Q3 2023 Threat Landscape Report: Social Engineering Takes Center Stage
by Laurie Iacono, Keith Wojcieszek, George Glass
Wed, Feb 21, 2024
Kroll’s Q4 analysis shows ransomware groups increasingly gaining initial access through external remote services. The quarter presented a complex security landscape with a mix of both positive and negative trends: positively, activity associated with larger ransomware-as-a-service (RaaS) operations, like LOCKBIT and BLACKCAT, declined. However, negative patterns continued, like the ongoing focus of threat actors on the professional services industry (continuing a key trend from Q3 and earlier on in 2023).
Interestingly, there was a notable drop in phishing attempts in Q4 in comparison to Q3. However, this was counterbalanced by the continued evolution of these phishing tactics, for example with a rise in the use of QR codes. Linked to this, yet another trend we observed following on from Q3 was the ongoing dominance of business email compromise (BEC) attacks.
Kroll observed the renewal of other familiar threats in Q4, such as a rise in ransomware. Even previously terminated malware groups, like the one behind QAKBOT, regrouped and redefined their strategies (with, for example, a reply-chain phishing campaign delivering PIKABOT). These and other trends observed in Q4 2023 point to a testing 2024 for organizations.
Q4 saw activity from a wide range of ransomware groups, with some key players continuing with campaigns observed earlier in 2023. Kroll observed declines in activity associated with larger ransomware-as-a-service (RaaS) operations such as LOCKBIT and BLACKCAT.
Following an extremely active Q3, BLACKCAT made headlines multiple times during Q4. First, with their move to report a victim company to the Securities and Exchange Commission (SEC) as a new pressure tactic. By the end of the quarter, BLACKCAT found themselves in the crosshairs of international law enforcement as their victim publication site was seized by the Department of Justice on December 19 and then “unseized” by BLACKCAT operators who promptly moved victim notifications to a different site. To date, the “new” BLACKCAT site continues to post victims.
In October 2023, Kroll identified an uptick in engagements involving AKIRA ransomware, a trend that has continued into early 2024. Kroll observed that in the majority of cases, initial activity could be tracked back to a Cisco ASA VPN service. It is likely that this activity reflected previous reporting that affiliates distributing AKIRA were targeting VPNs failing to enforce MFA and exploiting a zero-day vulnerability in Cisco ASA and Firepower Threat Defense (FTD) services. CVE-2023-20269 allows unauthenticated users to run a brute-force attack to identify valid credentials and establish a clientless SSL VPN session. Cisco updated their advisory in October to include a patch, available via software upgrade.
Intrusion activity following access included persistence via remote monitoring and management tools, such as AnyDesk, and internal network discovery via tools such as Advanced IP Scanner and NetScan. During this time, the actor used WinSCP for exfiltration and WinRAR for compression. They then leveraged RDP or remote service creation to move laterally across systems before escalating privileges to a domain admin-level account within two days of network access. Shortly after privilege escalation, AKIRA ransomware was deployed to encrypt systems.
Looking at these cases side-by-side highlights the similarities in activity we see between ransomware variants. While this presents a challenge for clustering activity for attribution, it also provides opportunities for defenders to protect themselves against a number of different attackers by setting up overarching rules capable of detecting and defeating this type of activity.
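The overlap between variants is what makes a stage-based correlation rule practical: rather than matching one tool, score an account on how many of the stages above it reaches within the two-day window. The following is an added example, not Kroll's detection content. It classifies constructed process-creation events (Sysmon Event ID 1-style fields) into remote management tool, discovery scanner, archiving, transfer client and remote service creation, and alerts on an account that reaches three or more stages within two days. Tool names, hosts, users, paths and the stage threshold are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample process-creation events. The field names loosely follow
# Sysmon Event ID 1 (timestamp, host, user, image, command line); hosts, users
# and paths are invented for this example.
EVENTS = [
    {"ts": "2023-10-05T02:10:00", "host": "WS-FIN-04", "user": "CORP\\jsmith",
     "image": "C:\\Users\\jsmith\\Downloads\\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"},
    {"ts": "2023-10-05T02:25:00", "host": "WS-FIN-04", "user": "CORP\\jsmith",
     "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\advanced_ip_scanner.exe",
     "cmdline": "advanced_ip_scanner.exe /r:10.0.0.0/16"},
    {"ts": "2023-10-05T03:40:00", "host": "WS-FIN-04", "user": "CORP\\jsmith",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmdline": "WinRAR.exe a -r C:\\Temp\\fin.rar \\\\FS01\\Finance"},
    {"ts": "2023-10-05T04:02:00", "host": "WS-FIN-04", "user": "CORP\\jsmith",
     "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe",
     "cmdline": "WinSCP.exe /script=C:\\Temp\\up.txt"},
    {"ts": "2023-10-06T22:15:00", "host": "WS-FIN-04", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": "sc.exe \\\\DC01 create svc_upd binPath= C:\\Windows\\Temp\\update.exe"},
    # Benign admin activity: a single tool in isolation should not alert.
    {"ts": "2023-10-05T09:00:00", "host": "ADM-01", "user": "CORP\\itadmin",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "cmdline": "WinRAR.exe x backup.rar"},
]

# Image names mapped to the stage of the chain they indicate (assumed list).
STAGES = {
    "remote_management": ("anydesk.exe",),
    "discovery": ("advanced_ip_scanner.exe", "netscan.exe"),
    "staging": ("winrar.exe", "rar.exe"),
    "exfil_tooling": ("winscp.exe",),
}


def classify(event):
    """Return the stage an event indicates, or None for anything else."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    for stage, names in STAGES.items():
        if name in names:
            return stage
    # Remote service creation: sc.exe aimed at another host with 'create'.
    if name == "sc.exe":
        args = event["cmdline"].lower()
        if "\\\\" in args and " create " in args:
            return "remote_service_creation"
    return None


def correlate(events, min_stages=3, window=timedelta(days=2)):
    """Group staged events by user and return alerts for users whose distinct
    stages reach min_stages within `window` of their first staged event.
    Result: {user: {"stages": [in order seen], "first": iso, "last": iso}}."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        stage = classify(e)
        if stage is None:
            continue
        ts = datetime.fromisoformat(e["ts"])
        entry = by_user.setdefault(e["user"], {"stages": {}, "first": ts})
        if ts - entry["first"] <= window:
            entry["stages"].setdefault(stage, ts)   # keep first sighting
    alerts = {}
    for user, entry in by_user.items():
        if len(entry["stages"]) >= min_stages:
            alerts[user] = {
                "stages": sorted(entry["stages"], key=entry["stages"].get),
                "first": entry["first"].isoformat(),
                "last": max(entry["stages"].values()).isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for user, alert in correlate(EVENTS).items():
        print(user, alert)
```

Keying on the user rather than the host matters here: the chain above moved from a workstation to a domain controller, and a per-host rule would see two unrelated fragments. The window anchored on the first staged event is a simplification; a production rule would slide it.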
Kroll actively tracks malware C2 infrastructure, submissions to public sandboxes and active IR and MDR case data to generate lists of the most active malware strains for comparison.
Top 10 Malware Strains – Q4 2023
Like Q3, Q4 saw some dramatic changes to the malware and ransomware landscape, with many being a direct result of law enforcement activity to disrupt and degrade the infrastructure of some of the most prolific types. In August, the QAKBOT botnet was heavily disrupted, leading to infrastructure changes and a significant drop in QAKBOT infections in Q3. However, the attempts of threat actors to rebuild the botnet put it firmly back in the top 10 list in Q4. In yet another twist to the tale, although QAKBOT is featured high up on our quarterly trend list, we did not observe any successful infections.
Notably, the threat actor tracked by Kroll as KTA248 (TA577, TR), as well as one of the actors operating huge QAKBOT campaigns, began deploying new malware strains to gain initial access into corporate environments. This meant that while in Q3 we saw significant increases in DARKGATE, PIKABOT tops our list for Q4. Both malware strains are operated by KTA248 as a potential successor to QAKBOT. Kroll observed a significant overlap between PIKABOT and QAKBOT infrastructure from early- to mid-2023. In November, Kroll noted a reply-chain phishing campaign delivering PIKABOT.
Infostealers also make up more of the quarterly top 10 in Q4, with LUMMASTEALER (LUMMAC2) and STEALC seeing significant upticks. Throughout 2023, and especially in Q4, Kroll witnessed significant increases in infostealer activity, the development of capabilities and new entrants to the market.
Q4 2023 saw the strengthening of the trend in which infostealer malware has become its own ecosystem in the cybercriminal underground. Infostealer logs are a significant factor in the initial access broker market: threat actors who specialize in selling access they have gained to corporate environments to ransomware operators who then complete the attack chain and extort the victim.
Infostealers are most commonly deployed via phishing, malvertising and fake or misleading posts on social media. This means there is often little specific targeting of individuals or organizations, although this is possible. Threat actors hope to infect as many individuals as possible to collect as many credentials as they can. However, this often presents an unseen risk to corporate environments as employees' personal machines can become infected. These might contain credentials that provide access to corporate credentials or present a threat from their reuse, enabling threat actors to test them against edge services such as VPN, email platforms or application gateways.
One of the most common varieties of infostealer we currently encounter is REDLINESTEALER.
REDLINESTEALER, or simply REDLINE, is available on underground forums through a monthly subscription service that gives an attacker access to the REDLINE panel and the ability to pack the malware and collect the logs of stolen information. Its main functionality is to steal data such as passwords, credit card information, usernames, locations, cookies and hardware configuration from infected systems. REDLINE collects this data from a number of sources, including installed browsers (for example their SQLite databases), VPN credentials and cryptocurrency wallets (for example files matching *.wallet).
If REDLINE is found to have been executed on a device, it is safe to consider that any credentials stored locally on that device have been compromised. REDLINE can also download files, making it likely that further payloads could be deployed to a victim device should a threat actor require more functionality depending on their objectives (e.g., high bandwidth data exfiltration or ransomware).
In Q4, Kroll investigated a surge in cases in which users downloaded a file associated with REDLINE. In this instance, the lure was a PDF converter software, where it was likely that the users were searching for a legitimate copy of a tool or, as in some cases, victims were searching for innocuous phrases such as “printable calendars” or “business models.” However, the malicious “pdfconvertercompare[.]com" site was presented early in the search results. This site is still active and serving malware as of January 2024.
Because infostealer malware is commonly sold as part of a service, threat actors running the services will often look to free services as a scalable solution to control the malware and use it as a method of exfiltration. Infostealers are sold directly on Telegram and use the same service to control and host extracted victim data. Similarly, VIDAR has used Steam usernames to host C2 information and many infostealers will use services such as Discord for storage of exfiltrated data. For these reasons, Kroll recommends blocking Steam, Telegram and Discord domains if they are not used for business activities.
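One way to make that recommendation enforceable, as an added example that is not part of the report: keep the block decision and the resolver configuration in one policy, so that an exemption for a business-approved name is applied consistently. The Python below evaluates queried names against a starting set of Steam, Telegram and Discord domains (an assumption, not an exhaustive list) with label-aligned suffix matching, and renders the same policy as BIND response policy zone (RPZ) records. The exemption entry is a hypothetical placeholder.

```python
# Constructed policy: the services the report recommends blocking when they are
# not used for business, each with a starting set of domains. The domain lists
# are an assumption for this example and are not exhaustive.
BLOCKED_SERVICES = {
    "discord": ["discord.com", "discordapp.com", "discord.gg"],
    "telegram": ["telegram.org", "t.me"],
    "steam": ["steamcommunity.com", "steampowered.com"],
}

# Hypothetical exemption for a name the business does use (placeholder value).
ALLOWED = ["cdn.discordapp.com"]


def _label_match(name, suffix):
    """True when name equals suffix or is a subdomain of it. The match is
    label-aligned, so 'notdiscord.com' does not match 'discord.com'."""
    name = name.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def decide(name):
    """Return ('allow', reason) or ('block', service) for a queried name."""
    if any(_label_match(name, a) for a in ALLOWED):
        return ("allow", "exempted")
    for service, domains in BLOCKED_SERVICES.items():
        if any(_label_match(name, d) for d in domains):
            return ("block", service)
    return ("allow", "not listed")


def rpz_records():
    """Render the policy as BIND RPZ records.

    'CNAME .' answers NXDOMAIN for the name; 'CNAME rpz-passthru.' exempts it.
    An explicit exempted name wins over a '*.' entry under ordinary DNS wildcard
    rules because the exact name exists in the zone. The returned lines go into
    an RPZ zone file beneath its SOA and NS header records.
    """
    lines = []
    for a in ALLOWED:
        lines.append(f"{a}\tCNAME\trpz-passthru.")
    for domains in BLOCKED_SERVICES.values():
        for d in domains:
            lines.append(f"{d}\tCNAME\t.")      # the apex itself
            lines.append(f"*.{d}\tCNAME\t.")    # every label beneath it
    return lines


if __name__ == "__main__":
    for q in ("gateway.discord.gg", "notdiscord.com", "cdn.discordapp.com"):
        print(q, decide(q))
    print("\n".join(rpz_records()))
```

Whichever control you use (RPZ, a web proxy category, or a firewall application filter), test the exemption path as well as the block path: the common failure is an over-broad exemption that lets the whole service through again. Steam, Telegram and Discord change hostnames over time, so the domain list needs periodic review.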
To defend against ransomware, Kroll recommends that organizations:
Q4’s rise in the use of external remote services as a ransomware attack vector sets the tone for what is already looking to be a demanding year ahead. With the popularity of remote or hybrid working, organizations must be vigilant in ensuring they have strong defenses in place both centrally and at perimeter level.
Our analysis for Q4 shows a mix of positive and negative trends, very much setting a pattern of “two steps forward, three steps back” in terms of progress for organizations seeking to strengthen their security posture amid a shifting threat landscape.
To counter the continued volatility underlined by our findings for Q4, organizations can benefit by adopting a consistent approach to advancing their security. Achieving this involves working strategically with a trusted long-term security partner capable of aligning closely with their particular security concerns and the changing threat climate. This requires the capacity to support organizations’ efforts in preparing for known threats as well as emerging ones, such as the potential for more sophisticated voice-related phishing and other types of social engineering.
The increased use of external remote services by ransomware groups and the advance of other types of threats, such as infostealer malware, highlights that there is no area of security about which organizations can afford to be complacent. Those taking action now will be more likely to achieve the level of cyber maturity required to meet the security challenges of 2024.