
Early Trends in 2025 – Source: securityboulevard.com


Source: securityboulevard.com – Author: Enzoic

Updates from Enzoic’s Threat Research Team

A New Year Again

Here we are halfway through February, and it seems like 2025 is really cruising by. A lot has already happened in the cybersec world this year, and the Threat Research team here at Enzoic has certainly been busy as well, closing out data analysis from 2024 and looking at early trends in 2025. On the retrospective side, we have just released a study on stolen credentials linked to Fortune 500 company employees. Using the Fortune 500 as a sampling category makes for a helpful cross-sector bellwether: it provides an easy way to segment a large sample and look across industries for trends (spoiler alert: the number of new stolen credentials is increasing, and infostealers seem to be the likely cause).

Cybercrime Forums Seized

Both the cybercriminals and law enforcement have been busy as well, so we’ve got a few things to talk about from recent weeks. Let’s start with the Feds: two long-standing hacking/stolen data forums, “Cracked” and “Nulled” were seized along with a few others.


Cracked and Nulled had outlived many versions of the more popular RaidForums and BreachForums, and were known for having a rather less-glamorous reputation due to poor data quality and a propensity for scams.

Still, their longevity had made them fixtures in the exposed data trading world despite the lack of high-value fresh data. The takedown, known as “Operation Talent”, also included the MySellIX and SellIX e-commerce service provider, which hosted marketplaces threat actors used to sell stolen data, and the StarkRDP cloud service provider, which provided Windows VM services that threat actors allegedly used to run credential stuffing services.

So why the crackdown? Last year’s CISA audit found that stolen credentials are a huge risk for federal agencies, and annual reports like the Verizon DBIR and IBM X-Force confirm every year that compromised credentials are the leading entry vector in many types of attacks and breaches. Add to that fraud from identity theft, which reaches new highs each year, up to $43 billion in the US alone for 2023. It’s great to see the FBI working to stem the flow of stolen data, and hopefully these operations will yield further leads in the fight against fraud and ATO.

Healthcare Breaches: A Grim Outlook

We wrote about healthcare data breaches at the end of last year, and 2025 is off to a great (i.e. terrible) start.

So far in January 2025 alone, the Department of Health and Human Services has received notification of 2,316,896 people’s health information being exposed in Hacking/IT incidents.

While the Change Healthcare breach blew last year’s stats out of the water, 2025 isn’t giving us much hope that anything has changed vis-à-vis hospital/medical office/healthcare facility cybersecurity postures. Willie Sutton may not have robbed hospitals, but for today’s fraudsters and ransomware operators, that’s where the money is. Health information is certainly sensitive by nature, but the associated personal identifying information used for billing and insurance purposes is a gold mine for fraudsters. A more direct line to profits also attracts the ransomware operators. Hospitals and care facilities aren’t necessarily known as bastions of cybersecurity, but they are known for administering important, time-critical interventions and procedures. This gives the cybercriminals significant leverage for their ransom demands, so it’s not surprising that healthcare retained its unfortunate position as the most-attacked sub-industry in 2024. With insurance companies and private equity owners milking hospitals, care facilities, and patients for every dollar they can extract, cybersecurity is not always a major budgetary priority, and staff and patients suffer the consequences. Some reports indicate that cybersec spending in healthcare is on the rise, but it’s not time to relax just yet. Small gains may not make up for the massive historical deficiencies and foundational problems that plague the vast attack surfaces of healthcare organizations (patient portals, EHRs, mobile apps, heart monitors, HR systems, etc.). This is something we’ll be taking a closer look at this year as the industry data comes in.

What is Malvertising?

One last thing we’d like to touch on is the practice of ‘malvertising’, and how it ties into stolen credentials.

Malvertising is a technique threat actors use to spread malware and steal credentials by placing legitimate-looking advertisements through vendors like Google and Meta, or directly with the sellers.

These ads may look just like any other: they advertise software or services, or are made to resemble popular services or websites in order to mislead individuals. Malvertising has been around for a while, but it continues to be a big problem, especially with ads becoming so highly integrated into the web apps and services we all use. As it becomes harder to distinguish what is an ad and what is not, it becomes easier for threat actors to snare unsuspecting visitors, who may have thought they clicked on a legitimate search result. Early malvertising often involved tricking users into downloading viruses, trojans, or spyware. These days, we also need to look out for infostealers and fake login page clones. Threat actors may register URLs similar to those used by large companies and put up fake login pages that resemble the target site, e.g. an online banking login or a popular email provider. When victims enter their login information, it is viewed and recorded by the malicious owners, who can use it for account take-over themselves or distribute it on various platforms (like the recently seized forums we discussed earlier).
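The lookalike-URL trick described above is also what a defender can screen for. The following is an added example, not Enzoic’s code: it classifies a URL’s host as legitimate, a lookalike of a known brand domain, or unrelated, by folding common homoglyph substitutions, checking for a real brand domain reused as a subdomain, and measuring edit distance. The allowlist `KNOWN_DOMAINS`, the homoglyph table and the two-label “registrable domain” shortcut are assumptions made for the example.

```python
"""Flag URLs whose host imitates a known brand domain, as malvertising login clones often do."""
from urllib.parse import urlsplit

# Constructed allowlist of legitimate domains for this example; a deployment would load its own.
KNOWN_DOMAINS = {"example-bank.com", "mail-provider.com"}

# Character substitutions commonly used in lookalike registrations (homoglyphs).
SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})
MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (assumes no public-suffix list is available)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Collapse homoglyphs and hyphens so 'examp1e-bank.com' compares equal to 'example-bank.com'."""
    d = domain.lower().translate(SINGLE)
    for src, dst in MULTI:
        d = d.replace(src, dst)
    return d.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character typosquats that homoglyph folding misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the URL's host."""
    host = (urlsplit(url).hostname or "").lower()
    dom = registrable(host)
    if dom in KNOWN_DOMAINS:
        return "legitimate"
    # A real brand domain used as a subdomain of an attacker-controlled domain.
    if any(known in host for known in KNOWN_DOMAINS):
        return "lookalike"
    norm = normalize(dom)
    for known in KNOWN_DOMAINS:
        if norm == normalize(known) or levenshtein(dom, known) <= max_distance:
            return "lookalike"
    return "unrelated"
```

Run it over the landing URLs of ads or of links clicked by users; a “lookalike” verdict is a cue to block the page or warn before any credentials are entered.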

Hope for 2025

It’s pretty easy for cybersecurity to feel like a Sisyphean task, with every new year bringing new technologies, expanding attack surfaces, and legions of salivating threat actors. When the threats overwhelm, it’s a good time to go back to basics, and remember that good cybersecurity practices start with strong foundations.

Keeping systems and anti-virus definitions updated, training employees/users on good practices, and screening for compromised credentials pay dividends in preventing fraud, account take-over, system intrusion, ransomware, and all of the financial and social impacts that these crimes involve.

FAQs

Why are stolen credentials a growing concern for organizations?

Stolen credentials are a primary entry point for cybercriminals to execute account takeovers, data breaches, and ransomware attacks. These credentials are often obtained through infostealer malware or exposed databases and are then sold on dark web forums. Once in the wrong hands, they enable unauthorized access to corporate systems, leading to financial fraud, reputational damage, and compliance violations.

How can businesses mitigate the risks of healthcare data breaches?

Healthcare data breaches continue to rise due to the vast attack surface of hospitals and medical facilities, including EHR systems, patient portals, employee logins, and IoT medical devices. Most or all of these systems have a login flow that grants access to crucial data or can be a springboard for further access into the environment. To mitigate risks, organizations should invest in proactive cybersecurity measures such as compromised password monitoring. This directly addresses the #1 cause of a data breach, compromised credentials, as found by Verizon’s DBIR report and IBM’s Cost of a Data Breach report.
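Both the “screening for compromised credentials” advice above and the compromised password monitoring recommended here rely on checking a password against a breach corpus without handing the password over. The following is an added example, not Enzoic’s code or API: it shows the k-anonymity pattern, where the client hashes the candidate password, sends only the first five hex characters of the SHA-1 to the corpus holder, and matches the returned suffixes locally. The corpus `BREACH_INDEX`, its counts and the function names are constructed for the example.

```python
"""Check a password against a breach corpus without revealing it (k-anonymity range query)."""
import hashlib

# Constructed breach corpus: SHA-1 hashes of a few leaked passwords with exposure counts.
# A real service holds billions of entries; these values exist only for this example.
_LEAKED = {"password": 9_000_000, "letmein": 250_000, "Spring2025!": 1_200}
BREACH_INDEX = {hashlib.sha1(p.encode()).hexdigest().upper(): n for p, n in _LEAKED.items()}


def range_query(prefix5: str) -> dict[str, int]:
    """Server side: given a 5-hex-char prefix, return {suffix: count} for every hash under it.
    The server sees only the prefix, so it cannot tell which of the matching hashes was checked."""
    prefix5 = prefix5.upper()
    if len(prefix5) != 5 or any(c not in "0123456789ABCDEF" for c in prefix5):
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: n for h, n in BREACH_INDEX.items() if h.startswith(prefix5)}


def exposure_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many breach records contain the password, or 0 if it was not found."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    matches = range_query(prefix)  # in practice an HTTPS request carrying only `prefix`
    return matches.get(suffix, 0)


def enforce_password_policy(password: str, max_exposures: int = 0) -> tuple[bool, str]:
    """Reject a password that has appeared in more than `max_exposures` breach records."""
    count = exposure_count(password)
    if count > max_exposures:
        return False, f"rejected: seen in {count} breach records"
    return True, "accepted"
```

The same check works at login time against the password the user just supplied, which is how existing accounts whose credentials later show up in a dump get flagged for a forced reset.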

What is malvertising, and how does it contribute to stolen credentials?

Malvertising is a cyberattack technique where threat actors distribute malware or steal login credentials by embedding malicious code in seemingly legitimate online advertisements. These deceptive ads trick users into downloading infostealer malware or entering credentials on fake login pages. To prevent malvertising-related credential theft, organizations and individuals should monitor credentials to ensure they haven’t been captured and distributed on the dark web.

AUTHOR

Dylan Hudson

Dylan leads the Threat Research team at Enzoic, developing and implementing cutting-edge threat intelligence infrastructure to help protect users and organizations from cyberattacks. When not at work, he can be found hiking and biking in the Rocky Mountains or playing traditional Celtic music on various stringed instruments.

*** This is a Security Bloggers Network syndicated blog from Blog | Enzoic authored by Enzoic. Read the original post at: https://www.enzoic.com/blog/early-trends-2025/

Original Post URL: https://securityboulevard.com/2025/02/early-trends-in-2025/

Category & Tags: Data Security, Security Bloggers Network, Threats & Breaches, Cybersecurity, Data breaches, Threat Intel
