Threat reports


This week we’re covering:
Another round of COVID-19 miscreants targeting healthcare organizations and using the pandemic as a lure
A de-evolution in FIN7 tactics that moves from phishing e-mails to phishing snail-mails
Details on a critical vulnerability in a popular WordPress plugin that allows site hijacking
Sodin holding NEDA ransom

FBI report on Orangeworm RAT Kwampirs targeting healthcare
On March 30, 2020, the FBI released new information on a Kwampirs Remote Access Trojan (RAT) campaign by Orangeworm (aka Gorgon Group) targeting healthcare.

It should be no surprise that hackers are breaking their promises. The World Health Organization, FedEx, and U.S. Human Health Services are being used in COVID-19 lures. In other hacking news, the Russian FSB nabs 30 hackers in coordinated raids, and the window of opportunity is open for two unpatched Windows code execution vulnerabilities that are being actively exploited.

Threat actors using COVID-19 information as a lure
The spread of coronavirus disease 2019 (COVID-19) has led to a change in the attack surface of many organizations.

In this week’s threat report, we’re covering a new capability in the evolution of Trickbot, critical vulnerabilities in Adobe Reader and Adobe Acrobat, a code execution proof of concept (PoC) for Joomla, and a blog post by the Sodinokibi ransomware team that could shake up stock prices.

Trickbot learns new RDP brute force trick
On March 18, 2020, researchers identified a new module for the Trickbot banking Trojan called “rdpScanDll.” This new module brute-forces the Remote Desktop Protocol (RDP) and targets a specific list of victims operating in the telecommunication, education, and financial services industries in the United States and Hong Kong.

In this issue of the usually weekly threat report, we’ve got some hot news. Keep on the lookout for a new worm on the heels of an SMBv3 buffer overflow, Microsoft disrupts the Necurs botnet, hackers are actively exploiting Microsoft Exchange, and Magecart skims cards with a little help from Cloudflare. Let’s get this party started.

SMBv3 Buffer Overflow breaks ground for new worm
On March 10, 2020, Cisco Talos and Fortinet researchers leaked a new wormable vulnerability in the Microsoft Server Message Block (SMB) protocol before Microsoft’s regular Patch Tuesday update cycle.

This week we’ve got a warning from CISA on threats to critical U.S. infrastructure, we’re going phishing in Puerto Rico, celebrating Valentine’s Day with the FBI, and listening to chatter on the dark Web for upcoming threats. Let’s get this party started.

CISA warning for critical U.S. infrastructure
On February 18, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations across all U.S. critical infrastructure sectors about a recent ransomware attack that affected a natural gas compression facility.

It’s time for another usually weekly threat report. Last week we were really busy with a successful PerchyCon 2020, but we’ve gotten some interesting threats that we need to make you aware of this week.

Cisco Discovery Protocol vulnerability impacts millions
Cisco has disclosed five 0-day vulnerabilities in the Cisco Discovery Protocol (CDP), collectively dubbed “CDPwn.” CDP is a Cisco proprietary Layer 2 (Data Link Layer) network protocol that is used to share information about directly connected Cisco equipment.

Hello Perchy people. I’m happy to be back with the first threat report from Perch in 2020. I took a much-needed vacation, but the threats did not. This week we’re discussing an unpatched Citrix vulnerability with PoCs available, a critical vulnerability in Microsoft’s CryptoAPI disclosed by the NSA, a recent Emotet campaign targeting the United Nations, and a new strain of malware used by Iranian-linked APT34 dubbed POWDESK.

Citrix vulnerability running wild
In a research report published in December 2019, security researchers observed ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers, which are vulnerable to attacks exploiting CVE-2019-19781.

Happy Holidays from Perch! In this release of the usually weekly threat report we have a few threaty threats scrooging up the holidays and melting your change freezes. Emotet has gotten into the holiday spirit and is planning a Christmas party, your invitation is on the way. Threat actors on Perchy’s naughty list are leveraging ConnectWise Control to spread ransomware. And, critical code execution gifts in industrial control systems and routers pave the way for new Echobot variants.

In this week’s usually weekly threat report we have a bunch of new attacker tools, covering the Buer loader, CStealer malware, CallerSpy mobile malware, and the PyXie Remote Access Trojan (RAT). We’ve also got a cautionary tale for the threat actors that create and operate these tools, with the takedown of a RAT from Down Under.

Buer loads up baddies with new loader tool
Since late August 2019, a new downloader, Buer, has appeared in a variety of threat campaigns.

In this week’s usually weekly threat report, MageCart pops back on the scene with Macy’s, Phineas Phisher lands a suspected Cayman money laundering bank, the Roboto botnet targets Webmin, and two new backdoors get the spotlight.

MageCart goes card-skimming at Macy’s
Macy’s recently announced a data breach caused by implanted Magecart card-skimming code in Macy’s online payment portal. According to Macy’s notice, the company was alerted to a suspicious connection between macys.
