
Redazione RHC : 6 November 2025 11:22
Milan, November 4, 2025 – Cyberattacks that exploit publicly accessible applications, such as websites or corporate portals, to gain access to organizational systems are on the rise, as are phishing attacks conducted through compromised corporate accounts. Ransomware attacks, however, are declining, although new and dangerous variants of this type of threat have been detected.
These are the most significant findings of the Cisco Talos report covering the July, August and September 2025 quarter.
Regarding cyberattacks exploiting publicly accessible applications, this method was used in more than six out of ten incidents handled by the Incident Response team, up from 10% in the previous quarter. This sharp increase is linked in particular to a series of attacks against on-premises Microsoft SharePoint servers, exploiting security flaws disclosed in July.
Ransomware attacks accounted for approximately 20% of incidents, down from 50% in the previous quarter. Despite the decline, ransomware remains one of the most widespread and persistent threats to businesses. For the first time, the Cisco Talos team addressed new variants such as Warlock, Babuk, and Kraken, in addition to established families such as Qilin and LockBit.
In one case, experts attributed an attack with “moderate certainty” to a Chinese-linked cybercriminal group known as Storm-2603. An unusual element of this attack was the use of Velociraptor, an open-source software typically used for digital forensics, exploited here to maintain access to compromised systems—a behavior never before observed in this type of attack. Finally, an increase in attacks involving the Qilin ransomware has been observed, a sign that this group is intensifying its activity.
ToolShell-related attacks confirm the importance for companies of properly segmenting their networks and promptly installing security updates. Over the past quarter, over 60% of incidents analyzed by Cisco Talos originated from publicly accessible applications, such as websites or corporate portals. Nearly four out of ten cases involved ToolShell activity, a technique that has significantly contributed to the growth of this type of attack.
Beginning in mid-July 2025, cybercriminals began exploiting two new vulnerabilities in on-premises Microsoft SharePoint servers (identified as CVE-2025-53770 and CVE-2025-53771). These flaws, related to others already patched by Microsoft in early July, allow attackers to execute code remotely without valid login credentials.
As mentioned, phishing attacks launched from compromised corporate accounts continue to pose a real threat. Cybercriminals leverage compromised internal emails to spread the attack within the organization or to external partners.
Talos experts observed that the ToolShell chain was being exploited even before Microsoft’s official warning, with most attacks occurring in the following ten days. This technique was found in approximately a third of incidents in the quarter, an increase from the previous period. In many cases, it was combined with phishing: in one of the monitored attacks, a compromised Microsoft 365 account was used to send nearly 3,000 fraudulent emails.
Ransomware, on the other hand, is decreasing. In the just-ended quarter, ransomware attacks accounted for approximately 20% of incidents handled by Cisco Talos, down from 50% in the previous period. For the first time, however, the Talos Incident Response team addressed new variants such as Warlock, Babuk, and Kraken, in addition to established families such as Qilin and LockBit.
Cisco Talos handled a ransomware attack attributed with moderate certainty to the Chinese-based Storm-2603 group. The attack severely impacted a telecommunications company’s IT infrastructure, including critical operating systems. During the investigation, Talos experts discovered that the cybercriminals had installed an outdated version of Velociraptor, an open-source tool commonly used for digital forensics and incident response, on five compromised servers.
Velociraptor was used to maintain access to systems even after some hosts were isolated—a behavior never before observed in a ransomware attack. The version used had a security vulnerability that allowed attackers to remotely control infected systems. This case confirms a trend already highlighted by Cisco Talos: cybercriminals are increasingly using legitimate tools, both commercial and open source, to make attacks more effective and difficult to detect.
The Qilin group, which first emerged in the previous quarter, has been ramping up its operations, as evidenced by the growing number of data leaks published online since February 2025. Qilin attacks follow a well-established pattern: initial login with stolen credentials, use of a custom encryptor built for each victim, and deployment of the CyberDuck tool to steal and transfer data. The group’s growing activity indicates that Qilin will remain a top ransomware threat at least until the end of 2025.
For the first time since 2021, public administration was the most affected sector. Public entities are attractive targets because they often have limited budgets and use outdated defense systems. This quarter, attacks primarily targeted local authorities, which also operate schools and healthcare facilities and handle sensitive data and therefore cannot afford long periods of inactivity. These characteristics make them attractive to both profit-driven and espionage-motivated cybercriminals.
During the quarter under review, the most common method of gaining initial access to corporate systems was through the exploitation of internet-facing applications, often tied to ToolShell activity. Other methods observed included phishing, the use of compromised valid credentials, and attacks via malicious websites.
Over the past quarter, nearly a third of incidents involved multi-factor authentication (MFA) abuse, such as MFA fatigue—repeated push requests sent until the user approves one by mistake—or control bypasses. To counter these attacks, Talos recommends enabling anomaly detection, such as flagging logins from geographically implausible locations, and strengthening MFA policies. Another critical issue that emerged concerns logging: in many cases, the lack of complete logs has hampered investigations, with frequent issues such as logs being deleted, disabled, or retained for too short a period. Cisco Talos recommends using Security Information and Event Management (SIEM) solutions to centralize and protect logs, so traces remain even in the event of a system compromise. Finally, approximately 15% of attacks exploited unpatched systems, including SharePoint servers that remained vulnerable weeks after patches were released. To reduce vulnerabilities and prevent attackers from moving laterally, it is essential to apply updates promptly.
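As an added illustration of the two detections Talos recommends above (not code from the report or from Cisco Talos), the following script runs an MFA-fatigue check and an impossible-travel check over a small set of constructed sign-in events; the log format, user names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, in chronological order (not real data).
SAMPLE_LOG = """\
2025-08-12T08:00:01Z user=alice event=mfa_push result=denied country=IT
2025-08-12T08:00:40Z user=alice event=mfa_push result=denied country=IT
2025-08-12T08:01:15Z user=alice event=mfa_push result=timeout country=IT
2025-08-12T08:01:50Z user=alice event=mfa_push result=denied country=IT
2025-08-12T08:02:30Z user=alice event=mfa_push result=approved country=IT
2025-08-12T09:10:00Z user=bob event=login result=success country=IT
2025-08-12T09:25:00Z user=bob event=login result=success country=US
2025-08-12T10:00:00Z user=carol event=mfa_push result=approved country=IT
"""

def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime ts."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def mfa_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` unapproved pushes inside one window."""
    flagged = set()
    per_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "mfa_push" and ev["result"] != "approved":
            per_user[ev["user"]].append(ev["ts"])
    for user, times in per_user.items():
        # Sliding window over the user's unapproved pushes.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged

def impossible_travel(events, min_gap=timedelta(hours=2)):
    """Users with successful logins from two countries closer than min_gap."""
    flagged = set()
    last = {}  # user -> (timestamp, country) of the previous success
    for ev in events:
        if ev["event"] != "login" or ev["result"] != "success":
            continue
        prev = last.get(ev["user"])
        if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] < min_gap:
            flagged.add(ev["user"])
        last[ev["user"]] = (ev["ts"], ev["country"])
    return flagged
```

Both checks depend on the push and sign-in events actually being retained, which is why the report's point about centralizing logs in a SIEM matters as much as the detection rules themselves.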
Redazione