Security Advisory – Ducktail Infostealer Facebook Attack

On 26 July, WithSecure published new research on an infostealer campaign that targets Facebook Business accounts and other social media accounts of publicly exposed people (commonly known as “influencers”). The adversary, whose operation is called “DUCKTAIL”, directly targets the employees of those influencers who administer the accounts and tries to obtain the administrators' session cookies. Targets are identified by searching LinkedIn and other publicly available information. Once the attackers have found a suitable victim, they send phishing mails or call the victim directly to persuade them to download and execute the malware. After execution, the malware steals all data stored in the browsers on that device, including the session cookies, and uses them to bypass multi-factor authentication. Because a stolen session cookie represents an already authenticated session, password policies and MFA alone do not prevent this attack.

How to protect myself from that?

If you are a customer of Zettasecure, there is nothing you need to do yourself. We have already implemented several SIGMA rules in your organization that detect various stages of the attack lifecycle, and we will notify your company if anything is detected.

If you are not a customer, consider implementing the following:

  • Use an up-to-date Endpoint Detection and Response (EDR) solution (such as SentinelOne Complete).
  • Conduct awareness training on how to recognise phishing mails.
  • Assess your attack surface so you know which employees might be targeted.
  • Review your Facebook Business users -> Business Manager > Settings > People.
  • Revoke access for unknown users and check all your devices.
  • Review your YouTube Brand Account users -> Settings > Account > Add or remove manager(s). Revoke access for unknown users and check all your devices.
  • Log out after every session and log in again at the next one: logging out invalidates the session cookie on the server side, so a stolen copy becomes useless. A password manager makes the repeated logins painless.
  • Use MFA on all manager accounts. It does not protect an already authenticated session, but it still stops attackers who have obtained only the password.

How to detect if I am currently affected?

Check your infrastructure for the following Indicators of Compromise (IoCs):
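Independently of indicator matching, the stage described at the top of this advisory, a freshly downloaded executable reading the browser's cookie store, can be hunted for behaviourally. The following Python is an added example of such detection logic, not one of the Zettasecure SIGMA rules or anything from the WithSecure research. It assumes a file-access telemetry source that records the accessing process image and the target path (for instance Windows object-access auditing with a SACL on the profile directory, or an EDR file-access feed); the event schema, the file paths, the process name `sample_dropper.exe` and the sample events are all constructed for the example. It goes slightly beyond the Chrome "Default" profile and also matches any Chromium profile directory (old and new "Network" layout) as well as Firefox.

```python
"""Behavioural detection example, added for this advisory; it is not the
WithSecure research's or Zettasecure's own Sigma rule.

Flags a process other than the browser itself opening a browser's cookie
store, which is the step at which a session cookie leaves the device.
Assumes a file-access telemetry source that records the accessing process
image and the target path. Field names, paths and the sample events below
are constructed for this example.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Cookie stores of Chromium-based browsers (any profile directory, with or
# without the newer "Network" sub-directory) and Firefox, matched
# case-insensitively on the tail of the path.
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\user data\\[^\\]+\\(?:network\\)?cookies$", re.IGNORECASE),
    re.compile(r"\\cookies\.sqlite$", re.IGNORECASE),
]

# Image names that legitimately open those files. Tune per environment
# (backup agents, the browser's own updater) before deploying.
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


@dataclass(frozen=True)
class FileAccessEvent:
    """One file-access record (constructed schema, not a real event format)."""
    process: str   # full path of the accessing image
    path: str      # file that was opened
    user: str      # account the process ran as


def is_cookie_store(path: str) -> bool:
    """True if the path points at a known browser cookie database."""
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def is_suspicious(event: FileAccessEvent) -> bool:
    """Cookie store opened by something that is not an allow-listed browser."""
    if not is_cookie_store(event.path):
        return False
    image = ntpath.basename(event.process).lower()
    return image not in ALLOWED_IMAGES


def suspicious_images(events) -> list[str]:
    """Distinct offending image paths, for triage and follow-up hunting."""
    return sorted({e.process for e in events if is_suspicious(e)})


# Constructed sample telemetry: the browser touching its own store (benign),
# a freshly downloaded executable reading the Chrome and Firefox stores
# (the infostealer stage), and unrelated noise.
SAMPLE_EVENTS = [
    FileAccessEvent(
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
        "alice"),
    FileAccessEvent(
        r"C:\Users\alice\Downloads\sample_dropper.exe",   # constructed name
        r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
        "alice"),
    FileAccessEvent(
        r"C:\Users\alice\Downloads\sample_dropper.exe",
        r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\cookies.sqlite",
        "alice"),
    FileAccessEvent(
        r"C:\Windows\System32\notepad.exe",
        r"C:\Users\alice\Documents\notes.txt",
        "alice"),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        if is_suspicious(event):
            print(f"ALERT user={event.user} image={event.process} file={event.path}")
```

On the constructed events this raises two alerts, both for `sample_dropper.exe`, and stays silent for the browser's own access and for unrelated files. In a real deployment the allow-list is the part that needs tuning, and the alert is far stronger when correlated with the earlier stages of the lifecycle described above: an executable that arrived via a mail or chat link and was launched from the user's download directory shortly before it touched the cookie store.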
