< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1640 articles · page 13 of 82

Day Zero Readiness: Operational Gaps That Break Response

🔒 Having an incident response retainer or a pre-approved external firm is not the same as being operationally ready. Readiness requires pre-provisioned accounts, validated permissions, and practiced workflows so responders can gain immediate visibility into identity, cloud, EDR, and logs. The guide prioritizes identity-first visibility, out-of-band communications, a designated incident manager, and pre-tested activation procedures to eliminate delays that allow attackers to deepen compromise.
read more →

Nearly Half of World’s Passwords Cracked in Minutes

🔒 Kaspersky analyzed 231 million unique passwords leaked on dark‑web forums (2023–2026) and found that 60% can be cracked in under an hour, with 48% broken in less than a minute. The testing used a single RTX 5090 GPU against MD5 hashes, illustrating how rapidly cracking speeds are improving. The report identifies common human patterns—digits, years, predictable words and popular special characters—and warns that many users reuse unchanged passwords for years. It recommends practical defenses such as a password manager, passkeys, and strong two‑factor authentication.
read more →

Aligning Cyber Risk Communication with Boardroom Psychology

🔍 Security leaders must translate technical risk into clear business decisions to gain board support. Boards want concise, data-driven briefings that link exposures to financial impact, operational disruption and regulatory consequences rather than technical status updates. The most effective conversations prioritize a few high-impact issues, explain trade-offs and show exactly where resources will measurably reduce loss.
read more →

CallPhantom Android Scam: Fake Call Logs, Real Charges

🔍 ESET Research uncovered a cluster of fraudulent Android apps, dubbed CallPhantom, that promised call histories, SMS records and WhatsApp logs for any phone number but delivered fabricated entries and charged users for access. The apps collectively amassed over 7.3 million downloads on Google Play before ESET reported them on 16 December 2025 and the identified packages were removed. Operators used varied payment flows—official Play subscriptions, third‑party UPI links and embedded card checkouts—making refunds and cancellations difficult for many victims.
read more →

Rise in Vercel Abuse for Phishing Campaigns, Cofense Warns

⚠️ Cofense warns that low-skilled threat actors are increasingly abusing Vercel's v0.dev GenAI tools to generate convincing phishing pages with minimal effort. Attackers can prototype for free, purchase tokens to build pages, and use Vercel hosting—its pro tier is roughly $20/month—to deploy and tear down sites quickly. Integrations with services like Telegram, AWS, Stripe and xAI further simplify operations. Cofense advises security teams to verify sender domains, watch for urgency cues and report malicious Vercel sites for takedown.
read more →

Fixing the password problem: why '123456' still works

🔐 The most-used password globally remains '123456', according to NordPass, and the author found that some mainstream services still accept trivial credentials in direct tests. Examples include Evite (breached in 2019) and parts of major social platforms that permit easily guessable strings like '1234567!'. The article highlights inconsistent password policies across sites and argues for stronger authentication requirements—preferably mandated MFA—with regulatory backing where necessary.
read more →

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔐 Cisco Talos has observed the CloudZ RAT paired with a previously undocumented plugin, Pheno, harvesting SMS messages and one-time passwords by abusing Microsoft's Phone Link functionality. Pheno scans for Phone Link processes and confirms active paired sessions before extracting synced SMS content from local SQLite files, allowing attackers to capture OTPs without touching the victim's mobile device. Observed since January 2026, the campaign uses a Rust loader, a .NET payload deployed via regasm.exe, and multiple anti-analysis techniques; Talos published IoCs and ClamAV signatures to aid detection.
read more →

Why Ransomware Succeeds Even When Backups Exist: Fixes

🔒 Modern ransomware campaigns routinely target backup infrastructure before launching encryption, leaving organizations without viable recovery despite having backups. The article details an attack sequence — initial access, credential theft, lateral movement, backup discovery and destruction, then encryption — and identifies recurring failures like weak isolation, overprivileged credentials, lack of immutability, and untested restores. It recommends identity separation, network segmentation, immutable storage, continuous monitoring, and regular recovery testing, and highlights Acronis Cyber Platform as an integrated example that combines backup, immutability, and threat detection to reduce complexity and improve resilience.
read more →

39 Seconds: Why Speed Is the New Cybersecurity Perimeter

⏱️ Unit 42 data and a conversation with Wendi Whitmore warn that attackers can exfiltrate data in as little as 39 seconds, forcing a shift from prevention to rapid detection and containment. Whitmore argues manual workflows cannot match adversary tempo and calls for AI-driven detection paired with unified visibility across endpoints, cloud and AI systems. Visibility, not complexity, enables containment before escalation.
read more →

Resilient by Design: When Networks Become Targets Now

🔒 Organizations have long focused on cyber defenses against breaches and ransomware, but new geopolitical tensions show major disruptions can originate in the physical world and target cloud and network infrastructure. As cloud systems become integral to national economies, the network itself becomes an attack surface requiring resilient-by-design architecture. Enterprises must embrace operational resilience, redundancy, and distributed controls to mitigate physical and systemic risks.
read more →

Quasar Linux (QLNX) Turns Linux Hosts into P2P Mesh

🐧 Quasar Linux (QLNX) is a newly disclosed modular Linux RAT that converts compromised hosts into a resilient peer-to-peer attack mesh. It bundles kernel-level rootkit techniques, PAM-based authentication backdoors, and fileless persistence to hide activity and survive remediation. Trend Micro’s analysis notes the binary even embeds C source for its PAM backdoor and LD_PRELOAD rootkit. The implant communicates over raw TCP, HTTP, and HTTPS (with TLS for TCP and HTTPS) and Trend Micro has published IOCs while applying protections for Trend Vision One customers.
read more →

Analysis of Phone Number Clustering and Reuse in Scam Emails

📞 Cisco Talos analyzed phone numbers extracted from scam emails and found that API-driven VoIP provisioning enables large-scale, low-cost operations that are difficult to trace. Attackers rotate through sequential DID blocks, use cool-down windows, and frequently recycle numbers across multiple lures and attachment types. In a Feb 26–Mar 31, 2026 dataset of 1,652 numbers, the median lifespan was ~14 days; Sinch was the most abused provider. Talos recommends using phone numbers as anchors for cross-channel threat mapping.
read more →

Train Like You Fight: No-notice Drills for Cyber Ops

🔔 Cybersecurity detection is improving, but response effectiveness hinges on how people perform under real stress. The article argues that scheduled, announced exercises leave teams neurologically unprepared because threat-induced arousal suppresses executive function. No-notice drills, informed by stress inoculation science, raise teams' tolerance for pressure and build practical outcomes: faster instinctive response, stronger cross-team trust and organizational honesty. Practical steps include anomaly injection, full-chain activation and rapid, blameless debriefs to close gaps.
read more →

One in Eight UK Employees Admit Selling Corporate Logins

🔒 A Cifas survey of 2,000 UK employees at firms with 1,000+ staff found 13% admitted to selling corporate logins in the past year or knew someone who had. The report highlights even higher tolerance among senior managers and executives, with justification rates rising to 32-43% and 81% for business owners. Cifas urges organisations to build fraud-aware cultures and deliver counter-fraud training to curb insider risk.
read more →

Forced-Momentum Autodownload Phishing via Cloud Links

📎 Modern phishing now prioritizes speed over persuasion. By forcing immediate downloads via trusted cloud providers (for example Dropbox?s dl=1), attackers remove the preview step and exploit double extensions and hidden OS behavior to disguise executables. Cortex Email Security applies deep static analysis, behavioral signals, and LLM-based intent classification to detect forced-download parameters, identity-bound cloaking, and rotating social-engineering lures before they reach endpoints.
read more →

EOL Blind Spot in CVE Feeds: What SCA Tools Miss Most

⚠️ The article highlights a persistent blind spot: end-of-life (EOL) open-source versions frequently fall outside CVE affected ranges and thus don’t trigger SCA scanner alerts. Research from HeroDevs and Sonatype shows millions of EOL package versions and tens of thousands with known CVEs but no official fixes. Concrete Spring Security examples from 2026 illustrate how EOL users can remain exposed without warning. The piece urges improved visibility and proactive EOL scanning.
read more →

EOL Blind Spot in CVE Feeds: What SCA Tools Miss Now

🔍 The EOL blind spot in CVE feeds means scanners and SBOM tools routinely miss vulnerabilities in end-of-life open source versions because upstream advisories and CVE records typically list only actively supported ranges. HeroDevs and Sonatype data show maintainers lack the capacity to test legacy releases, producing widespread false negatives — HeroDevs estimates that for roughly 80% of CVEs on supported versions, EOL lines are also affected but unreported. The article uses CVE-2026-22732 in the Spring ecosystem to illustrate the problem and highlights a 12M+ version dataset that finds millions of EOL package versions and tens of thousands of EOL components with known CVEs. Use of HeroDevs EOL dataset or similar analysis is recommended to discover hidden exposure quickly.
read more →

AI Adoption Outpaces Safety Policies, Raising Systemic Risk

🛡️ New ISACA research finds AI tools are widely used in organizations, but governance is lagging. Ninety percent of digital trust professionals say employees use AI, yet only 38% report a formal, comprehensive AI policy while 25% have none at all. The poll highlights rising Shadow AI risks, with 56% unsure how long it would take to halt an AI system and only 20% having shutdown procedures, increasing exposure to data breaches and privacy failures.
read more →

CISOs Rethink Hiring as AI Widens Skills Shortage Now

🔒 A persistent cybersecurity skills shortage is forcing CISOs to change hiring, training, and architecture decisions as AI amplifies attack scale and complexity. ISC2’s 2025 workforce study found 95% of organizations report at least one skills gap and nearly 60% call those gaps critical or significant. Leaders are turning to internal upskilling, automation, and role transitions, while balancing trade-offs between best-of-breed tooling, integrated platforms, and multicloud complexity.
read more →

Zero Trust Often Fails at the Traffic Enforcement Layer

🛡️Organizations commonly implement strong identity, authentication and access policies under a zero-trust strategy, yet enforcement at the network traffic layer is frequently inconsistent. Gaps appear across ingress paths, load balancers, CDNs, TLS termination and east–west service communication, allowing traffic to bypass identity controls. Successful programs treat the traffic plane as the primary enforcement point: standardizing ingress, enforcing strict TLS baselines and mTLS, normalizing requests and maintaining end-to-end telemetry. The core message: mindset and policy alone are insufficient without consistent traffic-layer enforcement.
read more →