While significant progress is being made by global organisations in relation to threat detection and response, adversaries continue to surface, innovate, and adapt to target environments with diverse cyber attacks including new extortion and ransomware tactics, techniques, and procedures (TTPs).
The data comes from Mandiant’s M-Trends 2022 report based on investigations of targeted attack activity conducted between October 1, 2020 and December 31, 2021. Among its various findings are insights into prevalent attack vectors, most targeted industries, and an increase in espionage activity linked to China.
Intrusion dwell times drop, internal vs. external detection significant
According to the research, global median dwell time, which is calculated as the median number of days an attacker is present in a target’s environment before being detected, decreased from 24 days in 2020 to 21 days in 2021.
However, it was discovered that exactly how an incident is detected significantly impacts dwell time figures. For example, the global median dwell time for incidents that were identified externally dropped from 73 to 28 days, but incidents that were identified internally saw a lengthening of global median dwell time from 12 to 18 days.
External entities detected and notified organisations 62 per cent faster in 2021 compared to 2020, something Mandiant owed to improved external detection capabilities and more established communications and outreach programs.
Interestingly, while median dwell time for internal detections was slower compared to 2020, internal detections were still 36 per cent faster than external notifications, the report stated.
In EMEA and Asia Pacific regions, most intrusions in 2021 were identified by external third parties, 62 per cent and 76 per cent respectively, whilst in the Americas, most intrusions were detected internally by organisations themselves (60 per cent).
As for dwell time distribution, Mandiant found that things approved at both ends of the spectrum; 55 per cent of investigations had dwell times of 30 days or fewer with 67 per cent of these discovered in one week or less.
An observed spike in dwell times between 90 and 300 days in 20 per cent of investigations could indicate intrusions going undetected until more impactful actions occur following infection and reconnaissance phases of attack lifecycles, or disparity between organisational detection capabilities and the types of attacks they face, Mandiant said.
However, fewer intrusions are going undetected for extensive periods of time, with only eight per cent having a dwell time of more than a year, it added.
New threat groups emerge, ransomware attackers evolve TTPs
Mandiant tracked more than 1,100 new threat groups during the reporting period, graduating two to named threat groups FIN12 and FIN13.
FIN12 is a financially motivated threat group behind prolific Ryuk ransomware attacks dating back to at least October 2018, while FIN13 is a financially motivated threat group that targets organisations based in Mexico, the report stated.
Mandiant also began tracking 733 new malware families, of which 86 per cent were not publicly available, continuing the trend of availability of new malware families being restricted or likely privately developed, according to the report.
Of the newly tracked malware families, the top five categories were backdoors (31 per cent), downloaders (13 per cent), droppers (13 per cent), ransomware (seven per cent), launchers (five per cent) and credential stealers (five per cent). These remained consistent with previous years, Mandiant said.
Generally, Beacon, Sunburst, Metasploit, SystemBC, Lockbit, and Ryuk.B were the malware families most frequently seen during intrusions across the reporting period.
Regarding ransomware, Mandiant observed attackers using new TTPs to deploy ransomware rapidly and efficiently throughout business environments, noting that the pervasive usage of virtualisation infrastructure in corporate environments (such as vCenter Server) has made it a prime target for ransomware attackers.
Throughout 2021, VMWare vSphere and ESXi platforms were targeted by multiple threat actors, including those associated with Hive, Conti, Blackcat, and DarkSide.
Attackers were detected turning on ESXi Shells and enabling direct access via SSH (TCP/22) to ESXi servers to ensure that ESXi host access remained available, creating new (local) accounts for use on ESXi servers, and changing root account passwords to ensure organisations could not easily regain control of their infrastructure.
Once access to ESXi servers was obtained, threat actors used SSH access to upload their encryptor (binary) and any shell scripts that were required, Mandiant stated.
They used shell scripts to discover where virtual machines were located on ESXi datastores, forcefully stop any running virtual machines, optionally delete snapshots and then iterate through datastores to encrypt all virtual machine disk and configuration files.
China reinvents cyber operations, ramps up espionage activity
Along with new and emerging threat groups and innovations in ransomware TTPs, Mandiant also discovered significant shifts in China’s approach to cyber operations to align with the implementation of the nation’s 14th Five-Year Plan in 2021.
The report warned that the national-level priorities included in the plan signal an upcoming increase in China-nexus actors conducting intrusion attempts against intellectual property or other strategically important economic concerns, as well as defence industry products and other dual-use technologies over the next few years.
Mandiant noted multiple Chinese cyber espionage actor sets using the same malware families across the reporting period, suggesting the possibility of a “Grand Quartermaster” developer.
Government organisations were the most targeted sector across all industries globally, with seven of the active 36 Chinese APT and UNC groups collecting sensitive information from public entities, according to the report. Mandiant suggested that some of the identified Chinese cyber espionage activity in 2021 relates to existing APTs or other clusters of UNCs.
Exploits most common attack vector, business and financial services most targeted sectors
Exploits were the most frequently identified initial infection vector in 2021, with 37 per cent of attacks beginning with an exploit, an eight per cent increase over 2020.
Supply chain compromise was the second most prevalent initial infection vector, accounting for 17 per cent of intrusions in 2021 compared to less than one per cent in 2020. Of note, 86 per cent of supply chain compromise intrusions in 2021 were related to the SolarWinds breach and Sunburst.
Interestingly, the research found that far fewer intrusions were initiated via phishing in 2021, comprising only 11 per cent compared to 23 per cent in 2020. Mandiant said this reflects organisations’ improving ability to detect and block phishing emails as well as enhanced security training of employees to recognise and report phishing attempts.
Financially motivated intrusions continued to be a mainstay in 2021, with attackers seeking monetary gain in 30 per cent of intrusions through methods such as extortion, ransom, payment card theft, and illicit transfers. Actors also prioritised data theft as a primary mission objective, with Mandiant identifying the theft of data in 29 per cent of intrusions.
As for industries most targeted by adversaries, business/professional and financial services topped the list across the globe, accounting for 14 per cent of attacks, respectively. Healthcare (11 per cent), retail and hospitality (10 per cent), and tech and government (both at nine per cent) rounded out the top five.
Organisations must respond to cyber threats with resilience
“This year’s M-Trends report reveals fresh insight into how threat actors are evolving and using new techniques to gain access into target environments,” stated Jurgen Kutscher, executive vice president, service delivery, at Mandiant.
“In light of the continued increased use of exploits as an initial compromise vector, organisations need to maintain focus on executing on security fundamentals – such as asset, risk and patch management.”
Multi-faceted extortion and ransomware continue to pose huge challenges for organisations of all sizes and across all industries, with a specific rise in attacks targeting virtualisation infrastructure, he added.
“The key to building resilience lies in preparation. Developing a robust preparedness plan and well-documented and tested recovery process can help organisations successfully navigate an attack and quickly return to normal business operations.”