< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1639 articles

Weekly ThreatsDay: Emerging cyber risks and trends

🔒 This ThreatsDay roundup highlights a series of recent, pragmatic security incidents and research findings that stem from routine administrative mistakes and small configuration errors. It covers a multinational fraud takedown, malicious typosquatting of payment SDKs, novel code-injection techniques, and a critical unauthenticated ArcGIS Server flaw. The report also outlines ransomware tool overlaps, data-exfiltration concerns in Claude Code, social engineering campaigns abusing Teams and Meta, and multiple kernel and driver vulnerabilities.
read more →

Cloudflare on ML‑DSA and the PQ signature landscape

🔒 Cloudflare explains why ML‑DSA, the NIST‑standardized post‑quantum signature, must be used for the initial migration even though better schemes may arrive later. The post‑quantum transition is underway: most traffic already uses ML‑KEM encryption, and Cloudflare targets full post‑quantum protection by 2029. The post outlines tradeoffs among candidate signature families — size, speed, and implementation risks — and highlights why specialization and generalist schemes will both be needed.
read more →

June 2026: Global Cyber Attacks and Ransomware Shift

📈 June 2026 saw a notable rebound in global cyber attacks, with weekly incidents per organization averaging 2,270, up 10% from May and 17% year over year. Education, Government, and Telecommunications were the most targeted industries, while Latin America recorded the largest regional increase. Ransomware incidents surged 33% year over year, and The Gentlemen overtook Qilin as the most active ransomware group.
read more →

CISOs Warn Executives Lack Understanding of Cyber Risk

🔒 A MetaCompliance report (July 9) based on responses from over 200 European CISOs finds 78% believe C-level executives do not fully grasp cybersecurity risks tied to employee behaviour. The survey highlights fading leadership support for security awareness, with 79% saying backing wanes over time and 40% worried employees share sensitive data with generative AI tools. AI-driven social engineering is cited as a key factor eroding confidence in organisational cyber resilience.
read more →

Why clearinghouses aren’t the core solution

🛠️ Athena joins a crowded set of recently announced clearinghouses, but the author argues the clearinghouse itself is the least important part of the equation. Clearinghouses are simply pools of vulnerability data; the real value is in actuation — rebuilding, testing, signing, and delivering fixes where users will actually consume them. The rise of private pre-disclosure findings is a byproduct of models tested against running applications, and scale plus fast throughput matters more than the mere existence of another database.
read more →

Rise of Malicious AI Agents Threatens Organizations

🤖 ESET analysis shows cybercriminals increasingly use AI agents and chatbots to autonomously plan and execute attacks. Researchers reviewed 900,000 AI skills in public repositories and found tens of thousands of suspicious and thousands of malicious toolsets, expanding the attack surface. These agentic tools can exfiltrate data, execute malware, override instructions, and be repurposed from legitimate utilities into harmful capabilities. ESET urges organizations to enforce policies and caution users about downloading free tools from untrusted sources.
read more →

Enterprises favor convenience, increasing lateral movement risk

🔒 Zero Networks’ 2026 report, analyzing 54 trillion activities across 312 enterprise environments, finds that most internal servers remain broadly reachable and rely on legacy protocols. The study highlights that >80% of servers are accessible from anywhere inside networks, with 87% accepting RDP/SSH and 78% reachable via SMB/WinRM, while 43% still use NTLM. Experts warn this widespread internal connectivity enables easy lateral movement for attackers and call for segmentation, identity controls, and containment strategies.
read more →

GitHub API abuse fuels enterprise reconnaissance

🔎 Datadog Security Research has tracked sustained abuse of GitHub’s public APIs where automated scanners, leaked credentials, and ghost accounts map organizations and members. Attackers harvest source code, secrets, and pipeline data by blending requests into normal traffic and leveraging the /graphql endpoint and REST org-mapping calls. Detection requires auditing user agents, token types, and unusual actor behavior, while enterprises should enable audit log streaming, MFA, access reviews, and credential scanning.
read more →

AI coding agents trigger endpoint behavioral detections

🛡️ Sophos analyzed a week of June 2026 telemetry and found AI coding agents like Claude Code, Cursor, and OpenAI Codex frequently trigger behavioral detection rules designed to catch human attackers. The agents perform actions—decrypting browser credentials, enumerating Windows Credential Manager, downloading files via LOLBins, and writing startup scripts—that look like malicious behavior to endpoint engines. While often benign developer automation, these behaviors overlap precisely with attacker techniques and can generate false positives. Sophos recommends scoping rules to agent parents, workspaces, and download reputations while keeping credential access tightly controlled.
read more →

Verification Step Emerges as New ATO Attack Surface

🛡️ Passkeys and passwordless flows are reducing credential stuffing, but attackers now target identity verification and recovery paths such as magic links, step-up flows, and re-enrollment. Generative AI has made impersonation and synthetic media widespread, increasing fraudulent verification attempts. Defenders must adopt biometric liveness, risk-based re-verification, intent binding, and network-effect signals to stay ahead as regulations and threats evolve.
read more →

Verify threat indicators before acting on feeds

🔍 The author recounts multiple cases where threat intelligence feeds and advisories mischaracterized malware or buried stronger indicators in machine-readable files. They describe a commercial feed mislabeling a Windows DonutLoader variant as the Linux Chalubo RAT, an official advisory whose PDF lacked stronger hashes present in the STIX bundle, and a CERT report with binary-level discrepancies. The piece stresses that labels and pipeline metadata are guesses until validated and urges analysts to open structured files and detonate samples when stakes are high.
read more →

ESET H1 2026: Threats, AI, and Ransomware Trends

🔍 The first half of 2026 sees attackers adapting established techniques to new platforms and behaviours, with AI increasingly shaping operations. ESET analyzed nearly 900,000 AI skills and found tens of thousands suspicious and thousands malicious, while AI features began appearing inside malware such as the Android PromptSpy. Other trends include expanded click-based social engineering, surging QR-code phishing, and persistent ransomware activity using EDR killers.
read more →

Top IT Security Certifications Driving Higher Pay

🔍 Foote Partners' 2Q 2026 report ranks the most valuable IT security certifications by average pay premium and recent market value increase. The article lists the top 13 credentials employers value now, describing each certification’s focus, prerequisites, exam length, and typical training and exam costs. It highlights portfolio certifications like GIAC’s GSE and GSP, vendor offerings from Microsoft and Check Point, and vendor-neutral options such as CCSK, ISACA’s CRISC and CISA, and ISC2’s CISSP and CSSLP. Practical, hands-on credentials like GX-CS and OffSec’s PEN-200/OSCP+ are also covered.
read more →

GitHub Actions attack pattern that eludes CI scanners

🛡️ In June 2026, Novee Security disclosed "Cordyceps," a CI/CD composition weakness across thousands of high-impact repositories that flagged 654 and confirmed 300+ exploitable cases. The issue stems from how GitHub Actions events like pull_request_target and workflow_run execute with elevated privileges and can be tricked into running attacker-controlled content. Each workflow file appears valid, so SAST/DAST tools miss the cross-file composition that enables command, code injection and cross-workflow privilege escalation. Vendors have patched, but the broader governance gap—exacerbated by AI-generated workflows—remains and requires stricter trust boundaries and provenance controls.
read more →

Scattered Spider framed as decentralized cybercrime collective

🕷️ Group-IB redefines Scattered Spider as a decentralized collective made up of independent clusters rather than a single organized group. The firm's June 7 analysis finds that multiple actors share tactics, tools and communities while operating separately, which explains persistent activity despite arrests. Common targets include tech employees, mobile carrier staff and cryptocurrency users, with social engineering and identity-based attacks central to operations. Group-IB advises defenders to focus on the shared techniques across clusters.
read more →

Recovering active ADFS signing keys via Machine DPAPI

🛡️ This post examines how ADFS token-signing private keys persisted in the machine-scoped key store and protected by Machine DPAPI can be recovered by a sufficiently privileged local context. It describes a red team finding where manual certificate rotations with AutoCertificateRollover disabled created configuration drift, leaving active signing keys exposed in Machine DPAPI and enabling forged SAML assertions. The article outlines extraction details, detection guidance, and mitigation measures including HSM use and configuration validation.
read more →

Monday Recap: Proxy Botnets, Browser Ransomware

⚡ Google and partners disrupted the NetNut residential proxy network (aka Popa), which abused smart home devices and preinstalled SDKs to route malicious traffic through an estimated 2 million devices. Other incidents this week include fake PoC repos delivering the ChocoPoC RAT via a dependency, a 19-year-old alleged Scattered Spider suspect extradited to the U.S., and a Brazilian Ousaban banking trojan targeting Spain and Portugal. Check Point flagged AI-generated browser ransomware leveraging the File System Access API, illustrating AI can autonomously devise working attack techniques.
read more →

AI Reveals a Validation Gap in Cybersecurity Skills

🔍 The article argues that cybersecurity faces a validation gap rather than a simple skills shortage, stressing that theoretical training and certifications can’t replicate real-world experience. It highlights risks from rapid AI deployment without governance, and notes many organizations lack visibility into AI breaches. The author advocates building continuous, hands-on cyber ranges with AI Proving Grounds, realistic environments, and post-exercise analysis to nurture and validate talent.
read more →

TrojPix: High‑Speed Air‑Gap Data Exfiltration

🖥️ Researchers at Shandong University demonstrated TrojPix, a novel covert channel that modulates otherwise imperceptible on-screen pixels so the video cable emits a faint radio signal a nearby receiver can decode. The technique requires only user-level malware that can draw to the screen and achieved a peak throughput of 8.1 Mbps and a laboratory range reported up to 208 meters. TrojPix works without hardware changes, can hide transmissions under normal-looking content or a fake powered-off display, and was tested across multiple monitor brands and cable types.
read more →

Seven common cyber risk assessment mistakes to avoid

🔍 A cyber risk assessment should be a decision tool that ties technical findings to business impact, yet many organizations fall into common pitfalls. Experts warn against rote, checklist-driven assessments, sugarcoating results, narrow scoping, and overreliance on risk registers that mask assumptions. Other frequent missteps include failing to link risks to business outcomes, confusing compliance with true security, and neglecting the implications of new technologies like AI. The article outlines seven practical gotchas and recommends context-driven, continuous risk assessment involving business stakeholders to produce actionable, defensible insights.
read more →