Recent cyber events are a stark reminder that our work as defenders is never done. Critical
vulnerabilities such as “Log4Shell” highlight the dangers of the unknown and the complexity of
patching. The supply chain is as attractive a target as ever, providing a potential entry point into
multiple vendors. And we must remain vigilant about protecting our industrial control systems,
especially given that 1 in 7 multifaceted extortion attacks leak critical operational technology
Mandiant responders are on the frontlines every day, investigating and analyzing the latest
attacks and threats, and understanding how best to respond to and mitigate them. Everything
we learn is passed on to our customers through our various services, giving them a much-needed advantage in a constantly evolving threat landscape.
Every year the M-Trends report provides some of that same critical intelligence to the greater
security community. M-Trends 2022 continues that tradition, offering details on the evolving
cyber landscape, mitigation recommendations, and a wide variety of security incident-related
Let’s start with a win for defenders: the global median dwell time has continued its decline
in 2021. For intrusions investigated between October 1, 2020 and December 31, 2021, the
median number of days between compromise and detection was 21 days (down from 24 days in
2020). Although this may demonstrate improved visibility and response, the pervasiveness of
ransomware has helped drive this number down.
Ransomware and multifaceted extortion continue to be concerning. We highlight an increase
in targeting of virtualization infrastructure and offer mitigations. We also provide guidance on
ransomware preparedness (via red teaming) and recovery operations.
Other topics covered in M-Trends 2022 include:
By the Numbers: The global median dwell time for intrusions identified by external third parties and disclosed to the victims dropped to 28 days from 73 days in 2020, a stellar improvement. In less desirable news, when the initial infection vector was identified, supply chain compromise accounted for 17% of intrusions in 2021 compared to less than 1% in 2020.
Other signature metrics include detection by source, industry targeting, threat groups, malware and attacker techniques.
Recently Graduated Threat Groups: A detailed analysis of two financially motivated groups we graduated in 2021: FIN12 and FIN13. We also highlight two noteworthy uncategorized groups: UNC2891 and UNC1151.
Microsoft Exchange Case Study: Our observations responding to more than 20 incidents involving exploitation of on-premises Microsoft Exchange servers. In one testament to dedicated investigation and analysis, the deployment of cryptocurrency coinminers by one financially motivated threat group led to the discovery of two nation-state actors in the same environments.
China Cyber Operations: We review China’s realignment and retooling, explore reemerging espionage activity and highlight actors such as APT10 and APT41.
Misconfiguration Mitigations: We observed various compromises due to misconfigurations when using on-premises Active Directory with Azure Active Directory to achieve a single integrated identity solution.
M-Trends 2022 builds on our transparency to continue providing critical knowledge to those tasked with defending organizations. The information in this report has been sanitized to protect identities of victims and their data.