Fortinet threat report reveals record surge in automated cyberattacks

May 13, 2025 | 10:08
Threat actors are increasingly harnessing automation, commoditised tools, and AI to systematically erode the traditional advantages held by defenders, according to Fortinet's latest report.

Fortinet announced the release of the 2025 Global Threat Landscape Report from FortiGuard Labs on May 8. The latest annual report is a snapshot of the active threat landscape and trends from 2024, including a comprehensive analysis across all tactics used in cyberattacks, as outlined in the MITRE ATT&CK framework.

“Our latest Global Threat Landscape Report makes one thing clear: Cybercriminals are accelerating their efforts, using AI and automation to operate at unprecedented speed and scale,” said Derek Manky, chief security strategist and global VP threat intelligence at Fortinet FortiGuard Labs. “The traditional security playbook is no longer enough. Organizations must shift to a proactive, intelligence-led defense strategy powered by AI, zero trust, and continuous threat exposure management to stay ahead of today’s rapidly evolving threat landscape.”

The report shows that automated scanning hits record highs as attackers shift left to identify exposed targets early. To capitalise on newfound vulnerabilities, cybercriminals are deploying automated scanning on a global scale. Active scanning in cyberspace reached unprecedented levels in 2024, rising by 16.7 per cent worldwide on-year, highlighting a sophisticated and massive collection of information on exposed digital infrastructure. FortiGuard Labs observed billions of scans each month, equating to 36,000 scans per second, revealing an intensified focus on mapping exposed services such as SIP and RDP and OT/IoT protocols like Modbus TCP.

Darknet marketplaces fuel easy access to neatly packaged exploit kits. In 2024, cybercriminal forums increasingly operated as sophisticated marketplaces for exploit kits, with over 40,000 new vulnerabilities added to the National Vulnerability Database, a 39 per cent rise from 2023.

In addition to zero-day vulnerabilities circulating on the darknet, initial access brokers are increasingly offering corporate credentials (20 per cent), RDP access (19 per cent), admin panels (13 per cent), and web shells (12 per cent). Additionally, FortiGuard Labs observed a 500 per cent increase in the past year in logs available from systems compromised by infostealer malware, with 1.7 billion stolen credential records shared in these underground forums.

AI-powered cybercrime is scaling rapidly. Threat actors are harnessing AI to enhance phishing realism and evade traditional security controls, making cyberattacks more effective and difficult to detect. Tools like FraudGPT, BlackmailerV3, and ElevenLabs are fuelling more scalable, believable, and effective campaigns, without the ethical restrictions of publicly available AI tools.

Targeted attacks on critical sectors intensify. Industries such as manufacturing, healthcare, and financial services continue to experience a surge in tailored cyberattacks, with adversaries deploying sector-specific exploitations. In 2024, the most targeted sectors were manufacturing (17 per cent), business services (11 per cent), construction (9 per cent), and retail (9 per cent). Both nation-state actors and ransomware-as-a-service operators concentrated their efforts on these verticals, with the US bearing the brunt of attacks (61 per cent), followed by the UK (6 per cent), and Canada (5 per cent).

According to the report, cloud and the Internet of Things security risks are escalating. Cloud environments continue to be a top target, with adversaries exploiting persistent weaknesses such as open storage buckets, over-permissioned identities, and misconfigured services. In 70 per cent of observed incidents, attackers gained access through logins from unfamiliar geographies, highlighting the critical role of identity monitoring in cloud defence.

Another finding is that credentials are the currency of cybercrime. In 2024, cybercriminals shared over 100 billion compromised records on underground forums, a 42 per cent on-year spike, driven largely by the rise of “combo lists” containing stolen usernames, passwords, and email addresses.

More than half of darknet posts involved leaked databases, enabling attackers to automate credential-stuffing attacks at scale. Well-known groups like BestCombo, BloddyMery, and ValidMail were the most active cybercriminal groups during this time and continue to lower the barrier to entry by packaging and validating these credentials, fuelling a surge in account takeovers, financial fraud, and corporate espionage.

Fortinet’s Global Threat Landscape Report provides rich details on the latest attacker tactics and techniques while also delivering prescriptive recommendations and actionable insights. Designed to empower CISOs and security teams, the report offers strategies to counter threat actors before they strike, helping organisations stay ahead of emerging cyberthreats.

This year’s report includes a “CISO Playbook for Adversary Defence” that highlights a few strategic areas to focus on.

Organisations should shift from traditional threat detection to continuous threat exposure management. This proactive approach emphasises continuous attack surface management, real-world emulation of adversary behaviour, risk-based remediation prioritisation, and automation of detection and defence responses. Utilising breach and attack simulation tools to regularly assess endpoint, network, and cloud defences against real-world attack scenarios ensures resilience against lateral movement and exploitation.

Simulating real-world attacks is another measure. Organisations should conduct adversary emulation exercises, red and purple teaming, and leverage MITRE ATT&CK to test defences against threats like ransomware and espionage campaigns.

Likewise, it is necessary to reduce attack surface exposure. Organisations can deploy attack surface management tools to detect exposed assets, leaked credentials, and exploitable vulnerabilities while continuously monitoring darknet forums for emerging threats.

Meanwhile, organisations should prioritise high-risk vulnerabilities. They should focus remediation efforts on vulnerabilities actively discussed by cybercrime groups, and leverage risk-based prioritisation frameworks such as EPSS and CVSS for effective patch management.

Another strategy is to leverage dark web intelligence. This can be done by monitoring darknet marketplaces for emerging ransomware services and tracking hacktivist coordination efforts to preemptively mitigate threats like DDoS and web defacement attacks.

By Thanh Van