Same username, probably same “hey I’m hiring” and “here are words about vulnerabilities” posts over at
Caitlin Condon
@catc0n
Adventurer. Takes a lot of photos, calls many places home. Manages vulnerability research + development for . Opinions mine, etc. She/her.
Caitlin Condon’s Tweets
No more reasons to hold back. Here's my blog I wrote days ago.
frycos.github.io/vulns4free/202
Quote Tweet
We just published details about the GoAnywhere RCE from last week, which is now assigned CVE-2023-0669. It's pre-auth, being actively exploited, and is relatively easy to reverse-engineer from their mitigation steps
Excellent work via who details our latest vulnerability disclosure details CVE-2023-22374: F5 BIG-IP Format String Vulnerability: rapid7.com/blog/post/2023 #infosec #cybersecurity #Vulnerability
The landscape here has changed a lot between Citrix, popular file transfer solutions, VPN appliances, load balancers, and whatever else having some horrible vulnerabilities. You need to be able to triage and perform IR in the appliance space, especially when it bridges networks.
After the last few years, removing your management interfaces from the internet should be an immediate priority.
If you're a GoAnywhere MFT customer, heads up — exploited zero-day vuln, no CVE, no patch (that we can tell). Mitigation available, has to be applied to every node.
Goodnight Moon,
Goodnight Chinese high-altitude spy balloon,
Goodnight stars,
Goodnight air,
Goodnight persistent overhead reconnaissance everywhere.
Why is it always that a bunch of vulns hit when goes on vacation? The only logical conclusion is that Glenn is secretly a threat actor.
My next live stream will be Friday the 10th at 4:30 EST on twitch.tv/zerosteiner This one will be on the new features in 6.3, mostly kerberos with some AD CS sprinkled in. Come hangout and bring your questions!
Reading 's analysis on CVE-2021-22005 affecting VMWare vCenter & the new RCE vuln in VMWare vRealize, I think it's a good idea to point to my auditd config, which includes rules to monitor for crond modifications
Analysis
attackerkb.com/topics/15E0q0t
github.com/Neo23x0/auditd
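As an added illustration of what those cron watch rules buy you during an investigation (this is example code, not from the linked config or from the post above): the rule lines below are written in the style of a `-w ... -k cron` auditd watch (the paths assume a Debian/Ubuntu layout and should be checked against your distribution before loading with `auditctl -R`), and the parser groups raw `audit.log` records by audit serial and pulls out every successful write under the `cron` key, with the executable, uid, working directory and the created or modified path. The log lines are constructed samples: one event plants a file in `/etc/cron.d`, the other edits `sshd_config` under a different key and must be ignored.

```python
import re
from collections import OrderedDict

# Watch rules of the kind the linked config ships (paths assumed; verify for your distro).
CRON_WATCH_RULES = """\
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
"""

# Constructed sample of /var/log/audit/audit.log (not a real capture). Event 4711 is a
# shell creating /etc/cron.d/.update (what we want to catch); event 4712 is an admin
# editing sshd_config under the "sshd" key and must not be reported.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1675286400.123:4711): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0a3 a2=241 a3=1b6 items=2 ppid=2110 pid=2145 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="cron"
type=CWD msg=audit(1675286400.123:4711): cwd="/usr/lib/vmware-vmon"
type=PATH msg=audit(1675286400.123:4711): item=0 name="/etc/cron.d/" inode=1234 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1675286400.123:4711): item=1 name="/etc/cron.d/.update" inode=5678 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PROCTITLE msg=audit(1675286400.123:4711): proctitle=7368002D63
type=SYSCALL msg=audit(1675286460.500:4712): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c1b4 a2=241 a3=1b6 items=2 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" key="sshd"
type=CWD msg=audit(1675286460.500:4712): cwd="/root"
type=PATH msg=audit(1675286460.500:4712): item=0 name="/etc/ssh/" inode=2222 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1675286460.500:4712): item=1 name="/etc/ssh/sshd_config" inode=2223 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# key=value pairs; values are either a double-quoted string or a run of non-space chars
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit record into (timestamp, serial, {field: value}); None if malformed."""
    m = _MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    return m.group(1), int(m.group(2)), fields


def group_events(log_text):
    """Join the SYSCALL/CWD/PATH records that share one audit serial into a single event."""
    events = OrderedDict()
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        ts, serial, fields = parsed
        ev = events.setdefault(serial, {"ts": ts, "serial": serial, "paths": []})
        rtype = fields.get("type")
        if rtype == "SYSCALL":
            ev.update({k: fields.get(k) for k in
                       ("uid", "auid", "exe", "comm", "syscall", "key", "success")})
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            # keep the object itself (CREATE/NORMAL/DELETE), not the parent directory record
            ev["paths"].append((fields.get("name"), fields.get("nametype")))
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
    return list(events.values())


def cron_modifications(log_text, key="cron"):
    """Return successful events tagged with the cron watch key, i.e. writes to watched cron paths."""
    return [ev for ev in group_events(log_text)
            if ev.get("key") == key and ev.get("success") == "yes"]


if __name__ == "__main__":
    for ev in cron_modifications(SAMPLE_AUDIT_LOG):
        print(f"{ev['ts']} serial={ev['serial']} uid={ev['uid']} exe={ev['exe']} "
              f"cwd={ev.get('cwd')} paths={ev['paths']}")
```

On a live box `ausearch -k cron` gives you the same records already grouped; the parser is for the offline case where you only have a copied `audit.log`. Note that the `cwd` of the writing process is often the most telling field in appliance post-exploitation, since it points at the service that spawned the shell.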
A few months ago, we found a format string vulnerability in an administrative endpoint of F5 BIG-IP's SOAP interface.
I wrote a lot more details on Mastodon: infosec.exchange/@iagox86/10979
All the details are in our blog post as well:
Another day, another vulnerability disclosure from — this time an authenticated format string bug in F5 BIG-IP.
Metasploit Framework 6.3 is out now🎉
New features include native Kerberos authentication support, streamlined Active Directory attack workflows (AD CS, AD DS), and new modules that request, forge, and convert tickets between formats.
Quote Tweet
Fully automated privilege escalation in MSF 6.3 with the new Certifried (CVE-2022-26923) module by @n00tmeg
Fully automated privilege escalation in MSF 6.3 with the new Certifried (CVE-2022-26923) module by
🧡
Quote Tweet
Many thanks to our dedicated hacker team and our brilliant open-source community, including (but not limited to) @DeanAsInSean @zeroSteiner @n00tmeg @k0pak4 @_smashery_ @Op3n4M3 @SpaceySpacek @tychos_moose @TrustedSec @TheColonial and many more folks not on social media!
MSF 6.3 also adds Kerberos ticket inspection and debugging, plus support for generating Keytab files to decrypt Kerberos network traffic in Wireshark.
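For readers who have not looked inside one, here is what the keytab that Wireshark consumes actually is. This is an added example written for this page, an independent Python illustration of the MIT keytab v2 (0x0502) binary layout; it is not Metasploit's Ruby keytab writer and does not reproduce it. The principal names, realm and key bytes are constructed samples (the RC4 key is the well-known empty-password NT hash), and the writer and the parser round-trip each other so the layout can be checked offline.

```python
import struct

# MIT keytab file format, version 0x0502, all integers big-endian. Layout taken from the
# MIT Kerberos keytab documentation; constants below are the standard IANA/Kerberos values.
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18
ETYPE_ARCFOUR_HMAC = 23          # RC4-HMAC: the key material is the NT hash itself


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, off: int):
    (n,) = struct.unpack_from(">H", blob, off)
    off += 2
    return blob[off:off + n], off + n


def keytab_entry(principal: str, realm: str, kvno: int, enctype: int, key: bytes,
                 timestamp: int = 0) -> bytes:
    """Serialise one keytab_entry, prefixed with its int32 size (size excludes itself)."""
    components = principal.split("/")      # "HTTP/web01.corp.local" -> ["HTTP", "web01.corp.local"]
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)   # name_type, time, vno8
    body += struct.pack(">H", enctype) + _counted(key)                       # keyblock
    body += struct.pack(">I", kvno)        # optional 32-bit vno, honoured when >= 4 bytes remain
    return struct.pack(">i", len(body)) + body


def write_keytab(entries) -> bytes:
    """Build a complete keytab blob from a list of entry dicts."""
    return KEYTAB_MAGIC + b"".join(keytab_entry(**e) for e in entries)


def read_keytab(blob: bytes):
    """Parse a keytab blob back into entry dicts, the way a consumer such as Wireshark must."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off < len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                        # negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        off += 2
        realm, off = _read_counted(blob, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(blob, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", blob, off)
        off += 2
        key, off = _read_counted(blob, off)
        kvno = vno8
        if end - off >= 4:                  # the wider vno field is present
            (kvno,) = struct.unpack_from(">I", blob, off)
        entries.append({"principal": "/".join(comps), "realm": realm.decode(), "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp,
                        "name_type": name_type})
        off = end
    return entries


# Constructed sample entries (not real secrets): an AES256 service key and an RC4 krbtgt key.
SAMPLE_ENTRIES = [
    {"principal": "HTTP/web01.corp.local", "realm": "CORP.LOCAL", "kvno": 3,
     "enctype": ETYPE_AES256_CTS_HMAC_SHA1_96, "key": bytes(range(32))},
    {"principal": "krbtgt/CORP.LOCAL", "realm": "CORP.LOCAL", "kvno": 2,
     "enctype": ETYPE_ARCFOUR_HMAC, "key": bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")},
]

if __name__ == "__main__":
    blob = write_keytab(SAMPLE_ENTRIES)
    with open("sample.keytab", "wb") as fh:   # point Wireshark's KRB5 keytab preference here
        fh.write(blob)
    for e in read_keytab(blob):
        print(e["principal"], e["realm"], e["kvno"], e["enctype"], e["key"].hex())
```

Wireshark picks the file up under Preferences, Protocols, KRB5 ("Kerberos keytab file", with "Try to decrypt Kerberos blobs" enabled); the dissector matches on realm, principal and enctype, so an entry with the right key but the wrong principal name decrypts nothing. Treat the resulting file like the password it represents and delete it when the analysis is done.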
MSF 6.3 supports Kerberos authentication over HTTP, LDAP, MSSQL, SMB, and WinRM. Request TGTs and TGS with a password, NT hash, or encryption key — or request tickets via PKINIT with certs issued from AD CS.
New authentication methods here:
Just managed to replicate a common GenericWrite/RBCD attack chain I usually do with Impacket but instead used pure MSF.
Will blog it tomorrow for anyone curious how to use the new features
Quote Tweet
Metasploit Framework 6.3 is out now
New features include native Kerberos authentication support, streamlined Active Directory attack workflows (AD CS, AD DS), and new modules that request, forge, and convert tickets between formats. rapid7.com/blog/post/2023
Delighted to confirm that Framework 6.3 is now Released. Includes Native Kerberos authentication over HTTP, LDAP, MSSQL, SMB, and WinRM and much much more! rapid7.com/blog/post/2023 #infosec #cybersecurity
Metasploit Framework 6.3 Released !!!!!! :
Latest Metasploit release comes with cool stuff like AD attacks rapid7.com/blog/post/2023 #metasploit #Pentesting #cybersecurity
My favorite part of the new Kerberos auth is the integrated ticket cache. TGTs are stored and used to obtain new TGSs. Tickets are fetched from the cache based on the SPN from the options.
No having to manage a bunch of files and set environment variables.
Quote Tweet
MSF 6.3 supports Kerberos authentication over HTTP, LDAP, MSSQL, SMB, and WinRM. Request TGTs and TGS with a password, NT hash, or encryption key — or request tickets via PKINIT with certs issued from AD CS.
New authentication methods here: gist.github.com/adfoster-r7/2b
Bananas fantastic work from the #Metasploit team here adding killer new features and simplifying complex attack workflows that are relevant to a huge percentage of modern environments
Quote Tweet
Metasploit Framework 6.3 is out now
New features include native Kerberos authentication support, streamlined Active Directory attack workflows (AD CS, AD DS), and new modules that request, forge, and convert tickets between formats. rapid7.com/blog/post/2023
This Friday we have updates to the Python Meterpreter, an adapter to run Python payloads on Windows, and a Cacti Unauth Command Injection. Thanks !
Just pushed my first round of a hunt for a ManageEngine vulnerability
rapid7.com/blog/post/2023
docs.velociraptor.app/exchange/artif
In today's investigation, we successfully found traces of exploitation with the artifact ManageEngineLog from . 🙏
Keep in mind that, at least in the server we investigated, the logs were overwritten pretty quickly.
No hits != all good.
#Cybersecurity
Quote Tweet
Just pushed my first round of a @velocidex hunt for a ManageEngine vulnerability
rapid7.com/blog/post/2023
docs.velociraptor.app/exchange/artif
We’ve updated our blog (published on 1/19), “CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability.” Check out our updated IOCs here 👉 r-7.co/3knzlQB
ICYMI coverage details and overview of CVE-2022-44877 - Exploitation of Control Web Panel available here via rapid7.com/blog/post/2023 #infosec #cybersecurity
I just posted our #Rapid7 technical analysis of the recent vuln in #ManageEngine - CVE-2022-47966 (#cve202247966 / #CVE_2022_47966). Big thanks to and my new co-worker for their help on this one! I have a lot to learn from Stephen :)
Absolutely stellar root cause analysis of ManageEngine CVE-2022-47966 from and . TL;DR = exploitation not equally trivial across all affected products. There are also a number of vulns at play, which folks seem to be missing.
Our latest analysis details CVE-2022-47966 a pre-authentication remote code execution (RCE) vulnerability where we are seeing active exploitation: rapid7.com/blog/post/2023 H/T #infosec #cybersecurity
CVE-2022-47966: Works over GET as well (notable for our network signature writing friends). Additionally, those not familiar with XML transformation, you can execute arbitrary Java - not just getRuntime().exec(). I just developed a PoC that creates an in-memory reverse shell. 🤷
New emergent threat response: "CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability." Details ⤵️ (Note: emergent threat responses evolve quickly and as we learn more about this vulnerability, this blog post will evolve too.)
Donald Trump incited an insurrection, but Joe Biden once failed a car inspection, so