CyberSecurity SEE

Rapid7 cautions about concerning zero-day vulnerability trends

The recently published “2024 Attack Intelligence Report” by Rapid7 revealed disturbing trends in vulnerability exploitation and ransomware attacks that plagued enterprises from January 2023 to mid-February 2024. The report highlighted the alarming fact that attackers leveraged more zero-day vulnerabilities than known vulnerabilities in widespread threat campaigns during this period.

According to Rapid7's research, the report analyzed more than 210 vulnerabilities disclosed since the end of 2019, more than 60 of which were exploited in the past year. Notably, the report pointed out that mass compromise attack campaigns, such as those targeting Progress Software’s MoveIt Transfer and Ivanti Connect Secure VPN, saw a higher prevalence of zero-day exploitation than exploitation of known vulnerabilities. Zero-day attacks were particularly prevalent throughout 2023.

In a surprising turn of events, the report stated that for the second time in three years, more mass compromise events occurred due to zero-day vulnerabilities rather than known vulnerabilities. Around 53% of new widespread threat vulnerabilities witnessed in the early months of 2024 were exploited before software vendors could release patches, reminiscent of the levels seen in 2021 after a slight decline in 2022.

The data presented in the report focused on vulnerabilities that led to mass compromise events. Examples included the exploitation of CVE-2023-34362 by the Clop ransomware gang against MoveIt Transfer customers and a remote code execution flaw (CVE-2023-0669) in Fortra’s GoAnywhere managed file transfer (MFT) product. Rapid7 also highlighted the attacks on Cisco products and Citrix’s NetScaler ADC and NetScaler Gateway, with an emphasis on the severe vulnerability tracked as CVE-2023-3519.

One of the significant findings of the report was the exploitation of the Ivanti Connect Secure and Policy Secure authentication bypass flaw (CVE-2023-46805) by a Chinese nation-state threat actor to compromise CISA, which the agency confirmed in March. Additionally, Mitre, the manager of the CVE system, disclosed in April a breach by an unnamed nation-state actor exploiting Ivanti flaws.

Caitlin Condon, director of vulnerability intelligence at Rapid7, emphasized the sophistication of adversaries in orchestrating attacks with zero-days and custom payloads, highlighting the challenges faced by software producers in balancing security with operational continuity. Condon also noted a shift in exploitation trends towards simpler root causes in software vulnerabilities, urging enterprises to prioritize penetration testing and address basic flaws in their systems.

Furthermore, the report discussed the prevalence of nation-state actors and APT groups in exploiting vulnerabilities in network edge devices, particularly VPNs with inadequate multifactor authentication (MFA). It identified a high level of activity from Chinese-backed campaigns in comparison to Russian, North Korean, and Iranian-affiliated groups. Ransomware gangs were also highlighted for their increased data theft and extortion activities, alongside the persistence of traditional ransomware attacks targeting public-facing applications and unsecured network perimeters.

Another concerning trend outlined in the report was the issue of vendors silently patching vulnerabilities, depriving organizations of critical information needed to prioritize patching efforts effectively. This practice, combined with the privatization of vulnerability and exploit information, poses significant challenges to cybersecurity efforts by limiting transparency and hindering informed decision-making.

Overall, the “2024 Attack Intelligence Report” by Rapid7 shed light on the evolving threat landscape characterized by the exploitation of zero-day vulnerabilities, sophisticated attack techniques, and the need for enhanced collaboration between security researchers, vendors, and enterprises to address the growing cybersecurity challenges effectively. As the threat landscape continues to evolve, proactive measures and information sharing will be crucial in defending against increasingly sophisticated cyber threats.
