Thoughts From The Nest

Blog, updates, and release notes


Let’s see what’s poppin’ in this week’s threat report. Or, getting popped as it were. We’ve got ransomware in Texas, implanted code at Webmin, the return of a banking trojan that’s gone the way of polymorphic malware, and the 2019 mid-year breach update. Giddy-up, partner!

Texas Ransomware Massacre

In a coordinated ransomware massacre, at least 20 local government entities across the Lone Star state have been hit, and hackers are asking for $2.



This week we’re focusing heavily on Windows. We have some new vulnerabilities, device driver design flaws, and a malspam campaign leveraging Office documents. Let’s get this party started.

Seven Microsoft Windows vulnerabilities

According to a Microsoft advisory published yesterday, August 13, 2019, seven new vulnerabilities have been disclosed with patches released – three of which are rated as ‘important’ and four are rated as ‘critical.’ Exploits have been developed by researchers, so we should expect to see exploits for these vulnerabilities running wild soon.



We’ve got a lot of wild botnet and phishing activity in this week’s threat report. Let’s get this party started.

Richard’s First Echobot

First observed in May 2019, a new variant of the Echobot botnet is picking up steam targeting various Internet-of-Things (IoT) devices, including routers, cameras, smart home hubs, network-attached storage systems, servers, and more. We expect to see this IoT-focused botnet evolve to add exploits for the Urgent/11 vulnerabilities we discussed in the Perch Monthly User’s Meeting.



What’s cooking this week? WatchBog and Trickbot learn some new tricks while some big names suffer embarrassing breaches. Let’s start off with the biggest data breach from last week.

Capital One breached by… open S3 buckets

Paige Thompson, a former Systems Engineer for Amazon Web Services, also known as erratic, has been labeled responsible for the Capital One breach affecting about 100M people in the U.S. and 6M in Canada.


Release Notes

July 30, 2019


New: Added new settings for the organization-wide email integration
New: Curated queries now available in Perchybana
Bugfix: Handle users who fail to or do not authorize Perch
Bugfix: Handle scenario where observable is not found
Bugfix: Fixed backtest endpoint issues
Bugfix: Fixed edit preferences function for users
Bugfix: Fixed Office365 integration authorize button and issues
Bugfix: Improve messaging around integration configuration
Bugfix: Fixed Office365 invalid nonce errors
Bugfix: Fixed Perchybana field mappings
Bugfix: Fix for some alerts that are not displayed in indicator details
Bugfix: Fix for sensor outage emails with an undefined sensor name
Bugfix: Fix an error thrown when leaving ConnectWise Automate
Bugfix: Show loading text in the organization picker
Bugfix: Allow all users to access monitored assets reporting
Bugfix: Show ConnectWise Manage product list labels
Bugfix: Show closed escalations on homepage
Bugfix: Fix Perchybana displaying 404 for new users



Let’s get this party started. Russian FSB’s secret projects exposed, a new Office 365 (O365) phishing campaign underway, universities at risk of phishing, newly disclosed vulnerabilities, and Brushaloader and Watchbog go wild. Oh, and a ProFTP vulnerability hits the streets.

FSB contractor breached for 7.5TB

A group of hackers named 0v1ru$ breached SyTech, a contractor for the FSB, Russia’s national intelligence service, on July 13, 2019. The group was able to hack into SyTech’s Active Directory server, from which they accessed the company’s entire network, including a JIRA instance.



Let’s get going with some of the top threats we’re highlighting this week. Notably, a number of advisories have been released by different governments related to ongoing campaigns and new critical vulnerabilities.

Watch out for DNS hijacking campaigns

The UK’s National Cyber Security Centre (NCSC) has released an advisory highlighting a large-scale global Domain Name System (DNS) hijacking campaign. DNS is the service responsible for translating domain names into the IP addresses hosting services.



The days of email scamming have evolved into something far more effective and profitable. One of the earlier and best-known email scams was the Nigerian Prince email. As I’m sure you recall, these emails would offer you something along the lines of $20 million in exchange for transferring funds out of Nigeria. Today’s attacks are much more sophisticated, as state-sponsored groups and organized crime syndicates use spear phishing, invoice scams, employee payroll direct deposit changes, and a host of other techniques.



This week we’re focusing on breaches. How would you know if you’ve been breached? How would a breach impact your enterprise? Major brands are paying fines for past breaches, and technology providers are unaware of compromise – this could impact the viability of their business. We’ll be doing everything we can to be good stewards and detect lingering threats.

Major brands fined for fairly recent breaches

Two large enterprises were ordered to pay fines this week.



PCM customer impacted by Office 365 business email compromise

Perch now has Office 365 log collection in beta testing. And, in good timing! A breach at large solution provider PCM Inc. allowed hackers to access Microsoft Office 365 email and file sharing systems for some of the company’s clients. California-based PCM had more than 2,000 customers in 2018. According to Krebs’ sources, attackers stole administrative credentials that PCM uses to manage client accounts within Office 365, a cloud-based file and email sharing service run by Microsoft Corp.
