Dive Brief:
- The share of cyberattacks that relied on vulnerability exploitation as the initial means of access dropped in the fourth quarter of 2025, although it still remained high, researchers from Cisco’s Talos threat intelligence team said in a blog post published on Thursday.
- Nearly 40% of the incidents to which Cisco responded in Q4 began with the exploitation of public-facing network services, compared with 62% in the third quarter.
- Cisco also saw fewer ransomware attacks in Q4 (13% of all incidents) compared with Q3 (when it was 20%) and the first half of the year (when it was nearly 50% in both Q1 and Q2).
- Notably, Cisco said it “did not respond to any previously unseen ransomware variants.”
Dive Insight:
While vulnerability exploitation remained high in Q4, there were no major exploitation campaigns that accounted for the lion’s share of the activity, Cisco said — a departure from Q3, when the ToolShell campaign unleashed a wave of attacks. Still, there were multiple attacks targeting a flaw in Oracle’s E-Business Suite and a vulnerability in React Server Components.
One threat actor exploited the Oracle flaw in an attack that Cisco said was “likely related to a large-scale campaign aiming to extort executives.” Another threat actor exploited the React flaw to deploy cryptocurrency mining malware. Cisco said cryptomining was “one of the many types of operations we expect to see as threat actors race to quickly capitalize on unpatched systems.”
Phishing ranked second behind exploitation on the list of most common initial access methods that Cisco observed, and the company described a campaign targeting a victim community that rarely features in threat intelligence reports: Native American tribal organizations.
In one case, Cisco analysts observed a threat actor using compromised email accounts and websites to distribute malware in believable messages. “While no lateral movement beyond email account abuse could be confirmed,” researchers wrote, “the exposure of additional accounts within the victim’s environment and external recipients indicates the potential for a wider impact. ”
Cisco also observed a second phishing campaign against tribal organizations that shared characteristics — including indicators of compromise — with the earlier attacks.
On the ransomware front, Cisco said the Qilin ransomware gang “remains dominant and was observed in the majority of ransomware attacks,” although researchers also responded to attacks using DragonForce ransomware, which the company said it had not seen “for over a year.”
Government agencies were the most-targeted sector in Cisco’s Q4 incident response engagements — a continuation of a Q3 trend — followed by telecommunications, education and healthcare.
Based on its incident response findings, Cisco recommended that organizations routinely patch systems, enable robust logging, practice rapid response and “implement detections to identify MFA abuse and [enable] strong MFA policies.”
