Q4 2023 Cyber Threat Landscape Report: Threat Actors Breach the Outer Limits
by Laurie Iacono, Keith Wojcieszek, George Glass
The fourth quarter of 2023 saw cybersecurity threats continue to increase in sophistication. In Q4, Kroll observed ransomware groups increasingly gaining initial access through external remote services, while previously disrupted malware operations, such as the one behind QAKBOT, regrouped and redefined their strategies. These and other trends observed in Q4 2023 point to a testing 2024 for organizations.
In this briefing, Kroll’s cyber threat intelligence leaders Keith Wojcieszek, Laurie Iacono and George Glass explore key insights and trends from thousands of cyber incidents handled worldwide each year. They outline the critical issues that organizations should be aware of, including the sectors hit the hardest and active ransomware groups.
The briefing covers:
The professional services sector continues to be very attractive to threat actors. The sector once again ranked first as the most impacted in Q4, and overall saw an 8% year-over-year increase in attacks from 2022 to 2023. Kroll previously reported on specific campaigns targeting the legal industry that contributed to those numbers. The health care sector also saw a slight, ransomware-driven uptick in activity in Q4 2023.
Although LOCKBIT (22%) was the most active variant in Q4 2023, Kroll observed a decline in activity associated with the larger ransomware-as-a-service (RaaS) operators; the growth came instead from AKIRA, PLAY, INC and CACTUS. In ransomware cases, the most likely initial access method was external remote services (73%), presenting another key area of concern for organizations.
Across all incident types, phishing (41%) remained the top initial access method in 2023, as it continues to evolve and threat actors try new and more sophisticated ways to tempt users into clicking their malicious links.
In this section, Kroll experts analyze how the AKIRA and PLAY ransomware operators exploited vulnerabilities for initial access. PLAY leveraged the CitrixBleed vulnerability (CVE-2023-4966) to gain access to a professional services firm, while AKIRA gained initial access by targeting VPNs that did not enforce multi-factor authentication (MFA) and by exploiting a zero-day vulnerability (CVE-2023-20269) in the remote access VPN feature of Cisco ASA and Firepower Threat Defense (FTD).
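The two patterns above, remote access without an MFA step and a burst of failed sign-ins against an external remote service followed by a success, are the kind of thing a detection engineer would want to pull out of VPN authentication logs. The following is an added example, not Kroll's tooling or data: the log format and sample records are constructed for illustration, and a real deployment would map a vendor's native syslog fields onto the same parser.

```python
"""Flag VPN sign-ins that completed without MFA, and sources that failed
repeatedly before succeeding (credential stuffing or brute force against
an external remote service).

Added example. The space-separated record format below is constructed for
this illustration; it is not a vendor's native log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, user, source IP, result, MFA flag.
SAMPLE_LOG = """\
2023-11-02T08:01:10Z alice 203.0.113.10 SUCCESS mfa=yes
2023-11-02T08:03:02Z carol 192.0.2.55 SUCCESS mfa=no
2023-11-02T08:05:00Z bob 198.51.100.7 FAIL mfa=no
2023-11-02T08:05:31Z bob 198.51.100.7 FAIL mfa=no
2023-11-02T08:06:04Z bob 198.51.100.7 FAIL mfa=no
2023-11-02T08:06:40Z bob 198.51.100.7 FAIL mfa=no
2023-11-02T08:07:12Z bob 198.51.100.7 FAIL mfa=no
2023-11-02T08:07:50Z bob 198.51.100.7 FAIL mfa=no
2023-11-02T08:11:09Z bob 198.51.100.7 SUCCESS mfa=no
2023-11-02T09:30:00Z dave 203.0.113.44 FAIL mfa=no
2023-11-02T09:40:00Z dave 203.0.113.44 SUCCESS mfa=yes
"""


def parse_log(text):
    """Parse the constructed format into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "ok": result == "SUCCESS",
            "mfa": mfa == "mfa=yes",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def logins_without_mfa(events):
    """Successful sign-ins where no MFA step was recorded, as (user, ip)."""
    return [(e["user"], e["ip"]) for e in events if e["ok"] and not e["mfa"]]


def failures_then_success(events, window=timedelta(minutes=10), threshold=5):
    """Sources with >= threshold failures inside `window` before a success.

    Returns (user, ip, failure_count) for each such success. Failures are
    tracked per source IP so a single attacker spraying many accounts from
    one address is still caught.
    """
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    hits = []
    for e in events:
        q = recent[e["ip"]]
        while q and e["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if e["ok"]:
            if len(q) >= threshold:
                hits.append((e["user"], e["ip"], len(q)))
            q.clear()  # a success resets the streak for that source
        else:
            q.append(e["ts"])
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("no MFA:", logins_without_mfa(evs))
    print("failures then success:", failures_then_success(evs))
```

Running the block on the constructed sample reports carol and bob as sign-ins without MFA, and bob's source address as six failures followed by a success; dave's single failure stays below the threshold. The two checks answer different questions: the first is a policy gap (MFA not enforced on the service at all), the second is an active attack against whatever authentication is in place, and both deserve their own alert.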
Kroll actively tracks malware command and control infrastructure, submissions to public sandboxes, and active incident response (IR) and managed detection and response (MDR) case data to generate lists of the most active malware strains for comparison.
In Q3, the QAKBOT botnet was heavily disrupted; in Q4, however, the threat actors attempted to rebuild it, putting it firmly back in the top 10 list. Although QAKBOT features high on our quarterly trend list, we did not observe any successful infections. Q4 2023 instead belonged to the infostealers, with LUMMASTEALER (LUMMAC2) and STEALC seeing significant upticks. Throughout 2023, and especially in Q4, Kroll witnessed significant increases in infostealer activity, in the development of their capabilities and in new entrants to the market.
Q4’s rise in the use of external remote services as a ransomware attack vector sets the tone for what is already looking to be a demanding year ahead.
The increased use of external remote services by ransomware groups and the advance of other types of threats, such as infostealer malware, highlight that there is no area of security about which organizations can afford to be complacent. Those taking action now will be more likely to achieve the level of cyber maturity required to meet the security challenges of 2024. This starts with applying a number of key security controls to improve overall security posture.