Wed, May 22, 2024

Q1 2024 Threat Landscape Report: Insider Threat & Phishing Evolve Under AI Auspices

In Q1 2024, we saw an evolution in techniques used by attackers, some of which may point to longer term trends in the variation and sophistication of attacks faced by organizations. In particular, with regards to phishing, we saw SMS and voice-based tactics being used, which raises concern around the potential for deep fakes and AI-type technologies to further enhance the effectiveness of phishing attacks.

In the same vein, one insider threat case investigated by Kroll this quarter saw employee impersonation take place, another area where AI-type technology could be especially effective. Additionally this quarter, Kroll’s investigation into the ScreenConnect CVE shows attackers getting faster in their exploitation of CVEs.

Two industries are the focus in Q1 2024: technology/telecoms and construction. The former saw significant growth in insider threat cases, potentially a result of increased supply chain risk. The latter saw steady growth in email compromise over the past year, which could be driven by the nature of work in this industry, meaning that employees are often working via mobile devices or on site, where they may be more susceptible to attack.  

Q1 2024 Threat Timeline

  • Two zero-day vulnerabilities identified in Ivanti Connect Secure and Ivanti Policy Secure Gateways.
  • AKIRA ransomware tactics, techniques and procedures (TTPs) evolve, with threat actors targeting companies with vulnerable interfacing Cisco ASA or FTD devices, then wiping those companies’ backups before deploying the ransomware.

Sector Analysis—Professional Services Continues to be Top Target

Sector Analysis
Most Targeted Industry by Sector Over the Past Three Quarters

The sectors targeted by threat actors in Q1 2024 were consistent with previous quarters. Professional services remained the focus for attacks, accounting for 24% of cases, while manufacturing continued to rank at second place, with 13% of cases, followed by financial services and health care at 9% and 8% respectively.

 

Sector Spotlight: Business Email Compromise Becomes an Issue for Construction Industry

Incident Response Cases in the Construction Industry Over the Past Five Quarters

Incident Response Cases in the Construction Industry Over the Past Five Quarters

 

Q1 2024 Construction Sector—Threat Incident Types

Incident Response Cases in the Construction Industry Over the Past Five Quarters

 

In Q1 2024, attacks against the construction sector accounted for nearly 6% of all Kroll incident response engagements. This was double the sector’s peak of 3% in Q1 2023. Attacks against the construction sector are most likely to be some form of business email compromise (BEC). A review of cases indicates that carefully crafted phishing lures designed to mirror document-signing programs are a common way to socially engineer victims into giving up their credentials and, in some cases, their multi-factor authentication (MFA) prompts using an attacker-in-the-middle methodology.

Construction firms may be targeted in this way for several different purposes. One is for financial gain, as a result of social engineering campaigns that redirect vendor payments to a fraudulent bank account.

 

In other cases, the construction company is used as the pivot point for downstream attacks. In these cases, actors use unauthorized access to a user’s email inbox to phish other clients. For example, sending out fake requests for document signature to multiple vendors to gain credentials from those vendors and extend their victim access.

The reason for these rising attacks may be because the industry involves many digital sign-ins via mobile devices on sites. An employee may be more likely to fall for a phishing lure if they are receiving the email on the road, making them potentially less vigilant about the signs of a fraudulent email.

Threat Incident Types: Variation in Phishing Techniques Signals an Evolution in Tactics

Threat Incident Types
Most Popular Threat Incident Types—Past Three Quarters

In Q1 2024, Kroll observed a slight increase in email compromise, with it remaining the most common type of threat incident. Interestingly, the percentage of ransomware cases declined in Q1, potentially as a result of disruptions affecting the large ransomware-as-a-service variants such as LockBit and BlackCat.

Phishing was the most likely vector for email compromise incidents. Kroll observed that in Q1, while phishing was typically synonymous with an email message, actors continued to evolve tactics and introduce others, such as SMS lures and voice phishing, which seem to be rising in popularity.

For many firms, security controls put into place to decrease the likelihood of BEC attacks include the verbal authentication of C-level personnel (such as chief executive or financial officers). Despite the fact that these were intended to add an extra layer of authentication for requests undertaken strictly through email, Kroll has observed cases in which actors are likely using commonly available deep fake tools to clone the voices of CEOs and CFOs.

Case Study: Evidence of Voice Cloning Highlight Risk of Deep Fakes

Case Study: Evidence of Voice Cloning Highlight Risk of Deep Fakes

In one such case, Kroll noted repeated voicemail messages simulating the CEO’s voice to authorize fraudulent transactions. The messages were upwards of five minutes long, potentially to increase the likelihood of the scam being actioned. While employees may be more suspicious of a short message cloning the CEO’s voice, a longer message—which leverages publicly available voice recordings of the CEO—arguably seems more legitimate. Such attempts highlight the increased risk that deep fakes and other AI-type technologies pose to organizations.

Technology and Telecoms Industry Most Susceptible to Insider Threat, Highlighting Threat of Supply Chain Attacks

Q1 2024—Insider Threat Incidents by Sector
Q1 2024—Insider Threat Incidents by Sector

A review of Kroll engagements for insider threat revealed insights into the sectors most vulnerable to such attacks. In Q1, Kroll observed that cases impacting the technology/telecom sector were most likely to be insider threat cases.  With most technology providers working with multiple downstream customers, an insider with access to multiple technology providers may have the ability to cascade malicious activity to clients, posing the risk of a supply chain attack.

Q1 2024—Insider Threat Incidents by Sector
Proportion of Intentional vs. Unintentional Insider Threat Cases

For the first time, we also split out the proportion of insider threat engagements deemed to be intentional versus those deemed to be unintentional. In 90% of cases, Kroll observes the insider threat being intentional, and therefore arguably malicious in intent, as opposed to accidental. This highlights the importance of insider threat not being overlooked as a threat incident type by companies.

Case Study: Employee Impersonation Insider Threat

Case Study: Employee Impersonation Insider Threat

In one case observed by Kroll in Q1, an employee onboarded by a third-party contracting firm began displaying suspicious behavior. The employee, who had been given access to confidential and sensitive information due to their job role, frequently delayed communication and stopped communicating altogether once more serious questions were raised about the legitimacy of his identity.

In this case, Kroll was able to help the company identify that the employed individual was accessing the network from a different country to the one they claimed to reside in. Kroll also helped identify the data at risk associated with the employee. 

Although Kroll did not observe the use of deep fake technology in enhancing the employee impersonation, this case does highlight how sophisticated AI technology could result in more convincing campaigns of this type.

Ransomware Variants Q1 2024

Ransomware Variants Q1 2024
Top 10 Ransomware Variants Q1 2024

The AKIRA ransomware group took the lead in Q1 2024 with 27% of cases and LOCKBIT slipped into second place with 15% of cases. We also saw a significant drop in PLAY ransomware group activity, from 11% of cases in Q4 2023 to 5% in Q1 2024.

Phishing Dominates Initial Access Methods

Top 4 Initial Access Methods—Past Three Quarters
Top 4 Initial Access Methods—Past Three Quarters

Phishing remained the top initial access vector across all threat incident types. For events where phishing was the main initial access vector, the threat type was most likely to be email compromise.

Kroll continued to observe an increase in attacks that began with a social engineering nexus and observed increases for incidents that started with threat actors exploiting public-facing applications, such as Cisco’s Adaptive Security Appliance (ASA) virtual private networks and ScreenConnect remote management tools. Attacks targeting known vulnerabilities were most likely to result in a ransomware incident.

 

Initial Access Spotlight: ScreenConnect CVE Exploited in Less Than 48 Hours by Range of Threat Actor Types

On February 19, software firm ConnectWise notified clients of two vulnerabilities (CVE-2024-1708 and CVE-2024-1709) impacting on-premise versions of their remote management tool, ScreenConnect (versions 23.9.7 and prior). The CVEs could allow attackers to bypass authentication measures to create administrative level accounts. Once those admin accounts are created, attackers would have system administrator level privileges.

In the immediate aftermath of the publication, Kroll responded to many engagements where attackers exploited this vulnerability to behave maliciously in victim’s networks. On the managed detection and response (MDR) side, Kroll was able to identify and quarantine exploitation activity before it progressed to a full-blown incident. In at least one case, Kroll identified a file containing a new malware, TODDLERSHARK, related to the Kimsuky threat actor group.

 

On the incident response side, Kroll observed that a majority of its ScreenConnect cases had an initial access date of February 21, indicating that actors were exploiting the vulnerability within less than 48 hours of the original announcement.

Based on a review of these cases, Kroll observed a wide range of threat actors leveraging the vulnerability. 

In Kroll’s review, cases occurring within the first five days of the publication were more likely to be associated with larger-scale threat actor groups. Three weeks on from the publication date, fewer cases were observed, likely due to widespread patching. Cases observed during this time period were more likely to be associated with lone wolf actors or less sophisticated threat actor groups.

 

Malware Trends and Analysis

Kroll actively tracks malware C2 infrastructure, submissions to public sandboxes and active incident response (IR) and MDR case data to generate lists of the most active malware strains for comparison. In Q1, the most notable changes were a drop in activity from QAKBOT and PIKABOT. Kroll’s Cyber Threat Intelligence team believes that this is due to a shift in KTA248 behavior toward other malware strains, such as ICEDID and ICENOVA (LATRODECTUS).

Malware Trends and Analysis

Top 10 Malware Strains—Q1 2024

In Q1, Kroll observed an uptick in threat actors leveraging WebDAV for use with remote file access for Windows. WebDAV is a protocol that allows a standard way for users and web services to communicate over the Hypertext Transfer Protocol (HTTP) to create, modify and move documents. WebDAV offers the ability for multiple users to work simultaneously on the same content.

Kroll observed actors leveraging vulnerabilities in Microsoft SmartScreen software (CVE-2023-36025 and CVE-2024-21412) that allow attackers to send an internet shortcut with an embedded malicious URL that is designed to bypass security controls. Kroll observed multiple campaigns using the technique to distribute multiple malware variants, including TIMBERSTEALER, DARKME, DARKGATE and ICENOVA.

WebDAV has a long history of security issues, particularly when associated with Windows file-sharing technologies. Previously, we have seen issues such as the leaking of user New Technology Lan Manager (NTLM) hashes and now more recently, SmartScreen bypass vulnerabilities. These vulnerabilities aren’t the only reason WebDAV is attractive to an attacker. Due to its integration into Windows, it is harder to detect than a suspicious process making its own connections. This is because with WebDAV, it is often the case that Windows file sharing is owning the actual network interaction, and the malicious process is ostensibly accessing a file. WebDAV also provides an attacker with a simple means of remote file transfer with minimal code, as even a basic batch script can download a file with a copy command. It is recommended where possible to block WebDAV traffic at the perimeter.


Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.


Kroll Responder MDR

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.

Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.


Notification, Call Centers and Monitoring

Kroll’s data breach notification, call centers and monitoring team brings global breach response expertise to efficiently manage regulatory and reputational needs.

Ransomware Preparedness Assessment

Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.