Threat Snapshot 2 · Blurring Boundaries 3 · Vulnerability Intelligence 4 · Stolen Access Credentials 6 · Tips 7 · Ransomware 5 · Key Findings 1

In addition, five of the vulnerabilities were confirmed by CISA as known to have been exploited in the wild, according to CISA's Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities were found to be targeted by prolific ransomware gangs and/or nation-state actors, aligning with the two most active threat actor types reviewed above: cybercriminals and nation-state actors.

No single vulnerability dominated the discourse, showing that threat actors are targeting a wide variety of vulnerabilities. CVE-2024-3094, the most mentioned vulnerability, is the XZ Utils backdoor described earlier. Of note, while we would expect the most discussed vulnerability among threat actors to be one they can use to gain access to victims, the XZ Utils backdoor cannot be exploited, and threat actors discussed it out of pure curiosity and interest.

On the other hand, CVE-2024-3400, CVE-2024-21887 and CVE-2024-21762 are vulnerabilities in Palo Alto, Ivanti and Fortinet products (respectively). These CVEs are highly exploitable and are in the top ten mentioned CVEs for a reason. Organizations' edge devices, such as the above, were among the most favored targets of threat actors in 2024. In most cases these vulnerabilities were zero-days, meaning that they were detected only after already having been exploited in the wild.

The Ivanti vulnerability, CVE-2024-21887, a command injection in Connect Secure, was exploited together with another vulnerability, CVE-2023-46805 (an authentication bypass). It was detected on January 10, 2024, and found to have been exploited by Chinese threat actors since December 2023. [21]
The Palo Alto vulnerability, CVE-2024-3400, also a command injection, this one in GlobalProtect, was detected on April 10, 2024, after it was found to be exploited by the Iranian threat actor Pioneer Kitten. According to researchers, this vulnerability had already been exploited successfully since March 26, 2024. [22]

There were not many details about the Fortinet vulnerability, CVE-2024-21762, when the initial advisory came out. According to the advisory, it is an out-of-bounds write vulnerability in FortiOS and FortiProxy that has potentially been exploited in the wild. [23]
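The practical lesson of this section is that chatter volume is a poor proxy for exploitation risk: the most discussed CVE (the XZ Utils backdoor) is not exploitable, while the less discussed edge-device CVEs are in CISA's KEV catalog. The script below is an added example, not part of this report, showing how a defender can rank CVEs seen in threat-actor discussions by KEV status first and discussion volume second. The KEV feed excerpt and the mention counts are constructed sample data in the shape of CISA's KEV JSON (cveID, vendorProject, product, dateAdded, knownRansomwareCampaignUse); the entries, dates and ransomware flags are placeholders to be replaced with the live catalog and your own collection counts.

```python
from __future__ import annotations

import json

# Constructed sample in the shape of CISA's KEV JSON feed. Entries, dates and
# the knownRansomwareCampaignUse flags are illustrative placeholders, not a copy
# of the live catalog; fetch the real feed before using this operationally.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2024-3400",  "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dateAdded": "2024-04-12", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti", "product": "Connect Secure",
     "dateAdded": "2024-01-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti", "product": "Connect Secure",
     "dateAdded": "2024-01-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-21762", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2024-02-09", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed mention counts from a hypothetical forum/channel collection.
# CVE-2024-3094 (XZ Utils) is deliberately the most mentioned, mirroring the report.
SAMPLE_MENTIONS = {
    "CVE-2024-3094": 120,
    "CVE-2024-3400": 80,
    "CVE-2024-21887": 65,
    "CVE-2024-21762": 50,
    "CVE-2023-46805": 30,
}

TIER_ORDER = {"kev-ransomware": 0, "kev": 1, "discussed-only": 2}


def load_kev(text: str) -> dict[str, dict]:
    """Index a KEV-shaped JSON document by CVE id."""
    data = json.loads(text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def classify(cve: str, kev: dict[str, dict]) -> str:
    """Tier a CVE: KEV with known ransomware use > KEV > discussion only."""
    entry = kev.get(cve)
    if entry is None:
        return "discussed-only"
    if entry.get("knownRansomwareCampaignUse") == "Known":
        return "kev-ransomware"
    return "kev"


def prioritize(mentions: dict[str, int], kev: dict[str, dict]) -> list[tuple[str, str, int]]:
    """Return (cve, tier, mention_count) rows, best-evidence-of-exploitation first.

    Within a tier, higher mention count ranks higher; ties break on CVE id so
    the output is deterministic.
    """
    rows = [(cve, classify(cve, kev), count) for cve, count in mentions.items()]
    rows.sort(key=lambda r: (TIER_ORDER[r[1]], -r[2], r[0]))
    return rows


def main() -> None:
    kev = load_kev(SAMPLE_KEV_JSON)
    for cve, tier, count in prioritize(SAMPLE_MENTIONS, kev):
        vendor = kev.get(cve, {}).get("vendorProject", "-")
        print(f"{cve:16} {tier:16} mentions={count:4} vendor={vendor}")


if __name__ == "__main__":
    main()
```

With the constructed data the XZ Utils CVE drops to the bottom despite having the most mentions, and the Ivanti command injection rises to the top because of its (placeholder) ransomware flag. Against the real feed the same ordering logic applies; only the catalog and the counts change.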