Mandiant: M-Trends 2024 Threat Report (English version) (87 pages).pdf


EMBARGO
SPECIAL REPORT: MANDIANT M-TRENDS 2023
M-Trends 2024 Special Report
Google Cloud Security

Table of Contents

Introduction 3
By the Numbers 5
  Global Trends 6
  Campaigns and Global Events 31
  Regional Trends 34
    Americas 34
    JAPAC 39
    EMEA 44
  MITRE ATT&CK 49
Articles 60
  Chinese Espionage Operations Targeting The Visibility Gap 61
  Attacker Operations Involving Zero-Days Vary Depending on Motivation 66
  Evolution of Phishing Amid Shifting Security Controls 70
  How Attackers Leverage AiTM to Overcome MFA 75
  Cloud Intrusion Trends 78
  Artificial Intelligence in Red (and Purple) Team Operations 81
Conclusion 83
Bibliography 85

Introduction

One of the big takeaways from our 2023 engagements, and consequently a key theme of M-Trends 2024, is that attackers are focusing more on evasion. They are aiming to avoid detection technologies (such as endpoint detection and response) and maintain persistence on networks for as long as possible, either by targeting edge devices, leveraging "living off the land" and other techniques, or through the use of zero-day vulnerabilities in security and other solutions prevalent throughout enterprises.

Despite attackers' efforts to evade detection, defenders are continuing to get better at identifying compromises. The global median dwell time (dwell time is the number of days an attacker is on a system from compromise to detection) continued its downward trend in 2023, and is now 10 days (from 16 days in the previous year). It's a big victory for the good guys, but ransomware is still a key factor in driving down dwell time since it tends to be detected more quickly. Furthermore, Mandiant red teams typically achieve their objectives in 5 to 7 days, so defenders must remain vigilant.

M-Trends 2024 features data and other security metrics that readers have come to expect, highlights zero-day use by espionage and financially-motivated attackers, and dives deep into evasive actions conducted particularly by Chinese espionage groups. Other key takeaways in this report include:

- Evolving phishing trends such as attacker use of social media, SMS and other communications technologies
- Tactics to bypass multi-factor authentication such as adversary-in-the-middle and other techniques
- Cloud intrusion trends such as targeting of cloud infrastructure as well as attacker use of cloud resources
- Use of AI in red and purple team engagements, with a focus on how new technologies can help produce better outcomes for organizations

Mandiant consultants are always on the frontlines, investigating and analyzing the latest cyber attacks, and understanding how best to defend against them. Consultants proactively assess clients against the latest attacker tactics, techniques and procedures, and help with remediation, transformation and education. Through the release of our annual M-Trends report, we share our learnings with the greater security community, building on our dedication to providing critical knowledge to those tasked with defending organizations.

The information in this report has been sanitized to protect the identities of victims and their data.

By the Numbers

Global Trends

Detection by Source

In 2023, more than half of compromised organizations (54%) first learned of a compromise from an external source, while 46% first identified evidence of a compromise internally. However, separating out ransomware-related intrusions reveals that it was much more common for an organization to learn of a ransomware-related incident from an external source. For ransomware-related intrusions, 70% of organizations were externally notified, in most cases via a ransom demand from the attacker. For intrusions that were not linked to ransomware, the ratio of internal versus external discovery was even, 50% to 50%. Of the internally discovered intrusions, 85% did not involve ransomware.

The percentage of externally notified intrusions decreased from 63% in 2022 to 54% in 2023. Mandiant also responded to more ransomware-related intrusions in 2023 than in 2022. Ransomware events are most often discovered through external means. Despite this, Mandiant observed a nine point drop in external notifications. This year-over-year shift, along with the high proportion of internally discovered compromises in cases other than ransomware, suggests that organizations are experiencing higher rates of success in detecting malicious behavior on their networks.

Internal detection is when an organization independently discovers it has been compromised, such as through an internal security appliance alert or internal personnel notification of suspicious activity. External notification is when an outside entity, such as law enforcement agencies, cybersecurity companies, or industry partners, informs an organization it has been compromised. In some cases, attackers will perform this notification, such as through a ransom note.

The metrics reported in M-Trends 2024 are based on Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023 and December 31, 2023.

[Figure: Detection by Source, 2011-2023 (external detection vs. internal detection, percent of investigations). 2023: 54% external, 46% internal.]

Ransomware-Related Intrusions

In 70% of cases, organizations learned of ransomware-related intrusions from external sources. Organizations were notified of a ransomware incident by an attacker ransom note in three fourths of those intrusions. This is consistent with the extortion business model in which attackers intentionally and abruptly notify organizations of a ransomware intrusion and demand payment. The remaining quarter of external notifications for ransomware intrusions came from external partners, such as law enforcement or security companies. In 2022, attacker notifications represented two thirds of external notifications for ransomware intrusions, compared to one third coming from external partners.

A ransomware-related intrusion provides access for or is associated with an attacker that has the primary goal of encrypting data, with the intention of extracting payment from the target in order to avoid further harm or to undo the malicious action.

[Figure: Detection by Source, 2023 (percent of intrusions). Ransomware: 70% external detection, 30% internal detection. Non-ransomware: 50% external, 50% internal.]

[Figure: Ransomware External Notification Source, 2023. Adversary notification 76%, external partner 24%.]

Dwell Time

Global median dwell time continued a downward trend, marking another notable shortest time period between initial intrusion and detection for all M-Trends reporting periods. In 2023, most organizations detected intrusions within 10 days of the initial intrusion. This is a decline of nearly one week compared to 16 days in 2022.

Mandiant defenders observed notable improvements in global median dwell time in 2023 across all notification sources. With the shortest periods across the board, global median dwell time for external notification sources decreased to 13 days in 2023 from 19 days in 2022. This likely indicates improved communication between organizations targeted and external parties making notifications. Another likely explanation for this decrease could be the increase of ransomware-related adversary notifications.

Maintaining the ongoing trend, when defenders detect adversary intrusions internally, they do so faster than the overall median dwell time. The global median dwell time for intrusions detected internally was nine days in 2023, down from 13 days in 2022 and from 18 days in 2021.

Dwell time is calculated as the number of days an attacker is present in a compromised environment before they are detected. The median represents a value at the midpoint of a dataset sorted by magnitude.

[Figure: Global Median Dwell Time, 2011-2023 (days), by notification source: All, External, Internal. 2023: All 10, External 13, Internal 9. Change in median dwell time: 16 days in 2022 to 10 days in 2023.]

Global Dwell Time Distribution

Dwell time distribution measures the percentage of Mandiant-investigated intrusions with a specific range of dwell time. In 2023, Mandiant experts continued to see intrusions detected earlier, with 43% of intrusions being detected in one week or less. Nearly two thirds of all intrusions in 2023 were detected within 30 days. This likely indicates that detection capabilities continue to improve across organizations, allowing defenders to be notified of threats during the initial infection or reconnaissance phases of the targeted attack lifecycle, similar to previous M-Trends reports.

Mandiant observed a decrease in intrusions that remain undiscovered for long periods of time compared to previous years. In 2023, 6% of investigations identified activity that remained undetected for between 1 and 5 years, compared to 11% in 2022 and higher percentages prior to 2020. Although organizations are still facing intrusions that go undetected for longer periods of time, defenders will likely see the distribution of dwell time move to the left as external parties, such as security vendors and law enforcement, increase their involvement and pace of notifications. However, detection capabilities and continuous hunting throughout environments have been effective at unearthing long-standing intrusions. As actionable information is shared, detection capabilities will continue to improve. Broadly, the long-term trends of declining median dwell time and increasing rates of internal discovery of compromises indicate that organizations have made meaningful, measurable improvements in their defensive capabilities.

[Figure: Global Dwell Time Distribution, 2018-2023 (percent of intrusions per dwell-time range: 1 week or less, 30 days or less, 6 months or less, 1 year or less, 5 years or less, 5 years or more).]
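The metrics defined in the Dwell Time and Global Dwell Time Distribution sections above (median dwell time, its split by notification source and by ransomware involvement, the dwell-time distribution ranges, and the external-notification share from Detection by Source) can be reproduced over any incident dataset. The Python below is an added illustration and is not Mandiant's code or data: the intrusion records are constructed, the day thresholds used to map the report's ranges onto days (7, 30, 183, 365 and 1825) are an assumption made here, and the function names are the example's own.

```python
"""Dwell-time and detection-source metrics over a constructed incident set.

Added illustration, not Mandiant's code or data. Definitions follow the
report's prose: dwell time is the number of days from initial compromise to
detection, the median is the midpoint of the sorted values, and the
distribution is bucketed by the report's ranges. The day thresholds used for
those ranges are an assumption made here.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Intrusion:
    compromised: date    # first evidence of attacker presence
    detected: date       # first detection (internal alert or external notice)
    source: str          # "internal" or "external"
    ransomware: bool     # True if the intrusion was ransomware-related

    @property
    def dwell_days(self) -> int:
        return (self.detected - self.compromised).days


# Constructed sample records (illustrative only, not report data).
SAMPLE: List[Intrusion] = [
    Intrusion(date(2023, 1, 2),  date(2023, 1, 5),  "external", True),   # 3 days
    Intrusion(date(2023, 2, 10), date(2023, 2, 14), "internal", True),   # 4 days
    Intrusion(date(2023, 3, 1),  date(2023, 3, 10), "internal", False),  # 9 days
    Intrusion(date(2023, 4, 1),  date(2023, 4, 25), "external", False),  # 24 days
    Intrusion(date(2022, 11, 1), date(2023, 5, 15), "external", False),  # 195 days
    Intrusion(date(2021, 6, 1),  date(2023, 7, 1),  "internal", False),  # 760 days
    Intrusion(date(2023, 8, 1),  date(2023, 8, 2),  "external", True),   # 1 day
    Intrusion(date(2023, 9, 1),  date(2023, 9, 8),  "internal", False),  # 7 days
]

# The report's ranges as (label, inclusive upper bound in days); assumed mapping.
BUCKETS = [
    ("1 week or less", 7),
    ("30 days or less", 30),
    ("6 months or less", 183),
    ("1 year or less", 365),
    ("5 years or less", 5 * 365),
]
LAST_BUCKET = "5 years or more"


def _select(intrusions: List[Intrusion], source: Optional[str] = None,
            ransomware: Optional[bool] = None) -> List[Intrusion]:
    """Filter by notification source and/or ransomware involvement."""
    return [i for i in intrusions
            if (source is None or i.source == source)
            and (ransomware is None or i.ransomware == ransomware)]


def median_dwell(intrusions, source=None, ransomware=None) -> Optional[float]:
    """Median dwell time in days for the selected subset; None if it is empty."""
    days = [i.dwell_days for i in _select(intrusions, source, ransomware)]
    return median(days) if days else None


def bucket(days: int) -> str:
    """Map a dwell time in days to the report's distribution range."""
    for label, limit in BUCKETS:
        if days <= limit:
            return label
    return LAST_BUCKET


def dwell_distribution(intrusions: List[Intrusion]) -> Dict[str, float]:
    """Percent of intrusions in each dwell-time range (rounded to one decimal)."""
    counts = {label: 0 for label, _ in BUCKETS}
    counts[LAST_BUCKET] = 0
    for i in intrusions:
        counts[bucket(i.dwell_days)] += 1
    total = len(intrusions)
    return {label: round(100.0 * n / total, 1) if total else 0.0
            for label, n in counts.items()}


def external_notification_rate(intrusions, ransomware=None) -> Optional[float]:
    """Percent of the selected intrusions first learned of from an external source."""
    subset = _select(intrusions, ransomware=ransomware)
    if not subset:
        return None
    external = sum(1 for i in subset if i.source == "external")
    return round(100.0 * external / len(subset), 1)


if __name__ == "__main__":
    print("median dwell (all):", median_dwell(SAMPLE))
    print("median dwell (internal):", median_dwell(SAMPLE, source="internal"))
    print("median dwell (external):", median_dwell(SAMPLE, source="external"))
    print("median dwell (ransomware):", median_dwell(SAMPLE, ransomware=True))
    print("distribution:", dwell_distribution(SAMPLE))
    print("external notification, ransomware:",
          external_notification_rate(SAMPLE, ransomware=True))
```

Each metric takes the same record list, so the median split by source or by ransomware involvement and the external-notification share are just filtered views of one dataset, and an empty subset returns None rather than a misleading zero.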

Investigations Involving Ransomware

In 2023, global investigations involving ransomware increased five percentage points to 23% of investigations, compared to 18% in 2022. This brings the percentage of ransomware-related intrusions back to where it was previously in 2021. Globally, organizations detected ransomware or received a ransom demand faster in 2023 (in five days, compared to nine days in 2022) regardless of notification source. Non-ransomware-related intrusions were detected in 13 days, compared to 17 days in 2022. Intrusions involving ransomware were detected in six days when the notification came from an internal source, compared to 12 days in 2022. Defenders were notified of ransomware-related intrusions from an external party in five days in 2023, two days quicker than what was observed in 2022.

[Figure: Global Dwell Time by Investigation Type, 2023 (percent of investigations by dwell time). Median days: all investigations 10, ransomware investigations 5, non-ransomware investigations 13. Change in global investigations involving ransomware: 18% in 2022 to 23% in 2023. Change in global dwell time, ransomware: 9 days in 2022 to 5 days in 2023. Change in global dwell time, non-ransomware: 17 days in 2022 to 13 days in 2023.]

Ransomware attacks have continued to be a driving factor in reducing dwell time over the years. However, in 2023, Mandiant experts observed notable improvements in decreased dwell time across all notification sources and investigation types. Intrusions that did not involve ransomware were identified in a shorter period of time in 2023. Notably, intrusions that occurred in 2023 were identified internally in a little over a week, with nine days between initial intrusion and detection, compared to 13 days in 2022. Organizations were notified by an external party of an intrusion one week faster in 2023, resulting in a 20-day median dwell time for externally notified, non-ransomware-related intrusions, compared to 27 days in 2022.

[Figure: Global Median Dwell Time by Detection Source (days). Ransomware: internal detection 6, external detection 5. Non-ransomware: internal detection 9, external detection 20.]

Industry Targeting

In 2023, Mandiant most frequently responded to intrusions at financial services organizations, followed by business and professional services, high tech, retail and hospitality, and healthcare. All of these sectors have access to a variety of sensitive information, including proprietary business information, personally identifiable information (PII), protected health information (PHI), and financial data. Attackers have also abused service providers and technology organizations to facilitate third-party compromises or to obtain access to data or networks belonging to many organizations through a single compromise. Mandiant consistently finds these sectors toward the top of the list for share of investigations. Government sector investigations declined from first to tied for fifth with healthcare in 2023, potentially reflecting fewer new investigations related to the war in Ukraine compared to 2022.

[Figure: Global Industries Targeted, 2023 (percent of investigations by industry): Financial 17.3%, Business and Professional Services 13.3%, High Tech 12.4%, Retail and Hospitality 8.6%, Healthcare 8.1%, Government 8.1%; the remaining industries shown (Entertainment and Media, Transportation and Logistics, Education, Utilities, Construction and Engineering, Energy, Telecommunications, Nonprofits, Agricultural and Forestry, Aerospace and Defense, Other) each account for a smaller share.]

Targeted Attacks

Initial Infection Vector

In 2023, Mandiant experts once again saw exploits used as the most prevalent adversary initial infection vector. In intrusions where the initial intrusion vector was identified, 38% of intrusions started with an exploit. This is a six percentage point increase from 2022, consistent with what defenders faced in 2021. For more information, please see "Attacker Operations Involving Zero-Days Vary Depending on Motivation".

Phishing remained the second most common intrusion vector. However, it declined in 2023, with 17% of intrusions, compared to 22% in 2022. Phishing remains an effective method to establish an initial foothold and a popular threat vector for adversaries. Full analysis can be found in "Evolution of Phishing Amid Shifting Security Controls".

Prior compromises were the third most significant intrusion vector used by attackers in 2023. Mandiant investigators noted a three percentage point increase in 2023 compared to what was observed in 2022, with 15% of intrusions beginning with access provided by a prior compromise. This increase is likely related to the ransomware ecosystem and the continued partnership between ransomware affiliates and various malware operators selling initial access.

[Figure: Initial Infection Vector (When Identified), 2023: Exploit 38%, Phishing 17%, Prior Compromise 15%, Stolen Credentials 10%, Brute Force 6%; the remaining vectors shown (Web Compromise, Server Compromise, Third-Party Compromise, Phishing (Social Media), SIM Swap, Other) each account for a smaller share.]

Stolen credentials pose a serious security risk to organizations and were the fourth most notable initial intrusion vector in 2023. Attackers often obtain credentials due to password reuse or users inadvertently downloading trojanized software on corporate devices. Infostealers are frequently delivered through trojanized software. In 2023, 10% of intrusions began with evidence of stolen credentials, compared to 14% observed in 2022. The prevalence of both widespread information stealer malware and credential purchasing continue to challenge defenders.

Brute-force attacks round out the top five initial intrusion vectors observed in 2023, representing 6% of intrusions. Proper implementation of multi-factor authentication has been pivotal to slowing down attackers in their attempts to compromise environments.

Attackers continue to leverage effective tactics to gain access to target environments and conduct their operations. While the most popular infection vectors fluctuate, organizations must focus on defense-in-depth strategies. This approach can help mitigate the impact of both common and less frequent initial intrusion methods.

In 2023, when the initial intrusion vector was identified, an exploit was observed 38% of the time. Mandiant continues to observe both cyber espionage and financially motivated attackers leveraging zero-day vulnerabilities to conduct their operations. The most prevalent vulnerability Mandiant investigators observed in 2023 was CVE-2023-34362,[1] an SQL injection vulnerability in MOVEit Transfer that Mandiant rated as high risk.[2] The second most prevalent vulnerability was CVE-2022-21587, a critical unauthenticated file upload vulnerability in Oracle E-Business Suite. The third most prevalent vulnerability in 2023 was CVE-2023-2868, a critical command injection vulnerability in Barracuda Email Security Gateways (physical appliances). These vulnerabilities were heavily exploited by attackers, and notably the first and third most targeted vulnerabilities were related to edge devices. For more information on the continued targeting of these devices, please see "Chinese Espionage Operations Targeting The Visibility Gap". However, Mandiant experts also observed attackers' continued use of exploits throughout the attack lifecycle to maintain access, move laterally, and complete their mission. Mandiant continues to observe a handful of vulnerabilities related to older technologies, such as Microsoft Access 2003 (CVE-2008-2463),[3] Microsoft Windows Server 2016 (CVE-2017-0144),[4] and Telerik (CVE-2019-18935).[5]

[Figure: Most Frequently Seen Vulnerabilities, 2023: MOVEit Transfer (CVE-2023-34362), Oracle Web Applications Desktop Integrator (CVE-2022-21587), Barracuda ESG (CVE-2023-2868).]

Post-Compromise Activity

Financial Gain

The proportion of intrusions Mandiant responded to that served financially motivated objectives increased from more than a quarter of all investigations, 26%, in 2022 to more than a third, 36%, in 2023. Ransomware-related intrusions represented almost two thirds of financially motivated intrusions and 23% of all 2023 intrusions. The remaining financially motivated intrusions included data theft extortion without ransomware encryption, attackers establishing initial access to facilitate other operations, business email compromise (BEC) fraud, and cryptocurrency theft events. Mandiant attributed several financially motivated intrusions to likely North Korean[6] state-sponsored attackers, including cryptocurrency theft and IT worker wage theft. Mandiant continues to track North Korean threat groups that conduct financially motivated activity to cover both operational costs as well as larger scale activity intended to generate revenue for the state.[7]

The upward trend in ransomware and other extortion-related investigations in 2023 is consistent with Mandiant and open-source observations of a marked increase in listings on data leak sites (DLS) and extortion revenue estimates.[8] DLS are websites where the illicitly retrieved data of companies that refuse to pay a ransom are published. While this data is skewed toward targets who refused to pay attackers' ransom demands, it is still useful for understanding broad trends in extortion operations. The FIN11 MOVEit exploitation campaign and UNC3944[9] activity described in the Evolution of Phishing section showcase the prevalence of extortion intrusions without ransomware encryption.

[Figure: Financial Gain, 2020-2023 (direct financial gain vs. no direct financial gain observed): 26% in 2022, 36% in 2023; ransomware 23% of 2023 intrusions. Count of DLS Listings per Quarter, 2021-2023.]

Data Theft

Mandiant identified data theft in 37% of 2023 intrusions, which is slightly lower than the 40% of intrusions reported in 2022. In 11% of intrusions, attackers directly monetized stolen data through extortion. In an additional 7%, they used a combination of data theft, ransomware, and extortion, also known as multifaceted extortion. Mandiant also observed attackers steal credentials and other data likely to facilitate reconnaissance of target networks. Several cases involved large-scale data theft that included intellectual property. Mandiant also identified instances of targeted or selective data theft by groups such as the Russian cyber espionage group APT29[10] and the suspected Chinese cyber espionage cluster UNC4841.[11]

[Figure: Data Theft, 2020-2023 (observable data theft vs. no observable data theft): 40% in 2022, 37% in 2023. Data Theft, 2023: 37% in total, of which extortion 11% and multifaceted extortion 7%.]

Environment

In 2023, Mandiant experts continued to observe attackers use compromised architecture to conduct email spam, distribute botnets, and perform some types of cryptomining activity. During the past three years, intrusions related to compromised architecture have been heavily automated following the mass exploitation of vulnerabilities. Publicly released proof-of-concept (PoC) code for new exploits increases the ease of automating attacks, accelerating the attack cycle for adversaries abusing compromised infrastructure. Publicly available PoC code for vulnerabilities makes it simple for attackers to automate their exploits using scanning tools.

In 2023, Mandiant noted a decrease in the number of investigations that identified multiple threat groups in a single environment. In 17% of investigations, Mandiant experts uncovered more than one threat group operating in the target environment. This likely is related to the volume of targeted zero-days that Mandiant investigated. The 10 percentage point decrease from 2022 (27%) suggests a positive trend, potentially resulting from defenders' efforts to limit the ability of additional attackers to infiltrate environments.

[Figure: Compromised Architecture: 6% in 2022, 6% in 2023. Multiple Threat Groups Identified (per environment): 27% in 2022, 17% in 2023.]

Threat Groups

Mandiant tracks more than 4,000 threat groups, 719 of which were newly tracked in 2023. Mandiant investigators encountered 316 different threat groups when responding to intrusions in 2023; 220 groups were both newly tracked and observed in Mandiant investigations in 2023. These counts are largely in line with 2022 observations. For example, in 2022, 265 groups were both newly tracked and observed in Mandiant investigations.

In 2023, organizations faced intrusions by two named advanced persistent threat (APT) groups from Russia and Iran; four named financial threat (FIN) groups; and 310 uncategorized (UNC) groups. While 253 of these UNC groups were newly identified, Mandiant has tracked the remaining 57 UNC groups for periods ranging from one to 10 years. This distribution of threat groups suggests that organizations contend with both established and new threats on a regular basis.

Mandiant tracks Advanced Persistent Threat (APT) groups 0-43. Over the years, APT11 and APT13 were merged into other groups and subsequently deprecated, resulting in 42 APT groups actively tracked by Mandiant.

An observed threat group is a threat group Mandiant investigators encountered during incident response investigations.

[Figure: 2023 threat group activity. Newly tracked threat groups: 719. Newly tracked and observed threat groups: 220. Observed threat groups: 316. Total groups tracked: 4,000+. Active UNC groups: 310 (active espionage UNCs with geolocations listed as Russia, Iran, North Korea and China; active financially motivated UNCs with geolocations listed as Russia, North Korea, Iran, China and Nigeria; other UNCs with geolocations listed as China, Russia, India and Switzerland). Active APT groups: 2 (Russia and Iran), out of 42 tracked, 1 group graduated. Active FIN groups: 4 (geolocations listed as United States, Malaysia, the Philippines, Mexico and Ukraine). 189 clusters merged in 2023.]

More than half of the attackers observed in 2023 (52%) were primarily motivated by financial gain, and 10% principally pursued espionage activities. A very small percentage, just 2%, included threat clusters Mandiant judged to be operating for hacktivist motivations, attackers focused on disruption or destruction, and pentesters. For the remaining 36% of threat clusters, there was not sufficient evidence to determine a specific motivation with a high degree of confidence. Compared to 2022, Mandiant observed modest declines in the proportion of attackers pursuing objectives of espionage, disruption and destruction, hacktivism, and influence operations. Financially motivated groups made up a larger share of observed attackers in 2023, 52%, compared to 48% in 2022, a shift at least partially explained by the growth in ransomware- and extortion-related activity in 2023.

Graduation

In 2023, Mandiant graduated one new named threat group, APT43, and merged 189 activity clusters into other threat groups based on extensive research into activity overlaps. For details on how Mandiant defines and references UNC groups and merges, please see "How Mandiant Tracks Uncategorized Threat Actors."[12]

APT43

APT43 is a prolific cyber operator that supports the interests of the North Korean Government. The group combines moderately sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S. government organizations, academics, and think tanks focused on geopolitical issues surrounding the Korean Peninsula. In addition to its espionage campaigns, we believe APT43 funds itself through cyber crime operations to support its primary mission of collecting strategic intelligence. The group creates numerous spoofed and fraudulent personas for use in social engineering as well as cover identities for purchasing operational tooling and infrastructure. APT43 has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in North Korea's cyber apparatus. For more details, see the full APT43 report.[13]

UNC Group

When Mandiant encounters new threat activity that cannot confidently be linked to an existing group, a UNC group designation is created to tie together observable artifacts associated with the activity cluster. As new information and artifacts are discovered that can be tied back to the same activity cluster, Mandiant analysts build on the initial understanding of the attacker, potentially merging it with other tracked threat clusters and ultimately graduating the UNC to an APT or FIN group.

[Figure: Observed Threat Groups by Goal, 2023 (percent of threat groups): Financial Gain 52%, Unknown 36%, Espionage 10%, Other 2%.]

Malware

In 2023, Mandiant began tracking 626 new malware families, 128 of which were seen in incident response investigations. This is the highest number of net new malware families Mandiant has identified in a single year to date. However, this figure is not drastically higher than the 588 malware families that were newly tracked in 2022, which suggests that adversaries could be increasing their toolsets at a similar rate. While Mandiant observed an increase in the number of newly tracked malware families in 2023, the total number of observed families declined from 321 to 277. This decrease may reflect the increased use of previously established tools and/or the rising number of compromises that use no malware at all. Of all 277 malware families observed in intrusions, 128 were newly tracked in 2023.

[Figure: Newly tracked malware families 626; newly tracked and observed malware families 128; observed malware families 277.]

New Malware Families by Category

The top five malware categories have remained relatively consistent year over year. Of the 626 newly tracked malware families, the top five categories include backdoors (33%), downloaders (16%), droppers (15%), credential stealers (7%), and ransomware (5%). Newly tracked credential stealers return to the top five categories in 2023 after a brief hiatus observed in 2022. Another notable change in rankings is the decrease in newly tracked ransomware families, from 7% of malware families to 5% of newly tracked families in 2023. Although Mandiant responded to a similar proportion of ransomware intrusions in 2023 as in 2021, the decline in net new ransomware families may reflect the prevalence of ransomware strains that existed prior to 2023, such as LOCKBIT, ALPHV, BASTA, and ROYALLOCKER.

A malware category describes a malware family's primary purpose. Each malware family is assigned only one category that best describes its primary purpose, regardless of functionality for more than one category.

[Figure: Newly Tracked Malware Families by Category, 2023: Backdoor 33%, Downloader 16%, Dropper 15%, Credential Stealer 7%, Ransomware 5%; the remaining categories shown (Datamine, Launcher, Other) make up the rest.]

Observed Malware Families by Category

Observed malware family categories were also relatively consistent with the findings from previous years. Mandiant experts observed 277 malware families during investigations conducted in 2023. Backdoors remain the favorite among attackers, making up 34% of the observed malware dataset. This is up one percentage point from 2022. The remaining observed malware family categories show ransomware (11%), droppers (9%), downloaders (9%), and tunnelers (6%) rounding out the top five. Mandiant continues to see a rise in attacker use of remote administration tools and other utilities to conduct their operations, noted in the continued increase in the "Other" category year over year. Of the 20% of malware families in this category, 8% represent legitimate utilities or remote administration tools. While not inherently malicious, attackers often leverage these tools in intrusions to evade detection, demonstrating their continued resourcefulness. To remain undetected and carry out further operations, attackers use living-off-the-land (LotL) techniques by employing system tools that are already in the environment, or they abuse remote administrator tools that are less likely to be flagged by default in security technologies like Endpoint Detection and Response tooling.

An observed malware family is a malware family identified during an investigation by Mandiant experts.

[Figure: Observed Malware Families by Category, 2023: Backdoor 34%, Other 20%, Ransomware 11%, Dropper 9%, Downloader 8%, Tunneler 6%, Launcher 4%, Credential Theft 4%, Datamine 4%.]

Malware category definitions (malware category: primary purpose)

Backdoor: A program whose primary purpose is to allow an attacker to issue interactive commands to the system on which it is installed.
Credential Stealer: A utility whose primary purpose is to access, copy, or steal authentication credentials.
Datamine: A utility whose primary purpose is to gather data, typically for theft. Excludes utilities that gather data such as credentials used for the purpose of escalating privileges or information used for system or network reconnaissance.
Downloader: A program whose sole purpose is to download (and perhaps launch) a file from a specified address and which does not provide any additional functionality or support any other interactive commands.
Dropper: A program whose primary purpose is to extract, install, and potentially launch or execute one or more files.
Launcher: A program whose primary purpose is to launch one or more files. Differs from a dropper or an installer in that it does not contain or configure the file, but merely executes or loads it.
Ransomware: A program whose primary purpose is to perform some malicious action (such as encrypting data) with the goal of extracting payment from the target in order to avoid or undo the malicious action.
Tunneler: A program that proxies or tunnels network traffic.
Other: Includes other categories, such as utilities, remote admin technologies, keyloggers, and point of sale.

Observed Malware Families, 2022 to 2023 (category: 2022, 2023)

Backdoor: 33%, 34%
Ransomware: 10%, 11%
Dropper: 9%, 9%
Downloader: 10%, 8%
Tunneler: 5%, 6%
Launcher: 5%, 4%
Other: 28%, 20%

Malware by Availability

Malware family availability for both newly tracked and observed malware families remains more heavily weighted toward non-public in 2023, similar to previous M-Trends reporting. In both categories, malware families are more often privately developed or have restricted availability. Adversaries traditionally use a variety of non-public malware to conduct their operations. However, the share of publicly available malware families observed in investigations has increased by one percentage point from 2021 to 2022 and again from 2022 to 2023 to arrive at 30%. The increased use of publicly available malware likely reflects the rise in financially motivated attackers who prioritize speed and efficiency over long-term stealth.

A publicly available tool or malware family is readily obtainable without restriction. This includes tools that are freely available on the internet as well as tools that are sold or purchased, as long as they can be purchased by any buyer. A non-public tool or malware family is, to the best of our knowledge, not publicly available (either for free or for sale). They may include tools that are privately developed, held or used, as well as tools that are shared among or sold to a restricted set of customers.

[Figure: Newly Tracked Malware Families by Availability, 2023: public 14%, non-public 86%. Observed Malware Families by Availability, 2023: public 30%, non-public 70%.]

Most Frequently Seen Malware

BEACON remains the most frequently observed malware family in Mandiant investigations globally
113、ublicNon-Public8614%Newly Tracked Malware Families by Availability,2023PublicNon-Public7030%Observed Malware Families by Availability,2023Special Report:Mandiant M-Trends 202425Most Frequently Seen MalwareBEACON remains the most frequently observed malware family in Mandiant investigations globally

114、and was identified in 10%of all intrusions.While BEACON remains the favorite among attackers,during the past three years Mandiant has seen a decrease in BEACON usage.In 2021,28%of intrusions had at least one BEACON backdoor used.At the time,ransomware groups were actively compromising organizations

115、across the globe and frequently used BEACON to conduct operations.In 2022,there was a global decrease in ransomware-related intrusions,and once again the usage of BEACON reflected that decrease.However,in 2023,Mandiant defenders noted BEACON usage at an all time low,despite an increase in ransomware

116、 intrusions.This decrease could align with attackers moving to evade endpoint security technology with memory resident malware,utilizing third-party remote administration tools,and employing more LotL techniques,or the abuse of native tools and processes on a system.Another possibility could be that

117、 attackers are migrating away from the command and control(C2)framework Cobalt Strike and the use of BEACON as their primary backdoor.As robust security community driven detections have created increased mitigations for the Cobalt Strike framework,attackers will increasingly turn to other C2 avenues

118、 such as SLIVER,Brute Ratel,and Mythic,to support operations.ALPHV and LOCKBIT were the second and fifth most frequently observed malware families,respectively,in 2023.Mandiant encountered ALPHV ransomware in 5%of Mandiant led investigations in 2023 compared to 2%in 2022.The third and sixth most pre

119、valent malware families Mandiant observed were related to the first and third most exploited vulnerabilities.LEMURLOOT(5%)and SEASPY(2%)are backdoors used by attackers following exploitation of the MOVEit and Barracuda technologies respectively.The remaining frequently observed malware families have

120、 been used by multiple attackers,some also in conjunction with ALPHV,LOCKBIT,LEMURLOOT and SEASPY.Most Frequently Seen Malware Families,202302468101210%5%5%5%4%2%2%2%BEACONALPHVLEMURLOOTSYSTEMBCLOCKBITSEASPYMETASPLOITREGEORGMost Frequently Seen Malware Families,2023BEACON Usage,%20%20202

121、02120222023Seen in%of InvestigationsBEACON Usage,2020-2023Special Report:Mandiant M-Trends 202426BEACONA backdoor written in C/C+that is part of the Cobalt Strike framework.Supported backdoor commands include shell command execution,file transfer,file execution,and file management.BEACON can also ca

122、pture keystrokes and screenshots as well as act as a proxy server.BEACON may also be tasked with harvesting system credentials,port scanning,and enumerating systems on a network.BEACON communicates with a C2 server via HTTP or DNS.Mandiant has seen BEACON used by a wide range of named threat groups

123、including APT19,APT32,APT40,APT41,FIN6,FIN7,FIN9,FIN11,FIN12 and FIN13,as well as more than 800 UNC groups.ALPHVRansomware written in Rust.The ransomware may contain a plaintext JSON configuration that specifies the ransomware functionality.ALPHV may be able to escalate its privileges and bypass UAC

124、,likely contains AES and ChaCha20(or Salsa)encryption functionality,may use the Restart Manager as part of its operations,deletes volume shadow copies,may enumerate disk volumes and network shares,and may kill processes and services.Mandiant has seen more than 20 UNC groups with financial gain goals

125、 use ALPHV.LEMURLOOTLEMURLOOT is a web shell written in C#tailored to interact with the MOVEit Transfer platform.The malware authenticates incoming connections via a hard-coded password and can run commands that will download files from the MOVEit Transfer system,extract its Azure system settings,re

126、trieve detailed record information,create and insert a particular user,or delete this same user.Data returned to the system interacting with LEMURLOOT is Gzip compressed.Based on Mandiant observations,FIN11 is the primary user of LEMURLOOT.SYSTEMBCA tunneler written in C that retrieves proxy-related

127、 commands from a C2 server using a custom binary protocol over TCP.A C2 server directs SYSTEMBC to act as a proxy between the C2 server and a remote system.SYSTEMBC is also capable of retrieving additional payloads via HTTP.Some variants may use the Tor network for this purpose.Downloaded payloads m

128、ay be written to disk or mapped directly into memory prior to execution.SYSTEMBC is often used to hide network traffic associated with other malware families.Observed families include DANABOT,SMOKELOADER,and URSNIF.Mandiant has seen FIN12 and more than 40 UNC groups with financial gain goals use SYS

129、TEMBC.LOCKBITA ransomware written in C that encrypts files stored locally and on network shares.LOCKBIT can also identify additional systems on a network and propagate via SMB.Prior to encrypting files,LOCKBIT clears event logs,deletes volume shadow copies,and terminates processes and services that

130、may impact its ability to encrypt files.LOCKBIT has been observed using the file extension“.lockbit”for encrypted files.Mandiant has seen more than 30 UNC groups with financial gain goals use LOCKBIT.SEASPYSEASPY is a backdoor that establishes a PCAP filter on port 25(SMTP)and is activated when a“ma

131、gic packet”is received.SEASPY masquerades as a legitimate Barracuda Network Service and changes its process in memory for further evasion.Mandiant has only seen UNC4841 use SEASPY.METASPLOITA penetration testing framework whose features include vulnerability testing,network enumeration,payload gener

132、ation and execution,and defense evasion.The framework contains exploits for numerous applications and popular operating systems such as Windows,Linux,and macOS.METASPLOIT is commonly used to generate a stager payload,which is responsible for downloading and executing the frameworks METERPRETER backd

133、oor.Mandiant has seen APT32,APT41,APT43,FIN6,FIN7,FIN11,FIN13,and more than 160 UNC groups use Metasploit.REGEORGAn open-source utility used to tunnel webshell traffic.Mandiant has seen APT28,APT29,APT41 and 30 UNC groups use REGEORG.Special Report:Mandiant M-Trends 202427Notable Law Enforcement Act

134、ionsIn a December 2023 press release,the United States Federal Bureau of Investigation(FBI)reported14 that ALPHV,also known as BlackCat,had targeted more than 1,000 organizations.The FBIs press release also outlined the disruption campaign and the development of a decryption tool that allowed the FB

135、I to offer help to a number of impacted organizations.Mandiant tracks the ALPHV ransomware operator as UNC3507,and several other clusters of activity as affiliates,most notably UNC3944,UNC4696,and UNC4896.The fifth most frequently observed malware family across 2023 Mandiant investigations was LOCKB

136、IT.LOCKBIT ransomware appeared in 4%of investigations compared to 2%in 2022.The LOCKBIT data leak site listed more targets than any other extortion group in 2023 by a significant margin.In June 2023,the United States Department of Justice(DOJ)announced criminal charges15 against a LOCKBIT affiliate,

137、the third individual charged by the DOJ for their role in the global LOCKBIT ransomware operation.Since LOCKBIT first appeared in early 2020,the DOJ has noted that there have been more than 1,400 attacks conducted by LOCKBIT ransomware-as-a-service(RaaS)affiliates.International law enforcement conti

138、nued to pursue LOCKBIT activity,announcing seizure of the LOCKBIT data leak site and back-end infrastructure in“Operation Cronos”in February 2024.16 Mandiant tracks the LOCKBIT ransomware operator as UNC2758 and five other notable affiliate groups.Ransomware families like ALPHV and LOCKBIT operate w

139、ithin their own criminal ecosystems.Following the December 2023 law enforcement disruption of ALPHV,the operators of the LOCKBIT ransomware service attempted to take advantage of the situation by appealing to ALPHV affiliates and attempting to undercut negotiation processes ALPHV targets had already

140、 engaged in.Despite these disruptions and arrests by law enforcement,ransomware groups remain resilient and adapt quickly,mitigating the impact on their operations.While law enforcement efforts have yielded decryptors and temporary slowdowns,the profitability of ransomware incentivizes financially m

141、otivated adversaries to continue their attacks,highlighting the need for organizations to maintain strong security practices.ALPHVOPERATORUNC3507AFFIILIATEUNC4696RANSOMWARE AS A SERVICEAFFILIATEAFFILIATEAFFIILIATEUNC4896AFFIILIATEUNC3944AFFILIATEAFFILIATEAFFILIATELOCKBITAFFIILIATEUNC2727AFFIILIATEUN

142、C3753AFFILIATEAFFILIATEAFFILIATEAFFILIATEAFFILIATEOPERATORUNC2758AFFIILIATEUNC2465AFFIILIATEUNC3622AFFIILIATEUNC2165RANSOMWARE AS A SERVICESpecial Report:Mandiant M-Trends 202428Operating System EffectivenessIn 2023,Mandiant noted a slight increase in newly tracked malware effective on Linux systems

143、 at 16%,compared to 12%in 2022.Notably,observed malware effective on Linux has increased to 31%of all malware observed in 2023,compared to 15%in 2022.Similar to previous M-Trends reporting periods,most newly tracked and observed malware families still remain effective on Windows.The apparent decline

144、 in the percentage of Windows-related malware from 2022 to 2023 likely reflects the greater share of Linux-related malware rather than a true decline in malware effective on Windows.The operating system effectiveness of a malware family is the operating system(s)that the malware can be used against.
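The LotL and remote-administration-tool abuse described at the start of this section, and the pre-encryption behaviour called out in the ALPHV and LOCKBIT descriptions above (shadow copy deletion, event log clearing, service and process termination), are exactly what endpoint process-creation telemetry should be hunted for. What follows is an added example, not code from Mandiant or from this report: a Python triage script run over constructed Sysmon-style process-creation events. The event fields, the remote administration tool list, the rule regexes, the 60-minute correlation window and the sample events are all assumptions made for the example; the technique IDs are the public MITRE ATT&CK identifiers (T1219, T1489, T1490 and T1070.001 are not in the report's own top-technique tables). The script also computes the same "percent of investigations" prevalence metric the report uses for its technique tables.

```python
"""Hunt process-creation telemetry for living-off-the-land (LotL) abuse, remote
administration tools and ransomware pre-encryption behaviour, tagging each hit
with its MITRE ATT&CK technique ID.

Added example, not Mandiant's code. The event fields, tool list, rule regexes,
correlation window and sample events are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: legitimate remote administration tools the defender does not expect
# on these hosts (illustrative names, not a list taken from the report).
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.client.exe"}

# Command-line rules: (technique ID, label, regex applied to the lowercased command line).
COMMAND_RULES = [
    ("T1490", "volume shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy")),
    ("T1070.001", "Windows event log cleared",
     re.compile(r"wevtutil(\.exe)?\s+cl\s|clear-eventlog")),
    ("T1489", "service or process termination",
     re.compile(r"\bnet1?(\.exe)?\s+stop\s|\bsc(\.exe)?\s+stop\s|taskkill(\.exe)?\b.*\s/f\b")),
    ("T1059.001", "encoded PowerShell command",
     re.compile(r"powershell(\.exe)?\s.*\s-e(c|nc|ncodedcommand)\s")),
    ("T1070.004", "file deletion",
     re.compile(r"\bdel\s+/[fq]|\bsdelete(64)?(\.exe)?\s|remove-item\s.*-recurse")),
]

# Constructed Sysmon-style process-creation events, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"ts": "2023-09-14T09:02:00", "investigation": "INV-1", "host": "fs01",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "cmdline": r"C:\ProgramData\AnyDesk\AnyDesk.exe --service"},
    {"ts": "2023-09-14T10:00:00", "investigation": "INV-1", "host": "fs01",
     "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"ts": "2023-09-14T10:02:00", "investigation": "INV-1", "host": "fs01",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"ts": "2023-09-14T10:03:00", "investigation": "INV-1", "host": "fs01",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"ts": "2023-10-02T14:11:00", "investigation": "INV-2", "host": "ws17",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2023-10-02T14:12:00", "investigation": "INV-2", "host": "ws17",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f /q C:\Users\Public\stage.tmp"},
    {"ts": "2023-11-20T03:40:00", "investigation": "INV-3", "host": "dc02",
     "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]


def classify(event):
    """Return the (technique ID, label) hits for one process-creation event."""
    cmd = event["cmdline"].lower()
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    hits = [(tid, label) for tid, label, rx in COMMAND_RULES if rx.search(cmd)]
    if image in REMOTE_ADMIN_TOOLS:
        hits.append(("T1219", "remote administration tool"))
    # A shell spawned directly by services.exe is the PsExec-style service execution pattern.
    if parent == "services.exe" and image in {"cmd.exe", "powershell.exe", "rundll32.exe"}:
        hits.append(("T1569.002", "service execution"))
    return hits


def hunt(events):
    """Map investigation ID -> {technique ID: label} for every technique seen in it."""
    findings = defaultdict(dict)
    for ev in events:
        for tid, label in classify(ev):
            findings[ev["investigation"]][tid] = label
    return dict(findings)


def prevalence(findings, total_investigations):
    """Percent of investigations in which each technique was observed (the report's metric)."""
    counts = defaultdict(int)
    for techniques in findings.values():
        for tid in techniques:
            counts[tid] += 1
    return {tid: round(100.0 * n / total_investigations, 1) for tid, n in sorted(counts.items())}


def ransomware_precursor_hosts(events, window=timedelta(minutes=60)):
    """Hosts where shadow-copy deletion occurs within `window` of log clearing or service
    termination: the pre-encryption sequence in the LOCKBIT and ALPHV descriptions."""
    by_host = defaultdict(list)
    for ev in events:
        tids = {tid for tid, _ in classify(ev)}
        if tids:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tids))
    flagged = []
    for host, tagged in by_host.items():
        anchors = [t for t, tids in tagged if "T1490" in tids]
        support = [t for t, tids in tagged if tids & {"T1070.001", "T1489"}]
        if any(abs(a - s) <= window for a in anchors for s in support):
            flagged.append(host)
    return sorted(flagged)
```

On the constructed events, `hunt` attributes five techniques to INV-1 (the remote administration tool, the shadow copy deletion launched from a services.exe child, the log clearing and the service stop), two to INV-2 (an encoded PowerShell command and a file deletion) and one to INV-3, so service execution shows up in two of three investigations while everything else is seen once. `ransomware_precursor_hosts` flags only fs01, because it is the only host where shadow copy deletion and log clearing or service termination fall inside the same hour; in practice that sequence is the last point at which encryption can still be headed off, which is why the report stresses detecting these sub-techniques rather than waiting for a ransom note.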

[Figure: Effectiveness of Newly Tracked Malware Families by Operating System, 2023 (global); Windows, Linux (16%), MacOS, Unix, Android, BSD, VMKernel and iOS, with a second series for families effective on that operating system only. Windows dominates, and every platform other than Windows and Linux is at 4% or less.]

[Figure: Effectiveness of Observed Malware Families by Operating System, 2023 (global); the same platforms, with Linux at 31% and every platform other than Windows and Linux at 8% or less.]

Threat Techniques
Since M-Trends 2020, Mandiant has supported the community by mapping findings presented in M-Trends to the MITRE ATT&CK framework. As organizations continue to strengthen their security measures, they can prioritize implementing detection capabilities based on the techniques and sub-techniques used in intrusions. Mandiant provides metrics on the most frequently observed techniques that adversaries used as a resource for organizations deciding how to further improve their security capabilities. Mandiant has mapped an additional 1,200+ Mandiant techniques to the updated MITRE ATT&CK framework, bringing the total to 3,500+ Mandiant techniques and subsequent findings associated with the ATT&CK framework. In 2023, the MITRE ATT&CK framework was updated to version 14.1, and ATT&CK for Enterprise now contains 201 techniques and 427 sub-techniques.

MITRE ATT&CK Techniques Used Most Frequently, 2023
Mandiant experts observed adversaries use 74% of MITRE ATT&CK techniques and 44% of sub-techniques during 2023 intrusions: nearly three quarters of mapped ATT&CK techniques and almost half of the sub-techniques were actively observed in intrusions Mandiant investigated in 2023. This breadth of techniques and sub-techniques is of the same magnitude that Mandiant defenders observed in 2022. The techniques attackers used in 2023 are consistent with those observed in 2022, with the top 10 most frequently seen techniques showing little variance over the last several years. In more than half of investigations, Mandiant investigators noted the use of a command or scripting interpreter (T1059) by attackers. Notable differences in the 2023 dataset are the presence of System Owner/User Discovery (T1033) and Exploit Public-Facing Application (T1190) in the top 10 list of observed techniques. These two techniques correlate with the rise of ransomware-related intrusions and the increase in exploit use, specifically the mass exploitation campaigns observed in 2023. It is unsurprising that the top five observed sub-techniques are PowerShell (T1059.001), Web Protocols (T1071.001), Remote Desktop Protocol (T1021.001), Service Execution (T1569.002), and File Deletion (T1070.004), as this is the fourth consecutive year they have dominated the charts. Attackers likely favor these sub-techniques because they rely on tools readily available within a system, making them easy to abuse. Their history of successful compromises, combined with the ability to sometimes evade security measures, makes them a highly effective part of an attacker's toolkit. This persistent trend reveals the standard tactics attackers employ to achieve their objectives. Organizations must prioritize detecting these sub-techniques if they have not done so already.

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.

Top 5 Most Frequently Seen MITRE ATT&CK Sub-Techniques, 2023 (percent of investigations)
1. T1059.001 PowerShell                 32.3%
2. T1071.001 Web Protocols              29.6%
3. T1021.001 Remote Desktop Protocol    28.3%
4. T1569.002 Service Execution          26.8%
5. T1070.004 File Deletion              26.6%

Top 10 Most Frequently Seen MITRE ATT&CK Techniques, 2023 (percent of investigations)
1.  T1059 Command and Scripting Interpreter        52.3%
2.  T1027 Obfuscated Files or Information          46.5%
3.  T1083 File and Directory Discovery             38.6%
4.  T1021 Remote Services                          37.3%
5.  T1082 System Information Discovery             37.1%
6.  T1070 Indicator Removal                        35.1%
7.  T1071 Application Layer Protocol               34.0%
8.  T1033 System Owner/User Discovery              31.7%
9.  T1140 Deobfuscate/Decode Files or Information  31.5%
10. T1190 Exploit Public-Facing Application        28.7%

The observed MITRE ATT&CK techniques mapped to the Mandiant Targeted Attack Lifecycle can be found in the appendix of this report.

Campaigns & Global Events
When Mandiant experts observe that multiple organizations are actively being impacted by similar threat activity, a campaign or global event is created. A campaign is a set of activity in which one or more threat groups coordinate to achieve a single objective. Larger-scale global events can encompass multiple threat groups pursuing multiple, disparate objectives but using similar tactics, often exploiting a vulnerability. Campaigns and Global Events (CGE) provide clients with notification of emerging and active threat activity. Over the course of each campaign and global event, Mandiant dynamically updates potential targets with new data as more information is received and analyzed. This intelligence includes indicators of compromise, context surrounding key events, and defensive and prevention measures based directly on data collected from Mandiant investigations and other Mandiant research. Campaigns and Global Events provide Mandiant clients with the critical intelligence needed to defend against today's most dangerous threats. Early identification of active exploits means attacks can be halted quickly, minimizing damage. CGEs facilitate rapid collaboration between teams, ensuring a swift response. As Mandiant uncovers new threat data, CGE users receive immediate updates, enabling them to refine defenses and pinpoint an attack's full impact.

Mandiant tracked and reported 25 campaigns and global events in 2023 related to Mandiant Consulting investigations. These campaigns affected organizations across the Americas, EMEA, and JAPAC from 21 industry verticals.

Campaigns are a set of impactful intrusions conducted by an attacker or multiple attackers in cooperation toward a single objective at multiple targets within a relevant timeframe. [17] Global events are a set of impactful intrusions conducted by multiple unrelated adversaries in parallel campaigns involving a similar theme, target, or resource.

The FIN11 MOVEit exploitation campaign represents a prominent example of this type of event. The CVE-2023-34362 Retrospective Timeline illustrates observations related to FIN11's [18] exploitation of this vulnerability.
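A retrospective timeline of this kind is rebuilt from the victim's own evidence once attacker infrastructure has been attributed: the first contact from that infrastructure (scanning), the first request matching an exploitation signature, the window of bulk transfers to the attacker (data theft), and the resulting dwell time from first exploitation to detection. The following is an added example, not Mandiant's code and not derived from the MOVEit engagements, showing that reconstruction in Python over a constructed web-server access log. The log format, the IP addresses (RFC 5737 documentation ranges), the request paths, the byte threshold and the detection time are all constructed for the example, and EXPLOIT_SIGNATURE is a placeholder rather than the real CVE-2023-34362 exploit traffic.

```python
"""Reconstruct a retrospective intrusion timeline (first scan, first exploitation,
data theft window, dwell time) from a victim's web-server access log once the
attacker's infrastructure is known.

Added example, not Mandiant's code. The log format, IP addresses (RFC 5737
documentation ranges), paths, byte threshold and detection time are constructed;
EXPLOIT_SIGNATURE is a placeholder, not the real CVE-2023-34362 exploit traffic.
"""
from datetime import datetime, timezone

# Constructed access log: "<ISO 8601 UTC> <client IP> <method> <path> <status> <response bytes>".
ACCESS_LOG = """\
2023-05-15T02:14:11Z 203.0.113.7 GET / 200 512
2023-05-15T02:14:12Z 203.0.113.7 GET /login 200 4096
2023-05-20T11:03:40Z 198.51.100.23 GET /login 200 4096
2023-05-27T03:12:09Z 203.0.113.9 POST /example/vulnerable-endpoint 200 217
2023-05-27T03:12:30Z 203.0.113.9 POST /example/vulnerable-endpoint 200 189
2023-05-27T19:05:02Z 203.0.113.9 GET /files/export 200 734003200
2023-05-28T01:40:55Z 203.0.113.9 GET /files/export 200 512000000
2023-05-29T09:00:00Z 192.0.2.15 GET /login 200 4096
"""

# Attacker infrastructure attributed during the investigation (constructed).
# 198.51.100.23 is deliberately left out: it scanned, but was never tied to the attacker.
ATTACKER_IPS = {"203.0.113.7", "203.0.113.9"}
# Placeholder exploitation signature (method, path); a real one comes from IR findings or the advisory.
EXPLOIT_SIGNATURE = ("POST", "/example/vulnerable-endpoint")
# Responses at or above this size to attacker infrastructure are treated as bulk data theft (assumption).
EXFIL_BYTES = 100_000_000
# When the victim first learned of the compromise (constructed).
DETECTION_TIME = datetime(2023, 6, 1, 8, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the constructed log format into dicts, oldest entry first."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status, size = line.split()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip, "method": method, "path": path,
            "status": int(status), "bytes": int(size),
        })
    return sorted(entries, key=lambda e: e["ts"])


def build_timeline(entries, attacker_ips, exploit_signature, detection_time):
    """Derive the milestones and the gaps between them.

    Scanning is the first contact from attacker infrastructure; exploitation is the
    first successful request matching the signature; data theft is any bulk response
    to attacker infrastructure after that point; dwell time runs from first
    exploitation to detection, as the report defines it.
    """
    from_attacker = [e for e in entries if e["ip"] in attacker_ips]
    exploits = [e for e in from_attacker
                if (e["method"], e["path"]) == exploit_signature and e["status"] == 200]
    if not from_attacker or not exploits:
        raise ValueError("no attributed attacker traffic or no exploitation evidence in log")
    first_scan, first_exploit = from_attacker[0]["ts"], exploits[0]["ts"]
    exfil = [e for e in from_attacker if e["ts"] > first_exploit and e["bytes"] >= EXFIL_BYTES]
    return {
        "first_scan": first_scan.isoformat(),
        "first_exploit": first_exploit.isoformat(),
        "exfil_start": exfil[0]["ts"].isoformat() if exfil else None,
        "exfil_end": exfil[-1]["ts"].isoformat() if exfil else None,
        "exfil_bytes": sum(e["bytes"] for e in exfil),
        "detection": detection_time.isoformat(),
        "scan_to_exploit_days": (first_exploit - first_scan).days,
        "exploit_to_exfil_hours": (round((exfil[0]["ts"] - first_exploit).total_seconds() / 3600, 1)
                                   if exfil else None),
        "dwell_days": (detection_time - first_exploit).days,
    }


def example_timeline():
    """Run the reconstruction over the constructed log and indicators."""
    return build_timeline(parse_log(ACCESS_LOG), ATTACKER_IPS, EXPLOIT_SIGNATURE, DETECTION_TIME)


if __name__ == "__main__":
    for key, value in example_timeline().items():
        print(f"{key:>24}: {value}")
```

On the constructed log the reconstruction yields a 12-day gap between first scan and first exploitation, bulk transfers beginning 15.9 hours after exploitation, and a dwell time of 5 days to the (constructed) detection. Two design points carry over to real engagements: scanning is only counted from infrastructure actually attributed to the attacker, so the unrelated scanner is excluded rather than pulling the timeline earlier, and the exploitation signature and byte threshold are inputs from the investigation, not something the script infers.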

Mandiant investigators observed FIN11 scanning the internet beginning on May 15, 2023, using infrastructure that was subsequently used to exploit the MOVEit zero-day vulnerability. [19] Based on analysis from Mandiant incident response engagements, the earliest evidence of exploitation of CVE-2023-34362 occurred twelve days later, on May 27, 2023. The evidence also indicates that FIN11 began stealing data from numerous organizations via MOVEit Transfer within 16 hours of the first exploitation of the vulnerability. On May 31, 2023, Progress disclosed the vulnerability, patched its cloud-based service, and released a patch for on-premises implementations. It was not until 10 days after the first successful exploitation, on June 6, 2023, that FIN11 claimed responsibility for the campaign on the CL0P_-LEAKS data leak site (DLS). The first proof-of-concept (PoC) exploit was made publicly available three days later, on June 9, 2023.

Notably, from late 2020 to 2023 [20], FIN11 demonstrated a pattern of exploiting vulnerabilities in four different file transfer applications, likely because this type of campaign offers FIN11 several advantages. A working exploit allows FIN11 to compromise many targets at once. Specific targeting of file transfer software provides tactical advantages and supports FIN11's business model of data theft extortion: FIN11 can obtain target files directly from the file transfer appliance without additional lateral movement into target environments, which would require time and effort on the part of the attacker and create more opportunities for defenders to detect the intrusion.

CVE-2023-34362 Retrospective Timeline (May to July 2023; confirmed FIN11 activity from Mandiant investigations plus OSINT; scanning by other threat groups was also observed over the same period)
05-15: First observed FIN11 scanning.
05-27: First known exploitation of CVE-2023-34362; data exfiltration starts.
05-28: Progress Software is notified by customers of the issue.
05-30: Progress Software takes down cloud services.
05-31: Progress Software releases a patch for MOVEit Cloud and on-premises MOVEit Transfer, restores cloud services, and discloses the CVE; data exfiltration ends.
06-02: CVE-2023-34362 is added to CISA's Known Exploited Vulnerabilities catalog; Mandiant publishes its containment and hardening guide.
06-06: Post on the CL0P_-LEAKS DLS claims responsibility.
06-09: PoC exploit for CVE-2023-34362 first publicly available.
06-23: CVE-2023-34362 required to be remediated.

2023 Campaigns and Global Events Related to Mandiant Incident Response Investigations (January 2023 to February 2024; the original chart marks each as financially motivated, espionage, or multiple/unknown)
- Financially Motivated Group Gains Access via Drive-By Downloads of FAKEUPDATES
- Financially Motivated Group Exploits CVE-2022-21587
- UNC2633 Resurfaces to Distribute QAKBOT via OneNote Phishing Attachments
- UNC2500 Resurfaces to Distribute QAKBOT via OneNote Phishing Attachments
- Suspected Chinese Espionage Group Exploits IBM Aspera Faspex to Gain Initial Access
- Exploitation of CVE-2022-47986 in IBM Aspera Faspex
- UNC4736 Conducts Cascading Supply Chain Compromise
- UNC3944 Conducts SMS Phishing and Data Theft Extortion
- Suspected Russian Group Targets Ukraine with SMOKELOADER
- FIN11 Exploits a Critical Vulnerability in MOVEit MFT for Data Theft Extortion
- Financially Motivated Group Conducts ALPHV Ransomware and Data Theft and Extortion
- Financially Motivated Group Uses Social Media and SEO Poisoning to Deliver PAPERDROP and DANABOT
- Suspected DPRK Group Leverages SaaS Provider in a Targeted Supply Chain Attack
- Exploitation of Multiple Vulnerabilities in Ivanti Products
- Suspected Chinese Group Exploits Citrix Zero-Day CVE-2023-3519
- Financially Motivated Group Distributes DARKGATE via Microsoft Teams
- Exploitation of CVE-2023-4966 in Citrix NetScaler/ADC Appliances
- Exploitation of CVE-2023-42793 in JetBrains TeamCity Products
- Suspected Financially Motivated Group Conducts Phishing/Adversary-in-the-Middle Campaign
- Unknown Threat Group Exploits CVE-2023-20198
- UNC2500 Resurfaces to Distribute Phishing Emails with Links to Download Various Payloads
- Financially Motivated Group Uses DARKGATE Access to Deploy BASTA Ransomware
- Financially Motivated Group Exploits Atlassian Vulnerabilities for Extortion Operations
- Exploitation of CVE-2023-46805 and CVE-2024-21887 in Ivanti Products
- Suspected Chinese Espionage Group Exploits CVE-2023-46805 and CVE-2024-21887

Industries Affected: Manufacturing; Legal & Professional Services; Financial Services; Healthcare; Technology; Media & Entertainment; Chemicals & Materials; Education; Energy & Utilities; Retail; Insurance; Pharmaceuticals; Telecommunications; Automotive; Civil Society & Non-Profits; Construction & Engineering; Government; Oil & Gas; Transportation; Other.

Regional Trends

Americas
The metrics reported in this section are based on Mandiant Consulting investigations affecting organizations located in North, Central, or South America.

Detection by Source
In the Americas in 2023, 51% of organizations first learned of a compromise from an external source, while 49% identified evidence of a compromise internally. This split is consistent with a long-term global trend toward a balance of internal versus external discovery. It is also consistent with observations in the Americas from 2022, continuing a trend toward higher rates of external notification overall compared to 2017 through 2021. Growth in ransomware-related intrusions over the last four years has likely contributed to this shift in notification source. Isolating ransomware-related intrusions from all other compromises exposes a strong divergence in notification sources between ransomware and non-ransomware-related intrusions. Approximately two thirds of ransomware-related intrusions in the Americas were externally notified, most frequently by the attackers themselves in the form of a ransom note. In contrast, organizations in the region first discovered evidence of a compromise internally in slightly more than half of cases that were not related to ransomware encryption events.

Detection by Source, Americas, 2023: Non-Ransomware, Internal 43%; Non-Ransomware, External 34%; Ransomware, External 17%; Ransomware, Internal 6%.

[Figure: Detection by Source, Americas, 2017-2023; internal versus external detection (percent) with average trend.]

Americas Median Dwell Time
In 2023, organizations located in the Americas detected intrusions at the same pace as in 2022: median dwell time in the Americas was 10 days. External parties notified these organizations of intrusions in 13 days, compared to 12 days in 2022. When intrusions were detected internally, however, organizations uncovered malicious activity in eight days in 2023, compared to nine days in the previous year.

[Figure: Americas Median Dwell Time, 2016-2023; external, internal and all investigations, in days.]

Dwell time is calculated as the number of days an attacker is present in a target environment before they are detected. The median represents the value at the midpoint of a dataset sorted by magnitude.

Change in Americas Median Dwell Time: 10 days in 2022, 10 days in 2023.

Dwell Time Distribution
Organizations in the Americas region continue to improve their detection capabilities. Organizations detected 45% of intrusions in one week or less, a rate similar to that seen in 2022. In 68.5% of investigations conducted by Mandiant, defenders were made aware of intrusions in 30 days or less, a four percentage-point increase compared to 2022. Consistent with trends seen globally, organizations continue to identify intrusions that had remained undetected for longer periods of time. Organizations located in the Americas saw a small increase in intrusions detected in five years or less and a decrease in intrusions that went undetected for more than five years.

Americas Dwell Time Distribution, 2021-2023 (percent of investigations; each bucket excludes the shorter ones)
Dwell time          2021    2022    2023
1 week or less     38.8%   44.5%   45.0%
30 days or less    18.0%   19.4%   23.5%
6 months or less   28.2%   26.2%   22.3%
1 year or less     11.1%    4.5%    4.8%
5 years or less     3.6%    2.6%    4.2%
5 years or more     0.4%    2.8%    0.3%

Investigations Involving Ransomware
Organizations located in the Americas detected intrusions related to ransomware in six days, compared to five days in the previous M-Trends reporting period. This could be explained by the slight increase in investigations involving ransomware, or it could be a slight variation in ransomware attackers' ability to conduct operations. In intrusions related to ransomware, targeted organizations detected malicious activity internally in seven days, compared to six days when an external party made organizations aware of an intrusion. In intrusions that did not involve ransomware, internal detection remained the fastest way for organizations to learn of an intrusion, with a dwell time of eight days. When they did not detect an intrusion internally, organizations in the Americas were notified of intrusions within a median of 19 days by an external party.

Americas Dwell Time by Investigation Type, 2023 (median days): all investigations 10; ransomware investigations 6; non-ransomware investigations 12.
Americas Median Dwell Time by Detection Source, 2023: ransomware, internal 7 days and external 6 days; non-ransomware, internal 8 days and external 19 days.
Change in Americas Investigations Involving Ransomware: 22% in 2022, 23% in 2023.
Change in Americas Median Dwell Time, Ransomware: 5 days in 2022, 6 days in 2023.
Change in Americas Median Dwell Time, Non-Ransomware: 12 days in 2022, 12 days in 2023.

Most Frequently Seen Initial Infection Vectors by Region
Americas (targeted attacks): Exploit 41%, Phishing 18%, Prior Compromise 14%.

Initial Infection Vector
Organizations in the Americas faced threats similar to those experienced by organizations across the globe. In 41% of intrusions that had an initial infection vector identified, an exploit was the source of attacker activity in the region. Phishing was used as an initial vector in 18% of intrusions. Rounding out the top three, attackers leveraged prior compromised access gained from another threat group or malware in 14% of intrusions.

Threat Groups
Prevalent Threat Group Targeting the Americas
The most frequently observed attacker in the Americas in 2023 was FIN11, a financially motivated threat group. The majority of FIN11 intrusions Mandiant investigated were related to the widespread campaign exploiting CVE-2023-34362 in the MOVEit Transfer secure managed file transfer (MFT) software. [21] Mandiant also investigated intrusions in which FIN11 exploited CVE-2023-0669 in GoAnywhere MFT. Although FIN11 has deployed the CLOP ransomware in the past, in these campaigns the attacker focused on data theft extortion with no ransomware encryption. Counts of listings from the CL0P_-LEAKS DLS corroborate Mandiant's investigative findings and demonstrate the scale FIN11 was able to achieve through these focused vulnerability exploitation campaigns.

[Figure: Listings Posted to CL0P_-LEAKS DLS, 2023; monthly listings (0 to 200 scale) with the disclosure dates of CVE-2023-0669 (GoAnywhere MFT) and CVE-2023-34362 (MOVEit Transfer secure MFT) marked.]

JAPAC
The metrics reported in this section are based on Mandiant Consulting investigations affecting organizations in Japan and Asia Pacific (JAPAC).

Detection by Source
For intrusions in the JAPAC region in 2023, organizations were notified of compromises from external sources in 69% of cases, while 31% of intrusions were discovered internally. This continues a long-term trend in JAPAC of internal detections representing a declining proportion of overall notification sources. In line with global numbers, organizations located in JAPAC were notified more often of intrusions via external notifications. In 2023 in JAPAC, organizations learned of ransomware-related infections from external sources in three fourths of cases.

Detection by Source, JAPAC, 2023: Non-Ransomware, External 43%; Ransomware, External 26%; Non-Ransomware, Internal 24%; Ransomware, Internal 7%.

[Figure: Detection by Source, JAPAC, 2017-2023; internal versus external detection (percent) with average trend.]

JAPAC Median Dwell Time
Organizations in the JAPAC region continued to detect intrusions more quickly year over year, for both notification sources. Median dwell time in JAPAC reached its lowest value yet, nine days from initial infection to detection, compared to 33 days in 2022. Organizations identified an intrusion internally in six days in JAPAC, compared to 19 days in 2022. Organizations received external notifications of malicious activity in nine days, just over one week, compared to nearly two months in 2022.

[Figure: JAPAC Median Dwell Time, 2016-2023; external, internal and all investigations, in days.]

Change in JAPAC Median Dwell Time: 33 days in 2022, 9 days in 2023.

Dwell Time Distribution
In 2023, targeted attacker activity was detected in 48% of intrusions in JAPAC in one week or less. Continuing with observations both globally and year over year in the region, the number of intrusions detected sooner continues to increase, showing the resilience of defenders. Over the past three years, Mandiant has seen fewer intrusions remain undetected for longer periods of time in the JAPAC region.

JAPAC Dwell Time Distribution, 2021-2023 (percent of investigations; each bucket excludes the shorter ones)
Dwell time          2021    2022    2023
1 week or less     36.4%   37.7%   48.1%
30 days or less    23.6%   11.7%   18.5%
6 months or less   20.0%   21.6%   20.4%
1 year or less      3.6%    8.4%    7.4%
5 years or less     3.6%   16.7%    5.6%
5 years or more    12.7%    5.0%    0.0%

Investigations Involving Ransomware
JAPAC saw little movement in the volume of ransomware-related intrusions, with a small increase to 33% of investigations conducted in the region in 2023. However, dwell time for ransomware-related intrusions declined to three days, compared to 19 days in 2022. This sharp decrease is likely a result of the fast-moving ransomware families used in intrusions. Mandiant has observed ransomware-related intrusions balance speed and thoroughness of compromise: attackers who deploy ransomware want to move fast enough to reduce the chance of detection, but also be meticulous enough to ensure potential damage that is sufficient to increase the likelihood of maximum ransom payment. Organizations detected non-ransomware-related intrusions more quickly in 2023, in slightly more than half the time observed in 2022. The median dwell time in the JAPAC region for non-ransomware-related intrusions was 26 days in 2023. Organizations were notified of an intrusion in six days by an internal security product or team member. Externally, however, organizations were notified of an intrusion 37 days after the malicious activity initially began.

JAPAC Dwell Time by Investigation Type, 2023 (median days): all investigations 9; ransomware investigations 3; non-ransomware investigations 26.

[Figure: JAPAC Median Dwell Time by Detection Source, 2023; ransomware versus non-ransomware, internal versus external detection, in days.]

Change in JAPAC Investigations Involving Ransomwa

220、rein 2022in 202332%33%Change in JAPAC Median Dwell TimeRansomwaredays in 2022days in 2023193Change in JAPAC Dwell Time Non-Ransomaredays in 2022days in 202360 26Special Report:Mandiant M-Trends 202443JAPACExploit39%Phishing18%Prior Compromise15%Targeted AttacksInitial Infection VectorMandiant invest

221、igators identified that organizations in JAPAC were impacted by exploits in 39%of investigations when an initial infection vector was identified.In nearly a fifth(18%)of investigations,attackers leveraged brute-force techniques to gain initial access in the region.Rounding out the top three most see

222、n initial infection vectors in the region was the use of access obtained by a prior compromise.In 15%of intrusions,Mandiant investigators identified evidence that an attacker leveraged access originally obtained by another attacker through either purchased access or by leveraging unsecured backdoor
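The regional figures above (median dwell time overall and by detection source, the internal versus external split, the ransomware share of investigations, and the six dwell-time buckets) can be computed for any incident set with the following Python, an added example rather than code from the report. The incident records are constructed, and the day values for the bucket edges (7, 30, 180, 365 and 1825 days) are an assumption about how the report's month and year boundaries map to days.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, Iterable, List, Optional

# Dwell time buckets as used in the report's distribution charts. The day values are an
# assumption: "6 months" is taken as 180 days, "1 year" as 365 and "5 years" as 1825.
BUCKETS = [
    ("1 week or less", 7),
    ("30 days or less", 30),
    ("6 months or less", 180),
    ("1 year or less", 365),
    ("5 years or less", 1825),
]
OPEN_BUCKET = "5 years or more"


@dataclass(frozen=True)
class Incident:
    compromised: date   # earliest evidence of attacker activity on a system
    detected: date      # date the organization learned of the intrusion
    source: str         # "internal" or "external" notification source
    ransomware: bool    # ransomware-related investigation or not

    @property
    def dwell_days(self) -> int:
        # Dwell time is the number of days from initial compromise to detection.
        days = (self.detected - self.compromised).days
        if days < 0:
            raise ValueError("detection date precedes compromise date")
        return days


def bucket_for(days: int) -> str:
    """Map a dwell time to the report's distribution bucket (inclusive upper edges)."""
    for label, upper in BUCKETS:
        if days <= upper:
            return label
    return OPEN_BUCKET


def median_dwell(incidents: Iterable[Incident]) -> Optional[float]:
    days = [i.dwell_days for i in incidents]
    return median(days) if days else None


def pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def regional_metrics(incidents: List[Incident]) -> Dict[str, object]:
    """Compute the metrics the regional sections report from a list of incidents."""
    n = len(incidents)
    internal = [i for i in incidents if i.source == "internal"]
    external = [i for i in incidents if i.source == "external"]
    ransom = [i for i in incidents if i.ransomware]
    non_ransom = [i for i in incidents if not i.ransomware]

    counts = {label: 0 for label, _ in BUCKETS}
    counts[OPEN_BUCKET] = 0
    for inc in incidents:
        counts[bucket_for(inc.dwell_days)] += 1

    return {
        "investigations": n,
        "internal_pct": pct(len(internal), n),
        "external_pct": pct(len(external), n),
        "ransomware_pct": pct(len(ransom), n),
        "median_days": {
            "all": median_dwell(incidents),
            "internal": median_dwell(internal),
            "external": median_dwell(external),
            "ransomware": median_dwell(ransom),
            "non_ransomware": median_dwell(non_ransom),
        },
        "distribution_pct": {k: pct(v, n) for k, v in counts.items()},
    }


# Constructed sample records (not real investigation data).
SAMPLE = [
    Incident(date(2023, 3, 1), date(2023, 3, 3), "external", True),    # 2 days
    Incident(date(2023, 5, 10), date(2023, 5, 14), "internal", True),  # 4 days
    Incident(date(2023, 1, 1), date(2023, 1, 6), "internal", False),   # 5 days
    Incident(date(2023, 2, 1), date(2023, 2, 20), "external", False),  # 19 days
    Incident(date(2022, 11, 1), date(2023, 4, 1), "external", False),  # 151 days
    Incident(date(2020, 6, 1), date(2023, 2, 1), "external", False),   # 975 days
]

if __name__ == "__main__":
    import json
    print(json.dumps(regional_metrics(SAMPLE), indent=2))
```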

The increase in prior compromise usage is likely representative of the inner workings of the criminal ransomware ecosystem.

Threat Groups

Prevalent Threat Group Targeting JAPAC

In the Japan and Asia Pacific region in 2023, Mandiant investigators most often encountered the suspected Chinese cyber espionage cluster UNC4841. Beginning in at least October 2022, UNC4841 exploited a zero-day vulnerability, CVE-2023-2868, in Barracuda Email Security Gateway (ESG) appliances in a campaign targeting public and private organizations worldwide.[22] In several cases, Mandiant observed evidence of UNC4841 searching for and exfiltrating data relevant to Chinese political or strategic interests. Among the entities that UNC4841 selected for focused data theft, Mandiant uncovered shell scripts that targeted email domains and users from Ministries of Foreign Affairs of ASEAN member nations, as well as individuals within foreign trade offices and academic research organizations in Taiwan and Hong Kong.

In this campaign, UNC4841 took a number of steps to disguise its activity. For example, it inserted malware into, or reused the names of, legitimate Barracuda modules, and it sent phishing messages designed to be intercepted by spam filters so as to avoid further investigation by security teams. Notably, after the initial vulnerability disclosure and remediation efforts, UNC4841 responded aggressively, rapidly altering its malware, deploying additional persistence mechanisms, and moving laterally to maintain access to target
environments. Further analysis on this topic can be found in the article Attacker Operations Involving Zero-Days Vary Depending on Motivation.

EMEA

The metrics reported in this section are based on Mandiant Consulting investigations affecting organizations in Europe, the Middle East, and Africa (EMEA).

Detection by Source

In cases Mandiant investigated in EMEA in 2023, organizations first discovered evidence of a compromise internally 46% of the time, while organizations were externally notified of compromises in 54% of intrusions. This split matches global numbers for 2023 and reverses a long-term trend toward declining rates of internal notification for the region. Organizations in EMEA identified ransomware-related intrusions internally slightly more frequently than through external notifications such as a ransom note. The majority of non-ransomware-related intrusions were identified by external security partners.

[Figure: Detection by Source, EMEA, 2017-2023: Internal Detection (Percent), External Detection (Percent), EMEA Internal Average Trend]
[Figure: Detection by Source, EMEA, 2023 (Non-Ransomware Internal, Ransomware Internal, Non-Ransomware External, Ransomware External); segments as extracted: 46%, 32%, 9%, 13%]

EMEA Median Dwell Time

Organizations in EMEA detected intrusions in 22 days in 2023, compared to 20 days in 2022. Dwell time for intrusions detected externally decreased to just under two weeks, at 12 days in 2023 compared to 18 days in 2022. Organizations detected intrusions internally in 23 days in 2023, compared to 33 days in 2022. Over the years, dwell time has varied across detection sources in EMEA. The general trend shows median dwell time continuing to decrease year over year, with the 2022 median being the shortest seen in the region. The small variation seen in 2023 could be the result of regional data normalizing, following the notable portion of Mandiant's work in Ukraine in 2022.

[Figure: EMEA Median Dwell Time, 2016-2023 (External, Internal, All), Dwell Time (Days)]
Change in EMEA Median Dwell Time: 20 days in 2022, 22 days in 2023

Dwell Time Distribution

This year in EMEA, organizations saw intrusions go undetected for
longer periods of time compared to previous years, with 14% of investigations conducted in the region remaining undetected for up to five years. However, in 2023, organizations saw less than 1% of investigations go undetected for more than five years.

EMEA Dwell Time Distribution, 2021-2023 (percent of investigations)

  Dwell time          Series A   Series B   2023
  1 week or less      41.6%      33.0%      35.9%
  30 days or less     12.2%      14.0%      20.5%
  6 months or less    17.7%      22.0%      23.1%
  1 year or less      10.2%      12.0%       6.4%
  5 years or less     11.5%      14.0%      14.1%
  5 years or more      7.0%       6.0%       0.0%

  Series A and B are the 2021 and 2022 values in the order extracted from the chart; their year labels did not survive extraction. The 2023 column is the one the text above refers to.

[Figure: EMEA Dwell Time by Investigation Type, 2023 (percent of investigations by dwell time): All Investigations 22 median days; Ransomware Investigations 8 median days; Non-Ransomware Investigations 31 median days]
[Figure: EMEA Median Dwell Time by Detection Source, 2023: Ransomware and Non-Ransomware, Internal Detection vs External Detection, Dwell Time (Days)]

Investigations Involving Ransomware

Organizations working with Mandiant in EMEA saw ransomware-related intrusions return to a volume previously seen in 2021. Nearly a quarter of the investigations conducted in the region were ransomware-related: 22% in 2023, compared to 7% in 2022. The median dwell time for ransomware-related intrusions decreased in the region. Ransomware intrusions were detected in little more than one week, at eight days compared to 33 days in 2022. Internal detection of ransomware intrusions in EMEA took 3 days, compared to 20 days for external notifications. Intrusions not related to ransomware were detected in 31 days in 2023, compared to 19 days in 2022. Non-ransomware-related intrusions remain undetected for longer periods of time when they are detected by an internal source.

Change in EMEA Investigations Involving Ransomware: 7% in 2022, 22% in 2023
Change in EMEA Median Dwell Time, Ransomware: 33 days in 2022, 8 days in 2023
Change in EMEA Dwell Time, Non-Ransomware: 19 days in 2022, 31 days in 2023

Initial Infection Vector

[Figure: Targeted Attacks, Initial Infection Vector, EMEA, 2023: Exploit 37%, Prior Compromise 21%, Phishing 16%]

In EMEA, Mandiant investigators noted that intrusions began with an exploit in 36% of intrusions in which an initial infection vector was identified. Organizations in EMEA also faced attackers abusing prior access in 21% of intrusions and phishing in 16% of intrusions.

Threat Groups

Prevalent Threat Group Targeting EMEA

Mandiant investigated a variety of intrusions in EMEA in 2023, including compromises attributed to UNC4393. UNC4393 is a financially motivated threat cluster that has monetized access by deploying BASTA ransomware. This cluster does not work alone but rather relies on other attackers to obtain initial access into target environments. Throughout most of 2023, Mandiant found that UNC2500 and UNC2633 QAKBOT infections consistently preceded UNC4393 activity in target environments. In August 2023, an international law enforcement effort disrupted the QAKBOT botnet,[23] which forced UNC2500 to shift to alternative malware payloads to continue operations. Starting in mid-September 2023, Mandiant observed UNC2500 begin distributing DARKGATE payloads, which UNC4393 leveraged to ultimately deploy BASTA ransomware.

Mandiant regularly observes evidence that multiple attackers were involved in different stages of a compromise, and prior compromise was the third most common initial access vector for 2023 Mandiant incident responses. The complexity of multi-attacker intrusions and the speed with which attacker tactics, techniques, and procedures (TTPs) evolve underscore the importance of implementing defense-in-depth strategies to minimize the impact of an attacker gaining a foothold in an environment.

MITRE ATT&CK

Techniques Related to Mandiant Targeted Attack Lifecycle, 2023

Mandiant's Targeted Attack Lifecycle is the predictable sequence of events cyber attackers use to carry out their attacks. Percentages are the share of 2023 investigations in which the technique was observed.

Initial Reconnaissance
  Reconnaissance
    T1595: Active Scanning 1.1%
      T1595.001: Scanning IP Blocks 0.6%
      T1595.002: Vulnerability Scanning 0.6%
  Resource Development
    T1608: Stage Capabilities 12.8%
      T1608.003: Install Digital Certificate 6.6%
      T1608.005: Link Target 2.6%
      T1608.001: Upload Malware 2.1%
      T1608.002: Upload Tool 0.9%
      T1608.006: SEO Poisoning 0.9%
    T1583: Acquire Infrastructure 5.4%
      T1583.003: Virtual Private Server 5.4%
    T1584: Compromise Infrastructure 3.2%
    T1587: Develop Capabilities 2.3%
      T1587.002: Code Signing Certificates 1.3%
      T1587.003: Digital Certificates 0.9%
    T1588: Obtain Capabilities 1.5%
      T1588.004: Digital Certificates 1.1%
      T1588.003: Code Signing Certificates 0.4%
    T1585: Establish Accounts 0.2%
      T1585.002: Email Accounts 0.2%

Initial Compromise
  Initial Access
    T1190: Exploit Public-Facing Application 28.7%
    T1133: External Remote Services 20.3%
    T1566: Phishing 16.3%
      T1566.001: Spearphishing Attachment 5.1%
      T1566.002: Spearphishing Link 3.2%
      T1566.004: Spearphishing Voice 1.9%
      T1566.003: Spearphishing via Service 0.8%
    T1078: Valid Accounts 11.3%
      T1078.004: Cloud Accounts 2.1%
      T1078.001: Default Accounts 0.2%
    T1189: Drive-by Compromise 3.4%
    T1195: Supply Chain Compromise 0.8%
      T1195.002: Compromise Software Supply Chain 0.6%
    T1199: Trusted Relationship 0.8%
    T1091: Replication Through Removable Media 0.6%
    T1200: Hardware Additions 0.2%

Establish Foothold
  Persistence
    T1543: Create or Modify System Process 28.3%
      T1543.003: Windows Service 16.7%
      T1543.002: Systemd Service 0.9%
      T1543.004: Launch Daemon 0.4%
      T1543.001: Launch Agent 0.2%
    T1098: Account Manipulation 18.6%
      T1098.005: Device Registration 2.1%
      T1098.004: SSH Authorized Keys 1.7%
      T1098.001: Additional Cloud Credentials 0.4%
    T1053: Scheduled Task/Job 18.0%
      T1053.005: Scheduled Task 14.8%
      T1053.003: Cron 1.7%
    T1003: OS Credential Dumping 16.9%
      T1003.003: NTDS 7.1%
      T1003.001: LSASS Memory 5.4%
      T1003.002: Security Account Manager 3.0%
      T1003.008: /etc/passwd and /etc/shadow 2.4%
      T1003.006: DCSync 0.4%
      T1003.004: LSA Secrets 0.2%
    T1505: Server Software Component 14.4%
      T1505.003: Web Shell 14.3%
      T1505.001: SQL Stored Procedures 0.2%
      T1505.004: IIS Components 0.2%
    T1136: Create Account 11.8%
      T1136.001: Local Account 5.4%
      T1136.002: Domain Account 1.1%
      T1136.003: Cloud Account 0.6%
    T1574: Hijack Execution Flow 10.3%
      T1574.011: Services Registry Permissions Weakness 8.6%
      T1574.002: DLL Side-Loading 1.1%
      T1574.001: DLL Search Order Hijacking 0.4%
      T1574.008: Path Interception by Search Order Hijacking 0.4%
      T1574.006: Dynamic Linker Hijacking 0.2%
    T1547: Boot or Logon Autostart Execution 9.6%
      T1547.001: Registry Run Keys/Startup Folder 7.1%
      T1547.009: Shortcut Modification 2.6%
      T1547.004: Winlogon Helper DLL 0.4%
      T1547.011: Plist Modification 0.2%
    T1552: Unsecured Credentials 8.8%
      T1552.002: Credentials in Registry 2.4%
      T1552.004: Private Keys 1.7%
      T1552.001: Credentials In Files 1.3%
      T1552.003: Bash History 0.9%
      T1552.006: Group Policy Preferences 0.8%
    T1056: Input Capture 8.1%
      T1056.001: Keylogging 7.5%
      T1056.002: GUI Input Capture 0.6%
      T1056.003: Web Portal Capture 0.2%
    T1110: Brute Force 7.3%
      T1110.001: Password Guessing 2.8%
      T1110.003: Password Spraying 1.1%
      T1110.004: Credential Stuffing 0.8%
    T1555: Credentials from Password Stores 5.4%
      T1555.003: Credentials from Web Browsers 3.2%
      T1555.004: Windows Credential Manager 2.8%
      T1555.006: Cloud Secrets Management Stores 0.9%
      T1555.005: Password Managers 0.8%
      T1555.001: Keychain 0.2%
    T1546: Event Triggered Execution 3.4%
      T1546.003: Windows Management Instrumentation Event Subscription 2.8%
      T1546.008: Accessibility Features 0.4%
      T1546.010: AppInit DLLs 0.2%
      T1546.015: Component Object Model Hijacking 0.2%
    T1111: Multi-Factor Authentication Interception 3.2%
    T1558: Steal or Forge Kerberos Tickets 3.2%
      T1558.003: Kerberoasting 1.7%
    T1556: Modify Authentication Process 1.7%
      T1556.006: Multi-Factor Authentication 1.1%
      T1556.002: Password Filter DLL 0.2%
      T1556.003: Pluggable Authentication Modules 0.2%
    T1037: Boot or Logon Initialization Scripts 0.9%
      T1037.004: RC Scripts 0.6%
    T1187: Forced Authentication 0.8%
    T1539: Steal Web Session Cookie 0.8%
    T1649: Steal or Forge Authentication Certificates 0.4%
    T1557: Adversary-in-the-Middle 0.2%
      T1557.001: LLMNR/NBT-NS Poisoning and SMB Relay 0.2%
    T1621: Multi-Factor Authentication Request Generation 0.2%

Escalate Privileges
  Privilege Escalation
    T1543: Create or Modify System Process 28.3%
      T1543.003: Windows Service 16.7%
      T1543.002: Systemd Service 0.9%
      T1543.004: Launch Daemon 0.4%
      T1543.001: Launch Agent 0.2%
    T1055: Process Injection 25.1%
      T1055.003: Thread Execution Hijacking 1.3%
      T1055.004: Asynchronous Procedure Call 0.9%
      T1055.001: Dynamic-link Library Injection 0.8%
      T1055.002: Portable Executable Injection 0.4%
      T1055.012: Process Hollowing 0.4%
    T1053: Scheduled Task/Job 18%
      T1053.005: Scheduled Task 14.8%
      T1053.003: Cron 1.7%
    T1134: Access Token Manipulation 13.7%
      T1134.001: Token Impersonation/Theft 4.9%
      T1134.004: Parent PID Spoofing 0.6%
    T1547: Boot or Logon Autostart Execution 9.6%
      T1547.001: Registry Run Keys/Startup Folder 7.1%
      T1547.009: Shortcut Modification 2.6%
      T1547.004: Winlogon Helper DLL 0.4%
      T1547.011: Plist Modification 0.2%
    T1546: Event Triggered Execution 3.4%
      T1546.003: Windows Management Instrumentation Event Subscription 2.8%
      T1546.008: Accessibility Features 0.4%
      T1546.010: AppInit DLLs 0.2%
      T1546.015: Component Object Model Hijacking 0.2%
    T1484: Domain Policy Modification 1.5%
      T1484.001: Group Policy Modification 1.5%
    T1037: Boot or Logon Initialization Scripts 0.9%
      T1037.004: RC Scripts 0.6%
    T1548: Abuse Elevation Control Mechanism 0.8%
      T1548.002: Bypass User Account Control 0.8%
    T1068: Exploitation for Privilege Escalation 0.6%

Internal Reconnaissance
  Discovery
    T1083: File and Directory Discovery 38.6%
    T1082: System Information Discovery 37.1%
    T1033: System Owner/User Discovery 31.7%
    T1087: Account Discovery 28.1%
      T1087.002: Domain Account 15.0%
      T1087.001: Local Account 10.5%
      T1087.004: Cloud Account 0.8%
    T1012: Query Registry 24.8%
    T1016: System Network Configuration Discovery 23.5%
      T1016.001: Internet Connection Discovery 5.3%
    T1622: Debugger Evasion 21.8%
    T1057: Process Discovery 18.9%
    T1003: OS Credential Dumping 16.9%
      T1003.003: NTDS 7.1%
      T1003.001: LSASS Memory 5.4%
      T1003.002: Security Account Manager 3.0%
      T1003.008: /etc/passwd and /etc/shadow 2.4%
      T1003.006: DCSync 0.4%
      T1003.004: LSA Secrets 0.2%
    T1518: Software Discovery 16.3%
      T1518.001: Security Software Discovery 1.3%
    T1614: System Location Discovery 15.9%
      T1614.001: System Language Discovery 9.6%
    T1069: Permission Groups Discovery 14.8%
      T1069.002: Domain Groups 11.1%
      T1069.001: Local Groups 1.3%
      T1069.003: Cloud Groups 1.1%
    T1482: Domain Trust Discovery 12.6%
    T1497: Virtualization/Sandbox Evasion 12.2%
      T1497.001: System Checks 10.1%
    T1007: System Service Discovery 11.4%
    T1552: Unsecured Credentials 8.8%
      T1552.002: Credentials in Registry 2.4%
      T1552.004: Private Keys 1.7%
      T1552.001: Credentials In Files 1.3%
      T1552.003: Bash History 0.9%
      T1552.006: Group Policy Preferences 0.8%
    T1049: System Network Connections Discovery 8.1%
    T1056: Input Capture 8.1%
      T1056.001: Keylogging 7.5%
      T1056.002: GUI Input Capture 0.6%
      T1056.003: Web Portal Capture 0.2%
    T1110: Brute Force 7.3%
      T1110.001: Password Guessing 2.8%
      T1110.003: Password Spraying 1.1%
      T1110.004: Credential Stuffing 0.8%
    T1010: Application Window Discovery 7.1%
    T1135: Network Share Discovery 6.8%
    T1555: Credentials from Password Stores 5.4%
      T1555.003: Credentials from Web Browsers 3.2%
      T1555.004: Windows Credential Manager 2.8%
      T1555.006: Cloud Secrets Management Stores 0.9%
      T1555.005: Password Managers 0.8%
      T1555.001: Keychain 0.2%
    T1046: Network Service Discovery 3.4%
    T1111: Multi-Factor Authentication Interception 3.2%
    T1558: Steal or Forge Kerberos Tickets 3.2%
      T1558.003: Kerberoasting 1.7%
    T1018: Remote System Discovery 2.8%
    T1556: Modify Authentication Process 1.7%
      T1556.006: Multi-Factor Authentication 1.1%
      T1556.002: Password Filter DLL 0.2%
      T1556.003: Pluggable Authentication Modules 0.2%
    T1580: Cloud Infrastructure Discovery 1.5%
    T1124: System Time Discovery 1.3%
    T1619: Cloud Storage Object Discovery 1.3%
    T1040: Network Sniffing 0.8%
    T1615: Group Policy Discovery 0.8%
    T1187: Forced Authentication 0.8%
    T1539: Steal Web Session Cookie 0.8%
    T1526: Cloud Service Discovery 0.6%
    T1120: Peripheral Device Discovery 0.4%
    T1201: Password Policy Discovery 0.4%
    T1538: Cloud Service Dashboard 0.4%
    T1649: Steal or Forge Authentication Certificates 0.4%
    T1217: Browser Bookmark Discovery 0.2%
    T1557: Adversary-in-the-Middle 0.2%
      T1557.001: LLMNR/NBT-NS Poisoning and SMB Relay 0.2%
    T1621: Multi-Factor Authentication Request Generation 0.2%

Lateral Movement
  Lateral Movement
    T1021: Remote Services 37.3%
      T1021.001: Remote Desktop Protocol 28.3%
      T1021.004: SSH 10.3%
      T1021.002: SMB/Windows Admin Shares 10.1%
      T1021.006: Windows Remote Management 1.3%
      T1021.005: VNC 0.8%
    T1570: Lateral Tool Transfer 2.3%
    T1563: Remote Service Session Hijacking 2.1%
      T1563.002: RDP Hijacking 0.4%
    T1550: Use Alternate Authentication Material 1.7%
      T1550.001: Application Access Token 1.1%
      T1550.002: Pass the Hash 0.6%
      T1550.004: Web Session Cookie 0.2%
    T1534: Internal Spearphishing 0.6%
    T1091: Replication Through Removable Media 0.6%
    T1072: Software Deployment Tools 0.2%
    T1080: Taint Shared Content 0.2%

Maintain Presence
  Persistence
    T1027: Obfuscated Files or Information 46.5%
      T1027.009: Embedded Payloads 9.6%
      T1027.002: Software Packing 8.6%
      T1027.010: Command Obfuscation 3.9%
      T1027.004: Compile After Delivery 1.3%
      T1027.005: Indicator Removal from Tools 0.4%
      T1027.001: Binary Padding 0.2%
      T1027.003: Steganography 0.2%
      T1027.008: Stripped Payloads 0.2%
    T1070: Indicator Removal 35.1%
      T1070.004: File Deletion 26.6%
      T1070.009: Clear Persistence 9.0%
      T1070.006: Timestomp 7.1%
      T1070.001: Clear Windows Event Logs 5.6%
      T1070.007: Clear Network Connection History and Configurations 3.4%
      T1070.005: Network Share Connection Removal 1.1%
      T1070.003: Clear Command History 0.6%
      T1070.002: Clear Linux or Mac System Logs 0.4%
      T1070.008: Clear Mailbox Data 0.2%
    T1140: Deobfuscate/Decode Files or Information 31.5%
    T1543: Create or Modify System Process 28.3%
      T1543.003: Windows Service 16.7%
      T1543.002: Systemd Service 0.9%
      T1543.004: Launch Daemon 0.4%
      T1543.001: Launch Agent 0.2%
    T1112: Modify Registry 26.5%
    T1564: Hide Artifacts 19.5%
      T1564.003: Hidden Window 14.8%
      T1564.001: Hidden Files and Directories 4.7%
      T1564.008: Email Hiding Rules 2.1%
      T1546.008: Accessibility Features 0.4%
      T1564.011: Ignore Process Interrupts 0.2%
    T1562: Impair Defenses 18.6%
      T1562.001: Disable or Modify Tools 13.3%
      T1562.004: Disable or Modify System Firewall 7.9%
      T1562.002: Disable Windows Event Logging 4.3%
      T1562.010: Downgrade Attack 0.9%
      T1562.003: Impair Command History Logging 0.9%
      T1562.009: Safe Mode Boot 0.2%
    T1053: Scheduled Task/Job 18.0%
    T1218: System Binary Proxy Execution 16.1%
      T1218.011: Rundll32 12.9%
      T1218.010: Regsvr32 1.7%
      T1218.005: Mshta 1.3%
      T1218.007: Msiexec 0.9%
      T1218.014: MMC 0.4%
      T1218.001: Compiled HTML File 0.2%
    T1036: Masquerading 11.8%
      T1036.001: Invalid Code Signature 6.8%
      T1036.008: Masquerade File Type 0.8%
      T1036.005: Match Legitimate Name or Location 0.8%
      T1036.003: Rename System Utilities 0.2%
    T1547: Boot or Logon Autostart Execution 9.6%
      T1547.001: Registry Run Keys/Startup Folder 7.1%
      T1547.009: Shortcut Modification 2.6%
      T1547.004: Winlogon Helper DLL 0.4%
      T1547.011: Plist Modification 0.2%
    T1202: Indirect Command Execution 8.6%
    T1620: Reflective Code Loading 8.6%
    T1222: File and Directory Permissions Modification 7.9%
      T1222.002: Linux and Mac File and Directory Permissions Modification 4.1%
      T1222.001: Windows File and Directory Permissions Modification 1.1%
    T1546: Event Triggered Execution 3.4%
      T1546.003: Windows Management Instrumentation Event Subscription 2.8%
      T1564.010: Process Argument Spoofing 0.2%
      T1546.010: AppInit DLLs 0.2%
      T1546.015: Component Object Model Hijacking 0.2%
    T1556: Modify Authentication Process 1.7%
      T1556.006: Multi-Factor Authentication 1.1%
      T1556.002: Password Filter DLL 0.2%
      T1556.003: Pluggable Authentication Modules 0.2%
    T1037: Boot or Logon Initialization Scripts 0.9%
      T1037.004: RC Scripts 0.6%
    T1006: Direct Volume Access 0.8%
    T1553: Subvert Trust Controls 0.8%
      T1553.002: Code Signing 0.6%
      T1553.005: Mark-of-the-Web Bypass 0.2%
    T1578: Modify Cloud Compute Infrastructure 0.6%
      T1578.002: Create Cloud Instance 0.6%
      T1578.005: Modify Cloud Compute Configurations 0.2%
    T1207: Rogue Domain Controller 0.4%
    T1014: Rootkit 0.4%
    T1480: Execution Guardrails 0.2%
    T1601: Modify System Image 0.2%
      T1601.001: Patch System Image 0.2%
    T1647: Plist File Modification 0.2%
    T1127: Trusted Developer Utilities Proxy Execution 0.2%
      T1127.001: MSBuild 0.2%
    T1220: XSL Script Processing 0.2%

Mission Completion
  Collection
    T1213: Data from Information Repositories 16.7%
      T1213.002: Sharepoint 8.4%
      T1213.001: Confluence 0.4%
      T1213.003: Code Repositories 0.2%
    T1560: Archive Collected Data 14.6%
      T1560.001: Archive via Utility 7.5%
      T1560.002: Archive via Library 0.8%
    T1056: Input Capture 8.1%
      T1056.001: Keylogging 7.5%
      T1056.002: GUI Input Capture 0.6%
      T1056.003: Web Portal Capture 0.2%
    T1074: Data Staged 5.4%
      T1074.001: Local Data Staging 4.7%
      T1074.002: Remote Data Staging 0.4%
    T1115: Clipboard Data 5.3%
    T1113: Screen Capture 4.7%
    T1125: Video Capture 3.9%
    T1114: Email Collection 2.4%
      T1114.002: Remote Email Collection 0.6%
      T1114.001: Local Email Collection 0.2%
    T1039: Data from Network Shared Drive 1.7%
    T1005: Data from Local System 0.8%
    T1530: Data from Cloud Storage 0.6%
    T1602: Data from Configuration Repository 0.4%
      T1602.002: Network Device Configuration Dump 0.4%
    T1119: Automated Collection 0.2%
    T1123: Audio Capture 0.2%
    T1557: Adversary-in-the-Middle 0.2%
      T1557.001: LLMNR/NBT-NS Poisoning and SMB Relay 0.2%
  Exfiltration
    T1567: Exfiltration Over Web Service 5.6%
      T1567.002: Exfiltration to Cloud Storage 2.4%
      T1567.003: Exfiltration to Text Storage Sites 0.2%
    T1041: Exfiltration Over C2 Channel 3.6%
    T1020: Automated Exfiltration 1.1%
    T1052: Exfiltration Over Physical Medium 0.2%
      T1052.001: Exfiltration over USB 0.2%
  Impact
    T1486: Data Encrypted for Impact 25.5%
    T1489: Service Stop 15.9%
    T1657: Financial Theft 7.9%
    T1529: System Shutdown/Reboot 6.9%
    T1490: Inhibit System Recovery 5.8%
    T1485: Data Destruction 2.8%
    T1496: Resource Hijacking 2.3%
    T1565: Data Manipulation 2.3%
      T1565.001: Stored Data Manipulation 2.3%
    T1531: Account Access Removal 1.7%
    T1491: Defacement 1.1%
      T1491.002: External Defacement 0.2%
    T1561: Disk Wipe 0.6%
      T1561.001: Disk Content Wipe 0.4%
    T1498: Network Denial of Service 0.2%
      T1498.001: Direct Network Flood 0.2%
    T1499: Endpoint Denial of Service 0.2%

Articles

Chinese Espionage Operations Targeting The Visibility Gap

Endpoint detection and response (EDR) platforms have become commonplace among companies seeking to expand the visibility into endpoint activity necessary to provide a baseline of security monitoring. This increase in visibility has forced attackers to evolve in order to maintain operational efficacy. While some attackers have invested in EDR bypass techniques, others have instead chosen to focus on areas of the corporate environment where in-depth visibility remains uncommon. While EDR agents have become a standard part of security deployments, many specialized appliances that either segment or host assets critical to the organization often lack similar levels of visibility. These systems have become a new preferred safe haven for attackers, since the gap in visibility enables them to maintain long-term persistence with a lower risk of detection. Common examples of devices that rarely support EDR deployment are firewalls, email filtering products, virtualization platforms, and virtual private network (VPN) solutions. To further complicate matters, the platforms on which these appliances are built may be proprietary or otherwise locked down, such that forensic analysis efforts are hindered.

Exploits for these devices are exceedingly valuable to attackers, primarily because they typically require no user interaction to succeed, which helps to minimize the chance of detection. If an attacker possesses an exploit for a zero-day vulnerability on these devices, they are often able to gain access to a target environment and remain undetected for an extended period of time. Furthermore, the attacker can use the exploit to gain access to additional targets or to reestablish access to the same target if it is disrupted.

Mandiant observed a range of attackers targeting devices that matched this profile in 2023. Sandworm[24] continued to leverage access via compromised network edge infrastructure to enable its wartime operations in Ukraine. The financially motivated group FIN11[25] exploited a zero-day in MOVEit Transfer software to steal data as part of its data theft extortion operations. In the past year alone, Mandiant has investigated several high-profile cases of suspected Chinese espionage operations leveraging zero-day and n-day vulnerabilities to target systems where visibility has been difficult to instrument.

Custom Malware for Edge Devices

Security and networking devices that sit at the logical perimeter of a network and host services on the internet are often referred to as "edge devices." Mandiant has observed a trend in which China-nexus attackers have gained access to edge devices via exploitation of vulnerabilities,
particularly zero-days, and subsequently deployed custom malware ecosystems. These malware ecosystems have typically consisted of several distinct code families that attackers operate in unison, and they are usually custom developed or tailored for the target edge device and its underlying operating system. Developing malware for these managed appliances is a non-trivial task. Vendors typically do not give appliance owners or users direct access to the operating system or filesystem. In order to operationalize attacks within this class of platform, attackers must maintain a resource-intensive malware development lifecycle that, by necessity, demands flexibility and a high degree of technical acumen. While this process requires a substantial investment, it also produces clear results when leveraged successfully by attackers.

Remaining Undetected

In general, custom malware may go undetected for long periods of time, since there are unlikely to be specific detections in place for it. This is particularly true for edge devices, where network defenders may have little to no means of monitoring and detecting malware activity. Malware authors may also take special care to ensure that the malware hinders forensic investigation by circumventing or clearing the logging systems in place on the device. Even after the malware has been discovered and exposed by the security community, it is often a non-trivial task for a device owner to identify whether they have been impacted, since off-the-shelf security products typically do not support edge devices. Furthermore, exploitation attempts against zero-day vulnerabilities sometimes leave little or no reliable evidence behind. This is often exacerbated by the fact that the attack may have occurred months or even years prior to detection. Additionally, traditional forensic techniques are often difficult to apply because these devices are typically kept under tight control by manufacturers, adding to the already complex nature of investigating these types of compromises.

Zero-day: Vulnerabilities disclosed before patches are made available.
N-day: Vulnerabilities first exploited after patches were made available.

Example: BOLDMOVE

BOLDMOVE is a backdoor used by suspected Chinese espionage groups that has both Windows and Linux variants containing a core set of features. Mandiant identified a custom variant of the Linux version of BOLDMOVE, which contained an extended set of features to remain undetected on Fortinet devices. This variant of BOLDMOVE disabled the miglogd and syslogd logging daemons on the appliance, and contained a command to patch the memory address space of these logging functions. These customizations of the BOLDMOVE backdoor are suspected to have enabled the attacker to remain undetected for a longer period of time than would otherwise have been possible through traditional means.

Reduced Complexity, Increased Reliability

Edge devices such as email security gateway appliances and VPNs are typically high-availability devices that run for months or years at a time without being rebooted. As such, many of these devices are put through rigorous testing regimes by the manufacturer during development to ensure their stability.
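A defender-side counterpart to the BOLDMOVE log tampering described above: once a backdoor can stop miglogd and syslogd, the appliance's own logs cannot be trusted, so the check has to live off-box, on the collector that should be receiving the appliance's forwarded syslog. The Python below is an added example, not code from the report or from any vendor; it replays constructed syslog lines from hypothetical appliances (fw01, esg01, vpn01) and flags a stream that falls silent relative to its own established cadence, as well as an inventoried device that sent nothing at all.

```python
import re
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List, Optional, Tuple

# Off-box check for the failure mode in the BOLDMOVE example: if malware stops the
# appliance's logging daemons, the trustworthy signal is the absence of the forwarded
# log stream at the collector. Example code, not from the report or any vendor.

# RFC 3164-style prefix as received by a collector: "<PRI>Mon dd hh:mm:ss hostname ...".
# The year is not carried in this format, so the caller supplies it.
LINE_RE = re.compile(
    r"^<\d{1,3}>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)


def parse_line(line: str, year: int) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, hostname) for a syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def silence_alerts(
    lines: Iterable[str],
    inventory: Iterable[str],
    year: int,
    window_end: datetime,
    min_gap: timedelta = timedelta(minutes=30),
    factor: float = 10.0,
) -> List[Tuple[str, str]]:
    """Flag inventoried appliances whose forwarded syslog stream stopped.

    A device is flagged when it sent nothing in the window, or when a gap (including
    the gap from its last message to window_end) exceeds max(min_gap, factor * its
    median inter-arrival time), so chatty firewalls and quiet gateways get their own
    thresholds instead of one global timeout.
    """
    arrivals: Dict[str, List[datetime]] = {host: [] for host in inventory}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is not None and parsed[1] in arrivals:
            arrivals[parsed[1]].append(parsed[0])

    alerts: List[Tuple[str, str]] = []
    for host, stamps in arrivals.items():
        if not stamps:
            alerts.append((host, "no syslog received in window"))
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        typical = median(gaps) if gaps else min_gap
        threshold = max(min_gap, typical * factor)
        # Interior gaps: the stream stopped and later resumed (daemon killed, then restored).
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > threshold:
                alerts.append((host, f"gap of {later - earlier} after {earlier:%b %d %H:%M:%S}"))
        # Trailing gap: the stream stopped and has not come back by the end of the window.
        if window_end - stamps[-1] > threshold:
            alerts.append((host, f"silent since {stamps[-1]:%b %d %H:%M:%S}"))
    return alerts


# Constructed sample: fw01 logs every minute and then stops at 10:09; esg01 logs every
# five minutes through the end of the window; vpn01 is inventoried but never logs.
SAMPLE_LINES = [
    f"<134>Mar 14 10:0{i}:00 fw01 kernel: accepted tcp 10.0.0.{i}:5{i}000 -> 10.0.1.5:443"
    for i in range(10)
] + [
    f"<134>Mar 14 {h:02d}:{m:02d}:00 esg01 smtpd: message queued"
    for h in (10, 11) for m in range(0, 60, 5)
]
INVENTORY = ["fw01", "esg01", "vpn01"]
WINDOW_END = datetime(2023, 3, 14, 12, 0, 0)

if __name__ == "__main__":
    for host, why in silence_alerts(SAMPLE_LINES, INVENTORY, 2023, WINDOW_END):
        print(f"ALERT {host}: {why}")
```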

China-nexus malware developers take advantage of the built-in functionality included in these systems, which benefits them in several ways. In general, leveraging native capabilities enables attackers to reduce the overall complexity of the malware by instead weaponizing existing features that have been rigorously tested by the vendor. For example, for devices that use proprietary software components such as custom file formats or configuration files, attackers may be able to leverage built-in functions to parse or process these files rather than developing their own implementation. This concept is analogous to living-off-the-land, and it is particularly effective on edge devices since these native device operations are likely not being monitored by network defenders and, as such, may go unnoticed.

Example: THINCRUST

During an UNC3886 compromise, Mandiant discovered a backdoor deployed to FortiAnalyzer and FortiManager devices, named THINCRUST, which disguised its command and control (C2) communications as legitimate API calls to the devices. UNC3886, a suspected Chinese espionage group, appended the Python-based backdoor code to the legitimate web framework files responsible for providing the API interface for the appliance. This gave UNC3886 the ability to harness the native API implementation to access and send commands to THINCRUST simply by interacting with a new endpoint URL that it had added. By leveraging existing capabilities built into the appliance, UNC3886 was able to simplify its malware while maintaining the reliability necessary for continued operations.

Tailored Capabilities and Smaller Footprint

Custom malware for edge devices may include only the capabilities required to achieve the attacker's mission objectives. Malware used to exploit vulnerabilities may never be used again once the vulnerabilities
322、are discovered and patched,as the cost to maintain and repurpose the code often outweighs the benefits.By developing relatively simple malware that serves only to provide the attackers with the desired functionality on the target device,attackers are able to achieve their goals while minimizing thei

323、r overall footprint.In the same vein,the requirement for complex obfuscation is likely lessened since the primary objective of the attacker is to remain undetected entirely,rather than hinder the analysis of the malware once it has been discovered.By the time the malware is discovered,the vulnerabil

324、ity and campaign would have already been exposed,and the attackers operations typically come to a close.Example:TABLEFLIPAfter losing access to a FortiManager device during one incident due to access control lists change,UNC3886 adapted to the situation by deploying a network traffic redirection uti

325、lity named TABLEFLIP.TABLEFLIP passively listens on all active interfaces for specialized command packets that contain an XOR encoded IP address and port to redirect traffic to using iptables commands.UNC3886 deployed TABLEFLIP alongside the publicly available REPTILE rootkit to act as a reverse she

326、ll,and successfully gained access back to the FortiManager device.The ability to produce purpose-built malware in response to changes in an ongoing operation places defenders at a disadvantage when facing capable and agile attackers with nation-state backing.Living off the land:Attacker use of legit

327、imate,pre-installed tools and software within a target environment,notably to evade detection.Special Report:Mandiant M-Trends 202463Attribution ChallengesCustom malware developed for edge devices may stifle attribution for cyber threat intelligence analysts.These malware families,and potentially th

328、e entire ecosystem,could be almost entirely unique when compared to existing malware because of the target operating system and tailored capabilities.As such,they may not contain code or other overlaps analysts traditionally find between related malware families that contribute to the technical attr

329、ibution analysis.Example:SEASPRAY and WHIRLPOOLSEASPRAY is a launcher written in Lua that UNC4841 injected into legitimate Barracuda Email Security Gateway(ESG)modules.SEASPRAY registers an event handler for incoming emails,and launches an external binary,which Mandiant tracks as WHIRLPOOL,when cert

330、ain markers are present.WHIRLPOOL is a simple TLS reverse shell utility that receives a C2 IP address and port to connect to from SEASPRAY at runtime.Because SEASPRAY was a relatively simple implementation that consisted of a few lines of code that were specific to the Barracuda ESG appliances,it di

331、d not offer much value in terms of attribution.Similarly,WHIRLPOOL was a simple and generic TLS reverse shell that did not contain any embedded C2 server information that could be analyzed.Usage of such malware on edge devices presented significant challenges for analysts performing attribution anal

332、ysis.In-Depth Knowledge of Edge DevicesMandiant has observed several instances where China-nexus attackers demonstrated a high level of in-depth knowledge when targeting edge devices.The degree of knowledge spanned not only the malware used during the attack,but also the zero-day vulnerabilities use

333、d to gain access to these devices.Example:DEPTHCHARGEDEPTHCHARGE is a passive backdoor that Mandiant observed UNC4841 begin to deploy about one week after Barracudas initial public notification of the ESG zero-day campaign.This was followed by more rapid deployment to what Mandiant assessed were high-value targets,once Barracuda announced plans to replace affected devices.The timing of the acceler
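The BOLDMOVE variant described above earned its dwell time by silencing the appliance's own logging daemons, so a defender-side control is to treat a log source going quiet as an alert in its own right rather than as a benign outage. The following Python check is an added example, not code from the report or from any vendor tooling: it compares the last record seen per host against an asset inventory of devices that are supposed to be logging. The syslog records, host names and inventory are constructed placeholders, and the 15-minute threshold is an assumed value that a real deployment would tune per device class.

```python
"""Added example: detect an edge device whose syslog feed has gone silent."""
from datetime import datetime, timedelta

# Constructed sample: (ISO timestamp, source host, message) as stored by a
# central collector. Host names are placeholders, not real assets.
SAMPLE_RECORDS = [
    ("2024-01-10T08:00:05", "fw-edge-01", "admin login from mgmt network"),
    ("2024-01-10T08:00:09", "vpn-gw-02", "tunnel up"),
    ("2024-01-10T08:05:00", "fw-edge-01", "policy 12 hit"),
    ("2024-01-10T08:10:00", "vpn-gw-02", "tunnel keepalive"),
    ("2024-01-10T08:20:00", "vpn-gw-02", "tunnel keepalive"),
    ("2024-01-10T08:25:00", "vpn-gw-02", "tunnel keepalive"),
    # fw-edge-01 produces nothing after 08:05 although it is still serving traffic
]

# Constructed asset inventory: every appliance that is supposed to log.
# Checking against an inventory rather than against hosts seen in the logs is
# what catches a device whose logging was disabled before any record arrived.
EXPECTED_SOURCES = {"fw-edge-01", "vpn-gw-02", "mail-gw-03"}


def find_silent_sources(records, expected, now, max_gap):
    """Return {host: reason} for each expected host that is not logging.

    A host is reported if it has never logged, or if its most recent record
    is older than `max_gap` relative to `now`.
    """
    last_seen = {}
    for ts, host, _msg in records:
        seen = datetime.fromisoformat(ts)
        if host not in last_seen or seen > last_seen[host]:
            last_seen[host] = seen

    silent = {}
    for host in sorted(expected):
        if host not in last_seen:
            silent[host] = "no records received"
        elif now - last_seen[host] > max_gap:
            silent[host] = "last record " + last_seen[host].isoformat()
    return silent


def check_sample(now_iso="2024-01-10T08:30:00", max_gap_minutes=15):
    """Run the check on the constructed sample; the threshold is an assumed value."""
    return find_silent_sources(
        SAMPLE_RECORDS,
        EXPECTED_SOURCES,
        datetime.fromisoformat(now_iso),
        timedelta(minutes=max_gap_minutes),
    )


if __name__ == "__main__":
    for host, reason in check_sample().items():
        print(f"ALERT logging gap on {host}: {reason}")
```

On the constructed sample the check reports fw-edge-01 (last record 25 minutes old) and mail-gw-03 (never seen), while vpn-gw-02 is quiet for only five minutes and passes. A heartbeat from the device's management plane, compared against its log volume, is the natural complement: a device that answers health probes but stops logging is the pattern the BOLDMOVE customizations produce.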
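THINCRUST was appended to legitimate web framework files rather than dropped as a new binary, which is precisely the change a file-integrity baseline can surface even when the appended code itself looks ordinary. The Python below is an added example (not the report's code and not any vendor's integrity checker): it compares a current file set against a known-good manifest and distinguishes files that were appended to (original bytes intact as a prefix) from files edited elsewhere, added or removed, so an analyst can pull out exactly the appended tail. The file paths and contents are constructed placeholders, and the function names are my own.

```python
"""Added example: detect legitimate files that had code appended to them."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Manifest {path: (sha256, size)}. In practice this comes from a pristine
    firmware image or vendor-published hashes, never from the suspect device."""
    return {path: (sha256(data), len(data)) for path, data in files.items()}


def classify_changes(baseline, current):
    """Compare current file contents against the manifest.

    Returns {path: status} where status is one of: unchanged, appended
    (original bytes intact as a prefix with extra bytes after them),
    modified, missing, new.
    """
    status = {}
    for path, (digest, size) in baseline.items():
        if path not in current:
            status[path] = "missing"
            continue
        data = current[path]
        if sha256(data) == digest:
            status[path] = "unchanged"
        elif len(data) > size and sha256(data[:size]) == digest:
            status[path] = "appended"
        else:
            status[path] = "modified"
    for path in current:
        if path not in baseline:
            status[path] = "new"
    return status


def appended_tail(baseline, current, path):
    """Return the bytes appended to `path`, for analyst review."""
    _digest, size = baseline[path]
    return current[path][size:]


# Constructed placeholder file set standing in for an appliance's web framework.
PRISTINE = {
    "web/api/handlers.py": b"def list_devices(request):\n    return json_response(devices())\n",
    "web/api/routes.py": b"ROUTES = {'/api/devices': list_devices}\n",
    "web/static/app.js": b"console.log('ui loaded');\n",
}

# Constructed "observed" state: one file appended to, one edited in place,
# one removed, one new. The appended text is a harmless placeholder.
OBSERVED = {
    "web/api/handlers.py": PRISTINE["web/api/handlers.py"]
    + b"\n# constructed placeholder for an appended block\ndef extra(request):\n    return None\n",
    "web/api/routes.py": b"ROUTES = {'/api/devices': list_devices, '/api/extra': extra}\n",
    "web/api/__pycache__/handlers.cpython-39.pyc": b"\x00\x00",
}


def check_sample():
    """Classify the constructed observed state against the pristine manifest."""
    return classify_changes(build_baseline(PRISTINE), OBSERVED)


if __name__ == "__main__":
    baseline = build_baseline(PRISTINE)
    for path, state in sorted(check_sample().items()):
        print(f"{state:9} {path}")
        if state == "appended":
            print(appended_tail(baseline, OBSERVED, path).decode())
```

The "appended" class is the useful one for this technique: a route table edited in the middle shows up only as "modified", but a handler file whose original content still hashes correctly as a prefix tells the analyst where the new code starts without a line-by-line diff.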
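TABLEFLIP steered traffic with iptables rules, so auditing a device's NAT table for DNAT rules that point outside the expected address ranges is a concrete check to run during triage of an edge appliance. This parser of `iptables-save` output is an added example, not the report's code; the dump and the allowed network list are constructed, and the `find_suspicious_redirects` name is my own.

```python
"""Added example: audit iptables NAT rules for redirects to unexpected hosts."""
import ipaddress
import shlex

# Constructed iptables-save dump (not from any real device). The second
# PREROUTING rule sends port 2222 to an address outside the management range.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.20.0.15:8443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 203.0.113.77:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed allowlist: the only networks a DNAT on this device may point at.
ALLOWED_DNAT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]


def parse_nat_rules(dump):
    """Return (chain, jump_target, to_destination, raw_line) for every
    -A rule inside the *nat table of an iptables-save dump."""
    table = None
    rules = []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "nat" and line.startswith("-A "):
            toks = shlex.split(line)
            chain = toks[1]
            jump = toks[toks.index("-j") + 1] if "-j" in toks else None
            dest = toks[toks.index("--to-destination") + 1] if "--to-destination" in toks else None
            rules.append((chain, jump, dest, line))
    return rules


def destination_address(dest):
    """Extract the first IPv4 address from a --to-destination value, which may
    be 'addr', 'addr:port', 'addr:port-port' or 'addr-addr'."""
    host = dest.split(":", 1)[0]   # IPv4 form only; IPv6 targets use [addr]:port
    host = host.split("-", 1)[0]   # take the start of an address range
    return ipaddress.ip_address(host)


def find_suspicious_redirects(dump, allowed_networks):
    """Return the raw DNAT rules whose destination is outside the allowlist,
    plus any DNAT rule whose destination cannot be parsed."""
    flagged = []
    for _chain, jump, dest, raw in parse_nat_rules(dump):
        if jump != "DNAT":
            continue
        try:
            addr = destination_address(dest) if dest else None
        except ValueError:
            addr = None
        if addr is None or not any(addr in net for net in allowed_networks):
            flagged.append(raw)
    return flagged


if __name__ == "__main__":
    for rule in find_suspicious_redirects(SAMPLE_IPTABLES_SAVE, ALLOWED_DNAT_NETWORKS):
        print("SUSPICIOUS:", rule)
```

On the sample, only the rule forwarding port 2222 to 203.0.113.77 is flagged; the management-network DNAT and the MASQUERADE rule pass. Because a rootkit such as the REPTILE component deployed alongside TABLEFLIP can hide processes and files from the device itself, the dump is best collected out of band (from a forensic image or a trusted management path) rather than by running `iptables-save` on the suspect appliance and trusting the result.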
