The U.S. has never faced a more challenging time for cybersecurity, with critical infrastructure under siege, nation-state threat actors emboldened, and a new Presidential Administration that could usher in policy changes and a possible government restructuring.

A new Cyble report highlights the cyber threats and challenges facing the U.S., offering critical insights into the biggest threats that organizations must grapple with. The report examines the top threats, threat actors, and attack targets; hacktivism trends; more than 50 actively exploited IT and ICS vulnerabilities; Dark Web and cybercrime trends; and recommendations for security teams.

Major U.S. Cyber Challenges

The challenges that will help define the U.S. cybersecurity direction in the coming months include:

Disinformation: Efforts to influence the U.S. election escalated significantly in the final weeks of the campaign. The main foreign actors involved in influence campaigns—notably Russia, China, and Iran—will likely continue to try to influence U.S. policy and discourse.

The Future of CISA: The Republican “Project 2025” agenda includes proposals to reorganize the top U.S. cybersecurity agency and its responsibilities at a time when critical infrastructure is facing significant challenges.

Nation-State Threats: Concern about foreign adversaries escalated when China-linked threat actors successfully infiltrated U.S. telecom systems to access wiretap data and the phone data of top U.S. officials. As China is believed to have significantly infiltrated critical infrastructure in the U.S. and elsewhere, national cyber agencies must do more to detect and remove these threats.

AI in Social Engineering: The proliferation of AI technology is enhancing the effectiveness of social engineering attacks, enabling more personalized and convincing tactics that have scammed average citizens as well as multi-national corporations. To help combat this rising threat, Cyble has added AI deepfake detection and takedown services to its threat intelligence suite.

Dark Web and Cybercrime: Dark Web activity remains a major threat, as exploits are under discussion on cybercrime forums within hours after vulnerabilities are publicly revealed, and zero-day vulnerabilities can frequently be found for sale on these forums.

Healthcare and OT/ICS environments: Threat actors continue to heavily target healthcare and critical infrastructure, with Manufacturing, Energy, Oil and Gas, and Building Automation being the leading attack targets detected by Cyble.

Ransomware: The U.S. is by far the biggest ransomware target, and data exfiltration is increasingly a goal of ransomware groups.

Infostealers continue to grow in frequency and sophistication, threatening the accounts and credentials of both enterprises and consumers.

Most Active Threat Groups and Ransomware Targets

Cyble detected four of the most active threat groups in October: ransomware groups. RansomHub was the top threat actor, followed by DragonForce, Lockbit, and Storm-0501. An APT group, UNC5812, rounded out the top five.

According to Cyble data, the U.S. remains the biggest ransomware target, with October attack volumes 10 times higher than in any other country (chart below).

Healthcare is being increasingly targeted by ransomware groups, and the effects on patient care are predictably dire. Texas Tech Health Sciences Center, Aspen Healthcare Services, and Boston Children’s Health Physicians were among the bigger ransomware targets in October.

The full report examines more than 30 threat groups, more than 50 IT and ICS vulnerabilities, and 52 malware families. The top malware families observed by Cyble in October were:

• Hydra
• Lynx
• Nitro
• RansomHub
• Rhysida
• Hellcat Ransomware
• Cactus
• Everest
• Medusa
• Interlock

Hacktivism Trends

Hacktivism remained significantly active heading into the election, both in the U.S. and elsewhere. Israel and Palestinian concerns were by far the most dominant – and played a surprisingly pivotal role in the U.S. election in some states, most notably in Michigan and Wisconsin.

Some of the most active hacktivist groups in October included:

• XYZ/Alpha Wolf
• Key Group
• NoName
• Cyber Operation Alliance
• Anon Black Flag

Dark Web and Cybercrime Activity

The dark web has become a democratizing force in cybercrime, giving less experienced threat actors and hacktivists access to more sophisticated exploits, leaked files, credentials, stolen credit cards, compromised endpoints, and more.

Cyble dark web researchers typically see ten or more vulnerability exploits discussed each week on cybercrime forums, many of which have available Proof of Concept (PoC) exploits that can be easily deployed.

Cyble’s AI-powered threat intelligence tool detected 1.5 million data exposures, 48,000 compromised endpoints, and 178,000 leaked credentials in October, all readily available for a price.

The report also looked at 34 IT and 20 ICS vulnerabilities targeted by attackers, many of which were discussed on dark web forums. Network devices are frequently a starting point for cyberattacks, but the list touches a wide range of systems that hackers use to move laterally, elevate privileges, and establish persistence.

Cyble Recommendations

The threat landscape may appear overwhelming at times, but good cybersecurity practices performed regularly can do much to reduce your attack surface. Patching, network segmentation, air-gapped backups, monitoring and logging, vulnerability assessments, and a strong incident response plan are all essential practices that take time but don’t necessarily carry a high price tag. Cyble can help with cost-effective vulnerability intelligence and scanning services targeted to individual environments.

Related