Optiv’s gTIC 2024 Assessment and 2025 Forward Estimates

The Optiv Global Threat Intelligence Center (gTIC) is proud to support Optiv and its customers with cyber threat intelligence based on foundational intelligence and security practices to support resilience, proactive risk management and situational awareness.


2024 Threat Recap

Over the last 12 months, the most relevant threats observed against organizations across all business verticals were ransomware, email thread hijacking and business email compromise (BEC), denial of service (DoS) and the exploitation of vulnerabilities in exposed services and software. While these types of attacks impact multiple business verticals, the adversary tactics, motivations and objectives differ.


The ransomware ecosystem saw dramatic changes throughout 2023 and 2024, with large groups disbanding, exit scamming or being disrupted by law enforcement. Developers and affiliates of once-prominent groups like ALPHV (aka BlackCat), LockBit 3.0 and Cl0p (aka Clop) regrouped or splintered into new groups, or reused source code from older, established operations to build new strains, contributing to the rise of groups like RansomHub, Play, Inc/Lynx and BianLian. While the names changed, much of the tooling and many of the techniques overlapped across groups, consistent with one of the gTIC’s long-standing assessments: proven techniques and tools are reused across both cybercriminal and state-sponsored groups.


Adversary techniques and tooling remained largely consistent with what has been observed in past years. Optiv’s gTIC has previously assessed with High Confidence that techniques and tooling will not only remain largely unchanged (the “weakest link” approach), but will also overlap across multiple cybercriminal and state-sponsored threat groups. Exploitation of vulnerabilities in perimeter devices like VPN gateways and firewall appliances was observed as the Initial Access vector in multiple attacks, as multiple critical vulnerabilities were disclosed in products like Ivanti Connect Secure. The focus on VPN exploitation in 2024 was reminiscent of campaigns observed in 2019 and 2020 following the disclosure of 0-day and N-day vulnerabilities in multiple VPN and perimeter products, including Citrix ADC/Gateway, Palo Alto Networks GlobalProtect, Pulse Connect Secure (now Ivanti Connect Secure) and Fortinet FortiGate.


Obtaining administrator-level privileges in, or access to, highly sensitive systems where user credentials can be created or manipulated, such as domain controllers, Active Directory and VMware ESXi hosts, was also observed as a key objective in most cyberattacks and intrusion attempts in 2024. The use and exploitation of both enterprise and freely available remote administration and penetration testing tools also remained consistent, with significant overlap across multiple groups. Freely available remote access and RMM tools like Atera, AnyDesk and TeamViewer, as well as Splashtop and Bomgar, are frequently downloaded and leveraged by adversaries during post-exploitation activity for Lateral Movement, Discovery and Privilege Escalation. Additionally, enterprise remote administration and network management software and dashboards like Zoho ManageEngine, SolarWinds and ConnectWise are also exploited for Lateral Movement, Discovery and Privilege Escalation. Critical vulnerabilities in, and abuse of, data management and protection services like Veeam and Snowflake also continued to highlight the need for third-party risk management and protection of user credentials.


2025 Forward Estimates

Optiv's gTIC assesses with High Confidence that over the next 12 months, threat actors will continue to leverage popular tools and known vulnerabilities in ubiquitous software and services that allow for Reconnaissance, Initial Access, Lateral Movement, Discovery and Privilege Escalation to reach sensitive and critical systems. Many of these tools and exploits have been in use for years and are readily available in open-source repositories and forums. It is Almost Certain that fake or malicious social media posts and spear phishing with malicious links and attachments will be the most common Initial Access technique for all adversary types. Other techniques will Likely continue to rely on internal risks that are unknown to, or not yet remediated by, the victim organization, such as lack of multifactor authentication (MFA), weak or default passwords and authentication, lack of least-privilege or acceptable use policies, and high-risk ports, services and perimeter devices left exposed or insecure (e.g., VPN gateways, firewall appliances and NAS devices). Legitimate and popular remote access, IT management and file transfer software will also continue to be abused and exploited by cybercriminals and state-sponsored groups, as these services enable multiple techniques for Discovery, Execution and Lateral Movement.
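The remote access and RMM tooling named in the 2024 recap above and in this estimate is the same software many organizations legitimately run, so the useful hunt is not "is this tool present" but "is this tool present where policy does not expect it, from a path a managed deployment would not use, or spawned by a script". The following Python is an added example, not gTIC tooling and not part of the original page, that applies those checks to constructed process-creation events. The event field names (`Image`, `ParentImage`, `Computer`, `HostGroup`), the per-host-group policy and the executable-name list are assumptions to adapt to your own telemetry.

```python
"""Hunt for unsanctioned or suspiciously placed remote-access/RMM tools.

Added example for this page, not gTIC tooling. Events are constructed,
simplified stand-ins for process-creation telemetry (Sysmon Event ID 1 or an
EDR equivalent); field names and the host-group policy are assumptions.
"""
import ntpath
from dataclasses import dataclass, field

# Executable names commonly associated with the tools named on this page,
# plus rclone, which is often dropped alongside them for exfiltration.
# Assumed list: verify against the products actually deployed in your estate.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "tv_w32.exe": "TeamViewer",
    "tv_x64.exe": "TeamViewer",
    "srmanager.exe": "Splashtop",
    "srserver.exe": "Splashtop",
    "strwinclt.exe": "Splashtop",
    "ateraagent.exe": "Atera",
    "bomgar-scc.exe": "Bomgar",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "screenconnect.windowsclient.exe": "ConnectWise ScreenConnect",
    "rclone.exe": "rclone",
}

# Constructed policy: which product each host group is allowed to run.
# An empty set means no remote-access tooling is expected at all.
SANCTIONED = {
    "helpdesk": {"TeamViewer"},
    "servers": {"Atera"},
    "workstation": set(),
}

# Where a centrally deployed agent is expected to live ...
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
# ... and where hand-carried copies are usually dropped.
DROP_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Parents indicating the tool was launched by a script, not a service manager.
SCRIPT_PARENTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe"}


@dataclass
class Finding:
    host: str
    tool: str
    image: str
    parent: str
    reasons: list = field(default_factory=list)


def classify_event(event, sanctioned=SANCTIONED):
    """Return a Finding if the process is a tracked remote-access tool that
    violates policy or looks adversary-placed; otherwise None."""
    image = event["Image"].lower()
    tool = RMM_BINARIES.get(ntpath.basename(image))
    if tool is None:
        return None  # not a tool we track

    reasons = []
    group = event.get("HostGroup", "unknown")
    if tool not in sanctioned.get(group, set()):
        reasons.append(f"{tool} is not sanctioned for host group '{group}'")
    if not image.startswith(TRUSTED_PREFIXES):
        reasons.append("running outside a standard install directory")
    if any(marker in image for marker in DROP_MARKERS):
        reasons.append("binary in a common drop location (user profile, ProgramData, Temp)")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in SCRIPT_PARENTS:
        reasons.append(f"launched by scripting host {parent}")

    if not reasons:
        return None  # sanctioned tool, expected path, expected parent
    return Finding(event["Computer"], tool, event["Image"],
                   event.get("ParentImage", ""), reasons)


def hunt(events, sanctioned=SANCTIONED):
    """Run classify_event over a batch of events and keep only the hits."""
    return [f for f in (classify_event(e, sanctioned) for e in events) if f is not None]


# Constructed sample telemetry: one legitimate agent, three suspicious
# executions, and one unrelated process.
SAMPLE_EVENTS = [
    {"Computer": "HD-01", "HostGroup": "helpdesk",
     "Image": r"C:\Program Files\TeamViewer\TeamViewer_Service.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Computer": "FIN-WS-17", "HostGroup": "workstation",
     "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "HD-02", "HostGroup": "helpdesk",
     "Image": r"C:\Users\Public\TeamViewer.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "FILE-SRV-03", "HostGroup": "servers",
     "Image": r"C:\ProgramData\rclone.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "FIN-WS-17", "HostGroup": "workstation",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.tool}: {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

The point of the three independent checks is that a sanctioned product can still be the adversary's copy: the TeamViewer binary in `C:\Users\Public` on a helpdesk host passes the policy check but fails the path check, which is exactly the case a simple "known RMM tool present" rule would miss. Feed real Sysmon or EDR process events in the same shape and tune `SANCTIONED` and `TRUSTED_PREFIXES` to your deployment standard.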


While Initial Access techniques and procedures in 2025 will Likely mirror those seen in past years (e.g., phishing, spear phishing, VPN and firewall appliance exploitation), the gTIC assesses with Moderate Confidence that Defense Evasion will be the focus of adversary innovation. While MFA bypass techniques have emerged over the past 24 months, 2024 saw an increase in campaigns targeting and manipulating endpoint detection and response (EDR) services. The use of tools available on the dark web and in public repositories, as well as living-off-the-land (LOTL) techniques, to manipulate or disrupt EDR processes, communications and logging will Likely increase over the next 12 months.


Optiv's gTIC has published a comprehensive list of the aforementioned software and services, which we refer to as the gTIC’s Prioritized Software Services. The list describes products and services that are widely used across enterprises and known to be frequently exploited by threat actors, with the intent to support asset inventory, hardening and vulnerability prioritization efforts.


With our comprehensive intelligence services and capabilities, we sincerely look forward to continuing to serve our customers.

Aamil Karimi | Principal Consultant | Optiv
Aamil Karimi has over 16 years of experience in intelligence analysis and reporting, both in the military (HUMINT and targeting) and in cybersecurity threat intelligence and risk management. His cybersecurity experience includes supporting incident response, threat research and CISO teams in building and expanding threat intelligence capabilities for Fortune 500 companies and managed security services providers (MSSPs). Aamil’s approach to cyber threat and risk intelligence centers on the fundamentals of relevance and timeliness for customers and on a risk-based strategy to prioritize collection, analysis and reporting efforts. This is accomplished by understanding and assessing the current state of each customer’s risk profile and identifying the most likely and most dangerous threats to support business preparedness and defensive actions. Prior to joining the cybersecurity field, Aamil spent six years in Afghanistan on both active duty and civilian deployments supporting HUMINT and targeting efforts for the US Army, US Air Force Office of Special Investigations and US Special Operations Command in Principal and Subject Matter Expert (SME) capacities.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.