< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1641 articles · page 21 of 83

Device-code phishing attacks surge as kits spread online

🔐 Device-code phishing attacks that exploit the OAuth 2.0 Device Authorization Grant flow have surged sharply this year, driven by commodity phishing kits. Researchers report a 37.5x increase in detected pages and identify at least 11 kits, with the PhaaS offering EvilTokens the most prominent. These kits mimic legitimate SaaS flows, use anti-bot protections and cloud hosting, and trick victims into entering device codes that grant attackers valid access and refresh tokens. Security teams are advised to disable unused device-code flows and monitor authentication logs and sessions closely.
read more →

Managing Open-Source Vulnerabilities Across the Pipeline

🔒 Modern vulnerability management must go beyond scanning version numbers to encompass download policies, AI guardrails, and build-pipeline controls. Organizations should adopt a trusted internal artifact registry, rigorous component screening, and dependency pinning to reduce supply-chain and malicious-package risks. Complement these controls with enriched vulnerability intelligence, SCA, and developer training. Systematic handling of EOL or abandoned components — via migration, LTS, or compensatory controls — completes the approach.
read more →

Microsoft: Cookie-Controlled PHP Web Shells on Linux

🍪 Microsoft Defender Security Research Team warns that threat actors are increasingly using HTTP cookies as a covert control channel for PHP-based web shells on Linux servers. Instead of passing commands via URL parameters or request bodies, attackers gate execution and convey instructions through values accessible in the PHP $_COOKIE superglobal. This technique keeps malicious code dormant during normal application activity and activates only when specific cookie values are present, reducing observable indicators. Microsoft observed multiple obfuscated loaders and a cron-driven 'self-healing' persistence model that recreates loaders and minimizes forensic visibility.
read more →

Securing Physical Systems as OT Comes Online in IT Era

🔒 Operational technology (OT) is rapidly moving online, creating new cyber-physical risks as industrial control systems connect to corporate IT. In a Fortinet Brass Tacks podcast, KPMG’s Hossain Alshedoki explains how visibility, culture, and measured extension of IT controls into OT are essential. He stresses resilience over replication of IT models, and prioritizes asset discovery before automation.
read more →

Why Third-Party Risk Is the Biggest Gap in Client Security

🔒 The next major breaches are likely to originate from trusted vendors, SaaS tools, or subcontractors, expanding the enterprise perimeter beyond owned infrastructure. Cynomi's new guide argues that Third-Party Risk Management (TPRM) must evolve from an annual checkbox into a continuous, governance-grade security function driven by regulatory pressure and financial risk. With regulators like CMMC, NIS2, and DORA raising expectations, and research showing third parties factor in roughly 30% of breaches and average remediation costs near $4.91M, MSPs and MSSPs can monetize structured, tech-enabled TPRM as a repeatable, high-margin service.
read more →

Key cyber industry trends from RSA Conference 2026

🤖 RSA 2026 highlighted a rapid, industry-wide shift toward AI-driven security, with CISOs clustering into three archetypes—proactive, curious/confused, and blissfully ignorant. Vendors stressed the need to build AI foundations (data/context engines, control planes, execution layers) and then layer agents atop them. Microsoft, legacy security vendors, and AI-native startups all showcased approaches, while pricing, governance, and evolving threats remain open challenges.
read more →

Open-Source Vulnerabilities and Supply Chain Risks in AI

🛡️Open-source components are now central to modern development, but their vulnerability data, maintenance status, and supply-chain integrity are increasingly unreliable. Public vulnerability databases often lack CVSS scores, contain inconsistent metadata, and lag behind exploit availability, leaving teams to guess prioritization. Unmaintained, EOL packages persist across projects, and registries have seen sharp rises in malicious packages and automated worm-like campaigns. AI-assisted coding accelerates development but can amplify these risks by suggesting outdated or hallucinated dependencies and cannot fully remediate legacy or deep dependency flaws on its own.
read more →

Cookie-Controlled PHP Webshell Tradecraft for Linux Hosting

🔒 Threat actors are increasingly abusing HTTP cookies as a stealthy control channel for PHP webshells on Linux hosting platforms. By gating execution on specific cookie values, attackers keep loaders dormant during normal traffic and activate functionality only when exact cookie conditions are met. Variants range from multi-stage loaders that reconstruct functions at runtime to single-file interactive shells, often using base64 reconstruction and layered obfuscation to evade detection. Review Microsoft Defender guidance to detect, hunt, and mitigate these threats.
read more →

Tax Season 2026: Cybercriminals Prepare Attacks Early

🔍 Check Point Research reports that cyber criminals systematically prepared for Tax Season 2026, registering hundreds of tax‑related domains each month from September 2025 through February 2026. These prebuilt infrastructures fueled phishing campaigns, fraudulent tax portals and malware designed to harvest credentials and financial data. Organizations and individuals should prioritize domain monitoring, DNS filtering, email authentication and targeted employee training to reduce exposure.
read more →

Residential proxies bypass IP reputation in 78% of attacks

🕵️ GreyNoise analyzed 4 billion malicious sessions over three months and found residential proxies accounted for roughly 39% of traffic yet evaded IP reputation feeds in 78% of cases. Researchers say the short-lived, systematically rotated, or low-activity nature of these addresses prevents timely cataloging by reputation systems. They recommend moving from IP-based blocking to behavior-focused detection, such as spotting sequential probing and tracking device fingerprints that persist through IP rotation.
read more →

Storm infostealer exfiltrates browser and wallet data

🔒 Researchers at Varonis have uncovered Storm, a new infostealer that harvests browser credentials, session cookies and crypto wallets before exfiltrating encrypted data to attacker-controlled servers. Emerging on underground forums in early 2026 and detailed in an April 1 report by Daniel Kelley, Storm shifts decryption off-host to avoid detection and supports both Chromium and Gecko-based browsers. It operates in memory, automates session restoration using Google refresh tokens and SOCKS5 proxies, and is marketed to attackers for under $1,000 per month.
read more →

Adversaries Exploit Vacant Homes to Intercept Mail

📬 Flare analysts examined a step‑by‑step fraud tutorial showing how attackers identify and abuse vacant residential properties to intercept mail for identity theft and financial fraud. The guide recommends using real‑estate sites (Zillow, Rightmove, Zoopla) to find “drop” addresses, enrolling in services such as Informed Delivery, and filing change‑of‑address or forwarding requests with forged or purchased identities. By combining digital discovery with physical mail forwarding, actors gain persistent access to verification letters, credit cards, and financial correspondence.
read more →

Defender Guide: Hardening vCenter and ESXi Control Plane

🛡️ This guide summarizes GTIG and Mandiant research on threats targeting the vCenter Server Appliance and ESXi hypervisors, where attackers establish persistence beneath guest OS defenses. It prescribes an infrastructure-centric defense across four phases—benchmarking and base controls, identity management, vSphere network hardening, and logging/forensic visibility—emphasizing Photon OS hardening, mandatory remote telemetry, and strict network segmentation to force detectable friction.
read more →

When Attackers Become Trusted Users: Identity Threats

🔐 In this episode of the Talos Threat Perspective, Hazel Burton examines how identity is being used to gain, extend, and maintain access inside environments. Drawing on the 2025 Talos Year in Review, the video outlines how attackers target identity systems and MFA workflows, establish persistent high-trust access, and use internal phishing to move laterally. It also explores risks from over-permissioned AI agents and identity-linked access, and how adversaries blend into normal user behaviour, complicating detection and containment.
read more →

Researchers Observe Sub-One-Hour Ransomware Attacks

🔒 Halcyon warns that the Akira ransomware group can complete a full attack lifecycle in under an hour, often exploiting vulnerabilities in internet-facing VPN and backup appliances where multi-factor authentication is absent. The group supplements exploits with credential theft, spearphishing, password spraying and initial access brokers, then exfiltrates data before encryption in a double-extortion model. Akira favors stealth and living-off-the-land tools (FileZilla, WinRAR, WinSCP, RClone) to stage and encrypt data; organizations should adopt layered defenses, harden third-party access, monitor for exfiltration and deploy dedicated anti-ransomware protections.
read more →

ThreatsDay Bulletin: Pre-auth Chains and Supply-Chain Risks

📰 The ThreatsDay Bulletin highlights immediate, actionable risks including a pre-auth RCE chain in Progress ShareFile (CVE-2026-2699/CVE-2026-2701), unpatched ImageMagick zero-days enabling RCE, and novel CloudTrail evasion techniques that erase forensic visibility. It also details widespread mobile-rootkit campaigns, a sharp rise in open-source and supply-chain malware advisories, and phishing apps abusing distribution services to harvest credentials. Defenders should prioritize patching, sandboxing ingest pipelines, and hunting for signs of chained low-and-slow techniques and suspicious AWS API activity.
read more →

State of Trusted Open Source: Q1 2026 Insights & Trends

🔍 The State of Trusted Open Source report analyzes Chainguard customer usage and security data from Dec 1, 2025 through Feb 28, 2026, covering 2,200+ container image projects, 33,931 fix instances, and 377 unique CVEs. It shows AI-driven development accelerating adoption of Python and PostgreSQL, broader standardization around language ecosystems, and the rise of chainguard-base as a minimal foundation. Vulnerability discovery and remediation scaled dramatically—unique CVEs rose 145% and fixes tripled—while median remediation time remained about 2.0 days. The report highlights persistent long-tail risk and a notable increase in FIPS-driven adoption.
read more →

Qilin EDR Killer: Multi-Stage msimg32.dll Loader Analysis

🔍 This Talos analysis dissects a malicious msimg32.dll used in Qilin ransomware attacks, detailing a multi-stage PE loader that evades and disables endpoint detection and response (EDR) solutions. The loader employs SEH/VEH obfuscation, syscall-stub reuse, and paging-file-backed sections to decrypt and map payloads entirely in memory without triggering hooks or ETW telemetry. The final EDR killer loads two helper drivers to perform physical memory R/W and to unprotect and terminate guarded processes, enabling it to neutralize over 300 vendor drivers.
read more →

Talos 2025 Year in Review: Identity, AI, and Speed

🔒 The Cisco Talos 2025 Year in Review, discussed by Christopher Marshall and Peter Bailey, highlights accelerating attacker speed and a shift toward identity as the primary battleground. The report shows rapid weaponization of new flaws alongside persistent exploitation of legacy, end-of-life infrastructure, and a sharp rise in fraudulent device registration. Defenders are urged to prioritize identity controls, visibility, lifecycle discipline, and secure AI governance to keep pace.
read more →

Qilin Ransomware Surge in Japan 2025: Detection Insights

🔍 In 2025 Japan reported 134 ransomware incidents—a 17.5% increase from 2024—with Qilin responsible for 22 cases (16.4%). Talos highlights Qilin’s growing automation, credential‑based access, and use of an EDR‑killer that targets 300+ drivers and employs locale-based geo‑fencing. The blog focuses on detecting activity during the pre‑ransomware phase (average six days to execution) and shares Sigma/YARA rules plus correlation guidance to reduce false positives.
read more →