▼ Summary
– **Attackers exploit trusted service entrances** – Sophisticated attackers now bypass fortified perimeters by targeting trusted relationships and infrastructure businesses rely on.
– **Ransomware shifts to data theft** – Modern ransomware prioritizes stealing and threatening to release sensitive data over encrypting files, changing attackers’ timelines.
– **Third-party vendors become attack vectors** – Less secure vendors are used as stepping stones to breach larger clients, exploiting legitimate access for stealthy intrusions.
– **Cloud identity attacks rise** – Attackers exploit cloud permissions and session tokens, bypassing MFA and chaining minor access rights for major breaches.
– **Visibility and testing are critical** – Organizations must monitor network blind spots, scrutinize trusted connections, and continuously test cloud identity policies to mitigate risks.
The digital front door is locked, barred, and monitored. Security teams have spent years fortifying perimeters against direct assault. But a new report from cybersecurity firm Sygnia suggests the most sophisticated attackers are no longer bothering to pick the front lock. Instead, they are quietly using the trusted service entrances, exploiting the very relationships and infrastructure that businesses depend on to operate.
Drawn from frontline incident response investigations throughout 2024, Sygnia’s latest Threat Report paints a clear picture of an adversary who has adapted. Attackers are focusing their efforts on three interconnected fronts: the evolution of ransomware beyond simple encryption, the weaponization of the software supply chain, and the exploitation of identity in the cloud. These are not new concepts, but the report’s case studies reveal a level of stealth and patience that bypasses many conventional security controls, creating dangerous new blind spots for unprepared organizations.
Extortion’s New Playbook
Ransomware is no longer just about encrypting files. The new extortion model prioritizes data theft. The threat of publicly releasing sensitive corporate data is often a far more powerful motivator for payment than denying access to systems. According to Sygnia, this shift changes the attacker’s timeline. While some data heists can be over in hours, attacks culminating in mass encryption require more preparation.
This preparation phase creates a critical, yet frequently missed, window for detection.
Sygnia’s investigators found that groups like Abyss Locker, a ransomware actor active in 2024, typically spend one to two weeks inside a network before deploying their final payload. This “dwell time” is a gift to defenders, but only if they know where to look.
In one case study, the Abyss Locker group gained initial access using compromised VPN credentials, a common entry point. What they did next was telling. Instead of immediately moving toward high-value servers, they targeted overlooked network infrastructure. They established a foothold on Network Attached Storage (NAS) appliances, devices often lacking the robust monitoring of primary servers. From this stealthy outpost, disguised as a legitimate system process, they mapped the network, moved laterally to VMware ESXi hosts which manage the virtual infrastructure, and began exfiltrating massive amounts of data with tools like ‘rclone’. Only after the data was secure did they encrypt the virtual machines, crippling the organization. The attack succeeded not by overpowering defenses, but by living in their shadows.
The Trojan Horse Vendor
The modern enterprise is a web of dependencies, relying on dozens of third-party vendors for everything from IT support to cloud services. This interconnectedness is a primary target. Attackers now treat smaller, less secure vendors as stepping stones to their larger, more valuable clients.
Sygnia highlights a chilling incident involving an Advanced Persistent Threat (APT) group. These are often state-sponsored or highly sophisticated actors focused on long-term espionage, not quick financial gain. After being discovered and removed from a client’s network, the group resurfaced within weeks. The new intrusion point was not a new vulnerability, but a trusted, existing connection from a third-party service provider.
The attackers had compromised the vendor’s network and were using the vendor’s legitimate Remote Desktop Protocol (RDP) access to pivot back into their target’s environment. This activity was exceptionally difficult to detect because it blended perfectly with the normal, everyday operations between the client and its partner. The organization’s security tools saw a trusted vendor logging in, just as it did every other day. This silent persistence, maintained for years in some cases, underscores a fundamental vulnerability: many companies have almost no visibility into the security posture of their own suppliers.
The Identity Heist Goes Cloud Native
As organizations stampede to the cloud, they are inadvertently creating a new frontier for identity-based attacks. The cloud’s power is built on a complex fabric of permissions and identities, both human and machine. For an attacker, this fabric is a puzzle to be solved. A state-sponsored attack detailed in the report shows just how masterfully this can be done.
The attack began not with a technical exploit, but with a conversation on LinkedIn. Posing as researchers, the attackers engaged key developers at the target company, eventually convincing them to run what appeared to be harmless code. That code harvested credentials, but more importantly, it stole active session tokens. With a valid session token, an attacker can bypass multi-factor authentication (MFA) entirely, effectively walking into the user’s account without needing a password or a second factor.
Once inside the company’s AWS environment, the attackers did not have direct access to their target. What they had was a set of limited permissions. They then began a methodical process of “permission mining,” chaining together seemingly minor access rights to achieve a major breach. They found they could modify an AWS Lambda function, a small piece of serverless code. By altering this function, they could execute commands on previously inaccessible EC2 server instances. This gave them the foothold needed to craft fraudulent API calls and finally access the crown jewel assets. This wasn’t a smash-and-grab; it was a quiet, patient, and calculated exploitation of trust and complexity.
The lesson is stark. Investing in complex cloud identity policies is not enough. Without actively and continuously testing those policies through exercises like red teaming, organizations are blind to the subtle gaps that attackers are becoming experts at finding.
In 2025, security is no longer just about building higher walls. It is about gaining visibility into the dark corners of the network, scrutinizing trusted connections, and understanding that in the cloud, identity is the new perimeter. The greatest risks may no longer be from unknown enemies at the gate, but from the trusted keys you have already handed out.
