Two vulnerabilities have been identified in RapidFire Tools Network Detective, a system assessment and reporting tool developed by Kaseya (RapidFire Tools). These issues significantly compromise the confidentiality and integrity of credentials gathered and processed during routine network scans, exposing sensitive data to both local attackers and potentially malicious insiders.
Vulnerability 1: Passwords in Cleartext
During its normal operation, Network Detective saves usernames and passwords in plain, readable text across several temporary files. These files are stored locally on the device and are not protected or hidden. In many cases, the credentials collected include privileged or administrative accounts, such as those used for VMware.
An attacker who gains access to the machine running the scan—whether physically, remotely, or through malware—can easily retrieve these passwords without needing to decrypt anything. This presents a serious risk to client infrastructure, especially when those credentials are reused or provide broad system access.
Vulnerability 2: Reversible Encryption
RapidFire Tools Network Detective uses a flawed method to encrypt passwords and other sensitive data during network scans. The encryption process is based on static, built-in values, which means it produces the same result every time for the same input. This makes it possible for anyone with access to the tool or encrypted data to easily reverse the encryption and retrieve original passwords.
This weakness puts client environments at risk, especially since the encrypted data often includes administrative credentials. The encryption does not follow modern security standards, and attackers do not need special tools or expertise to break it—only access to the files or application.
Analysis and Background
Network Detective, a product developed by RapidFire Tools (a Kaseya company), is designed to scan networks for vulnerabilities, misconfigurations, and compliance issues. It is used by managed service providers (MSPs), IT consultants, and internal IT departments to assess network health and generate reports. While commonly deployed as a standalone binary for one-off scans—often during sales or onboarding—Network Detective also supports scheduled, recurring scans in installed environments.
The application is typically configured via a step-by-step wizard, prompting users to define targets (e.g., IP ranges), scan types (e.g., HIPAA, PCI), and credentials for services such as Active Directory or VMware. This configuration is stored locally and reused for automated scans. Notably, the same binaries are used for both ad hoc and scheduled executions, meaning any vulnerabilities affect both deployment models equally.
Due to its ease of use and deep network visibility, the tool is often run with elevated privileges across production systems. Users implicitly trust the application to securely handle credentials and sensitive data. However, the issues discovered occur under default conditions, without requiring misuse or advanced manipulation—highlighting a significant risk for environments relying on the tool for security posture validation.
It's hard enough creating one air-gap-jumping tool. Researchers say the group GoldenJackal did it twice in five years.
An operation labeled TAG-100 by Insikt Group researchers deploys two types of backdoor malware — SparkRAT and Pantegana — that have only been spotted in limited ways previously.
Cheap ransomware is being sold for one-time use on dark web forums, allowing inexperienced freelancers to get into cybercrime without any interaction with affiliates.
Researchers at the intelligence unit at the cybersecurity firm Sophos found 19 ransomware varieties being offered for sale or advertised as under development on four forums from June 2023 to February 2024.
Google has confirmed a new security scheme which, it says, will help “secure, empower and advance our collective digital future” using AI. Part of this AI Cyber Defence Initiative includes open-sourcing the new, AI-powered, Magika tool that is already being used to help protect Gmail users from potentially problematic content.
Microsoft Threat Intelligence presents cases of threat actors misusing OAuth applications as automation tools in financially motivated attacks.
Microsoft’s Digital Crimes Unit (DCU), cybersecurity software company Fortra™ and Health Information Sharing and Analysis Center (Health-ISAC) are taking technical and legal action to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software, which have been used by cybercriminals to distribute malware, including ransomware. This is a change in the way DCU has...
At the end of November 2022, OpenAI released ChatGPT, the new interface for its Large Language Model (LLM), which instantly created a flurry of interest in AI and its possible uses. However, ChatGPT has also added some spice to the modern cyber threat landscape as it quickly became apparent that code generation can help less-skilled threat actors effortlessly launch cyberattacks.
In Check Point Research’s (CPR) previous blog, we described how ChatGPT successfully conducted a full infection flow, from creating a convincing spear-phishing email to running a reverse shell, capable of accepting commands in English. The question at hand is whether this is just a hypothetical threat or if there are already threat actors using OpenAI technologies for malicious purposes.
CPR’s analysis of several major underground hacking communities shows that there are already first instances of cybercriminals using OpenAI to develop malicious tools. As we suspected, some of the cases clearly showed that many cybercriminals using OpenAI have no development skills at all. Although the tools that we present in this report are pretty basic, it’s only a matter of time until more sophisticated threat actors enhance the way they use AI-based tools for bad.
