All news in category "Threat and Trends Reports"

Responding to Cloud Incidents: Investigation and Recovery

🔍 Unit 42 outlines a structured approach to investigating and responding to cloud incidents, noting that 29% of 2024 incident investigations involved cloud or SaaS environments. The guidance emphasizes a shift from endpoint-centric forensics to focus on identities, misconfigurations and service interactions. It recommends enabling and centralizing logs, retaining them for at least 90 days, and preparing for rapid evidence collection and VM/container imaging. The article stresses identity forensics, behavioral baselining and surgical containment to avoid alerting adversaries.

Disrupting Threats Targeting Microsoft Teams Environments

🛡️ Microsoft Threat Intelligence details how adversaries exploit Microsoft Teams collaboration capabilities—chat, calls, meetings, and screen sharing—at multiple stages of the attack chain. The post chronicles 2024–2025 campaigns and toolsets (phishing, malvertising, deepfakes, device code phishing, and red‑team tool reuse) that enable initial access, persistence, and exfiltration. It emphasizes layered defenses across identity, endpoints, apps, data, and network controls, and provides detection guidance, hunting queries, and product-specific recommendations to help defenders disrupt these operations.

Cloud and Application Security: Awareness Best Practices

🔐 The 2025 State of Cloud Security Report from Fortinet and Cybersecurity Insiders highlights how accelerating cloud adoption and a widespread cybersecurity skills shortage are expanding organizational risk across SaaS, APIs, and hybrid environments. Many incidents result from human error — misconfigurations, exposed APIs, and overprivileged accounts — rather than sophisticated targeted attacks. The post recommends five practical measures, including embracing shared responsibility, enforcing MFA and least privilege, integrating security into CI/CD, automating configuration management, and monitoring SaaS and APIs, and stresses that tools must be paired with user awareness and cultural change.

From Ransom to Revenue Loss and Recovery Costs for Business

🔒 Ransomware now inflicts costs far beyond ransom payments, driving operational downtime, reputational damage, and regulatory exposure that directly erode the bottom line. The 2025 Unit 42 report shows median initial extortion demands rose to $1.25M and commonly equate to about 2% of perceived annual revenue. While roughly 48% of victims paid in 2024, Unit 42 negotiation reduced median paid demands to about 0.6% of PAR, yet attackers’ disruptive tactics increasingly amplify recovery costs. Strengthening backups, segmentation, and an incremental zero trust posture are key to limiting impact and shortening recovery timelines.

XWorm 6.0 Returns with 35+ Plugins and Enhanced Theft

🛡️ Trellix researchers detail the return of XWorm 6.0, a modular Windows malware now supporting more than 35 in‑memory DLL plugins and expanded data-theft and persistence capabilities. The actor associated with earlier releases, known as XCoder, is of uncertain status, but v6.0—advertised on forums in June 2025—appears to address a prior RCE flaw while enabling credential theft, keylogging, screen capture, and optional ransomware. Campaigns use phishing, malicious JavaScript, LNK-based PowerShell chains, and process injection to evade detection and execute plugins directly in memory.

Hidden Text Salting: CSS Abuse in Email Threats and Evasion

🧂 Cisco Talos documents growing abuse of CSS to insert visually hidden 'salt' into emails, a technique that undermines parsing and language-detection systems. Observed across preheaders, headers, attachments and bodies between March 1, 2024 and July 31, 2025, attackers use CSS properties (font-size, opacity, display, clipping) and zero-width characters to conceal irrelevant content. Talos recommends detection plus HTML sanitization and filters—examples include Cisco Secure Email Threat Defense—to strip or ignore invisible content before downstream analysis.

Why Successful Businesses Are Built on Cyber Protection

🔒 Company leaders must treat cyber risk as a strategic priority rather than a discretionary cost. The piece highlights a persistent budget-perception gap between CISOs and boards and notes SMBs often remain reactive, prioritizing firefighting over prevention. It cites high-profile breaches and the IBM Cost of a Data Breach to quantify losses and recommends technologies such as SIEM and SOAR, alongside governance measures like board oversight and appointed CISOs. Practical advice stresses framing security as business risk, using financial metrics, and reporting regularly to embed security-by-design.

XWorm Backdoor Returns with Ransomware and 35+ Plugins

🛡️ New variants of the XWorm backdoor (6.0, 6.4, 6.5) are being distributed via phishing campaigns after the original author, XCoder, abandoned the project. Multiple operators have adopted these builds, which now support more than 35 plugins enabling data theft, remote control, and a ransomware module that encrypts user files and drops HTML ransom notes. Trellix observed diverse droppers and recommends layered defenses including EDR, email/web protections, and network monitoring.

Weekly Cyber Recap: Oracle 0-Day, BitLocker Bypass

🛡️Threat actors tied to Cl0p exploited a critical Oracle E-Business Suite zero-day (CVE-2025-61882, CVSS 9.8) to steal large volumes of data, with multiple flaws abused across patched and unpatched systems. The week also spotlights a new espionage actor, Phantom Taurus, plus diverse campaigns from WordPress-based loaders to self-spreading WhatsApp malware. Prioritize patching, strengthen pre-boot authentication for BitLocker, and increase monitoring for the indicators associated with these campaigns.

Palo Alto Login Portal Scanning Spikes 500% Globally

🔍 Security researchers observed a roughly 500% surge in reconnaissance activity targeting Palo Alto Networks login portals on October 3, when GreyNoise recorded about 1,300 unique IP addresses probing its Palo Alto Networks Login Scanner tag versus typical daily volumes under 200. Approximately 91% of the IPs were US-based and 93% were classed as suspicious, with 7% confirmed malicious. GreyNoise also reported parallel scanning of other remote-access products including Cisco ASA, SonicWall, Ivanti and Pulse Secure, and noted shared TLS fingerprinting and regional clustering tied to infrastructure in the Netherlands. Analysts will continue monitoring for any subsequent vulnerability disclosures.

Ransomware and Phishing Threats Escalate for German SMEs

🔒 German SMEs face a sharp rise in ransomware and data-exfiltration incidents, with leak-site publications more than quadrupling from 2021 to 2024. Authorities report that 80% of analyzed ransomware incidents targeted small and medium-sized enterprises, often using double extortion. Attackers favor targeted phishing—executives receive on average 57 such attempts yearly—and many firms lack adequate defenses amid staffing shortages and overly complex security stacks.

Beware of threats lurking in booby-trapped PDF files

📄 PDF files are a ubiquitous, convenient format that cybercriminals increasingly abuse as lures, with ESET telemetry placing PDFs among the top malicious attachment types. Attack techniques include embedded scripts, hidden links, malformed objects that exploit reader vulnerabilities, and files that merely masquerade as .pdf while actually being executables or archives. Verify sender context, enable Protected View or sandboxing, consider disabling JavaScript in your PDF reader, and scan or sandbox suspicious attachments before opening; when in doubt, confirm via a separate channel.

Ten Essential Physical Security Measures for CISOs

🔒 Chief information security officers (CISOs) play a strategic role in physical security when systems such as badges, keycards and video surveillance are tied to IT and grant access to critical assets. This article outlines ten essential measures—from hardening data centers and mapping physical–cyber connections to securing IoT and surveillance systems—that CISOs should coordinate with facilities, legal and physical security teams. Implementing these controls reduces risk and supports incident response and compliance.

Surge in Scans Targeting Palo Alto Network Login Portals

🔍 GreyNoise has observed a roughly 500% rise in IP addresses scanning Palo Alto Networks login portals, primarily emulating GlobalProtect and PAN-OS profiles. Activity peaked on October 3 with more than 1,285 unique IPs—typical daily scans are usually under 200—while most sources were geolocated to the United States with smaller clusters in the UK, Netherlands, Canada, and Russia. GreyNoise classified 91% of the IPs as suspicious and 7% as malicious, noting clusters with distinct TLS fingerprints and warning this reconnaissance could precede exploitation attempts; administrators should verify device exposure and monitoring.

Spike in Scanning Targets Palo Alto Login Portals Globally

🔍 GreyNoise observed a nearly 500% surge in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, jumping from about 200 to roughly 1,300 unique IPs. The firm classified 93% of those IPs as suspicious and 7% as malicious, with most activity geolocated to the U.S. and smaller clusters in the U.K., the Netherlands, Canada and Russia. GreyNoise noted the traffic was targeted and structured and shared a dominant TLS fingerprint with recent Cisco ASA scans.

Rhadamanthys Stealer Adds Fingerprinting, PNG Steganography

🛡️ Check Point researchers report that the Rhadamanthys information stealer (v0.9.2) has been updated to collect extensive device and browser fingerprints and to deliver payloads via steganography embedded in WAV, JPEG and PNG files. The operator—initially known as kingcrete2022 and now marketing as RHAD security/Mythical Origin Labs—offers the malware as a tiered MaaS product with subscription plans and enterprise options. The sample includes sandbox-evasion checks, an embedded Lua runner for plugins, obfuscated configurations, and a PNG-based payload decryption step that requires a shared secret.

Manufacturing Under Fire: Strengthening Cyber Defenses

🔒 Manufacturers face growing, targeted cyber threats driven by legacy OT, complex supply chains, and high-value IP. Attackers increasingly use credential theft, social engineering and sophisticated malware to achieve prolonged access, data theft and ransomware extortion that can halt production and ripple across partners. Building resilience with MFA, prompt patching and continuous detection such as MDR — offering 24/7 threat monitoring, expert hunting and rapid containment — reduces downtime and strengthens supply chain security while aligning with Zero Trust principles.

Fake CISO Job Offer Used in Long-Game 'Pig-Butchering' Scam

🔒 A seasoned US CISO was targeted in a months-long pig-butchering scam that used a fabricated recruitment process posing as Gemini Crypto, including LinkedIn outreach, SMS, WhatsApp messages and a likely deepfaked video interview. The attackers groomed the target from May–September 2025, offered a fictitious CISO role, and asked him to buy $1,000 in crypto on Coinbase as "training." The candidate declined, documented the exchange, and warned peers; analysts say these long-game social engineering campaigns and malware-laced "test" assignments are increasingly common and financially damaging.

HackerOne Pays $81M in Bug Bounties, AI Flaws Surge

🛡️ HackerOne paid $81 million to white-hat hackers over the past 12 months, supporting more than 1,950 bug bounty programs and offering vulnerability disclosure, penetration testing, and code security services. The top 100 programs paid $51 million between July 1, 2024 and June 30, 2025, and the top 10 alone accounted for $21.6 million. AI-related vulnerabilities jumped over 200%, with prompt injection up 540%, while 70% of surveyed researchers reported using AI tools to improve hunting.

New MatrixPDF Phishing Technique Targets Gmail Users

📄 Researchers at Varonis have identified a sophisticated phishing toolkit called MatrixPDF that embeds prompts, JavaScript, and external redirects inside seemingly legitimate PDF files to target Gmail users. Attackers exploit Gmail's preview and desktop PDF readers: a blurred preview displays a prompt to 'open secure document' that directs victims to external payloads, while embedded scripts can fetch malware if a user grants permission. Because the malicious content is only retrieved after user interaction, Gmail's automated scanners and attachment sandboxes can be bypassed. Security experts recommend stronger webmail controls, robust attachment sandboxing, endpoint detection, and frequent, realistic user awareness training.