Published: January 16, 2026

Our bulletin Cyber Threat Watch has been created to help small businesses stay up to date on the latest threats, news, and events affecting their business. The content has been curated to make cybersecurity easy and accessible for both technical and nontechnical readers.

Featured Cyber Threat - Credential Harvesting

Many cybersecurity incidents may look different on the surface, but they often begin the same way—attackers gather legitimate login credentials and use them to access systems, acting as if they were authorized users. This technique, known as credential harvesting, continues to be one of the most common paths to data theft and exposure.

The latest updates from the Cybersecurity and Infrastructure Security Agency (CISA) reinforce that credential harvesting remains a primary entry point for both criminal and state-sponsored cyber activity. CISA’s recent Malware Analysis Report on the BRICKSTORM Backdoor, jointly released with its partners, confirms that attackers are actively extracting credentials to maintain long-term access. For small businesses, this shows why credential harvesting is an ongoing threat that requires consistent attention to prevention.

How Credential Harvesting Works

Credential harvesting refers to the technique used to gather valid usernames, passwords, authentication tokens, or other login information. With these legitimate credentials, attackers can access systems without triggering noticeable alarms.

This method continues to be effective for the following reasons:

  • Stolen credentials allow attackers to appear as authorized users.
  • Many systems still rely on passwords or single-factor authentication.
  • Credentials often remain valid for a long period, even after compromise.
  • Because the login itself is valid, the access keeps working after malware is removed or security controls are updated; it ends only when the compromised credentials are reset or revoked.

Once credentials are harvested, attackers can move through systems, access sensitive data, or deploy ransomware quietly.

What Recent Government Warnings Show

The following recent government updates highlight that credential harvesting remains a common access method across different threat types.

  • BRICKSTORM: A joint update from CISA and its partners confirms that state-sponsored actors are extracting legitimate credentials to maintain long-term, stealthy access to targeted organizational systems.
  • Cisco Firewall Devices: We covered CISA’s Emergency Directive (ED) 25-03 in our October bulletin. Since then, the Implementation Guidance has been released, clarifying how organizations should properly update affected devices and verify that patches have been applied correctly. CISA found that some systems marked as “patched” were still vulnerable and left authentication paths exposed.
  • Akira Ransomware: CISA’s advisory shows that credential harvesting has been used by criminal organizations for years and continues to affect small and medium-sized businesses, particularly through remote access systems that lack strong authentication.

Why It Matters and What to Do for Your Business

Small businesses are frequently targeted because credential controls are often assumed to be handled by IT service providers or built-in tools. In reality, gaps around identity, patching, and remote access are often present. To mitigate risk, your business can take the following practical steps:

  1. Management of Identity
    – Remove unused or inactive accounts, such as those for former employees, contractors, and vendors
    – Limit administrative privileges so everyday tasks are not performed with admin-level access
    – Avoid shared credentials for email, accounting systems, document sharing platforms, messaging tools, and remote access, which make misuse difficult to trace
  2. Management of Patches
    – Verify that necessary updates were applied correctly, not just scheduled or assumed to be completed
    – Confirm regularly that updates are fully completed, including operating systems, business applications, and network devices such as firewalls, virtual private networks (VPNs), and routers
    – Replace unsupported hardware or software that can no longer receive security updates
  3. Management of Remote Access
    – Require multi-factor authentication (MFA) for all remote connections, not only for administrators
    – Review who has remote access and whether it is still required for their role
    – Monitor for unusual login activity, such as access outside normal business hours or from unexpected locations
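Two of the steps above, removing inactive accounts and watching for off-hours or out-of-place logins, can be checked from remote-access logs with a short script. The example below is added here and is not from the bulletin or from CISA; the log lines, the account list, the office network range, business hours and the 90-day inactivity threshold are all constructed or assumed for illustration.

```python
"""Flag unusual remote-access logins and stale accounts from a small VPN log.

Added example, not from the bulletin. The log format, account list,
expected network, business hours and review date are all assumed.
"""
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log: one remote-access login attempt per line.
SAMPLE_LOG = """\
2026-01-12 09:05:11 user=alice src=203.0.113.10 result=success
2026-01-12 13:42:03 user=bob src=203.0.113.22 result=success
2026-01-13 02:17:45 user=alice src=198.51.100.7 result=success
2026-01-13 08:59:30 user=svc-backup src=203.0.113.5 result=success
2026-01-14 10:12:00 user=carol src=203.0.113.40 result=failure
2026-01-14 10:12:20 user=carol src=203.0.113.40 result=success
2026-01-15 23:30:08 user=bob src=203.0.113.22 result=success
"""

# Assumed: the office network (a documentation range), normal hours, and
# how long an account may go unused before it is a removal candidate.
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time
INACTIVE_AFTER = timedelta(days=90)
REVIEW_DATE = datetime(2026, 1, 16)    # assumed date the review is run

# Assumed account list; "dave-contractor" is a former contractor never removed.
ACCOUNTS = ["alice", "bob", "carol", "svc-backup", "dave-contractor"]

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"
)


def parse_log(text):
    """Turn the constructed log lines into event dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
            "result": m["result"],
        })
    return events


def unusual_logins(events):
    """Successful logins outside business hours or from outside the expected networks."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        reasons = []
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if not any(e["src"] in net for net in EXPECTED_NETWORKS):
            reasons.append("unexpected source")
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(sep=" "), reasons))
    return findings


def inactive_accounts(events, accounts, now):
    """Accounts with no successful login within INACTIVE_AFTER, or never seen at all."""
    last_seen = {}
    for e in events:
        if e["result"] == "success":
            last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    return sorted(
        a for a in accounts
        if a not in last_seen or now - last_seen[a] > INACTIVE_AFTER
    )


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, when, why in unusual_logins(evts):
        print(f"REVIEW {user} at {when}: {', '.join(why)}")
    print("inactive accounts:", inactive_accounts(evts, ACCOUNTS, REVIEW_DATE))
```

On the sample data the script flags alice's 02:17 login from outside the office range and bob's 23:30 login, and lists dave-contractor as an account with no recorded use. A flagged login is a prompt to ask the user, not proof of compromise; the point is that a harvested credential produces a successful login that looks normal unless its time and origin are compared against what is expected for that account.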

Conclusion

Credential harvesting is not a new threat, but it remains one of the most common ways attackers gain access. Recent government advisories underscore that both criminal and state‑sponsored actors continue to gather legitimate credentials and use them to work their way through systems without triggering alerts. For small businesses, revisiting basic security controls around identity, patching, and remote access is one of the most effective ways to reduce potential risk.

The NCSS encourages businesses to adopt comprehensive security practices and stay informed about evolving threats. We recommend you consider becoming an NCSS member to access a wide range of our services. For more information, visit our Small Business page.

About the NCSS

The National Cybersecurity Society (NCSS) is committed to improving the online safety and security of the small business community through education, awareness, and advocacy. As a 501(c)(3) organization, the NCSS uses funds from charitable donations and grants to develop educational materials, webinars, weekly cyber tips, videos, and how-to guides. The organization’s goal is to enable and empower small and medium businesses to obtain cybersecurity services, assist them in understanding their cyber risk, and advise on the type of protection needed. We want to continue to grow our community and encourage you to tell other small businesses we are here to help.

The NCSS is committed to respecting the use of images in our communication efforts. Accordingly, unless otherwise specifically noted, the graphics in our bulletin are sourced under license from Adobe Stock. The header and footer images were designed and purchased through a contract with Eyedea Advertising & Design Studio.