< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1639 articles · page 2 of 82

SkillCloak research shows scanners can be bypassed

🛡️ Researchers at the Hong Kong University of Science and Technology show that simple file-level transformations and packing tricks can let malicious AI coding agent "skills" evade existing static scanners while still executing normally. Their tool, SKILLCLOAK, fooled multiple marketplace scanners over 80–99% of the time, while a runtime sandbox, SKILLDETONATE, detected most evasions at the cost of slower analysis. The study highlights active real-world abuse, practical mitigation ideas, and the need to move trust decisions to behavior observed at execution time.
read more →

SMB Cyber Readiness: Prioritize the Fundamentals

🔒 AI is reshaping attacker toolkits, but familiar failures—phishing, unpatched vulnerabilities, poor monitoring and weak passwords—remain the primary causes of incidents for SMBs. ESET telemetry and research show AI mainly amplifies these risks rather than replacing them with pervasive, real-time AI malware. Practical mitigations like patch management, identity protection, MFA, password managers and MDR services remain the most effective ways to improve readiness and resilience.
read more →

Flock’s Vehicle Fingerprinting Enables Plateless Surveillance

🚨 A 2024 company presentation reveals that Flock uses a so-called “Vehicle Fingerprint” combining decals, bumper stickers, racks and temporary tags to identify cars when license plates are incomplete or absent. The system enables officers to search that dataset, perform multi-geo queries and locate vehicles believed to be traveling together. Bruce Schneier notes this capability echoes older surveillance practices and warns that similar outcomes are possible with broad access to cell phone location data.
read more →

Board Games Sharpen Cybersecurity Intuition

🎲 The Threat Source newsletter draws a connection between learning board games and developing cybersecurity skills, arguing that games sharpen pattern recognition, intuition, and adaptive thinking. The piece highlights how diverse games—from Ticket to Ride to Go—teach strategy, breaking habits, and embracing failure as a learning tool. It also summarizes Talos research on the ARToken phishing-as-a-service panel and recent threat trends affecting Microsoft 365, AI agents, and RMM vulnerabilities.
read more →

ConsentFix and ClickFix: Microsoft 365 hijacks

🔒 Modern phishing variants like ClickFix and the newer ConsentFix convert routine user actions into account takeover opportunities. Attackers trick victims into executing keyboard shortcuts or dragging callback links, which hands over OAuth tokens and session access to Microsoft 365 services without passwords or MFA bypass. The technique relies on familiar workflows and readily available tooling, with public sharing of blueprints lowering the barrier to entry.
read more →

NCSC guidance to frustrate penetration testers

🔒 The NCSC asked pen testers what makes their work harder and published recommendations to boost organisational resilience. Responses emphasise secure-by-design practices—like threat modelling, phishing-resistant MFA, avoiding hard-coded credentials, and early input validation—alongside network segmentation and strong OT/IT separation. The guidance also highlights the critical role of quality logging, monitoring and exercised incident response to detect and respond to intrusions.
read more →

2026 Exposure Gap Report: Rising Vulnerability Risk

🔍 The 2026 Exposure Gap Report reveals that vulnerabilities now account for 42.6% of critical exposure, up from 18.7% in 2025, shifting the focus of risk across connected environments. Only 7.8% of vulnerability alerts are validated as exploitable and classified as Critical or High, highlighting the need for context-aware prioritization. The report emphasizes validation, asset criticality, and evidence of exploitation to narrow large alert volumes into actionable priorities. Teams that apply consistent validation and filtering can close the exposure gap more effectively and prioritize remediation where it matters.
read more →

Risks and Safeguards for AI API Proxy Aggregators

🔒 As organizations adopt AI more broadly, third-party API proxies and aggregators promise convenience, cost savings, and failover between models. Some providers operate transparently, but many exploit forged or stolen accounts, reroute queries to cheaper models, and capture or manipulate prompts and outputs. These practices expose firms to data leakage, IP loss, compliance violations, and security threats such as injected malicious code or reduced model accuracy.
read more →

AI-generated browser ransomware risk emerges

🛡️ Researchers warn of an AI-generated Python web app, attributed to DeepSeek, that demonstrates a practical in-browser ransomware and information-stealing toolkit affecting Chromium-based browsers on Windows and Android. The sample, named InfernoGrabber v9.0, uses a phishing decoy to gain File System Access API permissions, then enumerates, exfiltrates, encrypts files, and displays a ransomware note without installing native payloads. Check Point highlights the lowered expertise barrier as LLMs can now independently surface viable attack paths.
read more →

2026 Cybersecurity Assessment Reveals Resilience Gap

🔍 The 2026 Bitdefender Cybersecurity Assessment surveyed 1,200 IT and security professionals across six countries and found striking contradictions between awareness and operational resilience. Leaders often overestimate visibility into AI use, while frontline staff report gaps. Organizations agree reducing the attack surface is critical but face policy, resource, and disruption concerns. Many report pressure to conceal breaches despite acknowledging the importance of transparency.
read more →

AI-enabled browser ransomware risk on Android

🛡️ Check Point Research discovered a Python Flask sample where an AI model connected a legitimate browser API to ransomware-like behavior. The model generated code invoking showDirectoryPicker(), leveraging the File System Access API to request folder access and modify files without installation. A proof-of-concept showed how a fake web app could encrypt photos in a chosen directory, and Android Chrome’s full API support makes DCIM access possible. Defenders should scrutinize folder-access prompts, avoid granting write access to primary photo libraries, and rely on anti-phishing controls to block malicious pages.
read more →

Phantom squatting: AI-hallucinated domains abused

🛡️ Palo Alto Networks' Unit 42 warns attackers are registering AI-hallucinated domains and using them for phishing and malware distribution. The report shows models invent millions of links, many unregistered, and attackers are preemptively purchasing and cloning brand sites. Because new domains lack reputation data, they evade blocklists until damage is done. Unit 42 documents several real-world cases and offers mitigation steps for defenders and users.
read more →

Detection engineering rises as a core SOC capability

🔍 Detection engineering has moved from a niche role to a strategic imperative for many organizations, focused on building tailored, behavior-driven alerts that reduce false positives and improve response. It emphasizes threat modeling, SDLC/CI-CD practices, and integration of threat intelligence to craft detections specific to an organization’s environment. A SANS-Anvilogic survey found broad investment and leadership support, while AI and automation are increasingly used to tune rules and scale workflows.
read more →

Phantom Squatting: LLMs Enabling Web Domain Attacks

🛡️ Unit 42 found that large language models (LLMs) commonly hallucinate plausible web domains for real brands, and adversaries are registering these nonexistent domains to intercept AI-generated traffic. This phenomenon, called phantom squatting, poses a supply chain risk and was observed across multiple sectors. Researchers predicted adversary registrations 18–51 days in advance and discovered over 13,229 malicious URLs plus ~250,000 unregistered hallucinated domains.
read more →

Monthly security roundup — June 2026 highlights

🔍 ESET Chief Security Evangelist Tony Anscombe reviews key cybersecurity stories from June 2026, assessing implications for defenders. He covers new CISA vulnerability patching rules, attacks on Internet-exposed automatic tank gauge (ATG) systems, rising imposter-scam losses reported by the FTC, and proposed UK and Canada social media bans for under-16s. Tony outlines lessons for organizations beyond federal agencies and practical steps to reduce risk.
read more →

Study: 282 iOS Apps Expose LLM API Keys in Traffic

🔍 Researchers tested 444 iPhone AI chatbot apps and found 282 leaking paid AI access via network traffic, often as plaintext keys, reusable tokens, or unsecured backend relays. The team used a tool called LLMKeyLens to capture credentials without jailbreaking. Only 28% of affected apps were fixed after three months; many tokens remained valid and susceptible to costly misuse.
read more →

ClickFix Emerges as Dominant Malware Delivery Method

🔒 Analysis by ReliaQuest shows the ClickFix social engineering technique dominated malware delivery from March to May 2026. ClickFix tricks users into pasting attacker-supplied commands into trusted dialogs like Run, Terminal, or Script Editor, allowing payloads such as infostealers to execute while evading many defenses. The method has been used to deliver Windows malware and, notably, to deploy AMOS/Atomic Stealer to macOS via Script Editor. ReliaQuest urges equal monitoring for macOS and recommends user training and administrative restrictions to mitigate ClickFix risks.
read more →

Pre-positioned cyber threats around FIFA 2026 event

⚠️ Check Point Research found that cybercriminals pre-built and partially deployed fraud infrastructure targeting FIFA World Cup 2026 before the June 11 kickoff, focusing on financial services, transportation, hospitality, and gambling. Pre-tournament research highlighted weak DMARC enforcement among partners, a 60x surge in fake sportsbook apps concentrated on Google Play, and large volumes of lookalike travel and hotel domains created two months prior. Check Point's exposure, brand protection, and dark web monitoring capabilities flagged the activity and report rapid remediation metrics.
read more →

How to Recognize Social Engineering Attacks

🔍 Social engineering exploits human emotions and urgency to trick people into sharing data or taking harmful actions. This article explains common psychological tactics scammers use, such as panic, authority impersonation, guilt, and manufactured urgency, and highlights practical red flags to watch for. It also advises verifying contacts via official channels, pausing before reacting, and seeking a second opinion to avoid manipulation.
read more →

June 2026 Threat Technique Catalog Update for AWS

🛡️ The AWS CIRT updated the Threat Technique Catalog for June 2026, adding five new entries focused on container security, organization-level trust, and compute hijacking. The update documents EKS workload modification, exploitation of public-facing Kubernetes services, sts:AssumeRoot abuse across AWS Organizations, compute hijacking in clusters, and account invitations into attacker-controlled organizations. It also refreshes three existing entries with expanded detection and mitigation guidance.
read more →