Credential Abuse and Password Cracking Attacks Remain Highly Effective in 2025
Summary
Hide β²
Show βΌ
Compromised valid accounts and password cracking attacks continue to be highly effective against organizations in the first half of 2025. The Picus Blue Report 2025 reveals that 46% of tested environments were vulnerable to password cracking, and valid accounts (T1078) were exploited with a 98% success rate. These attacks often go undetected, allowing attackers to move laterally and exfiltrate data. The report underscores the need for stronger password policies, multi-factor authentication (MFA), and regular credential defense validation. The findings highlight that while organizations focus on perimeter defenses, they often overlook identity and credential protection, leaving critical systems vulnerable to credential abuse and lateral movement.
Timeline
-
21.08.2025 13:50 π° 1 articles Β· β± 26d ago
Picus Blue Report 2025: Credential Abuse and Password Cracking Attacks Highlighted
The Picus Blue Report 2025, released in August 2025, reveals that password cracking attacks succeeded in 46% of tested environments, nearly doubling the success rate from the previous year. Valid accounts (T1078) were exploited with a 98% success rate, allowing attackers to move laterally and exfiltrate data. The report underscores the need for stronger password policies, multi-factor authentication (MFA), and regular credential defense validation. The findings highlight that while organizations focus on perimeter defenses, they often overlook identity and credential protection, leaving critical systems vulnerable to credential abuse and lateral movement.
Show sources
- Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025 β thehackernews.com β 21.08.2025 13:50
Information Snippets
-
Password cracking attempts succeeded in 46% of tested environments, nearly doubling the success rate from the previous year.
First reported: 21.08.2025 13:50π° 1 source, 1 articleShow sources
- Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025 β thehackernews.com β 21.08.2025 13:50
-
Valid accounts (T1078) were exploited with a 98% success rate, allowing attackers to move laterally and exfiltrate data.
First reported: 21.08.2025 13:50π° 1 source, 1 articleShow sources
- Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025 β thehackernews.com β 21.08.2025 13:50
-
46% of environments had at least one password hash cracked and converted to cleartext, indicating weak password policies.
First reported: 21.08.2025 13:50π° 1 source, 1 articleShow sources
- Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025 β thehackernews.com β 21.08.2025 13:50
-
Infostealers and ransomware groups frequently use stolen credentials to spread across networks, often undetected.
First reported: 21.08.2025 13:50π° 1 source, 1 articleShow sources
- Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025 β thehackernews.com β 21.08.2025 13:50
-
Organizations often prioritize perimeter defenses over identity and credential protection, leaving critical systems vulnerable.
First reported: 21.08.2025 13:50π° 1 source, 1 articleShow sources
- Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025 β thehackernews.com β 21.08.2025 13:50
-
The Picus Blue Report 2025 is based on empirical findings from over 160 million attack simulations conducted within organizations' networks.
First reported: 21.08.2025 13:50π° 1 source, 1 articleShow sources
- Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025 β thehackernews.com β 21.08.2025 13:50
Similar Happenings
Phoenix Rowhammer attack bypasses DDR5 Rowhammer defenses
A new Rowhammer attack variant, called Phoenix, bypasses the latest protection mechanisms on DDR5 memory chips from SK Hynix. This attack exploits vulnerabilities in the Target Row Refresh (TRR) mechanism to flip bits in memory, enabling privilege escalation and unauthorized access. The attack was developed by researchers at ETH Zurich University and Google, and it affects all DDR5 DIMM RAM modules produced between January 2021 and December 2024. The Phoenix attack can corrupt data, increase privileges, execute malicious code, or access sensitive data. It works by repeatedly accessing specific rows of memory cells to cause electrical interference, altering nearby bits. The attack is tracked as CVE-2025-6202 and has been assigned a high-severity score. The researchers demonstrated the attack's effectiveness by successfully flipping bits on all 15 DDR5 memory chips in their test pool, achieving root privileges in under two minutes. They also showed that the attack can break SSH authentication and alter system binaries to escalate local privileges. The researchers recommend increasing the refresh rate to 3x to mitigate the Phoenix attack.
UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns
The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.
Akira Ransomware Group Exploits SonicWall SSL VPN Flaws
The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.
Increased browser targeting by threat actors
Threat actors are increasingly targeting web browsers as a primary attack vector. This shift is driven by the browser's central role in accessing sensitive data and cloud applications, making it an attractive target for credential theft and session hijacking. High-profile incidents, such as the Snowflake breach, underscore the need for enhanced browser security measures. The browser's role in accessing sensitive data and cloud applications makes it a prime target for attackers. The Snowflake breach, which exploited stolen credentials, highlights the risks associated with browser-based attacks. Experts emphasize the need for stronger browser security to mitigate these threats. Browser-based attacks include phishing for credentials and sessions, malicious copy & paste (ClickFix), malicious OAuth integrations, malicious browser extensions, malicious file delivery, and exploiting stolen credentials and MFA gaps. These attacks exploit the browser's role in accessing business applications and data, making it crucial for security teams to focus on browser security.
Microsoft September 2025 Patch Tuesday fixes 81 vulnerabilities, including two zero-days
Microsoft released updates for 80 vulnerabilities on September 2025 Patch Tuesday. None of these vulnerabilities were zero-days. The updates address eight critical flaws, including five remote code execution vulnerabilities, one information disclosure, and two elevation of privilege vulnerabilities. The vulnerabilities span various categories: 38 elevation of privilege, 2 security feature bypass, 22 remote code execution, 14 information disclosure, 3 denial of service, and 1 spoofing. One zero-day vulnerability was fixed in Windows SMB Server. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing. The patch includes 38 elevation of privilege vulnerabilities, the highest number among all categories. CVE-2025-54918 is an EoP vulnerability in Windows NT LAN Manager (NTLM) marked as critical. CVE-2025-54111 and CVE-2025-54913 are EoP flaws in Windows UI XAML, allowing privilege escalation via phished credentials or malicious Microsoft Store apps. CVE-2025-55232 is an RCE vulnerability in the Microsoft High Performance Compute (HPC) Pack with a CVSS score of 9.8. CVE-2025-54916 is an RCE vulnerability in Windows NTFS that can be triggered by authenticated users. Microsoft's patch update includes recommendations for preparing for the end-of-life of Windows 10 and mandatory multifactor authentication (MFA) for Azure in October 2025.