Threat Predictions 2025: An Attacker’s POV


It's that time of year again when security and threat predictions for the year to come are being discussed. Usually, these predictions are written from the viewpoint of defenders. As we enter 2025, a year expected to bring sweeping changes such as the explosion of attack surfaces and the maturation of cloud, Gen AI and more, it is imperative to assess security threats from multiple perspectives.

As an offensive-first cybersecurity company, we routinely operate in the dark corners of the threat landscape and see things from an attacker’s perspective, which allows us to form a holistic security approach. The threat predictions covered here reflect this philosophy and the anecdotal findings from our offensive security projects, including exposure assessment and adversarial validation efforts at global organizations; they therefore represent the views of our experts who have been in the trenches. We also wondered: why should only defenders have all the fun sharing their views? Wouldn't it be great if a security company could share things from the adversarial point of view? So here we are, with a few handpicked threat predictions for 2025, as seen and "liked" by a modern attacker. Enjoy!

1.   Zero-days will continue to have more news value, but attackers will always ‘love’ exploiting their favorite vulnerabilities!

In recent times, zero-day vulnerabilities have captured media attention, often portrayed as catalysts of catastrophic cyber-attacks and data breaches. While these undisclosed flaws certainly warrant concern, since they can be exploited before patches are released, attackers always prefer targeting known vulnerabilities, which remain their tried and tested tricks. These familiar weaknesses, such as unpatched systems or outdated software, offer a more reliable and accessible avenue for exploitation, up to and including full system takeover. From a threat actor’s POV, developing a zero-day is not only expensive but time consuming too. Even as “cybercrime-as-a-service” continues to flourish, cyber baddies find it obviously more rewarding to exploit publicly known vulnerabilities, particularly those with critical impact, because this gives them a low-cost yet high-impact attack arsenal which they can use for a considerably long time.

A recently updated cybersecurity advisory from CISA (the Cybersecurity and Infrastructure Security Agency) makes it evidently clear how frequently cyber attackers exploit known vulnerabilities to their advantage.

As a result, organizations should focus not only on defending against zero-days but also on maintaining robust security hygiene, such as regular updates and patch management, to mitigate the risks posed by these well-known vulnerabilities.
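The patch-management point above becomes actionable once a scanner's CVE findings are ranked by whether CISA has already seen them exploited. The script below is an added example, not code from this article or from Infopercept: it cross-references a host inventory against a catalogue laid out like the CISA Known Exploited Vulnerabilities (KEV) JSON feed and orders findings by urgency. The catalogue, host names and CVE ids are all constructed placeholders; only the field names mirror the real feed.

```python
"""Cross-reference a scanner's CVE findings against a CISA KEV-style catalogue.

Added example; this is not code from the article or from Infopercept. The
catalogue below is a constructed sample that only mimics the layout of the real
KEV JSON feed (a "vulnerabilities" list whose entries carry cveID,
vendorProject, product, dueDate and knownRansomwareCampaignUse). The CVE ids
and host names are placeholders.
"""
import json
from datetime import date

# Constructed stand-in for the KEV feed; the real feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_JSON = """{
  "title": "constructed sample, not the real catalogue",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dueDate": "2024-11-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Portal",
     "dueDate": "2024-12-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Agent",
     "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed inventory: host -> CVE ids reported by a vulnerability scanner.
INVENTORY = {
    "dmz-gw-01": ["CVE-0000-0001", "CVE-0000-0099"],
    "app-portal-02": ["CVE-0000-0002", "CVE-0000-0003"],
    "workstation-17": ["CVE-0000-0099"],
}


def load_kev(raw_json):
    """Index the catalogue by CVE id for O(1) lookups."""
    return {entry["cveID"]: entry for entry in json.loads(raw_json)["vulnerabilities"]}


def classify(cve, kev, today):
    """Return (rank, label); a lower rank means patch sooner."""
    entry = kev.get(cve)
    if entry is None:
        return 3, "backlog"                # known CVE, no evidence of exploitation
    if entry.get("knownRansomwareCampaignUse") == "Known":
        return 0, "KEV+ransomware"         # exploited, and used to deploy ransomware
    if date.fromisoformat(entry["dueDate"]) < today:
        return 1, "KEV overdue"            # past CISA's remediation due date
    return 2, "KEV"                        # exploited in the wild, still inside due date


def prioritise(inventory, kev, today_iso):
    """Flatten the inventory into (host, cve, label) rows ordered by urgency."""
    today = date.fromisoformat(today_iso)
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            rank, label = classify(cve, kev, today)
            rows.append((rank, host, cve, label))
    rows.sort()
    return [(host, cve, label) for _, host, cve, label in rows]


if __name__ == "__main__":
    for host, cve, label in prioritise(INVENTORY, load_kev(KEV_JSON), "2025-01-01"):
        print(f"{label:15} {host:15} {cve}")
```

In practice the `KEV_JSON` string is replaced by the downloaded feed and `INVENTORY` by the scanner export; the ordering puts ransomware-linked and overdue KEV entries ahead of the ordinary CVE backlog, which is exactly the set of "favourite" vulnerabilities the section says attackers keep returning to.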

However, as global businesses accelerate digital transformation, moving more things to the cloud, adding more apps and driving greater convergence of IT and OT, finding more vulnerabilities is becoming only more lucrative for cyber criminals, and 2025 is likely to witness a further rise in such attacks.

Infopercept offensive project findings: In more than 90% of projects, our experts were able to infiltrate client infrastructure using known exposures, including vulnerabilities and configuration errors, in both internal and external attack surfaces.

2.   For attackers, it's not about launching the next ransomware attack. They have their eyes on the prize - and it is the likely rise in ransomware attack scenarios.

As the technology landscape advances and more things connect to the internet, security negligence remains a critical issue that can lead to an increase in ransomware attacks. System misconfigurations are one such example; they may create vulnerabilities that cybercriminals can use as backdoors. Moreover, when these systems are not regularly updated or patched, they become easy targets for attackers who take advantage of known vulnerabilities. Similarly, the absence of multifactor authentication creates another layer of risk, since it allows unauthorized access with minimal effort.

One of the largest ransomware attacks in recent times, at Change Healthcare in the United States, is a case in point. It is believed to be the largest data breach ever reported in the US, compromising the protected health information of more than 100 million Americans. The scenario that led to this extensive ransomware attack has been heavily criticized as 'egregious negligence': attackers used stolen credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops, which did not have multifactor authentication turned on! Chances are that other verticals and businesses will suffer from similar or different forms of security negligence as they embrace modern tech without keeping their SecOps in step.

Another risk comes from the growing adoption of AI by businesses across verticals. While AI augurs well for business, it also represents a novel opportunity for cyber criminals to create more compelling phishing, smishing and Business Email Compromise (BEC) threats. Therefore, prioritizing robust security practices is crucial to mitigating the risk of ransomware threats. Only through threat exposure management that extends beyond basic security hygiene and posture correction can a business reduce the number of scenarios that could lead to a data breach.
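The Change Healthcare scenario, a remote-access portal accepting stolen credentials with no second factor, is the kind of gap that shows up in authentication logs long before it becomes a breach. Below is an added example (not code from the article or Infopercept) that runs simple detection logic over constructed login events: it alerts on every successful login to an internet-facing application where no MFA was recorded, and reports how much of the successful remote-access traffic actually used a second factor. The log format, field names (`app`, `result`, `mfa`, `src`) and the list of remote-access applications are assumptions to be mapped onto a real portal's logging.

```python
"""Detect successful remote-access logins that completed without a second factor.

Added example; not code from the article or from Infopercept. The log lines are
constructed in a generic key=value format, and the field names (app, result,
mfa, src) and the set of internet-facing applications are assumptions you
would map onto your own portal's logging.
"""
import re

# Constructed sample events, one per line (timestamp first, then key=value pairs).
SAMPLE_LOG = """\
2025-01-05T08:01:12Z app=remote-portal user=jsmith result=success mfa=totp src=198.51.100.10
2025-01-05T08:03:40Z app=remote-portal user=contractor7 result=success mfa=none src=203.0.113.45
2025-01-05T08:04:02Z app=remote-portal user=guest result=failure mfa=none src=203.0.113.45
2025-01-05T08:10:55Z app=intranet-wiki user=mlee result=success mfa=none src=10.0.4.12
2025-01-05T08:15:19Z app=remote-portal user=svc-backup result=success mfa=none src=203.0.113.46
2025-01-05T08:20:07Z app=remote-portal user=akhan result=success mfa=push src=198.51.100.22
"""

# Assumption: these applications are reachable from the internet and must require MFA.
REMOTE_ACCESS_APPS = {"remote-portal"}

PAIR = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'ts k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(PAIR.findall(rest))
    event["ts"] = ts
    return event


def events(log_text):
    return [parse_event(line) for line in log_text.splitlines() if line.strip()]


def single_factor_remote_logins(log_text):
    """Alert on every successful login to a remote-access app with no MFA recorded.
    A missing mfa field is treated as 'none' so a logging gap cannot hide a finding."""
    return [
        (e["ts"], e["user"], e["src"])
        for e in events(log_text)
        if e.get("app") in REMOTE_ACCESS_APPS
        and e.get("result") == "success"
        and e.get("mfa", "none") == "none"
    ]


def mfa_coverage(log_text):
    """Fraction of successful remote-access logins that used a second factor: a
    quick check of whether MFA is actually enforced rather than merely available."""
    successes = [e for e in events(log_text)
                 if e.get("app") in REMOTE_ACCESS_APPS and e.get("result") == "success"]
    if not successes:
        return None
    with_mfa = sum(1 for e in successes if e.get("mfa", "none") != "none")
    return with_mfa / len(successes)


if __name__ == "__main__":
    for ts, user, src in single_factor_remote_logins(SAMPLE_LOG):
        print(f"ALERT {ts} user={user} src={src} reached remote access without MFA")
    print(f"MFA coverage on remote-access logins: {mfa_coverage(SAMPLE_LOG):.0%}")
```

The coverage figure is the useful number for a posture review: anything below 100% on an internet-facing portal means the control is optional for some accounts (service accounts and contractors in the sample), which is the loophole the section describes.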

Infopercept offensive project findings: In over 50% of Red Ops and offensive exercises we conducted this year for customers across verticals, our Red Team members could have successfully launched a ransomware attack had they been real attackers! From weak authentication and poor configuration to compromised credentials, Infopercept’s offensive experts found multiple scenarios that could easily lead to a massive data breach or a damaging ransomware attack, causing huge financial, reputational and regulatory damage.

3.   DevSecOps awareness will grow but attackers are loving the way app appetite is likely to spiral out of security control!

In spite of the buzz around DevSecOps and how it is becoming a standard security practice, businesses are likely to face several security concerns given the pace at which AI and low-code/no-code tools are accelerating application development and deployment on cloud infrastructure. While these technologies are necessary, over-reliance and security negligence can have major implications. Today, when both IT and security teams feel overwhelmed by the ever-growing volume of alerts, logs and incidents, it is natural to see value in automation; however, over-reliance on automation without human judgement, instinct and expertise can create security compromises.

Both B2B and B2C organizations are increasingly driving their enterprises with app-driven business ecosystems, particularly in the healthcare, financial services and banking verticals. Each vertical can have multiple product or service streams, each with a dedicated app that has both a web and a mobile instance. This explains the scale and magnitude of the potential risk, which may also invite a large burden of regulatory compliance violations. This burgeoning “appetite” is likely to be among the prime targets of cyber criminals, who see a very lucrative attack vector in build pipelines and app infrastructure.

Now, an interesting topic is emerging to rescue this ailing situation: "hyper automation". However, it needs to be remembered that hyper automation only represents a complex interaction of multiple technologies and can be prone to various risks. The State of the Connected World 2023 report by the World Economic Forum reveals that only 4% of organizations are confident that users of connected devices and related technologies are protected against cyberattacks. This speaks volumes about how porous and vulnerable today’s app-driven digital ecosystem is.

4.   Businesses will continue to productize and utilize Gen AI. And attackers will weaponize.

Businesses across verticals are increasingly embedding Gen AI in their applications and digital infrastructure to reap the benefits of speed and automation. Interestingly, attackers have just as much to gain from Gen AI, both in terms of speed/automation and accuracy. Armed with this new capability, cyber criminals can launch highly tailored and targeted attacks that seem all too convincing and have a high probability of success. AI technology is identified as the top risk associated with misinformation and disinformation in the World Economic Forum's Global Risks Report 2024. Clearly, the stakes are high. Beyond this identified risk of misinformation, attackers can also find ways to manipulate Gen AI, feed it malicious prompts and alter its responses to extract sensitive information or cause a data breach. A former Gartner analyst said this on LinkedIn, sounding a warning about the abuse of Gen AI: “Generative AI has been found to be quite vulnerable to adversarial prompt injections, jailbreaks and data poisoning. It requires Generative AI Runtime Defense (GARD) be used to actively defend the large language model APIs and their use cases.”

Over the next year, as this Gen AI adoption trend proliferates and becomes entrenched, so will its security impact on the organizations that embrace the move. The new attack vector introduces an aspect of organizational vulnerability that is not yet fully understood by most people. While Gen AI has intrigued tech-savvy businesses for a long time, and now that almost everyone is on the Gen AI gravy train, in the light of these security concerns it remains to be seen whether this will be a shot in the arm or an act of shooting oneself in the foot!

5.   Cloud-centric digital transformation is set to become cloudier, thanks to increased security complexities and compliance mandates.

At this juncture, it is fair to say that cloud adoption is widespread, and as we move into 2025, everything-cloud (apps, platforms, storage, containers etc.) will become more integrated into enterprise business workflows and operations. The cloud is poised to become only more complex and layered as an attack vector. This is clearly evident from a recent report published by the Cloud Security Alliance (CSA), which outlines a number of security areas likely to be exploited or targeted by attackers. The report lists the following vulnerabilities and security weaknesses as the top threats to cloud infrastructure:

·       Misconfiguration and inadequate change control

·       Identity and Access Management

·       Insecure interfaces and APIs

·       Inadequate selection/implementation of cloud security strategy

·       Insecure third-party resources

·       Insecure software development

·       Accidental cloud disclosure

·       System vulnerabilities

·       Limited cloud visibility/observability

·       Unauthenticated resource sharing

·       Advanced Persistent Threats


Set against a Gartner estimate that more than 85% of organizations will adopt a cloud-first strategy by 2025, the report's findings become even more concerning: without cloud-native technologies and architectures, organizations are unlikely to be able to fully implement their digital strategies. The Cloud Security Alliance report emphasizes a fact that is often easily forgotten: “despite all the tech, it is still a people problem”. Human mistakes, negligence or errors, whether deliberate or unintentional, can cause serious security events. Misconfiguration and inadequate change control, for example, tops the chart of the top threats to the cloud in 2025. Automation can help only partially, and such incidents will force organizations to consider a more holistic approach beyond posture correction.
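Two of the top threats on the CSA list, misconfiguration and inadequate change control, are concrete enough to check mechanically. The following added example (not code from the article, the CSA or Infopercept) walks a set of cloud resources shaped like AWS `describe-security-groups` and `get-public-access-block` output and reports management ports open to the whole internet, buckets without full public-access blocking, and drift between the live firewall rules and an approved change-control baseline. The resource ids, rules and baseline are constructed; only the JSON field names follow the real API shape.

```python
"""Check cloud resources for the two items at the top of the CSA list:
misconfiguration (world-open management ports, buckets without public-access
blocking) and inadequate change control (rules that drifted from the baseline).

Added example; not code from the article, the CSA or Infopercept. The data
below is constructed to resemble the shape of AWS describe-security-groups and
get-public-access-block output; resource ids and the baseline are assumptions.
"""

ADMIN_PORTS = {22, 3389, 5985, 5986}          # SSH, RDP, WinRM
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed security groups in describe-security-groups shape.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1",                   # all protocols and ports: no FromPort/ToPort
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

# Constructed buckets -> public access block configuration.
BUCKETS = {
    "corp-logs": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "marketing-assets": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                         "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
}

# Change-control baseline: every approved (group, proto, from, to, cidr) rule.
BASELINE = {
    ("sg-0aaa", "tcp", 443, 443, "0.0.0.0/0"),
    ("sg-0aaa", "tcp", 443, 443, "::/0"),
    ("sg-0bbb", "tcp", 22, 22, "203.0.113.0/24"),
    ("sg-0bbb", "tcp", 3389, 3389, "203.0.113.0/24"),   # approved but never deployed
}


def rule_tuples(groups):
    """Flatten nested describe-security-groups output into comparable tuples."""
    rules = set()
    for g in groups:
        for perm in g["IpPermissions"]:
            proto = perm["IpProtocol"]
            lo = perm.get("FromPort", 0)       # absent when IpProtocol is "-1"
            hi = perm.get("ToPort", 65535)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                rules.add((g["GroupId"], proto, lo, hi, cidr))
    return rules


def world_open_admin_ports(groups):
    """Rules that expose a management port (or everything) to the whole internet."""
    hits = []
    for gid, proto, lo, hi, cidr in sorted(rule_tuples(groups)):
        if cidr in WORLD and (proto == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS)):
            hits.append((gid, proto, lo, hi, cidr))
    return hits


def buckets_without_full_public_block(buckets):
    """Buckets where any of the four public-access-block flags is switched off."""
    return sorted(name for name, cfg in buckets.items() if not all(cfg.values()))


def drift(groups, baseline):
    """(live rules that were never approved, approved rules that are missing)."""
    live = rule_tuples(groups)
    return sorted(live - baseline), sorted(baseline - live)


if __name__ == "__main__":
    print("world-open admin ports:", world_open_admin_ports(SECURITY_GROUPS))
    print("buckets lacking public-access block:", buckets_without_full_public_block(BUCKETS))
    unapproved, missing = drift(SECURITY_GROUPS, BASELINE)
    print("unapproved rules:", unapproved)
    print("approved but missing:", missing)
```

The drift check is the change-control half: an "all traffic from anywhere" rule on a legacy group is a misconfiguration, but a rule that is live without a matching baseline entry is also evidence that changes are landing outside the approval process, which is what the report means by inadequate change control.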

Infopercept offensive project findings: This could be a real shocker: nearly 100% of our offensive findings revealed one common loophole in clients’ cloud infrastructure and multi-cloud setups, and it relates to misconfigurations and sub-optimal security setup.

6.   Dark web treasure chest will expand

Cybercrime-as-a-Service (CaaS) is already a thriving marketplace on the dark web with several segments beneath it, including Ransomware-as-a-Service, Phishing-as-a-Service, DDoS-as-a-Service etc. This trend will only become bolder and more buoyant as threat actors cast a wider net in 2025. With an ever-expanding attack surface and a growing list of vulnerabilities, including exposed credentials and cloud secrets, the dark web will witness an absolute frenzy. Attackers will also have an opportunity to further enhance their CaaS offerings with Gen AI and automation.

Infopercept offensive project findings: Attackers often turn to Cybercrime-as-a-Service offerings such as access brokers to make breaching a target network a tad easier. But what if they hit the jackpot through the dark web, making the entire cyber heist absolutely effortless? Interestingly, Infopercept’s offensive experts were able to locate access credentials for more than 60% of customers on the dark web, and hence did not need to perform IP address spoofing or phishing to obtain the keys to the castle. This is alarming evidence of how easy it is for attackers to gain access to sensitive credentials when dark web monitoring is not accounted for.
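Dark web monitoring has a practical catch: checking whether a credential appears in a leak corpus must not itself leak the credential to the monitoring service. The k-anonymity range query popularised by Have I Been Pwned solves that by sending only the first five hex characters of the SHA-1 hash and matching the remainder locally. The script below is an added example, not code from the article or Infopercept; the breach corpus is a small constructed list, and `range_query` stands in for the remote service so everything runs offline.

```python
"""Check a credential against a breach corpus without revealing the credential:
the k-anonymity range query used by services such as Have I Been Pwned.

Added example; not code from the article or Infopercept. The breach corpus is a
small constructed list standing in for a real leak feed, and range_query
simulates the remote service locally so the script runs offline.
"""
import hashlib
from collections import Counter

# Constructed "leaked" passwords, as a monitoring service would have ingested them.
CONSTRUCTED_CORPUS = ["password", "password", "Winter2024!", "letmein", "admin123"]


def sha1_hex(secret):
    """Upper-case hex SHA-1, the encoding the range API works with."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Group hashes by their first 5 hex chars: prefix -> Counter({suffix: count})."""
    index = {}
    for digest in (sha1_hex(p) for p in corpus):
        index.setdefault(digest[:5], Counter())[digest[5:]] += 1
    return index


def range_query(prefix, index):
    """Stand-in for the remote API: given a 5-char prefix, return every matching
    suffix with its count. Roughly 1/16^5 of all hashes share a prefix, so the
    service learns the bucket but not which hash the client is interested in."""
    return dict(index.get(prefix, {}))


def exposure_count(secret, index):
    """How many times the secret appears in the corpus; only the prefix is sent."""
    digest = sha1_hex(secret)
    return range_query(digest[:5], index).get(digest[5:], 0)


def exposed(secret, index):
    return exposure_count(secret, index) > 0


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_CORPUS)
    for candidate in ["password", "letmein", "not-in-any-leak-9f3Q!"]:
        print(f"{candidate!r}: seen {exposure_count(candidate, idx)} time(s)")
```

The same pattern works for a self-hosted corpus of leaked credentials gathered from dark web monitoring: the monitoring team holds the index, and internal systems can screen new passwords or service-account secrets against it without ever shipping the plaintext or the full hash across the boundary.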

7.   They’re going to get high on Low-Code, No-Code. And we can’t wait to drill holes!

The IT industry has come to rely heavily on CI/CD pipeline automation and on low-code/no-code (LCNC) tools, baking security into apps via DevSecOps. Even though this templatized approach with an intuitive drag-and-drop interface has made the process much faster and less iterative, it remains susceptible to errors and loopholes such as vulnerable components, data leakage, account impersonation by an adversary, security misconfiguration etc. In the wake of unprecedented security complexity and plurality of things, the need for business-led application development, testing and product engineering has never been more pressing. Businesses and IT teams considering low-code/no-code need to understand the key challenges involved and find ways to overcome these limitations. Unfortunately, this is not happening, and the increased use of LCNC is yet another opportunity for attackers, who can fly below the radar by exploiting unknown vulnerabilities in such technologies. Business productivity and automation do matter, but the need of the hour is to ensure this is not happening at the expense of organizations’ security, compliance and data privacy. There will be an increase in LCNCs and related automation technologies in 2025. Until organizations' security and technology leaders work together to use LCNC to build security applications tailored to their unique business models, risk appetite and threat exposure management program objectives, attackers will have many opportunities to penetrate their systems using LCNC.

8.   Attackers likely to benefit from escalating cyber tug of war

Even as technology advances and cyber risk becomes more pressing, security leaders, CISOs in particular, will continue to face a never-ending cyber tug of war. The latest global risk report highlights how modern businesses are operating in an ocean of risks. And despite the fact that cyber risk emerges among the top risks presenting a material crisis, the security gatekeepers will have to brace for some more challenges. The immediate challenge arises from the way expectations of the CISO function are changing, both for the organizations they represent and for regulators. Shifting from a technical role to owning the responsibility for managing an organization’s broad threat exposure and risk management, particularly when the global macroeconomic forecast is highly uncertain and cyber adversaries represent a serious threat, CISOs have a lot on their plate. As disruptive technologies and tool sprawl enlarge the attack surface and add more vulnerabilities, both known and never-seen-before, their struggle is only going to get worse with fewer resources, constant internal conflict over ownership of incident resolution, and the fight for rightful proximity to and influence on top leadership. Moreover, as cybersecurity grows more complex, the skills shortage only turns more persistent. All of these together represent a more rewarding opportunity for cyber baddies.

Infopercept offensive project findings: The security experts at Infopercept often witness this scenario, sadly at large and mission-critical businesses, where IT and security infrastructure are not coordinated effectively, regardless of best-in-class security solutions. As a result, we have seen how various risks and vulnerabilities reported at the start of a quarter keep resurfacing in subsequent findings as 'unresolved', revealing the sorry state of conflict between business, IT and cybersecurity.


