
Our 2024 Threat Report: Attack Volume Up 114%

Forescout Research - Vedere Labs | January 23, 2025

With an increasing number of cyberattacks, rising costs, and escalating geopolitical tensions around the world, cybersecurity will continue to be top of mind for organizations in 2025.

In our new threat report roundup, we look back at 900 million attacks observed in the threat landscape of 2024. This is up 114% from last year’s 420 million attacks.

We also offer organizations tactical insights and strategic recommendations for improved defense in 2025 in our recommended mitigation section below.

2024 Threat Report Key Findings

Origination

  • Attacks from 213 countries:
    • The top 10 countries accounted for 78% of the malicious traffic.
    • Russia overtook China as the most common origin of attacks.
    • 57% of attacks came from IPs managed by ISPs, 33% from organizations in business, government and other sectors, and 10% from hosting or cloud providers.
    • This reflects a continued increase in the use of compromised devices to launch attacks directly, via “residential proxies” or using new advanced techniques such as ORB networks.

Attack Service Type

  • Web applications were again the most attacked service type followed by remote management protocols:
    • Remote management services were often targeted with specific usernames linked to databases, cloud and DevOps infrastructure.
    • Web applications were more often targeted with vulnerability exploits.

Exploits

  • Exploits against network infrastructure devices became the second most popular category:
    • Exploits against software libraries and IoT devices decreased proportionally.
    • Only 27% of exploited vulnerabilities appeared in CISA KEV (down from 25% in 2023).
    • At least 25 vulnerabilities in OT and industrial IoT devices that were exploited by botnets and automated attacks do not appear on that list.
  • Post-exploitation actions focused on discovery (84%, up from 25% in 2023), persistence (12%) and execution (4%).

OT and Building Automation Attacks

  • Five OT protocols were consistently targeted:
    • Modbus continues to dominate with 40% of attacks, Ethernet/IP comes second with 28%, followed by Step7, DNP3 and BACnet with around 8% each.
    • There is an increase in attacks on popular building automation protocols such as BACnet, Fox and KNX.
    • Most attacks still target protocols used in industrial automation.

Go deeper: Join our 2024 Threat Report webinar with Daniel Dos Santos, Head of Research, and VP of Security Intelligence, Rik Ferguson.


Threat Actor Breakdown

  • Threat actors targeted 176 countries:
    • The United States was the most targeted by far with 264 actors taking aim.
    • In second place, Germany with 144, then India with 141.
    • The vast majority of threat actors originated from China (199), Russia (98) and Iran (55).
    • Together, these three countries accounted for 43% of threat actor groups in our database.
    • Government, financial services, and telecommunications were the industries most targeted by these actors.

Heat map: countries most targeted by threat actors

  • Attackers have increasingly been focusing on critical infrastructure (CI) targets:
    • The number of CI incidents increased by 10% from 2023 to 2024.
    • 57% of incidents targeted critical infrastructure sectors.
    • The proportion of incidents on CI changed drastically between 2022, when it was 34%, and 2023, when it was 58%.

Incident By Country Breakdown

  • The US has seen the most incidents by far, but CI incidents are becoming more globally distributed.
    • Over three years, the number of countries affected by CI incidents grew by 192%: 27 countries in 2022, 57 in 2023, and 79 in 2024.
    • After the US, countries and regions with most incidents are in Europe (Germany, France, Spain, Italy, and the UK) and Asia (Japan, India, Korea, Taiwan, and Singapore).

Vertical Industry Breakdown

  • Healthcare had the most incidents in 2023 and 2024, although the percentage decreased from 24% to 17%.
    • Financial services was also in the top two in both years, but saw a relative increase from 12% to 17%.
    • Government jumped from fourth place in 2023 to third in 2024 while manufacturing jumped from sixth to fourth.
    • In healthcare, financial services and manufacturing, most threat actors are cybercriminals.
    • In government and energy, most threat actors are state-sponsored.
    • Hacktivist activity is more common in the government sector.

Malware

  • Botnets were the most popular type of malware (29%, up from 22% in 2023), followed by information stealers (infostealers) and RATs:
    • There were no big changes in the common types of malware, but popular families and C2 servers have changed.
    • Mirai returned to the top as the most common malware we observe.
    • Lumma stealer (in second place) is the most popular new entry.
    • Although Cobalt Strike remains by far the most popular C2, the use of Viper has surged, surpassing even Sliver, which was gaining a lot of attention in 2023.


Recommended Mitigation

Throughout the threat report roundup, we include insights for defenders alongside each of the main findings. As we did last year, we recommend organizations focus on three key pillars of cybersecurity at a more strategic level:

Risk & Exposure Management

Start by identifying every asset connected to the network, along with its criticality, security posture, credentials and open ports. Then change any default credentials and use strong, unique passwords for each device. Next, disable unused services and patch vulnerabilities to prevent exploitation.

Finally, focus on risk mitigation using automated controls that do not rely only on security agents and apply to the whole enterprise, instead of silos like the IT network, the OT network, or specific device types.

Network Security

Do not expose unmanaged devices directly on the internet. Segment the network to isolate IT, IoT and OT devices, limiting network connections to only specifically allowed management and engineering workstations, or among unmanaged devices that need to communicate.

Segmentation should not happen only between IT and OT, but even within IT and OT networks to prevent lateral movement and data exfiltration. Restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control, if they cannot be patched or until they can be patched.

Threat Detection & Response

Use an IoT/OT-aware, DPI-capable monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions such as vulnerability exploitation, password guessing or unauthorized use of OT protocols. Anomalous and malformed traffic should be blocked, or at the very least reported to network administrators.
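One way to implement the "unauthorized use of OT protocols" and malformed-traffic checks above for Modbus/TCP, the most attacked OT protocol in this report. This is an added example, not Forescout code: the engineering-workstation allowlist address and the sample frames are constructed for illustration.

```python
# Added example (not Forescout's code): a minimal Modbus/TCP inspector that
# alerts on write requests from hosts outside an engineering-workstation
# allowlist and on malformed MBAP frames. Addresses and frames are constructed.
import struct

# Modbus function codes that change PLC state (coils / holding registers).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Hypothetical allowlist of engineering workstations permitted to write.
ALLOWED_WRITERS = {"10.0.10.5"}

def parse_mbap(frame: bytes):
    """Return (unit_id, function_code) or raise ValueError if the frame is malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match payload {len(frame) - 6}")
    return unit, frame[7]

def inspect(src_ip: str, frame: bytes):
    """Classify one request as 'ok', 'unauthorized-write' or 'malformed'."""
    try:
        unit, fc = parse_mbap(frame)
    except ValueError as err:
        return "malformed", str(err)
    if fc in WRITE_FUNCTIONS and src_ip not in ALLOWED_WRITERS:
        return "unauthorized-write", f"fc={fc} unit={unit} from {src_ip}"
    return "ok", f"fc={fc} unit={unit} from {src_ip}"

# Constructed sample traffic (MBAP header + PDU), not real captures.
SAMPLES = [
    ("10.0.10.5", bytes.fromhex("0001000000060103000a0002")),   # read holding regs, allowed host
    ("10.0.10.5", bytes.fromhex("00020000000601060001ffff")),   # write single reg, allowed host
    ("10.0.50.77", bytes.fromhex("00030000000601050001ff00")),  # write coil from unexpected host
    ("10.0.50.77", bytes.fromhex("0004000100060103000a0002")),  # protocol id 1: malformed
    ("10.0.50.77", bytes.fromhex("000500000010010300")),        # length field disagrees with payload
]

def run(samples=SAMPLES):
    """Inspect every sample and return (src_ip, verdict, detail) tuples."""
    return [(ip, *inspect(ip, frame)) for ip, frame in samples]

if __name__ == "__main__":
    for ip, verdict, detail in run():
        print(f"{verdict:18} {detail}")
```

In a real deployment the allowlist would come from the asset inventory built in the Risk & Exposure Management step, and verdicts would feed the monitoring solution rather than stdout.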

Beyond network monitoring, threat detection and response solutions collect telemetry and logs from a wide range of sources, including security tools, applications, infrastructure, cloud and other enrichment sources, to correlate attack signals, generate high-fidelity threat detections for analyst investigation and automate response actions across the enterprise.
