Mandiant has released the M-Trends 2025 report, which outlines global cyber attack trends based on its own incident response engagements from 2024.
Key trends and insights
In 2024, Mandiant handled more incidents in the financial sector than in any other industry: 17.4%. Other popular targets? Companies in business and professional services (11.1%), high tech (10.6%), government (9.5%), and healthcare (9.3%).
Exploitation of a vulnerability remains the most common initial infection vector (33%), followed by stolen credentials (16%), email phishing (14%) and web compromise (9%).
(In 34% of the 2024 intrusions they handled, Mandiant could not determine how the attackers gained their initial foothold. "Although numerous factors can contribute to an unknown vector, this considerable proportion indicates potential deficiencies in enterprise logging and detection capabilities," the company said.)
As every year, attackers used a wide variety of malware, but 2024 was marked by the resurgence of infostealers, which in turn drove the increase in the use of stolen credentials as a means of initial access.
Initial infection vector, 2022-2024 (Source: Mandiant)
The vulnerabilities most frequently exploited by attackers in 2024 were those in edge security devices (firewalls, VPNs, network access control solutions, etc.) by Palo Alto Networks, Ivanti, and Fortinet.
Another interesting development last year was the rise of "insider threat" as an initial infection vector, fueled by a surge in North Korean IT workers securing employment under false pretenses and using the access they gained to company networks for further compromise and extortion.
For ransomware-related intrusions, the most common initial infection vector was brute force (password spraying, use of default credentials, high-volume RDP login attempts) at 26%, followed by stolen credentials (21%), exploits (21%), prior compromise (15%) and third-party compromise (10%).
Organizations' cloud assets are most often compromised through email phishing (39%) and stolen credentials (35%).
"In 2024, Mandiant responded to more breaches that involved a cloud component than ever before. In the investigations Mandiant conducted, three major themes contributed to threat actor successes in these environments: identity solutions that lack sufficient security controls; improperly secured on-premises integrations; and poor visibility into the extended cloud attack surface," the company noted.
"Taken as a whole, these factors signal a need for a security approach that bridges the gaps between on-premises and cloud, while also recognizing that the cloud's attack surface is not isolated, but part of an interconnected ecosystem that demands proactive, integrated defenses."
Mandiant has also pointed out that its red teamers often find sensitive data in widely accessible internal repositories, which means attackers can find it, too.
"Network file shares, SharePoint sites, Jira instances, Confluence spaces, and GitHub repositories often contain a wealth of valuable information (i.e., credentials, private keys, financial documents, personally identifiable information (PII), and intellectual property). This data, typically accessible to employees with standard privileges, presents a significant security risk that many organizations fail to recognize," they added.
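The check a red team (or a defender getting ahead of one) runs against such shares and repositories is a secret scan. The following is an added example written for this article, not tooling from the report or from Mandiant: a small scanner for the secret types the quote names (private keys, cloud and VCS credentials, hard-coded passwords) that suppresses obvious placeholders and redacts what it reports. The sample repository contents and the detection patterns are constructed for the example; the patterns are illustrative, not a complete ruleset.

```python
"""Scan repository-like text for secrets of the kinds the report names
(credentials, private keys). The files and patterns below are constructed
for this example; the patterns are illustrative, not a complete ruleset."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    excerpt: str  # redacted, so the scan report itself does not leak the secret


# Illustrative detectors: (kind, regex). Group 1, where present, is the secret value.
PATTERNS = [
    ("pem_private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("github_token", re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b")),
    ("hardcoded_password", re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"\s]{6,})['\"]")),
]

# Values that are clearly placeholders rather than live secrets (assumption for the example).
PLACEHOLDER = re.compile(r"(?i)(example|changeme|<[^>]+>|\$\{[^}]+\})")


def redact(secret):
    """Keep just enough of the value to locate it in the file."""
    if len(secret) <= 8:
        return "***"
    return secret[:3] + "***" + secret[-2:]


def scan_text(path, text):
    """Return a list of Finding objects for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if PLACEHOLDER.search(value):
                continue
            # the PEM header is not itself secret, so it can be shown in full
            excerpt = value if kind == "pem_private_key" else redact(value)
            findings.append(Finding(path, lineno, kind, excerpt))
    return findings


def scan_repo(files):
    """files: mapping of path -> text content. Returns findings in path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {"pem_private_key": 1, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample repository; none of these values are real credentials.
SAMPLE_REPO = {
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "docs/runbook.md": (
        "# Backup runbook\n"
        "Set AWS_ACCESS_KEY_ID=AKIA3Z7QX2M9PLT4W8KD before running the job.\n"
        "(The docs placeholder AKIAIOSFODNN7EXAMPLE is not a live key.)\n"
    ),
    "src/settings.py": (
        'DB_PASSWORD = "S3cr3t-Pr0d!"\n'
        'ADMIN_PASSWORD = "${ADMIN_PASSWORD}"\n'
    ),
    "wiki/Onboarding.txt": "Shared CI token: ghp_aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY3zA6\n",
    ".env.example": 'PASSWORD="changeme"\n',
}

if __name__ == "__main__":
    results = scan_repo(SAMPLE_REPO)
    for f in results:
        print(f"{f.path}:{f.line}  {f.kind}  {f.excerpt}")
    print(summarize(results))
```

Running it reports the OpenSSH key, the AWS access key ID in the runbook, the production database password and the GitHub token, while the `${ADMIN_PASSWORD}` reference, the `changeme` default and AWS's documentation key are skipped as placeholders. The point of the redaction is that a scan report is itself a document that ends up on a share.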
Advice for organizations and defenders
Based on the report, Mandiant highlighted these core security recommendations:
- Implement FIDO2-compliant multifactor authentication (MFA) to prevent intrusions via stolen credentials
- Audit and secure internet-exposed infrastructure to prevent brute-force attacks, particularly those targeting VPNs and Remote Desktop Protocol (RDP) interfaces using default or weak credentials
- Block endpoint scripts and apply content filtering to mitigate risks from web compromises such as SEO poisoning and malicious advertisements
- Enforce strict policies against browser-based credential storage to reduce exposure to infostealer malware
- Regularly patch all systems and software to minimize the exploitation window of newly disclosed vulnerabilities
- Detect and deter insider threats, including fraudulent employment, by implementing strict identity verification checks, additional scrutiny in the hiring process and post-hiring monitoring
- Use network segmentation and monitor for lateral movement
- Invest in internal detection and logging capabilities to reduce dwell time and reliance on external notifications
- Monitor cloud identity and access activity to prevent abuse of single sign-on (SSO) systems
- Apply threat intelligence to prioritize defenses based on common attacker techniques, aligning them with observed MITRE ATT&CK techniques such as Command and Scripting Interpreter (T1059) and Data Encrypted for Impact (T1486)
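The brute-force vector the report puts first for ransomware, and the "internal detection and logging" recommendation, meet in one concrete rule: telling a password spray (many accounts, one or two guesses each, from one source) apart from a single-account brute force, and flagging when the attacking source then logs in successfully. The following is an added example written for this article, not Mandiant's detection content. It runs over constructed Windows-security-log style events (4625 failed logon, 4624 successful logon, logon type 10 for RDP); the event shape, the thresholds and the sample events are all assumptions made for the example.

```python
"""Classify failed RDP logons (constructed Windows-security-log style events:
4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive)
as password spraying or single-account brute force, and flag a success from the
same source afterwards. Thresholds and sample data are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 5     # distinct accounts tried from one source inside the window
SPRAY_MAX_PER_USER = 2  # sprays keep per-account attempts low to stay under lockout
BRUTE_MIN_FAILS = 8     # failures against a single account from one source


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect(events):
    """Return one alert dict per (source, kind). events: dicts with keys
    ts (ISO-8601), event_id, src_ip, user, logon_type."""
    rdp = sorted((e for e in events if e.get("logon_type") == 10), key=_ts)
    by_src = defaultdict(list)
    for e in rdp:
        by_src[e["src_ip"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        found = {}  # kind -> (window start, affected accounts)
        for i, anchor in enumerate(fails):
            # slide a WINDOW-long window anchored at each failure from this source
            t0 = _ts(anchor)
            window = [f for f in fails[i:] if _ts(f) - t0 <= WINDOW]
            per_user = defaultdict(int)
            for f in window:
                per_user[f["user"].lower()] += 1
            worst = max(per_user.values())
            if len(per_user) >= SPRAY_MIN_USERS and worst <= SPRAY_MAX_PER_USER:
                found.setdefault("password_spray", (t0, sorted(per_user)))
            if worst >= BRUTE_MIN_FAILS:
                target = max(per_user, key=per_user.get)
                found.setdefault("brute_force", (t0, [target]))
        for kind, (t0, accounts) in found.items():
            # a successful logon from the attacking source to a targeted account,
            # after the attack began, is the case worth paging on
            success = sorted({e["user"].lower() for e in evs
                              if e["event_id"] == 4624 and _ts(e) >= t0
                              and e["user"].lower() in accounts})
            alerts.append({"src_ip": src, "kind": kind, "first_seen": t0.isoformat(),
                           "accounts": accounts, "compromised": success})
    return alerts


def _event(when, event_id, src_ip, user):
    return {"ts": when.isoformat(), "event_id": event_id, "src_ip": src_ip,
            "user": user, "logon_type": 10}


def sample_events():
    """Constructed log: one spray that succeeds, one brute force, one benign user."""
    base = datetime(2024, 6, 3, 9, 0, 0)
    ev = []
    # spray: a single guess against each of six accounts, then one of them logs in
    for i, u in enumerate(["j.smith", "a.lee", "m.chen", "r.patel", "svc_backup", "administrator"]):
        ev.append(_event(base + timedelta(seconds=30 * i), 4625, "203.0.113.7", u))
    ev.append(_event(base + timedelta(minutes=4), 4624, "203.0.113.7", "j.smith"))
    # brute force: ten guesses against the built-in administrator account
    for i in range(10):
        ev.append(_event(base + timedelta(minutes=10, seconds=20 * i), 4625, "198.51.100.22", "administrator"))
    # benign: a user mistypes twice, then logs in
    ev.append(_event(base + timedelta(minutes=20), 4625, "10.0.0.5", "a.lee"))
    ev.append(_event(base + timedelta(minutes=20, seconds=15), 4625, "10.0.0.5", "a.lee"))
    ev.append(_event(base + timedelta(minutes=20, seconds=40), 4624, "10.0.0.5", "a.lee"))
    return ev


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(a)
```

On the sample log this raises two alerts: a password spray from 203.0.113.7 with `j.smith` listed as compromised, and a brute force from 198.51.100.22 against `administrator`; the two typos from 10.0.0.5 raise nothing. Two caveats for anyone turning this into a production rule: thresholds need tuning against the environment's normal failure rate, and with Network Level Authentication enabled, failed RDP attempts are commonly recorded with logon type 3 rather than 10, so a real rule should not filter on type 10 alone.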