
State-Funded Hackers Account for Most Incidences of Software Flaws Exploitation

State actors rapidly exploit recently exposed vulnerabilities for political gain, as shown by a Recorded Future report.

The majority of security breaches are attributed to state-backed cyber attackers exploiting system weaknesses.


In the first half of 2025, the cybersecurity landscape has seen a significant shift, with an increase in the number and sophistication of threats. Here's a rundown of the key findings from the recent cybersecurity report.

Ransomware Groups and Social Engineering Attacks

The report noted an uptick in the use of ClickFix social engineering attacks by ransomware actors. This method, which involves manipulating victims into copying and pasting a malicious script, has been employed by several ransomware groups, including the Interlock gang, which was observed using ClickFix in campaigns in January and February 2025.

State-Sponsored Actors and Preferred Targets

State-sponsored threat actors, primarily motivated by espionage and surveillance, accounted for 53% of the vulnerability exploits in H1 2025. The suspected China-linked group UNC5221 emerged as the most active, exploiting the highest number of vulnerabilities. Interestingly, UNC5221 demonstrated a preference for Ivanti products, including Endpoint Manager Mobile, Connect Secure, and Policy Secure.

Exploitation of Edge Security and Remote Access Tools

Researchers predicted that the exploitation of edge security appliances, remote access tools, and other gateway-layer software will remain a top priority for both state-sponsored and financially motivated groups. Because these systems act as intermediaries for encrypted traffic and privileged access, they are high-reward targets.

Remote Code Execution and BYOI Techniques

Thirty percent of the exploited Common Vulnerabilities and Exposures (CVEs) enabled remote code execution (RCE), granting attackers full control over the target system. Furthermore, ransomware groups have increased their use of bring-your-own-installer (BYOI) techniques and custom payloads for endpoint detection and response (EDR) evasion.

Authentication and Network-Based Exploits

A majority of the exploited vulnerabilities (69%) in H1 2025 did not require authentication, indicating a growing trend towards zero-day exploits, and 48% could be exploited remotely over a network.

The Growing Number of CVEs and Microsoft as the Most Targeted Vendor

The total number of disclosed CVEs grew 16% year-over-year. Microsoft was the most targeted vendor, with the tech giant's products accounting for 17% of exploitations.

The Future of ClickFix

The ClickFix tactic is expected to remain a favoured initial access technique for the rest of 2025 unless widespread mitigations reduce its effectiveness. However, because the report lacks specific information about which state-sponsored groups exploited the highest number of vulnerabilities in H1 2025 or their preferred targets, the full extent of ClickFix's impact remains to be seen.

In conclusion, the cybersecurity landscape in H1 2025 has been marked by an increase in the number and sophistication of threats, with ransomware groups and state-sponsored actors leveraging social engineering attacks, zero-day exploits, and BYOI techniques to gain access to systems. As we move forward, it is crucial for organisations to stay vigilant and implement robust security measures to protect against these threats.
