2024 will be remembered as an important chapter in cybersecurity, especially with regard to the rapidly shifting vulnerability landscape. While this blog doesn’t aim to recount every detail or provide a full-fledged analysis, it does highlight some of the year’s most significant vulnerability exploitations. From large-scale campaigns and the rise of new threat actors, to remarkable law enforcement takedowns, record-setting ransomware payments, and the global CrowdStrike outage that disrupted millions, 2024 brought both progress and peril. Perhaps the most concerning takeaway is the widening gap between attackers and defenders, with adversaries outpacing defenses at an accelerating rate, in some cases with the help of AI. Read on for a closer look.
1. A year of audacious cyber attacks
The cybersecurity landscape in 2024 has been marked by increasingly audacious attacks, with threat actors demonstrating a new level of boldness and sophistication. Among other events, 2024 will be remembered for Salt Typhoon infiltrating nine major U.S. telecom companies and compromising sensitive communications data and federal wiretapping systems; Russia's APT29 breach of Microsoft's Azure, gaining access to source code repositories and internal systems; and particularly devastating attacks targeting the healthcare sector, such as the ransomware attacks against Change Healthcare (compromising 100 million individuals) and Ascension (disrupting 140 hospitals).
Notably, all three of these sectors (Healthcare, IT, and Communications) are among the 16 U.S. critical infrastructure sectors listed by CISA.
2. Attackers’ tactics are accelerating
The rapid exploitation of vulnerabilities intensified and accelerated in 2024. Several high-profile incidents highlighted the speed of vulnerability weaponization. Less than 24 hours after the disclosure of the FortiJump vulnerability (CVE-2024-47575), dozens of organizations worldwide had already been compromised. Likewise, the campaign targeting the infamous ConnectWise ScreenConnect flaw (CVE-2024-1709) began no more than 48 hours after disclosure.
Exploitation has become so rapid that, according to some statistics, 25% of CVEs were exploited on the same day they were published, and 75% were exploited within 19 days of disclosure. As reported by researchers at Mandiant / Google Cloud, the average time-to-exploit for vulnerabilities plummeted to just five days, down from 32 days the year before.
3. AI finally demonstrated its potential for exploiting vulnerabilities
Where vulnerabilities are concerned, 2024 was the year AI transformed from a curiosity into a serious cybersecurity weapon. No longer limited to creating fake content for disinformation operations, LLMs have finally proven their potential for adversaries hunting vulnerabilities. Iranian state actors used ChatGPT to explore weaknesses in water systems they targeted. An academic research paper stirred controversy by concluding that LLM agents can autonomously exploit most one-day vulnerabilities based on their description. Another report posited that LLMs can trick vulnerability scoring systems such as EPSS.
Be advised: 2025 could mark the emergence of the first real-world, fully AI-driven exploitation campaigns, enabling attackers to exploit vulnerabilities at an unprecedented, industrial scale.
4. Defenses improved... but still lag behind
In 2024, many cybersecurity companies released new solutions that leverage artificial intelligence to detect and respond to threats more efficiently. However, the slow pace of vulnerability remediation remained a significant concern, with organizations struggling to keep up with the rapid exploitation of new vulnerabilities.
According to the 2024 Verizon Data Breach Investigations Report, a majority of vulnerabilities listed in CISA's KEV Catalog remained unresolved even 60 days after being added. This alarming trend is underscored by the fact that it takes organizations an average of 55 days to patch just 50% of critical web vulnerabilities.
5. Mitigating risk with existing controls
While it is challenging to substantiate scientifically, we believe organizations could have taken stronger measures to mitigate the risk of breaches. In most mass exploitation campaigns of 2024, mitigations were made available shortly after the publication of proof-of-concept (PoC) exploits or the first signs of active exploitation. By adopting vendors' recommended workarounds, or by using the compensating controls in their existing security tools to mitigate specific vulnerabilities, companies can significantly reduce the likelihood of compromise. Doing so buys the organization the time it needs to schedule remediation of the root cause, such as patching during maintenance windows.
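As an added illustration of the points in sections 4 and 5 (not code from the original post or from Zafran), the script below triages scanner findings against a KEV-style catalog snapshot: it flags entries that are still unpatched past the 60-day mark cited above, while crediting a documented compensating control as "mitigated" until the patch lands. The catalog rows, finding list, dates and asset names are constructed sample data; only the two CVE ids come from the post, and the `triage` / `load_kev` helpers are hypothetical.

```python
import json
from datetime import date

# Constructed snapshot in the shape of the CISA KEV JSON feed (dates are sample values,
# not authoritative catalog data).
KEV_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-47575", "vendorProject": "Fortinet", "product": "FortiManager",
     "dateAdded": "2024-10-23", "dueDate": "2024-11-13"},
    {"cveID": "CVE-2024-1709", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "dateAdded": "2024-02-22", "dueDate": "2024-02-29"},
]})

# Constructed findings from a hypothetical scanner export; the last CVE id is a placeholder.
FINDINGS = [
    {"asset": "fmg-01", "cve": "CVE-2024-47575", "patched": False,
     "compensating_control": "management interface restricted to admin VLAN"},
    {"asset": "sc-web-02", "cve": "CVE-2024-1709", "patched": False, "compensating_control": None},
    {"asset": "sc-web-03", "cve": "CVE-2024-1709", "patched": True, "compensating_control": None},
    {"asset": "app-09", "cve": "CVE-0000-00000", "patched": False, "compensating_control": None},
]

def load_kev(snapshot_json):
    """Map each KEV cveID to the date it was added to the catalog."""
    data = json.loads(snapshot_json)
    return {v["cveID"]: date.fromisoformat(v["dateAdded"]) for v in data["vulnerabilities"]}

def triage(findings, kev_dates, today, max_open_days=60):
    """Classify each finding: remediated, mitigated, exposed, exposed-overdue or not-in-kev."""
    results = []
    for f in findings:
        added = kev_dates.get(f["cve"])
        age = None if added is None else (today - added).days
        if added is None:
            status = "not-in-kev"            # still worth fixing, but not known-exploited
        elif f["patched"]:
            status = "remediated"            # root cause addressed
        elif f["compensating_control"]:
            status = "mitigated"             # exposure reduced while the patch is scheduled
        else:
            status = "exposed-overdue" if age > max_open_days else "exposed"
        results.append({"asset": f["asset"], "cve": f["cve"], "status": status, "days_in_kev": age})
    return results

def overdue(results):
    """Assets that need immediate attention: in KEV, unpatched, unmitigated, past the window."""
    return [(r["asset"], r["cve"]) for r in results if r["status"] == "exposed-overdue"]

if __name__ == "__main__":
    report = triage(FINDINGS, load_kev(KEV_SNAPSHOT), date(2024, 12, 31))
    for row in report:
        print(row)
    print("overdue:", overdue(report))
```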
6. Web Applications Remain Prime Targets
Vulnerabilities in web applications continued to be the most targeted in 2024, and according to Verizon's Data Breach Investigations Report they now account for nearly 50% of breach incidents. Unfortunately, security controls are not always adapted to this threat. For instance, as detailed in Zafran’s recent research, a misconfiguration bug in the implementation of popular web application firewall (WAF) services impacts domains owned by nearly 40% of Fortune 100 companies.
7. The CrowdStrike incident showed that leading security products are not immune
The CrowdStrike outage on July 19, 2024, which caused widespread disruption worldwide across many sectors, served as a stark reminder of the dangers of over-reliance on a single security product. Although this incident was not the result of a cyberattack but rather a failure in a trusted security solution, it illustrated how the consolidation of cybersecurity services within a few major providers increases the potential impact of breaches.
Summary
As sophisticated adversaries evolve, boldly targeting critical infrastructure sectors and continuing to accelerate their tactics, so too must cybersecurity defenders. Transforming vulnerability management through applied context will help cybersecurity practitioners pinpoint the vulnerabilities most likely to be exploited. And by prioritizing mitigation of these specific exposures via the compensating controls already in their security stack, cybersecurity teams can quickly reduce risk and buy their business stakeholders the time they need to remediate the root cause.
If you would like to discuss how Zafran can help transform exposure management for your enterprise, please reach out. We look to the lessons of 2024 to shape the path forward in realizing a more secure 2025.