Third-party involvement in breaches and exploitation of vulnerabilities have become more important factors in security breaches, according to the latest edition of Verizon’s Data Breach Investigations Report (DBIR).
An analysis of 22,000 security incidents, including 12,195 confirmed data breaches in 139 countries, found that credential abuse (22%) and exploitation of vulnerabilities (20%, up from 14.9% in 2024) were the two most prevalent initial attack vectors.
“For the first time, vulnerability exploitation has overtaken phishing — and is catching up to credential abuse — as a top initial access vector,” noted Chris Wysopal, chief security evangelist and co-founder of application security firm Veracode.
Security on the edge
Edge devices and VPNs now represent 22% of vulnerability exploitation targets, up from just 3% in 2024. Among this mix, zero-day exploits targeting perimeter devices and VPNs became more prevalent.
Tenable Research analyzed 17 edge-device CVEs featured in the DBIR, each of which was added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities list last year, to understand remediation times.
Verizon’s study found that the median time for organizations to fully remediate edge-device vulnerabilities was 32 days. Fix times for flaws in general have sharply risen over the past five years, as companies increasingly drown in high-risk security debt. But for edge security devices, the urgency to remediate is paramount.
“Organizations must leverage a risk-based approach and prioritize vulnerability scanning and patching for internet-facing systems,” wrote Saeed Abbasi, threat research manager at cloud security firm Qualys, in a blog post. “The data clearly shows that attackers follow the path of least resistance, targeting vulnerable edge devices that provide direct access to internal networks.”
Greg Linares, principal threat intelligence analyst at managed detection and response vendor Huntress, said, “We’re seeing a distinct shift in how modern attackers breach enterprise environments, and one of the most consistent trends right now is the exploitation of edge devices.”
Edge devices, ranging from firewalls and VPN appliances to load balancers and IoT gateways, serve as the gateway between internal networks and the broader internet.
“Because they operate at this critical boundary, they often hold elevated privileges and have broad visibility into internal systems,” Linares noted, adding that edge devices are often poorly maintained and not integrated into standard patching cycles.
Linares explained: “Many edge devices come with default credentials, exposed management ports, secret superuser accounts, or weakly configured services that still rely on legacy protocols — these are all conditions that invite intrusion.”
Once compromised, edge devices provide attackers with privileged access, persistence, and a clean staging ground for lateral movement. These systems often store administrator credentials, session tokens, VPN keys, or logs that provide a detailed roadmap of the internal infrastructure.
“Attackers can implant custom malware or even modify the firmware itself to survive across reboots and evade detection,” Linares concluded. “Because these devices typically fall outside the scope of endpoint detection and response [EDR] solutions and SIEM integration, intrusions often go unnoticed for weeks, months, or longer.”
Espionage groups such as Volt Typhoon and UNC4841 have leveraged vulnerabilities in Fortinet, SonicWall, and Barracuda appliances to quietly infiltrate high-value networks in the past year or so. Ransomware groups such as Black Basta and Royal frequently use compromised NAS devices and firewalls to break into targeted networks.
Ransomware fiends target smaller businesses
The percentage of breaches involving third parties doubled to 30%, highlighting the risks associated with supply chain and partner ecosystems.
The prevalence of ransomware attacks also increased, turning up as a factor in 44% of analyzed breaches (compared to 37% in 2024). Ransomware had a disproportionate impact on small and midsize businesses (SMBs).
While larger organizations experienced ransomware in 39% of breaches, SMBs grappled with ransomware in 88% of breach incidents.
Symptomatic of the trend of ransomware actors going after smaller targets, there was a noticeable decrease in the median ransom amount paid, which fell from $150,000 in 2024 to $115,000 in this year’s report.
The share of victim organizations that did not pay ransoms was 64%, compared to 50% that refused payment two years ago.
The human factor
Human involvement in cybersecurity breaches stayed around the same as in Verizon’s 2024 DBIR — a factor in 60% of successful attacks. The figure illustrates the ongoing importance of social engineering attacks such as phishing and credential (password and login credential) abuse. To that end, cybercriminals are switching up tactics to make phishing more effective and relying more on infostealer malware to capture credentials.
AI is also playing a greater role in cyberattacks and data leak risks. Synthetically generated text in malicious emails has doubled over the past two years, according to Verizon.
Meanwhile, 15% of employees routinely accessed generative AI platforms on their corporate devices, increasing the potential for data leaks, which CISOs are struggling to contain.
Spy games
Verizon estimates that espionage-motivated attacks account for 17% of security breaches, almost trebling in prevalence since 2024.
Manufacturing and healthcare sectors faced an increase in espionage-motivated attacks.
Microsoft’s Digital Defense Report from November 2024 also noted a rising trend that sees lines blurring between cyberespionage and cybercriminal activity.
Countermeasures
As always, defending against potential attacks relies on developing a multilayered defense strategy.
“Businesses need to invest in robust security measures, including strong password policies, timely patching of vulnerabilities, and comprehensive security awareness training for employees,” said Chris Novak, VP of global cybersecurity solutions at Verizon Business.