In this episode of Big Reports in Five Minutes, Earl Duby shares Forescout’s 2024 Threat Review. You’ll want to learn about the alarming increase in VPN vulnerabilities targeted primarily by state actors, reflecting a resurgence in ransomware activities.
Earl covers key statistics and provides a thorough analysis of the current state of cyber threats and offers advice on how to fortify your organization against these evolving risks. Tune in to get equipped with the knowledge you need to enhance your cybersecurity posture.
Link for full report!
https://www.forescout.com/press-releases/2024h1-threat-report/
Transcript:
(0:00) All right, welcome back to our next episode of Big Reports in Five Minutes, give or take.(0:08) So in today’s episode, I want to talk about this report from (0:11) Forescout. It’s called the 2024 First Half Threat Review.
(0:17) Now, unlike a lot of the other big reports that we do here in five minutes, (0:21) this is kind of a small report, but there was a couple, there were a couple interesting (0:27) nuggets in here that I wanted to bring up. So I thought I would pull that into this episode. (0:33) So this is from Forescout, which is big in the operational technology field.
They do a lot of (0:40) vulnerability management for shop floor equipment, but they also do a lot of other (0:44) things in the enterprise space. So they get a lot of telemetry, a lot of data that they’re (0:50) processing. And so there’s some pretty cool statistics in here that they’ve collected over (0:55) the first half of the year from their clients and from their technology.
One of the things they (1:02) point out right off the shoot here is massive targeting of VPN vulnerabilities. So, you know, (1:11) if you’ve been paying any attention at all to the security space, you know that VPN technology is (1:15) under heavy assault from mostly state actors that are trying to get in and either do espionage, (1:22) stealing trade secrets, or generally monitoring government activities as they’re, you know, (1:30) trying to either disrupt things or get a foot ahead on their competition. So this report talks (1:39) a bit about the VPN technologies, especially focusing on Ivanti, Cisco, ASA, and the Fortinet (1:48) VPN, which has just been attacked recently if you’ve been paying attention to the news.
(1:55) You know, one thing that they point out here is that the motivations behind these attacks(2:00) typically include espionage, data theft, and sometimes the disruption of critical services.(2:05) So with this war going on in the Ukraine, with China stepping up its efforts to steal (2:12) intellectual property, you’re seeing this big influx of attacks against VPN technologies. (2:20) So there’s a few examples in the report which I thought were noteworthy.
Then they move on to just (2:26) generally the state of vulnerabilities, and this is what really caught my attention (2:32) and why I wanted to bring this to you guys. So looking at the Forescout technology, (2:40) and then Forescout was looking at a few of the third-party data repositories out there, (2:47) they noted that in the first half of 2024, there have been 23,668 vulnerabilities published. (2:57) So just think about that number.
In a six-month period of time, there have been 23,668 vulnerabilities (3:05) published, which is an average of 11 new vulnerabilities per day. These are the ones (3:11) that are discovered and published, not to mention all the other things that are out there like zero (3:18) days and some things that don’t get published because the technology companies themselves (3:24) aren’t ready to let people know that they’re there. So these are publicly disclosed 111 (3:31) vulnerabilities per day.
And then if you look at the total vulnerabilities (3:38) overall, that’s an increase of 7,112 vulnerabilities compared to the first half of last year, (3:46) which amounts to about a 43 percent increase. So just let that soak in for a second. (3:54) From the first half of last year to the first half of this year, (3:59) published vulnerabilities have increased by 43 percent.
This is incredible statistics. (4:08) And you can look at this chart here and see that if you look out over the last three years, (4:14) so 2022, 23, and 24, by month, you can see that the trend is definitely on the upshoot. (4:23) So this is just another reminder that vulnerability management is a critical (4:31) function of any security program.
And if you don’t have a security program, vulnerability (4:37) management is a critical function of risk management. And whatever company you’re running, (4:42) you need to have good risk management practices, which should include vulnerability management (4:48) so that you’re not, you know, falling prey to exploits of these vulnerabilities. (4:56) So speaking of exploits, you know, a key term to keep in mind is known exploitable vulnerabilities, (5:03) or KEVs.
This is kept track of, for the most part, by CISA, which is our cybersecurity and (5:14) infrastructure security agency of the federal government. They keep track of all these known(5:18) exploitable vulnerabilities, and it’s a good source of reference material as you’re trying (5:25) to figure out how to protect your company, because anything that’s in the known vulnerability or(5:30) known exploitable vulnerability database are things that you should be actively trying to(5:35) resolve within your organization. So what this report here says that 87 new KEVs were added to (5:46) the catalog over the first half of the year, which brings the total to 1140 known exploitable (5:54) vulnerabilities that are in this database.
So again, check that database out, cross-reference that to (6:02) any vulnerabilities that you’re finding in your environment, and those should be the first ones (6:07) that you’re trying to resolve or remediate. Then there’s another good chart in here that (6:17) just talks about how many of these KEVs are released each month. And then another thing that (6:25) is important is, you know, everyone seems to be on this mindset that, you know, well, we’ll just deal (6:33) with the new vulnerabilities that are released, and, you know, because those are probably the (6:37) most likely to be exploited.
What CISA points out, and then what Forescout puts into their report, (6:45) is that 46% of the new additions into that known exploitable vulnerability database (6:52) are from before 2024. So nearly half of the new known exploitable vulnerabilities are from (7:00) past years. So these are vulnerabilities that have existed for years and maybe didn’t have an exploit, (7:07) but now they have an exploit because attackers realize that generally people are keeping up (7:14) to date with current patches, but anything that they haven’t done in the past, they’re not going (7:18) back and fixing.
So if you can find an exploit for an old vulnerability, those are generally (7:25) going to be unchecked. Then the next thing that this report talks about is just threat actor by (7:36) origin. So this is probably not news to anybody who’s been paying attention, but just to reiterate (7:43) it, the number one country for having threat actors is China.
So they’re using a population (7:54) of, I think, around 287 threat actors that Forescout is monitoring. Well, they say they (8:02) monitor 740 threat actors, but 387 have done something in the last six months that, you know, (8:11) pulled them into this report, and of this report, China is leading the way with the number of threat (8:17) actors, followed by Russia and Iran. So obviously no big news there, but just reiterating it again, (8:27) but when you couple that with the next chart, which is the number of targeted countries by (8:33) threat actor, the United States is leading the way.
So the United States isn’t even on the list of (8:41) threat actors by country of origin, but they’re the number one country on the countries being (8:48) targeted by threat actors. So, you know, just kind of goes to show you how this game is being played. (8:55) You know, China has the largest number of threat actors, and the United States has the most number (9:01) of threat actors attacking them.
And then we get into ransomware. So ransomware, according to (9:10) this Forescout report, they went through and they looked at a bunch of public websites that (9:18) track blockchains and track ransom payments, and so they came up with the number 3085 ransomware (9:27) attacks in the first half of 2024, which is an increase of 6% over the first six months of last (9:35) year. So again, ransomware attacks are, this is just another reinforcement of the idea that ransomware(9:41) attacks are on the rise.
This comes out to 441 attacks per month or 15 attacks per day. Now again, (9:52) this is just the ransomware that results in a ransom payment, because that’s all that would (9:58) show up in a blockchain analysis. So what we have here is 15 ransomware payments made per day, (10:08) and when you couple that with 111 vulnerabilities by, you know, showing up by day, (10:17) you know, if you’re not actively resolving your vulnerabilities, you are just really playing, (10:24) you know, a game of Russian roulette with your network, because the vulnerabilities are increasing, (10:30) the attacks are increasing, and we have very active, you know, adversarial states that are attacking us, (10:39) you know, on a daily basis.
So, and there’s another interesting chart in here which says that 50% (10:46) of all ransomware attacks are against the U.S. Last year it was 48%, we’ve increased to 50%, (10:54) so if you are, you know, in the U.S., you don’t have a good vulnerability management program, (11:03) you know, the time is definitely ticking. And then the last piece of this report that I wanted (11:12) to talk about is they have a section called mitigation recommendations, and the key point (11:17) that they pull out here is that you really need to start protecting your VPN connectivity. You know, (11:24) the number of attacks against VPNs coupled with the rise in ransomware and the number of (11:32) vulnerabilities that are being discovered in VPN technology and security appliances is really,(11:38) you know, pulling together a perfect storm of, you know, really bad things happening to VPN (11:46) tool sets.
So, start focusing more on your perimeter defenses, especially around VPN (11:54) technology, because the adversary is definitely looking for exploits in that technology. And one (12:01) way that you can protect those VPN tunnels and those different perimeter defenses is by (12:07) enabling multi-factor authentication. So, that’s something we’ve been preaching here for a long (12:13) time is the VPN is important, MFA everything.
You know, the more you can put MFA on anything (12:21) that’s internet facing, the more secure your organization is going to be, you know, at least (12:26) for now, you know, until, you know, we find a more advanced way of protecting those technologies, (12:36) but for now, MFA everything. So, with that, you know, as we always say, (12:42) you know, stay safe out there. We’ll see you next time and thanks for joining.
