IT Brief US - Technology news for CIOs & IT decision-makers
Mandiant report finds rise in financially motivated cyber attacks

Mandiant has released the findings of its 16th annual M-Trends report, offering insights into global cyber attack trends and incident response data from 2024.

The report outlines a marked increase in financially motivated cyber threat activity worldwide, with 55% of the threat groups tracked by Mandiant in 2024 pursuing financial gain, up from 52% in 2023 and 48% in 2022. By contrast, 8% of groups were driven by espionage, showing a slight decrease from 10% the previous year.

Analysis of the methods used by attackers shows that direct exploits remained the most common initial infection vector, accounting for 33% of incidents for the fifth consecutive year. Stolen credentials constituted 16% of incidents in 2024, making them the second most frequent means of initial access; this is the first time that vector has reached such a share. Email phishing accounted for 14%, web compromises for 9%, and prior compromises for 8%, rounding out the top access vectors.

The industries most frequently targeted in 2024 remained consistent, with financial organisations making up 17.4% of attacks, followed by business and professional services at 11.1%, high tech at 10.6%, government at 9.5%, and healthcare at 9.3%.

Organisational detection of breaches remains an area for improvement. In 2024, 57% of compromises were first identified by external sources, such as law enforcement and cybersecurity vendors, who accounted for 43% of alerts, and adversaries themselves, often through ransom notes, who accounted for 14%. Only 43% of compromises were detected internally. The median dwell time – the period between initial compromise and detection – rose to 11 days globally, compared with 10 days in 2023. Dwell time was longer when breaches were reported by external entities (26 days) and shorter when adversaries notified organisations directly (5 days), as often occurs in ransomware incidents; internal detection resulted in a 10-day median dwell time.

Vivek Chudgar, Managing Director, Mandiant Consulting, JAPAC, commented on regional and global trends: "The findings in this year's M-Trends report reinforce a critical truth for organisations across JAPAC: threat actors continue to adapt and innovate, and so must our defences. With exploits accounting for 64% of initial infection vectors in our region — which is nearly double the global average — it's clear that attackers are laser-focused on exploiting vulnerabilities at scale.

"At the same time, the fact that nearly 70% of compromises were detected by external parties underscores a continued need to improve internal visibility and response capabilities. As financially motivated threats grow more sophisticated, our collective resilience depends on proactive threat intelligence, faster detection, and a relentless focus on closing security gaps before adversaries can exploit them."

The report notes a rise in the use of infostealer malware, with attackers increasingly deploying such tools to harvest credentials that are then used for initial access. Stolen credentials now constitute a significant infection vector, reflecting their popularity among attackers. Gaps introduced during cloud migrations and unsecured data repositories were also identified as common exploitation points. Attackers are targeting these vulnerable environments to obtain credentials and other sensitive information.

Mandiant's analysis further highlights that advanced groups, especially those with ties to China, are deploying custom malware ecosystems, exploiting zero-day vulnerabilities, leveraging proxy networks resembling botnets, and focusing on edge devices and platforms lacking traditional endpoint detection and response. Such actors also use custom obfuscators to keep their presence undetected for longer durations on compromised systems.

The report also addresses activity by North Korean and Iranian actors. North Korea was observed deploying citizens as remote IT contractors under false identities, reportedly to generate revenue for national interests. Iranian-affiliated groups increased operations in 2024, particularly targeting Israeli entities and employing varied tactics to boost intrusion success.

Emerging trends in cyber attacks include increased targeting of cloud-based stores of centralised authority, such as single sign-on portals, and an uptick in attempts to exploit Web3 technologies including cryptocurrencies and blockchain platforms for theft, money laundering, and financing illicit activity.

Mandiant's recommendations for organisations include implementing a layered security approach built on strong fundamentals such as vulnerability management and least privilege, enforcing FIDO2-compliant multi-factor authentication—especially on privileged accounts—investing in advanced detection tools, and developing effective incident response plans. The company further advises improving logging and monitoring practices, conducting threat hunting exercises, and securing cloud environments through regular assessments and robust controls.

Additional guidance involves mitigating insider risk via thorough employee vetting, monitoring for suspicious activity, and enforcing strict access controls. Mandiant encourages organisations to prioritise up-to-date threat intelligence, regularly review security policies, and adapt strategies to address the continually evolving threat landscape.

The M-Trends 2025 report is based on data drawn from over 450,000 hours of frontline investigations by Mandiant Consulting between January and December 2024, offering comprehensive metrics and insights for defenders tasked with organisational cyber protection.
