Sophos Unveils Shocking Insight: 56% of Cyberattacks Use Legitimate Credentials

Sophos, a worldwide pioneer in cutting-edge cybersecurity solutions aimed at thwarting cyber threats, has published the 2025 Sophos Active Adversary Report. This report delves into the tactics and behaviors observed across more than 400 Managed Detection and Response (MDR) and Incident Response (IR) engagements conducted throughout 2024.

The study found that the most common initial access method, accounting for 56% of all incidents across MDR and IR engagements, was the abuse of external remote services. This covers edge devices such as firewalls and virtual private networks (VPNs), which attackers most often entered using legitimate credentials.

The pairing of external remote services with valid accounts matches the top root causes of attacks. For the second year in a row, compromised credentials were the number one root cause (41% of cases), followed by exploited vulnerabilities (21.79%) and brute-force attacks (21.07%).

Grasping the Pace of Assaults

In their examination of MDR and IR investigations, the Sophos X-Ops team focused particularly on cases involving ransomware, data exfiltration, and data extortion to gauge how quickly adversaries moved through the phases of an attack inside an organization. For these cases, the median time from the start of an attack to data exfiltration was just 72.98 hours (about 3.04 days). Once data had been exfiltrated, the median time until the breach was detected was only 2.7 hours.

"Relying solely on passive security measures is insufficient nowadays. Although preventive strategies remain crucial, quick responses have become equally important. Businesses should continuously oversee their network activities and promptly address identified data patterns. Systematic assaults carried out by determined opponents necessitate well-coordinated protective efforts. Consequently, numerous companies integrate industry-relevant insights with professional-driven surveillance and intervention practices. According to our study, entities employing active oversight identify threats more efficiently and achieve superior results," stated John Shier, field CISO.

Other Key Findings from the 2025 Sophos Active Adversary Report:

• Attackers Can Take Control of a System in Just 11 Hours: The median time between attackers’ initial action and their first (often successful) attempt to breach Active Directory (AD) – arguably one of the most important assets in any Windows network – was just 11 hours. If successful, attackers can more easily take control of the organization.

• Leading Ransomware Groups in Sophos Cases: In 2024, Akira was the most frequently observed ransomware group, followed closely by Fog. Despite a joint government operation against LockBit earlier in the year, it still appeared in a notable share of cases.

• Dwell Time Reduced to Only 2 Days: Overall, the time from the onset of an attack until detection—known as dwell time—dropped from 4 days to just 2 in 2024, primarily because MDR cases were included in the data set.

• Dwell Time in Incident Response Cases: Dwell time stayed consistent at 4 days for ransomware incidents and 11.5 days for cases not involving ransomware.

• Dwell Time in MDR Cases: In MDR investigations, dwell time was just 3 days for ransomware incidents and only 1 day for cases not involving ransomware, indicating that MDR teams can identify and address threats quickly.

• Ransomware Gangs Operate Around the Clock: In 2024, 83% of ransomware binaries were deployed outside the targets' local business hours.

• Remote Desktop Protocol Remains Preeminent: RDP featured in 84% of MDR/IR cases, making it the most commonly abused Microsoft tool.

In order to strengthen their security measures, Sophos suggests that organizations should undertake the following actions:

• Secure open RDP ports

• Use phishing-resistant multi-factor authentication (MFA) wherever feasible

• Patch vulnerable systems promptly, with a particular focus on internet-facing devices and services

• Deploy an EDR or MDR solution and make sure it is monitored continuously, around the clock

• Develop a thorough incident response plan and practice it routinely with simulated scenarios or tabletop exercises
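Three of the findings above translate directly into a monitoring rule: RDP appears in 84% of cases, valid credentials are the leading root cause, and 83% of ransomware binaries are deployed outside local business hours. The following script, an added example that is not from Sophos or the report, triages successful Windows logon events (Security event 4624) for RDP sessions arriving from outside the network and for any logon outside business hours. The internal address ranges, the 08:00–18:00 weekday business window, the pipe-delimited record format and all sample records are assumptions constructed for the example.

```python
"""Triage Windows logon events for the two patterns the report highlights:
RDP sessions sourced from outside the network, and logons outside business hours."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed internal address space (RFC 1918); a real deployment would list its own ranges.
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed local business hours: 08:00 to 18:00, Monday to Friday.
BUSINESS_START_HOUR, BUSINESS_END_HOUR = 8, 18

LOGON_SUCCESS = 4624   # Windows Security event: an account was successfully logged on
LOGON_TYPE_RDP = 10    # logon type 10 = RemoteInteractive (Terminal Services / RDP)


@dataclass(frozen=True)
class LogonEvent:
    timestamp: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed record: timestamp|event_id|logon_type|account|source_ip."""
    ts, event_id, logon_type, account, source_ip = line.strip().split("|")
    return LogonEvent(datetime.fromisoformat(ts), int(event_id), int(logon_type), account, source_ip)


def is_external(source_ip: str) -> bool:
    """True when the source address lies outside the assumed internal ranges."""
    addr = ip_address(source_ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def is_after_hours(ts: datetime) -> bool:
    """True on weekends or outside the configured business hours."""
    if ts.weekday() >= 5:  # Saturday = 5, Sunday = 6
        return True
    return not (BUSINESS_START_HOUR <= ts.hour < BUSINESS_END_HOUR)


def triage(lines):
    """Group account names by the suspicious pattern each successful logon matches."""
    findings = {"external_rdp": [], "after_hours": [], "external_rdp_after_hours": []}
    for line in lines:
        ev = parse_event(line)
        if ev.event_id != LOGON_SUCCESS:
            continue  # failed logons (4625) feed brute-force detection, not this rule
        ext_rdp = ev.logon_type == LOGON_TYPE_RDP and is_external(ev.source_ip)
        late = is_after_hours(ev.timestamp)
        if ext_rdp:
            findings["external_rdp"].append(ev.account)
        if late:
            findings["after_hours"].append(ev.account)
        if ext_rdp and late:
            findings["external_rdp_after_hours"].append(ev.account)
    return findings


# Constructed sample records, not data from the report. 2024-06-03 is a Monday,
# 2024-06-08 a Saturday; the public addresses are documentation (TEST-NET) ranges.
SAMPLE_EVENTS = [
    "2024-06-03T09:15:00|4624|10|alice|203.0.113.7",       # RDP from outside, business hours
    "2024-06-03T14:02:00|4624|10|svc_backup|10.0.0.12",    # RDP from inside, business hours
    "2024-06-03T23:40:00|4624|10|bob|198.51.100.22",       # RDP from outside, after hours
    "2024-06-04T02:10:00|4624|3|carol|10.0.0.5",           # network logon, inside, after hours
    "2024-06-04T11:00:00|4625|10|dave|203.0.113.9",        # failed logon, ignored here
    "2024-06-08T10:00:00|4624|10|erin|10.0.0.9",           # RDP from inside on a Saturday
]

if __name__ == "__main__":
    for pattern, accounts in triage(SAMPLE_EVENTS).items():
        print(f"{pattern}: {accounts}")
```

The explicit internal-range list is deliberate: Python's `is_private` treats the TEST-NET documentation ranges as non-global, so a rule built on it would silently miss the sample addresses, and in production an organization's own address plan is the right reference anyway. Accounts that appear in `external_rdp_after_hours` combine all three risk signals and are the ones an around-the-clock monitoring team would want paged on first.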

Read the full report, It Takes Two: The 2025 Sophos Active Adversary Report, on Sophos.com.

Provided by Syndigate Media Inc. ( Syndigate.info ).
