Video: Mid-Year Cyber Intelligence Brief: 2025 Threats & Trends | Duration: 2708s | Summary: Mid-Year Cyber Intelligence Brief: 2025 Threats & Trends | Chapters: Introduction and Welcome (32.03s), Evolving Cybersecurity Threats (131.605s), AI Security Challenges (403.63s), Identity-Based Threat Rise (775.04s), Ransomware Landscape Evolution (1176.805s), Hybrid Environment Threats (1502.6101s), Security Breach Case Studies (1639.9801s), Podcast Announcement Conclusion (2327.9849s)
Transcript for "Mid-Year Cyber Intelligence Brief: 2025 Threats & Trends":
Okay. We are live. Hello, everyone, and welcome to today's session. My name is David Contreras. I'm the global campaign manager at LastPass, and I'll be your host for today. Before we begin, I just wanted to walk you through a few housekeeping notes. This session is being recorded and will be available on demand. We'll send you the recording within the next twenty-four hours or so. We have a lot of content to cover today, but please feel free to drop your questions in the chat, and we'll make sure to address them as soon as we can. And lastly, please don't forget to complete the exit survey at the end of the presentation. I would really appreciate your feedback. Today, we are joined by my colleague, Stephanie Schneider, from the TIME team. She is gonna walk us through some of the key predictions that the TIME team made at the beginning of the year and how they played out so far. In the context of that, she's gonna walk us through some real case studies, and she's gonna be doing an analysis of the trends that the TIME team has observed, which is gonna be the guiding principle for the rest of the year. Lastly, please be sure to stay until the end of the presentation because we have some exciting news to share with everyone. Without any further delay, I'll invite my colleague Stephanie to join us. Stephanie, thank you so much for being here today. We have hosted a few of these sessions in the past, but for those in the audience who may not be familiar with you or with the TIME team, could you start maybe by telling us a little bit about yourself and your role? And with that, please take it away. Thanks so much, David. And good morning, good afternoon, everybody. I'm Stephanie Schneider with the TIME team, which stands for Threat Intelligence, Mitigation and Escalation.
So our team is focused on really protecting our community by monitoring for, analyzing, and mitigating threats that are targeting our customers as well as our company and our broader industry. Across the team, we have nearly fifty years of intelligence and cyber experience, and our goal within LastPass is really to provide timely, actionable intelligence to stakeholders that allows our security teams to protect our customers, their data, and the company. That's just a little bit about what we do here, which is a great segue into some of the trends and activity that we've been tracking. So at the end of 2024, you may have joined us for that webinar or read our blog post, but we made several threat predictions, and we've continued to monitor these trends throughout the year, really just keeping a finger on the pulse, making sure that we're aware of the threats and how those are evolving. For today's webinar, we wanted to focus on a few of those key trends, revisit them, and see where they're at, as we just passed about midway through the year. So the first one that we'll talk about is the use of AI and related technologies, which we said would continue to evolve, with LLMs and deepfakes combining to power fraud and account takeover attacks. And we have seen so far to date that hackers are increasingly using AI to really enhance their campaigns. They're using methods like creating deepfake content and crafting sophisticated phishing emails. So that's something that we'll dive into deeper in just a moment. Another trend is infostealers. We saw a huge increase in infostealer activity over the last few years. And although there were some major wins with law enforcement takedowns last year and continuing into this year, we're still seeing that these are an unstoppable force. They're continuing to spread and evolve to counteract defenses, and we see new groups emerging all the time.
Speaking of unstoppable forces in the cybercrime landscape, ransomware has also continued to pose a significant threat to entities of all sizes, especially small and medium-sized businesses. These groups are prioritizing their reconnaissance and their speed to increase their chances of success. And then our last prediction that we'll be looking at today is related to compromised identities in hybrid on-premises and cloud environments, which will continue to pose significant threats. We've seen these identity-driven threats targeting hybrid environments continuing to pose a really elevated risk given the expanded attack surface that they create. So now that we've got you a little bit warmed up with a preview of what we'll be diving into today, we wanted to ask this poll question to get your read on which of the following you think is the biggest risk when employees use GenAI tools like ChatGPT or Copilot at work. So if you don't mind dropping your comments, or just participating in our little poll, we would greatly appreciate it. We'd love to see your answers and where you're finding that risk is. It's getting at SaaS and AI apps, which can introduce vulnerabilities whether they're being used legitimately, with or without approval: things like vulnerabilities and software misconfigurations, data leakage. So we'll close that poll out in just a moment. Thank you for participating. Alright. I think that got a lot of good responses. So diving right in, we'll start off with AI, because everyone wants to talk about AI all the time, so that's as good a place to start as any. So this year, we're seeing an increase in activity, but also the reporting is getting so much attention, on both the upsides of AI, where people still seem very excited to use this technology to their benefit.
I mean, it's great for being more efficient, and it's used in a variety of positive ways. But on the flip side, it also introduces a lot of vulnerabilities. For instance, we'll talk about McDonald's AI hiring robot that recently caused a data breach. And so there's just a lot of malicious use of AI as well. AI now generates the majority of spam and malicious emails. In a report by Barracuda, who collaborated with Columbia University and the University of Chicago, researchers analyzed spam emails from back in February 2022, when ChatGPT first appeared on the scene, up until April, and they found that over half of malicious and spam emails are now generated using AI tools. Now this could be due to a few factors. It's kind of hard to say, but one possible explanation is the launch of new AI models that are used by attackers, or maybe changes in the types of spam emails that are sent by attackers. So we knew that AI would likely lead to this increase, and now we're already starting to see that in effect, and this increase in AI-generated malicious emails will probably continue throughout the rest of the year. AI is also making threat actors more effective. They are able to bypass traditional security measures, like getting around email detection systems. Part of that is that they're able to mimic real-life people. They're making fewer errors in their campaigns or in their grammar. So they're really able to harness this to do a range of malicious activity. Deepfake technology is another area where this has become more accessible and affordable. Cybercriminals are now using inexpensive services, similar to phishing-as-a-service, where it's super easy to use and implement.
And we've seen that know-your-customer bypass seems to be really the biggest application for deepfake creation, likely because it allows cybercriminals to open anonymous crypto exchange accounts they can use to launder money, so it's very profitable for them. Also, an interesting aspect to this is foreign-developed AI tools, which we've seen coming out over the last year or two, and further back. I have to preface this because this is from a biased, Western-centric view, but these tools can pose a potential national security threat, like China's DeepSeek. They recently were in the hot seat, with the Czech Republic recently issuing a formal warning that they feel DeepSeek is a national security risk, and other countries have banned it, like Italy, India, Canada, South Korea, I believe, and more. Basically, they found that the DeepSeek chatbot is collecting all the content that a user is providing, then storing it and making it accessible to the Chinese government. And interestingly, they're also storing that information in China. So this is all part of this concern around data sovereignty, privacy, and the potential espionage risk of bad actors misusing information that people feed these tools. Also, thinking back to the poll question, there are some insights into risks associated with the use of AI that I included here, on the chart to the right. So 72% of GenAI logins occur via personal identities. They circumvent established corporate security controls and present significant access management challenges. Also, 60% of corporate account logins to GenAI tools lack single sign-on, which creates vulnerabilities that attackers can exploit. And only 11% of GenAI connections utilize fully secured corporate identities with enforced SSO, which highlights this area for security improvement.
Looking ahead on the horizon as far as AI is concerned, we're looking at AI agents, which Gartner claims could accelerate the time it takes threat actors to take over accounts by 50%. So this is looking a few years out, but this is such a quickly developing space, and one where we'll certainly continue to keep a close eye on the related threats. Our next trend is looking at the rise of identity-based threats and stealers. Identity-based attacks are one of the most effective ways that hackers can gain initial access, so no surprise. This is something that we see too, because it's a lot easier to get access via exposed credentials, for instance, and just log in, rather than trying to find another way and burn resources, time, things like that. So according to eSentire, identity-driven threats increased over 150% between 2023 and 2025, and they now represent almost sixty percent of all confirmed threat cases during Q1 of 2025. Within the identity-driven threats, infostealers are a huge cornerstone of cybercrime in 2025. They really enable these devastating follow-on attacks like ransomware, for example. And attackers are increasingly using stealthier tactics like infostealers to steal credentials. In fact, nearly 50% of all cyberattacks led to stolen credentials or data in 2024. There's this general shift towards browser-based threats, including info-stealing malware delivered directly through compromised browsers, in part because it bypasses traditional email filters, so it's effective. And we see phishing remain a primary delivery mechanism, and new attack vectors like ClickFix have also emerged and surged in use. ClickFix is something we've seen pop up several times so far in 2025. This basically manipulates users into executing malicious commands, but it's hidden behind a prompt that seems very innocuous.
In 2025 alone, the number of data breach events has increased more than 36% quarter over quarter, and the total number of breached records surged by over 186%. I know I just threw a lot of numbers at y'all, but basically this indicates a general shift towards more impactful breaches. So they're affecting a larger volume of personal data like emails, passwords, and credit card numbers. Also of note, small and medium-sized businesses, health care, and technology sectors are particularly vulnerable to infostealers and infostealer-powered attacks like ransomware. Verizon also put out a report that highlights another blind spot for organizations, which is the security risks posed by unmanaged or bring-your-own-device (BYOD) systems. Infostealer malware infections take advantage of this gap between enterprise control and user behavior. And what they found was that about 50% of compromised devices with corporate logins were non-managed systems. So a lot of these devices mixed personal and business credentials, which allows threat actors to pivot into corporate networks fairly easily. We've also seen a lot of exposed credentials and reporting in the news about, most recently, the 16 billion credentials that were leaked earlier this year. This is becoming pretty standard: every couple of months, there seems to be a new significant breach, and this one got a lot of media attention because 16 billion is a big number. And we wrote a blog post about this to put it into perspective. But basically, this is not anything new. The credentials were already out there, but this really does highlight the concern about what credentials are out there and how cybercriminals are using them, and there's other data in there too that stealers frequently steal, like metadata, cookies, things like that. But really this highlights the importance of using unique, complex credentials, monitoring for exposures, and taking actions like that.
But really, threat actors are just trying to take this data and use it to gain access to other systems. And what I should say also is that a lot of that 16 billion credentials number was a bit inflated, because there are likely a lot of repeat credentials. It's also a compilation of older exposed credentials as well. So stuff within there is just really not net new. I also wanted to mention a couple of changes that we saw in the stealer landscape so far this year. One of the major changes was that Lumma Stealer, which was one of the largest in market share and became a major player in the stealer landscape, was disrupted by law enforcement in May. This takedown's really a major win for law enforcement. We've seen it disrupt the initial access broker ecosystem a bit so far, but time will tell what that impact is, given the resiliency of the infostealer market. Others will likely quickly step in and fill the gaps left after the Lumma takedown, like Acreed and Vidar. Others have already stepped up and increased their share. So it's probably not going anywhere, despite those takedowns. And last but not least, looking forward to where we expect this threat to go over the next several months, we expect that attackers will likely leverage AI and automation and continue to develop more sophisticated tools that will likely further scale these attacks. Next up, ransomware. And ransomware, I should just preface, has been with us for a while, so I just wanted to highlight some of the changes that we've seen, because really, for the last several years now, ransomware has remained a significant driver of threat activity and financial losses. And we saw actually a really strong start at the beginning of 2025. This has dropped off a bit in the second quarter.
And looking back at Q1, there are a couple of reasons for this really high amount of activity we saw. First was Clop. They were a primary driver of that increase we saw, and accounted for about seventeen percent of the victims in Q1. They exploited a vulnerability in a managed file transfer application in late 2024 and have continued to actively post victims. So that kind of explains the number of victims in the beginning of the year. RansomHub was also very prolific, but they were one of those ransomware groups that were taken down, as you can see in the bullets below, along with the list of several other takedowns and arrests that occurred earlier this year. So with the takedown of and arrests of these groups, we've also seen these second-tier ransomware-as-a-service groups stepping up to fill the void. Groups like Qilin, Akira, and Play are really trying to make a name for themselves and take up that space. And here I list the takedowns and arrests. The one I wanted to highlight was the last one: these are cybercriminal groups, but that last one is DPRK, or North Korea, which has been involved in IT worker scams for a while now. And in the last year or so, the scope and scale of this threat has continued to expand. Reports came out saying that the activity increased targeting from the US to Europe, so that geographic scope has expanded. They've intensified their extortion tactics. And really the whole reason why DPRK is conducting this type of activity is that it generates revenue for the regime. It allows them to get around sanctions. And also, these North Korean operatives pose as legitimate remote workers to infiltrate companies, collect sensitive information, things like that.
In late June, the US Department of Justice announced an arrest and a crackdown on laptop farms that allegedly facilitate North Korean tech worker impersonations across the US. So another win, but that will likely not cause a huge dent in this activity. We'll probably see this continue since, like I said, that is a pretty significant source of income for the North Korean government. We also saw ransomware target a range of victims and sectors, but manufacturing came out on top. It was really a key focus throughout the first half of 2025, and there's also a significant year-over-year increase. So why manufacturing? If we think about what all depends on this sector, it makes sense. Right? Threat actors recognize that there is probably high operational pressure in this area, and there are also persistent vulnerabilities in IT networks that make them particularly susceptible to cyberattacks. I also wanted to highlight some recent activities we've seen from Scattered Spider, which has been around for a while now. They're well known for their simple but effective social engineering tactics, like targeted phishing and phone impersonations, or vishing, and we've seen them go after credentials of third-party IT providers to get initial access to systems. Recently, they've targeted major retailers, and most recently, they've pivoted to the insurance and aviation industries. And there are also indications that Scattered Spider will expand to other verticals, with researchers recently finding some 500 suspected phishing domains that appear to target manufacturing as well as medical technology, financial services, enterprise platforms, and more. So really, they're very opportunistic, and I think this is an interesting example of a ransomware group that doesn't really have sophisticated tactics, but they are very effective and opportunistic in nature.
So I wanted to highlight that recent activity that we've been tracking. Moving on to third party, or, sorry, hybrid and cloud environments. So hybrid environments combine on-prem and cloud resources, and this creates a larger attack surface. In hybrid environments, a compromised identity on either the on-prem or cloud side can lead to significant security risks, and then attackers can leverage compromised credentials to conduct various activities. They can escalate their privileges, perform lateral movement, and potentially compromise the entire infrastructure. And as companies continue to shift to this hybrid IT environment, threat actors will follow suit. Interestingly, stealers going after cloud logins are popular. This has been reflected in a relatively high volume of cloud service logins advertised in illicit markets selling stealer malware outputs. And we also have two very prolific cybercriminal groups, Black Basta and Scattered Spider, which have targeted hybrid environments. Earlier this year, there were some leaked internal chats from Black Basta that revealed that the group operates as a ransomware-as-a-service with general, repeatable techniques for mostly going after hybrid environments. Black Basta exploits hybrid access vectors, and they pivot laterally between cloud and on-prem using compromised credentials. Scattered Spider, on the other hand, primarily targets cloud environments, but has also demonstrated their ability to pivot onto hybrid infrastructure. So we'll continue to monitor for additional activities and trends. This is certainly only going to be an increasing threat vector for a variety of threat actors to take advantage of.
So next, I wanted to dive into some sector spotlights and talk about some recent case studies that we've observed: what happened, how it happened, and how you can take some preventative measures to avoid similar types of attacks. In our first case study, we're circling back to the McDonald's AI chatbot I mentioned earlier. This was a really recent data breach where the personal information of McDonald's job applicants was exposed after security researchers accessed records. Basically, it's all due to poor identity access management of a third-party vendor's administrator account. The researchers thought, hey, let's see if we can get access to this account. They tried admin as the username, and the password was 123456. So, laughably, very simple and very common usernames and passwords to try. And lo and behold, it worked, and they got access to that admin account. That account also appeared to be inactive. Its last login was in 2019, and this is really a prime target for cyberattacks, because inactive accounts like that can provide attackers with a foothold into the network to move laterally and access critical systems, as we saw here in the case of these researchers moving around and gaining access to the system. And the breach occurred through vulnerabilities in the systems operated by this AI-powered chatbot that was involved in McDonald's hiring process. So this is also interesting from the AI perspective, because as AI-powered bots get implemented to really help companies streamline the hiring process or find other efficiencies, this new technology also introduces vulnerabilities. This breach also shows how third-party AI systems can create security risks in storing and securing data.
Luckily, the researchers were the only ones who accessed that data, but the bad guys could have used that for spear phishing attacks like payroll scams, or other malicious activity. In response to the breach, Paradox AI, the provider of this AI-powered chatbot, implemented new security measures, including updated password requirements and API endpoint patches. And they're also launching a bug bounty program to identify future vulnerabilities. So some protective measures that you could take, or that McDonald's or Paradox AI could have taken, to prevent this type of attack: one, enforcing strong password guidelines and MFA. That could have been enough to protect the admin account, by not allowing something as easy as admin and 123456. And there are some really great guidelines recommended in the National Institute of Standards and Technology's proposed federal guidelines. Those guidelines are expected to be finalized later this year. But we at LastPass Labs wrote a blog post about it, going into detail about what those guidelines are. That's a great resource that you could check out. Also, password managers can help protect accounts by generating strong, unique passwords and then storing them securely in an encrypted vault. This prevents the use of weak, easily guessed passwords, ones like 123456, or your dog's name. Things like that are really easy to guess, and hackers can very easily crack them. And then also regularly review and audit credentials. So delete inactive accounts and follow the principle of least privilege to make sure that only the necessary personnel have access to sensitive data. For our next case study, we're gonna jump over to Australia. So multiple large Australian superannuation funds were hit with a credential stuffing campaign in March. And these are some of the country's largest superannuation funds.
They confirmed that some of their members' accounts were breached in these attacks. And the threat actors were trying to transfer funds over, and the success varied across the various affected organizations. Basically, to conduct this attack, the attackers took stolen credentials from stealers, which are very easy to get, and oftentimes they're for sale on the dark web for as little as $10. And then they used a botnet to plug and chug those passwords and see if users reused the same passwords across accounts. Oftentimes, unfortunately, we see that happen. And so they were able to do this credential stuffing attack. And then they also took advantage of accounts without MFA in place. And so without MFA as that extra layer of security, it was just off to the races. They plugged in the username and password, and they got access. So, again, a really simple attack, and pretty easily preventable in this case. One way to prevent this type of attack is to use complex and unique passwords. Again, using a password manager could help with this. Also enforcing MFA. It's not 100% foolproof. There are ways to bypass MFA, but it is better than nothing at all. And also credential exposure monitoring. So in these cases, likely at least some of the credentials were available for who knows how long on the dark web. So you can actually go and check, using some really great resources out there like Have I Been Pwned, if your account credentials have been compromised in data breaches. And if they are, then please change your passwords immediately. Last, for our last case study, I wanted to highlight a nation-state actor, a Russian state actor named Void Blizzard, AKA Laundry Bear. Pick your favorite name. They're both pretty great. And this group often uses stolen credentials to gain initial access and exfiltrate data from entities.
So primarily, they're going against strategic sectors in Europe, NATO countries, and the US. And there are a couple of recent campaigns. In one in April, Void Blizzard used some really direct methods to steal passwords. They sent fake emails that were designed to trick people into giving away their login information, and they went after over 20 NGO organizations in Europe and the US. Basically, for this one, hackers posed as an organizer from a European defense and security summit and then sent a spear phishing email with a fake invitation and a malicious QR code that directed to a legitimate-looking credential phishing page that spoofed the Microsoft Entra authentication page, and they took the input username and password and cookies. And that's how they got initial access. The same group was also responsible for a pass-the-cookie attack against Dutch police in 2024. The details of this came out more recently. But in September of 2024, they used a pass-the-cookie attack method. That gave them access to employee accounts, and they exfiltrated contact information of all Dutch police staff. And that access cookie was stolen with the help of an infostealer and was later purchased by Void Blizzard on the dark net. So a couple of interesting things about these activities. Right? The group's use of credentials via infostealers is of interest to us in particular. I just talked about the threats that we're tracking with stealers. And this really mirrors a growing trend where state-sponsored actors are using something as simple as infostealers for high-impact attacks. The other thing I wanted to highlight here is this pass-the-cookie attack, because this is something that we expect to see more of when we're talking about infostealer threats, as we're rolling out passkeys and integrating that into LastPass services more and more.
We see that adoption across the industry and across corporations in general. We've already seen threat actors talk about how the next step is gonna be targeting session tokens and not just password credentials. So that's why stealers are now grabbing those as well, but just highlighting that's probably where we'll see more activity as passkey adoption gets picked up. It'll be around these session tokens. So a few prevention measures just to hit on here. One, you can implement a sign-in risk policy that automatically triggers access blocks or MFA requests when suspicious sign-in attempts are detected, based on factors like an unusual location or that the attempt is coming from a different device. Also, again, MFA, MFA, MFA. We won't stop talking about that. And use phishing-resistant authentication methods like passkeys, which are harder for threat actors to fake or steal. And then lastly, endpoint security to prevent info-stealing malware and safeguard user devices. So with that, I think that's all the time I have for today. So I can pass it over to David for a very exciting announcement. Yeah. I'm back. Thank you, Stephanie, for the presentation and for sharing the insights. And so, exciting news for the audience. If you enjoyed the presentation today, and if you enjoyed the insights as well, and also if you enjoy podcasts, I'm excited to share with everyone that we are bringing the two of them together. Stephanie and Mike Kosak, as part of the TIME team, are producing a podcast series so we can share more of these insights with all of you directly, to your phones, or whatever podcasting app you use, directly to your ears. And we're still working through the details, but I have included a QR code so that you can subscribe to it.
And as soon as the first episode hits, which is gonna be shortly, you're gonna get it directly there. So, with that said, unfortunately we ran out of the time that we have scheduled for today, so we won't be able to take some of the questions that you submitted in the chat. But we are going to capture the questions and address them later on. So for the last few seconds, if you have any questions, just drop them there. I just wanted to close the presentation today. Stephanie, thank you so much for sharing this with the audience. And as part of the last question, thank you to everyone for participating today. Thank you. Thank you. Bye bye.