< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1641 articles · page 24 of 83

2025 Threat Trends: Talos and Splunk Double-Header

🔍 In this episode of Talos Takes, Amy is joined by William Largent (Cisco Talos) and Lou Stella (Splunk) for a double-header review of the newly released Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats. The conversation draws on Cisco telemetry, Talos original research, and Talos Incident Response engagements to move beyond headlines and identify actionable trends. Highlights include the professionalization of ransomware-as-a-service, the persistent exploitation of decade-old vulnerabilities, and practical guidance to help defenders prioritize mitigations and shrink their attack surface for the year ahead.
read more →

ThreatsDay Bulletin: PQC Push, AI Bugs, Pirated Backdoors

🔔 This week’s ThreatsDay Bulletin captures a quieter, sneakier cadence: big-picture progress on cryptography and AI set against a steady churn of pragmatic abuse. Google accelerated a PQC migration to 2029 and GitHub is bringing AI-powered detections into the PR workflow, while threat actors keep innovating around trust — using pirated ISOs, fake extensions, firmware implants and clever phishing to scale backdoors, credential theft and fraud. The common thread is operational efficiency: takedowns and disruptions are temporary, but the workflows keep returning.
read more →

Invoice Fraud Costs UK Construction Sector Millions

⚠️ The UK's NCA, alongside the National Federation of Builders (NFB), has warned finance and accounts payable teams in construction about a rise in invoice fraud, a form of BEC that cost victims almost £4m in September 2025. Fraudsters impersonate or hijack supplier emails to change bank details on invoices, exploiting complex subcontractor networks and insecure email channels. The campaign urges staff to verify invoice changes by calling suppliers, delay payments until details are confirmed, and strengthen IT controls such as strong passwords, multi‑factor authentication and up‑to‑date anti‑malware.
read more →

Spammers Abuse Yandex Surveys to Host Phishing Campaigns

⚠️ Kaspersky researchers have observed threat actors abusing Yandex Surveys to host phishing content and evade email filters by leveraging the platform's legitimate domain reputation. Attackers embed fraudulent pitches and malicious links in rich-text survey blocks, add official-looking logos, then hide interface elements with invisible padding; Kaspersky Premium blocked about 2,200 such messages in January and over 32,000 in February. Recipients who follow the links land on polished giveaway pages that harvest personal data, wallet addresses, or payments.
read more →

Phishers Abuse Bubble to Steal Microsoft Account Credentials

🔒 Threat actors are abusing the no-code Bubble AI app builder to host phishing pages that harvest Microsoft account credentials. Because apps are hosted under *.bubble.io, email security tools often treat the links as legitimate and fail to flag them. Kaspersky researchers found attackers use obfuscated JavaScript and Shadow DOM structures to redirect victims to Microsoft-like login forms, sometimes behind Cloudflare checks, to exfiltrate entered credentials.
read more →

Cloud Phones Fuel Rising Financial Fraud and Detection Gaps

📱 A new Group-IB report highlights how remote-access cloud phones — real Android devices hosted in data centres and accessed over the internet — have evolved from social-media automation into infrastructure for financial crime. Fraudsters use these devices to create and manage dropper accounts, often bypassing conventional device-based controls. Because instances present realistic hardware identifiers and sensor data, traditional fingerprinting often fails, prompting recommendations for multi-layered detection that combines device, network intelligence and behavioral analytics.
read more →

Hackers Exploit Identity Systems at Industrial Scale

🔐 The SentinelOne Annual Threat Report for 2026 warns that attackers are executing identity-based compromises at industrial scale, abusing legitimate enterprise accounts and identity systems. These intrusions often bypass or subvert MFA — including through readily available MFA-bypass kits and coercive push attacks — leaving traditional defenses blind. The report also highlights fake-persona recruitment campaigns, including deepfake-enabled interviews, and warns of administrative account takeovers that can disable MFA organization-wide.
read more →

North America Cyber Risk in 2026: Concentration and Repeat

🔍 The North America threat landscape hardened in 2025, with incidents becoming more concentrated, repeated and driven by persistent adversaries. Publicly recorded incidents were dominated by the United States, which accounted for roughly 93% of cases. The report highlights three dynamics shaping risk, including a stable, competitive extortion economy, recurring attack patterns, and predictable windows of opportunity. Organizations should expect pressure over surprise into 2026 and adjust defenses accordingly.
read more →

6 Key Trends Reshaping the Identity and Access Market

🔐 The IAM market is shifting from traditional login and MFA toward treating identity as a security control plane, driven by demand for phishing-resistant authentication and stronger governance for non-human accounts. Buyers are prioritizing FIDO2/passkeys, biometrics, and controls for service accounts, API keys, and AI agents. Regulatory change, managed services, and vendor consolidation are reshaping architectures and procurement decisions.
read more →

Virtual Machines Nearly Everywhere - Lingering Security Gaps

🔒 Cloud virtual machines deliver speed, scale and agility, but uncontrolled VM sprawl creates persistent security gaps. Many instances are provisioned quickly and then left unmanaged—missing OS updates, scoped permissions and continuous monitoring—so they can be abused for lateral movement or used as throwaway attack infrastructure. Organizations should inventory VMs, tighten workload identities and apply continuous, identity‑aware monitoring to reduce risk.
read more →

Global DDoS Attacks Double, Peak Volumes Soar in 2025

🛡️Gcore's semiannual Radar report found that registered DDoS attacks doubled in the second half of 2025 versus the first half, rising to about 2.25 million incidents and bringing the year total to 3.42 million. Peak attack throughput jumped to 12 Tbit/s compared with 2.2 Tbit/s in 2024. Network-layer volumetric strikes made up 82% of events—about three quarters lasting under a minute and 84% using UDP floods—while the remaining 18% were longer, targeted application-layer attacks against APIs, authentication and backend systems. Technology, financial services and gaming firms were the most frequently targeted sectors.
read more →

Endpoint Security Fails on One in Five Enterprise Devices

🛡️Research by Absolute Security finds endpoint cybersecurity software fails to protect one in five enterprise devices, creating an equivalent of 76 days per year of increased exposure to attackers. The 2026 Resilience Risk Index, published March 23, ties this gap to patch delays and rising endpoint complexity, with 24% of vulnerability platforms out of compliance. The report urges stronger enforcement of patch and update policies to reduce downtime and remediation costs.
read more →

Phishers Using Bubble No-Code Platforms for Redirects

🔗 Phishers are exploiting the Bubble no-code app builder to host web apps whose URLs appear legitimate and thus evade email filters. The platform’s dense JavaScript and Shadow DOM output confuses automated scanners, masking simple redirects to credential-harvesting pages. These Bubble-hosted apps are embedded in phishing messages and lead victims to convincing Microsoft sign‑in clones. Organizations should combine user training with endpoint protections and gateway anti-phishing controls to reduce risk.
read more →

Cloud Workload Security: Addressing Visibility and Gaps

🔍 Cloud workloads often become insecure not because of exotic attacks but due to operational complexity, sprawl and poor visibility across heterogeneous environments. Tomáš Foltýn warns organizations can end up with an Frankencloud, where admin fatigue, disparate consoles and unclear ownership create exploitable gaps. The remedy he proposes is improved visibility, consistent cross‑environment policy enforcement and carefully applied automation to scale security as workloads grow. Industry reports cited in the article underline that credential compromise, misconfiguration and emerging software exploits remain the primary entry points for attackers.
read more →

Hidden Cost of Cybersecurity Specialization and Skills Loss

🔒 Bryan Simon, a SANS Senior Instructor, argues that accelerating specialization in cybersecurity is eroding foundational skills and shared context. When teams focus narrowly on domains or tools, organizations lose end-to-end visibility, risk prioritization weakens, and decisions drift toward product selection instead of mission-driven protection. Simon emphasizes that knowing what is "normal," mapping assets to business impact, and reinforcing core competencies are essential; he will teach these principles in SEC401 at SANS Security West 2026.
read more →

Programmatic Physical Security for AI-Scale Data Centers

🔒 AI-driven demand is reshaping data center security and requires a programmatic, repeatable approach to scale without sacrificing quality. Providers must turn projects into standardized programs, reuse templates and BIM/digital-twin assets, and automate design and QA to sustain precision at hyperscale. Strategic partners should engage early, operate as collaborative owners, and help translate evolving regulatory, identity/access, drone and device risks into repeatable controls.
read more →

Google Authenticator: Hidden Mechanics of Passkeys Design

🔐 This Unit 42 analysis examines how Google implements synchronized passkeys using a cloud-based authenticator embedded in Chrome and Google Password Manager. The author documents an enclave service (observed connecting to enclave.ua5v[.]com), hidden onboarding flows, and TPM-backed identity and user-verification keys that bind devices and gate access. The post explains the Security Domain Secret, device wrapping keys, the GPM PIN recovery mechanism, and the Noise/WebSocket transport used to protect device-to-cloud communications, emphasizing a novel attack surface in passwordless deployments.
read more →

Faster Attacks and Recovery Denial Reshape Ransomware Risk

🔒 Mandiant's M‑Trends 2026 report, released at the RSA Conference, finds attackers compressing attack timelines, collaborating more, and increasingly targeting the systems organizations rely on for recovery. Hand-offs between initial access and secondary operators now occur in seconds, voice-based social engineering and token harvesting are on the rise, and ransomware actors emphasize recovery denial by attacking backups, identity, and virtualization control planes. The report urges faster triage, behavioral detection, stronger identity governance, and expanded telemetry to reduce dwell time and mitigate impact.
read more →

High-Tech Sector Becomes Top Cyberattack Target in 2025

🔍 Mandiant's M-Trends 2026 report finds the high-tech sector overtook finance as the most targeted industry in 2025, accounting for 17% of incident response investigations. The report also records a global median dwell time increase to 14 days and highlights widespread adoption of the ClickFix social-engineering technique. Analysts observed a surge in vishing and a strategic ransomware shift toward deliberate recovery denial, with attackers specifically targeting backups, identity services and virtualization management planes.
read more →

M-Trends 2026 — Data, Insights, and Response Guidance

🔒 M-Trends 2026 synthesizes findings from over 500,000 hours of Mandiant incident response in 2025 to profile evolving adversary tactics, techniques, and procedures and highlight defender gaps. The report calls out rising median dwell time, a collapse in the hand-off window between initial access brokers and secondary operators, and a shift toward voice phishing and edge-device persistence. It concludes with prioritized recommendations to strengthen identity controls, isolate critical control planes, extend telemetry retention, and adopt behavior-based detection.
read more →