CERT Intrinsec Incidents Report 2025
ID: fbe5b025-ea16-5ab2-b3cc-30ded2689ae5
STIX ID: report--fbe5b025-ea16-5ab2-b3cc-30ded2689ae5
Feed Name: Intrinsec Blog
CERT Intrinsec's 2025 incident response review of 60 confirmed compromises highlights widespread use of Initial Access Brokers, BEC targeting Microsoft 365 (AitM and DirectSend), exploitation of public-facing vulnerabilities, stolen VPN credentials, industrial-scale infostealers, and ransomware double-extortion (Akira, LockBit, Fog, Incransom, Lynx) with rapid pre-encryption exfiltration. Key operational findings include attackers staging exfiltration on Tier 0 systems using RCLONE (frequently to Mega.nz), heavy reliance on native Windows interpreters and tools (Impacket, NetExec), pervasive failures in centralized logging and monitoring, and consistent targeting of Active Directory. The report provides actionable recommendations such as enforcing MFA/FIDO2, AD tiering and PAWs, immutable/offline backups, restricting outbound internet from Tier 0 systems, and improving log collection and detection coverage.
