Forescout Technologies, Inc. has announced key findings from its “2024 Threat Roundup” report, providing analysis of the evolving threat landscape. The Forescout Vedere Labs research highlights key trends from 2024, including threat actors, vulnerabilities, exploits, top targets and attacker locations, while drawing comparisons to 2023 and offering insights and strategic recommendations for improved defenses.
Top findings based on an analysis of 900 million attacks identified more than half of all attacks originated from IPs managed by ISPs, web applications were the most targeted service type, a concerning increase in actively exploited vulnerabilities not included in CISA’s KEV catalog and rising security incidents against critical infrastructure.
“Cybercrime, hacktivists, and state-sponsored actors are exploiting IT, IoT, OT and IoMT devices in critical infrastructure, leading to real-world consequences – planes grounded, production lines stopping, and essential services like patient care in hospitals grinding to a halt,” said Barry Mainz, Forescout CEO.
“Organizations that can’t see their full network are left vulnerable to these threats. To better defend against them, organizations must focus on risk and exposure management to understand their attack surface, network security to enforce Zero Trust, and threat detection and response to identify and contain threats before they can do damage and disrupt our lives.”
Key findings include:
Web applications are the most attacked service type
- Web applications were again the most attacked service type followed by remote management protocols.
- Attacks on web applications increased from 26% in 2022 and 2023 to 41% in 2024, with most attacks consisting of either scanning or exploit attempts. The increase represents a shift from mostly credential-based attacks to exploits on perimeter devices and applications.
- Accounts associated with databases are the most attacked. IoT device credentials consist of 6% of attacks (e.g., routers, cameras, DVRs, industrial and network equipment).
Exploits against network infrastructure are growing
- Exploits against network infrastructure devices became the second most popular category.
- Exploits against web applications rose from 36% in 2023 to 56% in 2024.
- Network infrastructure devices (routers, firewalls, VPNs, etc.) are the second largest category and increased from 3% (2022) to 11% (2023) and now 14% (2024).
- The percentage of exploited vulnerabilities not in CISA’s Known Exploited Vulnerabilities (KEV) increased from 65% to 73%.
- When Forescout’s AEE data was merged with observations from the Shadowserver foundation, a list of at least 25 vulnerabilities affecting OT and Industrial IoT devices were discovered that are exploited by botnets or automated attacks, which are not included in CISA’s KEV.
OT attacks increased, with building automation on the rise
- Attackers are constantly scanning popular OT protocols, with 79% targeting industrial automation, 12% on power sector, and the remaining on building automation. Building automation increased from 2% in 2023 to 9% in 2024.
- Most attacks are opportunistic, with a heavy interest in Modbus (33% in 2023 to 40% in 2024) and more fragmented interest in a lot of other protocols.
U.S. is the biggest critical infrastructure target, with incidents increasing across sectors
- Based on data from the European Repository of Cyber Incidents, since 2022, reported security incidents in critical infrastructure worldwide have grown by 668 percent.
- There were 10% more incidents for critical infrastructure sectors than in 2023 and more than half of all incidents (57%) affected critical infrastructure sectors.
- Healthcare was the top targeted sector in 2023 (24%) and 2024 (17%), followed by financial services (17%) and government (10%).
- The U.S. is the biggest target. Top targets after the U.S. are Europe (Germany, France, Spain, Italy and the UK) and Asia (Japan, India, Korea, Taiwan, Singapore).
China, Russia and Iran account for 43% of threat actor groups
- The top three countries targeted by the most threat actors are United States, Germany and India.
“OT environments are quickly becoming bigger targets for cybercriminals because these areas don’t have the robust security and monitoring measures found in traditional IT systems,” said Daniel dos Santos, Head of Research at Forescout.
“With critical infrastructure and industrial systems frequently exposed to vulnerabilities, attackers see these environments as prime opportunities to steal sensitive data or cause disruption. Organizations must work to strengthen their risk and exposure management, segment sensitive networks to prevent unauthorized lateral movement, and deploy IoT/OT-aware threat detection to allow for comprehensive visibility across the entire enterprise.”