In August 2021, threat actors started to exploit ProxyShell vulnerabilities in certain Microsoft Exchange Server versions. Today, not only is Kroll seeing actors continue to leverage ProxyShell in larger network intrusions but also now organizations must also be on guard for the so-called ProxyNotShell vulnerabilities, which surfaced in September 2022.
Kroll has observed threat actors abusing Google Ads to deploy malware masquerading as legitimate downloads or software that has been “cracked” or modified to remove or disable features such as copy protection or adware. As part of our analysis of this trend and threat, we have identified specifically that VIDAR malware, an information-stealing trojan, is using Google Ads to advertise spoofed domains and redirect users to fraudulent sites or malware downloads.
Kroll analysts have identified new tactics used by threat actors associated with the AvosLocker ransomware. Critical vulnerabilities have been exploited within Veeam Backup and Replication, which may be an attempt to hide activity from detection technologies. The proxy tool “Chisel” has been identified, which can encrypt traffic through a victim’s firewall and could be used as a further evasion technique.
As organizations continue to move their business operations into the cloud, the expanded attack surface generated by the “digital transformation” continues to present new opportunities for threat actors. Luckily, strategies to mitigate these new risks do exist and, as always, these center around the techniques and tactics of the adversaries.
In Q3 2022, Kroll saw insider threat peak to its highest quarterly level to date, accounting for nearly 35% of all unauthorized access threat incidents. Kroll also observed a number of malware infections via USB this quarter, potentially pointing to wider external factors that may encourage insider threat, such as an increasingly fluid labor market and economic turbulence.
As the number of high-profile cyberattacks and data breaches has increased in recent years, more companies have made investments to better secure their systems and develop incident response plans. While these are essential concerns, a firm’s obligations don’t simply end when a threat is removed from the network and they are able to resume normal operations. They must also notify those whose data may have been impacted by the breach.
The increase in successful cyberattacks driven by both an explosion of ransomware activity and a series of high profile zero-day vulnerabilities, is forcing cyber insurers to further scrutinize the companies they insure and the policies they offer.
All organizations should have access to the skills needed to detect and contain threats. But, typically, only the very largest enterprises can afford the millions in annual staff and infrastructure investments required to maintain a Security Operations Center (SOC).
The nature of LinkedIn’s professional environment facilitates communication among individuals from various backgrounds across industries. However, threat actors have been known to exploit the business networking platform for malicious aims, including intelligence gathering, identity theft and spear phishing. A number of fake profiles identified on the site have been observed targeting individuals in diverse sectors, particularly those with roles in government, cyber security and education.
Rclone is a data syncing tool often used by threat actors to exfiltrate data during a ransomware attack. Typically, the actors deploy Rclone after gaining remote access to the victim’s network. However, recently, Kroll experts have noted the use of Rclone in M365, using credentials stolen through network compromises or phishing attacks with minimal privileges to stealthily exfiltrate large amounts of SharePoint/OneDrive data.
