Rapid7 Q1 2025 Incident Response Findings

Source: Rapid7 Cybersecurity Blog

Author: Chris Boyd

URL: https://www.rapid7.com/blog/post/2025/06/04/rapid7-q1-2025-incident-response-findings/

ONE SENTENCE SUMMARY:

Rapid7’s Q1 2025 report highlights stolen credentials without MFA as the top initial access vector, widespread BunnyLoader malware, and targeted ransomware attacks primarily affecting manufacturing.

MAIN POINTS:

  1. Stolen credentials without MFA remain the leading initial access vector, causing 56% of incidents.
  2. Exposed RDP services were the initial access vector in 6% but exploited further in 44% of incidents.
  3. Vulnerability CVE-2024-55591 in Fortinet appliances was widely exploited, enabling attacker control and data exfiltration.
  4. Exploited SimpleHelp RMM vulnerabilities (CVE-2024-57726/57727/57728) facilitated ransomware deployment.
  5. SEO poisoning via sponsored search ads led directly to malware downloads and ransomware attacks.
  6. BunnyLoader malware observed in 40% of incidents, prevalent across nearly all industries.
  7. Fake CAPTCHA attacks accounted for half of BunnyLoader malware deployments.
  8. Manufacturing was the most targeted industry, involved in over 24% of incidents.
  9. Qilin ransomware group actively targeted the healthcare, manufacturing, and financial sectors through double-extortion attacks.
  10. Attackers frequently disabled security tools and backups to prevent recovery post-compromise.

TAKEAWAYS:

  1. Implementing MFA remains critical, as attackers consistently exploit unprotected valid credentials.
  2. Organizations must secure exposed RDP and RMM tooling to prevent ransomware infections.
  3. Be cautious of sponsored search results to avoid SEO poisoning and malware downloads.
  4. Strengthen defenses against BunnyLoader malware, particularly fake CAPTCHA and compromised sites.
  5. Manufacturing organizations should prioritize securing legacy systems and complex supply chains.