5 Big Takeaways From Mandiant’s 2024 Threat Report

The new M-Trends report details how ransomware, zero-day attacks and other major cyber threats evolved last year.

The discovery of compromised systems continues to accelerate thanks both to improved detection tools and increased ransomware activity, according to Mandiant’s M-Trends threat report for 2024 that was released Tuesday.

The analysis is the 15th annual M-Trends report from Google Cloud-owned Mandiant. The report is based upon data produced by Mandiant investigations throughout 2023.


Ransomware “tends to be a lot faster moving than other threat vectors,” said Jurgen Kutscher, vice president at Mandiant Consulting. However, the increased speed of detection “is still a positive [development] to see,” Kutscher said in an interview.

In combination with other encouraging findings from the report such as an improvement in internal detection of attacks, “you do clearly see that defenders are getting better,” he said. “They're getting faster at responding, at detecting these types of attacks. And I think that's always important to highlight in our industry.”

Ultimately, “we want to show the industry that the investments that organizations are making — that the training, the continued improvements in technology, in processes, in threat intelligence — is having a positive impact here,” Kutscher told CRN.

Other key findings in Mandiant’s 2024 M-Trends report included a rise in exploitation of vulnerabilities, more targeting of enterprise systems and an increase in China-linked attacks.

What follows are five big takeaways from Mandiant’s 2024 M-Trends threat report.

Further Reduction In Dwell Time

In a largely positive sign for cyber defense, Mandiant reported another major drop in “dwell time,” or the amount of time before the compromise of a system is detected. In 2023, the global median dwell time dropped to 10 days, compared to 16 days in the prior M-Trends report and “its lowest point in over a decade,” the company said in the report. Notably, that’s down from the median dwell time of 101 days in 2017.

Among the drivers of the dwell time reduction is an improvement in the proportion of compromises detected internally, which rose to 46 percent of compromises from 37 percent the year before, Mandiant reported.

Increased Ransomware Attacks

The second major driver for the dwell time reduction is less encouraging, with an increased proportion of ransomware attacks also accounting for some of the acceleration in detection, according to Mandiant. In 2023, Mandiant found that 23 percent of incidents involved ransomware compared to 18 percent in 2022 — and back to where things were in 2021.

Mandiant’s ransomware tally also includes data extortion attacks, such as last year’s widely felt MOVEit exploitation campaign, which may have been a factor in the increase, Kutscher acknowledged. He also pointed to Russia’s invasion of Ukraine in 2022 as a factor that may have suppressed the proportion of ransomware attacks that year; by contrast, the war caused less disruption to cybercriminals in 2023.

Exploits Of Vulnerabilities On The Rise

In 2023, exploiting a vulnerability remained the most common method for initial intrusion, accounting for 38 percent of compromises. That was up from 32 percent the year before. Remaining at No. 2 was phishing, which declined to 17 percent of initial infections last year from 22 percent in 2022.

The most frequently exploited vulnerability in 2023 was the flaw in MOVEit Transfer (CVE-2023-34362) that spawned a widespread wave of data theft and extortion incidents. At No. 2 was a vulnerability in Oracle’s E-Business Suite (CVE-2022-21587) and the third most-exploited was the critical vulnerability in Barracuda Email Security Gateways (CVE-2023-2868). “Notably the first and third most targeted vulnerabilities were related to edge devices,” Mandiant said in the report.

“Most victim organizations do not have an easy mechanism to detect the compromise of these types of edge devices,” Kutscher said. “As such, they give attackers a strong position to maintain long-term persistence.”

Enterprise Products Targeted

As underscored by the most frequently exploited vulnerabilities in 2023 — involving managed file-transfer, business software and email gateways — attackers are increasingly targeting enterprise-focused technologies, according to Mandiant’s findings. In particular, attackers have focused more on discovering and exploiting zero-day vulnerabilities in enterprise products, such as the flaws in MOVEit and Barracuda ESG. Mandiant researchers observed 36 zero-day flaws targeting enterprise-specific technologies that were exploited in 2023. While an exact comparison figure for the year before was not available, Mandiant disclosed that 22 enterprise technologies were observed being targeted for zero-day exploitation in 2022.

The makers of consumer technology products, meanwhile, have “really made great progress of building much better processes and controls that have made it more difficult to find zero days,” Kutscher said. The rise in zero-day exploits of enterprise systems “also shows the commitment and the investment that a lot of these threat actors are making,” he said.

In total, Mandiant reports that it tracked 97 different zero-day vulnerabilities that were exploited in 2023, up about 56 percent from a year earlier.

China-Linked Attacks Intensify

A major driving force behind the increase in exploits of zero-day vulnerabilities is the expansion of activities by China-linked attackers, Mandiant said in its M-Trends report. “People’s Republic of China (PRC) cyber espionage groups were the most prolific attackers to exploit zero-days in 2023, and demonstrated a focus on stealth in their zero-day exploitation campaigns,” the report authors said. “The state-sponsored groups tracked by Mandiant primarily utilize zero-days for intelligence gathering and strategic advantage.”

Mandiant researchers said that edge devices have been a particular focus. “Mandiant has observed a trend in which China-nexus attackers have gained access to edge devices via exploitation of vulnerabilities, particularly zero-days, and subsequently deployed custom malware ecosystems,” the report authors wrote.

Edge devices — including email gateway appliances and VPNs — often will run for months or even years without a reboot, Mandiant noted in the report. “China-nexus malware developers take advantage of the built-in functionality included in these systems, which benefits them in several ways,” the report authors wrote.

In “several instances,” Mandiant researchers said they have observed that “China-nexus attackers demonstrated a high level of in-depth knowledge when targeting edge devices.” This knowledge “spanned not only the malware used during the attack, but also the zero-day vulnerabilities used to gain access to these devices,” the authors wrote.