All news in category "Threat and Trends Reports"

Kerberoasting in 2025: Protecting Service Accounts

🔒 Kerberoasting remains a persistent threat to Active Directory environments, enabling attackers to request service tickets for SPNs and crack their password hashes offline to escalate privileges. Adversaries use freely available tools like GetUserSPNs.py and Rubeus to extract tickets tied to service accounts, then perform offline brute-force attacks against the ticket encryption. Mitigations recommended include regular AD password audits, using gMSAs with auto-managed long passwords, preferring AES over RC4, enforcing non-reusable 25+ character passwords with rotation, and deploying MFA and robust password policies.

Time Travel Debugging for .NET Process Hollowing Analysis

🕒 This post introduces Time Travel Debugging (TTD) via WinDbg as a high-value tool for accelerating analysis of obfuscated, multi-stage .NET droppers that perform process hollowing. The authors demonstrate recording a TTD trace, querying the Debugger Data Model with LINQ to find CreateProcess and WriteProcessMemory calls, and extracting a hidden AgentTesla payload. It highlights practical tips, tooling (TTD.exe, FLARE-VM), and limitations such as user-mode scope and proprietary trace formats.

CISO Pay Rises 6.7% as Budgets Slow and Mobility Grows

📰 IANS Research polled 566 CISOs across the US and Canada between April and October 2025 and found average total compensation (salary, bonus and equity) rose 6.7% year‑on‑year. The report highlights sharp pay dispersion: the top 1% report over $3.2m—about ten times the median—while 70% of CISOs receive equity that often drives top packages. Budgets grew just 4% (the slowest pace in five years), CISO mobility climbed to 15%, and tech and financial services led sector pay at averages of $844,000 and $744,000 respectively.

Book Review: The Business of Secrets and 1970s Crypto

🔐 Fred Kinch’s memoir recounts his years selling commercial cryptographic hardware from 1969 to 1982, chronicling Datotek’s pivot from file to link encryption and the chaotic marketplace of the era. He describes regulatory battles, notably ITAR and NSA scrutiny, alongside anecdotal demonstrations of security that now seem alarmingly informal. Kinch’s stories reveal a world where vendors, customers, and even governments often accepted cryptographic strength on trust rather than proof.

Ransomware Fragmentation and Rising Attacks in Q3 2025

🔍 The ransomware landscape in Q3 2025 reached a critical inflection point: despite law enforcement takedowns earlier in the year, attacks remained at historically high levels. Check Point Research identified 1,592 new victims across 85 active extortion groups, a 25% year‑over‑year increase. While major brands such as RansomHub and 8Base disappeared, numerous smaller actors rapidly filled the void, driving unprecedented RaaS fragmentation and complicating response efforts.

Machine-Speed Security: Patching Faster Than Attacks

⚡ Attackers are weaponizing many newly disclosed CVEs within hours, forcing defenders to close the gap by moving beyond manual triage to automated remediation. Drawing on 2025 industry reports and CISA and Mandiant observations, the article notes roughly 50–61% of new vulnerabilities see exploit code within 48 hours. It urges adoption of policy-driven automation, controlled rollback, and streamlined change processes to shorten exposure windows while preserving operational stability.

Kraken Ransomware: Cross-Platform Big-Game Hunting

🐙 Kraken is a Russian-speaking ransomware group active since February 2025 that conducts double-extortion, big-game hunting campaigns across multiple regions. In a documented intrusion Talos observed, attackers exploited SMB flaws for access, used Cloudflared for persistence, exfiltrated data via SSHFS, then deployed cross-platform encryptors for Windows, Linux and ESXi. The family includes on-host benchmarking to tune encryption, and Talos maps detections and IOCs to Cisco protections to aid response.

techUK Urges Collaboration to Tackle Rising Fraud Now

🔍 techUK has published its Anti-Fraud Report 2025, warning that fraud now accounts for 40% of crime in the UK and that an estimated 67% is cyber-enabled. The report urges improved collaboration across law enforcement, banks, tech platforms, telecoms and regulators and recommends a connected anti-fraud ecosystem, wider use of AI and machine learning, and a national Tell Us Once victim-reporting model. It highlights the scale of harm—global losses of about $1 trillion in 2024—and cautions that government action is still being finalised.

ThreatsDay Bulletin: Key Cybersecurity Developments

🔐 This ThreatsDay Bulletin surveys major cyber activity shaping November 2025, from exploited Cisco zero‑days and active malware campaigns to regulatory moves and AI-related leaks. Highlights include CISA's emergency directive after some Cisco updates remained vulnerable, a large-scale study finding 65% of AI firms leaked secrets on GitHub, and a prolific phishing operation abusing Facebook Business Suite. The roundup stresses practical mitigations—verify patch versions, enable secret scanning, and strengthen incident reporting and red‑teaming practices.

Password managers under attack: risks, examples, defenses

🔐 Password managers centralize credentials but are attractive targets for attackers who exploit phishing, malware, vendor breaches, fake apps and software vulnerabilities. Recent incidents — including a 2022 LastPass compromise and an ESET‑reported North Korean campaign — demonstrate how adversaries can exfiltrate vault data or trick users into surrendering master passwords. To reduce risk, use a long unique master passphrase, enable 2FA, keep software and browsers updated, install reputable endpoint security, and only download official apps from trusted stores.

UK Cyber Insurance Payouts Surge 230% to £197m in 2024

🔍 The UK cyber insurance sector paid £197m to policyholders in 2024, a 230% increase on the previous year, driven largely by more damaging malware and ransomware incidents that now account for 51% of claims. The ABI says insurers issued 17% more policies over the period while higher payouts reflect growing threat sophistication and larger recovery costs. Insurers are tightening underwriting and requiring stronger resilience, offering services such as expert advice, threat monitoring and incident response support as part of coverage to reduce future losses.

Active Directory Under Siege: Risks in Hybrid Environments

🔐 Active Directory remains the critical authentication backbone for most enterprises, and its growing complexity across on‑premises and cloud hybrids has expanded attackers' opportunities. The article highlights common AD techniques — Golden Ticket, DCSync, and Kerberoasting — and frequent vulnerabilities such as weak and reused passwords, lingering service accounts, and poor visibility. It recommends layered defenses: strong password hygiene, privileged access management, zero‑trust conditional access, continuous monitoring, and rapid patching. The piece stresses that AD security is continuous and highlights solutions that block compromised credentials in real time.

Moving Beyond Frameworks: Real-Time Risk Assessments

🔍 Organizations are shifting from annual, checklist-driven compliance to targeted, frequent risk assessments that address emerging threats in real time. The article contrasts gap analyses — which measure adherence to frameworks like NIST or ISO — with tailored risk reviews focused on specific threat paths (for example, access control, ransomware, AI or cloud misconfigurations). It recommends small, repeatable questionnaires, a simple scoring model and executive-ready outputs to prioritize remediation and integrate risk into governance.

Enterprise networks hit by legacy, unpatched systems

🔍 New research from Palo Alto Networks shows enterprise networks remain sprawling and poorly controlled: telemetry from 27 million devices across 1,800 enterprises found 26% of Linux and 8% of Windows systems running on end-of-life OS versions, 39% of directory-registered devices lack active endpoint protection, and 32.5% operate outside IT control. Poor segmentation — present in 77% of networks — and unmanaged edge devices increase attacker opportunities.

Understanding Differences Between NDR, EDR and XDR

🛡️This article compares three related threat-detection approaches: Endpoint Detection and Response (EDR), Network Detection and Response (NDR) and Extended Detection and Response (XDR). It explains that EDR focuses on endpoint agents and can leave visibility gaps, while NDR analyzes packet-level network traffic for real-time detection, forensic review and retrospective analysis. XDR is described as a strategy that unifies telemetry from multiple sources to accelerate response; when combined, these capabilities offer complementary coverage and reduced operational risk.

Global Cyber Attacks Surge in October 2025: Ransomware Rise

📈 Check Point Research found a continued uptick in global cyber assaults in October 2025, with organizations experiencing an average of 1,938 attacks per week. That represents a 2% increase from September and a 5% rise year‑over‑year. The report attributes the growth to an explosive expansion of ransomware operations and emerging risks tied to generative AI, while the education sector remained the most heavily targeted. Security teams are urged to strengthen detection, patching and access controls to counter increasingly automated and AI‑assisted threats.

Cyber spies target German public administration, says BSI

🔒 The German Federal Office for Information Security (BSI) reports that cyber espionage is increasingly targeting public administration, with notable victims in defense, judiciary and public safety. The 1 July 2024–30 June 2025 report notes law-enforcement actions against ransomware providers LockBit and Alphv but warns many incidents go unreported. It highlights rising quishing and vishing attacks, insufficient basic protections—especially among SMEs and political organizations—and calls for stronger investment and reduced dependence on U.S. infrastructure.

Quantum Route Redirect: Automated PhaaS Targets 90 Countries

🔒 KnowBe4 has identified a new phishing-as-a-service platform called Quantum Route Redirect that automates large-scale credential theft across roughly 90 countries and is hosted on about 1,000 domains. The kit distinguishes security tools from real users to evade URL scanning and some web application firewalls, routing victims to Microsoft 365 credential-harvesting pages. It includes redirect configuration, traffic analytics, monitoring dashboards and themed lures such as DocuSign and payroll impersonations. KnowBe4 urges multi-layered defenses including NLP-driven email analysis, sandboxing, continuous monitoring and rapid incident response.

Why a Fully Passwordless Enterprise May Remain Elusive

🔒 Enterprises have pursued a passwordless future for more than a decade, yet deployment is stalling as legacy systems, industrial and IoT devices, and custom apps often lack support. A recent RSA report found 90% of organizations face coverage gaps or poor user experience, leaving most firms able to cover only about 75–85% of use cases. Experts warn that enrollment, recovery, and fallback mechanisms frequently reintroduce passwords and expand attack surfaces unless those flows are made as phishing-resistant as logins.

Authentication Coercion: Abusing Rare Windows RPC Interfaces

🔒 Unit 42 details how attackers force Windows hosts to authenticate to attacker-controlled systems by abusing rarely monitored RPC interfaces. The report explains techniques, including misuse of UNC path parameters and obscure opnums, and reviews a March 2025 healthcare incident that leveraged MS-EVEN ElfrOpenBELW. It outlines indicators such as bursts of failed NTLM authentications and RPC calls containing external UNC targets. Recommendations include detection, RPC filtering, SMB signing, and Cortex XDR protections.