All news in category "Threat and Trends Reports"
Tue, September 23, 2025
RainyDay, Turian and PlugX Variant Abuse DLL Hijacking
🛡️ Cisco Talos describes an ongoing campaign in which Naikon-linked actors abused DLL search order hijacking to load multiple backdoors, including RainyDay, a customized PlugX variant and Turian. The report highlights shared loaders that decrypt their payloads with XOR and RC4 using the same keys across families, followed by a three-stage unpacking chain: XOR, then RC4, then RtlDecompressBuffer. Talos notes the PlugX variant adopts a RainyDay-style configuration and includes embedded keylogging and persistence, with activity observed since 2022 targeting telecom and manufacturing organizations in Central and South Asia. Talos published IOCs and recommended mitigations for detection and prevention.
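The unpacking chain above, as an added worked example (not Talos code and not taken from the malware): a small Python routine that peels the XOR layer, then the RC4 layer, and hands the result to a pluggable decompressor standing in for RtlDecompressBuffer. The keys, the sample payload and the assumption that the compression format is LZNT1 (COMPRESSION_FORMAT_LZNT1 = 2) are illustrative; the Windows-only ctypes helper is included so the same script can be run on-box against a real blob.

```python
"""Added example: reverse an XOR -> RC4 -> RtlDecompressBuffer loader chain.
Keys and sample payload below are constructed for illustration."""
from typing import Callable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypt and decrypt are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, the first layer the loader strips."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rtl_decompress_lznt1(data: bytes, max_out: int = 0x100000) -> bytes:
    """Windows-only: call ntdll!RtlDecompressBuffer. Assumes LZNT1 (format 2),
    which is an assumption of this example, not a detail stated by Talos."""
    import ctypes
    from ctypes import wintypes
    ntdll = ctypes.WinDLL("ntdll")
    out = ctypes.create_string_buffer(max_out)
    final = wintypes.ULONG(0)
    status = ntdll.RtlDecompressBuffer(wintypes.USHORT(2), out, max_out,
                                       data, len(data), ctypes.byref(final))
    if status != 0:
        raise OSError(f"RtlDecompressBuffer NTSTATUS {status & 0xFFFFFFFF:#010x}")
    return out.raw[:final.value]


def unpack(blob: bytes, xor_key: bytes, rc4_key: bytes,
           decompress: Optional[Callable[[bytes], bytes]] = None) -> bytes:
    """Reverse the chain: XOR first, RC4 second, decompression last.
    Pass decompress=rtl_decompress_lznt1 on Windows; off-box, leave it None
    and the RC4 output (still compressed for a real sample) is returned."""
    stage1 = xor_layer(xor_key, blob)
    stage2 = rc4(rc4_key, stage1)
    return decompress(stage2) if decompress else stage2


def pack(payload: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """Apply the inverse chain (without compression) to build a test blob."""
    return xor_layer(xor_key, rc4(rc4_key, payload))


# Constructed sample: a fake config blob and two made-up keys.
SAMPLE_XOR_KEY = bytes.fromhex("5a")
SAMPLE_RC4_KEY = b"sharedkey"
SAMPLE_PAYLOAD = b"c2=203.0.113.10:443;sleep=30;mutex=Global\\x"
SAMPLE_BLOB = pack(SAMPLE_PAYLOAD, SAMPLE_XOR_KEY, SAMPLE_RC4_KEY)

if __name__ == "__main__":
    print(unpack(SAMPLE_BLOB, SAMPLE_XOR_KEY, SAMPLE_RC4_KEY))
```

When hunting for the shared loaders, the useful property is that identical keys mean the first bytes of every decrypted stage are predictable across samples; a YARA rule or a memory scan can key off the post-XOR or post-RC4 bytes rather than the packed blob.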
Tue, September 23, 2025
Data Loss Rises Despite Increased Security Spending
🔒 The 2025 Data Security Report from Fortinet and Cybersecurity Insiders finds that data loss is increasing even as organizations shift to programmatic approaches and boost budgets for insider risk and data protection. Legacy DLP tools, designed for perimeter-era environments, lack visibility into employee interactions across SaaS, cloud, and generative AI, and they fail to provide the context needed to separate accidents from real threats. The report urges adoption of behavior-aware, unified platforms—such as FortiDLP integrated with identity and activity telemetry—to turn alerts into actionable risk narratives and reduce costly insider incidents.
Tue, September 23, 2025
2025 DORA Report: AI-assisted Software Development
🤖 The 2025 DORA Report synthesizes survey responses from nearly 5,000 technology professionals and over 100 hours of qualitative data to examine how AI is reshaping software development. It finds AI amplifies existing team strengths and weaknesses: strong teams accelerate productivity and product performance, while weaker teams see magnified problems and increased instability. The report highlights near-universal AI adoption (90%), widespread productivity gains (>80%), a continuing trust gap in AI-generated code (~30% distrust), and recommends investment in platform engineering, user-centric workflows, and the DORA AI Capabilities Model to unlock AI’s value.
Tue, September 23, 2025
AI Growth Fuels Surge in Hardware and API Vulnerabilities
🛡️ Bugcrowd's annual "Inside the Mind of a CISO 2025: Resilience in an AI-Accelerated World" report warns that rapid, AI-assisted development is expanding the attack surface and exposing foundational weaknesses. Published September 23, the study links faster release cycles to gaps in access control, data protection and hardware security, and highlights rising API and network vulnerabilities. It calls for continuous offensive testing and collective intelligence to mitigate escalating risks.
Tue, September 23, 2025
Lean Security Teams Elevate Risk from Hardcoded Secrets
🔒 As organizations shrink and security teams tighten, hardcoded secrets have become a critical, costly blind spot that manual processes can no longer manage. The article cites rising credential-driven breaches, a 292‑day average containment window, and steep financial impacts when secrets are exposed. It contends that precision remediation — contextual ownership, integrated workflows, and automated rotation — is essential to reduce remediation from weeks to hours and to curb analyst overhead. GitGuardian is presented as an example of this targeted remediation approach.
Tue, September 23, 2025
Attacker Breakout Time Drops to 18 Minutes, ReliaQuest
🔒 ReliaQuest's Threat Spotlight (June–August 2025) reports that average attacker breakout time, the interval from initial access to lateral movement, has fallen to 18 minutes, with one Akira incident taking just six minutes. The vendor warns adversaries are becoming faster and more adept at bypassing endpoint protections, noting that the share of ransomware intrusions abusing SMB rose from 20% to 29%. Drive-by compromise was the leading initial access vector at 34%, and USB-based malware, notably Gamarue, is resurging where policy enforcement is weak and endpoint controls are inconsistent.
Tue, September 23, 2025
Essential Security Tools Every Organization Should Deploy
🔐 Security leaders face a shifting threat landscape, tighter regulation, and increasing IT complexity, so a well-integrated toolset is essential. The article outlines 13 core solution categories — from XDR, MFA and IAM to DLP, CASB, backup/DR and AI‑SPM — and explains how each strengthens detection, access control, data protection and recovery. Emphasis is placed on integration, automation and real-time response to reduce manual verification and satisfy compliance and cyberinsurance requirements.
Mon, September 22, 2025
Operation Rewrite: BadIIS SEO Poisoning Campaign in Asia
🔍 Unit 42 uncovered Operation Rewrite, a March 2025 SEO poisoning campaign that deploys a native IIS implant called BadIIS to manipulate search engine indexing and redirect users to attacker-controlled scam sites. The implant registers request handlers, inspects User‑Agent and Referer headers, and proxies malicious content from remote C2 servers. Variants include lightweight ASP.NET page handlers, a managed .NET IIS module, and an all-in-one PHP front controller. Organizations can detect and block activity with Palo Alto Networks protections and should engage incident responders if compromised.
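The header-driven behaviour described above (content decided by User-Agent and Referer) leaves a trace in ordinary IIS logs. As an added example, not Unit 42 code and not a published detection, here is a heuristic pass over IIS W3C log lines that flags two patterns: a URL whose response status for search-engine crawlers never overlaps with what browsers receive, and browsers that arrive from a search engine and are immediately redirected. The log lines, IPs and paths are constructed; the crawler and search-engine patterns are assumptions you would tune to your own traffic.

```python
"""Added example: spot SEO-cloaking behaviour in IIS W3C logs.
All log lines below are constructed for illustration."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed crawler and search-engine patterns; extend for your environment.
CRAWLER_RE = re.compile(r"googlebot|bingbot|baiduspider|yandexbot|duckduckbot", re.I)
SEARCH_REF_RE = re.compile(r"^https?://([\w-]+\.)*(google|bing|baidu|yandex|duckduckgo)\.", re.I)

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-03-12 08:00:01 10.0.0.5 GET /products/offer.html - 443 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 12
2025-03-12 08:00:09 10.0.0.5 GET /products/offer.html - 443 - 198.51.100.3 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/124.0 https://www.google.com/ 302 0 0 3
2025-03-12 08:00:15 10.0.0.5 GET /products/offer.html - 443 - 198.51.100.9 Mozilla/5.0+(Macintosh)+Safari/605.1 - 404 0 2 2
2025-03-12 08:01:00 10.0.0.5 GET /about.html - 443 - 66.249.66.1 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 0 0 8
2025-03-12 08:01:04 10.0.0.5 GET /about.html - 443 - 198.51.100.3 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/124.0 https://www.google.com/ 200 0 0 7
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text using its own #Fields: header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def analyze(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (finding_type, uri, detail) tuples for suspicious behaviour."""
    findings: List[Tuple[str, str, str]] = []
    by_uri: Dict[str, Dict[str, set]] = defaultdict(lambda: {"crawler": set(), "browser": set()})
    for r in rows:
        ua = r["cs(User-Agent)"].replace("+", " ")  # IIS encodes spaces as '+'
        ref = r["cs(Referer)"]
        status = r["sc-status"]
        uri = r["cs-uri-stem"]
        kind = "crawler" if CRAWLER_RE.search(ua) else "browser"
        by_uri[uri][kind].add(status)
        # A real visitor coming from a search result page gets bounced away.
        if kind == "browser" and SEARCH_REF_RE.match(ref) and status.startswith("3"):
            findings.append(("search_referer_redirect", uri, r["c-ip"]))
    # Crawlers and browsers never see the same status on the same URL.
    for uri, seen in by_uri.items():
        if seen["crawler"] and seen["browser"] and seen["crawler"].isdisjoint(seen["browser"]):
            detail = f"crawler={sorted(seen['crawler'])} browser={sorted(seen['browser'])}"
            findings.append(("ua_cloaking", uri, detail))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

Both heuristics produce false positives on legitimate A/B tests and geo-redirects, so treat hits as leads to pair with a review of loaded native modules and the handler mappings in applicationHost.config rather than as verdicts.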
Mon, September 22, 2025
DORA AI Capabilities Model: Seven Levers of Success
🔍 The DORA research team introduces the inaugural DORA AI Capabilities Model, identifying seven technical and cultural capabilities that amplify the benefits of AI-assisted software development. Based on interviews, literature review, and a near-5,000‑respondent survey, the model highlights priorities such as clear AI policies, healthy and AI-accessible internal data, strong version control, small-batch work, user-centricity, and quality internal platforms. The guidance focuses on practices that move organizations beyond tool adoption to measurable performance improvements.
Mon, September 22, 2025
Why Phishing Is Moving Beyond Email Delivery: Risks
🔗 Phishing attacks are increasingly delivered outside traditional email — via social media, instant messaging, SMS, malvertising and in‑app messengers — making mail gateways insufficient. Attackers now send links from compromised accounts, targeted ads or SaaS messages and use fast‑rotating domains and advanced Attacker‑in‑the‑Middle (AitM) kits that obfuscate JavaScript and the DOM to evade network detection. Organizations often rely on user reports and URL blocking, but these approaches fail against rapid domain churn and client‑side stealth. Vendors such as Push Security propose browser‑level detection that monitors real‑time page behavior to identify AitM, session hijacking and credential theft.
Mon, September 22, 2025
Nimbus Manticore Expands into Europe Targeting Defense
🛡️ Check Point Research reports that Iranian-linked threat actor Nimbus Manticore is expanding operations into Europe, focusing on the defense, telecom and aerospace sectors. The group uses fake job portals and targeted spear‑phishing to deliver malicious files disguised as hiring materials while impersonating prominent aerospace firms. Evolving toolsets such as MiniJunk and MiniBrowse enable stealthy data theft and persistent access, consistent with intelligence-collection objectives linked to IRGC priorities.
Mon, September 22, 2025
Security Implications of Quantum Computing for CISOs
🔐 Quantum computing poses a long-term threat to public-key cryptography, with the potential to break RSA, ECC and Diffie-Hellman once scalable quantum machines exist. Although practical attacks on RSA-2048 are commonly estimated to be eight to fifteen years away, organizations with long-lived confidential data must act now. CISOs should begin a crypto-agility assessment, engage vendors about post-quantum cryptography, and brief leadership and boards to build a migration roadmap.
Mon, September 22, 2025
Weekly Recap: Chrome 0-day, AI Threats, and Supply Chain Risk
🔒 This week's recap highlights rapid attacker innovation and urgent remediation: Google patched an actively exploited Chrome zero-day (CVE-2025-10585), while researchers demonstrated a DDR5 RowHammer variant that undermines TRR protections. Dual-use AI tooling and model namespace reuse risks surfaced alongside widespread supply-chain and phishing disruptions. Defenders should prioritize patching, harden model dependencies, and monitor for stealthy loaders.
Mon, September 22, 2025
CSO Awards: Security Innovation and Transformative Work
🔒 CSO highlights seven award-winning security initiatives that showcase practical innovation across vulnerability management, third-party risk, multicloud security, secure coding, threat detection, and AI-driven hunting. Profiles include BMHCC’s risk-based remediation delivering a 70% risk reduction, FSU’s tighter vendor assessments, Marvell’s unified cloud vulnerability platform, and Mastercard’s developer-focused security conference. The pieces emphasize automation, AI, and cross-team collaboration as key drivers of measurable security impact.
Fri, September 19, 2025
FBI warns of fake IC3 portals used by scammers online
⚠️ The FBI warns that cybercriminals are creating spoofed versions of the Internet Crime Complaint Center (IC3) website to harvest personally identifiable information and facilitate financial scams. The agency noted over 100 reports between December 2023 and February 2025, prompting a public service announcement, and flagged domains that mimic ic3.gov. Users are advised to type www.ic3.gov directly, avoid sponsored search results, never share sensitive data, and remember that the FBI will never ask for payment to recover funds.
Fri, September 19, 2025
Lighthouse and Lucid PhaaS Linked to 17,500 Phishing Domains
🔍 Netcraft reports that the PhaaS platforms Lucid and Lighthouse are linked to more than 17,500 phishing domains impersonating 316 brands across 74 countries. Lucid, first documented by PRODAFT in April, supports smishing via Apple iMessage and RCS and is tied to the Chinese-speaking XinXin group. Both services offer customizable templates, real-time victim monitoring, and granular targeting controls (User-Agent, proxy country, configured paths) that restrict access to intended victims. Lighthouse subscriptions run from $88 per week to $1,588 per year, underscoring the commercial scale of these offerings.
Fri, September 19, 2025
Ransomware Still Evades Defenses Despite Protections
🔒 Picus Security's Blue Report 2025 shows ransomware continues to outpace defenses: overall prevention fell from 69% to 62% year-over-year, while data exfiltration prevention collapsed to just 3%. Both established families (BlackByte, BabLock, Maori) and emerging strains (FAUST, Valak, Magniber) bypass controls using credential theft, fileless techniques and staged execution. Picus recommends continuous Breach and Attack Simulation (BAS) to validate controls, deliver actionable fixes, and provide measurable evidence of readiness.
Fri, September 19, 2025
NFT Security Handbook: Avoiding Wallet Drains and Scams
🛡️ The article warns NFT buyers about practical security risks that can turn valuable tokens into worthless assets. It describes attacks such as metadata manipulation and centralized storage that permit creators to change or remove artwork after sale, and marketplace scams that exploit currency symbols and interface design. The piece highlights phishing vectors including Discord takeovers and malicious airdrops, and recommends defenses like multi-wallet segregation, the five-minute rule, and regular permission audits.
Fri, September 19, 2025
Surveying the Global Spyware Market: 2024 Investment Shifts
🔍 The Atlantic Council’s second annual report, Mythical Beasts, maps the global spyware market and documents a substantial uptick in US-based investors in 2024, which made the United States the largest investor in this sampled dataset despite ongoing policy actions. The authors also emphasize the opaque, central role of resellers and brokers, whose intermediary activity obscures vendor–buyer ties and complicates oversight. Overall, the report highlights a clear enforcement and transparency gap and urges targeted research and coordinated policy responses.
Fri, September 19, 2025
Gamaredon and Turla Collaboration Targets Ukraine in 2025
🚨 ESET Research reports the first observed collaboration between Gamaredon and Turla in Ukraine, with telemetry from February to June 2025 showing Gamaredon tools used to deliver and restart Turla’s Kazuar implants. ESET assesses with high confidence that Gamaredon provided initial access and delivery channels while Turla selectively deployed advanced Kazuar implants on higher‑value hosts. The analysis details multiple infection chains involving PteroGraphin, PteroOdd and PteroPaste, and includes technical indicators and remediation guidance.