
Ankura CTIX FLASH Update - October 24, 2023

Malware Activity: 

Researchers Detail New Information-Stealer, "ExelaStealer," Capabilities and Premium Pricing 

“ExelaStealer,” a newly discovered information-stealing malware, has been observed being offered for sale on hacking forums as well as in a dedicated Telegram channel run by its operators, “quicaxd.” ExelaStealer is written mainly in Python and is described as a "largely open-source infostealer with paid customizations available from the threat actor." The paid version of ExelaStealer currently costs $20 per month, $45 for three (3) months, or $120 for a lifetime license, pricing that allows threat actors of all skill levels to conduct malicious cyberattacks using the malware. Researchers noted evidence that ExelaStealer is being distributed through an executable disguised as a PDF document, a lure commonly observed in phishing and watering hole attacks.

The infostealer currently targets Windows users and can exfiltrate passwords, Discord tokens, screenshots, keystrokes, credit card data, cookies, session data, and clipboard data. Researchers explained that the first public mention of ExelaStealer occurred in August 2023. Technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.

Threat Actor Activity: 

International Law Enforcement Takes Down Ragnar Locker's Key Developer and Ransomware Infrastructure 

Officials at Europol announced on October 20, 2023, that the suspected developer of the Ragnar Locker ransomware group had been arrested by law enforcement in Paris, France. Law enforcement also searched the unnamed key suspect's house in Czechia, seized the group's ransomware infrastructure in the Netherlands, Germany, and Sweden, and took down the group's associated Tor data leak website. The successful takedown of one of the oldest continuously operating ransomware groups is another big step forward in the international effort to stop ransomware operators and cybercriminals.

The French National Gendarmerie, together with law enforcement authorities from Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the United States, conducted several raids and other coordinated operations to bring the suspected developer of the Ragnar Locker group before the examining magistrates of the Paris Judicial Court.

The Ragnar Locker ransomware gang first emerged in December 2019 and is believed to have attacked as many as one hundred sixty-eight (168) international companies since 2020, primarily targeting critical infrastructure entities around the world, with notorious attacks on the computer chip manufacturer ADATA, aviation giants Dassault Falcon and Air Portugal, and the Greek natural gas operator DESFA. The Federal Bureau of Investigation (FBI) released a separate study detailing that the group's ransomware had been deployed on the networks of at least fifty-two (52) critical infrastructure organizations in the United States alone between April 2020 and March 2022.

Ragnar Locker, which is the name of both the group and its ransomware strain, did not operate in the typical fashion of modern ransomware gangs, which often use a Ransomware-as-a-Service (RaaS) model. The group instead operated semi-privately and avoided actively recruiting affiliates. It had a detailed organizational structure consisting of researchers responsible for discovering vulnerabilities, combined with proficient hackers who deployed the ransomware once vulnerabilities had been found. The gang was well known for double extortion, demanding ransoms both for the data decryption tool and for the guarantee not to release sensitive stolen information. CTIX analysts will continue to report on the ongoing dance between international law enforcement collaboration and cybercriminal activities.

Vulnerabilities: 

Critical Zero-day Bugs in Cisco Devices Under Active Exploitation to Deliver Malware to Thousands of Vulnerable Systems 

Cisco, the IT services and product solutions manufacturer, has disclosed that two (2) critical zero-day vulnerabilities have been chained together and actively exploited by unknown threat actors to deliver a malicious Lua-based backdoor to thousands of enterprise network devices. The flaws affect the web UI feature of Cisco's Internetwork Operating System (IOS). The first vulnerability in the attack chain, tracked as CVE-2023-20198 (CVSS score 10/10), allows remote unauthenticated attackers to create local user and password combinations with privilege level 15 access, facilitating the complete takeover of vulnerable systems. The second flaw, tracked as CVE-2023-20273 (CVSS score 7.2/10), is a privilege escalation vulnerability used alongside the first bug, allowing the threat actor to escalate the permissions of the newly created user to root.

Although this attack chain can be devastating where exploited, it only impacts enterprise networking devices that have the web UI feature enabled and exposed to the public internet or to untrusted networks. Administrators were urged to completely disable the HTTP server feature before the vulnerabilities were patched on October 22, 2023. CTIX analysts recommend that all administrators responsible for the affected devices ensure that they are running the most up-to-date firmware to prevent a network compromise.
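As an added defensive example (not part of the original update or any Cisco tooling), the following script audits a saved IOS-style running-config for the two conditions the chain above depends on: the web UI (HTTP/HTTPS server) being enabled, and local privilege-15 accounts that are not on an approved list, since the first bug is abused to create such accounts. The sample config and the usernames in it are constructed; the only real IOS commands assumed are `ip http server`, `ip http secure-server`, `username ... privilege 15` and their `no` forms.

```python
import re
from typing import Dict, List, Set

# Constructed sample of an IOS-style running-config (not captured from any real device).
SAMPLE_CONFIG = """\
!
hostname edge-router-1
!
username netadmin privilege 15 secret 9 $9$constructed
username tmpuser01 privilege 15 secret 9 $9$constructed
username helpdesk privilege 5 secret 9 $9$constructed
!
ip http server
ip http secure-server
!
"""

def audit_web_ui(config: str, expected_admins: Set[str]) -> Dict[str, object]:
    """Flag the exposure the CVE-2023-20198/20273 chain relies on: web UI enabled,
    plus any local privilege-15 user not on the approved admin list."""
    http_enabled = https_enabled = False
    priv15_users: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            http_enabled = True
        elif line == "ip http secure-server":
            https_enabled = True
        else:
            m = re.match(r"^username (\S+) privilege 15\b", line)
            if m:
                priv15_users.append(m.group(1))
    return {
        "web_ui_enabled": http_enabled or https_enabled,
        "http_enabled": http_enabled,
        "https_enabled": https_enabled,
        "privilege15_users": priv15_users,
        "unexpected_privilege15_users": sorted(set(priv15_users) - expected_admins),
    }

def remediation_commands(findings: Dict[str, object]) -> List[str]:
    """Config lines that disable the web UI (the mitigation administrators were urged
    to apply), emitted only for the servers actually found enabled."""
    cmds: List[str] = []
    if findings["http_enabled"]:
        cmds.append("no ip http server")
    if findings["https_enabled"]:
        cmds.append("no ip http secure-server")
    return cmds

if __name__ == "__main__":
    result = audit_web_ui(SAMPLE_CONFIG, {"netadmin"})
    print(result)
    print(remediation_commands(result))
```

Unexpected privilege-15 accounts are a reason to investigate the device, not merely to delete the user; applying the vendor patch remains the fix.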


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
