Social engineering in its many forms took center stage in Q3 2023. The quarter saw “human hacking” evolve from a long-standing security challenge to threat actors’ method of choice. This was evidenced by our observations of the dramatic escalation of social engineering tactics, with significant increases in phishing, smishing, valid accounts, voice phishing and other tactics—adding up to the highest volume of incidents we have seen in 2023.

The increasing volume of social engineering attacks is matched by a broadening range of approaches: phone- and SMS-based lures of the kind the group KTA243 (SCATTERED SPIDER) is known for, novel email phishing scams, and messages sent directly through Microsoft Teams to deliver DARKGATE malware. As part of this rise, business email compromise (BEC) continues to grow steadily in popularity, with both established and newer threat actor groups using a range of tactics to access data and, in some cases, ransom it.

In our analysis of all types of cases handled by Kroll, the professional services sector continued to rank first in Q3, with a high concentration of this activity related to legal firms. We also observed nominal rises in the targeting of the construction and manufacturing industries compared with the previous quarter.

Our observations of malware for the quarter highlight some notable trends, including the fact that while the infamous QAKBOT malware has been disrupted, certain indicators suggest that its operators remain active.

Q3 2023 Timeline

  • Warning published about the possibility of threat actors using tools like TeamsPhisher to launch social engineering attacks via Microsoft Teams.
  • Chatter observed on the dark web indicates actors are interested in a malicious version of ChatGPT known as WormGPT.
  • New insights gained into the exfiltration methods used by the CLOP gang to steal data during the MOVEit mass exploitation event.

Sector Analysis - Professional Services Stay in the Spotlight

Most Targeted Industry by Sector - Past Three Quarters

In Q3, Kroll continued to see the professional services sector rank first across cases. As in Q1, Kroll saw a high concentration of this activity related to legal firms, fueled by a rise in BEC across all sectors and by specific campaigns targeting the legal industry, such as those attributed to the BLACKCAT ransomware gang.

Kroll also observed nominal rises in the targeting of the manufacturing (2%) and construction (1.5%) sectors from the previous quarter. In Kroll's observation, both sectors most frequently experienced BEC in the third quarter. For manufacturing, ransomware was the second most common threat type, while for construction it was insider threat. Manufacturing and critical infrastructure are often targeted by cybercriminals because of the potential for a catastrophic, high-profile attack; the 2021 Colonial Pipeline ransomware attack is a key example. Historically, the manufacturing sector has been a key focus for criminals because many businesses within it did not fully appreciate the size of their attack surface. While the industry is now better prepared to protect itself, the target on its back remains.

Threat Incident Types

Most Popular Threat Incident Types - Past Three Quarters

BEC continues to increase steadily in popularity. According to the latest Internet Crime Report from the FBI's Internet Crime Complaint Center (IC3), businesses lost more than $2.7 billion to BEC. In Q3, Kroll saw an uptick in email compromise events, which drove that threat type to nearly 47% of cases during the quarter.

Ransomware Variants – Q3 2023

Top 10 Ransomware Variants – Q3 2023

Despite BEC taking center stage, ransomware remains an ever-present threat. While the total percentage of ransomware cases dropped in Q3 (-13.5%), the number of individual ransomware engagements was consistent with previous quarters. The most active groups observed in Q3 were LOCKBIT and BLACKCAT. Kroll also saw increases in activity around newer groups such as CACTUS, RHYSIDA and INC.


Case Study: BLACKCAT Impacting Manufacturers

BLACKCAT Payload Attack Chain

In one Kroll case during Q3, threat actors used valid credentials to log into a manufacturing company's VPN. In the month following the first unauthorized access, Kroll identified several suspicious logins during which the actors likely conducted network reconnaissance, at one point exfiltrating data via FileZilla. Nearly six weeks after the first malicious access, the actors returned to the environment for a period of two days. During that time they used MegaSync to exfiltrate data, Advanced IP Scanner for network discovery and Mimikatz for credential collection. Ultimately, the actors deployed the BLACKCAT payload by creating a new Windows service. Over the course of the intrusion, the actors exfiltrated nearly 600 GB of data, which was later published on the group's leak site.

Case Study: RHYSIDA Goes After Health Care Sector

Threat Actors Access Health Care Network via Valid Accounts

Warnings issued in early August by multiple government agencies indicated that a new ransomware group, RHYSIDA, was targeting the health care sector. Changing trends in Kroll engagements mirrored that warning in the third quarter. In one case impacting a large health care organization, the actors gained access using compromised credentials (valid accounts) together with a vulnerability in the client's Citrix NetScaler environment. Shortly after access, the threat actors deployed SYSTEMBC, a proxy Trojan that tunnels and conceals connections to the actors' command and control (C2) infrastructure. The actors used multiple tools during the incident, including Advanced Port Scanner for network discovery, AnyDesk for remote access and MegaSync for exfiltration. After files were encrypted, the actors changed account passwords so that IT staff could not access the network.
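The two case studies above share a small set of tradecraft: dual-use tools (FileZilla, MegaSync, Advanced IP/Port Scanner, AnyDesk, Mimikatz), a ransomware payload installed as a new service, and password changes that lock defenders out. As an added example that is not part of Kroll's report, the following Python triages a batch of Windows event records for those three signals. The records are constructed for this example; the field names (EventID 4688 process creation, 7045 service installation and 4724 password reset, with NewProcessName, ImagePath, SubjectUserName and TargetUserName) follow the Windows Security and System log schema as typically exported to JSON, and the hostnames, accounts, paths and the 3-resets-in-10-minutes threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tools named in the two case studies. All are legitimate software; the signal
# is context (unexpected host, unexpected account, odd hours), not the tool itself.
DUAL_USE_TOOLS = {
    "filezilla.exe": "exfiltration (FTP/SFTP client)",
    "megasync.exe": "exfiltration (MEGA cloud sync)",
    "advanced_ip_scanner.exe": "network discovery",
    "advanced_port_scanner.exe": "network discovery",
    "anydesk.exe": "remote access",
    "mimikatz.exe": "credential access",
}
# A service binary belongs under Program Files or System32, not in these paths.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\perflogs\\", "\\windows\\tasks\\")
RESET_WINDOW = timedelta(minutes=10)  # burst window for password resets (assumed)
RESET_THRESHOLD = 3                   # distinct accounts reset by one actor in that window


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(records):
    """Scan event records (dicts using Windows log field names) and return findings."""
    findings = []
    resets = defaultdict(list)  # actor -> [(time, target account, host)]
    for r in records:
        eid = r["EventID"]
        ts = datetime.fromisoformat(r["TimeCreated"])
        if eid == 4688:  # Security: a new process has been created
            name = _basename(r["NewProcessName"])
            if name in DUAL_USE_TOOLS:
                findings.append({"host": r["Computer"], "rule": "dual-use tool",
                                 "detail": f"{r['SubjectUserName']} ran {name}: {DUAL_USE_TOOLS[name]}"})
        elif eid == 7045:  # System: a service was installed
            if any(seg in r["ImagePath"].lower() for seg in USER_WRITABLE):
                findings.append({"host": r["Computer"], "rule": "service from user-writable path",
                                 "detail": f"service {r['ServiceName']} -> {r['ImagePath']}"})
        elif eid == 4724:  # Security: password reset attempted on another account
            resets[r["SubjectUserName"]].append((ts, r["TargetUserName"], r["Computer"]))
    # Several accounts reset by one actor within minutes: the lockout step seen
    # in the RHYSIDA case, which happens after encryption has already occurred.
    for actor, events in resets.items():
        events.sort()
        for i, (start, _, host) in enumerate(events):
            targets = {t for ts2, t, _ in events[i:] if ts2 - start <= RESET_WINDOW}
            if len(targets) >= RESET_THRESHOLD:
                findings.append({"host": host, "rule": "password reset burst",
                                 "detail": f"{actor} reset {len(targets)} accounts within {RESET_WINDOW}"})
                break
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"TimeCreated": "2023-08-14T02:11:05", "Computer": "FS01", "EventID": 4688,
     "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Users\\svc_backup\\Downloads\\Advanced_IP_Scanner.exe"},
    {"TimeCreated": "2023-08-14T02:40:19", "Computer": "FS01", "EventID": 4688,
     "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Users\\svc_backup\\AppData\\Local\\MEGAsync\\MEGAsync.exe"},
    {"TimeCreated": "2023-08-14T02:41:00", "Computer": "FS01", "EventID": 4688,
     "SubjectUserName": "SYSTEM", "NewProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"TimeCreated": "2023-08-15T03:02:44", "Computer": "FS01", "EventID": 7045,
     "ServiceName": "WinUpdSvc", "ImagePath": "C:\\ProgramData\\locker.exe"},
    {"TimeCreated": "2023-08-15T03:02:50", "Computer": "FS01", "EventID": 7045,
     "ServiceName": "Sense",
     "ImagePath": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"},
    {"TimeCreated": "2023-08-15T03:20:01", "Computer": "DC01", "EventID": 4724,
     "SubjectUserName": "svc_backup", "TargetUserName": "it.admin1"},
    {"TimeCreated": "2023-08-15T03:20:33", "Computer": "DC01", "EventID": 4724,
     "SubjectUserName": "svc_backup", "TargetUserName": "it.admin2"},
    {"TimeCreated": "2023-08-15T03:21:10", "Computer": "DC01", "EventID": 4724,
     "SubjectUserName": "svc_backup", "TargetUserName": "helpdesk"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['rule']}: {f['detail']}")
```

On the sample data the scanner and MEGAsync launches, the service pointed at C:\ProgramData and the three resets by svc_backup are reported; the svchost launch and the Defender service are not. The value of the dual-use rule depends on tuning it to hosts and accounts where those tools have no business, otherwise it pages on every administrator.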

Social Engineering Yields Initial Access

Top 4 Initial Access Methods - Past Three Quarters

Social engineering, or what many refer to as “hacking humans,” is a leading cause of network breaches and unauthorized access to remote systems. Kroll saw social engineering tactics increase dramatically in the third quarter, with significant increases in phishing (8%), valid accounts (9%) and voice phishing (vishing), as well as other tactics (3%).

This rise in social engineering activity aligns with multiple open-source reports warning about these types of attacks via Microsoft Teams, and with the rise in activity by the group KTA243 (SCATTERED SPIDER), which uses phone- and SMS-based social engineering to lure users into exposing their credentials.

Case Study: Fitness Subscription Phishing Putting People in a Spin

Threat Actors Leverage Social Engineering to Exfiltrate Data

In Q3, Kroll observed a number of cases where individuals at professional services firms received a fake email stating that their subscription to a popular fitness membership service was starting, effective that day, and that their payment card would be charged automatically on a monthly basis. In several cases, recipients responded to these prompts by email or by phone to say that they had not ordered such a subscription. From there, recipients were socially engineered into starting a Zoho Assist session (a legitimate remote support tool), giving the actors remote access to their machines. Once access was granted, the actors exfiltrated files and then demanded a financial ransom to avoid data publication.

 

Malware Trends and Analysis

Kroll actively tracks malware command and control infrastructure, submissions to public sandboxes and active incident response (IR) and managed detection and response (MDR) case data to generate lists of the most active malware strains for comparison.


Top 10 Malware Strains – Q3 2023 

A marked difference from the findings shared in the Q2 Threat Landscape Report is the absence of QAKBOT from the top 10 malware list, because the FBI disrupted the botnet in August. Kroll has been tracking QAKBOT for many years. Also known as QBOT, PINKSLIPBOT and QUAKBOT, it is typically delivered via malspam and has for some time used reply-chain thread hijacking, in which the lure is sent as a reply to a genuine email thread stolen from an earlier victim, to increase click-through rates. After consistent updates and new modules, QAKBOT served as an initial entry vector for many ransomware groups, including CONTI, PROLOCK, EGREGOR, REVIL, MEGACORTEX and BLACKBASTA. It is estimated that the botnet infected more than 700,000 machines worldwide.
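Reply-chain thread hijacking leaves marks that a mail gateway or a triage script can check. As an added example that is not from the report, the Python below scores a raw email for three signs of a hijacked thread: a reply-style subject with no In-Reply-To or References header, a sender domain that does not appear among the participants quoted in the body, and a container or script attachment of the kind loaders are delivered in. The two sample messages are constructed with the standard library (the domains contoso.example, fabrikam.example and mail-lookup.example are hypothetical), and the heuristics and weights are an editorial suggestion, not Kroll's detection logic.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Container and script types commonly used to smuggle a loader past filters.
RISKY_EXT = (".zip", ".iso", ".img", ".one", ".lnk", ".js", ".wsf", ".html")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
REPLY_PREFIXES = ("re:", "fw:", "fwd:", "aw:", "wg:")


def hijack_indicators(raw):
    """Return the list of indicators found in one RFC 5322 message (empty means clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    looks_like_reply = subject.startswith(REPLY_PREFIXES)
    # A genuine reply threads itself with In-Reply-To/References; a lure built
    # from a stolen thread usually carries only the quoted text below the body.
    if looks_like_reply and not (msg["In-Reply-To"] or msg["References"]):
        reasons.append("reply-style subject without In-Reply-To/References")
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    quoted_domains = {a.lower().rpartition("@")[2] for a in ADDR_RE.findall(body)}
    # The real participants appear in the quoted thread; the hijacker sends from
    # an unrelated or look-alike domain that was never part of it.
    if looks_like_reply and quoted_domains and sender_domain not in quoted_domains:
        reasons.append(f"sender domain {sender_domain} not among quoted participants {sorted(quoted_domains)}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"risky attachment {name}")
    return reasons


def _build(sender, recipient, subject, body, in_reply_to=None, attachment=None):
    """Construct a sample message; used only to fabricate input for this example."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, recipient, subject
    m["Message-ID"] = "<sample@example.invalid>"
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
        m["References"] = in_reply_to
    m.set_content(body)
    if attachment:
        m.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()


# Constructed quoted thread, as an attacker would paste it under the lure.
QUOTED_THREAD = (
    "> From: bob@contoso.example\n> To: alice@fabrikam.example\n"
    "> Subject: Invoice 2031\n>\n> Hi Alice, attached is the invoice for August.\n"
)
HIJACKED = _build("Accounts <accounts@mail-lookup.example>", "alice@fabrikam.example",
                  "RE: Invoice 2031", "Please see the updated document.\n\n" + QUOTED_THREAD,
                  attachment="Invoice_2031.zip")
BENIGN = _build("bob@contoso.example", "alice@fabrikam.example", "RE: Invoice 2031",
                "Thanks Alice, confirmed.\n\n" + QUOTED_THREAD,
                in_reply_to="<orig-2031@fabrikam.example>")

if __name__ == "__main__":
    for label, raw in (("hijacked", HIJACKED), ("benign", BENIGN)):
        print(label, hijack_indicators(raw))
```

The domain check is deliberately conservative: it only fires when the subject looks like a reply and the body actually quotes addresses, so a fresh message with no quoted thread is judged on headers and attachments alone. Mail forwarded through a ticketing system legitimately strips threading headers, so the first indicator is a score contribution rather than a verdict.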

QAKBOT distributors, notably KTA248 (TA577), often took breaks throughout the year, and distribution of the malware dropped markedly from mid-June. The FBI disruption essentially cut communication with the command-and-control infrastructure layers of the botnet and issued an uninstall command to infected devices. 

Since the QAKBOT disruption, Kroll has observed a rise in previously little-seen malware strains, such as DARKGATE and PIKABOT, while trends for other open-source stealer malware remain consistent. This suggests that QAKBOT's operators and distributors are looking for a new initial access malware to deploy.

Kroll recently observed cases of DARKGATE malware being delivered to several organizations in the transportation and hospitality sectors through Microsoft Teams messages. This activity has also been highlighted in open-source reporting, which shares a number of key indicators with Kroll's observations, such as common filenames, adversary infrastructure and a similar domain naming convention for the hosts serving the initial download.

Defending Against the Social Engineering Threat: Key Recommendations

With social engineering on the rise in Q3, it is critical that businesses take proactive steps to ensure that they have adequate defenses in place. As this type of threat continues to diversify, organizations need to be vigilant about identifying and addressing all potential areas of attack. This starts with applying a number of key security controls to improve overall security posture. Businesses should also consider the following steps:

Phishing and Unauthorized Access

  • Provide regular training and awareness sessions for all users
  • Enable URL rewriting and time-of-click scanning in the email protection platform, so that links are checked when clicked and not only on delivery
  • Apply user behavior analytics and routinely review message trace logs and audit logs
  • Implement phishing-resistant authentication, such as FIDO2 (Fast IDentity Online) security keys or device-bound passkeys, especially for privileged users
  • Review and update IT helpdesk policies and exception-handling procedures to address social engineering attacks aimed at enrolling or disabling multifactor authentication (MFA) and registering unauthorized devices
  • Use Conditional Access policies creatively to reduce your attack surface. For example:
    • If your corporate device policy only includes Windows desktops and iOS mobile devices, block Android and macOS devices from authenticating
    • Disable or narrow the allowed MFA methods (for example, remove SMS and voice-call approval) and retire unused authenticator app types
    • Consider blocking or flagging authentication attempts and MFA enrollment from geographies outside your organization's footprint
    • Limit the number of MFA devices allowed per user and require additional verification when a new MFA device is registered
    • Review and reduce session token lifetimes and implement continuous access evaluation (CAE), where available

Illicit Consent Grant

  • Manage app consent policies
  • Limit the apps users can consent to, or disable user consent altogether. Changing the policy does not revoke consents already granted, so existing grants must be reviewed separately

Detection

  • Use the Microsoft 365 Defender portal (if licensed) to investigate app consent activity
  • Review existing OAuth consent grants and remove those belonging to unrecognized or over-privileged applications
  • Inventory consent grants with Microsoft's Get-AzureADPSPermissions.ps1 script
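The consent-grant bullets above call for an inventory and review of existing OAuth grants, since tightening the consent policy leaves prior grants in place. As an added example, not from the report or from Microsoft's playbook, the Python below triages a constructed export shaped like Microsoft Graph oauth2PermissionGrant and servicePrincipal objects and ranks grants by risk. The property names clientId, consentType, principalId, scope, appDisplayName and verifiedPublisher are real Graph properties; the app names, object ids, the list of high-risk scopes and the scoring weights are assumptions.

```python
# Delegated scopes that give an attacker mailbox or file access without ever
# touching the user's password or MFA: the usual payload of an illicit consent grant.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
    "Directory.AccessAsUser.All", "EWS.AccessAsUser.All", "full_access_as_app",
}


def triage_grants(grants, service_principals, min_score=2):
    """Score each grant and return those at or above min_score, highest first."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"], {})
        scopes = set(g.get("scope", "").split())  # Graph stores scope as a space-separated string
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        verified = bool(sp.get("verifiedPublisher"))
        tenant_wide = g.get("consentType") == "AllPrincipals"  # admin consent for all users
        score, reasons = 0, []
        if risky:
            score += 2
            reasons.append("high-risk delegated scopes: " + " ".join(risky))
        if risky and "offline_access" in scopes:
            score += 1
            reasons.append("offline_access: refresh token keeps access after the session ends")
        if not verified:
            score += 1
            reasons.append("publisher not verified")
        if tenant_wide and not verified:
            score += 2
            reasons.append("tenant-wide consent to an unverified app")
        if score >= min_score:
            findings.append({
                "grant_id": g["id"],
                "app": sp.get("appDisplayName", g["clientId"]),
                "consented_by": "tenant (admin)" if tenant_wide else g.get("principalId"),
                "score": score,
                "reasons": reasons,
            })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


SAMPLE_SERVICE_PRINCIPALS = [  # constructed, Graph-shaped
    {"id": "sp-teams", "appDisplayName": "Microsoft Teams",
     "verifiedPublisher": {"displayName": "Microsoft Corporation"}},
    {"id": "sp-docs", "appDisplayName": "DocuVault Connector",
     "verifiedPublisher": {"displayName": "DocuVault Inc"}},
    {"id": "sp-sync", "appDisplayName": "Mail Sync Helper", "verifiedPublisher": None},
]
SAMPLE_GRANTS = [  # constructed, Graph-shaped
    {"id": "g1", "clientId": "sp-teams", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read openid profile"},
    {"id": "g2", "clientId": "sp-docs", "consentType": "Principal", "principalId": "user-42",
     "scope": "Files.Read.All offline_access"},
    {"id": "g3", "clientId": "sp-sync", "consentType": "Principal", "principalId": "user-17",
     "scope": "Mail.ReadWrite Mail.Send offline_access User.Read"},
]

if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS):
        print(f"{f['score']} {f['app']} (grant {f['grant_id']}, by {f['consented_by']})")
        for r in f["reasons"]:
            print("   -", r)
```

In a real tenant the two lists would come from the Graph endpoints GET /v1.0/oauth2PermissionGrants and GET /v1.0/servicePrincipals, or from the Get-AzureADPSPermissions.ps1 export named above. A grant that ranks at the top and is not recognized should be revoked (for instance with the Microsoft Graph PowerShell cmdlet Remove-MgOauth2PermissionGrant) and the consenting user's sessions revoked, since a refresh token issued under offline_access remains valid until it is.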

 

Familiar Threats Present Fresh Security Challenges

Our findings over the past two quarters highlight the fact that long-standing and sometimes more overlooked threats can quickly change in form and focus to become pressing security issues. While supply chain threats evolved in Q2 to become a key concern, social engineering followed a similar pattern in Q3. “Human hacking” has proven to be threat actors’ approach of choice over the past few months, adding further complexity to an already turbulent threat landscape. With diverse forms of social engineering now being leveraged, businesses must ensure that they have the up-to-date capabilities required to defend against them.

A look back at Q3 2022 illustrates how dramatically security conditions can change. The situation has shifted from a decline in ransomware attacks in 2022 to the current climate in which ransomware groups both new and old are adopting fresh tactics. Similarly, while email compromise plateaued in Q3 last year, it is rising across all sectors one year on. Another critical change from 2022 to 2023 is that global socioeconomic conditions have increased in volatility, with the potential to impact the cybersecurity status of businesses in many industries. Indeed, our findings from Q1 and Q2 2023 pointed to a continuation of fraught security conditions, due to the splintering of large ransomware groups and other shifts. This has been borne out by the trends we observed in Q3 and shows no sign of abating in the final quarter of 2023 and beyond. 

The challenge is not just external. As shown in other recent Kroll analysis, organizations are not only at risk from evolving threats but also from their own perception of their readiness to address those threats. By working with a trusted and field-proven security partner, businesses can ensure they are prepared to respond effectively to the challenges that lie ahead. Working toward true cyber maturity will ensure that organizations are better equipped to defend both against novel security challenges and the resurgence and reinvention of familiar threats. 
