Cloudflare Blocks 230 Billion Daily Threats: Key Findings

Summary
– Cloudflare’s network blocks over 230 billion daily threats, highlighting the automated scale of modern cyberattacks and a shift in breach methods.
– A major trend is the use of stolen session tokens by infostealers like LummaC2, which bypass MFA and were linked to 54% of 2025 ransomware attacks.
– Attackers increasingly use legitimate cloud services (AWS, Google Cloud, etc.) to blend malicious traffic with normal activity, a tactic tracked as “Living off the XaaS.”
– DDoS attacks more than doubled in 2025, with record-breaking volumes and short durations that hinder human-led mitigation efforts.
– North Korean operatives are infiltrating companies using deepfake profiles to gain remote jobs, funnel salaries to the regime, and potentially access internal systems.
The sheer scale of modern cyber threats is staggering, with advanced networks now intercepting over 230 billion malicious attempts every single day. This astronomical figure underscores a fundamental shift: cyberattacks have become a routine, automated business for adversaries. The latest research reveals critical trends in how these breaches now originate and evolve, moving far beyond simple password guessing to sophisticated, automated campaigns that exploit fundamental gaps in digital infrastructure.
A recent in-depth analysis from a leading security team provides a comprehensive view of activity observed through the previous year. The findings are drawn from global network telemetry that processes a significant portion of the world’s internet traffic, offering a unique vantage point. Security leaders emphasize that the dynamic nature of these threats requires organizations to abandon reactive measures. The only effective defense is a strategy powered by real-time, actionable intelligence that anticipates adversarial moves.
A major trend is the move away from traditional credential theft. Attackers now heavily favor information-stealing malware, which harvests active session tokens directly from compromised devices. This method provides direct access to already-logged-in accounts, completely circumventing multi-factor authentication protections. Research indicates that over half of all ransomware incidents in the past year can be traced back to this type of credential theft. Global law enforcement operations have targeted the infrastructure of prominent stealers, but analysts are already monitoring successor variants designed to accelerate the timeline from initial infection to full ransomware deployment down to mere hours.
The automation of attacks is further evidenced by login attempt data. An overwhelming majority of all login tries are performed by bots. Even among attempts that appear human, nearly half use credentials that were previously exposed in other data breaches, highlighting the massive, automated reuse of stolen data across the internet.
Adversaries are also increasingly leveraging legitimate cloud platforms as their attack infrastructure. Nation-state groups from various regions are routing malicious traffic through services like AWS, Google Cloud, and Azure, as well as common software-as-a-service applications. This tactic, sometimes called “Living off the XaaS,” makes malicious activity far harder to distinguish from normal business traffic because it originates from trusted providers. Specific campaigns have used tools like Google Calendar to hide encrypted commands and have established long-term presence on compromised enterprise infrastructure.
Groups linked to China, for instance, have persistently targeted telecommunications firms, government networks, and IT service providers in North America. This activity has been connected to several high-profile breaches, with a clear pattern of seeking persistent access to critical systems that could be leveraged for future disruption.
Email remains a primary attack vector, with widespread failures in basic authentication protocols enabling phishing at an industrial scale. An examination of hundreds of millions of emails found that nearly half failed standard security checks for sender verification. These gaps allow “phishing-as-a-service” operations to easily send spoofed messages that convincingly appear to come from trusted sources like internal colleagues or major brands. The most impersonated entities included Microsoft, Facebook, and financial services. Furthermore, business email compromise schemes attempted to steal over a hundred million dollars, with fraudsters deliberately calibrating request amounts to fly under typical financial approval thresholds.
Distributed Denial-of-Service (DDoS) attacks also surged to unprecedented levels, with the total number more than doubling. Notably, network-layer attacks more than tripled year-over-year. The security team documented nearly twenty new record-breaking attacks, with the largest reaching a magnitude nearly six times greater than the previous year’s peak. Most of these assaults were short, lasting under ten minutes, which effectively eliminates the possibility of human-led response and demands fully automated defenses.
A particularly concerning development involves state-sponsored operatives from North Korea infiltrating remote workforces. Using AI-generated deepfake profiles and sophisticated schemes to fake U.S. residency, these individuals secure positions at Western companies. Once employed, they divert salary payments to the regime and can create footholds for further malicious access inside corporate networks. Telltale signs of such activity include login alerts showing impossible travel, the use of software to simulate activity, and artifacts in video call metadata.
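The impossible-travel signal mentioned above can be checked mechanically: for each user, compare consecutive sign-ins and flag any pair whose distance over elapsed time exceeds what a flight could cover. This is an added example, not code from the report or from Cloudflare; the 900 km/h ceiling, the login schema and the sample events are constructed assumptions.

```python
"""Impossible-travel check over constructed login events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumption: anything faster than a commercial airliner is implausible.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_ts, later_ts, required_kmh) for consecutive
    logins of one user that would require travel faster than max_kmh."""
    by_user = {}
    for login in sorted(logins, key=lambda l: l.ts):
        by_user.setdefault(login.user, []).append(login)
    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Same-second logins from different places are treated as infinite speed.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                findings.append((user, prev.ts, cur.ts, round(speed)))
    return findings


# Constructed sample events, not real telemetry.
UTC = timezone.utc
SAMPLE = [
    Login("dev42", datetime(2025, 5, 1, 9, 0, tzinfo=UTC), 40.71, -74.01),    # New York
    Login("dev42", datetime(2025, 5, 1, 10, 30, tzinfo=UTC), 39.03, 125.75),  # Pyongyang, 1.5 h later
    Login("ops7", datetime(2025, 5, 1, 8, 0, tzinfo=UTC), 51.51, -0.13),      # London
    Login("ops7", datetime(2025, 5, 1, 20, 0, tzinfo=UTC), 40.71, -74.01),    # New York, 12 h later
]

if __name__ == "__main__":
    for user, t0, t1, kmh in impossible_travel(SAMPLE):
        print(f"{user}: {t0.isoformat()} -> {t1.isoformat()} needs ~{kmh} km/h")
```

Only `dev42` is flagged; `ops7` moved London to New York in 12 hours, which is ordinary air travel. In practice the geolocation comes from an IP-to-location feed and VPN egress points produce benign false positives, so treat a hit as a triage trigger rather than proof.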
The manufacturing and critical infrastructure sectors were disproportionately targeted by ransomware, accounting for over half of all attacks. This focus is driven by the extreme operational and financial pressure these industries face during downtime, making them more likely to pay ransoms.
All these trends point to a single, urgent conclusion: security can no longer be an afterthought. The only sustainable path forward is to build security in at the beginning, adopting a “Secure by Design” philosophy that integrates robust protections into the very architecture of applications and systems from their inception.
(Source: HelpNet Security)