TL;DR

  • In 2025, ransomware and other attack groups targeted network weaknesses like poor identity controls, shared infrastructure, and cloud misconfigurations.

  • Supply chain attacks, geopolitical cyber activity, and major service disruptions showed the fragility of interconnected networks and the collateral damage of a single incident.

  • Major takeaways from this year include tightening zero trust security controls such as authorization, visibility, and early detection and response.

As 2025 comes to a close, one thing is painfully clear: the threat landscape didn't "evolve" this year. It hit the gas, cut the brakes, and aimed straight for every weak spot organizations have been quietly pretending they'll get around to fixing someday. Attackers automated everything, shifted left, shifted right, and shifted into whatever lane defenders weren’t watching.

So instead of a simple year‑end recap, here’s the real version: what actually went wrong, why it hurt so badly, and what’s waiting for us in 2026.

The 2025 Threat Landscape: What Actually Happened

The incidents below represent a cross-section of disclosures from education, healthcare, travel, and commercial sectors.

Although the organizations differ, the attack patterns share foundational issues: identity compromise, misconfigurations, and third-party risk.

Higher Education: Distributed Environments, Broad Exposure

Universities remained frequent targets due to sprawling networks, outdated systems tucked under decades of "temporary fixes," and authentication models that make identity governance feel like a group project with no adult supervision.

  • University of Pennsylvania disclosed two separate incidents in 2025 involving compromised credentials and exploitation of an Oracle-related vulnerability, exposing personal information tied to students, staff, and donors. The events demonstrated how attackers can leverage identity and third-party software weaknesses to move laterally across academic environments.

  • Oklahoma University Health confirmed exposure of patient intake records, lab reference numbers, appointment metadata, and internal routing notes—an example of how academic medical systems unintentionally merge two high‑value data domains.

Higher‑ed environments are a perfect storm: too many systems, too many admins, too few upgrades, and an expectation that everything stays online 24/7. Attackers love that math.

And the same patterns showed up far beyond higher education.

Healthcare: High-Value Data and Email Compromise

Healthcare in 2025 resembled an all‑you‑can‑eat buffet for attackers. The industry continues to run mission-critical operations on a patchwork of legacy systems, shared credentials, and email workflows that should have been decommissioned back when pagers were still a thing.

And healthcare wasn’t the only sector feeling the strain.

  • MedStar Health reported theft of patient records, administrative spreadsheets, and internal documentation.

  • Kenosha County Behavioral Health disclosed unauthorized access affecting individuals receiving county services.

  • AltaMed Health Services experienced exposure due to compromised employee email accounts containing protected patient information.

Email compromise and third-party weaknesses remained the dominant causes of healthcare-related threats this year.

Travel and Airline Sector: Large Databases, Complex Integrations

Threats within the travel sector highlighted the high value of passenger information and the complexity of global booking ecosystems.

  • Zoomcar, an Indian car-sharing marketplace, disclosed a significant cybersecurity incident affecting approximately 8.4 million users, as reported in a Form 8-K filing with the U.S. SEC. The company became aware of the incident after receiving external communications from the threat actor claiming access to internal systems.

  • Air France and KLM (Air France–KLM Group) disclosed a data incident on August 7, 2025 originating from a third-party customer support platform. The attack, attributed to the ShinyHunters group, did not impact airline core systems but exposed customer contact details that could be used for targeted phishing and social engineering.

Airline environments reflect the reality many organizations face today: complex loyalty platforms, global distribution systems, partner APIs, and long-lived infrastructure that has grown over time to support the business. When something breaks, the impact can be immediate and highly visible.

Credential Abuse: The Most Common Entry Vector

Credential theft remained the most reliable method attackers used to gain access. For example, Nikkei disclosed a 2025 incident involving a malicious Slack application that harvested credentials and exposed internal communications, highlighting how identity abuse can occur even within trusted collaboration platforms.

Cloud Misconfigurations: A Persistent Source of Exposure

Misconfigurations continued to outpace organizations’ capacity to identify and remediate them. One notable incident was McDonald’s disclosure of a significant data exposure in July 2025 tied to its AI-powered hiring platform, McHire, used by many franchisees. The incident was caused by a failure to secure the platform’s administrative backend, including a weak admin password ("123456") that had not been updated for years and an Insecure Direct Object Reference (IDOR) vulnerability. The exposure potentially impacted approximately 64 million job applicants globally.

This issue was configuration- and access-control related rather than the result of a sophisticated exploit. It highlights the risks of deploying third-party AI platforms without rigorous security oversight.
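The IDOR half of that failure comes down to a missing object-level authorization check. The sketch below is an added example, not code from McHire or from this article; the record layout, `Principal` fields, and handler names are all hypothetical, and it shows an unchecked lookup beside a hardened one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    franchise_id: str
    role: str  # "recruiter" or "applicant" (hypothetical roles)


# Constructed records keyed by sequential IDs, the pattern that makes IDOR easy to hit.
APPLICATIONS = {
    1001: {"franchise_id": "store-17", "applicant_id": "u-ana", "name": "Ana Example"},
    1002: {"franchise_id": "store-42", "applicant_id": "u-ben", "name": "Ben Example"},
}


class Forbidden(Exception):
    """Raised for both 'no such record' and 'not yours'."""


def get_application_vulnerable(principal, app_id):
    # Authenticated but never authorized: any logged-in caller can read any ID.
    return APPLICATIONS[app_id]


def get_application(principal, app_id):
    # Object-level check: the record must belong to the caller's franchise
    # (recruiters) or to the caller personally (applicants).
    record = APPLICATIONS.get(app_id)
    allowed = record is not None and (
        (principal.role == "recruiter"
         and record["franchise_id"] == principal.franchise_id)
        or (principal.role == "applicant"
            and record["applicant_id"] == principal.user_id)
    )
    if not allowed:
        # Identical error for missing and foreign records, so IDs cannot be probed.
        raise Forbidden("not found")
    return record


def readable_ids(principal, handler):
    """List the record IDs a caller can read through a handler (its blast radius)."""
    readable = []
    for app_id in sorted(APPLICATIONS):
        try:
            handler(principal, app_id)
            readable.append(app_id)
        except Forbidden:
            pass
    return readable
```

Running `readable_ids` for the same caller against both handlers makes the difference in exposure concrete, and the same helper works as a regression test when new endpoints are added.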

Supply Chain and Geopolitical Threats: When Trust and Tension Collide

Beyond individual vulnerabilities, 2025 reinforced two uncomfortable realities: modern software supply chains remain fragile, and geopolitical conflict continues to spill directly into cyberspace.

Software Supply Chain Attacks

  • npm ecosystem abuse continued to surface as attackers published malicious or typosquatted packages designed to steal credentials, exfiltrate environment variables, or implant backdoors during the build process. These packages often lived just long enough to be pulled into CI pipelines before being discovered.

  • xz Utils backdoor attempt demonstrated how attacker access to trusted maintainers can introduce backdoors into widely deployed open source components.

  • Malicious PyPI packages leveraged typosquatting and dependency confusion to deliver credential stealers and data exfiltration logic into build pipelines, often before detection.

Supply chain attacks remain attractive because they scale. Compromise one widely used dependency and inherit thousands of downstream victims without ever touching their networks directly.
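One build-time control against the typosquatting described above is to compare every declared dependency with an allowlist and flag near-miss names before anything is installed. This is an added example, not tooling from the article; the allowlist, the sample manifest, and the distance threshold are constructed assumptions, and it does not cover dependency confusion.

```python
import re

# Constructed allowlist of vetted names (assumption: the team maintains one).
TRUSTED = {"requests", "urllib3", "cryptography", "numpy", "python-dateutil"}

# Constructed manifest lines; two entries are deliberate near-misses.
SAMPLE_REQUIREMENTS = [
    "requests==2.0",
    "reqeusts==2.0   # transposed letters",
    "python_dateutil>=2.0",
    "crytography",
    "flask",
]


def normalize(name):
    """Lowercase and collapse runs of '-', '_' and '.' so spelling variants match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def audit(requirements, trusted=TRUSTED, max_distance=2):
    """Return (name, lookalike_or_None) for every dependency not on the allowlist."""
    vetted = sorted(normalize(t) for t in trusted)
    findings = []
    for line in requirements:
        spec = line.split("#", 1)[0].strip()
        if not spec:
            continue
        name = normalize(re.split(r"[<>=!~;\[\s]", spec, maxsplit=1)[0])
        if name in vetted:
            continue
        best = min(vetted, key=lambda t: osa_distance(name, t))
        near = best if osa_distance(name, best) <= max_distance else None
        findings.append((name, near))
    return findings
```

A finding with a lookalike should fail the build; one with `None` is merely unvetted and can go to review. Very short package names need a lower threshold to avoid false positives.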

Geopolitical Cyber Activity

Geopolitical conflict continued to manifest as persistent cyber pressure rather than isolated events:

  • Russia and Ukraine remained locked in a sustained cyber conflict, with ongoing activity targeting energy infrastructure, government services, telecommunications, and logistics. Operations ranged from disruptive attacks to long-term espionage and influence campaigns.

  • Israel and Iran saw continued cyber escalation, including destructive malware, data leaks, and attempted disruptions tied to broader regional tensions. These operations frequently blurred the line between espionage, sabotage, and signaling.

These campaigns reinforced a key point for defenders: geopolitical cyber activity does not stay contained to nation-state targets. Collateral impact regularly spills into private industry, cloud providers, and global supply chains.

And as if targeted attacks weren’t enough, 2025 also delivered internet‑wide outages that amplified the chaos.

Major Service Disruptions: When the Internet’s Backbone Reminded Everyone Who’s Really in Charge

2025 wasn’t just about targeted attacks; it was also the year the internet itself seemed to tap out occasionally. And every time a major provider stumbled, the ripple effects looked indistinguishable from a coordinated attack in terms of operational chaos and attacker opportunism.

AWS: The Day Half the Internet Took an Unscheduled Break

  • AWS East region suffered a multi-hour disruption triggered by a cascading failure in its internal service discovery layer.

  • Payment processors froze, airline check-in systems jammed, and healthcare portals stalled.

Cloudflare: When a Routing Issue Became Everybody’s Problem

  • A backbone routing misconfiguration caused widespread latency and outages; financial platforms, logistics networks, and consumer apps all felt it.

  • The disruption highlighted a lesson from major internet outages: when core infrastructure stumbles, downstream services and dependent platforms feel the impact immediately.

Microsoft: Identity at Scale, and Failure at Scale

  • Microsoft 365 / Azure AD authentication failures prevented global logins to Outlook, Teams, OneDrive, and Azure services.

  • The outage cascaded into dependent cloud applications, grinding daily business operations to a halt.

  • Azure regional degradation further impacted VM autoscaling, routing, and SQL availability, even for customers outside the affected region.

Google: Cloud Networking Faults and Workspace Delays

  • Google Cloud routing and load-balancing faults disrupted GKE clusters, BigQuery operations, and back-end services powering major SaaS platforms.

  • Gmail and Workspace delays left organizations unable to send, receive, or enforce policy on email for extended periods.

These outages weren’t security incidents, but they created all the conditions attackers thrive on: confusion, miscommunication, and millions of users desperately clicking anything that looks like an update or fix.

AI as a Force Multiplier: New Acceleration and New Exposure

In 2025, AI began to meaningfully alter both how attacks are executed and where new risk surfaces appear. AI primarily accelerated existing problems while creating new infrastructure layers that many organizations were not yet prepared to secure.

  • AI-assisted cyber espionage operations were disrupted in 2025 following research published by Anthropic, which documented how large language models were used to automate reconnaissance, vulnerability analysis, and task execution across dozens of global targets. While not fully autonomous, these operations demonstrated how AI can dramatically compress attack timelines and lower the barrier to complex campaigns.

  • Exposed Model Context Protocol (MCP) servers were identified by Bitsight researchers, who found roughly 1,000 internet-accessible MCP deployments with no authentication controls in place. Because MCP enables AI systems to invoke tools and access data sources, misconfigured servers risked providing unintended access to internal tools, cloud environments, and sensitive enterprise systems.

The implication for defenders is straightforward: AI does not replace traditional security fundamentals, but it amplifies the impact of identity weaknesses, misconfigurations, and automation gaps. Teams that apply the same rigor to AI tooling as they do to cloud and SaaS platforms will be better positioned to manage this accelerating risk.

Why These Threats Keep Happening

Across all sectors, several systemic pressures explain the persistence of these threats:

  1. Identity is now the primary attack surface, with credential abuse driving the majority of incidents.

  2. Third-party dependencies create indirect pathways that attackers increasingly exploit.

  3. Cloud and SaaS complexity heightens misconfiguration risk, overwhelming manual oversight processes.

  4. Data sprawl expands the blast radius of any single compromised account or system.

  5. Attackers leverage automation and AI, enabling rapid, large-scale operations at minimal cost.

These are structural issues rather than isolated organizational failures.

What Organizations Should Prioritize in 2026

The lessons of 2025 point toward several high-impact areas:

  • Strengthening zero trust identity controls and reducing credential-based attack surfaces

  • Increasing visibility into SaaS platforms, especially Salesforce

  • Expanding third-party governance and continuous monitoring expectations

  • Implementing automated verification of cloud configurations

  • Reducing unnecessary data retention

  • Prioritizing early detection and response capabilities over traditional perimeter defenses

This is where many organizations feel the weight of complexity but also where real progress is possible. Approaches aligned with Cloud Native Security Fabric (CNSF) principles help teams connect identity, network behavior, cloud posture, and SaaS activity into a more coherent picture.

Instead of chasing alerts across disconnected tools, security teams gain clearer context, faster investigation paths, and better control over east-west and shared infrastructure risk.

Curious about how to protect your network with zero trust principles? Explore Aviatrix Zero Trust for Workloads.

Matt Snyder

Principal Engineer/Lead - Detection and Response, Aviatrix, Inc.

Matt leads Detection & Response efforts at Aviatrix, working closely with internal security teams and external partners to identify, investigate, and respond to potential threats. His role spans strategic oversight and hands-on execution to ensure a strong security posture across complex, distributed environments.
