{"id":2919,"date":"2025-04-25T09:01:00","date_gmt":"2025-04-25T09:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2919"},"modified":"2025-04-25T09:01:00","modified_gmt":"2025-04-25T09:01:00","slug":"cybercriminals-switch-up-their-top-initial-access-vectors-of-choice","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2919","title":{"rendered":"Cybercriminals switch up their top initial access vectors of choice"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Third-party involvement and exploitation of vulnerabilities have become more prominent factors in security breaches, according to the latest edition of <a href=\"https:\/\/www.verizon.com\/business\/en-gb\/resources\/reports\/dbir\/\">Verizon\u2019s Data Breach Investigations Report (DBIR)<\/a>.<\/p>\n<p>An analysis of 22,000 security incidents, including 12,195 confirmed data breaches in 139 countries, found that credential abuse (22%) and exploitation of vulnerabilities (20%, up from 14.9% in 2024) were the two most prevalent initial access vectors.<\/p>\n<p>\u201cFor the first time, vulnerability exploitation has overtaken phishing \u2014 and is catching up to credential abuse \u2014 as a top initial access vector,\u201d noted Chris Wysopal, chief security evangelist and co-founder of application security firm Veracode.<\/p>\n<h2 class=\"wp-block-heading\">Security on the edge<\/h2>\n<p>Edge devices and VPNs now represent 22% of vulnerability exploitation targets, up from just 3% in 2024. 
Among this mix, <a href=\"https:\/\/www.csoonline.com\/article\/3629815\/top-7-zero-day-exploitation-trends-of-2024.html\">zero-day exploits targeting perimeter devices and VPNs<\/a> became more prevalent.<\/p>\n<p><a href=\"https:\/\/www.tenable.com\/blog\/verizon-2025-dbir-tenable-research-collaboration?utm_source=charge&amp;utm_medium=social&amp;utm_campaign=internal-comms\">Tenable Research analyzed<\/a> 17 edge-device CVEs featured in the DBIR, each of which was added to the US Cybersecurity and Infrastructure Security Agency (CISA) <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\">Known Exploited Vulnerabilities<\/a> (KEV) catalog last year, to understand remediation times.<\/p>\n<p>Verizon\u2019s study found that the median time for organizations to fully remediate edge-device vulnerabilities was 32 days. Fix times for flaws in general have risen sharply over the past five years, as companies <a href=\"https:\/\/www.csoonline.com\/article\/3842489\/companies-are-drowning-in-high-risk-software-security-debt-and-the-breach-outlook-is-getting-worse.html\">increasingly drown in high-risk security debt<\/a>. For internet-facing edge devices, though, a KEV listing means the flaw is already being exploited in the wild, so a month-long fix cycle leaves attackers a wide window; remediation of these devices should jump the queue.<\/p>\n<p>\u201cOrganizations must leverage a risk-based approach and prioritize vulnerability scanning and patching for internet-facing systems,\u201d wrote Saeed Abbasi, threat research manager at cloud security firm Qualys, in a <a href=\"https:\/\/blog.qualys.com\/qualys-insights\/2025\/04\/22\/the-verizon-2025-data-breach-investigations-report-dbir-six-trends-you-cant-ignore\">blog post<\/a>. 
\u201cThe data clearly shows that attackers follow the path of least resistance, targeting vulnerable edge devices that provide direct access to internal networks.\u201d<\/p>\n<p>Greg Linares, principal threat intelligence analyst at managed detection and response vendor Huntress, said, \u201cWe\u2019re seeing a distinct shift in how modern attackers breach enterprise environments, and one of the most consistent trends right now is the exploitation of edge devices.\u201d<\/p>\n<p>Edge devices, ranging from firewalls and <a href=\"https:\/\/www.csoonline.com\/article\/1303522\/us-government-agencies-ordered-to-take-ivanti-vpn-product-offline.html\">VPN appliances<\/a> to load balancers and IoT gateways, sit at the boundary between internal networks and the public internet.<\/p>\n<p>\u201cBecause they operate at this critical boundary, they often hold elevated privileges and have broad visibility into internal systems,\u201d Linares noted, adding that edge devices are often poorly maintained and not integrated into standard patching cycles.<\/p>\n<p>Linares explained: \u201cMany edge devices come with default credentials, exposed management ports, secret superuser accounts, or weakly configured services that still rely on legacy protocols \u2014 these are all conditions that invite intrusion.\u201d<\/p>\n<p>Once compromised, an edge device gives attackers privileged access, persistence, and a clean staging ground for lateral movement. These systems often store administrator credentials, session tokens, VPN keys, or logs that amount to a detailed map of the internal infrastructure. Patching alone does not undo that exposure: credentials and keys held on a device that has already been exploited should be treated as compromised and rotated.<\/p>\n<p>\u201cAttackers can implant custom malware or even modify the firmware itself to survive across reboots and evade detection,\u201d Linares concluded. 
\u201cBecause these devices typically fall outside the scope of endpoint detection and response [EDR] solutions and SIEM integration, intrusions often go unnoticed for weeks, months, or longer.\u201d<\/p>\n<p>Espionage groups such as <a href=\"https:\/\/www.csoonline.com\/article\/3497078\/chinas-volt-typhoon-exploits-versa-zero-day-to-hack-us-isps-and-it-firms.html\">Volt Typhoon<\/a> and UNC4841 have leveraged vulnerabilities in Fortinet, SonicWall, and Barracuda appliances to quietly infiltrate high-value networks over the past year or so. Ransomware groups such as Black Basta and Royal <a href=\"https:\/\/www.csoonline.com\/article\/3836040\/ransomware-access-playbook-what-black-bastas-leaked-logs-reveal.html\">frequently use compromised NAS devices and firewalls<\/a> to break into targeted networks.<\/p>\n<h2 class=\"wp-block-heading\">Ransomware fiends target smaller businesses<\/h2>\n<p>The percentage of breaches involving third parties doubled to 30%, highlighting the risks associated with supply chain and partner ecosystems.<\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/3842496\/the-state-of-ransomware-fragmented-but-still-potent-despite-takedowns.html\">prevalence of ransomware attacks<\/a> also increased: ransomware was present in 44% of analyzed breaches, up from 32% in the 2024 report (a 37% increase). 
Ransomware had a disproportionate impact on small and midsize businesses (SMBs).<\/p>\n<p>While larger organizations experienced ransomware in 39% of breaches, SMBs grappled with ransomware in 88% of breach incidents.<\/p>\n<p>Symptomatic of the trend of ransomware actors going after smaller targets, the median ransom payment fell noticeably, from $150,000 in 2024 to $115,000 in this year\u2019s report.<\/p>\n<p>The share of victim organizations that did not pay a ransom rose to 64%, compared with 50% two years ago.<\/p>\n<h2 class=\"wp-block-heading\">The human factor<\/h2>\n<p>Human involvement in cybersecurity breaches stayed around the same as in Verizon\u2019s 2024 DBIR \u2014 a factor in 60% of successful attacks. The figure illustrates the ongoing importance of social engineering attacks such as phishing, and of credential abuse. To that end, cybercriminals are <a href=\"https:\/\/www.csoonline.com\/article\/3850783\/11-ways-cybercriminals-are-making-phishing-more-potent-than-ever.html\">switching up tactics to make phishing more effective<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/3951147\/infostealer-malware-poses-potent-threat-despite-recent-takedowns.html\">relying more on infostealer malware to capture credentials<\/a>.<\/p>\n<p>AI is also playing a greater role in cyberattacks and data leak risks. 
Synthetically generated text in malicious emails has doubled over the past two years, according to Verizon.<\/p>\n<p>Meanwhile, 15% of employees routinely accessed generative AI platforms on their corporate devices, increasing the potential for data leaks, which <a href=\"https:\/\/www.csoonline.com\/article\/3964282\/cisos-no-closer-to-containing-shadow-ais-skyrocketing-data-risks.html\">CISOs are struggling to contain<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Spy games<\/h2>\n<p>Verizon estimates that espionage-motivated attacks account for 17% of security breaches, almost trebling in prevalence since 2024.<\/p>\n<p>The manufacturing and healthcare sectors faced an increase in espionage-motivated attacks.<\/p>\n<p>Microsoft\u2019s Digital Defense Report from November 2024 also noted a rising trend that <a href=\"https:\/\/www.csoonline.com\/article\/3595792\/nation-state-actors-increasingly-hide-behind-cybercriminal-tactics-and-malware.html\">sees lines blurring between cyberespionage and cybercriminal activity<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Countermeasures<\/h2>\n<p>As always, defending against potential attacks relies on a multilayered defense strategy. The report\u2019s own findings point to where the layers pay off most: prompt remediation of KEV-listed flaws on internet-facing edge devices, controls against credential abuse, and scrutiny of third-party access.<\/p>\n<p>\u201cBusinesses need to invest in robust security measures, including strong password policies, timely patching of vulnerabilities, and comprehensive security awareness training for employees,\u201d said Chris Novak, VP of global cybersecurity solutions at Verizon Business.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Third-party involvement and exploitation of vulnerabilities have become more prominent factors in security breaches, according to the latest edition of Verizon\u2019s Data Breach Investigations Report (DBIR). 
An analysis of 22,000 security incidents, including 12,195 confirmed data breaches in 139 countries, found that credential abuse (22%) and exploitation of vulnerabilities (20%, up from 14.9% [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2920,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2919","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2919"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2919"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2919\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2920"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2919"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}