It always points back to stolen credentials. In the Verizon Data Breach Investigation Report (DBIR) it states that 50.7% of hacking actions against web applications occur because of stolen credentials that were harvested via key loggers or other malware. In the financial, public and information industries the percentage jumps from 50.7% to 95% of web application attacks occurring via credentials that were stolen from their owners. Regardless of the reason the attacker is trying to get in to a companies network, they are using stolen credentials so they look legitimate and can maneuver around the network seemingly undetected while they look for information to harvest.
There is a silver lining though. Companies can shift their security efforts toward a new perimeter of identity and have secure access control over their web applications. To find out more about protecting against stolen credentials and the new identity perimeter check out this white paper, Defending Against Advanced Threats at the Identity Perimeter.