Threat actors are getting more work from the private sector than from government-sponsored agencies, according to research from Mandiant, which found that organizations are increasingly falling prey to financial malware rather than espionage-oriented infections.

The Mandiant team found that over the course of 2024 some 8% of malware infections were intended to be espionage attacks, down from 10% of attacks in the 2023 calendar year.

The security firm reported that the change is in large part due to the growth in financially motivated malware attacks, as threat actors seek to turn a profit on stolen credentials and unsecured data. Rather than a decline in espionage, the security firm reported it believes there is a growth in private threat actors looking to make a quick buck on ransomware attacks.

“One way they are doing this is through the use of infostealer malware, which is increasingly being used to enable intrusions using stolen credentials,” Mandiant noted. “Another growing trend is the targeting of unsecured data repositories, which is brought on by the lack of basic security hygiene.”

The decrease in espionage attacks also seems to coincide with a change in the attack patterns of threat actors. The financially motivated threat actors also seem more prone to using attacks on known vulnerabilities, rather than the more subtle tactics employed by espionage actors looking to evade detection.

“For intrusions in which an initial infection vector was identified, 33% began with exploitation of a vulnerability,” Mandiant said. “This is a decline from 2023, during which exploits represented the initial intrusion vector for 38% of intrusions, but nearly identical to the share of exploits in 2022, 32%.”

Stolen credentials were also an increasingly popular method of intrusion, rising from 10% to 16% on the calendar year. Though a distant second to security exploits, the tactic is growing in popularity and should be a top concern for administrators going forward.

“While email phishing remains a common and effective method for obtaining initial access, adversaries can obtain credentials in a variety of ways, including purchasing leaked or stolen credentials on underground forums, mining large data leaks for credentials, and actively pursuing credentials by infecting users with keyloggers and infostealers,” Mandiant said.

The most popular method of intrusion was credited to the PAN-OS remote command injection vulnerability designated as CVE-2024-3400. The flaw was subject to near-immediate exploitation by ransomware actors.

“Within two weeks of its disclosure on April 12, 2024, and the publishing of proof-of-concept (PoC) code on April 13, 2024, Mandiant observed more than a dozen separately tracked groups exploiting this vulnerability,” Mandiant said.