![\"2025H1](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/07\/VL-2025H1-Threat-Review-report-cover.webp\")
<\/p>\nForescout\u2019s Vedere Labs threat research team issues threat reports about topical cyber activities, attacks or vulnerabilities that impact the cybersecurity community at large. The reports include a summary of the incidents and main threat actors, followed by a technical analysis of each incident, list of common vulnerabilities and exposures (CVEs) and affected software, indicators of compromise (IOCs) and mitigation recommendations.<\/p>\n
Subscribe to Threat Notifications <\/p>\n
\u00a0<\/p>\n
<\/p>\n
Once again, here is a midyear lens with a macro look at the most pressing cybersecurity risks to date. From 3,649 ransomware attacks to state-sponsored intrusions to new trends in lateral movement, here are the new threat patterns and cyber attack behavior you need to know right now.<\/p>\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/04\/The-rise-of-state-sponsored-hacktivism_2025-report-thumbnail_Page_01.jpg\")
<\/p>\n
April 29, 2025<\/strong> April 9, 2025<\/strong> <\/a><\/p>\n January 27, 2025<\/strong> <\/a><\/p>\n January 9, 2025<\/strong> October 29, 2024<\/strong> Aug. 29, 2024<\/strong> Aug. 6, 2024<\/strong> Jun. 10, 2024<\/strong> Apr. 23, 2024<\/strong> Apr. 11, 2024<\/strong><\/p>\n In a new threat briefing, Forescout Research \u2013 Vedere Labs details an exploitation campaign targeting organizations running Fortinet\u2019s FortiClient EMS which is vulnerable to CVE-2023-48788. We are designating this campaign Connect:fun because of the use of ScreenConnect and Powerfun as post-exploitation tools \u2013 our first-ever named campaign\u2026<\/p>\n Jan. 24, 2024<\/strong><\/p>\n Throughout last year, the ongoing conflicts and the emergence of new ones, alongside the exploitation of critical vulnerabilities and the growing threat of cybercrime, stood out as pivotal events. Forescout Research \u2013 Vedere Labs conducted a thorough analysis of attack-related data and the 2023 threat landscape impacting critical infrastructure. The result is a detailed report providing organizations with tactical insights and strategic recommendations to fortify their defense strategies.<\/p>\n Jan. 11, 2024<\/strong><\/p>\n During geopolitical conflict, criminals, state-sponsored actors and other adversaries take advantage of the chaos to drive new vulnerabilities into the cyber-landscape. In two distinct regions, Denmark and Ukraine, the energy sector has fallen victim. Forescout Research \u2013 Vedere Labs conducted an independent analysis of these attacks, delivering new insights and new evidence of the root causes and published its findings in this report, \u201cClearing the Fog of War.\u201d<\/p>\n Oct. 4, 2023<\/strong><\/p>\n Forescout Vedere Labs has been tracking a new phishing campaign that is abusing Microsoft Teams functionality to send malicious attachments. This Instant Messaging Spam campaign (often called SPIM) was first observed in late August 2023, when Microsoft Teams phishing messages were seen being sent using compromised external Office 365 accounts to other unconnected organizations.<\/p>\n Sept. 6, 2023<\/strong><\/p>\n Forescout Vedere Labs looks back at the most relevant cybersecurity events and data during 2023H1 to shed light on the evolving threat landscape and offer mitigation steps. Observations involving building automation devices, network infrastructure and NAS devices confirm increasing threats to unmanaged devices.<\/p>\n Jul. 13, 2023<\/strong><\/p>\n Since 2020, Forescout Research has been tracking the riskiest devices on organizations\u2019 networks. Our reports are entirely based on data coming directly from connected devices. Throughout the years, we have noticed that although many device types are consistently in these lists \u2013 such as IP cameras, VoIP equipment and programmable logic controllers (PLCs) \u2013 due either to their inherent criticality or to the persistent lack of attention from security teams, there are other devices whose current risk level reflect developments in the threat landscape.<\/p>\n Jun. 13, 2023<\/strong><\/p>\n This report analyzes the mass exploitation of CVE-2023-34362, a critical vulnerability in MOVEit Transfer software, a widely adopted managed file transfer (MFT) solution that enables organizations to securely exchange files with their business partners and customers.<\/p>\n Mar. 28, 2023<\/strong><\/p>\n In 2022, cyberattacks grew in intensity, sophistication and frequency. The adoption of new connected devices by organizations in 2023 is likely to pose even greater challenges. To help organizations of all sizes prepare, Forescout\u2019s Vedere Labs has analyzed data gathered in 2022 about cyberattacks, exploits and malware and shared insights via our 2022 Threat Roundup.<\/p>\n Mar. 22, 2023<\/strong><\/p>\n Forescout\u2019s Vedere Labs analyzes TTPs commonly used in ransomware attacks and gives specific mitigation recommendations, including detection with Forescout XDR. While the TTPs used have remained mostly constant, ransomware has been evolving rapidly since 2020, with the increased use of double extortion, zero-day exploits and targeted attacks on specific organizations vs. casting a wide net.<\/p>\n Mar. 9, 2023<\/strong><\/p>\n Vedere Labs provides details on the recent ransomware campaign targeting VMware ESXi virtualization servers, or hypervisors, and analyzes two payloads used in these attacks: variants of the Royal and Clop ransomware. We also present the TTPs used by attackers in this campaign, discuss mitigation recommendations and list IOCs that can be used for detection or threat hunting.<\/p>\n Jan. 10, 2023<\/strong><\/p>\n The Royal ransomware threat actor group, initially tracked as DEV-0569, emerged in early 2022 and has been very active in late 2022-early 2023. It uses double extortion to gain access to a victim\u2019s environment, encrypt their data, exfiltrate sensitive data and demand a ransom to decrypt files. This report analyzes the group\u2019s encryptor payload and TTPs and presents threat hunting opportunities for network defenders.<\/p>\n Dec. 1, 2022<\/strong><\/p>\n Hacktivists expanded their arsenal in 2022 to become much more than a nuisance to critical infrastructure owners \u2013 and reach into unexpected industries thanks to the widespread use of IoT and OT equipment. This report describes examples of active hacktivist groups; presents the device types, specific models and protocols these groups have targeted; discusses their TTPs and provides mitigation recommendations.<\/p>\n Oct. 12, 2022<\/strong><\/p>\n In this report, Vedere Labs identifies the five riskiest connected devices in four categories: IT, IoT, OT and IoMT. We update our findings from 2020 with new entries such as hypervisors and human machine interfaces that represent trends including critical vulnerability and increased OT connectivity.<\/p>\n Sept. 26, 2022<\/strong><\/p>\n Vedere Labs found more than 7,000 exposed medical devices and systems on the internet, including PACS, healthcare integration engines, EMRs and medication dispensing systems.<\/p>\n Jul. 13, 2022<\/strong><\/p>\n Industroyer2 leverages OS-specific wipers and a dedicated module to communicate over the IEC-104 industrial protocol. INCONTROLLER is a full toolkit containing modules to send instructions to or retrieve data from ICS devices using industrial network protocols, such as OPC UA, Modbus, CODESYS, Machine Expert Discovery and Omron FINS. Additionally, Industroyer2 has a highly targeted configuration, while INCONTROLLER is much more reusable across different targets.<\/p>\n Jun. 2, 2022<\/strong><\/p>\n In this threat report, Forescout\u2019s Vedere Labs analyzes attacks by pro-Russian hacktivist group Killnet and shows how to mitigate risk of DDoS and other attacks. Killnet stands out as one of the most active groups since Russian invaded Ukraine and has gained notoriety for DDoSing the websites of western critical infrastructure operators such as airports, banks, energy providers and governmental agencies.<\/p>\n
\nHacktivism is increasingly intertwined with state interests. In a new threat briefing, we analyze 780 hacktivist attacks by four major groups.\n\n\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/03\/Riskiest-2025-Report-Cover-V2.webp\")
<\/p>\nThe Riskiest Connected Devices of 2025<\/h3>\n
\nThis year, 12 brand-new asset types make the list. It is the largest year-over-year change in the report\u2019s history. See the results.\n\n\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/01\/2024-Threat-Roundup-Report-Cover-540x700-1.webp\")
<\/p>\n2024 Threat Roundup: Top Cybersecurity Trends from Vedere Labs<\/h3>\n
\nForescout Research shares the top cybersecurity trends in its annual threat report that tracks cyber attacks by country and by vertical.\n\n\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/01\/hunters-international-threat-briefing-thumbnail.webp\")
<\/p>\nAnatomy of an Attack: Hunters International Ransomware<\/h3>\n
\nForescout Research analyzes an attack it discovered using Hunters International ransomware. See what was discovered in detail and how to mitigate.\n\n\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/10\/iomt-report_THM-1.jpg\")
<\/p>\nUnveiling the Persistent Risk of Connected Medical Devices<\/h3>\n
\nRansomware has been wreaking havoc in 2024. If networks at hospitals are shut down, patients suffer. Life-saving surgeries are postponed. Patient monitoring returns to pen and paper. Insurance approvals and billing systems become inoperative.\n\n\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/08\/Perils-in-the-Periphery_Ransomware-thm-1.jpg\")
<\/p>\n2024H1 Threat Review: Perils in the Periphery<\/h3>\n
\nIn this mid-year report, we find threat patterns and isolate changes in cyber attack behavior. Most importantly, we can see how and where they are doing it. Right now, it is happening in your unmanaged network perimeter via VPNs and network appliance vulnerabilities. Which VPN vendors? Who are the threat actors? Which countries and industries are most targeted? See all. Know more.\n\n\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/08\/rough-around-the-edges-THM.jpg\")
<\/p>\nRough Around the Edges: Top Router Firmware Vulnerabilities<\/h3>\n
\nIn this joint research with Finite State, we explore today\u2019s firmware vulnerabilities from a range of popular cellular routers. We spotlight the hidden risks within outdated open-source software components \u2013 and explore the chaos introduced by vendors with custom patching.\n\n\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/06\/riskiest-devices-THM-1.jpg\")
<\/p>\n2024 Riskiest Devices<\/h3>\n
\nIn 2024, attackers are crossing OT and IT siloes to find entry points across the full spectrum of devices, operating systems and embedded firmware. This year marks our fourth annual Riskiest Connected Devices report detailing the most concerning assets in the enterprise across 10 major vertical industries and by global region.\n\n\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/04\/Better-safe-than-sorry.png\")
<\/p>\nBetter Safe Than Sorry – Proactively identifying at-risk, internet-exposed OT\/ICS<\/h3>\n
\nA recent wave of attacks by the Iranian-affiliated Cyber Av3ngers hacktivist group targeted Israeli-made Unitronics Programmable Logic Controllers (PLCs) around the world. Our research takes a fresh look at the topic by examining the nuanced evolution of exposed OT\/ICS data from 2017
\nto 2024.\n\n\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/04\/connect-fun-report-thm.jpg\")
<\/p>\nConnect:fun Detailing an exploitation campaign targeting FortiClient EMS via CVE-2023-48788<\/h3>\n
\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/01\/FS-2024-VL-Threat-Round-Up-Thumb-v1-440x554-1.png\")
<\/p>\n2023 Global Threat Roundup Report: Trends in cyberattacks, exploits, and malware<\/h3>\n
\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2024\/01\/FS-2024-VL-Fog-of-War-Report-Thumb-v1-440x554-1.png\")
<\/p>\nClearing the Fog of War<\/h3>\n
\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2023\/10\/FS-2023-Dark-Gate-Report-VL-Thumb-v1-440x554-1.png\")
<\/p>\nDarkGate Loader Malspam Campaign<\/h3>\n
\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2023\/09\/FS-2023-Vedere-Labs-H1-Threat-Thumb-v1-440x554-1.png\")
<\/p>\n2023H1 Threat Review: Vulnerabilities, Threat Actors and Malware<\/h3>\n
\n
![\"Vedere](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2023\/07\/FS-2023-Vedere-Labs-Riskiest-Devices-Thumb-v1-440x554-1.png\")
<\/p>\nThe Riskiest Connected Devices in 2023<\/h3>\n
\n
![\"MOVEit](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2023\/06\/FS-2023-MOVEit-Report-Thumb-v1-440x554-1.png\")
<\/p>\n Mass Exploitation of MOVEit Transfer Critical Vulnerability<\/h3>\n
\n
![\"Threat](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2023\/03\/FS-2023-Threat-Roundup-Thumb-v1-440x554-1.png\")
<\/p>\n2022 Threat Roundup Report: The Emergence of Mixed IT\/IoT Threats<\/h3>\n
\n
![\"Common](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2023\/03\/FS-2023-Threat-Briefing-Thumb-TTP-v1.png\")
<\/p>\nCommon Ransomware TTPS<\/h3>\n
\n
![\"VMWare](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2023\/03\/esxi-servers.jpg\")
<\/p>\nVMware ESXi Servers: A Major Attack Vector for Ransomware<\/h3>\n
\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2023\/01\/FS-2023-Threat-Briefing-Thumb-Royal-Ransom.png\")
<\/p>\nRoyal Ransomware \u2013 Analysis of One of the Most Active Ransomware Groups in Late 2022 and Early 2023<\/h3>\n
\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2022\/11\/FS-2022-Threat-Briefing-Thumbnails-Hacktivist.png\")
<\/p>\nThe Increasing Threat Posed by Hacktivist Attacks: An Analysis of Targeted Organizations, Devices and TTPs<\/h3>\n
\n
![\"Threat](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2022\/10\/FS-2022-Riskiest-Devices-Social-v3-440x554-1.png\")
<\/p>\nThe Riskiest Connected Devices in Enterprise Networks<\/h3>\n
\n
![\"Research](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2022\/09\/Research_report-Internet-Exposure-of-Medical-Devices-and-Systems.png\")
<\/p>\nInternet Exposure of Medical Devices and Systems<\/h3>\n
\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2022\/07\/FS-2022-Threat-Briefing-Thumbnails-Industroyer2.png\")
<\/p>\nIndustroyer2 and INCONTROLLER (PIPEDREAM): In-depth Technical Analysis of the ICS-specific Malware<\/h3>\n
\n
![](\"https:\/\/www.forescout.com\/wp-content\/uploads\/2022\/06\/FS-2022-Threat-Briefing-Thumbnails-Killnet.png\")
<\/p>\nKillnet: Analysis of Attacks from a Prominent Pro-Russian Hacktivist Group<\/h3>\n