Forescout’s 2025H1 Threat Review Highlights Surge in Zero-Day Exploits, Nation-Backed Hacktivism, and Healthcare Vulnerabilities
Ransomware hits 20 targets per day as attackers exploit unconventional entry points for lateral movement
LAS VEGAS, Nevada, August 4, 2025 — Forescout Technologies, Inc., a global leader in cybersecurity, today released its 2025H1 Threat Review, an analysis of more than 23,000 vulnerabilities and 885 threat actors across 159 countries worldwide during the first half of 2025. Among the key findings: ransomware attacks are averaging 20 incidents per day, zero-day exploits increased 46 percent, and attackers are increasingly targeting non-traditional equipment, such as edge devices, IP cameras and BSD servers. These footholds are often used for lateral movement across IT, OT, and IoT environments—allowing threat actors to pivot deeper into networks and compromise critical systems.
“We’re seeing attackers gain initial access through overlooked IoT devices or infostealers, then use lateral movement to pivot across IT, OT, and IoT environments,” said Sai Molige, Senior Manager of Threat Hunting at Forescout Technologies. “Our ValleyRAT hunt, which uncovered the Chinese threat actor Silver Fox targeting healthcare systems, is a prime example. These attackers exploit blind spots to quietly escalate access. The Forescout 4D Platform™ is purpose-built to detect hidden entry points, continuously assess their risk, and disrupt lateral movement before adversaries reach critical systems.”
“Cyberattacks aren’t just technical events — they have real-world consequences that put human lives at risk. From hospitals to medical devices to critical infrastructure, it is all being targeted through zero-day exploits, unconventional entry points, and nation-backed hacktivism,” said Barry Mainz, CEO of Forescout. “You can’t defend critical infrastructure with yesterday’s tools. Security today must be continuous, proactive, and device-agnostic. Forescout delivers the only platform that secures all devices — IT, OT, IoT and IoMT — across every environment, so organizations can protect what matters most.”
Forescout Research – Vedere Labs H1 2025 Threat Review Key Findings:
Exploits shift to older vulnerabilities and unconventional devices, zero days increase
- 47% of newly exploited vulnerabilities were originally published before 2025.
- Published vulnerabilities rose 15%, with 45% rated high or critical.
- Zero-day exploitation increased 46%, and CVEs added to CISA KEV jumped 80%.
- Modbus accounted for 57% of OT protocol traffic in Forescout honeypots.
- Ransomware actors increasingly targeted non-traditional equipment, such as edge devices, IP cameras and BSD servers, which often lack EDR, making them ideal entry points for undetected lateral movement and underscoring the need for integrated detection solutions.
Ransomware rises 36% year over year, with 3,649 documented attacks in H1
- Attacks grew in frequency to 608 per month, or roughly 20 per day.
- The U.S. was the top target, accounting for 53% of all incidents.
- The top sectors targeted were services, manufacturing, technology, retail and healthcare.
- New attack vectors included IP cameras and BSD systems, amplifying lateral movement across enterprise environments.
Healthcare is under siege, averaging two healthcare breaches per day
- In the first half of 2025, the healthcare sector emerged as the most impacted vertical for data breaches.
- Nearly 30 million individuals were affected by breaches in H1 2025.
- 76% of breaches stemmed from hacking or IT incidents.
- 62% of breaches involved data stored on network servers; 24% were on email systems.
- Forescout identified trojanized DICOM imaging software delivering malware directly to patient systems.
Lines blur between hacktivists and state-sponsored actors
- Forescout tracked 137 threat actor updates in H1 2025, with 40% attributed to state-sponsored groups and 9% as hacktivists. The remaining 51% were cybercriminals, such as ransomware groups.
- Iran-affiliated groups like GhostSec and Arabian Ghosts targeted programmable logic controllers (PLCs) linked to Israeli media and water systems.
- CyberAv3ngers amplified unverified claims before major OT attacks in 2023–2024, echoing similar tactics now under a new identity: APT IRAN.
- APT IRAN, CyberAv3ngers and other Iranian hacktivist personas form a continuum of Iranian threats to OT/ICS.
“Hacktivist operations are no longer just symbolic or isolated. They’re evolving into coordinated campaigns targeting critical infrastructure with real-world consequences,” said Daniel dos Santos, Head of Research at Forescout. “What we’re seeing from Iranian-aligned groups is a shift toward more aggressive, state-influenced disruption tactics masked as activism. As geopolitical tensions escalate, these actors are becoming faster, louder and harder to attribute, and that makes their threat even more urgent for defenders to address.”
Steps to Reduce Risk and Build Cyber Resiliency
- Use agentless discovery to identify and monitor all connected assets—IT, OT, IoT and healthcare systems.
- Regularly assess for vulnerabilities, apply patches, disable unused services and enforce strong, unique credentials with MFA.
- Segment networks to isolate device types and limit lateral movement in case of compromise.
- Encrypt all sensitive data in transit and at rest, especially PII, PHI and financial information.
- Deploy threat detection tools that ingest data from EDR, IDS and firewalls while enabling detailed logging of user and system activity.
About Forescout
For more than 25 years, Fortune 100 organizations, government agencies, and large enterprises have trusted Forescout as their foundation to manage cyber risk, ensure compliance, and mitigate threats. The Forescout 4D Platform™ delivers comprehensive asset intelligence, continuous assessment, and ongoing control over all managed and unmanaged, agented and un-agentable assets across IT, OT, IoT, and IoMT environments. Forescout’s open platform makes every cybersecurity investment more effective with seamless data integrations and automated workflow orchestration across more than 100 security and IT products.
Forescout Research – Vedere Labs is the industry leader in device intelligence, curating unique and proprietary threat intelligence that powers Forescout’s platform.