A macro look at the most pressing cybersecurity risks

Forescout’s 2024H1 Threat Review is a new report that reviews the current state of vulnerabilities, threat actors, and ransomware attacks in the first half of 2024 and compares them to H1 2023.

“Attackers are looking for any weak point to breach IT, IoT, and OT devices, and organizations that don’t know what they have connected to their networks or if it’s secured are being caught flat-footed,” said Barry Mainz, Forescout CEO. “To mitigate these extensive threats, organizations must enhance their visibility across network infrastructure, build proactive security measures, and consider replacing outdated VPN solutions. Comprehensive security strategies, including having visibility into all devices and robust access controls, are crucial to protect against these emerging and expanding threats.”

Vulnerabilities surged by 43%

• Published vulnerabilities spiked by 43% compared to H1 2023, with 23,668 vulnerabilities reported in H1 2024
• The average number of new CVEs per day was 111 or 3,381 per month; 7,112 more than H1 2023
• 20% of exploited vulnerabilities affected VPN and network infrastructure

Ransomware groups expanded 55% and attacks climbed 6%

• Ransomware attacks continued to steadily climb by 6% to 3,085 incidents, up from 2,899 during the same period last year, averaging 441 per month or 15 per day
• The U.S. experienced half of all attacks, up from 48% in 2023
• Government, financial services organizations, and technology companies were the top three targets
• The number of active ransomware groups expanded by 55%

U.S., Germany, and India were top targets

• 387 of the 740 threat actors that Forescout tracks were active in H1 2024.
• The U.S., Germany, and India were the most targeted, with the U.S. targeted twice as often as Germany and India
• The 387 active actors are predominantly cybercriminals (50%), including ransomware groups, state-sponsored actors (40%) and hacktivists, originating, in order of frequency of attacks, from China, Russia, and Iran

State-sponsored actors using hacktivist fronts

• State-sponsored actors are using hacktivist fronts to target critical infrastructure
• Groups like Predatory Sparrow and Karma Power have been linked to significant attacks under the guise of hacktivism
• Factors driving this shift may be the increased visibility of hacking campaigns, and the need to create a facade to obscure cyberwarfare activities

Massive VPN and network infrastructure targeting

• In H1 2024, 15 new CVEs in the CISA known exploited vulnerabilities (KEV) catalog targeted infrastructure and security appliances from vendors like Ivanti, Citrix, Fortinet, Cisco, Palo Alto Networks, Check Point, and D-Link
• This accounts for nearly 20% of new vulnerabilities in the CISA KEV
• These attacks frequently utilized zero-days or recently disclosed and unpatched vulnerabilities
• Forescout research also found that routers and wireless access points are the riskiest IT devices in 2024

“Attackers are shifting from targeting managed endpoints to unmanaged perimeter devices, due to their lack of visibility and security telemetry,” said Elisa Constante, VP of Research at Forescout Research – Vedere Labs. “To combat this, organizations must extend visibility and proactive controls to these areas. Key steps include ensuring device visibility, assessing risks, disabling unused services, patching vulnerabilities, enforcing strong credentials and MFA, avoiding direct internet exposure, and segmenting networks. These steps will help reduce breach risks and strengthen overall security.”