Wed, May 17, 2023
Kroll’s findings for Q1 2023 highlight fragmented threat actor groups and a continued evolution in attack methods and approaches, which, alongside other key shifts in behavior, have concerning implications for organizations in many sectors.
In Q1 2023, Kroll observed a 57% increase in the overall targeting of the professional services sector from the end of 2022. Ransomware propelled this increase as the sector, particularly legal firms, was the most likely target of extortion and encryption attacks in Q1.
Overall, ransomware accounted for 30% of Q1 cases and 26% of email compromise cases, both remaining closely aligned with the 2022 levels. In Q1, Kroll noted a 56% increase in the number of unique ransomware variants observed. While well-known ransomware-as-a-service (RaaS) operations such as LOCKBIT continue to dominate the ransomware landscape, Kroll observed a number of lesser-known variants during the quarter. Some of these were new but others were established groups that had not been observed for several quarters. The rise in these lesser-known variants, specifically ones such as XORIST, highlights the number of independent attackers conducting ransomware operations outside of the established RaaS groups.
Phishing continues to lead the pack when it comes to initial access across all cases. Drilling into ransomware cases shows that legacy vulnerabilities such as ProxyShell and Log4j are more likely to be exploited to gain a foothold into the system.
No matter how actors get into a network, data around toolkit deployment during the Kroll Intrusion Lifecycle indicates that actors are using exfiltration tools as standard across a wide variety of threat incident types. As such, enabling organizations to detect actions within a network that denotes staging for exfiltration may help stop attackers in their tracks.
In Q1 2023, Kroll observed that ransomware and email compromise continue to be the most impactful threats against organizations.
Kroll also noted a rise in web compromise, most typically against the retail sector, highlighting that threat actors attack for financial gain.
In Q1, Kroll observed an increase in all but one of our tracked malware or malicious tool families across our active cases and OSINT collection.
Kroll detected an increase in the use of SLIVER, a cross-platform adversary emulation framework and among one of the growing numbers of public, open-source C2 frameworks, although relatively new to the scene.
Due to the public, open-source nature of this tooling, Kroll predicts SLIVER and other similar frameworks will continue to be deployed in more campaigns by threat actors.
As observed in Q4 2022, the manufacturing and technology/telecommunications sectors continued to be targeted by ransomware gangs in the first quarter of 2023.
However, professional services saw a 57% quarter-over-quarter increase and was the most frequent target of ransomware attacks in Q1. Many attacks against the professional services sector in Q1 impacted legal firms. Similar to the Google Ads abuse tactic leveraged in many late 2022 attacks, Kroll observed an ongoing SEO poisoning campaign by the actors behind GOOTLOADER malware.
This involved them targeting legal professionals searching for standard contracts and templates, as shown in the image.
GOOTLOADER infections typically led to large-scale exfiltration of sensitive data and, in some instances, extortion threats by established threat actor groups.
In cases from March and April 2023, we observed users downloading zip files that contained a malicious JavaScript file identified as GOOTLOADER. This zip file was likely hosted on a compromised website, acting as a watering hole-style attack, with the social engineering theme revolving around business documentation such as contracts or taxes. Once the malicious JavaScript file is executed by the user, a second JavaScript file is dropped into the “Appdata\Roaming\Adobe” directory and is executed by the first script. This second JavaScript file spawns Windows PowerShell (powershell.exe), which we have observed connecting to command-and-control (C2) IPs and domains and performing various host enumeration commands.
The initial script was also observed creating registry keys and a scheduled task that pointed to the second JavaScript file for persistence.
In these cases, further malicious actions were prevented; however, GOOTLOADER has additionally been observed in the wild leading to installations of further payloads including “GOOTKIT,” a sophisticated banking trojan.
Although large RaaS operations such as LOCKBIT dominated the ransomware landscape in Q1, Kroll also observed a 56% increase in unique variants from the previous quarter. This rise in unique variants included new variants such as CACTUS, DARKSKY and NOKOYAWA, and others familiar, but not observed in several quarters, such as XORIST and RANSRECOVERY.
Kroll has identified an increase in “one-off” ransomware variants that tend to use well-known builders. While these incidents do not typically include data exfiltration and do not extort through the threat of data release, it is likely that a server will be encrypted. A ransom note is created which details a contact email address, an amount of cryptocurrency required for decryption and an extremely short deadline for a response. Kroll has observed a number of XORIST-based encryptors that enable the threat actor to create a unique file extension. This builder, along with video tutorials, is available online. Initial entry is normally provided by an exposed remote service or a common vulnerability. It is likely that the increase of these incidents is in part due to several of the RaaS groups being dismantled and the ease of entry to conduct encryption. As access is not provided by a RaaS group, typically the threat actor does not explore the network as widely as a traditional ransomware actor and may only encrypt the server where they landed.
Looking across all threat incident types in Q1, phishing remained the number one initial exploit method. Of cases that started with a phishing lure, malicious links were the most likely path to infection. During Q1, Kroll observed phishing attachments continuing to evolve following the Mark-of-the-Web changes to Microsoft. While the latter half of 2022 saw actors turn to container files (.lnk or .iso) for phishing lures, early 2023 marked the rise of Microsoft OneNote (.xml) files being used to deliver malware. In February 2023, Kroll identified several instances of clients downloading malicious OneNote attachments as part of an ongoing QAKBOT campaign dubbed “QakNote.” QAKBOT itself was originally used as a banking trojan but has evolved over the years to include a variety of techniques, such as the ability to move laterally within the environment, use of C2 servers and, in the event of being unnoticed by the user, lead to ransomware (such as BLACKBASTA or ROYAL).
Towards the latter half of Q1, Kroll directly observed an increase in infections following QAKBOT campaigns that leveraged PDF lures. The name of the PDF varies, with references to invoices, complaints and management information. Once opened, the PDF usually contains an image of a logo of a productivity suite application or cloud-based document storage service. The image is commonly followed by a piece of social engineering text encouraging the user to click a button labeled “open.” In some cases, the button is followed by a password.
Inside the PDFs, the button is a hyperlink to a zip file, which, once clicked on, will be downloaded. The zip file is often password-protected, with the password displayed to the user in the PDF, providing false reassurance to the victim. This also serves as a detection evasion measure because antivirus products cannot open the zip to inspect the files. The zip contains either a Windows Script, .wsf file, or a JavaScript, .js file. When these scripts are executed, they will spawn the Windows Script (wscript.exe) that, in turn, spawns PowerShell to download the next stage.
Although requiring several stages in user interaction, this phishing social engineering technique for initial access remains successful for threat actors in 2023, with QAKBOT, in particular, being observed.
Valid accounts and external remote services continue to be the top methods for attackers to gain a foothold into systems, highlighting the ongoing popularity of info-stealer malware and threat actor exploitation of open remote desktop instances.
Drilling into ransomware cases only, Kroll observed that CVE/Exploit and remote services are the top vectors for access. Legacy vulnerabilities such as Log4j and ProxyShell continue to be leveraged by ransomware actors attempting to exploit systems.
Once threat actors are on systems, tools helping them to exfiltrate data are frequently observed as a common attack technique. Kroll frequently observes data exfiltration across threat incident types. While some of these attacks ultimately lead to encryption, Kroll also saw a number of cases this quarter in which exfiltration followed by an extortion attempt was the main mission execution by the threat actor.
Groups such as LUNAMOTH were observed using this tactic via a callback phishing scheme, prompting users to call a customer service number to avoid a renewal fee for an unwanted service. Once the user is connected with the fraudulent number, they are prompted to accept a remote access management tool that allows the threat actor to exfiltrate data from their system. They are then subsequently extorted to pay a fee or risk publication of the stolen data.
After an extended hiatus, CLOP ransomware group reactivated during this past quarter. Following its claim to have attacked over 130 companies via a zero-day exploit in the Go Anywhere file transfer system, Kroll observed a 380% increase in victim postings to their actor-controlled site, with nearly 100 companies posted in March. In Kroll’s review, such attacks only focused on data exfiltration and extortion.
Other groups took advantage of the extortionary landscape, launching mass campaigns claiming to have exfiltrated files and requesting payment through an email message. Such messages signed by various groups (MIDNIGHTGROUP, SILENTRANSOMGROUP, etc.) were sent to thousands of recipients at hundreds of companies throughout March 2023.
In Kroll’s observation, such claims were the act of opportunistic, financially motivated actors and did not indicate that unauthorized access onto the network had occurred.
Large-scale RaaS groups, such as BLACKBASTA, include exfiltration as a standard operating procedure, highlighting that detecting the first signs of exfiltration is an important step in preventing an incoming cyberattack.
Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.
Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.
Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.
Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.
Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS and Azure-certified architects, cloud security experts and unrivalled incident expertise.
Kroll’s data breach notification, call centers and monitoring team brings global breach response expertise to efficiently manage regulatory and reputational needs.
Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.
by Tiernan Connolly, Hannah Rossiter
by Laurie Iacono, Dan Ryan, Michael Carulli
by Alex Cowperthwaite
by George Glass, Keith Wojcieszek, Laurie Iacono
