
Uncovering Trends: Credential Theft and Exploitation of Vulnerabilities Now Lead as Primary Methods for Initial Cyberattacks

The 2024 M-Trends report by Mandiant reveals a substantial increase in credential theft linked to the expanding adoption of infostealers.

Uncovered: Credential Theft and Exploitation of Vulnerabilities Shoot Up as Primary Means for Cyber Intrusion

In a recent report, cybersecurity firm Mandiant has shed light on the evolving landscape of cloud compromise incidents, highlighting key trends and the increasing threats that organisations face.

One of the report's significant findings is the rise in stolen credentials as a means of initial access. Threat actors are increasingly adept at obtaining credentials in a variety of ways, including purchasing leaked or stolen 'social security' numbers on underground forums, mining large data leaks for credentials, and infecting users with keyloggers and infostealers. As a result, stolen credentials rose from 10% to 16% of cases, making them the second most common initial access technique.

Phishing remains the most common initial infection vector for cloud environments, making up 39% of cases. However, phishing has seen a decline, with 'icloud login' phishing falling from 22% to 14% for initial access from 2022 to 2024. On the other hand, vulnerability exploitation has become the most common method of infiltrating targets, making up 33% of cases in 2024, although it had a significant decline from 38% in 2023.

Another initial access trend was insider threats, making up 5% of vectors. A surge in fake North Korean IT worker campaigns was a major contributor to this trend.

The report also emphasised the importance of adversary-in-the-middle (AiTM)-resistant multifactor authentication (MFA) for cloud security, such as hardware security keys or mobile authenticator apps.

The proportion of financially motivated attacks has been steadily increasing, marking 55% in 2024, up from 48% in 2022 and 52% in 2023. Data theft occurred in around two-thirds (66%) of 'icloud' compromise cases.

The industry most frequently targeted by threat actors in 2024 was financial, followed by business and professional services, high tech, government, and healthcare. Interestingly, the proportion motivated by espionage fell slightly from 10% in 2023 to 8% in 2024.

The report highlighted a renewed focus by threat actors on infostealers, malware designed to collect and steal sensitive user data such as credentials, browser data, and cryptocurrency wallets. Lumma and Metastealer were prominent infostealer variants used in 2024.

When employees or contractors leverage personal devices for work purposes, infostealers can fall outside the scope of enterprise security and detection measures. This underscores the need for organisations to extend their security measures to cover personal devices used for work.

The researchers noted that the prevalence of phishing, especially in 'icloud' attacks, underscored the importance of these security measures. The report did not mention any significant changes in the prevalence of SIM swapping or voice phishing (vishing) in cloud compromise cases.

Various cybercrime groups, including the ransomware group Cl0p, have used infostealer malware and exploited vulnerabilities such as the MOVEit Transfer zero-day to gain access to 'icloud' environments and exfiltrate data from numerous organisations worldwide between 2018 and 2023.

In conclusion, the report serves as a stark reminder of the ever-evolving threat landscape in the digital world. Organisations must stay vigilant, adapt their security measures, and remain aware of the latest trends to protect their digital assets effectively.
