Breakout time drops as new attacker tactics surge in cyber threat space
ReliaQuest has released its latest quarterly analysis of cyber attacker techniques, providing a detailed look at trends observed between 1 June and 31 August 2025.
Breakout time falls
The analysis shows the average breakout time (the period from initial access to lateral movement) has dropped to 18 minutes. By comparison, the lowest recorded breakout time in 2024 was 27 minutes. In one incident involving "Akira" ransomware, lateral movement began within just six minutes of compromising a SonicWall VPN, highlighting the speed at which threat actors can now operate.
Attackers are continually getting faster: the average breakout time (the period from initial access to lateral movement) dropped to 18 minutes this reporting period (June 1 to August 31, 2025).
The report points out that defenders face increasing pressure to close detection gaps and enhance automation, as attackers refine their tactics to exploit every second available. The analysis also notes that staying proactive and adaptive is necessary as the threat landscape shifts rapidly.
Initial access and tactics
ReliaQuest's findings show drive-by compromises accounted for 34% of initial access techniques, influenced by an ongoing "Oyster" (also known as "Broomstick") malware campaign. Oyster accounted for 45% of true-positive customer incidents, a rise from just 2.17% in the previous quarter. USB-based attacks also surged, particularly those linked to "Gamarue" malware, as a result of inconsistent policy enforcement regarding removable media.
The report details Gamarue's tactics, observing that it uses hidden malicious dynamic-link libraries (DLLs) and auto-executes if USB autorun is not disabled, requiring no user interaction. This makes it effective at propagating quickly and remaining undetected, especially in isolated, high-security networks where USB drives are commonly used for data transfer.
Defence evasion trends
Two malware campaigns, Gamarue and Oyster, have weaponised the legitimate Windows system binary "Rundll32" to evade detection and ensure persistence. This technique accounted for 11% of observed defence evasion tactics, after not featuring in the top 15 in the previous quarter. Oyster's use of "Rundll32" to execute DLLs via scheduled tasks is highlighted as especially effective at bypassing traditional security controls.
Oyster alone was linked to 48% of incidents involving the technique of matching legitimate file names or locations to evade detection.
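The two Rundll32 patterns described above (a scheduled task that launches rundll32 with a DLL from a user-writable path, and a binary named rundll32.exe running outside the Windows system directories) can be checked in telemetry. The script below is an added example, not code from the report or from ReliaQuest; the event records are constructed for illustration, and the path lists are assumptions a defender would tune to their own environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events, loosely modelled on scheduled-task creation and
# process-creation telemetry. They are invented for this example.
EVENTS = [
    {"type": "task_created", "task": "\\Microsoft\\Windows\\Update\\Svc",
     "action": "C:\\Windows\\System32\\rundll32.exe "
               "C:\\Users\\bob\\AppData\\Roaming\\upd.dll,DllRegisterServer"},
    {"type": "task_created", "task": "\\Microsoft\\Windows\\Wininet\\CacheTask",
     "action": "C:\\Windows\\System32\\rundll32.exe "
               "C:\\Windows\\System32\\wininet.dll,RunOnceUrlCache"},
    {"type": "process_created", "image": "C:\\Users\\Public\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\x.dll,Start"},
    {"type": "process_created", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Assumed location lists; adjust to the environment's own baseline.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def dll_path(command):
    """Extract the DLL argument that follows rundll32 in a command line, lower-cased."""
    m = re.search(r'(?i)rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', command)
    return m.group(1).strip().lower() if m else None

def classify(event):
    """Return a reason string when the event matches one of the two patterns, else None."""
    if event["type"] == "task_created":
        dll = dll_path(event["action"])
        if dll and dll.startswith(USER_WRITABLE):
            return "scheduled task launches rundll32 with a DLL in a user-writable path"
    elif event["type"] == "process_created":
        image = event["image"].lower()
        if PureWindowsPath(image).name == "rundll32.exe" and not image.startswith(SYSTEM_DIRS):
            return "rundll32.exe running from a non-system directory (name masquerading)"
    return None

def scan(events):
    """Return (event, reason) pairs for every event that matches."""
    return [(e, reason) for e in events if (reason := classify(e))]

if __name__ == "__main__":
    for event, reason in scan(EVENTS):
        print(reason, "->", event.get("action") or event.get("image"))
```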
Lateral movement: SMB abuse spikes
Attackers' lateral movement inside victim networks continued to rely heavily on Remote Desktop Protocol (RDP), which accounted for more than half of identified incidents. However, incidents involving Server Message Block (SMB) abuse spiked to 29%, up from 10% the previous quarter. Ransomware operators used SMB for remote file encryption, which allows them to bypass endpoint protections and operate more covertly within networks.
The report observes that "Akira" ransomware has favoured this approach, using compromised credentials to remotely encrypt shared network files, often from unmanaged or unmonitored devices or through VPN access.
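Remote encryption over SMB leaves its trace on the file server rather than on the encrypting endpoint: one source address renaming many share files to a new extension in a short window, often from a host that carries no EDR agent or that arrived through the VPN pool. The detector below is an added example, not the report's own logic; the audit records, the managed-host inventory, the VPN range and the threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed file-server audit records: (timestamp, source_ip, account, operation,
# old_path, new_path). Six rapid renames from one VPN client, plus benign activity.
RECORDS = [
    ("2025-08-14T02:10:%02d" % i, "10.50.7.23", "j.doe", "rename",
     "\\\\fs01\\finance\\doc%d.xlsx" % i, "\\\\fs01\\finance\\doc%d.xlsx.locked" % i)
    for i in range(6)
] + [
    ("2025-08-14T02:10:30", "10.50.7.23", "j.doe", "write", "\\\\fs01\\finance\\readme.txt", None),
    ("2025-08-14T09:15:00", "10.0.1.10", "a.smith", "rename",
     "\\\\fs01\\finance\\draft.docx", "\\\\fs01\\finance\\final.docx"),
]

MANAGED_HOSTS = {"10.0.1.10", "10.0.1.11"}   # hosts with an EDR agent (assumption)
VPN_POOL = ip_network("10.50.0.0/16")        # VPN client address pool (assumption)
WINDOW = timedelta(seconds=60)
THRESHOLD = 5                                # extension-changing renames per window (assumption)

def ext_changed(old, new):
    """True when a rename appends or swaps the extension, the usual footprint of bulk encryption."""
    return new is not None and old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower()

def detect(records):
    """Return one alert per source host that exceeds THRESHOLD extension changes in WINDOW."""
    by_host = defaultdict(list)
    for ts, ip, user, op, old, new in records:
        if op == "rename" and ext_changed(old, new):
            by_host[ip].append((datetime.fromisoformat(ts), user))
    alerts = []
    for ip, hits in by_host.items():
        hits.sort()
        for i, (start, user) in enumerate(hits):
            count = sum(1 for t, _ in hits[i:] if t - start <= WINDOW)
            if count >= THRESHOLD:
                alerts.append({"source": ip, "account": user, "renames": count,
                               "unmanaged": ip not in MANAGED_HOSTS,
                               "via_vpn": ip_address(ip) in VPN_POOL})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(RECORDS):
        print(alert)
```

The unmanaged and VPN flags are the context the report associates with this technique and are what an analyst would weigh before treating the alert as credential-based remote encryption rather than a bulk rename by a legitimate tool.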
IP-KVM device incidents surge
Incidents involving unauthorised keyboard, video, and mouse over IP (IP-KVM) devices increased by 328%. Attackers, including North Korean actors, are reported to use these devices to blend in with legitimate hardware or to gain access where endpoint visibility is minimal, such as in bring your own device (BYOD) environments. The report also notes that staff and third parties, not just threat actors, are introducing these devices, sometimes inadvertently expanding the attack surface.
ReliaQuest described an August incident in which an unauthorised JetKVM device was connected to a corporate workstation, the response taken, and the new controls introduced to prevent recurrence.
Infostealers: Lumma's continued prominence
Infostealer activity dropped by 67% this quarter, attributed mainly to the law enforcement takedown of "Lumma" infrastructure in May 2025. Despite this, Lumma maintained its position as the top infostealer, involved in 54% of relevant incidents. Lumma's operators adapted rapidly by shifting distribution methods to include fake software cracks, serial key generators, and "ClickFix" tactics like fraudulent CAPTCHA pages.
Other infostealers, including "Acreed", "Vidar", and "Stealc", have expanded their market share, focusing on SaaS credentials, cloud environments, and less-monitored platforms.
Ransomware: Victim numbers decline, but complexity rises
Overall ransomware victim numbers listed on data-leak sites declined by 4.52% in the reporting period. "Akira", "SafePay", and "Play" saw their victim counts fall by 9.42%, 23.14%, and 35.54% respectively. However, "Qilin" retained its position as the most active ransomware group, driven by campaigns exploiting Fortinet FortiGate vulnerabilities.
Analysis indicates that attackers are targeting older, unpatched vulnerabilities in internet-facing devices. The health care and social assistance sector saw a 38% increase, while the utilities sector experienced an 84% rise in ransomware victim counts compared to the previous three months. Both sectors are highlighted as particularly vulnerable due to operational dependencies and the potential for service disruption.
Smaller groups and automation
The report notes increased fragmentation of ransomware groups, with smaller and more agile operations emerging. It cites the example of "GLOBAL" ransomware, which features an affiliate model and uses AI tools such as negotiation chatbots to streamline and personalise ransom demands.
The use of automation and AI by ransomware and malware campaigns, such as AI-powered SEO poisoning by Oyster and negotiation bots by GLOBAL, is highlighted as a growing enabler for attackers seeking to escalate and scale operations more efficiently.
Security challenges and recommendations
In summary, ReliaQuest's analysis underscores that many successful cyber attacks stem from foundational security failures, especially unpatched vulnerabilities and insufficient enforcement of basic controls. The continued rapid evolution of attacker tactics, increasing reliance on automation, hardware-level attacks, and the proliferation of BYOD environments collectively create a complex threat landscape for defenders.
ReliaQuest has outlined several key forecasts, including ongoing risks from Oyster malware, persistent threats from unauthorised IP-KVM devices, and the rising resilience of Lumma's infrastructure. The report calls for organisations to maintain vigilance and prioritise the detection and remediation of well-known vulnerabilities, while adapting security controls to mitigate both established and emerging threats.