Kroll’s Q4 analysis shows ransomware groups increasingly gaining initial access through external remote services. The quarter presented a complex security landscape with a mix of both positive and negative trends: positively, activity associated with larger ransomware-as-a-service (RaaS) operations, like LOCKBIT and BLACKCAT, declined. However, negative patterns continued, like the ongoing focus of threat actors on the professional services industry (continuing a key trend from Q3 and earlier on in 2023).

Interestingly, there was a notable drop in phishing attempts in Q4 in comparison to Q3. However, this was counterbalanced by the continued evolution of these phishing tactics, for example with a rise in the use of QR codes. Linked to this, yet another trend we observed following on from Q3 was the ongoing dominance of business email compromise (BEC) attacks. 

Kroll observed the renewal of other familiar threats in Q4, such as a rise in ransomware. Even previously terminated malware groups, like the one behind QAKBOT, regrouped and redefined their strategies (with, for example, a reply-chain phishing campaign delivering PIKABOT). These and other trends observed in Q4 2023 point to a testing 2024 for organizations.

Q4 2023 Threat Timeline

  • Multiple vulnerabilities are announced, ranging from those identified in Linux-based mail transfer agent EXIM to issues in application security software F5-BIG-IP.
  • By month’s end, two vulnerabilities in Cisco IOS XE and Citrix Netscaler products are under widespread exploitation by numerous threat actor groups.

Sector Analysis—Professional Services Remain a Key Focus For Attackers

Q4 2023 Cyber Threat Landscape Report: Threat Actors Breach the Outer Limits
Top 5 Impacted Sectors: 2022 Vs. 2023 (All Threat Incident Types)
In Q4, Kroll observed that attackers focused heavily on the professional services industry, with slight increases also observed in the health care sector, particularly in respect to ransomware activity. The focus on the professional services industry is the continuation of a trend noted throughout 2023 and follows an sharp increase in cases impacting the sector from 2022 to 2023.

Threat Incident Types

Threat Incident Types
Year-on-Year Comparison: Most Common Threat Incident Types 2022 Vs. 2023
Kroll continued to see email compromise dominate as an incident type in Q4. As expected after a lull in Q3, ransomware rebounded during the fourth quarter, accounting for 23% of all cases.

Ransomware 2023

Top 10 Ransomware Variants
Top 10 Ransomware Variants – Q4 2023

Q4 saw activity from a wide range of ransomware groups, with some key players continuing with campaigns observed earlier in 2023. Kroll observed declines in activity associated with larger ransomware-as-a-service (RaaS) operations such as LOCKBIT and BLACKCAT.

Following an extremely active Q3, BLACKCAT made headlines multiple times during Q4. First, with their move to report a victim company to the Securities and Exchange Commission (SEC) as a new pressure tactic. By the end of the quarter, BLACKCAT found themselves in the crosshairs of international law enforcement as their victim publication site was seized by the Department of Justice on December 19 and then “unseized” by BLACKCAT operators who promptly moved victim notifications to a different site. To date, the “new” BLACKCAT site continues to post victims.

AKIRA & PLAY Emerge as Top RAAS Groups

The Most Prolific Ransomware Variants of 2023
The Most Prolific Ransomware Variants of 2023
Kroll also observed upticks in activity by several variants, including AKIRA, PLAY, INC and CACTUS during Q4. Looking at ransomware cases, the most likely initial access method was external remote services, presenting another key area of concern for organizations.

External Remote Services Yields Initial Access

External Remote Services Yields Initial Access
Year-on-Year Comparison: Most Common Initial Access Methods 2022 Vs. 2023
Although lower in volume than in Q3, phishing continued to be the most likely initial access vector for Kroll engagements. Similar to 2022, phishing continues to evolve as threat actors try new and more sophisticated ways to tempt users into clicking on their malicious links. In Q4, Kroll analysts reported on a rise in the use of QR codes in phishing campaigns. Such tactics make defense more challenging as users may be less likely to perceive these codes as being suspicious, increasing the possibility of them accessing the links via personal devices, which are outside of corporate security monitoring.

Ransomware Cases in Initial Access Methods

Ransomware Cases in Initial Access Methods
Percentage of Ransomware Cases in Initial Access Methods Throughout 2023
Kroll also observed an increase in external remote services used for initial access, particularly by ransomware actors. Looking at these cases, Kroll identified that in most cases, actors are either exploiting a known vulnerability, such as CitrixBleed (CVE-2023-4966), or accessing a VPN that lacks multi-factor authentication (MFA) through valid credentials or brute-force attacks. As will be discussed later in the report, valid credentials may be obtained in a variety of ways, such as through dark web markets that sell data harvested from information-stealing malware.

Case Study: PLAY Ransomware Exploits Citrix Bleed Vulnerability

Case Study: PLAY Ransomware
PLAY Ransomware, Payload Delivery Process
A threat actor leveraged the CitrixBleed vulnerability to gain access to a professional services firm.  Once inside the network, they conducted internal scouting to discover and enumerate domain accounts, trusted domains, permission groups and remote systems. The actor then used Powershell to deploy tools, including Mimikatz, to obtain credentials for lateral movement and privilege escalation. They maintained their persistence in the network via a remote access trojan and used several tactics to evade detection (e.g., clearing logs and stopping services such as back-ups and Exchange). Data was exfiltrated from the system via WinSCP and compressed using WinRar. Lateral movement was achieved via remote desktop protocol (RDP) and the ultimate execution of the PLAY ransomware payload was delivered via Group Policy Objects across multiple hosts.

AKIRA Ransomware Leverages Vulnerability & Lack of MFA on VPN

Case Study: AKIRA Ransomware
AKIRA Ransomware Attack Chain

In October 2023, Kroll identified an uptick in engagements involving AKIRA ransomware, a trend that has continued into early 2024. Kroll observed that in the majority of cases, initial activity could be tracked back to a Cisco ASA VPN service. It is likely that this activity reflected previous reporting that affiliates distributing AKIRA were targeting VPNs failing to enforce MFA and exploiting a zero-day vulnerability in Cisco ASA and Firepower Threat Defense (FTD) services. CVE-2023-20269 allows unauthenticated users to run a brute-force attack to identify valid credentials and establish a clientless SSL VPN session. Cisco updated their advisory in October to include a patch, available via software upgrade.

Intrusion activity following access included persistence via remote management monitoring tools, such as AnyDesk, and internal network discovery via tools, such as Advanced IP Scanner and NetScan. During this time, the actor used WinSCP for exfiltration and WinRar for compression. They then leveraged RDP or remote services creation to laterally move across systems before escalating privileges into a domain admin-level account within two days of network access. Shortly after privilege escalation, AKIRA ransomware was deployed to encrypt systems.

 

Looking at these cases side-by-side highlights the similarities in activity we see between ransomware variants. While this presents a challenge for clustering activity for attribution, it also provides opportunities for defenders to protect themselves against a number of different attackers by setting up overarching rules capable of detecting and defeating this type of activity.

Malware Trends and Analysis

Kroll actively tracks malware C2 infrastructure, submissions to public sandboxes and active IR and MDR case data to generate lists of the most active malware strains for comparison.

Q4 2023 Cyber Threat Landscape Report: Threat Actors Breach the Outer Limits

Top 10 Malware Strains – Q4 2023

Malware and Ransomware Steal the Limelight

Like Q3, Q4 saw some dramatic changes to the malware and ransomware landscape, with many being a direct result of law enforcement activity to disrupt and degrade the infrastructure of some of the most prolific types. In August, the QAKBOT botnet was heavily disrupted, leading to infrastructure changes and a significant drop in QAKBOT infections in Q3. However, the attempts of threat actors to rebuild the botnet put it firmly back in the top 10 list in Q4. In yet another twist to the tale, although QAKBOT is featured high up on our quarterly trend list, we did not observe any successful infections. 

Notably, the threat actor tracked by Kroll as KTA248 (TA577, TR), as well as one of the actors operating huge QAKBOT campaigns, began deploying new malware strains to gain initial access into corporate environments. This meant that while in Q3 we saw significant increases in DARKGATE, PIKABOT tops our list for Q4. Both malware strains are operated by KTA248 as a potential successor to QAKBOT. Kroll observed a significant overlap between PIKABOT and QAKBOT infrastructure from early- to mid-2023. In November, Kroll noted a reply-chain phishing campaign delivering PIKABOT.

Infostealers also make up more of the quarterly top 10 in Q4, with LUMMASTEALER (LUMMAC2) and STEALC seeing significant upticks. Throughout 2023, and especially in Q4, Kroll witnessed significant increases in infostealer activity, the development of capabilities and new entrants to the market.

Underground Usage of Infostealer Malware on the Rise

Q4 2023 saw the strengthening of the trend in which infostealer malware has become its own ecosystem in the cybercriminal underground. Infostealer logs are a significant factor in the initial access broker market: threat actors who specialize in selling access they have gained to corporate environments to ransomware operators who then complete the attack chain and extort the victim.

Infostealers are most commonly deployed via phishing, malvertising and fake or misleading posts on social media. This means there is often little specific targeting of individuals or organizations, although this is possible. Threat actors hope to infect as many individuals as possible to collect as many credentials as they can. However, this often presents an unseen risk to corporate environments as employees' personal machines can become infected. These might contain credentials that provide access to corporate credentials or present a threat from their reuse, enabling threat actors to test them against edge services such as VPN, email platforms or application gateways.

One of the most common varieties of infostealer we currently encounter is REDLINESTEALER.

REDLINESTEALER

REDLINESTEALER, or simply REDLINE, is available on underground forums through a monthly subscription service that gives an attacker access to the REDLINE panel and the ability to pack the malware and collect the logs of stolen information. Its main functionality is to steal data such as passwords, credit card information, usernames, locations, cookies and hardware configuration from infected systems. REDLINE collects this data from a number of sources, including installed browsers, such as SQLite databases, VPN credentials and Cryptocurrency wallets, such as files containing *.wallet

If REDLINE is found to have been executed on a device, it is safe to consider that any credentials stored locally on that device have been compromised. REDLINE can also download files, making it likely that further payloads could be deployed to a victim device should a threat actor require more functionality depending on their objectives (e.g., high bandwidth data exfiltration or ransomware).

In Q4, Kroll investigated a surge in cases in which users downloaded a file associated with REDLINE. In this instance, the lure was a PDF converter software, where it was likely that the users were searching for a legitimate copy of a tool or, as in some cases, victims were searching for innocuous phrases such as “printable calendars” or “business models.” However, the malicious “pdfconvertercompare[.]com" site was presented early in the search results. This site is still active and serving malware as of January 2024.

Free Exfiltration Mechanisms Scale up the Infostealer Threat

Because infostealer malware is commonly sold as part of a service, threat actors running the services will often look to free services as a scalable solution to control the malware and use it as a method of exfiltration. Infostealers are sold directly on Telegram and use the same service to control and host extracted victim data. Similarly, VIDAR has used Steam usernames to host C2 information and many infostealers will use services such as Discord for storage of exfiltrated data. For these reasons, Kroll recommends blocking Steam, Telegram and Discord domains if they are not used for business activities.


Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.


Kroll Responder MDR

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.

Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.


Notification, Call Centers and Monitoring

Kroll’s data breach notification, call centers and monitoring team brings global breach response expertise to efficiently manage regulatory and reputational needs.

Ransomware Preparedness Assessment

Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.