Attack dwell times drop, ransomware TTPs evolve, China ramps up espionage activity

Apr 19, 2022 | 6 mins

M-Trends 2022 report delivers detailed assessment of the evolving global cyber threat landscape highlighting prevalent attack vectors and most targeted industries.

Security system alert, warning of a cyberattack.
Credit: Matejmo / Getty Images

While significant progress is being made by global organizations in relation to threat detection and response, adversaries continue to surface, innovate, and adapt to target environments with diverse cyberattacks including new extortion and ransomware tactics, techniques, and procedures (TTPs). The data comes from Mandiant’s M-Trends 2022 report based on investigations of targeted attack activity conducted between October 1, 2020 and December 31, 2021. Among its various findings are insights into prevalent attack vectors, most targeted industries, and an increase in espionage activity linked to China.

Intrusion dwell times drop, internal vs. external detection significant

According to the research, global median dwell time, which is calculated as the median number of days an attacker is present in a target’s environment before being detected, decreased from 24 days in 2020 to 21 days in 2021. However, it was discovered that exactly how an incident is detected significantly impacts dwell time figures. For example, the global median dwell time for incidents that were identified externally dropped from 73 to 28 days, but incidents that were identified internally saw a lengthening of global median dwell time from 12 to 18 days.

External entities detected and notified organizations 62% faster in 2021 compared to 2020, something Mandiant attributed to improved external detection capabilities and more established communications and outreach programs. Interestingly, while median dwell time for internal detections was longer compared to 2020, internal detections were still 36% faster than external notifications, the report stated. In the EMEA and APAC regions, most intrusions in 2021 were identified by external third parties (62% and 76% respectively), whilst in the Americas, most intrusions were detected internally by organizations themselves (60%).

As for dwell time distribution, Mandiant found that things improved at both ends of the spectrum: 55% of investigations had dwell times of 30 days or fewer, with 67% of these discovered in one week or less. An observed spike in dwell times between 90 and 300 days in 20% of investigations could indicate intrusions going undetected until more impactful actions occur following the infection and reconnaissance phases of the attack lifecycle, or a disparity between organizational detection capabilities and the types of attacks they face, Mandiant said. However, fewer intrusions are going undetected for extensive periods of time, with only 8% having a dwell time of more than a year, it added.

New threat groups emerge, ransomware attackers evolve TTPs

Mandiant tracked more than 1,100 new threat groups during the reporting period, graduating two of them to named threat groups, FIN12 and FIN13. FIN12 is a financially motivated threat group behind prolific Ryuk ransomware attacks dating back to at least October 2018, while FIN13 is a financially motivated threat group that targets organizations based in Mexico, the report stated.

Mandiant also began tracking 733 new malware families, of which 86% were not publicly available, continuing the trend of new malware families being restricted in availability or likely privately developed, according to the report. Of the newly tracked malware families, the top five categories were backdoors (31%), downloaders (13%), droppers (13%), ransomware (7%), and launchers and credential stealers (tied at 5%). These remained consistent with previous years, Mandiant said. Overall, Beacon, Sunburst, Metasploit, SystemBC, Lockbit, and Ryuk.B were the malware families most frequently seen during intrusions across the reporting period.

Regarding ransomware, Mandiant observed attackers using new TTPs to deploy ransomware rapidly and efficiently throughout business environments, noting that the pervasive use of virtualization infrastructure in corporate environments (such as vCenter Server) has made it a prime target for ransomware attackers. Throughout 2021, VMware vSphere and ESXi platforms were targeted by multiple threat actors, including those associated with Hive, Conti, Blackcat, and DarkSide.

Attackers were detected turning on the ESXi Shell and enabling direct access via SSH (TCP/22) to ESXi servers to ensure that host access remained available, creating new local accounts for use on ESXi servers, and changing root account passwords to ensure organizations could not easily regain control of their infrastructure. Once access to ESXi servers was obtained, threat actors used SSH to upload their encryptor binary and any shell scripts that were required, Mandiant stated. The shell scripts were used to discover where virtual machines were located on ESXi datastores, forcefully stop any running virtual machines, optionally delete snapshots, and then iterate through datastores to encrypt all virtual machine disk and configuration files.
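Each of the host-level behaviours listed above (ESXi Shell enabled, SSH enabled, a new local account, a root password change, a script launched from the shell) is something a defender can watch for in ESXi host logs, and seeing several of them on one host within a short window is far more telling than any one alone. The following is an added example of that correlation logic, not code from Mandiant or the report. The log lines are constructed samples, and their field layout, the indicator regexes and the one-hour/three-indicator thresholds are assumptions chosen for illustration; a real deployment would key the patterns to the exact audit-event wording of its ESXi version and tune the window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real ESXi output). The "<timestamp> <host>
# <source>: <message>" layout is an assumption for this example only.
SAMPLE_LOG = """\
2021-11-03T02:14:05Z esx01 hostd: ESXi Shell has been enabled
2021-11-03T02:14:40Z esx01 hostd: SSH service has been enabled
2021-11-03T02:16:12Z esx01 hostd: Account 'svc_bkp' was created
2021-11-03T02:17:30Z esx01 hostd: Password was changed for account 'root'
2021-11-03T02:19:02Z esx01 sshd: Accepted password for svc_bkp from 10.0.0.5
2021-11-03T02:20:10Z esx01 shell: root: /bin/sh /tmp/run.sh
2021-11-02T09:00:00Z esx02 hostd: SSH service has been enabled
2021-11-02T09:05:00Z esx02 hostd: SSH service has been disabled
"""

# Behaviours from the report mapped to regexes over "<source>: <message>".
# The phrasings are assumed; match them to the audit events of the real host.
INDICATORS = {
    "shell_enabled": re.compile(r"ESXi Shell has been enabled"),
    "ssh_enabled": re.compile(r"SSH service has been enabled"),
    "account_created": re.compile(r"Account '[^']+' was created"),
    "root_password_changed": re.compile(r"Password was changed for account 'root'"),
    "script_run_from_tmp": re.compile(r"^shell: .*?/tmp/\S+\.sh"),
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):\s+(.*)$")


def parse_line(line):
    """Split one constructed log line into (timestamp, host, 'source: message').
    Returns None for lines that do not fit the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, source, msg = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, f"{source}: {msg}"


def scan_esxi_logs(text, window=timedelta(hours=1), threshold=3):
    """Return {host: sorted indicator names} for every host on which at least
    `threshold` distinct indicators occur within one `window` of each other.
    A lone SSH enable (as on esx02 below) is an admin action; the cluster of
    indicators on esx01 is what should page someone."""
    hits = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        for name, rx in INDICATORS.items():
            if rx.search(msg):
                hits[host].append((ts, name))

    alerts = {}
    for host, events in hits.items():
        events.sort()  # chronological, so each start opens a forward window
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts[host] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for host, names in scan_esxi_logs(SAMPLE_LOG).items():
        print(f"{host}: possible ransomware staging, indicators = {names}")
```

The threshold deliberately ignores single indicators, since enabling SSH for a maintenance task is routine; it is the co-occurrence of host-access changes, account changes and a script launch on the same host that matches the pattern described in the report.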

China reinvents cyber operations, ramps up espionage activity

Along with new and emerging threat groups and innovations in ransomware TTPs, Mandiant also discovered significant shifts in China’s approach to cyber operations to align with the implementation of the nation’s 14th Five-Year Plan in 2021. The report warned that the national-level priorities included in the plan signal an upcoming increase in China-nexus actors conducting intrusion attempts against intellectual property or other strategically important economic concerns, as well as defense industry products and other dual-use technologies over the next few years. Mandiant noted multiple Chinese cyber espionage actor sets using the same malware families across the reporting period, suggesting the possibility of a “Grand Quartermaster” developer.

Government organizations were the most targeted sector across all industries globally, with seven of the 36 active Chinese APT and UNC groups collecting sensitive information from public entities, according to the report. Mandiant suggested that some of the Chinese cyber espionage activity identified in 2021 relates to existing APTs or other clusters of UNCs.

Exploits most common attack vector, business and financial services most targeted sectors

Exploits were the most frequently identified initial infection vector in 2021, with 37% of attacks beginning with an exploit, an 8% increase over 2020. Supply chain compromise was the second most prevalent initial infection vector, accounting for 17% of intrusions in 2021 compared to less than 1% in 2020. Of note, 86% of supply chain compromise intrusions in 2021 were related to the SolarWinds breach and Sunburst.

Interestingly, the research found that far fewer intrusions were initiated via phishing in 2021, comprising only 11% compared to 23% in 2020. Mandiant said this reflects organizations’ improving ability to detect and block phishing emails as well as enhanced security training of employees to recognize and report phishing attempts.

Financially motivated intrusions continued to be a mainstay in 2021, with attackers seeking monetary gain in 30% of intrusions through methods such as extortion, ransom, payment card theft, and illicit transfers. Actors also prioritized data theft as a primary mission objective, with Mandiant identifying the theft of data in 29% of intrusions.

As for industries most targeted by adversaries, business/professional services and financial services topped the list across the globe, accounting for 14% of attacks each. Healthcare (11%), retail and hospitality (10%), and tech and government (both at 9%) rounded out the top five.

Organizations must respond to cyber threats with resilience

“This year’s M-Trends report reveals fresh insight into how threat actors are evolving and using new techniques to gain access into target environments,” stated Jurgen Kutscher, executive vice president, service delivery, at Mandiant in a press release. “In light of the continued increased use of exploits as an initial compromise vector, organizations need to maintain focus on executing on security fundamentals – such as asset, risk and patch management.”

Multi-faceted extortion and ransomware continue to pose huge challenges for organizations of all sizes and across all industries, with a specific rise in attacks targeting virtualization infrastructure, he added. “The key to building resilience lies in preparation. Developing a robust preparedness plan and well-documented and tested recovery process can help organizations successfully navigate an attack and quickly return to normal business operations.”

UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.