All news in category "Threat and Trends Reports"

Thu, October 23, 2025

Threat Source: SharePoint Exploits and Patch Urgency

⚠ Cisco Talos reports a sharp increase in attacks against public-facing applications, with the ToolShell chain exploiting unpatched Microsoft SharePoint servers rising to over 60% of IR cases this quarter. Ransomware-related incidents fell to about 20% but show evolving tactics, including leveraging legitimate tools and compromised internal accounts for persistence and phishing. Organizations are urged to prioritize rapid patching, robust network segmentation, centralized logging, MFA, and user education to reduce exposure.

Thu, October 23, 2025

Vietnam Actors Use Fake Job Postings to Hijack Ad Accounts

🔎 GTIG describes a targeted campaign by a Vietnam-based cluster tracked as UNC6229 that uses fake job postings on legitimate platforms to socially engineer remote digital advertising workers. Victims are enticed to open password-protected attachments or visit convincing phishing portals that harvest corporate credentials and can bypass MFA. The actors abuse reputable CRM and SaaS services to increase trust, deliver remote access trojans, and ultimately take over high-value advertising and social media accounts for sale or resale.

Thu, October 23, 2025

ThreatsDay: Widespread Attacks Exploit Trusted Systems

🔒 This ThreatsDay bulletin highlights a series of recent incidents where attackers favored the easiest paths in: tricking users, abusing trusted services, and exploiting stale or misconfigured components. Notable items include a malicious npm package with a post-install backdoor, a CA$176M FINTRAC penalty for missed crypto reporting, session hijacking via MCP (CVE-2025-6515), and OAuth-based persistent backdoors. Practical defenses emphasized are rapid patching, disabling risky install hooks, auditing OAuth apps and advertisers, and hardening agent and deserialization boundaries.

Thu, October 23, 2025

Enterprises Move From Static Secrets to Managed Identities

🔐 Organizations are rapidly replacing embedded API keys and passwords with platform-native managed identities to reduce manual credential management and leakage risk. Enterprises report significant productivity gains—case studies cite up to a 95% reduction in time spent managing credentials and a 75% drop in time learning platform authentication. While major clouds (AWS, Azure, GCP) and CI platforms have built-in solutions, legacy systems and third-party APIs remain the primary obstacles to eliminating static secrets entirely.

Thu, October 23, 2025

IR Trends Q3 2025: ToolShell Drives Access & Response

🛡️ Cisco Talos Incident Response observed a surge in attacks exploiting public-facing apps in Q3 2025, driven chiefly by ToolShell chains targeting on-premises Microsoft SharePoint servers. Rapid automated scanning and unauthenticated RCE vulnerabilities led to widespread compromise, highlighting the need for immediate patching and strict network segmentation. Post-compromise phishing from valid accounts and diverse ransomware families, including Warlock and LockBit, continued to impact victims.

Thu, October 23, 2025

Global Smishing Campaign Targets Toll, Delivery, Services

🚨 Unit 42 attributes a widespread smishing campaign to the Smishing Triad that uses urgent SMS messages and realistic phishing pages to impersonate toll, delivery and other critical services. Since April 2024 the operation has registered and churned over 194,000 malicious domains and 136,900 root domains, leveraging a Hong Kong registrar while primarily hosting on U.S. cloud infrastructure. The campaign appears powered by a large phishing-as-a-service ecosystem and seeks PII, credentials and payment data. Advanced URL Filtering and Advanced DNS Security provide protections; contact Unit 42 Incident Response for urgent help.

Thu, October 23, 2025

Vidar 2.0 Emerges as Lumma Stealer Declines, Upgraded

🔒 Trend Micro reports that the Vidar infostealer has been upgraded to Vidar 2.0, featuring a complete rewrite in C, multithreaded exfiltration, custom browser credential extraction and an AppBound bypass targeting Chrome's app-bound encryption. The release, announced by an actor calling themselves "Loadbaks" on October 6, follows a decline in Lumma Stealer activity after law enforcement disruption and doxxing of its developers. Researchers warn security teams to anticipate increased Vidar activity through Q4 2025 and to adapt detection and mitigation strategies accordingly.

Thu, October 23, 2025

CISOs: Earning Business Respect Through Incident Response

🛡️ How a CISO handles a major incident can make or break their career. A Cytactic survey of 480 senior US cybersecurity leaders, including 165 CISOs, found that 65% said leading an incident response elevated their internal reputation while only 5% said it hurt it. Experts say a well-managed response can translate into better budgets and authority, but prevention work is often invisible and a single failure can still cost a CISO their job.

Thu, October 23, 2025

Six IT Risk-Assessment Frameworks for Enterprise Governance

🛡️ This article summarizes six prominent IT risk-assessment frameworks—COBIT, FAIR, ISO/IEC 27001, NIST RMF, OCTAVE and TARA—and explains their core purpose and methods. It contrasts governance-oriented, standards-based, lifecycle and threat-centric approaches and highlights where quantitative analysis or certification focus applies. The overview helps security and IT leaders identify which model or combination of models best fits organizational needs.

Wed, October 22, 2025

CISO Imperative: Building Resilience in Accelerating Threats

🔒 The Microsoft Digital Defense Report 2025 warns that cyber threats are accelerating in speed, scale, and sophistication, driven by AI and coordinated, cross-border operations. Attack windows have shrunk—compromises can occur within 48 hours in cloud containers—while AI-powered phishing and credential theft have grown markedly more effective. For CISOs this requires reframing security as a business enabler, prioritizing resilience, automation, and modern identity controls such as phishing-resistant MFA. The Secure Future Initiative provides practitioner-tested patterns to operationalize these priorities.

Wed, October 22, 2025

AI-Powered Mobile Threats Elevate Need to Rethink Security

📱 The 2025 Verizon Mobile Security Index underscores growing danger as mobile devices account for the majority of global internet traffic and increasingly serve as primary attack surfaces. Check Point highlights the rise of AI-powered threats, persistent phishing, and human error that expand exposure. Organizations must rethink security architectures, strengthen endpoint controls, and adopt AI-aware defenses across apps, devices, and identities to reduce risk.

Wed, October 22, 2025

Replace Short Complex Passwords with Longer Passphrases

🔒 Modern guidance favors long, memorable passphrases over short, complex passwords. Length provides far more effective entropy than symbol substitution, making offline brute-force attacks exponentially harder for attackers using modern GPU rigs. Passphrases lower helpdesk resets, discourage insecure reuse, and align with NIST recommendations. Implement by raising minimum length, dropping forced complexity, and blocking compromised credentials in real time.

Wed, October 22, 2025

SnakeStealer Infostealer Surges to Top of Detections

🔒 SnakeStealer is an infostealer family that surged in early 2025 to top ESET's infostealer detection charts. First seen in 2019 and originally linked to tools marketed as 404 Keylogger/Crypter, it spread widely by abusing Discord and cloud hosting and through phishing attachments, archived payloads and pirated software. Offered as malware‑as‑a‑service, it harvests credentials, clipboard contents, screenshots and keystrokes while using evasion and persistence tricks. Reduce risk by keeping systems updated, enabling MFA, treating unsolicited attachments with caution, changing passwords from clean devices and running reputable security software.

Tue, October 21, 2025

Vidar Stealer 2.0 Rewritten in C with Multi-Threading

🛡️ Vidar Stealer 2.0 was released with a complete rewrite in C, multi-threaded data theft and stronger evasion, prompting warnings from security researchers about likely increased campaigns. The update reduces dependencies and footprint while spawning parallel worker threads to accelerate harvesting of browser, wallet, cloud and app credentials. It introduces extensive anti-analysis checks and a polymorphic builder to frustrate static detection. Notably, the malware injects into running browser processes to extract encryption keys from memory and bypass Chrome's App-Bound protections.

Tue, October 21, 2025

Researchers Exploit 34 Zero-Days at Pwn2Own Ireland

🔒 On the first day of Pwn2Own Ireland 2025, security researchers exploited 34 unique zero-day vulnerabilities and collected $522,500 in cash awards. Team DDOS (Bongeun Koo and Evangelos Daravigkas) chained eight flaws to compromise a QNAP Qhora-322 router via its WAN interface and access a QNAP TS-453E, earning $100,000 and moving into second place on the Master of Pwn leaderboard. The Summoning Team led day one with $102,500 and 11.5 points after multiple successful root exploits. The Zero Day Initiative (ZDI) organized the event and coordinates 90-day responsible disclosure with affected vendors.

Tue, October 21, 2025

Pro-Russia Information Operations After Drone Incursion

🔎 Google Threat Intelligence Group (GTIG) observed coordinated pro-Russia information operations responding to reported Russian drone incursions into Polish airspace on Sept. 9–10, 2025. Actors amplified narratives denying Russian culpability, blaming NATO or Poland, and seeking to erode domestic and international support for Ukraine. GTIG documented activity across multiple networks and languages and noted these operations leveraged both long-standing and recently developed influence infrastructure.

Tue, October 21, 2025

PolarEdge Botnet Targets Cisco, ASUS, QNAP Routers

🔐 Cybersecurity researchers have detailed PolarEdge, a TLS-based ELF implant used to conscript Cisco, ASUS, QNAP and Synology routers into a botnet. The backdoor implements an mbedTLS v2.8.0 server with a custom binary protocol, supports a connect-back and interactive debug mode, and stores its obfuscated configuration in the final 512 bytes of the ELF. Operators use anti-analysis techniques, process masquerading and file-moving/deletion routines; a forked watchdog can relaunch the payload if the parent process disappears.

Tue, October 21, 2025

Deep Dive: BPF LPM Trie Performance and Optimization

🔍 Cloudflare investigated a production soft lockup traced to the Linux BPF LPM trie, a core data structure for IP and IP+Port longest-prefix matching. Benchmarks on 96-core AMD EPYC hardware showed lookups remain relatively fast at modest sizes, but updates, deletes and especially freeing maps degrade severely at scale, causing multi-second CPU stalls and customer packet loss. The post refreshes trie basics, presents measured results (lookups, updates, deletes, free costs), and diagnoses kernel implementation limits — notably binary child pointers, absent level compression, and allocator-induced cache and dTLB pressure — then outlines plans to upstream benchmarks and refactor toward a level-compressed multibit trie to reduce traversal height, cache/TLB misses, and freeing overhead.

Tue, October 21, 2025

Ransomware Payouts Rise to $3.6M as Tactics Evolve

🔒 The average ransomware payment climbed to $3.6m in 2025, up from $2.5m in 2024, as attackers shift to fewer but more lucrative, targeted campaigns. ExtraHop's Global Threat Landscape Report found 70% of affected organisations paid ransoms, with healthcare and government incidents averaging nearly $7.5m each. The study highlights expanding risks from public cloud, third‑party integrations and generative AI, and urges organisations to map their attack surface, monitor internal traffic for lateral movement and prepare for AI‑enabled tactics.

Tue, October 21, 2025

AI-Enabled Ransomware: CISOs’ Top Security Concern

🛡️ CrowdStrike’s 2025 ransomware survey finds that AI is compressing attacker timelines and enhancing phishing, malware creation, and social engineering, forcing defenders to react in minutes rather than hours. 78% of respondents reported a ransomware incident in the past year, yet fewer than 25% recovered within 24 hours and paying victims often faced repeat compromise and data theft. CISOs rank AI-enabled ransomware as their top AI-related security concern, and many organizations are accelerating adoption of AI detection, automated response, and improved training.
