DDoS overtakes ransomware as most active cyber threat in Europe


Almost half of cyberattacks in the European Union are distributed denial-of-service (DDoS) attacks, putting NoName057 at the top of the most active threat actors’ list.

Ransomware is the next most active threat, followed by data breaches, which now mostly happen in the cloud, according to a new report by the European Union Agency for Cybersecurity (ENISA).

The organization has seen “a significant increase” in cybersecurity events in the EU. From July 2023 to June 2024, the top threats were attacks against availability (DDoS) and ransomware.

The EU suffered a total of 4,120 attacks that could be attributed to various types of denial of service (DoS, DDoS, RDoS). That’s 41.1% of total cyberattacks analyzed in the Threat Landscape report by ENISA.

Ransomware’s share was 25.8%, which corresponds to 2,590 attacks, followed by 1,910 data incidents (19%).

Among the observed 11,079 incidents, 322 attacks targeted two or more EU member states.

“Geopolitics continued to be a strong driver for cyber malicious operations,” ENISA said.

Most cyberattacks targeted organizations in the public administration (19%), transport (11%), and finance (9%) sectors.

NoName057, a pro-Russian hacktivist group known for its distributed denial-of-service (DDoS) attacks, took the crown of the most active threat actor, as ENISA attributed 30.48% of all cyberattacks to it.

“The war in Ukraine continues to catalyze a surge in hacktivist activity, with numerous groups aligning themselves with either side of the conflict. Attacks are often retaliatory, aiming to disrupt services and send political messages,” ENISA said.

However, DDoS attacks are often considered nuisances and do not necessarily indicate a high severity. Threat actors often claim victims with no real impact on those victims.

Meanwhile, ransomware attacks, despite dropping to second place measured by activity, remained at a high level, at around 1,000 claims per quarter globally, with LockBit, Cl0p, and PLAY being the most prevalent strains.

Cl0p, which was one of the most active groups in 2023 and exploited two different zero-days in its campaigns, has remained inactive during the first half of 2024.

Despite the take-down operation, named Operation Cronos, LockBit maintained “consistent activity” throughout the entire period. ENISA notes that the extent of its resurgence has been exaggerated, as a substantial portion of LockBit’s claimed victims were either reuploads of previous attacks or misattributed to the group.

“Data leak sites have started being considered to be unreliable. Many of the data leaks posted are duplicates of previous attacks or wrongly attributed to the LockBit ransomware group.”

The past year marked an advancement in cybercrime actors’ defense evasion techniques. They evaded detection using ‘living off the land’ (LOTL) techniques, meaning they blended into legitimate environments to mask malicious activities. Cybercriminals extended their stealth techniques into the cloud, using trusted sites and legitimate services to avoid detection and disguise communications as ordinary traffic.

“A trend known as ‘double-dipping’ has increased, where victims are targeted multiple times. This malicious practice involves re-victimizing organizations through various methods. Cybercriminals may exploit previously identified vulnerabilities or use stolen credentials to launch subsequent attacks on the same victim,” ENISA said.

Over 19,000 vulnerabilities identified

A total of 19,754 vulnerabilities (CVEs) with encoded severity score information were identified during the period, with 9.3% falling into the ‘critical’ category and 21.8% categorized as ‘high’ severity.

Many critical vulnerabilities were specifically related to web vulnerabilities, affecting websites, web applications, and underlying internet infrastructure, which are often prime targets for attackers seeking unauthorized access.

The most concerning were the 123 vulnerabilities included in the CISA Known Exploited Vulnerabilities list.

Data breaches happen in the cloud

Data incidents, such as breaches, leaks, and manipulation, are on the rise. ENISA witnessed a 78% increase compared to the previous period.

According to IBM, 82% of all data breaches involved data stored in the cloud, with 39% spanning multiple environments (e.g., cloud and on-premises).

Information manipulation yet to experience AI moment

Incidents of malicious manipulation seem to be on the rise. They are one of the key elements of Russia’s war against Ukraine, and this year has been marked by many major events and elections.

Influence campaigns are supported by widespread digital presence – threat actors creating inauthentic accounts and websites.

AI-enabled information manipulation, while it has been observed, is still on a limited scale.

“The extent to which AI is used to disseminate content is not fully clear, although it is happening. For example, NewsGuard has identified over 1,000 AI-generated news and information sites operating with little to no human oversight,” ENISA noted.

“The effectiveness of AI-supported campaigns has been disputed, however, and it seems that this is rather an exploration phase to assess how AI can be exploited in this context, and evolution is expected.”

Among other trends, ENISA noted a recent surge in mobile banking trojans. Research indicates a 200% year-over-year growth in malicious banking applications.

Since 2004, the total number of breached accounts has reached 17.2 billion, with approximately 6.5 billion being unique email addresses, according to Surfshark.