Stolen Credentials and Valid Account Abuse Fuel Financially Motivated Attacks

Source: Cyber Security News

Throughout early 2025, financially motivated threat actors have pivoted towards using stolen credentials and valid accounts to infiltrate target networks, replacing traditional malware-heavy strategies. The FortiGuard Incident Response team documented consistent patterns in which initial access is achieved primarily through compromised credentials obtained from phishing campaigns, Initial Access Brokers, or password reuse. Key entry points, particularly external remote services such as VPNs, let attackers authenticate with stolen credentials and then move laterally within victim environments.

Threat actors also exploit n-day vulnerabilities to deploy legitimate remote management tools, which complicates detection efforts. Once inside a network, attackers use RDP, SMB, and WinRM for lateral movement, leveraging elevated privileges gained through tools such as Mimikatz. Persistence is maintained by configuring remote access tools, allowing seamless operation and data exfiltration with minimal forensic impact. Additionally, the lack of multi-factor authentication makes these attacks economically attractive and allows adversaries to avoid detection while executing their plans.
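The pattern described above (a valid-account VPN logon followed within minutes by RDP, WinRM and SMB logons to several hosts) is something a SOC can correlate for, since no malware is present to alert on. The following detection logic is an added example, not code from the article or from FortiGuard; the simplified log format, the sample events, and the 15-minute / 3-host thresholds are all constructed assumptions and would need tuning to a real environment.

```python
"""Flag valid-account abuse: a VPN logon followed by rapid lateral movement.
Added example, not from the Cyber Security News article or FortiGuard."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed, simplified format):
# timestamp, user, event, source, destination host
SAMPLE_LOG = """\
2025-02-03T08:01:10Z,j.doe,vpn_login,203.0.113.7,vpn-gw
2025-02-03T08:03:40Z,j.doe,rdp_logon,10.0.5.21,FS01
2025-02-03T08:04:05Z,j.doe,winrm_logon,10.0.5.21,DC01
2025-02-03T08:04:50Z,j.doe,smb_logon,10.0.5.21,HR-SRV
2025-02-03T09:15:00Z,a.smith,vpn_login,198.51.100.9,vpn-gw
2025-02-03T10:30:00Z,a.smith,rdp_logon,10.0.5.33,FS01
"""

# Event types that represent lateral movement protocols named in the report.
LATERAL = {"rdp_logon", "winrm_logon", "smb_logon"}


def parse_events(text):
    """Parse the constructed CSV-like log into (time, user, event, src, dst) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, src, dst = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, src, dst))
    return events


def flag_credential_abuse(events, window=timedelta(minutes=15), min_hosts=3):
    """Return {user: sorted hosts} for accounts whose VPN logon is followed,
    within `window`, by lateral-movement logons to at least `min_hosts` hosts.
    Thresholds are assumptions for illustration, not recommended values."""
    vpn_times = defaultdict(list)
    for ts, user, event, _, _ in events:
        if event == "vpn_login":
            vpn_times[user].append(ts)
    flagged = {}
    for user, starts in vpn_times.items():
        for start in starts:
            hosts = sorted({dst for ts, u, ev, _, dst in events
                            if u == user and ev in LATERAL
                            and start <= ts <= start + window})
            if len(hosts) >= min_hosts:
                flagged[user] = hosts
    return flagged


if __name__ == "__main__":
    print(flag_credential_abuse(parse_events(SAMPLE_LOG)))
```

The account a.smith is not flagged because its single RDP logon occurs more than an hour after the VPN logon; j.doe is flagged for reaching three hosts within four minutes of connecting.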

👉 Read the original: Cyber Security News