
AI-powered cyberattacks surge as criminals exploit new tools
Fortinet has released its 2025 Global Threat Landscape Report through FortiGuard Labs, detailing cyberattack trends and tactics from 2024 and highlighting key shifts in the threat environment.
The report reveals a marked acceleration in cybercriminal activities, with an increasing reliance on automation, commoditised cyberattack tools, and the integration of artificial intelligence (AI) technologies to undermine conventional cybersecurity defences.
Derek Manky, Chief Security Strategist and Global Vice President of Threat Intelligence at Fortinet FortiGuard Labs, said, "Our latest Global Threat Landscape Report makes one thing clear: Cybercriminals are accelerating their efforts, using AI and automation to operate at unprecedented speed and scale. The traditional security playbook is no longer enough. Organisations must shift to a proactive, intelligence-led defence strategy powered by AI, zero trust, and continuous threat exposure management to stay ahead of today's rapidly evolving threat landscape."
Automated scanning surged during 2024, according to the report, rising 16.7 per cent year over year across digital infrastructure. FortiGuard Labs observed billions of scans each month, equating to approximately 36,000 scans per second globally.
Attackers are increasingly focusing on mapping exposed services such as Session Initiation Protocol (SIP) and Remote Desktop Protocol (RDP), as well as operational technology and Internet of Things (IoT) protocols such as Modbus TCP.
The report also highlights the growth of sophisticated marketplaces on cybercriminal forums in 2024. Over 40,000 new vulnerabilities were added to the National Vulnerability Database during the year, a 39 per cent increase from 2023. Initial access brokers are offering packages of corporate credentials (20 per cent), RDP access (19 per cent), admin panels (13 per cent), and web shells (12 per cent).
There has also been a 500 per cent increase in logs available from systems compromised by infostealing malware, with 1.7 billion stolen credential records shared on these underground platforms.
The deployment of AI-powered tools such as FraudGPT, BlackmailerV3, and ElevenLabs has enabled threat actors to enhance the realism and effectiveness of phishing campaigns while evading conventional security controls. These tools, which carry fewer ethical restrictions than their public counterparts, have fuelled more scalable, believable, and difficult-to-detect cyberattacks.
Targeted attacks on critical industry sectors have intensified. Manufacturing (17 per cent), business services (11 per cent), construction (nine per cent), and retail (nine per cent) were the most commonly targeted sectors in 2024. The report notes that both nation-state threat actors and Ransomware-as-a-Service (RaaS) operators have focused on these industries. The United States faced the largest proportion of attacks (61 per cent), followed by the United Kingdom (six per cent), and Canada (five per cent).
Cloud and IoT security vulnerabilities continued to be exploited by adversaries, who frequently targeted weaknesses such as open storage buckets, excessive permissions, and misconfigured cloud services. Attackers gained access via logins from unfamiliar locations in 70 per cent of cloud-related incidents, underscoring the importance of identity monitoring for effective defence in cloud environments.
Compromised credentials remain a fundamental driver of cybercrime. In 2024, cybercriminals shared over 100 billion records on dark web forums, representing a 42 per cent annual increase, largely fuelled by the spread of "combo lists" of stolen usernames, passwords, and email addresses. More than half of the posts on darknet forums involved leaked databases, providing attackers with the means to automate large-scale credential-stuffing attacks.
Cybercriminal groups such as BestCombo, BloddyMery, and ValidMail played a significant role during this period, helping to lower the bar to entry and contributing to higher rates of account takeovers, financial fraud, and corporate espionage.
Fortinet's report outlines several strategic recommendations in its "CISO playbook for adversary defence," encouraging Chief Information Security Officers (CISOs) to adopt a proactive security posture. The report recommends a transition from traditional threat detection to continuous threat exposure management, emphasising attack surface management, real-world adversary emulation, prioritisation of high-risk vulnerabilities, and the automation of detection and defence responses across endpoints, networks, and cloud services. It also advocates for the use of breach and attack simulation tools to assess resilience against lateral movement and exploitation.
In addition, the report suggests simulating real-world attacks through adversary emulation exercises, red and purple teaming, and leveraging frameworks such as MITRE ATT&CK to prepare defences against threats like ransomware and espionage. Attack surface management tools should be deployed to detect exposed assets and leaked credentials while monitoring darknet forums for new threats.
Efforts should especially focus on vulnerabilities actively discussed by cybercrime groups, using risk-based frameworks for effective patch management. The use of dark web intelligence is also recommended to monitor emerging ransomware services and track hacktivist coordination efforts in order to pre-emptively mitigate threats including distributed denial-of-service and web defacement attacks.
FortiGuard Labs states that its advisory services combine technology and expertise to assist organisations in strengthening security postures before threats materialise. In the event of a cybersecurity incident, the organisation offers rapid response and detailed forensic analysis aimed at minimising impact and preventing recurrence.