All news in category "Threat and Trends Reports"

Fri, November 21, 2025

Root Cause Analysis Lags, Undermining Incident Resilience

🔍 Post-incident learning often falls behind containment, with Foundry’s Security Priorities study reporting 57% of security leaders struggled to identify root causes last year. Experts warn that prioritizing firefighting over forensic investigation leaves organizations exposed to repeat breaches and that disciplined evidence preservation is essential. Centralized telemetry such as SIEM, and forensic-capable services like MDR and XDR, plus structured postmortems, are key to building long-term resilience.

Fri, November 21, 2025

Sneaky2FA Adds Browser-in-the-Browser to Phishing Kits

🛡️ Researchers report that the Sneaky2FA phishing-as-a-service kit now includes browser-in-the-browser (BITB) functionality that lets attackers embed a fake browser window with a customizable URL bar to mimic legitimate sites such as Microsoft. The iframe-backed pop-up captures credentials and MFA codes in real time, enabling attackers to hijack active sessions. This change lowers the skill threshold for criminals and undermines many signature-based defenses, prompting calls for updated training and stronger browser configurations.

Thu, November 20, 2025

Massive Scan Campaign Targets GlobalProtect VPN Portals

🔎 GreyNoise reports a roughly 40x surge in malicious scans against Palo Alto Networks GlobalProtect VPN login portals beginning November 14, with about 2.3 million sessions hitting the /global-protect/login.esp endpoint between Nov 14–19. Activity focused on the United States, Mexico, and Pakistan and is linked to recurring TCP/JA4t fingerprints and ASN reuse, notably AS200373 and AS208885. GreyNoise recommends treating these probes as active reconnaissance — block and monitor attempts rather than dismissing them.

Thu, November 20, 2025

Turn Windows 11 Migration into a Security Opportunity

🔒 Organizations should treat the Windows 11 migration as a strategic security opportunity rather than a routine OS update. While some users resist moving from Windows 10 or explore alternatives like Linux or legacy releases, those choices can introduce operational headaches and security gaps, especially as Microsoft phases out support. Use the transition to validate backups, recovery objectives, and patch posture to reduce exposure to unpatched vulnerabilities that increasingly target MSPs and their clients.

Thu, November 20, 2025

97% of Companies Hit by Supply Chain Breaches, BlueVoyant

🛡️ A BlueVoyant survey finds 97% of organizations were negatively impacted by a supply chain breach, up sharply from 81% in 2024. The State of Supply Chain Defense: Annual Global Insights Report 2025, published 20 November, shows many firms are maturing TPRM programs and shifting oversight into cyber or IT teams. Despite increased maturity, respondents report persistent issues such as lack of executive buy-in, compliance-first approaches, limited integration with enterprise risk frameworks, and a trend of adding vendors faster than they add visibility or remediation capacity.

Thu, November 20, 2025

3 Ways CISOs Can Win Over Their Boards This Budget Season

🔒 As CISOs finalize next year’s cybersecurity budgets, winning board approval requires translating technical needs into business value. First, quantify risk in financial terms—estimate value at risk across worst-, best- and most‑likely scenarios, using industry reports, internal experts and vendor assessments to model direct losses, business interruption and reputational impact. Second, go beyond compliance: reserve budget for emerging threats (generative AI, quantum, third‑party risk) and repurpose existing line items such as Data Security Posture Management, SASE and GRC hours to limit net new spend. Third, know thy board and tailor your message—use dollars-and-cents for finance‑focused directors and vivid attack narratives for others, while maintaining regular engagement year-round.

Thu, November 20, 2025

ThreatsDay: 0-Days, LinkedIn Spying, IoT Flaws, Crypto

🛡️ This week's ThreatsDay Bulletin highlights a surge in espionage, zero-day exploits, and organized crypto laundering across multiple countries. MI5 warned that Chinese operatives are using LinkedIn profiles and fake recruiters to target lawmakers and staff, while researchers disclosed critical flaws like a pre-auth RCE in Oracle Identity Manager and a resource-exhaustion bug in the Shelly Pro 4PM relay. The bulletin also details malicious browser extensions, new macOS stealer NovaStealer, high-profile arrests and sanctions, and continued pressure on crypto-mixing services. Patch, update, and verify identities to reduce exposure.

Thu, November 20, 2025

Black Friday Cybercrime Surge: Rise in Fraudulent Domains

🔒 Check Point Research reports a significant increase in Black Friday–themed domain registrations, with about 1 in 11 newly registered domains classified as malicious. Brand impersonation is a primary tactic: roughly 1 in 25 new domains referencing marketplaces like Amazon, AliExpress, and Alibaba are flagged. Attackers create convincing fake storefronts that copy logos, layouts, and imagery to harvest credentials and payment data, with recent campaigns impersonating HOKA and AliExpress demonstrating active phishing tied to seasonal promotions.

Thu, November 20, 2025

OSINT Playbook: Identifying and Mitigating Public Exposures

🔍 OSINT is the disciplined practice of collecting and analysing publicly available information to produce actionable intelligence for security teams, journalists and researchers. The article outlines how practitioners use OSINT to discover exposed assets, support penetration testing, track threat actor activity and monitor reputational issues. It highlights common tools such as Shodan, Maltego and SpiderFoot, describes techniques like Google Dorking and metadata analysis, and stresses responsible, lawful investigation and rigorous sourcing to reduce error and privacy risk.

Thu, November 20, 2025

Sturnus Android Trojan Steals Messages and Controls Devices

🔒 Sturnus is a new Android banking trojan discovered by ThreatFabric that can capture decrypted messages from end-to-end encrypted apps like Signal, WhatsApp, and Telegram. It abuses Accessibility services and on-screen capture to read message content and deploys HTML overlays to harvest banking credentials. The malware also supports real-time, AES-encrypted VNC remote control and obtains Android Device Administrator privileges to resist removal, while targeting European financial customers with region-specific overlays.

Wed, November 19, 2025

Sneaky2FA PhaaS Adds Browser-in-the-Browser Deception

🔒 Sneaky2FA has integrated a Browser-in-the-Browser (BitB) pop-up that impersonates Microsoft sign-in windows and adapts to the victim’s OS and browser. Used alongside its existing SVG-based and attacker-in-the-middle (AitM) proxying, the BitB layer renders a fake URL bar and loads a reverse-proxy Microsoft login to capture credentials and active session tokens, enabling access even when 2FA is active. The kit also employs heavy obfuscation and conditional loading to evade analysis.

Wed, November 19, 2025

Hidden Risks in DevOps Stacks and Data Protection Strategies

🔒 DevOps platforms like GitHub, GitLab, Bitbucket, and Azure DevOps accelerate development but also introduce data risks from misconfigurations, exposed credentials, and service outages. Under the SaaS shared responsibility model, customers retain liability for protecting repository data and must enforce MFA, RBAC, and tested backups. Third-party immutable backups and left-shifted security practices are recommended to mitigate ransomware, insider threats, and accidental deletions.

Wed, November 19, 2025

Vulnerability-Informed Hunting: Nexus of Risk and Intel

🔎 Vulnerability-informed hunting transforms static vulnerability scans into dynamic intelligence by enriching CVE data with asset context, exploit activity and threat feeds. The article shows how mapping vulnerabilities to adversary behaviors (for example, Log4Shell, ProxyShell and Zerologon) lets teams run focused hunts that detect exploitation or reveal telemetry gaps. It advocates a continuous loop where hunts inform detection engineering, improving logging, SIEM content and overall resilience.

Wed, November 19, 2025

CISA Releases Guides to Safeguard Infrastructure from UAS

🛡️ CISA released three new Be Air Aware™ guides to help critical infrastructure owners and operators identify and mitigate risks posed by unmanned aircraft systems (UAS). The publications include Unmanned Aircraft System Detection Technology Guidance for Critical Infrastructure, Suspicious Unmanned Aircraft System Activity Guidance for Critical Infrastructure Owners and Operators, and Safe Handling Considerations for Downed Unmanned Aircraft Systems. Developed with government and industry partners, the guides provide practical options to integrate UAS threats into existing security and emergency response plans. CISA encourages organizations to adopt the recommendations to strengthen resilience and align with related directives.

Wed, November 19, 2025

CISA Releases Guide to Combat Bulletproof Hosting Abuse

🔒 CISA, working with U.S. and international partners, published Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers to provide ISPs and network defenders with practical guidance to identify, disrupt, and mitigate abuse of bulletproof hosting. Bulletproof hosting enables obfuscation, command-and-control, malware delivery, phishing, and hosting of illicit content that supports ransomware, extortion, and DoS campaigns. The guide recommends traffic analysis, curated high-confidence malicious resource lists with automated reviews, customer notifications and filters, and standards for ISP accountability to reduce BPH effectiveness and strengthen network resilience.

Wed, November 19, 2025

Application Containment and Ringfencing for Zero Trust

🔒 Ringfencing, or granular application containment, enforces least privilege for authorized software by restricting file, registry, network, and interprocess access. It complements allowlisting by preventing misuse of trusted tools that attackers commonly weaponize, such as scripting engines and archivers. Effective rollout uses a monitoring agent, simulated denies, and phased enforcement to minimize operational disruption. Properly applied, containment reduces lateral movement, blocks mass exfiltration and ransomware encryption while preserving business workflows.

Wed, November 19, 2025

EdgeStepper Enables PlushDaemon Update Hijacking Attacks

🛡️ ESET researchers describe how the China-aligned actor PlushDaemon uses a previously undocumented network implant called EdgeStepper to perform adversary-in-the-middle hijacks of software update flows. EdgeStepper, a Go-based MIPS32 implant, redirects DNS traffic to malicious resolvers that reply with IPs of attacker-controlled hijacking nodes, causing legitimate updaters to fetch counterfeit components such as LittleDaemon. The analysis details the implant's AES-CBC encrypted configuration (notably using the GoFrame default key), iptables redirection of UDP/53 to a local port, and the downloader chain (LittleDaemon and DaemonicLogistics) that stages and deploys the SlowStepper backdoor on Windows hosts.

Wed, November 19, 2025

Hijacked VPN Credentials Drive Half of Ransomware Access

🔐 Beazley's Q3 2025 analysis shows ransomware activity rose, with three groups — Akira, Qilin and INC Ransomware — responsible for 65% of leak posts and an 11% increase in leaks versus the prior quarter. Initial access increasingly relied on valid VPN credentials (48% of incidents, up from 38%), with external service exploits accounting for 23%. The report highlights an Akira campaign abusing SonicWall SSLVPNs via credential stuffing where MFA and lockout controls were absent, and warns that stolen credentials and new infostealer variants like Rhadamanthys are fuelling the underground market. Beazley urges adoption of comprehensive MFA, conditional access and continuous vulnerability management to mitigate risk.

Wed, November 19, 2025

Addressing Password Management Challenges to Protect Data

🔒 Enterprises and SMBs have invested heavily in authentication and IAM, but those controls are only as strong as password management. Compromised credentials remain a leading cause of breaches while the average employee manages over 100 accounts, creating operational and compliance burdens. Dedicated password managers can cut support costs by up to 80% and lower incident rates, but success requires strong user adoption and integration with SSO, MFA, LDAP/AD and privileged access systems.

Wed, November 19, 2025

Behind the Firewall: Cyber Professionals with Disabilities

🔒 Surveys and first‑person accounts reveal persistent inclusion gaps for cyber professionals with disabilities and neurodivergence. UK research (Decrypting Diversity 2021) and Deloitte’s Disability Inclusion @ Work 2024 show many report barriers to progression and frequent denial of accommodations. Three practitioners — a security awareness leader, a former cyber risk analyst and a commercial sales manager — describe bias, resilience and concrete steps for leaders: ask rather than assume, build empathy, offer flexibility and provide structural supports.
