{"id":7556,"date":"2025-04-22T09:48:02","date_gmt":"2025-04-22T14:48:02","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=84251"},"modified":"2025-04-22T09:48:02","modified_gmt":"2025-04-22T14:48:02","slug":"attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/04\/22\/attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits\/","title":{"rendered":"Attackers stick with effective intrusion points, valid credentials and exploits"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Attackers stick with effective intrusion points, valid credentials and exploits | CyberScoop<\/title> <meta name=\"description\" content=\"Infostealers fueled the staying power of identity-based attacks, increasing 84% on a weekly average last year, according to IBM X-Force.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/ibm-x-force-threat-intelligence-index-2025\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Attackers stick with effective intrusion points, valid credentials and exploits\"> <meta property=\"og:description\" content=\"Infostealers fueled the staying power of identity-based attacks, increasing 84% on a weekly average last year, according to IBM X-Force.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/ibm-x-force-threat-intelligence-index-2025\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> 
<meta property=\"article:published_time\" content=\"2025-04-22T14:48:02+00:00\"> <meta property=\"article:modified_time\" content=\"2025-04-22T14:48:05+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1045\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1744740145g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1744729707g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1740691656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=a815169637cf454b7376\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" 
title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/84251\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=84251\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fibm-x-force-threat-intelligence-index-2025%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fibm-x-force-threat-intelligence-index-2025%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-84251 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/ibm-x-force-threat-intelligence-index-2025\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" 
tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.9180327868852\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.417824074074\">\n<div class=\"single-article__header-content\" readability=\"36.412776412776\">\n<p> Infostealers fueled the staying power of identity-based attacks, increasing 84% on a weekly average last year, according to IBM X-Force. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/84251\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"348\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits.jpg?resize=640%2C348&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits-2.jpg?resize=300,163 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits-2.jpg?resize=768,418 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits-2.jpg?resize=1024,557 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits-2.jpg?resize=1536,836 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits-2.jpg?resize=600,327 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits-2.jpg?resize=1200,653 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits-2.jpg?resize=1500,816 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Tippapatt\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div 
class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"40.467931937173\"><body readability=\"82.381151207874\"><\/p>\n<p>IBM X-Force observed an identical breakdown of the top methods cybercriminals used to intrude into networks for two years running, the company said in its annual <a href=\"https:\/\/www.ibm.com\/thought-leadership\/institute-business-value\/en-us\/report\/2025-threat-intelligence-index\">Threat Intelligence Index<\/a>. The top initial access vectors \u2014 valid account credentials and exploitation of public-facing applications \u2014 each accounted for 30% of IBM X-Force incident response cases last year.<\/p>\n<p>By focusing on identity-based attacks, cybercriminals are blending into seemingly common activities on victim networks and evading detection. \u201cThey\u2019re logging in, versus hacking in,\u201d Michelle Alvarez, manager of the IBM X-Force threat intelligence team, told CyberScoop.&nbsp;<\/p>\n<p>Infostealers \u2014 malicious software and phishing emails that retrieve login credentials \u2014 are fueling the staying power of identity-based attacks, according to researchers. IBM X-Force also described credential phishing \u2014 malicious sites that mimic a legitimate login page \u2014 as a \u201cshadow infection vector for valid account compromise.\u201d<\/p>\n<p>Threat researchers observed an 84% weekly average increase in infostealers delivered via phishing emails last year, compared to 2023. 
The weekly volume of infostealers distributed by email in 2025 thus far is even greater, representing a 180% jump from 2023 activity levels.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Credentials were also the top objective across all of IBM X-Force\u2019s incident response cases in 2024, with credential harvesting occurring in 28% of incidents.<\/p>\n<p>Cybercriminals reuse valid account credentials against other organizations or sell them on the dark web. \u201cWe saw 800 million potential credential pairs available on the dark web,\u201d Alvarez said.&nbsp;<\/p>\n<p>\u201cA large majority of the credentials are either from infostealers or credential phishing,\u201d Alvarez said. \u201cThose two factors are definitely influencing the use of valid credentials to log in.\u201d<\/p>\n<p>The top five infostealers listed on dark web forums in 2024 include Lumma, RisePro, Vidar, Stealc and RedLine, according to IBM X-Force.<\/p>\n<p>Identities weren\u2019t the only entry point for cyberattacks in 2024. IBM X-Force incident responders traced 30% of attacks to exploited vulnerabilities in public-facing applications. Researchers observed post-compromise scanning in 25% of those cases, indicating attackers used vulnerability scanning tools to identify additional defects to gain further access and achieve lateral movement.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cOftentimes, threat actors are just leveraging vulnerabilities that are essentially widely unpatched,\u201d Alvarez said. 
\u201cWe see vulnerabilities from years ago that had a patch available for a long time still being exploited, so it really comes down to vulnerability management best practices.\u201d<\/p>\n<p>Critical infrastructure organizations were hit particularly hard last year, representing 70% of all attacks, IBM X-Force said in the report. Manufacturing was the most attacked industry for the fourth consecutive year, accounting for 26% of incidents in 2024.<\/p>\n<p>Attacks in the finance and insurance industry represented 23% of all critical infrastructure attacks, followed by professional, business and consumer services at 18%. Energy and transportation rounded out the five most-impacted industries, accounting for 10% and 7% of attacks, respectively.<\/p>\n<p>IBM X-Force said attackers used valid accounts to gain access in 31% of all attacks on critical infrastructure organizations last year.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.8240343347639\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/attackers-stick-with-effective-intrusion-points-valid-credentials-and-exploits-1.jpg?w=640&#038;ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/ibm-x-force-threat-intelligence-index-2025\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers stick with effective intrusion points, valid credentials and exploits<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2973,282,78,2659,4181,4182,256,1999,288,643],"tags":[2975,286,86,2661,4183,4184,262,2002,294,645],"class_list":["post-7556","post","type-post","status-publish","format-standard","hentry","category-credential-theft","category-cybercrime","category-cybersecurity","category-exploit","category-ibm","category-ibm-x-force","category-research","category-stolen-credentials","category-threats","category-vulnerabilities","tag-credential-theft","tag-cybercrime","tag-cybersecurity","tag-exploit","tag-ibm","tag-ibm-x-force","tag-research","tag-stolen-credentials","tag-threats","tag-vulnerabilities"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/credential-theft\/\" rel=\"category tag\">credential theft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/exploit\/\" rel=\"category tag\">exploit<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ibm\/\" rel=\"category 
tag\">IBM<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ibm-x-force\/\" rel=\"category tag\">IBM X-Force<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/stolen-credentials\/\" rel=\"category tag\">stolen credentials<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerabilities\/\" rel=\"category tag\">vulnerabilities<\/a>","tag_info":"vulnerabilities","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7556","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7556"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7556\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7556"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}