Emerging Threats

CISO Monthly Roundup, October 2023: Threatlabz Enterprise IoT and OT Threat Report, IdP vendor compromise, analysis of Mystic Stealer, BunnyLoader, and AvosLocker

Nov 06, 2023
CISO Monthly Roundup, October 2023 CISO Monthly Roundup, October 2023

The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with CISO insights on other cyber-related subjects. Over the past month, Threatlabz released the 2023 Enterprise IoT and OT Threat Report, examined IdP vendor compromise, and analyzed Mystic Stealer, BunnyLoader, and AvosLocker.


Zscaler ThreatLabz 2023 Enterprise IoT and OT Threat Report

The new 2023 Enterprise IoT and OT Threat Report sheds light on a concerning reality: while connected devices offer efficiency and convenience, they also serve as prime targets for cyberattacks. 

Figure 1: ThreatLabz 2023  Enterprise IoT and OT Threat Report is available now

This comprehensive report draws data from the Zscaler Zero Trust Exchange, the world’s largest inline security cloud. It provides an in-depth analysis of Internet of Things (IoT) devices and Operational Technology (OT). It offers critical insights into key malware families, vulnerabilities driving IoT attacks, the most vulnerable devices, and actionable best practices for improving IoT/OT security. Moreover, the report provides predictions for the future of IoT and OT security, making it an essential resource for enterprises seeking to safeguard their interconnected environments. Here are some key highlights:

  • IoT malware attacks grew more than 400% in the Zscaler cloud compared to the same period in 2022.
  • Routers were the most targeted device, likely due to their continuous connectivity, ubiquitous nature, and role as a central control point for network traffic. 
  • Manufacturing was the top targeted industry and bears the brunt of blocked malware attacks at 54.5% with an average of 6,000 attacks per week.

Get the full report 

Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection, Zscaler Private Access.

Responding and Defending Against IdP Vendor Compromise

In a recent security breach, Okta’s customer support system was compromised. Once inside the system, adversaries were able to view files uploaded by customers. The attackers extracted valid session tokens from some support cases and used them to access customer systems. This breach highlights the severe consequences of identity provider (IdP) compromises, including unauthorized account access, data breaches, financial loss, and identity theft. Threat actors employ various tactics, such as social engineering and phishing, to target IdPs and traditional security measures often prove insufficient in preventing such attacks. As a response to the data breach, our security experts have collected some recommendations, available in our article Responding and Defending Against IdP Vendor Compromise.

Figure 2: Attack sequence descriptions and techniques used in identity-driven attacks

To defend against IdP breaches, organizations are urged to adopt a Zero Trust Network Access (ZTNA) architecture. This reduces the attack surface, limits device access, and enforces stringent segmentation policies. Organizations can also use deception techniques, honeypots, and Identity Threat Detection & Response (ITDR) to find and contain identity-driven attacks. Other mitigation steps include strong identity posture management, using security best practices, and employing advanced MFA methods.

More on defending against IdP attacks

Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, SSL Inspection, Deception, ITDR.

Mystic Stealer Revisited

Mystic Stealer recently resurfaced with significant updates and enhancements including a notable change in its communication protocol. The malware has moved from its previous custom binary TCP-based protocol to an HTTP-based one for command and control (C&C) communication. This transition is believed to be a response to the challenges of communicating in corporate environments where internet-bound traffic on non-standard ports is often blocked. 

Figure 3: Mystic Stealer uploading screenshots from the victim machine to the C&C server

Another noteworthy addition to recent versions of Mystic Stealer is the expansion of its loader functionality. The improved loader enables malware to request and download additional second-stage payloads from C&C servers. This expanded functionality indicates that Mystic Stealer is not merely an information stealer but also serves as a gateway for threat actors to distribute and execute secondary malicious payloads. Threatlabz has seen adversaries using Mystic Stealer to distribute second-stage malware payloads including RedLine, DarkGate, and GCleaner.

Learn more in Mystic Stealer Revisited

Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.


Zscaler ThreatLabz recently uncovered a novel Malware-as-a-Service (MaaS) threat known as “BunnyLoader'' being sold on underground forums. Priced at $250 for lifetime access, BunnyLoader is a versatile C/C++ based malware loader that continuously evolves and adds new features to enhance its attack capabilities. Its functionality includes fileless execution, anti-analysis, keylogging, data exfiltration (including cryptocurrency wallets and credentials), remote command execution, and clipboard manipulation. 

Figure 4: BunnyLoader advertisement from criminal forums

Since its initial release in September 2023, BunnyLoader has undergone multiple updates to address bugs and add features. It has acquired new capabilities including anti-virus evasion, and expanding its list of targets to include web browsers, VPN clients, and messaging applications. The malware creates a registry entry to maintain persistence and uses several anti-sandbox techniques in its attack sequence. 

Read more about BunnyLoader

Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.

A Retrospective on AvosLocker

On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for AvosLocker. The Zscaler ThreatLabz team has put together a deep dive into AvosLocker, a Ransomware-as-a-Service (RaaS) group that was last active in May. By examining their tactics and procedures (TTPs) the security community can learn to counteract similar threats. The AvosLocker ransomware group employed a double extortion strategy, stealing data before encryption and threatening to release it unless a ransom was paid. They hosted a data leak site where stolen data was published from July 2021 to June 2023.

Figure 5: Industry verticals targeted by double extortion attacks using AvosLocker

The AvosLocker ransomware group initially targeted Windows systems but later expanded to include a Linux version designed to attack VMware ESXi. They heavily targeted the education sector which accounted for 25% of their attacks. Their operations primarily affected the United States (72.2%). Their attack methods varied, with affiliates exploiting vulnerabilities and infiltrating networks through compromised RDP, VPN accounts, and the Zoho ManageEngine ServiceDesk Plus vulnerability. AvosLocker also executed the ransomware in Windows Safe Mode to maximize the number of files it could encrypt without detection. 

Zscaler Zero Trust Exchange Coverage - Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection.

Read more about AvosLocker


About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.


The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its 7300+ customers, securing over 300 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI/ML and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.


What to read next:

Whole-of-state cybersecurity: What it means and why it matters 

Addressing the insecurity of verified identities

How optimizing your security can benefit your bottom line