Paul Scott

Paul Scott
on July 9, 2020

MSPs warned: You’re being hunted

MSPs warned: You’re being hunted

It’s another week in Perchy paradise, and in this week’s threat report we’re going to cover:

  • US Secret Service issues warning to MSPs
  • F5 fires back with their own perfect 10
  • Purple Fox learns some new tricks
  • EMERALD MAGPIE indicted by US DoJ

Secret Service warning for MSPs

The United States Secret Service released a warning on an increase in hacks involving compromised Managed Service Providers (MSPs).

According to the Secret Service, cybercriminals are targeting MSPs to conduct their attacks at scale and infect multiple companies through the same vector.

Buffalo Jumping is a tactic we noticed and predicted would increase in Perch’s 2020 MSP Threat Report. In the report, we defined a buffalo jump as an incident impacting multiple clients of a compromised MSP. A buffalo jump is like a supply chain attack at scale.

Targeting MSPs for a buffalo jump scales even better if threat actors target specific MSP software. That’s exactly what Perch observed after the ConnectWise disclosure of CVE-2020-14159. Two weeks ago, we published research on ENRAGED DUCK, a threat actor that responded to the disclosure with some aggressive scanning and exploitation attempts.

MSPs utilize multiple open source and enterprise software applications in the facilitation of remote administration. In the event of an MSP compromise, these applications are often used by bad actors to access their customer’s networks and conduct attacks.

Cybercriminals are leveraging compromised MSPs to conduct a variety of attacks, including point-of-sale intrusions, business email compromise (BEC), and ransomware attacks.

Best practices for MSPs:

• Have a well-defined service level agreement.

• Ensure remote administration tools are patched and up to date.

• Enforce least privilege for access to resources.

• Have well-defined security controls that comply with end user’s regulatory compliance.

• Perform annual data audits.

• Take into consideration local, state, and federal data compliance standards.

• Proactively conduct cyber training and education programs for employees.

Best practices for MSP Customers:

• Audit Service Level Agreements (SLAs).

• Audit remote administration tools being utilized in your environment.

• Enforce two-factor authentication for all remote logins.

F5 joins Citrix and Palo Alto in critical vulnerability party

There have been some major vulnerabilities recently disclosed in Citrix ADC, PAN OS, and now F5 BIG-IP.

F5 Networks recently disclosed a critical remote code execution vulnerability, CVE-2020-5902, impacting its BIG-IP device.

The vulnerability is rated “critical” and has a CVSS score of 10. BIG-IP devices are multi-purpose networking devices that are one of the most-used networking products. Clients using BIG-IP devices and solutions includes governments, Fortune 500 firms, banks, internet services providers, and consumer brands such as Microsoft, Oracle, and Facebook.

By July 4, multiple sources reported that unidentified threat actors were exploiting this vulnerability in an attempt to steal credentials.

On July 5, several security researchers shared proofs-of-concept for CVE-2020-5902 that would allow users to exfiltrate data from or execute commands on vulnerable devices. One of these example exploits was released as a Metasploit module.

CVE-2020-5902 allows an attacker to access the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller (ADC) without authentication and conduct remote code execution (RCE) attacks.

Additionally, it allows hackers to exfiltrate user credentials and traverse the device’s internal network. The following BIG-IP versions were identified as being vulnerable to attacks: 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, and 15.1.x.

F5 Networks released a patch for the devices on June 30, 2020. Organizations should update their BIG-IP devices to version,,, or to prevent the risk of malicious exploit of this vulnerability.

A detailed description of all the steps needed to implement mitigations can be found at F5’s CVE-2020-5902 security advisory.

Purple Fox learns new tricks

We have an update on Purple Fox, last covered by Perch in 2019. Purple Fox’s exploit kit (EK) has been updated to now include two exploits targeting critical, high-severity Microsoft flaws: CVE-2020-0674 and CVE-2019-1458.

The Purple Fox EK already targets two older Microsoft flaws, CVE-2018-8120 and CVE-2015-1701, and is known for distributing Purple Fox malware. The newly added exploits prove that Purple Fox operators continue to stay up to date on exploitable vulnerabilities and are modifying the exploit kit accordingly.

The updates were discovered in late June 2020 when researchers uncovered a malvertising campaign through which Purple Fox EK successfully exploited Internet Explorer 11 via CVE-2020-0674 on Windows 10.

CVE-2020-0674 is a critical scripting engine memory corruption vulnerability in Internet Explorer and was first disclosed by Microsoft in a January 2020 out-of-band security advisory. The flaw allows attackers to execute arbitrary code in the context of the current user. CVE-2020-0674 was patched in February 2020.

CVE-2019-1458 is a high-severity elevation-of-privilege vulnerability in Win32k, which has an exploit circulating in the wild (used in attacks like Operation WizardOpium). The exploit allows attackers to gain higher privileges on a compromised machine and avoid protection mechanisms in the Google Chrome browser.

The flaw, which has a CVSS score of 7.8 out of 10, was fixed by Microsoft as part of its December 2019 Patch Tuesday release.


Perch has been tracking and reporting on EMERALD MAGPIE, a threat actor selling backdoor access to hundreds of organizations worldwide, over the last two years.

In Perch’s 2020 MSP Threat Report, we spotlighted EMERALD MAGPIE as a threat actor for MSPs to be aware of. EMERALD MAGPIE infamously offered to sell access and source code to three major US anti-virus vendors.

The US Department of Justice (DoJ) claims the cybercriminal, who identified on underground forums as “FXMSP,” is a 37-year-old Kazakhstan citizen. The unsealed indictment from July 7 charges Andrey Turchin with running an ambitious hacking enterprise.

From at least October 2017 to December 2018, Turchin is accused of selling network access to companies, educational establishments, and government entities worldwide.

The five-count indictment charges Turchin with two counts of computer fraud and abuse, access device fraud, conspiracy to commit wire fraud, and conspiracy to commit computer hacking – all offenses that can be punishable by decades in prison.

EMERALD MAGPIE collected shiny network access baubles by scanning for open Remote Desktop Protocol (RDP) ports and conducting brute-force attacks to gain a foothold in networks.

Once inside, EMERALD MAGPIE would deploy malware, establish persistence, and exfiltrate credentials. The group monetized infections by selling access to other cybercriminals.

The DoJ says that at least 300 organizations worldwide were victims, including 30 in the United States. Network access offerings sold from thousands of dollars to over $100,000, depending on the organization.

EMERALD MAGPIE has made “a substantial but unknown amount in illicit profits,” prosecutors added, while compromised organizations have faced damage limitation bills reaching tens of millions of dollars to clean up their networks. In last week’s threat report, we covered some research on EMERALD MAGPIE earning estimates.

US Attorney Brian Moran commended Kazakhstan for assisting in the investigation, but prosecutors did not confirm if Turchin has been arrested on these charges. EMERALD MAGPIE’s time is limited.

That’s all for this week. Keep it Perchy!

  • Paul

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to

Next: The dreadful 10: Palo Alto’s vuln earns perfect CVSS score

Share this on:

Paul Scott

Paul Scott
on July 9, 2020

Perchy Subscribe to our blog