Friday, Apr 26, 2024
Mugglehead Magazine
Alternative investment news based in Vancouver, B.C.

Ransomware incidences down due to law enforcement disruption and Ukraine war: Mandiant study

Mandiant’s investigations revealed extensive cyber espionage and information operations before and after Russia’s invasion of Ukraine

Cybersecurity. Photo by FLY:D via Unsplash

Global investigations involving ransomware decreased five per cent between 2021 and 2022, according to a new report from cybersecurity firm, Mandiant.

Mandiant, now part of Alphabet’s (NASDAQ: GOOG) Google Cloud, released its M-Trends 2023 report on Tuesday, providing expert analysis and timely data on the ever-evolving threat landscape, based on Mandiant’s investigations and remediations of high-impact cyber attacks worldwide.

This is the 14th year of the annual report, and it highlights the progress organizations globally have made in strengthening their defenses against increasingly sophisticated adversaries.

Sandra Joyce, the VP for Mandiant Intelligence at Google Cloud, states that while they do not have any data regarding the causes of the drop in ransomware-related attacks, there have been multiple shifts in the environment that could have caused these figures.

These factors include ongoing government and law enforcement disruption efforts targeting ransomware services and individuals, which require actors to retool or establish new partnerships.

In addition, the conflict in Ukraine and the need for actors to adjust their initial access operations to a world where macros may often be disabled by default could have played a role. Furthermore, organizations could be improving at detecting, preventing, or recovering from ransomware events more quickly.

The M-Trends 2023 report states that the global median dwell time, which is the median number of days an attacker remains undetected in a target’s environment, continues to decrease year-over-year, reaching a new low of 16 days in 2022. This is the shortest median global dwell time reported by M-Trends to date, as compared to 21 days in 2021.

More organizations being alerted by third parties of ongoing compromises

Mandiant observed an increase in the number of organizations that were alerted by an external entity of historic or ongoing compromise when comparing how threats were detected. In 55 per cent of incidents, organizations headquartered in the Americas were notified by an external entity, compared to 40 per cent of incidents last year. This is the highest percentage of external notifications that the Americas has seen over the past six years.

Similarly, organizations in Europe, the Middle East, and Africa (EMEA) were alerted of an intrusion by an external entity in 74 per cent of investigations in 2022, compared to 62 per cent in 2021.

This indicates a significant increase in the number of organizations in EMEA that were notified by an external entity of historic or ongoing compromise, suggesting an improved level of cooperation and information sharing between external entities and organizations.

Mandiant’s investigations revealed extensive cyber espionage and information operations before and after Russia’s invasion of Ukraine on February 24, 2022. Mandiant particularly noticed the activities of hacking groups, UNC2589 and APT28, before the invasion and observed more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years.

Additionally, in 2022, Mandiant started tracking 588 new malware families, indicating that adversaries are continuing to expand their toolsets. The top five categories of the newly tracked malware families were backdoors (34 per cent), downloaders (14 per cent), droppers (11 per cent), ransomware (7 per cent), and launchers (5 per cent). These malware categories have remained consistent over the years, with backdoors consistently representing more than one-third of the newly tracked malware families.

Multi-function backdoor commonly used by Russia, China and Iran

Mandiant found that BEACON, a multi-function backdoor, remained the most common malware family identified in investigations, consistent with previous years. In 2022, BEACON was detected in 15 per cent of all intrusions investigated by Mandiant, and it has been widely used by various threat groups, including nation-state backed groups attributed to China, Russia, and Iran, as well as financial threat groups and over 700 UNC groups.

The ubiquity of BEACON is likely due to its common availability and the malware’s ease of use, combined with its high customizability, according to the report. It remains the most frequently observed malware family across regions.

The goal of the M-Trends report is to provide security professionals with actionable insights on the latest attacker activity observed directly on the frontlines. This information helps improve organizations’ security postures in an ever-changing threat landscape. To achieve this objective, Mandiant sheds light on some of the most prolific threat actors and their evolving tactics, techniques, and procedures.

Moreover, Mandiant has mapped an additional 150 Mandiant techniques to the updated MITRE ATT&CK® framework, bringing the total number of techniques and findings associated with the ATT&CK framework to over 2,300.

This information helps organizations prioritize which security measures to implement based on the likelihood of a specific technique being used during an intrusion. The ultimate aim of these efforts is to enhance organizations’ security capabilities and preparedness in the face of evolving cyber threats.

Exploits remained the most leveraged initial infection vector used by adversaries at 32 per cent, while phishing represented 22 per cent of intrusions in 2022, a significant increase from 12 per cent in 2021. The continued use of exploits highlights the importance of patching and updating software to prevent attacks.

Government-related organizations are primary target of investigations

Government-related organizations were the primary target in 25 per cent of all investigations, reflecting Mandiant’s investigative support of cyber threat activity targeting Ukraine. Business & professional services, financial, high tech, and healthcare industries were the next most targeted, consistent with Mandiant’s observations in 2021. These industries remain attractive targets for both financially and espionage motivated actors.

Mandiant investigations uncovered a rise in the prevalence of credential theft through widespread information stealer malware and credential purchasing in 2022. Investigations revealed that credentials were often stolen outside of the organization’s environment and then used against the organization, possibly due to reused passwords or personal accounts on corporate devices. Organizations should implement two-factor authentication and regular password changes to reduce the risks associated with credential theft.

Intruders prioritized data theft in 40 per cent of intrusions in 2022, with threat actors attempting to steal or completing data theft operations more often than in previous years. This highlights the importance of data protection measures, such as encryption, access control, and data loss prevention, to safeguard sensitive information from being compromised.

In 2022, North Korean operators showed more interest in stealing and using cryptocurrency alongside their traditional intelligence collection missions and disruptive attacks. These operations have been highly lucrative and are expected to continue throughout 2023. Mandiant’s APT43 report provides more information on how North Korean threat actors use cybercrime to fund their espionage operations.

“Mandiant has investigated several intrusions carried out by newer adversaries that are becoming increasingly savvy and effective,” said Charles Carmakal, CTO of Mandiant Consulting.

“They leverage data from underground cybercrime markets, conduct convincing social engineering schemes over voice calls and text messages, and even attempt to bribe employees to obtain access to networks.”

These groups present a considerable danger to companies, including those with strong security measures, since their tactics are difficult to safeguard against, according to Carmakal. Therefore, companies should make it a priority to incorporate protection against these threat actors into their design goals as they work to strengthen their security teams, infrastructure, and capabilities.

The data presented in M-Trends 2023 is the result of Mandiant Consulting’s investigations into targeted attack activity carried out from January 1, 2022, to December 31, 2022. To ensure the protection of targets and their data, any sensitive information gathered has been anonymized.

Joseph Morton (joseph@mugglehead.com)
