Threat Report

Thursday May 23rd 2019

Mea Culpa! I know I usually post this on Wednesday, but it’s been a very busy week at Perch. I’m working out of our Florida nest to meet new partners and collaborate with existing and new Perch threat intelligence partners. Lots of neat stuff happening this week, but I’m going to keep it short and sweet. No summary intro, we’re going in hot. Let’s get this party started.

Sandbox escaper drops 0-days and 0-day PoCs on Twitter

One of my new favorite security researchers to follow is SandboxEscaper because of her impeccable timing for releases just after a Microsoft Patch Tuesday. The chaos is exciting. We previously covered 0-day drops by the researcher in past threat reports. Check out SandboxEscaper’s GitHub. Or, read more on The Hacker News. Also, some demo YouTube videos were posted online by SandboxEscaper.

Holy Secure-backups, Batman! Baltimore systems still being held ransom after two weeks.

Are you surprised to hear that Baltimore is still being held hostage by ransomware after two weeks? Hackers are demanding 13 bitcoin, or approximately 100,000 dollars by some estimates. City systems are still down. Surely it would be cheaper for them to just pay the ransom if they didn’t have proper backups. Friends, check on your backups. And, don’t let your backups be overwritten with infected backups. Or, don’t let attackers delete your backups. Good backups are the best defense against ransomware.

Baltimore Mayor Bernard C. “Jack” Young said in a statement on Friday that it’s unclear when the city’s systems would be available.

“I am not able to provide you with an exact timeline on when all systems will be restored. Like any large enterprise, we have thousands of systems and applications. Our focus is getting critical services back online, and doing so in a manner that ensures we keep security as one of our top priorities throughout this process. You may see partial services beginning to restore within a matter of weeks, while some of our more intricate systems may take months in the recovery process,” he said.

“Some systems are being rebuilt,” said Young. “We are well into the restorative process, and as I’ve indicated, are cooperating with the FBI on their investigation. Due to that investigation, we are not able to share information about the attack.”

BlueKeep is coming. Don’t mess up your RDP patches.

Security researchers have created working exploits for the remote code execution vulnerability in Microsoft’s Remote Desktop Services, tracked as CVE-2019-0708 and dubbed BlueKeep. We can expect that the threatened BlueKeep wave is about to begin.

CVE-2019-0708 confirmed exploitable

We covered this vulnerability last week, noting that Microsoft released patches for previously end-of-life (EoL) OS versions. If you didn’t update then, please update now. The original patch did not fully cover the vulnerability. Make sure you have the latest patch for this vulnerability. If you need an IDS signature to detect this wave, check out this baby.

alert tcp any any -> any 3389 (msg:"NCC GROUP RDP connection setup with MS_T120 channel, potential CVE-2019-0708"; flow:to_server,established; content:"|03 00|"; offset:0; depth:2; content:"|02 f0|"; distance:2; within:2; content:"|00 05 00 14 7c 00 01|"; within:512; content:"|03 c0|"; distance:3; within:384; content:"MS_T120|00|"; distance:6; within:372; threshold: type limit, track by_src, count 2, seconds 600; classtype:bad-unknown; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708; sid:1; rev:1;)
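To show what that signature actually keys on, here is an added illustration (example code, not part of the original report and not NCC Group’s rule) that emulates the rule’s chain of content matches with their offset/depth/distance/within modifiers, walks the CS_NET block to list the static virtual channels a client requests, and runs both over a constructed MCS Connect-Initial PDU. The PDU builder, the placeholder domain-parameter bytes and the channel lists are constructed for the example; only the byte patterns come from the rule.

```python
import struct

# Byte patterns taken from the NCC Group signature above; everything else in this
# block is an added illustration, not code from the report or from NCC Group.
T124_OID = b"\x00\x05\x00\x14\x7c\x00\x01"   # T.124 ConferenceCreateRequest object id
CS_NET_TYPE = b"\x03\xc0"                      # CS_NET (0xC003) block header, little-endian
TARGET_CHANNEL = b"MS_T120\x00"                # channel name the signature looks for


def content_match(payload, pos, pattern, offset=None, depth=None, distance=0, within=None):
    """Emulate one Snort/Suricata 'content' keyword with its modifiers.

    offset/depth search from the start of the payload; distance/within search
    relative to the end of the previous match (pos). Returns the offset just
    past the match, or None when the pattern is not inside the window.
    """
    if offset is not None:
        start = offset
        end = len(payload) if depth is None else offset + depth
    else:
        start = pos + distance
        end = len(payload) if within is None else start + within
    idx = payload.find(pattern, start, end)   # find() needs the whole pattern inside [start, end)
    return None if idx == -1 else idx + len(pattern)


# The signature's content chain, in order, with the modifiers it uses.
BLUEKEEP_RULE_CHAIN = [
    dict(pattern=b"\x03\x00", offset=0, depth=2),         # TPKT version header
    dict(pattern=b"\x02\xf0", distance=2, within=2),      # X.224 Data TPDU right after the TPKT length
    dict(pattern=T124_OID, within=512),                   # GCC ConferenceCreateRequest in MCS Connect-Initial
    dict(pattern=CS_NET_TYPE, distance=3, within=384),    # client network data block header
    dict(pattern=TARGET_CHANNEL, distance=6, within=372), # skip length + channelCount, then the name
]


def matches_bluekeep_rule(payload: bytes) -> bool:
    """Return True when the payload satisfies every content match in the chain."""
    pos = 0
    for step in BLUEKEEP_RULE_CHAIN:
        pos = content_match(payload, pos, **step)
        if pos is None:
            return False
    return True


def requested_channels(payload: bytes) -> list:
    """Parse the CS_NET block and return the static virtual channel names the client asks for.

    Naive locator: takes the first 0xC003 header after the T.124 OID, which is
    enough for the constructed sample below but is not a full MCS/GCC parser.
    """
    oid = payload.find(T124_OID)
    hdr = payload.find(CS_NET_TYPE, oid) if oid != -1 else -1
    if hdr == -1 or hdr + 8 > len(payload):
        return []
    _type, _length, count = struct.unpack_from("<HHI", payload, hdr)
    names, off = [], hdr + 8
    for _ in range(count):
        if off + 12 > len(payload):
            break
        name = payload[off:off + 8].split(b"\x00", 1)[0].decode("ascii", "replace")
        names.append(name)
        off += 12                                # 8-byte name + 4-byte options
    return names


def build_connect_initial(channels) -> bytes:
    """Construct a simplified MCS Connect-Initial PDU (TPKT + X.224 + MCS + GCC) for testing.

    Constructed sample, not a capture: BER domain parameters are replaced by
    placeholder bytes, and only a stub CS_CORE block and the CS_NET block are emitted.
    """
    channel_defs = b"".join(n.encode().ljust(8, b"\x00")[:8] + struct.pack("<I", 0) for n in channels)
    cs_net = struct.pack("<HHI", 0xC003, 8 + len(channel_defs), len(channels)) + channel_defs
    cs_core = struct.pack("<HH", 0xC001, 8) + b"\x04\x00\x08\x00"   # stub core block: version only
    user_data = cs_core + cs_net
    gcc = (T124_OID + b"\x2a\x14\x76\x0a\x01\x01\x00\x01\xc0\x00Duca"
           + struct.pack(">H", 0x8000 | len(user_data)) + user_data)
    mcs = b"\x7f\x65" + b"\x00" * 12 + gcc       # Connect-Initial tag, placeholder domain parameters
    x224 = b"\x02\xf0\x80"
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224) + len(mcs)) + x224 + mcs


if __name__ == "__main__":
    for chans in (["rdpdr", "MS_T120"], ["rdpdr", "cliprdr"]):
        pdu = build_connect_initial(chans)
        print(requested_channels(pdu), "->", "ALERT" if matches_bluekeep_rule(pdu) else "clean")
```

The emulation covers only the content chain; the rule’s flow:to_server,established and threshold keywords apply per TCP session inside the IDS and are not modelled here. The point to take away is that the signature fires on a client asking for the MS_T120 channel by name during connection setup, which no normal RDP client does, so a hit is worth triaging even on a patched host.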

Paul Scott