
All news in category “Threat and Trends Reports”


Cybersecurity Predictions 2026: Hype vs. Actionable Risks

🔍 Bitdefender is hosting a webinar to separate speculative cybersecurity headlines from evidence-based risks organizations should prioritize for 2026. The session centers on three converging trends: ransomware evolving into targeted disruption, uncontrolled internal AI adoption that erodes perimeter assumptions, and a sober assessment of claims about AI-orchestrated adaptive attacks. Attendees receive research-backed guidance to align investments and defenses with real operational risk.

Unencrypted TETRA Radio Leaves German Critical Sites Exposed

⚠️ Many German critical infrastructure organizations are transmitting over unencrypted digital radio, creating an easily exploitable interception vector. Wirtschaftswoche reports that prisons, airports and energy providers are operating TETRA networks without encryption—often citing cost reasons—while police networks remain multi-layer encrypted. AG Kritis calls the situation a security-policy disgrace, warning that a laptop, free software and modest technical skill are sufficient to eavesdrop and capture confidential information, potentially endangering supply security and lives.

Enterprises Struggle with IAM, Privilege and AI Access

🔐 New research from CyberArk finds enterprise users routinely bypass IAM controls to work faster, with 63% of security leaders reporting this behavior. Only 1% of organizations have fully implemented a modern just-in-time privileged access model, while 91% say at least half of privileged access remains always-on. Shadow accounts and unmanaged secrets surface weekly in 54% of firms, and many lack clear AI access policies.

Six Cyber Threats for 2026 and Recommended Defenses

🔐 Corelight outlines six cyber threats to prioritize in 2026, driven by advances in AI, automation, and more sophisticated social engineering. Key concerns include agentic and shadow AI misuse, deepfakes in phishing, AI-orchestrated ransomware, accelerated vulnerability discovery, stale scanning practices, and multicloud blind spots. Recommendations focus on improved hybrid visibility, continuous scanning, Zero Trust access, digital identity verification, and deploying NDR alongside AI-enabled incident response to reduce detection gaps.

China-linked UAT-7290 Targets Telecoms, Deploys ORBs

🔍 Cisco Talos attributes a China-nexus cluster named UAT-7290 to espionage-focused intrusions against South Asian and Southeastern European organizations. The actor conducts detailed reconnaissance and exploits one-day vulnerabilities and SSH brute force to compromise edge devices, primarily targeting telecommunications providers. UAT-7290 deploys Linux-based tooling including RushDrop, DriveSwitch, and SilentRaid, and uses the Bulbature backdoor to establish Operational Relay Box (ORB) nodes for broader access.

Securing Rugged IoT at the Edge for Mission-Critical Ops

🔒 Edge-deployed rugged IoT enables real-time decision-making in defense, utilities and public safety, but operates beyond traditional IT perimeters and assumptions. Devices face harsh environments, intermittent connectivity and limited physical access, which extend exposure windows and complicate patching and monitoring. CIOs must adopt adaptive, decentralized security that blends device hardening, zero-trust networking, physical protections and offline update workflows to preserve continuity, compliance and safety.

Phishing attackers exploit email routing and spoofing gaps

📧 Microsoft Threat Intelligence warns attackers are increasingly abusing complex email routing and misconfigured DMARC and SPF policies to make phishing messages appear internal. Campaigns exploit MX records that do not point directly to Microsoft 365, allowing messages with the recipient's address in both To and From fields to bypass filters. Lures include password resets and shared-document notices, and some attacks use Phishing-as-a-Service platforms such as Tycoon 2FA to perform Adversary-in-the-Middle attacks that can defeat MFA. Microsoft recommends strict DMARC reject policies, SPF hard-fails, correct connector configuration, and phishing-resistant MFA like FIDO2.

ThreatsDay: Weekly roundup — hacks, vulnerabilities, trends

🛡️ This week's ThreatsDay highlights a critical RustFS gRPC authentication flaw with a hard-coded token (CVSS 9.8) that allowed network attackers to perform privileged operations and was patched in 1.0.0-alpha.78. Other notable stories include GeoServer-based XMRig miners, an evolution in Iran-linked MuddyWater custom backdoors, a surge in Taiwanese infrastructure attacks, and CISA's KEV catalog expansion. Organizations should apply patches, enable MFA, and monitor credentials and exposed services.

Trusted Open Source Report: Longtail Risk & Remediation

🔒 Chainguard’s quarterly pulse, The State of Trusted Open Source, analyzes anonymized usage and CVE data across a large customer base and catalog of container images to reveal where real production risk concentrates. The report finds Python leading the modern AI stack, while roughly half of production runs on a diverse longtail of images beyond the top 20. Importantly, 98% of remediated CVE instances occurred in that longtail, and compliance drivers like FIPS adoption materially influence image choices. Chainguard also highlights fast remediation performance, averaging under 20 hours for Critical CVEs.

Credential stuffing: risks and protection advice today

🔐 Credential stuffing exploits reused login credentials harvested from breaches or captured by infostealer malware, then systematically automates login attempts across services. Attackers increasingly use bots, IP rotation and AI-assisted scripts to mimic human behavior and evade basic defenses, enabling stealthier and larger-scale attacks. Because it uses valid credentials, it often bypasses alarms that are tuned to detect brute-force failures. Protect yourself by using a password manager, enabling 2FA/MFA, and monitoring for exposed credentials.

Key CISO Trends for 2026: Resilience, AI, Regulation

🔒 The year 2025 tightened the regulatory landscape—DORA and NIS2 pushed many organizations to elevate cybersecurity and operational resilience. CISOs expect 2026 to remain dominated by compliance complexity, persistent cost pressures, and an acute skills shortage. Attention will shift toward Resilience by Design, software supply-chain security, and operationalizing Zero Trust for identities and machine accounts. Controlling Shadow AI and strengthening third-party risk management will also be high priorities.

Smashing Security Podcast 449: Romance Scams, Job Market

🎧 In episode 449 of the Smashing Security podcast, Graham Cluley examines an actual romance-fraud handbook that includes scripts, personality “types,” corporate jargon and a seven-day plan to convince victims to hand over cryptocurrency. Guest Lesley Carhart delivers a stark reality check on the shrinking entry-level cybersecurity job market and the hazards of automated CV screening. The show also features ThreatLocker CEO Danny Jenkins discussing how misconfigurations drive breaches and how default-deny approaches work in practice.

ChatGPT Loses Web Market Share as Gemini Gains Ground

📉 New data from SimilarWeb shows ChatGPT's web market share fell to 64.5% in January 2026, down from 86.7% a year earlier, while Gemini rose to 21.5%. The report's timeline highlights steady gains for Gemini and smaller increases for Grok and DeepSeek, alongside a seasonal dip in usage over the holidays. Independent tests cited in the coverage praise Claude Code for complex coding and Gemini for image quality, and OpenAI is reportedly considering ads for ChatGPT amid rising competition.

pkr_mtsi Loader Used in Malvertising to Deploy Payloads

🛡️ ReversingLabs has identified a versatile Windows packer, pkr_mtsi, used since April 2025 in large-scale malvertising and SEO-poisoning campaigns to deliver trojanized installers pretending to be utilities like PuTTY, Rufus and Microsoft Teams. The infections arise from fake download sites promoted via paid search ads rather than vendor compromise. The loader drops varied follow-on payloads (Oyster, Vidar, Vanguard Stealer, Supper), increasingly employs obfuscation and anti-analysis techniques, and RL has released an expanded YARA rule to improve detection.

Wegmans Likely Uses Facial Recognition on Customers

🔎 The New York City Wegmans is reportedly collecting biometric information about customers through in-store cameras and analytics systems. Bruce Schneier highlights that this appears to amount to facial recognition or at least biometric profiling without clear customer notice or consent. The piece raises concerns about transparency, retention policies, and potential misuse of sensitive data. It calls attention to gaps in oversight and urges better disclosure and regulation.

Misconfigured Email Routing Enables Internal Domain Phishing

🔒 Microsoft warns that threat actors are exploiting misconfigured email routing and lax spoof protections to send phishing messages that appear to originate from an organization’s own domain. The Microsoft Threat Intelligence team says the tactic surged since May 2025 and is commonly deployed via Tycoon 2FA phishing-as-a-service kits. Attacks aim to steal credentials, bypass MFA via AiTM techniques, and enable follow-on fraud or BEC, often using fake invoices, HR notices, or shared-document lures. Organizations should enforce DMARC reject and strict SPF policies, validate third-party connectors, and disable Direct Send if unnecessary.

Eight Critical Areas CISOs Must Address in 2026 Today

🔒 As enterprises deploy AI agents, expand cloud use, and rely on complex global supply chains, CISOs must tighten identity and access controls, govern agent accounts, and apply phishing-resistant MFA. They should prioritize zero-trust architectures across IT and OT, enforce proactive cloud posture management and supplier risk monitoring, and integrate geopolitical and regulatory scenario planning. Failing to address chatbot privacy, misconfigured cloud services, human error, and escalating compliance (e.g., GDPR, DORA, HIPAA) risks operational disruption, financial penalties, and reputational harm.

Shaping the IT Agenda 2026: Priorities for Leaders & Outcomes

🔍 This special report helps IT leaders align near-term planning with 2026 priorities by emphasizing greater agility, flexibility, and measurable business outcomes. It stresses the need to automate, streamline, and modernize IT operations to counter skills shortages and meet rising demand. Four feature pieces examine strategy beyond AI, the cost of cloud fragility, how AI agents reshape supply chains, and AI's implications for cybersecurity.

Cybersecurity Isn't Underfunded — It's Poorly Executed

🔒 Boards increasingly accept cyber risk, yet funding rarely follows purely rational ROI debates. The author contends that budget availability is often reactive — unlocked by imminent regulatory reviews, adverse audits or recent incidents — rather than the result of careful risk quantification. The core obstacles, he argues, are chronic execution failures and misalignment in governance and culture. CISOs should focus on building trust and strategic influence during their first hundred days to convert goodwill into lasting programs.

Phishing Campaign Uses Fake Booking Emails to Deploy DCRat

📧 Securonix researchers uncovered PHALT#BLYX, a phishing campaign that uses ClickFix-style lures and counterfeit Booking.com reservation messages to trick hospitality staff into executing commands that pull and run remote code. The landing pages present a fake CAPTCHA and then a staged blue screen of death that instructs victims to paste a command into the Windows Run dialog, triggering a PowerShell dropper. That dropper downloads an MSBuild project (v.proj) and invokes MSBuild.exe to configure Defender exclusions, persist via the Startup folder, and retrieve the DCRat remote-access trojan.