CERT-W Report 2025: Analysis of a year of incident response and the evolving threats
Published October 7, 2025

Key lessons from 2025
- Financial gain remains the primary motivation, with ransomware being the most common, but espionage is on the rise.
- Phishing regains the top spot as the main entry point for cybercriminals.
- Exploitation of vulnerable web services and remote access also remains a major entry vector.
- AI, SaaS, and open-source packages expand the attack surface.
Cyber crises in 2025: Insights, trends, and action levers
In 2025, Wavestone’s Incident Response team was once again engaged in over twenty major crises, affecting organizations of various sizes and sectors. This report aims to highlight the key trends observed, illustrate the most striking scenarios, and shed light on the challenges organizations will face in the coming months.
Indeed, organizations must now be able to monitor an increasingly heterogeneous perimeter (SaaS, partners, open source) against ever-faster attackers. The fastest attack observed by our team lasted less than a day and a half from initial access to data exfiltration.
The report therefore has a dual objective: to provide a realistic overview of attacks observed in the field and to analyze cyber threat trends to offer concrete action levers to strengthen information system resilience.
Motivations: financial gain dominates, espionage on the rise
Analysis of the incidents we managed reveals a variety of motivations, but two dominant dynamics:
- Financial gain (65%): through ransomware (half of these attacks), business email compromise fraud, and resale of stolen data. Profit remains the primary driver for cybercriminals.
- Strategic data exploitation through espionage campaigns (17%, +7pts vs. 2024): several cases illustrate a growing interest in business-critical data itself (e.g. dark web publication following SQL injection, full JIRA database leak, or suspected intellectual property theft via a partner).
Other cases involve unclear or secondary motivations, but these two trends remain the most structurally significant.
Phishing: back as the leading entry point into information systems
The attacks analyzed highlight the main entry vectors used by cybercriminals:
- Phishing: with 38% of incidents originating from phishing campaigns, phishing is the most common entry point. It enabled the compromise of both standard users and privileged accounts (administrators, VIPs, service providers). Its resurgence (up from 20% in 2024) is also due to attackers’ creativity in reinventing this technique. Notably, we observed cases of vishing, where phishing is conducted over the phone, making identity verification much more complex.
- Exposed remote access: around five incidents were linked to vulnerable RDP or VPN services, compromised via brute force or opportunistic intrusions.
- Technical vulnerabilities: present in one out of five incidents, vulnerability exploitation remains a major entry point. Two significant cases in 2025 – CVE exploitation and SQL injection – led to data exfiltration from the targeted systems.
These findings align with global trends: phishing is the top intrusion vector in 2025, ahead of vulnerability exploitation and remote access (VPN, RDP).
Key takeaways from our incident response engagements
Incident analysis also confirms four underlying trends already identified in 2024 and still relevant in 2025:
- Backups are systematically targeted: in 90% of ransomware cases, backups were deleted or encrypted to prevent recovery and increase pressure to pay the ransom.
- Business data compromise remains a central objective: observed in 71% of attacks, whether for espionage or extortion purposes.
- Organizations’ vigilance and responsiveness are under pressure: the average time between intrusion and impact is just 1.5 days, reinforcing the need to reduce detection and response times through automation and AI.
- Partners and subsidiaries remain prime targets: 56% of attacks on large enterprises occurred via their subsidiaries or partners.
Emerging trends in 2025
Social engineering techniques are becoming increasingly multichannel and sophisticated:
- Vishing (fraudulent voice calls): in 2025, fraudulent calls surged. Voice deepfakes now allow attackers to mimic executives’ voices, making their messages far more convincing. Attackers exploit urgency or social pressure to prompt victims into action. Many clients were targeted with “CEO fraud” attempts, but one notable campaign in summer 2025 targeted Salesforce users. It began with vishing calls to IT support teams to obtain privileged accounts, which were then used to log in to online platforms through legitimate access paths.
- Quishing (malicious QR codes): an emerging technique where attackers send QR codes via email or documents. When scanned, victims are redirected to fraudulent sites. This method bypasses traditional email and link protections. Numerous cases were observed, especially in digital services accessible from public spaces (e.g., EV charging stations, public service kiosks, etc.).
These two vectors are increasingly combined in multichannel campaigns, making defense more complex. Organizations must intensify awareness efforts for both employees and customers and evolve internal processes to limit the impact when these techniques succeed.
The widespread adoption of cloud services has opened new attack surfaces for cybercriminals, with two rapidly growing attack channels:
- SaaS account compromise: stolen credentials (via phishing, vishing, infostealers) or password reuse remain the most common entry points. Poor MFA configuration or its absence leaves accounts vulnerable. Once compromised, these accounts provide access to sensitive business data or critical functions.
- Abuse of APIs and third-party applications: connected apps or integrated modules are increasingly exploited to siphon emails, exfiltrate files, or manipulate data flows.
Recent campaigns have shown attackers’ growing interest in cloud CRMs, especially Salesforce. Misconfigured APIs or privileged accounts are exploited to steal customer data or initiate fraud.
This trend highlights how the speed of SaaS adoption often outpaces the maturity of security measures.
Software dependencies and external providers are weak links frequently exploited by attackers. Two major attacks illustrate this risk:
- The compromise of 18 npm packages, detected in early September 2025, aimed at stealing cryptocurrency from users of applications built on these packages.
- A major campaign in September 2025 compromised over 500 npm packages via a self-replicating worm, called “Shai-Hulud”. The worm injected malicious scripts into popular packages, stole secrets (npm tokens, GitHub credentials, API keys), and used GitHub workflows to exfiltrate data. It automatically spread to packages owned by compromised accounts, creating a cascading effect across the open-source ecosystem.
These dependencies significantly expand an organization’s attack surface. In both cases, the compromise of secrets granting modification rights enabled attackers to inject malicious code at scale into widely used open-source components.
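As an added example (not part of the CERT-W report), the following audit walks a dependency tree and flags the two package-level traits the Shai-Hulud description above relies on: scripts that run automatically at install time, and CI workflow definitions bundled inside a library. Package names, paths and script contents are constructed for the demonstration.

```python
import json
import os
import tempfile

# Lifecycle hooks that npm executes automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def audit_node_modules(root):
    """Walk every package.json under root and return (package, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            meta = json.load(fh)
        name = meta.get("name", os.path.relpath(dirpath, root))
        scripts = meta.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, f"install-time script '{hook}': {scripts[hook]}"))
        # A published library has no reason to ship CI workflow definitions.
        if os.path.isdir(os.path.join(dirpath, ".github", "workflows")):
            findings.append((name, "bundles a .github/workflows directory"))
    return sorted(findings)


def _write_package(root, name, meta, with_workflow=False):
    """Create a minimal package directory under node_modules (constructed data)."""
    pkg_dir = os.path.join(root, "node_modules", name)
    os.makedirs(pkg_dir)
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(meta, fh)
    if with_workflow:
        os.makedirs(os.path.join(pkg_dir, ".github", "workflows"))


def build_sample_tree():
    """Constructed node_modules: one clean package, one showing both traits."""
    root = tempfile.mkdtemp(prefix="npm-audit-demo-")
    _write_package(root, "clean-demo-lib", {"name": "clean-demo-lib", "version": "1.0.0",
                                            "scripts": {"test": "node test.js"}})
    _write_package(root, "tampered-demo-lib",
                   {"name": "tampered-demo-lib", "version": "1.0.1",
                    "scripts": {"postinstall": "node setup.js"}}, with_workflow=True)
    return root


if __name__ == "__main__":
    for pkg, reason in audit_node_modules(build_sample_tree()):
        print(f"{pkg}: {reason}")
```

Running installs with `npm install --ignore-scripts` prevents these hooks from executing at all; the audit above is for reviewing what an existing tree would run.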
Artificial intelligence doesn’t create entirely new attack scenarios, but it significantly enhances existing threats:
- Phishing & Deepfakes: AI enables the creation of multilingual, tailored phishing campaigns with personalized and convincing messages. Voice and visual deepfakes are used to impersonate executives or internal support teams, making fraudulent calls or unusual requests harder to detect.
- Malware Deployment: 2025 saw a rise in attackers using AI to refine their tools. Notably, ESET identified PromptLock, the first AI-powered ransomware. It operates via coded prompts that feed a local model, generating scripts capable of scanning, exfiltrating, or encrypting files based on automatic detection. Its danger lies in its adaptability, as it modifies its code at runtime, making signature-based detection far more difficult. While PromptLock currently appears to be more of a proof of concept than a widespread threat, it signals a direction attackers may pursue.
This trend of using AI to accelerate and automate malicious actions while lowering the technical barrier to large-scale attacks must also be embraced by defenders. SOCs and CSIRTs/CERTs should leverage AI to speed up response times and enhance detection capabilities.
Conclusion
The year 2025 confirms that cyberattacks are primarily opportunistic, fast-moving, and in some cases amplified by AI. Financial motivations dominate, backups and business data are systematically targeted, and SaaS environments or third-party providers are becoming critical entry points.
In response, organizations must not only strengthen traditional defenses – relying on automation and AI to accelerate detection and response – but also broaden their vigilance to include SaaS platforms and external partners.
Facing a cyber-incident?
Get in touch with the CERT-Wavestone:
- +33 1 49 03 27 26 (24/7/365 service)
- cert@wavestone.com (CET working hours)