2025年全球网络安全报告：威胁趋势、风险预警与防御策略

Executive Summary Initial Accesses on Sale4 6 Notable Accesses on Sale Jakarta Transport Operator Targeted in Alleged Data BreachThreat Actor Sold Alleged Access to Angolan Government PortalItalian Police Department’s Alleged Email Access For SaleAlleged VPN Access to Indonesian State Firm and Agribusiness Giant Data Breaches and Leaks Notable Data Breaches and Leaks French Sports Union Hit By Major Data BreachFOG Ransomware Leaks GitLab Source Code of Global OrganizationsData of French Insurance Broker Leaked Online Ransomware Attacks Critical Vulnerabilities observed as Zero days and CISA KEVKnown Exploited VulnerabilitiesZero-Day Vulnerabilities Hacktivism 26 Industry Insights and Analysis Conclusion ExecutiveSummary Cyble’s Global Cybersecurity Report brings to light specific cyber threat activity targetingWorldwide from January 2025 to November 2025. The threat landscape was characterized by a high volume of ransomware attacks, data breaches,and the sale of initial access, with Qilin emerging as the most prolific ransomware operatortargeting the manufacturing and construction sectors, while groups like CL0P leveraged zero- Illicit markets showed a strategic focus, with compromised access sales disproportionatelyaffecting the retail industry, and data breaches primarily targeting government and BFSI entities,all facilitated by a fragmented landscape of threat actors. Persistentexploitation of high-severity and zero-day vulnerabilities in network securityappliances and enterprise software from vendors like Fortinet, Ivanti, and Microsoft served as aprimary initial access vector. Geopolitically motivated hacktivism drove widespread DDoS attacks and data leaks, alongsidea thriving ecosystem of cybercrime-as-a-service platforms enabling financially motivatedattacks.Notable incidents showcased the severe risk posed by state-sponsored actorsconducting supply chain attacks and espionage operations against government and critical Recommended mitigation strategies emphasize the prioritization of rapid patching for knownexploited vulnerabilities, the implementation of network segmentation to limit lateral movement,and enhanced monitoring to detect and respond to compromises. Initial Accesseson Sale Analysis of the Overall Threat Activity In 2025, Cyble Research and Intelligence Labs observed 3013 incidents related to the sale ofcompromised access on cybercrime forums. The distribution of these incidents reveals a concentrated focus on specific industries, withthe Retail sector being the most prominent target, accounting for 594 incidents, or nearly 20%of the total. This figure is more than double that of the next most impacted sector, Banking,Financial Services, and Insurance (BFSI), which saw 284 incidents, followed by Government This strategic targeting shows threat actors’ prioritization of industries rich with monetizabledata; Retail for its vast stores of consumer PII and payment information, BFSI for direct access tofinancial assets, and Government entities for sensitive state and intelligence data. The sale of such access significantly elevates the risk of subsequent large-scale data breaches,financial fraud, and potential threats to national security. Ultimately, the disproportionate impacton the Retail, BFSI, and Government sectors underscores a persistent cybercriminal focus oncompromising data-rich environments for maximum illicit gain. Analysis of the compromised access market in 2025 revealed a highly active landscape.The most prolific threat actors by post volume were ‘professorkliq’ (55 posts), ‘cosmodrome’(49 posts), and ‘reve’ (45 posts). Despite the activity of these top sellers, the market shows asignificant lack of centralization. The three most active actors combined were responsible for This low concentration indicates a market characterized by many independent and opportunisticsellers rather than one dominated by a few established players, pointing to a low barrier ofentry for new threat actors into this illicit economy. Notable Accesseson Sale Jakarta Transport Operator Targeted in Alleged Data Breach On June 19, the threat actor ‘xanozore’ advertised data allegedly stolen from PT Mass RapidTransitJakarta on the Darkforums cybercrime marketplace.The actor claimed to haveaccessed internal data, including information from the electronic ticketing system (ETC), andoffered it for sale without specifying a price. To substantiate their claims, the threat actor shared Threat Actor Sold Alleged Access to Angolan Government Portal Around June 22, the threat actor ‘darksidebases’ advertised the sale of unauthorized accessto a document management portal allegedly belonging to the Angolan government on acybercrime forum. The threat actor claimed the portal contained approximately 200,000internal documents. To substantiate their claim, the actor shared samples, including scanned Italian Police Department’s Alleged Email Access For Sale Around March 26, the threat acto