How attackers behave in active cyber espionage campaigns

Cyber adversaries and their industrial-scale infrastructure relentlessly probe critical sector network vulnerabilities – such as remote access infrastructure and widely used platforms – with business-like efficiency, says a new report.

Researchers who recorded 44.5 million connection attempts originating from 372,800 unique source IPs last year said the scale and diversity of internet-facing exploits reveal how modern threat actors operate, according to a new report from Hewlett Packard Enterprise Threat Labs.

“Multiple large cybercriminal rings function like businesses, leveraging emerging generative AI tools and exploiting vulnerabilities with extreme precision,” the security vendor said.

WHY IT MATTERS

“This professionalization of cybercrime means attacks are more predictable in execution, yet harder to disrupt, because taking down one part of the criminal operation is like trying to shutter a single branch of a franchise,” David Hughes, HPE Threat Labs, senior vice president and general manager, SASE and security for networking, said in a statement on Tuesday.

The researchers said they analyzed 1,186 active threat campaigns globally, with 63 targeting healthcare organizations, from January 1 through December 31, 2025, to understand the new and known vulnerabilities exploited and which tactics were used.

While one data-stealing operation went so far as to coordinate an automated assembly line through the Telegram messaging application to exfiltrate data in real time, according to the report, the overall findings highlighted “the concentration of malicious traffic on vulnerable services and the persistent probing behavior of threat actors across various regions.”

Among the millions of connection attempts, “36,600 requests matched known attack signatures, originating from only 8,200 distinct source IPs targeting just five destination IPs,” the researchers said.

Commonly targeted platforms were VPNs and Microsoft SharePoint.

Additional findings showed similar patterns:

  • 4,700 digital video recorder shell remote code executions.
  • 3,100 PHPUnit and TP-Link command injections.
  • 3,400 Docker application programming interface abuses.
  • 3,490 Huawei router exploits with Port 37215 heavily targeted, likely due to known RCE vulnerabilities.
  • 2,700 printer enumeration (IPP) and Realtek UPnP abuses, often used in lateral movement or botnet propagation.
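As an added example (not code from the report or this article), the script below parses constructed honeypot connection records and computes the three figures the report frames its headline statistic in: signature-matched requests, distinct source IPs and distinct destination IPs. The signature table, the Docker API and IPP ports, and the request paths are assumptions; only port 37215 comes from the report.

```python
from collections import Counter

# Assumed signature table, keyed by name: (destination port, HTTP method, path prefix).
# Port 37215 is from the report; 2375 (Docker API) and 631 (IPP) are the
# conventional ports for those services and are assumed here, as are the paths.
SIGNATURES = {
    "huawei_router_rce": (37215, "POST", "/"),
    "docker_api_abuse": (2375, "POST", "/containers/create"),
    "ipp_enumeration": (631, "POST", "/printers"),
}

# Constructed honeypot records using documentation IP ranges, one per line.
SAMPLE_LOG = """\
2025-03-04T10:11:12Z src=203.0.113.5 dst=198.51.100.7 dport=37215 method=POST path=/cgi
2025-03-04T10:11:13Z src=203.0.113.5 dst=198.51.100.7 dport=37215 method=POST path=/cgi
2025-03-04T10:11:14Z src=203.0.113.9 dst=198.51.100.8 dport=2375 method=POST path=/containers/create
2025-03-04T10:11:15Z src=203.0.113.9 dst=198.51.100.8 dport=2375 method=GET path=/version
2025-03-04T10:11:16Z src=192.0.2.44 dst=198.51.100.9 dport=631 method=POST path=/printers/lp0
2025-03-04T10:11:17Z src=192.0.2.45 dst=198.51.100.7 dport=443 method=GET path=/
"""

def parse_record(line):
    """Parse one key=value record (timestamp first) into a dict; dport becomes an int."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    fields["dport"] = int(fields["dport"])
    return fields

def match_signature(rec):
    """Return the name of the first signature the record matches, or None."""
    for name, (port, method, prefix) in SIGNATURES.items():
        if rec["dport"] == port and rec["method"] == method and rec["path"].startswith(prefix):
            return name
    return None

def summarize(log_text):
    """Count matched requests, distinct sources and destinations, and hits per signature."""
    matched = 0
    sources, destinations, per_sig = set(), set(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        name = match_signature(rec)
        if name is None:
            continue  # unmatched traffic is counted elsewhere, not here
        matched += 1
        sources.add(rec["src"])
        destinations.add(rec["dst"])
        per_sig[name] += 1
    return {"matched": matched, "sources": len(sources),
            "destinations": len(destinations), "per_signature": dict(per_sig)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```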

Interestingly, the top threat actor country by source IP count is the United States, followed by the African island nation Seychelles, then China, Germany, the United Kingdom and Russia, according to the report.

Among the 549 CVEs observed in 2025, the top five stood out not just for their volume, but because they could be patched, said the researchers.

The National Institute of Standards and Technology published the top CVEs long ago, they noted.

“This development serves as a powerful reminder that while often time-consuming, patching vulnerabilities is critical and ultimately worthwhile.”

By enforcing strict patching protocols and deploying automated anomaly detection, organizations in critical sectors, including healthcare, can more quickly identify lateral movement across hybrid environments to fend off disruptive attacks.

The researchers also advised organizations to:

  • Harden user authentication through multifactor authentication and strict password policies and monitoring for credential dumps.
  • Extend security beyond the corporate perimeter to home networks, third-party tools and supply chain environments.
  • Segment networks to prevent an attacker who breached one device from roaming critical systems.
  • Monitor and filter traffic from unmanaged endpoints, including requiring authenticated access for all remote connections.
  • Apply zero-trust principles to strengthen authentication and limit lateral movement.
  • Enforce patch protocols for widely used platforms such as VPNs and SharePoint.
  • Deploy AI-native anomaly detection to identify lateral movement across hybrid environments.
  • Share threat intelligence across corporate teams, customers and industries to improve visibility and response.

The majority of the statistical data used in the analysis was derived from customer telemetry and a private global network of honeypots designed to capture diverse threat activity, according to the report’s methodology section.

THE LARGER TREND

Shark Tank star Robert Herjavec, a security technology entrepreneur, said at HIMSS26 this month that he believes that AI will ultimately change the calculus in the cybersecurity arms race.

While hospitals can use AI to help fight AI-driven cyberattacks now, its use comes with risk, according to one healthcare cybersecurity expert.

One of the biggest risks is the lack of explainability, said Kumar Krishnamurthy Venkateswaran, CIO of the Indian private hospital chain, Narayana Health.

“AI should augment and not replace human judgment,” he explained in August during a presentation at HIMSS25 APAC. “It should be like a secondary decision support for a security analyst, a security manager, a security head or a [chief security officer].”

ON THE RECORD

“Such well-run operations reflect professional and systematic operations, dispelling the conventional assumption that threat actors primarily operate as lone wolves or with a sparse understanding of ubiquitous modern workforce tools,” researchers said in the Hewlett Packard Enterprise Threat Labs report.

Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.
