Scan and exploit
Threat actors will continue to rush to exploit newly disclosed vulnerabilities, usually within hours of a proof-of-concept exploit being released and sometimes as soon as the vulnerability is disclosed, before any public exploit exists. Diffing the vendor's patch against the previous release often gives them enough clues to locate and trigger the bug themselves. Prompt patching, especially of internet-facing perimeter devices, will therefore remain as essential as ever in 2025.
AI
As commercially available large language models continue to clamp down on abuse and misuse by threat actors, those actors will gravitate to open-source models that they self-host, or to models offered on underground markets with the safety controls removed.
AITM
Threat actors will increasingly use automated phishing and adversary-in-the-middle (AiTM) platforms that proxy the victim's session to the real site, capturing credentials, one-time codes and the resulting session tokens. Because the victim completes the MFA step themselves, this bypasses older multi-factor authentication implementations based on one-time codes or push approvals. In response, organizations will be forced to accelerate deployment of phishing-resistant authentication methods such as passkeys, which are bound to the legitimate site's origin and cannot be relayed through a lookalike domain.
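The mechanism described above, as an added illustration that is not part of the original report: a proxy that relays a password and one-time code wins a session, while a passkey assertion is scoped to the relying party's RP ID and carries the browser's real origin inside the signed data, so neither a lookalike domain nor a rewritten origin field gets past the relying party. The domains, user secrets and an attacker-controlled subdomain are constructed for the example, and an HMAC with a per-credential secret stands in for the authenticator's asymmetric signature (real WebAuthn uses public-key signatures; the scoping and origin checks shown are the same).

```python
"""AiTM phishing versus MFA: relayed one-time codes fail, origin-bound passkeys hold.

Added example, not the report's code. An HMAC keyed with a per-credential secret
stands in for the authenticator's private-key signature (real WebAuthn uses
asymmetric keys); the RP-ID scoping and origin-binding checks are the point.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Hypothetical relying party and attacker-controlled origins (constructed).
RP_ID = "bank.example"
RP_ORIGIN = "https://www.bank.example"
LOOKALIKE_ORIGIN = "https://bank-example.com"        # classic AiTM lookalike domain
SUBDOMAIN_ORIGIN = "https://verify.bank.example"      # attacker-held subdomain (e.g. dangling DNS)


def legacy_mfa_login(password, otp, expected_pw, expected_otp):
    """Password + one-time code; returns a session token on success."""
    if hmac.compare_digest(password, expected_pw) and hmac.compare_digest(otp, expected_otp):
        return secrets.token_hex(16)
    return None


def aitm_against_otp():
    """Victim types password and code into the proxy; the proxy relays both and keeps the session."""
    expected = ("correct horse", "482913")            # constructed user secrets
    typed_into_proxy = ("correct horse", "482913")     # lookalike page looks right, victim complies
    session = legacy_mfa_login(*typed_into_proxy, *expected)
    return session is not None                         # True: the attacker holds a live session


def rp_id_allowed(rp_id, origin):
    """Authenticator rule: RP ID must equal the page host or be a registrable suffix of it."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Platform authenticator: one credential per RP ID, signs only for a matching page."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key                                     # stand-in for the public key given to the RP

    def get_assertion(self, browser_origin, rp_id, challenge):
        key = self._keys.get(rp_id)
        if key is None or not rp_id_allowed(rp_id, browser_origin):
            return None                                # page cannot use a credential scoped elsewhere
        # The browser, not the page, writes the origin it is really on into clientDataJSON.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()            # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return {"client_data": client_data, "auth_data": auth_data,
                "sig": hmac.new(key, to_sign, hashlib.sha256).digest()}


def rp_verify(cred_key, challenge, assertion, allowed_origins=(RP_ORIGIN,)):
    """Relying-party side of the assertion ceremony."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") not in allowed_origins:        # origin binding: the anti-AiTM check
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, to_sign, hashlib.sha256).digest(), assertion["sig"])


def passkey_flow(browser_origin):
    """Register a passkey for RP_ID, then log in from the given page; True if the RP accepts."""
    auth = Authenticator()
    cred_key = auth.register(RP_ID)
    challenge = secrets.token_urlsafe(16)              # relayed unchanged by any proxy
    return rp_verify(cred_key, challenge, auth.get_assertion(browser_origin, RP_ID, challenge))


def origin_rewrite_fails():
    """Proxy on the attacker subdomain does get an assertion, then rewrites its origin field."""
    auth = Authenticator()
    cred_key = auth.register(RP_ID)
    challenge = secrets.token_urlsafe(16)
    assertion = auth.get_assertion(SUBDOMAIN_ORIGIN, RP_ID, challenge)
    tampered = dict(assertion, client_data=assertion["client_data"].replace(
        SUBDOMAIN_ORIGIN.encode(), RP_ORIGIN.encode()))
    return not rp_verify(cred_key, challenge, tampered)   # signature covered the original bytes


if __name__ == "__main__":
    print("OTP MFA through AiTM proxy, attacker gets session:", aitm_against_otp())   # True
    print("Passkey from real origin:", passkey_flow(RP_ORIGIN))                     # True
    print("Passkey from lookalike domain:", passkey_flow(LOOKALIKE_ORIGIN))         # False
    print("Passkey from attacker subdomain:", passkey_flow(SUBDOMAIN_ORIGIN))       # False
    print("Rewriting the origin field is rejected:", origin_rewrite_fails())       # True
```

The subdomain case is the one worth remembering when rolling out passkeys: RP ID scoping lets a page on any subdomain of `bank.example` request an assertion, so the relying party's own check that the signed `origin` is in its allow-list is what stops an attacker who controls a forgotten subdomain, not the authenticator alone.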
NORTH KOREA
North Korean threat actors will continue to use job-themed lures in their attacks. In particular, CTU researchers anticipate further exposure of the widespread North Korean fraudulent IT worker scheme, through which the threat actors have infiltrated hundreds of companies.
CHINA
China will continue to focus on its political, military and economic priorities when collecting intelligence via cyber (or any other) means. Its targeting will therefore change little, although it can always be swayed by political developments around the world.
In more tactical terms, Chinese state-sponsored threat groups will develop zero-day exploits for network perimeter devices that they judge to be vulnerable targets; several firewall and VPN products and vendors fall into this category.
Chinese state-sponsored threat groups will place even greater emphasis on stealth in their operations, driven by the continuing U.S. strategy of imposing sanctions on, and indicting, specific named individuals connected with cyber intrusions.
China will continue to seek to understand as much as it can about Western (particularly U.S.) technology used on the battlefield in Ukraine, in order to prepare countermeasures for a possible future invasion of Taiwan. Its cyberespionage operations will likely be geared toward the same preparations.
Hacktivism
New and existing patriotic hacktivist groups will continue to target perceived enemies. They will disrupt websites with DDoS attacks, probe and manipulate poorly protected internet-facing devices, and use these attacks to boost follower counts and promote their ideological positions.
Ransomware
Opportunistic ransomware and data exfiltration attacks will continue at a high tempo into 2025. Ransomware affiliates displaced in 2024 by the disruption of operations such as LockBit and ALPHV/BlackCat will continue to form new allegiances with new entrants, previously lower-profile groups, or rebranded returnees. Many affiliates will keep working with multiple groups at once, and some will continue to experiment with operating on their own behalf using leaked ransomware builders. Being able to detect and disrupt an intrusion at an early stage, before data can be stolen or encrypted, will remain essential for organizations in all sectors.