Fortinet Global Threat Report 2025

Keypoints

– The report is structured into sections covering attack phases such as reconnaissance, initial access, post-exploitation, cloud threats, and adversary analysis, each detailing evolving tactics, tools, and attacker behaviors. – Reconnaissance efforts surged in 2024 with billions of automated scans weekly, targeting protocols like SIP, RDP, and industrial systems, facilitated by tools such as SIPVicious, Nmap, and Nessus. – Attackers leverage AI to enhance phishing, impersonation, and evasion tactics, deploying deepfakes, AI-generated malware, and sophisticated social engineering bots, significantly scaling threat operations. – Exploitation volume remained high, with over 97 billion attempts, exploiting vulnerabilities like CVE-2024-21887 within days of disclosure, especially targeting IoT devices, VPNs, and legacy systems. – Post-exploitation activities focus on stealthy lateral movement, privilege escalation, and command & control channels, utilizing tools like Trickbot, Cobalt Strike, and encrypted C2 via DNS and SSL. – Cloud attacks increasingly exploit misconfigurations, stolen credentials, and APIs, with 70% of breaches involving unusual login activity, highlighting the need for zero-trust and proactive identity management. – The threat landscape continues to evolve with expanding ransomware groups, sector targeting in manufacturing, retail, and government, and persistent nation-state activities, emphasizing the necessity for comprehensive, adaptive defense strategies.