{"id":7498,"date":"2025-04-01T10:02:07","date_gmt":"2025-04-01T15:02:07","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=84045"},"modified":"2025-04-01T10:02:07","modified_gmt":"2025-04-01T15:02:07","slug":"identity-lapses-ensnared-organizations-at-scale-in-2024","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/04\/01\/identity-lapses-ensnared-organizations-at-scale-in-2024\/","title":{"rendered":"Identity lapses ensnared organizations at scale in 2024"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Identity lapses ensnared organizations at scale in 2024 | CyberScoop<\/title> <meta name=\"description\" content=\"Cisco Talos observed identity-based attacks in 60% of the incidents it responded to last year.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cybercriminals-target-identity-weaknesses-cisco-talos\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Identity lapses ensnared organizations at scale in 2024\"> <meta property=\"og:description\" content=\"Cisco Talos observed identity-based attacks in 60% of the incidents it responded to last year.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cybercriminals-target-identity-weaknesses-cisco-talos\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-04-01T15:02:07+00:00\"> <meta property=\"article:modified_time\" content=\"2025-04-01T15:02:10+00:00\"> <meta 
property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/identity-lapses-ensnared-organizations-at-scale-in-2024-2.jpg\"> <meta property=\"og:image:width\" content=\"2514\"> <meta property=\"og:image:height\" content=\"1193\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1742994400g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1742323795g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1740691656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=a815169637cf454b7376\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/84045\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" 
href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=84045\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcybercriminals-target-identity-weaknesses-cisco-talos%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcybercriminals-target-identity-weaknesses-cisco-talos%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-84045 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cybercriminals-target-identity-weaknesses-cisco-talos\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" 
class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"23.75\">\n<div class=\"single-article__header-content\" readability=\"28.919786096257\">\n<p> Cisco Talos observed identity-based attacks in 60% of the incidents it responded to last year. 
<\/p>\n<p> <!-- Listen to this article section --> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"303\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/identity-lapses-ensnared-organizations-at-scale-in-2024.jpg?resize=640%2C303&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/identity-lapses-ensnared-organizations-at-scale-in-2024-2.jpg 2514w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/identity-lapses-ensnared-organizations-at-scale-in-2024-2.jpg?resize=300,142 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/identity-lapses-ensnared-organizations-at-scale-in-2024-2.jpg?resize=768,364 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/identity-lapses-ensnared-organizations-at-scale-in-2024-2.jpg?resize=1024,486 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/identity-lapses-ensnared-organizations-at-scale-in-2024-2.jpg?resize=1536,729 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/identity-lapses-ensnared-organizations-at-scale-in-2024-2.jpg?resize=2048,972 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/identity-lapses-ensnared-organizations-at-scale-in-2024-2.jpg?resize=600,285 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/identity-lapses-ensnared-organizations-at-scale-in-2024-2.jpg?resize=1200,569 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/identity-lapses-ensnared-organizations-at-scale-in-2024-2.jpg?resize=1500,712 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> Source: Getty Images <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner 
has-drop-cap\"> <html readability=\"31.822545255074\"><body readability=\"64.734860370254\"><\/p>\n<p>Cybercriminals predominantly relied on weaknesses in identity controls to afflict organizations in 2024, with valid accounts being the main way they gained access for the second year in a row, Cisco Talos said in an <a href=\"https:\/\/blog.talosintelligence.com\/content\/files\/2025\/03\/2024YiR-report.pdf\">annual report<\/a> released Monday.<\/p>\n<p>Across the incident response cases Cisco Talos responded to last year, 60% involved an identity attack component, researchers said. Attackers used legitimate credentials, session cookies and API keys to gain access, achieve lateral movement and escalate privileges on compromised environments.<\/p>\n<p>Identity is a recurring problem for enterprises, reflecting a widespread deficiency attackers have identified in business infrastructure and targeted at scale with great success. This method of intrusion lets attackers carry out malicious follow-on activity while facing minimal resistance or detection, because the traffic originates from presumably legitimate accounts.<\/p>\n<p>Identity attacks were ubiquitous in the incidents Cisco Talos responded to last year, but the harm dealt to organizations was especially pronounced in ransomware attacks. 
Half of all identity-based attacks Cisco Talos responded to last year were ultimately executed for ransomware or pre-ransomware operations.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cIn many cases, it\u2019s much easier and safer for adversaries to simply log in to legitimate user accounts using stolen credentials than to use more complex means like exploiting vulnerabilities or deploying malware,\u201d Cisco Talos researchers said in the report.<\/p>\n<p>Cybercriminals also used identity-based attacks to steal credentials for illicit sales to initial access brokers in nearly a third of the incidents Cisco Talos investigated last year. Data theft for future espionage or malicious activity was observed in 10% of these cases, and financial fraud was the ultimate goal in 8% of these attacks, the report said.<\/p>\n<p>Cisco Talos researchers found that organizations often fail to properly secure Active Directory, a widely used authentication service containing critical enterprise access information. Threat groups targeted Active Directory in 44% of identity-based attacks.<\/p>\n<p>Many of the successful attacks involving compromised Active Directory environments occurred in enterprise systems with misconfigured security products or insufficient security policies.&nbsp;<\/p>\n<p>Cisco Talos frequently encountered organizations with excessive or incorrect privileges, accounts with weak or default passwords and missing or misconfigured multifactor authentication.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>MFA weaknesses were the leading deficiency observed by Cisco Talos last year. 
Across all of the compromised organizations the incident response firm assisted in 2024, 24% were not enrolled in MFA, 22% didn\u2019t have the security measure fully enabled and 19% lacked MFA on virtual private network services.&nbsp;<\/p>\n<p>These structural security lapses opened a clear path for cybercriminals to carry out widespread ransomware activity. Financially motivated threat groups used valid accounts for initial access in 69% of the ransomware attacks Cisco Talos responded to last year.&nbsp;<\/p>\n<p>Cisco Talos said its annual report is based on data it received from more than 46 million devices globally.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.8810043668122\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/identity-lapses-ensnared-organizations-at-scale-in-2024-1.jpg?w=640&#038;ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/cybercriminals-target-identity-weaknesses-cisco-talos\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Identity lapses ensnared organizations at scale in 2024 | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1764,724,2973,282,78,3912,3030,46,256,288],"tags":[1769,727,2975,286,86,3916,3033,54,262,294],"class_list":["post-7498","post","type-post","status-publish","format-standard","hentry","category-cisco","category-cisco-talos","category-credential-theft","category-cybercrime","category-cybersecurity","category-identity","category-identity-authentication","category-ransomware","category-research","category-threats","tag-cisco","tag-cisco-talos","tag-credential-theft","tag-cybercrime","tag-cybersecurity","tag-identity","tag-identity-authentication","tag-ransomware","tag-research","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cisco\/\" rel=\"category tag\">Cisco<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cisco-talos\/\" rel=\"category tag\">Cisco Talos<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/credential-theft\/\" rel=\"category tag\">credential theft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category 
tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/identity\/\" rel=\"category tag\">identity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/identity-authentication\/\" rel=\"category tag\">identity authentication<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7498","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7498"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7498\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7498"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7498"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}