Espionage groups from China and Russia are increasingly targeting peripheral devices such as VPN appliances, firewalls, routers, and Internet of Things (IoT) gadgets. The shift comes alongside a significant rise in espionage attacks, according to Mandiant, Google's security company.
The firm disclosed the findings as part of its annual report on the cyber incidents it investigated during the previous year.
Mandiant's Chief Technology Officer, Charles Carmakal, told Recorded Future News that espionage hackers from China and Russia have made a considerable change in strategy. Previously, the firm saw a repetitive pattern in which employees were targeted with malicious phishing emails carrying malware, which gave the attackers their initial access to the victim's systems.
Carmakal said that the most common way into corporate networks last year was exploiting a previously undiscovered flaw in a widely used device.
It appears that the Chinese government is intently trying to find zero-day vulnerabilities and create malware for peripheral devices. Interestingly, we're observing less use of malware on Windows computers by Chinese espionage actors than we've ever seen before.
The improved effectiveness of Endpoint Detection and Response solutions is the primary cause. The probability of detection is significantly greater when malware is placed on a Windows computer than when the same malware is deployed on a VPN appliance.
Mandiant observed an increase of over 50% in the use of zero-day exploits compared to 2022, by both espionage groups and financially motivated actors.
Of the intrusions Mandiant investigated, 38% began with an exploit, a 6% rise over the previous year. Intrusions that began with phishing emails, by contrast, fell 22% and accounted for 17% of the total. The third most common initial access vector was attackers leveraging past breaches to enable new ones.
Carmakal and the Vice President of Mandiant Consulting, Jurgen Kutscher, both said that part of this transformation is the result of espionage groups placing a higher priority on evading detection.
Intrusions through vulnerabilities let attackers linger within networks undetected for extended periods, whereas phishing emails are more likely to be caught by security controls. Even so, the time attackers spend in compromised systems before being discovered, known as "dwell time", dropped to an all-time low of 10 days, a reduction of six days from 2022.
"Perpetrators are becoming more adept at avoiding detection and maintaining their presence on systems for extended periods. They achieve this by exploiting zero-day vulnerabilities," Kutscher explained. "This underscores the crucial role of an effective threat hunting program and thorough investigation and remediation in the event of a breach."
The report pointed out that zero-day vulnerabilities are no longer the sole domain of government-sponsored cyber spies. A growing number of criminal groups are exploiting them, most notably in the 2023 attacks on the MOVEit file transfer software.
Mandiant researchers found that the Russian ransomware group known as Clop began scanning the internet for vulnerable versions of MOVEit 12 days before it started stealing data from over 2,500 organizations worldwide.
After MOVEit, the vulnerabilities most commonly targeted by both espionage and criminal groups were in Oracle E-Business Suite and Barracuda Email Security Gateway. Both MOVEit and the Barracuda product are peripheral devices.
The report also carried some good news. Organizations are getting better at detecting breaches on their own, rather than learning about them from the perpetrators or from outside security researchers. In 2023, the share of incidents handled by Mandiant that were detected internally rose to 46%, up from 37% in 2022.