The Rising Threat: How Stolen Credentials and Account Abuse Drive Financial Cyber Attacks
In the first half of 2025, a significant shift has been observed in the tactics employed by financially motivated cybercriminals. Moving away from traditional malware-centric approaches, these adversaries are now leveraging stolen credentials and valid account access to infiltrate and persist within target networks across various industries.
Initial Access Through Compromised Credentials
The FortiGuard Incident Response team has identified a consistent pattern in recent cyber intrusions. Attackers gain initial access by exploiting compromised credentials, which are obtained through several methods:
– Phishing Campaigns: Deceptive emails and messages trick individuals into revealing their login information.
– Purchase from Initial Access Brokers: Cybercriminals buy stolen credentials from underground markets, with prices ranging from $100 to $20,000, depending on the organization’s size and location.
– Password Reuse and Infostealer Malware: Attackers exploit reused passwords and deploy malware designed to harvest login information.
These compromised credentials are then used to access external remote services, particularly Virtual Private Network (VPN) infrastructures. By authenticating with stolen credentials, adversaries can move laterally within the victim’s environment. Additionally, public-facing applications with known vulnerabilities are exploited to deploy legitimate remote management tools such as AnyDesk, Atera, Splashtop, and ScreenConnect.
Lateral Movement and Persistence Tactics
Once inside the network, attackers employ manual, operator-driven lateral movement techniques. They utilize built-in tools like Remote Desktop Protocol (RDP), Server Message Block (SMB), and Windows Remote Management (WinRM) to navigate the network. This approach allows them to blend with legitimate administrative activities, making detection more challenging.
To maintain persistence, adversaries install their own instances of remote access tools and leverage privileged credentials obtained through tools like Mimikatz and exploits such as Zerologon. Data exfiltration is conducted through direct file transfers via RDP and remote management interfaces, leaving minimal forensic evidence compared to traditional web-based exfiltration methods.
In some cases, attackers have configured VPN infrastructures without multi-factor authentication, granting unrestricted network access. This enables rapid encryption of hypervisor infrastructures for ransomware deployment. This low-complexity, high-return methodology allows financially motivated adversaries to operate for extended periods without triggering the detection signatures commonly associated with malware-centric intrusions.
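The chain described above (a VPN logon without MFA, followed by RDP/SMB/WinRM logons to several hosts and the launch of a remote management tool) can be surfaced with a simple correlation over authentication and process-creation logs. The following is an added, hypothetical detection heuristic written for this summary, not FortiGuard's code; the event schema, field names and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the report): one user authenticates to the
# VPN without MFA, then logs on to three hosts over RDP/WinRM/SMB and starts AnyDesk.
EVENTS = [
    {"ts": "2025-03-01T08:00:00", "kind": "vpn_auth", "user": "jdoe", "mfa": False, "src": "203.0.113.7"},
    {"ts": "2025-03-01T08:05:00", "kind": "logon", "user": "jdoe", "host": "fs01", "proto": "rdp"},
    {"ts": "2025-03-01T08:09:00", "kind": "logon", "user": "jdoe", "host": "db02", "proto": "winrm"},
    {"ts": "2025-03-01T08:12:00", "kind": "logon", "user": "jdoe", "host": "esxi-mgmt", "proto": "smb"},
    {"ts": "2025-03-01T08:20:00", "kind": "process", "user": "jdoe", "host": "db02",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe"},
    {"ts": "2025-03-01T09:00:00", "kind": "vpn_auth", "user": "asmith", "mfa": True, "src": "198.51.100.2"},
    {"ts": "2025-03-01T09:10:00", "kind": "logon", "user": "asmith", "host": "fs01", "proto": "rdp"},
]

# Remote management tools named in the report; matched case-insensitively on the image path.
REMOTE_TOOLS = ("anydesk", "atera", "splashtop", "screenconnect")
LATERAL_PROTOS = {"rdp", "smb", "winrm"}


def correlate(events, window=timedelta(hours=2), min_hosts=3):
    """Return {user: details} for each VPN logon without MFA that is followed, within
    `window`, by lateral logons to at least `min_hosts` distinct hosts or by the launch
    of a remote management tool. Thresholds are hypothetical tuning knobs."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    alerts = {}
    for i, vpn in enumerate(parsed):
        if vpn["kind"] != "vpn_auth" or vpn["mfa"]:
            continue  # only MFA-less VPN authentications seed a correlation
        hosts, tools = set(), []
        for ev in parsed[i + 1:]:
            if ev["ts"] - vpn["ts"] > window:
                break  # events are sorted, so nothing later is in the window
            if ev["user"] != vpn["user"]:
                continue
            if ev["kind"] == "logon" and ev["proto"] in LATERAL_PROTOS:
                hosts.add(ev["host"])
            elif ev["kind"] == "process" and any(t in ev["image"].lower() for t in REMOTE_TOOLS):
                tools.append(ev["image"])
        if len(hosts) >= min_hosts or tools:
            alerts[vpn["user"]] = {"src": vpn["src"], "hosts": sorted(hosts), "tools": tools}
    return alerts


if __name__ == "__main__":
    for user, a in correlate(EVENTS).items():
        print(f"ALERT {user} via {a['src']}: lateral hosts={a['hosts']} remote tools={a['tools']}")
```

The MFA-backed `asmith` session is deliberately left alone; raising `min_hosts` or the tool list is how a team would tune this against its own administrative baseline.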
Implications for Organizations
The shift towards credential-based attacks underscores the importance of robust identity and access management practices. Organizations must implement multi-factor authentication, regularly update and patch systems, and educate employees about the risks of phishing and password reuse. By strengthening these areas, businesses can reduce the risk of unauthorized access and protect sensitive information from financially motivated cyber threats.