behavior analytics to the data already generated by your network and security stack. For example, once InsightIDR has access to logs generated by your directory services, activity on your network will be correlated to the users and assets behind them. Combined with our included, cross-product Insight Agent, you have visibility into user behavior across endpoint, network, and cloud.

With this new integration, you can have full visibility across your environment whether you are using Active Directory on-premises or Azure Active Directory in the cloud.


For the full details for connecting Microsoft Azure Active Directory, LDAP, and relevant DHCP data into InsightIDR, please see our help documentation here.

Not using InsightVM or InsightIDR yet?

Reduce risk in your Azure environment and respond to threats with confidence. Start your 30-day trial of InsightVM and InsightIDR today.



Committing to some shells in GitList

Metasploit Wrapup

Shelby has been killing it with new exploit and aux modules by the day. In this iteration, she's produced an exploit for GitList 0.6.0 and likely older versions. The software is built on PHP and allows users to view a Git repo on the web. Through an argument injection, a fake pager can be executed... that is really our shell. There's no reverting this one!

phpMyAdmin today, phpMyAdmin tomorrow

Our pentester-turned-dev and general bad*ss Jacob comes at us this week with a well-researched and implemented exploit module for phpMyAdmin 4.8.0 and 4.8.1. This vuln turns LFI (local file inclusion) into RCE (remote code execution, of course!). Jacob's exploit works on both Windows and Linux, including a MySQL table file on Windows and the PHP sessions file on Linux. Great job!

C randomization for your evasion totally legit needs

Longtime dev and researcher sinn3r aka "Wei Chen" took it upon himself to add C code randomization capabilities to Metasploit::Framework::Compiler. Now you can take raw C code, mutate it, and compile it on the fly with Metasploit. You can use the new feature independently or within a module. The possibilities are endless!

New Modules

Exploit modules (9 new)

Auxiliary and post modules (4 new)

Improvements

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.


How to Build Your Own Caller ID Spoofer: Part 2

In Part 1, we talked about the need for organizations to test their security programs by performing social-engineering campaigns with their employees so they can understand employee susceptibility to these kinds of tactics, the potential impact to the organization of this kind of attack, and develop methods of defending against a real attack. We spoke about the need for accurately simulating threat actors by setting up an Asterisk PBX server and configuring a SIP trunk in order to communicate with a chosen service provider. We discussed how to create an extension, how to manually set your caller ID, and how to interact with your brand new SIP trunk with Linphone, a popular open-source softphone application.

This post will take it a step further. We will discuss how to set up a DID external telephone number, configure a DISA and forward your call to your PBX, and how to set up an extension configuration that creates a menu for you and your users to automate the spoofing process. This way, you can dial a telephone number, enter (via touch-tone) the telephone number you want to spoof, and enter the telephone number you want to call.

And just to be completely and totally clear: The techniques described here are useful for bolstering your credibility when performing a penetration testing engagement that has a social engineering component. Spoofing your caller ID isn’t illegal in the United States, but misrepresenting your identity can be illegal in many situations. So, always get your client’s informed consent before tricking their employees. Always, always, always.

Alrighty, with that out of the way, let’s get started!

Setting up DID with your Service Provider

This step will be done through your service provider. You need to choose your external DID telephone number which will be used to externally dial in to your PBX. If your provider has a login portal like mine, you should be able to set this up online. Here’s an example of what it looks like on my provider’s portal:


These DIDs should not be very expensive. My service provider charges about 50 cents a month. Once you’ve got your DID telephone number, you need to be sure to route your DID to the Trunk we set up on the service provider earlier. This should also be possible through your VoIP provider’s portal. Here’s an example of what routing DIDs looks like with my provider’s portal:


Configuring DISA to Route Internal DID Calls to Internal Extension

With this step, we’ll be setting up the bridge that will link the external phone number to your PBX. For network engineers, this is functionally similar to setting up a VPN. You’ll need to ensure the DISA module is installed in your version of Asterisk.

  • Applications → DISA
    • You can install this plugin by:
      • Admin → Module Administration.
      • Select Standard, Extended, and Unsupported and click ‘Check Online.’


  • Once installed, navigate to Applications → DISA


  • Click ‘Add DISA’
    • Create a name.
    • Add a PIN to authenticate when dialing in to your DISA.
    • Everything else should remain default.


  • Connectivity → Inbound Routes


  • Enter your DID telephone number provided from your service provider.


  • Set Destination to the DISA we created earlier.


Writing Custom Extension to Spoof Calls on the Fly

Shoutout to Ventz from vpetkov.net for his blog on spoofing caller ID on the fly. I largely based my configuration off his example provided here:

https://blog.vpetkov.net/2011/07/10/spoofing-caller-id-on-the-fly-from-any-phone-for-legal-and-legitimate-purposes/

Custom Asterisk configurations must be saved in ‘/etc/asterisk/’ and contain ‘custom’ in the name (e.g., vim /etc/asterisk/extensions_custom.conf). The following configuration answers the incoming call arriving through the DISA we dialed into externally, plays the instructions (an audio file), accepts the user input, and dials the user-specified number with the user-specified caller ID:

```
[from-internal-custom]
include => proof-of-concept-custom

[proof-of-concept-custom]
exten => 1,1,Answer
exten => 1,n,Wait(2)
exten => 1,n,Playback(custom/welcome)            ; /usr/share/asterisk/sounds/custom/welcome.gsm
exten => 1,n(collect),Read(digito,,10)           ; up to 10 digits: the caller ID to present
exten => 1,n,Set(CALLERID(number)=1${digito})    ; dialplan function is CALLERID(), written without a space
exten => 1,n,Set(CDR(outbound_cnum)=1${digito})  ; record the same number in the call detail record
exten => 1,n,Answer
exten => 1,n,Wait(2)
exten => 1,n,Playback(custom/call)               ; prompt for the destination number
exten => 1,n(collect2),Read(digito1,,10)         ; priority labels must be unique within an extension
exten => 1,n,SayDigits(${digito1})               ; read the destination number back to the caller
exten => 1,n,Set(OUTBOUND_GROUP=OUT_3)
exten => 1,n,Playback(custom/dialing)
exten => 1,n,Dial(SIP/<sip trunk name goes here>/${digito1},300)
```

The configuration answers the call, then waits two seconds. The file “welcome” is then played, which is located in /usr/share/asterisk/sounds/custom/welcome.gsm. The system then waits for user input, accepting up to 10 digits to be entered. The user-submitted digits are then assigned to the outbound caller ID variable. The system then reads back the input submitted by the user, plays the /usr/share/asterisk/sounds/custom/call.gsm file, and assigns the user input to the destination phone number variable.
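As an added example that is not part of the post or of Asterisk itself, here is a small Python linter for dialplan fragments of this shape. It catches the slips a hand-typed extensions_custom.conf commonly carries: a space inside a function name in Set(), a priority label reused within one extension, a Dial() target that still holds a placeholder, a variable referenced before Read() or Set() assigns it, and an include of a context the file never defines. The KNOWN_APPS list is an assumption limited to the applications the post uses; the sample input is the dialplan as it originally appeared in the post (with “CALLER ID”, a reused “collect” label and the unfilled trunk name).

```python
"""Lint an Asterisk extensions_custom.conf fragment of the kind shown in the post.

Added example; not part of the original post or of Asterisk. Only the subset
of dialplan syntax the post uses is parsed: [context], include =>, and
exten => ext,priority[(label)],App(args).
"""
import re
from collections import defaultdict

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_INCLUDE = re.compile(r"^include\s*=>\s*(\S+)$")
_EXTEN = re.compile(
    r"^exten\s*=>\s*([^,]+),(\w+)(?:\(([^)]*)\))?,([A-Za-z]+)(?:\((.*)\))?$")
_VARREF = re.compile(r"\$\{([A-Za-z_]\w*)\}")          # plain ${var} references only
# Left-hand side of Set(): a variable name or a function call, no whitespace.
_SET_LHS = re.compile(r"^[A-Za-z_]\w*(?:\([^)]*\))?$")

# Assumption: the applications this post's dialplan relies on.
KNOWN_APPS = {"Answer", "Wait", "Playback", "Read", "Set", "SayDigits",
              "Dial", "Hangup", "Goto", "NoOp"}


def lint_dialplan(text):
    """Return a list of 'line N: message' findings for a dialplan fragment."""
    findings = []
    contexts, includes = set(), []          # defined context names; (lineno, included name)
    labels, seen_ext = set(), set()         # (ctx, ext, label); (ctx, ext) already started
    assigned = defaultdict(set)             # (ctx, ext) -> variables set so far
    ctx = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            ctx = m.group(1)
            contexts.add(ctx)
            continue
        m = _INCLUDE.match(line)
        if m:
            includes.append((lineno, m.group(1)))
            continue
        m = _EXTEN.match(line)
        if not m:
            findings.append(f"line {lineno}: unparsed dialplan line: {line}")
            continue
        ext, prio, label, app, args = m.groups()
        args = args or ""
        key = (ctx, ext)
        if key not in seen_ext:             # an extension must start at priority 1
            seen_ext.add(key)
            if prio != "1":
                findings.append(f"line {lineno}: first priority of exten {ext} should be 1, got {prio}")
        if label:
            if (ctx, ext, label) in labels:
                findings.append(f"line {lineno}: duplicate priority label '{label}' in exten {ext}")
            labels.add((ctx, ext, label))
        if app not in KNOWN_APPS:
            findings.append(f"line {lineno}: unknown application {app}")
        for var in _VARREF.findall(args):   # ${var} must have been Read() or Set() earlier
            if var not in assigned[key]:
                findings.append(f"line {lineno}: ${{{var}}} used before it is set in exten {ext}")
        if app == "Read":
            assigned[key].add(args.split(",", 1)[0].strip())
        elif app == "Set":
            lhs = args.split("=", 1)[0]
            if not _SET_LHS.match(lhs):
                findings.append(f"line {lineno}: malformed Set() target '{lhs}' (check spelling/whitespace)")
            elif "(" not in lhs:
                assigned[key].add(lhs)
        elif app == "Dial" and re.search(r"<[^>]*>", args):
            findings.append(f"line {lineno}: Dial still contains a placeholder: {args}")
    for lineno, name in includes:
        if name not in contexts:
            findings.append(f"line {lineno}: include of context '{name}' that is not defined in this file")
    return findings


# Constructed sample input: the dialplan exactly as it originally appeared in the post.
POSTED = """\
[from-internal-custom]
include => proof-of-concept-custom

[proof-of-concept-custom]
exten => 1,1,Answer
exten => 1,n,Wait(2)
exten => 1,n,Playback(custom/welcome)
exten => 1,n(collect),Read(digito,,10)
exten => 1,n,Set(CALLER ID(number)=1${digito})
exten => 1,n,Set(CDR(outbound_cnum)=1${digito})
exten => 1,n,Answer
exten => 1,n,Wait(2)
exten => 1,n,Playback(custom/call)
exten => 1,n(collect),Read(digito1,,10)
exten => 1,n,SayDigits(${digito1})
exten => 1,n,Set(OUTBOUND_GROUP=OUT_3)
exten => 1,n,Playback(custom/dialing)
exten => 1,n,Dial(SIP/<sip trunk name goes here>/${digito1},300)
"""

# The same fragment with the three slips corrected ("mytrunk" is a made-up trunk name).
FIXED = (POSTED.replace("CALLER ID(number)", "CALLERID(number)")
               .replace("n(collect),Read(digito1", "n(collect2),Read(digito1")
               .replace("<sip trunk name goes here>", "mytrunk"))

if __name__ == "__main__":
    for finding in lint_dialplan(POSTED):
        print(finding)
    print("fixed fragment findings:", lint_dialplan(FIXED))
```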

Conclusion

All of this information took me a few years to learn. Not because it was difficult, but mostly because I didn’t know I had a need for it, I had a different system/process in place for spoofing caller ID, and the information for how to spin up the infrastructure wasn’t readily available. Hopefully this will help you out with getting your spoofer rig set up. If you have any questions throughout the process, feel free to reach out via Twitter (fr4nk3nst1ner). We follow strict guidelines which are documented and approved in our customer contracts and only perform Vishing and spoof Caller ID after authorization has been provided. Remember to follow the rules, hack only authorized folks, and have fun with your next telephone pretexting gig!


Building a Tech Stack to Enable Security Orchestration and Automation

Let’s imagine you are designing a new city. You want this “city of the future” to be an ultra-efficient urban dwelling, hyper connected with easy-to-use public transportation (take notes, Boston). Would you design and build your entire city, and then decide how to connect it via these different transportation methods?

In short, no. If your true goal is to have a connected and efficient city, then you’ll be thoughtful throughout the development process to make sure your design supports this type of hyper connectivity and maximization. At Rapid7, this same thought process can be applied when you are looking to implement security orchestration, automation, and response (SOAR) in your environment.

SOAR can help maximize efficiency by giving your security team the ability to integrate your disparate security tools and automate manual, time-intensive security-related processes so that you and your team’s time can be spent much more strategically. Not only will you be able to break down various barriers within your security team, but also in other areas of the business.

And just like designing a city, you should take certain factors into consideration when building your security stack so that you can enable security automation and orchestration. With a thoughtfully implemented tech stack, you’ll likely see larger returns and more possibilities.

So, how do you build a tech stack while planning for security orchestration and automation? We’ve got a few pointers:

1. Evaluate Your Security Processes

To start, think about the processes you and your team spend most of your time performing. By looking at each process from a high level, you should be able to answer the following questions:

  • What are the overarching goals of the process?
  • Are the tasks well defined and repeatable?
  • Is the process achievable for your current team and tool set?
  • Will the process scale?

Next, dig deeper into these processes. Map out each step. What kicks off the process? What other tasks need to occur? Are there other teams involved?

This should also give you an idea of where human insight might be helpful. It may be possible to completely automate some of these processes, but in many situations you will want to layer human checkpoints between automated actions.

When you begin to implement security automation and orchestration in your environment, starting with these time-intensive processes and running through this checklist will provide quick wins to build a successful security orchestration and automation foundation.

2. Audit Your Current Suite of Security Tools

With the processes you have just evaluated, what associated tools do you use? Keeping tabs on these tools will be an important part of the design. Your current manual processes will likely involve using multiple products, as will your automated processes. You’ll want to list each of these tools out, and understand how they will fit into your automation goals.

The next questions to consider revolve around vendors and openness. When auditing your current tech stack, ask:

  • Do these vendors and tools have open APIs, and if so, how open are they?
  • Are their APIs well-documented?
  • How often do these APIs change, and how are these changes communicated?
  • Do these vendors offer support for developers who look to utilize their APIs?
  • Are they commonly announcing technical partnerships with other vendors?
  • Is there a cost associated with accessing their API?

These are a few key points that will help you determine the level of effort it will take to build automation between your tools. And for future purchases, you’ll be better equipped to pick the right technology for a security orchestration and automation-enabled stack, ultimately helping you get more value from your suite of tools.

At this point, you can also get more granular with the requirements for your tech stack. There will be scenarios where certain actions won’t be a good fit for automation, and a vendor will have a good reason for not exposing them via the API. If certain functionality that you require is not available via the API, determine which tools and actions are affected, and how they’ll fit in with your new, automated processes. Oftentimes, these tasks are great candidates for a person to perform. Which leads me to my next point ...

3. Highlight Automation Gaps and Determine Human Checkpoints

As you identify gaps in your processes and technology with relation to implementing security orchestration and automation, you’ll need to think about how these non-automated tasks will be handled.

You have a few options:

  • Work with the vendor to understand their roadmap. Are they moving in a direction that will enable automation?
  • Apply pressure where necessary. If their roadmap does not line up with your automation goals, you might consider investigating alternative solutions.
  • Mark that step as an area where human intervention may be necessary. Whether you’re working with a vendor to get that action added to the API or you’ve determined that the task is too risky for automation, partially automated processes still provide value to your security team.

It’s important to understand that human intervention does not reflect failures in the process itself. There will be tasks that you may not feel comfortable automating, so you’ll want to make room for human decision points in those scenarios.

This is where a security orchestration, automation, and response solution shines. Unlike custom-built orchestration and automation, a security orchestration and automation solution like Komand is designed to complement your security team by providing building blocks for automation, and allowing an automated process to pause so a person can step in and provide needed context or perform a business-critical task, such as patching a production server.

Another benefit of a security orchestration and automation solution? A library of integrations at your fingertips, with the APIs and data structures managed by the vendor. You won’t need to spend time maintaining APIs or chasing down the documentation—you’ll be empowered to build automation right away, instantly providing value to your team and company.

Maximizing Your Technology Investment with Security Orchestration, Automation, and Response

If your team wants to maximize efficiency and connectivity through security orchestration and automation, I urge you to take the aforementioned considerations into account with every building block that you put into place.

Security orchestration and automation can act as the glue that will connect the people, processes, and technology of your security program together so that you can achieve maximum efficiency. And with a solution in place like Komand, you’ll bolster the capabilities of your tech stack, allowing your team to actively respond to threats faster than ever before.

Want to see for yourself? Visit our website or request a demo.



Customer Spotlight: Why Evercore Invests in InsightVM for Security Visibility and Reporting

Vulnerability management is a big deal to us at Evercore—not just for compliance reasons, but because we feel it’s the right thing to do. With complete visibility into our network using InsightVM, a cloud-based vulnerability management tool, we can find vulnerabilities on any machine and fix issues straight away based on risk score. By addressing security this way, we see a substantial improvement to our overall risk posture because we know what the biggest vulnerabilities are. It also allows us to look at the software and processes we use, determine what’s safe and what’s not, and find better alternatives.

In this post, I’ll shed some light on why we chose InsightVM and how we use it today.

1. Clear and succinct vulnerability reporting through dashboards

The reports we were getting from our former vulnerability management tool were quite poor, spitting out two-inch-thick stacks of paper with every vulnerability, CVE score, and IP address listed out. No one wanted to deal with it, so it was difficult to do proper vulnerability management.

To fix this, I started looking at Rapid7. I spun up a private POC and ran an initial scan. I showed my boss the report and his eyes instantly lit up. He then spent the next week exploring and configuring it all himself. From there, it was an easy sell to the business and financial approval was quickly granted. Next, we began using InsightVM to monitor our cloud assets and found the reports for those assets to also be accessible, actionable, and relevant to both executives and our technical staff.

Once more people saw the reports, everyone became enthusiastic about vulnerability management, eager to attend weekly meetings to report on patches, and wanting to help our risk score go down. What’s great is we can get both an executive report as well as detailed reports for things like individual workstations, networks, servers, etc. that anyone on our team can read and act on. Now when threats like Wannacry come out, for example, more people want to help out because they can see in real-time the impact of patching.

Within InsightVM, we use dynamic asset groups to prioritize our most vulnerable assets. This allows us to track things like obsolete operating systems, newly discovered assets, IP locations, servers, and an actual asset count. It’s a great snapshot of what’s going on and allows us to go to our infrastructure and network teams and show them what servers or networks need to be patched in priority order.

We can also see in real-time on the dashboard what assets are most vulnerable according to InsightVM’s Real Risk Score powered by attacker-based analytics. This helps us target risky assets or offending software straight away. We also have DHCP feeds set up in InsightVM that catch new machines and classify them according to our rules so we can keep an eye on them. This has helped us get better visibility and patch faster.

2. Universal agents that provide broader coverage and live updates

Bringing agents into our environment forced us to completely rethink our attack surface. That’s because InsightVM’s agents picked up machines we didn’t know were there before, which helped us reframe our discovery process. For example, if our network team spins up assets without telling us, we know the agents will pick them up and notify us. And since we have remote workers who are operating outside the network, we can see them too because the agents aren’t restricted to just what’s on the network in our office. This helps us better track assets and ensure we don’t forget about the forgotten ones like old servers or out of office employees.

We also realized we didn’t have to be bound by the monthly scans to discover risk or have to re-run a scan if the first one fails (fully authenticated scans are just too labor intensive to set up and maintain, and tend to be prone to errors). We now push everything to the InsightVM agent and get a continual baseline of where vulnerabilities stand, meaning we don’t even have to wait for a scan to finish before we can start patching—we can do it straight away and then instantly see our risk score go down. This is incredibly motivating to our team.

3. Ease of setup

One of the best parts of InsightVM is you don’t have to be a grizzled security person with 30 years of experience to set it up or use it. It’s my infrastructure team that is responsible for logging on daily, running scans, and maintaining the patching process, and this was a big selling point for us. I don’t have to be heavily involved in the day-to-day operations of it, and my only job is to make sure everything is maintained, otherwise I can spend my time on longer-term projects and strategy.

Any infrastructure person with any interest in security, in our experience, will want to be involved in the running of InsightVM. Security people have been bad at allowing others to get involved mostly because non-security folks often can’t run the tools. It’s great that we can give them that responsibility with InsightVM and watch them go off and run it without our help. We then have a weekly meeting to review the top vulnerabilities and learn how our teams are working to bring risk down.

4. Proof of ROI in vulnerability management

ROI is pretty easy to prove with InsightVM because all I need to do is show my management team a monthly report on the downward trend of our Real Risk Score, which shows that what we’re working on is directly addressing risk. There isn’t a specific metric we measure, it’s more that we want to see a continual decline in risk and be able to demonstrate that we’re making progress, which InsightVM makes easy to do.

Anytime we spot a spike in the risk score (which is usually caused by a Patch Tuesday or a celebrity vulnerability like WannaCry), I can explain exactly why that is and what we’re doing about it. We can also see if any spikes in the risk score are due to risky software like Adobe, Flash, or Java, for example, which helps us justify dropping the use of such software.

Rapid7’s vulnerability management suite has shown us a whole new way of looking at our risk and better managing it, and our whole team has been excited to get involved.



Patch Tuesday - July 2018

This month's security updates from Microsoft address 50 separate vulnerabilities, including two fixes for Adobe Flash Player (APSB18-24). There are no 0-days this month, although three vulnerabilities had been publicly disclosed prior to the release: two privilege escalation vulnerabilities in Windows and a spoofing vulnerability in Edge whereby a user could be tricked into believing a malicious website is legitimate.

Over half of the vulnerabilities fixed today allow Remote Code Execution (RCE), and for the most part affect Edge and/or Internet Explorer. There are also RCEs in Lync / Skype for Business (CVE-2018-8311), Access (CVE-2018-8312), SharePoint Server (CVE-2018-8300), and Office (CVE-2018-8281).

Four vulnerabilities in .NET Framework have been patched: a security feature bypass, an RCE, a remote code injection, and an elevation of privilege.

On the server side, patches are relatively light this month. However, SharePoint Server admins should be aware of two privilege escalation vulnerabilities being fixed in addition to the RCE. A denial-of-service vulnerability in FTP Server is also fixed (CVE-2018-8206).

Software developers making use of Microsoft technologies should take note of the fixes for Visual Studio: CVE-2018-8172 allows RCE via a maliciously crafted project or resource file, and CVE-2018-8232 is an input validation bug in Microsoft Macro Assembler. There is also a fix for ASP.NET (CVE-2018-8171, a denial of service vulnerability). This is not to mention the usual spate of RCE vulnerabilities patched in ChakraCore, Microsoft's open source JavaScript engine.

[Charts: breakdown of the July 2018 Patch Tuesday vulnerabilities. Note: not all CVEs had CVSSv3 data available at the time of writing.]


The Rapid7 Belfast Security Operations Centre: Take a Video Tour

If you’ve never had the pleasure of visiting Belfast in Northern Ireland, I heartily recommend doing so. It’s an absolutely stunning city, with a plethora of activities, eateries, and bars, all brimming with wonderful Northern Irish hospitality. If you’re a Game of Thrones aficionado, you’re in for a treat too, as there are many filming locations within a throne’s throw (see what we did there! #notsorry) of the city. The purpose of this blog is actually not to gain favour with the Belfast tourist board, or George RR Martin for that matter (though please hurry up!), but you’d be forgiven for thinking so.

Belfast is also home to two top-notch universities, which brings not just a cool university town feel to the city, but also a regular wave of super smart new students. Rapid7, like many tech companies, chose to invest in the city for this reason, and we’ve forged great relationships with the universities and the local security community.


Making a Rapid7 Home in Belfast

What started 4 years ago as one person in their home office is now a bustling technology centre, which has grown to be the second largest Rapid7 office overall, and the largest engineering site. We’ve hired software engineers, technical support teams, product managers, IT people, and have seen multiple local students join the herd as interns, many of whom have returned to us when they’ve completed their studies.


In recent months we’ve also added a fully operational battleship, or indeed a Security Operations Centre (SOC), where our managed services team provide round-the-clock security for our customers. This team, who have incredibly impressive backgrounds (including a minimum of 300 hours of breach response experience), provide managed detection and response capabilities for a wide range of organisations who benefit from having an extended team of Rapid7 experts. Our customer advisors are supported by multiple tiers of analysts who perform threat hunts, investigate anomalies, and respond to incidents, and a threat intelligence team run by the awesome Rebekah Brown.

Want to Learn More About Rapid7 Security Operations Centres?

Ever wondered what happens at a Rapid7 SOC? While we can’t share too much, join us for a glimpse into the world of Castle Black (yes, our Belfast conference rooms are GoT themed because OBVIOUSLY), and learn how our spotters, defenders, and hunters take care of our managed detection and response customers around the world. This video will transport you right into the heart of our Belfast SOC.

If your organisation would like to know more about the benefits of Rapid7’s managed detection and response service please visit our website or contact us. Our team is ready to become your team!
