Cybersecurity Concerns: Criminals Capitalize on Compromised Credentials and Remote Access

A staggering 56% of cyberattacks gained initial access to targeted networks by exploiting external remote services, according to cybersecurity firm Sophos in its 2025 Active Adversary Report. The attackers often misuse legitimate accounts and edge devices such as firewalls and VPNs to breach systems. This combination of external remote service exploitation and valid credentials has emerged as the primary enabler of cyber intrusions.
The report draws on more than 400 Managed Detection and Response (MDR) and Incident Response (IR) cases handled throughout 2024, offering an in-depth look at adversaries' behaviors and techniques.
For the second consecutive year, compromised credentials were the leading root cause of successful attacks, accounting for 41% of cases. Vulnerability exploitation followed at 21.79%, and brute-force attacks accounted for 21.07%.
To gauge the speed of such intrusions, Sophos also analyzed ransomware, data theft, and extortion incidents. In those cases, an average of only 72.98 hours (roughly 3.04 days) elapsed between the start of the attack and data exfiltration, and detection followed exfiltration by an average of just 2.7 hours, by which point the data had already left the network.
The report further warns that threat actors can compromise an organization's Active Directory within just 11 hours of initial access. Compared to the previous year, attacker dwell time (the interval from initial access to detection) fell from four days to two. In IR-handled ransomware cases, attackers remained undetected for an average of four days, while non-ransomware incidents lingered for 11.5 days. In MDR-managed cases, ransomware went unnoticed for about three days, and non-ransomware incidents for only one day.
Sophos's investigation also found that 83% of ransomware attacks took place outside business hours, and that 84% of MDR and IR cases involved abuse of the Remote Desktop Protocol (RDP).
Given these findings, Sophos recommends several preventive measures. “Close open RDP ports,” the report advises; RDP should not be reachable from the internet at all. It also stresses enabling Multi-Factor Authentication (MFA) so that a credential obtained by phishing or brute force is not enough on its own to log in, timely patching of internet-facing devices and services, running Endpoint Detection and Response (EDR) or MDR, and continuous active monitoring. Regular testing and exercising of incident response plans were also strongly emphasized.
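The after-hours RDP abuse and brute-force findings above, together with the call for continuous monitoring, translate directly into detection logic. The following is an added example, not code from Sophos or from the article: it runs three rules over Windows Security logon events (4624 success, 4625 failure, LogonType 10 = RemoteInteractive, i.e. RDP) and flags RDP logons from non-internal addresses, RDP logons outside business hours, and a success preceded by a burst of failures from the same source. The internal address ranges, business hours, site timezone, thresholds, the key=value record format and the sample events are all assumptions constructed for the example; adjust them for a real environment and feed it real exported events.

```python
"""Flag suspicious RDP logons in Windows Security events (added example, not from the report)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed site policy: RDP is expected only from these internal ranges,
# 08:00-18:00 local time, Monday to Friday. Timezone is assumed to be UTC-5.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = (8, 18)                    # [start, end) in local hours
BUSINESS_DAYS = range(0, 5)                 # Monday=0 .. Friday=4
LOCAL_TZ = timezone(timedelta(hours=-5))
BRUTE_FORCE_THRESHOLD = 5                   # failures from one IP ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)  # ... within this window before a success


@dataclass
class Event:
    time: datetime    # timezone-aware
    event_id: int     # 4624 = logon success, 4625 = logon failure
    logon_type: int   # 10 = RemoteInteractive (RDP)
    user: str
    src_ip: str


def parse_event(line: str) -> Event:
    """Parse one 'key=value ...' record (assumed export format) into an Event."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event(
        time=datetime.fromisoformat(fields["TimeCreated"]),
        event_id=int(fields["EventID"]),
        logon_type=int(fields["LogonType"]),
        user=fields["TargetUserName"],
        src_ip=fields["IpAddress"],
    )


def is_internal(ip: str) -> bool:
    """True only for addresses inside the assumed internal ranges ('-' and hostnames are not)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def outside_business_hours(when: datetime) -> bool:
    local = when.astimezone(LOCAL_TZ)
    return local.weekday() not in BUSINESS_DAYS or not (BUSINESS_HOURS[0] <= local.hour < BUSINESS_HOURS[1])


def detect(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (rule, user, src_ip) findings: 'external-rdp', 'after-hours-rdp', 'brute-force-success'."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.time)
    failures: dict[str, list[datetime]] = defaultdict(list)
    findings = []
    for ev in events:
        if ev.logon_type != 10:
            continue                           # only RDP (RemoteInteractive) logons
        if ev.event_id == 4625:
            failures[ev.src_ip].append(ev.time)
            continue
        if ev.event_id != 4624:
            continue
        if not is_internal(ev.src_ip):
            findings.append(("external-rdp", ev.user, ev.src_ip))
        if outside_business_hours(ev.time):
            findings.append(("after-hours-rdp", ev.user, ev.src_ip))
        recent = [t for t in failures[ev.src_ip] if ev.time - t <= BRUTE_FORCE_WINDOW]
        if len(recent) >= BRUTE_FORCE_THRESHOLD:
            findings.append(("brute-force-success", ev.user, ev.src_ip))
            failures[ev.src_ip].clear()        # one alert per burst
    return findings


# Constructed sample events (not real logs). 2025-03-04 is a Tuesday, 2025-03-08 a Saturday.
SAMPLE_EVENTS = [
    # benign: internal admin at 14:30 UTC = 09:30 local on a weekday
    "TimeCreated=2025-03-04T14:30:00+00:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.1.2.3",
    # five failures then a success from an external address at 03:00 UTC = 22:00 local Friday
    "TimeCreated=2025-03-08T03:00:00+00:00 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "TimeCreated=2025-03-08T03:00:30+00:00 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "TimeCreated=2025-03-08T03:01:00+00:00 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "TimeCreated=2025-03-08T03:01:30+00:00 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "TimeCreated=2025-03-08T03:02:00+00:00 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "TimeCreated=2025-03-08T03:02:30+00:00 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    # console logon (LogonType 2) is outside the scope of the RDP rules
    "TimeCreated=2025-03-08T03:05:00+00:00 EventID=4624 LogonType=2 TargetUserName=svc_backup IpAddress=-",
]

if __name__ == "__main__":
    for rule, user, ip in detect(SAMPLE_EVENTS):
        print(f"{rule}: user={user} src={ip}")
```

The same success event triggers all three rules, which is the point: an internet-reachable RDP service lets an attacker work after hours from anywhere, and a single external source retrying until it succeeds is the brute-force pattern the report counts at 21.07% of cases. In production, source these fields from the EventData of 4624/4625 records and tune the internal ranges and hours to the site.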