All news in category "Threat and Trends Reports"

How Cybercriminals Bypass Logins Using Stolen Credentials

🔐 Cybercriminals increasingly target corporate credentials, authentication tokens and session cookies to bypass MFA and impersonate legitimate users. Stolen credentials accounted for a large share of recent breaches and estimates indicate billions of credentials were exposed in 2024. Organizations can reduce risk with Zero Trust, robust MFA, realistic training and continuous behavioral monitoring to detect suspicious sessions.

Open-Source OT Security: Cost-Effective Industrial Defense

🔒 Open-source tools can provide a cost-effective, flexible foundation for operational technology (OT) security in industrial environments. By combining passive asset discovery, protocol-aware inspection, IDS/IPS, centralized logging and vulnerability management, organizations can approximate many capabilities of expensive commercial offerings. Recommended components include Malcolm (with Zeek), Security Onion, ELK, Wazuh and OpenVAS, augmented by asset sources like NetBox. Successful deployment requires experienced OT/IT teams or external consultants to configure, tune and maintain the stack, and is not a plug-and-play substitute for vendor support.

Managed SOCs: Practical Path to Stronger IT Security

🔒 Companies face rapidly evolving threats and tightening regulation, and many — especially SMEs — lack the staff and budget to build an effective in‑house Security Operations Center. A Managed SOC delivers continuous 24/7 monitoring, rapid deployment and specialized analysts without the multi‑million euro investment or hiring of 10–20 experts. Choose providers with proven detection and response experience, recognized certifications such as ISO 27001, strong data protection practices and a focus on integrating existing tools. Internal readiness — defined escalation paths, fast decision-making and employee awareness — remains essential for any managed service to be effective.

Human-centered cybersecurity rises in CISO priorities

🔐 The role of the CISO is shifting from technical expert to manager of people and systems, making a human-centered approach essential to reduce the most significant cyber risks. Rather than repeating awareness campaigns, CISOs should design practical, scenario-based training, align security with corporate values, and foster a supportive security culture. Technology and policy must enable good behavior, while deliberate, minimal friction creates effective learning moments. A mature Human Risk Management program uses assessment, segmentation, targeted interventions and continuous feedback to deliver measurable risk reductions.

Maturing Cyber Threat Intelligence: CTI Capability Model

🛡️ The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) offers a practical framework for assessing and advancing organizational threat intelligence efforts. It identifies 11 domains and associated CTI missions that support decision-making across areas such as asset management, threat and vulnerability management, incident response, and third-party risk. The model defines four maturity levels (CTI0–CTI3) from pre‑foundational, ad hoc practices to highly refined, strategic intelligence, and prescribes an iterative improvement cycle—prepare, assess, plan, deploy, measure. The guidance stresses focusing on stakeholder needs and delivering useful, timely intelligence rather than pursuing the highest maturity rating for its own sake.

CHILLYHELL macOS Backdoor and ZynorRAT Cross-Platform RAT

🔍 Researchers have identified two malware strains: a modular macOS backdoor named CHILLYHELL and a Go-based cross-platform RAT called ZynorRAT. Jamf Threat Labs links CHILLYHELL to UNC4487, noting extensive host profiling, multiple persistence techniques, timestomping, and multi-protocol C2 over HTTP and DNS. The notarized CHILLYHELL sample (uploaded to VirusTotal on May 2, 2025) underscores that signed binaries can be malicious. Sysdig analysis shows ZynorRAT is managed via a Telegram bot and supports file exfiltration, screenshots, system enumeration, and persistence on Linux and Windows.

Ransomware Demands and Payments Fall Sharply in Education

📉 A new Sophos study finds that ransomware demands and payments in the education sector have dropped dramatically year‑on‑year, with average demands falling 74% for lower education and 80% for higher education. Median payments also plunged, moving education from among the highest to among the lowest payers. Improved detection, faster recovery and more effective negotiation are cited as key drivers behind the reductions.

Top Cybersecurity Trends: AI, Identity, and Threats

🤖 Generative AI remains the dominant force shaping enterprise security priorities, but the initial hype is giving way to more measured ROI scrutiny and operational caution. Analysts say gen AI is entering a trough of disillusionment even as vendors roll out agentic AI offerings for autonomous threat detection and response. The article highlights rising risks — from model theft and data poisoning to AI-enabled vishing — along with brisk M&A activity, a shift to identity-centric defenses, and growing demand for specialized cyber roles.

OT Security Strategy: The Case for Open Source Tools

🔒 Industrial digitization and interconnected production make OT security a strategic priority, as attacks on SCADA, networked machines and production data can cause outages, reputational harm and even life‑threatening incidents. Faced with budget pressure, the article explores cost‑efficient open-source alternatives that can approach commercial capability. It outlines recommended tool combinations and operational caveats.

Axios User Agent Enables Mass Automated Phishing Campaigns

🔍 ReliaQuest reports a sharp rise in automated phishing campaigns leveraging the Axios user agent and Microsoft's Direct Send feature, observing a 241% increase between June and August 2025. Attacks using Axios represented 24% of malicious user-agent activity and had a 58% success rate versus 9% for other incidents. When paired with Direct Send, success rose to 70%, prompting guidance to restrict Direct Send, enforce anti-spoofing, scan inbound messages for QR codes/URLs/PDFs, train users including executives, and block uncommon TLDs.

New Cryptanalysis Challenges Fiat–Shamir Transformation

🔒 A recent paper demonstrates theoretical attacks on the Fiat–Shamir transformation, extending known insecurities into less contrived scenarios while stopping short of immediate practical exploitation. Bruce Schneier notes the result is exciting from a research perspective but does not currently translate into real-world cryptanalysis. The work highlights limits in our ability to produce broad security proofs for the transform. It serves as a reminder that theoretical advances can reshape confidence in cryptographic proof techniques even when deployed systems remain unaffected.

New Malware Campaigns: MostereRAT and ClickFix Risks

🔒 Researchers disclosed linked phishing campaigns delivering a banking malware-turned-RAT called MostereRAT and a ClickFix-style chain distributing MetaStealer. Attackers use an obscure Easy Programming Language (EPL), mutual TLS for C2, and techniques to disable Windows security and run as TrustedInstaller to evade detection. One campaign drops remote-access tools like AnyDesk and VNC variants; another uses fake Cloudflare Turnstile pages, LNK tricks, and a prompt overdose method to manipulate AI summarizers.

Preventing Business Disruption with MDR for Resilience

🛡️ Organizations face escalating operational risk as threat actors leverage optimized supply chains, pre-packaged services and AI to accelerate attacks and social engineering. Managed detection and response (MDR) is promoted as a prevention-first approach that prioritizes speed of detection, containment and response. Best-in-class MDR combines 24/7 monitoring, proactive threat hunting and automated compliance and forensic reporting to reduce downtime and support recovery.

How Leading CISOs Secure Budget by Framing Business Risk

🔒 Security leaders are entering budget season facing skepticism; success now requires translating technical needs into clear business impact. Presentations that tie investments to revenue protection, uptime, regulatory compliance, and quantified loss avoidance resonate with boards. Adopt a risk-focused framework, define measurable KPIs such as time to detect and remediate, and employ continuous validation to expose exploitable weaknesses and track remediation velocity. Use standards like ISO 27001 and NIST as familiar anchors while showing real-world validation to avoid shelfware.

Majority of Organizations Hit by Third‑Party Incidents

🔒 A recent survey by SecurityScorecard found 71% of organizations experienced at least one material third‑party cybersecurity incident in the past year, with 5% reporting ten or more. Rising third‑party involvement — echoed in the 2025 Verizon Data Breach Investigations Report — and sprawling supplier ecosystems expand attackers’ avenues. Experts warn SaaS platforms, open‑source packages, and CI/CD pipelines are increasingly exploited, often via abused OAuth, stolen credentials, or over‑permissioned integrations.

Surge in Network Scans Targets Cisco ASA Devices Worldwide

🔎 Security researchers observed a large surge in network scans probing Cisco ASA login portals and Cisco IOS Telnet/SSH endpoints, with GreyNoise recording two major spikes in late August 2025. The second wave on August 26, 2025, was largely (about 80%) driven by a Brazilian botnet using roughly 17,000 IPs and overlapping Chrome-like user agents that suggest a common origin. Administrators are urged to apply the latest patches, enforce MFA for remote ASA logins, avoid exposing management pages and services directly, and use VPN concentrators, reverse proxies, geo-blocking, and rate limiting to reduce risk.

GPUGate: Malware Uses Google Ads and GitHub Redirects

🔒 Cybersecurity researchers have disclosed a sophisticated malvertising campaign that leverages paid search ads and manipulated GitHub commit URLs to redirect victims to attacker-controlled infrastructure. The first-stage dropper is a bloated 128 MB MSI that evades many online sandboxes and employs a GPU-gated decryption routine dubbed GPUGate, which aborts on systems lacking a real GPU or proper drivers. The campaign uses a lookalike domain (gitpage[.]app) and a VBScript-to-PowerShell chain that gains admin privileges, adds Microsoft Defender exclusions, establishes persistence, and stages secondary payloads for data theft.

Remote Access Abuse Signals Major Pre-Ransomware Risk

🔒 Cisco Talos finds abuses of remote access software and services are the most common pre-ransomware indicator, with threat actors leveraging legitimate tools such as RDP, PsExec, PowerShell and remote-support apps like AnyDesk and Microsoft Quick Assist. The report highlights credential dumping (for example, Mimikatz) and network discovery as other frequent TTPs. It recommends rapid response, MFA, application allowlisting and enhanced endpoint monitoring to limit ransomware execution.

Networking and Security Trends Driving SASE Adoption

🔒 Secure Access Service Edge (SASE) combines networking and security into a unified, cloud-delivered platform designed for the realities of remote and hybrid work. With nearly half of knowledge workers operating remotely or in hybrid models and many organizations adopting cloud apps and distributed branches, traditional perimeter-based models are no longer sufficient. SASE addresses distributed access, policy consistency, and simplified management while reducing attack surface and operational complexity.

MostereRAT Campaign Uses EPL, mTLS, and Legitimate RATs

🛡️ FortiGuard Labs identified a sophisticated phishing campaign that chains an Easy Programming Language (EPL) runtime with multi-stage payloads to deploy MostereRAT. The initial dropper, based on a wxWidgets sample, creates SYSTEM services and decrypts modules that run in memory while presenting social‑engineering prompts. Operators use mTLS‑protected C2 channels, disable and block security tooling via WFP filters, and install legitimate remote access tools such as AnyDesk and TightVNC to secure covert, persistent full access.