
By OctopusCRX
Insights.
Cyber Threat Intelligence Weekly Report: March 10–14, 2025
Editor’s Note:
This past week has been a stark reminder that cybercriminals are evolving faster than most organizations can adapt. The trends we’ve tracked indicate a significant shift in attacker methodologies, particularly in how they gain access, maintain persistence, and extort victims.
Initial access brokers (IABs) are flooding dark web markets with high-value corporate credentials. The sale of stolen VPN, RDP, and privileged admin accounts is fueling a rapid increase in double-extortion ransomware attacks—where exfiltration happens before encryption. If your organization is not actively hunting for unauthorized credential use, you’re already behind.
Nation-state actors, particularly China’s Silk Typhoon, are embedding themselves within IT supply chains. This is no longer just about attacking end targets—these groups are breaching trusted third-party providers (MSPs, cloud vendors, and software update mechanisms) to pivot into larger organizations. A breach at a vendor may be the first step toward compromising your network.
Fortinet’s authentication-bypass vulnerabilities in the FortiOS management interface (CVE-2024-55591 and the related CVE-2025-24472) are a case study in rapid weaponization. Within days of a proof-of-concept exploit surfacing, ransomware operators had integrated them into active attack campaigns. The window between disclosure and mass exploitation is shrinking, leaving little room for reactive patching. If your organization still has unpatched FortiGate appliances with a reachable management interface, assume you are already on an attacker’s target list, and remember that patching closes the door but does not evict anyone who came in before it was closed.
Ransomware operations have entered a new phase: extortion is no longer just about encryption. Triple extortion (data theft, encryption, and DDoS threats) is becoming a common tactic, particularly among ransomware-as-a-service (RaaS) affiliates. Security leaders need to move beyond restore-from-backup thinking and treat the data itself as the target. Encrypting critical data at rest reduces exposure only when the attacker does not also hold a privileged account or the keys, so it must be paired with least-privilege access to the data stores and monitoring for bulk reads and unusual outbound transfers.
The reality is clear: Threat actors are optimizing their business models. They have streamlined initial access through credential theft, automated exploitation, and dark web marketplaces. Your ability to adapt must match their speed.
This week’s report will provide a detailed breakdown of how these threats are evolving, where they are coming from, and the immediate actions required to mitigate risk. The security landscape is shifting, and organizations that fail to anticipate these changes will be caught off guard.
Now, let’s get into the intelligence that matters.
Board Summary: Business Impact & Financial Risks
Fortinet Firewall Zero-Day Exploits → Ransomware Deployments
Threat Overview
Fortinet CVE-2024-55591 & CVE-2025-24472 are actively exploited by threat actors to gain administrative control over enterprise firewalls, modify configurations, and facilitate ransomware deployment and espionage operations.
Attackers are leveraging these exploits to:
Modify firewall rules and disable logging to evade detection
Extract VPN credentials and escalate privileges for lateral movement
Install backdoor access points, allowing persistent unauthorized entry
Sell compromised access on underground marketplaces to ransomware affiliates
Business Risks
Full Network Takeover: Attackers can bypass traditional endpoint security and establish command-and-control channels.
Regulatory Penalties: GDPR breach-notification rules, the SEC’s cyber-incident disclosure requirements for public companies, and DORA’s incident-reporting obligations for EU financial entities all impose deadlines once compromised credentials lead to a reportable breach.
Financial Impact: Downtime, ransom payments, legal fees, and recovery costs can exceed $4M per incident.
Technical Breakdown: Attack Progression
Initial Exploitation
Attackers scan for Fortinet devices with exposed management interfaces.
They use CVE-2024-55591 to bypass authentication, gaining immediate administrative control.
Privilege Escalation & Persistence
Security monitoring and logging are disabled.
New administrator accounts are created to ensure long-term access, even if patches are applied.
Firewall rules are modified to allow lateral movement into internal networks.
Credential Theft & Lateral Movement
Credentials stored in the firewall configuration are extracted: VPN pre-shared keys, local user password hashes, and LDAP/RADIUS bind passwords, along with any SSH keys kept on the device.
Attackers pivot into Active Directory, escalate privileges, and deploy SuperBlack ransomware.
Defensive Action Plan
Immediate Steps (Next 24 Hours)
Patch FortiOS to a fixed release named in Fortinet’s PSIRT advisory for these CVEs (7.0.17 or later on the 7.0 branch); where patching must wait, apply Fortinet’s published workaround of disabling the HTTP/HTTPS administrative interface on public-facing interfaces or restricting it to known source addresses with local-in policies
Conduct firewall audits for unauthorized administrative accounts
Reset all firewall and VPN credentials, enforcing MFA on all remote access
Block unauthorized outbound connections from security appliances
Ongoing Monitoring & Hardening
Enable strict firewall logging policies to detect unauthorized rule changes
Deploy deception technologies (honeypots) to detect unauthorized credential access
Implement real-time alerting for any firewall configuration modifications
Perform regular penetration testing focusing on firewall and VPN attack vectors
China’s Silk Typhoon APT Targeting IT Supply Chains
Threat Overview
Silk Typhoon, a China-sponsored APT group, has pivoted its attack strategy from direct enterprise targeting to infiltrating IT vendors, MSPs, and SaaS providers. This allows adversaries to leverage trusted third-party access to infiltrate high-value targets while remaining undetected.
Key Findings:
Three MSPs and two cloud vendors were confirmed compromised, impacting hundreds of enterprise customers.
Stolen SaaS authentication tokens, API keys, and privileged credentials were used to escalate privileges across multiple cloud environments.
Silk Typhoon’s attack methodology mirrors that of APT40’s past software supply chain campaigns.
How These Attacks Work
Exploiting MSP Access: Adversaries breach an IT vendor, compromising privileged accounts that allow access to downstream customers.
Cloud Credential Abuse: Attackers steal API tokens and service account credentials to move across hybrid and multi-cloud environments.
Supply Chain Malware Insertion: Compromised software updates inject backdoors that are deployed onto enterprise networks unknowingly.
Business Risks
Data Exfiltration & Espionage: Intellectual property and sensitive enterprise data are stolen before the attack is detected.
Compliance Violations: Enterprises remain legally responsible for vendor-related breaches under global regulatory frameworks.
Supply Chain Service Disruptions: MSP and cloud provider breaches could result in operational outages affecting multiple customers.
Defensive Action Plan
Immediate Steps (Next 24 Hours)
Conduct a full review of all third-party vendor access controls
Monitor SaaS API activity for unauthorized authentication attempts
Scan cloud environments for overprivileged service accounts
Implement real-time alerting for abnormal third-party user behaviors
Ongoing Monitoring & Hardening
Require IT vendors to enforce strong authentication and access control policies
Deploy cloud security posture management (CSPM) solutions to detect misconfigurations
Mandate continuous penetration testing of vendor access pathways
Implement Zero Trust principles across all third-party integrations
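The step “scan cloud environments for overprivileged service accounts” is the one item in the list above that can be turned into a repeatable check. The script below is an added example written for this report; it is not part of the original page or of any vendor’s tooling. It statically reviews IAM policy documents for the patterns that let a single stolen service-account credential become control of the environment: wildcard actions, service-wide wildcards, Allow-with-NotAction, and credential-minting or role-assumption actions granted on every resource with no Condition. The policy documents are constructed samples in AWS IAM JSON syntax, and ESCALATION_ACTIONS is an assumed short list of well-known privilege-escalation primitives, not a complete catalogue.

```python
"""
Static over-privilege review of IAM policy documents (added example).
Policies below are constructed samples in AWS IAM JSON syntax; the list
of escalation actions is an assumption covering well-known primitives.
"""
import fnmatch
import json

# Actions that, granted broadly and unconditionally, let one compromised
# identity mint credentials, rewrite trust, or assume other principals.
ESCALATION_ACTIONS = {
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:PassRole", "iam:UpdateAssumeRolePolicy",
    "sts:AssumeRole", "lambda:UpdateFunctionCode",
}
READ_ONLY_VERBS = ("Get", "List", "Describe", "Head")
SEVERITY_RANK = {"NONE": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed sample policies, not taken from any real account.
SAMPLE_POLICIES = {name: json.loads(text) for name, text in {
    "admin_everything": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}',
    "ci_deploy": '''{"Version":"2012-10-17","Statement":[
        {"Effect":"Allow","Action":["s3:PutObject","s3:GetObject"],"Resource":"arn:aws:s3:::build-artifacts/*"},
        {"Effect":"Allow","Action":"iam:PassRole","Resource":"*"}]}''',
    "report_reader": '''{"Version":"2012-10-17","Statement":[
        {"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::reports/*",
         "Condition":{"StringEquals":{"aws:SourceVpc":"vpc-0example"}}}]}''',
}.items()}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def analyze_policy(doc):
    """Return (statement_index, severity, reason) findings for one policy."""
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        if "NotAction" in stmt:
            findings.append((idx, "HIGH", "Allow with NotAction grants every action not listed"))
        on_all = "*" in _as_list(stmt.get("Resource", []))
        unconditioned = not stmt.get("Condition")
        for act in _as_list(stmt.get("Action", [])):
            if act == "*":
                findings.append((idx, "HIGH", "Action * grants every API call"))
                continue
            if act.endswith(":*"):
                findings.append((idx, "MEDIUM", f"service-wide wildcard {act}"))
            # Expand the action pattern against the escalation list.
            hits = sorted(e for e in ESCALATION_ACTIONS if fnmatch.fnmatchcase(e, act))
            if hits and on_all and unconditioned:
                findings.append((idx, "HIGH",
                                 f"{act} on Resource * without Condition covers {', '.join(hits)}"))
            elif on_all and unconditioned and not act.split(":")[-1].startswith(READ_ONLY_VERBS):
                findings.append((idx, "MEDIUM", f"write action {act} on Resource * without Condition"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to its highest severity label."""
    return max((f[1] for f in findings), key=SEVERITY_RANK.get, default="NONE")


def audit_all(policies=SAMPLE_POLICIES):
    """Map each policy name to its worst severity."""
    return {name: worst_severity(analyze_policy(doc)) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, doc in SAMPLE_POLICIES.items():
        print(name, worst_severity(analyze_policy(doc)))
        for idx, sev, why in analyze_policy(doc):
            print(f"  statement {idx}: {sev}: {why}")
```

To run it against a live account, feed the script the document returned by `aws iam get-policy-version` for each policy attached to a service role; the same checks apply to inline policies. The output is a triage list, not a verdict: a HIGH on a break-glass role may be intended, but a HIGH on a CI deploy role or a vendor-managed integration is exactly the foothold described in the findings above.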
Ransomware Surge – Medusa, CL0P, & Triple Extortion Escalation
Threat Overview
Ransomware groups are increasingly shifting to extortion-based attacks, with stolen data used as leverage before encryption.
Triple extortion models now include direct DDoS attacks on victims' public services.
Ransomware-as-a-service (RaaS) affiliates are recruiting insiders for large-scale deployments.
Business Risks
Regulatory fines for exposure of personally identifiable information (PII)
Brand damage and legal exposure from exfiltrated data being sold on dark web forums
Significant operational losses from downtime, ransom payments, and remediation efforts
Defensive Action Plan
Immediate Steps (Next 24 Hours)
Enhance endpoint detection and response (EDR) rules for early-stage ransomware indicators
Deploy deception techniques (fake privileged accounts) to detect ransomware pre-execution
Isolate critical backups in an immutable, air-gapped environment
Ongoing Monitoring & Hardening
Conduct red team exercises simulating ransomware affiliate tactics
Monitor dark web intelligence sources for leaked corporate credentials
Implement AI-based anomaly detection for user behavior analysis
Dark Web Intelligence: Cybercrime Trends & Emerging Threats
Fortinet Exploit Sales Have Skyrocketed
Threat intelligence sources confirm that Fortinet firewall credentials and exploits are now among the most frequently traded assets on dark web marketplaces. Initial access brokers (IABs) are actively monetizing compromised firewalls, providing ransomware affiliates and state-sponsored actors with ready-to-use entry points into corporate networks.
Key Findings
Multiple underground forums have listed Fortinet administrator credentials for sale, with prices ranging from $2,000 to $5,000 per compromised device.
Some access brokers are offering bulk sales of 10–50 compromised Fortinet firewalls to ransomware groups, significantly reducing the time required for network infiltration.
Exploit kits containing automated tools to bypass logging and create persistent VPN tunnels are being advertised, allowing buyers to maintain access even after patches are applied.
Why This Matters
Organizations that applied Fortinet patches late may still be compromised, as attackers create persistent access points before patching occurs.
Enterprises relying on perimeter-based security should assume that any externally exposed firewall could be a potential breach point.
The use of dark web marketplaces to distribute exploits is accelerating ransomware deployment cycles, meaning that attack windows are shortening.
Defensive Actions
Conduct forensic analysis of Fortinet firewalls to detect any unauthorized admin accounts, firewall rule modifications, or outbound connections.
Rotate all VPN credentials stored within Fortinet appliances, as they may have been extracted prior to patching.
Implement deception techniques such as dummy admin accounts to detect and flag unauthorized login attempts.
Monitor for mentions of company IP ranges and credentials on underground forums using dark web intelligence services.
Ransomware Gangs Are Paying Employees to Facilitate Attacks
Dark web recruitment activity indicates that ransomware operators are actively seeking insider assistance to bypass corporate defenses. Employees within IT departments, security teams, and finance divisions are being targeted with financial incentives to provide privileged access.
Key Findings
Recruitment ads on cybercrime forums offer payouts ranging from $100,000 to $500,000 for employees willing to install malware or disable security controls.
Multiple confirmed ransomware incidents this month involved insider collaboration, with employees providing VPN credentials or whitelisting attack infrastructure in firewall settings.
Industries most targeted for insider recruitment include financial services, healthcare, and manufacturing, where privileged access to sensitive systems provides high-impact entry points.
Why This Matters
The insider threat risk associated with ransomware is increasing, meaning traditional perimeter defenses and endpoint security tools are no longer sufficient deterrents.
Organizations need to reconsider how privileged access is granted and monitored, especially for users with administrative control over security tools.
Ransomware groups are adapting their playbooks to include human assets in the attack chain, reducing the need for technical exploit development.
Defensive Actions
Implement behavioral monitoring to detect unusual activity by privileged accounts, such as logging in from new locations or modifying security configurations.
Introduce financial disincentives for employees who assist cybercriminals, including contractual penalties and legal repercussions.
Establish a cybersecurity whistleblower program, allowing employees to anonymously report suspicious recruitment attempts.
Rotate administrative credentials regularly and enforce mandatory multi-party approval for critical system modifications.
Security Tool Effectiveness: What’s Detecting These Threats?
Fortinet Exploitation Detection
Solutions That Perform Well
Endpoint agents such as CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint cannot run on FortiOS itself; what they catch is the follow-on activity on workstations and servers, such as use of credentials harvested from the firewall and the first lateral-movement attempts.
Palo Alto Cortex XDR and Darktrace can flag anomalous firewall administration when the appliance’s event logs are ingested, surfacing unauthorized configuration changes.
Where Defenses Fail
Firewall configuration-change events are frequently not forwarded to the SIEM at all, so rule modifications that open paths for lateral movement after compromise go unnoticed.
Many SIEM deployments have no real-time rule for admin-account creation or policy edits on perimeter appliances, allowing attackers to operate undetected.
Ransomware Deployment & Lateral Movement Detection
Solutions That Perform Well
SentinelOne, Microsoft Defender for Endpoint (formerly Defender ATP), and deception-based security tools detect ransomware payload execution in real time.
Proactive threat-hunting techniques, including honey tokens and fake admin accounts, have proven effective at exposing ransomware operators before deployment.
Where Defenses Fail
Most SOC teams detect ransomware after encryption begins, rather than identifying early-stage compromise indicators.
Legacy antivirus solutions fail to detect ransomware that operates entirely within memory, bypassing file-based scanning.
Data Exfiltration Prevention
Solutions That Perform Well
Symantec DLP, Skyhigh Security (formerly McAfee Enterprise), and Microsoft Purview can block unauthorized file transfers whose content they are able to inspect.
Cloud security posture management (CSPM) solutions like Wiz and Prisma Cloud effectively detect unauthorized SaaS data exfiltration.
Where Defenses Fail
Exfiltration over encrypted channels, including trusted VPN tunnels, bypasses DLP and firewall controls that depend on content inspection; only flow volume and destination metadata remain visible.
Many organizations lack visibility into third-party applications and APIs accessing sensitive data.
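Because content inspection is blind inside an encrypted tunnel, and because the extortion model above relies on bulk theft before encryption, the metadata that survives encryption is worth watching. The script below is an added example written for this report, not part of the original page or of any vendor product. It baselines each host’s daily external egress from flow records and flags a day whose volume is both large in absolute terms and far above that host’s own median, listing destinations the host has never contacted before. The flow records, the internal address ranges, the 5x multiplier and the 1 GB floor are constructed assumptions to tune per environment.

```python
"""
Volume-based egress anomaly check over flow metadata (added example).
Flow records are constructed samples; thresholds are tunable assumptions.
"""
import ipaddress
from collections import defaultdict
from statistics import median

# Assumed internal ranges. ipaddress.is_private is not used because it also
# classifies the documentation ranges used in the sample (203.0.113.0/24,
# 198.51.100.0/24) as private, which would hide them from the check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _mb(n):
    return n * 1_000_000


# (day, source host, destination IP, bytes out); constructed, not real telemetry.
FLOWS = []
# Seven days of routine sync from a finance workstation to a SaaS endpoint.
for day, mb in zip(range(3, 10), (120, 110, 130, 100, 125, 115, 140)):
    FLOWS.append((f"2025-03-{day:02d}", "ws-finance-07", "203.0.113.10", _mb(mb)))
# Day eight: 9 GB to an address this host has never talked to.
FLOWS.append(("2025-03-10", "ws-finance-07", "198.51.100.77", 9 * _mb(1000)))
# A steady engineering workstation, and a backup server pushing 50 GB/day to
# an internal target, which is not egress and is ignored entirely.
for day in range(3, 11):
    FLOWS.append((f"2025-03-{day:02d}", "ws-eng-12", "203.0.113.10", _mb(200)))
    FLOWS.append((f"2025-03-{day:02d}", "db-backup-01", "10.20.0.5", 50 * _mb(1000)))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_exfiltration(flows=FLOWS, multiplier=5.0, min_bytes=1_000_000_000, min_history=3):
    """Flag (host, day) pairs whose external egress dwarfs the host's own median."""
    totals = defaultdict(int)   # (host, day) -> external bytes out
    dests = defaultdict(set)    # (host, day) -> external destinations
    for day, host, dst, nbytes in flows:
        if is_internal(dst):
            continue
        totals[(host, day)] += nbytes
        dests[(host, day)].add(dst)
    alerts = []
    for host in sorted({h for h, _ in totals}):
        days = sorted(d for h, d in totals if h == host)  # ISO dates sort correctly
        for i, day in enumerate(days):
            prior = days[:i]
            if len(prior) < min_history:
                continue  # too little history to call anything abnormal
            baseline = median(totals[(host, d)] for d in prior)
            today = totals[(host, day)]
            if today >= min_bytes and today > multiplier * baseline:
                seen_before = set().union(*(dests[(host, d)] for d in prior))
                alerts.append({
                    "host": host, "day": day, "bytes": today, "baseline": baseline,
                    "new_destinations": sorted(dests[(host, day)] - seen_before),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration():
        print(alert)
```

A median baseline rather than a mean keeps one earlier spike from raising the bar for the next one, and the absolute floor stops a quiet host from alerting on a routine software download. The obvious evasion is to trickle data out below the threshold over days, which is why the “new destination” field matters on its own even when the volume check does not fire.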
Monday Morning Threat Drill: SOC Team Exercise
Scenario:
Assume that SuperBlack ransomware operators have exploited a Fortinet firewall and gained persistent access through a hidden VPN tunnel. The attacker has created rogue admin accounts and disabled logging to evade detection.
Objective
This exercise simulates an advanced persistent attack using firewall exploitation as the initial access point. The SOC team will need to detect, contain, and neutralize the threat before ransomware deployment occurs.
Step 1: Identify Initial Compromise Indicators
Check Fortinet firewall logs for the creation of new administrator accounts within the last 30 days.
Identify any VPN connections originating from addresses outside the organization’s known ranges, particularly addresses that appear on threat intelligence feeds.
Step 2: Perform a Red Team vs. Blue Team Simulation
Red Team: Simulate an adversary escalating privileges within the firewall, disabling security controls, and pivoting into internal systems.
Blue Team: Detect the attack using SIEM, EDR, and behavioral analytics tools, then implement containment measures.
Step 3: Measure Incident Response Performance
Track how long it takes for the SOC team to identify the rogue administrator accounts.
Assess the effectiveness of existing firewall monitoring rules in detecting unauthorized rule modifications.
Test the ability to block an active ransomware deployment using automated containment policies.
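Step 1 of the drill, together with the firewall action plan earlier in this report (audit for unauthorized administrative accounts, alert on configuration and rule changes, detect use of decoy admin accounts), comes down to parsing the appliance’s event log for a handful of indicators. The script below is an added example written for this report; it is not Fortinet code and not part of the original page. It triages FortiGate-style key=value event lines for administrator accounts created inside the look-back window, logging switched off, firewall policy edits, VPN tunnels from sources outside trusted ranges or on a threat list, and any login attempt against a decoy admin account. The log lines are constructed samples; field names such as cfgpath, cfgobj, cfgattr, remip and ui are assumptions modeled on FortiGate’s syslog style and must be checked against the real logs of the deployment, as must the trusted ranges, threat-feed entries and decoy account names.

```python
"""
Triage of FortiGate-style event logs for the report's indicators
(added example). Log lines are constructed; field names are assumptions.
"""
import ipaddress
import re
from datetime import date, timedelta

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines, not captured from a real device.
SAMPLE_LOGS = """\
date=2025-03-08 time=02:14:07 type=event subtype=system level=information logdesc="Object attribute configured" user="admin" ui="https(203.0.113.45)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" msg="Add system.admin svc_backup"
date=2025-03-08 time=02:15:30 type=event subtype=system level=information logdesc="Object attribute configured" user="svc_backup" ui="https(203.0.113.45)" action="Edit" cfgpath="log.syslogd.setting" cfgobj="" cfgattr="status[enable->disable]" msg="Edit log.syslogd.setting"
date=2025-03-08 time=02:16:02 type=event subtype=system level=information logdesc="Object attribute configured" user="svc_backup" ui="https(203.0.113.45)" action="Add" cfgpath="firewall.policy" cfgobj="99" cfgattr="srcintf[ssl.root]dstintf[internal]action[accept]" msg="Add firewall.policy 99"
date=2025-03-09 time=11:40:11 type=event subtype=vpn level=information logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" user="jdoe" remip=203.0.113.45 msg="SSL tunnel established"
date=2025-03-09 time=09:00:00 type=event subtype=vpn level=information logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" user="asmith" remip=198.51.100.20 msg="SSL tunnel established"
date=2025-03-10 time=03:02:44 type=event subtype=system level=notice logdesc="Admin login failed" user="admin_ro_decoy" ui="https(203.0.113.45)" action="login" status="failed" msg="Administrator admin_ro_decoy login failed from https(203.0.113.45)"
date=2025-01-15 time=10:00:00 type=event subtype=system level=information logdesc="Object attribute configured" user="admin" ui="https(198.51.100.20)" action="Add" cfgpath="system.admin" cfgobj="old_admin" msg="Add system.admin old_admin"
"""


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def triage(raw_log, today, trusted_nets, threat_ips, decoys, window_days=30):
    """Return findings keyed by indicator for events inside the look-back window."""
    since = today - timedelta(days=window_days)
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = {k: [] for k in ("new_admins", "logging_disabled",
                               "policy_changes", "vpn_untrusted", "decoy_hits")}
    for line in raw_log.splitlines():
        ev = parse_line(line)
        if "date" not in ev or date.fromisoformat(ev["date"]) < since:
            continue
        cfgpath, action, user = ev.get("cfgpath", ""), ev.get("action"), ev.get("user")
        if action == "Add" and cfgpath == "system.admin":
            findings["new_admins"].append((ev["date"], ev.get("cfgobj"), user))
        if cfgpath.startswith("log.") and "disable" in ev.get("cfgattr", ""):
            findings["logging_disabled"].append((ev["date"], cfgpath, user))
        if cfgpath == "firewall.policy":
            findings["policy_changes"].append((ev["date"], action, ev.get("cfgobj"), user))
        if ev.get("subtype") == "vpn" and action == "tunnel-up":
            src = ipaddress.ip_address(ev["remip"])
            if ev["remip"] in threat_ips or not any(src in n for n in nets):
                findings["vpn_untrusted"].append((ev["date"], user, ev["remip"]))
        if action == "login" and user in decoys:
            # Nobody legitimate uses a decoy account; any attempt is a signal.
            findings["decoy_hits"].append((ev["date"], user, ev.get("ui")))
    return findings


def run_sample():
    """Triage the constructed sample as of the report's end date."""
    return triage(SAMPLE_LOGS, date(2025, 3, 14),
                  trusted_nets=["198.51.100.0/24"],  # assumed corporate egress range
                  threat_ips={"203.0.113.45"},       # assumed threat-feed entry
                  decoys={"admin_ro_decoy"})         # assumed decoy account name


if __name__ == "__main__":
    for kind, hits in run_sample().items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

Two things the sample makes visible that a single-indicator rule would not: the account created on 8 March is the same one that disables syslog and opens policy 99 a minute later, and the address behind those changes reappears as a VPN source and as the origin of the decoy-account login. The drill’s timing metric is how long it takes the blue team to connect those rows. Note also the 30-day window is a floor, not a ceiling: if the appliance had an exposed management interface before the patch date, widen the window to cover that whole period.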
General Cyber News & Emerging Threats
DDoS Attack Against X (Twitter) Disrupts Global Users
On March 10, 2025, the social media platform X suffered a massive DDoS attack, causing outages for more than 40,000 users worldwide.
Attribution: Pro-Palestinian hacktivist group Dark Storm Team claimed responsibility.
Impact:
Service degradation across North America and Europe.
Increased botnet traffic targeting X’s infrastructure, indicating a large-scale, coordinated attack.
Security Implications:
DDoS-for-hire services are expanding, posing risks for enterprises and financial platforms.
Organizations should monitor geopolitical tensions as potential catalysts for hacktivist-driven cyberattacks.
AI-Generated Malware on the Rise
On March 11, 2025, researchers detected a new AI-driven malware strain capable of dynamically modifying its execution flow to evade detection.
What Makes It Dangerous:
The malware autonomously alters its code in response to security tools, making signature-based detection ineffective.
AI-powered attacks can prioritize high-value targets based on contextual analysis of compromised environments.
Security Implications:
Traditional endpoint security solutions must transition to behavior-based anomaly detection.
Red teams should incorporate AI-driven malware tactics into penetration testing scenarios.
Visa’s Global Crackdown on Online Scams
On March 12, 2025, Visa’s fraud detection team announced a major disruption effort that prevented over $350M in fraudulent transactions.
Key Findings:
AI voice-cloning scams are increasingly used for phishing attacks.
Scam networks are leveraging paid advertising on social media to target victims.
Security Implications:
Financial institutions must enhance fraud prevention with AI-based detection.
Organizations should monitor for fake brand impersonation campaigns on social media platforms.
Final Considerations:
Firewalls and security appliances are now prime adversary targets.
Ransomware operators are shifting toward multi-layered extortion models.
Nation-state actors are prioritizing IT supply chain infiltration.
Organizations must transition from compliance-based security to proactive adversary detection.
Why Your Biggest Vulnerability is Being Human
Cybercriminals no longer need to write complex malware or exploit software vulnerabilities to breach an organization. They have found an easier, faster, and more effective way in—by targeting people. Social engineering has evolved from generic phishing emails to sophisticated, AI-driven deception tactics that can manipulate even the most security-conscious employees.
The numbers are staggering. Voice phishing, or vishing, grew 442% between the first and second half of 2024, according to CrowdStrike’s 2025 Global Threat Report. Criminals are no longer relying solely on fake emails. They are picking up the phone, impersonating IT staff, and convincing employees to hand over credentials. Deepfake technology is being used to clone voices and trick executives into authorizing wire transfers. AI-generated spear-phishing emails are now as convincing as those written by human experts, with click rates nearly five times higher than generic, untargeted phishing.
The most dangerous part? These attacks do not require advanced hacking skills. They prey on human psychology—trust, urgency, fear, and authority. Attackers will flood an employee’s inbox with spam, then call pretending to be IT support, offering to “fix” the issue by gaining remote access to their system. They will pose as a CFO requesting an urgent bank transfer. They will target help desks, impersonate employees, and reset passwords. If one method fails, they pivot to another.
Most security strategies still focus on firewalls, endpoint protection, and access controls, but those measures are ineffective if an employee unknowingly opens the door for an attacker. Organizations need to reframe security as a human problem, not just a technical one. That means aggressive training programs, simulated attacks, and company-wide awareness initiatives. Employees should be skeptical by default. No IT team should ever request login credentials over the phone. No financial transaction should be approved without multi-step verification.
Security teams must also adapt. If vishing is increasing, organizations should be monitoring for unusual call patterns. If help desks are being targeted, security questions should be redesigned to make social engineering harder. If AI-generated phishing is outperforming human attempts, email security tools should be trained to detect anomalies, not just known threats.
The weakest link in cybersecurity has always been human behavior. The companies that survive the next wave of attacks will be those that acknowledge this reality and build defenses that do more than just protect networks—they protect people from themselves.
Breakout Times Are Faster Than Ever
Cybercriminals are moving at speeds that most organizations are not equipped to handle. Last year, the average breakout time, the interval between an attacker’s initial foothold and their first lateral move inside the network, dropped to 48 minutes, and in the fastest observed case it took just 51 seconds (CrowdStrike’s 2025 Global Threat Report). That means by the time a security alert is triggered, the attacker could already have escalated privileges, exfiltrated data, and established persistence.
This is no longer a hypothetical risk. The traditional approach to cybersecurity, where teams react to alerts and investigate over hours or days, is no longer viable. If you are not detecting and responding in real time, you are losing.
Most organizations still operate with security workflows designed for a different era. They rely on alerts that generate too much noise, manual investigations that take too long, and response playbooks that assume there is time to analyze an incident before taking action. The data shows that assumption is flawed. By the time most companies confirm a breach, attackers have already spread across their network, making containment exponentially harder.
The companies that survive the next wave of cyber threats will be the ones that prioritize speed. A one-minute response plan is no longer an aggressive target; it is the minimum requirement. That means automating detection and response, ensuring security teams have real-time visibility, and eliminating bottlenecks that slow down decision-making. Security tools need to act as force multipliers, not obstacles. AI-driven detection, automated containment, and pre-approved response actions should be standard operating procedures. If an attacker moves in under a minute, your security stack should be moving in milliseconds.
Cyber resilience is about assuming compromise and engineering an environment where threats are neutralized before they escalate. This requires a shift from static defenses to dynamic, real-time decision-making. Teams need to be trained to react instantly, and response playbooks need to be built around automation. Security leaders should be asking one simple question: if an attacker breaches your environment right now, how quickly can you contain them?
For companies that still rely on outdated security models, the answer is probably too slow. The clock is already ticking.
The New Cybercrime Arms Race
Artificial intelligence is not just a tool for businesses looking to optimize workflows and automate processes. It has also become a weapon for cybercriminals who are using AI to scale their attacks, evade detection, and manipulate targets with unprecedented precision. The organizations that fail to recognize this shift will be left defenseless against an adversary that is getting smarter, faster, and more efficient.
Cybercriminals have always looked for ways to maximize impact with minimal effort. AI is the perfect enabler. Generative AI has made it easier to create convincing phishing emails, deepfake videos, and voice clones, allowing attackers to manipulate victims with social engineering tactics that are nearly impossible to distinguish from reality. A single AI-generated phishing campaign can now produce thousands of highly personalized emails in seconds, each tailored to the recipient’s role, interests, and behavioral patterns. The results are devastating. A recent study found that fully AI-generated spear-phishing emails reached a 54% click-through rate, on par with emails crafted by human experts and against 12% for generic, untargeted phishing.
But AI isn’t just improving deception. It is also being used to automate reconnaissance, identify vulnerabilities, and generate exploits. Large language models can analyze massive datasets and pinpoint weaknesses in corporate infrastructure, significantly reducing the time attackers need to plan and execute breaches. Criminal forums are already discussing ways to use AI to generate malware, optimize attack sequences, and even improve evasion techniques to bypass security tools.
This is an arms race. Security teams that rely on traditional defense mechanisms will fall behind. AI-powered threats require AI-powered defenses. Organizations must adopt AI-driven threat detection, real-time behavioral analysis, and automated response mechanisms to keep up. The days of static firewalls and signature-based antivirus solutions providing adequate protection are over. Cyber resilience now depends on machine learning models that can detect anomalies, predict attack patterns, and neutralize threats before they escalate.
Most businesses are unprepared for this shift. They have AI sprinkled into their marketing and customer service operations but have not integrated it into their security strategy. Meanwhile, cybercriminals are using AI to tear down defenses, manipulate employees, and accelerate breaches. The question isn’t whether AI will change cybersecurity. It already has. The only decision left is whether organizations will adapt—or be outpaced by an adversary that no longer needs human hands to launch an attack.
The Age of the Enterprising Cybercriminal
Cybercrime is no longer a niche problem or a side hustle for opportunistic hackers. It is a multi-billion-dollar industry with structured operations, specialized roles, and global reach. Criminal organizations have evolved into enterprise-grade operations, complete with research and development teams, strategic partnerships, and aggressive expansion plans. The modern cybercriminal doesn’t just hack into systems; they build scalable business models designed for efficiency, automation, and maximum return on investment.
Gone are the days when a breach meant a single actor targeting a single company. Today, cybercrime is a supply chain. Initial access brokers specialize in breaching organizations and selling entry points to the highest bidder. Ransomware-as-a-service providers offer turnkey attack platforms that require no technical expertise to deploy. Social engineering specialists manipulate employees into handing over credentials, feeding a global market where stolen logins and sensitive data are sold in bulk. Even the customer support model has been adopted, with cybercriminals offering troubleshooting assistance to affiliates running attacks.
This level of organization has made cyberattacks faster, more precise, and harder to detect. The time from initial compromise to lateral movement—known as breakout time—has hit an all-time low. On average, attackers move across networks within 48 minutes, with the fastest observed case taking just 51 seconds. That means by the time a company detects a breach, the attacker is already inside, exfiltrating data, escalating privileges, and preparing for the next phase of their attack.
The traditional approach to cybersecurity is fundamentally broken. Companies still rely on perimeter defenses, static detection rules, and compliance checklists while their adversaries innovate at an alarming rate. It is no longer enough to patch vulnerabilities and hope for the best. Organizations must assume they will be compromised and structure their defenses accordingly. That means continuous threat monitoring, real-time response capabilities, and a cyber resilience strategy that extends beyond the IT department.
For too long, cybersecurity has been treated as an operational expense, a necessary but inconvenient budget item. It needs to be viewed as a core function of business survival. Companies that fail to adapt will not just suffer breaches; they will suffer irreparable financial, operational, and reputational damage.
The real question is no longer whether an attack will happen. It is whether your organization is prepared to respond when it does.