
CrowdStrike says attackers are moving through networks in under 30 minutes

24 February 2026 at 03:01

Cyberattacks reached victims faster and came from a wider range of threat groups than ever last year, CrowdStrike said in its annual global threat report released Tuesday, adding that cybercriminals and nation-states increasingly relied on predictable tactics to evade detection by exploiting trusted systems.

The average breakout time — how long it took financially motivated attackers to move from the initial intrusion to other systems on the network — dropped to 29 minutes in 2025, a 65% increase in speed from the year prior. “The fastest breakout time a year ago was 51 seconds. This year it’s 27 seconds,” Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.

Defenders are falling behind because attackers are refining their techniques, using social engineering to access high-privilege systems faster and move through victims’ cloud infrastructure undetected.

“Threat actors are exploiting those cross-domain gaps to gain access to environments, so they’re wriggling in between the seams in cloud, identity, enterprise and unmanaged network devices,” Meyers said. 

Starting from an already disadvantaged position — made worse by faster attacks and living-off-the-land techniques — defenders face burnout, stress and other factors that can lead to mistakes, he added. 

The myriad sources of these problems are spreading, too. 

CrowdStrike tracked 281 threat groups at the end of 2025, including 24 new threats it named throughout the year. Researchers at the cybersecurity firm are also tracking 150 active malicious activity clusters and emerging threat groups.

Cybercriminals seeking a payout and nation states committing espionage or implanting footholds into critical infrastructure for prolonged access are increasingly seizing on security weaknesses in cloud-based environments to break into victim networks. 

These cloud-focused attacks have seen a reported 37% year-over-year increase, with a 266% surge in this activity from nation-state threat groups.

The vast majority of attacks detected last year, 82%, were free of malware — highlighting attackers’ enduring shift toward hands-on-keyboard operations and the abuse of legitimate tools and credentials, CrowdStrike said in the report. More than 1 in 3 incident response cases involving cloud intrusions last year were linked back to a valid or abused credential that granted attackers access, according to CrowdStrike. 

Attacks originating from or sponsored by North Korea increased 130% last year, while incidents linked to China jumped 38% during the same period.

Chinese threat groups achieved immediate system access with two-thirds of the vulnerabilities they exploited last year, and 40% of those exploits targeted edge devices.

Zero-day exploits — especially defects in edge devices such as firewalls, routers and virtual private networks — allowed nation-state and cybercrime threat groups to break into systems, execute code and escalate privileges undetected.

CrowdStrike said it observed a 42% year-over-year increase in the number of zero-day vulnerabilities exploited prior to public disclosure last year. 

Meyers said he expects that number to grow further, predicting an explosion of activity from attackers using artificial intelligence to find and exploit zero-day vulnerabilities in various products during the next three to nine months.

CrowdStrike’s annual global threat report is full of figures moving in the wrong direction, yet the most worrying finding for Meyers comes down to attacker speed.

“The speed at which we’re seeing these breakout times accelerate is one of the markers,” he said, adding that it’s only a matter of time before the fastest attacks drop down to seconds, if not milliseconds.

The post CrowdStrike says attackers are moving through networks in under 30 minutes appeared first on CyberScoop.

SonicWall pins attack on customer portal to undisclosed nation-state

6 November 2025 at 11:33

SonicWall said a state-sponsored threat actor was behind the brute-force attack that exposed firewall configuration files of every customer that used the company’s cloud backup service. 

The vendor pinned the responsibility for the attack on an undisclosed nation state Tuesday, after Mandiant concluded its investigation into the incident.

SonicWall did not attribute the attack to a specific country or threat group and Mandiant declined to provide additional information. The vendor’s update, which lacked a root-cause analysis, was mostly an effort to put the attack behind it as leadership made pledges to improve SonicWall’s security practices.

“The malicious activity has been contained and was isolated to our firewall cloud backup service, which stores firewall configuration files in a specific cloud bucket,” SonicWall CEO Bob VanKirk said in a pre-recorded video published alongside the update. “There was no impact to any SonicWall product, firmware, source code, production network, or to any customer data or any other SonicWall system.”

Yet, customer data was impacted because backup firewall configuration files were stolen. Ryan Dewhurst, head of proactive threat intelligence at watchTowr, previously told CyberScoop those files contain a “treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more.”

The vendor’s public disclosures regarding the attack have been convoluted and, in some cases, erroneous. SonicWall played down the scope of compromise in its initial disclosure, framing it as impacting less than 5% of its firewall install base, but walked that assessment back weeks later when Mandiant confirmed the totality of exposure. 

SonicWall said Mandiant determined the state-sponsored attacker gained access to the cloud backup files using an API call, but it did not provide further detail. 

Other critical details remain unknown, including how many customers were impacted and how long the nation-state attacker maintained access to SonicWall’s customer portal. The company said it detected suspicious activity on MySonicWall.com in September. 

The attack on SonicWall’s customer-facing system was disclosed a week after researchers and authorities warned about a fresh burst of about 40 Akira ransomware attacks involving exploits of a year-old vulnerability affecting SonicWall firewalls. The company said those attacks impacting customers are unrelated to the attack on SonicWall’s cloud backup environment.

“There is no evidence that this event is related to recent increases in the Akira ransomware attacks on edge devices,” VanKirk said. 

SonicWall customers have confronted a series of actively exploited vulnerabilities in SonicWall devices, including four flaws exploited in the wild this year.

Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA. 

VanKirk said the company is committed to continuously improving the security of its products and systems, adding that all of Mandiant’s recommended remediations have been enacted or are actively underway.

The post SonicWall pins attack on customer portal to undisclosed nation-state appeared first on CyberScoop.
