Irish Information Security Forum

The CISO Monthly Roundup

Source: revolutionaries.zscaler.com
Release Date: Sept 05, 2023

The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with CISO insights on other cyber-related subjects. Over the past month, ThreatLabz deconstructed DuckTail operations, analyzed Statc Stealer, JanelaRAT and Agniane Stealer, provided insights on the SEC's new cybersecurity policies, and issued NetScaler security advisories.

A deep dive into DuckTail

In May, Zscaler ThreatLabz began an intensive three-month analysis that gave us valuable insight and critical information about DuckTail's operational framework.

Zscaler have documented an extensive analysis of DuckTail's intrusion techniques, compromise tactics, post-compromise procedures, and activities in the underground economy. Many of these insights have not been previously documented, but are now available to help others understand DuckTail's targets and strategic motives.

Figure 1: DuckTail abuses social media and cloud platforms over multiple attack stages

 

The Zscaler team discovered DuckTail threat actors primarily use social engineering to target users working in digital marketing and advertising so they can gain access to business accounts. They often create fake job postings on LinkedIn as a lure, then send applicants malware disguised as interview-related material. Once threat actors gain access to these accounts, they abuse security features to lock out victims. The group uses Telegram to perform C2 communications. Compromised accounts are sold on a Vietnamese underground market.

Learn more about DuckTail

Studying Statc Stealer

The Zscaler ThreatLabz team has recently uncovered Statc Stealer, an information-stealing malware that specifically targets Windows-powered devices.

It spreads via a malicious Google advertisement that infects computers when clicked. Statc infiltrates systems, steals sensitive data, and employs sophisticated evasion techniques to avoid detection. In our detailed analysis, we unveil the malware's distribution methods and evasion strategies to provide crucial insights for safeguarding against this threat.

Figure 2: Statc Stealer attack chain

Statc Stealer exhibits a wide variety of stealing capabilities. It captures sensitive data and passwords from multiple browsers, cryptocurrency wallets, and messaging apps. The malware uses techniques such as filename checks and encryption to evade analysis and detection. Statc Stealer’s ability to exploit various apps for data theft highlights the importance of implementing comprehensive security measures. 

Read full Statc Stealer analysis here

Analyzing JanelaRAT

ThreatLabz recently discovered a Portuguese-speaking threat group targeting financial and crypto data in Latin American organizations. The adversaries are using a heavily modified variant of BX RAT, so Zscaler are calling their current malware JanelaRAT.

In its bid to steal data, JanelaRAT employs several tactics, techniques, and procedures (TTPs) such as DLL side-loading, dynamic C2 infrastructure, and a multi-stage attack.

Figure 3: End-to-end attack chain of the campaign used to distribute JanelaRAT

JanelaRAT captures window title strings to identify and steal relevant financial and banking data. Its dynamic socket configuration lets it rotate C2 domains daily. It also performs DLL side-loading through legitimate processes (such as VMware and Microsoft binaries) to evade endpoint detection.

Read more about JanelaRAT here

Agniane Stealer: The dark web's crypto threat

Agniane Stealer, a service sold on the dark web, steals sensitive information like credentials, session details, and crypto wallet data.

Zscaler believe Agniane Stealer belongs to the Malware-as-a-Service (MaaS) platform Cinoshi Project, as the two share similar code structures. During their investigation they discovered a Telegram channel sharing updates and pricing information for this malware.

Figure 4: Project information indicating that Agniane Stealer is very likely part of the Cinoshi Project

Agniane Stealer exfiltrates data from web browsers, Telegram sessions, Discord tokens, Steam, WinSCP, FileZilla sessions, crypto extensions, and crypto wallets. In its quest to remain undetected, Agniane Stealer looks for various types of security analysis software like malware sandboxes, emulators, and VirtualBox. It also leverages WMI to obtain CPU information, GPU details, and identify installed antivirus software. Agniane Stealer transfers stolen information to its command-and-control (C&C) servers and then removes its subfolder from the compromised machine.
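Detection logic for two of the behaviours described above, added here as an example that is not part of the original roundup or of Zscaler's research: it flags JanelaRAT-style DLL side-loading (an unsigned DLL loaded from a user-writable directory) and Agniane-style host fingerprinting through WMI (one process reading CPU, GPU and antivirus inventory classes). The pipe-separated event format, its field names, the sample telemetry lines and the WMI class names used for matching are all constructed assumptions, not values taken from the reports.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Directories an ordinary user can write to; a DLL loaded from one of these by a
# legitimately named process is the classic side-loading footprint.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE,
)

# WMI classes commonly read to fingerprint a host. This mapping is an assumption;
# the report only says CPU, GPU and antivirus details are collected.
FINGERPRINT_CLASSES = {
    "win32_processor": "cpu",
    "win32_videocontroller": "gpu",
    "antivirusproduct": "av",
}

# Constructed sample telemetry: one event per line, pipe-separated key=value fields.
# Vendor, user and binary names are made up.
SAMPLE_EVENTS = r"""
type=image_load|process=C:\Program Files\ExampleVendor\vendortool.exe|module=C:\Program Files\ExampleVendor\helper.dll|module_signed=true
type=image_load|process=C:\Users\alice\AppData\Local\Temp\vm\vendortool.exe|module=C:\Users\alice\AppData\Local\Temp\vm\helper.dll|module_signed=false
type=image_load|process=C:\Windows\System32\svchost.exe|module=C:\Windows\System32\ws2_32.dll|module_signed=true
type=wmi_query|process=C:\Program Files\InventoryAgent\agent.exe|namespace=root\cimv2|query=SELECT Name FROM Win32_Processor
type=wmi_query|process=C:\Users\alice\Downloads\invoice.exe|namespace=root\SecurityCenter2|query=SELECT displayName FROM AntiVirusProduct
type=wmi_query|process=C:\Users\alice\Downloads\invoice.exe|namespace=root\cimv2|query=SELECT Name FROM Win32_VideoController
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn key=value|key=value lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(field.split("=", 1) for field in line.split("|")))
    return events


def detect_sideloading(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag unsigned DLLs loaded from user-writable locations."""
    hits = []
    for ev in events:
        if ev.get("type") != "image_load":
            continue
        module = ev.get("module", "")
        if (module.lower().endswith(".dll")
                and ev.get("module_signed") == "false"
                and USER_WRITABLE.match(module)):
            hits.append({"process": ev["process"], "module": module,
                         "reason": "unsigned DLL loaded from user-writable path"})
    return hits


def detect_wmi_fingerprinting(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Group WMI queries per process; alert on any antivirus inventory lookup,
    or on two or more fingerprinting classes read by the same process."""
    per_process = defaultdict(set)
    for ev in events:
        if ev.get("type") != "wmi_query":
            continue
        match = re.search(r"\bFROM\s+(\w+)", ev.get("query", ""), re.IGNORECASE)
        if match and match.group(1).lower() in FINGERPRINT_CLASSES:
            per_process[ev["process"]].add(FINGERPRINT_CLASSES[match.group(1).lower()])
    return [{"process": proc, "classes": sorted(kinds)}
            for proc, kinds in per_process.items()
            if "av" in kinds or len(kinds) >= 2]


def run_detections(text: str = SAMPLE_EVENTS) -> Dict[str, list]:
    """Run both detections over one telemetry extract and return the findings."""
    events = parse_events(text)
    return {"sideloading": detect_sideloading(events),
            "wmi_fingerprinting": detect_wmi_fingerprinting(events)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

Against the constructed sample, the signed vendor DLL in Program Files and the System32 load pass, only the unsigned copy in the user's Temp folder is reported, and the inventory agent that reads just the CPU class stays below the threshold while the process that reads both the antivirus and GPU classes is flagged. The user-writable path list and the two-class threshold are tuning knobs; a real deployment would feed this from an EDR or Sysmon export rather than an inline string.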

Read full analysis of Agniane Stealer

The impact of the SEC's new cybersecurity policies - CISO perspective

The U.S. Securities and Exchange Commission's (SEC) new cybersecurity policies, introduced in July 2023, demand that public companies promptly report significant cyber incidents and share details about their cybersecurity strategies.

These new regulations aim to enhance transparency and cyber accountability by fostering informed stakeholders and encouraging robust risk management.

  • These rules enforce swift reporting within four business days through Form 8-K, with exceptions for limited delays due to national security. 
  • The definition of a cybersecurity incident is expanded to include related unauthorized events for more comprehensive reporting. 
  • From December 15, 2023, annual Form 10-K reports must include information on cybersecurity risk management, strategy, and governance, although board members’ expertise disclosure is optional. 
  • Compliance deadlines vary by company size and disclosure type.

Read full article here

Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)

On July 18, Citrix issued a security advisory highlighting a critical vulnerability (CVE-2023-3519) with a CVSS score of 9.8.

The vulnerability has gained considerable attention due to reports of its use in active zero-day attacks. When successfully exploited, attackers can install web shells on crucial infrastructure.

Figure 5: Attack chain of Citrix Gateway CVE-2023-3519 unauthenticated remote code execution

The exploitation of CVE-2023-3519 involves triggering a stack buffer overflow through a specially crafted HTTP GET request, potentially leading to arbitrary code execution with "root" privileges. The attack chain includes uploading a file containing a web shell and exploiting privilege escalation mechanisms to access Active Directory credentials.

The advisory also highlights other vulnerabilities:

  • CVE-2023-3466 - A reflected Cross-Site Scripting (XSS) flaw that requires accessing an attacker-controlled link while on the NetScaler’s IP (NSIP).
  • CVE-2023-3467 - A Privilege Escalation vulnerability needing authenticated access to NSIP or SNIP, with management interface access.

Users are advised to upgrade affected applications. Countermeasures, including network-segmentation controls, have thwarted attempts to exploit the vulnerability. 
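A baseline integrity check over a web root, added here as an example and not Zscaler's, Citrix's or the IISF's code: after the kind of compromise described above, the durable observable is a new or altered server-side script, and comparing a known-good hash manifest against a fresh snapshot surfaces it. The /srv/www paths and the file contents below are constructed in memory so the check runs offline; on an appliance the snapshot function would walk the real web root instead.

```python
import hashlib
from typing import Dict, List, Tuple

# Server-side script extensions: a new or changed file of one of these types is
# the classic footprint of a dropped web shell, so it gets the highest severity.
SCRIPT_EXT = (".php", ".pl", ".py", ".cgi", ".sh")


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its content.

    In-memory stand-in for walking a web root and hashing every file."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_webroot(baseline: Dict[str, str],
                 current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Compare two manifests and return (change, path, severity) findings,
    added files first, then modified, then removed."""
    findings = []
    for path in sorted(set(current) - set(baseline)):
        sev = "high" if path.lower().endswith(SCRIPT_EXT) else "medium"
        findings.append(("added", path, sev))
    for path in sorted(set(baseline) & set(current)):
        if baseline[path] != current[path]:
            sev = "high" if path.lower().endswith(SCRIPT_EXT) else "medium"
            findings.append(("modified", path, sev))
    for path in sorted(set(baseline) - set(current)):
        findings.append(("removed", path, "low"))
    return findings


# Constructed content for a golden (known-good) web root and a later snapshot.
BASELINE_FILES = {
    "/srv/www/logon/index.html": b"<html><body>Sign in</body></html>",
    "/srv/www/logon/app.js": b"console.log('login');",
    "/srv/www/logon/favicon.ico": b"\x00\x00\x01\x00",
}
CURRENT_FILES = {
    "/srv/www/logon/index.html": b"<html><body>Sign in</body></html>",
    "/srv/www/logon/app.js": b"console.log('login');document.title='x';",
    # An unexpected PHP file in a cache directory; content is a harmless placeholder.
    "/srv/www/logon/cache/cfg.php": b"<?php /* placeholder: unexpected server-side script */ ?>",
}


def run_check() -> List[Tuple[str, str, str]]:
    """Hash both constructed trees and report what changed."""
    return diff_webroot(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))


if __name__ == "__main__":
    for change, path, severity in run_check():
        print(f"{severity:6} {change:9} {path}")
```

Because the advisory describes code execution as root, a manifest stored on the same box can be rewritten by whoever exploited it; keep the baseline off the appliance (or signed with a key the appliance does not hold) and run the comparison from a separate host. Hashing beats modification timestamps here, since timestamps are trivially reset after a file drop.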

Read full report here

If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
IISF Secretary:

By email:
secretary@iisf.ie

By post:

David Cahill

Information Security

GPO, 1-117
D01 F5P2
