
2025 Global Cybersecurity Threat Landscape Report

Information Technology 2026-05-13 Cyble 亓qí

Executive Summary
Initial Accesses on Sale
Notable Accesses on Sale
Alleged Breach of Food Delivery Platform Puts 7Mn Records and Access Up for Sale
Alleged Sale of Access to Kuwaiti Government Department’s Email Accounts
Data Breaches and Leaks
Notable Data Breaches and Leaks
Threat Actor Sells Alleged Dubai’s Critical Sector Data
UAE Hospital Data Leaked on Cybercrime Forum
Alleged Israeli Military Database Offered for Sale on Cybercrime Forum
RALord Ransomware Claims Attack on Saudi Firm; Samples Implicate 13
Critical Vulnerabilities observed as Zero days and KEV
Known Exploited Vulnerabilities
Zero-Day Vulnerabilities
Hacktivism
Industry Insights and Analysis
634 Targets, 6 Million Records at Stake—Inside the UAE’s Cybersecurity Showdown
Think Before You Download: UAE Cybersecurity Council Issues
Conclusion
Key Takeaways

Executive Summary

Cyble’s Threat Landscape Report META 2025 brings to light specific cyber threat activity targeting the Middle East, Turkey and Africa in 2025.

The threat landscape has been defined by a high volume of opportunistic cybercrime, including the sale of initial access, data breaches, and persistent ransomware campaigns, alongside geopolitically motivated hacktivism.

Threat actors actively monetized compromised data through a fragmented marketplace for initial access and data leaks, with a pronounced focus on the Government & Law Enforcement,

Ransomware continued to be a dominant threat, with prolific groups such as Qilin, NightSpire, and CL0P systematically targeting critical sectors like Construction, BFSI, and Government

This activity was further enabled by the active exploitation of numerous critical and zero-day vulnerabilities in widely used enterprise products.

Concurrently, hacktivist operations, primarily driven by the Israel-Palestine conflict, contributed significantly to disruptive activities like DDoS

Consequently, Cyble urges organizations to prioritize rapid patch management for known exploited vulnerabilities, implement robust network segmentation, and enhance monitoring for indicators of compromise to mitigate these multifaceted threats.

Initial Accesses on Sale

Analysis of the Overall Threat Activity

Analysis of these incidents revealed a significant concentration of targeting against the Retail, Government & Law Enforcement (LEA), and Banking, Financial Services, and Insurance (BFSI) sectors. These three industries alone accounted for 87 incidents, representing nearly 40% of all

The focus on the Retail sector likely stemmed from the high value of payment card information and customer PII for follow-on fraud. Conversely, the targeting of Government & LEA entities suggested motivations ranging from espionage to disruption, posing significant national security risks. The persistent focus on the BFSI sector showed the direct financial motivations of

The compromised access market exhibited a highly distributed structure in 2025, characterized by a large number of sellers and the absence of a few dominant players.

Analysis of post distribution identifies “stepbro,” “personx,” and “bigbrother” as the most prolific actors, each contributing an equal volume of advertisements. However, despite their higher activity levels, these top three actors collectively accounted for only approximately 15% of the total access-for-sale posts.

This lack of concentration is further underscored by a significant

Notable Accesses on Sale

Alleged Breach of Food Delivery Platform Puts 7Mn Records and Access Up for Sale

Around January 21, the threat actor ‘ayamee’ posted on a cybercrime forum offering an allegedly stolen database and unauthorized access to an online food delivery platform in Saudi Arabia. The actor claimed the breach exposed approximately 7 million records, including over 30 GB of order data containing customer names, contact information, delivery addresses, and payment methods. The dataset also purportedly includes information on delivery drivers, such as their

Alleged Sale of Access to Kuwaiti Government Department’s Email Accounts

In early March 2025, the threat actor ‘DataSec’ posted on a cybercrime forum offering alleged unauthorized access to two email accounts belonging to government officials in Kuwait for USD 199 each. As proof of the breach, the threat actor shared redacted screenshots displaying

Airport’s Alleged Control Panel Access Appears for Sale

On November 26, the threat actor ‘operation_endgame’ advertised unauthorized access to a control panel allegedly belonging to a Middle East Airport on the DarkForums. The actor shared screenshots from the portal to support their claim, which disclosed various technical details. However, the validity of the offering is dubious, as all captured records within the console were

Alleged Network Access to Kuwaiti Retailer Store for Sale

On April 29, the threat actor “Evo” advertised the alleged unauthorized access to a retail chain based in Kuwait. In a post on the English-language cybercrime forum Darkforums, the actor claimed