Cyber Threat Intelligence Review: Preparing for 2025

One threat intelligence researcher told us that 2024 was a "wild ride" in terms of threat actor activity. Unfortunately, 2025 doesn't look like things will be any calmer.

To stay on top of the latest trends in ransomware and other cybercriminal activities as we enter the new year, Infosecurity spoke to some leading counter-threat intelligence experts about their analysis of trends in 2024 and what organizations should be mindful of as we enter 2025.

A Flourishing Ransomware Ecosystem

The ransomware ecosystem continues to evolve and adapt to new protections put in place by defenders. One dominant trend is the growth of ransomware-as-a-service (RaaS).

Mei Danowski, an Independent Threat Intelligence Researcher and Co-Founder of the Natto Thoughts newsletter, noted that cross-collaboration among threat actors will likely continue in 2025. This will help them amplify the scale, sophistication and impact of cyber-attacks.

"Various types of threat actors from multiple countries make contact on online forums and marketplaces to share advanced malware, AI-driven attack tools, and stolen data," she told Infosecurity.

“Cybercriminals offer specialized services ranging from pentesting and initial access, to malware development, translation, ransom negotiation, and even government relations.”

This thriving market in RaaS lowers the skills barrier for would-be attackers and cybercriminals.

"Then, there are the cybersecurity companies like i-SOON in China, which offer legitimate pentesting services but also data theft. And finally, there are the hackers in uniform, the nation-state or advanced persistent threat (APT) actors. They also hang out on the underground forums to observe and to buy," she said.

Nation-state actors are increasingly making use of tools and services that the cybercriminals have already developed, as well as setting up supposedly independent front companies to hide their own malicious activities, Danowski said. 

Network Edge Devices Remain Vulnerable

Firewalls, VPNs, switches and routers remain vulnerable to threats. Notably, in 2024, the US disabled hundreds of routers to take down a cyber espionage campaign conducted by Volt Typhoon in which obsolete Cisco and NetGear routers were targeted.

“These network edge devices continue to get overlooked in security monitoring and patch management, making them prime targets for both nation-state adversaries as well as cybercriminals,” commented Will Thomas, SANS Instructor and Cyber Threat Intelligence Researcher.

Failure to adequately monitor edge devices combined with delayed patching for known vulnerabilities leaves them open to exploit.

“As we saw in 2024, the consequences of being targeted via a network edge device can be severe. Two notable China-nexus adversaries known as Salt Typhoon and Volt Typhoon were responsible for sweeping telecommunications breaches via network edge devices,” Thomas noted.

As we head into 2025, China is likely to move away from social engineering campaigns towards a focus on flaws in the network edge.

His advice to organizations to counter this trend in 2025 included prioritizing visibility into the network edge and implementing continuous monitoring and logging to catch unusual behavior.

“Adopting a rigorous round-the-clock vulnerability management program is also key to ensure edge devices are patched quickly after vulnerabilities are disclosed. Organizations can also go further by segmenting their networks to prevent lateral movement and limit the impact of successful exploitation,” Thomas told Infosecurity.

Threat Actors Continue to Test AI to its Limits

Now, AI is a firm fixture in the global zeitgeist. It is being used by both threat actors and defenders to improve their capabilities.

Ashley Jess, Senior Intelligence Analyst at Intel 471, said that the advancement of artificial intelligence (AI) remained a topic of interest to underground threat actors in 2024.

She noted, “Primarily, actors are leveraging deepfake technology or are using GPT models — both legitimate and illicit — for simple tasks such as image creation, translations or phishing email templates to support criminal activities including know-your-customer (KYC) bypass, telephone-oriented attack delivery (TOAD), phishing attacks and other social engineering schemes like pig butchering.”

Intel 471 has also observed cybercriminals advertising a handful of specific AI-based tools this year – including tools used for data exfiltration and malware, or to analyze the success of cybercriminal lures.

Jess noted that this indicates that more advanced malicious uses for AI are on the way, especially as the technology improves.

Etay Maor, Chief Security Strategist at Cato Networks & founding member of Cato CTRL, commented, “AI-driven techniques, especially deepfakes, have the potential to bypass traditional identity verification measures, including multifactor authentication (MFA).”

He said that as we enter 2025, deepfake tools will become an even bigger problem as they become more accessible and convincing.

“On top of that, we’re heading toward a cybersecurity battlefield where both attackers and defenders are armed with AI. Success in this space will come down to who can stay the most agile and creative. It’s a high-stakes game, and the competition is only going to heat up,” Maor said.  

Cloud Environments Become a Prime Target

According to a report by Thales, 44% of organizations have experienced a cloud data breach, with 14% reporting having had an incident in the past 12 months.

While the cloud is not new, it is becoming an attractive target for cybercriminals and nation-state actors alike.

Tim West, Director of Threat Intelligence and Outreach at WithSecure, said: “The use of legitimate tooling and functionality to complete illegitimate tasks will be a key theme that network defenders will have to grapple with in 2025 – continuing from 2024. We have started to observe known cloud services used as nodes in attacks, not only limited to command-and-control (C2) infrastructure.”

“As organizations have become increasingly de-perimeterized it has catalyzed the infostealer industry and theft of identity/authentication material activities will continue to be a key trend, although this does not mean mass edge service exploitation will cease in 2025.”

Beware Non-Technical Attack Techniques

While threat actors, especially nation-state actors, are actively advancing their technical prowess, less technical attacks that target high-value individuals via social engineering will continue to dominate.

“Although personalized scams require more effort and can’t be executed on the same scale as technical attacks, they can be more rewarding, making them attractive to the criminals who are willing to put in the work,” noted Rafe Pilling, Director of Threat Intelligence, Secureworks Counter Threat Unit.

These attacks have been used by groups like Lapsus$ and Scattered Spider and often involve tricking helpdesk staff into granting access to user accounts, bypassing a stack of technical controls.

West noted, “Direct email phishing will of course continue, but campaigns that utilize better social engineering, and alternate platforms (i.e. Microsoft Teams) that are able to separate malicious elements (i.e. malware) from initial contact efforts (i.e. an email) will see more success.”

Alongside West, Pilling also highlighted how Microsoft Teams is being used to directly contact employees and eventually spread malware.

In December, a threat actor was observed using vishing via Microsoft Teams to deploy DarkGate malware and gain remote control over the victim’s computer network.

“High-end CEO fraud scams can lead to executives unknowingly transferring large sums of money to scammers. And generative AI technologies are enhancing these attacks, enabling real-time falsification of audio and video to make scams more convincing,” Pilling said.

Ultimately, employees will remain a significant target for cybercriminals, meaning employee education about scams and fraud will remain critical to a mature security strategy.

Threat Actors Relish Remote Access

Cybercriminals are turning from traditional hacking tools towards popular remote access software such as TeamViewer and AnyDesk; by abusing these legitimate tools, they gain unauthorized access to systems without deploying anything that looks like malware.

In the DarkGate case described above, the attacker instructed the victim to download AnyDesk and manipulated them into entering their credentials into the app.

Greg Linares, Principal Threat Intelligence Analyst at Huntress, noted that threat actors are abusing legitimate remote monitoring and management (RMM) software to access compromised systems, exfiltrate data, deploy malware and move laterally within networks.

They can also install rogue RMM instances to maintain persistent access.

“This tactic is particularly effective because RMM software is often allowlisted by security solutions, enabling attackers to fly under the radar and evade detection,” Linares said.

“To combat this growing threat, businesses must proactively monitor their networks for any signs of unauthorized RMM usage, prioritize robust authentication measures like multi-factor authentication, restrict RMM access to trusted users and devices, and conduct regular audits to identify and remove any outdated or unnecessary RMM installations,” he added.
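One way to act on the monitoring part of that advice, as an added example that is not code from the article or from Huntress: a small detector that flags launches of the remote-access tools named above (AnyDesk, TeamViewer) whenever the host is not on an assumed per-host allowlist or the binary runs from a user-writable path, run over constructed process-start events. The log format, host and user names, and the allowlist are all assumptions.

```python
# Added example (not the article's or any vendor's code): flag RMM launches that
# are unsanctioned. Log format, hosts, users and the allowlist are constructed.
import re

# Executable names of the remote-access tools the article mentions.
RMM_TOOLS = {"anydesk.exe": "AnyDesk", "teamviewer.exe": "TeamViewer"}
# Assumed allowlist: (hostname, tool) pairs where the tool is sanctioned.
APPROVED = {("IT-ADMIN-01", "TeamViewer")}
# A sanctioned install does not run from user-writable locations.
SUSPICIOUS_DIRS = ("\\downloads\\", "\\temp\\")
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")

def parse(line):
    """Parse one constructed process-start event; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_unauthorized_rmm(lines):
    """Return (ts, host, user, tool, reasons) for each RMM launch that is unapproved or suspicious."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        image = ev["image"].lower()
        tool = RMM_TOOLS.get(image.rsplit("\\", 1)[-1])
        if tool is None:
            continue  # not a remote-access tool
        reasons = []
        if (ev["host"], tool) not in APPROVED:
            reasons.append("tool not approved for host")
        if any(d in image for d in SUSPICIOUS_DIRS):
            reasons.append("runs from user-writable path")
        if reasons:
            findings.append((ev["ts"], ev["host"], ev["user"], tool, reasons))
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    "2024-12-10T09:12:44Z host=IT-ADMIN-01 user=helpdesk1 image=C:\\Program Files\\TeamViewer\\TeamViewer.exe",
    "2024-12-10T09:15:02Z host=FIN-LAPTOP-07 user=jsmith image=C:\\Users\\jsmith\\Downloads\\AnyDesk.exe",
    "2024-12-10T09:16:30Z host=HR-PC-03 user=mlee image=C:\\Windows\\System32\\notepad.exe",
    "2024-12-10T09:20:11Z host=IT-ADMIN-01 user=helpdesk1 image=C:\\Users\\helpdesk1\\AppData\\Local\\Temp\\TeamViewer.exe",
]

if __name__ == "__main__":
    for ts, host, user, tool, reasons in find_unauthorized_rmm(SAMPLE_LOG):
        print(f"{ts} {host} {user} {tool}: {', '.join(reasons)}")
```

The sanctioned TeamViewer install on the helpdesk host produces no finding, while the same tool launched from a Temp directory on that host is still flagged, which is the rogue-instance case Linares describes.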

Conclusion

As we reflect on the tumultuous landscape of 2024, it's clear that the cybersecurity challenges we face are growing more complex. The insights from leading counter threat intelligence experts underscore the importance of proactive cybersecurity.

“Organizations must improve collaboration across industries and governments, enhance threat intelligence sharing and adopt proactive defenses. Businesses that fail to adapt risk being outmatched by an increasingly specialized and capable threat actor ecosystem,” Danowski said.

Looking ahead to 2025, it's crucial for cybersecurity practitioners to remain informed about emerging trends and adapt their defenses accordingly.
