Report: Stolen Credentials Are the Top Entry Point for Hackers


Stolen Credentials: The Most Common Gateway for Cyber Intrusions

A recent analysis by the cybersecurity firm Rapid7 has shed light on the predominant methods hackers use to gain initial access to networks. The findings are alarming yet unsurprising: valid logins without multifactor authentication (MFA) have emerged as the leading tactic.

A Closer Look at the Data

According to Rapid7’s Q1 Incident Response report, a staggering 56% of all cyber incidents in the first quarter of 2025 were initiated through valid credentials lacking MFA. This illustrates a persistent vulnerability that organizations have yet to address adequately.

Historically, stolen credentials have been a significant concern, accounting for nearly 80% of all attacks in Q1 2024. While this percentage has seen a slight decline over the past year, it highlights a critical area where attackers still find considerable success. The data indicates that the situation has remained relatively unchanged since late 2024, a worrying trend in the cybersecurity landscape.

The Importance of Multifactor Authentication

Rapid7 emphasizes the necessity of implementing stronger security measures, especially around valid account usage and MFA. “Our research shows that the presence of valid accounts without MFA continues to be a primary entry point for cybercriminals,” stated Rapid7 in a recent blog post. This signals a pressing need for businesses to enhance their access controls to deter hackers.

Common Entry Points Beyond Stolen Credentials

While stolen credentials represent the bulk of initial access attempts, they are not the only vector hackers exploit. The analysis identified that 13% of incidents stemmed from exploiting network vulnerabilities. A notable example is the CVE-2024-55591 vulnerability in Fortinet’s FortiOS, which can allow attackers to execute arbitrary commands with super-admin privileges. Although a patch for this vulnerability was published earlier this year, attacks exploiting it continue to be reported frequently.

Persistence in Cyberattacks

The time hackers remain undetected within a network—also referred to as dwell time—poses a significant concern. Rapid7 noted that hackers can stay unnoticed for up to a month. This duration is critical, as it allows for potential data exfiltration or the deployment of ransomware, increasing the stakes for organizations.

Other Methods of Entry

In addition to credential theft and network vulnerabilities, the report highlights other access methods such as brute force attacks, which also accounted for 13% of the incidents. Furthermore, exploited remote desktop protocol (RDP) services, search engine optimization (SEO) poisoning, and exposed remote monitoring and management (RMM) tools each accounted for 6% of initial access cases.

Evolution of Cyber Tactics

Rather than introducing entirely new methods, attackers appear to be refining existing tactics. Rapid7 remarked that Q1 2025 reflects a continued evolution of proven strategies. The firm noted, “Threat actors have streamlined their operations, implying that many are enhancing their capabilities rather than reinventing their approach.”

This evolution is especially notable when discussing the continued preference for exploiting valid accounts without MFA. As long as organizations neglect to address these vulnerabilities, the trend of easy access for attackers is likely to persist.

Conclusion

The insights from Rapid7’s report serve as a wake-up call for organizations of all sizes. The reliance on valid credentials lacking MFA leaves networks susceptible to significant breaches. As cyber threats evolve, so must the responses of businesses to protect their assets and sensitive information. Implementing robust authentication methods is no longer optional but essential in the current landscape of cybersecurity challenges.
