Wed, Feb 26, 2025

Q4 2024 Cyber Threat Landscape: Gone Phishing. Evolving Techniques Keep Organizations on the Hook

Trends observed by Kroll in Q4 confirm that 2024 was a year of fragmentation and fast-moving evolution for cyber threats, and they suggest that 2025 is likely to be similar. A key trend was the continued evolution of phishing techniques and approaches; phishing remained a dominant method for initial access throughout 2024. In line with last year and previous years, professional services stands out as 2024’s most targeted sector. However, patterns for other sectors are also concerning, with manufacturing remaining a firm favorite as a target for attackers. While incident volumes for the technology and telecommunications sector appear comparatively lower for the year as a whole, Kroll observed activity against the sector double in Q4.

Email compromise soared, making it the most commonly observed threat type of 2024. Ransomware attacks may have decreased in volume compared to 2023, but they proved a serious and impactful threat to industries such as financial services and healthcare throughout 2024. The prevalence of valid accounts, that is, compromised credentials used to log into networks, highlights the ongoing threat around identity and access management and the growth of information-stealing malware. Read the report for more insights into the trends that defined 2024 and those that look set to shape the year ahead.

2024 Notable Cyber Activity

  • Chinese nation-state actors are observed exploiting a pair of critical zero-day vulnerabilities targeting devices that run Ivanti virtual private network (VPN) services. The exploited zero-day vulnerabilities are CVE-2023-46805 and CVE-2024-21887. The exploitation affects at least 492 of the 26,000 devices exposed to the internet.

Most Targeted Sectors in 2024

2024 Threat Incident Analysis

Most Popular Threat Incident Types in 2024

Email compromise was the most commonly observed threat type in 2024, accounting for nearly 46% of Kroll’s digital forensics and incident response engagements. Of email compromise events, the majority in this category related to financial fraud, such as bogus invoices, vendor impersonation or payroll diversion.

Ransomware accounted for 16% of engagements, down from 26% in 2023. While less frequently observed by Kroll in 2024, ransomware events account for the most serious impact to organizations—for example, disruption of critical business operations and data loss. The majority of ransomware cases involve some type of data theft and public “naming and shaming” if the organizations do not meet threat actor demands. Such events can result in reputational impact to the victims, particularly if confidential data is stolen and posted online. In addition, third-party interdependencies on trusted partners and vendors mean that a ransomware event at one organization could hamstring an entire ecosystem of businesses, as was seen in the Change Healthcare and CDK Global attacks in 2024.

Kroll saw a rise in activity around insider threat and observed actors increasingly targeting cloud systems for unauthorized access into networks.

2024 Ransomware Activity

Q4 2024 – Top 10 Ransomware Variants
Q4 2024 – Top 5 Ransomware Variants

There were significant shifts in the ransomware landscape in 2024 as large international law enforcement efforts either directly or indirectly led to the shutdown or cooldown of several major ransomware groups. BLACKCAT went dark shortly after the February 2024 Change Healthcare event. The LOCKBIT site was brought offline the same month. Although the site moved to a different location and continues to operate, the number of victims posted by the group has dropped to an all-time low compared to 2023.

With the decline of significant ransomware-as-a-service operations, Kroll saw a rise in lone-wolf ransomware actors, particularly those using the leaked version of LOCKBIT 3.0, alongside AKIRA and RANSOMHUB. New entrant FOG was also active during the year.

In Q4, Kroll observed an increase in activity by BLACKBASTA and CLOP, both of which had been dormant for nearly a year prior. While BLACKBASTA leveraged email for initial access, CLOP took advantage of zero-day vulnerabilities in the file transfer platform Cleo Harmony (CVE-2024-50623 and CVE-2024-55956). While CLOP claimed public credit for the Cleo mass exploitation and threatened to dump data for numerous organizations on Christmas Day, Kroll also observed other ransomware groups taking advantage of the vulnerability for initial access, including CACTUS.

2024 Initial Access Analysis

Most Popular Initial Access Methods In 2024

Phishing continued to be a dominant method for initial access in 2024. Compared to 2023, the use of valid accounts (27%) and social engineering (13%) was on the rise. Valid accounts, or the use of compromised credentials to log into networks, highlight the continuing threat around identity and access management as information-stealing malware proliferates. Social engineering tactics observed in 2024 included CEO-spoofing that takes advantage of artificial intelligence (AI) to create realistic voice clones. In addition, threat actors targeted help-desk personnel for password resets and used telephone-oriented attack delivery to prime phishing victims into accepting their lures.

Ten percent of engagements started with threat actors leveraging external remote services such as VPNs while 8% related to the exploitation of software vulnerabilities. During 2024, significant vulnerability exploitation observed by Kroll centered on perimeter devices, such as VPNs and firewalls (see timeline).

Vulnerability Exploitation in 2024

  • Two zero-day vulnerabilities are discovered in Ivanti Connect Secure and Ivanti Policy Secure gateways. Tracked as CVE-2024-21887 and CVE-2023-46805, these vulnerabilities have CVSS scores of 9.1 and 8.2, respectively, and are actively exploited in the wild.

Spotlight on Phishing Methods

A consistent theme throughout 2024 was the evolution of phishing tactics as threat actors used new approaches to claim victims, such as delivering malicious activity through social media messages or via QR codes.

In October 2024, the Kroll Security Operations Center observed a threat actor targeting job recruiters on LinkedIn to deliver the MORE_EGGS backdoor.

In these instances, the recruiter was socially engineered to browse a malicious domain hosting a fake resume.

Upon visiting the domain, a zip file containing the MORE_EGGS backdoor was installed on the victim’s computer, giving the actors a foothold on the machine.

Review of the activity indicated likely connections to FIN6, a financially-motivated threat group.

In November 2024, the Kroll Threat Intelligence team observed an increase in activity associated with a CorruptQR campaign, first reported by Any.Run in August 2024. The campaign delivers Office documents with corrupt header information. When the user tries to open the document, they are prompted to restore readable content in the document, an action which reconstructs the file and presents it to the end user as a QR code. Once scanned, the user is presented with a phishing page aimed at stealing their corporate credentials and session token. Kroll research associated this activity with the ONNX phishing-as-a-service (PhaaS) platform.
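One way a mail gateway or sandbox can triage the “corrupt header” lure described above is to check whether an attachment that claims to be an Office document is still a well-formed OOXML (ZIP) container. The Python below is an added example, not code from the report or from Kroll: it builds a hypothetical minimal document, damages it in two ways (a wrecked local file header and a truncated central directory), and flags files that no longer parse as a ZIP yet still carry a recognisable Word part, which is exactly the state that prompts Word’s “restore readable content” recovery. The heuristic, the sample document and the verdict labels are assumptions for illustration.

```python
import io
import zipfile

# Constructed sample: a minimal OOXML-style container (hypothetical document),
# not a real file from the campaign.
def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def corrupt_header(data: bytes) -> bytes:
    # Simulate a damaged container: overwrite the first local-file-header
    # signature ("PK\x03\x04") so the entry can no longer be read.
    return b"\x00\x00\x00\x00" + data[4:]


def corrupt_central_directory(data: bytes) -> bytes:
    # Simulate truncation that drops the 22-byte end-of-central-directory record.
    return data[:-22]


def triage_ooxml(data: bytes) -> dict:
    """Return structural facts about a supposed OOXML file plus a verdict label.

    Verdict labels are an assumption of this example, not a vendor taxonomy.
    """
    result = {
        "zip_magic": data.startswith(b"PK\x03\x04"),
        "central_dir_ok": False,
        "first_bad_entry": None,
        "verdict": "parses-cleanly",
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["central_dir_ok"] = True
            # testzip() reads every entry and returns the first unreadable name
            result["first_bad_entry"] = zf.testzip()
    except zipfile.BadZipFile:
        pass

    damaged = (
        not result["zip_magic"]
        or not result["central_dir_ok"]
        or result["first_bad_entry"] is not None
    )
    # Local headers store entry names uncompressed, so a Word part name is
    # still visible in the raw bytes even when the container cannot be parsed.
    if damaged and b"word/document.xml" in data:
        result["verdict"] = "damaged-container-with-recoverable-office-content"
    elif damaged:
        result["verdict"] = "damaged-container"
    return result


if __name__ == "__main__":
    sample = build_sample_docx()
    for label, blob in [
        ("intact", sample),
        ("bad local header", corrupt_header(sample)),
        ("truncated central directory", corrupt_central_directory(sample)),
    ]:
        print(f"{label:28s} -> {triage_ooxml(blob)['verdict']}")
```

The useful signal is the combination: a container that fails ZIP parsing is common noise on its own, but one that fails while still advertising `word/document.xml` is a file the recipient will be invited to “repair”, and it deserves detonation or quarantine rather than delivery.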

PhaaS platforms are fueling the proliferation of phishing activity that organizations are now seeing. In Q4 alone, Kroll observed multiple PhaaS platforms targeting users. New toolkits such as Mamba 2FA and Rockstar 2FA targeted Microsoft 365 accounts to capture credentials and authentication tokens for adversary-in-the-middle attacks. Kroll has also observed more threat actors advertising AI chatbots for sale on underground forums, claiming that they can be used to deliver phishing campaigns.

Case Study - Email “Bombing” for Access: BLACKBASTA

Email Bombing Attack Chain

Kroll observed a case in which an end user’s email inbox was flooded with messages from thousands of newsletters. The user was subsequently contacted by an actor claiming to be from their IT department and socially engineering the victim into downloading a remote support tool on their device. Once inside the network, the actor conducted network reconnaissance using Netscan and exfiltrated data over a three-day period. Ultimately, the network was encrypted with BLACKBASTA ransomware.
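The inbox flood at the start of this chain is visible in mail-gateway telemetry well before the “IT department” call. The Python below is an added example, not from the report or Kroll’s tooling: it parses constructed log lines in a hypothetical `timestamp recipient sender` format and raises an alert when a single mailbox receives many messages from many distinct sender domains inside a short sliding window. The log format, the thresholds (20 messages from 15 or more domains within 10 minutes) and the sample traffic are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log() -> list:
    """Constructed mail-gateway lines: one bombed mailbox and one normal one."""
    base = datetime(2024, 12, 2, 9, 0, 0)
    lines = []
    # Burst: 30 newsletter confirmations hitting alice within five minutes,
    # each from a different list domain (constructed names).
    for i in range(30):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} alice@example.com news@list{i:02d}.example")
    # Baseline: bob receives 25 messages from three regular contacts over an hour.
    for i in range(25):
        t = base + timedelta(minutes=2 * i + 1)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} bob@example.com user@partner{i % 3}.example")
    return lines


def parse_line(line: str):
    """Hypothetical format: '<ISO timestamp> <recipient> <sender>'."""
    ts, rcpt, sender = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, rcpt.lower(), sender.split("@", 1)[1].lower()


def detect_email_bombing(lines, window=timedelta(minutes=10),
                         min_msgs=20, min_domains=15) -> dict:
    """Return {recipient: alert} for mailboxes that see a sender-diverse burst."""
    by_rcpt = defaultdict(list)
    for line in lines:
        when, rcpt, domain = parse_line(line)
        by_rcpt[rcpt].append((when, domain))

    alerts = {}
    for rcpt, events in by_rcpt.items():
        events.sort()  # logs rarely arrive in order; the window needs them sorted
        start = 0
        for end, (when, _) in enumerate(events):
            # Slide the window start forward until it spans at most `window`.
            while when - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            domains = {d for _, d in in_window}
            if len(in_window) >= min_msgs and len(domains) >= min_domains:
                alerts[rcpt] = {
                    "window_start": events[start][0],
                    "window_end": when,
                    "messages": len(in_window),
                    "distinct_domains": len(domains),
                }
                break  # one alert per mailbox is enough to trigger follow-up
    return alerts


if __name__ == "__main__":
    for rcpt, alert in detect_email_bombing(build_sample_log()).items():
        print(f"possible email bombing against {rcpt}: {alert}")
```

Requiring sender-domain diversity as well as volume is what separates a subscription bomb from a legitimately busy mailbox, and an alert here is a good trigger to warn the user that an unsolicited “IT support” contact may follow.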

Malware Trends In Intelligence Collection

Malware Trends Analysis

In December 2024, Cyberhaven reported that their Chrome extension had been compromised, with malicious code inserted into the extension that sought to exfiltrate cookies, sessions and other browser credentials. The company noted that a phishing attack on an employee enabled the incident. This gave the threat actor credentials to their Google Chrome Web Store and the ability to upload the malicious code.

It became clear that the malicious code was information-stealing malware designed to harvest credentials, including passwords, cookies, tokens and other sensitive information entered into websites that the user browsed.

On the same day, the Kroll Security Operations Center also observed similar behavior, but from an end user perspective, in which the legitimate extension Bookmark Favicon Changer (FC) that was previously installed was updated to include the malicious code seen in the Cyberhaven reporting. The extension was observed attempting to connect to the IP address 149[.]28.124.84, which hosted the malicious domain bookmarkfc[.]info. This IP address was also used during the Cyberhaven extension compromise. Both extensions were updated on December 25, 2024, with a more recent update appearing for BookmarkFC on December 30, 2024, likely to remove the malicious code.

Kroll Threat Intelligence conducted further investigation into the IP address and identified an additional list of domains hosted on that IP address that are likely mimicking other compromised browser extensions.

One particularly interesting domain in this list appears to mimic Censor Tracker, which has a significant user base. This extension was last updated on December 25, aligning with the other observed malicious code updates. The range of extensions illustrates the potential widespread impact to users, particularly given the large user bases of some of the extensions.

It is worth noting that one of the mimicked extensions, Moonsift, had not been updated on the Chrome store since October 3, 2024, which was before this campaign. This suggests that either the domain registration is preemptive for future compromise or the threat actor was unsuccessful in phishing for credentials against the developer.

Based on initial findings from Kroll’s investigation, it appears that this campaign started around December 25, 2024. However, after conducting threat hunting across managed services customers, Kroll identified malicious activity beginning on December 9, 2024, in both EMEA and the U.S.

The information displayed in the graphs below shows logged events that contained either a Domain Name System (DNS) request or connection to a malicious domain or IP address that Kroll collated from firsthand observations or open-source reporting.

EMEA: EDR events with connections/DNS requests to malicious domains/IP addresses (Source: Kroll)

U.S.: EDR events with connections/DNS requests to malicious domains/IP addresses (Source: Kroll)

There does not appear to be any correlation among which domains appear over time; all the observed domains appear toward the start of the timeline and are seen throughout.
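The threat hunt described in this section, as an added Python example (not Kroll’s tooling): it refangs the two indicators published above, matches them against constructed EDR/DNS events in a hypothetical JSON-lines schema (handling case, a trailing dot and subdomains of the indicator domain), and buckets the hits per day, which is the view the EMEA and U.S. charts summarise. The event schema, hostnames and sample events are constructed; only the indicators come from the report.

```python
import json
from collections import Counter
from datetime import datetime

# Indicators taken from this report, kept defanged as published.
REPORT_IOCS = ["149[.]28.124.84", "bookmarkfc[.]info"]

# Constructed EDR/DNS telemetry in a hypothetical JSON-lines schema (not Kroll data).
SAMPLE_EVENTS = """\
{"ts": "2024-12-09T08:14:02Z", "host": "wks-emea-01", "type": "dns", "value": "bookmarkfc.info"}
{"ts": "2024-12-09T08:14:03Z", "host": "wks-emea-01", "type": "netconn", "value": "149.28.124.84"}
{"ts": "2024-12-10T11:02:44Z", "host": "wks-us-07", "type": "dns", "value": "www.BookmarkFC.info."}
{"ts": "2024-12-10T11:30:00Z", "host": "wks-us-07", "type": "dns", "value": "updates.example.com"}
{"ts": "2024-12-25T09:00:10Z", "host": "wks-us-12", "type": "netconn", "value": "149.28.124.84"}
"""


def refang(value: str) -> str:
    """Normalise common defanging so published IoCs compare equal to raw telemetry."""
    return (value.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http"))


def build_ioc_set(iocs) -> set:
    return {refang(i) for i in iocs}


def match_ioc(value: str, ioc_set: set, event_type: str):
    """Return the matching indicator, or None. DNS names also match as subdomains."""
    v = refang(value).rstrip(".")  # resolver logs often carry a trailing root dot
    if v in ioc_set:
        return v
    if event_type == "dns":
        for ioc in ioc_set:
            if v.endswith("." + ioc):
                return ioc
    return None


def hunt(events_text: str, iocs) -> tuple:
    """Scan JSON-lines events; return (hit records, hits-per-day counter)."""
    ioc_set = build_ioc_set(iocs)
    hits, per_day = [], Counter()
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ioc = match_ioc(ev["value"], ioc_set, ev["type"])
        if ioc is None:
            continue
        day = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        hits.append({"day": day, "host": ev["host"], "type": ev["type"], "ioc": ioc})
        per_day[day] += 1
    return hits, per_day


if __name__ == "__main__":
    found, daily = hunt(SAMPLE_EVENTS, REPORT_IOCS)
    for h in found:
        print(h)
    print("first seen:", min(daily), "hits per day:", dict(daily))
```

Bucketing by day is what exposes an earlier start than the headline date: in the constructed data the first hit is on December 9, mirroring how retrospective hunting moved the observed start of this campaign back from December 25.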

