The state of intrusions: Stolen credentials and perimeter exploits on the rise, as phishing wanes

CISOs seeking insights into the latest cyberattack trends should note that cybercriminals’ initial access methods appear to be shifting, as data from both Verizon and Google-owned Mandiant underscored similar findings about intrusion techniques in separate reports.

According to Mandiant, stolen credentials were responsible for more intrusions last year than phishing and were second only to exploits as attackers’ most frequent initial access method. This observation tracks with the findings of other security companies that noted a sharp rise in the sale and use of infostealers over the past 12 months.

Mandiant’s incident responders identified vulnerability exploits as the initial cause in 33% of intrusions they investigated in 2024, followed by stolen credentials (16% vs. 10% in 2023) and phishing (14%). Despite new approaches to making its social engineering trickery more effective, phishing has seen a steady decline as an initial access method over the past two years, having accounted for nearly 1 in 4 compromises in 2022 and 17% in 2023.

“While email phishing remains a common and effective method for obtaining initial access, adversaries can obtain credentials in a variety of ways, including purchasing leaked or stolen credentials on underground forums, mining large data leaks for credentials, and actively pursuing credentials by infecting users with keyloggers and infostealers,” wrote Mandiant’s incident responders in their annual M-Trends report. “The continued prevalence of phishing and credential theft underscores the importance of implementing multifactor authentication (MFA), preferably FIDO2-compliant MFA methods.”

Exploits along the perimeter

For the fifth year in a row, exploited vulnerabilities remained the undisputed leader among initial access methods, serving as the main infection vector in 1 in 3 intrusions, though this represents a 5% drop versus 2023. Most notable, however, is a clear shift toward network perimeter devices, a trend echoed by Verizon in its report, with security appliances increasingly being targeted over the past year through zero-day vulnerabilities.

Atop the list of frequently exploited vulnerabilities observed by Mandiant was CVE-2024-3400, a zero-day command injection in the GlobalProtect secure VPN feature of Palo Alto Networks’ PAN-OS software. This was followed by CVE-2023-46805 and CVE-2024-21887, two vulnerabilities impacting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances. A SQL injection vulnerability in the FortiClient Endpoint Management Server (CVE-2023-48788) came in third place.

Other noteworthy initial access vectors included web compromises (9%), prior compromises where existing access was sold to other groups by initial access brokers (8%), brute-force password guessing attacks (7%), and insider threats (5%), primarily fueled by a new trend of North Korean IT workers seeking employment under false pretenses.

Financial gains, data theft, dwell time

Of the intrusions Mandiant investigated in 2024, 35% were financially motivated, with ransomware alone representing 21% of all intrusions, according to the company’s data.

Financial gains were realized via data theft for the purpose of extortion, cryptomining, cryptocurrency theft, business email compromise, and cases in which attackers monetized their access by selling it to other groups. North Korean IT employment fraud also fell under this category.

Data theft was a goal in 37% of attacks, and though some of these intrusions overlap with the financially motivated ones, data theft operations also included cyberespionage activity and the theft of credentials and other information useful for further reconnaissance and lateral movement.

“Mandiant identified attackers, such as the Russian cyber espionage actor APT28 and Chinese cyber espionage groups including APT41, conducting more targeted data theft,” the incident responders wrote in their report. “APT28 conducted selective data theft, demonstrating interest in personnel-related data, as well as email content and documents relevant to geopolitical topics consistent with Russian interests. In a campaign targeting multiple organizations in Europe, the Middle East, and Africa (EMEA) and Japan and Asia Pacific (JAPAC), APT41 leveraged SQLULDR2 to export data from Oracle Databases and used PINEGROVE to systematically and efficiently exfiltrate large volumes of sensitive data from the compromised networks, transferring to OneDrive to enable exfiltration and subsequent analysis.”

What’s worrying is that in over half of intrusions (57%) the victim organizations learned about the compromise of their networks and systems from a third party rather than discovering it through internal means. In 14% of cases, organizations were notified directly by the attackers, usually in the form of ransom notes, while 43% of cases involved external entities such as a cybersecurity company or law enforcement agencies.

The average time attackers spent inside a network until being discovered last year was 11 days, a one-day increase over 2023, though still a major improvement versus a decade ago when the average discovery time was 205 days. Attacker dwell time, as Mandiant calls it, has steadily decreased over the years, which is a good sign, but remains high on average for intrusions discovered by external parties — 26 days.

“The prevailing trend across Mandiant investigations from 2018 to 2024 is toward shorter and shorter dwell times,” the company said. “Comparing 2023 to 2024, the percentage of investigations that were discovered in one week or less increased from 43.3% to 45.1%.”

New threat groups rising faster than new malware

Mandiant tracks threat groups according to three categories: advanced persistent threat (APT), financial threat (FIN), and uncategorized (UNC), which is the designation for malicious activity clusters that cannot be confidently linked to an existing known group. Mandiant tracks more than 4,500 UNC groups, 44 known APT groups, and 13 FIN groups.

The company started tracking 737 new threat clusters during 2024, 233 of which Mandiant encountered in its incident response investigations. Overall, 55% of the threat groups active last year were financially motivated, 8% were motivated by cyberespionage, and 2% had political motivations (hacktivism). For 35% of the newly tracked groups the company was not able to establish a clear motivation.

In terms of new malware, Mandiant started tracking 632 new malware families in 2024, 83 of which were used in intrusions the company investigated. This brings the total number of malware families tracked by Mandiant to over 5,500.

Last year saw a lower number of new malware families observed during investigations than in 2023, consistent with a downward trend observed for the past three years, the company said.

“This decrease showcases threat actors’ continued willingness to leverage tools already present within the targeted environment as well as their ability to use and misuse tools rather than constructing new malware or configuring known post-exploitation tools,” the incident responders wrote in their report. “A growing number of compromises use no malware at all.”

In terms of malware types, 35% of the families observed were categorized as backdoors, 14% as ransomware, 8% as droppers, 7% as downloaders, 6% as tunnelers, and 5% as credential stealers. Various utilities, data miners, rootkits, keyloggers, and point-of-sale malware were also observed, among others.

The malware program most frequently observed during intrusions remained the Beacon implant from the Cobalt Strike red-teaming tool. This frequently abused tool was observed in over 5% of intrusions, a sharp drop compared to 2021 when it was used 21% of the time. The decline is the result of a law enforcement operation last year that disrupted 600 command-and-control servers for unlicensed versions of Cobalt Strike.

The next most prevalent malware programs observed were GootLoader, a JavaScript-based downloader and dropper; WIREFIRE, a Python web shell for Ivanti Pulse Secure appliances; SystemBC, a proxy tunneler with a custom communication protocol that can also execute additional payloads from a C2 server; and the Akira, RansomHub, LockBit and Basta ransomware programs.

Stolen and weak credentials fuel ransomware and cloud compromises

In terms of ransomware, the most common infection vector observed by Mandiant last year was brute-force attacks (26%), such as password spraying and the use of common default credentials, followed by stolen credentials and exploits (21% each), prior compromises resulting in sold access (15%), and third-party compromises (10%).

Cloud accounts and assets were compromised through phishing (39%), stolen credentials (35%), SIM swapping (6%), and voice phishing (6%). Over two-thirds of cloud compromises resulted in data theft and 38% were financially motivated with data extortion, business email compromise, ransomware, and cryptocurrency fraud being leading goals.

“Mandiant also noted use of prior compromise, exploits, third-party compromise, brute-force attacks, and malicious insiders — specifically North Korean IT workers applying for jobs under false pretenses — in order to gain access to cloud systems,” the company said.

Addressing the credentials problem

To combat the threat from stolen credentials and phishing, Mandiant recommends implementing multi-factor authentication (MFA) methods that are resistant to adversary-in-the-middle (AiTM) attacks, such as FIDO2-compliant hardware security keys, certificate-based authentication, or mobile authenticator apps.

Enforcing strict policies to separate personal and corporate device use, reviewing the security controls of third-party suppliers and contractors, disabling browser auto-fill functions, restricting third-party cookies, and disabling unapproved browser extensions can also help prevent credential theft. Finally, continuous security awareness training can help employees detect sophisticated social engineering attempts and ensure they don’t download software from untrusted locations.
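As an added illustration (not code from the article or from Mandiant), the following PowerShell script applies the browser-side controls listed above to Google Chrome on a Windows host through machine-level policy registry keys: auto-fill is disabled, third-party cookies are blocked, and all extensions are blocked except an allowlisted one. The policy names are Chrome's own; the allowlisted extension ID is a placeholder, and the script assumes it is run as Administrator on a domain- or MDM-managed machine.

```powershell
# Added example: enforce the browser hardening recommendations via Chrome
# machine policy. Chrome reads these keys at startup (see chrome://policy).
$chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $chrome -Force | Out-Null

# Disable browser auto-fill so no saved passwords, addresses or card data sit
# in the profile for an infostealer to harvest; block third-party cookies.
$boolPolicies = @{
    PasswordManagerEnabled    = 0   # no built-in password store
    AutofillAddressEnabled    = 0   # no address auto-fill
    AutofillCreditCardEnabled = 0   # no payment card auto-fill
    BlockThirdPartyCookies    = 1   # restrict third-party cookies
}
foreach ($name in $boolPolicies.Keys) {
    New-ItemProperty -Path $chrome -Name $name -Value $boolPolicies[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Unapproved extensions: block everything by default ("*"), then allow only
# the approved list. List-valued policies are subkeys with values "1", "2", ...
$block = Join-Path $chrome 'ExtensionInstallBlocklist'
New-Item -Path $block -Force | Out-Null
New-ItemProperty -Path $block -Name '1' -Value '*' -PropertyType String -Force | Out-Null

$allow = Join-Path $chrome 'ExtensionInstallAllowlist'
New-Item -Path $allow -Force | Out-Null
# PLACEHOLDER (assumption): replace with the 32-character ID of an extension
# your organization has actually reviewed and approved.
New-ItemProperty -Path $allow -Name '1' -Value 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' `
    -PropertyType String -Force | Out-Null

# Read back the effective values so the change can be verified or audited.
Get-ItemProperty -Path $chrome |
    Select-Object PasswordManagerEnabled, AutofillAddressEnabled,
                  AutofillCreditCardEnabled, BlockThirdPartyCookies
```

The same policy names apply to Chrome on Linux and macOS through managed-policy JSON or profile files, so the mapping carries over to non-Windows fleets.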

The original article can be found at Cyberattacke auf berlin.de | CSO Online.