Full Report
Infostealers fueled the staying power of identity-based attacks, increasing 84% on a weekly average last year, according to IBM X-Force. The post Attackers stick with effective intrusion points, valid credentials and exploits appeared first on CyberScoop.
Analysis Summary
# Incident Report: Pervasive Use of Valid Credentials and Exploits in 2024 Intrusions
## Executive Summary
Cyberattacks in 2024 heavily relied on established, effective intrusion vectors, specifically focusing on leveraging valid account credentials and exploiting publicly facing applications, each accounting for 30% of observed incidents studied by IBM X-Force. Identity-based attacks were bolstered significantly by the 84% rise in infostealer usage via phishing, allowing attackers to "log in rather than hack in." Critical infrastructure sectors, particularly Manufacturing, were disproportionately targeted, highlighting systemic failures in vulnerability and patch management.
## Incident Details
- Discovery Date: Ongoing observations throughout 2024 (Based on IBM X-Force 2025 Threat Intelligence Index reporting)
- Incident Date: 2024
- Affected Organization: Multiple organizations reviewed under IBM X-Force incident response cases.
- Sector: Critical Infrastructure (70% of attacks studied), including Manufacturing (26%), Finance/Insurance (23%), Professional/Business/Consumer Services (18%), Energy, and Transportation.
- Geography: Not explicitly disclosed, inferred to be global based on IBM X-Force index scope.
## Timeline of Events
### Initial Access
- **Date/Time:** Various times throughout 2024.
- **Vector:** Valid Account Credentials (30%) and Exploitation of Public-Facing Applications (30%).
- **Details:** Attackers gained initial access using either stolen credentials (often from infostealers or credential phishing) or by exploiting unpatched vulnerabilities on internet-facing systems. Infostealer delivery via phishing saw an 84% weekly average increase compared to 2023.
### Lateral Movement
- **Date/Time:** Post-initial access.
- **Vector:** Post-compromise scanning (25% of web application exploitation cases).
- **Details:** In attacks leveraging public-facing application vulnerabilities, attackers frequently conducted post-compromise scanning to look for additional defects to facilitate further access and lateral movement.
### Data Exfiltration/Impact
- **Date/Time:** Post-infiltration staging.
- **Vector:** Credential harvesting and reuse.
- **Details:** Credential theft was the top objective, appearing in 28% of all incident response cases. Compromised credentials were either used to move laterally or, potentially, sold on the dark web (800 million credential pairs observed). The specific types of data exfiltrated are not detailed, but the focus on credential theft implies sensitive data was involved.
### Detection & Response
- **Date/Time:** Varies based on organization maturity.
- **Vector:** Detection of activity related to stolen credentials or exploited vulnerabilities.
- **Details:** The report focuses on the methods of intrusion rather than specific organizational response timelines. The high volume of identity-based attacks suggests difficulty in detection as attackers blended into normal activity ("logging in, versus hacking in").
## Attack Methodology
- **Initial Access:** Valid Account Credentials (30%), Exploitation of Public-Facing Applications (30%).
- **Persistence:** Not explicitly detailed, but utilizing valid credentials suggests session hijacking or maintaining access via backdoors after initial login.
- **Privilege Escalation:** Not explicitly detailed, but likely a goal following initial access via vulnerability exploitation or credential compromise.
- **Defense Evasion:** Identity-based attacks inherently evade some defenses by mimicking legitimate user sessions. Use of infostealers suggests strong evasion tactics against endpoint security to retrieve credentials.
- **Credential Access:** Infostealers (Lumma, RisePro, Vidar, Stealc, RedLine observed as top 5 on dark web), Credential Phishing (mimicking legitimate login pages).
- **Discovery:** Post-compromise scanning to find additional vulnerabilities (observed in 25% of web application exploitation cases).
- **Lateral Movement:** Using harvested/compromised valid credentials; leveraging additional discovered vulnerabilities.
- **Collection:** Credential harvesting (objective in 28% of IR cases).
- **Exfiltration:** Through mechanisms enabled by compromised high-level access (details not specified).
- **Impact:** System compromise enabling broad network access, leading to potential data loss and operational disruption, especially in critical infrastructure.
## Impact Assessment
- **Financial:** Not explicitly quantified in the summary, but high given the focus on critical infrastructure and credential theft potentially leading to secondary compromises sold on the dark web.
- **Data Breach:** High likelihood of compromise involving sensitive data, as credential harvesting was the top objective (28% of IR cases).
- **Operational:** High risk, particularly for critical infrastructure organizations which were the target in 70% of attacks reviewed.
- **Reputational:** Inherent risk due to the high-profile targeting of critical sectors.
## Indicators of Compromise
- **Network indicators (defanged):**
- C2 traffic associated with known infostealer Command & Control servers.
- Anomalous logins from unexpected geographies or unusual times corresponding to stolen credentials.
- **File indicators:**
- Presence of known infostealer binaries (e.g., Lumma, RisePro, Vidar, Stealc, RedLine executables).
- **Behavioral indicators:**
- Phishing emails delivering payloads designed to capture login credentials.
- Sudden spike in authentication failures or successful logins using previously dormant or new accounts.
- Post-exploitation reconnaissance scans against internal systems.
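The behavioral indicators above (logins from a country never seen for that account, a login by an account that has been dormant for months, and a burst of authentication failures followed by a success) can be checked over authentication logs. The following is an added example, not from the X-Force report or CyberScoop article; the event tuples, thresholds and alert names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the X-Force report):
# (ISO timestamp, user, source country, result). Realistic input would be
# parsed from IdP or VPN logs into the same tuples.
EVENTS = [
    ("2024-03-10T10:00:00", "bob", "US", "success"),
    ("2024-06-01T09:00:00", "alice", "US", "success"),
    ("2024-06-02T09:05:00", "alice", "US", "success"),
    ("2024-06-03T03:20:00", "alice", "RU", "success"),   # country never seen for alice
    ("2024-06-03T04:00:00", "bob", "US", "success"),     # first login after nearly three idle months
    ("2024-06-03T04:01:00", "carol", "US", "failure"),
    ("2024-06-03T04:01:10", "carol", "US", "failure"),
    ("2024-06-03T04:01:20", "carol", "US", "failure"),
    ("2024-06-03T04:01:30", "carol", "US", "failure"),
    ("2024-06-03T04:01:40", "carol", "US", "failure"),
    ("2024-06-03T04:02:00", "carol", "US", "success"),   # success right after the burst
]

def analyze(events, dormant_days=60, fail_threshold=5, window_minutes=5):
    """Return (user, alert_kind, timestamp) tuples for the behavioural indicators."""
    window = timedelta(minutes=window_minutes)
    seen_countries = defaultdict(set)   # per-user baseline of login countries
    last_success = {}                    # per-user time of the last successful login
    failures = defaultdict(list)         # per-user failure timestamps inside the window
    alerts = []
    for ts_s, user, country, result in sorted(events):
        ts = datetime.fromisoformat(ts_s)
        # keep only the failures that fall inside the sliding window
        failures[user] = [t for t in failures[user] if ts - t <= window]
        if result == "failure":
            failures[user].append(ts)
            if len(failures[user]) == fail_threshold:   # fire once per burst
                alerts.append((user, "auth_failure_spike", ts_s))
            continue
        if user in seen_countries and country not in seen_countries[user]:
            alerts.append((user, "login_from_new_country", ts_s))
        if user in last_success and ts - last_success[user] > timedelta(days=dormant_days):
            alerts.append((user, "dormant_account_login", ts_s))
        if len(failures[user]) >= fail_threshold:
            alerts.append((user, "success_after_failure_spike", ts_s))
        seen_countries[user].add(country)
        last_success[user] = ts
    return alerts

if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The country baseline and dormancy threshold need a warm-up period of historical logins before alerts are meaningful; on a cold start every account looks new.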
## Response Actions
The article does not detail specific response actions taken by victim organizations but implies remediation focuses on:
- **Containment:** Revocation and resetting of compromised user accounts; potentially isolating systems exploited via public-facing vulnerabilities.
- **Eradication:** Removing infostealer malware from endpoints.
- **Recovery:** Reverting access controls and securing public-facing applications.
## Lessons Learned
- **Effectiveness of Identity Attacks:** Attackers continue to favor identity-based attacks because logging in is harder to distinguish from legitimate activity than traditional hacking methods.
- **Infostealers are Powering Identity Attacks:** The significant rise in infostealer usage directly correlates with the increased success of valid credential compromise.
- **Vulnerability Management Failure:** The continued exploitation of old, publicly known vulnerabilities indicates that organizations are failing at fundamental patch and vulnerability management practices.
- **Sector Risk Concentration:** Critical infrastructure remains an overwhelmingly high-priority target.
## Recommendations
- **Strengthen Authentication:** Implement Multi-Factor Authentication universally to neutralize the impact of stolen credentials and credential stuffing campaigns.
- **Aggressive Patch Management:** Prioritize immediate patching of all internet-facing applications, covering both recently disclosed vulnerabilities and long-known legacy ones that attackers are actively exploiting.
- **Endpoint Detection & Response (EDR):** Enhance EDR capabilities specifically tuned to detect the execution and communication patterns of known infostealer malware families.
- **User Education:** Increase training frequency and phishing simulations targeting credential harvesting links, given the massive increase in phishing-delivered infostealers.