SAN FRANCISCO -- Adversary groups associated with China and North Korea are becoming increasingly innovative, from choosing specific targets to leveraging zero-day vulnerability exploits, Mandiant and Google executives warned during a panel discussion at RSA Conference 2023.
Sandra Joyce, executive vice president and head of global intelligence at Mandiant, moderated Google's Threat Intelligence media briefing Monday to kick off RSA Conference 2023. Joining her were panelists Kristen Dennesen, reporting analyst at Google's Threat Analysis Group; John Hultquist, vice president of Mandiant intelligence analysis at Google Cloud; and Charles Carmakal, CTO of Mandiant consulting at Google Cloud.
The panel discussion addressed ransomware trends, current geopolitical observations, and the evolution of state-sponsored threat groups. Though most of the threat groups have been a known risk to enterprises for decades, one group stood out for its progression despite its infancy: teenagers in the U.S.
The panelists highlighted adversary group advancements such as North Korea-associated actors being more motivated to go after cryptocurrency, targeting vulnerability researchers and increasing supply chain compromises. Hultquist warned he's seen North Korean threat actors try new techniques now more than ever.
Additionally, he observed vast improvements in Chinese threat actors' infrastructure. One example Hultquist provided was the ability to hide their infrastructure in Soho routers through a network of proxies. Russian threat actors are doing the same, he said.
Carmakal added that Chinese threat actors are becoming specific in the types of targeted organizations. Defense contractors, government entities, telecommunications, and technology companies are particularly preferred.
Even more alarming is an increase in Chinese-nexus actors exploiting zero-day vulnerabilities in edge devices or systems that don't support endpoint detection and response (EDR) tools. He highlighted recent attacks that targeted products such as Sonicwall and Fortinet VPN appliances and VMware hypervisors.
"The initial attack started with zero-day vulnerability exploitation. And what we're finding is these actors are deploying malware on Fortinet firewalls or VMware hypervisors, and it's hard for companies to discover the problem," Carmakal said during the panel. "Even as a customer, even if you have administrative access, you don't have the ability to view processes, view files on the file system, or acquire memory or install security telemetry."
The problem doesn't end with Chinese-nexus groups, the panelists said. There's been a spike in the overall threat landscape of attackers exploiting zero-day vulnerabilities at increasing speed.
While state-sponsored groups from adversarial nations are showing increased capabilities, Carmakal raised concern about an entirely different threat group: teenagers from the U.S. and the U.K.
Mandiant has seen young individuals break into some of the biggest organizations, he said. Carmakal attributed the group's success to effective social engineering campaigns. For example, they can convince users to log in to anydesk.com, download the anydesk client and then provision remote access to the attacker.
"They're one of the most prevalent threat actors in the U.S. today and are really hard to defend against," Carmakal said.
Another factor that contributes to teenagers as young as 13 being successful is the personal savvy. Carmakal observed threat actors' ability to send convincing text messages with malicious links to employees' work or personal cell phones. Targets consists of tech support or call center employees.
Like the targeting of edge devices that don't support EDR, Carmakal said these messages are not monitored by the enterprise. The network traffic between the work or personal cell phone and lookalike website is traversing through the cellular network, which enterprises cannot monitor. The increase in hybrid work means personal devices and work devices are often intertwined.
Teenagers are also skilled at making attacks personal to the organization and individual by harassing employees and family members of employees, Carmakal warned.
"It's one thing to pay to get a decryptor. It's a different story if you're an executive at the company and your daughter is getting harassed by a threat actor," Carmakal said.
While discussing a shift in ransomware trends, Hultquist said multi-faceted extortion, which often involves the theft and potential exposure of sensitive data, is the number one way in which financially motivated cybercriminals monetize their intrusions. It's more effective than the disruption caused by ransomware deployment that encrypts systems, he said.
Additionally, ransomware groups select targets they think will pay out, which is why critical infrastructure remains at risk. Activity around those entities did drop off for a while, Hultquist said, but "it's alive and well again."
He was also concerned about the upcoming 2024 presidential election. Mandiant observed "serious" activity from Russia and Iran around the last election, and Hultquist expects to see the same this time, with potentially other players the company hasn't considered yet.
"We are uniquely vulnerable during elections in this country more than others," he said.