Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Welcome to the 20th edition of the Cloudflare DDoS Threat Report, marking five years since our first report in 2020. Published quarterly, this report offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the fourth quarter of 2024 and look back at the year as a whole.

As more organizations move to software-as-a-service (SaaS), remote access to applications and data is concentrated among a smaller set of identity providers. These identity providers, such as Okta, must absorb growing volumes of credential-based attacks. Okta consistently reports high volumes of credential stuffing, password spraying and phishing attacks against its customers. Additionally, red teams are discovering new patterns of abuse relevant to Okta products.

There’s a dark joke in cybersecurity: each year ends with an unwelcome holiday surprise—a major security incident. This timing isn’t random. Threat actors target this timing, knowing security teams operate with skeleton crews that impact detection, investigation and response times. It’s a calculated strategy that works reliably, year after year. And now there’s another holiday surprise to add to the list—the recent attack on the U.S. Treasury Department.

In December 2024, Cyberhaven fell victim to a sophisticated cyberattack that exploited a phishing campaign targeting its Chrome Web Store account. This breach compromised over 400,000 users by injecting malicious code into its browser extension, exfiltrating sensitive data such as cookies and session tokens. The incident has drawn significant attention due to Cyberhaven's role as a cybersecurity provider and the broader implications for browser extension security.

A new and growing threat has emerged, targeting vulnerable PHP servers with a sophisticated cryptocurrency mining attack. This exploit takes advantage of misconfigured or unpatched PHP servers, allowing malicious actors to gain unauthorized access and deploy mining malware. The campaign focuses on exploiting vulnerabilities in PHP, particularly CVE-2024-4577, which has already been linked to several exploit attempts and continues to affect systems worldwide.

Ransomware groups claimed responsibility for 5,461 attacks in 2024, with 1,204 of these attacks being publicly confirmed by victim organizations, according to Comparitech’s latest Ransomware Roundup report. The average ransom demand was more than $3.5 million, and the average ransom paid was $9.5 million. Many of these attacks involved data theft extortion, leading to the breach of nearly 200 million records.

The recent Codefinger ransomware attack has sent shockwaves through the IT community, specifically targeting businesses relying on AWS S3 storage services. This breach highlights the importance of prioritizing security “best practices” to protect even the most reliable platforms.

Japan’s National Police Agency (NPA) has attributed more than 200 cyber incidents over the past five years to the China-aligned threat actor “MirrorFace,” Infosecurity Magazine reports.