The number of active attacks on known security vulnerabilities reached record levels last year.
Security intelligence specialist VulnCheck reported that the 2024 calendar year saw a total of 768 CVE-listed vulnerabilities come under fire from threat actors in the wild. That figure is a 20% increase from 2023, when 639 vulnerabilities were actively attacked.
“2024 marked another banner year for threat actors targeting the exploitation of vulnerabilities,” VulnCheck said in its report.
“Exploitation disclosures came from various sources, including product companies, security vendors, government agencies, non-profits, and media outlets worldwide.”
Perhaps more concerning was the finding that nearly a quarter of those vulnerabilities were being exploited on or before the day their CVE entry was publicly disclosed, which is to say as “zero-day” flaws. VulnCheck found that 23.6% of the exploited CVEs it tracked met that criterion.
Additionally, half of the exploited CVEs came under attack within 192 days of their publication. Beyond that point the tail is long: a quarter of the exploited CVEs were more than two years old when the exploitation was observed.
This would suggest that a sizable portion of attackers prefer to go after the low-hanging fruit, targeting systems and applications that are poorly maintained or have been completely forgotten by administrators and network defenders.
In fact, that share seems to be growing, as the proportion of exploited CVEs that were zero-days actually fell in 2024. (The drop is in the percentage, not the raw count: 27% of 639 is roughly 172 zero-days, while 23.6% of 768 is roughly 181.)
“In 2024, 23.6% of [known exploited vulnerabilities] were known to be exploited on or before the day their CVEs were publicly disclosed, a slight decrease from 2023's 27%,” the VulnCheck team explained.
“Despite the buzz around ‘zero-day’ exploitation, these findings indicate that exploitation can happen at any time in a vulnerability's lifecycle.”
Interestingly, the report found something of a pattern to when in-the-wild exploitation gets reported.
“By analyzing reported exploitation by month, we gain a better understanding of the volume of CVEs that are likely to require immediate attention as they are discovered to be exploited in the wild,” VulnCheck explained.
“While the baseline of exploited CVEs ranged from 30-50 per month, notable spikes were observed during certain periods.”
In the case of 2024, VulnCheck saw a spike in January when ShadowServer began sharing its research data on KEVs, introducing a number of flaws that had previously been going under the radar.
Another spike came in April and May, as presentations at the RSA security conference disclosed further exploitation activity. Other jumps in disclosures came in July, when F5 and CISA released reports on new attacks, and in September, when the Flax Typhoon botnet was reported.
In short, exploit reports tend to come in bunches, clustered around major security incidents and significant industry events. Administrators and network defenders should keep a close eye on the news wire, track a known-exploited-vulnerabilities feed such as CISA's KEV catalog rather than relying on headlines alone, and be ready to update their systems and security policies when a major event occurs, bearing in mind that the CVE being exploited may be years old rather than brand new.
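As an added example (not VulnCheck's code or data, and not part of the original article), here is how a defender might reproduce the lifecycle metrics discussed above over a known-exploited-vulnerabilities feed and then triage an asset inventory against it. The feed sample is constructed in the shape of the CISA KEV JSON (the `cveID` and `dateAdded` field names are real; the entries and dates are invented), `dateAdded` is used as a stand-in for the date exploitation was first reported, and the `PUBLISHED` dictionary is a made-up stand-in for CVE publication dates that would in practice be joined from NVD by CVE ID.

```python
"""Lifecycle metrics over a KEV-style exploitation feed, plus inventory triage.

Added illustration; the feed entries and dates below are constructed, not real.
"""
import json
from datetime import date
from statistics import median

# Constructed sample in the shape of CISA's KEV JSON feed. Real KEV records carry
# more fields; only the two used here are kept. dateAdded is treated as the date
# exploitation was first reported, which is an approximation.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2024-0001", "dateAdded": "2024-01-08"},
  {"cveID": "CVE-2024-0002", "dateAdded": "2024-03-05"},
  {"cveID": "CVE-2024-0003", "dateAdded": "2024-05-01"},
  {"cveID": "CVE-2023-0004", "dateAdded": "2024-06-01"},
  {"cveID": "CVE-2021-0005", "dateAdded": "2024-09-01"},
  {"cveID": "CVE-2019-0006", "dateAdded": "2024-07-01"}
]}
"""

# Constructed stand-in for CVE publication dates (would come from NVD in practice).
PUBLISHED = {
    "CVE-2024-0001": date(2024, 1, 10),   # exploited two days before disclosure
    "CVE-2024-0002": date(2024, 3, 5),    # exploited the day the CVE went public
    "CVE-2024-0003": date(2024, 2, 1),    # 90 days after disclosure
    "CVE-2023-0004": date(2023, 6, 1),    # about a year after disclosure
    "CVE-2021-0005": date(2021, 4, 1),    # more than two years old
    "CVE-2019-0006": date(2019, 8, 1),    # more than two years old
}

TWO_YEARS_DAYS = 730


def parse_kev(text):
    """Return {cveID: first-reported exploitation date} from KEV-style JSON."""
    feed = json.loads(text)
    return {v["cveID"]: date.fromisoformat(v["dateAdded"]) for v in feed["vulnerabilities"]}


def lag_days(exploited, published):
    """Days from public disclosure to first reported exploitation.

    Zero or negative means the flaw was exploited on or before disclosure,
    i.e. it was a zero-day by the report's definition.
    """
    return {cve: (exploited[cve] - published[cve]).days
            for cve in exploited if cve in published}


def bucket(lag):
    """Classify one lag value the way the report slices its population."""
    if lag <= 0:
        return "zero-day"
    if lag > TWO_YEARS_DAYS:
        return "legacy"   # exploited more than two years after the CVE was published
    return "window"       # exploited somewhere in between


def lifecycle_metrics(exploited, published):
    """Counts and shares matching the statistics the report quotes."""
    lags = list(lag_days(exploited, published).values())
    n = len(lags)
    zero_day = sum(1 for d in lags if d <= 0)
    legacy = sum(1 for d in lags if d > TWO_YEARS_DAYS)
    return {
        "total": n,
        "zero_day": zero_day,
        "zero_day_share": zero_day / n,
        "median_days": median(lags),
        "older_than_two_years": legacy,
        "older_than_two_years_share": legacy / n,
    }


def exposed(exploited, published, inventory):
    """CVEs from the feed that are present in the inventory, oldest disclosure first.

    Age is deliberately not a filter: the feed says the flaw is under attack,
    so a five-year-old CVE is as due for patching as a fresh zero-day.
    """
    lags = lag_days(exploited, published)
    hits = [cve for cve in lags if cve in inventory]
    hits.sort(key=lambda cve: published[cve])
    return [(cve, bucket(lags[cve])) for cve in hits]


if __name__ == "__main__":
    feed = parse_kev(KEV_JSON)
    print(lifecycle_metrics(feed, PUBLISHED))
    # Hypothetical inventory: CVEs a scanner reported as present in the estate.
    print(exposed(feed, PUBLISHED, {"CVE-2019-0006", "CVE-2024-0002", "CVE-2030-9999"}))
```

On the constructed sample, two of six entries are zero-days and two are more than two years old, and the inventory check surfaces the 2019 CVE ahead of the 2024 one. That ordering is the point: prioritisation should be driven by whether a flaw is being exploited, not by how recently it was disclosed.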