< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1641 articles · page 28 of 83

Mental health apps leaking private data: 2026 audit

🧠 In February 2026, cybersecurity firm Oversecured audited 10 popular Android mental‑health apps and found 1,575 vulnerabilities — 54 rated critical — across apps with a combined 14.7M+ installs. Findings include insecure local storage, hardcoded API endpoints, weak token generation using java.util.Random, and no root detection, contradicting many apps’ claims of full encryption. The report highlights the real risk of exposure of therapy transcripts, mood logs, and medication data and urges users to review permissions, update apps, and avoid third‑party sign‑ins.
read more →

Cloud Attackers Favor Exploits Over Credential Theft

🔐 Google Cloud's H1 2026 Threat Horizons Report finds that in the second half of 2025 threat actors shifted from credential-based access to exploiting unpatched third-party software. Third-party software entry rose to 44.5% of primary vectors (up from 2.9%), while credential abuse declined to 27.2%. Google highlights React2Shell (CVE-2025-55182) as a heavily exploited RCE and recommends automated defenses, stronger identity controls and WAF protections to mitigate rapid post-disclosure attacks.
read more →

The New Turing Test: Geometry-Based Sandbox Evasion

🛡️ Modern malware increasingly uses mathematical and timing checks to avoid analysis. The Picus Red Report™ 2026 found Virtualization/Sandbox Evasion (T1497) surged to the #4 technique in 2025, appearing in 20% of samples. Threats like Blitz and LummaC2 use system profiling, trigonometry-based mouse analysis, and CPU timing comparisons to detect sandboxes and abort execution. Organizations should shift from file analysis to continuous behavioral validation using AEV and BAS.
read more →

Global Cyber Attacks Stay Near Record Levels in Feb 2026

⚠️ Check Point Research reports that global cyber attack volumes remained near record highs in February 2026, with an average of 2,086 weekly attacks per organization—a 9.6% year‑over‑year increase and effectively flat month‑to‑month (-0.2%). While ransomware activity eased versus the same period last year, overall attack volumes grew due to automation, expanding digital footprints, and persistent exposure risks tied to enterprise GenAI use. The findings point to a sustained, high‑pressure threat environment that demands continuous risk management.
read more →

Reducing Internet Exposure to Avoid Zero-Day Scrambles

🛡️ The window to respond to critical vulnerabilities is collapsing: disclosure-to-exploit can be as short as 24–48 hours today and is projected to shrink to minutes by 2028. Many organizations unknowingly expose unnecessary internet-facing services, turning unpatched systems into immediate attack opportunities. Intruder’s Head of Security recommends deliberate attack surface reduction through robust asset discovery, treating exposure as its own risk category, and continuous monitoring to prevent frantic, last-minute remediation.
read more →

The OT Security Time Bomb in Energy & Pharma Manufacturing

⚠️ Legacy operational technology in critical plants — often running unsupported systems like Windows XP and using insecure protocols — represents a persistent and escalating cyber risk. The author, an experienced OT security practitioner, identifies three main blockers: the taboo of planned downtime, cultural and language gaps between IT and OT teams, and diffused budget and accountability. He documents a typical attack chain that begins in IT, moves laterally through poorly segmented networks, and exploits unmonitored legacy controllers, and recommends a pragmatic, phased response: risk-based inventory, IEC 62443-aligned segmentation, OT-aware monitoring, compensating controls and stepwise modernization to reduce exposure without halting production.
read more →

Sednit reemerges with BeardShell and Covenant toolkit

🔍 Since April 2024 ESET documents the reactivation of Sednit’s advanced implant team, which now deploys paired implants BeardShell and Covenant to maintain resilient command-and-control through distinct cloud providers. A SlimAgent keylogger found in Ukraine shows clear code lineage to the 2010-era Xagent backdoor, while BeardShell executes PowerShell in a .NET runtime and communicates via Icedrive using an obfuscation pattern previously seen in Xtunnel. Covenant is a heavily modified open-source framework adapted for long-term espionage with cloud-backed protocols, and ESET maps observed behaviors to ATT&CK techniques and publishes IoCs.
read more →

Access Decisions: The Weakest Link in Identity Security

🔐 Longstanding identity programs have largely solved authentication with MFA and SSO, but authorization — the decisions about what authenticated identities can do — remains fragile and undergoverned. The article highlights a persistent denominator problem: many assets, cloud tenants, service accounts and shadow IT tools fall outside centralized visibility, so coverage metrics can be misleading. Effective risk reduction requires context-rich, accountable access decisions and stronger governance of non-human and third-party identities to avoid rubber-stamp approvals and excessive blast radius.
read more →

Replacing Annual Pen Tests with Continuous Automation

🔁 I replaced annual manual penetration tests with continuous automated platforms to gain immediate, repeatable validation and rapid retesting. Platforms like Pentera and Horizon3.ai’s NodeZero simulated black‑box, grey‑box, and custom scenarios on a fortnightly cadence, increasing testing from a single yearly engagement to at least 38 automated simulations annually. This change improved ROI, shifted prioritization from CVSS severity to real attack paths, exposed misconfigurations and ineffective controls, and accelerated team learning and SOC validation.
read more →

Threat Actor Abuses .arpa Reverse DNS to Evade Detection

🛡️ Infoblox reports a novel phishing evasion technique that leverages the .arpa reverse-DNS namespace and IPv6-to-IPv4 tunneling to host malicious content on infrastructure-only names. The actor created forward A/AAAA records for reverse DNS names—using services tied to Hurricane Electric and Cloudflare—so links appear to originate from trusted infrastructure, bypassing reputation checks and many security controls. Clicks redirected victims to credential- and payment-stealing landing pages. Infoblox recommends audits, DNS restrictions, and targeted detection for ip6.arpa traffic.
read more →

Cloud Attacks Shift to Exploiting Newly Disclosed Flaws

⚠️ Google reports attackers increasingly exploit newly disclosed third‑party vulnerabilities to gain cloud access, with the exploitation window shrinking to days. Bug exploits, especially RCE flaws like React2Shell and XWiki, accounted for 44.5% of intrusions while credential-based breaches fell to 27%. Incidents include OIDC abuse via compromised packages, long-term espionage by state-linked groups, and insider-facilitated exfiltration, prompting calls for automated response.
read more →

WEF Global Cybersecurity Outlook 2026: CISO Takeaways

🤖 The World Economic Forum’s Global Cybersecurity Outlook 2026 warns that AI is accelerating the cyber arms race: 94% of leaders expect it to be the top change driver and 87% say AI vulnerabilities are the fastest‑growing risk. The report notes organizations are improving AI tool security evaluation (from 37% to 64%), yet CEOs and CISOs display different risk priorities. It also highlights widening resilience gaps across organization sizes and calls for harmonized regulation and stronger public‑private collaboration.
read more →

Weekly Cybersecurity Recap: Exploits, Takedowns, Trends

🛡️ This week's roundup highlights major offensive operations, critical vulnerabilities, and notable law enforcement wins. Security firms and authorities dismantled the infrastructure behind Tycoon2FA and disrupted LeakBase, striking at large-scale AitM phishing and underground data markets. At the same time, researchers disclosed high-impact flaws — from a Qualcomm chipset exploit to the powerful Coruna iOS kit — underscoring persistent risk and the need for rapid patching. Prioritize the listed CVEs and accelerate triage and remediation.
read more →

AirSnitch: Cross-Layer Wi-Fi Identity Desynchronization

⚠️AirSnitch exploits cross-layer identity desynchronization between Layers 1 and 2 to mount full, bidirectional machine-in-the-middle attacks. An attacker on the same SSID, a different SSID, or another segment tied to the same AP can intercept and modify link-layer traffic. The technique affects home, office, and enterprise Wi‑Fi and enables DNS poisoning, credential theft, and exploitation of unpatched flaws.
read more →

Ransomware Shift: From Loud Disruption to Stealth Tactics

🔒 Ransomware operators are shifting from noisy, disruptive attacks to covert, long-term intrusions focused on data theft and extortion. Picus Security's Red-Teaming report—based on simulations and analysis of 1.1 million malware files and 15.5 million MITRE-mapped actions—finds most common techniques aim to remain undetected. Adversaries increasingly chain vulnerabilities, route C2 through trusted services like OpenAI and AWS, and favor persistence over immediate encryption, though some vendors dispute a reduction in overall activity.
read more →

Phishers Abuse .arpa Reverse DNS and IPv6 to Evade Defenses

🔒 Threat actors are abusing the special-use .arpa reverse DNS namespace and IPv6 reverse zones to evade domain reputation checks and email gateways. By obtaining IPv6 address space and controlling reverse DNS, attackers can create nonstandard records (for example A records under ip6.arpa) that resolve to phishing infrastructure hosted behind reputable providers like Cloudflare or Hurricane Electric. Infoblox observed short-lived, image-linked URLs that redirect through traffic distribution systems to selectively deliver phishing pages and frustrate investigation.
read more →

ClickFix phishers use Win+X shortcut to evade defenses

⚠ Attackers have shifted ClickFix phishing to use the Windows + X → I shortcut to open Windows Terminal, prompting victims to paste malicious PowerShell via fake CAPTCHAs and verification prompts. This avoids detections focused on Run (Win+R) and undermines basic security training. Microsoft says the campaign launches layered, persistent chains that decode embedded hex, download a renamed 7-Zip binary to extract payloads, establish persistence, apply Defender exclusions, and exfiltrate data.
read more →

CISO-Board Meetings Brief and Lacking Strategic Depth Across Boards

📊 Boards receive regular CISO briefings—typically quarterly—but those interactions are often short and surface-level. A recent IANS/Artico Search/The CAP Group study of more than 650 CISOs found most updates are time-boxed to ~30 minutes, and only 30% of boards describe relationships as strong and collaborative. Directors want more forward-looking, operational insight on threats—especially those driven by AI—and fewer passive status reports. CISOs with extended airtime report deeper, strategy-focused engagement.
read more →

Preparation and Hardening for Destructive Cyberattacks

🛡️ This article outlines practical, scalable recommendations to prepare and harden environments against destructive malware, wipers, and modified ransomware. It emphasizes resilience through verified, immutable backups, out-of-band incident communication, and prioritized recovery plans. The post recommends strengthening external-facing assets with multi-factor authentication and continuous attack-surface discovery, protecting Domain Controllers and virtualization infrastructure, and applying network and cloud segmentation alongside tuned detections. It also highlights available detections in Google SecOps and Mandiant rule packs.
read more →

Targeted Online Ads Emerging as Primary Malware Vector

🛡️ The Media Trust reports that online advertisements are increasingly exploited to deliver malware, and malvertising now surpasses email and direct hacks as the leading global delivery vector. Millions of infected creatives or scripts can propagate across publishers in seconds, and attackers are leveraging AI to produce adaptive malware that changes by location, browser, or device. Notable examples include Ghost Cat, Click Fix and SocGholish, while the company warns of emerging AI-assisted evasion and the abuse of adtech infrastructure.
read more →