Threat reports


Hello Perchy people. I’m happy to be back with the first threat report from Perch in 2020. I took a much-needed vacation, but the threats did not. This week we’re discussing an unpatched Citrix vulnerability with POCs available, a critical vulnerability in Microsoft’s CryptoAPI disclosed by the NSA, a recent Emotet campaign targeting the United Nations, and a new strain of malware used by Iranian-linked APT34 dubbed POWDESK.

Citrix vulnerability running wild

In a research report published in December 2019, security researchers observed ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers, which are vulnerable to attacks exploiting CVE-2019-19781.



Happy Holidays from Perch! In this release of the usually weekly threat report we have a few threaty threats scrooging up the holidays and melting your change freezes. Emotet has gotten into the holiday spirit and is planning a Christmas party; your invitation is on the way. Threat actors on Perchy’s naughty list are leveraging ConnectWise Control to spread ransomware. And critical code execution gifts in industrial control systems and routers pave the way for new Echobot variants.



In this week’s usually weekly threat report we have a bunch of new attacker tools, covering the Buer loader, CStealer malware, CallerSpy mobile malware, and the PyXie Remote Access Trojan (RAT). We’ve also got a cautionary tale for the threat actors that create and operate these tools with the takedown of a RAT from Down Under.

Buer loads up baddies with new loader tool

Since late August 2019, a new downloader, Buer, has appeared in a variety of threat campaigns.



In this week’s usually weekly threat report MageCart pops back on the scene with Macy’s, Phineas Phisher lands a suspected Cayman money laundering bank, the Roboto botnet targets Webmin, and two new backdoors get the spotlight.

MageCart goes card-skimming at Macy’s

Macy’s recently announced a data breach caused by implanted Magecart card-skimming code in Macy’s online payment portal. According to Macy’s notice, the company was alerted to a suspicious connection between macys.



We’re back with another edition of the usually weekly threat report. This week we’re highlighting two critical vulnerabilities, a case of business email compromise for a medical school, and a Trickbot campaign targeting U.S. government offices.

Chrome vulnerability on Exploit.in with YouTube demo

If you haven’t updated Chrome recently, you might want to. In early November, a critical use-after-free vulnerability was disclosed for Google Chrome (CVE-2019-13720). Earlier this week a Proof-of-Concept exploit for the vulnerability was posted on YouTube by Tony Stack.



In this week’s threat report, we have a spooky threat actor just in time for Halloween. The Perch Security Operations Center (SOC) has discovered a threat campaign targeting a number of unpatched Drupal servers and other vulnerable web-server workloads in the United States in September. After analyzing the related malware that was building a botnet, they are ready to report. The Lucifer botnet was leveraged to send phishing emails taking advantage of a change in EU financial service regulations.



Did you miss us last week? We’ve been busy investigating some recent threats and have an update for you in this week’s threat report. Hackers get hacked for 26M cards, APT35 returns with a new campaign using non-standard link shorteners, Diamond Fox gets demo’d on YouTube, and Bishopfox releases a Pwn Pulse POC.

Hackers pilfer underground hack store for 26M stolen credit cards

One of the largest underground stores for buying stolen credit card data, BriansClub, was hacked.



Threat actors are focusing their attention on a number of different industries in this week’s threat report. U.S. Oil and Gas gets RATs, defense contractors with sensitive info are hit by ransomware, and a bunch of well-known online publishers are targeted for malvertising. It’s a good week to join your industry’s ISAC/ISAO if you have one. In addition to the industry-focused infections, we’ve got another critical EXIM vulnerability, and new Windows malware, Nodersok, is teaching lessons about living-off-the-land.



In this week’s threat report, we’re covering some out-of-band critical patches released by Microsoft to prevent code execution, a malspam campaign targeting U.S. utilities, some new variants of info-stealing malware for Mac, and a 0-day in popular forum software.

Microsoft releases emergency patches

Microsoft released two out-of-band security updates: one for a remote code execution vulnerability tracked as CVE-2019-1367 and one for a denial-of-service vulnerability tracked as CVE-2019-1255. CVE-2019-1367 allows attackers to execute arbitrary code in the context of the current user.



In this week’s threat report we’re covering a variety of topics. Summer is over and the fall malspam campaigns have arrived, multiple open databases have led to a loss of valuable data, and a wiry new malware dropper jumps into action. Let’s get this party started.

Summer vacation is over for Emotet

After taking the summer off, Emotet-infected hosts began communicating with command and control infrastructure on 9/16/19, which pushed updates to the bots and started a new malspam campaign.
