[Kroll]: Threat Intelligence (TI) Spotlight Trends Report - 发现报告

Information Technology | 2025-08-01 | Kroll睿***
Threat Intelligence (TI) Spotlight Trends Report
August 2025

Methodology
▪ Kroll TI monthly spotlights are based on intelligence from Kroll's cyber incident response engagements where we are engaged to respond, manage, or mitigate a cybersecurity incident. Kroll's incident response work is informed by intelligence gained from the thousands of engagements handled per year by the Kroll Cyber Data & Resilience team.
▪ Data is collected and processed by the Kroll Cyber Threat Intelligence team during the initial scoping intake as well as during the lifecycle of a Kroll engagement.
▪ Kroll currently reports on data on a monthly and quarterly basis through the monthly spotlights and Quarterly Threat Landscape reports.

Key Takeaways, August 2025

Initial Access Methods*
• External Remote Services (20%)
• Phishing: Link (17%)
• Phishing: Attachment (13%)
• Valid Accounts (13%)
• Phishing: Non-Technical (10%)

Most Impacted Industries
• Professional, Scientific, and Technical Services (27%)
• Manufacturing (16%)
• Finance and Insurance (9%)
• Health Care and Social Assistance (8%)
• Educational Services (8%)

Top Threat Incident Types
• Email Compromise (40%)
• Ransomware (31%)
• Insider Threat (18%)
• Unauthorized Access (5%)
• Web Compromise (3%)

Top Ransomware Variants
• QILIN
• SINOBI
• NITROGEN
• INC
• FOGS
• DRAGONFORCE
• KAWA4096

Industry Analysis, August 2025

PROFESSIONAL, SCIENTIFIC, AND TECHNICAL SERVICES WAS THE MOST IMPACTED INDUSTRY IN AUGUST 2025
▪ Email Compromise and Ransomware were the top reported threat incident types impacting the professional, scientific, and technical services industry.
▪ In August, threats against the professional, scientific, and technical services industry most often involved External Remote Services and Phishing: Link as the initial access methods.

MANUFACTURING WAS THE 2ND MOST IMPACTED INDUSTRY IN AUGUST 2025
▪ Ransomware was the top reported threat incident type impacting the manufacturing industry.
▪ In August, threats against the manufacturing industry most often involved External Remote Services as the initial access method.

[Chart: August 2025 Incidents by Industry]
[Chart: Most Impacted Industries, Previous 6 Months]

Impact Analysis, August 2025

DATA ENCRYPTED FOR IMPACT WAS THE MOST COMMON IMPACT OBSERVED BY KROLL IN AUGUST 2025
▪ In Kroll ransomware engagements, the primary impact was Account Access Removal.
▪ For insider threat engagements, the most observed impacts were Financial Theft and Data Exfiltrated for Impact.
▪ Professional, Scientific, and Technical Services reported the most confirmed impacts across all threat types, including:
  ▪ Data Encrypted for Impact
  ▪ Data Exfiltrated for Impact
  ▪ Financial Theft

Ransomware Analysis, August 2025

AKIRA WAS THE MOST COMMON RANSOMWARE VARIANT OBSERVED BY KROLL IN AUGUST 2025
▪ In August, Professional, Scientific, and Technical Services was the top industry targeted by ransomware actors across Kroll engagements.
▪ Ransomware actors primarily gained initial access through External Remote Services, such as VPN. The most frequently observed VPN was SonicWall.
▪ Consumer and Industrial was the top industry for victims posted to ransomware actor-controlled shaming sites and blogs.
▪ North America was the top region for victims posted to ransomware actor-controlled shaming sites and blogs.

[Chart: August 2025 Ransomware: Top Impacted Industries]
[Chart: Ransomware: Actor-Controlled Site Listings, August 2025]
[Chart: August 2025 Incidents by Threat Type]
[Chart: Threat Type Trends, Previous 6 Months]
[Chart: August 2025 Initial Access Methods]
[Chart: Trending Vulnerabilities, August 2025]

Threat Incident Types
Email Compromise: An event where email accounts are accessed maliciously by a third party (e.g., account takeover), a phishing email/campaign is identified, or an organization's email is used or compromised in a fraud scheme, such as a business email compromise.
Ransomware: An event where threat actors conduct malicious activity within a network followed by a demand for a financial ransom. Typically includes some combination of data exfiltration, data encryption, and extortion.
Malware: An organization is impacted by a malware or virus where no financial demand is made. Examples include pre-ransomware activity (e.g., QakBot, Emotet) or information stealers (e.g., Vidar, Raccoon).
Unauthorized Access: An unauthorized actor has inadvertently or maliciously accessed a network.
Web Compromise: An actor has gained unauthorized access to web application or website code to conduct malicious activity. Examples include SQL injections to steal credit card data or website defacement.

Initial Access Methods
Drive-By Compromise: Compromise via a legitimate website.
External Remote Services: Compromise via remote access services such as VPNs, RDPs, and other devices.
Hardware Additions: Addition of a computing device to gain access.
Exploit Public Facing Application: Exploitation of a vulnerability or misconfigured settings to gain access.
Phishing: Attachment: Use of malware attached to an email.
Phishing: Link: Use of links in an email that lead to credential loss and/or downloading malware.
Phishing: Non-Techni