Q1 2024 Cyber Threat Landscape Report: Insider Threat & Phishing Evolve Under AI Auspices
by Laurie Iacono, Keith Wojcieszek, George Glass
![Q1 2024 Cyber Threat Landscape Report: Insider Threat & Phishing Evolve Under AI Auspices](/-/jssmedia/kroll-images/insights/q1-2024-threat-landscape-report/thumbnail.png?mw=1080)
Tue, Jun 11, 2024
In November 2023, the Cybersecurity & Infrastructure Security Agency (CISA) published guidance for addressing vulnerability CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler Gateway. This vulnerability is also known as Citrix Bleed.
According to CISA: “The affected products contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted. Exploitation of this vulnerability could allow for the disclosure of sensitive information, including session authentication token information that may allow a threat actor to “hijack” a user’s session.”
The vulnerability has been widely exploited by many types of attackers, including the PLAY Ransomware group, as shown in the case we investigate below.
PLAY Ransomware, also known as PLAY or PlayCrypt, is a ransomware-as-a-service (RaaS) group first observed in June 2022. The group both encrypts and exfiltrates victim data to demand a “double extortion” ransom to: (1) receive a decryption tool and (2) avoid data publication on its dark web data leak site. The group is known to primarily target small-to-medium-sized organizations, managed service providers (MSPs) and government entities. Kroll’s analysis of the group’s known victims shows that PLAY focuses heavily on entities in North America (60%) and Europe (33%).
Play Ransom Note – ReadMe.txt
Industries Targeted by PLAY Group
PLAY is known to use intermittent or “partial” encryption on files to render the data unusable. Rather than encrypting entire files, PLAY targets only specific data segments of each processed file. This allows for faster overall encryption and can decrease the detection rate of antivirus software using static analysis to detect ransomware infections.
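Added example (not from the Kroll report): Python that scores a file chunk by chunk with Shannon entropy, the check that exposes the alternating encrypted/plaintext pattern left by intermittent encryption, which a single whole-file entropy value tends to miss. The 4 KiB chunk size, the thresholds and the sample data are constructed for illustration.

```python
import math
import os
from collections import Counter

CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.5  # bits/byte; random or well-encrypted data approaches 8.0
LOW_ENTROPY = 6.0   # text, office documents and logs sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes) -> str:
    """Return 'plaintext', 'partially_encrypted' or 'fully_encrypted'.
    A whole-file entropy value misses intermittent encryption because the
    untouched chunks pull the average down; per-chunk entropy exposes the
    alternating high/low segments that partial encryption leaves behind.
    """
    ents = chunk_entropies(data)
    high = sum(e >= HIGH_ENTROPY for e in ents)
    low = sum(e <= LOW_ENTROPY for e in ents)
    if ents and high == len(ents):
        return "fully_encrypted"
    if high and low:
        return "partially_encrypted"
    return "plaintext"


def build_sample(mode: str) -> bytes:
    """Constructed test data, not a real victim file: eight 4 KiB chunks of
    repetitive report text; 'partial' replaces every other chunk with random
    bytes standing in for an encrypted segment, 'full' replaces all of them."""
    text = (b"Quarterly report: revenue, expenses, headcount. " * 100)[:CHUNK_SIZE]
    chunks = []
    for i in range(8):
        encrypted = mode == "full" or (mode == "partial" and i % 2 == 1)
        chunks.append(os.urandom(CHUNK_SIZE) if encrypted else text)
    return b"".join(chunks)
```

Note that the whole-file entropy of the partially encrypted sample stays under the high-entropy threshold, which is exactly why a static scanner relying on a single entropy score is weaker against this technique.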
The following infographic illustrates activity observed by Kroll’s Cyber Threat Intelligence (CTI) team over the four-day period after PLAY used the Citrix Bleed vulnerability to gain access to a professional services firm. Once inside the network, the threat actor conducted internal scouting to discover and enumerate domain accounts, trusted domains, permission groups and remote systems.
The actor then used PowerShell to deploy tools, including Mimikatz, which was used to obtain credentials for lateral movement and privilege escalation. They maintained persistence in the network via a remote access trojan and used several tactics to evade detection, such as clearing logs and stopping services (e.g., backups and Exchange). Data was compressed using WinRAR and exfiltrated via WinSCP. Lateral movement was achieved via RDP, and the PLAY payload was ultimately deployed across multiple hosts via Group Policy Objects.
| Kroll Intrusion Lifecycle Stage | ATT&CK Technique |
|---|---|
| Initial Exploitation | T1133 – External Remote Services |
| Internal Scouting | T1087.002 – Account Discovery: Domain Account |
| Toolkit Deployment | T1219 – Remote Access Software |
| Exfiltration | T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (WinSCP) |
| Lateral Movement | T1003.004 – OS Credential Dumping: LSA Secrets (Mimikatz) |
| Mission Execution | T1486 – Data Encrypted for Impact |
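Added example (not from the Kroll report): a small Python detector, run over constructed Windows event log lines, for the two evasion tactics described above, clearing of event logs (Event IDs 1102 and 104) and stopping of backup or Exchange services (Event ID 7036), correlated per host so that both happening within a short window is raised as one higher-confidence finding. The text layout, host names and service names are constructed; the event IDs and message texts are the standard Windows ones.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not a real evtx export) in "timestamp host event_id message" layout.
# Windows IDs: 1102 = Security log cleared, 104 = another log cleared, 7036 = service state change.
SAMPLE_LOG = """\
2024-01-15T02:11:03 FS01 7036 The Backup Agent service entered the stopped state.
2024-01-15T02:11:09 MAIL01 7036 The Microsoft Exchange Information Store service entered the stopped state.
2024-01-15T02:12:40 FS01 1102 The audit log was cleared.
2024-01-15T02:12:41 FS01 104 The System log file was cleared.
2024-01-15T09:30:00 WS22 7036 The Print Spooler service entered the stopped state.
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")
STOPPED_RE = re.compile(r"^The (.+) service entered the stopped state\.$")
SENSITIVE_SERVICE_RE = re.compile(r"backup|exchange|antivirus|defender", re.I)  # stops that hamper recovery or visibility
LOG_CLEAR_IDS = {1102, 104}
WINDOW = timedelta(minutes=10)


def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, eid, msg = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host, "id": int(eid), "msg": msg})
    return events


def tag(event: dict):
    """Label one event 'log_cleared', 'sensitive_service_stopped' or None."""
    if event["id"] in LOG_CLEAR_IDS:
        return "log_cleared"
    if event["id"] == 7036:
        m = STOPPED_RE.match(event["msg"])
        if m and SENSITIVE_SERVICE_RE.search(m.group(1)):
            return "sensitive_service_stopped"
    return None


def detect(log: str) -> list:
    """Return (host, finding, detail) tuples: every tagged event, plus an
    'evasion_cluster' for a host with a sensitive stop and a log clear inside WINDOW."""
    tagged = [(e, t) for e in parse(log) if (t := tag(e))]
    findings = [(e["host"], t, e["msg"]) for e, t in tagged]
    for host in sorted({e["host"] for e, _ in tagged}):
        stops = [e["ts"] for e, t in tagged if e["host"] == host and t == "sensitive_service_stopped"]
        clears = [e["ts"] for e, t in tagged if e["host"] == host and t == "log_cleared"]
        if any(abs(c - s) <= WINDOW for s in stops for c in clears):
            findings.append((host, "evasion_cluster", f"service stop and log clear within {WINDOW}"))
    return findings
```

In the sample, FS01 gets the cluster finding (backup service stopped, then both logs cleared 97 seconds later), while MAIL01 is flagged only for the Exchange stop and the routine Print Spooler stop on WS22 produces nothing.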
The similarities between ransomware variants provide opportunities for defenders to protect themselves against a number of different attackers by setting up overarching rules capable of detecting and defeating this type of activity. To defend against threat actors like PLAY, Kroll’s CTI team advises organizations to take the following next steps: