Thoughts From The Nest

Blog, updates, and release notes


In this week’s threat report, we’re shining the spotlight on Hoplight and friends, phishing with LokiBot, meeting Purple Fox, juking Windows Defender, and discovering the weak, hardcoded passwords botnets love on the radio.

Hoplight in the spotlight with Electricfish and Bad Call

DHS, FBI, DoD, and Cyber Command have been busy dropping dimes on North Korean state-sponsored hackers, uploading several malware and RAT samples. Eleven samples were released by U.

Have you been pwnd by the threats in this week’s report? This week includes active campaigns for landing AZORult malware, WordPress exploitation, a couple of breaches, and some state-sponsored DDoS with the Great Cannon.

WordPress campaign creates rogue admins

In this new WordPress campaign, the attackers are exploiting known vulnerabilities in WordPress plugins to create rogue admin accounts on WordPress sites across the internet. Known vulnerabilities in WordPress are exploited to inject malicious JavaScript into the front end of the victims’ sites, redirecting site visitors to potentially harmful content like malware droppers and fraud sites.

Let’s see what’s poppin’ in this week’s threat report. We’re covering a hosting provider that lost personally identifiable information (PII) for 14M domain owners, privilege escalation in Windows software that would allow malware to persist, and a popular trojan that is now free on the dark Web.

Hostinger’s DB, with PII for 14M people, popped

The Web hosting provider Hostinger disclosed a security incident that impacted its platform and users. The incident was discovered on August 23, 2019.

Let’s see what’s poppin’ in this week’s threat report. Or getting popped, as it were. We’ve got ransomware in Texas, implanted code at Webmin, the return of a banking trojan that’s gone the way of polymorphic malware, and the 2019 mid-year breach update. Giddy-up, partner!

Texas Ransomware Massacre

In a coordinated ransomware massacre, at least 20 local government entities across the Lone Star State have been hit, and hackers are asking for $2.

This week we’re focusing heavily on Windows. We have some new vulnerabilities, device driver design flaws, and a malspam campaign leveraging Office documents. Let’s get this party started.

Seven Microsoft Windows vulnerabilities

According to a Microsoft advisory published yesterday, August 13, 2019, seven new vulnerabilities have been disclosed with patches released; three are rated ‘important’ and four are rated ‘critical.’ Researchers have already developed exploits, so we should expect to see exploits for these vulnerabilities running wild soon.

We’ve got a lot of wild botnet and phishing activity in this week’s threat report. Let’s get this party started.

Richard’s First Echobot

First observed in May 2019, a new variant of the Echobot botnet is picking up steam, targeting various Internet-of-Things (IoT) devices, including routers, cameras, smart home hubs, network-attached storage systems, servers, and more. We expect to see this IoT-focused botnet evolve to add exploits for the Urgent/11 vulnerabilities we discussed in the Perch Monthly User’s Meeting.

What’s cooking this week? WatchBog and Trickbot learn some new tricks while some big names suffer embarrassing breaches. Let’s start off with the biggest data breach from last week.

Capital One breached by… open S3 buckets

Paige Thompson, a former systems engineer for Amazon Web Services also known as ‘erratic’, has been labeled responsible for the Capital One breach affecting about 100M people in the U.S. and 6M in Canada.

Release Notes

July 30, 2019

New: Added new settings for the organization-wide email integration
New: Curated queries now available in Perchybana
Bugfix: Handle users who fail to or do not authorize Perch
Bugfix: Handle scenario where observable is not found
Bugfix: Fixed backtest endpoint issues
Bugfix: Fixed edit preferences function for users
Bugfix: Fixed Office365 integration authorize button and issues
Bugfix: Improved messaging around integration configuration
Bugfix: Fixed Office365 invalid nonce errors
Bugfix: Fixed Perchybana field mappings
Bugfix: Fix for some alerts that were not displayed in indicator details
Bugfix: Fix for sensor outage emails with an undefined sensor name
Bugfix: Fixed an error thrown when leaving ConnectWise Automate
Bugfix: Show loading text in the organization picker
Bugfix: Allow all users to access monitored assets reporting
Bugfix: Show ConnectWise Manage product list labels
Bugfix: Show closed escalations on homepage
Bugfix: Fixed Perchybana displaying 404 for new users



Let’s get this party started. Russian FSB’s secret projects exposed, a new Office 365 (O365) phishing campaign underway, universities at risk of phishing, newly disclosed vulnerabilities, and Brushaloader and Watchbog going wild. Oh, and a ProFTP vulnerability hits the streets.

FSB contractor breached for 7.5TB

A group of hackers named 0v1ru$ breached SyTech, a contractor for the FSB, Russia’s national intelligence service, on July 13, 2019. The group was able to hack into SyTech’s Active Directory server, from which they accessed the company’s entire network, including a JIRA instance.

Let’s get going with some of the top threats we’re highlighting this week. Notably, a number of advisories have been released by different governments related to ongoing campaigns and new critical vulnerabilities.

Watch out for DNS hijacking campaigns

The UK’s National Cyber Security Centre (NCSC) has released an advisory highlighting a large-scale global Domain Name System (DNS) hijacking campaign. DNS is the service responsible for translating domain names to the IP addresses hosting services.
