Knowledge base | Updated: February 5, 2026

Cyber Security Landscape 2024-2025: Evolving threats and attack vectors

Learn about the latest cyber security threats and trends for 2024-2025. The nFlo analysis will help your company prepare for the challenges ahead.

The cyber security landscape in 2024-2025 is marked by rapid change and growing complexity. Global digitization, driven by technological advances and societal shifts such as the spread of remote work, keeps opening new opportunities for innovation while creating fertile ground for increasingly sophisticated and diverse cyber threats. We are seeing not only an alarming increase in the number and scale of attacks, but also a constant evolution of the tactics, techniques and procedures (TTPs) used by cybercriminals and state actors, driven both by access to new technologies and by the changing geopolitical environment. This forces organizations around the world to take a more proactive and integrated approach to security, moving from a purely reactive incident response model toward sustainable, dynamic cyber resilience. This article analyzes the key trends, the main threats and the defense strategies that are shaping the current and future cyber environment.


What are the main evolving threats and attack vectors in 2024-2025 that organizations need to pay special attention to?

The cyber threat landscape in 2024-2025 is extremely dynamic and is characterized by both the emergence of entirely new attack vectors and significant evolution of existing ones. Technological advances, particularly in areas such as artificial intelligence (AI), the Internet of Things (IoT), and the prospect of advances in quantum computing, are creating powerful new opportunities for defense systems, but at the same time providing cybercriminals with new, more sophisticated tools. Understanding these changes, their mechanisms and potential consequences is absolutely critical to effectively planning the security strategy and protecting the digital assets of any organization, regardless of size or industry.

We are seeing a disturbing trend toward a convergence of different types of threats, leading to multi-vector attacks that are much more difficult to detect and neutralize. An example of such synergy could be the combination of advanced social engineering techniques, often personalized with AI, with the simultaneous use of malicious software (malware) also powered by artificial intelligence. Another growing problem is the exploitation of vulnerabilities in global software and hardware supply chains to launch widespread, cascading ransomware campaigns that can cripple the operations of many related entities. Artificial intelligence significantly lowers the barrier to entry for creating advanced offensive tools, allowing even less tech-savvy attackers to access powerful capabilities. These tools are then combined with traditional but still effective methods, such as phishing, to dramatically increase the effectiveness of attacks.

At the same time, growing globalization and ubiquitous digitization are increasing the complexity and interdependence of supply chains. Vulnerabilities in them have become an extremely attractive vector for large-scale campaigns: the Verizon DBIR 2025 report found that the share of breaches involving a third party doubled, from 15% to 30%. Such a complex and dynamic situation forces organizations to adopt a holistic, integrated defense strategy. Security has to be integrated across layers, from endpoint protection through network, application and data security to identity and access management, with the interdependencies between threat types taken into account. Isolated, siloed solutions for individual attack vectors are proving far from sufficient. Integrated platforms such as XDR (Extended Detection and Response) and strategies based on the Zero Trust model, which are inherently better suited to multi-stage and often covert attacks, are becoming a necessity.

📚 Read the complete guide: Ransomware - what it is, how to protect yourself, what to do after an attack

How is artificial intelligence (AI) revolutionizing the methods of cybercriminals and what new challenges does it pose to defense systems?

Artificial intelligence (AI) is fundamentally changing the cyber threat landscape, revolutionizing cybercriminals’ methods of operation and democratizing access to advanced tools and sophisticated attack techniques. AI significantly lowers the entry threshold, enabling even less tech-savvy actors to perform complex large-scale operations with unprecedented precision, speed and efficiency. One of the key areas of transformation is the generation and dynamic modification of malicious software. AI is being used to create so-called polymorphic and metamorphic malware capable of autonomously changing its code, structure and behavior to evade signature-based antivirus engines and the static indicators relied on by endpoint detection and response (EDR) platforms and other defense mechanisms. Research shows that large language models (LLMs) can be used to automatically rewrite existing malware samples, generating thousands of unique, functionally equivalent variants in a very short time. The effectiveness of such measures is alarming: in global surveys, as many as 60% of IT security experts point to AI-enhanced malware as the most worrisome AI-generated threat, and expect it to emerge at scale in the near term.

AI is also driving a new generation of sophisticated phishing campaigns, deepfake fraud and voice cloning. It enables hyper-realistic, highly personalized phishing messages that are much harder to distinguish from legitimate communications, even for trained users. Deepfake technology, which uses generative models such as generative adversarial networks (GANs) to create fake but highly convincing video and audio, and advanced voice cloning are increasingly used to impersonate trusted individuals such as board members (so-called “whaling” or “CEO fraud”), key customers or business partners. The goal is to extract confidential information, steal credentials, gain unauthorized access to systems or authorize fraudulent financial transactions. A high-profile example was the deepfake video-conference attack on the Hong Kong office of a multinational company in early 2024, in which an employee was persuaded to transfer more than $25 million. The statistics are alarming: industry reporting for 2024 recorded a 442% increase in voice phishing (vishing) attacks between the first and second half of the year, growth attributed largely to generative AI voice cloning.

Another important area in which AI supports cybercriminals is the automation of reconnaissance and vulnerability discovery. Advanced AI tools can rapidly analyze vast amounts of publicly available data (OSINT) and information from previous leaks (e.g., on the dark web), and scan a potential victim’s network resources. This allows attackers to build detailed profiles of their targets, identify weaknesses and map the target’s IT infrastructure. Moreover, AI-assisted tooling has already demonstrated the ability to find previously unknown (zero-day) vulnerabilities and, in some more advanced cases, to help exploit them, which poses a huge challenge for security teams. AI’s impact on the attack surface is therefore twofold: it refines and scales existing attack methods, making them more effective, and it creates entirely new threat vectors. Attacks can now also target the AI models themselves, for example through training data poisoning, attacks on the AI model supply chain (e.g., tampered pre-trained weights or malicious model files), or adversarial inputs crafted to manipulate or circumvent a model’s behavior.

What specific security risks does the growing number of Internet of Things (IoT) devices pose, and what are the main reasons for this?

The rapid, even exponential growth of Internet of Things (IoT) devices in almost every aspect of our lives - from consumer applications (smart homes, wearables) to industrial control systems (IIoT) to critical infrastructure (smart cities, energy, transportation) - is leading to a significant and alarming expansion of the global attack surface. Many of these devices, often designed with a focus on functionality and low cost rather than security, have alarmingly low levels of built-in security. Among the most common problems are the use of default, easy-to-guess administrator passwords, the lack of mechanisms for regular firmware updates, insufficient or completely ignored encryption of transmitted and stored data, and fundamentally weak access control and authorization mechanisms. Kaspersky’s report indicates that IoT devices are increasingly being used by cybercriminals as overlooked, poorly secured entry points into corporate networks, enabling them to bypass traditional perimeter security.

The specifics of attacks on IoT devices in critical sectors are of particular concern because of the potential catastrophic consequences. In the healthcare sector, vulnerable connected medical devices, such as remote patient vital signs monitoring systems, smart infusion pumps or pacemakers, can not only lead to the leakage of extremely sensitive patient data, but even pose a direct threat to patient health and life by manipulating the operation of these devices. In industry, attacks on Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems can result in serious disruption of production processes, damage to expensive equipment, theft of intellectual property, and in extreme cases lead to industrial disasters, environmental contamination and threats to public safety. Also, intelligent vehicles, increasingly equipped with advanced connectivity and autonomy systems, are becoming attractive targets for attacks to take control of critical vehicle functions such as steering, braking and acceleration systems.

One of the main reasons for the systemically low security level of many IoT devices is the lack of widely accepted, standardized security standards and certifications for these types of products, combined with strong market pressures known as “rush to market.” Many manufacturers, especially smaller companies or those entering the IoT market, prioritize quick time-to-market and minimizing production costs, often marginalizing or completely neglecting cybersecurity aspects at key stages of design (security by design) and development (secure development lifecycle). This results in the mass marketing of devices riddled with numerous security vulnerabilities that are often trivial to exploit. An additional problem is the long life cycle of many IoT devices, especially in industrial applications, and the difficulty of managing their updates on a large scale, leading to situations where thousands or even millions of vulnerable devices remain in use for many years without the necessary security patches.

What fundamental impact does the ongoing work on quantum computing have on current and future cyber security standards?

The development of quantum computers, while still largely at the stage of intensive research and experimentation, brings potentially revolutionary changes for the entire cybersecurity ecosystem and poses a fundamental threat to most current public-key cryptography. The strength of the most widely used asymmetric systems, such as RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography), which secure Internet communications (SSL/TLS), digital signatures and the key exchange that protects encrypted data, rests on the computational difficulty of certain mathematical problems. For RSA it is the factorization of large composite numbers into their prime factors, and for ECC it is the discrete logarithm problem on elliptic curves. A sufficiently large, fault-tolerant quantum computer running Shor’s algorithm would solve both problems in polynomial time, rendering these schemes useless. Symmetric ciphers and cryptographic hash functions are affected far less severely: Grover’s algorithm offers at most a quadratic speedup, which roughly halves their effective security level, so moving to longer keys and digests (e.g., AES-256 instead of AES-128, SHA-384 instead of SHA-256) restores the margin; password hashing schemes are affected in the same, limited way.

This danger is compounded by an attack strategy dubbed “Harvest Now, Decrypt Later” (HNDL), also called “Store Now, Decrypt Later” (SNDL). It relies on the fact that cybercriminals and state actors are already intercepting and collecting large amounts of encrypted data (e.g., government communications, trade secrets, personal data), hoping to decrypt it in the future, once quantum computers become mature, powerful and accessible enough. This phenomenon, also described as a threat to stored data with a long confidentiality lifetime, means that any data which must stay secret for longer than the expected time to a cryptographically relevant quantum computer is already at risk today. It significantly increases the urgency of adopting quantum-resistant cryptographic standards and planning their systematic rollout.

In response to these looming threats, academia and industry are vigorously developing the field of Post-Quantum Cryptography (PQC): the design and standardization of cryptographic algorithms that resist attacks by both classical computers and future quantum computers. The U.S. National Institute of Standards and Technology (NIST) plays the leading global role in this process, having run an open competition for PQC standards since 2016. In August 2024, NIST published the first finalized FIPS (Federal Information Processing Standards) for PQC: FIPS 203, ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism Standard, derived from CRYSTALS-Kyber), FIPS 204, ML-DSA (Module-Lattice-Based Digital Signature Standard, derived from CRYSTALS-Dilithium) and FIPS 205, SLH-DSA (Stateless Hash-Based Digital Signature Standard, derived from SPHINCS+). In March 2025, NIST additionally selected HQC (Hamming Quasi-Cyclic) as a fifth algorithm, a backup key-encapsulation mechanism for general encryption built on error-correcting codes rather than the lattice problems underlying ML-KEM, so that a breakthrough against lattices would not leave the ecosystem without an alternative. The HQC standard is expected to be finalized in 2027, and work continues on a standard for the FALCON signature algorithm (to be published as FN-DSA, FIPS 206). NIST and other bodies, such as France’s national cybersecurity agency ANSSI, publish detailed recommendations on the strategy and timeline for the transition to PQC. NIST recommends that organizations begin planning their migration and testing the 2024 PQC standards now. ANSSI recommends hybrid approaches during the transition period, combining a proven classical algorithm with a PQC algorithm so that security holds as long as either component remains unbroken.
A key concept in the context of this transformation is becoming “crypto-agility,” or the ability of information systems to easily, quickly and securely replace cryptographic algorithms as new standards emerge, vulnerabilities are discovered in old algorithms or threats evolve.

What are the main and most acute threats to the security of Blockchain technology and the smart contracts implemented on it?

Blockchain technology, which offers unique features such as decentralization, transparency and immutability of stored data, is gaining popularity in many sectors, from finance (cryptocurrencies, DeFi) to supply chain management and voting systems. However, despite its revolutionary potential, the technology is not free of specific risks, especially in terms of vulnerabilities in the source code of smart contracts. Smart contracts, or self-executing programs running on blockchain, automate processes and eliminate the need for intermediaries, but errors in their code can lead to irreversible and often catastrophic financial losses. Some of the most common and severe vulnerabilities of smart contracts include:

  • Reentrancy: An attacker exploits a vulnerability in a contract that allows multiple, recursive calls to a contract function before the previous execution finishes and updates the contract state (e.g., balance). This can lead to unauthorized transfer of funds or other undesirable operations. The most famous example of a reentrancy attack was the 2016 hack of decentralized autonomous organization The DAO, which led to the theft of millions of dollars worth of cryptocurrencies and the subsequent hard fork of the Ethereum network.

  • Integer Overflow/Underflow: Occurs when arithmetic on a numeric variable exceeds the maximum or minimum value its type can hold. The value then “wraps” (e.g., for an unsigned type the maximum value + 1 becomes 0, and 0 - 1 becomes the maximum), which attackers can use to manipulate balances, allowances or other critical values in the contract logic. Since Solidity 0.8, arithmetic is checked by default and reverts on overflow; contracts compiled with older versions, or code placed in unchecked blocks, remain exposed.

  • Front-Running: An attacker observes publicly visible pending transactions in the network’s transaction pool (mempool). If it spots a transaction that creates a profitable opportunity (e.g., a large buy order on a decentralized exchange that will move an asset’s price), it submits its own transaction with a higher fee (gas price) so that block producers include it first. The attacker thereby profits from the predictable price movement caused by the original transaction.

  • Oracle Manipulation: Smart contracts often rely on external data sources, called oracles, to obtain information from the real world, such as current asset prices, sports event results or weather data. If the oracle is centralized, vulnerable to manipulation or provides unverified data, an attacker can provide false information to the contract, leading to improper execution and potential losses for users. It is estimated that about half of the critical vulnerabilities in smart contracts are due to project-specific logic flaws rather than general, known classes of vulnerabilities.
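To make the reentrancy item above concrete, here is an added Python model (not code from the original article, and not Solidity or EVM code) of a vault contract with the classic bug next to a version fixed with the checks-effects-interactions order and a reentrancy guard. All class and account names are invented for the illustration: the vault’s funds stand in for a contract’s ether balance, Account.receive() for a callee’s payable fallback, and the attacker’s recursion budget for the gas limit.

```python
"""Toy model of a smart-contract reentrancy bug. Pure Python, no EVM:
'funds' stands for the contract's ether balance and Account.receive()
for the callee's payable fallback, which is where control is hijacked."""


class Account:
    """Plain wallet: receiving funds has no side effects."""

    def __init__(self, name):
        self.name = name
        self.balance = 0

    def receive(self, vault, amount):
        self.balance += amount


class VulnerableVault:
    """Interaction (external call) happens BEFORE the effect (ledger update),
    so a re-entering callee still sees its old credit."""

    def __init__(self):
        self.ledger = {}  # depositor -> credited amount
        self.funds = 0    # total held by the contract

    def deposit(self, acct, amount):
        acct.balance -= amount
        self.funds += amount
        self.ledger[acct] = self.ledger.get(acct, 0) + amount

    def withdraw(self, acct):
        owed = self.ledger.get(acct, 0)
        if owed == 0:
            raise ValueError("nothing to withdraw")
        if self.funds < owed:
            raise ValueError("vault underfunded")
        self.funds -= owed
        acct.receive(self, owed)   # control leaves the contract here
        self.ledger[acct] = 0      # too late: callee has already re-entered


class SafeVault(VulnerableVault):
    """Checks-effects-interactions order plus a mutex-style reentrancy guard."""

    def __init__(self):
        super().__init__()
        self._locked = False

    def withdraw(self, acct):
        if self._locked:                      # guard: reject nested calls
            raise ValueError("reentrant call rejected")
        owed = self.ledger.get(acct, 0)       # checks
        if owed == 0:
            raise ValueError("nothing to withdraw")
        if self.funds < owed:
            raise ValueError("vault underfunded")
        self._locked = True
        try:
            self.ledger[acct] = 0             # effects first
            self.funds -= owed
            acct.receive(self, owed)          # interaction last
        finally:
            self._locked = False


class Attacker(Account):
    """Malicious contract: its receive hook re-enters withdraw() while the
    vault still holds funds. Failed re-entries are swallowed, as a low-level
    call would do, so the outer withdrawal is not reverted."""

    def __init__(self, name, budget=16):
        super().__init__(name)
        self.budget = budget      # stands in for the gas limit
        self.reentries = 0
        self.failed = 0

    def receive(self, vault, amount):
        self.balance += amount
        if vault.funds > 0 and self.reentries < self.budget:
            self.reentries += 1
            try:
                vault.withdraw(self)
            except ValueError:
                self.failed += 1


def run_attack(vault_cls):
    """Three honest depositors and one attacker each deposit 1 unit; the
    attacker then withdraws once. Returns the attacker's net gain and what
    is left in the vault."""
    vault = vault_cls()
    victims = [Account(f"victim{i}") for i in range(3)]
    for v in victims:
        vault.deposit(v, 1)
    mallory = Attacker("mallory")
    vault.deposit(mallory, 1)
    vault.withdraw(mallory)
    return {"attacker_net": mallory.balance, "vault": vault.funds,
            "reentries": mallory.reentries, "failed": mallory.failed}


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableVault))  # attacker nets +3, vault emptied
    print("safe:      ", run_attack(SafeVault))        # attacker nets 0, vault keeps 3
```

Against the vulnerable vault the single withdraw() call fans out into three nested re-entries, each paid from the other depositors’ funds, because the ledger is only zeroed after the external call returns. In the safe vault the ledger is zeroed before the call and the guard rejects the nested call, so the attacker recovers only its own deposit.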

Other significant risks associated with blockchain technology include 51% attacks and the ever-present threat of private key theft. In networks based on the Proof-of-Work (PoW) consensus mechanism, a 51% attack occurs when a single actor or a cooperating group controls the majority of the network’s hashrate. This lets the attacker reorganize recent blocks, block confirmation of legitimate transactions and carry out so-called double spending, i.e., spending the same funds twice by reversing an already-confirmed payment. Theft of private keys, which give full control over cryptocurrency wallets and other on-chain assets, is most often carried out through traditional means: phishing, credential-stealing malware or social engineering. Because the blockchain is immutable, transactions made with stolen keys are practically irreversible.

Key defensive mechanisms in the blockchain ecosystem start with rigorous security audits of smart contract code, both manual reviews by experienced blockchain security specialists and automated static and dynamic analysis. Continuous monitoring of the network for unusual activity is also important, such as a suspicious concentration of mining power (a possible precursor to a 51% attack) or anomalous transaction patterns. When developing and deploying smart contracts it is essential to use proven, well-tested libraries, secure coding practices (the checks-effects-interactions pattern and reentrancy guards, fail-fast input validation, avoiding complex external dependencies) and appropriate access control and privilege management. Educating users on storing private keys securely and recognizing phishing attempts remains fundamental.

How are traditional, but still threatening, persistent and advanced cyber threats such as malware and social engineering evolving?

Despite the dynamic emergence of sophisticated new techniques and attack vectors, traditional cyber threats such as malware and social engineering have not only not lost their relevance, but continue to evolve, adapting to the changing technological environment and becoming more sophisticated and more difficult to combat. They remain one of the most serious and widespread risks for organizations and individual users.

Malware remains a ubiquitous threat and keeps taking on new, more diverse forms. Among the most dangerous is ransomware, which not only encrypts the victim’s data but increasingly also exfiltrates it beforehand and threatens to publish it (so-called double extortion). Other common types include spyware (which monitors user activity and steals data), viruses and worms (capable of self-replication and spreading across networks), cryptojacking (unauthorized use of a victim’s computing resources to mine cryptocurrency) and increasingly common fileless malware. The latter runs primarily in memory and typically abuses legitimate built-in tools (for example PowerShell or WMI), leaving few artifacts on disk and thus evading antivirus products that rely on scanning files. The Verizon Data Breach Investigations Report (DBIR) 2025 found ransomware present in 44% of the breaches analyzed, up from 32% the previous year. As mentioned earlier, the prospect of AI-enhanced malware capable of autonomous adaptation and detection evasion is a major concern for 60% of IT security experts.

Social engineering remains one of the most effective and widely used methods by cybercriminals. This is because these techniques take advantage of human psychology, natural tendencies, cognitive errors and lack of awareness to manipulate victims and get them to take actions contrary to their interests or the organization’s security policy. This allows attackers to bypass even the most advanced technical security. The most common forms of social engineering are:

  • Phishing: The mass sending of fraudulent e-mail, SMS (smishing) or instant messaging messages that impersonate legitimate institutions (banks, offices, courier companies) or known individuals. The goal is to phish for credentials (logins, passwords), credit card numbers or to get the victim to click on a malicious link leading to a malware-infested site.

  • Spear Phishing: A more targeted and personalized form of phishing, targeting specific individuals or small groups, often based on prior reconnaissance and collection of target information.

  • Vishing (Voice Phishing): Attacks carried out via phone calls where criminals impersonate employees of banks, tech support, law enforcement, or other trusted institutions to phish for confidential information or induce certain actions.

  • Business Email Compromise (BEC) / CEO Fraud: Sophisticated attacks targeting enterprises by impersonating executives (e.g., CEO, CFO) or key business partners. The goal is to get employees (usually from finance or accounting departments) to make urgent unauthorized bank transfers, disclose confidential business information or change contractor data. Losses from BEC attacks in 2024 alone globally reached an astronomical $6.3 billion. The Verizon DBIR 2025 analysis found that human factors, including vulnerability to various forms of social engineering, contributed to as many as 60% of all security breaches investigated.

Attacks on networks and web applications also continue unabated and remain a serious threat. Distributed Denial of Service (DDoS) attacks, aimed at overloading servers, online services or entire network infrastructures with a flood of traffic generated from many distributed sources (botnets), can cause prolonged outages and serious financial and reputational losses. The first half of 2024 saw a 25% increase in multi-vector DDoS attacks, including “carpet bombing” attacks that spread traffic across many IP addresses within a single subnet so that no individual destination crosses a per-IP mitigation threshold, which makes detection and mitigation much harder. Equally dangerous are attacks exploiting vulnerabilities in web applications, above all injection flaws such as SQL Injection (SQLi) and Cross-Site Scripting (XSS). SQL Injection inserts attacker-controlled SQL into queries sent to a database, which can lead to unauthorized reading, modification or deletion of data, or even to taking control of the database server. XSS injects malicious script that executes on the client side (in the user’s browser), which can result in the theft of session tokens or form data, or redirection to malicious sites.
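The two injection classes just described, shown as an added Python example that is not part of the original article: a login check that splices user input into SQL next to its parameterized form, and a comment renderer that interpolates raw HTML next to one that encodes output. The user table, its rows and the two payloads are constructed for the demonstration (the database is an in-memory SQLite instance; plaintext passwords are used only so the query text stays readable).

```python
"""SQL injection and XSS: vulnerable and hardened versions side by side.
Uses an in-memory SQLite database seeded with constructed sample rows."""
import html
import sqlite3


def make_db():
    """Constructed sample table standing in for an application's user store.
    Plaintext passwords keep the query logic visible; real systems compare
    salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is spliced into the SQL text, so the attacker edits the query."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the SQL, so quotes
    and comment markers in the input are just data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def render_comment_vulnerable(author, body):
    """Raw interpolation into HTML: a <script> in the body runs in every viewer's browser."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author, body):
    """Output encoding for the HTML body context turns markup characters into entities."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


# Constructed payloads. The SQLi string closes the quoted username, adds an
# always-true clause and comments out the password check.
SQLI_PAYLOAD = "' OR 1=1 --"
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo():
    """Run both payloads through the vulnerable and hardened functions."""
    conn = make_db()
    return {
        "sqli_vulnerable_rows": login_vulnerable(conn, SQLI_PAYLOAD, "wrong"),
        "sqli_safe_rows": login_safe(conn, SQLI_PAYLOAD, "wrong"),
        "xss_vulnerable": render_comment_vulnerable("mallory", XSS_PAYLOAD),
        "xss_safe": render_comment_safe("mallory", XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the payload the vulnerable query becomes `... WHERE username = '' OR 1=1 --' AND password = 'wrong'` and returns every account, admin included, while the parameterized version returns no rows. Note that html.escape() is correct for text placed in the HTML body; attributes, URLs and JavaScript contexts each need their own encoding.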

What are the main aspects and most serious consequences of data breaches for organizations and individuals in the current cyber threat landscape?

Data breaches remain one of the most serious, costly and prevalent consequences of successful cyber attacks, affecting organizations of all sizes, from virtually all sectors of the economy and government. Their consequences are multifaceted and long-term, affecting not only the finances and reputation of the attacked organization, but also directly the lives and safety of those whose data has been compromised.

An analysis of significant data breach incidents from 2024-2025 shows that the problem is pervasive and does not evade even the largest global corporations with theoretically advanced security systems. Many well-known companies, including tech giants such as Apple, Meta (formerly Facebook) and Twitter (now X), have reported security incidents leading to leaks of user or corporate data over the past 12-18 months. The scale of these violations is often enormous, numbering in the millions and sometimes even billions of records.

The following table, based on publicly available incident information, shows a selection of significant data breaches recorded in the 2024-2025 period, illustrating the variety of sectors attacked and types of data compromised:

Organization | Date of disclosure/attack | Approximate number of affected people/records | Type of compromised data
National Public Data (NPD) | March 2024 | ca. 1.3 billion people | Names, full residential addresses, dates of birth, Social Security numbers (SSN), phone numbers, email addresses
Ticketmaster | June 2024 | ca. 560 million customers | Names, addresses, phone numbers, email addresses, order and ticket purchase history, partial (masked) payment card information
Ascension Health | April 2025 | 437,000 patients | Detailed patient information, possibly including medical data (the exact extent has not been publicly detailed)
Dell | May 2024 | 49 million customers | Full home addresses of customers, details of orders placed and equipment purchased
Community Health Center, Inc. | January 2025 | More than 1 million patients | Patient data (the exact extent of the compromised information has not been publicly detailed by the organization)
Frederick Health | March 2025 | 934,326 patients | Names, addresses, dates of birth, SSNs, driver’s license numbers, medical record numbers, detailed insurance and payment information
Truist Bank | June 2024 | A small number of customers (employee data) | Bank employee data that was then offered for sale on criminal forums
Fortinet | September 2024 | “Small number” of customers | Customer data (the exact extent of the compromised information has not been publicly detailed by the company)

Table: Selected significant data breaches in 2024-2025.

The table above clearly illustrates the magnitude of the data breach problem, showing that it affects a wide variety of sectors - from data brokers (NPD), ticketing and entertainment services (Ticketmaster), the healthcare sector (Ascension Health, Community Health Center, Frederick Health), to technology manufacturers (Dell, Fortinet) and financial institutions (Truist Bank). They include huge numbers of affected people and a wide range of data. This enables an understanding of the real risks and potential multifaceted consequences for any organization processing any personal data or sensitive information.

The most commonly compromised types of data are primarily Personally Identifiable Information (PII), such as first and last names, full residential addresses, dates of birth, social security numbers (SSN in the US, PESEL in Poland), phone numbers, email addresses. Financial data, including credit and debit card numbers (along with CVV codes and expiration dates), e-banking access data, bank account information and transaction history, are equally common targets of attacks. Also extremely valuable to criminals are credentials such as usernames and passwords (often in the form of hashes, which can then be cracked), answers to security questions, or session tokens. In the case of the medical sector, sensitive Protected Health Information (PHI) deserves special protection, the leakage of which can have extremely harsh consequences for patients.

The consequences of such breaches for organizations are manifold and often very costly. They include direct financial losses from investigating the incident, recovering data, repairing systems, notifying affected individuals and providing them with support (such as credit monitoring), as well as potential fines and regulatory penalties. The Yahoo data breach, which affected some 3 billion user accounts, led to a $350 million reduction in the price of Verizon’s acquisition of the company, showing the direct impact of such incidents on company value. Beyond financial losses, organizations also suffer an often irreparable loss of reputation and customer trust, which can lead to customer churn, declining sales and difficulty attracting new business partners. Nor should one forget the fines imposed by supervisory authorities (e.g., under GDPR in Europe, known in Poland as RODO), which can run into millions or even billions of euros. For individuals whose data has been stolen, the consequences can include identity theft, financial fraud, reputational damage and even blackmail or harassment.

What is the importance of the Catalog of Known Exploited Vulnerabilities (KEV) in an organization’s defense strategy, and why is patching alone not enough?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains and regularly updates an extremely valuable tool for defenders: the Known Exploited Vulnerabilities (KEV) catalog. The catalog lists specific vulnerabilities in software and hardware for which there is credible evidence of active exploitation in real-world attacks. It is a key resource for organizations of all sizes in prioritizing vulnerability management and patching. Instead of treating every newly published vulnerability the same way, organizations can focus their limited resources on those that pose the greatest, real and immediate threat. For example, in May 2025, CISA added three actively exploited vulnerabilities to the KEV catalog: CVE-2024-12987 (OS command injection in DrayTek Vigor routers), CVE-2025-4664 (insufficient policy enforcement in the Google Chromium Loader) and CVE-2025-42999 (a critical deserialization vulnerability in SAP NetWeaver).

CISA’s Binding Operational Directive (BOD) 22-01 obliges U.S. Federal Civilian Executive Branch (FCEB) agencies to remediate vulnerabilities listed in the KEV catalog within strict, short deadlines (originally two weeks for vulnerabilities assigned a CVE ID in 2021 or later and six months for older ones; each KEV entry carries its own due date). Although the directive formally binds only U.S. federal agencies, CISA strongly recommends that all organizations, public and private, worldwide treat KEV entries as an absolute priority and fix them as quickly as possible, in order to shrink the global attack surface and limit attackers’ ability to exploit known vulnerabilities.
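The prioritization described above, as an added Python example that is not part of the original article: scanner findings are matched against the KEV feed and ranked by the catalog’s ransomware flag and each entry’s due date. The JSON keys (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are the ones CISA’s public feed uses, and the three CVE IDs are the ones named in the text, but the dates, the host inventory and the non-KEV placeholder CVE are constructed for the illustration and are not copied from the live catalog. None of the sample entries is flagged for ransomware use, so that branch of the sort is present but not exercised here.

```python
"""Prioritize vulnerability scan findings against CISA's KEV catalog.
The live feed is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
KEV_SAMPLE below is a constructed excerpt in the same shape with
illustrative dates."""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-4664", "vendorProject": "Google", "product": "Chromium Loader",
         "dateAdded": "2025-05-14", "dueDate": "2025-06-04",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-12987", "vendorProject": "DrayTek", "product": "Vigor Routers",
         "dateAdded": "2025-05-15", "dueDate": "2025-06-05",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-42999", "vendorProject": "SAP", "product": "NetWeaver",
         "dateAdded": "2025-05-15", "dueDate": "2025-06-05",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: host -> CVE IDs found on it. CVE-2024-99999 is a
# placeholder for a finding that is not in the KEV excerpt.
INVENTORY = {
    "edge-rtr-01": ["CVE-2024-12987"],
    "erp-app-02": ["CVE-2025-42999", "CVE-2024-99999"],
    "ws-laptop-17": ["CVE-2025-4664"],
}


def load_kev(raw_json):
    """Index the feed by CVE ID for constant-time lookups."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(kev, inventory, today):
    """Split findings into a KEV tier and a backlog. Within the KEV tier,
    entries flagged for ransomware use come first, then those closest to
    (or past) their BOD 22-01 due date; days_left < 0 means overdue."""
    urgent, backlog = [], []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                backlog.append((host, cve))   # patch in the normal cycle
                continue
            due = date.fromisoformat(entry["dueDate"])
            urgent.append({
                "host": host,
                "cve": cve,
                "product": f"{entry['vendorProject']} {entry['product']}",
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "days_left": (due - today).days,
            })
    urgent.sort(key=lambda f: (not f["ransomware"], f["days_left"]))
    return urgent, backlog


def run_report(today_iso):
    """Load the sample feed and prioritize the inventory as of today_iso."""
    return prioritize(load_kev(KEV_SAMPLE), INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    urgent, backlog = run_report("2025-06-01")
    for f in urgent:
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        print(f"{f['host']:<14}{f['cve']:<16}{f['product']:<24}{state}")
    print("not in KEV (normal cycle):", backlog)
```

In practice the inventory comes from a scanner export and the feed is fetched daily; the point of the split is that everything in the KEV tier is being exploited right now, so it jumps the normal patch window regardless of its CVSS score.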

However, it should be emphasized that there is a constant, dynamic race between the discovery of new vulnerabilities, their public disclosure (often with proof-of-concept exploit code), and their exploitation by attackers. New software and hardware devices inevitably contain bugs and vulnerabilities, often because security is not designed in from the very beginning of the product development process (security by design) or because of time pressure to get a product to market quickly. Both ethical security researchers and attackers themselves are systematically discovering these vulnerabilities. Some are responsibly reported to manufacturers and patched as part of regular update cycles, but others end up on the black market for exploits or are exploited as zero-day vulnerabilities before there is even an official security patch for them. Catalogs such as CISA’s KEV indicate which known vulnerabilities are already being actively exploited, providing an extremely important guide for defenders in prioritizing remediation efforts.

Nevertheless, as the aforementioned Verizon DBIR report shows, stolen credentials (responsible for 22% of analyzed breaches) and exploitation of existing vulnerabilities (accounting for 20% of breaches) are the two main vectors of initial access to corporate systems. This suggests that both effective vulnerability management and robust protection of identities and access mechanisms are absolutely critical to ensuring security. Simply patching known vulnerabilities, even those in the KEV catalog, is not sufficient to build comprehensive resilience. Organizations also need to invest in mechanisms to proactively detect anomalous user and system behavior, advanced identity protection (including strong multi-factor authentication (MFA) for all users), and prepare for attacks that take advantage of as yet unknown vulnerabilities (zero-days) or creative new techniques to circumvent security. This requires investment not only in vulnerability scanning tools and patch management systems, but also in advanced technologies such as EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) to detect abnormal behavior that may indicate an ongoing attack, and in precise, least privilege-based management of access to resources.
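The prioritization logic described in this section (KEV-listed findings first, ordered by CISA’s due date, everything else by severity score) can be scripted against a vulnerability scanner’s export. The following is an added example, not code from the nFlo article or from CISA. It uses the field names of the JSON feed CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json (cveID, vendorProject, product, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse), but the catalog excerpt, the host names, the CVSS scores and the placeholder CVE-0000-0001 are all constructed sample data; the dates shown are illustrative, not the catalog’s authoritative values.

```python
"""Rank scan findings against an excerpt of CISA's KEV catalog.

Added example (not the article's or CISA's code). The feed layout follows the
public KEV JSON; the entries, hosts and scores below are a constructed sample.
"""
import json
from datetime import date

# Constructed KEV excerpt in the feed's layout. The three CVE IDs are the ones the
# article cites as added in May 2025; dateAdded/dueDate values are illustrative.
KEV_SAMPLE_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "catalogVersion": "sample",
  "vulnerabilities": [
    {"cveID": "CVE-2024-12987", "vendorProject": "DrayTek", "product": "Vigor Routers",
     "vulnerabilityName": "DrayTek Vigor Routers OS Command Injection Vulnerability",
     "dateAdded": "2025-05-19", "dueDate": "2025-06-09",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-4664", "vendorProject": "Google", "product": "Chromium",
     "vulnerabilityName": "Google Chromium Loader Insufficient Policy Enforcement Vulnerability",
     "dateAdded": "2025-05-15", "dueDate": "2025-06-05",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-42999", "vendorProject": "SAP", "product": "NetWeaver",
     "vulnerabilityName": "SAP NetWeaver Deserialization Vulnerability",
     "dateAdded": "2025-05-15", "dueDate": "2025-06-05",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner export reduced to host, CVE and CVSS base score.
# CVE-0000-0001 is a placeholder for a high-scoring finding that is NOT in the catalog.
SCAN_FINDINGS = [
    {"host": "edge-router-01", "cve": "CVE-2024-12987", "cvss": 7.2},
    {"host": "erp-app-01", "cve": "CVE-2025-42999", "cvss": 9.1},
    {"host": "ws-0042", "cve": "CVE-2025-4664", "cvss": 4.3},
    {"host": "db-01", "cve": "CVE-0000-0001", "cvss": 9.8},
]


def load_kev(feed_text: str) -> dict:
    """Index a KEV feed (the real download or the sample above) by CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritise(findings: list, kev: dict, today: str) -> list:
    """Order findings for remediation.

    KEV-listed findings come first, earliest CISA due date first (ties broken by
    CVSS), each flagged 'overdue' relative to `today` (ISO date string). Findings
    not in the catalog follow, highest CVSS first. Active exploitation therefore
    outranks severity score, which is the point of the catalog.
    """
    today_d = date.fromisoformat(today)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({
            "host": f["host"],
            "cve": f["cve"],
            "cvss": f["cvss"],
            "in_kev": entry is not None,
            "due_date": due.isoformat() if due else None,
            "overdue": bool(due and today_d > due),
            "ransomware_use": entry["knownRansomwareCampaignUse"] if entry else None,
            "required_action": entry["requiredAction"] if entry else None,
        })
    rows.sort(key=lambda r: (0 if r["in_kev"] else 1,
                             r["due_date"] or "9999-12-31",
                             -r["cvss"]))
    return rows


if __name__ == "__main__":
    ranked = prioritise(SCAN_FINDINGS, load_kev(KEV_SAMPLE_JSON), "2025-06-07")
    for r in ranked:
        flag = "OVERDUE" if r["overdue"] else ("KEV" if r["in_kev"] else "-")
        print(f'{flag:8}{r["cve"]:16}{r["host"]:16}cvss={r["cvss"]:<5}due={r["due_date"]}')
```

In real use the constructed `KEV_SAMPLE_JSON` is replaced by the downloaded feed and `SCAN_FINDINGS` by the scanner’s export; note that the placeholder finding with the highest CVSS (9.8) lands last, while the CVSS 4.3 Chromium finding ranks above it because it is actively exploited and past its due date.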

What are the main implications of the increasingly pronounced intersection between the world of profit-motivated cybercrime and state-sponsored activities?

We are seeing an increasingly clear and worrisome phenomenon of the permeation and blurring of the lines between traditional cybercrime motivated primarily by the desire for financial gain and sophisticated cyber operations sponsored or at least tolerated by states. Numerous incident reports and analyses indicate the direct or indirect involvement of state actors in incidents that would previously have been classified as purely criminal. Examples include the historic, gigantic breach of Yahoo user data, where a subsequent investigation revealed the involvement of individuals affiliated with one country’s secret service, or attacks on financial infrastructure (e.g., the SWIFT system, cryptocurrency exchanges) motivated not only by the desire for profit, but also by geopolitical objectives, such as economic destabilization of an adversary or circumvention of international sanctions.

At the same time, tactics, techniques and procedures (TTPs), such as advanced ransomware variants, exploits for specific vulnerabilities (including zero-days), or platforms for launching massive DDoS attacks, are often shared, sold on the black market, or adapted between cybercrime groups and state actors. State actors with significant resources conduct long-term espionage (theft of intellectual property, state secrets), sabotage (attacks on critical infrastructure) and destabilization (disinformation campaigns, interference in electoral processes) operations. On the other hand, organized cybercrime groups primarily seek quick financial gain through ransomware, payment card data theft, fraud, etc. However, the growing market for cybercrime services, such as Ransomware-as-a-Service (RaaS), where ransomware developers share their tools with other groups in exchange for a share of the profits, and black market exploit trading are making it easier for both categories of actors to access advanced offensive tools.

Moreover, there is a growing threat that state actors may use existing cybercrime groups as their intermediaries (so-called proxies) to carry out attacks they could not officially authorize. This allows states to maintain plausible deniability and makes it much more difficult to clearly attribute responsibility (attribution) for a given attack. Techniques such as exfiltrating data before it is encrypted in ransomware attacks (known as double extortion), commonly used by cybercrime groups, can also be extremely useful for espionage purposes carried out by state actors. As a result, a clear distinction between cybercrime and state attacks is becoming increasingly difficult, significantly complicating defense strategies, the ability to respond adequately (e.g., legally, diplomatically) and building effective deterrence mechanisms. Organizations must therefore be prepared for a wide range of attackers’ motivations and for increasingly sophisticated and difficult to predict TTPs, regardless of the assigned actor category. This requires having comprehensive, up-to-date and contextual threat analysis (threat intelligence) and flexible security strategies.

Key Takeaways:

Blurring the lines: cybercrime vs. state operations: It is becoming increasingly difficult to distinguish between profit-motivated attacks and state operations, complicating attribution and defense strategies and requiring comprehensive threat analysis.

Convergence and complexity of threats: Attacks are becoming multi-vector, combining, for example, AI in social engineering with advanced malware, and vulnerabilities in the supply chain are exploited on a massive scale, forcing a holistic approach to defense (XDR, Zero Trust).

AI as a double-edged sword: Artificial intelligence drastically lowers the threshold of entry for cybercriminals (malware generation, deepfake, reconnaissance automation), while creating new targets for attacks (AI models themselves).

IoT Risk Explosion: The huge number of poorly secured IoT devices in the consumer, industrial and critical sectors is significantly expanding the attack surface, often due to a lack of standards and market pressure.

Quantum Threat and PQC: The development of quantum computers poses a fundamental threat to current cryptography, forcing urgent work on post-quantum cryptography (PQC) and migration strategies (e.g., NIST standards, cryptocurrency).

Risks of Blockchain technology: Vulnerabilities of smart contracts (reentrancy, overflow), 51% attacks and theft of private keys require rigorous audits and defense mechanisms.

Evolution of traditional threats: Malware (ransomware, fileless), social engineering (BEC, vishing) and network attacks (DDoS) continue to evolve, becoming more advanced and more difficult to combat.

Data breaches - scale and consequences: Massive data breaches affect all sectors, leading to massive financial losses, reputational damage and serious consequences for those affected.

The role of KEV and the limitations of patching: CISA’s Catalog of Known Exploited Vulnerabilities (KEV) is key, but patching alone is not enough; proactive detection, identity protection and advanced EDR/XDR technologies are needed.
