Mandiant releases the M-Trends 2023 Report, which provides crucial threat intelligence straight from the field.

Mandiant Inc.'s M-Trends 2023 report was presented today. 

Now in its 14th year, this annual report offers up-to-date information and knowledgeable analysis of the constantly changing threat landscape based on Mandiant frontline investigations and remediations of global high-impact cyber-attacks.

The updated info shows how far organisations worldwide have come in fortifying their defences against more capable foes. 

While our industry is improving its cyber security, it is evident from M-Trends 2023 that we are up against constantly changing, highly advanced adversaries. 

A few trends from 2021, such as the growth of malware families and the rise of nation-state-backed actors engaging in cyberespionage, persisted in 2022. Organisations must continue vigilance and strengthen their cyber security posture with cutting-edge cyber defence capabilities. Continuous testing of overall response capabilities and validating cyber resilience against these most recent threats are equally important. Jurgen Kutscher, vice president of Mandiant Consulting at Google Cloud.

The average global stay time decreases to just over two weeks.

The global median dwell time, calculated as the median number of days an attacker is present in a target's environment before being detected, continues to decline year over year, down to 16 days in 2022, according to the M-Trends 2023 report. With a median global dwell time of 21 days in 2021, this is the shortest median dwell time across all M-Trends reporting periods. 

Mandiant observed a general increase in the number of organisations alerted by an external entity of historical or ongoing compromise when comparing how threats were detected. For example, an external entity notified organisations with their headquarters in the Americas in 55% of incidents, up from 40% of incidents the year before.

This region has had the highest percentage of external notifications in the Americas over the past six years. Similarly, in 74% of investigations in 2022 compared to 62% in 2021, organisations in Europe, the Middle East, and Africa (EMEA) were informed of an intrusion by an external entity.

Between 2021 and 2022, Mandiant experts noticed a decline in the proportion of their global investigations involving ransomware. Ransomware was a factor in 18% of studies in 2022 compared to 23% in 2021. Since before 2020, this represents the smallest percentage of Mandiant investigations involving ransomware. 

The slight decrease in ransomware-related attacks that we noticed may not have had a single cause, but several changes to the operating environment have probably played a role. These factors include—but are not limited to—ongoing government and law enforcement disruption efforts targeting ransomware services and individuals, which at the very least require actors to retool or forge new alliances; the conflict in Ukraine; actors needing to modify their initial access operations to a world where macros may frequently be disabled by default; and organisations possibly improving at detecting and preventing or recovering from ransomware ev Sandra Joyce, vice president of Mandiant Intelligence at Google Cloud.

Global Malware Families and Cyberespionage Rise 

Mandiant discovered significant information operations and cyber espionage before and after Russia's invasion of Ukraine on February 24, 2022. The fact that Mandiant observed UNC2589 and APT28 activity before the invasion of Ukraine and more destructive cyberattacks in Ukraine during the first four months of 2022 than in the previous eight years is particularly noteworthy.

Mandiant started monitoring 588 new malware families in 2022, demonstrating how adversaries continue diversifying their toolkits. The top five categories of newly discovered malware families were backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%) and launchers (5%). These malware classifications have stayed the same, and backdoors continue to make up just under one-third of the newly tracked malware families.

The most frequent malware family that Mandiant discovered during investigations was BEACON, a multipurpose backdoor, similar to previous years. BEACON was found in 15% of all intrusions that Mandiant investigated in 2022.

It continues to be the intrusion type that is most frequently discovered worldwide. It has been utilised by a wide range of threat groups that Mandiant has been tracking, including financial threat groups, over 700 UNC groups, and threat groups supported by nation-states such as Iran, China, and Russia. According to the report, BEACON's widespread availability and the malware's high degree of customizability and usability are likely responsible for its ubiquity. 

Mandiant has looked into several intrusions committed by recent adversaries who are becoming more competent and proficient. They use information from darknet markets for cybercrime, run convincing social engineering over voice and text messages, and even try to bribe employees to gain access to networks.

“Despite having vital security programmes, these organisations still face a significant risk from these groups because it is difficult to counter their tactics. Protecting against these threat actors should be one of the design objectives for organisations as they continue to develop their security teams, infrastructure, and capabilities”, Charles Carmakal, CTO at Google Cloud and Mandiant Consulting said.

M-Trends' mission is to provide security experts with information on the most recent attacker activity as observed firsthand on the front lines, backed by actionable intelligence to strengthen organisations' security postures in the face of a changing threat environment. Mandiant offers insight into some of the most prolific threat actors and their evolving tactics, techniques, and procedures to achieve this goal. 

A total of 2,300+ Mandiant techniques and subsequent findings have been linked to the ATT&CK framework due to Mandiant's mapping of an additional 150 Mandiant processes to the updated MITRE ATT&CK® framework to support this goal. Therefore, the likelihood that a particular technique will be used during an

intrusion should be considered when deciding which security measures to implement. 

The following are additional insights from the M-Trends 2023 Report:

Infection vector: At 32%, exploits continued to be adversaries' most widely used initial infection vector for the third consecutive year. Exploits continued to be a crucial weapon for adversaries to use against their targets, even though this decreased from the 37% of intrusions identified in 2021. The second most frequently used vector, phishing, represented 22% of intrusions compared to 12% in 2021.

Industries at risk: Government-related organisations' response efforts accounted for 25% of all investigations, in contrast to 9% in 2021. This mainly reflects Mandiant's support for the cyber threat activity directed at Ukraine. The following four most targeted sectors from 2022 align with what Mandiant experts saw in 2021, with competitors favouring the business & professional services, financial, high-tech, and healthcare sectors. These sectors remain prime targets for individuals with economic and espionage motives.

Credential theft: Mandiant investigations found that, compared to previous years, widespread information-stealing malware and the buying of credentials increased in 2022. Researchers have found that credentials were frequently stolen outside the organisation's environment and then used against it, possibly due to reused passwords or personal accounts on company-owned devices.

Data theft will be the adversaries' top priority in 40% of intrusions in 2022, according to Mandiant experts. Moreover, threat actors have been caught trying to steal or successfully completing data theft operations more frequently in 2022 than in previous years, according to Mandiant's defences. 

North Korea's Use of Crypto: In 2022, DPRK operators showed a greater interest in stealing—and using—cryptocurrency in addition to traditional intelligence collection missions and disruptive attacks. These operations have been very profitable and will probably continue throughout 2023. Check out Mandiant's APT43 report for more information on how North Korean threat actors use cybercrime to pay for their espionage activities. 

Before you go..

You can get RedWires AU for free right now. Your donation, no matter how big or small, will help us keep doing honest journalism.

The readers of Redwires AU are the engine that drives our publication. Add your support to the effort to create a sustainable future for journalism that does not make compromises in the AU.

In the world we live in now, accurate and thorough reporting and analysis are becoming more and more important. To stop the spread of false information, it's very important that everyone in Australia has access to good reporting.

The Redwires AU contributes to society by opening up access to information and resources for all people, rather than just a select few.

Our only goal is to educate the general public more thoroughly. If you believe in what we're trying to accomplish here, please consider making a contribution right away to ensure our success in the years to come.

Upgrade your subscription to get the most out of it. Join the growing number of people around the world who believe in the power of independent media.