
2024’s threat landscape in review

Researchers at Rapid7 have put together a look back at the year that was, the threats that emerged, and how hackers gained access to their victims in 2024.

David Hollingworth
Thu, 09 Jan 2025

The beginning of a new year is both a time to look ahead and a time of reflection, and looking back at 2024 through a cyber security lens reveals a year of tumult.

It was a year of emerging ransomware groups jostling among established players, of ever-advancing tactics to penetrate networks and get past their defenders, and of competition between strains of malware.

Security researchers at Rapid7 Labs and Managed Services were able to keep a particularly close eye on the threat landscape as it has evolved over the last 12 months, and here are some of their observations of 2024.


Ransomware

“The 2024 ransomware landscape was all about pushing boundaries, with several groups striving to make a name for themselves in extortion circles,” Rapid7’s researchers said in a recent blog post.

The cyber security firm observed 33 new, or newly rebranded, ransomware groups emerge in 2024, for a total of 75 active groups. Between them, these ransomware operations made 5,477 posts to their respective darknet leak sites in an effort to intimidate and extort their victims.

One of the most prolific of the new actors was RansomHub, which actually managed to snag the slot of the second-most active ransomware operation for the year, with 573 victims listed as of the end of November. The leader, though, was LockBit, which listed 579 posts in the same period, despite being relatively inactive in the last couple of months of the year.

LockBit’s last victim was, curiously enough, an Australian one. The gang attacked the Western Australia-based TPG Aged Care in early October 2024.

One thing that Rapid7 has observed, as have we at Cyber Daily, is that some groups go through extended periods of relative silence.

“Several groups have periods in which they seemingly ‘go dark’, where we do not see posts to their leak sites for weeks at a time,” Rapid7 said.

“It may be that these groups are using this time to rework their infrastructure, or perhaps they are receiving quick payouts from victims wishing to avoid reputational damage and the negative press associated with a breach coming to light.”

Malware

In 2024, three malware strains were responsible for 28 per cent of all incidents that Rapid7 responded to.

“Several forms of malware have been at the front of the pack throughout 2024 across all industries,” Rapid7 said.

“SocGholish, GootLoader, and AsyncRAT led the charge with a heady mix of remote access and credential theft.”

SocGholish, also known as FakeUpdates, is used mainly in drive-by and website-compromise attacks: the hijacked websites prompt their visitors to install fake Java and similar updates, which are in fact any of a range of malicious payloads. It was seen in 14 per cent of all malware incidents.

GootLoader was seen in 10 per cent of all observed incidents. This malware is commonly seen in SEO poisoning campaigns, which target popular search engine queries, and is often used to deploy penetration-testing software such as Cobalt Strike. AsyncRAT took third place with four per cent of all attacks. This remote access Trojan has been used for keylogging and info-stealing since 2019 and is clearly still a popular tool among hackers.

Initial access

Systems lacking multifactor authentication were the main cause of unauthorised access to networks in 2024, with a staggering 56 per cent of all incidents being traced back to this access vector. More alarming still were the year-on-year figures for the third quarter of the year.

“Roughly 40 per cent of the incidents the Rapid7 Managed Services team saw in Q3 2023 were remote access to systems with missing or lax enforcement of MFA, particularly for VPNs and virtual desktop infrastructure (VDI),” Rapid7 said.

“In Q3 2024, fully two-thirds (67 per cent) of incident responses involved abuse of valid accounts and missing or lax enforcement of MFA – once again, mainly on VPNs and VDI, though exposed RDP also added a small number of incidents to remote access counts.”

Exploitation of known vulnerabilities, on the other hand, accounted for 17 per cent of all cyber incidents. The year 2024 saw a mix of new and older vulnerabilities taken advantage of, including CVE-2024-3400 in Palo Alto Networks PAN-OS, CVE-2024-24919 in Check Point Security Gateways, and CVE-2024-1709 in ConnectWise ScreenConnect.

One piece of good news, though, is that Rapid7 saw less exploitation of zero-day vulnerabilities in 2024 compared to 2023.

“The threat landscape in 2024 saw a host of new ransomware actors creating chaos in novel ways, but it also showed that attackers are willing to use tried and true techniques to breach defences,” Rapid7 said.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
