Threat Actors Accelerate Transition from Reconnaissance to Compromise
Cybercriminals are leveraging automation across the entire attack chain, drastically reducing the time from reconnaissance to compromise.
The data shows a staggering 16.7% global increase in scans, with over 36,000 scans per second targeting not just exposed ports but delving into operational technology (OT), cloud APIs, and identity layers.
Sophisticated tools probe SIP-based VoIP systems, RDP servers, and industrial protocols like Modbus TCP, mapping vulnerabilities continuously.
This industrial-scale automation extends to phishing and malware creation, with AI-driven platforms like FraudGPT and ElevenLabs enabling the production of hyper-realistic phishing lures, deepfake videos, and cloned executive voices.
The rise of Cybercrime-as-a-Service (CaaS) marketplaces further lowers the entry barrier, allowing even novice attackers to purchase access, tools, and infrastructure, thus amplifying the volume and success rate of cyberattacks.
Credentials and Cloud Misconfigurations Drive Exploits
The report highlights a 42% surge in stolen credentials on darknet forums, totaling over 100 billion unique records including emails, passwords, and multifactor bypass data.
Infostealer malware such as Redline and Vidar has fueled a 500% spike in credential log activity, harvested in real-time by Initial Access Brokers (IABs) for turnkey infiltration into corporate VPNs and admin panels.
These credentials underpin ransomware and espionage, making brute force obsolete as attackers simply buy their way into networks.
Simultaneously, cloud environments remain a critical attack vector due to over-permissioned identities and credential leaks in public code repositories.
FortiCNAPP telemetry reveals that 25% of cloud incidents start with reconnaissance such as API enumeration, followed by privilege escalation and lateral movement through legitimate services, often within hours of legitimate user activity, so the malicious traffic blends into normal activity.
Exploitation and Post-Breach Precision Define Modern Threats
Exploitation attempts are rampant, with Fortinet’s sensors logging over 97 billion attempts in the latter half of 2024, targeting outdated vulnerabilities like CVE-2017-0147 and CVE-2021-44228.
IoT devices, including routers and cameras with default credentials, account for over 20% of exploits, often recruited into botnets or used for persistence.
Post-breach, attackers demonstrate surgical precision, with 88% of lateral movement cases involving RDP and Remote Access Trojans (RATs) like Xeno RAT enabling data exfiltration.
Techniques like living-off-the-land, using legitimate tools such as PowerShell and WMI, alongside Active Directory manipulation via DCSync, render traditional detection ineffective.
Encrypted command-and-control channels and DNS tunneling further cloak malicious activity, underscoring the need for a paradigm shift in defense strategies.
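The DCSync technique mentioned above leaves a narrow but reliable trace on domain controllers: a directory-service access event (4662) on the domain naming context whose requested rights include the replication control-access rights, raised by a principal that is not a domain controller. The following detection logic, written for this article as an illustration and not taken from the report or from Fortinet, runs that check over constructed sample events; the simplified JSON-per-line format, the field names, and the list of known DC accounts are assumptions.

```python
"""Flag possible DCSync activity in Windows Security event 4662 records.

Added example for illustration, not from the report. A non-DC account asking the
domain naming context for DS-Replication-Get-Changes(-All) is the classic
DCSync signature; DCs legitimately replicate, so they are excluded."""
import json

# Control-access-right GUIDs for directory replication (fixed, well-known values).
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_RIGHTS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL}

# Computer accounts allowed to replicate: an assumed inventory of DCs for this example.
KNOWN_DCS = {"DC01$", "DC02$"}


def is_dcsync_candidate(event: dict) -> bool:
    """True if the event is a replication-rights request on the domain by a non-DC."""
    if event.get("EventID") != 4662:
        return False
    if event.get("ObjectType", "").lower() != "domaindns":
        return False
    requested = {p.lower() for p in event.get("Properties", [])}
    if not requested & REPL_RIGHTS:
        return False
    return event.get("SubjectUserName", "") not in KNOWN_DCS


def find_dcsync(lines):
    """Return (SubjectUserName, TimeCreated) for each flagged JSON log line."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if is_dcsync_candidate(event):
            hits.append((event["SubjectUserName"], event["TimeCreated"]))
    return hits


# Constructed sample log lines (not real telemetry); Properties holds the requested GUIDs.
SAMPLE_LOG = [
    '{"EventID": 4662, "TimeCreated": "2025-01-10T08:01:02Z", "SubjectUserName": "DC02$", "ObjectType": "domainDNS", "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]}',
    '{"EventID": 4662, "TimeCreated": "2025-01-10T08:03:15Z", "SubjectUserName": "jdoe", "ObjectType": "domainDNS", "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]}',
    '{"EventID": 4662, "TimeCreated": "2025-01-10T08:05:40Z", "SubjectUserName": "jdoe", "ObjectType": "user", "Properties": ["bf967aba-0de6-11d0-a285-00aa003049e2"]}',
    '{"EventID": 4624, "TimeCreated": "2025-01-10T08:06:00Z", "SubjectUserName": "jdoe"}',
]

if __name__ == "__main__":
    for user, when in find_dcsync(SAMPLE_LOG):
        print(f"possible DCSync by {user} at {when}")
```

Only the second record is flagged: the DC's own replication is expected, and the user's later 4662 on a user object requests no replication rights.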
The report urges a move toward Continuous Threat Exposure Management (CTEM), emphasizing real-time monitoring across cloud, OT, and IoT, risk-based vulnerability prioritization, and automated detection to shrink dwell times.
As threat actors optimize for speed and stealth, defenders must match their pace, leveraging integrated solutions like the Fortinet Security Fabric to unify threat intelligence and response across digital infrastructures.
This is no longer just a technical challenge but a critical business continuity imperative in the face of an evolving global threat landscape.