The state of intrusions: Stolen credentials and perimeter exploits on the rise, as phishing wanes
The next most prevalent malware programs observed were GootLoader, a JavaScript-based downloader and dropper; WIREFIRE, a Python web shell for Ivanti Pulse Secure appliances; SystemBC, a proxy tunneler with a custom communication protocol that can also execute additional payloads from a C2 server; and the Akira, RansomHub, LockBit and Basta ransomware programs.
Stolen and weak credentials fuel ransomware and cloud compromises
In terms of ransomware, the most common initial infection vectors observed by Mandiant last year were brute-force attacks (26%), such as password spraying and the use of common default credentials, followed by stolen credentials and exploits (21% each), prior compromises that resulted in access being sold (15%), and third-party compromises (10%).
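The two brute-force patterns named above, password spraying and repeated guessing against one account, leave different traces in authentication logs. The following is an added example, not code from the article or from Mandiant, that separates the two over a constructed log sample: spraying shows as one source failing against many distinct accounts with few attempts each, while classic brute force shows as many failures against a single account from a single source. The log format, thresholds and sample addresses are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format "timestamp user source_ip result");
# not taken from the report. 203.0.113.7 sprays six accounts and lands one,
# 198.51.100.9 hammers a single account, 192.0.2.44 is a normal user typo.
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 203.0.113.7 FAIL
2024-03-01T08:00:03 bob 203.0.113.7 FAIL
2024-03-01T08:00:05 carol 203.0.113.7 FAIL
2024-03-01T08:00:07 dave 203.0.113.7 FAIL
2024-03-01T08:00:09 erin 203.0.113.7 FAIL
2024-03-01T08:00:11 frank 203.0.113.7 SUCCESS
2024-03-01T08:01:00 admin 198.51.100.9 FAIL
2024-03-01T08:01:01 admin 198.51.100.9 FAIL
2024-03-01T08:01:02 admin 198.51.100.9 FAIL
2024-03-01T08:01:03 admin 198.51.100.9 FAIL
2024-03-01T08:01:04 admin 198.51.100.9 FAIL
2024-03-01T08:01:05 admin 198.51.100.9 FAIL
2024-03-01T08:05:00 alice 192.0.2.44 FAIL
2024-03-01T08:05:30 alice 192.0.2.44 SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag a source IP that fails against >= min_accounts distinct users inside
    one sliding window. Per-account attempt counts stay low, so a per-account
    lockout threshold never fires; the signal is the breadth across accounts."""
    fails = defaultdict(list)      # ip -> [(ts, user)] for failed logins
    successes = defaultdict(set)   # ip -> {users} that later succeeded
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
        else:
            successes[ip].add(user)
    alerts = {}
    for ip, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[ip] = {
                    "accounts": len(users),
                    # a success from the same source after a spray is the
                    # highest-priority case: a credential was found
                    "success_from_source": bool(successes[ip]),
                }
                break
    return alerts


def detect_bruteforce(events, window=timedelta(minutes=10), min_attempts=5):
    """Flag (source_ip, user) pairs with >= min_attempts failures inside one
    sliding window: the classic single-account guessing pattern."""
    fails = defaultdict(list)      # (ip, user) -> [ts]
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails[(ip, user)].append(ts)
    alerts = {}
    for key, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_attempts:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying:", detect_spraying(evs))
    print("brute force:", detect_bruteforce(evs))
```

The two detectors are deliberately separate because the mitigations differ: per-account lockout and MFA blunt single-account brute force, while spraying is countered by source-based rate limiting, MFA, and banning the common and default passwords the spray relies on. The thresholds here are placeholders; tune them against your own baseline of benign failed logins.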
Cloud accounts and assets were compromised through phishing (39%), stolen credentials (35%), SIM swapping (6%), and voice phishing (6%). Over two-thirds of cloud compromises resulted in data theft, and 38% were financially motivated, with data extortion, business email compromise, ransomware, and cryptocurrency fraud the leading goals.