Q1 2024 Cyber Threat Landscape Report: Insider Threat & Phishing Evolve Under AI Auspices

In Q1 2024, we saw an evolution in techniques used by attackers, some of which may point to longer term trends in the variation and sophistication of attacks faced by organizations. In particular, with regards to phishing, we saw SMS and voice-based tactics being used, which raises concern around the potential for deep fakes and AI-type technologies to further enhance the effectiveness of phishing attacks.

In the same vein, one insider threat case investigated by Kroll this quarter saw employee impersonation take place, another area where AI-type technology could be especially effective. Additionally this quarter, Kroll’s investigation into the ScreenConnect CVE shows attackers getting faster in their exploitation of CVEs.

Two industries are the focus in Q1 2024: technology/telecoms and construction. The former saw significant growth in insider threat cases, potentially a result of increased supply chain risk. The latter saw steady growth in email compromise over the past year, which could be driven by the nature of work in this industry, meaning that employees are often working via mobile devices or on site, where they may be more susceptible to attack.  

Q1 2024 Threat Timeline

Malware Trends and Analysis

Kroll actively tracks malware C2 infrastructure, submissions to public sandboxes and active incident response (IR) and MDR case data to generate lists of the most active malware strains for comparison. In Q1, the most notable changes were a drop in activity from QAKBOT and PIKABOT. Kroll’s Cyber Threat Intelligence team believes that this is due to a shift in KTA248 behavior toward other malware strains, such as ICEDID and ICENOVA (LATRODECTUS).

Top 10 Malware Strains—Q1 2024

In Q1, Kroll observed an uptick in threat actors leveraging WebDAV for use with remote file access for Windows. WebDAV is a protocol that allows a standard way for users and web services to communicate over the Hypertext Transfer Protocol (HTTP) to create, modify and move documents. WebDAV offers the ability for multiple users to work simultaneously on the same content.

Kroll observed actors leveraging vulnerabilities in Microsoft SmartScreen software (CVE-2023-36025 and CVE-2024-21412) that allow attackers to send an internet shortcut with an embedded malicious URL that is designed to bypass security controls. Kroll observed multiple campaigns using the technique to distribute multiple malware variants, including TIMBERSTEALER, DARKME, DARKGATE and ICENOVA.

WebDAV has a long history of security issues, particularly when associated with Windows file-sharing technologies. Previously, we have seen issues such as the leaking of user New Technology Lan Manager (NTLM) hashes and now more recently, SmartScreen bypass vulnerabilities. These vulnerabilities aren’t the only reason WebDAV is attractive to an attacker. Due to its integration into Windows, it is harder to detect than a suspicious process making its own connections. This is because with WebDAV, it is often the case that Windows file sharing is owning the actual network interaction, and the malicious process is ostensibly accessing a file. WebDAV also provides an attacker with a simple means of remote file transfer with minimal code, as even a basic batch script can download a file with a copy command. It is recommended where possible to block WebDAV traffic at the perimeter.