Attackers stick with effective intrusion points, valid credentials and exploits

Infostealers fueled the staying power of identity-based attacks, increasing 84% on a weekly average last year, according to IBM X-Force.

IBM X-Force observed an identical breakdown of the top methods cybercriminals used to break into networks for two years running, the company said in its annual Threat Intelligence Index. The top initial access vectors, valid account credentials and exploitation of public-facing applications, each accounted for 30% of IBM X-Force incident response cases last year.

By focusing on identity-based attacks, cybercriminals are blending into seemingly common activities on victim networks and evading detection. “They’re logging in, versus hacking in,” Michelle Alvarez, manager of the IBM X-Force threat intelligence team, told CyberScoop. 

Infostealers, malicious software and phishing emails that retrieve login credentials, are fueling the staying power of identity-based attacks, according to researchers. IBM X-Force also described credential phishing, malicious sites that mimic a legitimate login page, as a “shadow infection vector for valid account compromise.”

Threat researchers observed an 84% weekly average increase in infostealers delivered via phishing emails last year, compared to 2023. The weekly volume of infostealers distributed by email in 2025 thus far is even greater, representing a 180% jump from 2023 activity levels.

Credentials were also the top objective across all of IBM X-Force’s incident response cases in 2024, with credential harvesting occurring in 28% of incidents.

Cybercriminals reuse valid account credentials against other organizations or sell them on the dark web. “We saw 800 million potential credential pairs available on the dark web,” Alvarez said. 

“A large majority of the credentials are either from infostealers or credential phishing,” Alvarez said. “Those two factors are definitely influencing the use of valid credentials to log in.”

The top five infostealers listed on dark web forums in 2024 include Lumma, RisePro, Vidar, Stealc and RedLine, according to IBM X-Force.

Identities weren’t the only entry point for cyberattacks in 2024. IBM X-Force incident responders traced 30% of attacks to exploited vulnerabilities in public-facing applications. Researchers observed post-compromise scanning in 25% of those cases, indicating attackers used vulnerability scanning tools to identify additional defects to gain further access and achieve lateral movement.

“Oftentimes, threat actors are just leveraging vulnerabilities that are essentially widely unpatched,” Alvarez said. “We see vulnerabilities from years ago that had a patch available for a long time still being exploited, so it really comes down to vulnerability management best practices.”

Critical infrastructure organizations were hit particularly hard last year, representing 70% of all attacks, IBM X-Force said in the report. Manufacturing was the most attacked industry for the fourth consecutive year, accounting for 26% of incidents in 2024.

Attacks in the finance and insurance industry represented 23% of all critical infrastructure attacks, followed by professional, business and consumer services at 18%. Energy and transportation rounded out the five most-impacted industries, accounting for 10% and 7% of attacks, respectively.

IBM X-Force said attackers used valid accounts to gain access in 31% of all attacks on critical infrastructure organizations last year.

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.
