Earlier this month, the United Nations (U.N.) released its latest Global Assessment Report on Disaster Risk Reduction (GAR2022). For those of us who assess risk for a living, it is a sobering read.

Kroll has recently observed a new malware strain called “Bumblebee” operating as a loader, delivered via phishing email, in order to deploy additional payloads for use in ransomware operations. The malware takes its name from the unique user-agent (since changed), which it used to connect to command and control (C2) servers. It was first reported by Google's Threat Analysis Group (TAG) in March 2022, with the first sample submitted to VirusTotal on March 1.

Kroll’s incident responders have seen threat actor groups becoming increasingly sophisticated and elusive in the tactics, techniques and procedures they employ to steal payment card data. One common method is to “scrape” the Track 1 or Track 2 data stored on the card’s magnetic stripe, which provides the cardholder account and personal information criminals need to make fraudulent “card-not-present” (CNP) transactions.

Kroll has been tracking Emotet since it was first identified in 2014, especially during its transition from a banking Trojan designed to primarily steal credentials and sensitive information to a multi-threat polymorphic downloader for more destructive malware. Today, Emotet operators stand as one of the most prominent initial access brokers, providing cybercriminals with access to organizations for a fee.

Multi-factor authentication (MFA) exploits and countermeasure tooling are evolving in real time and at a rapid pace. Some threat actors aim to bypass this security feature for financial gain, while other groups seek to control the flow of information.

In Q1 2022, Kroll observed a 54% increase in phishing attacks being used for initial access in comparison with Q4 2021. Email compromise and ransomware were the two most common threat incident types, highlighting the integral part played by end users in the intrusion lifecycle.

Across the thousands of cyber incidents that Kroll’s global team investigates every year, our experts are constantly on the hunt to spot established patterns of threat actor activity—and to discover new ones. In observing attack patterns, our experts discovered that threat actors like repeatability. Certain actors can be predictable not only in how they attack, but also in the tools and tactics they use once they have access.

Cyber risk has never been completely independent of world politics and international affairs, but in recent weeks, there has been a significant shift in alignment. The domain of physical war has closer ties to the digital sphere than ever before. As part of efforts to manage elevated cyber risk, it is vital to understand the short-term impact and longer-term risk of current events, and where focus should be placed to achieve the best defense.

The article below was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscription is available below: Kroll has investigated many different tactics that threat actors use to steal consumer data on e-commerce sites.

Having conducted more than 3,200 incident response engagements in 2021, Kroll’s Threat Intelligence team now tracks more than 200 ransomware threat actor groups. Kroll’s global Incident Response teams are very familiar with actions traditionally associated with a network intrusion, from initial access to lateral movement to privilege escalation to data exfiltration—and in the case of financially motivated actors, ransomware deployment.