Posts tagged Emergent Threat Response

8 min Incident Response

Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators

Rapid7 observes ongoing social engineering campaign consistent with Black Basta

3 min Emergent Threat Response

Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise

CVE-2024-4040 is an unauthenticated zero-day vulnerability in managed file transfer software CrushFTP. Successful exploitation allows for arbitrary file read as root, authentication bypass for administrator account access, and remote code execution.

4 min Emergent Threat Response

CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls

On Friday, April 12, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 vulnerability in several versions of PAN-OS, the operating system that runs on the company’s firewalls. CVE-2024-3400 allows for arbitrary code execution as root.

3 min Emergent Threat Response

Backdoored XZ Utils (CVE-2024-3094)

On Friday, March 29, after investigating anomalous behavior in his Debian sid environment, developer Andres Freund contacted an open-source security mailing list to share that he had discovered an upstream backdoor in widely used command line tool XZ Utils (liblzma).

19 min Emergent Threat Response

CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities (FIXED)

Rapid7’s vulnerability research team identified two new vulnerabilities affecting JetBrains TeamCity CI/CD server: CVE-2024-27198 and CVE-2024-27199, both of which are authentication bypasses.

3 min Vulnerability Management

High-Risk Vulnerabilities in ConnectWise ScreenConnect

On February 19, 2024 ConnectWise disclosed two vulnerabilities in their ScreenConnect remote access software. Both vulnerabilities affect ScreenConnect 23.9.7 and earlier.

7 min Incident Response

RCE to Sliver: IR Tales from the Field

Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions.

2 min Emergent Threat Response

Critical Fortinet FortiOS CVE-2024-21762 Exploited

CVE-2024-21762 is a critical out-of-bounds write vulnerability in Fortinet's FortiOS operating system that is known to have been exploited in the wild. Fortinet SSL VPN vulnerabilities are frequent targets for state-sponsored and other motivated adversaries.

2 min Emergent Threat Response

CVE-2024-0204: Critical Authentication Bypass in Fortra GoAnywhere MFT

On January 22, 2024, Fortra published a security advisory on CVE-2024-0204, a critical authentication bypass affecting its GoAnywhere MFT secure managed file transfer product prior to version 7.4.1.

3 min Emergent Threat Response

Critical CVEs in Outdated Versions of Atlassian Confluence and VMware vCenter Server

Rapid7 is highlighting two critical vulnerabilities in outdated versions of widely deployed software this week. Atlassian disclosed [http://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html] CVE-2023-22527, a template injection vulnerability in Confluence Server with a maxed-out CVSS score of 10, while VMware pushed a fresh update to its October 2023 vCenter Server advisory [http://www.vmwar

6 min Emergent Threat Response

Zero-Day Exploitation of Ivanti Connect Secure and Policy Secure Gateways

Ivanti Connect Secure and Ivanti Policy Secure gateways have been exploited in the wild to gain access to corporate networks and conduct a range of nefarious activities, including backdooring legitimate files.

5 min Emergent Threat Response

CVE-2023-49103 - Critical Information Disclosure in ownCloud Graph API

On November 21, 2023, ownCloud disclosed CVE-2023-49103, an unauthenticated information disclosure vulnerability affecting ownCloud, when a vulnerable extension called “Graph API” (graphapi) is present.

3 min Emergent Threat Response

CVE-2023-47246: SysAid Zero-Day Vulnerability Exploited By Lace Tempest

A new zero-day vulnerability (CVE-2023-47246) in SysAid IT service management software is being exploited by the threat group responsible for the MOVEit Transfer attack in May 2023.

6 min Emergent Threat Response

Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518

Daniel Lydon and Conor Quinn contributed attacker behavior insights to this blog. As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment. We have confirmed that at least some of the exploits are targeting CVE-2023-22518 [http://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.ht

4 min Emergent Threat Response

Suspected Exploitation of Apache ActiveMQ CVE-2023-46604

Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments.