Webinar Replay: Q4 2023 Threat Landscape Report—Threat Actors Breach the Outer Limits

February 21, 2024
Our Quarterly Threat Landscape reports are fueled by frontline incident response intel and elite analysts.
Q4 2023 Cyber Threat Landscape Report: Threat Actors Breach the outer limits

The fourth quarter of 2023 saw cybersecurity threats continue to increase in sophistication. In Q4, Kroll observed ransomware groups increasingly gaining initial access through external remote services and previously terminated malware groups, like the one behind QAKBOT, regrouped and redefined their strategies. These and other trends observed in Q4 2023 point to a testing 2024 for organizations.

In this briefing, Kroll’s cyber threat intelligence leaders Keith Wojcieszek, Laurie Iacono and George Glass  explore key insights and trends from thousands of cyber incidents handled worldwide each year. They outline the critical issues that organizations should be aware of, including the sectors hit the hardest and active ransomware groups.

The briefing covers:

  • Year-on-year 8% rise in incidents in the professional services sector
  • The critical changes in attacker behavior, including initial access methods
  • The increased activity among emerging ransomware actors, AKIRA and PLAY
  • Phishing as the most common attack vector and a 10% increase in valid account attacks

Key Sections From the Webinar

Ransomware Attacks Increase in Q4 Across Sectors

Sector Analysis and Threat Incident Type

The professional services sector continues to be very attractive for threat actors. The sector once again ranks first as the most impacted in Q4, and overall witnessed an 8% year-over-year increase in attacks from 2022 to 2023. Kroll previously reported on specific campaigns targeting the legal industry, that impacted those numbers. The health care sector also witnessed a slight uptick in activity in Q4 2023, which was ransomware-focused. Learn why:

External Remote Services Yields Initial Access

Spotlight: Ransomware and Initial Access Method

Although LOCKBIT (22%) was the most active variant in Q4 2023, Kroll observed a decline in activity associated with larger ransomware-as-a-service (RaaS) operators. The uptick in activity was accounted for by AKIRA, PLAY, INC and CACTUS. Looking at ransomware cases, the most likely initial access method was external remote services (73%), presenting another key area of concern for organizations.

Phishing (41%) remains the top initial access method in 2023 as it continues to evolve and threat actors try new and more sophisticated ways to tempt users into clicking on their malicious links. Learn more:

AKIRA and PLAY Ransomware Attack Chain

From the Frontline: Case Studies

In this section, Kroll experts analyze how ransomware variants AKIRA and PLAY exploited vulnerabilities within an organization for initial access. PLAY ransomware leveraged the CitrixBleed vulnerability to gain access to a professional services firm, while AKIRA ransomware gained initial access by targeting VPNs failing to enforce Multi Factor Authentication (MFA) and exploiting a zero-day vulnerability in Cisco ASA and Firepower Threat Defense (FTD) services. Learn more:

Kroll Top 10 Malware Strains

Malware Trend Analysis

Kroll actively tracks malware command and control infrastructure, submissions to public sandboxes, and active incident response (IR) and managed detection and response (MDR) case data to generate lists of the most active malware strains for comparison.

In Q3, the QAKBOT malware was heavily disrupted; however, the threat actors attempt to rebuild the botnet and put it firmly back in the top 10 list in Q4. Although QAKBOT is featured high up on our quarterly trend list, we did not observe any successful infections. Q4 2023 rather belonged to the infostealers, like LUMMASTEALER (LUMMAC2) and STEALC seeing significant upticks. Throughout 2023, and especially in Q4, Kroll witnessed significant increases in infostealer activity, the development of capabilities and new entrants to the market. Learn more:

Minimizing Impact

Summary Best Practices

Q4’s rise in the use of external remote services as a ransomware attack vector sets the tone for what is already looking to be a demanding year ahead.

The increased use of external remote services by ransomware groups and the advance of other types of threats, such as infostealer malware, highlights that there is no area of security about which organizations can afford to be complacent. Those taking action now will be more likely to achieve the level of cyber maturity required to meet the security challenges of 2024. This starts with applying a number of key security controls to improve overall security posture. Learn what your business should consider:

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Kroll Responder MDR

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Malware Analysis and Reverse Engineering

Kroll’s Malware Analysis and Reverse Engineering team draws from decades of private and public-sector experience, across all industries, to deliver actionable findings through in-depth technical analysis of benign and malicious code.

Ransomware Preparedness Assessment

Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.

Office 365 Security, Forensics and Incident Response

Digital forensic experts investigate hundreds of Office 365 incidents per year and help strengthen your security.