Who Needs Phishing When Your Login’s Already In The Wild?

Criminals used stolen credentials more frequently than email phishing to gain access to their victims’ IT systems last year, marking the first time that compromised login details claimed the number two spot in Mandiant’s list of most common initial infection vectors.

“Credential stealers have been and are a major issue, but we have seen a resurgence recently,” Mandiant Consulting VP Jurgen Kutscher said in an interview with The Register about the nearly 100-page M-Trends 2025 report from the Google-owned security shop.

“Email tends to be noisier and easier to detect with phishing detection,” he added. “There is an entire cybercrime business surrounding stolen credentials that promotes the sale – and use – of stolen credentials.”

The annual report also found 55 percent of attackers active in 2024 were financially motivated, up slightly from 52 percent the year before. Only 8 percent were motivated by espionage last year, which represents a 2 percent drop from 2023.

In 2024, Mandiant began tracking 737 new threat clusters, bringing the total number of groups on its radar to more than 4,500. Across last year’s incident response engagements, the team observed 302 different threat groups, 233 of which were newly identified.

But the parts that piqued our interest – and likely will prove the most useful to defenders trying to keep the baddies off their networks – involved how attackers are breaking in, usually to steal data, demand ransoms, or sometimes both.

Exploits remained the top entry point overall for the fifth straight year. In cloud compromises, however, phishing led at 39 percent, with stolen credentials close behind at 35 percent.

New in this year’s report, Mandiant tracked the overall initial infection vector as before, but also broke out cloud attacks and ransomware into their own separate sections.

How ransomware gangs gain initial access

It found the most commonly observed initial infection vector for ransomware infections was brute-force attacks (26 percent) followed by stolen credentials (21 percent).

Brute-force intrusions into victim environments highlight “the opportunistic nature of ransomware and multifaceted extortion,” Kutscher told The Register. Attacks of this nature include password spraying, using default credentials across multiple virtual private network (VPN) devices, and high-volume login attempts against a remote desktop server.
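A defender-side illustration of the brute-force patterns just described, added here and not part of the M-Trends report or the article: it separates password spraying (one source, many accounts, few attempts each) from classic brute force (one source, one account, many attempts) in constructed authentication log lines. The log format, thresholds, usernames and addresses are all assumptions.

```python
import re
from collections import defaultdict

# Assumed log format: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def build_sample_log() -> str:
    """Constructed sample data (not real telemetry) for the detector below."""
    lines = []
    # Spray: one password tried once against eight accounts, then a hit on "frank".
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    for i, u in enumerate(users):
        lines.append(f"2025-04-23T10:00:{i:02d}Z FAIL user={u} src=203.0.113.7")
    lines.append("2025-04-23T10:00:09Z OK user=frank src=203.0.113.7")
    # Brute force: twelve attempts against a single service account.
    for i in range(12):
        lines.append(f"2025-04-23T10:01:{i:02d}Z FAIL user=svc-backup src=198.51.100.9")
    # Benign: a user mistypes once, then logs in from their usual address.
    lines.append("2025-04-23T10:02:00Z FAIL user=ivan src=192.0.2.44")
    lines.append("2025-04-23T10:02:05Z OK user=ivan src=192.0.2.44")
    return "\n".join(lines)


def parse(log: str):
    """Return (timestamp, result, user, src) tuples; unparseable lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, log.splitlines()) if m]


def classify_sources(events, spray_min_users=5, brute_min_attempts=10):
    """Map each suspicious source address to a verdict.

    password_spray: failures against >= spray_min_users distinct accounts.
    brute_force:    >= brute_min_attempts failures against one account.
    '+success' is appended when the same source later authenticates, which is
    the case worth paging on: the guessed credential worked.
    """
    fails_by_src = defaultdict(lambda: defaultdict(int))
    success_after_fail = set()
    for _ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src][user] += 1
        elif fails_by_src.get(src):  # OK from a source that already failed
            success_after_fail.add(src)
    verdicts = {}
    for src, per_user in fails_by_src.items():
        if len(per_user) >= spray_min_users:
            verdicts[src] = "password_spray"
        elif max(per_user.values()) >= brute_min_attempts:
            verdicts[src] = "brute_force"
        if src in verdicts and src in success_after_fail:
            verdicts[src] += "+success"
    return verdicts
```

Thresholds are a starting point; on a real VPN or RDP gateway you would tune them against the baseline of failed logins per source and window the events in time.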

“A lot of those attacks are not targeted at any one specific company, but threat actors looking to see where they can break in, and where they can cause the most damage,” he added. 

Yes, healthcare is always a prime target, Kutscher admitted.

“But at the end of the day, most organizations are going to have sensitive data that you can either steal or encrypt, business operations that are time sensitive, that you can disrupt, and as such, we see a lot more opportunistic threats when it comes to ransomware,” he said. “Anybody can be a target.”

Cloud compromise and stolen creds

Cloud compromise got its own section “because we’ve just seen so much more activity in that space,” Kutscher said. “And there, the initial compromise vector is use of stolen credentials and phishing, so a different way for threat actors to break in.”

However, if you consider the crooks’ objectives in each type of attack, the preferred methods start to make sense. In ransomware infections, criminals are locking up and stealing data to demand hefty ransom payments, while in cloud compromises, 66 percent involved data theft and 38 percent were financially motivated.

“It is not too surprising to see that threat actors adapt their primary egress point based on what they’re targeting, and who they’re targeting as well,” Kutscher said.

Email phishing, we’re told, has been on the decline since 2022, representing the initial access vector in 22 percent of Mandiant’s investigations three years ago, 17 percent in 2023, and 14 percent last year.

Stolen credentials climbed from 10 percent in 2023 to 16 percent in 2024, edging out email phishing. This speaks to the ease with which crooks can obtain user login information: buying leaked or stolen ones online, mining large data dumps for credentials, and infecting users with keyloggers and infostealers, a type of malware that can collect a range of private user info including credentials, browser cookies, and even cryptocurrency wallets.

“Infostealers and broader credential theft are not new threats, but they are seeing a resurgence and have always posed significant risks to organizations that may not realize employee credentials have been compromised and exposed – sometimes years prior,” the report authors wrote.

Remember the Snowflake customer breaches?

One prime example of the rise in stolen credentials and their role in cloud-targeted attacks is last year’s Snowflake customer breaches. A crew that Google/Mandiant tracks as UNC5537 used stolen credentials to access Snowflake customers’ cloud databases, and these credentials were largely obtained via infostealer malware.

During its investigation into the breach, Mandiant’s team determined that UNC5537 used Snowflake customers’ valid credentials, “hundreds” of which had been stolen by infostealers such as VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, and METASTEALER.

Some of these infections happened as far back as November 2020. But even in these years-old thefts, the credentials had not been updated or rotated.

“In several Snowflake-related investigations, Mandiant observed that the initial compromise of infostealer malware occurred on contractor systems that were also used for personal activities, including gaming and downloading pirated software,” according to today’s report.

“One of the contributing factors is we’re seeing an increasing number of credentials stolen from non-corporate systems, i.e. personal computers,” Kutscher said. “Personal devices typically don’t have enterprise security controls, like no EDR, network monitoring, etc.”

“Additionally, employees or contractors often disable [antivirus] on their personal devices so they can install unlicensed software. This leads to the increase of infostealers on personal computers. Also, people may synchronize web browsers on their work computers, which may transfer enterprise credentials to personal computers.”

Another example of this is a financially motivated crew that Google Threat Intelligence tracks as Triplestrength because it poses a triple threat to organizations: it infects their on-premises computers with ransomware, and also hijacks their cloud accounts to illegally mine for cryptocurrency.

To take over victims’ cloud accounts, Triplestrength uses stolen credentials and cookies, and relies on RACCOON infostealer logs to obtain at least some of the credentials for Google Cloud, Amazon Web Services, and Linode.

Plus, not only is this group using compromised logins to break into cloud environments, it is also selling this illicit access to other crooks. Google’s threat hunters spotted online personas connected to Triplestrength advertising access to compromised servers, including those in Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean.

Turn on MFA

A major takeaway from all of this – the uptick in stolen credentials, infostealers, cloud intrusions, and brute-force attacks leading to ransomware infections – is the importance of using multi-factor authentication (MFA).

As we learned from the Snowflake customer breaches, the criminals predominantly exploited accounts that didn’t have MFA enabled. There’s a good reason why baking MFA into software is one of the seven key pieces of CISA’s Secure by Design initiative.

“A lot of times what we see is that it’s not the cloud environment that is targeted directly, but that threat actors are able to leverage stolen credentials and then leverage that access to move into the cloud environment,” Kutscher said. “That’s where, again, the importance of properly implemented multi-factor authentication is really critical.”