Threat Intelligence
Q4 2023 Cyber Threat Landscape Report: Threat Actors Breach the Outer Limits
February 21, 2024
by Laurie Iacono, Keith Wojcieszek, George Glass
Webinar Replay: Q4 2023 Threat Landscape Report—Threat Actors Breach the Outer Limits
February 21, 2024
Our Quarterly Threat Landscape reports are fueled by frontline incident response intel and elite analysts.
The fourth quarter of 2023 saw cybersecurity threats continue to increase in sophistication. In Q4, Kroll observed ransomware groups increasingly gaining initial access through external remote services and previously terminated malware groups, like the one behind QAKBOT, regrouped and redefined their strategies. These and other trends observed in Q4 2023 point to a testing 2024 for organizations.
In this briefing, Kroll’s cyber threat intelligence leaders Keith Wojcieszek, Laurie Iacono and George Glass explore key insights and trends from thousands of cyber incidents handled worldwide each year. They outline the critical issues that organizations should be aware of, including the sectors hit the hardest and active ransomware groups.
The briefing covers:
- Year-on-year 8% rise in incidents in the professional services sector
- The critical changes in attacker behavior, including initial access methods
- The increased activity among emerging ransomware actors, AKIRA and PLAY
- Phishing as the most common attack vector and a 10% increase in valid account attacks
Key Sections From the Webinar
Ransomware Attacks Increase in Q4 Across Sectors
Ransomware Attacks Increase in Q4 Across Sectors
The professional services sector continues to be very attractive for threat actors. The sector once again ranks first as the most impacted in Q4, and overall witnessed an 8% year-over-year increase in attacks from 2022 to 2023. Kroll previously reported on specific campaigns targeting the legal industry, that impacted those numbers. The health care sector also witnessed a slight uptick in activity in Q4 2023, which was ransomware-focused. Learn why:
External Remote Services Yields Initial Access
External Remote Services Yields Initial Access
Although LOCKBIT (22%) was the most active variant in Q4 2023, Kroll observed a decline in activity associated with larger ransomware-as-a-service (RaaS) operators. The uptick in activity was accounted for by AKIRA, PLAY, INC and CACTUS. Looking at ransomware cases, the most likely initial access method was external remote services (73%), presenting another key area of concern for organizations.
Phishing (41%) remains the top initial access method in 2023 as it continues to evolve and threat actors try new and more sophisticated ways to tempt users into clicking on their malicious links. Learn more:
AKIRA and PLAY Ransomware Attack Chain
AKIRA and PLAY Ransomware Attack Chain
In this section, Kroll experts analyze how ransomware variants AKIRA and PLAY exploited vulnerabilities within an organization for initial access. PLAY ransomware leveraged the CitrixBleed vulnerability to gain access to a professional services firm, while AKIRA ransomware gained initial access by targeting VPNs failing to enforce Multi Factor Authentication (MFA) and exploiting a zero-day vulnerability in Cisco ASA and Firepower Threat Defense (FTD) services. Learn more:
Kroll Top 10 Malware Strains
Kroll Top 10 Malware Strains
Kroll actively tracks malware command and control infrastructure, submissions to public sandboxes, and active incident response (IR) and managed detection and response (MDR) case data to generate lists of the most active malware strains for comparison.
In Q3, the QAKBOT malware was heavily disrupted; however, the threat actors attempt to rebuild the botnet and put it firmly back in the top 10 list in Q4. Although QAKBOT is featured high up on our quarterly trend list, we did not observe any successful infections. Q4 2023 rather belonged to the infostealers, like LUMMASTEALER (LUMMAC2) and STEALC seeing significant upticks. Throughout 2023, and especially in Q4, Kroll witnessed significant increases in infostealer activity, the development of capabilities and new entrants to the market. Learn more:
Minimizing Impact
Minimizing Impact
Q4’s rise in the use of external remote services as a ransomware attack vector sets the tone for what is already looking to be a demanding year ahead.
The increased use of external remote services by ransomware groups and the advance of other types of threats, such as infostealer malware, highlights that there is no area of security about which organizations can afford to be complacent. Those taking action now will be more likely to achieve the level of cyber maturity required to meet the security challenges of 2024. This starts with applying a number of key security controls to improve overall security posture. Learn what your business should consider:
Related Insights
Threat Intelligence
Threat Intelligence
Q3 2023 Threat Landscape Report: Social Engineering Takes Center Stage
November 15, 2023
by Laurie Iacono, Keith Wojcieszek, George Glass
Threat Intelligence
Q2 2023 Threat Landscape Report: All Roads Lead to Supply Chain Infiltrations
August 23, 2023
by George Glass, Laurie Iacono, Keith Wojcieszek
Threat Intelligence
Q1 2023 Threat Landscape Report: Ransomware Groups Splinter, Swarm Professional Services
May 17, 2023
by Laurie Iacono, Keith Wojcieszek, George Glass
Cyber Risk
Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.
Kroll Responder MDR
Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.
Computer Forensics
Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.
24x7 Incident Response
Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.
Cyber Risk Retainer
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
Malware Analysis and Reverse Engineering
Kroll’s Malware Analysis and Reverse Engineering team draws from decades of private and public-sector experience, across all industries, to deliver actionable findings through in-depth technical analysis of benign and malicious code.
Ransomware Preparedness Assessment
Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.
Office 365 Security, Forensics and Incident Response
Digital forensic experts investigate hundreds of Office 365 incidents per year and help strengthen your security.
Kroll is headquartered in New York with offices around the world.
55 East 52nd Street 17 Fl
New York NY 10055
Sign up to receive periodic news, reports, and invitations from Kroll.
Our privacy policy describes how your data will be processed.
© 2024 Kroll, LLC. All rights reserved.
Kroll is not affiliated with Kroll Bond Rating Agency,
Kroll OnTrack Inc. or their affiliated businesses. Read more.