Paul Ditty

View Original

Mandiant M-Trends 2023: Attackers Won’t Back Down

In its 2023 M-Trends Special Report, Mandiant is calling 2022 “the year of the aggressive threat actor.” The incident response company observed a willingness among adversaries to do whatever it took to achieve their objectives, which weren’t always financially motivated. They employed bullying tactics, impersonated employees, and were relentless in their use of phishing. But defenders claimed some victories, too.

Dwell Time is Down, Data Theft is Up

One success metric that defenders witnessed last year included a drop in attackers’ global median dwell time, from 21 days in 2021 to 16 in 2022. This overall improvement in detection “reflects a growing recognition of the critical role partnerships and information exchange play in building a resilient cybersecurity ecosystem,” Mandiant notes. However, dwell time involving ransomware increased from five days to nine days, which means adversaries were able to go undetected for longer periods of time, often because they employed “living off the land” techniques where they leverage their victim’s native tools, applications, and protocols to evade security controls and detection.

Another interesting statistic highlights a small drop in a common motivation for attacks: The proportion of adversaries seeking financial gain decreased from 30 percent to 26 percent in 2022. However, data theft increased from 29 percent to 40 percent, which implies threat actors are stealing information for other purposes rather than holding the data for ransom.

Targeted Attacks and Industries

Cyber espionage proved highly prevalent in 2022, with 25 percent of attacks targeting government bodies—a sharp jump from 9 percent the previous year. The primary reason for this increase comes from the Russian invasion of Ukraine, Mandiant points out. Several countries contributed to intrusions and to intelligence gathering efforts while a volunteer cyber army came to Ukraine’s aid to defend and perform counter reconnaissance.

Professional businesses and financial institutions followed governments in most attacks that Mandiant documented, at 14 percent and 12 percent, respectively. These numbers remain consistent with the previous year. As Mandiant reports, “These industries remain attractive targets for both financially and espionage motivated actors.”

Attack Vectors and Infiltration Techniques

Exploits remained the most common infection vector, comprising 32 percent of globally identified attacks, followed by phishing and stolen credentials. Of these exploits, the Log4j vulnerability (CVE-2021-44228) was identified most frequently, followed by F5 Big-IP iControl REST (CVE-2022-1388) and VMware Workspace ONE Access and Identity Manager (CVE-2022-22954). Each threat was notable for its ease of exploitation, and even after being patched, these threats managed to cause considerable damage. (It’s worth noting that ExtraHop Reveal(x) provides detections for these and other vulnerabilities.)

Mandiant continued to see BEACON malware represented as the most recognized malware in investigations at 15 percent in 2022, down from 28 percent in 2021. These backdoor attacks often utilize the Cobalt Strike platform. LockBit and Basta malware each accounted for 2 percent of all attacks. An interesting omission was SUNBURST, which was responsible for nine percent of malware investigations in 2021 but didn’t make this year’s list.

Threat Actors are Breaking the Rules

While financial gain has dropped in motivation over the past few years, it’s still the primary focus for 48 percent of threat groups, Mandiant notes. The other motivations appear to be infiltrating and causing havoc for the mere sake of bragging rights. Phishing attacks rose significantly, from 12 percent in 2021 to 22 percent of all attacks last year. Mandiant points to a new method beyond email scams: attackers creating cloud-based call centers to impersonate employees and steal credentials, known as voice phishing, or “vishing.”

“We’re seeing attackers cause bigger impacts with less skills,” the report says. “They’re also more brazen, and willing to get much more aggressive and personal to achieve their goals. They will bully and threaten, and ignore the traditional cyber rules of engagement. It’s not enough to just protect systems these days, employees need to be protected as well.”

Cyber hygiene isn’t enough to stop this new era of aggressive cyber attackers, the report concludes. Companies, municipalities, financial institutions—any organization with sensitive data—should implement a zero trust security mindset. Even as cybersecurity measures improve, adversaries have repeatedly shown they will find a way to gain access.