
Why Hackers Keep Exploiting the Same Security Gaps

Summary

– Identity-based attacks, particularly suspicious Microsoft 365 logins, are the most common detection and a primary entry point for attackers.
– Once inside, attackers escalate privileges using actions that mimic normal IT admin work, such as adding users to high-risk security groups.
– Remote management tools and third-party vendor access are major attack vectors, with 66% of incidents involving supply chain or third-party access.
– Security is frequently undermined by misconfigurations, especially disabled or absent endpoint protection agents, and by long-known weaknesses such as untrusted certificates and weak encryption (RC4).
– Ransomware remains a consistent high-impact threat: most ransomware incidents began with an exploited or compromised firewall, and nearly all cases that reached lateral movement ended in ransomware deployment.

Cybersecurity teams face a relentless challenge, not from shadowy, novel threats, but from attackers repeatedly walking through the same unlocked doors. A comprehensive new analysis of security telemetry reveals that the majority of successful breaches stem from fundamental failures in identity management, third-party access controls, and the security of perimeter devices. The data underscores a persistent gap between security policies and their consistent enforcement across complex digital environments.

The findings are drawn from an immense pool of data encompassing trillions of IT events, hundreds of thousands of security alerts, and a vast array of protected assets monitored throughout the year. Within this dataset, alerts related to identity consistently topped the list. Suspicious logins, particularly anomalous Microsoft 365 access and “impossible travel” alerts, were the most frequently detected events, pointing directly to credential theft and account compromise. This pattern confirms that stolen or weak identities remain a primary gateway for attackers, far outpacing more sophisticated methods like advanced malware.
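The "impossible travel" alert mentioned above is one of the few identity detections that needs no knowledge of the attacker's tooling: two successful sign-ins for the same account from places that cannot be reached in the elapsed time. The following is an added example, not code from the report or from Help Net Security; the event schema, the 900 km/h and 200 km thresholds, and the sample sign-ins (documentation-range IPs, city-centre coordinates) are all constructed for illustration.

```python
"""Impossible-travel detection over sign-in events.

Added example (not code from the report or from Help Net Security): flags
consecutive successful sign-ins by the same user whose locations are too far
apart for the elapsed time. The event schema, thresholds and the sample
events below are all constructed for illustration.
"""
import math
from dataclasses import dataclass
from datetime import datetime

MAX_SPEED_KMH = 900.0    # assumption: faster than an airliner counts as impossible
MIN_DISTANCE_KM = 200.0  # assumption: ignore short hops caused by GeoIP jitter


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH, min_distance_km=MIN_DISTANCE_KM):
    """Return one alert tuple per sign-in that implies impossible travel.

    Each alert is (user, previous_event, event, distance_km, speed_kmh).
    Failed sign-ins are ignored: a password-spray miss from another country
    is a different detection, not travel.
    """
    alerts = []
    last_seen = {}  # user -> most recent successful sign-in
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            continue
        prev = last_seen.get(ev.user)
        if prev is not None and prev.ip != ev.ip:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else math.inf
            if dist >= min_distance_km and speed > max_speed_kmh:
                shown_speed = speed if math.isinf(speed) else round(speed)
                alerts.append((ev.user, prev, ev, round(dist), shown_speed))
        last_seen[ev.user] = ev
    return alerts


def _t(hhmm):
    """Constructed timestamps on one arbitrary day (UTC)."""
    return datetime.fromisoformat(f"2024-01-15T{hhmm}:00+00:00")


# Constructed sample sign-ins; coordinates are city centres, IPs are documentation ranges.
SAMPLE_EVENTS = [
    SignIn("alice", _t("09:00"), "203.0.113.10", 51.5074, -0.1278, True),   # London
    SignIn("alice", _t("09:40"), "198.51.100.7", 40.7128, -74.0060, True),  # New York, 40 min later
    SignIn("bob",   _t("09:00"), "203.0.113.11", 51.5074, -0.1278, True),   # London
    SignIn("bob",   _t("12:00"), "192.0.2.44",   48.8566,   2.3522, True),  # Paris, 3 h later
    SignIn("carol", _t("09:00"), "203.0.113.12", 51.5074, -0.1278, True),   # London
    SignIn("carol", _t("09:30"), "203.0.113.80", 53.4808,  -2.2426, True),  # Manchester, 30 min later
    SignIn("dave",  _t("09:00"), "198.51.100.9", 40.7128, -74.0060, False), # New York, failed
    SignIn("dave",  _t("09:05"), "203.0.113.13", 51.5074, -0.1278, True),   # London, success
]

if __name__ == "__main__":
    for user, prev, cur, dist, speed in impossible_travel(SAMPLE_EVENTS):
        minutes = int((cur.ts - prev.ts).total_seconds() // 60)
        print(f"{user}: {prev.ip} -> {cur.ip}, {dist} km in {minutes} min ({speed} km/h)")
```

Only alice trips the rule (London to New York in 40 minutes); bob's London-to-Paris hop and carol's London-to-Manchester hop are both physically plausible, and dave's failed New York attempt is not counted as a location. In production the per-user "last seen" state lives in the SIEM rather than in memory, and trusted egress ranges (corporate VPN exits, known cloud proxies) are usually excluded before the distance check to keep the false-positive rate down.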

Once inside, adversaries focus on elevating their privileges, often by mimicking routine administrative tasks. Common tactics included adding users to high-risk Windows security groups or manipulating global administrator roles in Microsoft 365. Because these actions look identical to legitimate IT operations, they can easily evade traditional security alerts. Attackers are increasingly adept at using an organization’s own trusted tools and standard workflows to remain undetected while securing the access they need.
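Because a group-membership change looks the same whether an administrator or an intruder makes it, the useful detection is not "someone was added to Domain Admins" but "someone was added to a high-risk group by an actor, or at a time, that the change process does not explain". The following is an added example, not code from the report: it normalizes Windows Security events for "member added to security-enabled group" (event IDs 4728 global, 4732 local, 4756 universal) and a Microsoft 365 audit record for the "Add member to role." operation, keeps only additions to high-risk groups or roles, and raises severity when the actor is not an approved provisioning account or acts outside the change window. The record dictionaries are simplified from the real schemas (in particular the M365 `RoleName` field is a flattening of the real nested properties), and the allow-list, change window and sample records are all constructed.

```python
"""Spot privilege escalation hidden inside routine group and role changes.

Added example, not code from the report: normalizes Windows Security events
4728/4732/4756 ("member added to security-enabled group") and Microsoft 365
"Add member to role." audit records, keeps additions to high-risk groups or
roles, and scores them by actor and time of day. Record shapes are
simplified from the real schemas; allow-list and samples are constructed.
"""
from datetime import datetime

GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}
HIGH_RISK_GROUPS = {
    "domain admins", "enterprise admins", "schema admins", "administrators",
    "account operators", "backup operators", "dnsadmins", "group policy creator owners",
}
HIGH_RISK_ROLES = {"global administrator", "privileged role administrator"}
APPROVED_ADMINS = {"CORP\\svc-iam-provisioner", "it.admin@contoso.example"}  # constructed
CHANGE_WINDOW_HOURS = (8, 18)  # assumption: approved changes happen 08:00-17:59


def normalize(rec):
    """Map a Windows or M365 record to one shape; None if it is not a group/role addition."""
    if rec.get("source") == "windows" and rec.get("EventID") in GROUP_ADD_EVENT_IDS:
        return {
            "source": "windows",
            "ts": datetime.fromisoformat(rec["TimeCreated"]),
            "actor": f'{rec["SubjectDomainName"]}\\{rec["SubjectUserName"]}',
            "member": rec["MemberName"],
            "target": rec["TargetUserName"],  # for these event IDs the target is the group
        }
    if rec.get("source") == "m365" and rec.get("Operation") == "Add member to role.":
        return {
            "source": "m365",
            "ts": datetime.fromisoformat(rec["CreationTime"]),
            "actor": rec["UserId"],
            "member": rec["ObjectId"],
            "target": rec["RoleName"],  # simplified: real records nest this in ModifiedProperties
        }
    return None


def score(change, approved=APPROVED_ADMINS, window=CHANGE_WINDOW_HOURS):
    """Severity plus reasons: the same action is routine or hostile depending on context."""
    reasons = []
    if change["actor"] not in approved:
        reasons.append("actor is not an approved provisioning account")
    if not (window[0] <= change["ts"].hour < window[1]):
        reasons.append("outside change window")
    return ("high" if reasons else "medium"), reasons


def flag_privileged_additions(records):
    """Return alerts for additions to high-risk groups/roles, in record order."""
    alerts = []
    for rec in records:
        change = normalize(rec)
        if change is None or change["target"].lower() not in HIGH_RISK_GROUPS | HIGH_RISK_ROLES:
            continue
        severity, reasons = score(change)
        alerts.append({**change, "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample records (field names simplified from the real event schemas).
SAMPLE_RECORDS = [
    {"source": "windows", "EventID": 4728, "TimeCreated": "2024-01-15T02:13:44",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "MemberName": "CN=backup-svc,OU=Service,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"source": "windows", "EventID": 4732, "TimeCreated": "2024-01-15T10:02:10",
     "SubjectDomainName": "CORP", "SubjectUserName": "svc-iam-provisioner",
     "MemberName": "CN=helpdesk3,OU=Users,DC=corp,DC=example", "TargetUserName": "VPN-Users"},
    {"source": "windows", "EventID": 4756, "TimeCreated": "2024-01-15T10:05:31",
     "SubjectDomainName": "CORP", "SubjectUserName": "svc-iam-provisioner",
     "MemberName": "CN=newadmin,OU=Users,DC=corp,DC=example", "TargetUserName": "Enterprise Admins"},
    {"source": "windows", "EventID": 4624, "TimeCreated": "2024-01-15T10:06:00",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe"},
    {"source": "m365", "Operation": "Add member to role.", "CreationTime": "2024-01-15T23:40:12",
     "UserId": "contractor@vendor.example", "ObjectId": "bob@contoso.example",
     "RoleName": "Global Administrator"},
]

if __name__ == "__main__":
    for a in flag_privileged_additions(SAMPLE_RECORDS):
        print(f'[{a["severity"]}] {a["source"]}: {a["actor"]} added {a["member"]} '
              f'to {a["target"]} at {a["ts"]:%H:%M} {"; ".join(a["reasons"])}')
```

The provisioning account adding a member to Enterprise Admins at 10:05 is still reported (medium), because an attacker who has taken over that account would generate exactly that record; the 02:13 addition by an ordinary user and the 23:40 role grant by a vendor account score high on both actor and time. The logon event (4624) and the VPN-Users change are dropped before scoring. A real deployment would also correlate the alert with the change-ticket system so that approved work can be closed automatically.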

The abuse of remote management and access tools presents a significant and growing risk. Incidents frequently involved the exploitation of tools like ScreenConnect, RDP, PsExec, and various VPN services. In one case, attackers installed a trusted remote management application via PowerShell as part of their compromise chain. In another, ransomware operators deployed a legitimate IT automation tool on a domain controller, allowing their activity to blend in with normal backup or maintenance processes.

A particularly striking finding involves the role of third parties. Supply chain and third-party access were implicated in a majority of security incidents, a notable increase from the previous year. Often, vendor accounts remain active long after a contract concludes, creating dormant but powerful entry points. One ransomware attack began precisely this way, with adversaries using a never-deactivated vendor account to gain initial access before moving laterally to an unprotected server.

While new vulnerabilities make headlines, older weaknesses continue to pose widespread risks. The most commonly detected network vulnerabilities involved untrusted or self-signed TLS certificates and weak encryption. Notably, a decade-old flaw in the RC4 cipher was the most detected specific vulnerability, highlighting how legacy systems and outdated cryptographic configurations persist in modern networks long after the standards have deprecated them.

Perhaps the most telling data point concerns misconfiguration. In nearly every incident investigated, endpoint protection agents were found to be disabled or entirely absent. This single failure point renders other security investments moot. Multi-factor authentication and other critical security features were also found deliberately switched off in many cases, leaving systems exposed. The presence of even one unmanaged or rogue device on a network can provide the opening attackers need.

Ransomware continues to be a dominant and escalating threat, with a clear link to perimeter security. The analysis found that an overwhelming majority of ransomware incidents exploited firewalls, either through unpatched vulnerabilities or compromised administrator accounts. Once attackers achieve lateral movement across a network, the deployment of ransomware becomes almost inevitable. The speed of these attacks varies dramatically, with some moving from initial breach to full encryption in mere hours, while others linger for months to stealthily exfiltrate data before launching their payload.

The collective evidence points to a consistent theme: operational security hygiene often falters. A forgotten account, a misconfigured setting, or an unpatched perimeter device can nullify an entire security strategy. As one security director noted, attackers only need to find one such oversight to succeed, making consistent vigilance and foundational controls more critical than ever.

(Source: HelpNet Security)
