SonicWall 2024 Mid-Year Cyber Threat Report: IoT Madness, PowerShell Problems and More

The first half of 2024 is in the rearview mirror, and SonicWall's 2024 Mid-Year Cyber Threat Report uses the data we gathered in that time to paint a clearer picture of the current threat landscape and industry trends. Business email compromise (BEC) attacks are on the rise, supply chain attacks and the risks associated with them are increasing and IoT malware is becoming more and more of an issue. Plus, we provide a SOC perspective on the year's threats and trends so far. And to measure it all, we have a more accurate system in place.

Goodbye HITS, Hello TICKS

As threats evolve to be more dangerous and our protection evolves alongside them, the importance of the way we're measuring threats is often overlooked. For the 2024 Mid-Year Cyber Threat Report, we decided it was time for a change.

Previously, we were counting every hit (HITS) against a firewall, which is akin to counting every single raindrop in a rainstorm and can lead to an inflated view of what's actually going on. The TICKS metric works by counting the number of hours a firewall is under attack rather than every single hit. To take the rain analogy further, saying "We had three million raindrops this afternoon," vs "It rained hard for an hour this afternoon," is a pretty stark difference. TICKS is more consistent, simplifies comparisons and data interpretations, and overall significantly improves the way we're analyzing and reporting telemetry data. It also allows us to better break down exactly how much of your revenue was at risk and protected by SonicWall, but for more information on that you'll need to check out the full report.

Threat Roundup

Business Email Compromise (BEC): Business Email Compromise (BEC) attacks have been on the rise. In fact, there are ten BEC events reported for every one ransomware event, with 70% of BEC events involving a variety of different social engineering methods.

IoT Malware: Internet of Things (IoT) malware spiked 107% in the first half of 2024, and among devices that were under fire, those devices spent an average of 52.8 hours under attack.

Cloud Attacks: 83% of customer-received alerts from our managed services team are related to cloud apps and compromised credentials, which means the growth of cloud as an attack surface is continuing into 2024 and beyond.

Supply Chain Attacks Continue to Rise

If we've learned anything about supply chain attacks in 2024 so far, it's that they're becoming more common, more impactful and more difficult to deal with. This year, we've already seen several high-profile supply chain vulnerabilities, such as the JetBrains TeamCity authentication bypass vulnerability, which attackers were able to exploit to gain control of affected systems - sometimes complete control. In fact, 16% of SonicWall customers were targeted with attacks attempting to exploit this vulnerability. A majority of these attacks (83%) occurred in March, with a steep decline in the months that followed.

It wasn't just new vulnerabilities that led to supply chain attacks - the first half of this year has shown that old dogs can learn new tricks. We found that Log4j and Heartbleed are still significant threats, especially to small- to medium-sized businesses (SMBs) with more limited resources.

PowerShell: Useful for Good and Evil?

PowerShell is awesome. It has incredibly powerful scripting capabilities and deep integration with Windows operating systems. As an automation tool, it may be the absolute best there is. Unfortunately, the same features that make it an incredible tool for any developer also make it an incredible tool for cybercriminals. In fact, more than 90% of major malware families are utilizing PowerShell for nefarious purposes - AgentTesla, GuLoader, AsyncRat, DBatLoader and LokiBot all abuse it.

While it's becoming more common now, this has also been happening for a while, with some reports indicating a huge spike in PowerShell-based attacks going back to 2020. While PowerShell has made efforts to thwart these bad actors, they've simply found workarounds and continued plugging away.

The Dramatic Rise In Internet of Things (IoT) Attacks

Attacks on IoT devices have risen an absurd 107% year-over-year in the first half of 2024. And the reason for the increase in attacks is likely simpler than you think - security on IoT devices tends to be bad. Many attackers prefer easier targets, and IoT devices are among the easiest targets. Combine this with the fact that more mainstream operating systems like Windows are getting better security, and the choice for these bad actors becomes even easier. One of the biggest factors in this dramatic increase is CVE-2023-1389, which is a TP-Link command injection vulnerability. This vulnerability has impacted 21% of SMBs by itself. Combine that with other IoT attacks and the meteoric rise begins to make sense. And with these devices often being directly tied to critical infrastructure, one wonders when manufacturers may start to take security more seriously.