< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1641 articles · page 26 of 83

Ransomware Exfiltration Playbook: Abusing Everyday Tools

🔍 Exfiltration Framework examines how attackers repurpose legitimate OS utilities, third-party endpoint tools, and cloud clients to move sensitive data while evading traditional detections. The research shows that static IOCs and tool-blocking strategies are frequently ineffective when adversaries operate inside trusted software and infrastructure. By normalizing execution context, parent-child process relationships, network patterns, forensic artifacts, and destination characteristics, the framework exposes stable behavioral signals that persist despite masquerading, renaming, or relocation. It recommends correlating endpoint, network, and cloud telemetry, applying behavioral baselining, and focusing on cumulative transfer analysis rather than single-event or allow-list approaches.
read more →

Analyzing Current Use of AI in Malware: Unit 42 Report

⚠️ Unit 42 examines real-world instances where malware calls external LLMs for decision making or cosmetic effect. The researchers present two representative cases: a trio of obfuscated .NET infostealers that call OpenAI GPT-3.5-Turbo but largely perform "AI theater" by logging model outputs without functional integration, and a Go dropper that queries GPT-4 to gate Sliver payload execution. The report highlights detection opportunities and recommends Advanced Threat Prevention, Advanced WildFire, and Cortex XDR/XSIAM to monitor telemetry and IOCs.
read more →

Cloud Misconfigurations: The Multi-Billion Dollar Risk

🔒 Most major cloud breaches in recent years have stemmed from basic misconfigurations rather than sophisticated zero-days or custom malware. The article highlights incidents such as Snowflake (2024), AT&T, Ticketmaster and Capital One to show how exposed credentials, public storage buckets and missing controls led to vast data exposure. Immediate actions recommended are enabling MFA everywhere, enforcing account-level public access blockers, activating comprehensive logging across AWS/Azure/GCP, and prioritizing remediation of exposed buckets and keys, while longer-term fixes include CSPM tools and infrastructure-as-code security checks.
read more →

EDR killers explained: Beyond vulnerable drivers and tactics

🔒 ESET's research examines the prevalence and mechanics of EDR killers—separate tools attackers deploy to neutralize endpoint protection immediately before executing encryptors. Based on telemetry and incident analysis of nearly 90 active samples, the blogpost covers BYOVD, anti-rootkit abuse, driverless disruption, commercialization of kits, and indicators suggestive of AI-assisted development. The authors highlight predictable affiliate-driven tooling choices and warn that driver-based attribution is often misleading; they recommend prevention-focused, multilayered defenses and rapid containment.
read more →

UK regulation increasingly drives CNI cybersecurity

🔒 Security leaders at the UK's critical national infrastructure (CNI) firms are increasingly turning to regulatory compliance to steer cyber investment and maturity, Bridewell's Cybersecurity in CNI Report 2026 finds. The study shows 35% of leaders cite regulation as the primary influence, up from 26% in 2025. Adoption of frameworks like the NCSC CAF and NIS2 remains uneven, and organisations report widespread incidents and rising AI concerns.
read more →

Adversary-in-the-Middle Phishing Is Defeating MFA Now

🔐 Modern phishing now uses adversary-in-the-middle proxies that capture entire authentication flows, including MFA prompts and session cookies. Employees can complete legitimate logins and still be compromised because attackers replay session tokens from a different machine. Organizations must move beyond traditional MFA and outdated awareness training and instead deploy phishing-resistant authentication, bind sessions to managed devices, and monitor post-authentication behavior.
read more →

The Refund Fraud Economy Exploiting Retailers and Payments

🔍 Flare's analysis of fraud-focused communities reveals an organized underground market selling refund methods, tutorials, and operational services that exploit retailer and payment-provider workflows. Actors advertise step-by-step techniques—such as refund without return, chargeback abuse, goods swapping, and empty-box returns—while offering operators on commission. High-volume targets include Amazon, PayPal, Apple, and major retailers; tutorials typically sell for $50–$300. Researchers urge stronger intelligence sharing, refined controls, and continuous monitoring to close operational gaps.
read more →

AI and Automation Accelerate Exploitation in 2025

🔍 Rapid7's 2026 Global Threat Landscape Report finds AI and automation compressed the window between vulnerability disclosure and exploitation in 2025, turning what once unfolded over weeks into days or even minutes. The median time to inclusion on CISA's Known Exploited Vulnerabilities catalog fell from 8.5 days to five, and the mean dropped from 61 to 28.5 days. Confirmed exploitation of CVSS 7–10 flaws rose 105% YoY to 146 incidents, with deserialization, authentication bypass and memory corruption among the most targeted issues. Rapid7 urges CISOs to adopt pre-emptive security that reduces attack surface, prioritizes material risk and improves contextual detection and response.
read more →

Telegram Crackdown 2026: Why Cybercriminals Adapt and Persist

🔎 In early 2026 Telegram intensified enforcement after the late‑2024 arrest of CEO Pavel Durov and a year of stricter moderation in 2025. Millions of channels were taken down, bans and automation grew, and platform transparency reached new highs. Despite these measures, cybercriminal ecosystems on Telegram have not shrunk; they have rapidly adapted through fragmentation, private groups, automated tooling and alternative hosting. Check Point's Exposure Management intelligence highlights these shifts and explains why takedowns have reduced visibility but not eliminated illicit activity.
read more →

Claude Code Security and Magecart: Where Tools Stop

🛡️ This report explains why a Magecart skimmer that hid its payload inside a favicon's EXIF metadata can evade repository-focused scanners. Claude Code Security inspects source code and repo artifacts, so it cannot observe malicious scripts injected through third‑party CDNs, tag managers, or images that only execute in users' browsers. The observed attack used a multi‑stage loader to assemble a URL, parse binary image metadata, and execute the extracted payload at checkout, silently exfiltrating payment data. The piece argues that runtime monitoring and stronger supply‑chain governance are essential complements to static analysis.
read more →

Vidar Stealer 2.0 Delivered via Fake Game Cheats on GitHub

🎮 Acronis TRU found hundreds of GitHub repositories posing as "free" game cheats that deliver the Vidar 2.0 infostealer, warning the true number of malicious repos could be in the thousands. Campaigns begin in game-focused Discord and Reddit communities and use PS2EXE-compiled PowerShell loaders to evade basic detections. Loaders add Windows Defender exclusions, fetch secondary payload URLs from Pastebin linking to GitHub-hosted binaries, and deploy a Themida-packed Vidar executable that establishes persistence via scheduled tasks. The payload then harvests credentials, tokens and files and exfiltrates them through C2 infrastructure masked by Telegram bots and Steam dead-drop resolvers.
read more →

BSI Criticizes Healthcare Software Security Practices

🔒 The Federal Office for Information Security (BSI) has warned that software used in medical practices, clinics and long-term care needs stronger protections to safeguard sensitive patient data. In tests of standard configurations, the agency described the IT security of healthcare software as in need of improvement, finding chains of vulnerabilities in three of four representative practice management systems that could be exploited from the Internet. Outdated encryption algorithms were specifically cited; manufacturers were informed and issued timely fixes.
read more →

Over Half of UK Firms Hit by Nation-State Cyber Attacks

🛡️ The 2026 Armis Cyberwarfare Report found that 54% of UK companies experienced nation-state attacks last year, up from 47% previously. Based on interviews with 1,900 IT decision-makers (including 500 in the UK) and Armis Labs data, the study highlights growing fear over AI-powered threats and the weakening deterrent effect of "mutually assured disruption." Respondents identified Russia, China and North Korea as the greatest risks.
read more →

APIs Now Dominant Attack Surface as Incidents Surge

🔒 Akamai’s 2025 State of the Internet report finds APIs have become the dominant attack surface, with an average of 258 API attacks per organization (up 113% year‑on‑year). The vendor reports 61% of attacks involved unauthorized workflows or abnormal behavior, signaling a shift towards behavior‑based exploitation. Top exploited issues included security misconfigurations, broken object property level authorization and broken authentication. Akamai also warns that agentic AI and automation are amplifying the risk of sensitive data exposure across APIs.
read more →

UK Cyber Monitoring Centre Plans US Expansion by 2027

🌐 One year after its 2025 founding, the UK-based Cyber Monitoring Centre (CMC) is preparing to establish a US counterpart to quantify the economic and financial impact of major cyber incidents using its 0–5 category scale. In 2025 the CMC analysed two major events — the Marks & Spencer/Co‑op disruption (Category 2; estimated loss £270m–£440m) and the Jaguar Land Rover attack (the costliest, £1.6bn–£2.1bn). The nonprofit says it will appoint a US technical committee, set up a legal entity, run an incubation period to adapt its data-analytics methodology for the US economy, and expects formal establishment in 2027.
read more →

Boggy Serpens Threat Assessment: Evolving TTPs and Tooling

🔒Boggy Serpens (aka MuddyWater) is a persistent Iranian cyberespionage group that has shifted from noisy spear phishing to tailored, long-term intrusion campaigns targeting diplomatic, maritime, energy and financial sectors. The actor exploits hijacked trusted accounts and blurred-document macros to bypass reputation filters and deploys AI-assisted and Rust-based implants such as BlackBeard, LampoRAT, UDPGangster and Nuso. Defenders should enforce strict macro controls and layered protections including Cortex XDR and Advanced WildFire to detect behavioral anomalies and limit long-term persistence.
read more →

Evolution of Iranian Cyber Threats and Identity Risks

🔒 Iranian-aligned threat actors are shifting from bespoke destructive wipers to weaponizing privileged identities and native management features. Rather than deploying novel binaries, attackers compromise high-privilege accounts and use legitimate MDM/RMM or cloud consoles to push remote-wipe and factory-reset commands at scale. This living-off-the-land approach bypasses traditional endpoint telemetry and enables rapid, high-impact disruption across managed tenants. Defenders must prioritize identity resilience, Zero Trust, and immutable backups to maintain survivability.
read more →

Global Rise in Fake Shipment Tracking Scams — 2025 Update

📦 Group-IB reports a rapid global escalation of fake shipment tracking scams during 2025, jumping from almost no activity in 2024 to more than 100 unique campaigns per month and peaks of 218 and 208 in June and December. Attackers use disposable and lookalike domains, SMS sender spoofing, local-looking numbers and URL masking to trick recipients into providing credentials or paying bogus fees. Many phishing sites share infrastructure linked to the Darcula PhaaS, which offers thousands of counterfeit domains and templates. The report urges organisations to strengthen domain authentication and increase customer alerts.
read more →

Ransomware TTPs and Shifting Threat Landscape — 2025

🔐 GTIG and Mandiant analysis of 2025 ransomware activity shows a shift toward greater data-theft-extortion and targeting of virtualization despite declining overall profitability for operators. Exploitation of VPNs and firewalls, increased abuse of legitimate tools and cloud services, and more aggressive extortion tactics produced a record number of data-leak-site postings. REDBIKE was the most frequently observed family, and defenders saw drops in Cobalt Strike and RMM reliance. Recommended actions include patching perimeter devices, hardening virtualization, improving backup resiliency, enforcing credential hygiene, and monitoring for anomalous data egress.
read more →

Possible Quantum Speedup for Factoring: Skeptical View

🔬 The author expresses skepticism and notes they are not qualified to fully evaluate a newly announced claim of improved quantum factoring. If validated, the finding would represent a theoretical improvement in the speed of factoring large integers with a quantum computer. The post emphasizes that the result is currently unverified and that practical consequences for deployed cryptography remain uncertain. Further expert review, replication, and analysis are necessary to determine any real-world impact.
read more →