< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1642 articles · page 25 of 83

M-Trends 2026 — Data, Insights, and Response Guidance

🔒 M-Trends 2026 synthesizes findings from over 500,000 hours of Mandiant incident response in 2025 to profile evolving adversary tactics, techniques, and procedures and highlight defender gaps. The report calls out rising median dwell time, a collapse in the hand-off window between initial access brokers and secondary operators, and a shift toward voice phishing and edge-device persistence. It concludes with prioritized recommendations to strengthen identity controls, isolate critical control planes, extend telemetry retention, and adopt behavior-based detection.
read more →

Weekly Cyber Recap: CI/CD Backdoor and Emerging Threats

🔒 This week’s recap highlights a major supply-chain compromise of Trivy, where attackers injected credential‑stealing malware into official releases and GitHub Actions, producing a self‑propagating worm called CanisterWorm that affected thousands of CI/CD workflows. Law enforcement dismantled several massive IoT botnets built from routers, cameras and DVRs, while high‑severity flaws — including a critical Langflow RCE and a Cisco FMC 0‑day exploited by Interlock ransomware — were weaponized within hours of disclosure.
read more →

Beers with Talos Breaks Down 2025 Year in Review Highlights

🔍 The Beers with Talos B team (Hazel, Bill, Joe and Dave) reviews the 2025 Talos Year in Review and highlights the most consequential cyber trends of the year. They discuss the rapid weaponization of newly disclosed vulnerabilities, widespread identity abuse, evolving ransomware tactics, and a notable rise in APT investigations. The conversation also addresses cyber activity tied to the situation in the Middle East and offers practical priorities for defenders heading into the coming year.
read more →

2025 Talos Year in Review — Speed, Scale, Staying Power

🔍 Cisco Talos’ 2025 Year in Review analyzes how adversaries increased the speed and scale of operations, creating sustained pressure on defenders. The report highlights three central themes: rapid exploitation of both newly disclosed and long-standing CVEs, attackers targeting the architecture of trust (identity and device controls), and deliberate focus on centralized systems and shared frameworks to amplify impact. Talos emphasizes prioritized mitigations—timely patching, stronger identity controls, and resilience for shared components—and directs readers to the full, ungated report for detailed telemetry and actionable guidance.
read more →

Post-Quantum Roadmap for US Enterprises Targeting 2030

🔒 US organizations should begin operationalizing post-quantum cryptography now to protect long-lived secrets and meet an emerging 2030 readiness horizon. With NIST finalizing initial PQC standards in 2024 and agencies like NSA and CISA aligning guidance, a pragmatic hybrid strategy—pairing existing classical algorithms (ECDHE/TLS) with post-quantum primitives such as ML-KEM—reduces long-term confidentiality risk while preserving interoperability. Start with a comprehensive crypto inventory tied to data value, pilot internal mTLS, VPN and code-signing migrations in a lab, improve crypto agility, add telemetry for rollout metrics, and add PQC requirements into procurement to buy time and avoid last-minute disruption.
read more →

Insider Threats Surge as AI and Remote Work Expand Risk

🚨 Insider threats are rising again: the Mimecast State of Human Risk Report found 42% of organizations saw increases in both malicious and negligent insider incidents, with an average of six insider-driven incidents per month at an estimated cost of $13.1 million per incident. Two-thirds of surveyed IT leaders expect insider-related data loss to grow over the next 12 months. Experts warn the insider perimeter now includes contractors, fraudulent hires, and AI agents, and they recommend adaptive, behavior-driven controls, coordinated legal/HR response plans, and extending protections to nonhuman identities to reduce risk.
read more →

VoidStealer uses debugger trick to steal Chrome master key

🔓 VoidStealer, an information stealer offered as MaaS since mid‑December 2025, uses a debugger-based technique to extract Chrome's v20_master_key directly from memory. The malware starts a suspended, hidden browser process, attaches as a debugger, and waits for the target chrome.dll to load before setting hardware breakpoints on an instruction that references the key. When the breakpoint triggers during startup decryption, VoidStealer reads the register pointer and uses ReadProcessMemory to capture the plaintext key without privilege escalation. Gen Digital reports this is the first infostealer observed in the wild using this approach.
read more →

Water Utilities Boost Cybersecurity Through Cooperation

💧Water utilities facing aging operational systems and limited IT staff are improving cybersecurity by sharing information and coordinating responses. A two-year pilot led by the Cyber Readiness Institute and the Center on Cyber and Technology Innovation, sponsored by Microsoft, enrolled about 200 small and mid-sized utilities. The study found that combining cybersecurity training with hands-on technical assistance, stronger sector links and practical support is more effective than distributing guidance alone.
read more →

How CISOs Can Survive Geopolitical Cyberattacks Today

🛡️ Geopolitical tensions are driving a rise in destructive, non‑financial cyber campaigns that aim to disrupt operations rather than extort payment. Recent Iranian-linked wiper activity — exemplified by the March 2026 Handala attack on Stryker — shows attackers rely on stolen credentials and legitimate admin tools to move freely. Zero Networks recommends a five-step playbook focused on identity-aware access, default‑deny admin ports, scoped privileged access, detection of tunnels, and rapid automated containment to limit blast radius and preserve operations.
read more →

Predator spyware disables iOS camera and mic indicators

🔎 Cybersecurity researchers analyzed Predator, a commercial spyware component developed by Intellexa, and revealed how it disables iOS camera and microphone recording indicators. The malware intercepts communications between the system component that tracks module activity and SpringBoard, exploiting Objective‑C behavior to suppress status signals so the green/orange dots never appear. The report outlines the techniques, traces earlier dead code attempts, and offers practical mitigations for users at elevated risk.
read more →

Quick Guide to Recovering a Hacked Online Account Safely

🔒 This concise guide explains fast, practical steps to recover a compromised online account and limit attacker control. It recommends a prioritized, timed response—contain the incident, secure access, and check for persistent compromises—emphasizing actions like change passwords, remove unauthorized forwarding, enable two-factor authentication, and revoke sessions from a known-clean device. The piece also covers device cleanup, notifying contacts and banks, and long-term protections such as password managers, authenticator apps, hardware keys and regular software updates.
read more →

Infrastructure Already in the Espionage Collection Path

🔍 Enterprises now sit directly in adversaries' collection paths: they may not be primary targets but their shared telecom, cloud, MSP, and identity dependencies are being exploited upstream. Commercial spyware like Predator and state‑aligned groups documented in Singapore's February 2026 telco breaches show how device and backbone compromises create persistent, upstream access. CISOs must assume provider compromise, demand attestation, harden session and identity layers, and shift detection to low‑noise, long‑duration intelligence operations.
read more →

54 EDR Killers Use BYOVD to Exploit 34 Signed Drivers

🔒 A new ESET analysis identified 54 EDR-killer tools that leverage BYOVD, abusing 34 signed vulnerable drivers to gain kernel-mode privileges and neutralize endpoint protection. These utilities are frequently reused in ransomware operations to disable defenses prior to encryption, decoupling evasion from the encryptor. ESET recommends blocking misused drivers and adopting layered detection to mitigate the threat.
read more →

Identity Attacks Rise: Adversaries Seek Invitations

🧛 Cisco Talos highlights a growing trend in 2025: attackers increasingly seek to be authorised as legitimate users rather than relying solely on loud exploits. Telemetry shows nearly a third of MFA spray attacks targeted IAM applications and fraudulent device registrations surged 178%, indicating adversaries focus on the mechanisms that grant access. Talos urges organisations to harden authentication, prioritise patching, manage EOS/EOL devices, and adopt phishing-resistant controls as part of a broader defensive posture.
read more →

Tax season surge: Phishing and malware campaigns in 2026

📧 Microsoft Threat Intelligence and the Defender Security Research Team observed a surge of tax-themed phishing and malware campaigns in early 2026, exploiting W-2s, 1099s, IRS notices, and CPA communications to trick recipients. Attackers used Phishing-as-a-Service kits such as Energy365 and SneakyLog, QR-coded documents, and repackaged RMM tools (ScreenConnect, SimpleHelp, Datto) to steal credentials and gain remote access. Highly customized messages, multi-step flows, and legitimate hosting services helped these campaigns evade detection and target both individuals and tax professionals.
read more →

Cybersecurity Certifications: A Business Imperative

🔒 The Fortinet 2025 Global Cybersecurity Skills Gap Report shows persistent talent shortages are driving higher breach rates and financial losses, making validated skills essential. Certifications provide standardized, role-aligned evidence of operational readiness, support staged career progression, and signal employer investment to improve retention. Structured programs map learning to real roles and help close the readiness gap between knowing concepts and applying them under pressure.
read more →

Global Surge in Mobile Banking Malware Targets 1,243 Brands

📱 Zimperium zLabs reports a global surge in mobile banking malware targeting 1,243 financial brands across 90 countries. The firm analysed 34 active malware families affecting apps with more than three billion downloads and found industrialised campaigns exploiting weak app protections and widespread code sharing. Attacks now intercept authentication codes, hijack live sessions and can take control of devices, undermining traditional backend fraud controls.
read more →

ThreatsDay: FortiGate RaaS, Citrix Exploits & Phish

🔔 ThreatsDay Bulletin highlights a wave of pragmatic, stealthy intrusions and abuse of lingering edge vulnerabilities. Notable findings include a nascent RaaS named The Gentlemen exploiting CVE-2024-55591 against FortiGate, a chained pre-auth RCE in BMC FootPrints, and active campaigns targeting Citrix NetScaler. The briefing underscores how small, well-crafted techniques— from deep-link MCP abuse to Teams phishing—are enabling remote access and data theft.
read more →

Preventing Privilege Escalation via Password Resets

🔒 Many organizations invest heavily in login protections but leave password reset paths less scrutinized, creating an easy escalation route once attackers gain a foothold. The article explains common abuse scenarios — from helpdesk social engineering and intercepted reset tokens to misuse by over-permissioned admins — and recommends seven practical mitigations, including MFA, device posture checks, strict password policies, and avoiding knowledge-based authentication. It also highlights Specops tools to harden reset workflows and block breached passwords.
read more →

SpyCloud 2026 Report: Surge in Non-Human Identity Theft

🔒 SpyCloud's 2026 Identity Exposure Report details a structural shift in credential theft, reporting a 23% increase in its recaptured datalake to 65.7B distinct identity records. Attackers are increasingly targeting non-human identities — exposed API keys, session tokens and AI-linked credentials — which often lack MFA and rotate infrequently. The report also flags large volumes of phished records, session artifacts, and malware-exfiltrated data that enable persistent, scalable access across cloud and enterprise environments.
read more →