Full Report
IBM warns of infostealer surge as attackers automate credential theft and adopt AI to generate highly convincing phishing emails en masse
Analysis Summary
# Incident Report: Rise of Identity-Based Attacks and Evolving Cybercrime Tactics
## Executive Summary
Identity-based attacks surged to comprise approximately 30% of all intrusions over the reporting period, driven significantly by an 84% increase in infostealer malware delivery via email. Attackers leveraged AI to generate convincing phishing content and exploit identity gaps in hybrid cloud environments. While ransomware remains the dominant malware type, operational pressure from takedowns is forcing threat groups to adopt newer, short-lived malware families.
## Incident Details
- **Discovery Date:** Not explicitly stated; derived from data compiled covering the **past year** (Implied period leading up to the Q1/Q2 2025 report publication).
- **Incident Date:** Data compiled reflects activity over the **last year** (2024).
- **Affected Organization:** Data drawn from IBM X-Force incident response engagements globally.
- **Sector:** Manufacturing was the most targeted sector for extortion and data theft attacks.
- **Geography:** Global, based on IBM X-Force data sources.
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout the reporting period (Last Year/2024).
- **Vector:** Identity-based attacks (30% of intrusions), use of legitimate account credentials, and exploitation of public-facing applications (tied for most popular initial vector).
- **Details:** Attackers utilized AI-generated phishing emails and infostealer malware to compromise credentials. Legacy systems and slow patching cycles increased exposure for Critical National Infrastructure (CNI) providers targeted via public-facing application exploitation.
### Lateral Movement
- Once access was gained, threat actors used **active scanning techniques** post-compromise to identify new vulnerabilities, gain additional access, and move laterally within the compromised environments.
### Data Exfiltration/Impact
- Attacks culminated in data theft, with manufacturing being the largest data theft victim (24% of attacks).
- Ransomware tactics shifted, although it remained the largest malware category (28% of malware cases).
### Detection & Response
- **How it was discovered:** Based on analysis of IBM's incident response engagements and threat intelligence sources.
- **Response actions taken:** Not explicitly detailed for specific incidents, but the report implies the need for proactive threat hunting.
## Attack Methodology
- **Initial Access:** Identity compromise, use of legitimate account credentials, exploitation of public-facing applications.
- **Persistence:** Not explicitly detailed, but implied through successful credential access.
- **Privilege Escalation:** Attackers actively seek to **escalate privileges** post-compromise to gain access to core services.
- **Defense Evasion:** Use of AI to generate convincing phishing content makes detection more difficult.
- **Credential Access:** Use of **infostealer malware** delivered via mass phishing campaigns.
- **Discovery:** Use of **active scanning techniques** post-compromise to identify new vulnerabilities.
- **Lateral Movement:** Active scanning and exploitation of newly discovered internal weaknesses.
- **Collection:** Undetermined, but focused on data relevant to extortion/theft.
- **Exfiltration:** Data theft, particularly prevalent against the Manufacturing sector.
- **Impact:** Ransomware events and data extortion.
## Impact Assessment
- **Financial:** Not quantified, but driven by ransomware and data theft costs.
- **Data Breach:** Sensitive data access driven by successful identity compromise.
- **Operational:** Risk increases the longer the threat remains undetected due to lateral movement and privilege escalation.
- **Reputational:** Inherent risk associated with identity breaches and ransomware execution.
## Indicators of Compromise
- **Network indicators:** Not specified (URLs/IPs defanged).
- **File indicators:** Mention of **infostealer malware** families (though specific names are shifting away from established ones like Trickbot/Quakbot).
- **Behavioral indicators:** High volume of phishing emails delivering infostealers; post-compromise active scanning; rapid privilege escalation attempts.
## Response Actions
- **Containment measures:** Not explicitly stated.
- **Eradication steps:** Not explicitly stated.
- **Recovery actions:** Not explicitly stated.
## Lessons Learned
- The primary breaking mechanism is no longer brute force but **capitalizing on identity gaps** in complex hybrid cloud environments.
- **AI is accelerating the preparatory phase** of attacks (generating phishing emails and malicious code).
- Global takedown efforts are forcing ransomware groups to cycle through **new and short-lived malware families**.
- Nation-state and cybercrime actors are **sharing exploit information** on the dark web (40% of top CVEs discussed are linked to sophisticated groups).
- The longer an attacker remains undetected, the greater the risk of privilege escalation to core services.
## Recommendations
- Shift from an ad-hoc prevention mindset to **proactive measures**.
- **Modernize authentication management**.
- **Plug multi-factor authentication (MFA) holes**.
- Conduct **real-time threat hunting** to uncover hidden threats before data exposure.
- Improve patching cadence, particularly for **public-facing applications**, to mitigate initial access vectors.