2025 Cybersecurity Threats

2025 begins with much the same characteristics as 2024 – more vulnerabilities, increased exploitation, and shorter breakout times for attacks.

What our Threat Hunters are Seeing

What can we learn about the scope and nature of security threats in 2025 after reviewing the 2024 statistics and trends? Short answer – unpredictable sameness. This year, learn how to spot new threats and protect yourself and your organization.

2024 Cybersecurity Trends

Edge Device Vulnerabilities

In 2024, there was a continued rise in the exploitation of vulnerable edge devices, including VPNs, firewalls, and other internet-facing services. This coincided with a significant increase in identified vulnerabilities, with 52% of the named vulnerabilities relating to initial access. Many of these vulnerabilities were exploited within 24 hours of being made public. Breakout times are shrinking, with the average eCrime breakout time dropping to just 48 minutes.

Social Engineering - Vishing

Social engineering attacks continue to evolve, with CrowdStrike observing a nearly 5x increase in vishing (voice phishing) in 2024. This often takes the form of fake IT support calls that trick victims into giving the threat actor direct access to their systems while believing they are “helping”.

Attacking with Commercial Software

Once access has been obtained through a compromised edge device, a compromised user, stolen credentials, or another access method, attackers use open-source or commercial software to carry out their attacks without resorting to traditional malware. This makes EDR solutions increasingly important compared with traditional AV detection methods, because antivirus alerts won’t trigger on these legitimate tools.

Ransomware – Where recovery is more costly than paying

Finally, ransomware remains a significant concern for many organizations. Threat actors aim to disrupt business operations and recovery processes sufficiently to secure payment from the victim organization. The goal of these attacks is to make recovery more costly than paying for the key to unlock the encrypted systems and data.

Infostealer Malware

Infostealer malware had a huge impact in 2024. SOCRadar identified almost 6 million email/password combinations from infostealer logs on the Dark Web and other sources. This type of malware steals saved passwords from browsers, as well as other personal data such as credit card information and crypto wallets. It can also include keyloggers to capture other sensitive information. This data is then sent back to the threat actor, who in turn sells the stolen information on various cybercrime forums. Passwords harvested from infostealer logs are then used by threat actors to gain initial access to target environments.

What to Expect in 2025

Ransomware – Now paying to prevent the release of data

Ransomware remains a threat, but its impact is starting to fade as attackers adapt to the new realities of protection. Most organizations have built robust and secure backup and recovery processes, making it a relatively trivial effort to restore an encrypted server or endpoint. As a result, the attackers are primarily focused on capturing sensitive data and extorting companies to prevent the release of this information.

This is often more lucrative for the attacker and more difficult for the victim organization to detect and prevent. Ransomware is now often deployed to obscure the attacker’s other actions, making it difficult to validate which sensitive data was accessed and exported.

Once the data has been exported, it is often very difficult to recover it or prevent its exposure. Because there are currently no significant mitigation measures to recover data once it has been exfiltrated, this is becoming the main focus of most attacks.

Social Engineering – AI to Enhance Believability

Social engineering attacks will increasingly rely on AI to enhance the believability of phishing, vishing, smishing, and other ‘urgent response needed’ lures. This makes awareness and out-of-band validation of requests even more crucial in 2025. The success of such attacks has led to an increase in attacks on cloud infrastructure, primarily through the abuse of valid accounts whose compromised credentials were not protected by multi-factor authentication (MFA).

Social Engineering – Is the User Human?

Finally, a newer form of social engineering attack has been gaining strength through the first quarter of 2025. This is the ‘ClickFix’ or ‘Fake Captcha’ attack, where the victim attempts to access a website or service and is asked to run a script or command on their computer, either to fix a supposed issue or to prove they are human before being granted access. It is commonly delivered through watering hole attacks, where the attacker compromises a legitimate third-party site to display the false prompt, ultimately compromising both the site and its visitors.

More Infostealer Malware

Infostealer malware will continue to be a threat in 2025 and beyond, with attackers continually adapting their methods to exploit new vulnerabilities and technologies. In 2025, infostealer malware has become more sophisticated, using advanced techniques to evade detection while extracting sensitive information. These malware variants often employ encryption, obfuscation, and polymorphic methods to bypass traditional security measures.

How do you protect against 2025 threats?

There are three things that provide the most success for any organization looking to reduce the risk of compromise.

  1. Establish a patch management program for all devices, but especially for edge devices. These devices should be updated monthly, at a minimum, and within 24 hours of an identified vulnerability. While this is most critical for edge devices, it is also important for internal devices and systems to reduce the impact if an internal device is compromised.
  2. Enable MFA for all systems possible. Use MFA that performs push notifications instead of text codes or rolling codes whenever possible. Any public system used by your organization must have MFA as a priority for any access – VPNs, web portals, cloud infrastructure, email systems, SaaS offerings, etc. The use of MFA significantly reduces the risk of successful compromise of a system or environment, even if the original credential is compromised.
  3. Review your monitoring and auditing solutions to ensure you are identifying and capturing ALL the security risks within the environment. Attackers are smart and are learning how to avoid endpoint detection by exploiting systems that CAN’T have endpoint detection installed. This includes IoT devices, network devices, and outdated (legacy) systems. (Note: The PacketWatch solution monitors these network connections to identify suspicious behavior, malicious Command and Control functions, and data transfer anomalies that most other solutions cannot.)
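The third step above calls for spotting data-transfer anomalies on devices that cannot run an endpoint agent. As an added example (not PacketWatch code), the Python below baselines each host’s daily outbound bytes to external addresses from flow records and flags a day that is far above that host’s own history; the flow records, the RFC 1918 internal ranges, and the thresholds are all constructed assumptions.

```python
# Per-host egress baseline check. Added example, not PacketWatch code;
# internal ranges, flow records and thresholds are assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal ranges (RFC 1918); anything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (day, source host, destination IP, bytes sent).
FLOWS = [
    ("d1", "ws-01", "203.0.113.10", 40_000_000),
    ("d2", "ws-01", "203.0.113.10", 38_000_000),
    ("d3", "ws-01", "203.0.113.10", 42_000_000),
    ("d4", "ws-01", "203.0.113.10", 39_000_000),
    ("d4", "ws-01", "10.0.0.5", 900_000_000),       # internal file share, ignored
    ("d5", "ws-01", "198.51.100.7", 2_600_000_000),  # sudden 2.6 GB to a new external host
    ("d1", "cam-07", "203.0.113.20", 500_000),
    ("d2", "cam-07", "203.0.113.20", 480_000),
    ("d3", "cam-07", "203.0.113.20", 510_000),
    ("d4", "cam-07", "203.0.113.20", 495_000),
    ("d5", "cam-07", "203.0.113.20", 505_000),
]

def is_internal(dst):
    addr = ip_address(dst)
    return any(addr in net for net in INTERNAL_NETS)

def daily_external_egress(flows):
    """Sum bytes per host per day, counting only flows to external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if not is_internal(dst):
            totals[host][day] += nbytes
    return totals

def egress_anomalies(flows, eval_day, min_days=3, k=6, floor_bytes=50_000_000):
    """Return {host: (bytes on eval_day, baseline median)} where eval_day exceeds
    median + k*MAD of prior days; MAD resists one odd day, floor_bytes mutes tiny devices."""
    alerts = {}
    for host, per_day in daily_external_egress(flows).items():
        history = [b for d, b in per_day.items() if d != eval_day]
        if len(history) < min_days:
            continue  # not enough history to baseline this host
        med = median(history)
        mad = median(abs(b - med) for b in history) or 1  # avoid a zero spread
        today = per_day.get(eval_day, 0)
        if today > floor_bytes and today > med + k * mad:
            alerts[host] = (today, med)
    return alerts
```

On the constructed data only ws-01 is flagged on d5, while the low-volume camera stays quiet and the large internal transfer on d4 is ignored.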

Conclusion

2024 was marked by a significant increase in vulnerability exploitation, credential abuse, and social engineering attacks. 2025 promises to include much of the same, but from unpredictable angles and unpredictable outcomes from the attackers.

Novel attack methods, such as AI-enhanced vishing and smishing, will target end-user devices and credentials for use in part of the attack chain.

Ransomware will continue to occur, but the primary focus of those attacks will be to cover the attacker's tracks, rather than attempting to receive payment. The focus of most attacks moving forward will be on capturing, exfiltrating, and selling sensitive data on the dark web.

Mitigating these threats is similar to 2024:

  • Patch Management
  • Multi-factor Authentication (MFA)
  • Monitoring

In 2025, however, the emphasis shifts to monitoring network activity and proactively reviewing edge device logs, rather than reacting to alerts from endpoints and SIEMs. While none of these mitigation efforts are new, the changes from last year highlight the need to adapt to the new realities of attack vectors and methods.

Next Steps

If you need help assessing or protecting your environment in 2025, please contact us to learn more about our proactive services and solutions.

Todd Welfelt has an Information Technology career spanning more than 25 years. He has turned his extensive experience with hands-on management and maintenance of computer systems into practical assessment and implementation of security tools to meet the needs of compliance frameworks, as well as provide real-world risk reduction.

John Garner has worked in Cyber Security for over 10 years. His experience includes different analyst roles in various SOCs, security engineering for cyber ranges, and threat intelligence at PacketWatch.