It’s a new year for our cybersecurity roundup in 2025, and this time out we’ll be looking back at the end of last year and diving forward into January’s major cybersecurity news.
Let’s begin with some general observations:
- Cybersecurity is only getting more complex, on the basis of more unpredictable supply chains and the rapid adoption of fast-shifting technologies.
- Uncertainty, worldwide, is increasing both criminal opportunities and tension.
- Regulations, globally, are also increasing, which means added compliance needs for companies at the same time they’re facing more risk.
- Skills gaps continue to grow in the field.
And as detailed by the World Economic Forum in their new report for 2025, the security gap between small and large companies is also growing, with 35% of smaller players saying their security is insufficient (vs. just 5% in 2022), while larger companies are feeling safer, relatively speaking (7% 2025 vs. 13% in 2022).
Regardless of size, 72% of organizations are seeing an increase in cyber risks overall (see below for more findings).
But that’s why we’re here: to help you stay on top of emerging cybersecurity threats and trends with our bi-monthly roundups.
Catch up on our prior roundups for 2024 here:
2024 Year in Review
While we focus most on December (see breaches below), 2024 overall saw a continued frenzy in cybersecurity attacks, with a surge in state-sponsored cybercrime (alongside good old-fashioned independent crime) that repeatedly hit on the same vulnerabilities.
This was well-illustrated in the massive Snowflake breaches, where criminals used stolen credentials to compromise 165 corporate accounts (per Mandiant), enabling them to exfiltrate data from millions of users (Ticketmaster alone had some 560 million records stolen), across various organizations.
One of the largest identity-based cyberattacks in history, it took advantage of credentials obtained in prior infostealer infections—some dating back to 2020—enabling criminals to access Snowflake tenants not using multi-factor authentication (MFA).
With a simple SQL-based attack, vast amounts of customer data were extracted leading to ransom demands, followed by the posting of stolen information for sale on criminal marketplaces.
The incident was a kind we saw repeated throughout 2024 and showcases the need for strong identity protections, MFA enforcement, and proactive monitoring.
Identity-based attacks are famously difficult to track, as they involve using legitimate credentials, typically acquired in a prior attack stage. While that initial stage can make use of social engineering, it frequently works via malware that lingers on compromised systems undetected, offloading all sorts of data from a user’s system (including login credentials).
One means of distributing such infostealer malware is called maladvertising and works through hackers placing fake/malicious copies of real sites in the advertising area of search engines like Google.
Appearing above the real thing, these ads may even show you the real link, but when clicked on, redirect to a malicious variant, where the user is tricked into downloading malware. For great examples of this with screencaps, check out this writeup in Bleeping Computer.
Though these malicious ads get rapidly taken down, they pop right back up in slightly varied forms. They are one increasingly common way hackers perform step #1 above to open the door for downstream identity-based cyberattacks.
Researchers noted a 42% rise in US malvertising cases in late 2023, with a further 41% increase from July to September 2024.
Another area of risk is malware that can circumvent browser isolation, coming via QR codes, as also profiled by Mandiant. Exploiting a novel command-and-control (C2) bypass technique in browser isolation environments, attackers can embed commands in QR codes displayed on compromised web pages, allowing malware to extract and execute even in sandboxed browsers.
Once login credentials have been obtained and distributed, criminals enter the system and move laterally as necessary to get to customer data, the kind of attack that was rampant in the healthcare cybersecurity breaches in 2024, such as the nightmare at Change.
That breach shut down medical care nationwide, exposed over 100 million patient records, and resulted in substantial financial and reputational damage.
As headlined last time out, China’s Salt Typhoon infiltrated nine U.S. telecommunications companies (AT&T was among those hit through Snowflake, too) and stole over 3,000 sensitive files from the U.S. Treasury, with the fallout still ongoing.
North Korean hackers have made cryptocurrency theft a prime target, swiping some $660 million in 2023, and in 2024 stole a reported $1.34 billion, surpassing previous records.
Sticking with state-sponsored attacks, Russia’s Midnight Blizzard successfully breached Microsoft and Hewlett-Packard Enterprise (HPE), accessing executive email accounts and exfiltrating sensitive internal communications.
And of course there was the National Public Data breach, leaking the names, Social Security numbers, phone numbers, addresses, and dates of birth for some 1.3 million people. The company’s non-disclosure only increased rampant speculation, reinforcing hacker reports that the initial number was much larger.
Looking to 2025
As reported by Brian Krebs, Microsoft opened the new year with one of their biggest-ever drops of security updates, addressing a staggering 161 different security issues (including three-zero-day vulnerabilities already being attacked) all in one go.
For Windows users, it’s a good reminder to stay patched ASAP in this new year, beginning with these Microsoft cybersecurity updates.
Confidence, overall, isn’t great on the security front in this new year:
New Executive Order
The outgoing Biden administration made one final push for cybersecurity, requiring more than 50 agency actions in a 50-page directive. Focused on the surge in identity-based crimes, it seeks to promote the use of digital-identity documents (such as mobile drivers licenses) to more accurately validate individuals. It also mandates actions aimed to secure:
- Third-party software supply chains
- Phishing-resistant authentication
- Improved internet traffic detection
- More AI infusion into security
- Threats from adversarial countries
Still, many question its feasibility, given the changeover of administrations and its lack of focus on securing infrastructure.
AI Issues in Early 2025
As we’ve detailed regularly, AI-powered scams keep improving fast, with regular attacks now incorporating deepfake voices, AI posing as legit financial advisors, and ever-more sophisticated social-engineering tricks to deceive victims.
[PTP’s CEO and founder Nick Shah wrote a recent article profiling some of the phishing attack trends for 2025, as well as the importance of building a culture of cybersecurity.]
AI tools scrape online data—social media activity, corporate press releases, public filings—to improve phishing scams, and AI-generated phishing emails can also be harder to detect and filter, as they can rapidly rework messages easily.
Experts recommend setting up your own secret passcodes for authentication (within your family or team) and to remain skeptical and vigilant on requests using extreme urgency as a motivation to act.
AI scam awareness also begins by staying informed, and The PTP Report can help, with our bi-monthly roundups on AI in addition to cybersecurity.
Another area AI is exposing companies to risk is less obvious: employees entering sensitive information on public platforms like ChatGPT and Copilot.
Researchers at Harmonic Security (as reported by Dark Reading) analyzed thousands of workplace prompts to systems like Microsoft Copilot, OpenAI ChatGPT, Google Gemini, Anthropic’s Claude, and Perplexity and discovered that some 8.5% contained sensitive data. These included customer data (47%), employee data (27%), financial details (15%), security information (7%), and source code (6%).
NHI
Speaking of machines, identity-based attacks aren’t limited to people, with machine-to-machine identity theft, or non-human identity (NHI) attacks becoming an increasing problem. These occur when cryptographic keys are stolen, enabling criminals to generate their own authorization tokens, as for API access.
Cloudflare disclosed a significant NHI attack a year ago, with The New York Times suffering one in June, and Adobe late in 2024.
Most notably, the US Treasury hack may have been caused by NHI vulnerabilities, when a leaked API key allowed cybercriminal access through a third-party security provider.
The IoT Botnet Mayhem
Thousands of home and office routers and web cameras began 2025 infected with malware, according to reporting in Ars Technica. These vulnerabilities played a role in the Salt Typhoon attacks, through the crisis is worsening, with compromised machines being used to launch some of the most enormous distributed denial-of-service (DDoS) attacks ever seen.
Cloudflare blocked a 5.6 Tbps DDoS, the largest ever, driven by 13,000 Mirai-infected IoT devices. Other botnets, like the Murdoc and MikroTik-based networks, are also fueling attacks worldwide.
IoT devices often arrive running Linux that’s missing security updates, compounding other security issues—outdated firmware, default passwords, and exposed remote management. Hybrid botnets mixing IoT and cloud-based virtual machines are also emerging, making these devices and their capacity to be properly secured an area of concern as we start 2025.
Data Breach Updates
Before we go, let’s take a look back at the big data breaches of this period:
PIH Health Hospitals
On December 1, California-based healthcare provider PIH suffered a serious ransomware attack crippling operations. Attackers claimed to have exfiltrated some two terabytes of sensitive data, including 17 million patient records, containing home addresses, treatment records of cancer patients, test results and treatments, confidentiality agreements, and a number of nondisclosure agreements between PIH Health and other medical organizations.
Rhode Island Banking Data
A cyberattack on Rhode Island’s RIBridges system exposed the records of potentially hundreds of thousands of people who applied for government services (since 2016), such as SNAP and Medicaid.
The state and its vendor Deloitte confirmed the breach in December, stating there’s a “high probability” the breach contains Social Security and even bank account numbers, and that the attack was conducted by an international cybercrime group.
Malware found in the system may have also caused extreme damage, and the systems had to be brought down to deal with the attack.
While no fraud has yet been reported, Rhode Island is offering credit monitoring. The attack coincided with their health insurance open enrollment period, causing extensive delays.
The AT&T Leak Includes FBI Call Logs
Previously covered AT&T leaks were confirmed in this period to include FBI call and text logs with metadata, which can expose confidential informants. The agency is racing to contain the fallout and safeguard sources.
PowerSchool Breach May Include Millions of Student Records
PowerSchool, a K-12 educational technology platform serving over 60 million students, suffered a data breach in late December and is working with the FBI to diagnose the severity.
The hack once again gained access using stolen credentials and potentially exposed names, addresses, Social Security numbers, medical information, and grades of students and staff.
Though the company claims only some schools were affected, the exact number remains undisclosed. PowerSchool reportedly paid the ransom, being assured leaked data had been deleted.
Other Attacks:
- Volkswagen: Volkswagen’s Cariad unit suffered a data breach exposing personal information and specific location data for some 800,000 electric vehicles. According to The Verge, the vulnerability is believed to have come from misconfigurations in their Amazon cloud storage.
- Texas Tech University Health Sciences Center: According to the HIPAA Journal, PHI for some 1.46 million individuals was compromised in a massive data exfiltration that was disclosed in December. The ransom was not paid, and information may include personal details, Social Security numbers, driver’s license numbers, financial account information, health insurance information, diagnosis and treatment information, medical records numbers, and even billing and claims data.
- Ascension Health: An Ascension Health data breach from May finally identified affected parties, with the estimate of those impacted jumping from 500 to 5.6 million. As reported by the HIPAA Journal, this makes it the third largest healthcare breach of 2024, behind Change Healthcare’s 100 million and the Kaiser Foundation’s 13.4 million.
It’s a New Year: Address Cybersecurity Skills Gaps with PTP
One of the long-running cybersecurity trends is skills gaps, and as reported in the World Economic Forum’s report for 2025, they’re only getting worse.
PTP is here to help. With 27+ years as a top technical recruiting firm, we can help you find the best cybersecurity talent, no matter how specific the skills need. Cybersecurity is one of our core specialties, and we sincerely love being able to help organizations shore up against attacks and put into place solutions to help them identify and resolve episodes with less harm and expense.
Conclusion
As usual, our report is barely able to cover the top of the security iceberg, leaving us forced to excise some coverage in the interest of length.
But we’ll be back with our next edition at the end of March, continuing our coverage of the top cybersecurity threats in 2025, and hopefully there’s less to report on.
In the meantime, keep an eye on The PTP Report for more focused coverage of specific cybersecurity events and best practices and, as always, contact PTP for onsite or remote assistance with your own security needs.
Stay safe and stay vigilant!
References
Global Cybersecurity Outlook 2025, World Economic Forum
PowerSchool data breach leaks info of students and staff at schools across the US, The Verge
Personal Data of Rhode Island Residents Breached in Large Cyberattack, The New York Times
AT&T hack exposes agents’ call logs leaving FBI scrambling, Cybernews
The Worst Hacks of 2024, Wired
The Internet is (once again) awash with IoT botnets delivering record DDoSes, ArsTechnica
Hackers Claim to Have Stolen 17 Million Patient Records from PIH Health, The HIPAA Journal
(QR) Coding My Way Out of Here: C2 in Browser Isolation Environments, Google Cloud Threat Intelligence
Microsoft: Happy 2025. Here’s 161 Security Updates, Krebs on Security
Biden White House goes all out in final, sweeping cybersecurity order, CSO
Cyber pros skeptical of Biden’s last-minute cybersecurity executive order, Cybernews
Employees Enter Sensitive Data Into GenAI Prompts Far Too Often, Dark Reading
