Dive Brief:
- Threat actors motivated by financial gain continue to rise in prominence, representing 55% of all cyber actors during 2024, according to a report by Mandiant. The figures show a steady increase from 52% in 2023 and 48% in 2022.
- Exploits remained the most common initial access vector for the fifth consecutive year, representing 33% of exploits overall, according to the Mandiant M-Trends 2025 report. However, stolen credentials became the second most common initial access point for the first time, indicating a rising trend.
- Cyber threat groups are increasingly targeting unsecured data repositories as poor security hygiene continues to leave organizations at risk.
Dive Insight:
The rise in credential theft was among the most surprising developments in the report, as underground criminals have become increasingly focused on harvesting and abusing user credentials.
Mandiant researchers said that infostealers have been a concern for many years and there has recently been a resurgence in the use of such tools.
“Email tends to be noisier and easier to detect with phishing detection,” Jurgen Kutscher, VP, Mandiant Consulting, told Cybersecurity Dive via email. “There is an entire cybercrime business surrounding stolen credentials that promoted the sale (and use) of stolen credentials.”
Kutscher said there has been an increase in credential theft from noncorporate systems, particularly personal computers. These systems do not use enterprise-grade security controls, such as endpoint detection and response (EDR) or network monitoring.
That risk escalates when workers or outside contractors disable antivirus software so they can install unlicensed software, Kutscher said.
The report, based on Mandiant Consulting’s attack investigations worldwide during 2024, analyzed data the company collected from more than 450,000 hours of incident response engagements.