Mass Internet Exploitation in 2024: A Technical Overview

In 2024, mass internet exploitation trends revealed a landscape characterized by relentless automation, the persistent targeting of legacy vulnerabilities, and the rapid weaponization of new exposures. Attackers aren't just targeting newly disclosed vulnerabilities; they're reviving old, forgotten CVEs and automating mass exploitation at scale. Organizations relying on static risk models and advisory updates are missing key signals of active threats.

  • The resurgence of legacy vulnerabilities: A significant portion (40%) of the vulnerabilities exploited in 2024 originated in 2020 or earlier, with some dating back to the 1990s. This underscores the necessity of addressing technical debt and maintaining vigilance over older systems.
  • Home router exploits: The most exploited vulnerability of 2024 targeted home internet routers, which fueled massive botnets employed in global cyberattacks. Threat actors are hijacking home internet routers, including ISP-provided fiber modems, to build botnets and launch cyberattacks worldwide.
  • Rapid weaponization: Attackers are now exploiting vulnerabilities within hours of their disclosure. This rapid weaponization makes real-time defense more critical than ever.
  • Ransomware exploitation: Ransomware groups are actively leveraging known exploited vulnerabilities, with 28% of the CVEs in CISA's Known Exploited Vulnerabilities (KEV) catalog being utilized by ransomware groups in 2024. GreyNoise tracked this exploitation.
  • Automation dominance: The volume of daily unique IPv4 observations demonstrates that automated scanning and exploitation has truly become the norm, not the exception.

Attackers persistently target legacy vulnerabilities due to multiple factors.

Key reasons include:

  • Legacy systems remain in production. Apache HTTP Server path traversal and Shellshock are examples of vulnerabilities that continue to pose threats to older systems.
  • Simplicity and effectiveness. Some older vulnerabilities, like PHPUnit's RCE (CVE-2024-4577), remain actively exploited because they only require a classic HTTP request to execute arbitrary PHP code, making them ideal for automated attacks. This particular vulnerability is present in widely-used applications like WordPress plugins, Drupal modules, and Moodle, giving it a significant presence on the internet.
  • Integration into modern attack chains. Older vulnerabilities are combined with newer vulnerabilities in modern attack chains, which amplify their impact. This combination allows attackers to leverage code execution, credential theft, and persistent access.
  • Automation and scale: Attackers have developed sophisticated automation tools to scan for and exploit these exposures at scale. They can exploit mistakes like failure to block access to .git files or properly use .gitignore. Once initial access is gained, attackers can escalate privileges, deploy scanning functions, and gain access to private repositories.
  • Technical debt and lack of attention: Organizations often struggle with comprehensive vulnerability management programs, making them likely to miss patching "vintage" vulnerabilities. The continued exploitation of decades-old CVEs suggests that patching only the newest vulnerabilities is a flawed strategy.
  • Profitability: Legacy vulnerabilities like CVE-2014-8361 and CVE-2018-10561 remain among the most targeted in 2024, proving old flaws are still profitable for attackers.
  • Easy access and check for botnets: The X Server Connection Attempt check is baked into a vast array of botnets. It is quick and easy to make, and it can pay dividends if someone leaves their X11 configuration in a promiscuous state. Shellshock also remains an attractive target for all the same reasons.

Notable Attack Vectors

The report sheds light on specific attack vectors and vulnerabilities that were heavily exploited in 2024:

  • GPON Routers: The most active CVE was GPON CVE-2018-10561 Router Worm, which targeted ISP-provided fiber modems, primarily for botnet recruitment in the Asia-Pacific region.
  • D-Link and Ivanti devices: D-Link and Ivanti devices were among the most heavily exploited in 2024, posing critical security risks for businesses and governments.
  • Web server components: Vulnerabilities such as Apache HTTP Server path traversal and Shellshock remain persistent threats for legacy systems still in production.
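
The legacy web vectors named above (Shellshock, Apache path traversal, and the .git/.env crawling mentioned under "Key reasons") can be triaged from ordinary access logs. The following is an added example, not code from the report or from GreyNoise; the signature patterns, tag names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Illustrative signatures (assumptions, not GreyNoise tag definitions).
SIGNATURES = {
    "shellshock": re.compile(r"\(\)\s*\{"),           # bash function-definition marker
    "path-traversal": re.compile(r"(^|/)\.\.(/|$)"),  # dot-dot segment after decoding
    "git-env-crawler": re.compile(r"/\.(git(/|$)|env($|[.?]))", re.I),
}
# Combined log format: ip - - [ts] "METHOD path PROTO" status size "referer" "ua"
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                  r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def classify(line):
    """Return (ip, status, tags) for one log line, or None if unparseable."""
    m = LINE.match(line)
    if not m:
        return None
    path = unquote(unquote(m["path"]))  # decode twice: catches double-encoded dots
    fields = {"shellshock": m["referer"] + " " + m["ua"],
              "path-traversal": path.split("?", 1)[0],
              "git-env-crawler": path}
    tags = sorted(t for t, rx in SIGNATURES.items() if rx.search(fields[t]))
    return m["ip"], int(m["status"]), tags

def summarize(lines):
    """Distinct source IPs per tag, plus tagged requests the server answered 2xx."""
    ips, served = defaultdict(set), []
    for ip, status, tags in filter(None, map(classify, lines)):
        for tag in tags:
            ips[tag].add(ip)
        if tags and 200 <= status < 300:
            served.append((ip, tags))
    return {tag: len(s) for tag, s in ips.items()}, served

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2024:04:11:09 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '192.0.2.10 - - [12/Mar/2024:04:11:10 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Mar/2024:04:12:40 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/hosts HTTP/1.1" 400 226 "-" "curl/8.4"',
    '203.0.113.5 - - [12/Mar/2024:04:13:02 +0000] "GET /cgi-bin/status HTTP/1.1" 404 153 "-" "() { :; }; echo probe"',
    '203.0.113.9 - - [12/Mar/2024:04:13:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Mar/2024:04:14:00 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "curl/8.4"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Tagged requests that received a 2xx response (here the /.git/config fetch) are the ones to investigate first, since they indicate the exposure was actually served rather than merely probed.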

Defense Strategies

To counter these trends, organizations should take concrete steps to bolster their defenses:

  • Prioritize patching: Patch both new and legacy vulnerabilities, using sophisticated automation.
  • Real-time Visibility: Defenders need real-time intelligence to filter noise, reduce alert fatigue, and focus resources on actively exploited threats.
  • Harden network devices: Prioritize hardening network device configurations, especially UPnP and management interfaces.
  • Implement continuous security posture monitoring: Focus on both legacy and emerging threats.
  • Maintain asset inventories: Maintain comprehensive asset inventories with automated patch deployment capabilities.
  • Deploy robust detection engineering: Identify exploitation attempts across all affected attack vectors.

  • Revival of old vulnerabilities: Attackers are reviving old, forgotten CVEs and automating mass exploitation at scale [1]. 40% of exploited vulnerabilities in 2024 were from 2020 or earlier, with some dating back to the 1990s [2].
  • Home internet router exploits: The most exploited vulnerability of 2024 targeted home internet routers, fueling massive botnets used in global cyberattacks [2].
  • Rapid exploitation: Attackers are exploiting vulnerabilities within hours of disclosure, making real-time defense more critical [2].
  • Ransomware exploitation: Ransomware groups leveraged 28% of the CVEs in CISA's Known Exploited Vulnerabilities catalog that GreyNoise tracked in 2024 [2].
  • Entrenchment of mass exploitation: Mass exploitation is becoming more entrenched and isn't slowing down [2].
  • Automation and weaponization: Mass exploitation in 2024 was characterized by relentless automation, persistent targeting of legacy vulnerabilities, and the rapid weaponization of new exposures [3].

  • Pre-2024: Exploitation of vulnerabilities dating back to the 1990s, 2000s, and early 2010s continues, emphasizing the persistence of legacy vulnerabilities.
  • Early 2024:
      • Increased exploitation of Ivanti products via a pattern of critical vulnerabilities being discovered.
      • Increased exploitation of D-Link products due to critical flaws across multiple product lines.
      • VMware products begin being targeted, especially by ransomware groups.
  • May 2024: A surge of over 12,000 hacked Android devices is detected, indicating growing mobile threats.
  • Throughout 2024:
      • Mass exploitation of vulnerabilities in home internet routers, driving massive botnets.
      • Attackers exploit vulnerabilities within hours of their disclosure.
      • Ransomware groups actively leverage known exploited vulnerabilities.
      • GreyNoise detects exploitation of vulnerabilities before they are added to CISA's Known Exploited Vulnerabilities (KEV) catalog in many cases.
      • GreyNoise Global Observation Grid (GOG) improves its data collection and processing capabilities.
      • GPON Router Worm CVE-2018-10561 is the most active vulnerability based on unique IPv4s.
      • Automated reconnaissance and ENV/Git crawlers are active in reconnaissance of internet assets.
      • X Server Connection Attempt becomes baked into a vast array of botnets.
  • 2025 (Report Publication): GreyNoise publishes its report, highlighting trends and key findings from 2024.

Conclusion

The mass exploitation landscape of 2024 demands a proactive and adaptive approach to cybersecurity. By understanding the trends, vulnerabilities, and attack vectors outlined in this report, organizations can take meaningful steps to strengthen their defenses and mitigate the risks posed by mass internet exploitation.
