Threats to Kenya’s cybersecurity landscape are becoming increasingly complex, with system attacks and brute force attempts driving a record-breaking 2.5 billion cyber threat detections between January and March this year, according to a new government report.
- The data, published by the National Kenya Computer Incident Response Team Coordination Centre (KE-CIRT/CC), reveals a 201.85% increase in cyber threat events from the previous quarter.
- System-based attacks accounted for the overwhelming majority, with more than 2.47 billion detections, followed by brute force attacks at 33.8 million detections, and malware attacks at 24.55 million detections.
- These attacks were largely enabled by misconfigured systems, outdated software, and the proliferation of insecure IoT devices.
“These ongoing global trends are largely driven by the rapid growth of Internet of Things (IoT) devices, which often lack comprehensive security features. Additionally, the continued widespread utilisation of botnets and other DDoS attack techniques have also contributed significantly to these trends. Botnets remain a key tool for malicious actors due to their decentralised structure, making them highly effective for large-scale attacks,” David Mugonyi, the CEO of the Communications Authority of Kenya (CA), said.

The report also highlights a rise in targeted exploitations of high-profile vulnerabilities, including FortiManager’s missing authentication bug (CVE-2024-47575) and a zero-day flaw in Windows’ Common Log File System (CVE-2024-49138). Both issues were being used by hackers before the companies fixed them, highlighting how even trusted systems can have dangerous security gaps.
Meanwhile, brute force attacks and web application exploits surged, as cyber criminals increasingly pursued login credentials and server access through credential stuffing and software injection techniques.
DDoS attacks saw a 75.63% decline, a drop attributed to improved mitigation protocols across government and health institutions. Yet the report warns that the growing availability of DDoS-as-a-Service, sometimes priced as low as US$5 per hour, makes future surges likely.
Artificial intelligence also featured heavily in the report, both as a tool for attackers — by enhancing phishing campaigns and deep fake scams — and as a vital defensive layer for institutions that have implemented AI-driven threat detection and response systems.
The report states that 13.2 million cyber threat advisories were issued by KE-CIRT/CC during the quarter, a 14% increase from the previous period. The agency emphasized the need for organisations to adopt zero-trust frameworks, enforce strong access controls, and invest in cyber security training for staff.
“As the digital landscape evolves, so must our cyber defences. Let this year be one of increased awareness, collaboration and resilience in the face of emerging and persistent cyber threats,” Mugonyi added.
With Kenya pushing ahead on its digital transformation agenda, the report serves as a stark reminder that the faster the country goes digital, the more exposed its infrastructure becomes. KE-CIRT/CC’s recommendations include strengthening public-private collaboration, accelerating the application of patches that fix security flaws or bugs, and increasing funding for capacity building.





