Threat Actors Increasingly Targeting Vulnerabilities for Initial Access
The exploitation of vulnerabilities in software and operating systems is becoming far more common for initial access to networks, with phishing declining in prevalence, according to Mandiant’s M-Trends 2024 Report. Manidant, part of Google Cloud, is a leading provider of dynamic cyber defense, threat intelligence, and incident response services. The latest report is based on data from Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023, and December 31, 2023.
Exploited software vulnerabilities were the initial access method in 38% of intrusions investigated by Manidant, up 6% from 2022, with phishing used for initial access in 17% of incidents, down from 22% in 2022. Attackers are increasingly targeting edge devices and are exploiting a wide variety of vulnerabilities. In 2023, Mandiant identified 97 unique zero-day vulnerabilities being exploited in the wild, up 56% from 2022. The exploitation of zero day vulnerabilities used to be limited to a small number of threat actors, typically nation-state cyberespionage groups. While state-sponsored threat actors continue to target zero-day flaws, especially China-nexus threat actors, ransomware and data extortion groups are increasingly acquiring and utilizing 0days, helped by the rise of commercially available turnkey exploit kits.
Threat actors are combining exploits of zero-day flaws with living-off-the-land techniques, which involve native, legitimate tools within a system to allow them to maintain persistence for longer and avoid detection. One of the reasons for the decline in phishing as an initial attack vector is the widespread adoption of multifactor authentication (MFA). While MFA is effective at preventing phishing attacks, Mandiant has identified an increase in the use of web proxies and adversary-in-the-middle phishing pages that can steal credentials and login session tokens to bypass MFA. Defenses can be improved against these attacks by adopting phishing-resistant MFA.
Mandiant has also observed an increase in malware, with 626 new malware families identified in 2023, more than any other year to date. The most common malware families were backdoors (33%), downloaders (16%), droppers (15%), credential stealers (7%) and ransomware (5%). The industries most commonly targeted by threat actors were financial services (17%), business and professional services (13%), high technology (12%), retail and hospitality (9%), and healthcare (8%), with attacks increasingly targeting cloud environments, as more organizations transition to the cloud. The most likely reason for targeting these sectors is they store a wealth of sensitive information, including proprietary business data, personally identifiable information, protected health information, and financial records.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Mandiant’s data show that organizations are getting better at identifying intrusions. Last year, attackers were present in networks for a median of 10 days before the intrusions were detected, down from a median of 16 days in 2022. “Defenders should be proud, but organizations must remain vigilant. A key theme throughout M-Trends 2024 is that attackers are taking steps to evade detection and remain on systems for longer, and one of the ways they accomplish this is through the use of zero-day vulnerabilities,” Jurgen Kutscher, Vice President, Mandiant Consulting at Google Cloud, told The HIPAA Journal. “This further highlights the importance of an effective threat hunt program, as well as the need for comprehensive investigations and remediation in the event of a breach.”
