A notable shift toward increased supply chain risk was driven not only by the CLOP ransomware gang’s exploitation of the MOVEit Transfer vulnerability, but also by a rise in email compromise attacks, according to a risk consultancy and investigative firm. This and other key security trends are shaping a threat landscape in which diverse cyber threats are present, says Kroll in its latest Threat Landscape Report, covering the second quarter of 2023.
While CLOP ransomware activity dominated the headlines in the quarter, the firm says that its analysis of Kroll engagement data painted a more complex picture. Looking at the numbers, CLOP activity increased by 33 per cent over the first quarter, with the mass exploitation event also driving up incidences of CVE/exploits for initial access. Even with the volume of cases related to this event, the firm observed other concerning shifts within the landscape – email compromise engagements rose by 8pc and phishing continued to dominate as the means of initial access.
Kroll defines an email compromise event as one where email accounts are accessed maliciously by a third party, a phishing email or spam campaign is identified or an organisation’s email is used or compromised in a fraud scheme (such as business email compromise). The firm adds that email compromise is sometimes overlooked in the mass media in comparison to more headline-grabbing threats, such as ransomware.
The firm points to a familiar pattern in ‘email compromise’:
– Valid credentials for a user’s inbox are gathered via a phishing email.
– The account is accessed by a threat actor, who then uses that access to take over additional email accounts.
– During their time in the network, the threat actor is frequently observed creating inbox rules to conceal their activity.
– Once actors are embedded into accounts, they begin to carry out some type of fraud. This may take the form of:
  – Using the access to contact a known third party, such as the victim’s financial institution, to authorise a fraudulent wire transfer.
  – Sending emails from the unauthorised accounts to other users inside or outside the organisation, directing them to change or update bank account information or issue a fraudulent wire transfer.
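
For defenders, the inbox-rule step in this pattern is one of the more reliable places to look. The following is an added example, not part of Kroll's report: a detection sketch that flags concealing inbox rules created shortly after a sign-in from an unfamiliar IP address. The event schema, field names, sample events and scoring heuristics are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, simplified audit schema
# (field names are assumptions, not any vendor's log format).
EVENTS = [
    {"time": "2023-06-01T09:02:00", "user": "ap.clerk@example.com",
     "type": "signin", "ip": "203.0.113.50", "known_ip": False},
    {"time": "2023-06-01T09:10:00", "user": "ap.clerk@example.com",
     "type": "inbox_rule_created", "ip": "203.0.113.50",
     "rule": {"name": ".", "keywords": ["invoice", "wire", "bank"],
              "actions": ["mark_read", "move:RSS Feeds"]}},
    {"time": "2023-06-01T10:00:00", "user": "dev@example.com",
     "type": "signin", "ip": "198.51.100.7", "known_ip": True},
    {"time": "2023-06-01T10:05:00", "user": "dev@example.com",
     "type": "inbox_rule_created", "ip": "198.51.100.7",
     "rule": {"name": "Build mail", "keywords": ["jenkins"],
              "actions": ["move:CI"]}},
]
# Illustrative heuristics (assumptions): actions and folders that hide mail,
# and terms tied to the payment fraud described above.
HIDING_ACTIONS = {"delete", "mark_read"}
HIDING_FOLDERS = {"rss feeds", "deleted items", "junk email", "archive"}
FRAUD_TERMS = {"invoice", "wire", "bank", "payment"}

def rule_score(rule):
    """Count independent signs that a rule conceals payment-related mail."""
    score = sum(a in HIDING_ACTIONS or
                (a.startswith("move:") and a[5:].lower() in HIDING_FOLDERS)
                for a in rule["actions"])
    keywords = {k.lower() for k in rule["keywords"]}
    score += bool(FRAUD_TERMS & keywords)    # targets payment conversations
    score += not keywords                    # no condition: applies to all mail
    score += len(rule["name"].strip()) <= 2  # throwaway rule name such as "."
    return score

def find_suspicious_rules(events, window=timedelta(hours=24), threshold=2):
    """Flag concealing rules created soon after a sign-in from an unfamiliar IP."""
    alerts, risky = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts, key = datetime.fromisoformat(ev["time"]), (ev["user"], ev["ip"])
        if ev["type"] == "signin" and not ev["known_ip"]:
            risky[key] = ts
        elif ev["type"] == "inbox_rule_created" and key in risky:
            score = rule_score(ev["rule"])
            if ts - risky[key] <= window and score >= threshold:
                alerts.append((ev["user"], ev["rule"]["name"], score))
    return alerts

if __name__ == "__main__":
    print(find_suspicious_rules(EVENTS))
```

On the constructed events, only the rule created on the account with the unfamiliar sign-in is flagged; the routine filing rule on the other account is not.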
From an industry perspective, attacks on the financial services sector increased by 2pc, while attacks on healthcare (the most breached industry of 2022) rose by 2pc, a modest increase that propelled the sector into the top five most targeted industries for the first time in two quarters. In several areas, according to the firm, the threat actors have evolved their tactics to bypass common security controls (such as multi-factor authentication) and continue to prey on victims via third parties and trusted relationships.
Similarly, the firm’s recent fraud and financial crime survey found that most companies anticipate an increase in financial crime risks over the next 12 months and have doubts about the capacity of governments to keep pace with technological change and the increase in crime.