Threat reports


Buckle up, we have a big threat report this week. First, let’s talk about the critical vulnerabilities everyone is talking about, then catch up on some APT news. Then, we’ll get to the fun stuff. Data from U.S. Customs and Border Patrol ended up on the DarkWeb and Radiohead makes hacking history with its response to ransom demands.

Critical vulnerability: EXIM

If you weren’t aware, there was a recently disclosed vulnerability that allows code execution on Exim servers, both locally and remotely.


There’s a good variety in the top news over the last week. Let’s start with an update on the Norwegian MSP hack. Then take a look at a leaked tool OilRig APT uses to brute force Exchange servers. Finally, in crimeware we’re saying goodbye to GandCrab ransomware and hello to Monstercat’s RAT, KPOT Stealer.

StonePanda took the heat for RedBravo in Norwegian MSP hack

In early February, we spoke about a series of intrusions that were conducted between late 2017 and late 2018 by a Chinese state-sponsored actor against several companies, including a large Norwegian MSP.


The threats are out there, but sometimes they’re in our own house too. Over the last week we’ve learned about a number of large data leaks and breaches. We should be having serious discussions about data security, but instead Germany suggests an end to encryption. I’m not the only one throwing shade this week. Baddies are throwing Shade in a new ransomware campaign. Let’s dig in.

One billion records breached last week

Over the last week, the news was filled with disclosures from organizations about data leaks and data breaches.


Mea Culpa! I know I usually post this on Wednesday, but it’s been a very busy week at Perch. I’m working out of our Florida nest to meet new partners and collaborate with existing and new Perch threat intelligence partners. Lots of neat stuff happening this week, but I’m going to keep it short and sweet. No summary intro, we’re going in hot. Let’s get this party started.

SandboxEscaper drops 0-days and 0-day PoCs on Twitter

One of my new favorite security researchers to follow is SandboxEscaper, because of her impeccable timing for releases just after a Microsoft Patch Tuesday.


Lots of big game hunting in this weekly threat report. Forbes.com just got popped by credit card skimming pro MageCart. A number of nasty vulnerabilities are getting the spotlight in WhatsApp, Windows Remote Desktop, and SQLite. And Hidden Cobra, aka Lazarus, drops a new tunneling tool titled Electricfish.

Forbes Magazine compromised: MirrorThief skims MageCart’s modus operandi

We’ve covered MageCart a few different times over the last year, so I thought I’d make you aware of recent events in e-commerce skimming.


Get your hot keys ready, we have a boatload of indicators for you to copy and paste this week. But first, we need to cover some recent events in security. The IDF showed off its military response to cyber threats with a video release, APT Buckeye was hitting bullseyes a year early in a timeline revelation, and ransomware was getting busy on both sides of the pond in two recently disclosed breaches.


This week we’re looking at some crime stats related to the rise of ransomware, a DHS directive on patch management, a new strain of ransomware that leveraged a 0-day, the return of Magecart, and finally a vulnerability in IoT devices that could help Mirai variants grow up strong.

The rise of Ransomware

Cybercriminals have focused on businesses during Q1 2019, with consumer threats decreasing by 24% year over year while businesses have seen a 235% increase in the number of cyber-attacks.


Today we’re talking about some phishy fellows. Let’s start out with trends in phishing from 2018, then cover two APTs that lean on phishing with malicious documents to spread their malware infections, and an IE 0-day that enables phishers to bring home the sensitive-data bacon. Finally, in completely unrelated news, we’re closing out with a critical CERT advisory for Broadcom Wi-Fi chips. Hold on to your dongles!

State of the Phishy Union

Since we’re talking about an IE 0-day vulnerability that’s best used through phishing and a threat actor who primarily phishes with maldocs, I thought it would be good to start with some findings on the state of phishing in 2018 from PhishLabs.


We’ve got a quick update for you this week on some news that’s getting attention. APT34 hacking tools leaked, common VPN software has a critical vulnerability patched, and Microsoft underestimates the exploitability of a remote code execution vulnerability. Additionally, an information technology firm from India has been compromised and is being leveraged in attacks against its own customers. Let’s get going.

APT34 hacking tools leak

As reported by ZDNet, yesterday some of the tools used by the OilRig attack group were leaked by a group of Iranian hackers called “Lab Dookhtegan”.


This week Skylight Cyber bursts Kaspersky’s Shadowhammer bubble. Dive into some Apache and PHP 0-days. Also, both Cisco and Georgia Tech learn that there are no second chances in security.

BARIUM likely responsible for Shadowhammer

Kaspersky is slow dripping information on Shadowhammer, but the community is not waiting. Out of 57,000 observed infections, Kaspersky identified only 600 targets that Shadowhammer selected for second-stage infection. Shadowhammer identifies targets based on a unique identifier assigned to a network interface controller (NIC), called a media access control address (MAC address).
