FireEye has published its annual M-Trends 2021 report, which is based on data collected during the security incidents Mandiant investigated in 2020. Most of those incidents (59%) were first detected internally by the victim organization rather than by an outside party, up 12 percentage points from 2019.
Since it began tracking adversaries, Mandiant has catalogued more than 2,400 threat groups, 650 of which were added in 2020. Over the years the experts have merged or retired roughly 500 of those groups, leaving more than 1,900 distinct groups under tracking today (about 100 more than in 2019).
The threat actors tracked by Mandiant include nation-state actors, financially motivated groups, and uncategorized groups (known as UNCs).
“In 2020, Mandiant experts investigated intrusions that involved 246 distinct threat groups. Organizations faced intrusions by four named financial threat (FIN) groups; six named advanced persistent threat (APT) groups, including groups from the nation-states of China, Iran and Vietnam; and 236 uncategorized threat (UNC) groups. Of the 246 threat groups observed at intrusion clients, 161 of these threat groups were newly tracked threat groups in 2020.” reads the report published by FireEye.
In 2020, Mandiant researchers began tracking more than 500 new malware families and observed 294 distinct families in the compromised environments they investigated. Of those nearly 300 families seen during intrusions, 144 were families Mandiant had begun tracking in 2020.
Mandiant also broke the observed malware down by category, and the distribution is essentially unchanged from the previous year. In 2020, the top five categories of malware involved in incidents were backdoors (36%), downloaders (16%), droppers (8%), launchers (7%) and
According to the report, 81% of newly tracked malware families were non-public: most were likely privately developed, or their availability was restricted. In the latter case the malware was shared among, or sold to, a limited set of threat actors.
The five malware families seen most frequently in the intrusions investigated by the experts were BEACON, EMPIRE, MAZE, NETWALKER and Metasploit. Note that three of the five (Cobalt Strike's BEACON, Empire and Metasploit) are publicly available post-exploitation frameworks rather than custom malware, so their presence alone does not point to any particular group. A notable data point in the report is how little overlap there was in the malware used across different incidents.
“Just 3.4% of malware families seen during an incident were observed at 10 or more intrusions, and 70% of malware families seen were only observed during a single intrusion.” continues the report.
Most malware families observed by Mandiant during its investigations were effective against Windows (94%), followed by Linux (8%) and macOS (3%); the figures add up to more than 100% because some families run on more than one platform. 89% of the families were effective only against Windows systems.
Additional details on the TTPs used by threat actors are included in the report published by FireEye.