Thoughts From The Nest

Blog, updates, and release notes


We’ve got a quick update for you this week on some news that’s getting attention: APT34 hacking tools have leaked, a critical vulnerability in common VPN software has been patched, and Microsoft underestimated the exploitability of a remote code execution vulnerability. Additionally, an information technology firm from India has been compromised and is being leveraged in attacks against its own customers. Let’s get going.

APT34 hacking tools leak

As reported by ZDNet, yesterday some of the tools used by the OilRig attack group were leaked by a group of Iranian hackers called “Lab Dookhtegan”.


Release Notes

April 8, 2019


New: Filter links to a single customer on indicator details
New: Extended storage for logs
New: Include recent flow_id in API response
New: New on-boarding wizard
Bugfix: Cannot click link to sensor and bring up sensor page
Bugfix: 500 error on Basic Authentication
Bugfix: Weekly update email doesn’t get complete data
Bugfix: Issue with 2FA logins due to email confirmation cage router
Bugfix: Community Pages / View All: Recent True and False Positives not working
Bugfix: Redirect user back to original page after login
Bugfix: Contacts text field is losing focus on autosave

This week Skylight Cyber bursts Kaspersky’s Shadowhammer bubble. Dive into some Apache and PHP 0-days. Also, both Cisco and Georgia Tech learn that there are no second chances in security.

BARIUM likely responsible for Shadowhammer

Kaspersky is slow-dripping information on Shadowhammer, but the community is not waiting. Out of 57,000 observed infections, Kaspersky identified only 600 machines that Shadowhammer targeted for second-stage infection. Shadowhammer identifies targets based on a unique identifier assigned to a network interface controller (NIC), the media access control (MAC) address.
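A worked example of MAC-based target selection, added here as an illustration rather than code from Perch or from the Kaspersky write-up: it canonicalizes NIC MAC addresses in the formats inventory tools emit, hashes them, and checks them against a target list, which is the same check a defender runs when a vendor publishes the hashed target list. The page does not state Shadowhammer’s hash function, so MD5 over the lowercase colon-separated form is an assumption, and the two target MACs are constructed, not real Shadowhammer targets.

```python
"""Check NIC MAC addresses against a list of hashed target MACs.

Added illustration; not Perch's or Kaspersky's code. The hash function
(MD5 over 'aa:bb:cc:dd:ee:ff') and the target list are assumptions made
for this example only.
"""
import hashlib
import re
import uuid

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to lowercase 'aa:bb:cc:dd:ee:ff'.

    Accepts colon, dash, Cisco dot ('aabb.ccdd.eeff') and bare-hex forms.
    Raises ValueError for anything that is not exactly 12 hex digits, so a
    mangled inventory entry cannot silently hash to a non-target value.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """Hash the canonical text form. MD5 here is an assumption, not the
    scheme documented for Shadowhammer on this page."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed target list built from two made-up MACs. A real sweep would
# paste the published hashes here instead of deriving them from plaintext.
TARGET_MAC_HASHES = frozenset(
    mac_hash(m) for m in ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff")
)


def is_targeted(mac: str, targets=TARGET_MAC_HASHES) -> bool:
    """True if this MAC's hash appears in the target list."""
    return mac_hash(mac) in targets


def targeted_in_inventory(macs, targets=TARGET_MAC_HASHES):
    """Return the canonical MACs from an inventory (any format) whose hash
    is in targets. Malformed entries are skipped rather than aborting the sweep."""
    hits = []
    for mac in macs:
        try:
            if is_targeted(mac, targets):
                hits.append(normalize_mac(mac))
        except ValueError:
            continue
    return hits


def local_mac() -> str:
    """Best-effort MAC of this host via uuid.getnode()."""
    return normalize_mac(f"{uuid.getnode():012x}")


if __name__ == "__main__":
    print("local NIC targeted:", is_targeted(local_mac()))
```

Run it against an export of MAC addresses from your asset inventory rather than one host at a time; the normalization step matters because switches, DHCP servers and endpoint agents each emit a different MAC format, and a single formatting mismatch would turn a hit into a miss.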



Supply chain attacks have been a growing threat for years. For any growing business, depending on partners lets the business focus on its core mission. In many cases this means making technology partnerships or adopting technology platforms through mergers and acquisitions. Any of these changes requires analysis to determine what new risks will be incurred. This week we’re focusing on recent news about supply chain attacks and the risks of taking on new technology through partnership or acquisition.



ConnectWise today announced the launch of ConnectWise Identify™, which allows managed service providers (MSPs) to assess their own and their customers’ current security posture against a wide variety of cybersecurity threats. The result is an easy-to-understand, customized risk report with remediation options, all from a single pane of glass, with implications for the entire business, not just the network.


Release Notes

March 25, 2019


New: Add sensor name to the Sensor Detail page
New: Org should persist on refresh
New: Improve Perchybana dashboard importing speed
New: Require users to sign ToS
New: Confirm emails for new users
New: Sensor outage emails
Bugfix: Fix counting issue on new record creation
Bugfix: Suppression statistics always show 0%
Bugfix: 2FA status shows as unknown
Bugfix: The remediation graph on the right isn’t displaying data
Bugfix: Sensor details do not load
Bugfix: IP count for MSP isn’t showing when MSP is selected
Bugfix: Details page is too wide and scrolls on some screens
Bugfix: Inaccurate private IP counts
Bugfix: Use Indices Queries to select indexes, keeping URLs short

Ever wonder what attackers do once they get code execution on your hosts? Easy: they roll out ransomware or crypto miners for maximum effect. This week we’re focusing on RATs, ransoms, and miners.

RATs!

Remote access trojans (RATs) on a corporate system can serve as a key pivot point for moving laterally within an enterprise network. By analyzing network metadata, Recorded Future analysts were able to identify RAT command-and-control (C2) servers and, more crucially, which corporate networks were communicating with those controllers.
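An added example, not Recorded Future’s method or Perch’s code, of the kind of metadata analysis the paragraph describes: given a set of known C2 addresses, it parses flow records, picks out internal (RFC 1918) hosts that contacted them, and scores how regular those contacts are, since a RAT check-in tends to beacon on a fixed interval. The flow lines, the C2 set and the “timestamp src dst dport bytes” record layout are all constructed for the example.

```python
"""Find internal hosts talking to known RAT C2 servers in flow metadata.

Added illustration; not Recorded Future's method or Perch's code. The
record format, the sample flows and the C2 list are constructed.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not real telemetry): "timestamp src dst dport bytes".
# 10.0.5.23 checks in with 203.0.113.10 every ~5 minutes; the rest is noise.
SAMPLE_FLOWS = """\
2019-04-01T10:00:00 10.0.5.23 203.0.113.10 443 812
2019-04-01T10:05:00 10.0.5.23 203.0.113.10 443 790
2019-04-01T10:10:01 10.0.5.23 203.0.113.10 443 815
2019-04-01T10:15:00 10.0.5.23 203.0.113.10 443 802
2019-04-01T10:03:17 10.0.7.9 198.51.100.5 80 15200
2019-04-01T10:04:02 10.0.7.9 93.184.216.34 443 4100
2019-04-01T10:20:00 10.0.9.40 203.0.113.10 8080 640
"""

# Constructed "known C2" set; in practice this comes from threat intelligence.
KNOWN_C2 = {"203.0.113.10", "198.51.100.5"}


def parse_flows(text):
    """Parse records into (datetime, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def c2_contacts(flows, c2):
    """Map (internal host, C2 address) -> sorted contact timestamps.

    Only private-range sources count: a public source talking to a C2 is
    somebody else's problem, and keeping it would pollute the host list.
    """
    contacts = defaultdict(list)
    for ts, src, dst, _dport, _nbytes in flows:
        if dst in c2 and ipaddress.ip_address(src).is_private:
            contacts[(src, dst)].append(ts)
    return {key: sorted(stamps) for key, stamps in contacts.items()}


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between contacts.

    Near 0 means a metronomic beacon; None when fewer than three contacts
    exist, because two gaps are the minimum needed to say anything.
    """
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def report(flows, c2, beacon_threshold=0.2):
    """One row per (host, C2) pair, busiest pairs first."""
    rows = []
    for (src, dst), stamps in c2_contacts(flows, c2).items():
        score = beacon_score(stamps)
        rows.append({
            "host": src,
            "c2": dst,
            "connections": len(stamps),
            "beacon_score": score,
            "beaconing": score is not None and score < beacon_threshold,
        })
    return sorted(rows, key=lambda r: (-r["connections"], r["host"]))


if __name__ == "__main__":
    for row in report(parse_flows(SAMPLE_FLOWS), KNOWN_C2):
        print(row)
```

The beacon score is what separates a host that is owned from a host that hit a C2 address once through a shared hosting provider; a single contact gets no score and should be triaged by hand, while a low score on a long series is about as strong a signal as flow metadata alone can give.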



This week we’re going to learn about some 0-day vulnerabilities that have been running wild. Then we’ll close out with some techniques red teamers and threat actors are using to bypass controls, pop shells, escalate privileges, and own your systems.

Four horsemen of the exploit apocalypse ride wild

In February, researchers reported to Microsoft that attackers in the wild were using a 0-day exploit to escalate Windows privileges. Microsoft has just released a patch crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery of a vulnerability in win32k.


Release Notes

March 11, 2019


New: Allow opening navigation links in new tabs
New: Child customer IP counts
New: Make comments more accessible
New: Side navigation revamp
New: Add option to open some links in existing or new tab
Bugfix: Since You’ve Been Gone does not wrap or truncate
Bugfix: No Analyzers to Run
Bugfix: Noisy alerts cause alert queue to back up
Bugfix: Some ConnectWise companies are not returned in configuration dropdown

This week we’re focusing on ransomware. Let’s take a look at two new pieces of ransomware, a ransomware infrastructure service, how ransomware is distributed, and what you can do about it. Spoiler: if you don’t already have plans to secure backups of your mission-critical data, you’re going to make some after this week’s threat report.

Jokeroo RaaS is ready for your SaaS

Last week I predicted a GandCrab variant would be released on a specific underground, and looky here.
