CISO Brief

All news with #rapid7 tag

11 articles

Iranian Spies Masquerade as Ransomware to Mask Espionage

🕵️ State-aligned Iranian operatives are posing as a ransomware affiliate to conceal espionage and cyber-sabotage, according to research by Rapid7. The group, linked to MuddyWater (aka Seedworm), impersonated the Chaos ransomware-as-a-service brand while using social engineering over Microsoft Teams—including interactive screensharing—to harvest credentials and bypass MFA. Operators used remote management tools like DWAgent for persistence and followed intrusions with extortion messaging and leak-site posts, but prioritized data exfiltration over encryption.

MuddyWater Uses Chaos Ransomware as Decoy in Attacks

🔍 The Iranian state-sponsored group MuddyWater disguised a cyber-espionage operation as a Chaos ransomware attack, leveraging Microsoft Teams social engineering to harvest credentials and manipulate MFA. Attackers used fake Quick Assist phishing pages or tricked victims into typing passwords into local files, then moved laterally via AnyDesk, DWAgent, and RDP to establish persistence. Rapid7 links the campaign to MuddyWater with moderate confidence, noting a signed loader (ms_upd.exe) that drops a backdoor (Game.exe) with anti-analysis checks.

Iran-Linked APT Mimicked Chaos Ransomware in Espionage

🛡️ Rapid7 says an Iranian government-linked APT posed as a Chaos ransomware affiliate to mask espionage and prepositioning in an intrusion in early 2026. The actor, identified as MuddyWater (aka Seedworm/Static Kitten/Mango Sandstorm), used interactive Microsoft Teams social engineering to harvest credentials and manipulate MFA. They established persistence with DWAgent and AnyDesk, exfiltrated data, and initiated extortion negotiations without deploying a ransomware payload.

AWS Marketplace Expands Network Firewall Managed Rules

🔒 AWS Network Firewall supports expanded managed rule groups from AWS Marketplace partners, allowing rule groups to include up to 10 million domain indicators and 1 million IP addresses. Partners including Infoblox, Lumen, and ThreatSTOP are adding protections for high-risk domains, command-and-control blocking, and sanctions compliance. Managed rules from sellers like Check Point, Fortinet, Rapid7, and Trend Micro provide ready-to-deploy, continuously updated protections and are now available in additional regions.

Patch Window Collapses as Exploits Rapidly Accelerate

⚠️ Rapid7's Cyber Threat Landscape Report shows confirmed exploitation of newly disclosed high- and critical-severity vulnerabilities surged 105% year-over-year, while median time to CISA KEV inclusion fell to 5.0 days and mean time-to-exploit dropped to 28.5 days. Industry observers cite the industrialization of cybercrime and the use of AI to speed discovery and exploit development. Experts warn that patches increasingly act as roadmaps for attackers, and urge adoption of secure-by-design, aggressive pre-release testing, and faster isolation or rebuild capabilities to counter the collapsing patch window.

China-Linked Red Menshen Uses Stealthy BPFDoor Implants

🔒 A long-running espionage campaign attributed to China-linked threat cluster Red Menshen has embedded stealthy kernel-level implants into telecom networks to maintain persistent, low-noise access. Rapid7 highlights BPFDoor, a Linux backdoor that leverages Berkeley Packet Filter functionality to trigger shells only when a specifically crafted "magic" packet is seen, avoiding open listeners and conventional C2 channels. The actor also deploys CrossC2, Sliver, TinyShell, credential harvesting tools and a controller that can operate inside victim environments to enable lateral movement and covert monitoring.

AI and Automation Accelerate Exploitation in 2025

🔍 Rapid7's 2026 Global Threat Landscape Report finds AI and automation compressed the window between vulnerability disclosure and exploitation in 2025, turning what once unfolded over weeks into days or even minutes. The median time to inclusion on CISA's Known Exploited Vulnerabilities catalog fell from 8.5 days to five, and the mean dropped from 61 to 28.5 days. Confirmed exploitation of CVSS 7–10 flaws rose 105% YoY to 146 incidents, with deserialization, authentication bypass and memory corruption among the most targeted issues. Rapid7 urges CISOs to adopt pre-emptive security that reduces attack surface, prioritizes material risk and improves contextual detection and response.

ClickFix Campaign Distributes New In-Memory Infostealers

🛡️ Rapid7 and Microsoft researchers have documented a ClickFix operation that compromised over 250 WordPress sites to distribute fileless infostealers using counterfeit Cloudflare CAPTCHA prompts. The injected JavaScript hides from administrators and coerces visitors into pasting obfuscated commands that launch an in-memory DoubleDonut loader, which injects payloads into legitimate Windows processes. Observed payloads include a new Vidar variant and two previously undocumented stealers—Impure Stealer (.NET) and VodkaStealer (C++)—both using advanced encoding, encryption and sandbox-detection checks. Site owners are urged to restrict public admin access, tighten credentials and apply the published IOCs and YARA rules.

AWS Network Firewall Adds Managed Rules from AWS Partners

🔒 AWS Network Firewall now supports managed rule groups from AWS Partners, enabling customers to deploy partner-maintained, automatically updated security rules directly into firewall policies. You can subscribe and deploy these pre-configured rule groups via the AWS Network Firewall console or through AWS Marketplace, with consolidated billing and potential long-term pricing benefits. Available sellers include Check Point, Fortinet, Infoblox, Lumen, Rapid7, ThreatSTOP, and Trend Micro in all AWS commercial regions where the services are offered.

Crimson Collective Targets AWS Cloud Instances for Theft

🔒 Researchers report the 'Crimson Collective' has been targeting long-term AWS credentials and IAM accounts to steal data and extort companies. Using open-source tools like TruffleHog, the attackers locate exposed AWS keys, create new IAM users and access keys, then escalate privileges by attaching AdministratorAccess. They snapshot RDS and EBS volumes, export data to S3, and send extortion notices via AWS SES. Rapid7 urges organisations to audit keys, enforce least privilege, and scan for exposed secrets.

Unpatched OnePlus flaw exposes SMS data to rogue apps

🔒 Rapid7 disclosed an unpatched vulnerability in OnePlus's OxygenOS (CVE-2025-10184) that allows any installed app to access SMS content and metadata without SMS permissions. The fault arises from modified Telephony content providers whose manifests omit a required write permission and accept unsanitized input. By abusing a blind SQL-injection vector an attacker can infer SMS text one character at a time. OnePlus has acknowledged the report and is investigating; users should minimize installed apps and avoid SMS-based 2FA.