Identity Attacks Overtake Exploits as Top Ransomware Cause
Email attacks overtook exploits as the top ransomware root cause last year. Multifactor authentication (MFA) was deployed in 97% of credential-based attacks but failed to prevent compromise.
Stolen credentials can enable account takeover and lateral movement; phishing-resistant MFA, password managers, and rapid revocation reduce the risk.
Search across headline titles and summaries.
Background for this topic.
Credentials are the data used to verify a user's identity to a system, commonly including usernames, passwords, security tokens, or biometric identifiers. They serve as gatekeepers for access to accounts, applications, and sensitive information. Attackers target credentials to impersonate users, escalate privileges, or gain unauthorized system access.
Compromise of credentials can occur through phishing, credential stuffing, or theft from insecure storage. Effective defenses include enforcing strong, unique passwords, implementing multi-factor authentication (MFA), and securely storing credentials using hashing or encryption. Monitoring for unusual login patterns and promptly revoking compromised credentials are also critical to limit attacker impact.
Weekly headline count for the current query.
Email attacks overtook exploits as the top ransomware root cause last year. Multifactor authentication (MFA) was deployed in 97% of credential-based attacks but failed to prevent compromise.
The attacker exploited AI workflows, chained cloud weaknesses, and stolen credentials to extort a large Amazon customer.
The phishing campaign uses several tactics, including nested redirects, to evade detection and steal credentials from unsuspecting targets.
The infostealer was delivered via CVE-2026-48558, a critical authentication bypass vulnerability in SimpleHelp, targeting credentials linking development and admin environments to wider enterprise systems.
Adversaries could plant a malicious repository that can execute arbitrary code and steal cloud credentials by exploiting the vulnerability, which showcases growing MCP risk.
The threat actors engineered a Golang-based sniffer to target 430,000 FortiGate firewalls and identify 110 million credentials in the ongoing global campaign.
Attackers are actively targeting various sectors across nearly 200 countries and already have compiled a list of working credentials for tens of thousands of compromised devices.
In addition to executing entirely in memory, the malware's infection chain incorporates other anti-analysis techniques designed to evade detection.
Google discovered and disrupted the sprawling campaign, which stole RedCAP credentials to breach numerous institutions and exfiltrate sensitive data.
Like Shai-Hulud, the campaign targets developers to steal credentials and reuses them to propagate across the software supply channel.
In just six hours, the campaign quietly pushed thousands of malicious commits to more than 5,500 GitHub repositories, stealing credentials, developer secrets, and more.
The agency's GitHub repository, publicly available since November 2025, was ironically named "Private-CISA."
The now-patched vulnerabilities in the rapidly growing AI agent framework allow attackers to steal credentials, escalate privileges, and maintain persistence.
Hundreds of npm packages infected by the self-propagating, credential-stealing worm from TeamPCP are related to the open source TanStack ecosystem.
Sapphire Sleet uses fake job offers and phony Zoom updates to deliver ClickFix attacks that steal credentials and sensitive data from Macs.
The prolific China-backed threat group is targeting AWS, Google, Azure, and Alibaba cloud environments and using typosquatting to obscure C2 communication.
These are the fundamental detection model shifts cybersecurity teams need to make to keep up with the rising number of credential-based attacks.
An emerging threat cluster tracked as UAT-10608 is exploiting vulnerable Web-exposed Next.js apps and using an automated tool to exfiltrate credentials, secrets, and other system data.
The threat group's shift to speedy attacks on AWS, Azure, and SaaS instances shows organizations need to respond quickly to compromised credentials.
The massive amount of junk code that hides the malware's logic from security scans was almost certainly generated by AI, researchers say.