Earlier this year, Mandiant Consulting’s incident response team traced an attack by a China-linked spy group to the compromise of an edge device in its client’s network, but because the appliance was a closed system, the attack victim had to request a forensic image from the network appliance manufacturer.
Two months later, the customer is still waiting.
This difficulty in detecting – and then investigating – edge equipment compromises highlights why many attackers nationwide are increasingly targeting firewalls, email gateways, VPNs and other devices, says Charles Carmakal, CTO of Mandiant Consulting at Google Cloud. Threat groups not only escape detection longer, but even when defenders become aware of the attack, investigating the incident is much more difficult.
It’s an issue Mandiant deals with “all the time,” he says.
“We have much better telemetry for Windows computers today, largely due to the maturity of EDR [endpoint detection and response] solutions,” says Carmakal. “Telemetry on edge devices… is often completely non-existent. In order to triage and forensically examine the device, you need to get a forensic image, but you can’t just open the device and take out the hard drive.”
The transition of attackers to espionage leveraging edge devices is one of the top trends Google Cloud’s Mandiant Consulting has noticed in 2023, according to the M-Trends 2024 report released on April 23. Overall, in 2023 the company tracked and reported on more than two dozen global campaigns and events related to its investigations.
The length of time an attacker is active on a compromised system before detection, known as dwell time, has continued to shrink, reaching 10 days in 2023, compared to 16 days the previous year. Ransomware accounted for 23% of Mandiant investigations in 2023, up from 18% in 2022. Companies became aware of the majority of incidents (54%) because a third party – often the attacker themselves, in the case of ransomware – informed the victim.
Because ransomware often notifies victims, external detection has risen to 54%. Source: Mandiant by Google Cloud
Attackers move to less visible environments
While edge devices require expert attackers to compromise and control them, these high-availability environments usually also offer their own utilities and features to handle native formats and functionality. By “living off the land” and using built-in capabilities, attackers can create more reliable malware and still run less risk of detection, due to the lack of visibility defenders have into the internal operations of devices.
“[M]“All of these devices undergo rigorous testing regimes by the manufacturer during development to ensure their stability,” Mandiant said in the report. “China-nexus malware developers exploit the built-in functionality included in these systems… taking advantage of native capabilities [that can] reduce the overall complexity of the malware by instead weaponizing existing capabilities within that have been rigorously tested by the organization.”
In one incident, Mandiant consultants discovered the BoldMove backdoor malware, Chinese attackers managed to infect a Fortinet device, disabling two logging features and allowing the attacker to go undetected for a longer period. BoldMove was created specifically for Fortinet environments.
Incident response efforts are also often hampered by the lack of easy access for consultants and defenders to the underlying operating system. With no way to analyze the underlying code to identify compromised devices, responders often fail to determine the root cause of a compromise, says Mandiant’s Carmakal.
“Some vendors refuse to provide forensic images, [which] I understand that… because they have a lot of intellectual property on the device,” he says. “Companies need to understand the scope and scope of a compromise, and if it starts on a network device, and you need to look at it.”
Take advantage of the increased use, more data loss sites
Attackers have doubled their use of exploits as the initial entry point for attacks, with 38% of attacks Mandiant investigated where an initial vector could result starting with an exploit. Phishing, in second place, accounts for 17% of initial attack actions. In third place, prior compromises inadvertently left exploitable accounted for 15% of all initial access vectors.
“Attackers continue to leverage effective tactics to gain access to targeted environments and conduct their operations,” the Mandiant report states. “As the most prevalent infection vectors fluctuate, organizations must focus on in-depth defense strategies. This approach can help mitigate the impact of initial intrusion methods, both common and less frequent.”
Finally, Mandiant investigators also observed an increase in data leakage sites (DLS) over time, which now account for more than a third (36%) of all financial attacks.