2024 Report: Trends, analysis, and lessons for 2025 from a year of incident response
Published December 5, 2024
In 2024, the CERT-Wavestone incident response team managed 20 major incidents for which forensic investigations were carried out. These incidents affected more than 10 different business sectors, corresponding to the major targets also identified by the ANSSI.
2024 key takeaways
- Attackers’ main motivation remains financial gain, involved in 50% of the managed incidents. The most common extortion method is still ransomware.
- The main entry point for attackers is the exploitation of vulnerabilities on Internet-exposed websites.
- Opportunistic attacks dominate the sample. They are triggered more and more rapidly and aim notably at compromising sensitive business data and backups. They target not only small organizations, but also large corporations through their less mature subsidiaries and partners.
- Artificial Intelligence is a new weapon for cybercriminals, and an opportunity for new and unfamiliar attacks (e.g. poisoning, evasion and oracle attacks).
- To face these threats, we recommend investing in the security measures that have the greatest impact (identity management, monitoring and backup security), without forgetting the less controlled perimeters (e.g. subsidiaries, AI and cloud).
Motivations: the lure of profit still unchallenged
Attackers mainly motivated by money
With 50% of incidents managed by the CERT-Wavestone, financial motivation dominates the ranking, with ransomware as the predominant method.
Spying, fraud and data theft on the rise:
- Acts of espionage are increasing: these attacks are fueled by a tense geopolitical context.
- Fraud and data theft are also increasing, each accounting for 29% of financially motivated attacks in 2024.
- The proportion of attacks with no clear motivation is also on the rise: 35% of incidents handled in 2024, compared with 29% in 2023.
Vulnerabilities on Internet-exposed websites: the first entry point into the Information System (IS)
With 40% of the incidents handled in 2024, the main entry point into the IS is the exploitation of vulnerabilities on Internet-exposed websites. This is notably due to the ability of attackers to deploy automated vulnerability exploitation tools more and more rapidly, just a few days after a vulnerability is published.
Phishing and intrusion on remote access systems, both associated with 20% of incidents, complete the podium and remain widely used intrusion vectors.
Subsidiaries, business data, backups and speed of attacks: the 4 main trends of 2024
The cybersecurity progress of major corporations protects them against the most common threats, but their less mature subsidiaries remain vulnerable. This is borne out by the fact that 66% of incidents targeting large corporations were directed at their subsidiaries.
A subsidiary of a banking and insurance group was attacked through a critical vulnerability in a component that was exposed to the Internet and not kept up to date. The attacker then took advantage of permissive filtering rules to propagate within the information system, extract data and launch ransomware.
Whether for espionage or ransomware, data theft remains one of the main impacts of cyber-attacks. 77% of attacks processed by CERT-Wavestone involved proven data theft.
An attacker maintained persistent access to the information system of an industrial company for 2 years. They exfiltrated emails at regular intervals. Their presence was only revealed when a phishing campaign was carried out from one of the compromised addresses.
Deleting backups is an increasingly common objective for attackers to position ransom payment as the only option for their victims. In the field, 90% of ransomware attacks directly or indirectly targeted backups.
In the healthcare sector, an attacker obtained administrator rights to the Active Directory. They then disabled the creation of new backups and neutralized the alert system monitoring their implementation. Finally, the attacker waited about ten days before launching their ransomware attack, ensuring that the victim had no recent backups to restore from.
The shortest time observed between the attacker’s intrusion into the IS and the launch of their attack is only 3 days. To tackle these ever-shorter timeframes, the automated detection and response capabilities of SOCs and CERTs are key to countering cyber-attacks effectively.
An attacker performed a brute force attack to gain access to a local VPN gateway account. In less than 2 hours, they elevated their privileges and compromised the Active Directory domain through service accounts. Over the next 2 days, the attacker exfiltrated massive amounts of data and then launched their ransomware attack over a weekend.
Artificial Intelligence, a new weapon for cybercriminals
Artificial Intelligence is a new weapon for cybercriminals, through:
- The generation of malicious scripts, making it easier for people with little expertise to find vulnerabilities and carry out attacks.
- Deepfakes, facilitating identity theft (and especially president scams) through fake audio or video.
- Improved phishing, by automating and refining these attacks to make them even more realistic.
Artificial Intelligence also represents opportunities for new and unfamiliar attacks:
- Poisoning attacks: the attacker manipulates the AI’s training data to compromise the integrity of the model.
- Oracle attacks: by interacting with the AI model, the attacker attempts to extract information about the training data or the model itself.
- Evasion attacks: these involve the careful modification of input data to lead the model to erroneous decisions.
Our recommendations
To face these threats, the security measures that have the greatest impact are the following:
- End-to-end control of identity management
- Complete IS monitoring
- Backup protection
The less managed perimeters must also be considered. In particular, it is key to:
- Monitor subsidiaries’ cyber maturity and secure the associated interconnections
- Apply the least privilege principle to the cloud and automatically monitor the application of hardening
- Secure all Artificial Intelligence systems
CERT-Wavestone 2024 report methodology
The CERT-Wavestone 2024 report is based on data observed between August 2023 and September 2024. This study addresses 20 major cyber incidents and crises managed by Wavestone over the period.