Back to Home

Cyberattacks 2025: 400k MDR Kaspersky alerts

Kaspersky report analyzes 400,000 MDR alerts for 2025: high-critical incidents down to 3.8%, top vectors — public apps and contractors. RCE in SAP/Oracle detected, LOLBins like PowerShell, SOC coverage issues 43%. Recommendations on patching and monitoring.

400,000 alerts: anatomy of cyberattacks 2025 Kaspersky
Advertisement 728x90

Cyber Threats 2025: Kaspersky MDR Analysis of 400,000 Alerts

Kaspersky's MDR, Incident Response, and Compromise Assessment services processed data from 200,000 corporate clients. In 2025, they logged 400,000 alerts. AI automatically resolved 95,000 (24%), SOC analysts filtered 87% of the remaining 300,000. Just 21,000 incidents reached customers.

Response times: 42 minutes for critical, 33 minutes for medium, and 31 minutes for low. That's a 22% improvement over 2024, thanks to automation.

Incident Criticality Trends

The share of critical incidents has been dropping for the sixth straight year: from 14.3% in 2021 to 3.8% in 2025. MDR caught up to three such cases daily. 97% of incidents were medium or low severity, mostly from automated malware and opportunistic attacks.

Google AdInline article slot

Human-operated attacks are rarer as a percentage but still the most dangerous. Catching them early explains the downward trend in criticality.

Most Targeted Industries

Top 3 industries by incident share:

  • Government — 19%
  • Manufacturing — 17%
  • IT — 15% (surpassing finance)

IT sector saw 4.9% critical incidents, government 4.3% (above average). The rise in IT attacks ties to supply chain compromises: hackers breach service providers and integrators to reach clients. We've seen cases chaining multiple organizations.

Google AdInline article slot

Initial Access Vectors

From Incident Response data:

  • Public app exploits — 43.7%
  • Compromised credentials — 25.4%
  • Trusted relationships (vendors) — 15.5%

Phishing dropped out of the top 3 in 2023 and now plays a supporting role in kill chains. Vendor attacks surged since 2023: breaching weakly secured firms with remote access to clients, making traffic look legit.

Impact of Successful Attacks

Data encryption topped damage-causing incidents at 39%. Next: persistence for disruption (12%), web exfiltration (7%).

Google AdInline article slot

Detection timing differences:

  • Post-damage: encryption, data destruction, service outages.
  • Pre-damage: persistence, Active Directory compromise.

Dwell time hinges on monitoring maturity, not the entry point.

Exploited Vulnerabilities

50% of Incident Response vulns were RCE, often unauthenticated. Top ones:

  • CVE-2025-31324 (SAP NetWeaver, CVSS 9.8) — unauthorized file upload
  • CVE-2025-42999 (SAP NetWeaver, CVSS 9.1) — insecure deserialization, RCE
  • CVE-2025-61882 (Oracle E-Business Suite, CVSS 9.8) — unauthenticated service takeover
  • CVE-2024-55591 (Fortinet FortiOS, CVSS 9.8) — authentication bypass

A third of vulns dated to 2021—ProxyLogon in Exchange remains relevant four years later. Attackers exploit known flaws with available patches.

Attacker Tools

LOLBins in critical MDR incidents:

| Tool | Share |

|---------------|--------|

| powershell.exe| 14.4% |

| rundll32.exe | 5.9% |

| mshta.exe | 3.8% |

| comsvcs.dll | 3.0% |

| msedge.exe | 2.7% |

mshta.exe spiked due to fake CAPTCHA lures. Specialized tools: Mimikatz (14.3%), PowerShell (8.1%), PsExec/AnyDesk (7.5%). Case in point: DLL hijacking via MPDefender.exe.

SOC Challenges

Rule coverage averages 43%, dropping to 30% with 50+ data sources. Key issues:

  • Coverage decay without oversight.
  • Vendor rules without tuning—false positives galore.
  • Unbalanced logging without detection (network, DB, web).

Emerging 2025 Techniques

T1568 Dynamic Resolution hit the top 10 for conversions (23%): DGA, Fast Flux DNS. Case: abusing URL reservations in HTTP.sys for stealthy C2, mimicking Exchange traffic.

Key Takeaways

  • Critical incidents at 3.8%, but MDR stops them pre-damage.
  • Top vectors: public apps (43.7%), credentials (25.4%), vendors (15.5%).
  • Vulns: 50% RCE, third from 2021—with patches available.
  • SOCs cover 43% of data; decay is a major risk.
  • IT in top 3 (15%), hit via supply chains.

— Editorial Team

Advertisement 728x90

Read Next