Thoughts From The Nest

Blog, updates, and release notes


This week we’ve got a warning from CISA on threats to critical U.S. infrastructure, we’re going phishing in Puerto Rico, celebrating Valentine’s Day with the FBI, and listening to chatter on the dark web for upcoming threats. Let’s get this party started.

CISA warning for critical U.S. infrastructure

On February 18, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations across all U.S. critical infrastructure sectors about a recent ransomware attack that affected a natural gas compression facility.


Release Notes

February 12, 2020


New: 2FA enabled status is displayed when viewing the list of users
New: New integration added for Microsoft Teams
New: Added triggered event notification history page
New: Event notifications can now execute a Watcher record
New: Enhanced printable view of suppression data
New: Event notifications now support additional custom recipients
New: Event notification email includes a View in Perch link
New: New integration for Webroot
New: Event notifications now perform post-processing on watch results to store triggering values
Bugfix: Fixed sensor command formatting
Bugfix: Fixed email integration configuration
Bugfix: Fixed ConnectWise Automate issues with 2FA
Bugfix: Fixed report history download link prompting for API credentials on scheduled reports
Bugfix: Fixed issue with newly created orgs not showing up in the org picker
Bugfix: Fixed issues with Sophos Central
Bugfix: Fixed Cisco AMP integration collection issues
Bugfix: Fixed Try Again button on the final registration page for setup
Bugfix: Fixed issues with the sensor table when ordered by name
Bugfix: Fixed select dropdowns hidden by modal
Bugfix: Fixed ConnectWise Manage product list not loading on the billing tab
Bugfix: Fixed users not being redirected to Perchybana after login
Bugfix: Fixed scheduled reports and default email recipients being auto-selected
Bugfix: Fixed alert details history not displaying
Bugfix: Fixed Cisco Umbrella event subtype

It’s time for another usually weekly threat report. Last week we were really busy with a successful PerchyCon 2020. But we’ve gotten some interesting threats that we need to make you aware of this week.

Cisco Discovery Protocol vulnerability impacts millions

Cisco has disclosed five zero-day vulnerabilities in the Cisco Discovery Protocol (CDP), collectively dubbed “CDPwn.” CDP is a Cisco proprietary Layer 2 (Data Link Layer) network protocol that is used to share information about directly connected Cisco equipment.



Hello Perchy people. I’m happy to be back with the first threat report from Perch in 2020. I took a much-needed vacation, but the threats did not. This week we’re discussing an unpatched Citrix vulnerability with proof-of-concept (POC) exploits available, a critical vulnerability in Microsoft’s CryptoAPI disclosed by the NSA, a recent Emotet campaign targeting the United Nations, and a new strain of malware used by Iranian-linked APT34 dubbed POWDESK.

Citrix vulnerability running wild

In a research report published in December 2019, security researchers observed ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers, which are vulnerable to attacks exploiting CVE-2019-19781.



Happy Holidays from Perch! In this release of the usually weekly threat report we have a few threaty threats scrooging up the holidays and melting your change freezes. Emotet has gotten into the holiday spirit and is planning a Christmas party; your invitation is on the way. Threat actors on Perchy’s naughty list are leveraging ConnectWise Control to spread ransomware. And critical code execution gifts in industrial control systems and routers pave the way for new Echobot variants.


Release Notes

December 17, 2019


New: Added support for short links to queries in Perchybana
New: Added maps in Perchybana
New: Added block list enhancements
New: Added ability to uninstall integrations
New: Added event notifications Perchybana link to provide columns and use the correct index pattern
New: Added pagination to the monitored assets table
New: Added update for the create indicator page
New: Modernized sensor pages
New: Added SentinelOne log integration
New: Added ability to add a new team as an MSP
Bugfix: Fixed observable relationship to default to OR, not AND
Bugfix: Fixed appearance of prompt for user credentials in Perchybana
Bugfix: Fixed notifications not being removed from the table when deleted
Bugfix: Fixed sensor names occasionally returning unknown
Bugfix: Fixed ability to save event notifications
Bugfix: Fixed the monitored assets page error when trying to edit an asset
Bugfix: Fixed private network counts not being displayed on the sensor detail page
Bugfix: Fixed Perchybana link for event notification alerts, which did not carry over the time range of the alerts that fired
Bugfix: Fixed Elasticsearch query not changing after an event notification details update
Bugfix: Fixed error thrown for communities with no analyst activity
Bugfix: Fixed Perchybana appearing as a window-in-window within Perch
Bugfix: Fixed sensor details pages

In this week’s usually weekly threat report we have a bunch of new attacker tools, covering the Buer loader, CStealer malware, CallerSpy mobile malware, and the PyXie Remote Access Trojan (RAT). We’ve also got a cautionary tale for the threat actors that create and operate these tools, with the takedown of a RAT from Down Under.

Buer loads up baddies with new loader tool

Since late August 2019, a new downloader, Buer, has appeared in a variety of threat campaigns.



In this week’s usually weekly threat report MageCart pops back on the scene with Macy’s, Phineas Phisher lands a suspected Cayman money laundering bank, the Roboto botnet targets Webmin, and two new backdoors get the spotlight.

MageCart goes card-skimming at Macy’s

Macy’s recently announced a data breach caused by Magecart card-skimming code implanted in Macy’s online payment portal. According to Macy’s notice, the company was alerted to a suspicious connection between macys.



We’re back with another edition of the usually weekly threat report. This week we’re highlighting two critical vulnerabilities, a case of business email compromise for a medical school, and a Trickbot campaign targeting U.S. government offices.

Chrome vulnerability on Exploit.in with YouTube demo

If you haven’t updated Chrome recently, you might want to. In early November, a critical use-after-free vulnerability was disclosed for Google Chrome (CVE-2019-13720). Earlier this week a proof-of-concept exploit for the vulnerability was posted on YouTube by Tony Stack.



In this week’s threat report, we have a spooky threat actor just in time for Halloween. The Perch Security Operations Center (SOC) has discovered a threat campaign targeting a number of unpatched Drupal servers and other vulnerable web-server workloads in the United States in September. After analyzing the related malware that was building a botnet, they are ready to report. The Lucifer botnet was leveraged to send phishing emails taking advantage of a change in EU financial service regulations.
