All news in category "Threat and Trends Reports"

How CISOs Justify Security Investments to the Board

🔒 CISOs must position security investments as strategic enablers that directly support corporate objectives rather than as purely technical upgrades. Presentations should connect proposed solutions to outcomes like entering new markets, protecting margins, ensuring compliance, and improving resilience. Use concrete scenarios, cost models, and recovery timelines to show how investments reduce probability and impact of incidents while improving operational stability. Tailor messaging to the board’s maturity and speak in terms of risk, return, and shareholder value.

Using Managed XDR to Address Cybersecurity Skills Gaps

🔒 Managed Extended Detection and Response (MXDR) enables organizations to augment understaffed security teams with experienced analysts who provide continuous monitoring and rapid response. Providers deliver 24/7 coverage, broad sensor visibility, and immediate containment actions such as endpoint isolation. MXDR can reduce the need to hire internal specialists, but organizations must evaluate vendors carefully for expertise, data protection, and configurability.

Over 10,000 Docker Hub Images Expose Live Secrets Globally

🔒 A November scan by threat intelligence firm Flare found 10,456 Docker Hub images exposing credentials, including live API tokens for AI models and production systems. The leaks span about 101 organizations — from SMBs to a Fortune 500 company and a major national bank — and often stem from mistakes like committed .env files, hardcoded tokens, and Docker manifests. Flare urges immediate revocation of exposed keys, centralized secrets management, and active SDLC scanning to prevent prolonged abuse.

How Staff+ Security Engineers Can Force-Multiply Impact

🔧 Staff+ security engineers should move from being individual problem-solvers to force multipliers by enabling others, automating enforcement, and shaping security strategy. The article recommends practical mechanisms—policy-as-code, paved paths, mentorship trees—and disciplined delegation to scale impact. It urges embedding security via shift-left practices, reusable reference architectures, and cautious AI-assisted tooling. During incidents, act as an orchestrator, set inflection points, and bridge teams with leadership to preserve strategic influence.

Behind the Breaches: Case Studies of Modern Threat Actors

🔍 This analysis examines leaked communications and recent incidents to reveal how modern threat actors organize, adapt and blur the lines between criminal, contractor and researcher roles. Leaked BlackBasta chats show internal discord, leadership opacity, technical debt and disputes over revenue and workload. The EncryptHub case highlights a solo operator who both conducted malware and credited vulnerability disclosures to Microsoft, illustrating the growing hybridization of actor identities. Finally, BlackLock’s open recruitment for "traffers" demonstrates how the ransomware supply chain is becoming commoditized and industrialized.

November 2025: Ransomware and GenAI Drive Cyber Attacks

🛡️ In November 2025, organizations faced an average of 2,003 cyber-attacks per week, a 3% rise from October and 4% above November 2024. Check Point Research attributes the increase to a surge in ransomware, broader attack surfaces and growing exposure from internal use of generative AI tools. The education sector was hit hardest, averaging 4,656 attacks per organization per week. These trends elevate operational, data and recovery risks across industries.

Tens of Millions Download Vulnerable Log4j (Log4Shell)

🛡️ Sonatype reports that 13% of Log4j downloads in 2025 — roughly 40 million of 300 million Maven Central downloads analyzed — remain vulnerable to the CVSS 10.0 Log4Shell flaw first disclosed four years ago. The vendor describes this as corrosive risk, where fixes exist but unsafe versions continue to spread because consumers don’t upgrade or transitive dependencies reintroduce bad releases. Sonatype highlights noisy SCA alerts, set-and-forget dependencies and poor selection criteria as root causes. It urges using SCA and artifact repositories to map exposure, automating upgrade PRs, enforcing repository guardrails and adopting new metrics to reduce unnecessary risk.

Exposed GitHub PATs Enable Access to Cloud Secrets

🔒 Recent research from the Wiz Customer Incident Response Team shows attackers are using exposed GitHub Personal Access Tokens (PATs) to retrieve GitHub Action Secrets and pivot into cloud environments. A read-level PAT can leverage GitHub’s API code search to locate secret references like "${{ secrets.SECRET_NAME }}" — and because those search API calls are not logged, discovery is stealthy. Once obtained, cloud provider credentials let attackers spin up resources, exfiltrate data, install malware, or persist while often evading detection. Organizations should treat PATs as privileged credentials: enforce expiration and rotation, remove cloud secrets from workflows, apply least privilege, and improve monitoring and developer training.

From Adoption to Impact — DORA AI Capabilities Model Guide

🤖 The 2025 DORA companion guide highlights that AI acts as an amplifier, boosting strengths and exposing weaknesses across teams. Drawing on a cluster analysis of nearly 5,000 technology professionals, it identifies seven foundational capabilities — including a clear AI stance, healthy and AI-accessible data, strong version control, small-batch workflows, user-centric focus, and quality internal platforms — that increase the odds of positive outcomes. The guide maps seven team archetypes to help leaders diagnose where to start and offers a Value Stream Mapping facilitation to direct efforts toward system-level constraints so AI-driven productivity scales safely.

Racks, Sprawl and the Myth of Redundancy in Modern Networks

🔁 The article traces redundancy from tangible rack-level practices to fragile cloud and software-defined environments. It argues that physical diversity, disciplined configuration management and automation remain essential as networks span BGP, SD-WAN, edge devices and cloud control planes. Real resilience requires policy alignment, diverse DNS and routing protections and rehearsed pre-mortems so backups are usable when they matter most.

Four clusters exploiting CastleLoader expand MaaS reach

🛡️Recorded Future's Insikt Group attributes rapid expansion of a modular loader ecosystem to an actor named GrayBravo, noting the distribution of a loader called CastleLoader under a malware-as-a-service model. The report identifies four distinct operational clusters that employ phishing, ClickFix campaigns, malvertising, and impersonation to deliver CastleLoader and secondary payloads such as CastleRAT and NetSupport RAT. These campaigns target logistics and enterprise software users and leverage multi-tiered C2 infrastructure and fraudulent platform accounts to increase credibility and resilience.

Hidden Forensic Evidence in Windows ETL: Diagtrack File

🔍 FortiGuard IR analysts discovered that an obscure ETL file, AutoLogger-Diagtrack-Listener.etl, can retain historical process execution data useful for post-incident forensics. Parsing ETW payloads exposed ProcessStarted events including ImageName, ProcessID, ParentProcessID and sometimes CommandLine entries that revealed deleted tools. Controlled testing showed creating the autologger and setting AllowTelemetry=3 often produced an empty file, indicating the DiagTrack service may populate the file only under undocumented conditions. Further research is needed to understand when and how this telemetry is written.

BYOVD Loader Used to Disable EDR in DeadLock Ransomware

🔐 Cisco Talos reported a novel Bring Your Own Vulnerable Driver (BYOVD) loader used to disable endpoint security and deliver DeadLock ransomware. The attacker exploited a Baidu Antivirus driver vulnerability (CVE-2024-51324) via a loader named EDRGay.exe and driver DriverGay.sys to terminate EDR processes at kernel level. A PowerShell payload bypassed UAC, disabled Windows Defender, stopped backup and database services, and removed all volume shadow copies. DeadLock uses a custom timing-based stream cipher and extensive kill and exclusion lists to encrypt files while avoiding system corruption.

Whaling attacks against executives: risks and mitigation

🎯 Whaling attacks are highly targeted social engineering campaigns aimed at senior executives that combine reconnaissance, spoofing, and urgency to trick leaders into divulging credentials, approving transfers, or executing malware-laden actions. Threat actors exploit executives’ visibility, limited time, and privileged access, and increasingly leverage generative AI and deepfakes to scale and refine impersonations. Key defenses include personalised executive simulations, strict multi-party approval flows for high-value transfers, AI-enhanced email filtering, deepfake detection, and a Zero Trust approach to access.

Manufacturing Sees Fewer Encryptions but Ransom Risks

🔒 A recent Sophos study finds the manufacturing sector is blocking more ransomware before encryption, with only 40% of attacks resulting in data encryption this year versus 74% in 2024. Despite improved containment, data theft remains high (39% of encrypted cases) and more than half of affected firms paid ransoms; the median payment was about €861,000. Shortages of skilled staff, unknown vulnerabilities and inadequate protections are cited as root causes, and attacks are increasing stress and leadership pressures within IT teams.

FinCEN: Ransomware Gangs Extorted $2.1B (2022–2024)

📊 A FinCEN analysis of 4,194 Bank Secrecy Act filings found organizations paid more than $2.1 billion in ransom between January 2022 and December 2024. Ransomware incidents peaked in 2023 before falling in 2024 after law enforcement actions disrupted ALPHV/BlackCat and LockBit. Most ransom payments were under $250,000 and roughly 97% were made in Bitcoin. Manufacturing, financial services, and healthcare were the most targeted industries.

Balancing Cost and Cyber Resilience in Procurement Strategies

🔒 Procurement teams frequently chase short‑term savings, consolidating suppliers and selecting the lowest‑cost vendors, which can create systemic cyber fragility. The article warns that cost-focused procurement often overlooks vendor security posture and incident readiness, leading to outsized losses in breaches, ransomware or supply disruptions. It recommends cyber due diligence, risk-tiering, minimum baselines (e.g., MFA, encryption, patching), resilience KPIs (MTTD, MTTR, RTO) and cross-functional governance to align cost with resilience. Strategic partnerships, scenario testing and cultural change convert procurement from bargain hunters into resilience builders.

Weekly Cyber Recap: React2Shell, AI IDE Flaws, DDoS

🛡️ This week's bulletin spotlights a critical React Server Components flaw, CVE-2025-55182 (React2Shell), that was widely exploited within hours of disclosure, triggering emergency mitigations. Researchers also disclosed 30+ vulnerabilities in AI-integrated IDEs (IDEsaster), while Cloudflare mitigated a record 29.7 Tbps DDoS attributed to the AISURU botnet. Additional activity includes espionage backdoors (BRICKSTORM), fake banking apps distributing Android RATs in Southeast Asia, USB-based miner campaigns, and new stealers and packer services. Defenders are urged to prioritize patching, monitor telemetry, and accelerate threat intelligence sharing.

Substitution Cipher Modeled on the Voynich Manuscript

🧩 Bruce Schneier highlights a new paper proposing the Naibbe cipher, a verbose homophonic substitution method that transforms Latin and Italian plaintext into ciphertext resembling the Voynich Manuscript. The author demonstrates the cipher can be executed entirely by hand with plausible 15th‑century materials. Applied to a range of texts, Naibbe reproduces many of the manuscript’s key statistical properties while remaining decipherable. Schneier observes this keeps the ciphertext hypothesis viable and places constraints on plausible substitution structures.

Preparing Retailers for Holiday Credential Threats

🔒 Retailers face concentrated credential risk during holiday peaks as bot-driven fraud, credential stuffing and pre-staged automated attacks target logins, payment tokens and loyalty balances. Effective defenses combine adaptive MFA, bot management, rate limiting and credential-stuffing detection to stop automation without harming checkout conversion. Strong controls for staff and third parties, plus tested failovers and tools like Specops Password Policy to block compromised passwords, reduce blast radius and protect revenue.