Valid logins without multifactor authentication are a hacker’s favourite way to break into your network.
A new report from cyber security firm Rapid7 has revealed the most common ways hackers gain initial access to a network, and the results are, sadly, not surprising.
Of all the ways threat actors broke into a network in the first quarter of 2025, valid credentials without any form of multifactor authentication (MFA) made up 56 per cent of all observed incidents, according to Rapid7’s Q1 Incident Response analysis.
In Q1 2024, stolen credentials accounted for almost 80 per cent of all attacks, and while this figure has been slowly dropping over the last 12 months, it has largely remained the same since late 2024.
“Rapid7 regularly bangs the drum for tighter controls where valid accounts and MFA are concerned,” Rapid7’s researchers said in a 4 June blog post.
“As per the key findings, 56 per cent of all incidents in Q1 2025 involved valid accounts/no MFA as the initial access vector. In fact, there’s been very little change since Q3 2024, and as good as no difference between the last two quarters.”
The next most used access vector is exploiting network vulnerabilities. Thirteen per cent of all observed incidents involved vulnerabilities such as CVE-2024-55591, a bug in Fortinet’s FortiOS that could lead to an attacker executing arbitrary commands as a super-admin user. Despite the vulnerability being published earlier this year, exploitation has been commonly observed in the wild.
Even more worrying is the dwell time in these instances, with hackers remaining on a network for up to a month. According to Rapid7, this may be evidence of an initial access broker maintaining persistence to on-sell this access to other threat actors or a possible step towards data exfiltration and the deployment of ransomware.
Brute force attacks also make up 13 per cent of initial access vectors, while exposed remote desktop protocol services, SEO poisoning, and exposed RMM tooling each accounted for 6 per cent of all attacks.
“Q1 2025 resembles a refinement of successful tactics, as opposed to brand new innovations brought to the table. Our Q1 ransomware analytics showed threat actors making streamlined tweaks to a well-oiled machine, and we find many of the same ‘evolution, not revolution’ patterns occurring here,” Rapid7 said.
“This progression is particularly applicable in the case of initial access via valid accounts with no MFA protection. We expect to see no drop in popularity while businesses continue to leave easy inroads open and available to skilled (and unskilled) attackers.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.