Perils In The Periphery – Forescout’s 2024 H1 Threat Review
Posted: Monday, Sep 02

Forescout published its “2024H1 Threat Review”. The new report reviews the current state of vulnerabilities, threat actors, and ransomware attacks in the first half of 2024 and compares them to H1 2023.

“Attackers are looking for any weak point to breach IT, IoT, and OT devices, and organisations that don’t know what they have connected to their networks or if it’s secured are being caught flat footed,” said Barry Mainz, Forescout CEO. “To mitigate these extensive threats, organisations must enhance their visibility across network infrastructure, build proactive security measures, and consider replacing outdated VPN solutions. Comprehensive security strategies, including having visibility into all devices and robust access controls, are crucial to protect against these emerging and expanding threats.”

Forescout Research – Vedere Labs “2024H1 Threat Review” Key Findings

Vulnerabilities Surged by 43%

  • Published vulnerabilities spiked by 43% compared to H1 2023, with 23,668 vulnerabilities reported in H1 2024
  • The average number of new CVEs per day was 111 or 3,381 per month; 7,112 more than H1 2023
  • 20% of exploited vulnerabilities affected VPN and network infrastructure, emphasising the need for better device security

Ransomware Groups Expanded 55% and Attacks Climbed 6%

  • Ransomware attacks continued to steadily climb by 6% to 3,085 incidents, up from 2,899 during the same period last year, averaging 441 per month or 15 per day
  • The U.S. experienced half of all attacks, up from 48% in 2023
  • Government, financial services organizations, and technology companies were the top three targets
  • The number of active ransomware groups expanded 55%

U.S., Germany, and India Were Top Targets

  • 387 (52%) of the 740 threat actors that Forescout tracks were active in 1H 2024. (Live group tracking information is available in this Forescout dashboard.)
  • The U.S., Germany, and India were the most targeted, with the U.S. targeted twice as often as Germany and India
  • The 387 active actors are predominantly cybercriminals (50%), including ransomware groups, state-sponsored actors (40%) and hacktivists, originating, in order of frequency of attacks, from China, Russia, and Iran

State-Sponsored Actors Using Hacktivist Fronts

  • State-sponsored actors are using hacktivist fronts to target critical infrastructure
  • Groups like Predatory Sparrow and Karma Power have been linked to significant attacks under the guise of hacktivism
  • Factors driving this shift may be the increased visibility of hacking campaigns, and the need to create a façade to obscure cyberwarfare activities

Massive VPN and Network Infrastructure Targeting

  • In H1 2024, 15 new CVEs in the CISA known exploited vulnerabilities (KEV) catalog targeted infrastructure and security appliances from vendors like Ivanti, Citrix, Fortinet, Cisco, Palo Alto Networks, Check Point, and D-Link
  • This accounts for nearly 20% of new vulnerabilities in the CISA KEV
  • These attacks frequently utilized zero-days or recently disclosed and unpatched vulnerabilities
  • Forescout research also found that routers and wireless access points are the riskiest IT devices in 2024

“Attackers are shifting from targeting managed endpoints to unmanaged perimeter devices, due to their lack of visibility and security telemetry,” said Elisa Constante, Vice President of Research at Forescout Research – Vedere Labs. “To combat this, organisations must extend visibility and proactive controls to these areas. Key steps include ensuring device visibility, assessing risks, disabling unused services, patching vulnerabilities, enforcing strong credentials and MFA, avoiding direct internet exposure, and segmenting networks. These steps will help reduce breach risks and strengthen overall security.”
