Source: www.infosecurity-magazine.com
Threat actors ramped up credential theft over the past year, using AI-generated phishing emails and infostealer malware to improve their results, according to IBM.
Published this morning, the tech giant’s IBM X-Force 2025 Threat Intelligence Index was compiled from the company’s own incident response engagements, as well as dark web and other threat intelligence sources.
It claimed that around 30% of intrusions last year were identity-based attacks, fueled by an 84% annual increase in the volume of emails delivering infostealers. AI is being used to generate highly convincing phishing emails en masse, as well as to write malicious code, the report claimed.
“Cybercriminals are most often breaking in without breaking anything – capitalizing on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points,” said Mark Hughes, global managing partner of cybersecurity services at IBM.
“Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.”
Exploitation of public-facing applications tied for first place as the most popular initial access vector, alongside the use of legitimate account credentials.
The report claimed a quarter of attacks against critical infrastructure (CNI) providers use this technique, with reliance on legacy systems and slow patching cycles exposing a growing number of organizations to this threat.
“After gaining access, threat actors use active scanning techniques post-compromise to identify new vulnerabilities, gain additional access, and move laterally in compromised environments,” it explained.
“Most importantly, attackers seek to escalate privileges to gain access to core services. The longer a threat remains undetected, the greater the risk.”
Blurred Lines on the Dark Web
IBM revealed that nation-state and cybercrime actors are increasingly sharing information on exploits on the dark web, with 40% of the most talked-about CVEs on underground forums linked to sophisticated threat actor groups.
Elsewhere, ransomware tactics are shifting. Although ransomware made up the largest share of malware cases in 2024 (28%), there was an overall annual reduction in incidents last year.
The impact of global takedown efforts has been to force some groups away from established malware families like Trickbot and Quakbot to “new and short-lived families.”
Manufacturing was the most targeted sector again last year, and the biggest ransomware victim, accounting for 29% of extortion and 24% of data theft attacks.
Original Post URL: https://www.infosecurity-magazine.com/news/identity-attacks-now-comprise/