ENISA Threat Landscape 2024 identifies availability, ransomware, data attacks as key cybersecurity threats


The European Union Agency for Cybersecurity (ENISA) disclosed that seven prime cybersecurity threats were identified in 2024, with threats against availability topping the chart and followed by ransomware and threats against data. Highlighting findings on the cybersecurity threat landscape during a yearlong geopolitical escalation, the report provides a relevant deep-dive on each one of them by analyzing several thousand publicly reported cybersecurity incidents and events. The release of the annual ENISA Threat Landscape 2024 report coincided with the ‘Threathunt 2030’ conference on cybersecurity threat foresight in Athens.

“Throughout the latter part of 2023 and the initial half of 2024, there was a notable escalation in cybersecurity attacks, setting new benchmarks in both the variety and number of incidents, as well as their consequences,” ENISA wrote in its 131-page report titled ‘ENISA Threat Landscape 2024’. “The ongoing regional conflicts still remain a significant factor shaping the cybersecurity landscape. The phenomenon of hacktivism has seen steady expansion, with major events taking place (e.g. European Elections) providing the motivation for increased hacktivist activity.”

Focusing on the threat landscape, the report identified seven prime cybersecurity threats, with threats against availability topping the chart, followed by ransomware and threats against data. It provides a deep-dive on each of them by analyzing several thousand publicly reported cybersecurity incidents and events across ransomware; malware; social engineering; threats against data; threats against availability, including denial of service; information manipulation and interference; and supply chain attacks.

It also noted that for another year, distributed-denial-of-service (DDoS) and ransomware attacks led the rankings as the most reported forms of attack, accounting for more than half of the observed events. It is notable that, compared to last year’s findings, there was an inversion in the rankings, with DDoS attacks moving to first place and ransomware dropping to second. ENISA Threat Landscape 2024 is based on and analyses more than 11,000 incidents in total. The sectoral analysis revealed that the most targeted sector was public administration at 19 percent, followed by transport at 11 percent.

The ENISA Threat Landscape 2024 report is complemented by a detailed analysis of the vulnerability landscape during 2023 and 2024, as well as a detailed analysis of four distinct threat actor categories: state-nexus actors; cybercrime actors and hacker-for-hire actors; private sector offensive actors (PSOA); and hacktivists.

“Especially for 2024, foresight is key for cybersecurity strategic planning,” Juhan Lepassaar, executive director at the EU Agency for Cybersecurity, highlighted in a media statement. “Technological evolution, the current geopolitical situation, along with the cybersecurity landscape call for preparedness against anticipated or not-anticipated challenges and threats.”

The ENISA Threat Landscape 2024 report said it observed 11,079 incidents, including 322 incidents specifically targeting two or more EU Member States, and it shows a timeline of when the events were first reported through open-source channels. In addition, throughout this iteration of the ENISA Threat Landscape, ransomware and DDoS remained the two prime threats for the EU.

The report disclosed that, with ‘Living Off Trusted Sites’ (LOTS), cyber attackers extended their stealth techniques into the cloud, using trusted sites and legitimate services to avoid detection and disguising command-and-control (C2) communications as ordinary traffic or innocuous messages on platforms like Slack and Telegram. Geopolitics also continued to be a strong driver for malicious cyber operations, while defense evasion techniques advanced as cybercrime groups, especially ransomware operators, evaded detection by using Living Off The Land (LOTL) techniques to blend into environments and mask their malicious activities. There has also been a sharp increase in business email compromise (BEC) incidents.

The data also pointed to extortion by weaponizing disclosure requirements, pushing companies to fulfill extortion demands ahead of the required reporting deadline. Ransomware attacks appear to have stabilized at quite high numbers compared with the previous reporting period, with ever more impactful law enforcement operations, such as Operation Chronos and Operation Endgame. When it comes to AI tools for cybercriminals, attackers use tools such as FraudGPT and large language models to co-author scam emails and generate malicious PowerShell scripts. A total of 19,754 vulnerabilities were identified, with 9.3 percent falling into the ‘critical’ category and 21.8 percent categorized as ‘high.’

The ENISA Threat Landscape 2024 report also detailed that information stealers continue to be heavily used by threat actors due to the popularity of IABs (initial access brokers) and downloaders. Information stealers are now essential components in attack chains. Hacktivists also overlap their activities with state-nexus actors, with a notable trend being the increasing similarity between state-nexus actors and alleged hacktivist activities. Data leak sites have started to be considered unreliable. Many of the data leaks posted are duplicates of previous attacks or wrongly attributed to the LockBit ransomware group. This follows the disruption of the group’s operations by Operation Chronos.

The report also pointed to a recent surge in mobile banking trojans with a concomitant increase in the complexity of their attack vectors. Malware-as-a-Service (MaaS) offerings continued to be a significant and rapidly evolving threat, particularly since mid-2023. Supply chain compromises through social engineering are emerging. For example, in March 2024, backdoor code was introduced in the open-source project XZ Utils, a set of tools and libraries used for data compression.

Data compromise increased in 2023-2024. There was a rise in data compromises leading up to 2021 and, although this trend remained relatively stable in 2022, it began to increase once more in 2023 and showed signs of maintaining this momentum in 2024. DDoS-for-Hire allows large-scale attacks to be launched by unskilled users with access to DDoS services. Information manipulation continues to be a key element of Russia’s war of aggression against Ukraine, although an effort to further localize content and, at the same time, to globalize its presence is observed. Manipulating information in response to specific news also seems to have increased, probably because 2024 has been marked by many major events, elections in particular.

The ENISA Threat Landscape 2024 report noted that the threat of AI-enabled information manipulation has been observed, but still on a limited, albeit evolving, scale. For example, some threat actors are experimenting with AI for information manipulation, seemingly to assess how AI can be exploited in this context. On the XZ Utils backdoor, the report added that the vulnerability was considered critical, as it allowed for easy remote code execution through SSH. This was possible as the malicious actor was made maintainer of the project after a long-lasting social engineering campaign.

The report disclosed that ransomware appears to target different sectors indiscriminately during this reporting period, with business services (18 percent of ransomware events), manufacturing (17 percent of ransomware events), and health (8 percent of ransomware events) being more affected. Data-related threats targeted all sectors, with the ones that hold personal information being more affected.

Data-related events affected the general public (15 percent), public administration (12 percent), digital infrastructure (10 percent), finance (9 percent), and business services (8 percent). Also, 29 percent of the events involving malware affected the general public, followed by malware infections in digital infrastructure (25 percent) and in public administration (11 percent). Nine percent of observed malware events affect all sectors.

Furthermore, out of the observed events related to social engineering, 28 percent focused on the general public, followed by digital infrastructure (15 percent), public administration (10 percent), and finance (10 percent) sectors. Likewise, information manipulation campaigns targeted the general public in most of the collected events.

In the context of the European landscape, it is notable that LockBit ransomware has again emerged as a prominent Ransomware-as-a-Service (RaaS) group, being responsible for more than half of the recorded ransomware incidents during the reporting period. Furthermore, two other ransomware groups, 8Base and Cl0p, have also played significant roles in this cybersecurity landscape, contributing to the complexity and diversity of ransomware attacks across the EU.

In April, the European Commission’s Joint Research Centre (JRC) and the European Union Agency for Cybersecurity (ENISA) released a Cyber Resilience Act Requirements Standards Mapping report. The document aims to align existing cybersecurity and vulnerability standardization outputs with the qualifications required for products with digital elements under the Cyber Resilience Act.
