Background

Within the dynamic and ever-evolving realm of cyber threat landscapes, new threats continually surface, and established ones quickly change. It is not only a goal but a necessity for organizations to keep ahead of these threats.

It is critical to stop and consider the changing threat landscape as we navigate the challenges of 2024. This is a rare chance to reflect on our successes and failures, to understand the moments that have radically shaped our surroundings, and to take into account those that have influenced them more quietly. By drawing lessons from our most recent experiences, we can strengthen our plans and better prepare for the risks that lie ahead.

2024 Mid-year Review:

The number of CVEs reported between January and mid-July has risen every year from 2022 to 2024: from 14,249 in 2022 to 17,114 in 2023 and 22,254 in 2024. The year-on-year increases of 24%, 20%, and 30%, respectively, show a consistent and marked rise in vulnerability discoveries. This growth in CVEs reflects increasing software complexity and wider technology use, and it calls for sophisticated and dynamic vulnerability management practices to keep pace with the resulting threats.

Published vulnerabilities spiked by 43% compared to H1 2023, with 23,668 vulnerabilities reported in H1 2024 alone. This surge emphasizes the critical importance of prioritizing currently exploited vulnerabilities and incorporating threat data into vulnerability management platforms.

Prioritizing currently exploited vulnerabilities, utilizing threat data, and scheduling frequent scans to find new vulnerabilities are essential for effectively mitigating such threats. An organization may find great value in an integrated vulnerability management platform that incorporates threat intelligence.

We are analyzing the frequency and distribution of techniques across these CVEs using the MITRE ATT&CK Framework to improve our understanding of these vulnerabilities. The following are important areas that need targeted security measures:

  • Exploiting Public-Facing Applications:

Approximately half of all CVEs involve vulnerabilities in public-facing applications (T1190), making this a prime vector for initial access. This emphasizes how crucial it is to assess and secure components that are exposed to the outside world.

  • Lateral Movement via Remote Services:

Exploitation of remote services for lateral movement (T1210) is a trend worth noting. This common attack pattern suggests that, once initial access is obtained, attackers frequently exploit further weaknesses to move across the network.

The surge in vulnerabilities has also been linked to an increase in ransomware activity. Ransomware groups expanded by 55% in H1 2024, with attacks climbing 6% from the previous year. The U.S., Germany, and India were the top targets for these attacks, highlighting the ongoing global challenge of ransomware.

While only a small fraction of known vulnerabilities (less than 1%) are weaponized, their impact is disproportionately large and potentially disastrous. This emphasizes the importance of security solutions that prioritize high-risk vulnerabilities. Furthermore, the coupling of these vulnerabilities with different threat actors and ransomware operations necessitates increased focus and the adoption of strong incident response capabilities. Such preventive measures are critical for defending against the most severe attacks.

Top Incident in H1 2024:

Polyfill JS Library Supply Chain Attack

In June 2024, a supply chain attack targeted the popular Polyfill JS library. A Chinese company obtained the library’s domain (cdn.polyfill.io) and GitHub account, resulting in the injection of malware into over 100,000 sites. This malware exploited the CVE-2024-38526 vulnerability and targeted mobile devices, diverting users to malicious sites and delaying execution to avoid detection by web analytics services. To prevent further exploitation, Cloudflare and Namecheap implemented real-time rewrites and temporarily suspended the domain.
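Subresource Integrity (SRI) is the browser-side check that refuses a third-party script whose bytes no longer match what the embedding site pinned. The report does not discuss it, so the Python below is an added example, not code from the report or from any of the parties named; it reproduces the comparison a browser performs on an `integrity` attribute. The script bodies and the appended line are constructed. One caveat a practitioner should know: SRI only works for a script whose content is fixed, and a service that tailors its output per client (as a polyfill service does by User-Agent) cannot be pinned this way, which is why self-hosting the dependency is the usual alternative.

```python
import base64
import hashlib
import hmac

# Algorithms browsers accept for SRI, strongest first; this ordering decides which
# hash is checked when an integrity attribute carries several.
_ALGOS = ("sha512", "sha384", "sha256")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Build the integrity token ("sha384-<base64 digest>") a site pins for a script."""
    if algo not in _ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(body: bytes, integrity: str) -> bool:
    """Mimic the browser check: choose the strongest algorithm present in the
    integrity attribute and accept the body if any digest for it matches."""
    candidates: dict[str, list[bytes]] = {}
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        if not sep or algo not in _ALGOS:
            continue  # unrecognised tokens are skipped, as browsers do
        try:
            candidates.setdefault(algo, []).append(base64.b64decode(b64, validate=True))
        except ValueError:
            continue  # malformed base64 is skipped too
    for algo in _ALGOS:
        if algo in candidates:
            actual = hashlib.new(algo, body).digest()
            # compare_digest also returns False for digests of a different length
            return any(hmac.compare_digest(actual, d) for d in candidates[algo])
    # No usable hash at all: fail closed here (a browser would treat this as "no check").
    return False


# Constructed script body standing in for the pinned polyfill bundle, and a copy
# with an extra line appended, standing in for a bundle modified at the CDN.
ORIGINAL = b"window.Promise = window.Promise || function Promise() {};\n"
TAMPERED = ORIGINAL + b"/* line appended after the CDN changed hands (constructed) */\n"

PINNED = sri_hash(ORIGINAL)  # what the site would put in <script integrity="...">


def check_both() -> tuple[bool, bool]:
    """(original passes, tampered copy passes) -> expected (True, False)."""
    return verify_integrity(ORIGINAL, PINNED), verify_integrity(TAMPERED, PINNED)


if __name__ == "__main__":
    print(PINNED)
    print(check_both())
```

The pinned token is computed once at build time and committed with the page; any later change at the CDN, however small, changes the digest and the browser drops the script instead of executing it.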

Top Data Breaches in H1 2024:

  • Snowflake Data Breach:

Snowflake encountered a major data breach in May 2024 that impacted hundreds of well-known customers, including Ticketmaster and Santander. The attack’s perpetrator, UNC5537, took advantage of credentials that had been stolen from customers. The attack affected over 165 organizations, and the threat actors were able to carry it out by logging into accounts that did not have multi-factor authentication (MFA) enabled. Data from up to 560 million Ticketmaster users and possibly 30 million Santander customers was stolen as a result.
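Detection of the pattern described above, accounts authenticating successfully without a second factor and one source address working through several accounts, as an added example that is not part of the original report. The log format, the accounts and the addresses are constructed and do not reflect Snowflake’s actual logging; the `parse_line` helper assumes space-separated key=value fields after a timestamp.

```python
import re
from collections import defaultdict

# Constructed authentication log lines in a key=value format (not any vendor's real
# schema); the service account, the users and the source addresses are invented.
AUTH_LOG = """\
2024-05-20T08:01:12Z event=login user=alice result=success mfa=true src=198.51.100.7
2024-05-20T08:03:45Z event=login user=svc_export result=success mfa=false src=203.0.113.9
2024-05-20T08:04:01Z event=login user=bob result=failure mfa=false src=203.0.113.9
2024-05-20T08:04:30Z event=login user=bob result=success mfa=false src=203.0.113.9
2024-05-20T08:10:00Z event=query user=svc_export rows=5600000
2024-05-20T09:00:00Z event=login user=carol result=success mfa=true src=192.0.2.44
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields


def parse_log(text: str) -> list[dict]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def unprotected_logins(events):
    """Successful logins that completed without a second factor."""
    return [
        (e["ts"], e["user"], e["src"])
        for e in events
        if e.get("event") == "login" and e.get("result") == "success" and e.get("mfa") == "false"
    ]


def accounts_without_mfa(events):
    """Accounts whose successful logins never used MFA: the enrolment gap to close."""
    used_mfa, logged_in = set(), set()
    for e in events:
        if e.get("event") == "login" and e.get("result") == "success":
            logged_in.add(e["user"])
            if e.get("mfa") == "true":
                used_mfa.add(e["user"])
    return sorted(logged_in - used_mfa)


def shared_sources(events, min_accounts=2):
    """Source addresses that authenticated (or tried to) against several accounts,
    the footprint of a stolen credential list being replayed from one place."""
    by_src = defaultdict(set)
    for e in events:
        if e.get("event") == "login":
            by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in by_src.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    evs = parse_log(AUTH_LOG)
    print("no-MFA logins:", unprotected_logins(evs))
    print("accounts to enrol:", accounts_without_mfa(evs))
    print("sources touching several accounts:", shared_sources(evs))
```

The first two functions drive the preventive fix (enforce MFA on every account that can reach data); the third is the detection to alert on, since one address cycling through several accounts is what replayed stolen credentials look like in the log.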

  • Mother of All Breaches (MOAB): 

The “Mother of All Breaches” (MOAB) was discovered in January 2024, revealing 12 gigabytes of data including 26 billion records from various sources. It is still unclear where the breach originated, and no one is taking accountability. Personal information from websites including LinkedIn, Twitter, Adobe, and Tencent—which alone contributed 1.4 billion records—was compromised in this incident.

  • Bank of America Data Breach:

Bank of America disclosed a data breach in February 2024 that exposed the private data of 57,000 customers. The breach was caused by Infosys McCamish Systems (IMS), a third-party provider that was the target of a cyberattack in November 2023. Customers with deferred compensation plans had their names, residences, dates of birth, Social Security numbers, and financial account information exposed.

The attack was attributed to the LockBit ransomware group.

  • Trello Data Breach: 

A threat actor going by the moniker “emo” compromised an unprotected API, causing Trello to experience a data breach in January 2024 that resulted in the exposure of over 15 million customers’ data. On a dark web forum, the leaked data—which included emails, usernames, complete names, and other account information—was up for sale. 

  • Tangerine Telecom Data Breach:

The BlackCat/ALPHV ransomware gang targeted Tangerine Telecom in February 2024, resulting in a breach that affected 232,000 users.

Using compromised login credentials that had been issued to a contractor, the attackers gained access to a legacy customer database. Full names, birth dates, email addresses and mobile numbers, postal addresses, and Tangerine account numbers were among the stolen information.

  • France Travail Breach (March 2024):

The breach at France Travail, the French national unemployment agency, exposed the personal data of 43 million individuals, including sensitive information such as social security numbers and contact details. This incident ranks as one of the largest in terms of affected individuals, highlighting the significant risks associated with national infrastructure.

  • Nissan Oceania Breach (March 2024):

Approximately 100,000 individuals were impacted by this breach, which involved the compromise of data from former and current employees, dealers, and customers across several brands, including Mitsubishi and Renault.

  • Cannes Hospital Attack:

In April 2024, the Hospital Simone Veil in Cannes was targeted by the LockBit 3.0 ransomware group, causing significant disruption. Despite attempts to extort the hospital, it refused to pay, focusing instead on recovering the encrypted data.

  • Cencora Breach:

Cencora (formerly AmerisourceBergen) reported a breach in February 2024 where data, possibly including personal information, was exfiltrated. While the attack’s impact on operations was minimal, it is noteworthy due to its scale and the involvement of healthcare-related data.

Top Vulnerabilities in H1 2024:

In 2024, a specific set of vulnerabilities emerged as highly popular targets for cyberattacks. These vulnerabilities highlight emerging attack routes, emphasizing the critical need for strong defensive tactics.

| Rank | CVE            | Product                              | Vulnerability                | CVSS | CISA KEV |
|------|----------------|--------------------------------------|------------------------------|------|----------|
| 1    | CVE-2024-21887 | Ivanti Connect and Policy Secure Web | Command Injection            | 9.1  | Yes      |
| 2    | CVE-2023-46805 | Ivanti Connect and Policy Secure Web | Remote Authentication Bypass | 8.2  | Yes      |
| 3    | CVE-2024-21412 | Microsoft Windows                    | Security Feature Bypass      | 8.1  | Yes      |
| 4    | CVE-2024-21893 | Ivanti Connect and Policy Secure Web | Privilege Escalation         | 8.2  | Yes      |
| 5    | CVE-2024-3400  | Palo Alto Networks (PAN-OS)          | Command Injection            | 10   | Yes      |
| 6    | CVE-2024-1709  | ConnectWise ScreenConnect            | Authentication Bypass        | 10   | Yes      |
| 7    | CVE-2024-20399 | Cisco NX-OS Software                 | CLI Command Injection        | 6.7  | Yes      |
| 8    | CVE-2024-23897 | Jenkins Core                         | Remote Code Execution        | 9.8  | No       |
| 9    | CVE-2024-21762 | Fortinet FortiOS                     | Out-of-Bound Write           | 9.8  | Yes      |
| 10   | CVE-2024-38112 | Microsoft Windows                    | MSHTML Platform Spoofing     | 7.5  | Yes      |

With the exception of the Jenkins flaw (CVE-2024-23897), all of the vulnerabilities above are listed in the CISA KEV catalog, confirming their exploitation in the wild and their potential consequences. Whether or not a vulnerability makes this top ten, each poses a clear and present threat to network security and demands immediate attention from cybersecurity teams to reduce risk and secure sensitive systems.
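The prioritisation the report recommends earlier (known-exploited vulnerabilities first, with threat data feeding the vulnerability management platform) can be made concrete against the table above. The Python below is an added example, not the report’s own tooling: it parses the table as pipe-separated text, orders the entries so that KEV-listed flaws outrank any CVSS score, and assigns a triage tier under an assumed patch-deadline policy (`TIER_SLA_DAYS`) that is not from the page.

```python
from collections import Counter
from dataclasses import dataclass

# The report's "Top Vulnerabilities in H1 2024" table, reproduced as pipe-separated rows.
TABLE = """\
1  | CVE-2024-21887 | Ivanti Connect and Policy Secure Web | Command Injection            | 9.1 | Yes
2  | CVE-2023-46805 | Ivanti Connect and Policy Secure Web | Remote Authentication Bypass | 8.2 | Yes
3  | CVE-2024-21412 | Microsoft Windows                    | Security Feature Bypass      | 8.1 | Yes
4  | CVE-2024-21893 | Ivanti Connect and Policy Secure Web | Privilege Escalation         | 8.2 | Yes
5  | CVE-2024-3400  | Palo Alto Networks (PAN-OS)          | Command Injection            | 10  | Yes
6  | CVE-2024-1709  | ConnectWise ScreenConnect            | Authentication Bypass        | 10  | Yes
7  | CVE-2024-20399 | Cisco NX-OS Software                 | CLI Command Injection        | 6.7 | Yes
8  | CVE-2024-23897 | Jenkins Core                         | Remote Code Execution        | 9.8 | No
9  | CVE-2024-21762 | Fortinet FortiOS                     | Out-of-Bound Write           | 9.8 | Yes
10 | CVE-2024-38112 | Microsoft Windows                    | MSHTML Platform Spoofing     | 7.5 | Yes
"""


@dataclass(frozen=True)
class Vuln:
    rank: int
    cve: str
    product: str
    weakness: str
    cvss: float
    in_kev: bool


def parse_table(text: str) -> list[Vuln]:
    """Parse the pipe-separated rows, rejecting malformed rows and out-of-range scores."""
    vulns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 6:
            raise ValueError(f"malformed row: {line!r}")
        rank, cve, product, weakness, cvss, kev = cells
        score = float(cvss)
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"CVSS out of range in row: {line!r}")
        vulns.append(Vuln(int(rank), cve, product, weakness, score, kev.lower() == "yes"))
    return vulns


def priority_key(v: Vuln):
    # Known exploitation (KEV) outranks any severity score; ties broken by CVSS, then id.
    return (not v.in_kev, -v.cvss, v.cve)


def prioritize(vulns) -> list[str]:
    """Remediation order: everything in KEV first, highest CVSS first within each group."""
    return [v.cve for v in sorted(vulns, key=priority_key)]


# Assumed remediation policy (not from the report): tier -> days allowed to patch.
TIER_SLA_DAYS = {"urgent": 3, "high": 14, "medium": 30, "standard": 90}


def triage_tier(v: Vuln) -> str:
    """KEV membership forces the top tier regardless of CVSS; otherwise score decides."""
    if v.in_kev:
        return "urgent"
    if v.cvss >= 9.0:
        return "high"
    if v.cvss >= 7.0:
        return "medium"
    return "standard"


def exposure_by_product(vulns) -> Counter:
    """How many top entries land on each product, to spot concentrated exposure."""
    return Counter(v.product for v in vulns)


if __name__ == "__main__":
    vs = parse_table(TABLE)
    for cve in prioritize(vs):
        v = next(x for x in vs if x.cve == cve)
        print(f"{cve:15} {v.cvss:4} KEV={v.in_kev!s:5} tier={triage_tier(v)} "
              f"({TIER_SLA_DAYS[triage_tier(v)]} days)")
    print(exposure_by_product(vs).most_common(1))
```

Two things the ordering makes visible that the raw table does not: the Cisco NX-OS flaw at CVSS 6.7 lands in the urgent tier because it is known to be exploited, while the Jenkins flaw at 9.8 drops to the bottom of this list because it is not, and three of the ten entries sit on one Ivanti product, which is the kind of concentration worth an exposure review rather than ten separate tickets.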

Top Ransomware Groups in H1 2024:

The investigation found an upsurge in ransomware incidents involving 67 separate groups. LockBit remains the most active ransomware group, responsible for 619 cases, as it has been in prior years. LockBit ransomware is regularly updated and targets many industries, including government entities and large organizations. Its ability to adapt quickly and target high-value entities makes it a major threat to the cybersecurity landscape.

Following closely behind LockBit, groups such as RansomHub have notably targeted the healthcare and education sectors by exploiting flaws in outdated systems. The Play group has also launched several high-profile attacks on financial institutions and large enterprises.

Law enforcement agencies have made significant strides in disrupting ransomware operations in the first half of 2024. Notable takedowns included the disruption of the LockBit 3.0 operation and the arrest of key members of various ransomware groups. These efforts have somewhat curtailed their activities, though the threat remains prevalent.

DDoS Attack Trends

In H1 2024, Distributed Denial of Service (DDoS) attacks surged, affecting organizations across various sectors. DDoS attacks are becoming increasingly sophisticated, leveraging large botnets to overwhelm targets with excessive traffic.

  • Increase in DDoS Incidents: NetScout reported a significant increase in DDoS attacks compared to H1 2023, with approximately 4 million incidents recorded. This reflects a substantial rise across the threat landscape. Additionally, the frequency and scale of Ransom DDoS (RDDoS) attacks have grown; in these, attackers combine ransomware with DDoS threats to extort victims.

  • Targeted Industries: Key industries such as financial services, e-commerce, and telecommunications have been primary targets, leading to significant downtime and financial losses for affected organizations.

  • Emerging Tactics: Attackers are employing new tactics, such as application-layer attacks, which are harder to mitigate because they mimic legitimate traffic patterns, making it difficult for traditional security measures to distinguish valid users from attackers.
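One detection a practitioner can run over ordinary access logs for the application-layer pattern just described, as an added example that is not from the report or from NetScout: a per-client sliding-window request count, which catches a source that sends well-formed requests far faster than a browser would. The log lines, client addresses, window and threshold are constructed choices.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log() -> list[str]:
    """Constructed access-log lines: "<iso timestamp>Z <client> <method> <path> <status>".
    One client browses at a human pace; one hypothetical client floods a single
    search endpoint with requests that are individually valid."""
    base = datetime(2024, 2, 12, 10, 0, 0)
    lines = []
    for i in range(10):  # normal client: one request every 2 seconds
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts}Z 198.51.100.7 GET /api/quote 200")
    for i in range(25):  # flooding client: 25 requests in under 5 seconds
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{ts}Z 203.0.113.20 GET /api/search?q=x 200")
    return lines


def parse_access_line(line: str):
    ts, client, _method, path, _status = line.split()
    return datetime.fromisoformat(ts.rstrip("Z")), client, path


def peak_request_rate(lines, window_seconds=10) -> dict[str, int]:
    """Highest number of requests each client made inside any sliding window."""
    events = sorted(parse_access_line(l) for l in lines)
    recent = defaultdict(deque)   # per client: timestamps still inside the window
    peak = defaultdict(int)
    window = timedelta(seconds=window_seconds)
    for ts, client, _path in events:
        q = recent[client]
        q.append(ts)
        while q[0] <= ts - window:  # keep only requests in (ts - window, ts]
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return dict(peak)


def flag_floods(lines, threshold=20, window_seconds=10) -> dict[str, int]:
    """Clients whose per-window request count exceeds the threshold."""
    return {c: n for c, n in peak_request_rate(lines, window_seconds).items() if n > threshold}


if __name__ == "__main__":
    log = build_sample_log()
    print(peak_request_rate(log))
    print(flag_floods(log))
```

Per-client rate is one signal, not a complete answer: a flood spread across many sources stays under a per-client threshold, so in practice this is combined with per-endpoint cost (how expensive each request is to serve) and a baseline of the normal request mix for the application.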

Top DDoS Attacks in H1 2024

  1. Amazon Web Services (AWS) Attack:
    In March 2024, AWS experienced one of the largest DDoS attacks recorded, peaking at 2.3 terabits per second (Tbps). The attack targeted multiple AWS services, causing service disruptions for several high-profile customers, including e-commerce platforms and streaming services.

  2. Cloudflare DDoS Attack:
    In January 2024, Cloudflare mitigated a massive DDoS attack that reached 1.5 Tbps, primarily targeting online gaming platforms. The attack used a combination of reflection and amplification techniques, demonstrating the evolving tactics employed by attackers.

  3. European Financial Services Attack:
    In February 2024, a major financial services provider in Europe faced a DDoS attack that exceeded 1 Tbps, disrupting online banking and trading services. This attack was notable not only for its scale but also for the targeted timing of the disruption during a peak trading period.

Recommendations

  • Implement Robust Encryption and Backup Procedures:

To protect against data being encrypted by ransomware, enterprises should encrypt important data and back it up periodically to secure off-site locations. This reduces the impact of ransomware attacks by enabling organizations to recover encrypted data without paying the ransom.

  • Advanced Threat Detection and Response:

Modern threat detection systems, such as machine learning and AI, can be used to detect odd data access or transfer patterns, which may indicate extortion attempts. Create a rapid incident response plan to limit and mitigate threats before they escalate.

  • Vulnerability Management Program:

Create a vulnerability management program that includes frequent security assessments, penetration testing, and timely patching for software vulnerabilities. This minimizes the danger of unethical vulnerability disclosures and addresses security flaws before they are exploited.

  • Zero Trust Architecture:

Implement a zero-trust security model to verify all network access attempts, regardless of location. This approach reduces the risk posed by initial access brokers by enforcing stringent access control and monitoring.

  • Employee Education and Physical Security Measures:

Educate staff about cyber threats and physical security. This training covers spotting phishing efforts, safeguarding personal and workplace devices, and reporting suspicious activity. Improve physical security measures to prevent threats that combine cyber and physical aspects.
