Wed, Aug 23, 2023

Q2 2023 Threat Landscape Report: All Roads Lead to Supply Chain Infiltrations

/en/our-team/george-glass

George Glass

/en/our-team/laurie-iacono

Laurie Iacono

/en/our-team/keith-wojcieszek

Keith Wojcieszek

Download the Report

Q2 Threat Timeline

Sector Analysis

Threat Incident Types

Case Study

Malware Trend Analysis

Kroll’s findings for Q2 2023 reveal a notable shift toward increased supply chain risk, driven not only by the CLOP ransomware gang’s exploitation of the MOVEit transfer vulnerability, but by a rise in email compromise attacks. This and other key security trends are shaping a threat landscape in which diverse cyber threats are present.

While CLOP ransomware activity dominated the headlines in Q2, analysis of Kroll engagement data painted a more complex picture of the threat environment. Looking at the numbers, CLOP activity increased by 33% over Q1, with the mass exploitation event also driving up incidences of CVE/exploits for initial access. Even with the volume of cases related to this event, Kroll observed other concerning shifts within the landscape as email compromise engagements rose by 8% and phishing continued to dominate the initial access category. From an industry perspective, attacks on the financial services sector increased by 2%, while attacks on healthcare rose by 2%—a small but modest increase that propelled the sector to the top five most targeted industries for the first time in two quarters.

Our analysis of incidents in Q2 highlights several areas in which actors have evolved their tactics to bypass common security controls(such as multi-factor authentication) and continue to prey on organizations via third-parties and trusted relationships.

Q2 2023 Timeline

VoIP communications company 3CX confirm that a North Korean hacking group was behind a major supply chain attack it underwent in March 2023. This is attributed to a cluster named UNC4736.
The FBI seize the domains and infrastructure for stolen credentials market, Genesis, in Operation Cookie Monster—a major blow to the cybercriminal world.
Microsoft attribute recent attacks on PaperCut servers to the CLOP and LockBit ransomware operations, which used the vulnerabilities to steal corporate data.

Sector Analysis - Health and Wealth Under Attack

Q2 2023 Threat Landscape Report: All Roads Lead to Supply Chain Infiltrations

Most Targeted Industry by Sector - Past Three Quarters

Sector Analysis - Health and Wealth Under Attack

In Q2, Kroll observed increases in attacks targeting the financial services, health care and technology and telecommunications sectors. A review of financial services cases identified that the most observed threat incident type was email compromise.

In addition, while the financial services sector is not typically targeted by ransomware, the CLOP group’s ransomware activity impacted small- to mid-sized regional banks. Kroll also observed a number of cases in which financial institutions were affected by the CLOP exploitation when a third party they worked with was posted to a CLOP victim publication site, exposing data related to their customers. This type of activity and its impact underscores the fragility of organizational interdependence and its potential role in supply chain attacks.

The rise in attacks on health care aligns with our findings outlined in our Data Breach Report that it was the most breached industry of 2022.

Threat Incident Types

Most Popular Threat Incident Types - Past Three Quarters

Threat Incident Types

Spotlight: Email Compromise Evolves and Evades

Incidences of email compromise increased by 8% in the second quarter of 2023.

Kroll defines an email compromise event as one where email accounts are accessed maliciously by a third party, a phishing email or spam campaign is identified or an organization’s email is used or compromised in a fraud scheme (such as business email compromise).

Business Email Compromise Attack Chain

While it is a well-recognized security concern, email compromise is sometimes overlooked in the mass media in comparison to more headline-grabbing threats such as ransomware.

Despite this, it remains a viable threat to organizations and was associated with more than $2.4 billion in total losses in 2021, according to the Internet Crimes Complaint Center (IC3) annual report.

Financial losses from business email compromises have grown ten-fold since the agency first started reporting them in 2015.

A review of Kroll cases associated with business email compromise indicate a familiar pattern of change to activity, as seen below.

Valid credentials for a user’s inbox are gathered via a phishing email.
The account is accessed by a threat actor, who then uses that access to take over additional email accounts.
During their time in the network, the threat actor is frequently observed creating inbox rules to conceal their activity.
Once actors are embedded into accounts, they begin to carry out some type of fraud. This may take the form of:
- Using the access to contact a known third-party—such as the victim’s financial institution—to authorize a fraudulent wire fraud transfer
- Sending emails from the unauthorized accounts to other users inside or outside the organization, directing them to change or update bank account information or issue a wire fraud transfer

Case Study: MFA Fatigue Leads to Attempted Fraud

How Attackers Bypass Multi-factor Authentication Methods

Case Study: MFA Fatigue Leads to Attempted Fraud

As previously stated, the most common vector for business email compromise is valid credentials harvested from a phishing email. Kroll has previously reported on the ways in which attackers bypass multi-factor authentication methods. We continue to see actors using such tactics to gain access to systems.

In one Kroll case during Q2, a user inadvertently granted access via an MFA push notification when a threat actor initially logged into the webmail version of their inbox. Once inside the network, the threat actor leveraged this access to add a secondary MFA device to the email account.

The threat actor was able to pivot access from this one account to multiple ones in the system. Once inside these accounts, analysis revealed that the actor commonly searched for terms related to wire fraud or payment activity to identify additional internal and external accounts of interest.

The threat actor created rules once inside the inbox to conceal their activity. This included rules that archived messages from certain senders or that moved messages with a certain document type into an RSS folder, marking them as read.

In this case, log analysis revealed that the actors were able to obtain and view a number of documents with sensitive data while they were in the system.

Ultimately, the actors reached out to the victim’s financial institution to initiate a fraudulent wire transfer. In this case, the financial institution identified the requests as suspicious and reported them to the victim organization, helping them to identify the activity and avoid financial losses.

Email Compromise and Current Phishing Tactics

During Q2, Kroll has been tracking an uptick in activity pertaining to global spam campaigns designed to harvest user credentials that leverage open redirects.

Open redirects are vulnerabilities that occur when a website accepts user-supplied input as part of a URL parameter in a redirect link, without proper validation or sanitization. This vulnerability can be exploited by an attacker to craft a malicious URL that appears legitimate but redirects the user to a different, potentially harmful website designed to capture credentials in order to access a victim’s network.

Alongside this, threat actors are leveraging phishing kits that can alter the phishing landing page on the fly based on arguments passed from the redirect links, making the websites appear more trustworthy to the victim.

Spotlight: MOVEIt Transfer Flaw Exploited

Top 10 Ransomware Variants - Q2 2023

Spotlight: MOVEIt Transfer Flaw Exploited

On May 31, Kroll began receiving reports that a zero-day vulnerability in MOVEit transfer was being actively exploited to gain access to MOVEit servers. The vulnerability, assigned CVE-2023-34362, allowed unauthenticated attackers to gain access to the MOVEit database and manipulate its contents. Upon initial notification, Kroll observed threat actors using the vulnerability to upload a web shell and exfiltrate data.

Within days of the vulnerability being published, the CLOP ransomware gang took public credit as the actors behind the attack, indicating that they would begin sending ransom demands to impacted companies on June 14.

Initial Kroll analysis of the MOVEit cases across their client base identified that similar activity targeting MOVEit servers had been observed as far back as 2021, suggesting that the CLOP ransomware group had likely identified the zero-day years earlier and had spent some time creating automated tools to aid them in conducting the mass-exploitation event.

Initial Access

Top 4 Initial Access Methods - Past Three Quarters

Initial Access

With respect to initial access, Kroll saw the most quarter-over-quarter increases associated with CVE/exploit, most of that driven by the CLOP ransomware exploitation of MOVEit transfer software. Phishing remained the top initial access vector most typically associated with email compromise.

Kroll also continues to track a cluster of LockBit 3.0 attacks leveraging victim’s VPN for initial access (External Remote Services).

Kroll observed clear evidence of a password spray attack occurring in some cases where logging was available. In nearly all these cases, Kroll observed an overlap of indicators of compromise related to the threat actor IP range and threat actor host name. A notable point is that several of the cases observed in this trend had multi-factor authentication associated with VPN access. However, a lack of knowledge about default settings and misconfigurations allowed for the MFA bypass.

In several cases investigated by Kroll, access was successfully gained using generic and easily guessable usernames and passwords such as “intern” and “payroll.” or terms that were more unique and specific to the victims’ network usernames that were likely found on paste sites or via attacker reconnaissance.

Password spraying targets the use of commonly used passwords, especially frequently seen default passwords such as the season and year(for example, "Summer2023.") In one instance, Kroll observed successful access through the victim’s VPN, harnessing usernames associated with former employees who had never been removed as authorized users from the network. This event highlights the importance of scheduled user audits in helping to prevent unauthorized access via accounts that are no longer needed or used within the environment.

During Kroll’s investigation into this cluster of events, it was noted that in some cases the victims had established multi-factor authentication (MFA) protection for the VPNs that were eventually breached by threat actors. In both instances, the victims had relied on their DUO MFA application default setting which allowed for unenrolled users to gain access, meaning that a dormant account was allowed to authenticate via DUO MFA—gaining access through the VPN to the network. In another instance, the victim misconfigured their setting, essentially not requiring MFA to access the VPN for certain users. Recommendations for avoiding these types of security breaches include the enforcement of MFA for all users and understanding settings before implementation to avoid a re-enrollment scenario.

Malware Trends & Analysis

Kroll Top 10

Malware Trends & Analysis

Kroll actively tracks malware command and control infrastructure, submissions to public sandboxes and active incident response (IR) and managed detection and response (MDR) case data to generate lists of the most active malware strains for comparison.

This quarter, Kroll observed a significant uptick in QAKBOT activity in both casework and from uploads to public sandboxes, matching our knowledge that sizeable malspam campaigns delivering QAKBOT occurred in Q2. It is important to remember that QAKBOT is commonly delivered via reply chain email attacks and can therefore spread easily from one organization to another, as victims are far more likely to open a malicious attachment from a known third party than a cold email. Kroll also observed increases in AMADEY and AGENTTESLA.

Notably, REDLINESTEALER stays in the top three malware strains detected in both open-source uploads and in Kroll’s own casework.

Third-Party Risk Emerges as a Notable Threat Amid Continued Volatility

Our findings for Q2 2023 reflect continued instability in the threat landscape. The activity of the CLOP ransomware group and the increase in email compromise attacks add up to supply chain risk becoming a notable threat. Often less prioritized as a security issue by organizations, third-party risk is now presenting as a key area of concern due to shifting threat actor behaviors and priorities.

In Q1 2023, we highlighted the trend of reinvention among threat actors, and Q2 is no different. Attackers continue to successfully transform and adapt, with our findings highlighting the importance of leveraging continuously updated and reviewed security approaches. Just one example of this type of evolution in Q2 is the use of open redirect abuse in phishing attacks. It is important to note that these types of pivots aren’t only being made in relation to tactics and techniques. They are also being undertaken on an industry level, as seen in the impact of CLOP ransomware activity on regional banks, even though the financial services sector is not usually targeted by ransomware. That’s not to say that the use of established attack techniques has stalled; threat actors also continue to achieve their goals through the use of tried-and-tested approaches such as phishing. In response, organizations should ensure that they have a comprehensive cybersecurity strategy, whether that’s for the cloud or on-premises.

While some sectors were more targeted than others in Q2—notably health care, making it one of the top five targeted industries for the first time in two quarters—all sectors need to prepare to respond to entrenched and emerging security threats.

The key underlying security trend of this quarter also requires organizations to look closer to home in order to address their cyber risk. The rise in supply chain risk calls for businesses to confirm the strength and security of their relationships with their business partners and suppliers. Alongside this, they should ensure that they have robust and proactive support from a trusted security partner. Doing so will mean that they are better positioned to weather the variable conditions in the threat and economic landscape in the months ahead.

Download the Report

Stay Ahead with Kroll

Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Cyber and Data Resilience

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

24x7 Incident Response

Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.

Penetration Testing Services

Kroll Responder MDR

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

Kroll Responder MDR

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Cyber Risk Retainer

Ransomware Preparedness Assessment

Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.

Ransomware Preparedness Assessment

Cloud Security Services

Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS and Azure-certified architects, cloud security experts and unrivalled incident expertise.

Cloud Security Services

Notification, Call Centers and Monitoring

Kroll’s data breach notification, call centers and monitoring team brings global breach response expertise to efficiently manage regulatory and reputational needs.

Notification, Call Centers and Monitoring

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.

Virtual CISO (vCISO) Advisory Services

Explore Insights

Q3 2023 Threat Landscape Report: Social Engineering Takes Center Stage

Threat Intelligence