
August 2025 Threat Intelligence (TI) Spotlight Trends Report

Information Technology | 2025-11-05 | KROLL | 华***

Threat Intelligence (TI) Spotlight Trends Report, August 2025

Methodology
▪ Kroll TI monthly spotlights are based on intelligence from Kroll's cyber incident response engagements where we are engaged to respond, manage, or mitigate a cybersecurity incident. Kroll's incident response work is informed by intelligence gained from the thousands of
▪ Data is collected and processed by the Kroll Cyber Threat Intelligence team during the initial
▪ Kroll currently reports on data on a monthly and quarterly basis through the monthly spotlights and Quarterly Threat Landscape reports.

Key Takeaways, August 2025

Initial Access Methods
• External Remote Services (20%)
• Phishing: Link (17%)
• Phishing: Attachment (13%)
• Valid Accounts (13%)

Most Impacted Industries
• Professional, Scientific, and Technical Services (27%)
• Manufacturing (16%)
• Finance and Insurance (9%)

Top Threat Incident Types
• Email Compromise (40%)
• Ransomware (31%)
• Insider Threat (18%)

Top Ransomware Variants
• QILIN
• SINOBI
• NITROGEN
• INC
• FOGS
• DRAGONFORCE

Industry Analysis, August 2025

PROFESSIONAL, SCIENTIFIC, AND TECHNICAL SERVICES WAS THE MOST IMPACTED INDUSTRY IN AUGUST 2025
▪ Email Compromise and Ransomware were the top reported threat incident types
▪ In August, threats against the professional, scientific, and technical services industry most often involved External Remote Services and Phishing: Link as the initial access methods.

MANUFACTURING WAS THE 2nd MOST IMPACTED INDUSTRY IN AUGUST 2025
▪ Ransomware was the top reported threat incident type impacting the
▪ In August, threats against the manufacturing industry most often involved External Remote

Most Impacted Industries (chart)

Impact Analysis, August 2025

DATA ENCRYPTED FOR IMPACT WAS THE MOST COMMON IMPACT OBSERVED BY KROLL IN AUGUST 2025
▪ In Kroll ransomware engagements, the primary impact was Account Access Removal.
▪ For insider threat engagements, the most observed impact was Financial-Theft and Data-Exfiltrated-For-Impact.
▪ Professional, Scientific, and Technical Services reported the most confirmed impacts
▪ Data Encrypted for Impact
▪ Data Exfiltrated for Impact

Ransomware Analysis, August 2025

AKIRA WAS THE MOST COMMON RANSOMWARE VARIANT OBSERVED BY KROLL IN AUGUST 2025

Ransomware: Top Impacted Industries, August 2025 (chart)
Ransomware: Actor-Controlled Site Listings, August 2025 (chart)
Incidents by Threat Type, August 2025 (chart)
Threat Type Trends (chart)
Trending Vulnerabilities, August 2025 (chart)

Threat Incident Types
Email Compromise: An event where email accounts are accessed maliciously by a third party (e.g., account takeover), a phishing email/campaign is identified, or an organization's email is used or compromised in a fraud scheme, such as a business email compromise.
Ransomware: An event where threat actors conduct malicious activity within a network followed by a demand for a financial ransom. Typically includes some combination of data exfiltration, data encryption, and extortion.
Malware: An organization is impacted by a malware or virus where no financial demand is made. Examples include pre-ransomware activity (e.g., QakBot, Emotet) or information stealers (e.g., Vidar, Raccoon).
Unauthorized Access: An unauthorized actor has inadvertently or maliciously accessed a network.
Web Compromise: An actor has gained unauthorized access to web application or website code to conduct malicious activity. Examples include SQL injections to steal credit card data or website defacement.

Initial Access Methods
Drive-By Compromise: Compromise via a legitimate website.
External Remote Services: Compromise via remote access services such as VPNs, RDPs, and other devices.
Hardware Additions: Addition of computing device to gain access.
Exploit Public Facing Application: Exploitation of a vulnerability or misconfigured settings to gain access.
Phishing: Attachment: Use of malware attached to an email.
Phishing: Link: Use of links in an email that lead to credential loss and/or downloading malware.
Phishing: Non-Technical: Using social engineering techniques to deceive users, i.e. email impersonation, spoofing.

Incident Impact
Account Access Removal: Adversaries may deny legitimate users access to accounts by deleting, locking, or altering credentials.
Data Destruction: Adversaries may destroy data on systems or networks to disrupt availability, often making recovery difficult.
Data Encrypted for Impact: Adversaries may encrypt data to deny access, demanding ransom or making data permanently inaccessible.
Data Exfiltrated for Impact: Adversaries may steal and exfiltrate sensitive data to cause harm, disrupt operations, damage reputations, or leverage for financial or strategic gain.
Data Manipulation: Adversaries may alter data to influence business processes, decision-making, or hide malicious activity.
Defacement: Altering websites, applications, or digital content to spread misinformation, intimidation, or propaganda.
Disk Wipe: Destroying or corrupting disk data to make systems unusable, often for sabotage or ransomware.
Endpoint Denial of Service: Exploiting
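The Methodology section describes how a month of incident response engagements is tallied into the Key Takeaways and Industry Analysis figures, and the category definitions at the end of the report give the labels those tallies use. The script below, an added example that is not from the report or from Kroll, shows the aggregation on a constructed set of engagement records: each record carries a threat incident type, an industry, an initial access method (possibly undetermined) and zero or more confirmed impacts, and the spotlight-style output is the top-n share of each dimension plus a per-industry profile. The twelve records are made up for illustration, and the mapping of the report's initial access and impact categories to public MITRE ATT&CK technique IDs is the editor's addition, since the report itself lists no IDs.

```python
"""Aggregate incident-response engagement records into the breakdowns a
monthly TI spotlight reports: threat incident type, most impacted industry,
initial access method and confirmed impact.  Every engagement record here is
constructed for illustration; none of it is Kroll case data."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Editor's mapping of the report's categories to public MITRE ATT&CK
# technique IDs.  The report lists the categories but not the IDs.
ATTACK_IDS = {
    "External Remote Services": "T1133",
    "Phishing: Link": "T1566.002",
    "Phishing: Attachment": "T1566.001",
    "Valid Accounts": "T1078",
    "Drive-By Compromise": "T1189",
    "Exploit Public Facing Application": "T1190",
    "Hardware Additions": "T1200",
    "Account Access Removal": "T1531",
    "Data Destruction": "T1485",
    "Data Encrypted for Impact": "T1486",
    "Data Manipulation": "T1565",
    "Defacement": "T1491",
    "Disk Wipe": "T1561",
    "Endpoint Denial of Service": "T1499",
}


@dataclass(frozen=True)
class Engagement:
    threat_type: str
    industry: str
    initial_access: Optional[str]  # None when the access vector was never determined
    impacts: tuple                 # confirmed impacts, zero or more


PST = "Professional, Scientific, and Technical Services"
MFG = "Manufacturing"
FIN = "Finance and Insurance"

# Constructed sample: twelve engagements closed in one reporting month.
SAMPLE = (
    Engagement("Email Compromise", PST, "Phishing: Link", ()),
    Engagement("Email Compromise", PST, "Phishing: Link", ()),
    Engagement("Email Compromise", FIN, "Valid Accounts", ()),
    Engagement("Email Compromise", MFG, "Phishing: Attachment", ("Financial-Theft",)),
    Engagement("Ransomware", PST, "External Remote Services",
               ("Data Encrypted for Impact", "Data Exfiltrated for Impact")),
    Engagement("Ransomware", MFG, "External Remote Services",
               ("Data Encrypted for Impact", "Account Access Removal")),
    Engagement("Ransomware", MFG, "External Remote Services", ("Data Encrypted for Impact",)),
    Engagement("Ransomware", FIN, "Exploit Public Facing Application",
               ("Data Encrypted for Impact", "Data Exfiltrated for Impact")),
    Engagement("Insider Threat", PST, "Valid Accounts", ("Data Exfiltrated for Impact",)),
    Engagement("Insider Threat", MFG, None, ("Financial-Theft",)),
    Engagement("Unauthorized Access", PST, "Drive-By Compromise", ()),
    Engagement("Web Compromise", FIN, "Exploit Public Facing Application", ("Defacement",)),
)


def share(counter, total, top_n):
    """Top-n (label, percent) pairs; percent is the share of `total`, rounded
    to a whole number the way the spotlight presents it.  Ties keep the
    order in which labels were first seen."""
    return [(label, round(100 * n / total)) for label, n in counter.most_common(top_n)]


def spotlight(engagements, top_n=3):
    """Build the four Key Takeaways breakdowns from a list of engagements."""
    total = len(engagements)
    by_access = Counter(e.initial_access for e in engagements if e.initial_access)
    return {
        "threat_types": share(Counter(e.threat_type for e in engagements), total, top_n),
        "industries": share(Counter(e.industry for e in engagements), total, top_n),
        # Undetermined access vectors stay in the denominator, which is why
        # published initial-access shares need not sum to 100%.
        "initial_access": share(by_access, total, top_n),
        # An engagement can confirm several impacts, so impacts are counted, not shared.
        "impacts": Counter(i for e in engagements for i in e.impacts).most_common(top_n),
    }


def industry_profile(engagements, industry, top_n=2):
    """Industry Analysis view: the same breakdowns restricted to one industry."""
    return spotlight([e for e in engagements if e.industry == industry], top_n)


def with_attack_ids(pairs):
    """Attach the editor's ATT&CK ID (or None) to (label, percent) pairs."""
    return [(label, ATTACK_IDS.get(label), pct) for label, pct in pairs]


if __name__ == "__main__":
    result = spotlight(SAMPLE)
    for dimension, rows in result.items():
        print(dimension, rows)
    print("initial access with ATT&CK IDs:", with_attack_ids(result["initial_access"]))
    print("profile for", PST, industry_profile(SAMPLE, PST))
```

Two choices in the script reflect how figures like "External Remote Services (20%)" should be read: the denominator for initial access is every engagement, including those where the vector was never established, and impacts are counted per confirmed impact rather than per engagement because one ransomware case can carry both encryption and exfiltration.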