Around this time every year, the Verizon Data Breach Investigations Report (DBIR) provides valuable insights into trends in cyber attacks, and this edition (examining over 20,000 incidents logged by the Verizon security team) notes some substantial spikes in third-party compromise and vulnerability exploitation.
These are trends that began some time ago and that may be chalked up to a general increase in incident reporting, but there are some smaller details that help inform ongoing threat development. Perhaps the most interesting item is a very large increase in the targeting of VPNs and edge devices, paired with continuing problems getting patches applied in a timely manner.
Cyber attacks increasingly targeting third parties, known vulnerabilities
The 2025 DBIR indicates vendor and partner breaches are on the rise, doubling from 15% to 30% of all the cyber attacks examined in this period. In this attack category, threat actors still prefer credential reuse (32%). In some cases this consists of still-working credentials taken from another breach, but the study notes that attackers are also having consistent success finding secrets in GitHub repositories. Social engineering is a significant contributor as well, playing a role in 23% of incidents.
This likely has at least some overlap with a spike in espionage cases, now comprising 17% of all of the examined cyber attacks. However, these incidents most frequently see the attacker exploiting a vulnerability as the point of compromise. One would expect these attacks to be up with all the news of activity by groups like Volt and Salt Typhoon, but the DBIR notes that an increasing percentage of espionage attacks (28%) also involve a profit-seeking component.
One area in which the DBIR does not report significant growth is the malicious use of AI tools in cyber attacks. Thus far, criminals seem to be using them primarily to polish up emails and messages. The risk in this area is more from inside the house, with employees showing a strong tendency to avoid internal safeguards in the use of LLMs.
Drilling deeper into the 2025 DBIR numbers
Of all the cyber attacks examined in the 2025 DBIR, 22% kicked off with credential abuse. Vulnerability exploitation has been making a strong push to take the lead over the last two years, however, with its most recent surge putting it at 20% (and ahead of phishing at 16%). And within this category, targeting of edge devices and VPNs is way up – 22% as compared to just 3% the prior year. This appears to be connected to serious struggles with patching, which now takes 32 days on average; a little over half the time, edge devices never get patched.
The DBIR also shows mixed numbers for ransomware. Attack quantity is definitely up, seeing a 37% spike (the second year in a row that a large spike has taken place), and just shy of half of all the cyber attacks logged involved ransomware. However, the average payment is down by $35,000, to $115,000. A solid majority of victims, 64%, are also refusing to make a payment. While this signals general improvement in preparedness and recovery plans, the trend may not have caught up with smaller businesses yet. Profit-seeking criminals are increasingly willing to hit smaller targets (after several years of “whale hunting”), and 88% of cyber attacks on SMBs during the DBIR period involved ransomware.