
Shifting Cybercrime Tactics: Exploring the Rise in Zero-Day Vulnerabilities and Edge Device Attacks by Chinese and Russian Hackers


Espionage attempts by Chinese and Russian cyber actors are noticeably on the rise, with a shift in targeting towards edge devices. This includes Virtual Private Network appliances, firewalls, routers, and Internet of Things devices, according to the cybersecurity company Mandiant, a Google subsidiary.

Mandiant disclosed the findings as part of its annual review of the intrusion investigations it took part in during the previous year.

The chief technology officer at Mandiant, Charles Carmakal, informed Recorded Future News about a notable change in strategies employed by cyber spies from China and Russia. Previously, the method of operation was consistent—workers were attacked with harmful phishing emails embedded with malware, providing the hackers an entry point into the system.

Carmakal stated that in the previous year the prevalent method of infiltrating businesses was identifying a zero-day flaw in commonly used devices.

In my opinion, the Chinese government is intentionally striving to discover zero-day vulnerabilities and create malware for edge devices. Interestingly, we are witnessing less use of malware by Chinese espionage operators on Windows computers than ever before.

The rationale behind this is that Endpoint Detection and Response solutions have significantly improved. Deploying malware on a Windows PC now carries a higher risk of detection compared to doing the same on a VPN appliance.

Mandiant observed an increase of over 50% in zero-day exploitation compared to 2022, by both espionage groups and financially motivated attackers.

Mandiant observed that 38% of the breaches it handled began with an exploit, a 6% rise compared to the previous year, while just 17% of breaches started from phishing emails, showing a significant decrease of 22%. The third most common method used by attackers to gain access was leveraging a prior compromise to launch a new intrusion.

Carmakal and Vice President of Mandiant Consulting, Jurgen Kutscher, both acknowledged that the change was largely because espionage hackers were focusing more on staying undetected.

Gaining access through vulnerabilities lets attackers remain undetected inside systems for extended periods, at a time when phishing emails are increasingly caught by security controls. Despite this, the time attackers linger in compromised systems before discovery, referred to as “dwell time,” has surprisingly dropped to the shortest span ever recorded, at 10 days, a decrease of six days from 2022.

“Perpetrators are employing strategies to avoid being caught and to persist on systems for extended periods, primarily by exploiting zero-day vulnerabilities,” Kutscher further explained. “This underscores the critical need for a potent program to hunt threats, coupled with thorough probes and rectification processes in case of a security breach.”

The study highlighted that zero-day vulnerabilities are not solely exploited by state-sponsored espionage hackers anymore. There has been a noticeable rise in the number of criminal groups taking advantage of these vulnerabilities, as was notably observed in 2023 during the MOVEit file transfer assaults.

Mandiant researchers discovered that a Russia-based ransomware group, referred to as Clop, began scanning the internet for vulnerable MOVEit instances 12 days before it started stealing data from over 2,500 organizations worldwide.

Following the exposure of the MOVEit flaw, the most frequently exploited weak points by espionage and criminal organizations were found in the Oracle E-Business Suite and the Barracuda Email Security Gateway. Both the MOVEit and the Barracuda product are perimeter devices.

The report did carry a few optimistic points. Businesses are improving in recognizing breaches from within, instead of getting notifications about attacks from hackers or security analysts. The percentage of compromises spotted internally in 2023 increased to 46% of the incidents that Mandiant managed, a rise from 37% in the previous year.
