Cybersecurity teams are falling short of expectations as new forms of cloud attacks such as LLMjacking and cryptojacking emerge. The Sysdig Threat Research Team (TRT) has published a new report highlighting AI‑cybersecurity struggle in 2024 against these risks, with additional insights and predictions on the biggest threats in 2025. According to the report, LLMjacking is only the tip of the iceberg in an AI-dominated cybertech landscape where unpreparedness could cost victims $100,000 per day in loss. Despite substantial efforts to create awareness about cybersecurity frameworks enforced through best policies, CISOs and CIOs are fighting a losing battle.

Reason?

Threat actors are far more advanced when it comes to innovating their tactics and tools for cyber attacks. The key highlight of the Sysdig report is the mention of the entrepreneurial threat actors– a growing community of threat-as-a-service providers who deliver faster, bigger, and costlier attacks on behalf of repeat customers. So, while security leaders could be testing their existing cybersecurity architecture hoping it doesn’t skid due to an incident, attack groups have already planned their waves over the next 12 months, armed with new-age AI and automation tools.

Let’s dive deeper into the report. To do so, we have identified the 5 key takeaways from Sysdig 2024 Global Threat Report that every CIO, CISO, and SecOps team should read.

Key Takeaway #1 The Rise of Advanced Cloud Attacks in 2025

AI-cybersecurity struggles have intensified with cloud attacks Attackers continue to harness cloud-based capabilities to launch newer types of cyber attacks. In 2025, these attacks could manifest into bigger threats. One of the most striking revelations from Sysdig’s 2024 Global Threat Year-in-Review is the alarming speed at which large-scale cyberattacks can unfold. The Sysdig TRT had previously explain how the malicious actors are moving so quickly through the “attack chain.” The SRT reported cloud attacks can happen in less than 10 minutes, mentioning attackers gaining free access to cloud services and easier monetization through attacks as the main factors contributing to the menace. Things will change in 2025, albeit for worse, as the same Sysdig TRT researchers have provided ample information on why cloud attacks would become more sophisticated, and hence costlier to identify and recover from.

Why attackers choose cloud?

According to Darktrace, attackers are increasingly using alternative methods to deliver malicious links and payloads through cloud-based services, which can potentially evade traditional cybersecurity protections. Additionally, by leveraging legitimate login credentials to access systems, their actions become more difficult to trace.

While cloud infrastructure is designed to provide agility and scalability for businesses, these same features also present unique advantages for cybercriminals. The swift execution of attacks—ranging from cryptojacking to Distributed Denial of Service (DDoS) assaults—has emerged as a significant concern for organizations worldwide.

Recent trends highlight a worrying capability for attackers to inflict substantial financial damage within mere hours. For instance, certain campaigns have been shown to accumulate victim costs of up to $80,000 in an incredibly short timeframe, thanks to the ease of scaling operations in cloud environments. This rapid monetization of attacks poses serious risks for businesses that are not prepared to defend against these threats.

Recommended CyberTech Insights: Sysdig: Protecting Hybrid Clouds with Cloud Identity Insights

Key Takeaway #2: Turning the AI Tables with “LLMJacking”

One of the more concerning developments identified in this year’s report is the evolution of automated resource jacking. A notable tactic, termed “LLMjacking,” has come to the forefront in 2024. This method involves attackers gaining unauthorized access to cloud accounts that host large language models (LLMs)—advanced AI systems such as OpenAI’s GPT and Anthropic’s Claude. These models are not only highly valuable but also costly to operate, making them prime targets for cybercriminals looking to exploit cloud resources.

LLMjacking shares similarities with traditional resource-based exploits, such as cryptojacking, but presents an even more significant financial risk. As organizations increasingly rely on LLMs for various applications, the potential for attackers to harness these sophisticated models for their own gain raises the stakes considerably. LLMjacking attacks could cost victims in the range of $40k and $100k daily, escalating the drain on AI resources. This could lead to a bigger problem for victims in the form of “resource-jacking.”

As a cybersecurity executive, it’s critical to understand the geopolitical landscape influencing cyber threats. Sysdig SRT closely monitored the rise of LLMjacking attacks, particularly in nations facing restricted internet access or sanctions that entirely block connectivity to global resources.

In these regions, cybercriminals are exploiting the limitations imposed by their governments. LLMjacking tactics allow attackers gain unauthorized access to cloud accounts hosting large language models (LLMs), effectively bypassing local restrictions. This not only enables them to tap into advanced computational resources but also serves as a means to connect to the broader global internet, circumventing the very limitations that hinder their access.

Why attackers fancy LLMjacking?

The motivations behind the LLMjacking cloud attacks are multifaceted.

Residents in sanctioned or isolated nations may seek to leverage LLMs for legitimate purposes, such as academic research or business innovation. However, the inability to access these tools legally drives some to resort to malicious activities. The stolen resources facilitate not just individual gain, but also the potential for organized groups to exploit these models for more nefarious ends, including misinformation campaigns or enhanced cyberattack capabilities.

Moreover, this trend highlights a significant challenge for cybersecurity professionals. Organizations hosting LLMs must remain vigilant, not only against traditional threats but also against this evolving tactic that leverages geopolitical tensions. The intersection of cybersecurity and international relations cannot be understated; as long as there are disparities in access to technology, the potential for exploitation will persist as long as cloud attacks stay unreported.

Key Takeaway #3: Malicious Intent Expose Open Source Tools

The rise of malicious use of open source software (OSS) technology exemplifies a broader trend in the cyber threat landscape: the increasing sophistication and adaptability of attackers.

In the latest findings from the Sysdig Threat Research Team (TRT), we are witnessing a concerning trend: a marked increase in the exploitation of open source tools by cybercriminals for malicious ends. As a cybersecurity executive, it’s crucial to analyze this shift not only from a technical standpoint but also in the context of broader threat landscape dynamics.

The report outlines a diverse array of open source tools being co-opted by various malicious actors. One particularly striking example is the CRYSTALRAY campaign, where a penetration testing tool was weaponized to compromise over 1,500 victims. This incident serves as a stark reminder of how legitimate technology can be repurposed for nefarious activities, effectively blurring the lines between ethical use and malicious intent.

The increasing prevalence of such tactics reflects a strategic evolution among cybercriminals. By leveraging open source tools, attackers can more easily disguise their activities within normal network operations. This blending strategy not only complicates detection efforts but also heightens the risk for organizations that may not have the appropriate visibility into their network traffic. As attackers use tools that are widely regarded as legitimate, traditional defenses may falter, leading to successful intrusions and data breaches.

Moreover, the accessibility of these tools democratizes cybercrime, enabling even less sophisticated actors to mount sophisticated cloud attacks. This trend underscores the imperative for organizations to bolster their defenses through enhanced monitoring and threat intelligence capabilities. Understanding the specific tools and tactics being employed in the wild will be essential for developing effective countermeasures.

Key Takeaway #4: The RUBYCARP Botnet

The RUBYCARP botnet group, which managed to evade detection for over a decade. As a cybersecurity technology analyst group, we find this case particularly instructive, illustrating the lengths to which sophisticated attackers will go to maintain their operations.

RUBYCARP’s success can largely be attributed to its reliance on custom tools and advanced persistence techniques. Unlike many botnets that utilize readily available exploit kits, RUBYCARP has demonstrated a tailored approach, focusing on vulnerabilities within popular applications such as Laravel and GitLab. This specificity not only enhances their effectiveness but also enables them to fly under the radar, avoiding the scrutiny typically directed at more conventional attack vectors.

What sets RUBYCARP apart is their strategic patience and stealth. While most botnets are eventually identified and dismantled, the RUBYCARP group exemplifies how a methodical, low-profile approach can yield long-term operational success. Their ability to adapt to changing security landscapes has allowed them to remain undetected, continually exploiting systems without drawing significant attention.

The financial implications of their activities are equally noteworthy. Through cryptomining operations, the group has generated a steady stream of income, with one member reportedly amassing $22,800 in just two years—an amount equivalent to a respectable annual salary in Romania. This underscores not only the potential profitability of such cybercriminal endeavors but also the motivations that drive attackers to sustain their operations over extended periods.

RUBYCARP’s persistence highlights a growing trend in the cybersecurity realm: the sophistication of today’s attackers who are increasingly focused on playing the long game. By remaining discreet, these cybercriminals can continue to exploit vulnerabilities without triggering alerts that might lead to their downfall.

The lack of legal recourse against the RUBYCARP group over the past decade can largely be attributed to the challenges associated with attributing actions to individuals or groups using open source tools.

Open source software is publicly available and often widely used, which means that many attackers can utilize these tools without leaving clear traces that lead back to them. This makes it extremely difficult for law enforcement and cybersecurity professionals to identify and hold accountable those behind malicious activities.

The Technology Engine for The RUBYCARP Cybercriminals

In the case of the RUBYCARP group, the Sysdig Threat Research Team (TRT) identified a specific tool—the shellbot Perl script—that has been reported on extensively. However, the reports focus on the tool itself rather than on the individuals or group utilizing it. This situation is not uncommon; while the tool may be linked to various attacks, the people behind its deployment often remain anonymous. And, motivation is a “few hundred dollars” every month till the group scores a jackpot!

The difficulty in open source attribution, combined with the anonymous nature of cybercriminal activities, explains why there has been no legal recourse against the RUBYCARP group despite their long-standing operations.

Furthermore, the nature of cybercrime often involves the use of proxy servers, anonymizing networks, and other techniques that obscure the attackers’ identities and locations. These factors create significant hurdles for legal action, as establishing a clear connection between the tool and its users is crucial for prosecution.

In light of these developments, it is imperative for organizations to adopt a proactive and layered security posture. Continuous monitoring, threat intelligence, and behavioral analysis are essential to detect and mitigate such stealthy threats. As cybersecurity professionals, we must be vigilant, understanding that today’s attackers are not only technically adept but also strategic in their long-term planning. This awareness will be crucial in safeguarding our systems against evolving threats like RUBYCARP and similar groups.

Key Takeaway #5: Anticipating the Evolving Cloud Attacks Landscape in 2025 | CyberTech Predictions

As we look ahead to the coming year, it is clear that the attack surface will continue to expand, particularly with the growing integration of large language models (LLMs) across various sectors. Organizations are increasingly centralizing data that was once compartmentalized, directing vast amounts of information into LLMs in pursuit of enhanced productivity. While this approach offers significant operational benefits, it inadvertently introduces new concentration risks and broadens the attack surface, thereby presenting increased opportunities for cybercriminals.

The shift towards centralization raises critical concerns about data security. As organizations aggregate sensitive information into LLMs, the potential impact of a breach escalates. Attackers can exploit vulnerabilities in these centralized systems to access large volumes of data in one fell swoop, amplifying the consequences of any security incident. The complexity and scale of LLMs also mean that traditional security measures may struggle to keep pace, making it essential for organizations to reassess their security architectures.

From a financial perspective, we are anticipating a substantial increase in the costs associated with cyberattacks. According to IBM, the average cost of a data breach is projected to reach $4.68 million in 2024. However, this figure rises to $5.17 million specifically for breaches involving public cloud environments. The statistics are striking: the United States alone reported over 1,500 breaches in the first half of 2024.

Given these trends and projections, it is reasonable to forecast that global cyberattacks could incur costs exceeding $100 billion in 2025 due to cloud attacks. This underscores the critical need for organizations to invest in robust cybersecurity measures. It is essential to not only enhance threat detection and response capabilities but also to educate employees about the risks associated with data centralization and the use of emerging technologies like LLMs.

Conclusion

Sysdig’s 2024 report paints a vivid picture of the evolving threat landscape in cloud environments. The combination of rapid attack execution and the emergence of specialized cloud attacks tactics like LLMjacking underscores the urgent need for businesses to bolster their security measures.

As attackers continue to leverage the agility and scalability of the cloud, proactive defense strategies will be crucial in mitigating these rising threats. As cybersecurity professionals, we must remain vigilant and proactive, ensuring that our defenses are robust enough to recognize and respond to these evolving threats. By staying informed about the tools and tactics employed by cybercriminals, we can better protect our organizations and mitigate the risks posed by this alarming trend.

To share your insights with CyberTech Newsroom, please write to us at news@intentamplify.com