< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1640 articles · page 14 of 82

Amazon SES Increasingly Abused in Phishing Attacks Globally

📧 Kaspersky reports a surge in phishing campaigns that abuse AWS Simple Email Service (SES) to bypass authentication and reputation-based defenses. Attackers are exploiting exposed AWS Identity and Access Management keys discovered in public repositories, configuration files, container images, backups, and open S3 buckets. They automate secret scanning, permission validation, and mass email distribution to send highly credible lures—custom HTML templates and fake document-signing notifications—that redirect victims to AWS-hosted phishing pages.
read more →

Amazon SES abused in phishing campaigns, Kaspersky warns

🔔 Kaspersky reports an increase in phishing campaigns that abuse Amazon Simple Email Service (SES) to send authenticated-looking malicious messages that can bypass reputation-based filters. Attackers are harvesting exposed AWS access keys from public repositories and assets, automating secret discovery, permission checks, and mass email distribution. Because messages originate from a trusted service, SPF, DKIM, and DMARC checks and IP blocks are often ineffective, prompting Kaspersky to recommend stricter IAM controls, MFA, key rotation, and IP restrictions.
read more →

DDoS Surge During Milano Cortina 2026 Winter Games

📈 The Milano Cortina 2026 Winter Games coincided with a dramatic rise in DDoS activity against Italian infrastructure, with attack frequency increasing 181% year-over-year from 2025. NETSCOUT ASERT recorded 12,963 attacks during the core Games window (Feb 6–23), peaking at more than 2,200 attacks on single days and shifting tactics from high-bandwidth floods to packet-rate–intensive vectors. The hacktivist group NoName057(16) dominated public claims, while ransomware groups and other actors also asserted responsibility. Adaptive defenses such as NETSCOUT ATLAS and Arbor products were highlighted as important mitigations.
read more →

Orphaned Applications Fuel Shadow IT and Risk Exposure

🔎 Orphaned applications silently expand shadow IT by persisting beyond team ownership, continuing to authenticate, exchange data, and consume resources without oversight. They commonly appear when departments adopt tools to meet urgent needs and those workflows, accounts, or service identities are never decommissioned. NETSCOUT Smart Data leverages packet-derived observability to reveal hidden dependencies and enrich the ServiceNow CMDB, helping teams reduce operational, security, and compliance blind spots.
read more →

Weekly Cyber Recap: Attackers Shift to Long-Term Occupation

🚨This week’s telemetry shows attackers moving from quick breaches to persistent occupation across SaaS, CI/CD and hosting panels. CVE-2026-41940 in cPanel/WHM and the Linux Copy Fail bug (CVE-2026-31431) are being actively exploited alongside supply-chain compromises that weaponize developer pipelines. Social engineering — including vishing that bypasses MFA — and AI-assisted phishing kits are scaling attacks. Prioritize urgent CVEs, rotate pipeline credentials, and treat sessions and routine pipeline runs as potentially hostile.
read more →

Structured loan fraud: How attackers target credit unions

🔍 Flare researchers identified organized, process-driven loan fraud methods on underground forums that use stolen identities, social engineering, and workflow knowledge to impersonate legitimate borrowers. Attackers focus on passing knowledge-based authentication (KBA) and reconstructing verification answers from public sources and leaked datasets. They preferentially target small- and mid-sized credit unions perceived to have weaker fraud detection, then rapidly move funds through intermediaries to complete cash-out before detection.
read more →

Small US Defense Contractors Lack Network Telemetry

🛡️ Small and mid-size US defense contractors lack the network telemetry needed to detect nation-state reconnaissance and pre-positioning operations, Team Cymru analyst Stephen Campbell warns. He says state-backed groups are increasingly targeting edge infrastructure — routers, firewalls and VPN gateways — and using living-off-the-land techniques and legitimate cloud services to evade endpoint alerts. Campbell urges firms to deploy NetFlow pattern recognition, map infrastructure, patch and segment systems, and hunt for anomalous DNS and lateral movement to uncover stealthy access.
read more →

The Fake IT Worker Threat CISOs Must Address Urgently

🛡️ Hiring fraud has produced thousands of fake IT workers who gain trusted access and create serious insider risks. Companies such as Amazon report coordinated attempts tied to state actors, while researchers like SentinelOne and vendors observe AI-enabled deepfakes, synthetic identities and stolen US credentials used to pass recruitment checks. Organizations must treat remote hiring as an access-control problem: strengthen identity screening, enforce staged trust, and deploy continuous post-hire telemetry and behavioral detection.
read more →

How CISOs Should Use DSPM to Inform Risk Decisions

🔎 Data security posture management (DSPM) is less about buying a single product and more about adopting a mindset: identify where sensitive data lives, quantify its value-at-risk, and use that information to prioritize remediation and investments. Full DSPM platforms can demand one to three dedicated FTEs to maintain, so many organizations should start with manual inventories, lightweight scanners or existing DLP outputs. The piece highlights practical scenarios—patch prioritization, M&A integrations, and IAM reviews—and warns that rising agentic AI and vendor access requirements make timely, measurable data discovery increasingly urgent in 2026.
read more →

CrowdStrike Technical Risk Assessments: Exposure Patterns

🔍 CrowdStrike Professional Services' Technical Risk Assessments (TRAs) analyze hundreds of production environments annually to surface common exposure patterns, including unmanaged assets, overlooked credential paths, and the rise of shadow AI. Assessments combine external attack surface enumeration, vulnerability and identity hygiene reviews, and hands-on validation to produce prioritized remediation recommendations. Findings stress that having the right tools is insufficient without operational discipline, clear ownership, and continuous validation to reduce breach likelihood.
read more →

What Is a Botnet? Risks, Architecture, and Defenses

🤖 A botnet is a network of compromised internet-connected devices controlled by attackers to perform coordinated criminal tasks such as DDoS, spam, crypto-mining, or malware distribution. Modern botnets use distributed architectures — from centralized command-and-control servers to peer-to-peer propagation — and often hide control traffic via IRC, HTTP, Telnet, or even public platforms. Defenders combine user training, patching, IoT hardening, antivirus, traffic filtering and CDN services with threat hunting methods like flow analysis and malware reverse-engineering.
read more →

ConsentFix v3 Automates OAuth Abuse Targeting Azure

🔐 ConsentFix v3 is an automated evolution of prior OAuth consent phishing techniques that targets Microsoft Azure environments by abusing pre-trusted first-party apps and the OAuth2 authorization code flow. Attackers conduct reconnaissance to harvest employee names, roles, and emails, host convincing phishing pages on Cloudflare Pages and DocSend, and use Pipedream webhooks to collect and immediately exchange authorization codes for refresh tokens. Phishing is often highly personalized and delivered via PDFs to evade filters. Captured tokens are imported into post-exploitation tools to access mail, files, and other resources permitted by the token.
read more →

Expanding Detection: Essential Data Beyond Endpoints

🔍 The 2026 Unit 42 Global Incident Response Report warns that adversaries are moving to exfiltration four times faster than in 2025 and are exploiting gaps created by an over-reliance on endpoint telemetry. Unit 42 found critical evidence present in logs for 75% of incidents, yet siloed systems and inaccessible telemetry prevented timely detection and response. The authors recommend a single-pane-of-glass, AI-driven SOC that centralizes logs and uses tools like Cortex XSIAM for alert stitching, ML-based scoring and unified investigations to reduce alert fatigue and close multi-surface blind spots.
read more →

Top Sales Challenges Costing MSPs Cybersecurity Revenue

🔍 The article identifies five go-to-market barriers that prevent managed service providers (MSPs) from converting growing cybersecurity demand into predictable revenue. It argues many MSPs emphasize technical findings and frameworks rather than translating risks into business outcomes, leaving security positioned as a cost rather than a strategic investment. Cynomi's GTM Academy Complete Sales Kit is presented as a practical, operator-led playbook to align sales and technical teams, quantify ROI, and expand existing accounts through targeted discovery, scoring, and playbooks.
read more →

Human-centric Failures: Why BEC Survives Despite MFA

🔒 Multi-factor authentication reduces credential risk but does not stop many business email compromise (BEC) attacks, because adversaries target human decision points and process gaps rather than accounts. High-profile cases — Toyota Boshoku (2019, ≈$30M) and Arup (2024, ≈$25M) — show attackers using cloned messages and deepfakes without stealing credentials. Organizations should redesign approval workflows, require out-of-band verification for high-risk requests, run realistic BEC simulations, embed micro-learning, introduce purposeful friction and assign clear ownership of payment verification to close operational blind spots.
read more →

Only 34% of Cyber Pros Plan to Stay With Employers

🔍Only 34% of cybersecurity professionals plan to remain with their current employer, according to a survey of 500 respondents by IANS and Artico Search. The report finds that flexible work models, visible leadership support, and structured career development influence retention more than absolute pay. Hybrid schedules, mentorship, and modern tooling help reduce burnout and turnover.
read more →

Managing OT Risk at Scale: Leadership Over Technical Fixes

🛡️Organizations frequently assume IT security models apply to operational technology, but the article argues that OT demands a different approach because systems have long lifecycles, limited patching, and pervasive third‑party dependencies. The core issue at scale is governance: consistent decision rights, escalation logic and shared accountability across distributed sites. Boards should focus on concrete OT scenarios, clarify whether governance is centralized or federated, and insist on independent assurance rather than tool debates. The piece frames OT resilience as a leadership and governance challenge, not merely a technical one.
read more →

High-Risk GenAI Browser Extensions Targeting Users

🛡️ Unit 42 identified 18 malicious browser extensions posing as GenAI productivity tools that deliver RATs, infostealers and MitM capabilities. These extensions intercept prompts, exfiltrate credentials and proxy HTTPS responses, often using AI-generated code to accelerate development. Organizations should restrict extensions, scrutinize permissions and treat browsers as critical attack surfaces. Google removed or warned developers after disclosure.
read more →

Bluekit phishing kit adds AI assistant and 40+ templates

🔵 Bluekit is a newly observed phishing kit that bundles more than 40 templates targeting services such as Outlook, Gmail, Yahoo, ProtonMail, iCloud, GitHub and Ledger. It includes an AI Assistant panel supporting models like Llama, GPT‑4.1, Claude, Gemini and DeepSeek to help draft campaign copy. Varonis found the assistant produces scaffold-like outputs that require cleanup. The platform centralizes domain purchase, phishing page setup, campaign management, granular anti-analysis controls and real-time victim session monitoring, with stolen data exfiltrated via Telegram.
read more →

Threat Source: Prioritizing Identity and Legacy Risks

🔐 Hazel Burton summarizes Cisco Talos' Year in Review and outlines five critical priorities for defenders facing an increasingly automated threat landscape. While AI and accessible exploit code have lowered the barrier for attackers, adversaries still follow predictable patterns and reuse infrastructure, producing detectable anomalies. Defenders should treat identity infrastructure as a top-tier asset, secure MFA workflows with strict verification, prioritize patching by internet exposure, hunt long-tail legacy risks, and apply enhanced monitoring to management-plane systems to focus detection on anomalous post-login behavior and reduce alert fatigue.
read more →