For the first time in its publication history of nearly 20 years, Verizon's annual Data Breach Investigations Report (DBIR) is tracking vulnerability exploitation as the leading initial access method for attackers. Stolen credentials had been the #1 method for the entirety of the report's history up to this year.
Talos confirms that at least one known Cisco bug, CVE-2018-0171, was likely to have been actively exploited by Salt Typhoon. But the researchers say that the primary approach was to target legitimate existing credentials, likely through a variety of methods.
The campaign was conducted by malicious hackers who sold the stolen credentials off, with much of the info being put to use in spam and phishing campaigns. The attack simply made use of open-source tools to scan IP ranges for potentially vulnerable Git config files.
The 1.2 terabyte MOAB file is broken up into over 3,800 folders, each one representing a prior data leak that saw personal information or credentials make their way to the open internet. In total there are over 26 billion records.
Digital transformation, hybrid work, third-party partnerships, and other factors have weakened security controls. It’s now more likely than not that the adversary is already hiding within the network, and equally as likely that they got in with stolen, now compromised, credentials.





