Full Report
A rewind of the year across the threat landscape and at Pulsedive.
Analysis Summary
# Main Topic
A review of the significant cybersecurity incidents and trends observed throughout 2024, focusing on notable exploitation of public-facing infrastructure, major law enforcement actions, and high-impact events like the CrowdStrike service disruption.
## Key Points
- The exploitation of public-facing infrastructure, particularly network appliances, remained a critical ongoing theme throughout the year.
- Significant events included major law enforcement takedowns and the global Windows outage caused by a faulty CrowdStrike Falcon sensor content update.
- Several critical, actively exploited vulnerabilities in major security products defined the threat landscape for defenders.
## Threat Actors
- Threat actors weaponised newly disclosed vulnerabilities within days of disclosure, and in the case of CVE-2024-3400 (PAN-OS GlobalProtect) were exploiting the flaw before the vendor advisory was published.
- Ransomware groups such as **Black Basta** and **Qilin** carried out high-impact attacks; Qilin's June 2024 attack on Synnovis, a pathology services provider, severely disrupted hospital operations in London.
- Threat actors capitalized on the CrowdStrike outage by deploying phishing campaigns offering fake recovery solutions for financial gain.
## TTPs
- **Exploitation of Public-Facing Appliances:** Vulnerabilities in edge devices such as PAN-OS (GlobalProtect, CVE-2024-3400) and Ivanti CSA (CVE-2024-8190) were used for initial access.
- **Information Stealing:** Proliferation of malware families such as **Agniane Stealer** and **Mystic Stealer** aimed at credential harvesting and staging of secondary payloads.
- **Service Disruption Exploitation:** After the CrowdStrike outage, threat actors ran phishing campaigns posing as recovery service providers, registering lookalike domains to harvest credentials and collect payment for fake fixes.
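The lookalike-domain lure described above is something a SOC can triage mechanically. The following is an added example, not Pulsedive's code: it scores newly observed domains against the impersonated brand using edit distance over sliding windows of the registrable label plus a list of lure keywords. The domain list, the allowlist, the keyword list and the distance threshold are all assumptions constructed for the demo.

```python
"""Triage newly observed domains for brand-impersonation lures.

Added example (not Pulsedive's code). SAMPLE_DOMAINS is constructed for
illustration; BRAND, LEGIT_DOMAINS, LURE_TERMS and the thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

BRAND = "crowdstrike"
LEGIT_DOMAINS = {"crowdstrike.com"}          # assumed allowlist of the real brand domain
LURE_TERMS = ("fix", "hotfix", "recovery", "recover", "bsod", "update", "patch",
              "outage", "support", "helpdesk", "claim", "refund")
MAX_DISTANCE = 2                              # assumed typosquat tolerance

# Constructed sample of "newly registered" domains for the demo.
SAMPLE_DOMAINS = [
    "crowdstrike.com",
    "crowdstrike-bsod-fix.com",
    "crowdstrlke-hotfix.net",
    "fix-crowdstrike-apocalypse.com",
    "www.example.com",
    "crowdsupport.org",
    "crowdstrikeclaim.co.uk",
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, with a tiny assumed list of two-part public suffixes."""
    labels = domain.lower().rstrip(".").split(".")
    two_part = {"co.uk", "org.uk", "com.au", "co.jp"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in two_part:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def brand_distance(label: str) -> int:
    """Smallest edit distance between BRAND and any brand-sized window of the label."""
    flat = label.replace("-", "").replace("_", "")
    n = len(BRAND)
    best = levenshtein(flat, BRAND)
    for width in (n - 1, n, n + 1):
        for i in range(0, max(1, len(flat) - width + 1)):
            best = min(best, levenshtein(flat[i:i + width], BRAND))
    return best


@dataclass(frozen=True)
class Finding:
    domain: str
    verdict: str            # "allowlisted", "suspicious", "review" or "benign"
    distance: int
    lures: tuple[str, ...]


def triage(domain: str) -> Finding:
    d = domain.lower().rstrip(".")
    if any(d == legit or d.endswith("." + legit) for legit in LEGIT_DOMAINS):
        return Finding(d, "allowlisted", 0, ())
    label = registrable_label(d)
    dist = brand_distance(label)
    flat = label.replace("-", "").replace("_", "")
    lures = tuple(t for t in LURE_TERMS if t in flat)
    if dist <= MAX_DISTANCE and lures:
        verdict = "suspicious"            # brand (or near-brand) plus a lure word
    elif dist <= MAX_DISTANCE:
        verdict = "review"                # brand in an unapproved domain, no lure
    else:
        verdict = "benign"
    return Finding(d, verdict, dist, lures)


def triage_all(domains: list[str]) -> list[Finding]:
    return [triage(d) for d in domains]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_DOMAINS):
        print(f"{f.verdict:11} {f.domain:32} dist={f.distance} lures={','.join(f.lures)}")
```

Sliding windows matter because lures are often glued to the brand without a hyphen (`crowdstrikeclaim`), and the small distance tolerance catches single-character typosquats (`crowdstrlke`) without flagging unrelated words that merely share a prefix (`crowdsupport`).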
## Affected Systems
- **Firewalls and Networking Appliances:** Palo Alto Networks PAN-OS 10.2, 11.0 and 11.1 firewalls with a GlobalProtect gateway or portal configured (CVE-2024-3400), and Ivanti Cloud Services Appliance (CSA) 4.6 Patch 518 and earlier (CVE-2024-8190; CSA 4.6 is end-of-life, so the fix is Patch 519 or an upgrade to CSA 5.0).
- **Endpoints/Workstations:** Users running vulnerable versions of FortiClientWindows were impacted by authentication bypass flaws.
- **Enterprise Infrastructure:** The CrowdStrike outage of 19 July 2024: a faulty Falcon sensor content update (Channel File 291) crashed Windows hosts into Blue Screen of Death (BSOD) boot loops, affecting roughly 8.5 million machines worldwide by Microsoft's estimate.
- **Healthcare Sector:** NHS hospitals in London, whose pathology provider Synnovis was hit by ransomware, leading to cancelled procedures and appointments.
## Mitigations
- **Vulnerability Patching:** Immediately address critical vulnerabilities, such as CVE-2024-3400 (PAN-OS) and CVE-2024-8190 (Ivanti CSA).
- **Configuration Management:** Stage agent and sensor content updates in rings rather than accepting them fleet-wide at once, and keep recovery runbooks current (the CrowdStrike remediation required booting affected hosts into safe mode and deleting the bad channel file, which meant having BitLocker recovery keys to hand).
- **Defense in Depth:** Maintain strong email filtering and user awareness training to defend against phishing attempts arising from external events.
- **Specific Vulnerability Patches Mentioned:** Organizations needed to update PAN-OS to the hotfixed releases for CVE-2024-3400 and to patch affected FortiClientWindows versions for the named-pipe authentication bypass (CVE-2024-47574; note that CVE-2024-47575 is the separate FortiManager "FortiJump" flaw).
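Deciding whether a given appliance is still exposed is not a plain string comparison: PAN-OS hotfixes (`10.2.9-h1`) sort after their base release, and Ivanti CSA carries a separate patch number (`4.6 Patch 518`). The following is an added example, not Pulsedive's code, that normalises both schemes and flags hosts in a constructed inventory that still need the fixes for CVE-2024-3400 and CVE-2024-8190. The fixed versions embedded here are the ones first published in the vendor advisories and are an assumption; Palo Alto later shipped hotfixes for older maintenance releases as well, so a production check should load the current advisory data instead of this hardcoded table.

```python
"""Flag appliances still running versions affected by CVE-2024-3400 / CVE-2024-8190.

Added example (not Pulsedive's code). INVENTORY is constructed; FIXES holds the
initially published fixed versions and is an assumption to be replaced by the
current vendor advisory data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed fixed versions, per release train. Only the listed trains are affected.
FIXES: dict[str, dict[str, list[str]]] = {
    "pan-os": {"10.2": ["10.2.9-h1"], "11.0": ["11.0.4-h1"], "11.1": ["11.1.2-h3"]},
    "ivanti-csa": {"4.6": ["4.6 Patch 519"]},
}


@dataclass(frozen=True)
class Host:
    name: str
    product: str     # key into FIXES
    version: str


def parse_version(product: str, v: str) -> tuple[int, int, int, int]:
    """Normalise to (major, minor, maintenance, hotfix_or_patch) so tuples compare correctly."""
    v = v.strip()
    if product == "pan-os":
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", v)
    elif product == "ivanti-csa":
        m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\s+Patch\s+(\d+))?", v, re.IGNORECASE)
    else:
        raise ValueError(f"unknown product {product!r}")
    if not m:
        raise ValueError(f"unrecognised {product} version {v!r}")
    major, minor, maint, extra = (int(x or 0) for x in m.groups())
    return (major, minor, maint, extra)


def is_vulnerable(host: Host) -> bool:
    """True if the host's train is affected and it carries neither the newest fix nor a
    hotfix/patch for its own maintenance release."""
    fixes = FIXES.get(host.product, {})
    ver = parse_version(host.product, host.version)
    train = f"{ver[0]}.{ver[1]}"
    if train not in fixes:
        return False                         # train not listed as affected
    fixed = [parse_version(host.product, f) for f in fixes[train]]
    if ver >= max(fixed):
        return False                         # at or beyond the newest fixed release
    # A hotfix applied to the same maintenance release also counts as fixed.
    return not any(ver[2] == f[2] and ver[3] >= f[3] for f in fixed)


def report(hosts: list[Host]) -> list[tuple[str, str]]:
    """(hostname, version) for every host that still needs patching."""
    return [(h.name, h.version) for h in hosts if is_vulnerable(h)]


# Constructed inventory for the demo.
INVENTORY = [
    Host("fw-edge-1", "pan-os", "10.2.9"),
    Host("fw-edge-2", "pan-os", "10.2.9-h1"),
    Host("fw-dc-1", "pan-os", "11.1.2-h2"),
    Host("fw-lab", "pan-os", "10.1.9"),
    Host("csa-1", "ivanti-csa", "4.6 Patch 518"),
    Host("csa-2", "ivanti-csa", "5.0.1"),
]

if __name__ == "__main__":
    for name, ver in report(INVENTORY):
        print(f"PATCH NEEDED: {name} ({ver})")
```

The two-step rule (newest fix on the train, or a hotfix on the same maintenance release) is what keeps `10.2.10` from being flagged while `10.2.9` without `-h1` still is; hosts on trains the advisory does not list, such as PAN-OS 10.1 or CSA 5.0, are left alone.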
## Conclusion
The year 2024 was characterized by the rapid weaponization of vulnerabilities in the security infrastructure itself, underlining the need to prioritize patching of internet-facing assets. Systemic incidents like the CrowdStrike outage also create immediate secondary opportunities for financially motivated threat actors, so security operations must be built to keep working when their own tooling fails.