Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Threat Intelligence

Threat Indicators Show 2024 Is Already Promising to be Worse Than 2023

In just the first two months of 2024, threat intelligence firm Flashpoint has logged dramatic increases in all major threat indicators.

Threat Intelligence Report

While 2023 was a difficult year for cybersecurity teams, 2024 is likely to be worse. In just the first two months of 2024, threat intelligence firm Flashpoint has logged dramatic increases in all major threat indicators.

By Flashpoint’s numbers, there were 6,077 recorded data breaches in 2023, with attackers accessing more than 17 billion personal records (up 34.5% on 2022’s figures). In the first two months of 2024, this increased by 429% over the first two months of 2023.

The US suffered more than 60% of all breaches in 2023 (3,804). This was a 19.8% increase over 2022’s figures. The first two months of 2024 have seen a further increase of 30% over the same period of 2023.

Ransomware attacks increased by 84% in 2023 over 2022. The first two months of 2024 saw a further 23% increase over the first two months of 2023.

Despite the large numbers involved, one attack and one attacker stood out during 2023: the MOVEit attacks (leveraging CVE 2023-34362), and the LockBit ransomware group. The MOVEit attacks account for 19.3% of all reported 2023 attacks. LockBit claimed 1.049 victims, around 20% of all known ransomware attacks in 2023.

LockBit’s operations were disrupted on February 20, 2024 when international law enforcement seized servers and arrested some individuals (Operation Cronus). LockBit rapidly created a new Dark Web blog and claimed that operations would continue as normal. Flashpoint is not so sure. Its report (PDF) says, “Indications are suggesting that Operation Cronos has had a more significant impact on their operations than they are willing to admit.” Time will tell whether, in what form, and to what extent LockBit may or may not resurface during 2024.

Such detailed figures beg one major question: how does Flashpoint gather its intelligence? Unknown unknowns bedevil all statistics. The firm recognizes this reality and stresses that its figures come from publicly recorded figures. The reality – if different – could only be worse, not better. 

Flashpoint’s VP of intelligence operations, Ian Gray, explained the firm’s data collection methodology. Teams of analysts monitor the Dark Web’s leak sites, ransomware blogs, public disclosures, and known vulnerabilities from NVD (supplemented, added Gray, “with vulnerabilities that we’ve collected through other data sources such as social media.”) 

Advertisement. Scroll to continue reading.

The report separately notes, “One major blind spot occurs when enterprises strictly rely on the Common Vulnerabilities and Exposure (CVE) database, which is missing over 100,000 vulnerabilities—nearly a third of known vulnerability risk.” The effort and detail used in the collection of known threats leads Gray to comment, “It all gives us a bit of ground truth” in the firm’s intelligence collection and threat analysis.

Reinforcing Flashpoint’s ‘ground truth’ assertion, and shining a light on the CVE blind spot, is the report’s assertion, “As of February 2024, Flashpoint analysts have cataloged 330 vulnerabilities that were discovered being exploited in the wild, that still do not have a CVE ID.” These vulnerabilities apply to companies including Adobe, Apple, Google, Microsoft, Siemens, and SolarWinds.

The combination of incomplete CVE records and the variability of severity ratings dependent on which version of CVSS is used adds to the problem all companies face: triaging vulnerabilities for patching or other remediation. Flashpoint recommends using a Venn diagram analysis for known high severity vulnerabilities using ‘remotely exploitable’, ‘public exploit’, and ‘available solution’ as the vectors.

This process would isolate around 4600 vulnerabilities to prioritize from a total of 12285 vulnerabilities.

Notably, he sees only a limited role for AI in Flashpoint’s future. “I don’t see [AI] as something that could help identify future threats,” he told SecurityWeek.” I think that we still need to rely upon analysts to do that. It requires a lot of due diligence and just understanding the landscape – which I don’t think current AI models or tools can do. So, we’ll only be using gen-AI in limited use cases, primarily for summarization of what our human intelligence collects and analyzes.”

Flashpoint’s USP is that none of their intelligence is based on guesswork. The firm only gathers data that is publicly available – but it does it more thoroughly, and intelligently than individual companies could do for themselves. “That’s part of our value proposition. Everything we provide is out there and open source,” said Gray. “But there’s so much of it even if you have time to find it. Our methods find it and our analysts provide the curation and vetting.”

Related: Using Threat Intelligence to Get Smarter About Ransomware

Related: Mapping Threat Intelligence to the NIST Compliance Framework

Related: Threat Intelligence Firm Flashpoint Raises $34 Million

Related: Cyble Raises $24 Million for AI-Powered Threat Intelligence Platform

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Cybercrime

The top five categories of Bad Bot attacks are fake account creation, account takeovers, scraping, account management, and in-product abuse.

Cybercrime

Deepfakes, left unchecked, are set to become the cybercriminals’ next big weapon

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Threat Intelligence

A new research report discusses the five most exploited vulnerabilities of 2022, and the five key risks that security teams should consider.