IBM X-Force: Hackers recycle previously stolen data to get into networks

Cybercriminals are not only sticking with traditional methods, such as phishing and exploitation of vulnerabilities, they are also recycling previously stolen credentials in hacking their way to an organization’s network, according to the latest IBM X-Force Threat Intelligence Index 2020 report.

According to the report, criminals use previously stolen credentials as point-of-entry 29% of the time in observed incidents. In 2019, the report states more than 8.5 billion records were compromised — resulting in a 200% increase in exposed data reported year over year, adding to the growing number of stolen credentials that cybercriminals can use as their source material.

This strategy is among the three successful initial infection vector that IBM’s X-Force Threat Intelligence Index, which highlights contributing factors to this evolution, found out.

Have you read “Survey: PH corporate execs leverage data trust to achieve market leadership”?


One-third of incidents (31%) are attributed to phishing, compared to half in 2018. Previously stolen data and software vulnerability exploitation account for 60% of initial entries into victims’ networks.

Scanning and exploitation of vulnerabilities resulted in 30% of observed incidents, compared to just 8% in 2018. Older and known vulnerabilities in Microsoft Office and Windows Server Message Block still record high rates of exploitation in 2019.

“The amount of exposed records that we’re seeing today means that cybercriminals are getting their hands on more keys to our homes and businesses. Attackers won’t need to invest time to devise sophisticated ways into a business; they can deploy their attacks simply by using known entities, such as logging in with stolen credentials,” said Wendi Whitmore, Vice President, IBM X-Force Threat Intelligence.

“Protection measures, such as multi-factor authentication and single sign-on, are important for the cyber resilience of organizations and the protection and privacy of user data.”
– Wendi Whitmore, vice president, IBM X-Force Threat Intelligence

70 billion security events

IBM X-Force conducted its analysis based on insights and observations from monitoring 70 billion security events per day in more than 130 countries. Data is gathered and analyzed from multiple sources including X-Force IRIS, X-Force Red, IBM Managed Security Services, and publicly disclosed data breach information. IBM X-Force also runs thousands of spam traps around the world and monitors tens of millions of spam and phishing attacks daily while analyzing billions of web pages and images to detect fraudulent activity and brand abuse.

The analysis also yielded more than 8.5 billion breached records reported in 2019, seven billion of those, or over 85%, were due to misconfigured cloud servers and other improperly configured systems — a stark departure from 2018 when these records made up less than half of total records.

Some of the most active banking trojans found in this year’s report, such as TrickBot, were increasingly observed to set the stage for full-on ransomware attacks. Novel code used by banking trojans and ransomware topped the charts compared to other malware variants discussed in the report.

The IBM X-Force report found that tech, social media, and content streaming household brands make up the “Top 10” spoofed brands that cyber attackers are impersonating in phishing attempts. This shift could demonstrate the increasing trust put in technology providers over historically trusted retail and financial brands. Top brands used in squatting schemes include Google, YouTube, and Apple.