Chinese and Russian hackers have shifted their focus to edge devices, such as VPN appliances, firewalls, routers, and Internet of Things (IoT) tools, as part of a marked increase in espionage attacks, according to a report by Google security firm Mandiant.
The report, which forms part of Mandiant’s annual investigation into cyber incidents, highlights a significant change in tactics employed by espionage hackers based in China and Russia. Traditionally, these hackers relied on phishing emails containing malware to infiltrate systems. However, in the past year, there has been a notable increase in exploiting zero-day vulnerabilities found in commonly used devices.
Charles Carmakal, the chief technology officer at Mandiant, emphasized the deliberate effort by the Chinese government to identify zero-day vulnerabilities and develop malware specifically tailored for edge devices. He noted that Chinese espionage operators are deploying less malware on Windows computers due to advancements in Endpoint Detection and Response (EDR) solutions, which increase the likelihood of detection. Instead, hackers are focusing on exploiting vulnerabilities in edge devices to evade detection and prolong their presence within breached systems.
Mandiant reported a significant growth in zero-day usage, with a more than 50% increase compared to the previous year, both by espionage groups and financially motivated attackers. In incidents handled by Mandiant, over a third of intrusions began with an exploit, representing a 6% increase from the previous year, while phishing emails decreased by 22%. The third most common entry point for hackers was through previously compromised systems repurposed for new attacks.
The report underscores the importance of an effective threat hunt program and comprehensive investigations to detect and remediate breaches promptly. Despite the shift towards exploiting zero-day vulnerabilities, the dwell time—the duration hackers remain undetected within breached systems—decreased to its lowest level ever recorded at 10 days, indicating improved internal detection capabilities by companies.
Furthermore, the report highlights that zero-day vulnerabilities are no longer solely exploited by state-backed espionage hackers, with an increasing number of criminal groups also leveraging them for cyberattacks. One notable example cited in the report is the MOVEit file transfer attacks in 2023, where a Russia-based ransomware gang, known as Clop, exploited a vulnerability in MOVEit to target over 2,500 organizations worldwide.
Following the MOVEit vulnerability, the most commonly exploited vulnerabilities by both espionage and criminal groups were found in Oracle E-Business Suite and Barracuda Email Security Gateway, both of which are edge devices.
Despite the concerning trend of increased targeting of edge devices, the report also contains some positive findings. Companies are improving their internal detection capabilities, with 46% of incidents in 2023 being detected internally, compared to 37% in the previous year.
In summary, the report highlights the evolving tactics of Chinese and Russian hackers, who are increasingly focusing on exploiting zero-day vulnerabilities in edge devices for espionage attacks. It emphasizes the importance of proactive threat detection and remediation measures to mitigate the risk of cyber intrusions.