A new report out today from Cisco Talos, the threat intelligence and security research unit of Cisco Systems Inc., found that in 2024 cybercriminals did not need zero-days or custom malware to wreak havoc: they just logged in. Identity-based attacks, misuse of legitimate tools, and years-old vulnerabilities drove the majority of security incidents last year.
The findings come from the Talos 2024 Year in Review report, based on telemetry from more than 46 million devices across 193 countries and regions and analysis of more than 886 billion security events daily. The report found that identity attacks were involved in 60% of incidents and appeared in every phase of the attack lifecycle. Attackers were often found to use valid credentials and native tools rather than new malware. Where identity was not involved, old vulnerabilities were exploited, some of them decades old. For both ransomware and multifactor authentication bypass, identity was the leading access path. [1]
Identity was central across all attack phases: access, escalation, lateral movement, and persistence. Of identity-based incidents, Active Directory was targeted in 44% of cases, while cloud application programming interface compromises accounted for 20% of identity-related incidents.
Identity-based attack motivations included ransomware (50%), credential harvesting and resale (32%), espionage (10%), and financial fraud (8%).
Weaknesses in MFA were the most commonly observed security issue facilitating identity-based attacks. Common MFA failures included: no MFA on virtual private networks; MFA exhaustion, also called push fatigue, in which attackers flood a user's device with repeated multifactor authentication prompts in the hope that the user will eventually approve one out of frustration or confusion; and improper monitoring of MFA enrollment, so that a new device registered by an attacker goes unnoticed.
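One way a defender can spot the push-fatigue pattern described above in authentication logs, as an added example that is not from the Talos report or this article; the log format, field names and user names are constructed for illustration:

```python
"""Detect MFA push-fatigue bursts in authentication logs (illustrative only).

Assumed log format (constructed for this example, not a real product's format):
  <ISO-8601 UTC timestamp> user=<name> event=mfa_push result=<denied|timeout|approved>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice receives a burst of prompts at 2 a.m. and finally approves one;
# bob shows ordinary daytime usage with a single denial.
SAMPLE_LOG = """\
2024-06-03T02:14:05Z user=alice event=mfa_push result=denied
2024-06-03T02:14:40Z user=alice event=mfa_push result=timeout
2024-06-03T02:15:12Z user=alice event=mfa_push result=denied
2024-06-03T02:15:50Z user=alice event=mfa_push result=denied
2024-06-03T02:16:30Z user=alice event=mfa_push result=approved
2024-06-03T09:00:00Z user=bob event=mfa_push result=approved
2024-06-03T09:05:00Z user=bob event=mfa_push result=denied
2024-06-03T15:00:00Z user=bob event=mfa_push result=approved
"""

def parse_line(line):
    """Split one log line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: verdict} for users with >= threshold unanswered or denied
    pushes inside `window`. Verdict 'burst_then_approved' means an approval
    followed the burst within the same window, which is the likely-compromise case."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec.get("event") == "mfa_push":
                events[rec["user"]].append(rec)
    findings = {}
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        rejected = [r["ts"] for r in recs if r["result"] in ("denied", "timeout")]
        for i in range(len(rejected)):          # sliding window over rejected prompts
            j = i + threshold - 1
            if j < len(rejected) and rejected[j] - rejected[i] <= window:
                burst_end = rejected[j]
                approved_after = any(r["result"] == "approved"
                                     and burst_end < r["ts"] <= burst_end + window
                                     for r in recs)
                findings[user] = "burst_then_approved" if approved_after else "burst"
                break
    return findings
```

The threshold and window are tuning knobs; a burst that ends in an approval is the case worth paging on, while a burst with no approval still indicates an attacker holding valid credentials.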
MFA attacks often targeted identity and access management systems from vendors such as Citrix Systems Inc., Microsoft Corp., and Fortinet Inc. The report also found that threat actors' use of artificial intelligence was limited in 2024, with AI mainly used to enhance social engineering and automation. Generative AI was also used for phishing campaigns, email lures, and voice deepfakes.
The report notes that the increasing adoption and expanding capabilities of AI and large language models will raise further concerns in 2025, specifically as agentic AI becomes capable of autonomous operations and as automated vulnerability discovery and exploitation become more common. AI systems themselves are expected to become more likely targets, particularly as they are rolled out in supply chain pipelines.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
© 2025 Red Sky Alliance Corporation. All rights reserved.