Back to Basics with MFA, VPNs, and Firewalls

Threat actors typically begin their cyberattacks by performing reconnaissance against an organization’s people, processes, and technology. They primarily seek to exploit weaknesses in people and software to gain initial access, and then attempt to reach internal systems. VPNs and firewalls are frequent targets because they sit at the network edge, serve as the primary gateways to internal systems and networks, and provide remote access to the organization. Successful cyberattacks can have cascading impacts, including operational disruptions, financial losses, and the loss of confidentiality, integrity, and availability of data and information systems.
Credentials (usernames and passwords) authenticate users and control access to online accounts, email systems, network resources, and more. Threat actors harvest or steal these credentials to gain initial access, primarily through phishing, but also through keylogging malware, brute force attacks, man-in-the-middle (MITM) attacks, and credential stuffing attacks. The convenient but risky practice of reusing one password across multiple accounts means that a single exposed password can compromise several accounts. Harvested and reused credentials allow threat actors to compromise accounts, escalate privileges, exploit vulnerabilities, move laterally within a network, deploy malware, and access data. As highlighted by the recent Medusa and Hellcat ransomware attacks, users are advised to enable MFA for all accounts and services, including email and VPNs.
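The credential attacks described above leave distinct traces in VPN authentication logs, and telling them apart matters because each calls for a different response: account lockout and MFA enforcement for brute force, source blocking and a password audit for spraying or stuffing. The following Python script is an added example and is not part of the original bulletin. It runs over a constructed, syslog-like log (the field names, thresholds, usernames and IP addresses are assumptions made for illustration, not any vendor's real format) and flags three patterns: repeated failures against one account from one source, failures against many accounts from one source, and a successful login without MFA following a run of failures, which is exactly the outcome MFA would have blocked.

```python
"""Flag credential-attack patterns in VPN authentication logs.

Added example, not code from the original bulletin. The log layout,
field names, thresholds and addresses below are assumptions chosen for
illustration; adapt LINE_RE to your appliance's actual log format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed syslog-like layout: one authentication event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no)$"
)

# Detection thresholds (assumed; tune them to your environment's baseline).
BRUTE_FORCE_FAILURES = 5  # failed logins to one account from one source
MANY_ACCOUNT_USERS = 4    # distinct accounts failed from one source

# Constructed sample log (not real telemetry). Three stories are embedded:
# 203.0.113.10 brute-forces jsmith and then logs in without MFA;
# 198.51.100.7 tries one password each against four accounts (spraying
# and credential stuffing look alike here because the password itself is
# never logged); 192.0.2.5 is a user who mistyped once, then completed MFA.
SAMPLE_LOG = """\
2025-03-04T08:00:01Z vpn-gw auth result=FAIL user=jsmith src=203.0.113.10 mfa=no
2025-03-04T08:00:02Z vpn-gw auth result=FAIL user=jsmith src=203.0.113.10 mfa=no
2025-03-04T08:00:03Z vpn-gw auth result=FAIL user=jsmith src=203.0.113.10 mfa=no
2025-03-04T08:00:04Z vpn-gw auth result=FAIL user=jsmith src=203.0.113.10 mfa=no
2025-03-04T08:00:05Z vpn-gw auth result=FAIL user=jsmith src=203.0.113.10 mfa=no
2025-03-04T08:00:06Z vpn-gw auth result=OK user=jsmith src=203.0.113.10 mfa=no
2025-03-04T08:01:00Z vpn-gw auth result=FAIL user=alice src=198.51.100.7 mfa=no
2025-03-04T08:01:01Z vpn-gw auth result=FAIL user=bob src=198.51.100.7 mfa=no
2025-03-04T08:01:02Z vpn-gw auth result=FAIL user=carol src=198.51.100.7 mfa=no
2025-03-04T08:01:03Z vpn-gw auth result=FAIL user=dave src=198.51.100.7 mfa=no
2025-03-04T08:02:00Z vpn-gw auth result=FAIL user=mchen src=192.0.2.5 mfa=no
2025-03-04T08:02:10Z vpn-gw auth result=OK user=mchen src=192.0.2.5 mfa=yes
this line is deliberately malformed and must be skipped, not crash the run
"""


@dataclass
class SourceStats:
    """Per-source-address counters built while streaming the log."""
    fails_per_user: dict = field(default_factory=lambda: defaultdict(int))
    # (user, mfa flag, failures already seen for that user at success time)
    successes: list = field(default_factory=list)


def parse(line):
    """Return the event's fields as a dict, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Return findings as (pattern, src, user_or_None, count) tuples."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # skip malformed lines rather than abort the run
        s = stats[ev["src"]]
        if ev["result"] == "FAIL":
            s.fails_per_user[ev["user"]] += 1
        else:
            # .get() so a clean success does not create a phantom 0 entry
            # that would inflate the distinct-account count below.
            prior = s.fails_per_user.get(ev["user"], 0)
            s.successes.append((ev["user"], ev["mfa"], prior))

    findings = []
    for src, s in sorted(stats.items()):
        # Brute force: many failures concentrated on a single account.
        for user, n in s.fails_per_user.items():
            if n >= BRUTE_FORCE_FAILURES:
                findings.append(("brute_force", src, user, n))
        # Spraying / stuffing: one source touching many accounts.
        if len(s.fails_per_user) >= MANY_ACCOUNT_USERS:
            findings.append(("many_accounts", src, None, len(s.fails_per_user)))
        # The outcome MFA prevents: a guessed password that actually worked.
        for user, mfa, prior_fails in s.successes:
            if prior_fails >= BRUTE_FORCE_FAILURES and mfa == "no":
                findings.append(
                    ("success_without_mfa_after_failures", src, user, prior_fails)
                )
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

On the sample above the script reports a brute-force run against jsmith from 203.0.113.10, a many-account pattern from 198.51.100.7, and a password-only success on jsmith after five failures; the single mistype from 192.0.2.5 produces nothing. In production, count failures within a sliding time window rather than over the whole file, and expect spraying to be distributed across many source addresses, so also aggregate per target account across sources.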
Threat actors also exploit software vulnerabilities, especially in VPNs, firewalls, and other edge devices, to infiltrate systems and networks. Multiple security advisories were issued during the first quarter of 2025, including for the Ivanti Connect Secure, Policy Secure, and ZTA Gateways remote code execution vulnerability, the Cisco Meraki MX and Z Series AnyConnect VPN denial of service vulnerability, the Fortinet unverified password change vulnerability, and the OpenVPN denial of service vulnerability. Additionally, at least five VPN services have been linked to a sanctioned Chinese firm, inadvertently impacting millions of free VPN users in the United States. There was also a significant surge in scanning activity against Palo Alto Networks devices, suggesting a coordinated effort to test network defenses and exploit vulnerable systems. Furthermore, threat actors exploited two Fortinet vulnerabilities in FortiGate firewall appliances in a series of intrusions that deployed the SuperBlack ransomware variant.
Weak credentials without MFA, combined with unpatched or misconfigured systems, create a ticking time bomb: threat actors compromise accounts, infiltrate perimeter security devices, and follow through with ransomware and other large-scale attacks.
Recommendations
Participate in security awareness training to better understand cyber threats, serve as a strong line of defense, and recognize red flags in potentially malicious communications.

Use strong, unique passwords and enable MFA wherever it is available, preferring authentication apps or hardware tokens over SMS text-based codes, which can be intercepted or redirected through SIM swapping. Keep systems up to date and apply patches promptly after appropriate testing.

Use network segmentation to isolate high-value assets and limit the spread of ransomware and malware.

Enforce the principle of least privilege, disable unused ports and services, and deploy web application firewalls (WAFs) in front of internet-facing applications.

Maintain robust, up-to-date endpoint detection tools on every endpoint, and favor behavior-based detection over purely signature-based tools.

Encrypt sensitive data at rest and in transit. Establish a comprehensive data backup plan that includes performing regularly scheduled backups, keeping an updated copy offline in a separate and secure location, and testing restores regularly.

Create and test continuity of operations plans (COOPs) and incident response plans. Review the Ransomware: Risk Mitigation Strategies

Use tools such as haveibeenpwned.com to determine whether your personally identifiable information (PII) or credentials have been exposed in a public data breach.