
Key Insights for Houston Businesses from the CheckPoint State of Cyber Security 2025 Report
From Disinformation to Ransomware: Understanding Tomorrow’s Cyber Threats – The New Face of Cyber Crime
The CheckPoint State of Cyber Security 2025 report provides a comprehensive analysis of the evolving cyber threat environment. As we navigate through an increasingly complex digital world, understanding these threats is crucial for organizations of all sizes. Let’s examine the key findings from this report and what they mean for your security posture.
Disinformation and Influence Operations
The report highlights how disinformation campaigns reached unprecedented complexity in 2024, fueled by the integration of AI and large language models. Nation-states like China, Russia, and Iran deployed advanced tactics to manipulate public opinion and interfere with elections.
AI was utilized in at least one-third of worldwide elections between September 2023 and February 2024. These operations featured AI-generated deepfake videos portraying false endorsements, misleading public service announcements, and fabricated news segments featuring political figures.
Disruption Preparation – Possible “Red Buttons”
While some nations engaged in high-impact attacks, others like China adopted a quieter approach, infiltrating critical systems to establish potential “red button” capabilities for future large-scale disruptions.
Chinese APT group Volt Typhoon exemplified this by exploiting firewalls and routers in US critical infrastructure. Using living-off-the-land techniques, the group maintained a covert presence while positioning itself for future actions.
Another Chinese-linked group, Salt Typhoon, targeted major internet service providers including AT&T and Verizon, exploiting vulnerabilities to intercept and manipulate network traffic.
“Hacktivist” Groups
The boundaries of state-backed cyber warfare became increasingly blurred as nations relied on a sprawling network of online personas to serve their geopolitical agendas. Many of these self-described independent “hacktivists” were actually fronts for state-sponsored APT groups.
A notable trend in 2024 was the formation of alliances, where disparate groups united under shared banners to create stronger, more cohesive fronts. Groups such as the Holy League symbolized shared strategic goals among Russian and Iranian-affiliated actors.
Iranian-backed hacktivist groups intensified their activities against Israeli and Albanian targets, with groups like Handala Hack conducting defacement campaigns and leak operations.
Impact from Law Enforcement on Ransomware
Law enforcement operations had a significant impact on the ransomware ecosystem in 2024. Operation Cronos, led by the UK’s National Crime Agency and the FBI, struck a major blow to LockBit, the dominant group in the Ransomware-as-a-Service (RaaS) ecosystem.
The operation seized LockBit’s data leak sites, dismantled their infrastructure, and exposed their operations and affiliate networks. This critically damaged LockBit’s reputation in cybercriminal circles, leading to a marked decline in their activity.
Another major RaaS actor, ALPHV, also exited the scene following law enforcement operations and internal disputes with affiliates. However, these developments did little to curb the overall volume of ransomware attacks, as independent affiliates simply migrated to other platforms.
Healthcare Targeting and Rising Data Leak Extortion
The report notes a troubling trend of ransomware groups increasingly targeting healthcare organizations. Healthcare and medical organizations now account for 10% of all publicly reported ransomware victims, making it the second most targeted sector in 2024, trailing only manufacturing.
In February 2024, a Phobos ransomware attack targeted Romania’s healthcare system, directly impacting 25 hospitals and causing operational disruptions at over 100 additional facilities. In June, Synnovis, a crucial pathology services provider for major London hospitals, was hit by the Qilin ransomware group, leading to the cancellation of over 6,000 medical appointments and procedures.
This targeting comes alongside a shift from encryption-based attacks to data exfiltration extortion (DXF). Threat actors are finding that stealing sensitive data and threatening to leak it is more efficient and profitable than encrypting systems.
From Infostealer Logs to Full Breaches
Infostealers have emerged as a significant threat as the broader criminal ecosystem has matured and specialized. They serve as the first step toward full-scale corporate network breaches, primarily targeting browser data to extract credentials for accessing corporate resources.
Over 70% of devices infected by infostealers are personal rather than corporate, highlighting how these tools exploit the blurred lines between personal and professional device usage. Stealers are marketed on the Dark Web as Malware-as-a-Service (MaaS), lowering the barrier to entry for would-be cybercriminals.
Cloud: The Ever-Expanding Attack Surface
Cloud infrastructure became integral to most organizations’ IT frameworks in 2024, but this widespread adoption has introduced new security vulnerabilities.
The complexity of administering cloud infrastructure adds a significant layer of vulnerability. Administrators are often overwhelmed by the multitude of settings and configurations required to secure their environments effectively, leading to exposed resources or penetrable environments.
An example of such administrative complexity was seen when Microsoft failed to secure its own Azure environment, allowing the Midnight Blizzard threat group to breach its production environment and access internal systems, source code, and executives’ emails.
Integrating on-premises resources with cloud services through Identity and Access Management providers has created pathways for bidirectional lateral movement, allowing attackers to pivot between environments.
The Evolving Threat of Edge Devices and ORBs
Both cybercriminals and state-sponsored actors significantly increased their exploitation of edge devices like routers, firewalls, and VPN appliances as initial access vectors.
These devices are particularly appealing given their lack of dedicated security solutions and are often exploited to set up anonymization infrastructure known as Operational Relay Boxes (ORBs).
A notable example is the Raptor Train botnet, orchestrated by the Chinese APT group Flax Typhoon, which assembled over 200,000 compromised devices including SOHO routers, NAS systems, and IP cameras.
Corporate edge devices increasingly faced zero-day exploitation as attackers repurposed them for broader network penetration. In early 2024, high-severity vulnerabilities were discovered in Ivanti Connect Secure and Palo Alto Networks’ PAN-OS GlobalProtect, allowing for remote code execution and multifactor bypass.
Global Analysis
The report shows a significant increase in cyberattacks, with the average number of weekly attacks per organization reaching 1,673, which is 44% higher than in 2023. The education sector experienced the highest volume, with a 75% year-over-year increase and an average of more than 3,574 attacks per week.
Infostealers and multipurpose malware saw significant increases in 2024. Infostealer infection attempts increased by 58% compared to 2023, reflecting a maturing ecosystem and increasing demand for stolen logs. Multipurpose malware affected 39% of organizations, a 25% increase from 2023.
Email remains the dominant initial attack vector, with 68% of attacks originating from email. However, web-delivered attacks rose to 32%, primarily attributed to malware distribution frameworks that operate through compromised websites.
The most prevalent malware families included FakeUpdates (SocGholish), AgentTesla, and Lumma, while manufacturing emerged as the most targeted sector for ransomware, followed by healthcare.
Incident Response Perspective
In 2024, security alerts became the leading trigger for incidents at 35%, surpassing service disruptions (26%) as the primary indicator for initiating incident response. This shift indicates a significant rise in security team expertise and advancements in detection technologies.
Command and Control (C2) communication emerged as the most common security alert triggering incident response, followed by Credential Access attempts. User reports primarily focused on overt malicious activities like file encryption from ransomware attacks, but increasingly included suspicious MFA attempts not initiated by users.
Ransomware continued to dominate the threat environment, with LockBit, Akira, and Black Basta being the most prevalent families in incident response cases. Notably, 11% of ransomware attacks specifically targeted VMware ESXi servers; because a single hypervisor host runs many virtual machines, compromising one device allows attackers to render multiple critical servers inaccessible at once.
Industry Predictions for the Future of Cyber Security
Looking forward, the report offers several predictions for 2025:
- Cloud-based platforms will increasingly serve as the foundation for cybersecurity, with AI-driven integration proving more effective than standalone tools.
- The risk of data breaches caused by employees inadvertently sharing sensitive information with AI platforms will grow, requiring stricter controls on AI tools.
- AI-powered financial crime will become more prevalent, particularly for Business Email Compromise and Know Your Customer bypass methods.
- Supply-chain attacks on open-source projects will rise following the sophisticated multi-year operation that inserted a backdoor into Linux XZ Utils.
- Cybercrime ecosystems will become more decentralized in response to law enforcement successes against major ransomware operations.
- Organizations will face increasing pressure from new cybersecurity regulations and stricter cyber insurance standards.
- The global shortage of cybersecurity professionals will pose a significant challenge for organizations trying to defend against the rising complexity and volume of cyber threats.
CISO Recommendations
Based on the insights gained from the 2024 incidents, the report offers actionable recommendations for cybersecurity professionals:
- Adopt a multi-layered security strategy including regular data backups, employee training, robust email filtering, and endpoint detection and response tools.
- Prioritize advanced cloud security solutions including API security, identity management, and a zero-trust architecture.
- Leverage AI for prevention and detection to enhance security and streamline response efforts.
- Gain 360-degree visibility across your attack surface to identify threats across multiple systems.
- Develop a customer-trust program to ensure compliance with rapidly changing regulations.
- Implement a robust vulnerability and risk management program, prioritizing external-facing assets and critical systems.
- Choose a security vendor with a proven track record of effective security practices and prompt patch releases.
- Optimize security operations using AI to improve efficiency in threat management.
- Focus on resilience and incident response by ensuring operations are effectively segregated and regularly updating disaster recovery plans.
How CinchOps Can Help Secure Your Business
In light of the threats and recommendations highlighted in the CheckPoint report, CinchOps offers comprehensive security solutions designed to address these evolving challenges. Our expert team provides:
- Multi-layered security architecture that protects against ransomware, infostealers, and other advanced threats
- Cloud security expertise to secure your hybrid environments and prevent lateral movement
- Advanced AI-powered threat detection and prevention systems
- Comprehensive visibility across your entire attack surface
- Compliance management to navigate the increasingly complex regulatory environment
- Vulnerability management with prioritized remediation
- Incident response planning and support
- Security operations optimization to address the skills gap
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
Don’t wait until you become another statistic in next year’s report. Contact CinchOps today to schedule a security assessment and learn how we can help strengthen your cybersecurity posture against these evolving threats.