
Redazione RHC : 4 November 2025 07:22
A FortiGuard report for the first half of 2025 shows that financially motivated attackers are increasingly eschewing sophisticated exploits and malware. Instead, they are using valid accounts and legitimate remote access tools to penetrate corporate networks undetected.
This approach has proven not only simpler and cheaper, but also significantly more effective: attacks using stolen passwords are increasingly escaping detection.
Experts report that in the first six months of the year, they investigated dozens of incidents across various sectors, from manufacturing to finance and telecommunications. Analysis of these cases revealed a recurring pattern: attackers gain access using stolen or purchased credentials, connect via VPN, and then move around the network using remote administration tools such as AnyDesk, Atera, Splashtop, and ScreenConnect.

This strategy allows them to disguise their activity as system administrator activity and avoid suspicion. FortiGuard's findings for the same period are consistent: the password-leak trends documented in open-source reporting match those identified during its own investigations. Essentially, attackers don’t have to “hack” systems in the traditional sense: they simply log in using someone else’s login credentials, often obtained through phishing or infostealers sold on black market platforms.
In one analyzed attack, attackers used valid credentials to connect to a corporate VPN without multifactor authentication, then extracted saved hypervisor passwords from the compromised user’s browser and encrypted the virtual machines. In another case, an operator gained access via a stolen domain administrator account and mass-installed AnyDesk across the entire network using RDP and Group Policy, allowing them to move between systems and remain undetected for extended periods of time. There have also been cases where attackers exploited an old vulnerability in an external server, deployed several remote management tools, and created fake service accounts to move covertly through the environment and then steal documents.
The analysis showed that password theft remains one of the cheapest and most accessible strategies. The cost of access depends directly on the company’s size and geography: for organizations with over a billion dollars in revenue in developed countries, it can reach $20,000, while for smaller companies in developing regions, it ranges into the hundreds of dollars. Massive infostealing campaigns provide a constant stream of up-to-date data, and the low barrier to entry makes such attacks attractive even to less trained groups.
| Company turnover | Developed economies | Emerging/developing economies |
|---|---|---|
| Over US$1 billion | US$10,000-20,000 | US$3,000-6,000 |
| US$500 million-1 billion | US$4,000-8,000 | US$1,000-5,000 |
| US$100-500 million | US$2,000-5,000 | US$500-2,000 |
| Under US$100 million | US$500-1,500 | US$100-500 |
The main advantage of this scheme is stealth. The attackers’ behavior is indistinguishable from that of legitimate employees, especially if they connect during normal working hours and to the same systems.
Security tools focused on scanning for malicious files and suspicious processes often fail to detect anomalies when the attack is limited to routine logins and movement through the network. Furthermore, when data is stolen manually via RDP sessions or built-in RMM file-transfer features, it is difficult to trace the transferred files, as these actions leave no obvious network artifacts.
According to FortiGuard’s observations, attackers involved in such campaigns continue to actively use Mimikatz and its variants to extract passwords from memory, and continue to use the Zerologon exploit for privilege escalation. They sometimes also run utilities such as GMER, renamed to look like “system tools,” to hide their presence.
FortiGuard emphasizes that protecting against these threats requires a rethinking of approaches. Relying solely on traditional EDR systems that analyze malicious code no longer guarantees reliable security. A strategy based on user accounts and behavior is becoming more effective.
Businesses should create their own normal activity profiles and respond promptly to deviations, such as logins from unusual geographic locations, simultaneous connections to multiple servers, or activity outside of business hours.
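As an added illustration of the baseline-and-deviation approach described above (example code written for this page, not from FortiGuard or the report), a small Python detector over constructed logon records: it builds a per-user profile of source countries and target hosts from known-good history, then flags logins from a new country, connections to a never-seen server, activity outside an assumed 08:00-18:00 window, and a burst of distinct servers reached within five minutes. The record format, usernames, hostnames and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not data from the report):
# (timestamp, user, source country, target host). HISTORY is the known-good baseline period.
HISTORY = [
    ("2025-03-03T09:12:00", "alice", "IT", "fs01"),
    ("2025-03-03T10:40:00", "alice", "IT", "erp01"),
    ("2025-03-04T08:55:00", "alice", "IT", "fs01"),
    ("2025-03-05T11:20:00", "alice", "IT", "fs01"),
]
# Events to evaluate: one routine login, then deviations of the kinds the article lists.
NEW_EVENTS = [
    ("2025-03-06T09:05:00", "alice", "IT", "fs01"),
    ("2025-03-06T02:30:00", "alice", "IT", "fs01"),   # outside business hours
    ("2025-03-06T09:00:00", "alice", "RO", "fs01"),   # unusual source country
    ("2025-03-07T14:00:00", "alice", "IT", "hv01"),   # burst of never-seen servers
    ("2025-03-07T14:01:00", "alice", "IT", "hv02"),
    ("2025-03-07T14:02:00", "alice", "IT", "sql01"),
]

def build_baseline(history):
    """Per-user profile: source countries and target hosts seen in known-good history."""
    profile = defaultdict(lambda: {"countries": set(), "hosts": set()})
    for _, user, country, host in history:
        profile[user]["countries"].add(country)
        profile[user]["hosts"].add(host)
    return profile

def detect(events, baseline, work_hours=(8, 18), fanout_hosts=3, fanout_window=timedelta(minutes=5)):
    """Return (timestamp, user, reason) for every event that deviates from the user's baseline."""
    alerts = []
    recent = defaultdict(list)   # user -> [(time, host)] seen inside the fan-out window
    for ts, user, country, host in sorted(events):   # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        prof = baseline.get(user, {"countries": set(), "hosts": set()})
        if country not in prof["countries"]:
            alerts.append((ts, user, f"login from unusual country {country}"))
        if host not in prof["hosts"]:
            alerts.append((ts, user, f"first connection to {host}"))
        if not (work_hours[0] <= t.hour < work_hours[1]):
            alerts.append((ts, user, "login outside business hours"))
        # Sliding window: how many distinct servers did this user reach in the last few minutes?
        recent[user] = [(rt, rh) for rt, rh in recent[user] if t - rt <= fanout_window]
        recent[user].append((t, host))
        distinct = {rh for _, rh in recent[user]}
        if len(distinct) >= fanout_hosts:
            alerts.append((ts, user, f"{len(distinct)} distinct servers within {fanout_window}"))
    return alerts
```

In practice the profile would be built from weeks of identity-provider and VPN logs rather than four records, and the thresholds tuned per role.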
Particular attention is recommended to multi-factor authentication, not only for the external perimeter but also within the network. Even if an attacker obtains a password, requiring additional authentication will slow down their progress and increase the chances of detection. It is also important to limit administrator privileges, prevent the use of privileged accounts via VPN, and monitor their movements within the infrastructure.
FortiGuard recommends that organizations strictly control the use of remote administration tools. If these programs are not required for business purposes, they should be blocked, and any new installations or associated network connections should be monitored. Additionally, it is recommended to disable SSH, RDP, and WinRM on all systems where they are not needed and to configure alerts for any attempt to re-enable these services. According to analysts, such measures can also reveal hidden attempts at lateral movement within the network.