All news in category "Threat and Trends Reports"
Mon, September 15, 2025
Weekly Recap: Bootkit Malware, AI Attacks, Supply Chain
⚡ This weekly recap synthesizes critical cyber events and trends, highlighting a new bootkit, AI-enhanced attack tooling, and persistent supply-chain intrusions. HybridPetya samples demonstrate techniques to bypass UEFI Secure Boot, enabling bootkit persistence that can evade AV and survive OS reinstalls. The briefing also covers vendor emergency patches, novel Android RATs, fileless frameworks, and practical patch priorities for defenders.
Mon, September 15, 2025
Your SOC as the Parachute: Engineering for Resilience
🪂 The SOC is framed as the parachute organisations rely on when breaches occur. Too many SOCs are under‑specified and reactive—drowned in alerts and tools that add complexity rather than resilience. The author calls for Swiss engineering: over‑specified, tested processes, rehearsed responses, and anticipatory defence grounded in threat modelling and behavioural context. Vendors and AI can assist, but organisations must own priorities, rehearse decision making, and build muscle memory.
Mon, September 15, 2025
Five Trends Reshaping IT Security Strategies in 2025
🔒 Cybersecurity leaders report the mission to defend organizations is unchanged, but threats, technology and operating pressures are evolving rapidly. Five trends — shrinking or stagnating budgets, AI-enabled attacks, the rise of agentic AI, accelerating business speed, and heightened vendor M&A — are forcing changes in strategy. CISOs are simplifying tech stacks, increasing automation and outsourcing, and deploying AI for detection and response while wrestling with new authentication/authorization gaps. Vendor viability and consolidation now factor into resilience planning.
Mon, September 15, 2025
HiddenGh0st, Winos and kkRAT Abuse SEO and GitHub Pages
🚨 Fortinet and Zscaler researchers describe an SEO poisoning campaign that targets Chinese-speaking users by surfacing spoofed download pages and GitHub Pages that host trojanized installers. Attackers manipulated search rankings and registered lookalike domains to trick victims into downloading installers bundling legitimate applications with hidden malware such as HiddenGh0st and Winos. Delivery chains use scripts (for example, nice.js), multi-stage JSON redirects, malicious DLLs and DLL sideloading to evade detection and establish persistence.
Mon, September 15, 2025
Nine Essential Open-Source Security Tools for Teams
🔒 This article highlights nine widely used open-source security tools that help defenders identify vulnerabilities, analyze network traffic, perform forensic investigations, and manage threat intelligence. It stresses community-driven development and transparency as core advantages of open-source solutions and notes that independent review often speeds discovery and remediation. Representative tools covered include ZAP, Wireshark, BloodHound, Autopsy, MISP, Let's Encrypt, GnuPG, Yara and osquery, with attention to extensibility, multi-platform support, and practical deployment considerations for security teams.
Mon, September 15, 2025
Ten Career Pitfalls That Can Derail Today's CISOs Now
🔒 CISOs face many behavioral and strategic traps that can stall or end careers if not addressed. Leaders, coaches and consultants identify ten common mistakes — from failing to align security with business priorities and treating security as a pure technology function, to reflexively saying no, enforcing rigid rules, misunderstanding AI, lacking transparency, not networking, and mishandling incidents. The article emphasizes becoming an enabler, tying controls to ROI, communicating clearly, and rehearsing response plans to build resilience.
Fri, September 12, 2025
Token Management Risks in the Third-Party Supply Chain
🔐 This Unit 42 report describes how compromised OAuth tokens in third‑party integrations create severe supply‑chain exposure, using recent incidents as examples. It highlights three recurring weaknesses: dormant integrations, insecure token storage and long‑lived credentials, and explains how attackers exploit these to exfiltrate data and pivot. The authors recommend token posture management, encrypted secret storage and centralized runtime monitoring to detect and revoke abused tokens quickly.
Fri, September 12, 2025
VoidProxy PhaaS Uses AitM to Steal Microsoft, Google Logins
🔐 Okta has uncovered VoidProxy, a phishing-as-a-service operation that uses Adversary-in-the-Middle techniques to harvest Microsoft and Google credentials, MFA codes, and session tokens. The platform leverages compromised ESP accounts, URL shorteners, multiple redirects, Cloudflare Captcha and Cloudflare Workers to evade detection and hide infrastructure. Victims who enter credentials are proxied through an AitM server that captures session cookies and MFA responses, enabling account takeover. Okta recommends passkeys, security keys, device management, and session binding to mitigate the threat.
Fri, September 12, 2025
Wesco Reimagines Risk Management with Data Consolidation
🔍 Wesco consolidated thousands of security alerts into a unified risk framework to separate urgent threats from noise. By integrating more than a dozen platforms — including GitHub, Azure DevOps, Veracode, JFrog, Kubernetes, Microsoft Defender, and CrowdStrike — the company applied ASPM, threat modeling, a security champions program, and AI-driven automation to prioritize remediation. The initiative reduced duplication, saved developer time, and improved risk visibility across the organization.
Fri, September 12, 2025
Novel LOTL and File-Based Evasion Techniques Rising
🔍 The Q2 2025 HP Wolf Threat Insights Report describes how threat actors are increasingly chaining living‑off‑the‑land (LOTL) tools and abusing uncommon file types to evade detection. Attackers hide final payloads inside images or use tiny SVGs that mimic legitimate interfaces, then execute code via native Windows processes like MSBuild. These methods leverage trusted sites and native binaries to bypass filters and complicate incident response.
Fri, September 12, 2025
SEO Poisoning Targets Chinese Users via Fake Software
🛡️ In August 2025, FortiGuard Labs uncovered an SEO poisoning campaign that manipulated search rankings to lure Chinese-speaking users to lookalike download sites mimicking legitimate software, notably a DeepL spoof. Victims downloaded a bundled MSI installer that combined genuine application installers with malicious components (EnumW.dll, fragmented ZIPs and a packed vstdlib.dll) and used anti-analysis, timing checks and parent-process validation to evade sandboxes. The in-memory payload implements Heartbeat, Monitor and C2 modules, exfiltrates system and user data, and supports plugins for screen capture, keylogging, Telegram proxy removal and crypto wallet targeting. Fortinet detections and network protections are updated; organizations are advised to apply patches, scan affected systems, and contact incident response if compromise is suspected.
Fri, September 12, 2025
Domain-Based Attacks Will Continue to Wreak Havoc Globally
🔒 Domain-based attacks that exploit DNS and registered domains are rising in frequency and sophistication, driven heavily by AI. Attackers increasingly blend website spoofing, email domain impersonation, subdomain hijacking, DNS tunnelling and automated domain-generation algorithms (DGAs) to scale campaigns and evade detection. Many proven protections—Registry Lock, DNSSEC, DNS redundancy and active domain monitoring—remain underused, leaving organizations exposed. Security teams should adopt preemptive scanning, layered DNS controls, strict asset ownership and employee training to limit impact.
Fri, September 12, 2025
HybridPetya: Petya-like Ransomware Targets UEFI Secure Boot
🛡️ ESET researchers identified HybridPetya in late July 2025 after suspicious samples were uploaded to VirusTotal. The malware resembles Petya/NotPetya and encrypts the NTFS Master File Table (MFT); it is also capable of installing a malicious EFI application on the EFI System Partition to persist on UEFI systems. One analyzed variant exploits CVE-2024-7344 using a crafted cloak.dat to bypass UEFI Secure Boot on outdated systems. ESET telemetry shows no evidence of active, widespread deployments.
Fri, September 12, 2025
ICO: Students Cause Majority of UK School Data Breaches
🔒 The ICO analyzed 215 insider personal data breach reports from the UK education sector between January 2022 and August 2024 and found students were responsible for 57% of incidents. Around 30% of breaches involved stolen login credentials, with students accounting for 97% of those attacks by guessing weak passwords or using credentials found on paper. The report highlights cases where pupils used freely available tools to break into school systems and access or alter thousands of records. The ICO urges parents, schools and the wider industry to channel curiosity into legitimate cyber careers and strengthen basic protections.
Fri, September 12, 2025
Runtime Visibility Reshapes Cloud-Native Security in 2025
🛡️ The shift to containers, Kubernetes, and serverless has made runtime visibility the new center of gravity for cloud-native security. CNAPPs that consolidate detection, posture, and response are essential, but observing active workloads distinguishes theoretical risk from live exposure. AI-driven correlation and automated triage reduce false positives and accelerate remediation. Vendors such as Sysdig stress mapping findings back to ownership and source code to drive accountable fixes.
Fri, September 12, 2025
12 Digital Forensics Certifications to Advance Your Career
🔎 Digital forensics professionals investigate breaches to determine access methods, affected systems, and attacker actions, with the goal of preventing future incidents. This article reviews a curated list of a dozen certifications that span vendor-neutral and vendor-specific tracks, including mobile, cloud, network, memory, and Windows forensics. Each entry summarizes scope, target audience, exam format, validity period, renewal or CPE requirements, and typical training and exam fees to help practitioners choose the most appropriate credential.
Fri, September 12, 2025
Justifying Security Investments: A Boardroom Guide
💡 CISOs must present security spending as a business enabler that reduces risk, protects revenue, and supports strategic priorities rather than as a purely technical upgrade. Begin by defining the business challenge, then tie the proposed solution—such as Zero Trust or platform consolidation—to measurable outcomes like reduced incident impact, faster recovery, and lower TCO. Use cost models, breach scenarios, per-user economics, and timelines to quantify benefits and speak the board’s language of risk, return, and shareholder value.
Thu, September 11, 2025
Beaches and Breaches: Shifts in Supply Chain and Identity
🌊 Returning from vacation, the author notes headlines shifted away from AI and ransomware toward breaches tied to compromised OAuth tokens and integrations like Salesloft/Drift. The piece emphasizes two converging trends: supply chain risk that now includes datapaths where information is processed, and identity attacks that increasingly target interconnected applications. It highlights Cisco Talos’ CTI-CMM as a practical maturity framework to assess gaps, prioritize investments, and build a roadmap for continuous improvement.
Thu, September 11, 2025
Global Cyber Threats August 2025: Agriculture Hit Hard
🚨 In August 2025 organizations worldwide faced an average of nearly 2,000 cyber attacks per week, a small 1% decline from July but a notable 10% increase year‑over‑year. The agricultural sector was hit particularly hard, recording a 101% rise in incidents compared with August 2024. While overall attack volume shows tentative stabilization, the shifting distribution of threats across industries, regions and attack vectors underscores the urgent need for targeted defenses, stronger risk management and improved incident readiness.
Thu, September 11, 2025
Cryptominer targets exposed Docker APIs, installs backdoors
🔒 Akamai researchers reported a June–August 2025 variant that no longer drops a cryptominer but instead leverages exposed Docker APIs to gain persistent host access. The campaign launches lightweight containers that mount the host filesystem and fetch Base64-encoded scripts over Tor to install tools such as curl and tor. Once inside, the malware appends SSH keys, creates cron jobs, and attempts to modify firewall rules to deny others access to port 2375. Akamai also observed dormant logic to probe Telnet and Chrome remote debugging (9222), suggesting future botnet expansion.