
2024 Verizon DBIR: Major Surge in Unpatched Vulnerability Exploitation Due to MOVEit, Most Breaches Involve Non-Malicious Human Error

The headline items from the 2024 Verizon DBIR include a 180% jump in vulnerability exploitation over 2023’s numbers, and a non-malicious human element continuing to play a role in over two-thirds of breaches as phishing remains a major threat.

The annual report draws on recorded security incidents to track trends in breaches, hacking attempts and vulnerability exploitation. The 2024 study draws on 30,458 security incidents and 10,626 confirmed breaches, numbers that have about doubled since 2023.

Verizon DBIR finds patching, phishing are still major issues for organizations

One of the big takeaway numbers from this year’s Verizon DBIR is that 68% of breaches involved some sort of “non-malicious human element,” such as an employee being phished or losing control of credentials in some other manner. That number has stayed roughly steady from the prior year’s report. However, a larger share of breaches this year involved what the report calls an “error” from inside the house, such as an accidental misconfiguration or unintentional exposure of sensitive data. The researchers now believe that such errors are more common than present research indicates.

32% of the year’s breaches involved ransomware. Notably, 9% of all breaches in 2023 were “pure extortion” capers, usually a ransomware gang opting not to deploy its ransomware and simply threatening the victim with a public leak or auction sale of the stolen data. This is a significant new trend, as extortion-only attacks were exceedingly rare prior to last year. Whether ransomware or extortion, threat actors are asking a median of 1.34% of company annual revenue as payment. However, there is huge variance: 80% of these demands fell within a range of 0.13% to 8.30% of revenue.

And while ransomware is still king, pretexting is on the rise as a means of attack for financially motivated threat actors. This is the approach generally used during a business email compromise (BEC) scheme, and is now seen in about 25% of attacks aimed at separating an organization from its money.

The other major takeaway number from the Verizon DBIR is the major spike in vulnerability exploitation as the critical component of a breach, at a 180% increase from the previous year’s numbers. However, there is something of an asterisk attached to this spike as it includes the rampage connected to the MOVEit breach that began unfolding nearly a year ago. The Cl0p ransomware gang made careful use of a zero-day vulnerability they appear to have discovered, choosing to quietly extort downstream victims rather than make noise locking up systems with ransomware. In total, the group hit about 2,500 victims from late May through late October 2023.

15% of the year’s breaches involved a third party, including software vulnerability exploitation. That number is up from 9% in the prior Verizon DBIR. This is another area in which the massive MOVEit breach drove a good deal of growth, as third-party data processors or custodian sites appear to have been a “fairly common” point of entry. While vulnerability exploitation was the most common action variety in supply chain breaches, backdoor/C2 approaches and extortion were both nearly as common.

Nick Rago, Vice President, Product Strategy at Salt Security, expects to see supply chain attacks continue to rise: “As architectures become increasingly complex, combined with more dependencies on third party code and services, supply chain attacks targeting software dependencies and operational third-party providers will continue to escalate, especially as threat actor techniques become stealthier and harder to detect. In the wake of successful attacks over the past year, social engineering attacks are set to continue and with more sophistication. As a result, zero-trust mindsets should be applied to every communication medium, including corporate email, text message, or phone call. The education and re-education of employees must continue. API attacks will also continue to increase at an alarming rate as organizations struggle to manage the chaos of API sprawl stemming from API-first innovation and digitalization. On the flip side, it is likely organizations will allocate more budget towards API security in the new year given its increased importance.”

Major growth in internal sources of breaches, but most attributable to non-malicious mistakes; vulnerability exploitation common for months

One number that initially appears to be eye-popping is that the share of breaches caused by internal actors soared from 20% in the prior Verizon DBIR to 35% this time out, making up nearly all of the breaches not involving an external hacker. However, 73% of those breaches were attributed to “miscellaneous errors” not considered malicious.

In terms of overall breach perpetrators, known organized cyber crime groups were responsible for a little over 60% of all attacks. “End users” represent 26%, mostly overlapping with the “miscellaneous error” category caused by non-malicious insiders who made some sort of mistake. While state-sponsored hackers tend to grab the biggest headlines, they only represent about 5% of all attacks.

Tom Kellermann, SVP of Cyber Strategy at Contrast Security, sees the Russia issue as the central point to address: “Ransomware groups enjoy a pax mafioso with Russian intelligence services. The cybercriminals not only enjoy protection from prosecution, but they are armed with zero days by Russian intel to sow havoc in western cyberspace thus creating a free fire zone.”

One interesting side note from the Verizon DBIR is that the researchers still feel that generative AI is not yet enough of a threat to warrant a special category or tracking segment. Deep reading of cyber criminal forums apparently indicates that the interest is definitely there, but the application has not been figured out yet beyond writing in foreign languages and polishing up phishing messages. The one area that has shown some growth is deepfake attacks, often as part of a BEC scheme, that deploy faked audio to convince an employee to issue a payment. In terms of vulnerability exploitation, the researchers do not feel that a breakthrough is imminent.

Patrick Harr, CEO at SlashNext, notes that while AI is not yet a serious hacking issue it is an inevitability that must be prepared for sooner rather than later: “With the rapid growth of AI technology, combined with limited regulation, it’s important for the tech industry to develop tools and processes that can assist in protecting AI technology systems. Everything in security needs to become more human ID-centric rather than network-centric. At the end of the day, we are far better off by providing access through human identity-centric methods and using AI to make that human a super-human. So rather than relying on a training simulation approach for users, we can rely on AI augmentation for that, so users don’t have to be tricked into clicking on bad phishing links, for example. We have to shift our posture from a network-centric to a human-centric security posture.”

“This problem will not go away and will only get worse. Anywhere there is money and opportunity and data, which is across every industry, there will be attacks. This is a horizontal problem for all industries, not a vertical problem. The bad guys will always look for wherever the most sensitive data is based to target their attacks,” added Harr.

Though AI is not yet a key part of it, the researchers consider this to be a sort of “vulnerability exploitation era.” Organized ransomware gangs are more aggressively seeking and deploying zero-day vulnerabilities, and are finding plenty of footing as vulnerability identification and patching continue to lag. 85% of critical vulnerabilities are still unremediated 30 days after discovery, 47% are still out there at 60 days, and 20% continue to linger after a full six months. After an entire year, cyber criminals can still find 8% to exploit. As the report notes, enterprises are shooting for standard patching within 30 to 60 days and expedited response to critical vulnerabilities within 15 days. The data indicates many organizations are still struggling to keep up with the load.

Ted Miracco, CEO of Approov, notes that vulnerability exploitation is likely the first order of business for most organizations: “The fact that it takes 55 days for organizations to remediate 50% of critical vulnerabilities listed in the CISA’s KEV catalog after patches are available points to a significant gap that presents a critical window of opportunity for attackers to exploit known vulnerabilities. It is crucial for organizations to streamline their vulnerability scanning and patching procedures to outpace malicious activities. Without timely and comprehensive vulnerability information, organizations are at an extreme disadvantage in securing their systems against known exploits.”
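The remediation figures above (the share of critical vulnerabilities still open at 30, 60, 180 and 365 days, and the days needed to remediate half of the KEV-listed criticals after a patch ships) are survey statistics, but a vulnerability management team can compute the same metrics for its own findings and compare them against the 15-day and 30-to-60-day targets the report cites. The following is an added Python example, not code from the DBIR or from this article; the findings, IDs and dates are constructed, and the mapping of the article's targets onto severity levels in `SLA_DAYS` is an assumption. It handles the one edge case that skews such numbers: findings discovered too recently to have reached a checkpoint are excluded from that checkpoint rather than counted as remediated.

```python
"""Remediation-age metrics computed from a constructed set of vulnerability
findings (hypothetical data, not DBIR data)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Patching targets quoted in the article: critical vulnerabilities within 15
# days, standard patching within 30 to 60 days. The mapping onto severity
# levels is an assumption for this example.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 60, "low": 60}


@dataclass
class Finding:
    finding_id: str
    severity: str
    discovered: date
    patch_available: date
    remediated: Optional[date]  # None means the finding is still open
    in_kev: bool = False        # listed in CISA's KEV catalog


def age_days(f: Finding, as_of: date) -> int:
    """Days the finding has been (or was) open, measured from discovery."""
    return ((f.remediated or as_of) - f.discovered).days


def still_open_after(findings: List[Finding], days: int, as_of: date) -> Optional[float]:
    """Fraction of findings not remediated within `days` of discovery.

    Findings discovered less than `days` before `as_of` cannot have reached the
    checkpoint yet, so they are excluded rather than counted as remediated.
    """
    eligible = [f for f in findings if (as_of - f.discovered).days >= days]
    if not eligible:
        return None
    unremediated = [f for f in eligible if age_days(f, as_of) > days]
    return len(unremediated) / len(eligible)


def sla_breaches(findings: List[Finding], as_of: date) -> List[str]:
    """IDs of findings open longer than their severity's SLA (closed late or still open)."""
    return [f.finding_id for f in findings
            if age_days(f, as_of) > SLA_DAYS[f.severity]]


def days_to_remediate_half(findings: List[Finding]) -> Optional[int]:
    """Days after patch availability by which at least half the cohort was fixed.

    Open findings count as not yet remediated; if fewer than half are closed
    the milestone has not been reached and None is returned.
    """
    n = len(findings)
    if n == 0:
        return None
    durations = sorted((f.remediated - f.patch_available).days
                       for f in findings if f.remediated)
    needed = (n + 1) // 2  # smallest k with k / n >= 0.5
    if len(durations) < needed:
        return None
    return durations[needed - 1]


# Constructed sample findings (hypothetical IDs and dates).
AS_OF = date(2024, 5, 1)
FINDINGS = [
    Finding("C1", "critical", date(2024, 1, 1), date(2024, 1, 1), date(2024, 1, 10), in_kev=True),
    Finding("C2", "critical", date(2024, 1, 1), date(2024, 1, 5), date(2024, 2, 20), in_kev=True),
    Finding("C3", "critical", date(2024, 1, 15), date(2024, 1, 15), None, in_kev=True),
    Finding("C4", "critical", date(2024, 2, 1), date(2024, 2, 1), date(2024, 2, 10)),
    Finding("C5", "critical", date(2024, 4, 20), date(2024, 4, 20), None),  # too new for 30-day checkpoint
    Finding("H1", "high", date(2024, 3, 1), date(2024, 3, 1), date(2024, 4, 15)),
    Finding("M1", "medium", date(2024, 3, 1), date(2024, 3, 5), date(2024, 3, 30)),
]


def remediation_report(findings: List[Finding] = FINDINGS, as_of: date = AS_OF) -> dict:
    """Summarise the cohort the way the DBIR figures are presented."""
    criticals = [f for f in findings if f.severity == "critical"]
    kev = [f for f in findings if f.in_kev]
    return {
        "critical_open_at_30d": still_open_after(criticals, 30, as_of),
        "critical_open_at_60d": still_open_after(criticals, 60, as_of),
        "sla_breaches": sla_breaches(findings, as_of),
        "kev_days_to_half_remediated": days_to_remediate_half(kev),
    }


if __name__ == "__main__":
    for key, value in remediation_report().items():
        print(f"{key}: {value}")
```

Run against a real ticket or scanner export, the same three functions give the survival curve at each checkpoint, the current SLA backlog, and the time-to-half-remediated figure that the quote above cites for KEV entries; the exclusion of not-yet-eligible findings is what keeps a burst of recent discoveries from making the 30-day number look better than it is.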