Attackers Handing Off Access in 22 Seconds, Experts Warn
Attackers Are Speeding Up Their Operations, Finds Mandiant Report
In a recent report, Mandiant analyzed data from over 500,000 hours of incident response work conducted in 2025, revealing that attackers have accelerated their internal handoffs, shifted away from phishing, and targeted backup and virtualization infrastructure with greater precision.
Exploits Remain Dominant Entry Point
For the sixth consecutive year, exploits remained the leading entry point for attackers, accounting for 32% of initial infections in 2025. Phishing, once the dominant social engineering vector, declined significantly and now represents a small fraction of its former share.
According to Mandiant, “Interactive social engineering methods require live human engagement and are more resistant to automated technical controls than volume-based campaigns.” (Source: Mandiant report)
Attackers Target Recovery Infrastructure
Ransomware operators targeted recovery infrastructure in 13% of Mandiant investigations in 2025. They have moved beyond dual-threat encryption-and-theft operations, focusing on systematically denying organizations the ability to recover. Identity services, virtualization management planes, and backup infrastructure were among the targets.
Misconfigured Systems Exploited by Attackers
Mandiant investigated multiple breaches where threat actors exploited misconfigured Active Directory Certificate Services (AD CS) templates to create administrator accounts exempt from multi-factor authentication. They also extracted dozens of high-privilege credentials in a single session from enterprise credential vaults.
New Malware Families and Threat Clusters Emerged in 2025
More than 660 new threat clusters and 714 new malware families were tracked in 2025, pushing the cumulative totals past 5,000 threat clusters and 6,000 malware families, respectively. Financially motivated groups made up the largest share of clusters observed in Mandiant investigations, while cyber espionage groups doubled their share compared to 2024.
Zero-Day Vulnerabilities Drove Widespread Exploitation
The most frequently exploited vulnerabilities in 2025 Mandiant investigations were all zero-days targeting internet-facing enterprise application servers. The vulnerabilities included:
- CVE-2025-31324: Improper authorization flaw in SAP NetWeaver’s Visual Composer component.
- CVE-2025-61882: Improper authentication vulnerability in Oracle E-Business Suite.
- CVE-2025-53770: Deserialization vulnerability in Microsoft SharePoint Server.
These vulnerabilities allowed unauthenticated file uploads and remote code execution, and attackers chained them with other exploits to install web shells and conduct reconnaissance.
North Korean IT Workers Remained a Significant Insider Threat
North Korean IT workers using false identities to carry out employment fraud remained a significant and persistent insider threat, with a median dwell time of 122 days and, in several cases, undetected presence lasting more than a year.
