Rapid7 found that 56% of all compromises in Q1 2025 resulted from the theft of valid account credentials with no MFA in place
# Incident Report: Dominance of Stolen Credentials Without MFA in Q1 2025 Compromises
## Executive Summary
Research published during Infosecurity Europe 2025 indicates that stolen, valid account credentials for accounts lacking Multi-Factor Authentication (MFA) were the leading initial access vector in Q1 2025, accounting for 56% of all compromises. This trend is expected to continue for as long as organizations fail to enforce MFA across all accounts. Vulnerability exploitation, particularly of critical flaws such as the one found in Fortinet devices, was the second most common initial access vector.
## Incident Details
- **Discovery Date:** Early Q1 2025 (Research period covers Q1 2025)
- **Incident Date:** Q1 2025 (Ongoing trend analysis)
- **Affected Organization:** Organizations globally failing to enforce MFA. (Specific organization not detailed as this is a trend report.)
- **Sector:** Not specified (General industry trend)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout Q1 2025
- **Vector:** Theft of valid account credentials (56% of compromises).
- **Details:** Attackers leveraged stolen credentials where MFA was not enforced, allowing unimpeded access.
### Lateral Movement
- *Details regarding specific lateral movement techniques are not explicitly listed for the credential theft vector, only for the secondary exploit.*
- **Specific Incident Highlight:** In one noted investigation involving a Fortinet vulnerability exploitation, attackers successfully created local and admin accounts.
### Data Exfiltration/Impact
- *Data exfiltration/impact details are not specified in this trend summary, although creation of admin accounts strongly implies post-exploitation activity.*
### Detection & Response
- **How it was discovered:** Data compiled through retrospective analysis by Rapid7 researchers.
- **Response actions taken:** Response actions are not detailed, as this is a research summary highlighting vectors, not a specific organizational IR report.
## Attack Methodology
- **Initial Access:** Stolen Valid Credentials (56%); Vulnerability Exploitation (13%); Brute Force Attacks (13%).
- **Persistence:** Not explicitly detailed for credential theft, but implied by successful initial access.
- **Privilege Escalation:** In a noted exploit case, attackers targeted a flaw affecting Fortinet to gain execution as the `super_admin` user.
- **Defense Evasion:** Not explicitly detailed.
- **Credential Access:** Implied via the primary vector (stolen credentials).
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Not explicitly detailed for the primary vector.
- **Collection:** Not explicitly detailed.
- **Exfiltration:** Not explicitly detailed.
- **Impact:** Compromise resulting from unauthorized access.
## Impact Assessment
- **Financial:** Not quantified.
- **Data Breach:** Not specified, though credential compromise exposes accounts to potential data theft.
- **Operational:** Potential operational disruption due to unauthorized administrative access in specific exploit cases (e.g., Fortinet exploit).
- **Reputational:** Not specified.
## Indicators of Compromise
- **Network indicators - defanged:** N/A (Reporting on methods, not specific IoCs).
- **File indicators:** N/A
- **Behavioral indicators:** Use of valid credentials without corresponding MFA factor.
## Response Actions
- **Containment measures:** N/A (This is a research summary).
- **Eradication steps:** N/A
- **Recovery actions:** N/A
## Lessons Learned
- Stolen credentials remain the dominant method of initial compromise, accounting for 56% of cases in Q1 2025.
- The absence of Multi-Factor Authentication (MFA) on accounts remains the critical failure point enabling these widespread compromises.
- Vulnerability exploitation, such as the race condition in Fortinet appliances (CVE-2024-55591), is a significant secondary initial access vector.
## Recommendations
- Implement mandatory Multi-Factor Authentication (MFA) across all user accounts, prioritizing privileged and remote-facing accounts.
- Immediately patch and mitigate publicly disclosed vulnerabilities, such as CVE-2024-55591 affecting Fortinet products, to neutralize exploitation pathways.
- Monitor for signs of credential stuffing and brute force activity, although these were secondary to pure credential theft.
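One way to turn the behavioral indicator above (valid credentials used with no corresponding MFA factor) and the last recommendation (monitoring for credential stuffing and brute force) into detection logic, as an added example that is not part of the Rapid7 report or any vendor's tooling. The pipe-separated log format, the `privileged` flag exported by the identity provider, the sample events and the thresholds are all assumptions made for the example.

```python
"""Detection over constructed authentication events: flags successful logins
that completed with no second factor, and failure bursts from one source that
look like brute force or credential stuffing. Example code, not the report's."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    success: bool
    mfa: bool         # True if a second factor was verified during this login
    privileged: bool  # assumption: the IdP exports an admin/privileged flag


# Constructed sample log (not real data). Assumed line format:
# timestamp|user|source_ip|result|mfa|privileged
SAMPLE_LOG = """\
2025-02-03T08:00:00|alice|203.0.113.10|success|true|false
2025-02-03T08:01:10|svc_backup|198.51.100.7|success|false|true
2025-02-03T08:02:00|bob|203.0.113.10|success|true|false
2025-02-03T08:05:00|carol|198.51.100.7|failure|false|false
2025-02-03T08:05:10|dave|198.51.100.7|failure|false|false
2025-02-03T08:05:20|erin|198.51.100.7|failure|false|false
2025-02-03T08:05:30|frank|198.51.100.7|failure|false|false
2025-02-03T08:05:40|grace|198.51.100.7|failure|false|false
2025-02-03T08:05:50|heidi|198.51.100.7|failure|false|false
2025-02-03T08:06:05|heidi|198.51.100.7|success|false|false
2025-02-03T08:30:00|alice|203.0.113.10|failure|false|false
"""


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed pipe-separated format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result, mfa, priv = line.split("|")
        events.append(AuthEvent(datetime.fromisoformat(ts), user, src,
                                result == "success", mfa == "true", priv == "true"))
    return sorted(events, key=lambda e: e.ts)


def single_factor_logins(events: list[AuthEvent]) -> list[AuthEvent]:
    """Successful logins where no second factor was verified: the indicator
    from the report. Callers can further filter on e.privileged."""
    return [e for e in events if e.success and not e.mfa]


def brute_force_sources(events: list[AuthEvent], window=timedelta(minutes=5),
                        threshold=5, min_users=3) -> dict[str, set[str]]:
    """Sources with >= threshold failures inside any sliding window, spread
    across >= min_users distinct accounts (password spray / stuffing shape).
    Returns source -> set of targeted usernames."""
    failures: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.src_ip].append(e)
    flagged: dict[str, set[str]] = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # advance the window start until the window fits
            while fails[end].ts - fails[start].ts > window:
                start += 1
            in_window = fails[start:end + 1]
            users = {e.user for e in in_window}
            if len(in_window) >= threshold and len(users) >= min_users:
                flagged[src] = flagged.get(src, set()) | users
    return flagged


def successes_after_burst(events: list[AuthEvent], window=timedelta(minutes=5),
                          threshold=5) -> list[AuthEvent]:
    """Successful logins preceded by a failure burst from the same source:
    the pattern of a guessing or stuffing campaign that finally landed."""
    hits = []
    for e in events:
        if not e.success:
            continue
        prior = [f for f in events if f.src_ip == e.src_ip and not f.success
                 and e.ts - window <= f.ts < e.ts]
        if len(prior) >= threshold:
            hits.append(e)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in single_factor_logins(evs):
        tag = "PRIVILEGED " if e.privileged else ""
        print(f"{tag}single-factor login: {e.user} from {e.src_ip} at {e.ts}")
    for src, users in brute_force_sources(evs).items():
        print(f"failure burst from {src} against {sorted(users)}")
    for e in successes_after_burst(evs):
        print(f"success after burst: {e.user} from {e.src_ip} at {e.ts}")
```

On the constructed sample this flags `svc_backup` (a privileged account logging in with no second factor) and `heidi`, whose successful login follows six failures against six different accounts from the same source; the lone failure for `alice` stays below the threshold. In a real deployment the thresholds would be tuned per source population, and the single-factor rule would normally be an inventory control (which accounts can still log in without MFA) rather than only an alert.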