Understanding 2024 cyber attack trends
Mandiant has released the M-Trends 2025 report, which outlines global cyber attack trends based on their own incident response engagements from 2024.
Key trends and insights
In 2024, Mandiant handled more incidents in the financial sector than in any other industry: 17.4%. Other popular targets? Companies in business and professional services (11.1%), high tech (10.6%), government (9.5%), and healthcare (9.3%).
Exploitation of a vulnerability is still the most common initial infection vector (33%), followed by stolen credentials (16%), email phishing (14%) and web compromise (9%).
(In 34% of 2024 intrusions they handled, Mandiant could not determine how the attackers gained the initial foothold. “Although numerous factors can contribute to an unknown vector, this considerable proportion indicates potential deficiencies in enterprise logging and detection capabilities,” the company said.)
As every year, attackers used a wide variety of malware, but 2024 was marked by the resurgence of info-stealers, which in turn drove the renewed use of stolen credentials as a means of initial access.
Initial infection vector, 2022-2024 (Source: Mandiant)
The most frequently exploited vulnerabilities by attackers in 2024 were those in edge security devices (firewalls, VPNs, network access control solutions, etc.) by Palo Alto Networks, Ivanti, and Fortinet.
Another interesting thing last year was the rise of “insider threat” as an initial infection vector, fueled by a surge in North Korean IT workers securing employment under false pretenses and using the access they gained to company networks for further compromise and extortion.
For ransomware-related intrusions, the most common initial infection vector was brute force (26%; password spraying, use of default credentials, high-volume RDP login attempts), followed by stolen credentials (21%), exploits (21%), prior compromise (15%) and third-party compromise (10%).
Organizations’ cloud assets are most often compromised through email phishing (39%) and stolen credentials (35%).
“In 2024, Mandiant responded to more breaches that involved a cloud component than ever before. In the investigations Mandiant performed, three major themes contributed to threat actor successes in these environments: identity solutions that lack sufficient security controls; improperly secured on-premises integrations; and poor visibility into extended cloud attack surface,” the company noted.
“Taken as a whole, these factors signal a need for a security approach that bridges the gaps between on-premises and cloud, while also recognizing that the cloud’s attack surface is not isolated, but part of an interconnected ecosystem that demands proactive integrated defenses.”
Mandiant has also pointed out that its red teamers often find sensitive data in publicly accessible repositories, which means attackers can find it as well.
“Network file shares, SharePoint sites, Jira instances, Confluence spaces, and GitHub repositories often contain a wealth of valuable information (i.e., credentials, private keys, financial documents, personally identifiable information (PII), and intellectual property). This data, typically accessible to employees with standard privileges, presents a significant security risk that many organizations fail to recognize,” they added.
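As an added illustration (not part of Mandiant’s report or its tooling), the following Python script shows the kind of check a defender can run over exported wikis, file shares and checked-out repositories to find the credentials and private keys the report describes before a red team or an attacker does. The detection rules, entropy threshold and sample file contents are constructed for this example; the AWS access key value is the public placeholder Amazon uses in its own documentation.

```python
"""Scan text files for credentials and keys that should not sit in a shared repository.

Added example (not from the M-Trends report): a minimal scanner of the kind a
defender runs over wikis, file shares and source repos before a red team or an
attacker does. All rules, thresholds and sample file contents are constructed.
"""
import math
import re
from collections import Counter

# Each rule: (name, regex). Kept conservative to limit noise on real repositories.
RULES = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("password_assignment", re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*")),
    ("connection_string", re.compile(r"(?i)\b[a-z]+://[^:/\s]+:[^@\s]+@\S+")),
]

# Values that look like passwords but are documentation placeholders.
PLACEHOLDERS = {"changeme", "password", "example", "redacted", "xxxxxxxx", "<secret>"}
MIN_PASSWORD_ENTROPY = 2.5   # bits/char; "aaaaaaaa" is 0, a random 16-char token is ~3.9


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random tokens score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list:
    """Return one finding per (line, rule) hit; filter out placeholder passwords."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if name == "password_assignment":
                value = m.group(1)
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < MIN_PASSWORD_ENTROPY:
                    continue
            findings.append({"path": path, "line": lineno, "rule": name})
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> contents (e.g. a checked-out repo or an exported wiki)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample contents. The AWS key is the public example value from AWS docs.
SAMPLE_FILES = {
    "wiki/onboarding.md": "Set your password in the portal on day one.\n"
                          "Ask IT for the VPN profile.\n",
    "deploy/.env": "DB_PASSWORD=Tr0ub4dor&3-xK9q\n"
                   "API_KEY=AKIAIOSFODNN7EXAMPLE\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   "b3BlbnNzaC1rZXktdjEAAAAA...\n",
    "config/app.yaml": "password: changeme\n"
                       "database_url: postgres://app:S3cretPass99@db.internal/app\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['rule']}")
```

Run against the constructed files, the scanner reports four findings (the .env password and AWS key, the private key, and the connection string with an embedded password) and nothing for the onboarding page or the `changeme` placeholder. Pointing `scan_files` at a real export will produce noise; tune `RULES`, `PLACEHOLDERS` and the entropy threshold against your own baseline rather than lowering them to zero.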
Advice for organizations and defenders
Based on the report, Mandiant highlighted these core security recommendations:
- Implement FIDO2-compliant multifactor authentication (MFA) to prevent intrusions via stolen credentials
- Audit and secure internet-exposed infrastructure to prevent brute-force attacks, particularly those targeting VPNs and Remote Desktop Protocol (RDP) interfaces using default or weak credentials
- Block endpoint scripts and apply content filtering to mitigate risks from web compromises such as SEO poisoning and malicious advertisements
- Enforce strict policies against browser-based credential storage to reduce exposure to infostealer malware
- Regularly patch all systems and software to minimize the exploitation window of newly disclosed vulnerabilities
- Detect and deter insider threats, including fraudulent employment, by implementing strict data verification checks, additional scrutiny in the hiring process and monitoring post-hiring
- Use network segmentation and monitor for lateral movement
- Invest in internal detection and logging capabilities to reduce dwell time and reliance on external notifications
- Monitor cloud identity and access activity to prevent abuse of single sign-on (SSO) systems
- Apply threat intelligence to prioritize defenses based on common attacker techniques, aligning them with observed MITRE ATT&CK techniques like command and script execution (T1059) and data encryption for impact (T1486)
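As an added example, not code from the report, the script below applies the detection logic behind the brute-force figures above and the recommendations on internet-exposed VPN/RDP infrastructure and internal logging. It reads gateway logon records and flags password spraying (many accounts, few attempts each, from one source), single-account brute force, and any successful logon from a source already flagged. The log format, field names, thresholds, account names and IP addresses are all constructed for this example; a real deployment parses the gateway’s own event format.

```python
"""Flag password spraying and single-account brute force in gateway logon logs.

Added example, not part of the M-Trends report: the detection logic implied by the
brute-force statistics and the "internal detection and logging" recommendation,
applied to VPN/RDP logon events. The log format, thresholds and all records are
constructed for this example; adapt the parser to your gateway's real format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RX = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"service=(?P<service>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Tunables (assumed values); derive them from your own baseline of failed logons.
WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 5      # distinct accounts failed from one source inside WINDOW
BRUTE_MIN_FAILS = 8      # failures against one account from one source inside WINDOW


def parse(lines):
    """Parse log lines into dicts; unparseable lines are skipped (count them in production)."""
    events = []
    for line in lines:
        m = LINE_RX.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def detect(lines):
    """Return alerts as tuples:
       ('spray', src, distinct_users), ('brute', src, user, fails),
       ('success_after_attack', src, user) for a SUCCESS from a flagged source."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    fails_by_src = defaultdict(list)                  # src -> [(ts, user), ...]
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append((e["ts"], e["user"]))

    alerts = []
    for src, fails in fails_by_src.items():
        max_users, worst_user, worst_fails = 0, None, 0
        start = 0
        for end in range(len(fails)):
            # Slide the window so it spans at most WINDOW of failures.
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            per_user = Counter(user for _, user in fails[start:end + 1])
            max_users = max(max_users, len(per_user))
            user, n = per_user.most_common(1)[0]
            if n > worst_fails:
                worst_user, worst_fails = user, n
        if max_users >= SPRAY_MIN_USERS:
            alerts.append(("spray", src, max_users))
        if worst_fails >= BRUTE_MIN_FAILS:
            alerts.append(("brute", src, worst_user, worst_fails))

    # A successful logon from a source already flagged is the event that matters most.
    flagged = {a[1] for a in alerts}
    for e in events:
        if e["result"] == "SUCCESS" and e["src"] in flagged:
            alerts.append(("success_after_attack", e["src"], e["user"]))
    return alerts


# Constructed sample log: one spraying source, one benign user, one RDP brute force.
SAMPLE_LOG = [
    "2024-05-03T10:00:00Z src=203.0.113.7 user=alice service=vpn result=FAIL",
    "2024-05-03T10:00:10Z src=203.0.113.7 user=bob service=vpn result=FAIL",
    "2024-05-03T10:00:20Z src=203.0.113.7 user=carol service=vpn result=FAIL",
    "2024-05-03T10:00:30Z src=203.0.113.7 user=dave service=vpn result=FAIL",
    "2024-05-03T10:00:40Z src=203.0.113.7 user=erin service=vpn result=FAIL",
    "2024-05-03T10:00:50Z src=203.0.113.7 user=frank service=vpn result=FAIL",
    "2024-05-03T10:01:30Z src=203.0.113.7 user=erin service=vpn result=SUCCESS",
    "2024-05-03T10:02:00Z src=192.0.2.10 user=alice service=vpn result=FAIL",
    "2024-05-03T10:02:30Z src=192.0.2.10 user=alice service=vpn result=SUCCESS",
    "malformed line that the parser should skip",
] + [
    f"2024-05-03T10:05:{i * 10:02d}Z src=198.51.100.23 user=administrator service=rdp result=FAIL"
    for i in range(6)
] + [
    f"2024-05-03T10:06:{i * 10:02d}Z src=198.51.100.23 user=administrator service=rdp result=FAIL"
    for i in range(3)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed log this yields three alerts: a spray from 203.0.113.7 across six accounts, a brute-force run of nine failures against `administrator` from 198.51.100.23, and the subsequent success for `erin` from the spraying source; the single failed-then-successful logon from 192.0.2.10 produces nothing. The thresholds only mean something relative to a baseline, which is the practical reason the report ties short dwell times to investment in logging: without the failed-logon events being collected in the first place there is nothing to run this over.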