2023 Threat Roundup


The continuation of ongoing conflicts and the expansion of new ones, the emergence of critical vulnerabilities being mass exploited and the ever-increasing threat of cybercrime were some of the key events of 2023.

Forescout Vedere Labs analyzed attack-related data and the 2023 threat landscape to share with organizations tactical insights and strategic recommendations for improved defense.


Watch Webinar Read Report



Attacks, Jan. – Dec. 2023


Attacks per Second




Unique Malware Samples

On-demand Webinar: 2023 Trends in Cyberattacks, Exploits, and Malware

Join Forescout’s Research team for a deep dive into the cybersecurity landscape. From navigating conflicts to exploiting vulnerabilities and countering cybercrime, we’ll dissect pivotal events that will define the year ahead.

Top 10 Countries Originating Attacks

The Rise of China-Based Attacks

  • Attacks originated from 212 countries.
  • 10 countries accounted for 77% of all malicious traffic, with a spike in attacks from China.

Autonomous System Types Originating Attacks

More Compromised Devices

  • 48% of attacks came from IPs managed by ISPs, 32% from organizations in business, government and other sectors, and 10% from hosting or cloud providers.
  • This reflects an increase in the use of compromised devices to launch attacks, whether directly or via “residential proxies”.

Top Attacked Service Types

Attacked Services – Focusing on the Web and IoT

  • Web applications were the most attacked service type followed by remote management protocols.
  • Remote management services were often targeted with specific usernames linked to IoT devices, whereas web applications were often targeted with vulnerability exploits.

Distribution of Exploited Vulnerabilities by Software Type

Exploits – There’s Much Beyond KEV

  • Exploits against software libraries decreased partly because of Log4j exploits losing popularity.
  • Exploits against network infrastructure and IoT devices increased. The most targeted IoT devices were IP cameras, building automation and network attached storage.
  • Only 35% of exploited vulnerabilities appeared in CISA KEV.

Threats Unleashed Across 163 Countries

Threat actors have cast a digital net far and wide, impacting 163 countries. The United States stands as the primary target, bearing the brunt with 168 malicious actors setting their sights on the nation. Other countries include the United Kingdom (88), Germany (77), India (72), and Japan (66).

Attacks by OT Protocol (top 5)

OT Attacks

  • Five OT protocols were constantly targeted: Modbus, Ethernet/IP, Step7, DNP3 and IEC10X.
  • The remaining 2% are divided into many other protocols, of which the majority is BACnet.
  • Most attacks target protocols used in industrial automation and the power sector. Building automation protocols are less often scanned, but exploits against building automation are more common.

Distribution of Top 10 Commands Executed

Persistent Threats

  • Post-exploitation actions focused on persistence (50%, up from 3% in 2022), discovery and execution.
  • Most observed commands were for generic Linux systems, but there were also commands executed specifically for network operating systems that run on popular routers.

Distribution of Malware Types


  • RATs and infostealers are the most popular type of malware. Botnets and other downloaders come in third and fourth, followed by crypto miners and then a variety of other malware.
  • The most popular malware families were the Agent Tesla RAT, then variants of the Mirai botnet and the Redline infostealer.
  • Cobalt Strike remained the most popular command and control (C2) server, followed by Metasploit and the emerging Sliver C2.

Top 10 Targeted Industries

Threat Actors

  • Threat actors targeted 163 countries. The United States was the most targeted, followed by the UK, Germany, India and Japan.
  • Most threat actors were in China, Russia and Iran. Together, these three countries accounted for almost half the actors
  • Government, Financial Services and Media and Entertainment were the most targeted industries.

Dive into the research

In this comprehensive report, Forescout Research – Vedere Labs meticulously analyzed data pertaining to attacks, exploits, and malware observed throughout 2023. At a strategic level, we strongly advocate that organizations concentrate on enhancing cybersecurity through three fundamental pillars:
  • Begin by conducting a thorough assessment of every asset connected to the network, scrutinizing its security postures, known vulnerabilities, credentials, and open ports.
  • Avoid exposing unmanaged devices directly to the internet. Opt for network segmentation to isolate IT, IoT, and OT devices, restricting network connections to specifically designated management and engineering workstations.
  • Utilize an IoT/OT-aware, Deep Packet Inspection (DPI)-capable monitoring solution to detect and alert on malicious indicators and behaviors.

Strategic Recommendations: How Forescout can Help

  • Risk and exposure management. Identify, quantify and prioritize cybersecurity risk. Start by discovering and assessing every connected asset to gain real-time awareness of your attack surface.
  • Network security. Continuously monitor all connected assets to govern network access, using real-time traffic visibility to manage segmentation and dynamic control policies to mitigate and remediate risk.
  • Threat detection and response. Detect, investigate and respond to true threats and incidents using threat detection and response capabilities to collect telemetry and logs, correlate attack signals, generate high-fidelity detections and enable automated responses.
schedule a demo
Demo Request Forescout Platform Top of Page