Thoughts From The Nest

Blog, updates, and release notes


Hello Perchy people. I’m happy to be back with the first threat report from Perch in 2020. I took a much-needed vacation, but the threats did not. This week we’re discussing an unpatched Citrix vulnerability with POCs available, a critical vulnerability in Microsoft’s CryptoAPI disclosed by the NSA, a recent Emotet campaign targeting the United Nations, and a new strain of malware used by the Iranian-linked APT34, dubbed POWDESK.

Citrix vulnerability running wild

In a research report published in December 2019, security researchers observed ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers, which are vulnerable to attacks exploiting CVE-2019-19781.

Read More


Happy Holidays from Perch! In this release of the usually weekly threat report we have a few threaty threats scrooging up the holidays and melting your change freezes. Emotet has gotten into the holiday spirit and is planning a Christmas party, your invitation is on the way. Threat actors on Perchy’s naughty list are leveraging ConnectWise Control to spread ransomware. And, critical code execution gifts in industrial control systems and routers pave the way for new Echobot variants.

Read More

Release Notes

December 17, 2019


New
Added support for short links to queries in Perchybana


New
Added maps in Perchybana


New
Added block list enhancements


New
Added ability to uninstall integrations


New
Added a Perchybana link to event notifications that provides columns and uses the correct index pattern


New
Added pagination to monitored assets table


New
Updated the create indicator page


New
Modernized sensor pages


New
Added SentinelOne log integration


New
Added ability to add a new team as an MSP


Bugfix
Fixed observable relationship to default to OR, not AND


Bugfix
Fixed appearance of prompt for user credentials in Perchybana


Bugfix
Fixed notifications not being removed from table when deleted


Bugfix
Fixed sensor names occasionally returning unknown


Bugfix
Fixed ability to save event notifications


Bugfix
Fixed the monitored assets page error when trying to edit an asset


Bugfix
Fixed private network counts not being displayed on sensor detail page


Bugfix
Fixed Perchybana link for event notification alerts which did not bring the time range of alerts that fired


Bugfix
Fixed Elasticsearch query not changing after event notification details update


Bugfix
Fixed error thrown for communities with no analyst activity


Bugfix
Fixed Perchybana appearing as a window within a window inside Perch


Bugfix
Fixed sensor details pages



In this week’s usually weekly threat report we have a batch of new attacker tools, covering the Buer loader, CStealer malware, CallerSpy mobile malware, and the PyXie Remote Access Trojan (RAT). We’ve also got a cautionary tale for the threat actors who create and operate these tools, with the takedown of a RAT from Down Under.

Buer loads up baddies with new loader tool

Since late August 2019, a new downloader, Buer, has appeared in a variety of threat campaigns.

Read More


In this week’s usually weekly threat report, MageCart pops back onto the scene with Macy’s, Phineas Phisher lands a suspected Cayman money-laundering bank, the Roboto botnet targets Webmin, and two new backdoors get the spotlight.

MageCart goes card-skimming at Macy’s

Macy’s recently announced a data breach caused by Magecart card-skimming code implanted in Macy’s online payment portal. According to Macy’s notice, the company was alerted to a suspicious connection between macys.

Read More


We’re back with another edition of the usually weekly threat report. This week we’re highlighting two critical vulnerabilities, a case of business email compromise at a medical school, and a Trickbot campaign targeting U.S. government offices.

Chrome vulnerability on Exploit.in with YouTube demo

If you haven’t updated Chrome recently, you might want to. In early November, a critical use-after-free vulnerability was disclosed for Google Chrome (CVE-2019-13720). Earlier this week a proof-of-concept exploit for the vulnerability was posted on YouTube by Tony Stack.

Read More


In this week’s threat report, we have a spooky threat actor just in time for Halloween. The Perch Security Operations Center (SOC) has discovered a threat campaign targeting a number of unpatched Drupal servers and other vulnerable web-server workloads in the United States in September. After analyzing the related malware that was building a botnet, they are ready to report. The Lucifer botnet was leveraged to send phishing emails taking advantage of a change in EU financial service regulations.

Read More


“Cisco is partnering with Perch Security to deliver a new security solution for managed service providers (MSPs) who are challenged by an evolving threat landscape. MSPs are on the front lines of protecting their clients against data breaches, malware, ransomware and other attacks for which they are often unprepared. To address these threats, Cisco is applying its security expertise and portfolio to MSPs in partnership with Perch to bring them the tools that will strengthen their security posture and better protect both themselves and their clients.

Read More

Release Notes

October 21, 2019


New
Added debugging information for integrations


New
Added Cisco AMP4E integration


New
Improved performance for alerts and related API calls


New
Created an immutable token for winlogbeats


Bugfix
Fixed indicator details view


Bugfix
Fixed customer contacts


Bugfix
Fixed Elasticsearch errors for large customers


Bugfix
Fixed ConnectWise Automate app feature for Isolate Host Script being represented as a number in the UI


Bugfix
Fixed SQS message generation


Bugfix
Fixed suppression for an IP still generating alerts for that IP


Bugfix
Fixed new subordinate organizations, set up by an MSP for its customers, being marked as MSP


Bugfix
Fixed event notifications missing Index Types


Bugfix
Fixed app crashes on alerts when False Positive is clicked


Bugfix
Fixed event notifications encountering a null pointer exception in the Elasticsearch query


Bugfix
Fixed special characters in notification name breaking Perchybana links


Bugfix
Fixed new event notifications with a simple schedule failing to save


Bugfix
Fixed TypeError in alert processing suppression counts


Bugfix
Fixed View in Perchybana links


Bugfix
Fixed Perchybana 414 Request-URI too large


Bugfix
Fixed FFIEC report export


Bugfix
Fixed Create Index Pattern being displayed when a user opens Perchybana



A new MSP cybersecurity conference is set to launch in January 2020. The event, hosted by Perch Security, is dubbed PerchyCon. The Tampa, Florida-based conference is designed for MSP and MSSP owners as well as infosec practitioners. Perch Security offers co-managed threat detection and response (MDR) services. The company has a growing base of MSP partners, plus investment backing from ConnectWise and Fishtech Group. Get the full article here.

Read More