Rapid7's 2024 report reveals surge in zero-day exploits

Rapid7 has unveiled its 2024 Attack Intelligence Report, shedding light on the evolving landscape of cyber threats and offering critical insights for security practitioners. The report draws upon extensive research, incorporating more than 1,500 curated data points on vulnerabilities and exploits, analysis of over 180 advanced threat campaigns, and multiple ransomware incidents. The findings are bolstered by data from trillions of security events tracked through Rapid7’s managed detection and response (MDR) services and threat analytics.

One of the significant revelations from the report is the prevalence of zero-day vulnerabilities, which in 2023 accounted for 53% of mass compromise events—this marks the second time in three years that zero-days have surpassed n-day vulnerabilities in causing widespread breaches. This trend mirrors the figures from 2021, where 52% of such events were attributed to zero-day exploits. The report highlights a “pronounced shift” in attack dynamics, with 23% of widespread threat CVEs in 2023 and early 2024 resulting from highly orchestrated zero-day attacks executed by single adversaries targeting multiple organisations simultaneously, often using custom tools like proprietary exploits and backdoors.

Caitlin Condon, Rapid7’s director of vulnerability intelligence and the primary author of the report, remarks, “Our data shows 2021 to have been the dividing line between a ‘then’ and a ‘now’ in zero-day attacks.” Condon adds that the period since has seen a consistent reduction in the median time between vulnerability disclosure and exploitation. She also notes the shift in ransomware attack patterns, where entire public-facing systems have been taken offline for extended periods.

The report identifies several key trends shaping the current security landscape. Mass compromise events stemming from the exploitation of network edge devices have nearly doubled since the start of 2023, with 36% of widely exploited vulnerabilities occurring in network perimeter technologies. In 2023, 60% of analysed vulnerabilities in network and security appliances were targeted as zero-days. Memory corruption exploits remain popular among skilled adversaries, but simpler vulnerabilities, such as command injection and improper authentication, are increasingly exploited.

Multi-factor authentication (MFA) deficiencies are another critical concern, with 41% of incidents observed by Rapid7’s MDR services in 2023 resulting from missing or unenforced MFA on internet-facing systems like VPNs and virtual desktop infrastructure. Additionally, Rapid7 Labs tracked over 5,600 ransomware incidents in 2023 and early 2024. Notably, the number of unique ransomware families reported dropped significantly, from 95 in 2022 to 43 in 2023.

Condon characterises the current cyber threat environment as “a mature, well-organised cybercrime ecosystem at work, with increasingly sophisticated mechanisms to gain access, establish persistence, and evade detection.” She stresses the importance of implementing zero-day patching procedures for critical technologies in mitigating these threats.