Kroll’s latest threat landscape report shows an evolution in techniques used by attackers, some of which may point to longer term trends in the variation and sophistication of attacks faced by organisations.
In Q1 2024, Kroll observed SMS and voice-based tactics being used in phishing attacks, raising concern around the potential for deep fakes and AI technologies to further enhance the effectiveness of phishing attacks.
Linked to this, one insider threat case investigated by Kroll in Q1 saw employee impersonation take place, another area in which AI-related technology could be especially impactful. These, as well as other notable trends from the previous quarter, are discussed in the report, Insider Threat & Phishing Evolve Under AI Auspices.
Professional services remain top target
The sectors targeted by threat actors in Q1 2024 were consistent with previous quarters. Professional services remained the focus for attacks, accounting for 24% of cases, while manufacturing continued to rank at second place, with 13% of cases, followed by financial services and healthcare at 9% and 8% respectively.
Variation in phishing techniques signals an evolution in tactics
In Q1 2024, Kroll observed a slight increase in email compromise, with it remaining the most common type of threat incident. Phishing was the most likely vector for email compromise incidents, with Kroll observing that while phishing was typically synonymous with an email message, actors continued to evolve tactics and introduce others.
For many firms, security controls put into place to decrease the likelihood of BEC attacks include the verbal authentication of C-level personnel. Even though these were intended to add an extra layer of authentication for requests undertaken strictly through email, Kroll has observed cases in which actors are likely using commonly available deep fake tools to clone the voices of CEOs and CFOs.
Technology and telecoms industry most susceptible to insider threat
Kroll observed that cases impacting the technology/telecom sector were most likely to be insider threat cases. With most technology providers working with multiple downstream customers, an insider with access to multiple technology providers may have the ability to cascade malicious activity to clients, posing the risk of a supply chain attack.
For the first time, we also split out the proportion of insider threat engagements deemed to be intentional versus those deemed to be unintentional. In 90% of cases, Kroll observes the insider threat being intentional, and likely malicious in intent, as opposed to accidental.
AKIRA group takes the lead
The AKIRA ransomware group took the lead in Q1 2024 with 27% of cases and LOCKBIT slipped into second place with 15% of cases. We also saw a significant drop in PLAY ransomware group activity, from 11% of cases in Q4 2023 to 5% in Q1 2024.
QAKBOT and PIKABOT malware activity decreases
The most notable changes in malware behaviour in Q1 were drops in activity from QAKBOT and PIKABOT. Kroll’s Cyber Threat Intelligence team believes that this is due to a shift in KTA248 behavior toward other malware strains, such as ICEDID and ICENOVA (LATRODECTUS).
Evolving threats signal need for breadth of cyber protection
Kroll’s findings for the first quarter of 2024 highlight the value of a broad cyber protection strategy for organisations. The increase in insider threats means that businesses must ensure they are prepared to tackle the threat from within, as well as addressing increasingly varying types of external risks.
Faced by the growing AI challenge, organisations can no longer risk relying on purely defensive or one-dimensional approaches to security. Instead, they must ensure that their vigilance translates into a strategy that proactively addresses all layers of the attack surface.
Adapting in this climate means collaborating with a security partner capable of scaling up, with the breadth of vision and solutions to ensure that organisations can stay ahead at every stage of the threat lifecycle. Only by doing so can companies ensure they remain resilient in the face of formidable security challenges.
