How Attackers Get In: Unpatched Vulnerabilities and Compromised Credentials

How are bad actors getting access to organizations? In many cases, they simply log in. Sophos research finds that one of the most common root cause of attacks is compromised credentials. In fact, 30% of respondents to its 2023 Active Adversary Report for Business Leaders said criminals have used these credentials to log on and steal data. 

Compromised credentials were second only to unpatched vulnerabilities – the most common cause of attackers gaining initial access to targeted systems. In fact, in half of investigations included in the report, attackers exploited ProxyShell and Log4Shell vulnerabilities –vulnerabilities from 2021 — to infiltrate organizations. 

It’s clear the threat environment related to these two factors has only grown in volume and complexity – to the point where there are no discernible gaps for defenders to exploit in their quest to protect the organization. 

Why are so many vulnerabilities still going unpatched?

Bugs that date back years still linger – unpatched. That’s why one of the primary areas security leaders should examine is how well their patching program works. So many vulnerabilities are still not getting the attention they require.

“I think there are several reasons why people still are not patching,” said John Shier, field CTO, commercial at Sophos. “First, I think there are some other business priorities that might get in the way of patching in a timely manner. It could be deploying a new system to enable the business takes priority.” Other factors include a lack of defined process for patching within an organization. 

“Every month, there are patches released that need to be addressed, but for many teams it comes down to getting around to it. If there is little maturity in their patching program, there’s often no defined cadence there, and it is of potentially little importance either.”

Shier suggests defenders follow a few tips to enhance their patching process and to shore up defenses around credentials.

Sponsorship from the top down. Patching will always be low priority if executive leadership is not advocating for it. “You have to say, from the executive leadership: “We will have this patching program in place. We will define the patching timeframes; we will define the patching priorities.'”

Enable multi-factor authentication (MFA). MFA for systems should be table stakes now, but for many it is still not in place. Shier says if your services are not protected with MFA they should be. If MFA is unavailable for the service, it should be protected by something capable. “We have seen credentials used in many attacks because authentication is not hardened enough. A lot of organizations are just not up to standards.”

Mind your legacy systems. Shier says while some industries, like manufacturing, struggle with having older systems more than others, all organizations need to be mindful of updating older technology – which can often be behind attacks and breaches simply because they are so easy to exploit. “For example, Windows XP persisted for a very long time in some of these environments,” said Shier. “When you see that kind of thing it’s both out of date technology but also the inability to take action on legacy systems.”

Keeping systems patched and credentials secure are some of the first essentials steps to preventing a data breach or an attack. Learn how Sophos can provide you with managed security to assist your organization with timely system updates by visiting

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button