Thu, Nov 21, 2024

Q3 2024 Threat Landscape Report: Rising Attacks on Tech and Telecoms Reinforce Need for Business Continuity Planning

/en/our-team/laurie-iacono

Laurie Iacono

/en/our-team/george-glass

George Glass

/en/our-team/keith-wojcieszek

Keith Wojcieszek

Q3 Threat Timeline

Sector Analysis

Threat Incident Types

Ransomware Variants

Malware Trend Analysis

A notable rise in attacks in Q3 2024 shows that threat actors are increasingly focusing on the tech and telecoms sector. This finding aligns with the wider global pattern of attacks against technology companies. Insider threat significantly impacted the sector during the quarter, alongside email compromise and ransomware. The pressure remains on other industries, however, with professional services retaining its status as the sector most targeted by attackers, and four of the five key sectors experiencing an increase in attacks this quarter.

Other reasons to remain vigilant are the rise in nation-state actor activity and the diversification in form and techniques by various ransomware groups. Insider threat and email compromise remain a key area of risk for business, having been the most observed threats in Q3. In a quarter that was defined by the global disruption resulting from the CrowdStrike IT outage, our findings point to a complex and fast-moving threat landscape. Read the report to gain the full picture of the past quarter’s security trends, plus key recommendations to help your organization stay resilient.

Q3 2024 Threat Timeline

On July 19, 2024, a change is pushed to CrowdStrike Falcon EDR sensor agents, causing crashes and ‘Blue Screen of Death’ (BSOD) on Windows systems, sending them into a boot loop as they try to load a faulty driver. The outage impacts critical operations across airports, hospitals, banks, critical national infrastructure and more.
The PLAY ransomware group expand their tactics by introducing a Linux variant that targets VMWare ESXi environments, which are utilized by businesses to host multiple virtual machines to run and host data. This has the potential to increase potential victim targets that could lead to more lucrative ransom negotiations.

Sector Spotlight: Technology and Telecoms Under Attack

Most Targeted Industry by Sector Over the Past Three Quarters

Sector Spotlight: Technology and Telecoms Under Attack

While Q3 2024 saw the professional services sector continue its long run as the industry most targeted by attackers, there was also an increase in attacks on the tech and telecoms sector. A jump of five percent compared with the previous quarter is particularly notable in a sector that has experienced relatively low levels of attacks in the past.

The fact that this significant change can occur in just one quarter is a reminder that shifts of this kind have the potential to happen fast in all industries. Four of the five key sectors have experienced an increase this quarter, with one other remaining at the same level as Q2. Although tech and telecoms is in the spotlight this time, overall trends point to the need for all industries to remain vigilant to the impact of evolving attacker tactics.

Case Study: MEDUSA Puts Tech Firm on Pause

Threat Actors Infiltrate Network Infrastructure

Case Study: MEDUSA Puts Tech Firm on Pause

Kroll observed an electronics manufacturing firm hit by MEDUSA ransomware suffer nearly a week of downtime. During this attack, threat actors were observed bypassing at least one of the client’s endpoint detection & response tools, which allowed the malware to spread across the network. Lack of visibility across the IT infrastructure also likely played a role in the extended post-attack downtime and recovery period, highlighting the importance of understanding network infrastructure prior to an attack taking place.

Diverse Threat Types Impact Tech Sector

Q3 2024 Tech and Telecom Sector – Top 4 Threat Incident Types

Diverse Threat Types Impact Tech Sector

Similar to reports from Q1, Kroll observed that insider threat is a significant risk factor for the tech and telecoms sector. Email compromise and ransomware are also adding to the security challenges experienced by this industry.

Incident Response Cases in the Tech & Telecom Sector Over the Past Five Quarters

Kroll’s observations of the continued targeting of the technology sector dovetails with other widely reported attacks on such firms in Q3. For instance, AT&T announced a data breach in early July that impacted phone records of nearly all customers, including phone numbers, text records and location-related data.

Global Headwinds Impacting Technology Sector

CrowdStrike IT Outage Causes Chaos

Although not a cyber attack, a July 19 outage involving Crowdstrike Falcon produced the “Blue Screen of Death” across thousands of organizations, grounding worldwide flights at one point.

The incident, caused by a faulty software update, was remediated, but not before highlighting the global chaos that unfolds when a widely-used technology tool is unavailable.

The event, now often referred to as the “largest IT outage in history” underscores the importance of business continuity planning.

Nation-State Actors Escalate Their Efforts

Nation-state actors ramped up their activities in Q3. Email security firm KnowBe4 revealed that it had been targeted by North Korean actors in July. The scheme, similar to one reported by Kroll in Q1, revolved around a remote employee impersonating a U.S. IT Worker in an attempt to infiltrate the organization.

In September, reports emerged that a campaign involving a China-based threat actor group had gained access to multiple U.S. telecommunications firms and internet service providers (ISP). It is interesting to note the level of focus on tech firms in this context, a pattern that again aligns with trends observed by Kroll.

Threat Incident Type: Ransomware Activity Becomes More Volatile

Most Popular Threat Incident Types Over the Past Three Quarters

Threat Incident Type: Ransomware Activity Becomes More Volatile

While insider threat and email compromise were the most observed threats in Q3, Kroll also noted the emergence of several new ransomware variants, highlighting possible rebrands and spin-offs following earlier law enforcement disruptions of LOCKBIT and the public exit of BLACKCAT/ALPHV earlier this year.

Ransomware Variants

Top 10 Ransomware Variants Q3 2024

Ransomware Variants

In Q3, Kroll observed a spike in activity related to the AKIRA ransomware gang. The majority of those cases targeted organizations with a vulnerable SonicWall VPN.

Kroll also observed the emergence of new ransomware gangs such as VANIR, MAD LIBERATOR, LYNX and CICADA.

Kroll analysts identified a leak site for the VANIR ransomware group appearing in July 2024. In September, the group’s operation was disrupted by the State Bureau of Investigation Baden-Württemberg. A press release from German law enforcement announced the seizure of the ransomware group’s data leak site and stated that the investigation into the identity of the threat actor(s) behind it is still ongoing.

MAD LIBERATOR was also identified in July 2024 by the creation of their data leak site. The groups state they are “comprised of hackers all over the world and do their best to help companies fix their security issues and recover their files.” MAD LIBERATOR encrypts files using the AES/RSA algorithm and is not an affiliate group.

Kroll observed cases involving LYNX ransomware, another group emerging around July 2024 with rumors of the group using INC source code. LYNX claims that it’s “core motivation” is to gain financial incentives and that it has a strict policy against targeting hospitals, government institutions and non-profit organizations since they play an important role in society.

Another new variant observed during the quarter was CICADA/CICADA3301 which carries out double-extortion tactics and operates a data leak site to use as a part of its campaign. Researchers have discovered overlaps in CICADA3301 and ALPHV/BLACKCAT, which could possibly indicate a rebrand or affiliates of the previous group working for this new ransomware operation. Researchers have also discovered that CICADA3301 may utilize or work with the Brutus botnet for initial access to corporate networks.

Initial Access Spotlight: External Remote Services and Valid Accounts

Top 4 Initial Access Methods—Past Three Quarters

Initial Access Spotlight: External Remote Services and Valid Accounts

In Q3 2024, external remote services and valid accounts were the most methods most likely to be used by ransomware actors to get into networks. A report in August highlighted the nation-state aspect of the ransomware ecosphere, as the U.S.’s Cybersecurity and Infrastructure Security Agency and FBI reported that Iranian actors were targeting industries, particularly information technology, with exploits related to VPN structure to gain access. These actors sometimes use this type of access for persistence and data exfiltration. They have also been observed selling initial access online.

Malware Spotlight – LUMMASTEALER / IDATLOADER

Q3 2024 Threat Landscape Report: Rising Attacks on Tech and Telecoms Reinforce Need for Business Continuity Planning

Top 10 Malware Strains Q3 2024

*(New) highlights the strain's debut in the Kroll top 10

Q3 marked a significant increase in information stealer attacks. Kroll has tracked highly effective social engineering techniques throughout Q2 and Q3. We previously detailed this technique in our Q2 report as part of an ongoing CLEARFAKE campaign, which socially engineers the user into entering malicious commands into a PowerShell or Command Prompt window. Kroll believes this technique was made popular in a DARKGATE distribution campaign that started in May, and was conducted by KTA248 (TA577, Tramp). This campaign used phishing to deliver an HTML attachment designed to look like a Microsoft Word window.

Q3 2024 Cyber Threat Landscape Report

Example of HTML Lure Rendered in Browser (Source: Kroll + VirusTotal)

This technique has evolved over the course of Q2 and Q3, with CLEARFAKE campaigns utilizing it as part of a fake browser update lure. A methodology referred to as ‘ClickFix’ has seen similar lures like fake browser updates or errors through social engineering which similarly sees the user tricked into executing malicious commands.

Kroll observed that the latest style of social engineering that tricks users into executing malicious commands was highly effective. This is because the newest methods are designed to look like security tooling such as CAPTCHAs, which are not typically covered in cybersecurity awareness training.

Q3 2024 Cyber Threat Landscape Report

Example of CAPTCHA Lure Rendered in Browser (Source: Kroll)

Kroll has seen this form of social engineering become highly effective at luring victims into installing information-stealing malware, specifically LUMMASTEALER which was being dropped by IDATLOADER. In Q3, LUMMASTEALER was the most common malware observed by the Kroll Responder service. This corroborates open-source reporting that information stealers continue to be a significant driver of the cybercrime underground market.

Achieving Cyber Resilience: Key Recommendations
The Pace of Attack Increases: Trends observed by Kroll in Q3 2024 demonstrate the speed at which threat actors can advance their tactics and areas of focus. The sudden rise in attacks on tech and telecoms in just one quarter alone demonstrates how quickly threat actors can evolve, leaving organizations struggling to keep up. Disruption is Interconnected: The wave of disruption that the global CrowdStrike IT outage created around the world in Q3 2024 demonstrates the impact of such events on organizations. In an increasingly interconnected and cloud-dependent world, this large-scale domino effect is highly unlikely to be a one-off. The only question is how well-prepared organizations are to act when the next incident occurs. One-Hit Approaches are Inadequate: The growing efforts of nation-state actors and the continued volatility of ransomware groups point to a landscape in which it is increasingly risky to rely on reactive, one-off approaches to security. With so many threat types and conflicting security requirements, it is imperative that companies fully embrace ongoing business continuity and incident response planning. Risk Grows Increasingly Complex: As the nature of security risk becomes more complex and variable, organizations must ensure that they view business continuity from a broad-ranging perspective. Mitigating risks requires significant collaboration and effort beyond cyber and technology teams to include business resilience and third-party/outsourcing functions. Despite this, many organizations still lack robust and sustainable solutions that will enable them to manage the associated risks. AI Generates Fresh Threats: With AI-generated malware found to be delivering ASYNCRAT via phishing emails this quarter, it is clear that the technology continues its rise as yet another weapon in threat actors’ armories. The growing use of these types of tools again highlights the risks of relying on traditional security approaches alone. With so many varying factors in play in Q3 2024 and likely to affect on security in the months ahead, the Kroll CTI team makes the following recommendations: Ensure that your organization prioritizes incident response planning. A well-structured plan will safeguard your employees, protect your data and ensure business function is maintained. Support incident response planning with regular testing and assessments to validate that processes are in place during an emergency. Regular testing can help you identify, monitor and analyze vulnerabilities in your information security systems. It can also enable you to identify potential data privacy and security compliance issues that may have been previously overlooked. Complete regular, customized incident response tabletop exercises led by seasoned experts. This will give the members of your incident response team a valuable opportunity to clarify and rehearse their roles and boost their confidence in carrying out their assigned duties in the event of an incident. Tabletop exercises will also highlight where guidance or information needs to be updated. Put in place a cyber risk retainer capable of enabling swift and strategic response in the event of an incident. As well as being fully configurable to your environment, this should be customizable to a level that enables you to access the type of proactive response and notification services required to fulfill your evolving security situation and business goals. Ensure your organization has key controls in place and that each capability and control implemented includes a combination of people, process and technologies to be fully effective. These controls also require good governance and metrics to provide ongoing assurance that they’re working properly and delivering return on investment—and to identify when they are not. Gain an expert external review of your existing business continuity plans to ensure alignment with evolving industry best practices and business needs. This is best achieved by working with a cyber security partner with the breadth of experience and offerings to enable you to achieve comprehensive cyber resilience.

Achieving Cyber Resilience: Key Recommendations

The Pace of Attack Increases: Trends observed by Kroll in Q3 2024 demonstrate the speed at which threat actors can advance their tactics and areas of focus. The sudden rise in attacks on tech and telecoms in just one quarter alone demonstrates how quickly threat actors can evolve, leaving organizations struggling to keep up.

Disruption is Interconnected: The wave of disruption that the global CrowdStrike IT outage created around the world in Q3 2024 demonstrates the impact of such events on organizations. In an increasingly interconnected and cloud-dependent world, this large-scale domino effect is highly unlikely to be a one-off. The only question is how well-prepared organizations are to act when the next incident occurs.

One-Hit Approaches are Inadequate: The growing efforts of nation-state actors and the continued volatility of ransomware groups point to a landscape in which it is increasingly risky to rely on reactive, one-off approaches to security. With so many threat types and conflicting security requirements, it is imperative that companies fully embrace ongoing business continuity and incident response planning.

Risk Grows Increasingly Complex: As the nature of security risk becomes more complex and variable, organizations must ensure that they view business continuity from a broad-ranging perspective. Mitigating risks requires significant collaboration and effort beyond cyber and technology teams to include business resilience and third-party/outsourcing functions. Despite this, many organizations still lack robust and sustainable solutions that will enable them to manage the associated risks.

AI Generates Fresh Threats: With AI-generated malware found to be delivering ASYNCRAT via phishing emails this quarter, it is clear that the technology continues its rise as yet another weapon in threat actors’ armories. The growing use of these types of tools again highlights the risks of relying on traditional security approaches alone.

With so many varying factors in play in Q3 2024 and likely to affect on security in the months ahead, the Kroll CTI team makes the following recommendations:

Ensure that your organization prioritizes incident response planning. A well-structured plan will safeguard your employees, protect your data and ensure business function is maintained.
Support incident response planning with regular testing and assessments to validate that processes are in place during an emergency. Regular testing can help you identify, monitor and analyze vulnerabilities in your information security systems. It can also enable you to identify potential data privacy and security compliance issues that may have been previously overlooked.
Complete regular, customized incident response tabletop exercises led by seasoned experts. This will give the members of your incident response team a valuable opportunity to clarify and rehearse their roles and boost their confidence in carrying out their assigned duties in the event of an incident. Tabletop exercises will also highlight where guidance or information needs to be updated.
Put in place a cyber risk retainer capable of enabling swift and strategic response in the event of an incident. As well as being fully configurable to your environment, this should be customizable to a level that enables you to access the type of proactive response and notification services required to fulfill your evolving security situation and business goals.
Ensure your organization has key controls in place and that each capability and control implemented includes a combination of people, process and technologies to be fully effective. These controls also require good governance and metrics to provide ongoing assurance that they’re working properly and delivering return on investment—and to identify when they are not.
Gain an expert external review of your existing business continuity plans to ensure alignment with evolving industry best practices and business needs. This is best achieved by working with a cyber security partner with the breadth of experience and offerings to enable you to achieve comprehensive cyber resilience.

Stay Ahead With Kroll

Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Cyber and Data Resilience

Cyber Threat Intelligence

Threat intelligence are fueled by frontline incident response intel and elite analysts to effectively hunt and respond to threats.

Cyber Threat Intelligence

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

24x7 Incident Response

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Cyber Risk Retainer

Kroll Responder MDR

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

Kroll Responder MDR

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.

Virtual CISO (vCISO) Advisory Services

Application Threat Modeling Services

Kroll helps development teams design and build internal application threat modeling programs to identify and manage their most pressing vulnerabilities.

Application Threat Modeling Services

Ransomware Preparedness Assessment

Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.

Ransomware Preparedness Assessment

Exlplore Insights

Q2 2024 Threat Landscape Report: Threat Actors Do Their Homework, Ransomware and Cloud Risks Accelerate

Threat Intelligence