By Chinenye Anuforo


Sophos, a cybersecurity firm, has released a report indicating that cybercriminals are increasingly favoring legitimate login credentials over traditional vulnerability exploitation to infiltrate networks.

The 2025 Sophos Active Adversary Report, which examined over 400 incidents handled by their Managed Detection and Response (MDR) and Incident Response (IR) teams in 2024, revealed that 56% of initial network breaches stemmed from compromised credentials used with remote access services like VPNs and firewalls.

This data reconfirms that stolen login details remain the primary cause of cyberattacks for the second consecutive year, accounting for 41% of incidents. Exploited weaknesses (21.79%) and brute-force attempts (21.07%) were also significant attack vectors.

The report also highlighted the rapid pace of attacker operations. In cases involving ransomware, data theft, and extortion, the median time from initial compromise to data exfiltration was a mere 72.98 hours (3.04 days), with detection occurring just 2.7 hours later, on average.

“Basic security measures are no longer adequate,” emphasized John Shier, field CISO at Sophos. “Organizations need to actively monitor their networks and ensure swift responses to detected threats. Our findings demonstrate that proactive surveillance results in faster detection and improved outcomes.”


The report detailed that attackers can infiltrate and gain control of a system, particularly targeting Active Directory (AD), within a median of only 11 hours from their initial action. This rapid compromise significantly elevates the risk of complete organizational takeover.

Akira emerged as the most prevalent ransomware group in 2024, followed by Fog and LockBit. This ranking remained consistent despite earlier efforts to disrupt LockBit’s operations.

Overall, the time between an attack’s commencement and its discovery, known as dwell time, has dramatically decreased to just 2 days in 2024, a notable reduction from 4 days. This improvement is attributed to the inclusion of Managed Detection and Response (MDR) data in the analysis.

However, dwell time remained at 4 days for ransomware incidents and 11.5 days for non-ransomware incidents within Incident Response (IR) cases. In MDR cases, the dwell time was just 3 days for ransomware and 1 day for non-ransomware, demonstrating the effectiveness of MDR services.

A significant 83% of ransomware deployments occurred outside of normal business hours, indicating a clear preference for nighttime attacks by threat actors.

Remote Desktop Protocol (RDP) continues to be a major security risk, with attacker use of RDP appearing in 84% of MDR/IR cases.

To effectively combat these growing threats, Sophos recommends that organizations implement the following security measures: block public access to RDP ports, enforce robust authentication protocols, ensure timely software updates, and deploy advanced monitoring and incident response strategies.
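The monitoring recommendation above, together with the report's figures on after-hours ransomware deployment and attacker use of RDP, translates directly into a simple detection rule: review successful RDP logons that arrive from outside the organisation's address space or outside business hours. The following is an added example written for this article, not code from Sophos or the report; it runs over a constructed, simplified feed of Windows logon events (Event ID 4624 with LogonType 10 denotes a RemoteInteractive, i.e. RDP, logon), and the internal address ranges and business hours are assumptions to be replaced with your own.

```python
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed sample of simplified Windows logon events (not real data):
# timestamp,event_id,logon_type,account,source_address
# Event ID 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2024-06-11T10:15:02,4624,10,corp\\jdoe,10.20.5.17
2024-06-11T23:41:55,4624,10,corp\\svc-backup,203.0.113.45
2024-06-12T02:03:10,4624,3,corp\\fileshare,10.20.5.90
2024-06-12T11:30:21,4624,10,corp\\admin2,198.51.100.8
2024-06-15T14:22:47,4624,10,corp\\jdoe,10.20.7.3
2024-06-12T09:05:00,4624,10,corp\\jdoe,10.20.5.17
"""

# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed local business hours (Mon-Fri, 09:00 to 18:00).
BUSINESS_START, BUSINESS_END = 9, 18


@dataclass
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    account: str
    source: ipaddress.IPv4Address


def parse_events(text: str) -> list[LogonEvent]:
    """Parse the simplified comma-separated event feed into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, src = line.split(",")
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype),
                                 account, ipaddress.ip_address(src)))
    return events


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def outside_business_hours(when: datetime) -> bool:
    # weekday() >= 5 is Saturday or Sunday
    return when.weekday() >= 5 or not (BUSINESS_START <= when.hour < BUSINESS_END)


def flag_rdp_logons(events: list[LogonEvent]) -> list[tuple[LogonEvent, list[str]]]:
    """Return (event, reasons) for successful RDP logons that warrant analyst review."""
    findings = []
    for ev in events:
        if ev.event_id != 4624 or ev.logon_type != 10:
            continue  # only successful RDP logons are in scope
        reasons = []
        if not is_internal(ev.source):
            reasons.append("rdp-from-external-address")
        if outside_business_hours(ev.when):
            reasons.append("rdp-outside-business-hours")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in flag_rdp_logons(parse_events(SAMPLE_EVENTS)):
        print(ev.when.isoformat(), ev.account, ev.source, ", ".join(reasons))
```

Run against the constructed feed, three of the five RDP logons are flagged: the late-night logon from an external address (both reasons), the daytime logon from an external address, and the Saturday logon from an internal host. In production the same logic would sit behind a SIEM query over real 4624 events, and a logon from an external address should not occur at all once RDP is no longer reachable from the internet, so any hit on that reason is worth treating as a priority alert.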