

A new report out today from Cisco Talos, a cybersecurity company that’s part of Cisco Systems Inc., found that in 2024, cybercriminals didn’t need zero-days or custom malware to wreak havoc: They just logged in, with identity-based attacks, misused legitimate tools and years-old vulnerabilities driving the majority of security incidents last year.
The findings come from the Talos 2024 Year in Review report, based on telemetry from more than 46 million devices across 193 countries and regions, analyzing more than 886 billion security events daily. The report found that identity attacks were involved in 60% of incidents, showing up in every phase of the attack lifecycle.
Attackers were often found to use valid credentials and native tools, not flashy new malware. Where identity wasn’t involved, old vulnerabilities were exploited, some decades old. For ransomware and multifactor authentication bypass, identity was the lead access path.
Identity was central across all attack phases: access, escalation, lateral movement and persistence. Of identity-based incidents, Active Directory was targeted in 44% of cases, while cloud application programming interface compromises accounted for 20% of identity-related incidents.
Identity-based attack motivations included ransomware at 50%, credential harvesting and resale at 32%, espionage at 10%, and financial fraud at 8%.
Facilitating identity-based attacks was a weakness in MFA, which was the top-observed security issue when it came to these sorts of attacks. Common MFA failures included having no MFA on virtual private networks, MFA exhaustion/push fatigue — where attackers flood a user’s device with repeated multi-factor authentication prompts in hopes the user will eventually approve one out of frustration or confusion — and improper enrollment monitoring.
MFA attacks often targeted identity and access management systems such as those from Citrix Systems Inc., Microsoft Corp. and Fortinet Inc.
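The push-fatigue pattern described above can be surfaced from MFA logs by looking for a burst of denied or timed-out prompts, and treating an approval that follows such a burst as the higher-severity case. The sketch below is an added example, not code from the Talos report or this article; the log format, user names, window and threshold are assumptions to be replaced with your identity provider's fields and your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not data from the report): time, user, result.
SAMPLE_LOG = """\
2024-06-01T02:10:05 alice denied
2024-06-01T02:10:40 alice timeout
2024-06-01T02:11:15 alice denied
2024-06-01T02:11:50 alice timeout
2024-06-01T02:12:30 alice denied
2024-06-01T02:13:02 alice approved
2024-06-01T13:00:00 bob timeout
2024-06-01T13:00:30 bob approved
"""

def parse(log):
    for line in log.splitlines():
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users with >= threshold unapproved pushes inside a sliding window.
    Severity is 'high' if an approval arrives while the burst is still in the
    window (the user may have given in), otherwise 'medium'."""
    recent = defaultdict(deque)  # user -> times of denied/timed-out pushes
    findings = {}
    for ts, user, result in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()  # age out pushes older than the window
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                f = findings.setdefault(user, {"user": user, "severity": "medium", "failed": 0})
                f["failed"] = max(f["failed"], len(q))
        elif result == "approved":
            if len(q) >= threshold:
                findings[user].update(severity="high", approved_at=ts)
            q.clear()  # an approval ends the current burst
    return list(findings.values())

if __name__ == "__main__":
    for finding in detect_push_fatigue(parse(SAMPLE_LOG)):
        print(finding)
```

A single timeout followed by an approval, as in the constructed `bob` entries, stays below the threshold and is not flagged.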
Other findings in the report included that threat actors’ use of artificial intelligence was limited in 2024, with AI mainly being used to enhance social engineering and automation. Generative AI was also used for phishing campaigns, email lures and voice deepfakes.
The increasing adoption and expansion of capabilities from AI and large language models is noted in the report as presenting increasing concerns in 2025, specifically as agentic AI becomes capable of autonomous operations and as automated vulnerability discovery and exploitation become more common. AI systems themselves are noted as becoming more likely to be targeted, particularly as they are rolled out in supply chain pipelines.