2025-08-06

Cyber attackers are finding new ways in through the overlooked and unconventional network corners. Forescout’s 2025H1 Threat Review reveals a surge in advanced tactics, with zero-day exploits up 46 percent and ransomware attacks averaging 20 per day.

Based on an analysis of over 23,000 vulnerabilities and 885 threat actors across 159 countries, the report shows adversaries are increasingly targeting non-traditional equipment like edge devices, IP cameras, and BSD servers. These footholds often enable lateral movement across IT, OT, and IoT environments, allowing attackers to reach deeper into networks and compromise critical systems.

“We’re seeing attackers gain initial access through overlooked IoT devices or infostealers, then use lateral movement to pivot across IT, OT, and IoT environments,” said Sai Molige, Senior Manager of Threat Hunting at Forescout. “Our ValleyRAT hunt, which uncovered the Chinese threat actor Silver Fox targeting healthcare systems, is a prime example. These attackers exploit blind spots to quietly escalate access.”

“From hospitals to medical devices to critical infrastructure, it is all being targeted through zero-day exploits, unconventional entry points, and nation-backed hacktivism,” said Barry Mainz, CEO of Forescout. “You can’t defend critical infrastructure with yesterday’s tools. Security must be continuous, proactive, and device-agnostic.”

Exploits shift to older vulnerabilities and unconventional devices, zero-days increase

47% of newly exploited vulnerabilities were originally published before 2025.

Published vulnerabilities rose 15%, with 45% rated high or critical.

Zero-day exploitation increased 46%, and CVEs added to CISA KEV jumped 80%.

Modbus accounted for 57% of OT protocol traffic in Forescout honeypots.

Ransomware actors increasingly targeted non-traditional equipment, such as edge devices, IP cameras and BSD servers, which often lack EDR, making them ideal entry points for undetected lateral movement and underscoring the need for integrated detection solutions.

Ransomware rises 36% year over year, with 3,649 documented attacks in H1

Attacks grew in frequency to 608 per month, or roughly 20 per day.

The U.S. was the top target, accounting for 53% of all incidents.

The top sectors targeted were services, manufacturing, technology, retail and healthcare.

New attack vectors included IP cameras and BSD systems, amplifying lateral movement across enterprise environments.

Healthcare is under siege, averaging two healthcare breaches per day

In the first half of 2025, the healthcare sector emerged as the most impacted vertical for data breaches.

Nearly 30 million individuals were affected by breaches in H1 2025.

76% of breaches stemmed from hacking or IT incidents.

62% of breaches involved data stored on network servers; 24% were on email systems.

Researchers identified trojanized DICOM imaging software delivering malware directly to patient systems.

Lines blur between hacktivists and state-sponsored actors

Researchers tracked 137 threat actor updates in H1 2025, with 40% attributed to state-sponsored groups and 9% as hacktivists. The remaining 51% were cybercriminals, such as ransomware groups.

Iran-affiliated groups like GhostSec and Arabian Ghosts targeted programmable logic controllers (PLCs) linked to Israeli media and water systems.

CyberAv3ngers amplified unverified claims ahead of major OT attacks in 2023–2024; the same tactics are now reappearing under a new identity, APT IRAN.

APT IRAN, CyberAv3ngers and other Iranian hacktivist personas form a continuum of Iranian threats to OT/ICS.

“Hacktivist operations are no longer just symbolic or isolated. They’re evolving into coordinated campaigns targeting critical infrastructure with real-world consequences,” said Daniel dos Santos, Head of Research at Forescout. “What we’re seeing from Iranian-aligned groups is a shift toward more aggressive, state-influenced disruption tactics masked as activism. As geopolitical tensions escalate, these actors are becoming faster, louder and harder to attribute, and that makes their threat even more urgent for defenders to address.”

Steps to reduce risk and build cyber resiliency