Key Takeaways from the Fortinet Global Threat Landscape Report

Cyber-attacks are faster, broader, and more automated than ever. The best defence lies in reducing vulnerabilities in the attack surface that attackers can use.

The FortiGuard Labs 2025 Global Threat Landscape Report examines how cybercriminals are operating faster, scaling their efforts, and relying on automation at every stage of an attack.

For organisations, this means exposure can grow quickly if systems are not consistently monitored, maintained, and protected. As Fortinet puts it: “The question is no longer if an organization will be targeted - it’s a matter of when and how quickly.”

We’ve compiled the report’s key insights and what they mean for your organisation below.

Automated Scanning Is Rising Rapidly

A major increase in automated reconnaissance was recorded in 2024, with active global scanning rising by 16.7%.

FortiGuard Labs observed billions of these attacks, approximately 36,000 scans per second, focused on exposed protocols such as SIP, RDP, and Modbus TCP.

These scans help attackers identify weaknesses before defenders can patch them. A reactive approach to security is no longer sufficient; continuous visibility of your environment is essential.

Stolen Credentials Are Fuelling a Growing Underground Market

FortiGuard Labs recorded a 42% increase in compromised credentials for sale, with over 100 billion records shared across darknet forums in 2024.

Infostealers like Redline and Vidar were linked to a 500% increase in stolen credential logs, making account takeover attempts far easier for attackers.

You can reduce the risk by strengthening identity security, implementing MFA where possible, and never reusing credentials across systems.

Exploitation Attempts Surpassed 97 Billion in 2024

More than 97 billion exploitation attempts were detected, and Asia–Pacific accounted for the largest share at 42%. Attackers frequently targeted older, still-unpatched vulnerabilities such as:

  • CVE-2017-0147 (SMB) – 26.7% of attempts
  • Log4j CVE-2021-44228 – 11.6%
  • CVE-2019-18935 (Netcore IoT devices) – 8%

Known vulnerabilities remain effective attack points when updates are missed. Regular patching and endpoint protection are essential steps you can take to limit this exposure.

IoT Devices Continue to Be Easy Targets

Over 20% of exploitation attempts focused on IoT devices such as routers and cameras. Many attacks rely on defaults like unchanged passwords, outdated firmware, and publicly exposed management interfaces.

Commonly targeted devices included Netcore Netis routers (18.4% of attacks) and GoAhead-based cameras (10.5%). Routers, particularly those manufactured by Netcore, TP-Link, and D-Link, received the highest percentage of attacks.

With so many IoT systems deployed in modern workplaces, Computer One can help you ensure these devices are inventoried, secured, and kept up to date.

Post-Exploitation Tactics Are Becoming Stealthier

Once attackers gain access, many rely on “living off the land” techniques, using trusted system tools to hide their presence.

Common behaviours observed by FortiGuard include:

  • Abuse of RDP in 88% of incidents.
  • Use of RATs such as Xeno RAT, SparkRAT, AsyncRAT and Trickbot.
  • Manipulation of Active Directory via DCSync and DCShadow techniques.
  • Covert communication using SSL and DNS tunnelling.

These techniques make attacks harder to detect without continual behavioural monitoring or advanced threat analytics.
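The behavioural monitoring this section calls for can be illustrated on the DNS tunnelling item above. The following is an added example, not code from Fortinet or Computer One: it screens resolver query logs for the pattern tunnels leave (many queries to one base domain, almost every name unique, long high-entropy labels, often TXT or NULL record types). The log line format, the sample lines, the domain names and the thresholds are all constructed for illustration.

```python
"""Behavioural screening of resolver logs for DNS-tunnelling-like traffic, one of
the covert channels the report lists. Added example on constructed log lines;
it is not code from Fortinet or Computer One."""
import math
from collections import Counter, defaultdict

# Constructed sample lines in an assumed format: "<timestamp> <client> <qtype> <qname>".
# Adapt parse_line() to whatever your resolver or DNS firewall actually emits.
SAMPLE_LOG = """\
2025-03-10T03:40:01Z 10.0.0.12 A www.example.com
2025-03-10T03:40:02Z 10.0.0.12 A cdn.example.com
2025-03-10T03:40:03Z 10.0.0.31 TXT a1b2c3d4e5f60789f8e7d6c5b4a39201.tunnel-example.net
2025-03-10T03:40:04Z 10.0.0.31 TXT 1b2c3d4e5f60789f8e7d6c5b4a39201a.tunnel-example.net
2025-03-10T03:40:05Z 10.0.0.12 A mail.example.com
2025-03-10T03:40:06Z 10.0.0.31 TXT b2c3d4e5f60789f8e7d6c5b4a39201a1.tunnel-example.net
2025-03-10T03:40:07Z 10.0.0.44 A d3abcd.cdn-example.org
2025-03-10T03:40:08Z 10.0.0.31 TXT 2c3d4e5f60789f8e7d6c5b4a39201a1b.tunnel-example.net
2025-03-10T03:40:09Z 10.0.0.12 A www.example.com
2025-03-10T03:40:10Z 10.0.0.44 A d3abcd.cdn-example.org
"""

# Thresholds are illustrative starting points; tune them against your own traffic.
MIN_QUERIES = 4         # too few queries to judge a domain below this
MIN_UNIQUE_RATIO = 0.8  # tunnels encode data, so almost every qname is new
MIN_MEAN_LABEL_LEN = 20
MIN_MEAN_ENTROPY = 3.0  # bits/char; encoded payloads approach 4 (hex) or ~5 (base32/64)

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def parse_line(line):
    """Split a log line into (client, qtype, qname); None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")

def split_domain(qname):
    """Naive split into (subdomain, base) where base is the last two labels.
    A public-suffix list would do this properly for names like example.co.uk."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyse(log_text):
    """Per base domain: query count, unique-qname ratio, mean subdomain length,
    mean per-query entropy and the share of TXT/NULL queries."""
    per_base = defaultdict(lambda: {"count": 0, "names": set(), "lens": [], "ents": [], "odd_types": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _client, qtype, qname = rec
        sub, base = split_domain(qname)
        payload = sub.replace(".", "")  # the part an encoder would fill with data
        d = per_base[base]
        d["count"] += 1
        d["names"].add(qname)
        d["lens"].append(len(payload))
        d["ents"].append(shannon_entropy(payload))
        if qtype in ("TXT", "NULL"):
            d["odd_types"] += 1
    result = {}
    for base, d in per_base.items():
        n = d["count"]
        result[base] = {
            "count": n,
            "unique_ratio": len(d["names"]) / n,
            "mean_len": sum(d["lens"]) / n,
            "mean_entropy": sum(d["ents"]) / n,
            "odd_type_ratio": d["odd_types"] / n,
        }
    return result

def find_suspicious(log_text):
    """Base domains whose query pattern meets all tunnelling heuristics at once."""
    flagged = []
    for base, m in analyse(log_text).items():
        if (m["count"] >= MIN_QUERIES and m["unique_ratio"] >= MIN_UNIQUE_RATIO
                and m["mean_len"] >= MIN_MEAN_LABEL_LEN and m["mean_entropy"] >= MIN_MEAN_ENTROPY):
            flagged.append(base)
    return sorted(flagged)

if __name__ == "__main__":
    for base, m in analyse(SAMPLE_LOG).items():
        print(f"{base:22} n={m['count']:2} uniq={m['unique_ratio']:.2f} len={m['mean_len']:5.1f} "
              f"H={m['mean_entropy']:.2f} txt/null={m['odd_type_ratio']:.2f}")
    print("suspicious:", find_suspicious(SAMPLE_LOG))
```

Requiring every heuristic to fire at once keeps the false-positive rate down: CDNs and cloud services also generate long, unique-looking subdomains, but usually with low entropy or ordinary record types. Anything flagged should be reviewed against the client that issued the queries before action is taken.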

Cloud Misconfigurations Remain a Major Weakness

Cloud incidents were strongly linked to misconfigurations, excessive permissions, leaked credentials and insecure APIs. Key observations include:

  • 70% of cloud identity compromises involved logins from unusual locations.
  • Attackers frequently invoked new APIs on behalf of compromised accounts.
  • Multi-stage cloud attacks using credential theft, reconnaissance and API abuse are increasingly common.

Reduce your risk by reviewing permissions regularly, rotating credentials, and monitoring cloud activity logs for anomalies.
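Two of the observations above, sign-ins from unusual locations and new API calls made on behalf of compromised accounts, lend themselves to a baseline-and-compare check over cloud audit logs. The following is an added example and not code from Fortinet or Computer One: it learns, per identity, the sign-in countries and API actions seen during a baseline window, then flags later events that deviate. The event records, field names (loosely modelled on AWS CloudTrail), the GeoIP-derived `country` field and the cutoff date are all constructed assumptions.

```python
"""Baseline-and-compare detection for two of the cloud signals in the report:
sign-ins from a location the identity has never used, and API actions the
identity has never invoked. Added example on constructed events; it is not
code from Fortinet or Computer One."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real telemetry). Field names are an assumption
# loosely modelled on AWS CloudTrail; 'country' is assumed to be added by GeoIP
# enrichment before events reach this script.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T08:02:11Z", "user": "alice", "event": "ConsoleLogin",      "ip": "203.0.113.10", "country": "AU"},
    {"time": "2025-03-01T08:05:40Z", "user": "alice", "event": "ListBuckets",       "ip": "203.0.113.10", "country": "AU"},
    {"time": "2025-03-02T09:14:02Z", "user": "alice", "event": "ConsoleLogin",      "ip": "203.0.113.10", "country": "AU"},
    {"time": "2025-03-02T09:20:17Z", "user": "alice", "event": "GetObject",         "ip": "203.0.113.10", "country": "AU"},
    {"time": "2025-03-02T11:00:00Z", "user": "bob",   "event": "ConsoleLogin",      "ip": "198.51.100.7", "country": "AU"},
    {"time": "2025-03-02T11:03:25Z", "user": "bob",   "event": "DescribeInstances", "ip": "198.51.100.7", "country": "AU"},
    # --- events after the baseline cutoff ---
    {"time": "2025-03-10T03:41:09Z", "user": "alice", "event": "ConsoleLogin",      "ip": "192.0.2.55",   "country": "RO"},
    {"time": "2025-03-10T03:42:30Z", "user": "alice", "event": "ListBuckets",       "ip": "192.0.2.55",   "country": "RO"},
    {"time": "2025-03-10T03:44:51Z", "user": "alice", "event": "CreateAccessKey",   "ip": "192.0.2.55",   "country": "RO"},
    {"time": "2025-03-10T03:46:12Z", "user": "alice", "event": "AttachUserPolicy",  "ip": "192.0.2.55",   "country": "RO"},
    {"time": "2025-03-10T09:00:00Z", "user": "bob",   "event": "ConsoleLogin",      "ip": "198.51.100.7", "country": "AU"},
    {"time": "2025-03-10T09:05:00Z", "user": "bob",   "event": "DescribeInstances", "ip": "198.51.100.7", "country": "AU"},
]

BASELINE_CUTOFF = datetime(2025, 3, 8, tzinfo=timezone.utc)  # learn before, evaluate after
LOGIN_EVENTS = {"ConsoleLogin"}  # event names treated as interactive sign-ins

def parse_time(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_baseline(events, cutoff):
    """Per user: countries seen at sign-in and API names invoked before the cutoff."""
    countries = defaultdict(set)
    apis = defaultdict(set)
    for e in events:
        if parse_time(e["time"]) >= cutoff:
            continue
        if e["event"] in LOGIN_EVENTS:
            countries[e["user"]].add(e["country"])
        else:
            apis[e["user"]].add(e["event"])
    return countries, apis

def detect(events, cutoff=BASELINE_CUTOFF):
    """Findings for post-cutoff events that deviate from the baseline.

    A sign-in from a country the user has never signed in from is flagged, as is
    any API action the user has never called (each new action reported once per
    run). An identity with no baseline at all, such as a newly created account,
    is therefore flagged on its first activity."""
    countries, apis = build_baseline(events, cutoff)
    findings = []
    for e in events:
        if parse_time(e["time"]) < cutoff:
            continue
        user = e["user"]
        if e["event"] in LOGIN_EVENTS:
            if e["country"] not in countries[user]:
                findings.append({
                    "user": user, "time": e["time"], "type": "unusual_login_location",
                    "detail": f"{e['country']} from {e['ip']}; baseline {sorted(countries[user])}",
                })
        elif e["event"] not in apis[user]:
            findings.append({"user": user, "time": e["time"], "type": "first_seen_api", "detail": e["event"]})
            apis[user].add(e["event"])
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']:6} {f['type']:24} {f['detail']}")
```

On the sample data the only findings are for alice: a sign-in from a country outside her baseline, followed by two IAM actions she has never invoked. The combination (new location, then privilege-related API calls within minutes) is the multi-stage pattern the report describes, and it is the sequence rather than any single event that should drive an alert.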

AI-Enabled Cybercrime Is the New Frontier

AI-driven tools allow those without technical knowledge to run wide-reaching, convincing phishing campaigns. The most commonly used of these tools are:

  • DeepFaceLab and Faceswap: generate realistic videos to bypass biometric facial recognition software.
  • FraudGPT and WormGPT: restriction-free production of convincing phishing emails, fake business communications and fraudulent legal documents.
  • BlackmailerV3: scrapes personal and corporate data to populate blackmail emails; primarily used in CEO fraud attempts, false legal threats and sextortion scams.
  • AI-generated phishing pages (EvilProxy, Robin Banks): mimic legitimate login portals to steal credentials for banking, cloud services, and enterprise platforms. Some can compromise MFA-protected credentials.
  • ElevenLabs and Voicemy.ai: clone voices for vishing (voice phishing), deepfake scam calls, or bypassing voice authentication systems.
  • AI-powered social engineering bots (Goose, Telegram fraud bots): impersonate customer support to obtain sensitive information such as access credentials or financial details.

Most of these tools rely on common social-engineering tactics. Counter them by ensuring your organisation’s frontline staff maintain strong data governance, accompanied by regular cyber-security training.

Ransomware Groups Are Fragmenting but Still Effective

Thirteen new ransomware groups emerged, yet four major groups still accounted for 37% of observed attacks. The most targeted sectors were manufacturing (17%), business services (11%), construction (9%) and retail (9%).

The ability to purchase infostealers for as little as $150, or to automate sophisticated exploit kits, lowers the barrier to entry for cybercriminals and means ransomware remains a persistent threat.

What This Means for Your Organisation

Cyber-attacks are faster, broader, and more automated than ever. The best defence lies in reducing the opportunities attackers can use.

At a minimum you should always:

  • Keep systems patched and limit exposed services
  • Strengthen identity security and rotate credentials
  • Review IoT and cloud deployments for misconfigurations
  • Monitor for unusual login behaviour and new API activity

A Managed Services Provider, such as Computer One, provides consistent visibility, disciplined maintenance, and expert support to significantly reduce the likelihood and impact of an attack on your organisation.

If you’d like help improving your security posture or would like a deeper assessment of your environment, visit our website or call 1300 667 871.

© 2026 Computer One Australia.