Across every stage of the attack chain, automation is reshaping threat behavior.  In the reconnaissance phase, cybercriminals launched over 36,000 scans per second in 2024, a 16.7% global increase.  These scans are no longer just searching for exposed ports; they’re probing deep into operational technology (OT), cloud APIs, and identity layers. SIP-based VoIP systems, RDP servers, and industrial protocols like Modbus TCP are being mapped automatically and continuously.

Automation also extends to phishing, credential theft, and even malware development.  Cyber adversaries use AI-powered tools like FraudGPT and ElevenLabs to craft convincing phishing lures, generate deepfake videos, and clone executive voices.  Cybercriminals no longer need to write code or breach a system directly; threat actors can purchase access, tools, and infrastructure through a rapidly growing Cybercrime-as-a-Service (CaaS) marketplace.[1]

The result is an industrialized cybercrime economy that dramatically lowers the barrier to entry, expands the volume of attacks, and increases their success rate.

Credentials Are the New Currency of Compromise - In 2024, FortiGuard Labs tracked a 42% surge in stolen credentials offered on darknet forums. That’s more than 100 billion unique records—email addresses, passwords, session tokens, and multifactor bypass data—freely traded and sold. Infostealer malware like Redline and Vidar contributed to a 500% increase in credential log activity, much of it harvested in real time and sold by Initial Access Brokers (IABs) offering turnkey infiltration into corporate VPNs, RDPs, and admin panels.

These credentials are the backbone of ransomware and espionage operations. Threat actors no longer just hunt for vulnerabilities to exploit; they’re buying entry into your network. And as long as stolen credentials remain abundant, brute force is unnecessary.

Cloud Missteps Remain a Primary Attack Vector - Cloud services now sit at the center of modern operations, and identity has become one of the most critical security perimeters.  Cloud breaches are no longer limited to misconfigured storage buckets.  As infrastructure migrates to the cloud, attackers are finding familiar footholds to exploit, such as over-permissioned identities, credential leaks in public code repositories, and lateral movement through cloud-native services.

FortiCNAPP telemetry shows that attackers often begin by logging in from unfamiliar geographies, sometimes within hours of a developer’s legitimate activity.  From there, they escalate privileges, establish persistence, and use legitimate services to blend into normal network traffic.  In 2024, 25% of all cloud incidents began with reconnaissance, such as API enumeration, permission probing, and discovery of exposed assets.
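The login pattern described above, as an added detection example that is not part of the article or of any Fortinet product: it builds a short per-principal country baseline from constructed CloudTrail-style audit events, flags a login from a country outside that baseline, and lists the permission-probing and persistence calls that followed from the new location. Action names and the 24-hour window are assumptions.

```python
# Added example (not from the Fortinet report or this article): flag cloud logins
# from a country absent from the principal's recent baseline, then collect the
# reconnaissance/persistence API calls that followed from that same location.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style sample: (timestamp, principal, country, action).
EVENTS = [
    ("2024-06-03T09:12:00", "dev-alice", "DE", "ConsoleLogin"),
    ("2024-06-03T09:40:00", "dev-alice", "DE", "s3:PutObject"),
    ("2024-06-03T14:05:00", "dev-alice", "BR", "ConsoleLogin"),
    ("2024-06-03T14:06:00", "dev-alice", "BR", "iam:ListUsers"),
    ("2024-06-03T14:07:00", "dev-alice", "BR", "iam:ListAttachedUserPolicies"),
    ("2024-06-03T14:09:00", "dev-alice", "BR", "iam:CreateAccessKey"),
    ("2024-06-03T10:00:00", "ops-bob", "US", "ConsoleLogin"),
    ("2024-06-03T10:30:00", "ops-bob", "US", "ec2:DescribeInstances"),
]

# Permission probing / asset discovery, and persistence, as described above.
RECON_ACTIONS = {"iam:ListUsers", "iam:ListAttachedUserPolicies", "iam:ListRoles",
                 "sts:GetCallerIdentity", "ec2:DescribeInstances"}
PERSIST_ACTIONS = {"iam:CreateAccessKey", "iam:CreateUser", "iam:AttachUserPolicy"}


def find_unfamiliar_logins(events, window_hours=24):
    """Return one alert per login whose country is not among the countries the
    same principal was active from within the last `window_hours`."""
    events = sorted(events, key=lambda e: e[0])
    last_seen = defaultdict(dict)  # principal -> {country: last activity time}
    alerts = []
    for ts, principal, country, action in events:
        t = datetime.fromisoformat(ts)
        if action == "ConsoleLogin":
            baseline = {c for c, seen in last_seen[principal].items()
                        if t - seen <= timedelta(hours=window_hours)}
            if baseline and country not in baseline:
                # Follow-on calls from the new country that match recon or persistence.
                followups = [a for ts2, p2, c2, a in events
                             if p2 == principal and c2 == country and ts2 > ts
                             and (a in RECON_ACTIONS or a in PERSIST_ACTIONS)]
                alerts.append({"principal": principal, "login_at": ts,
                               "new_country": country, "baseline": sorted(baseline),
                               "followups": followups})
        last_seen[principal][country] = t
    return alerts

if __name__ == "__main__":
    for alert in find_unfamiliar_logins(EVENTS):
        print(alert)
```

A first-ever login for a principal produces no alert because there is no baseline yet; the follow-up list is what turns a geolocation oddity into a triage priority.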

Exploitation Is Widespread, Persistent, and Opportunistic - Automation is also fueling scale.  Fortinet’s intrusion prevention sensors recorded over 97 billion exploitation attempts in the second half of 2024, many targeting vulnerabilities disclosed years ago.  CVE-2017-0147 (26.7% of all exploitation attempts), CVE-2021-44228 (11.6%), and CVE-2019-18935 (8%) remain among the most exploited—clear evidence that legacy exposures continue to create present-day risk.

IoT devices were also a major target, accounting for over 20% of all exploits.  Routers, surveillance cameras, and firewalls with outdated firmware or default credentials are being recruited into botnets, used for lateral movement, or exploited for persistent access.  But what’s striking isn’t just the volume of exploitation. It’s how methodical it has become.  Attackers aren’t wasting time.  They map the exposed surfaces of potential victims, wait for a vulnerability to emerge, and either strike before the organization can apply a patch or sell that vulnerability information on darknet forums.

From Breach to Control: The Post-Exploitation Playbook - Once inside, adversaries move with precision.  In 88% of observed cases involving lateral movement, attackers used RDP to pivot within the network.  Remote Access Trojans (RATs) such as Xeno RAT and SparkRAT provided remote command execution, data exfiltration, and long-term persistence.

Living-off-the-land techniques using legitimate Windows tools and protocols have made traditional detection approaches less effective.  Attackers routinely leveraged PowerShell, WMI, and SMB traffic anomalies to move laterally and escalate privileges.  Active Directory manipulation (via DCSync and DCShadow) enabled attackers to harvest credentials and silently expand their access.

Encrypted C2 channels, domain generation algorithms, and DNS tunneling were widely used to maintain communication with compromised systems, all while bypassing conventional perimeter defenses.
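The DCSync activity mentioned above leaves a trace in Windows Security event 4662 when an account exercises the directory replication control-access rights. As an added example that is not from the article or the report, this check parses constructed 4662 records and alerts when an account outside an assumed allow-list of domain controllers and directory-sync services requests those rights; the allow-list and sample events are assumptions.

```python
# Added example (not from the report or this article): flag Windows Security
# event 4662 records in which an account other than an expected replicator
# exercised the directory replication control-access rights DCSync depends on.
import re

# Control-access right GUIDs granted on the domain object for replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in the AccessMask field
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed allow-list: DC machine accounts plus a directory-sync service account.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "svc-dirsync"}

# Constructed sample events carrying only the 4662 fields the check needs.
EVENTS = [
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC02", "SubjectUserName": "svc-dirsync", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe", "AccessMask": "0x20",
     "Properties": "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},  # ordinary read, not control access
]

def dcsync_alerts(events):
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or not int(ev["AccessMask"], 16) & CONTROL_ACCESS:
            continue
        rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(ev["Properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if rights and ev["SubjectUserName"] not in EXPECTED_REPLICATORS:
            # Get-Changes-All is what allows secrets to be pulled, so it drives severity.
            alerts.append({"host": ev["Computer"], "account": ev["SubjectUserName"], "rights": rights,
                           "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium"})
    return alerts
```

Auditing of directory service access must be enabled on the domain controllers for 4662 to be logged at all, so verify the event actually arrives before relying on this rule.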

A New Mandate for Security Professionals - The pattern is clear: Attackers are optimizing for speed, scale, and stealth. Defenders must do the same. Traditional security models that rely on static controls, point-in-time assessments, or delayed patch cycles are increasingly inadequate.

What’s needed is a shift toward Continuous Threat Exposure Management (CTEM):

  • Continuously monitor attack surfaces, including cloud, OT, and IoT environments
  • Simulate real-world threats using adversary emulation and breach-and-attack testing
  • Prioritize vulnerabilities based on risk, threat intelligence, and exploit availability, not just CVSS scores
  • Automate detection and response to reduce dwell time and accelerate containment
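To make the prioritization point concrete, here is an added example (not from the article, the report, or any CTEM product) of one illustrative risk weighting that places exploit availability, observed exploitation and exposure alongside CVSS. The exploitation shares are the figures quoted above; the CVSS values, exposure and criticality inputs, the weights, and the placeholder entry are assumptions.

```python
# Added example (not from the report or this article): one illustrative
# risk-based ranking that weighs public exploit availability, observed
# exploitation, exposure and asset criticality alongside CVSS.

# Constructed sample findings. Exploitation shares are the figures quoted in the
# article; CVSS, exposure and criticality are illustrative inputs, and the last
# entry is a placeholder high-CVSS finding with no known exploit.
FINDINGS = [
    {"cve": "CVE-2017-0147", "cvss": 5.9, "exploit_public": True,
     "exploitation_share": 0.267, "internet_exposed": True, "criticality": 3},
    {"cve": "CVE-2021-44228", "cvss": 10.0, "exploit_public": True,
     "exploitation_share": 0.116, "internet_exposed": True, "criticality": 5},
    {"cve": "CVE-2019-18935", "cvss": 9.8, "exploit_public": True,
     "exploitation_share": 0.08, "internet_exposed": False, "criticality": 2},
    {"cve": "CVE-PLACEHOLDER-NOEXPLOIT", "cvss": 9.9, "exploit_public": False,
     "exploitation_share": 0.0, "internet_exposed": True, "criticality": 4},
]

# Weights sum to 1.0; exploitation share saturates at 10% of observed attempts.
WEIGHTS = {"cvss": 0.25, "exploit_public": 0.25, "exploitation": 0.25,
           "exposed": 0.15, "criticality": 0.10}


def risk_score(f):
    """0-100 score; a modest-CVSS bug under active exploitation can outrank a
    critical-CVSS bug nobody is known to exploit."""
    s = (WEIGHTS["cvss"] * f["cvss"] / 10
         + WEIGHTS["exploit_public"] * bool(f["exploit_public"])
         + WEIGHTS["exploitation"] * min(1.0, f["exploitation_share"] / 0.10)
         + WEIGHTS["exposed"] * bool(f["internet_exposed"])
         + WEIGHTS["criticality"] * f["criticality"] / 5)
    return 100 * s


def rank(findings, key=risk_score):
    """CVE ids ordered highest priority first."""
    return [f["cve"] for f in sorted(findings, key=key, reverse=True)]


def rank_by_cvss(findings):
    """The CVSS-only ordering the bullet above warns against, for comparison."""
    return rank(findings, key=lambda f: f["cvss"])
```

With these inputs the seven-year-old CVE-2017-0147 moves from last place under CVSS-only ranking to second place, while the unexploited placeholder drops to the bottom.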

This is not a technology conversation; it’s a business continuity conversation. Cyberthreats no longer wait for vulnerabilities to be exposed.  Their reconnaissance efforts monitor all levels of the network, including compromised credentials and other weaknesses available on darknet forums, so they can strike before your team can respond.

Regaining the Advantage - The global threat landscape is evolving, but the mission remains the same: reduce exposure, increase visibility, and move faster than the adversary. The Fortinet Security Fabric is designed to meet this challenge, uniting advanced threat intelligence, real-time detection, and coordinated response across the entire digital infrastructure.

Executives must ensure their organizations are not only protected but positioned to adapt.  Download the full 2025 Global Threat Landscape Report.[2]

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.fortinet.com/blog/threat-research/key-takeaways-from-the-2025-global-threat-landscape-report/

[2] https://www.fortinet.com/resources/reports/threat-landscape-report
