2024 cyber threat landscape highlights key attack trends

Rapid7 has conducted an extensive analysis of the 2024 cyber threat landscape, focusing on ransomware activities, vulnerability exploits, and trends in malicious attacks, providing insights into the digital security challenges faced by organisations globally.

The organisation has highlighted that, throughout 2024, it engaged with hundreds of significant incidents related to ransomware and vulnerabilities. This was achieved through their Rapid7 Threat Engine, which analysed a vast quantity of data. "Staying ahead of adversaries requires more than just advanced tools; it requires the latest intelligence and collaborative insights from experts working from data that tells the whole story," the company stated.

Regarding ransomware, 2024 saw the emergence or rebranding of 33 threat actors, contributing to a total of 5,477 leak site posts from 75 active groups. RansomHub, a Ransomware-as-a-service (RaaS) group, was particularly active, posting 573 leak site entries since its inception in February, closely trailing behind LockBit's 579 posts.

Qilin, another ransomware group, has been active in sectors like healthcare. Noteworthy is the leak of under one million patient records after a failed extortion attempt demanding USD $50 million from hospitals in London. Qilin's ransom demands typically range from USD $50,000 to $800,000, supported by a robust affiliate programme.

A trend observed involves new groups pairing high-profile attacks with marketing manoeuvres to gain prominence. For example, Hellcat's USD $125,000 demand cleverly dubbed "French bread," intended to be paid in Monero cryptocurrency.

Several ransomware groups have been noted to "go dark" intermittently, likely to modify their infrastructure or avoid public exposure due to quick victim settlements.

The report also identified incident response trends involving old and new ransomware techniques. Attackers targeted various verticals like manufacturing and healthcare, with social engineering being a common tactic. For instance, one help desk employee was deceived into resetting a password, and an SEO poisoning attack involved distributing a trojanised disk analyser tool.

In 2024, SocGholish, GootLoader, and AsyncRAT were the most prevalent forms of malware. SocGholish emerged in 14% of cases; it uses compromised websites to trick users into accepting fake updates. GootLoader, seen in 10% of incidents, operates through SEO poisoning campaigns delivering malicious payloads under benign keywords. AsyncRAT, though representing 4% of cases, has been active in data theft and keylogging since 2019.

Vulnerability exploitation and systems without multifactor authentication (MFA) remained the dominant initial access vectors in 2024. Remote access accounted for 56% of incidents, with many involving lax enforcement of MFA, particularly affecting VPNs and virtual desktop infrastructures.

Rapid7 noted a consistent 13% prevalence of vulnerability exploitations in incidents over the years. This includes exploiting known vulnerabilities like CVE-2024-3400 in PAN-OS and CVE-2023-48788 in FortiClient, seen throughout the year.

While zero-day vulnerabilities were utilised, they constituted a smaller portion of major incidents compared to 2023. Some highly anticipated file transfer vulnerabilities anticipated to be exploited remained largely untouched.

Rapid7 identified a significant threat actor exploiting zero-day vulnerabilities globally for much of 2024, though the trend subsided in the second half. Vulnerabilities in FortiManager and Palo Alto Networks firewalls were highlighted, and widespread real-world attacks were confirmed subsequently.

The 2024 landscape underlined the importance of consistent security measures. Rapid7 emphasised the need for robust vulnerability management, defenses against phishing, regular patch updates, especially for zero-days, and strong MFA deployment to maintain organisational security.