ciso brief

All news in category “Threat and Trends Reports”

1482 articles · page 39 of 75

Infosecurity Top 10: Key Cybersecurity Stories of 2025

🔒 Cybersecurity in 2025 was defined by high-profile breaches, weaponized AI and renewed focus on supply-chain and vulnerability management. Major events included vendor withdrawals from MITRE ATT&CK evaluations, a large-scale IoT proxy network, a critical Fortinet zero-day in active exploitation, and the fast mitigation of an npm package compromise. New risks such as 'quishing', LLM-driven hallucination attacks and agentic AI guidance from OWASP also shaped the year.
read more →

LinkedIn Job Scams: Global Tactics and Local Impacts

🔎 This post summarizes a cross‑national pattern of LinkedIn job scams in which fake employers and recruiters extract money or credentials from prospective employees. Tactics vary by market: tech‑job baiting in India, referral‑style fraud in Kenya, fake formal roles in Mexico, and credential‑harvesting schemes in Nigeria. The author emphasizes these are employer‑side frauds and distinct from scams where attackers pose as employees to secure remote work.
read more →

Why Passwordless Deployments Fail in Complex Enterprises

🔒 Many enterprise CISOs continue to struggle to abandon passwords despite decades of effort and mounting security risks. RSA’s ID IQ Report 2026, based on a survey of 2,000 security professionals, finds that 90% of respondents report problems with passwordless deployments. Technical complexity across hybrid environments, legacy systems, OT/IoT devices, and inconsistent platform support creates gaps that often force organizations to retain insecure fallbacks. Experts recommend sequencing rollouts to secure privileged users first, using reverse proxies or VPN-enforced SSO for legacy apps, and ensuring end-to-end phishing-resistant enrollment and recovery.
read more →

Cybercrime Inc.: How Organized Hackers Outpace IT Defenses

⚠️ Cybercrime has matured into a structured, global underground economy that often outstrips corporate defenders. Groups now operate with division of labor, formal processes and professional marketing, and Ransomware-as-a-Service offerings enable nontechnical actors to lease malware, support and revenue-sharing schemes. The result is scalable, fast-moving criminal supply chains that exploit human error, weaponize stolen data and exploit slow, bureaucratic response models. Organizations must move beyond pure prevention to measurable resilience, rehearsed recovery and decisive incident leadership.
read more →

Cybercrime Inc.: When Hackers Outpace Corporate IT and Defenses

🔍 Cybercrime has evolved into a structured, global underground economy that frequently outperforms corporate IT in speed, efficiency and scale. Organized groups now run with defined roles, measurable KPIs and productized offerings such as Ransomware-as-a-Service, enabling nontechnical affiliates to launch high-impact attacks. The decisive metric is no longer if an organization will be targeted but how quickly it can recover and limit reputational and operational damage.
read more →

Effective Post-Incident Security Reviews: Key Practices

🔍 Post-incident reviews are a structured means to understand security incidents and improve future defenses. Conducted promptly, they preserve fresh details and enable accurate timelines that reveal where delays or failures occurred. Reviews must include root-cause analysis, evaluation of detection and response performance, and assessment of business impact. Involving legal, governance, finance, HR, and board stakeholders connects technical findings to policy and risk decisions. Two practices are essential: keep the review blameless, and give every follow-up action a named owner and a deadline.
read more →

ErrTraffic Automates ClickFix Attacks via Fake Glitches

⚠️ ErrTraffic is a self-hosted cybercrime platform that automates ClickFix social engineering by injecting code into compromised websites to display convincing browser or font 'glitches' and prompt victims to install updates or run commands. The service, promoted on Russian-speaking forums for a one-time $800 fee, fingerprints OS and geolocation to deliver architecture-specific payloads. According to Hudson Rock, infections deploy Windows info-stealers (Lumma, Vidar), Android Cerberus, macOS AMOS, and various Linux backdoors, while the operator has excluded CIS countries.
read more →

Strategic Imperative for OT/IT Convergence and Security

🔐 The convergence of operational technology (OT) and information technology (IT) creates major business opportunities but also introduces significant cybersecurity complexity and risk. Legacy OT equipment, cultural divides between OT and IT teams, and a historical focus on uptime over security increase exposure as organisations digitise critical infrastructure. Leaders must embed security by design, address compliance such as NIS2, and unite teams to manage cloud, AI and device proliferation.
read more →

Six Cyber Insurance Pitfalls Security Leaders Must Avoid

🛡️ Enterprises are increasingly buying cyber insurance to mitigate financial fallout from breaches, but policies often contain hidden exclusions and obligations that can leave organizations exposed. Experts identify six common "gotchas": narrow or ambiguous coverage definitions, fine-print exclusions on interruptions and threats, hidden sub-limits, required security controls, the retroactive date trap, and misunderstandings about first-party versus third-party cover. The guidance: read policies closely, engage experienced counsel and brokers, run tabletop exercises to validate coverage, document required controls, and negotiate prior-acts or broader terms where possible.
read more →

Seven Signs Your Cybersecurity Framework Needs Overhaul

🛡️ Cybersecurity frameworks require ongoing reassessment; this article highlights seven warning signs that your program may need substantial revision. Industry experts recommend adopting a dynamic detection-and-response model, integrating AI, and aligning the framework to NIST while avoiding purely compliance-driven designs. Warning signs include gaps in continuous monitoring, purely reactive alert triage, declining KRIs/KPIs, and recent incidents. Practical advice: schedule structured reviews, add interim check-ins, and rebuild the framework when incremental fixes no longer suffice.
read more →

KrebsOnSecurity Marks 16 Years of Cyber Investigations

🎉 KrebsOnSecurity.com marks its 16th anniversary with a year of investigative reporting that focused on entities enabling complex, globally dispersed cybercrime. Coverage in 2025 examined rebranded bulletproof hosting such as Stark Industries Solutions, the rise and sanctioning of payment processor Cryptomus, pervasive voice- and SMS-phishing operations, and massive disruptive botnets including Aisuru and the emergent Kimwolf. The site detailed law enforcement actions, record DDoS assaults on the publication, and upcoming deep-dive reporting into Kimwolf. Readers are invited to subscribe to the plain-text newsletter and to consider exempting the site from ad blockers to support independent reporting.
read more →

Final 2025 Weekly Recap: MongoDB, Wallet, and Supply Chain

🔔 A newly disclosed MongoDB memory-exposure flaw (CVE-2025-14847, "MongoBleed") and a wave of supply-chain and update-channel compromises defined the final week of 2025. Active exploitation of MongoDB affected tens of thousands of instances worldwide while extension- and package-based attacks, including a compromised Trust Wallet Chrome extension and a malicious npm package, led to immediate thefts and account takeovers. The recap stresses rapid attacker tempo, the abuse of trusted update/support channels, and persistent impacts that can surface months or years after an initial compromise.
read more →

December 2025 cybersecurity roundup by Tony Anscombe

📰 ESET Chief Security Evangelist Tony Anscombe reviews the key cybersecurity stories closing out 2025, spotlighting significant incidents and trends. He highlights FinCEN's finding that U.S. organizations paid over $2.1 billion in ransomware between 2022 and 2024, and legal action by the Texas Attorney General against major TV manufacturers for alleged secret collection of viewing data. Tony also examines notable breaches and the tactics used by threat actors, offering practical perspective on risks and resilience.
read more →

SASE Certifications: Validating Converged Network Security

🔐 This article outlines seven certification programs from leading vendors that validate skills in converged, cloud-native Secure Access Service Edge (SASE) architectures. It summarizes entry to professional-level credentials from Cato Networks, Cisco, Fortinet, Netskope, Palo Alto Networks, Versa, and Zscaler, highlighting target audiences, exam formats, costs, and key competencies such as SD‑WAN, ZTNA, CASB and FWaaS. The piece also notes Gartner’s market projection and emphasizes that these credentials address a widening skills gap as enterprises migrate from perimeter-based defenses.
read more →

ThreatsDay: Stealth Loaders, AI Abuse, and Trusted Tools

🔍 This week's ThreatsDay bulletin documents how attackers increasingly hide malicious activity inside everyday tools, trusted applications, and AI assistants. Investigations highlight abuse of open-source monitoring tools like Nezha, an 87% rise in NFC‑abusing Android malware, late‑2025 GuLoader waves, and prompt‑injection flaws in AI chat frontends. The report underscores the need for layered defenses, strict input validation, and rapid patching.
read more →

CERN Risk Management: Balancing Security and Science

🔒 CERN manages cybersecurity across a globally distributed research community by prioritizing risk adaptation over one-size-fits-all controls. CISO Stefan Lüders frames security as a sociological challenge—measures must be explained and adapted so academic freedom and research workflows remain viable while defending against threats from script kiddies to ransomware and espionage. With roughly 200,000 devices and extensive BYOD, CERN relies on defense-in-depth, network monitoring, segmentation for legacy and IoT systems, and mandated protections such as MFA. Governance is being formalized through audits and standards while preserving operational flexibility.
read more →

Nomani Investment Scam Surges 62% Using AI Deepfake Ads

🔍 ESET says the Nomani investment scam rose 62% in 2025 as actors expanded beyond Facebook to platforms such as YouTube and deployed AI-generated deepfake video testimonials to lure victims. The firm blocked over 64,000 unique malicious URLs, with most detections in Czechia, Japan, Slovakia, Spain, and Poland. Attackers improved deepfake quality, shortened ad runs, used cloaking and native ad formats such as in-platform forms to harvest credentials and payments, and followed up with fake Europol/INTERPOL "recovery" schemes to extract more money from victims who had already lost funds.
read more →

Cybersecurity Needs Diverse Skills Beyond Traditional STEM

🔐 Samantha Stallings argues that cybersecurity benefits from a wide range of backgrounds and talents, not just traditional STEM training. She challenges common stereotypes — the lone hacker or the inevitable technical prodigy — and shows how many roles contribute to effective threat research. Drawing on her own path from art school to Technical Writing Manager and referencing examples such as Dr. Sian Proctor, Stallings emphasizes that writers, marketers, product managers, and social media professionals all have valuable places in security teams. The piece is a direct invitation for nontechnical professionals to consider careers in cybersecurity.
read more →

Signed macOS Dropper: New MacSync Stealer Variant Emerges

🚨 Jamf Threat Labs uncovered a reworked macOS infostealer masquerading as a legitimate signed app. The Swift dropper is code‑signed and notarized, delivered in a 25.5MB disk image posing as a messaging installer, and silently fetches and executes an encoded script through a helper. It runs mainly in memory, removes quarantine attributes, enforces a ~3600s delay before execution, and cleans up traces; Jamf reported the developer certificate and Apple revoked it.
read more →

MacSync Stealer Bypasses Gatekeeper, Targets macOS Users

⚠️ Researchers at Jamf report that MacSync Stealer now arrives as a code-signed, notarized Swift utility that can execute with minimal user interaction. The dropper fetches a payload script from a command-and-control server after installation. Because the app is validly signed and notarized, Gatekeeper shows no extra warning, which gives attackers a window of clean installs until Apple revokes the certificate. The caveat for practitioners: notarization is an automated malware scan of the submitted binary, not a guarantee about code the app later pulls from a server, which is the limitation this sample exposes. On a suspect machine, `spctl --assess --type execute <path-to-app>` and `codesign -dv --verbose=4 <path-to-app>` show whether a bundle is still accepted by Gatekeeper and under which Developer ID it was signed.
read more →
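Added example (not code from this page, from Hudson Rock, or from Jamf): endpoint detection logic over constructed process-creation events for the two behaviours summarised above, the ErrTraffic/ClickFix lure that has the victim launch a downloader themselves, and the MacSync dropper that strips the quarantine attribute, waits, then runs a decoded script. The event schema, the assumption that ErrTraffic's Windows lure launches an interpreter from explorer.exe the way other ClickFix kits do, the base64/`sleep` details on the macOS side, and the 7200-second correlation window are all assumptions; the sample telemetry is constructed, not captured from an infection.

```python
"""Added example, not code from the page, Hudson Rock or Jamf: correlate
constructed process-creation events to flag (1) ClickFix-style launches and
(2) MacSync-style quarantine stripping followed by a decoded-script shell."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # seconds since epoch (constructed)
    host: str
    pid: int
    ppid: int
    image: str     # basename of the executable
    cmdline: str


# Interpreters/loaders a ClickFix lure typically has the victim launch.
# Assumption: ErrTraffic's Windows lure behaves like other ClickFix kits.
WIN_LAUNCHERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                 "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
MAC_SHELLS = {"sh", "bash", "zsh", "osascript"}
# Substrings showing the command fetches or decodes its real payload. Crude on
# purpose ("-enc" also matches "-Encoding"); the parent and ordering checks
# below carry most of the precision.
FETCH_OR_DECODE = ("-enc", "frombase64string", "iwr ", "invoke-webrequest",
                   "downloadstring", "http://", "https://", "base64 -d",
                   "base64 --decode", "openssl enc")


def _suspicious(cmdline: str) -> bool:
    c = cmdline.lower()          # macOS "base64 -D" folds to "base64 -d"
    return any(tok in c for tok in FETCH_OR_DECODE)


def clickfix_hits(events: Iterable[ProcEvent]) -> list[ProcEvent]:
    """Interpreter whose direct parent is explorer.exe (Run dialog or pasted
    text, not a scheduled task or dev tool) and whose command line downloads
    or decodes something."""
    events = list(events)
    by_pid = {(e.host, e.pid): e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get((e.host, e.ppid))
        if (e.image.lower() in WIN_LAUNCHERS
                and parent is not None and parent.image.lower() == "explorer.exe"
                and _suspicious(e.cmdline)):
            hits.append(e)
    return hits


def macsync_hits(events: Iterable[ProcEvent],
                 window: int = 7200) -> list[tuple[ProcEvent, ProcEvent]]:
    """xattr stripping com.apple.quarantine, followed on the same host within
    `window` seconds by a shell that decodes or fetches code. The window is an
    assumption sized to cover the ~3600 s delay Jamf reported; the page does
    not say how the delay is implemented or that the script is base64."""
    ordered = sorted(events, key=lambda e: e.ts)
    hits = []
    for i, e in enumerate(ordered):
        c = e.cmdline.lower()
        if not (e.image == "xattr" and "com.apple.quarantine" in c
                and (" -d" in c or " -c" in c)):
            continue
        for later in ordered[i + 1:]:
            if later.host != e.host or later.ts - e.ts > window:
                continue
            if later.image in MAC_SHELLS and _suspicious(later.cmdline):
                hits.append((e, later))
                break
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE = [
    ProcEvent(100, "ws1", 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(101, "ws1", 150, 1, "code.exe", "code.exe"),
    # Victim pasted the "fix" from a fake glitch page into Win+R.
    ProcEvent(102, "ws1", 200, 100, "powershell.exe",
              "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3..."),
    # Developer running a build script from an editor: same binary, benign parent.
    ProcEvent(103, "ws1", 201, 150, "powershell.exe", "powershell -File build.ps1"),
    ProcEvent(104, "ws1", 202, 100, "cmd.exe", "cmd /c dir"),
    # Signed "messaging installer" helper stripping its own quarantine flag.
    ProcEvent(1000, "mb1", 300, 1, "Installer",
              "/Volumes/App/Installer.app/Contents/MacOS/Installer"),
    ProcEvent(1001, "mb1", 301, 300, "xattr",
              "xattr -d com.apple.quarantine /Users/a/Library/.helper"),
    ProcEvent(1002, "mb1", 302, 300, "sleep", "sleep 3600"),
    ProcEvent(4602, "mb1", 303, 300, "sh", "sh -c 'echo aGVsbG8K | base64 -D | sh'"),
    # Admin clearing quarantine on a downloaded tool by hand; nothing follows.
    ProcEvent(9000, "mb1", 310, 5, "xattr",
              "xattr -d com.apple.quarantine /Users/a/Downloads/tool.dmg"),
]

if __name__ == "__main__":
    for e in clickfix_hits(SAMPLE):
        print(f"ClickFix-style launch on {e.host}: pid {e.pid} {e.cmdline}")
    for x, s in macsync_hits(SAMPLE):
        print(f"Quarantine strip + decoded shell on {x.host}: pids {x.pid} -> {s.pid}")
```

The parent check is what keeps the Windows rule quiet: the same `powershell.exe` image launched by an editor is ignored, while a pasted Run-dialog command whose parent is the shell and whose arguments decode or download content is flagged. On the macOS side the rule deliberately ignores a lone quarantine removal, which admins do by hand, and only fires when a decoding or fetching shell follows within the window.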