Full Report
Infostealers fueled the staying power of identity-based attacks, increasing 84% on a weekly average last year, according to IBM X-Force. The post Attackers stick with effective intrusion points, valid credentials and exploits appeared first on CyberScoop.
Analysis Summary
This summary is based on the provided article excerpt regarding the IBM X-Force 2025 Threat Intelligence Index findings. The focus is on prevalent attack vectors, credential harvesting, and observed malware types.
# Tool/Technique: Infostealers (General Category)
## Overview
Infostealers are malicious software designed to extract and steal sensitive information, primarily login credentials, from victim systems. They are a major fueling component behind the rise of identity-based attacks, often delivered via phishing emails.
## Technical Details
- Type: Malware Family (Category)
- Platform: Primarily Windows endpoints (implied by context of common use/delivery, though specific targeting is not detailed)
- Capabilities: Retrieving login credentials from compromised systems.
- First Seen: Not specified in the text, but their role is highlighted across 2024 activity.
## MITRE ATT&CK Mapping
Since infostealers are how attackers obtain the credentials they later log in with, they map to credential access and to the phishing-based initial access that delivers them:
- **T1555 - Credentials from Password Stores** (Via direct exfiltration/storage access)
- **T1555.003 - Credentials from Web Browsers** (Common target)
- **T1566 - Phishing** (Primary delivery vector mentioned)
- **T1566.001 - Spearphishing Attachment** and **T1566.002 - Spearphishing Link** (Implied vectors for email delivery)
- **TA0001 - Initial Access**
## Functionality
### Core Capabilities
- Harvesting and stealing valid user login credentials.
- Distribution primarily via phishing emails, showing an 84% weekly average increase in volume compared to the previous year, and a 180% jump compared to 2023 levels.
### Advanced Features
- The text highlights the successful use of these tools to enable attackers to "log in, versus hacking in."
## Indicators of Compromise
- File Hashes: [Not specified]
- File Names: [Not specified]
- Registry Keys: [Not specified]
- Network Indicators: [Not specified]
- Behavioral Indicators: Delivery via email leading to collection scripts/binaries being executed; subsequent network communication for data exfiltration (implied).
## Associated Threat Actors
- Cybercriminals (general mention, as these are widely used COTS/commodity tools).
## Detection Methods
- **Behavioral detection**: Using endpoint security agent telemetry to monitor for processes that read credential stores (browser password databases, saved sessions) and for unusual data egress from endpoints.
- **Email filtering**: Detecting inbound phishing emails distributing the infostealer payloads.
## Mitigation Strategies
- **Identity Protection**: Focusing on Multi-Factor Authentication (MFA) to render stolen credentials less useful.
- **Vulnerability Management**: Patching public-facing applications aggressively (as exploitation remains a top attack vector).
- **User Training**: Training users to recognize and report credential phishing attempts.
## Related Tools/Techniques
Specific Infostealers listed by IBM X-Force as top threats on dark web forums in 2024:
- Lumma
- RisePro
- Vidar
- Stealc
- RedLine
---
# Tool/Technique: Exploitation of Public-Facing Applications (Vector)
## Overview
The technique of exploiting vulnerabilities discovered in applications accessible via the internet (e.g., web servers, VPNs, exposed APIs) remains a primary vector for initial network intrusion. This method accounted for 30% of IBM X-Force incident response cases.
## Technical Details
- Type: Technique / Initial Access Vector
- Platform: Externally facing server infrastructure (Varies widely based on the software targeted)
- Capabilities: Gaining initial unauthorized access to an organization's network perimeter.
- First Seen: Ongoing and historical
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- **T1190 - Exploit Public-Facing Application**
## Functionality
### Core Capabilities
- Direct intrusion into organizational networks by leveraging unpatched software vulnerabilities.
### Advanced Features
- Post-compromise scanning (observed in 25% of these cases) to identify further vulnerabilities for lateral movement.
- The success is attributed to threat actors leveraging flaws for which patches have long been available ("vulnerabilities from years ago").
## Indicators of Compromise
- File Hashes: [Not specified]
- File Names: [Not specified]
- Registry Keys: [Not specified]
- Network Indicators: Initial connection attempts indicative of scanning or exploit delivery against public services.
- Behavioral Indicators: Unexpected process execution or file writes following external network traffic targeting web services.
## Associated Threat Actors
- General cybercriminal syndicates and advanced persistent threat (APT) groups.
## Detection Methods
- **Security Monitoring**: Monitoring external perimeter devices (WAFs, firewalls) for exploit signatures.
- **Vulnerability Scanning**: Continuously scanning public-facing assets to ensure known vulnerabilities are patched.
## Mitigation Strategies
- **Vulnerability Management**: Implementing robust patch management processes, prioritizing internet-facing assets.
- **Network Segmentation**: Ensuring that systems compromised via public-facing applications do not trivially lead to sensitive internal network segments.
## Related Tools/Techniques
- Vulnerability Scanning Tools (used post-compromise).
---
# Tool/Technique: Valid Account Usage (Credential Compromise)
## Overview
The use of stolen or illegally obtained legitimate credentials to log into victim networks is a dominant initial access method, accounting for 30% of IBM X-Force incident response cases, matching the rate of exploit usage. This technique allows attackers to "blend into seemingly common activities."
## Technical Details
- Type: Technique / Access Method
- Platform: Any platform that authenticates users (Windows, Cloud infrastructure, VPNs, etc.)
- Capabilities: Bypassing perimeter defenses by mimicking legitimate user activity.
- First Seen: Ongoing
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- **T1078 - Valid Accounts**
- **T1078.003 - Local Accounts** (Potential)
- **T1078.004 - Cloud Accounts** (Potential)
- **TA0006 - Credential Access** (Credential harvesting is the source)
## Functionality
### Core Capabilities
- Logging in using existing, trusted user accounts.
- Credential harvesting is the primary source: X-Force investigators observed 800 million potential credential pairs on the dark web.
### Advanced Features
- Attackers are blending in, making detection difficult as they perform actions similar to legitimate users.
## Indicators of Compromise
- File Hashes: [Not specified]
- File Names: [Not specified]
- Registry Keys: [Not specified]
- Network Indicators: Logins originating from unexpected geographic locations or during unusual hours, even if using valid credentials.
- Behavioral Indicators: Anomalous activity following a successful login (e.g., immediate privilege escalation attempts, unusual C2 beaconing).
## Associated Threat Actors
- All threat actors leveraging identity-based attacks.
## Detection Methods
- **Logging and UEBA**: Deploying User and Entity Behavior Analytics (UEBA) to spot deviations from established baseline user activity (e.g., impossible travel, access attempts outside normal hours).
- **MFA Requirement**: Enforcing MFA for all accounts, especially those exposed to phishing or credential stuffing, so that use of a stolen password surfaces as a failed or denied MFA challenge rather than a silent successful login.
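The two UEBA signals named above (impossible travel and logins outside normal hours) are simple enough to show in code. The following is an added example, not code from the CyberScoop article or from IBM X-Force: it parses a constructed authentication log, resolves source IPs through a constructed geo-IP table, and flags successful logins whose movement would require faster-than-aircraft travel or that fall outside an assumed 07:00-19:00 working window. The log format, field names, IP addresses, coordinates and thresholds are all assumptions for the illustration.

```python
"""
Added example (not from the article or IBM X-Force): a minimal UEBA-style
detector for valid-credential misuse. Flags "impossible travel" between
consecutive successful logins and logins outside working hours.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed geo-IP table: source IP -> (city, latitude, longitude).
# Real deployments would query a geo-IP database instead.
GEO = {
    "203.0.113.10": ("Seattle", 47.61, -122.33),
    "198.51.100.7": ("Frankfurt", 50.11, 8.68),
    "192.0.2.44": ("Seattle", 47.62, -122.35),
}

# Assumed thresholds, tune per environment: no human moves faster than
# roughly a commercial flight, and working hours are 07:00-18:59 in the
# timestamp's own timezone (the sample uses UTC).
MAX_SPEED_KMH = 1000.0
WORK_HOURS = range(7, 19)

# Constructed sample log: "<iso-time> user=<u> src=<ip> result=<success|failure>".
SAMPLE_LOG = """
2025-03-03T03:15:00+00:00 user=bob src=192.0.2.44 result=success
2025-03-03T09:02:11+00:00 user=alice src=203.0.113.10 result=success
2025-03-03T09:40:00+00:00 user=alice src=198.51.100.7 result=success
2025-03-03T10:00:00+00:00 user=bob src=192.0.2.44 result=success
2025-03-03T11:00:00+00:00 user=carol src=203.0.113.10 result=failure
"""


@dataclass
class Login:
    ts: datetime
    user: str
    src_ip: str
    outcome: str


def parse_line(line: str) -> Login:
    """Parse one auth record in the constructed format above."""
    ts_str, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return Login(datetime.fromisoformat(ts_str), fields["user"], fields["src"], fields["result"])


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def haversine_km(a, b) -> float:
    """Great-circle distance in km between (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect(text: str) -> list:
    """Return findings as dicts with rule, user, ts and detail, sorted by time."""
    # Only successful logins matter here: a stolen password that works
    # produces no failure for a signature-based control to catch.
    successes = sorted((l for l in parse_log(text) if l.outcome == "success"), key=lambda l: l.ts)
    by_user = {}
    for login in successes:
        by_user.setdefault(login.user, []).append(login)

    findings = []
    for user, events in by_user.items():
        for ev in events:
            city = GEO.get(ev.src_ip, ("unknown",))[0]
            if ev.ts.hour not in WORK_HOURS:
                findings.append({"rule": "off_hours", "user": user, "ts": ev.ts.isoformat(),
                                 "detail": f"login at {ev.ts:%H:%M} from {city}"})
        # Compare each login with the previous one from a different IP.
        for prev, cur in zip(events, events[1:]):
            if prev.src_ip == cur.src_ip or prev.src_ip not in GEO or cur.src_ip not in GEO:
                continue
            km = haversine_km(GEO[prev.src_ip][1:], GEO[cur.src_ip][1:])
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Distance exceeding what MAX_SPEED_KMH allows in the elapsed time
            # (a zero gap with non-zero distance also triggers).
            if km > MAX_SPEED_KMH * hours:
                findings.append({"rule": "impossible_travel", "user": user, "ts": cur.ts.isoformat(),
                                 "detail": f"{GEO[prev.src_ip][0]} -> {GEO[cur.src_ip][0]} "
                                           f"({km:.0f} km in {hours * 60:.0f} min)"})
    findings.sort(key=lambda f: f["ts"])
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["ts"], f["rule"], f["user"], f["detail"])
```

Both rules operate on successful logins only, which is the point of the technique: because the credentials are valid, the login itself generates no error, so the anomaly has to come from context (geography, timing, sequence) rather than from authentication failures. The Seattle-to-Frankfurt pair in the sample is roughly 8,000 km apart and 38 minutes apart, which is what "impossible travel" looks like in practice.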
## Mitigation Strategies
- **Strong Authentication**: Implementing and enforcing Multi-Factor Authentication (MFA) across the organization.
- **Privileged Access Management (PAM)**: Strictly controlling and monitoring accounts with elevated rights.
## Related Tools/Techniques
- Credential Phishing (the vector used to bait victims into giving up credentials).
- Infostealers (the component used to steal credentials from endpoints).