惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Engineering at Meta
Engineering at Meta
T
Threatpost
P
Palo Alto Networks Blog
NISL@THU
NISL@THU
O
OpenAI News
Project Zero
Project Zero
G
GRAHAM CLULEY
P
Privacy International News Feed
A
Arctic Wolf
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
M
MIT News - Artificial intelligence
T
Threat Research - Cisco Blogs
S
Security @ Cisco Blogs
Google DeepMind News
Google DeepMind News
B
Blog RSS Feed
D
Docker
aimingoo的专栏
aimingoo的专栏
博客园 - 【当耐特】
N
Netflix TechBlog - Medium
云风的 BLOG
云风的 BLOG
雷峰网
雷峰网
W
WeLiveSecurity
P
Proofpoint News Feed
腾讯CDC
Cloudbric
Cloudbric
S
Secure Thoughts
C
Check Point Blog
博客园 - Franky
T
The Exploit Database - CXSecurity.com
T
Troy Hunt's Blog
GbyAI
GbyAI
Security Archives - TechRepublic
Security Archives - TechRepublic
Application and Cybersecurity Blog
Application and Cybersecurity Blog
月光博客
月光博客
C
Cyber Attacks, Cyber Crime and Cyber Security
I
Intezer
TaoSecurity Blog
TaoSecurity Blog
L
Lohrmann on Cybersecurity
V
Visual Studio Blog
F
Fortinet All Blogs
博客园 - 叶小钗
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recorded Future
Recorded Future
C
Cisco Blogs
博客园 - 司徒正美
Stack Overflow Blog
Stack Overflow Blog
Y
Y Combinator Blog
Apple Machine Learning Research
Apple Machine Learning Research

The Register - Security: CSO

Anthropic's Mythos has The Kettle crew curious, skeptical 'People's Panel' to check if UK wants controversial Digital ID will cost £630K Top npm package backdoored to drop dirty RAT on dev machines Lightning-fast exploits mean patch fast, says Cisco Talos Lightning-fast exploits mean patch fast, says Cisco Talos Smooth criminals talking their way into cloud environments, Google says Cybercrime up 245% since the start of the Iran war Scattered Lapsus$ Hunters seeks women to defraud helpdesks Every day in every way, passwords are getting worse CISA quietly updated ransomware flags on 59 flaws last year Deepfake job seeker applied to work for an AI security firm Deepfake job seeker applied to work for an AI security firm AI-powered cyberattack kits are 'just a matter of time' AI-powered cyberattack kits are 'just a matter of time' FortiGate SSO bug still exploitable despite December patch FortiGate SSO bug still exploitable despite December patch Judge tosses CrowdStrike shareholder suit over 2024 outage DRAM shortage may drive firewall prices higher: analysts Ransomware attacks kept climbing in 2025 as gangs refused to stay dead Around 1,000 systems compromised in ransomware attack on Romanian water agency 1,000 systems pwned in Romanian Waters ransomware attack Half of exposed React servers remain unpatched amid attacks CISA warns spyware crews are breaking into Signal and WhatsApp accounts FCC guts Salt Typhoon telco rules despite espionage risk CISA orders feds to patch Oracle Identity Manager zero-day SEC drops SolarWinds lawsuit that painted a target on CISOs everywhere SEC bails on SolarWinds lawsuit Palo Alto kit sees massive surge in malicious activity amid mystery traffic flood Palo Alto kit sees massive surge in malicious activity Countries use cyber targeting to plan strikes: Amazon CSO Overconfidence is the new zero-day as teams stumble through cyber simulations UK's Cyber Security and Resilience Bill makes Parliamentary debut Cyber insurers paid out over twice as much for UK ransomware attacks last year Cyberpunks mess with Canada's water, energy, and farm systems Trump's workforce cuts blamed as America's cyber edge dulls Feds flag active exploitation of patched Windows SMB vuln How malware vaccines could stop ransomware's rampage Salesforce refuses to pay ransomware crims' extortion demand Germany slams brakes on EU's Chat Control snoopfest Germany slams brakes on EU's Chat Control snoopfest Employees regularly paste company secrets into ChatGPT Oracle tells Clop-targeted EBS users to apply July patch Red Hat repos raided, claims cybercrew, files stolen Suspected Chinese spies broke into 'numerous' enterprises UK gov acknowledges 'strong case' for JLR financial support JLR extends shutdown – again – as toll on workers laid bare UK chancellor blames cyberattacks on Russia despite evidence Fortra discloses 10/10 severity bug in GoAnywhere MFT Entra ID bug could have granted access to every tenant UEFI Secure Boot for Linux Arm64 – where do we stand? JLR says cyber cleanup to take additional week Insider blamed for FinWise data breach affecting nearly 700K Nork snoops whip up fake military ID with help from ChatGPT UK government dragged for incomplete security reforms Church of England abuse victims exposed by lawyer's email US spy chief claims UK backdown on Apple backdoor demand Workday confirms CRM breach via social engineering Black Hat/DEF CON: AI more useful for defense than hacking Ex-White House cyber guru talks Microsoft security fails CISA releases malware analysis for Sharepoint Server attack China: US spies used Microsoft Exchange 0-day to steal info Security pros drowning in threat-intel data Identity attacks surge 156% as phishermen get craftier Organizations can’t keep up with supply chain security musts Amazon CISO: Iranian hacking crews ‘on high alert’ UK data watchdog fines 23andMe £2.3M over 2023 breach Employers are demanding too much from junior cyber recruits FCA warned four staffers who pocketed regulator data Ransomware just wrecked your network – now what? Ivanti RCE attacks 'ongoing,' exploitation hits clouds Ex-NSA listened to Scattered Spider's calls: 'They're good' Snowflake CISO talks lessons learned from breaches, improv Why CVSS is failing us and what we can do about it Infosec pros still aren't nailing the basics of AI security Ransomware crims targeting systems between IT and operations Why aggregating asset inventory leads to better security NCSC and industry at odds over how to tackle shoddy software Powerschool extortionists may not have deleted stolen data CrowdStrike trims workforce by 5 percent, aims to rely on AI NSO Group must pay Meta $168M in WhatsApp spy case Ghost in the shell script: Boffins seek code correctness How Intruder finds what others miss in cloud security Linux malware can avoid syscall-based endpoint protection Infosec pro blabs about alleged malware mishap on LinkedIn The future of AI in cybersecurity in a word – optimistic CVE board 'kept in the dark' on funding, members say Security snafus caused by third parties up from 15% to 30% Blue Shield shared 4.7M people's health info with Google Ads US cyber defenses are being dismantled from the inside Bug hunter obtains an SSL cert for Alibaba Cloud in 5 steps
Who needs phishing when your login's already in the wild?
Jessica Lyons Jessica Lyons · 2025-04-23 · via The Register - Security: CSO

Criminals used stolen credentials more frequently than email phishing to gain access into their victims' IT systems last year, marking the first time that compromised login details claimed the number two spot in Mandiant's list of most common initial infection vectors.

"Credential stealers have been and are a major issue, but we have seen a resurgence recently," Mandiant Consulting VP Jurgen Kutscher said in an interview with The Register about the nearly 100-page M-Trends 2025 report from the Google-owned security shop.

"Email tends to be noisier and easier to detect with phishing detection," he added. "There is an entire cybercrime business surrounding stolen credentials that promotes the sale – and use – of stolen credentials."

The annual report also found 55 percent of attackers active in 2024 were financially motivated, up slightly from 52 percent the year before. Only 8 percent were motivated by espionage last year, which represents a 2 percent drop from 2023.

In 2024, Mandiant began tracking 737 new threat clusters, bringing the total number of groups on its radar to more than 4,500. Across last year's incident response engagements, the team observed 302 different threat groups, 233 of which were newly identified.

But the parts that piqued our interest – and likely will prove the most useful to defenders trying to keep the baddies off their networks – involved how attackers are breaking in, usually to steal data, demand ransoms, or sometimes both.

Exploits remained the top entry point overall for the fifth straight year. In cloud compromises, however, phishing led at 39 percent, with stolen credentials close behind at 35 percent.

New to this year's report is that Mandiant tracked the overall initial infection vector, but then also broke out cloud attacks and ransomware into their own separate sections.

How ransomware gangs gain initial access

It found the most commonly observed initial infection vector for ransomware infections was brute-force attacks (26 percent) followed by stolen credentials (21 percent).

Brute-force intrusions into victim environments highlight "the opportunistic nature of ransomware and multifaceted extortion," Kutscher told The Register. Attacks of this nature include password spraying, using default credentials across multiple virtual private network (VPN) devices, and high-volume login attempts against a remote desktop server.

A lot of those attacks are not targeted at any one specific company, but threat actors looking to see where they can break in, and where they can cause the most damage

"A lot of those attacks are not targeted at any one specific company, but threat actors looking to see where they can break in, and where they can cause the most damage," he added. 

Yes, healthcare is always a prime target, Kutscher admitted.

"But at the end of the day, most organizations are going to have sensitive data that you can either steal or encrypt, business operations that are time sensitive, that you can disrupt, and as such, we see a lot more opportunistic threats when it comes to ransomware," he said. "Anybody can be a target."

Cloud compromise and stolen creds

Cloud compromise got its own section "because we've just seen so much more activity in that space," Kutscher said. "And there, the initial compromise vector is use of stolen credentials and phishing, so a different way for threat actors to break in."

However, if you consider the crooks' objectives in each type of attack, the preferred methods start to make sense. In ransomware infections, criminals are locking up and stealing data to demand hefty ransom payments, while in cloud compromises, 66 percent involved data theft and 38 percent were financially motivated.

"It is not too surprising to see that threat actors adapt their primary egress point based on what they're targeting, and who they're targeting as well," Kutscher said.

Email phishing, we're told, has been on the decline since 2022, representing the initial access vector in 22 percent of Mandiant's investigations three years ago, 17 percent in 2023, and 14 percent last year.

Stolen credentials climbed from 10 percent in 2023 to 16 percent in 2024, edging out email phishing. This speaks to the ease with which crooks can obtain user login information: buying leaked or stolen ones online, mining large data dumps for credentials, and infecting users with keyloggers and infostealers, a type of malware that can collect a range of private user info including credentials, browser cookies, and even cryptocurrency wallets.

"Infostealers and broader credential theft are not new threats, but they are seeing a resurgence and have always posed significant risks to organizations that may not realize employee credentials have been compromised and exposed – sometimes years prior," the report authors wrote.

Remember the Snowflake customer breaches?

One prime example of the rise in stolen credentials and their role in cloud-targeted attacks is last year's Snowflake customer breaches. A crew that Google/Mandiant tracks as UNC5537 used stolen credentials to access Snowflake customers' cloud databases, and these credentials were largely obtained via infostealer malware.

During its investigation into the breach, Mandiant's team determined that UNC5537 used Snowflake customers' valid credentials, "hundreds" of which had been stolen by infostealers such as VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, and METASTEALER.

Some of these infections happened as far back as November 2020. But even in these years-old thefts, the credentials had not been updated or rotated.

"In several Snowflake-related investigations, Mandiant observed that the initial compromise of infostealer malware occurred on contractor systems that were also used for personal activities, including gaming and downloading pirated software," according to today's report.

"One of the contributing factors is we're seeing an increasing number of credentials stolen from non-corporate systems, i.e. personal computers," Kutscher said. "Personal devices typically don't have enterprise security controls, like no EDR, network monitoring, etc."

"Additionally, employees or contractors often disable [antivirus] on their personal devices so they can install unlicensed software. This leads to the increase of infostealers on personal computers. Also, people may synchronize web browsers on their work computers, which may transfer enterprise credentials to personal computers."

Another example of this is a financially motivated crew that Google Threat Intelligence tracks as Triplestrength because it poses a triple threat to organizations: it infects their on-premises computers with ransomware, and also hijacks their cloud accounts to illegally mine for cryptocurrency.

To take over victims' cloud accounts, Triplestrength uses stolen credentials and cookies, and relies on RACCOON infostealer logs to obtain at least some of the credentials for Google Cloud, Amazon Web Services, and Linode.

Plus, not only is this group using compromised logins to break into cloud environments, it is also selling this illicit access to other crooks. Google's threat hunters spotted online personas connected to Triplestrength advertising access to compromised servers, including those in Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean.

Turn on MFA

A major takeaway from all of this – the uptick in stolen credentials, infostealers, cloud intrusions, and brute-force attacks leading to ransomware infections – is the importance of using multi-factor authentication (MFA).

As we learned from the Snowflake customer breaches, the criminals predominantly exploited accounts that didn't have MFA enabled. There's a good reason why baking MFA into software is one of the seven key pieces of CISA's Secure by Design initiative.

"A lot of times what we see is that it's not the cloud environment that is targeted directly, but that threat actors are able to leverage stolen credentials and then leverage that access to move into the cloud environment," Kutscher said. "That's where, again, the importance of properly implemented multi-factor authentication is really critical." ®