Majority of Compromises Caused by Stolen Credentials, No MFA


More than half (56%) of all compromises in Q1 2025 resulted from the theft of valid account credentials with no multi-factor authentication (MFA) in place, according to new research by Rapid7, published during Infosecurity Europe 2025.

The researchers expect stolen credentials to continue to be the dominant initial access technique while organizations fail to protect all accounts with MFA.

In the previous two quarters, a similar proportion of initial access vectors were related to credential theft and a lack of MFA. 


Spotlight on Fortinet Vulnerability

The next most common initial access methods in Q1 were vulnerability exploitation and brute force attacks, each accounting for 13% of intrusions.

Notable vulnerability exploits in the quarter included a websocket-based race condition authentication bypass (CVE-2024-55591) affecting Fortinet’s FortiOS and FortiProxy flagship appliances.

Successful exploitation results in the ability to execute arbitrary CLI console commands as the super_admin user.

Rapid7 revealed that in one investigation, the attackers exploited the flaw to create local and administrator accounts with legitimate-looking names. This allowed the attackers access to firewall dashboards, which may have contained useful information about the devices’ users, configurations and network traffic.

In March, the Cybersecurity and Infrastructure Security Agency (CISA) warned that the vulnerability was being actively exploited in a ransomware campaign.

Other Observed Initial Access Techniques

Other initial access techniques highlighted in the report included exposed remote desktop protocol (RDP) services, SEO poisoning and exposed remote monitoring and management (RMM) tooling, each making up 6% of incidents.

The researchers found that while exposed RDP services accounted for 6% of initial access techniques, they were abused by attackers more generally in 44% of incidents.

RDP services are used to provide remote connections between a Terminal Server and the Terminal Server Client. Research has shown these services are often misconfigured, leaving them publicly exposed and therefore popular targets for cybercriminals.

RMMs, used to remotely manage and access devices, are often used to gain initial access, or form part of the attack chain leading to ransomware.

SEO poisoning has emerged as a growing social engineering attack vector in recent years. Cybercriminals pay for sponsored ads from search engine providers, which ensures their websites are listed above the regular search results.

In one case, victims’ searches for RV tools returned malicious websites as the top results. Visiting the sites and downloading the fake RV tools led to an escalating series of intrusions, data exfiltration and, ultimately, ransomware.

BunnyLoader the Top Malware Threat

The study found that the malware-as-a-service (MaaS) loader BunnyLoader was the most common payload used by cybercriminals in Q1 across 12 of the 13 industries analyzed.

These included manufacturing, healthcare, business services, finance and retail.

BunnyLoader can be leveraged for a range of purposes, including clipboard and credential theft, keylogging, and the ability to deploy additional malware.

In total, the payload was leveraged in 40% of all incidents tracked by Rapid7.

The most frequently targeted industry in Q1 was manufacturing, making up 24% of incidents.

This was followed by business services (17%), communications (12%), healthcare (11%), retail (10%) and finance (6%).
