Full Report
Ransomware groups last year achieved lateral movement within an average of 48 minutes after gaining initial access to targeted environments, threat intelligence experts said. The post Cybercriminals picked up the pace on attacks last year appeared first on CyberScoop.
Analysis Summary
# Incident Report: Accelerating Threat Actor Efficiency and Data Theft
## Executive Summary
Threat actors significantly increased their operational speed in the past year, compressing the time required for lateral movement and data exfiltration to record lows, often leveraging legitimate tools and stolen administrative credentials. Multiple firms reported average lateral movement times around 48 minutes, with the fastest instances occurring in under a minute, signaling a race against time for defenders. The primary impact shifted heavily towards data exfiltration, which now occurs much faster than data encryption in ransomware scenarios.
## Incident Details
- Discovery Date: Ongoing reporting throughout the past year (2023/early 2024 timeframe referenced)
- Incident Date: Ongoing reporting across 2023/2024
- Affected Organization: Various organizations targeted; specific municipal government and service provider mentioned.
- Sector: General (Attack trends across multiple sectors)
- Geography: Not explicitly stated, but global observations reported by firms.
## Timeline of Events
### Initial Access
- Date/Time: Variable, but access achieved rapidly in some cases (e.g., less than 5 hours to exfiltration in 25% of Unit 42 cases).
- Vector: Compromised VPN lacking MFA (RansomHub case); Social engineering of a help desk to gain privileged access credentials (Scattered Spider/Muddled Libra case).
- Details: Attackers are concentrating on obtaining authorized administrative credentials quickly.
### Lateral Movement
- Date/Time: Average breakout time observed at 48 minutes (CrowdStrike, ReliaQuest). Fastest recorded time was 51 seconds.
- Vector: Abuse of legitimate system tools and rapidly escalating privileges.
- Details: Attackers move across the network efficiently, often using compromised privileged access manager accounts.
### Data Exfiltration/Impact
- Date/Time: Median time from intrusion to exfiltration dropped to about 2 days (down from 9-10 days previously). In 1 in 5 cases, data was exfiltrated in less than an hour.
- Impact: Large-scale data theft (e.g., 500 GB stolen in one municipal case within 7 hours). 80% of observed breaches involved data exfiltration, compared to only 20% involving encryption.
### Detection & Response
- Detection: Defenders are often unaware of the intrusion until it is too late to intervene, owing to the speed of operations and the use of defense evasion techniques.
- Response Actions: Not detailed for the general trend; in specific cases the attackers deactivated SIEM logging, which hampered response.
## Attack Methodology
- Initial Access: Compromised VPNs without MFA; Social Engineering against help desks.
- Persistence: Creating secondary authentication paths (e.g., secondary MFA servers); Escalating privileges to maintain long-term access.
- Privilege Escalation: Rapidly achieving domain-privileged accounts (observed within 40 minutes in the Scattered Spider case).
- Defense Evasion: Abuse of legitimate system tools; Disabling security telemetry tooling, including SIEM logging.
- Credential Access: Retrieving stored credentials from privileged access managers; Compromising domain-privileged accounts.
- Discovery: General reconnaissance (implied by speed of movement).
- Lateral Movement: Utilizing compromised authorized credentials and legitimate tools for swift movement (average 48 minutes).
- Collection: Gaining access to password management vaults.
- Exfiltration: Executing data theft at unprecedented speeds (median 2 days).
- Impact: Primarily data theft (extortion focus), with encryption becoming less common (20% of observed breaches).
## Impact Assessment
- Financial: Not specified, but extortion pressure is high because rapid exfiltration leaves defenders little time to react.
- Data Breach: Significant volumes of data compromised (e.g., 500 GB mentioned in one incident). Highly sensitive data likely targeted given focus on privileged accounts.
- Operational: Disruption implied by the need for rapid action, but specific operational downtime is not detailed.
- Reputational: Implied damage due to high-profile data loss incidents.
## Indicators of Compromise
- Network indicators: Not detailed (the reporting focuses on attacker TTPs rather than atomic indicators).
- File indicators: Not detailed.
- Behavioral indicators: Rapid privilege escalation; Disabling SIEM logging; Use of legitimate system tools for malicious actions; Establishing secondary MFA mechanisms.
## Response Actions
- Containment: Not detailed for the general trend.
- Eradication: Not detailed.
- Recovery: Not detailed.
## Lessons Learned
- Cybercriminals are iterating and improving faster than many targeted enterprises can defend.
- The speed of attack (especially lateral movement and exfiltration) is the primary challenge defenders face.
- Adversaries are concentrating on high-value targets: administrative credentials and cloud security telemetry.
- Data exfiltration is now prioritized over data encryption in the ransomware lifecycle.
## Recommendations
- Mandate and enforce Multi-Factor Authentication (MFA) across all remote access points, especially VPNs.
- Implement robust monitoring and alerting for lateral movement, especially activity occurring within minutes of initial access.
- Improve detection capabilities regarding the misuse/abuse of legitimate system administration tools ("living off the land").
- Strengthen controls around Privileged Access Management (PAM) vaults and SIEM visibility to counter attempts to disable logging.
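The behavioral indicators listed above (rapid breakout from the initial-access host, missing MFA on remote access, telemetry being switched off) can be turned into a simple timing-based detection. The following Python is an added illustration, not code from CyberScoop or any of the firms cited; the log lines and field names (`user=`, `host=`, `mfa=`, event names such as `siem_forwarder_stopped`) are constructed for the example and would need mapping onto a real SIEM's schema. It measures the time from each user's first VPN login to their first activity on a different host and flags anything under a configurable breakout threshold.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the article):
# "<ISO timestamp> <event> key=value ...". The svc_admin sequence mimics the
# reported pattern: MFA-less VPN login, breakout to a file server within
# minutes, remote execution on a domain controller, then SIEM forwarder stopped.
SAMPLE_LOGS = [
    "2024-03-01T09:00:00Z vpn_login user=svc_admin host=vpn-gw src=203.0.113.10 mfa=none",
    "2024-03-01T09:12:30Z logon user=svc_admin host=fs01",
    "2024-03-01T09:31:00Z remote_exec user=svc_admin host=dc01 tool=psexec",
    "2024-03-01T09:40:00Z siem_forwarder_stopped user=svc_admin host=dc01",
    "2024-03-01T08:00:00Z vpn_login user=jdoe host=vpn-gw src=198.51.100.7 mfa=push",
    "2024-03-01T13:30:00Z logon user=jdoe host=ws-jdoe",
]

# Breakout threshold: the article's reported average is 48 minutes, so alert
# on anything at or below an hour (assumed tuning value for this example).
BREAKOUT_THRESHOLD = timedelta(minutes=60)
INITIAL_ACCESS_EVENTS = {"vpn_login"}
LATERAL_EVENTS = {"logon", "remote_exec"}
TELEMETRY_TAMPER_EVENTS = {"siem_forwarder_stopped", "audit_policy_cleared"}


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts_str, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = event
    return fields


def analyze(lines, threshold=BREAKOUT_THRESHOLD):
    """Return a list of findings dicts: kind, user, host, minutes."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    first_access = {}      # user -> first initial-access event seen
    breakout_reported = set()
    findings = []

    for e in events:
        user = e.get("user")
        kind = e["event"]
        if kind in INITIAL_ACCESS_EVENTS:
            # Remote access without MFA is the initial-access weakness cited.
            if e.get("mfa") == "none":
                findings.append({"kind": "mfa_missing", "user": user,
                                 "host": e["host"], "minutes": 0})
            first_access.setdefault(user, e)
        elif kind in LATERAL_EVENTS and user in first_access:
            entry = first_access[user]
            # Breakout = first activity on a host other than the entry point.
            if e["host"] != entry["host"] and user not in breakout_reported:
                delta = e["ts"] - entry["ts"]
                breakout_reported.add(user)
                if delta <= threshold:
                    findings.append({"kind": "fast_breakout", "user": user,
                                     "host": e["host"],
                                     "minutes": int(delta.total_seconds() // 60)})
        elif kind in TELEMETRY_TAMPER_EVENTS:
            # Disabling SIEM logging is itself a high-confidence indicator.
            findings.append({"kind": "telemetry_tamper", "user": user,
                             "host": e["host"], "minutes": 0})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f['kind']:16} user={f['user']} host={f['host']} minutes={f['minutes']}")
```

Only the first breakout per user is scored, so a noisy account does not flood the queue; the telemetry-tamper rule fires unconditionally because the page describes log disabling as an attacker action that should never be quietly accepted. In a real deployment the threshold would be tuned against normal administrator behaviour, and the `mfa=none` check would be replaced by the VPN product's own authentication-method field.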