< ciso
brief />
Threat and Trends Reports Banner

All news in category “Threat and Trends Reports

1641 articles · page 29 of 83

Zero-Day Exploits on Enterprise Software Reach Record High

🛡️ Google Threat Intelligence Group (GTIG) analysis found 90 zero-day vulnerabilities were actively exploited in 2025, and attackers are increasingly focusing on enterprise technology. Enterprise software and appliances accounted for 43 (48%) of tracked zero-days, with security and networking appliances most frequently targeted. End-user platforms still comprised 52% of exploits overall, led by Microsoft Windows, while mobile OS targeting rose and browser-based zero-days fell to a historic low. GTIG recommends segmentation, least-privilege architectures and continuous monitoring to detect and respond to threats.
read more →

CL-UNK-1068 Targets Critical Sectors Across Asia Region

🛡️ Unit 42 details CL-UNK-1068, a cluster observed since 2020 that targets aviation, energy, government, law enforcement, pharmaceutical, technology and telecommunications organizations across South, Southeast and East Asia. The actor deploys web shells (GodZilla, an AntSword variant), performs DLL side-loading with legitimate python binaries, and uses custom scanners and tunneling tools such as FRP. Exfiltration focuses on web configuration files, databases and credentials; defenders should prioritize detections for behavioral anomalies over static IOCs.
read more →

What Cybersecurity Actually Delivers for Business Value

🔒 Cybersecurity often looks uneventful when it succeeds, because routine controls quietly prevent incidents from escalating into business crises. Rather than just proving which disasters were avoided, security should be evaluated by what it enables: uninterrupted operations, customer trust, regulatory compliance and future growth. Operational services like MDR extend continuous detection and response to smaller organisations, reducing attacker dwell time and improving resilience.
read more →

Middle-Aged Professionals Now Dominate Cybercrime Roles

🔍 New analysis from Orange Cyberdefence of 418 law‑enforcement actions between 2021 and mid‑2025 shows profit-driven, midcareer criminals — especially those aged 35–44 — constitute the largest share of cyber offenders. Teenagers and young adults remain present (12–17: 5%; 18–24: 21%), but activity shifts toward organised extortion, malware and money laundering with age. Experts say modern operations resemble illicit tech firms that require project management, recruitment and financial expertise.
read more →

CISO Priorities for 2026: AI, Identity, and Resilience

🔐 2026 will bring faster, cheaper, and more credible cyberattacks as AI and automation lower the skill barrier for attackers. Industry leaders from Banco Santander, Vodafone, NordVPN, Sophos, and Cisco emphasize a shift from perimeter defenses to identity-centric, automated, resilience-focused models. Priority actions include continuous identity verification, integrated AI-driven security, XDR consolidation, supply-chain risk management, and stronger detection, response, and data-protection controls implemented with minimal customer friction.
read more →

Zero-day Exploits Hit Enterprises Faster and Harder

⚠️ Google’s GTIG tracked 90 zero-day vulnerabilities in 2025, finding nearly half targeted enterprise technologies such as security appliances, VPNs, networking gear, and enterprise software. The report highlights that Chinese-linked actors increased their use of zero-days and that commercial surveillance vendors now outpaced state-backed groups. Defenders face shrinking response windows as exploit sharing, faster public-to-exploit timelines, and emerging AI accelerate attacks.
read more →

Europe Targeted by Identity Theft and Account Takeovers

🔒 Darktrace's Threat Report 2026 warns that identity-based attacks—primarily via compromised cloud and email accounts—now initiate 58% of intrusions in Europe, with network-based breaches comprising the other 42%. Germany and the manufacturing sector were particularly affected as attackers leverage valid credentials and legitimate admin tools to evade detection. The report highlights state-backed groups (e.g., Lazarus, ShadowPad) and RaaS operators such as Akira, noting heavy targeting of Azure, GCP and Docker environments. Experts recommend continuous monitoring of privileged accounts, hardened MFA, device baselines and behavioral detection to spot anomalies early.
read more →

Patch, Track, Repeat: 2025 CVE Retrospective Summary

📌 Cisco Talos' 2025 retrospective finds 48,196 CVEs (≈132 per day) and highlights persistent root causes—XSS, SQL injection, and insecure deserialization—responsible for roughly 10,000 vulnerabilities. Known Exploited Vulnerabilities rose ~30% to 241, with many affecting network devices and an expanded vendor set of 99, underscoring patching and supply-chain visibility challenges. The author stresses prioritized patch management, accurate asset inventories, and compensating controls (microsegmentation, network isolation, enhanced monitoring) for unpatchable systems, and also notes a near-doubling of AI-related CVEs.
read more →

AI-Driven Insider Risk Now a Critical Business Threat

🔒 Mimecast's State of Human Risk Report 2026 warns that insider threats have escalated into a critical business risk, driven in part by employees mishandling or abusing AI tools. The study found 42% of organizations reported increases in both malicious insider activity and negligence-related incidents, while security leaders now anticipate an average of six insider-driven incidents per month. Mimecast cautions that attackers and insiders leveraging AI amplify exposure and call for security to address risk at the user level.
read more →

GTIG: 90 Zero-Day Exploits Observed in 2025, Enterprise Hit

🔐 Google Threat Intelligence Group (GTIG) reports 90 zero-day vulnerabilities were actively exploited in 2025, a 15% increase from 2024. Nearly half targeted enterprise products such as security appliances, networking gear, VPNs, and virtualization platforms. Memory-safety issues comprised 35% of exploited flaws, and commercial spyware vendors overtook state actors as the top zero-day consumers. Google recommends reducing attack surface, continuous monitoring, and rapid patching to detect and contain exploitation.
read more →

2026 Browser Report: Enterprise Security Blind Spots

🛡️ The 2026 State of Browser Security Report from Keep Aware warns that modern browsers—now hosting embedded AI copilots and generative tools—have become the primary execution layer for enterprise work and the largest emerging security gap. The study finds broad adoption of AI web tools, frequent uploads of internal and regulated data, and that traditional DLP and network controls fail to inspect typed inputs, pasted content, and in-session file uploads. It highlights phishing, malicious extensions, and social engineering as leading browser attack vectors and urges organizations to adopt browser-specific visibility, continuous extension governance, and account-level controls for AI usage.
read more →

Coruna iOS exploit kit moves from surveillance to crime

🔒Researchers at Google’s Threat Intelligence Group uncovered Coruna, a sophisticated iOS exploit kit composed of five exploit chains and 23 individual exploits that migrated from a commercial surveillance customer to suspected state and criminal operators within months. The framework resurfaced with UNC6353 on compromised Ukrainian sites and later powered mass attacks by China-based UNC6691 on fake financial pages. Its payload, tracked as Plasmagrid, injects into the root powerd daemon to exfiltrate cryptocurrency wallets, seed phrases and QR codes. GTIG urges immediate iOS updates, enabling Lockdown Mode where updates are impossible, and has published IoCs on VirusTotal.
read more →

2025 Zero-Day Review: Enterprise Rise and CSV Growth

🛡️ Google Threat Intelligence Group's 2025 review found 90 zero-day vulnerabilities exploited in the wild, down from 2023 but above 2024. Enterprise technologies accounted for a record 48% of zero-days, driven by attacks on networking and security appliances, while browser exploitation fell to historic lows. GTIG highlights growing involvement of commercial surveillance vendors and expanded financially motivated use of zero-days. Defenders are urged to prioritize segmentation, inventory, and rapid mitigation.
read more →

ThreatsDay Bulletin: Emerging Campaigns and Policy Shifts

📰 This ThreatsDay bulletin summarizes a fast-moving week of cyber activity, covering phishing, malware, large-scale scraping, privacy actions, and research that changes operational risk. Notable items include a CERT-UA–reported phishing campaign delivering SHADOWSNIFF, SALATSTEALER, and a Go backdoor; a DDR5 scraping operation used for scalping RAM inventory; and a new Chrome two‑week release cadence. The update also highlights regulatory action against Reddit and privacy steps by Samsung.
read more →

Where MFA Stops: Windows Authentication Gaps and Risks

🔐 Organizations often assume multi-factor authentication (MFA) eliminates credential risk, but in many Windows environments that assumption is incomplete. Cloud IdPs like Microsoft Entra ID, Okta, and Google Workspace protect federated sign‑ins, yet traditional Windows authentication paths — including interactive logons, RDP, NTLM, Kerberos ticket abuse, SMB, local admin and service accounts — commonly bypass those controls. The result: attackers can use stolen passwords, NTLM hashes, stolen or forged Kerberos tickets, or reused local credentials to move laterally and maintain persistent access without triggering cloud MFA. Vendor solutions such as Specops Secure Access and Specops Password Policy are presented as practical mitigations to enforce MFA for Windows logon, block compromised passwords, and reduce legacy protocol exposure.
read more →

State-affiliated groups prepare disruptive OT attacks

⚠️ Dragos reports that multiple state-affiliated threat groups have shifted from long-term access to actively mapping and preparing disruptive attacks against industrial control systems. Adversaries tracked as Voltzite, Kamacite, Electrum, and others have been observed harvesting engineering workstation files, scanning device types to map control loops, and staging wiper and firmware-corruption capabilities. The access-broker model — exemplified by Sylvanite handing footholds to operational teams — shortens the timeline from intrusion to operational readiness. With under 10% of OT environments monitored, many sites lack the visibility needed to detect or respond to these preparations.
read more →

Fourteen Long-Lived Software Bugs That Took Decades

🛠 This article reviews fourteen long-dormant software vulnerabilities that persisted for ten to thirty years and were only recently discovered or fixed. It highlights flaws across foundational components — from libpng and Python modules to Windows internals, bootloaders, network daemons, and secrets vaults — illustrating how legacy design choices and sparse code review can leave pervasive risks. The piece summarizes impacts, discovery timelines, and the remediation actions taken by vendors and maintainers.
read more →

Cyber Fallout After the Strikes: Signal, Noise, Next Steps

⚠️ FortiGuard Labs reports a surge of regional cyber activity in the 24–48 hours following U.S.-Israeli strikes on Iranian targets, including defacements, broadcast intrusions, Telegram claims, and internet disruptions, but no confirmed large-scale destructive campaign tied directly to the strikes. Many observed events appear to be psychological operations, hacktivist signaling, or opportunistic exploitation of geopolitical noise rather than coordinated state-level retaliation. The report warns that access is often pre-positioned and that activations can be delayed, so organizations should harden basic controls and preparedness now. Recommended actions include enabling MFA, automating patching, isolated backups, segmentation, active monitoring, and exercising incident response playbooks.
read more →

Inside Tycoon2FA: Scale and AiTM Phishing Operations

🔎 Tycoon2FA emerged in August 2023 as a phishing-as-a-service platform that provided adversary-in-the-middle (AiTM) capabilities to relay authentication flows and capture session cookies. Its web-based admin panel centralized templates, redirects, hosting, CAPTCHA, and exfiltration controls while exposing real-time metrics. Fast-moving short-lived domains, Cloudflare hosting, and heavy obfuscation let low-skill operators run scalable campaigns against MFA-protected accounts worldwide.
read more →

Browser-in-the-Browser Phishing Now Used Against Facebook

🔒 Browser-in-the-browser (BitB) phishing renders convincing fake login pop-ups inside malicious pages, and Kaspersky reports attackers are now using this technique in real campaigns to steal Facebook credentials. Threat actors create counterfeit authentication dialogs and even fake address bars so visual inspection is unreliable. Use a password manager — it checks the actual origin before auto-filling — and enable 2FA, adopt passkeys, and use unique passwords to reduce risk.
read more →