< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1640 articles · page 15 of 82

Q1 2026 Email Threat Landscape: Phishing Trends and Defenses

🔐 Microsoft Threat Intelligence observed ~8.3 billion email-based phishing threats in Q1 2026, with volumes easing from about 2.9 billion in January to 2.6 billion in March. QR code phishing more than doubled and CAPTCHA-gated phishing surged, while link-based delivery rose to 78% and credential theft dominated payloads. Disruption of the Tycoon2FA PhaaS reduced activity but adversaries adapted; Microsoft Defender detections and mitigations are recommended.
read more →

ThreatsDay: SMS blaster busts and supply‑chain shocks

🔍 This ThreatsDay bulletin highlights a week of converging risks: Canadian authorities dismantled an SMS blaster operation that spoofed cellular towers, while a malicious npm brandsquat (published as tanstack) exfiltrated local .env files during install. Researchers also flagged networks of browser extensions legally selling browsing and viewing data, the first documented abuse of the Komari admin agent in intrusions, and mass exposure of RDP/VNC servers—underscoring the importance of basic hygiene, credential rotation, and coordinated defensive response.
read more →

UK Education Sector Sees Sharp Rise in Cyber Breaches

📚 The UK public education sector experienced a marked increase in reported cyber breaches in the Cyber Security Breaches Survey 2025/2026, published on 30 April by the Department for Science, Innovation and Technology (DSIT) and the Home Office. The report's Education Annex records rises across primary, secondary, further and higher education — notably higher education breaches climbed from 91% to 98% and secondary schools from 60% to 73%. While national breach levels for businesses and charities remained broadly stable, the education surge, falling small-business cyber hygiene and the low uptake of Cyber Essentials are being flagged as significant resilience concerns.
read more →

EtherRAT Campaign Spoofs Admin Tools via GitHub SEO

🛡️ Atos Threat Research Center disclosed in March 2026 a resilient campaign delivering a JavaScript RAT named EtherRAT via SEO-poisoned GitHub facades. The adversary places benign-looking README storefronts that link to hidden repositories hosting malicious MSI installers impersonating common administrative tools used by admins, DevOps, and security analysts. Payloads download Node.js at runtime and use an Ethereum smart contract queried through public RPC endpoints to resolve live C2 addresses, enabling rapid operator-driven server rotation and evasion of classic takedown techniques. Atos provides IoCs, technical analysis, and mitigation advice including blocking public ETH RPC access and enforcing verified tool provenance.
read more →

Cyber Threat Literacy Tops Global People Risks 2026

🛡️ Marsh's 2026 People Risks report, compiled from interviews with over 4,500 HR and risk professionals across 26 markets, finds cyber-threat literacy is the top global people risk, with technological change, tech skills shortages and AI-related mindset barriers also ranking highly. The report highlights mishandling of data and low employee security awareness as persistent threats that can increase exposure to breaches and reputational damage. Marsh recommends reframing cyber risk to cover OT, HR and third-party systems, recruiting cyber talent, building a cyber-centric culture, reducing fatigue, and ensuring human oversight with robust governance and insurance cover.
read more →

April 2026 security roundup: Tony Anscombe insights

🔒 ESET Chief Security Evangelist Tony Anscombe reviews April’s top cybersecurity developments, including rising Microsoft Teams helpdesk impersonation scams, an Iranian-linked campaign targeting Rockwell programmable logic controllers exposed on U.S. critical infrastructure networks, and the FBI IC3’s finding that U.S. victims lost nearly $21 billion to cyber-enabled crime last year. Tony offers practical mitigation advice — from stricter verification and access controls for remote support to network segmentation, patching, and monitoring for industrial control systems — and invites viewers to watch the video for deeper context and comparisons to prior years.
read more →

ODNI 2026 ATA Signals Shift: Private Sector on Alert

🔍 The ODNI’s 2026 Annual Threat Assessment pivots from long-term, global forecasting to active operational reporting and a homeland-centric focus. This shift de-emphasizes detailed tracking of state-led infrastructure campaigns and named operations, leaving gaps in visibility on pre-positioned access. CISOs and CROs are urged to fund a resilience premium and prioritize identity, infrastructure continuity, algorithmic defense, and intelligence integration.
read more →

Defending Against SaaS-Focused CORDIAL and SNARKY SPIDERS

🔐 Since October 2025, CrowdStrike's Falcon Shield explains how CORDIAL SPIDER and SNARKY SPIDER execute fast, SaaS-first attacks that bypass endpoint visibility. Through vishing and SSO-themed AiTM pages they capture credentials and session tokens to pivot into IdPs and multiple SaaS apps. Falcon Shield detects anomalous sign-ins, MFA enrollments, notification suppression, and adversary proxy infrastructure to disrupt campaigns.
read more →

Eight Best Practices for CISOs Conducting Risk Reviews

📋 This blog by Rico Mariani outlines eight practical best practices for CISOs conducting risk reviews, focusing on identifying assets, applications, and access controls to shape review scope and priorities. It emphasizes good quality authentication (tokens and issuers like Microsoft Entra), robust authorization, network isolation, detection, and auditing to enable proactive security. The post also highlights commonly overlooked areas such as backups, support, and development systems to ensure comprehensive risk coverage.
read more →

How Vehicles Become Tools for Law Enforcement Surveillance

📡 Modern cars act as mobile computers that log and transmit extensive telemetry to manufacturers and third parties. Law enforcement increasingly uses Car Intelligence (CARINT) tools and vendor solutions such as Ateros, Berla, and Toka to extract GPS histories, call logs, paired-device lists, and driving statistics — sometimes without warrants. Even sensor systems like unencrypted TPMS can enable low-cost tracking. Recommended mitigations include avoiding phone syncs, clearing head-unit data, disabling voice commands, and minimizing use of manufacturer apps.
read more →

KELA: 2.9 Billion Compromised Credentials Tracked in 2025

🔒 KELA's 2026 report reveals nearly 2.9 billion compromised credentials traced worldwide in 2025, including usernames, passwords, session tokens and cookies sourced from ULP lists, breached email repositories and marketplaces. At least 347 million were obtained by infostealers operating on about 3.9 million infected machines, driven by a surge in macOS infections. The firm warns that AI-driven, autonomous attack workflows and increasing vulnerability weaponization are escalating risk for organizations.
read more →

Evaluating Exposure Management Platforms: What Matters

🔍 Exposure management exists to connect remediation work with real risk, answering whether closing thousands of findings actually makes you safer. The author categorizes platforms into four architectures — stitched portfolios, data aggregators, single-domain specialists, and integrated platforms — and highlights practical limits of each. Five evaluation questions (coverage depth, cross‑environment path mapping, exploitability validation, control modeling, and business‑aware prioritization) reveal what a product can truly deliver. The piece argues that only integrated platforms that build a digital twin, validate exploits, and factor in controls can reliably show that you are actually safer.
read more →

One in Four Healthcare Organizations Hit by Device Attacks

🏥 A new RunSafe Security index found that 24% of healthcare organizations experienced cyber-attacks affecting medical devices in the past year, with 80% of those incidents causing moderate or significant patient impact, from delayed imaging to interruptions in critical care. The survey of 551 professionals across the US, UK and Germany shows growing integration of security into procurement—82% deploying runtime exploit protection and 84% including cyber requirements in vendor RFPs—yet legacy devices remain a major exposure.
read more →

March 2026 TTC Update: New Cloud Persistence and Risk

🔒 The AWS Customer Incident Response Team (AWS CIRT) released the March 2026 update to the Threat Technique Catalog for AWS, adding three new entries that address identity abuse, persistence, infrastructure destruction, and privilege escalation. The update highlights concrete, real-world techniques — Cognito refresh token abuse, AMI deregistration, and misuse of UpdateAssumeRolePolicy — that let attackers hide in legitimate operations. Each entry includes detection guidance and straightforward mitigations you can apply today, such as enabling refresh token rotation, protecting AMIs with Recycle Bin retention rules, and monitoring trust-policy changes.
read more →

Talos Year in Review: Five Priorities for Defenders

🔐 Cisco Talos’ Year in Review, authored by Hazel Burton, highlights how lower barriers to attack and rapid proof-of-concept development are stressing defenders. The report shows attackers increasingly rely on valid accounts, credential abuse, and management-plane targets while still producing detectable anomalous behavior. Recommended priorities include hardening IAM, prioritizing patching by exposure, improving visibility into legacy components, and securing systems that broker trust.
read more →

Inside an OPSEC Playbook: How Actors Evade Detection

🔍 Flare researchers examined a recent forum post in which a threat actor details a structured OPSEC framework aimed at sustaining high-volume carding operations while avoiding detection. The actor prescribes a three-tier architecture—public, operational, and extraction layers—with strict identity compartmentalization, residential IP rotation, and isolated cashout channels. The post highlights recurring failures like identity reuse, metadata leakage, and weak anti-fingerprinting, and recommends resilience measures such as time-delayed triggers and dead man's switches. For defenders, it underscores the need to link cross-platform identities, evolve behavioral detection, and monitor the full attack chain.
read more →

Secure Data Movement Is the New Zero Trust Priority

🔒 New Cyber360 research shows the overlooked Zero Trust gap is not identity or endpoints but the movement of data across boundaries. The survey of 500 government, defense, and critical services leaders found 84% see cross-network data sharing as a heightened cyber risk and 53% still use manual transfer processes. That mismatch creates an attack surface as AI accelerates operations; layered approaches combining Zero Trust, data-centric controls, and cross-domain technologies are recommended for secure, near-real-time sharing.
read more →

Stopping AiTM Phishing: Defenses After Authentication

🛡️ AiTM phishing evades credential theft by intercepting session tokens after legitimate logins, rendering stronger passwords and many MFA approaches insufficient on their own. While FIDO2 and passkeys reduce exposure at the authentication step, session cookies remain bearer tokens that can be replayed. The article recommends three practical controls—bind sessions to managed devices, monitor post-authentication anomalies, and shorten high-value session lifetimes—combined with targeted user guidance to stop attackers from exploiting captured sessions.
read more →

NCSC: Bad SOC Metrics Undermine Detection and Response

🔍 The UK National Cyber Security Centre (NCSC) cautions that many common SOC metrics are misleading and can actively harm security operations if used or reported externally. CTO Dave Chismon argues that only time to detect/time to respond (TTD/TTR) reliably demonstrates SOC effectiveness, while metrics such as ticket counts, closure times, rule counts or raw log volume create perverse incentives. He recommends red and purple team exercises to assess TTD/TTR, and suggests internal, non-public metrics — hypothesis-led hunting, strict false-positive thresholds, log coverage, tooling expertise and analyst engagement — to monitor week-by-week health without driving the wrong behaviours.
read more →

FTC: Americans Lost Over $2.1B to Social Media Scams in 2025

📢 The FTC reports Americans lost more than $2.1 billion to social media scams in 2025, an eightfold increase since 2020. Facebook accounted for the largest share of reported losses across most age groups, while WhatsApp and Instagram trailed. The agency warns scammers exploit hacked accounts, targeted posts, and paid ads to reach victims at scale. Meta removed millions of scam ads and accounts and rolled out new warnings and protections.
read more →