Threat Intelligence

Mandiant M-Trends – 2023 Threat Intelligence – What Do You Need To Know?

Mandiant are market leaders recognised by enterprises, governments, and law enforcement agencies worldwide for their threat intelligence and expertise that drive dynamic security solutions.

Threats evolve, attackers are constantly changing their tactics, techniques and procedures, and defenders must adapt and stay relentless in their approach if they want to keep up. Their 2023 M-Trends Threat Intelligence report helps organisations frame the fight against cyber adversaries and enables defences to be bolstered ahead of an attack.

CyberCrowd partnered with Mandiant in 2022 to bring our customers their industry expertise, we have summarised the key takeaways from their report below.

M-trends provides an inside look at the evolving cyber threat landscape drawn from Mandiant incident response investigations and threat intelligence analysis of high-impact attacks and remediations around the globe across the last year.

Data from Mandiant Investigations

The metrics reported in M-Trends 2023 are based on Mandiant Consulting investigations of targeted attack activity conducted through 2022.

Detection by Source

Internal Detection – when an organisation independently discovers it has been compromised.

External Detection – when an outside entity informs and organisation that it has been compromised.

In 2022, Mandiant observed a general increase in the number of organisations that were alerted by an external entity of historic or ongoing compromise. Organisations were notified of breaches by external entities in 63% of incidents. This continues the trend observed in 2021 and brings the global detection rates closer to what defenders experienced in 2014.

Organisations in Europe, the Middle East and Africa (EMEA) were alerted of an intrusion by an external entity in 74% of investigations in 2022 compared to 62% in 2021.

A ransomware related intrusion provides access for, or is associated with, a malicious actor that has theprimary goal of encrypting data with the intention of extracting payment from the target in order to avoidfurther or undo the malicious action.

In 2022, external notifications were more prevalent as a notification source regardless of the investigation type. In intrusions related to ransomware, organisations were notified by an external entity in 70% of investigations.Organisations were predominantly notified by adversaries due to a fully executed ransomware event with 67% of investigations (8% of all investigations) detected due to a ransom note. Notifications from external partners comprise the remaining 33% of ransomware related investigations (4% of all investigations).

Dwell Time

Dwell time is calculated as the number of days an attacker is present in a victim environment before they are detected. The median represents a value at the midpoint of a data set sorted by magnitude.

Global median dwell time continued to improve year over year, with organisations detecting incidents in just over two weeks (16 Days) in 2022. This is the shortest global median dwell time from all M-Trends reporting periods.

Defenders continue to detect events faster than external entities notify. In 2022, the global median dwell time forintrusions detected internally was 13 days. Improvements in global median dwell time in 2022, regardless of detection source, enabled organisations to respond to incidents faster than ever before.

Organisations in EMEA detected incidents 58% faster in 2022 compared to 2021, with the overall median dwell time now less than three weeks.

Mandiant also noted that the global number of incidents involving ransomware fell to 18%, however the Median dwell time increased to 9 days in 2022.

Industry Targeting

Mandiant observed business/professional services, financial, high tech, and healthcare industries to be favored by adversaries. These industries remain attractive targets for both financially and espionage motivated actors.

Targeted Attacks

Exploits continued to be the most leveraged initial infection vector used by adversaries in Mandiant investigations conducted in 2022. In intrusions where the initial infection vector was identified, 32% of intrusions began with an exploit.

In 2022, phishing returned to the second most utilised vector for initial infection observed in intrusions, representing 22% of intrusions where the initial infection vector was identified.

Phishing continues to be a lucrative and mainstay vector for adversaries’ year over year.

In EMEA, phishing was leveraged by adversaries in 40% of investigations where an intrusion vector was identified. This variety of vectors used across regions likely indicates that adversaries are not leveraging the same attack paths to accomplish their missions.

Adversaries leveraged stolen credentials more often in 2022 than 2021 in investigations where the initial infection vector was identified, at 14% and 9% respectively.

Adversary Operations

Mandiant investigations where an adversary was identified seeking financial gain decreased in 2022 by 4%. However, financially motivated intrusions still comprised over a quarter of intrusions investigated by Mandiant.

In 40% of intrusions in 2022 data theft was prioritised. In 19% of those intrusions (8% of all intrusions) the data stolen was used by the threat actor during negotiations for payment.

Threat Groups

Mandiant track over 3500 threat groups, including 900+ newly tracked groups, 265 threat groups were first identified during Mandiant investigations in 2022. A total of 343 unique threat groups across all intrusions in 2022.

In more than a quarter of investigations Mandiant were able to identify multiple threat groups within the same environment, some threat groups were even seen working together to accomplish a central goal.

Malware

In 2022, Mandiant began tracking 588 new malware families to increase its knowledge base of malware. 49 new malware families were identified every month across 2022, compared to 45 new families in 2021.Of the 588 newly tracked malware families, the top five categories consisted of backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%) and launchers (5%).

Threat Techniques

Mandiant continues to support the community by mapping its findings to the MITRE ATT&CK framework. Organisations should prioritise which security measures to implement based on the likelihood of a specific technique being used during an intrusion.

The Invasion of Ukraine – Cyber Operations during war time

Russia began amassing troops along its border with Ukraine in the fall of 2021, prompting warnings from U.S. and European officials of the threat of a Russian invasion. Mandiant identified extensive cyber espionage, disruptive and destructive cyber-attacks, and information operations leading up to and since Russia’s invasion of Ukraine on February 24, 2022.

Intrusion Activity

Mandiant observed multiple threat groups conducting intrusion campaigns in the timeframe leading up to the invasion. Most notably, we observed activity by UNC2589 and APT28 prior to the invasion of Ukraine.

Russia’s invasion of Ukraine has demonstrated the potential overlap of cyber operations and kinetic warfare as a new de facto standard. The war has consumed almost every aspect of Russia’s international relationships and has evolved as nearly the sole driver of cyber threat activity from Russia in 2022.

North Korea’s Financial Operations Continue to Evolve

Since at least 2016, threat actors associated with the Democratic People’s Republic of Korea (DPRK)
have expanded cyber operations beyond traditional espionage collection and disruptive attacks to leverage their capability for financially motivated campaigns and intrusions.

Alongside their traditional intelligence collection missions, in 2022 DPRK operators showed more interest in stealing-and using-crypto, with they activity expanding to new parts of the digital asset ecosystem as the regime looks to mitigate the economic impact sanctions.

For years, North Korea has reportedly conducted various illicit financial activities to fund the regime. The explosive growth of cryptocurrency is converging with aggressive and flexible North Korean cyber capabilities, making it natural that at least some North Korean threat groups would expand operations into this sector.

Shifting Focus and Uncommon Techniques Brought Threat Actors Success in 2022

In 2022, Mandiant investigated a series of high-profile intrusions that were successful and impactful to the targeted organisations despite significant deviations from common threat actor behaviours.

In early 2022, a group of cyber criminals made headlines when they began to target major international corporations in highly publicised, and often sensationalised, intrusions. The group, which Mandiant tracks as UNC3661 and is publicly referred to as “Lapsus,” conducted a wide range of malicious activity inside targeted organisations.

Both UNC3661 and UNC3944 relied on a combination of stolen credentials and clever social engineering to gain initial access to targeted environments. Once implanted inside an organisation’s network, both UNC3661 and UNC3944preferred to use tools available on the various endpoints on which they had gained access. This operating model, sometimes referred to as ‘Living off the Land’, removes the chance an attacker will be detected while transporting tools or malware into the environment. A common theme for both threat clusters is the oversized impact of theirintrusions without relying on zero-days, custom malware, or new tools.

While the evolution of cybercrime from ransomware to multifaceted extortion operations has seen an increase in direct interaction with the members of targeted organisations, the interactions under-taken by groups such as UNC3661 and UNC3944 bear a different flavour altogether. The activities put on display by these groups speak more to a confluence of financial motivation and a desire for notoriety.

The common thread between Lapsus and UNC3944 is simple; both groups realized the value in targeting credentials and accounts rather than endpoints.

Red Team Case Study

Mandiant’s Report also includes a case study from their red team, Mandiant red team engagements help organisations evaluate their security program’s capabilities against real-world attack scenarios and improve theirsecurity postures. Mandiant works with a wide range of clients, from financial institutions to manufacturers to global healthcare companies.

Mandiant has observed threat actors leverage non-traditional social engineering channels, including targeting users through platforms such as WhatsApp and LinkedIn, as well as using SMS and voice phishing (vishing).

Using a cloud-based service, they created a customized call centre with a telephone number similar to the customer’s own IT helpdesk number. This meant that the Caller ID of incoming calls from this number would look familiar, and any branch offices returning calls were less likely to think the number looked suspicious.

The red team called the reception desk at several branch offices to arrange an appointment for a “technician” to visit the site and install some new software. In reality, the “technician” would be a Mandiant employee, and the “software” was custom malware Mandiant created to allow remote access to the network while evading detection by defensive controls. Through the custom call centre setup, incoming calls were routed to a pool of red team members.

Once a branch office confirmed the appointment, the red team tasked a consultant in that region to visit the office the same week. The consultant arrived at the site wearing a badge that had been fabricated based on images of employee badges the red team had gathered during open-source intelligence gathering (OSINT).

Client staff at the regional office provided the red team operator unsupervised access to each workstation. The operator used this access to install Mandiant’s custom command and control (C2) malware on each machine, ensuring the malware would restart if the device rebooted by performing a “COM Hijacking” attack. 

The red team had gained access to the client’s internal network but had not yet obtained credentials for any internal users that could allow them to move through the internal network.

Mandiant queried the client’s internal Domain Controller’s Kerberos service and obtained a list of several thousand valid usernames. The list of usernames was then used in the password-spraying attack targeting the client’s Azure cloud infrastructure. Password spraying attacks differ from traditional brute-force password guessing attacks, in which an attacker tries thousands of passwords for each user account hoping to find valid credentials.

Mandiant used Domain Administrator credentials to obtain a session on a domain controller performing the synchronization. Using open-source tooling which operated solely in-memory, Mandiant harvested the cleartext MSOLaccount password.

Outcomes

The constantly evolving cybersecurity landscape continuously produces new challenges for defenders and attackers alike. Threat actors constantly innovate on their approach to social engineering, which, in turn, pushes security personnel to develop better protections and training for users. Hybrid on-premises networks connected to the cloud create unique challenges in security that require extensive planning and operational changes to address, while attackers operate without similar limitations and are guided only by their objectives.

Similarly, multiple layers of identity management and application deployment create a new verticality to clientenvironments that must be secured. It is not uncommon for misconfigurations to arise as the implementation and design phases of cloud service migrations meet the hard reality of business operations. Organisations should consider testing their cloud architecture deployments to promote resilience against motivated, agile adversaries.

2022 Campaigns and Global Events

Every security organisation understands there are simply too many threat actors and vulnerabilities to track, mitigate, or otherwise address while maintaining business operations.

It is imperative that organisations use a data-driven approach to prioritise security efforts based on relative risk and on-the-ground intelligence.

Mandiant gains knowledge of threat actors during frontline investigations, analysis of public reporting, information sharing, and other research. In 2022, Mandiant Intelligence established the Campaign and Global Events (CGE) team to illuminate high-impact, multi-targeted intrusion activity and provide actionable threat intelligence to defenders. Each Campaign or Global Event profile includes indicators of compromise, notable adversary host commands, and in-depth analysis and context surrounding the tactics, techniques, and procedures (TTPs) used by the threat actors, complete with mappings to the MITRE ATT&CK framework.

APT29

APT29 is a cyber espionage threat group that has leveraged innovative TTPs against humanitarian groups, think tanks, defence, and diplomatic institutions in Europe and North America. Following the continued tensions between Russia and Ukraine in the beginning of 2022, Mandiant established the Ukraine Crisis Resource Centre to monitor and prepare the wider community for a potential increase in Russian Cyber Activity.

APT29 Conducts Phishing Campaign Targeting Multiple National Government Agencies APT29 sent phishing emails designed to appear as administrative notices related to embassies that were relevant to the targeted organisations. The phishing emails utilized legitimate but co-opted email addresses to send emails containing malicious attachments.

APT29 is a highly active and sophisticated threat group that has conducted numerous high-profile incidents globally. Most notably, the SolarWinds supply chain compromise that affected governments and corporations worldwide hasbeen attributed to APT29 by Mandiant. APT29’s evasion techniques will likely continue as they seek to avoid detection and accomplish their mission.

BASTA Ransomware

In mid-2022, Mandiant observed a significant shift in financially motivated activity from threat actors suspected to be based in Eastern Europe. In conjunction with increased public coverage and scrutiny of CONTI-affiliated actors, BASTA (aka BlackBasta) ransomware emerged onto the scene. CONTI operators developed a prolific crime syndicate that aggressively leveraged ransomware to extort victims. At the time, Mandiant suspected BASTA to be a rebrand by CONTI ransomware operators and affiliates, as a logical next step to avoid the increased scrutiny.

Mandiant continues to cluster and track ransomware activity based on unique TTPs in order to evaluate the evolution of the criminal underground. While these two campaigns represent the use of BASTA ransomware, the components of the incidents shed light on how different actors’ complete missions using the same ransomware variants.

USB-based Compromises leading to Financially Motivated and Espionage Related Threat Actor Activity

Throughout 2022, Mandiant observed several campaigns involving the use of infected USB drives and other external drives to spread malicious payloads. Responsible actors include a financially motivated group thought to be associated with the larger Evil Corp ecosystem, and espionage groups acting in accordance with Chinese nation-state interests. In response, Mandiant initiated multiple campaigns to track activity and threat clusters associated with the USB-based compromise.

Compromised removable devices are an effective technique for gaining access to a targeted environment and have resulted in impactful breaches. Without strict technical controls on removable drive usage, this provides threat actors with continual opportunities to gain access to an environment.

Global Events – Notable Vulnerabilities

As new vulnerabilities are discovered, questions commonly arise around whether attackers are already using the vulnerability to further their goals.

Mandiant initiated nine Global Events based on a variety of assessment criteria, these come from over 20,000 reported vulnerabilities in 2022.

Log4Shell – On December 09, 2021, a vulnerability in the Java logging framework Log4j was publicised by the Lunasec team and dubbed Log4Shell. This allowed for arbitrary Java code execution through malicious user input when processed via the Java Naming and Directory Interface (JNDI) features in Log4j.

Follina – March of 2022, Mandiant observed multiple suspected Chinese espionage clusters exploiting a zero-day vulnerability in the Microsoft Diagnostic Tool (MSDT) that allowed for the execution of arbitrary code.

VMware Vulnerability Changing – May 18, 2022, the U.S. Cybersecurity, and Infrastructure Security Agency (CISA)issued an Emergency Directive4 regarding threat actors chaining vulnerabilities in VMware products to gain privileged access to target systems.

Every security organisation understands there are simply too many threat actors and vulnerabilities to track, mitigate, or otherwise address while maintaining business operations. It is imperative that organisations use a data-driven approach to prioritise security efforts based on relative risk and on-the-ground intelligence.

Notable and Recently Graduated Threat Groups

APT42 – In August 2022, Mandiant graduated UNC788 to APT42. Active since at least 2015,
APT42 is a sophisticated cyber threat group that conducts espionage operations using highly targeted spear phishing and social engineering techniques. APT42 likely operates on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organisation (IRGC-IO) based on targeting patterns that align with the organisation’s operational mandates and priorities, including defending the regime against internal and external threats, pursuing perceived domestic enemies, and confronting “revolutionary” ideas emanating from the West.

APT42 activity poses a threat to foreign policy officials, commentators, and journalists working on Iran-related projects particularly those in the United States, the United Kingdom, and Israel. Additionally, the group’s surveillance activity highlights the real-world risk to individual targets, including Iranian dual-nationals, former government officials, and dissidents both inside Iran and those who previously left the country.

Given the long history of activity and imperviousness to infrastructure takedowns and media reports, we do not anticipate significant changes to APT42’s operational tactics and mandate. Nevertheless, the group has displayed an ability to rapidly alter its operational focus as Iran’s priorities changes over time with evolving domestic and geopolitical conditions.

Conclusion

Overall, attackers are not giving up. In fact, we’re seeing attackers cause bigger impacts with less skills. They’re also more brazen, and willing to get much more aggressive and personal to achieve their goals. They will bully and threaten and ignore the traditional cyber rules of engagement. It’s not enough to just protect systems these days, employees need to be protected as well.

At the heart of any cyber defence capability is the intelligence that drives it, and the best threat intelligence is gleaned directly from the frontlines. Mandiant will continue to share its frontline knowledge in M-Trends to improve our collective security awareness, understanding, and capabilities—and to ensure that organisations can stay relentless in their cyber security efforts.

If you would like to know more about our partnership with Mandiant and how we can help you, or if you have any questions surrounding their report, please contact us.