Kroll's Top Threat Intelligence Blogs of 2023 | Redscan

From CACTUS to Colour-Blind, the Kroll Cyber Threat Intelligence team has observed and shared updates about a wide range of threats over the past year.

In this blog post, we share some of our most popular threat intelligence updates of 2023.


1. The MOVEit Transfer vulnerability: discovery, analysis and exfiltration methods

The impact of the MOVEit Transfer vulnerability meant it was no surprise that these Kroll updates were among our most-read threat intelligence articles of 2023. Our first MOVEit article reported that a zero-day vulnerability in MOVEit Transfer was being actively exploited to gain access to MOVEit servers. We had observed threat actors using this vulnerability to upload a web shell, exfiltrate data and initiate intrusion life cycles. As of June 2, 2023, the vulnerability had been assigned CVE-2023-34362.

The second MOVEit article discussed how, in June, the CLOP ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). While Kroll analysis of the exploitation confirmed that threat actors were using this vulnerability to upload a web shell and exfiltrate data, our Kroll forensic review also identified activity indicating that the CLOP threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021, highlighting the sophisticated knowledge and planning that go into mass exploitation events such as these.

We published a third MOVEit update in July, focusing on our identification of two different file exfiltration methodologies leveraged by threat actors, primarily CLOP, during engagements throughout May and June 2023.

For a full debrief on the MOVEit Transfer vulnerability, check out our webinar replay page.



2. CACTUS ransomware: prickly new variant evades detection

Another of our most-visited threat intelligence articles of the year was our update on the identification of a new ransomware strain, which we named CACTUS. It has been active since at least March 2023 and has been observed leveraging documented vulnerabilities in virtual private network (VPN) appliances to gain initial access. Once inside the network, CACTUS actors attempt to enumerate local and network user accounts as well as reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks.
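The account-creation-then-scheduled-task chain described above is something a detection team can correlate from Windows Security event logs. The following is an added example (not Kroll's own detection content) that pairs account creation events (4720) with scheduled task creation events (4698) on the same host inside a short window; the event records are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample Windows Security events (not real telemetry).
# 4720 = a user account was created; 4698 = a scheduled task was created.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2023-03-10T02:14:05", "host": "SRV01", "event_id": 4720,
     "subject": "svc-vpn", "target": "backup2"},
    {"ts": "2023-03-10T02:16:40", "host": "SRV01", "event_id": 4698,
     "subject": "backup2", "task": "\\Updater"},
    {"ts": "2023-03-10T09:00:00", "host": "WS07", "event_id": 4698,
     "subject": "admin", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"ts": "2023-03-11T10:00:00", "host": "SRV02", "event_id": 4720,
     "subject": "hr-admin", "target": "newhire"},
    {"ts": "2023-03-11T15:30:00", "host": "SRV02", "event_id": 4698,
     "subject": "hr-admin", "task": "\\Backup"},
]


def correlate_account_then_task(events: List[Dict], window_minutes: int = 30) -> List[Dict]:
    """Return an alert for every scheduled task created on the same host within
    window_minutes after a new account was created. Severity is 'high' when the
    task was created by the newly created account itself (the CACTUS pattern),
    'medium' otherwise. Timestamps are assumed to be ISO-8601 strings."""
    ordered = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, created in enumerate(ordered):
        if created["event_id"] != 4720:
            continue
        t0 = datetime.fromisoformat(created["ts"])
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > timedelta(minutes=window_minutes):
                break  # events are time-ordered, so nothing further is inside the window
            if later["event_id"] != 4698 or later["host"] != created["host"]:
                continue
            severity = "high" if later["subject"] == created["target"] else "medium"
            alerts.append({"host": created["host"], "new_account": created["target"],
                           "task": later["task"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in correlate_account_then_task(SAMPLE_EVENTS):
        print(alert)
```

A 30-minute window keeps the rule tight; widening it trades missed slow-moving intrusions against noise from legitimate admin work, as the SRV02 events in the sample show.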



3. Proof of concept developed for Ghostscript code execution vulnerability

In July, we shared that Ghostscript, an open-source interpreter for the PostScript language and PDF files, had recently disclosed a vulnerability affecting versions prior to 10.01.2. The vulnerability, CVE-2023-36664, was assigned a CVSS score of 9.8 and could allow code execution because Ghostscript mishandled permission validation for pipe devices (those referenced with the %pipe% or | pipe-character prefix). Because Ghostscript can be invoked in many different ways, exploitation of such a vulnerability might not be limited to one application or be immediately obvious. We shared information about a viable exploit that we developed for this vulnerability and our work in using it to advance detection efforts.
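Two checks a defender can run against this issue are a version comparison against the fixed release and a scan of PostScript input for string literals that name a pipe device with either prefix the advisory mentions. The code below is an added example, not Kroll's exploit or detection code; the sample PostScript and the command names in it are constructed placeholders.

```python
import re
from typing import List, Tuple

# Fixed release per the advisory summarised above: versions before 10.01.2 are affected.
FIXED_VERSION = (10, 1, 2)

# Prefixes that make Ghostscript treat the rest of the string as a pipe device.
_PIPE_PREFIXES = ("%pipe%", "|")

# PostScript (...) string literal with backslash escapes. Simplification: does not
# handle nested unescaped parentheses, <hex> strings, or parentheses inside % comments.
_PS_STRING = re.compile(r"\((?:\\.|[^\\)])*\)", re.DOTALL)

# Constructed sample input, not a real document.
SAMPLE_PS = """%!PS
/out (%pipe%placeholder-command) (w) file def
(normal text) show
(|placeholder-command) (r) file
"""


def version_affected(version: str) -> bool:
    """True when a dotted Ghostscript version string (e.g. '10.01.1') is older
    than the fixed 10.01.2 release."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < FIXED_VERSION


def extract_strings(ps_source: str) -> List[str]:
    """Return the contents of every (...) string literal in PostScript source."""
    return [m.group(0)[1:-1] for m in _PS_STRING.finditer(ps_source)]


def find_pipe_device_refs(ps_source: str) -> List[Tuple[str, str]]:
    """Return (prefix, literal) for every string literal that names a pipe device.
    '%pipe%' is a strong signal; a bare '|' prefix can also occur in ordinary text,
    so treat those hits as lower confidence and review them."""
    hits = []
    for literal in extract_strings(ps_source):
        for prefix in _PIPE_PREFIXES:
            if literal.startswith(prefix):
                hits.append((prefix, literal))
                break
    return hits


if __name__ == "__main__":
    print("10.01.1 affected:", version_affected("10.01.1"))
    print("pipe device refs:", find_pipe_device_refs(SAMPLE_PS))
```

For PDF input the same scan only works on decompressed content streams, so run it after a PDF library has inflated them.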



4. Black Basta technical analysis

Black Basta, a notorious ransomware-as-a-service (RaaS) threat group, drove a surge in double-extortion ransomware attacks this year. In another of our most-visited articles of 2023, we outlined the tactics, techniques and procedures (TTPs) we had identified Black Basta using to conduct double-extortion ransomware campaigns. While the actor is sophisticated, we have observed Black Basta sometimes reusing similar TTPs across multiple incidents, making it important for potential victims to educate themselves and adopt proactive countermeasures.



5. Royal ransomware deep dive

Royal ransomware proved to be another top concern for organizations this year. In an article in February, we explained how the group brought together threat actors previously associated with Roy/Zeon, Conti and TrickBot malware, escalating attacks to focus on top-tier corporations for larger ransoms from the start of 2023. Their ransoms reportedly ranged from $250,000 to over $2 million. While the Royal group had first been observed primarily targeting systems running the Windows operating system, reports surfaced in February 2023 of a variant capable of compromising Linux systems and virtual machines.



6. Deep dive into GOOTLOADER malware and its infection chain

Our June update on the GOOTLOADER malware proved to be another highly popular article. We observed an increase in the number of active GOOTLOADER malware campaigns targeting a variety of sectors, including the legal, financial and professional services sectors. The analysis of Kroll cases identified that GOOTLOADER was delivered into victim environments via search engine optimization (SEO), using compromised WordPress sites that host malicious documents masquerading as generic legal and contract templates.

Following the initial GOOTLOADER compromise, further tooling such as COBALTSTRIKE, SYSTEMBC and open-source scripts were observed being deployed into victim environments. Our view continues to be that the goal of these attacks is currently corporate espionage; however, this can move to extortion and ransoming the organisation very quickly. It all depends on the actors and their motives.



7. Microsoft Teams used as initial access for DARKGATE malware

In October, we shared news about our observation of DARKGATE malware being delivered to users through files shared in Microsoft Teams messages, targeting the transportation and hospitality sectors. Files hosted on public SharePoint sites were downloaded and executed by victims, which led to batch scripts copying the AutoIT interpreter and scripts from adversary-controlled infrastructure. The DARKGATE payload was injected into a running process, and further AutoIT scripts were created and used for persistence via the user’s Start Menu.

This activity appeared to be part of a wider DARKGATE campaign that was also reported in open-source intelligence. The surge in Microsoft Teams-related social engineering activity has been observed since Q2 2023, coinciding with the discovery of a vulnerability in Microsoft Teams. Mitigating it effectively required organisational configuration changes and heightened user awareness. Organisations that have not made the configuration changes can still be impacted, although the campaign is no longer as active as it was in Q2 2023.



8. PyPI packages used to deliver Python remote access tools

In March, we shared news about our identification of a fully featured information stealer and remote access tool (RAT) in the Python Package Index (PyPI), which we named “Colour-Blind.” The malicious package was found during a project to gain greater awareness of initial attack vectors, using a tool developed by Kroll’s threat intelligence team. The “Colour-Blind” malware points to the democratisation of cybercrime, which could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others.



Get the latest intel updates in your inbox

Stay prepared for the emerging threats of 2024 and beyond with our regular threat intelligence reports, which draw on over 3,000 yearly incident response engagements. From our quarterly Cyber Threat Landscape Reports sharing the latest trends and real-life case studies, to ad hoc security updates in response to breaking security news, sign up here to receive breaking threat intelligence before anyone else, along with periodic news, alerts and exclusive invitations from Kroll.
