In 2023, a quarter (25.6%) of incidents originated with a known vulnerability, according to the Arctic Wolf Labs 2024 Threat Report. And while zero-day vulnerabilities only accounted for a tiny percentage of incidents in 2023, two of them — the MOVEit Transfer Vulnerability and the GoAnywhereMFT Vulnerability — wreaked havoc around the globe.

On April 24, 2024, Cisco Talos and several government security agencies published details on a sophisticated threat campaign focused on espionage and gaining unauthorized access to sensitive information from targeted government entities and organizations in critical infrastructure. As part of that publication, Cisco disclosed CVE-2024-20353 and CVE-2024-20359, affecting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, which were actively exploited in the documented campaign.

On April 16, 2024, Cisco Duo informed affected customers of a breach involving their SMS and VOIP multi-factor authentication (MFA) service provider. The breach occurred on April 1st due to a phishing attack, allowing unauthorized access to the provider’s systems, including SMS and VoIP MFA message logs for specific Duo accounts between March 1st and March 31st, 2024. Though the threat actor accessed message logs, they did not obtain message content.

On April 12, 2024, Delinea issued an advisory to address a critical authentication bypass vulnerability identified in the SOAP API component of its Secret Server product, available in both Cloud and On-Premises solutions. A threat actor could exploit this vulnerability to bypass authentication, gain administrative access, and extract sensitive information.

On April 16, 2024, Ivanti disclosed two critical vulnerabilities within its Avalanche Mobile Device Management (MDM) solution. These vulnerabilities, identified as CVE-2024-29204 and CVE-2024-24996, are heap overflow issues in the WLInfoRailService and WLAvalancheService components, respectively. Both vulnerabilities have been assigned a CVSS score of 9.8, indicating their critical nature due to the potential for unauthenticated Remote Code Execution (RCE) in low-complexity attacks.

In April of 2024, the FBI released a warning that threat actors are sending SMS phishing, also known as smishing, messages to individuals pretending to be toll road operators messaging about unpaid toll fees. This kind of attack is a common one, and targets more than just individuals –— think the MGM resorts breach of 2023 that started with a phishing call to an IT professional and ended up costing the casino millions.

Over the past decade, cybercrime has become a big business — a $1.5T industry with an entire ecosystem of criminal organizations run like legitimate organizations. Some even offer technical leadership, step-by-step instructions, and robust customer service via ransomware-as-a-service (RaaS), and the most brazen threat actors have even taken out pop-up ads selling their products.

The world is going cashless. The Federal Reserve Bank of San Francisco reported that cash was used in just 18% of all U.S. transactions in 2022. And that number will continue to decline. The widespread use of credit and debit cards, plus the rise of digital wallets and contactless payments, have reshaped the financial landscape in many wonderful ways — increasing flexibility as well as financial protection. However, it’s also increased the levels of fraud.

On April 12, 2024, Palo Alto Networks published a security advisory detailing an actively exploited maximum severity vulnerability (CVE-2024-3400, CVSS: 10.0) affecting the GlobalProtect feature of PAN-OS. This vulnerability affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls when configurations for both GlobalProtect gateway and device telemetry are enabled. An unauthenticated remote threat actor can exploit this vulnerability to execute arbitrary code with root privileges on the firewall.

On April 14, 2024, Palo Alto Networks (PAN) released hotfixes to address the maximum severity (CVSS: 10) vulnerability, CVE-2024-3400, affecting the GlobalProtect Feature of PAN-OS. An unauthenticated remote threat actor can exploit this vulnerability to execute arbitrary code with root privileges on the firewall. Volexity identified CVE-2024-3400 as a zero-day vulnerability and found that the threat actor UTA0218 was implanting a custom Python backdoor on firewall devices.

Threat actors looking to maximize the amount of money they can make and chaos they can cause have once again chosen the supply chain as their target of attack. On Thursday, April 11, the Cybersecurity & Infrastructure Agency (CISA) warned customers of Sisense, a company that provides data analytics services to thousands of international companies, that they should reset their credentials for Sisense services and look out for suspicious activity involving their services.

On April 11, 2024, CISA issued an cybersecurity advisory disclosing a compromise of customer data from Sisense. The previous day, cybersecurity journalist Brian Krebs had published an email sent to Sisense customers by the company’s CISO. The specific details of the compromise have not been made public at this time. Furthermore, Arctic Wolf has not observed any malicious activities conducted by threat actors using compromised credentials from Sisense.

10.93 million dollars USD. That’s the average cost of a healthcare breach in the U.S. It’s an alarming number that’s only continued to climb, increasing by over 53% in the past three years, according to IBM’s 2023 Cost of a Data Breach Report. In fact, the healthcare industry has had the highest average cost of a breach for 13 years running. It’s not just the costs that are climbing, either.

On March 29, 2024, a security researcher disclosed the discovery of malicious code in the most recent versions of XZ Utils data compression tools and libraries. The code contained a backdoor, which a remote threat actor can leverage to break sshd authentication (the service for SSH access) and gain unauthorized access to the system, potentially leading to Remote Code Execution (RCE).

There were nearly 29,000 vulnerabilities published in 2023, amounting to over 3,800 more common vulnerabilities and exposures (CVEs) being issued last year than in 2022. More troubling than the sheer volume of vulnerabilities in 2023 is that over half of them were given a CVSS score indicating high or critical severity — an increase of 57% YoY.

When 23andMe, the popular genetic data gathering and sharing organization, was breached in November of 2023, the threat actors responsible gained initial access by launching a credential stuffing attack. The attack, which involved hackers using credential stuffing, or entering known passwords and emails to see if a combination would work, only succeeded due to a lack of multi-factor authentication (MFA) in place in the compromised account.

In the face of increasingly frequent and severe cyber attacks, organizations with strong cybersecurity maturity are working hard to manage and mitigate their risk, while recognizing that these may no longer be enough.