Financial gains, data theft, dwell time: Of the intrusions Mandiant investigated in 2024, 35% were financially motivated, with ransomware alone representing 21% of all intrusions, according to the company's data.

Financial gains were realized via data theft for the purpose of extortion, cryptomining, cryptocurrency theft, business email compromise, and cases in which attackers monetized their access by selling it to other groups. North Korean IT employment fraud also fell under this category.

Data theft was a goal in 37% of attacks, and though some of these intrusions overlap with the financially motivated ones, data theft operations also included cyberespionage activity and the theft of credentials and other information useful for further reconnaissance and lateral movement.

"Mandiant identified attackers, such as the Russian cyber espionage actor APT28 and Chinese cyber espionage groups including APT41, conducting more targeted data theft," the incident responders wrote in their report. "APT28 conducted selective data theft, demonstrating interest in personnel-related data, as well as email content and documents relevant to geopolitical topics consistent with Russian interests. In a campaign targeting multiple organizations in Europe, the Middle East, and Africa (EMEA) and Japan and Asia Pacific (JAPAC), APT41 leveraged SQLULDR2 to export data from Oracle Databases and used PINEGROVE to systematically and efficiently exfiltrate large volumes of sensitive data from the compromised networks, transferring to OneDrive to enable exfiltration and subsequent analysis."

What's worrying is that in over half of intrusions (57%) the victim organizations learned about the compromise of their networks and systems from a third party rather than discovering it through internal means. In 14% of cases, organizations were notified directly by attackers, usually in the form of ransom notes, while 43% of cases involved external entities such as a cybersecurity company or law enforcement agencies.

The average time attackers spent inside a network before being discovered last year was 11 days, a one-day increase over 2023, though still a major improvement over a decade ago, when the average discovery time was 205 days. Attacker dwell time, as Mandiant calls it, has steadily decreased over the years, which is a good sign, but remains high on average for intrusions discovered by external parties: 26 days.

"The prevailing trend across Mandiant investigations from 2018 to 2024 is toward shorter and shorter dwell times," the company said. "Comparing 2023 to 2024, the percentage of investigations that were discovered in one week or less increased from 43.3% to 45.1%."
New threat groups rising faster than new malware: Mandiant tracks threat groups according to three categories: advanced persistent threat (APT), financial threat (FIN), and uncategorized (UNC), the designation for malicious activity clusters that cannot be confidently linked to an existing known group. Mandiant tracks more than 4,500 UNC groups, 44 known APT groups, and 13 FIN groups.

The company started tracking 737 new threat clusters during 2024, 233 of which Mandiant encountered in its incident response investigations. Overall, 55% of the threat groups active last year were financially motivated, 8% were motivated by cyberespionage, and 2% had political motivations (hacktivism). For 35% of the newly tracked groups the company was not able to establish a clear motivation.

In terms of new malware, Mandiant started tracking 632 new malware families in 2024, 83 of which were used in intrusions the company investigated. This brings the total number of malware families tracked by Mandiant to over 5,500. Last year saw fewer new malware families observed during investigations than in 2023, consistent with a downward trend observed over the past three years, the company said.

"This decrease showcases threat actors' continued willingness to leverage tools already present within the targeted environment as well as their ability to use and misuse tools rather than constructing new malware or configuring known post-exploitation tools," the incident responders wrote in their report. "A growing number of compromises use no malware at all."

In terms of malware types, 35% of the families observed were categorized as backdoors, 14% as ransomware, 8% as droppers, 7% as downloaders, 6% as tunnelers, and 5% as credential stealers. Various utilities, data miners, rootkits, keyloggers, and point-of-sale malware were also observed, among others.

The malware program most frequently observed during intrusions remained the Beacon implant from the Cobalt Strike red-teaming tool. This frequently abused tool was observed in over 5% of intrusions, a sharp drop compared to 2021, when it was used 21% of the time. The decline is the result of a law enforcement operation last year that disrupted 600 command-and-control servers for unlicensed versions of Cobalt Strike.

The next most prevalent malware programs observed were GootLoader, a JavaScript-based downloader and dropper; WIREFIRE, a Python web shell for Ivanti Pulse Secure appliances; SystemBC, a proxy tunneler with a custom communication protocol that can also execute additional payloads from a C2 server; and the Akira, RansomHub, LockBit and Basta ransomware programs.
Stolen and weak credentials fuel ransomware and cloud compromises: In terms of ransomware, the most common infection vector observed by Mandiant last year was brute-force attacks (26%), such as password spraying and use of common default credentials, followed by stolen credentials and exploits (21% each), prior compromises resulting in sold access (15%), and third-party compromises (10%).

Cloud accounts and assets were compromised through phishing (39%), stolen credentials (35%), SIM swapping (6%), and voice phishing (6%). Over two-thirds of cloud compromises resulted in data theft, and 38% were financially motivated, with data extortion, business email compromise, ransomware, and cryptocurrency fraud being the leading goals.

"Mandiant also noted use of prior compromise, exploits, third-party compromise, brute-force attacks, and malicious insiders, specifically North Korean IT workers applying for jobs under false pretenses, in order to gain access to cloud systems," the company said.
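Password spraying, the brute-force variant the report singles out, is easy to miss with per-account lockout logic because each account sees only one or two failures. The following detector is an added illustration and not Mandiant's tooling or data: it groups authentication failures by source address inside fixed time windows and distinguishes a spray (many accounts, few attempts each) from a classic single-account brute force. The log format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Spray vs. brute-force detection over authentication log lines.

Added example: the log format, sample lines and thresholds are assumptions,
not anything from the report or a vendor product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumed syslog-like format; not real traffic).
# 203.0.113.7  -> one failure against each of six accounts (spray pattern)
# 198.51.100.9 -> eight failures against one account (brute-force pattern)
# 192.0.2.5    -> two typos followed by a successful login (benign)
SAMPLE_LOG = """\
2024-05-02T09:00:01Z auth FAILED user=alice src=203.0.113.7
2024-05-02T09:00:04Z auth FAILED user=bob src=203.0.113.7
2024-05-02T09:00:07Z auth FAILED user=carol src=203.0.113.7
2024-05-02T09:00:10Z auth FAILED user=dave src=203.0.113.7
2024-05-02T09:00:13Z auth FAILED user=erin src=203.0.113.7
2024-05-02T09:00:16Z auth FAILED user=frank src=203.0.113.7
2024-05-02T09:01:00Z auth FAILED user=admin src=198.51.100.9
2024-05-02T09:01:02Z auth FAILED user=admin src=198.51.100.9
2024-05-02T09:01:04Z auth FAILED user=admin src=198.51.100.9
2024-05-02T09:01:06Z auth FAILED user=admin src=198.51.100.9
2024-05-02T09:01:08Z auth FAILED user=admin src=198.51.100.9
2024-05-02T09:01:10Z auth FAILED user=admin src=198.51.100.9
2024-05-02T09:01:12Z auth FAILED user=admin src=198.51.100.9
2024-05-02T09:01:14Z auth FAILED user=admin src=198.51.100.9
2024-05-02T09:05:00Z auth FAILED user=alice src=192.0.2.5
2024-05-02T09:05:20Z auth FAILED user=alice src=192.0.2.5
2024-05-02T09:05:40Z auth OK user=alice src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse lines matching LINE_RE into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect_credential_attacks(events, window=timedelta(minutes=10),
                              spray_min_users=5, spray_max_per_user=2,
                              brute_min_attempts=8):
    """Return a list of findings, one per (source, time bucket) that matches a pattern.

    spray:       >= spray_min_users distinct accounts, each failing <= spray_max_per_user times
    brute_force: one account failing >= brute_min_attempts times
    Buckets are fixed-width (epoch-aligned); see the note below on sliding windows.
    """
    buckets = defaultdict(lambda: defaultdict(int))  # (src, bucket) -> user -> failures
    for ev in events:
        if ev["result"] != "FAILED":
            continue
        bucket = int(ev["ts"].timestamp() // window.total_seconds())
        buckets[(ev["src"], bucket)][ev["user"]] += 1

    findings = []
    for (src, bucket), per_user in buckets.items():
        start = datetime.fromtimestamp(bucket * window.total_seconds(), tz=timezone.utc)
        distinct = len(per_user)
        peak = max(per_user.values())
        if distinct >= spray_min_users and peak <= spray_max_per_user:
            findings.append({"type": "spray", "src": src, "users": distinct,
                             "window_start": start})
        elif peak >= brute_min_attempts:
            user = max(per_user, key=per_user.get)
            findings.append({"type": "brute_force", "src": src, "user": user,
                             "attempts": peak, "window_start": start})
    return findings


if __name__ == "__main__":
    for f in detect_credential_attacks(parse_log(SAMPLE_LOG)):
        print(f)
```

The fixed, epoch-aligned buckets keep the example short but will split an attack that straddles a boundary; a production rule would use a sliding window or overlapping buckets, and would also join on the user-agent or ASN, since sprays are routinely spread over many source addresses.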
Addressing the credentials problem: To combat the threat from stolen credentials and phishing, Mandiant recommends implementing multi-factor authentication (MFA) methods that are resistant to adversary-in-the-middle (AiTM) attacks, such as FIDO2-compliant hardware security keys, certificate-based authentication, or mobile authenticator apps.

Enforcing strict policies to separate personal and corporate device use, reviewing the security controls of third-party suppliers and contractors, disabling browser auto-fill functions, restricting third-party cookies, and disabling unapproved browser extensions can also help prevent credential theft. Finally, continuous security awareness training can help employees detect sophisticated social engineering attempts and ensure they don't download software from untrusted locations.
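What makes a FIDO2 key resistant to an adversary-in-the-middle is origin binding: the browser, not the page, writes the site origin into the client data the authenticator signs, so a reverse proxy on a lookalike domain obtains a signature over the wrong origin and the real relying party rejects it. The simplified relying-party check below is an added example, not code from the report or any WebAuthn library; `RP_ID`, `EXPECTED_ORIGIN` and the lookalike domain are constructed, and the public-key signature verification is stood in for by a flag so the script needs no third-party package.

```python
"""Why origin binding defeats an AiTM phishing proxy (simplified WebAuthn checks).

Added example. RP_ID, EXPECTED_ORIGIN and the lookalike origin are assumptions;
real deployments also verify the authenticator signature over
authenticatorData || SHA-256(clientDataJSON), which is represented here by a flag.
"""
import hashlib
import json
import secrets

RP_ID = "example.com"                       # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin
CLIENT_DATA_TYPE = "webauthn.get"


def new_challenge():
    """Fresh per-login challenge the server stores in the session."""
    return secrets.token_urlsafe(32)


def client_data_for(origin_seen_by_browser, challenge):
    """What the browser assembles before asking the authenticator to sign.

    The browser fills in `origin` from the page that called navigator.credentials.get();
    page script (and therefore a phishing proxy) cannot change it.
    """
    return json.dumps({"type": CLIENT_DATA_TYPE,
                       "challenge": challenge,
                       "origin": origin_seen_by_browser}).encode()


def rp_id_hash_from_authenticator():
    """First 32 bytes of authenticatorData: SHA-256 of the RP ID the browser passed."""
    return hashlib.sha256(RP_ID.encode()).digest()


def verify_assertion(client_data_json, rp_id_hash, expected_challenge, signature_valid=True):
    """Relying-party side checks. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != CLIENT_DATA_TYPE:
        return False, "wrong clientData type"
    if not secrets.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay or stale session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not signature_valid:
        return False, "signature invalid"
    return True, "ok"


def simulate_login(origin_seen_by_browser, challenge):
    """Run the flow for a user whose browser is on `origin_seen_by_browser`.

    A proxy can relay the server's real challenge to the victim, but the victim's
    browser still records the proxy's origin, which is what the RP compares.
    """
    cd = client_data_for(origin_seen_by_browser, challenge)
    return verify_assertion(cd, rp_id_hash_from_authenticator(), challenge)


def typed_code_relay(code_typed_by_user, code_expected_by_server):
    """Contrast: a one-time code typed into a form carries no origin binding,
    so a proxy that relays it unchanged is indistinguishable from the user."""
    return secrets.compare_digest(code_typed_by_user, code_expected_by_server)


if __name__ == "__main__":
    ch = new_challenge()
    print("genuine site:", simulate_login(EXPECTED_ORIGIN, ch))
    print("AiTM proxy:  ", simulate_login("https://login-example.com", ch))  # constructed lookalike
    print("relayed OTP: ", typed_code_relay("482913", "482913"))
```

The origin comparison is the line that does the work; everything else (challenge freshness, rpIdHash, signature) closes the remaining replay and substitution paths. When you review an MFA rollout, ask whether the second factor is bound to the origin the user actually visited; if the answer is a code the user reads off a screen and types, it is not.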
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3970097/the-state-of-intrusions-stolen-credentials-and-perimeter-exploits-on-the-rise-as-phishing-wanes.html