Kroll’s Q4 analysis shows ransomware groups increasingly gaining initial access through external remote services. The quarter presented a complex security landscape with a mix of both positive and negative trends: positively, activity associated with larger ransomware-as-a-service (RaaS) operations, like LOCKBIT and BLACKCAT, declined.

While businesses might have become more prepared for direct cyberattacks, 2023 demonstrated that unfortunately a business is only as secure as the organizations within their environment. Third-party risk, which is to say any risk to an organization by external parties in its ecosystem or supply chain, was the headline culprit in 2023.

An authentication bypass vulnerability, tracked as CVE-2024-0204, was discovered in Fortra's GoAnywhere MFT versions prior to 7.4.1 and allows an unauthorized user to create an admin user via the administration portal. This vulnerability has a CVSS score of 9.8 with a high potential for exploitation, which we expect to see in the short term due to a proof of concept (PoC) being available. Fortra informed customers on December 4, 2023, of the flaw via an internal forum post.

Two vulnerabilities have been detected in in Citrix NetScaler ADC and NetScaler Gateway. These vulnerabilities are being tracked as CVE-2023-6549 and CVE-2023-6548 with CVSS scores of 8.2 and 5.5 respectively. They are under active exploitation, affecting the following product versions.

DARKGATE is Windows-based malware that is sold on the dark web. DARKGATE is a fully functional backdoor that can steal browser information, drop additional payloads, and steal keystrokes. Kroll previously noted DARKGATE’s distribution via Teams. When the DARKGATE payload runs on a victim system, it creates a randomly named folder within C:\ProgramData that contains encoded files. Within the randomly named folder is a short configuration file and the output of keystrokes logged on the system.