Rapid7 Blog

Microsoft

Petya-like Ransomware Explained

TL;DR summary (7:40 PM EDT June 28): A major ransomware attack started in Ukraine yesterday and has spread around the world. The ransomware, which was initially thought to be a modified Petya variant, encrypts files on infected machines and uses multiple mechanisms both to gain entry to target networks and to spread laterally. Several research teams are reporting that once victims' disks are encrypted, they cannot be decrypted. For this reason, there's dissent on whether the Petya-like attack should be called ransomware at all. Whatever you call it, our advice is the same: back up, patch against MS17-010 vulnerabilities (mitigation against internal spread), and block TCP/445 traffic. Don't pay the ransom, since decryption by the attacker is impossible. Read on for further information on infection vectors, IOCs, and additional Rapid7 resources.

In the early morning hours of June 27, 2017, UTC+3 time, ransomware that appears to be an updated variant belonging to the Petya family surfaced in Eastern Europe (read a sample summary here). Incident detection and response professionals around the world immediately started connecting this Petya-like ransomware with the same EternalBlue exploits used by the WannaCry ransomware. Since the attack was so widespread, collecting a sample was pretty straightforward, and Rapid7's incident response team is currently analyzing what is actually going on here. This blog post will be updated throughout the day with what we know about the ransomware, as well as what Rapid7 customers can do to prevent, detect, and respond to it.

In the meantime, organizations are strongly advised to take the following actions:
- Ensure that all Windows systems have been patched against MS17-010 vulnerabilities.
- Employ network and host-based firewalls to block TCP/445 traffic from untrusted systems. If possible, block 445 inbound to all internet-facing Windows systems.
- Ensure critical systems and files have up-to-date backups. Backups are the only full mitigation against data loss due to ransomware.

Rapid7 has a ransomware resources page available here. For those already hit by this ransomware, our best guidance right now is to work with law enforcement and incident response experts. Our own incident responders are available 24/7 on the hotline: 1-844-RAPID-IR. Unfortunately - though we really hate to say so - the bottom line here is that if you don't have thorough and timely backups, paying the ransom will need to remain an option for you. See the 14:30 PM update for details.

Update 13:45 PM EDT: We've confirmed that this ransomworm achieves its initial infection via a malicious document attached to a phishing email, requiring a victim to download and open it (update: see the 16:50 text below). After that, it does indeed use the EternalBlue and DoublePulsar exploits to spread laterally. Unlike WannaCry, though, it is currently using these mechanisms to spread only on internal networks. While this is bad news for compromised organizations, the good news is that the spread directly across the internet is rather limited. The worse news is that there is still plenty of SMB on the internet to go after. Here's a map of the exposed SMB we've generated from some fresh Sonar data:

Malware rarely stays static for long, so it's only a matter of time before a variant of this malware is released that uses SMB to spread directly across the internet, just like WannaCry.

Update 14:30 PM EDT: Victims of this attack are directed to contact an email address once they've paid the ransom; however, the email account in question has been disabled by the German company that hosts it. Therefore, victims who pay the ransom are reportedly unable to recover their files. More details here.

Update 15:30 PM EDT: We've identified the IP addresses 95.141.115.108, 185.165.29.78, 84.200.16.242, and 111.90.139.247 as fine candidates to watch for at your firewall. If you see connection attempts to these addresses sourced from your internal network, either someone is infected, or someone is monkeying around with live malware samples. Jon Hart goes into more detail on these, and their associated domain names, in this gist.

Update 16:50 PM EDT: There have been some reports of Petya-like infections occurring in networks that seemed to lack the initial phishing component. While this might not appear to be possible, there are scenarios where this can seem to happen. First, recall that infected computers actively search their local network for targets vulnerable to the issues addressed in MS17-010. Second, some of these devices are quite mobile, and hop around networks. If my laptop gets popped by this ransomware in my home network at FooCorp, then I take it to my local coffee shop's wifi and infect someone from BarCom, when that BarCom employee goes back to the office, his incident response people are going to see this race around their network without the phishing email kicking everything off. This is one scenario where the phishing component would not be immediately obvious. There may be more to this malware, though, and our own IR engineers are still running through static and dynamic analysis, so we may have more on how this thing vectors around in the coming hours.

Update 18:00 PM EDT: We've confirmed that this ransomware uses a lightly modified version of mimikatz to extract credentials from memory for use in its psexec and WMI vectors for spreading. Mimikatz is a widely-used open source security tool used primarily by security researchers to understand how credential handling is performed in Windows environments. (Thanks, Tim and Mike!)

Update 20:15 EDT: For Rapid7 customers, you should be aware that we've already pushed the unique Indicators of Compromise (IOCs) out to all our InsightIDR users, and we've just published a handy HOWTO for InsightVM folks on scanning for MS17-010, which hits the exploit vector being leveraged in this attack. In the meantime, this is a fine time to review your own backup and restore capabilities -- especially the restore part. It seems unlikely we'll have any more updates through the night, but we're still pursuing analysis work. Once we learn anything new, we'll be updating here.

Announcing Microsoft Azure Asset Discovery in InsightVM

Almost every security or IT practitioner is familiar with the ascent and continued dominance of Amazon Web Services (AWS). But you only need to peel back a layer or two to find Microsoft Azure growing its own market share and establishing its position as the most-used, most-likely-to-renew public cloud provider. Azure is a force to be reckoned with. Many organizations benefit from this friendly competition and not only adopt Azure but increasingly use both Azure and AWS. In this context, security teams are often caught on the swinging end of the rope. A small shake at the top of the rope triggers big swings at the bottom. A credit card is all that is needed to spin up new VMs, but as security teams know, the effort to secure the resulting infrastructure is not trivial.

Built for modern infrastructure

One way you can keep pace is by using a Rapid7 Scan Engine from the Azure Marketplace. You can make use of a pre-configured Rapid7 Scan Engine within your Azure infrastructure to gain visibility to your VMs from within Azure itself. Another way is to use the Rapid7 Insight Agent on your VM images within Azure. With Agents, you get visibility into your VMs as they spin up. This sounds great in a blog post, but since assets in Microsoft Azure are virtual, they come and go without much fanfare. Remember the bottom-of-the-rope metaphor? You're there now. Security needs visibility to identify vulnerabilities in infrastructure to get on the path to remediation, but this is complicated by a few questions:
- Do you know when a VM is spun up? How can you assess risk if the VM appears outside your scan window?
- Do you know when a VM is decommissioned? Are you reporting on VMs that no longer exist?
- Do you know what a VM is used for? Is your reporting simply a collection of VMs, or do those VMs mean something to your stakeholders?

You might struggle with answering these questions if you employ tools that weren't designed with the behavior of modern infrastructure in mind.

Automatically discover and manage assets in Azure

InsightVM and Nexpose, our vulnerability management solutions, offer a new discovery connection that communicates directly with Microsoft Azure. If you know about our existing discovery connection to AWS, you'll find this familiar, but we've added new powers to fit the behavior of modern infrastructure:
- Automated discovery: Detect when assets in Azure are spun up and trigger visibility when you need it using Adaptive Security.
- Automated cleanup: When VMs are destroyed in Azure, automatically remove them from InsightVM/Nexpose. Keep your inventory clean and your license consumption cleaner.
- Automated tag synchronization: Synchronize Azure tags with InsightVM/Nexpose to give meaning to the assets discovered in Azure. Eliminate manual efforts to keep asset tags consistent.

Getting started

First, you'll need to configure Azure to allow InsightVM/Nexpose to communicate with it directly. Follow this step-by-step guide in the Azure Resource Manager docs. Specifically, you will need the following pieces of information to set up your connection:
- Application ID and Application Secret Key
- Tenant ID

Once you have this information, navigate to Administration > Connections > Create and select Microsoft Azure from the dropdown menu. Enter a Connection name, your Tenant ID, Application ID and Application Secret key (a.k.a. Authentication Key). Next, select a Site to contain the assets discovered from Azure. You can control which assets to import with Azure tags. Azure tags use a key:value format; to enter multiple tags, separate them with a delimiter, e.g., Class:DatabaseType:Production. Check Import tags to import all tags from Azure. If you don't want to import all tags from Azure, you can specify exactly which ones to import. The tags on the VM in Azure will be imported and associated automatically with Assets as they are discovered. When there are changes to tag assignment in Azure, InsightVM/Nexpose will automatically synchronize tag assignments. Finally, as part of the synchronization, when VMs are destroyed within Azure, the corresponding asset in InsightVM/Nexpose will be deleted automatically, ensuring your view remains as fresh and current as your modern infrastructure.

Great success! Now what...?

If you've made it this far, you have your Azure assets synchronized with InsightVM/Nexpose, and you might even have a handful of tags imported. Here are a few ideas to consider when looking to augment your kit:
- Create an Azure Liveboard: Use Azure tags as filtering criteria to create a tailored dashboard.
- Scan the site or schedule a scan of a subset of the site.
- Create Dynamic Asset Groups using tags to subdivide and organize assets.
- Create an automated action to trigger a scan on assets that haven't been assessed.

All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better. Not a customer of ours? Try a free 30-day trial of InsightVM today.

Patch Tuesday - June 2017

This month sees another spate of critical fixes from Microsoft, including patches for a number of Remote Code Execution (RCE) vulnerabilities. Two of these are already known to be exploited in the wild (CVE-2017-8543 and CVE-2017-8464). Today's patches are so crucial that Microsoft has once again released fixes for end-of-life operating systems, citing "the elevated risk for destructive cyber attacks at this time," and explicitly calling out the threat of nation-state actors. Updates are available for Windows XP, Windows Vista, Windows 8, and Windows Server 2003. They include fixes for MS17-013 (a Security Bulletin from April), as well as 21 CVEs with impact ranging across RCE, information disclosure, and elevation of privilege. Further details are available in Microsoft's Security Advisory 4025685.

This month's updates aren't just about severity, but quantity as well, with 94 separate flaws being patched (compared to 66 last month, and 44 in April). This doesn't even include the nine critical Adobe Flash Player RCE vulnerabilities (see APSB17-17 for details) that are also being fixed today and are rated "Priority 1" (meaning there is a high risk of vulnerable systems being targeted in the wild).

Most of the vulnerabilities are for Windows, split evenly between desktop and server flavors. All of the Windows CVEs have a severity of Important or Critical, with the bulk of impact being information disclosure, followed by RCE, privilege escalation, and some security feature bypass vulnerabilities in newer versions of Windows (8.1, 10, Server 2012 R2, and Server 2016).

Microsoft Office and Office-related software (e.g. SharePoint, Lync/Skype for Business, and Office Web Apps) also have plenty of vulnerabilities being addressed this month, with thirteen information disclosure vulnerabilities and twelve RCEs between them all. In addition to various RCE vulnerabilities for SharePoint being patched, Microsoft has released a defense-in-depth update for SharePoint Enterprise Server 2013 SP1 and Enterprise Server 2016 that hardens the products without addressing specific vulnerabilities.

As usual, web technologies continue to provide additional attack surface. 16 issues with the Edge browser have been patched: 10 RCE, 3 information disclosure and 3 security feature bypass vulnerabilities. Internet Explorer sees 4 RCE and 2 information disclosure bugs being fixed. Last but not least, two critical RCE vulnerabilities in Silverlight have also been patched (CVE-2017-0283 and CVE-2017-8527, each of which also affects several other products).

Hopefully you don't have any obsolete operating systems in your environment. But if you do, be sure to apply this month's patches, as attackers often see end-of-life systems as low-hanging fruit, and exploits are already out there. Of course, this means supported systems are also at significant risk. Best get patching!

Wanna Decryptor (WNCRY) Ransomware Explained

Mark the date: May 12, 2017. This is the day the “ransomworm” dubbed “WannaCry” / “Wannacrypt” burst — literally — onto the scene with one of the initial targets being the British National Health Service. According to The Guardian: the “unprecedented attack… affected 12 countries and at least 16 NHS trusts in the UK, compromising IT systems that underpin patient safety. Staff across the NHS were locked out of their computers and trusts had to divert emergency patients.” A larger estimate by various cybersecurity firms indicates that over 70 countries have been impacted in some way by the WannaCry worm. As of this post's creation time, a group with the Twitter handle @0xSpamTech has claimed responsibility for instigating the attack, but this has not yet been confirmed.

What is involved in the attack, what weakness(es) and systems does it exploit, and what can you do to prevent or recover from this attack? The following sections will dive into the details and provide guidance on how to mitigate the impact from future attacks.

What is "Ransomware"?

Ransomware is “malicious software which covertly encrypts your files – preventing you from accessing them – then demands payment for their safe recovery. Like most tactics employed in cyberattacks, ransomware attacks can occur after clicking on a phishing link or visiting a compromised website.” (https://www.rapid7.com/solutions/ransomware/)

However, WannaCry ransomware deviates from the traditional ransomware definition by including a component that is able to find vulnerable systems on a local network and spread that way as well. This type of malicious software behavior is called a “worm”, and the use of such capabilities dates back to 1988 when the Morris Worm spread across the internet (albeit a much smaller neighborhood at the time). Because WannaCry combines two extremely destructive capabilities, it has been far more disruptive and destructive than previous cases of ransomware that we've seen over the past 18-24 months. While the attackers are seeking ransom — you can track payments to their Bitcoin addresses 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw and 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 here: https://blockchain.info/address/ — there have been reports of this also corrupting drives, adding a destructive component as well as a ransom-recovery component to the attack.

What Systems Are Impacted?

WannaCry only targets Microsoft Windows systems and is known to impact the following versions:
- Microsoft Windows Vista SP2
- Windows Server 2008 SP2 and R2 SP1
- Windows 7
- Windows 8.1
- Windows RT 8.1
- Windows Server 2012 and R2
- Windows 10
- Windows Server 2016
- Windows XP

However, all versions of Windows are likely vulnerable, and on May 13, 2017 Microsoft issued a notification that included links to patches for all impacted Windows operating systems — including Windows XP. As noted, Windows XP is impacted as well. That version of Windows still occupies a 7-10% share of usage (as measured by NetMarketshare), and this usage figure likely does not include endpoint counts from countries like China, which have significant use of “aftermarket” versions of Windows XP and other Windows systems, making them unpatchable.

The “worm” component takes advantage of a Remote Code Execution (RCE) vulnerability that is present in the part of Windows that makes it possible to share files over the network (known as “Server Message Block” or SMB). Microsoft released a patch - MS17-010 - for this vulnerability on March 14th, 2017, prior to the release of U.S. National Security Agency (NSA) tools (EternalBlue / DoublePulsar) by a group known as the Shadow Brokers. Rapid7's Threat Intelligence Lead, Rebekah Brown, wrote a breakdown of this release in a blog post in April. Vulnerability detection tools, such as Rapid7's Metasploit, have had detection capabilities for this weakness for a while, with the most recent Metasploit module being updated on April 30, 2017.

This ransomworm can be spread by someone being on public Wi-Fi or an infected firm's “guest” WiFi and then taking an infected-but-not-fully-encrypted system to another network. WannaCry is likely still being spread by both the traditional phishing vector and this network worm vector.

What Can You Do?

- Ensure that all systems have been patched against MS17-010 vulnerabilities.
- Identify any internet-facing systems that have not been patched and remediate as soon as possible.
- Employ network and host-based firewalls to block TCP/445 traffic from untrusted systems. If possible, block 445 inbound to all internet-facing Windows systems.
- Ensure critical systems and files have up-to-date backups. Backups are the only full mitigation against data loss due to ransomware.

NOTE: The Rapid7 Managed Detection & Response (MDR) SOC has developed detection indicators of compromise (IOCs) for this campaign; however, we are only alerted once the malware executes on a compromised system. This is not a mitigation step.

UPDATE - May 15, 2017: For information on how to scan for, and remediate, MS17-010 with Nexpose and InsightVM, please read this blog.

A Potentially Broader Impact

We perform regular SMB scans as a part of Project Sonar and detected over 1.8 million devices responding to a full SMB connection in our May 3, 2017 scan. Some percentage of these systems may be Linux/UNIX servers emulating the SMB protocol, but it's likely that a large portion are Windows systems. Leaving SMB (via TCP port 445) open to the internet is also a sign that these systems are not well maintained, and are also susceptible to attack. Rapid7's Heisenberg Cloud — a system of honeypots spread throughout the internet — has seen a recent spike in probes for systems on port 445 as well.

Living With Ransomware

Ransomware has proven to be an attractive and lucrative vector for cybercriminals. As stated previously, backups, along with the ability to quickly re-provision/image an impacted system, are your only real defenses. Rapid7 has additional resources available for you to learn more about dealing with ransomware:
- Understanding Ransomware: https://www.rapid7.com/resources/understanding-ransomware/
- Ransomware FAQ: /2016/03/22/ransomware-faq-avoiding-the-latest-trend-in-malware

If you'd like more information on this particular ransomworm as seen by Project Sonar or Heisenberg Cloud, please contact research [at] rapid7 [dot] com. Many thanks to the many contributors across Rapid7 who provided vital information and content for this post. For more information and resources on WannaCry and ransomware, please visit this page.
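Both the Petya-like post and the WannaCry post above give the same two network-side signals to look for: internal hosts fanning out on TCP/445 (EternalBlue-style lateral scanning) and, for the Petya-like case, internal hosts contacting the four IP addresses in the 15:30 PM EDT update. The script below is an added example, not Rapid7 tooling: it runs that check over a constructed firewall log (the log line layout is an assumption for the example, not a vendor format) and also reports external sources that were allowed to reach 445, i.e. where the "block 445 inbound" advice is not in effect.

```python
"""Scan firewall connection logs for MS17-010-style SMB worm behaviour and for
contacts with the IP watchlist from the Petya-like post above."""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# The four addresses named in the 15:30 PM EDT update of the Petya-like post.
PETYA_WATCHLIST = frozenset({
    "95.141.115.108", "185.165.29.78", "84.200.16.242", "111.90.139.247",
})

# RFC 1918 space stands in for "our internal network" (assumption for the example).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log layout for this example, not a real vendor format:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    action: str


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Conn]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines rather than abort the whole batch
    return Conn(m["ts"], m["src"], m["dst"], int(m["dport"]),
                m["proto"].upper(), m["action"].upper())


def analyze(lines: Iterable[str], fanout_threshold: int = 8) -> dict:
    """Return three findings keyed by source IP:
    watchlist:   internal hosts that tried to reach a watchlist IP (infected, or
                 someone detonating samples, as the post puts it);
    smb_fanout:  internal hosts that opened TCP/445 to at least fanout_threshold
                 distinct internal peers (lateral SMB scanning);
    inbound_445: external sources the firewall allowed through to TCP/445.
    """
    watchlist = defaultdict(set)
    smb_targets = defaultdict(set)
    inbound_445 = defaultdict(set)
    for line in lines:
        c = parse_line(line)
        if c is None:
            continue
        if c.dst in PETYA_WATCHLIST and is_internal(c.src):
            watchlist[c.src].add(c.dst)
        if c.proto == "TCP" and c.dport == 445:
            if is_internal(c.src) and is_internal(c.dst):
                smb_targets[c.src].add(c.dst)
            elif not is_internal(c.src) and c.action == "ALLOW":
                inbound_445[c.src].add(c.dst)
    return {
        "watchlist": {s: sorted(d) for s, d in watchlist.items()},
        "smb_fanout": {s: len(d) for s, d in smb_targets.items() if len(d) >= fanout_threshold},
        "inbound_445": {s: sorted(d) for s, d in inbound_445.items()},
    }


# Constructed sample: one host sweeping 445 across a /24, one host calling a
# watchlist IP, one benign file-share client, one external probe, one junk line.
SAMPLE_LOG = [
    f"2017-06-27T09:0{i % 10}:00Z 10.0.5.17:5{1000 + i} -> 10.0.5.{100 + i}:445 tcp allow"
    for i in range(12)
]
SAMPLE_LOG += [
    "2017-06-27T09:12:00Z 10.0.5.18:52311 -> 95.141.115.108:80 tcp allow",
    "2017-06-27T09:13:00Z 10.0.5.20:52400 -> 10.0.1.5:445 tcp allow",
    "2017-06-27T09:14:00Z 203.0.113.9:40001 -> 10.0.1.5:445 tcp allow",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

A single client talking to one file server on 445 is normal and stays below the fan-out threshold; tune `fanout_threshold` to the size of the subnets your hosts legitimately browse.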

Patch Tuesday - May 2017

It's a relatively light month as far as Patch Tuesdays go, with Microsoft issuing fixes for a total of seven vulnerabilities as part of their standard update program. However, an eighth, highly critical vulnerability (CVE-2017-0290) that had some of the security community buzzing over the weekend was also addressed late Monday evening. A flaw in the scanning engine used by various Microsoft anti-malware products could allow attackers to fully compromise a user's system simply by sending them a file as an email attachment or in an instant message, or by enticing them to visit a malicious web page.

This vulnerability is especially dangerous for two reasons. In most attacks, users need to be tricked into opening a file or visiting a web page, and even then the malware would generally run at their privilege level unless it's able to escalate. But because the engine runs as SYSTEM, the highest privilege level, it's game over for a compromised system; the attacker has full control. Additionally, because the engine may scan files in the background before the user even sees them, exploitation can occur without the typical prerequisite social engineering tactics. The only good news here is that Microsoft shipped the fix very quickly after being notified, and since it's being delivered as an anti-malware update as opposed to via Windows Update, most users should get the patch without having to take any action.

The fixes released as part of the regular Patch Tuesday updates continue some long-standing trends we've seen from Microsoft, with critical KBs for all supported operating systems addressing remote code execution (RCE) and privilege escalation vulnerabilities. Two separate RCE vulnerabilities in Office were also patched, one of which (CVE-2017-0261) is known to be exploited in the wild. The other Office vulnerability, CVE-2017-0281, is rated "Important" but affects a wide range of products beyond just Office, including Skype for Business and several server platforms such as SharePoint, Office Web Apps, and Project Server 2013. Edge and Internet Explorer remain reliable attack surfaces, with RCE vulnerabilities being patched for both. Rounding out the vulnerabilities this month is a DNS denial of service (CVE-2017-0171) affecting all supported server operating systems.

Alongside today's updates, Microsoft published Security Advisory 4010323 indicating that they've now fully deprecated SSL/TLS certificates that use SHA-1 due to known weaknesses in the algorithm. IE 11 and Edge will no longer load sites with such certificates, and will instead display an invalid certificate warning. The exception to this is self-signed and enterprise certificates (those not chained to a Microsoft-trusted root); however, any such sites really should switch to SHA-2 based certificates as soon as possible.
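The SHA-1 deprecation above raises an obvious inventory question: which of our certificates are still SHA-1 signed? The signature algorithm sits in the outer signatureAlgorithm field of the X.509 DER structure, so it can be read without a full X.509 parser. The following is an added example, not code from the post; it uses only the standard library, maps the well-known signature OIDs to names, and builds a constructed stub certificate (correct outer layout, dummy contents) so it can be run without a real key pair.

```python
"""Flag certificates still signed with SHA-1 (sha1WithRSAEncryption, ecdsa-with-SHA1),
which IE 11 and Edge reject after Security Advisory 4010323.
Stdlib-only walk of  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
signatureValue }  that reads the OID inside signatureAlgorithm."""
import base64
from typing import Optional, Tuple

# Well-known signature algorithm OIDs -> (name, is_sha1_based)
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0  # first octet packs the first two arcs
    for b in raw[1:]:  # base-128, high bit set on all but the last octet of an arc
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm field of a DER certificate."""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input? use pem_to_der first)")
    _, _, tbs_end = _read_tlv(cert_der, start)        # skip tbsCertificate wholesale
    _, alg_start, _ = _read_tlv(cert_der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(cert_der[oid_start:oid_end])


def classify(cert_der: bytes) -> Tuple[str, Optional[bool]]:
    """(algorithm name, True if SHA-1 based, False if not, None if OID unknown)."""
    oid = signature_algorithm(cert_der)
    return SIG_ALGS.get(oid, ("unknown (" + oid + ")", None))


def pem_to_der(pem_text: str) -> bytes:
    body = [ln.strip() for ln in pem_text.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# --- constructed fixtures: valid outer layout, dummy contents, not real certificates ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_stub_cert(sig_oid: str) -> bytes:
    """Padded dummy tbsCertificate (forces a long-form length), a genuine
    AlgorithmIdentifier for sig_oid, and a dummy BIT STRING signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"A" * 200))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 64)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, classify(make_stub_cert(oid)))
```

On a real deployment, feed `classify(pem_to_der(open(path).read()))` each certificate in the chain, since an intermediate signed with SHA-1 trips the same warning as a SHA-1 leaf.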

Simple Vulnerability Remediation Collaboration with InsightVM

Many security groups today use ticketing systems that were originally designed for IT or developers, and are usually ill-suited to their vulnerability management needs. Even more commonly, teams simply rely on spreadsheets and unwieldy reports. On the other end of the spectrum, some security teams build a self-service workflow for their remediators and run into a lack of user adoption – remediators just are not logging in to the security console. At Rapid7, we think there has got to be a better way, so we've built Remediation Workflow Ticketing.

What is "Remediation Workflow Ticketing?"

Remediation Workflow Ticketing is a way to connect your Remediation Workflow to the systems that remediators work in on a daily basis. We've built a capability that integrates remediation projects with Atlassian JIRA to make it easier and more efficient to collaborate with vulnerability remediation teams. Security, IT, DevOps, Development, and Engineering may keep using their existing systems and workflow. The Remediation Workflow Ticketing Integration is not a replacement, but rather a complement to the native Remediation Workflow projects. With this ticketing integration, users can enable the automated generation of tickets for only the Remediation Workflow projects they see fit, saving more time as new work is added and must be tracked. Here's how you can get started...

Easy setup and re-use of ticketing preferences

A brief setup wizard asks for the minimal amount of information necessary – no need for complicated, tedious mappings between it and your ticketing system. Creating ticketing preferences does not automatically create tickets. Users can feel confident that their remediators will not be flooded with tickets while also being able to re-use preferences across projects. Users can designate the assignees of the tickets using rules based on filters. The filter query language is the same as the one used today for Liveboard cards and Remediation Workflow Dynamic Projects. Tickets that meet the filter criteria will be assigned to the ticketing system user of your choice. Users can reuse these preferences, saving time and effort by no longer having to constantly remember and repeat assignment logic.

Deliver the right message to IT

Tickets generated by the Remediation Workflow integration are targeted, precise, and contain the solution, vulnerability and asset information. Security groups no longer have to spend valuable time deciphering, redacting, and translating long reports into actionable work items. With powerful templating options, users can decide how verbose or how terse to be with the security data (i.e. context) they share on the tickets to their remediators. This is helpful as security groups interface with and rely on multiple groups, each with its own way of working with security. Using remediation variables, users can be strategic about managing their remediation orchestrations.

Tracking progress

Users can quickly monitor the progress of their remediation by looking at the “Tickets” column in the list of projects. While viewing a specific project, users can quickly see if a ticketing connection exists and whether it's enabled. By inspecting further, users can access each individual ticket associated with a particular solution. In short, users enjoy the flexibility of taking quick temperature reads of remediation tickets overall and also viewing individual tickets in full detail.

How to get started

The Remediation Workflow Ticketing Integration is a flexible way to gain greater visibility and control into your organization's remediation efforts, both big and small. It extends, and is also a great complement to, the native capabilities of Remediation Workflow. Security teams are freed from user management overhead and remediators do not have to disrupt their existing workflows. Both teams benefit from having just the right amount of security context in their tickets. Get started today by going to the Remediation Workflow - Project lists page and clicking on “Add a Ticketing Connection.” Of course, you can also read more in our Help documentation for the Remediation Workflow Ticketing Integration. If you are not a current customer of InsightVM, you can download a free 30-day trial and test drive this new capability as well.

Actionable Vulnerability Remediation Projects in InsightVM

Security practitioners and the remediating teams they collaborate with are increasingly asked to do more with less. They simply cannot remediate everything; it has never been more important to prioritize and drive remediations from start to finish. The Remediation Workflow capability in InsightVM was designed to drive more effective remediation efforts by allowing users to project manage efforts both large and small. Remediation Workflow is designed for security practitioners, with the aim of getting them from where they are today to where they envision their security programs to be in the future.

Vulnerability remediation can be a struggle

Let's say a security team wants a set of 10 vulnerabilities remediated across a set of 500 assets. This sounds simple, but in practice it could entail months of effort across several remediation teams. There are many considerations:

What's the most efficient way to eliminate 10 vulnerabilities across 500 assets?
Which assets should be remediated first?
The vulnerability is found across multiple operating systems and platforms. As a remediator, how do I track down the solution that is applicable to the asset I am trying to fix?
How do I get the right instructions to the right asset owners/administrators?

Addressing these questions through typical means, i.e. by vulnerability and by asset, means exposing the security team to theoretically 5,000 scenarios (10 vulnerabilities times 500 assets). This is most certainly an exaggeration, but doesn't the back and forth of remediation sometimes FEEL like there are 5,000 questions? We think there's a better way, and we've designed Remediation Projects to be driven by solutions, not vulnerabilities or assets.

Solutions drive vulnerability remediation

Solutions are the remediation steps to eliminate or mitigate a given vulnerability. A vulnerability may contain one or more solutions. Each solution may contain:

The steps to perform the solution
References to learn more about the solution or vulnerability
Risk associated with the solution

Here's the key: a single solution can remediate multiple vulnerabilities. You just have to know which solutions are shared across vulnerabilities. If you knew that, you could determine which solutions to execute on which assets to take down the greatest risk. This is precisely what Remediation Projects are designed to do: take on the mindless work of finding the best solutions for the assets within scope.

Creating Actionable Projects

The objective of using a Remediation Project is to drive action in remediation. That's it. To that end, a project should be readily actionable by you and the project's assignees. What do we mean by actionable?

The project should be able to be understood at a glance, without significant filtering, sorting or scrolling.
The project should be attainable within a finite period of time.

With these principles in mind, we have a few thoughts on how to create projects for action.

Start with Dynamic Projects

We recommend creating dynamic projects first because the asset and vulnerability filters give you more visibility and control over the number of solutions that will populate the project. Dynamic projects are very powerful and flexible. They provide elastic scoping based on real-time criteria on assets and vulnerabilities. In other words, any assets or vulnerabilities that meet the dynamic project's criteria will be included in the scope of the project. Dynamic projects provide unprecedented ways to maintain oversight on a defined set of work and enable users to pivot quickly in the event there are spikes (numerous instances of a vulnerability found, or an influx of matching assets entering the network). Some example scopes:

Any assets of a certain OS or platform family: Windows, Linux, servers, desktops, virtual hosts, etc.
Any assets with vulnerabilities of a certain category: Critical, Exploitable, CVSS or Risk Scores over a certain threshold.
Microsoft Patch Tuesday remediation tracking: utilize filter criteria such as vulnerability.title CONTAINS "msft-cve-2017" AND vulnerability.datePublished BETWEEN 03-01-2017 AND 04-01-2017.
Mission-critical, legacy, or otherwise sensitive assets.
Remediation response to a 0-day.

Determine your use case

If you're seeking to drive vulnerability remediation efforts and monitor progress, then utilize the asset filters to help scope by asset ownership (owner tag or OS/platform) and the vulnerability filters to focus on remediations prioritized by risk, CVSS score, severity, category, exploitability, etc.

Projects are not just for assigning work. There are other uses for Remediation Workflow aside from delegating solutions to assigned remediators. Security Managers can utilize projects without assignees in order to ease ad-hoc and recurring reporting requests. Security Managers can define organization-wide project scopes and separate "sub" projects of increasingly smaller scope in order to have visibility into remediation progress quickly and without disturbing or disrupting remediators. Is your aim more geared towards reporting and monitoring? If so, create a project with a due date and no assignees (unless they are required to aid in reporting).

Refine your project's scope

As a project owner, you can edit your dynamic project's scope at any time. Because some solutions can remediate multiple vulnerabilities, a high number of assets and a high number of vulnerabilities do not necessarily guarantee that a large number of solutions will result. However, scoping dynamic projects to a small number of assets and a narrow set of vulnerabilities will help yield a project with a manageable number of solutions. You can test the results of the asset and vulnerability filters by hitting "Apply." If your aim is to project manage and drive vulnerability remediation efforts, a dynamic project that is not too broad in scope is best, in order to avoid populating a project with solutions that are not really part of what you want to have actioned. Utilize the type-ahead behavior of the filters, as well as the Syntax Help/Query Dictionary (see below), in order to get a fuller sense of the filter criteria at your disposal:

Vulnerability exploitability
Skill set required to exploit the vulnerability
Asset tags (owner, custom, location)
Asset OS (family, architecture, vendor)
Asset risk score
Vulnerability severity, CVSS score
Vulnerability title contains a certain string
Vulnerability publish date

How to Get Started

Remediation Workflow provides a powerful and flexible way to define, monitor, manage, and drive remediation efforts big and small throughout your organization. Remediations can be challenging. Remediation Workflow reduces friction between security and IT teams with its solution-centric approach that automatically incorporates solution, asset, and vulnerability data, empowering teams to get from start to remediated faster. Get started today by clicking on the Projects button in the left-hand navigation menu, and if you need more details, you can find them in our Help documentation for Remediation Workflow.
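The "solutions, not vulnerabilities or assets" idea above, as an added example that is not InsightVM code: a greedy planner over constructed findings that keeps picking the (solution, asset) pair retiring the most risk, turns the result into per-solution work orders, and reports findings that no known solution covers. Asset names, solution names and the example-cve-* identifiers are constructed placeholders; only the msft-cve-* identifier format comes from the page.

```python
"""Solution-centric remediation planning: added example, not InsightVM code.

Constructed data model: a finding is (asset, vulnerability, risk), and
VULN_SOLUTIONS maps each vulnerability to the solutions that remediate it.
Applying a solution on an asset clears every open vulnerability on that
asset the solution covers, so the greedy loop below keeps picking the
(solution, asset) pair that retires the most risk. Solution names, asset
names and the example-cve-* ids are placeholders; msft-cve-* ids use the
identifier format discussed on the page.
"""
from collections import defaultdict

VULN_SOLUTIONS = {                        # vulnerability -> solutions that fix it
    "msft-cve-2017-0050": {"sol-windows-kernel-update"},
    "msft-cve-2017-0101": {"sol-windows-kernel-update"},
    "msft-cve-2017-0199": {"sol-office-update"},
    "example-cve-openssl": {"sol-openssl-upgrade"},
}

FINDINGS = [                              # (asset, vulnerability, risk score)
    ("win-srv-01", "msft-cve-2017-0050", 600.0),
    ("win-srv-01", "msft-cve-2017-0101", 550.0),
    ("win-srv-01", "msft-cve-2017-0199", 900.0),
    ("win-srv-02", "msft-cve-2017-0050", 600.0),
    ("win-srv-02", "msft-cve-2017-0101", 550.0),
    ("lnx-web-01", "example-cve-openssl", 700.0),
    ("lnx-web-01", "example-cve-no-solution", 300.0),   # nothing remediates this
]


def plan_remediation(findings, vuln_solutions):
    """Greedy plan as a list of (solution, asset, risk_removed, vulns_fixed),
    plus the findings that no known solution addresses."""
    open_by_asset = defaultdict(dict)                    # asset -> {vuln: risk}
    for asset, vuln, risk in findings:
        open_by_asset[asset][vuln] = open_by_asset[asset].get(vuln, 0.0) + risk

    plan = []
    while True:
        best = None
        for asset in sorted(open_by_asset):              # sorted => deterministic ties
            vulns = open_by_asset[asset]
            per_solution = defaultdict(list)             # solution -> vulns it fixes here
            for vuln in vulns:
                for sol in vuln_solutions.get(vuln, ()):
                    per_solution[sol].append(vuln)
            for sol in sorted(per_solution):
                fixed = sorted(per_solution[sol])
                gain = sum(vulns[v] for v in fixed)      # one action, several vulns
                if best is None or gain > best[0]:
                    best = (gain, sol, asset, fixed)
        if best is None:                                 # only unsolvable findings left
            break
        gain, sol, asset, fixed = best
        for v in fixed:
            del open_by_asset[asset][v]
        plan.append((sol, asset, gain, fixed))

    unresolved = sorted((asset, vuln, risk)
                        for asset, vulns in open_by_asset.items()
                        for vuln, risk in vulns.items())
    return plan, unresolved


def work_orders(plan):
    """Group the plan by solution: the instructions each remediator needs, and where."""
    orders = defaultdict(list)
    for sol, asset, _gain, _fixed in plan:
        orders[sol].append(asset)
    return {sol: sorted(assets) for sol, assets in orders.items()}


if __name__ == "__main__":
    plan, unresolved = plan_remediation(FINDINGS, VULN_SOLUTIONS)
    print(f"{len(FINDINGS)} asset/vulnerability pairs -> {len(plan)} solution steps")
    for sol, asset, gain, fixed in plan:
        print(f"  {sol:26} on {asset}: -{gain:.0f} risk ({', '.join(fixed)})")
    print("work orders:", work_orders(plan))
    print("no solution available:", unresolved)
```

With the sample data, seven asset/vulnerability pairs collapse into four solution steps, and the finding with no solution is surfaced separately instead of silently dropped.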

Patch Tuesday - April 2017

This month's updates deliver vital client-side fixes, resolving publicly disclosed remote code execution (RCE) vulnerabilities for Internet Explorer and Microsoft Office that attackers are already exploiting in the wild. In particular, they've patched the CVE-2017-0199 zero-day flaw in Office and WordPad, which could allow an attacker to run arbitrary code on a victim's system if they are able to successfully social engineer their target into opening or previewing a maliciously crafted document.

Microsoft has also already issued a fix for their new version of Windows 10 (1703, also known as the "Creators Update"), which was only made generally available today. It addresses several RCE and elevation of privilege vulnerabilities.

Data center admins can't rest easy, however. This month sees updates for all supported versions of Windows Server, with fixes across the board for RCE, privilege escalation, and denial of service (DoS) vulnerabilities.

Administrators should be aware that after today, Windows Vista will no longer be supported. Any systems running Vista should be upgraded to a supported version in order to continue receiving security fixes. As the recent zero-day IIS exploit for Server 2003 R2 reminded us, attackers are happy to take advantage of obsolete systems still in use.

It is also worth noting that information about this month's fixes is only available from Microsoft's Security Updates Guide. Instead of grouping related fixes under Security Bulletins such as MS16-XXX, their new system allows users to pivot on the vulnerability identifiers (CVEs) and KB article numbers. They also provide the ability to search and filter based on product, severity, and impact (e.g. RCE, DoS, etc.), which can help administrators prioritize how they roll out the updates. Please refer to this blog post for more details about how this affects Nexpose users.

Cisco Enable / Privileged Exec Support

In Nexpose version 6.4.28, we are adding support for privilege elevation on Cisco devices through the enable command, for those that are running SSH version 2. A fully privileged policy scan provides more accurate information on the target's compliance status, and the ability to do so through the enable password, while keeping the actual user's privilege low, adds an additional layer of security for your devices. This allows our users to run fully privileged policy scans on Cisco IOS without having to pre-configure the target with a user that has full privilege. Instead, they can enter the enable password in the credential window, similar to how sudo elevation is set up.

Simply navigate to the credential configuration page for SSH services, select Cisco Enable / privileged exec as your elevation type, and enter your enable password as the elevation password, per the screenshot below:

Introducing Interactive Guides

Recently, Rapid7 took a step forward to deliver insight to our customers: our vulnerability management solutions now include the ability to deliver interactive guides. Guides are step-by-step workflows, built to deliver assistance to users at the right time. Guides are concise and may be absorbed with just a few clicks. They are available anytime on-demand within the user interface, so you can quickly and easily find the information you need, as you need it, where you will be applying it.

Here's an example:

How Guides Work

Interactive guides are powered by Pendo.io. As you navigate through the user interface, relevant guides are made available based on the area of the application in use. Pendo serves Rapid7-authored content directly to the user. The user's workstation must be connected to the internet to make use of these new capabilities. We understand this limits access for some of Rapid7's customers, but for most individuals, internet access has become as important as the keyboard or a monitor.

To be clear: to receive guides, the user's workstation requires internet access. The machine hosting the Security Console does not require access to the internet.

How are guides delivered in context?

In order to determine which guides are relevant to a user in the moment, very specific information is transmitted to Pendo from the user's browser:

The URL navigated to
The CSS element the user has clicked on
A globally unique, random identifier for the user

With this information, Rapid7 is able to deliver very specific guidance to users when they need it, for improved experiences within the product. All data collected is anonymized, and all communications between the user's workstation and Pendo.io are encrypted with SSL/TLS.

Is my Nexpose data transmitted?

No data that is collected by Rapid7 Nexpose about your organization's assets or vulnerabilities is transmitted to Pendo or Rapid7:

No personally identifiable information, such as email addresses, names or User IDs, is transmitted.
No vulnerability data is transmitted.
No asset data is transmitted, inclusive of software, attributes, IP addresses, and other metadata.
No information collected by Scan Engines or Agents is transmitted.

To learn more about how Rapid7 and Pendo.io protect your information, please visit: http://rapid7.com/trust and http://www.pendo.io/support/trust/

I don't see any guides. When will they be available?

We're busy building guides right now. You can expect to see new guides in the coming weeks.

What if I cannot participate, or do not want to participate?

If your users have no access to the internet, then you won't be able to receive guides. No data will be transmitted and no guides will be delivered.

If you do not wish to receive guides, you can easily disable the capability on the Security Console:

1. Log in to the machine hosting the Security Console as an administrator.
2. Locate and edit nsc.xml. The file is located at "deploy/nsc/conf/nsc.xml" within the installation, for example "/opt/rapid7/deploy/nsc/conf/nsc.xml" in some Linux distributions. Make a copy of the file in case you need to revert the configuration.
3. Edit or add the following element: <Analytics enabled="false" />. This element should be a direct child of <NexposeSecurityConsole />.

This is a snippet of the nsc.xml file used to illustrate the format of the element. Your nsc.xml will differ.

Changes will take effect during the next Console restart.

Making inadvertent changes to the nsc.xml file can cause issues in your Security Console. Please contact Rapid7 Support for guidance or assistance.
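The opt-out steps above carried out in code, as an added example that is not Rapid7 tooling: it refuses to touch a file whose root is not <NexposeSecurityConsole>, takes the backup copy first, and only then adds or corrects <Analytics enabled="false" /> as a direct child. The element and parent names are from the post; the sample file contents, the helper names and the .bak naming are assumptions made for the demo.

```python
"""Disable interactive-guide analytics in nsc.xml: added example, not Rapid7 tooling.

Implements the post's steps: back up nsc.xml, then set
<Analytics enabled="false" /> as a direct child of <NexposeSecurityConsole />.
Only those two element names come from the post; the sample file content and
the helper names are constructed for the demo. Point set_analytics() at the
real file (e.g. /opt/rapid7/deploy/nsc/conf/nsc.xml) and restart the Console.
"""
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ROOT_TAG = "NexposeSecurityConsole"
ANALYTICS_TAG = "Analytics"


def set_analytics(nsc_xml: Path, enabled: bool = False) -> str:
    """Edit nsc_xml in place. Returns 'added', 'updated' or 'unchanged'.

    Caveat: ElementTree drops XML comments when it rewrites the file, so
    diff the .bak against the result before restarting the Console.
    """
    tree = ET.parse(nsc_xml)
    root = tree.getroot()
    if root.tag != ROOT_TAG:                  # refuse to edit the wrong file
        raise ValueError(f"expected <{ROOT_TAG}> root, found <{root.tag}>")
    want = "true" if enabled else "false"
    node = root.find(ANALYTICS_TAG)           # direct children only, as the post requires
    if node is None:
        ET.SubElement(root, ANALYTICS_TAG, enabled=want)
        status = "added"
    elif node.get("enabled") != want:
        node.set("enabled", want)
        status = "updated"
    else:
        return "unchanged"                    # nothing to write, so no backup churn
    shutil.copy2(nsc_xml, nsc_xml.with_name(nsc_xml.name + ".bak"))   # step 2 of the post
    tree.write(nsc_xml, encoding="utf-8", xml_declaration=True)
    return status


def analytics_enabled(nsc_xml: Path):
    """Read back the setting: None when no direct <Analytics> child exists."""
    node = ET.parse(nsc_xml).getroot().find(ANALYTICS_TAG)
    return None if node is None else node.get("enabled") == "true"


# Constructed stand-in for a real nsc.xml; the child element is a placeholder.
SAMPLE_NSC_XML = """<?xml version="1.0" encoding="UTF-8"?>
<NexposeSecurityConsole>
  <PlaceholderSetting value="constructed"/>
</NexposeSecurityConsole>
"""


def demo(initial: str = SAMPLE_NSC_XML) -> list:
    """Apply the procedure twice to a temp copy of `initial`; the second run
    must be a no-op. Returns [first status, second status, effective setting]."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "nsc.xml"
        path.write_text(initial, encoding="utf-8")
        first = set_analytics(path, enabled=False)
        assert path.with_name("nsc.xml.bak").exists()      # backup taken before the write
        second = set_analytics(path, enabled=False)        # idempotent re-run
        return [first, second, analytics_enabled(path)]


if __name__ == "__main__":
    print(demo())   # ['added', 'unchanged', False]
```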

Exploiting Macros via Email with Metasploit Pro Social Engineering

Currently, phishing is seen as one of the largest infiltration points for businesses around the globe, but there is more to social engineering than just phishing. Attackers may use email and USB keys to deliver malicious files to users in the hopes of gaining access to an organization's network. Users are likely unaware that unsolicited files, such as a Microsoft Word document with a macro, may be malicious and can be a major risk to an organization. Metasploit Pro can assist in the education of employees about these attack vectors.

Metasploit Pro's Social Engineering functionality is often used for its phishing capabilities, but it has other options - such as USB key drops and emailing of malicious files - that are able to obtain sessions on a target's device. As part of an internal training engagement or penetration test, these features will give more insight into the organization's defenses against social engineering attacks. This post will cover emailing malicious files utilizing the current Microsoft Word macro file format module.

To begin, start a new custom campaign and configure your email, starting with the email header and target list, similar to a phishing campaign. For Attack Type, select Attach File, give the attachment a name and select File format exploit. Search for "macro" and select "Microsoft Office Word Malicious Macro Execution". This will create a Microsoft Word document with a macro that will deliver a payload and open a shell back to Metasploit Pro.

Configure your target settings (I'll be using the OS X Python target for this example) and payload options. Then use the "BODY" field for the content of the Word document. (You can use plain text or XML-formatted data, which will be injected between the <p> and </p> tags of the Word XML document.) Click OK.

Click "NEXT" and format your email. Save your changes and configure your email server if you haven't done so already.

Launch your campaign and the email(s) will be sent to all the members of your target list, and a listener will be opened for the payload. The recipients will need to enable macros in order for the payload to launch. All those that enable the macro on the specified platform will have a shell that connects back to your Metasploit instance. Your campaign findings will list the number of targets, the recipients that opened the email, and the number of sessions opened. If any sessions are opened, you'll be able to interact with that session as you would any others via the Sessions page.

And there you have it. Metasploit has successfully sent malicious files and opened sessions on remote targets via the Social Engineering feature without attempting a phish. For more on the Microsoft Office Word Malicious Macro Execution module, see sinn3r's post here: /2017/03/08/attacking-microsoft-office-openoffice-with-metasploit-macro-exploits

Interested in learning more about Metasploit Pro's phishing capabilities? Watch the video below to see how easy it is to build a phishing campaign targeting your users to test their ability to detect malicious emails:

Patch Tuesday - March 2017

Due in part to the delay of February's fixes, today's Patch Tuesday is a big one, comprising 18 bulletins split evenly between "Critical" and "Important" ratings. It's also significant as three of the bulletins (MS17-006, MS17-012, and MS17-013) contain fixes for vulnerabilities that were previously disclosed by external vendors and have exploit code publicly available. Administrators should prioritize these three updates before moving on to the remaining Critical and then Important ones.

CVE-2017-0037 is a particularly nasty one, allowing attackers to remotely execute arbitrary code if a user visits a malicious web page using Internet Explorer 11 (or potentially Edge). CVE-2017-0038 allows remote attackers to glean potentially sensitive information from process heap memory due to an EMF file handling defect. And CVE-2017-0016 is a denial of service vulnerability that can crash Windows when connecting to a malicious SMB share. Exploit code for it has been publicly available since at least February 1st.

The fact that Microsoft published security bulletins at all this month may come as a surprise to some, given that they announced their intention to transition away from the Security Bulletin model in favour of their Security Updates Guide after January's updates. February's out-of-band release of Adobe Flash Player fixes as MS17-005 hinted that they weren't quite done with the format, and the slew of bulletins issued this month confirms that it's not yet deprecated.

Even so, the Rapid7 vulnerability content team is pressing forward with our promised changes to the way we identify Microsoft vulnerabilities. Instead of being bulletin-centric (e.g. "MS17-004: Security Update for Local Security Authority Subsystem Service (3216771)"), vulnerabilities will be broken down by CVE. For example, MS17-017 is split across four separate CVE identifiers:

msft-cve-2017-0050: Microsoft CVE-2017-0050: Windows Kernel Elevation of Privilege Vulnerability
msft-cve-2017-0101: Microsoft CVE-2017-0101: Windows Elevation of Privilege Vulnerability
msft-cve-2017-0102: Microsoft CVE-2017-0102: Windows Elevation of Privilege Vulnerability
msft-cve-2017-0103: Microsoft CVE-2017-0103: Windows Registry Elevation of Privilege Vulnerability

This provides a more accurate assessment of risk compared to the legacy approach, where a single bulletin could encompass many individual vulnerabilities. Indeed, across the 18 bulletins this month there are a total of 134 unique CVE identifiers.

One last piece of administrivia this month that security teams should be aware of: the security-only updates for Windows 7, Server 2008 R2, Windows 8.1, and Server 2012 R2 do not include security updates for Internet Explorer. This aligns with how Microsoft has traditionally shipped IE fixes, but is a change back from how they've done it over the past several months. Happy patching!

Attacking Microsoft Office - OpenOffice with Metasploit Macro Exploits

It is fair to say that Microsoft Office and OpenOffice are some of the most popular applications in the world. We use them for writing papers, making slides for presentations, analyzing sales or financial data, and more. This software is so important to businesses that, even in developing countries, workers that are proficient in an Office suite can make a decent living based on this skill alone. Unfortunately, high popularity for software also means more high-value targets in the eyes of an attacker, and malware-infested Office macros are like an irritating rash that doesn't go away for IT professionals.

A macro is a feature that allows users to create automated processes inside of a document used by software like Microsoft Word, Excel, or PowerPoint. This is used to enhance user experience, increase productivity, or automate otherwise manual tasks. But, in other words, it executes code. What kind of code? Well, pretty much whatever you want, even a Meterpreter session!

Macro attacks are nothing new or unusual. A typical attack usually involves embedding malicious macro code in an Office document, sending it to the victim, and asking him or her very nicely to enable that code. The saddest part isn't how lame the attack is, since you are basically begging the victim to run your malware. It's that people have been falling for this trick for decades! The impact of such attacks should not be underestimated. In fact, malicious macros are often used in ransomware and other high-profile breaches. For example, the Cerber ransomware was a macro attack against Office 365 that put millions of users at risk. Since Office 365 is extremely popular in businesses, we expect it to be one of malicious macros' favorite audiences for quite some time.

Yup, I think people call that social engineering, and apparently it always works. I figured: "ok, why not, a shell is a shell. Let me write some exploits for these"... and that's how Metasploit's macro exploits were born.

The Microsoft Office Macro Exploit

This Microsoft Office macro exploit is specifically written for the Word document format. It has been tested against these environments:

Microsoft Office 2010 for Windows
Microsoft Office 2013 for Windows
Microsoft Office 2016 for Windows
Microsoft Office Word for Mac OS X 2011

The following demonstrates how to create a macro exploit for Microsoft Office for OS X, setting up a handler, as well as obtaining a session:

If you actually have a valid certificate to sign the malicious macro, you can apply it by using Microsoft Office to sign the macro. With a valid cert there will be no "Enable Content" prompt; Microsoft Office will just execute your code by default. However, this is obviously only ideal for internal use. Good certificates are expensive.

The OpenOffice Macro Exploit

The Apache OpenOffice macro exploit is specifically written for OpenOffice Writer (odt). It has been tested against these environments:

Windows with PowerShell support (which should be the case since Windows 7)
Ubuntu Linux (which ships LibreOffice by default)
OS X

Unlike Microsoft, OpenOffice does not want to open any documents with macros, which means that in order to attack, the victim has to manually do the following in advance:

1. Choose Tools -> Options -> Security
2. Click the Macro Security button
3. Change the security level to either medium or low.

If the security level is set to medium, a prompt is presented to the user to either allow or disallow the macro. If set to low, the macro will run without warning.

Now let's talk about how to use the exploit. The design for it is actually different than the Microsoft one: not only will it create the malicious document file, the module will also spawn a web server and a payload handler. The purpose of the web server is that when the victim runs the macro, the malicious code will download the final payload from our web server and execute it. The following demonstrates how to use the exploit:

Exploit Customization

Although the Metasploit macro exploits work right out of the box, some cosmetic customizations are probably necessary to make the document look more legit and believable. To do this, you will need a copy of either Microsoft Office or OpenOffice (depending on the type of exploit you're using), and then:

1. Generate the exploit
2. Move the exploit to a platform with Office that can edit the document
3. Open the document with Office and do your editing there. When you're done, simply click save. As long as you're not modifying the macro, it should still work.

Time to Play!

Congratulations, young grasshopper! If you've read this far, and have not fallen asleep, then you are ready to start your journey of sweet Office macro pwnage. But before you leave, if you have never used Metasploit - a cyber weapon forged in the fires of um... Austin, Texas - then you shall download it here. If you already possess such power, then we strongly recommend you run msfupdate. Go now, embrace your destiny of pwnage, and let that glory be yours with Metasploit Office macro exploits.
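A defender's counterpart to the delivery vector in this post and in the Metasploit Pro Social Engineering post above, as an added example that is neither Metasploit nor Rapid7 code: a detector that opens the document container and reports whether a Word (OOXML) or OpenOffice Writer (ODF) file carries macros, which is the check a mail gateway or training exercise would run on attachments. The sample documents are constructed in memory with the real OOXML/ODF content-type strings and inert placeholder bodies; flag_attachments and the attachment names are assumptions.

```python
"""Macro-bearing document detector: added example, not Metasploit or Rapid7 code.

A defender's check for the delivery vector both posts describe: Word files
with macros (OOXML keeps VBA in a vbaProject.bin part and declares a
macroEnabled main content type) and OpenOffice Writer .odt files (ODF keeps
Basic macros under Basic/ and lists them in META-INF/manifest.xml). The
check reads the zip container itself, so a renamed extension does not fool it.
Sample documents are constructed in memory and contain no real macro code.
"""
import io
import zipfile


def build_zip(parts: dict) -> bytes:
    """Constructed helper: pack {name: content} into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


def inspect_document(data: bytes) -> dict:
    """Return {'format': 'ooxml'|'odf'|'unknown', 'has_macros': bool, 'evidence': [...]}."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"format": "unknown", "has_macros": False, "evidence": ["not a zip container"]}
    names = zf.namelist()
    evidence = []
    if "[Content_Types].xml" in names:
        fmt = "ooxml"
        # Word/Excel/PowerPoint store VBA in word|xl|ppt/vbaProject.bin
        evidence += [f"VBA project part: {n}" for n in names if n.lower().endswith("vbaproject.bin")]
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if "macroEnabled" in ctypes:
            evidence.append("macro-enabled main content type declared")
        if "vnd.ms-office.vbaProject" in ctypes:
            evidence.append("vbaProject content type declared")
    elif "mimetype" in names or "META-INF/manifest.xml" in names:
        fmt = "odf"
        # ODF stores Basic macros as Basic/<Library>/<Module>.xml; Scripts/ holds other languages
        evidence += [f"script part: {n}" for n in names if n.startswith(("Basic/", "Scripts/"))]
        if "META-INF/manifest.xml" in names:
            manifest = zf.read("META-INF/manifest.xml").decode("utf-8", "replace")
            if 'full-path="Basic/' in manifest or 'full-path="Scripts/' in manifest:
                evidence.append("manifest lists script parts")
    else:
        fmt = "unknown"
    return {"format": fmt, "has_macros": bool(evidence), "evidence": evidence}


def flag_attachments(attachments: dict) -> list:
    """Names of attachments that carry macros, mail-gateway style (assumed helper)."""
    return sorted(name for name, data in attachments.items()
                  if inspect_document(data)["has_macros"])


# Constructed samples: real content-type strings, placeholder bodies, inert "VBA" blob.
CLEAN_DOCX = build_zip({
    "[Content_Types].xml": (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'),
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = build_zip({
    "[Content_Types].xml": (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'ms-word.document.macroEnabled.main+xml"/></Types>'),
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00constructed placeholder, not a VBA project\x00",
})
MACRO_ODT = build_zip({
    "mimetype": "application/vnd.oasis.opendocument.text",
    "META-INF/manifest.xml": (
        '<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">'
        '<manifest:file-entry manifest:full-path="/" manifest:media-type='
        '"application/vnd.oasis.opendocument.text"/>'
        '<manifest:file-entry manifest:full-path="Basic/Standard/Module1.xml" '
        'manifest:media-type="text/xml"/></manifest:manifest>'),
    "content.xml": "<office:document-content/>",
    "Basic/Standard/Module1.xml": '<script:module script:name="Module1"/>',
})

if __name__ == "__main__":
    for label, doc in (("clean.docx", CLEAN_DOCX), ("macro.docm", MACRO_DOCM), ("macro.odt", MACRO_ODT)):
        print(label, inspect_document(doc))
```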

February 2017 Patch Tuesday: Delayed

Earlier today Microsoft announced that they will be delaying this month's security updates due to finding a last-minute issue that could "impact some customers." This may be due to a glitch in their new process that they were not able to iron out in time for today's planned release.

We will be keeping an eye out for any updates and will, as always, provide timely coverage for the security vulnerabilities once they become public. There is no word yet of when that might be.

A Reminder About Upcoming Microsoft Vulnerability Content Changes

Update (February 14th): Microsoft has delayed the release of their February 2017 security updates due to a last-minute issue. As always, we will provide timely coverage for the vulnerabilities once Microsoft has published the updates.

Next Tuesday (February 14th) will mark a major change in how Microsoft issues their security updates. Since October 2003, on the second Tuesday of each month (plus occasional bonus out-of-band updates) Microsoft has published a number of Security Bulletins detailing fixes to vulnerabilities in their software products. System administrators and security professionals are well familiar with identifiers of the form MS14-060, where the first two digits after MS refer to the year the bulletin was published and the last three increment over the course of the year. Each of these bulletins could include several vulnerabilities and/or Knowledge Base article identifiers (KBs).

After last month's atypically small number of bulletins, MS17-004 is the last of this format. Microsoft has announced that their new single destination for security vulnerability information will be their Security Updates Guide (still in "preview" as of this writing). Instead of publishing bulletins to describe related vulnerabilities, the new Updates Guide breaks down fixes by CVE identifier, KB number, and product.

What This Means For Nexpose Users

Nexpose's existing Windows Hotfix vulnerability content uses Microsoft's bulletin numbers, for example, MS16-151: Security Update for Windows Kernel-Mode Drivers (3205651). If you have any habits or workflows that assume identifiers or titles in this particular format (e.g. filtering by vulnerability title), they will not include Windows Hotfix content from this coming Patch Tuesday onward. The new format will be CVE-based, with identifiers of the form msft-cve-yyyy-nnnn. Legacy content will not be changed to reflect this new format. However, to take the above MS16-151 as an example, it would become two distinct vulnerabilities:

Microsoft CVE-2016-7259: Win32k Elevation of Privilege Vulnerability
Microsoft CVE-2016-7260: Win32k Elevation of Privilege Vulnerability

In case you are used to dealing with vulnerability IDs, these would be called msft-cve-2016-7259 and msft-cve-2016-7260 respectively. Although this may take some getting used to, it will result in more accurate risk scores, as described in this blog post from when we introduced a similar change for Adobe, Debian and Ubuntu security advisories. Check back next week after Microsoft issues February's updates; we will provide some more concrete examples of these changes, along with our standard analysis of the fixes.
