
All news in category “Threat and Trends Reports”

1482 articles · page 41 of 75

Liability Protection for CISOs Varies with Company Size

🔒 A recent RSAC survey found a large disparity in indemnification for security leaders: 88% of Fortune 1000 CISOs report legal indemnity, versus just 53% at organizations with 500+ employees. D&O insurance is the most common vehicle, and inclusion of CISOs in such policies is rising, with >50% reporting coverage in the 2025 IANS Research report. Experts warn that indemnification agreements, distinct from D&O, are the critical legal guarantee and that midmarket CISOs face meaningful personal, financial, and career risk without them.

Raspberry Pi Attack Exposes Gaps in Physical Security

🔌 A Raspberry Pi with a cellular modem was discovered plugged into a French ferry's internal network as it prepared to sail from Sète to Algeria; investigators told Bloomberg that network segmentation and the absence of remote access to critical controls prevented lateral movement and possible sabotage. Security experts warn such rogue devices can create a new internal perimeter that bypasses monitored gateways and render SOCs blind if traffic exits over cellular. Recommended mitigations include 802.1X authentication, disabling unused switch ports by default, physical port locks and tamper-evident measures, deployment of advanced NACs and physical-layer fingerprinting tools like Sepio, and capturing a device's network traffic for forensic analysis before physical removal.

Zeroday Cloud: $320,000 awarded for 11 zero-days in London

🔒 The Zeroday Cloud competition in London, hosted by Wiz Research with support from AWS, Microsoft, and Google Cloud, awarded $320,000 to teams that demonstrated 11 zero-day remote code execution vulnerabilities. Exploits affected critical cloud components including Redis, PostgreSQL, MariaDB, Grafana, and a Linux-kernel container escape that broke tenant isolation. Team Xint Code earned the top prize of $90,000. Attempts against AI tooling such as vLLM and Ollama were made but failed due to time exhaustion.

Deliberate Internet Shutdowns: Rising Global Trend

🌐 The Taliban ordered a two‑day nationwide internet blackout in Afghanistan in September, cutting emergency communications, grounding flights, and interrupting banking. That incident is part of a global surge: Access Now and the #KeepItOn coalition documented 296 deliberate shutdowns in 2024 and at least 244 more in 2025 so far. Shutdowns range from full national cuts to targeted platform blocks and throttling, and are increasingly used for political, military, and social control. Workarounds like VPNs, mesh networks, and satellite terminals help some, but for most people loss of connectivity means loss of essential services and civil liberties.

RansomHouse Upgrades: From Linear to Layered Encryption

🔒 Unit 42 analyzes a notable upgrade to RansomHouse (tracked as Jolly Scorpius) that replaces a simple linear encryptor with a more complex, multi-layered design. The revised encryptor, Mario, implements a two-stage scheme using a 32-byte primary key and an 8-byte secondary key, plus chunked and sparse file processing. These changes complicate static analysis and decryption and specifically target ESXi virtual and backup artifacts. Unit 42 highlights detection controls and mitigation guidance for defenders.

Cruise Line Bans Smart Glasses to Prevent Covert Recording

🕶️ MSC Cruises has added smart glasses and similar wearable devices to its list of prohibited items in public areas, citing the risk of covert recording and security exposures. The new rule means devices such as Ray‑Ban Meta or Google Glass may be confiscated by ship security if used in restricted spaces. The line argues that smart glasses are harder for bystanders to notice than phones or cameras, increasing privacy concerns. Critics counter the ban restricts helpful features like translation and accessibility.

Five UX Mistakes That Weaken Corporate Security Posture

🔐 Organizations often assume stricter, more complex controls automatically increase security. The article identifies five common UX-driven mistakes — poor security mindset, one-size-fits-all policies, confusing complexity with protection, reliance on legacy security questions, and misplaced faith in biometrics — that can degrade defenses. Experts Yehudah Sunshine, Joseph Steinberg and April McBroom recommend practical measures such as targeted training, contextual controls, password managers, multiple-choice knowledge checks, and behavioral biometrics. Their guidance emphasizes reducing friction, encouraging honest reporting of errors, and tailoring security to user roles to improve both usability and protection.

Integrating Cyber Hygiene into Everyday Personal Habits

🔒 Cyber hygiene is presented as an essential, routine set of practices to reduce digital risk and protect personal data. The article gives targeted, practical advice for three audiences: beginners (use a password manager, create long random passwords and enable MFA), intermediate users (prioritize patch management, remove unused extensions, secure home routers and IoT, and use VPNs), and cybersecurity professionals (model good behavior and build a security-aware culture). Small, regular actions can greatly reduce exposure and improve resilience.

Cellik Android MaaS Builds Malicious Play Store Apps

⚠️ Cellik is a new Android malware-as-a-service advertised on underground forums that enables operators to create trojanized copies of legitimate Google Play apps. Attackers can select Play Store apps and build malicious APKs that retain the original UI, potentially helping infections remain unnoticed and, the seller claims, bypass Play Protect. The service, discovered by iVerify, is offered for $150 per month or $900 for lifetime access and includes capabilities such as screen streaming, notification interception, file exfiltration, a hidden browser mode, and an encrypted command-and-control channel.

Telegram Mini App Phishing Exploits NFT Gifts Airdrops

🔒 Kaspersky describes a phishing campaign that abuses Telegram Mini Apps to harvest credentials by promising free NFT-style 'gifts' and airdrops. Attackers embed convincing fake Mini Apps inside the official Telegram client, exploiting users' trust in in-app content and minimal platform vetting. Kaspersky urges users to verify sources, avoid entering login codes inside Mini Apps, enable two-step verification and passkeys, and store credentials in a password manager.

Hypervisors as Ransomware Targets: Risks and Controls

🔒 Hypervisors are increasingly attractive targets for ransomware because a single host compromise can expose dozens or hundreds of VMs. Huntress Labs reports hypervisor ransomware involvement jumped from 3% to 25% in the second half of 2025, with the Akira group a major driver. The article urges treating hypervisor security with the same rigor as endpoints: strict access controls, runtime hardening, timely patching, and immutable backups. It also recommends improved monitoring, SIEM integration, and annual recovery drills to ensure rapid restoration.

Parked Domains Increasingly Redirect Users to Malware

🔒 Infoblox researchers found that most parked and typosquatting domains now redirect visitors to scams, scareware, or malware without any user click. The redirects are frequently conditional — benign when accessed via a VPN or non‑residential IP, but malicious for residential addresses — and rely on device fingerprinting, geolocation, and chained resells. The study highlights widespread abuse of expired and lookalike domains and the growing role of affiliate networks in distributing harmful traffic.

Cloud Security 2025: AI-Driven Risk and Operational Gaps

🔒 The Palo Alto Networks State of Cloud Security Report 2025 warns that rapid enterprise AI adoption has massively expanded the cloud attack surface, with 75% running AI in production and 99% reporting at least one AI-targeted incident last year. It finds GenAI-assisted coding accelerating insecure code into production and AppSec teams unable to keep pace with weekly deploys. The research highlights rising API attacks, persistent identity weaknesses, and widespread tool sprawl, and argues for agentic security to unify cloud and SOC operations.

Amazon: Russian GRU Targets Misconfigured Edge Devices

🔒 Amazon Threat Intelligence has attributed with high confidence a years‑long campaign to Russia’s GRU, noting a shift in 2025 from exploiting software flaws to compromising misconfigured customer network edge devices. The actor has targeted enterprise routers, VPN concentrators, network management appliances and cloud-hosted edge instances, including some hosted on AWS, to gain initial access. This tactic supports credential harvesting, replay attacks and lateral movement while reducing attacker exposure and resource expenditure.

New Report: China's AI Surveillance Reshapes Rights

🔍 A new ASPI report, discussed here, documents how Chinese state actors rapidly embedded advanced AI into political control systems between 2023 and 2025. It highlights four accelerated areas: multimodal censorship of politically sensitive images; AI integration into the criminal‑justice pipeline; industrialised online information control; and AI‑enabled platforms run by Chinese firms abroad. The post frames this evidence to inform policymakers, civil society, the media and technology companies seeking to counter AI‑enabled repression.

ESET Threat Report H2 2025: AI, Ransomware Trends Outlook

🔍 ESET's H2 2025 threat report documents rapid attacker innovation, including the first known AI-driven ransomware, PromptLock, which can generate malicious scripts on demand. The report also highlights a near-collapse of Lumma Stealer, a roughly thirtyfold surge in the CloudEyE downloader, and a sharp rise in ransomware victims and NFC-based Android fraud. It underscores evolving distribution and evasion techniques across platforms.

AI-Enhanced Phishing and Social Scams Surge Before Christmas

⚠️ Check Point reports a surge in Christmas-themed phishing and social scams, detecting 33,500 unique phishing emails and over 10,000 seasonal social ads in a recent two-week period. Threat actors are using AI to produce flawless local-language messages, build fake e-commerce sites with working checkouts, and generate deepfake audio and smishing that mimic delivery alerts. Consumers should watch for spoofed URLs, unusual payment requests, new or inactive accounts and emotional triggers, and avoid clicking unsolicited links or sharing credentials.

Creating a Practical Ransomware Playbook for Response

🛡️ Organizations must build a ransomware playbook that pairs planning, technology, and people to reduce disruption and protect business continuity. Regular tabletop exercises create the muscle memory experts recommend, clarifying decision authority, communications, and containment steps across legal, IT, and executive stakeholders. Prevention should be layered — prioritized patching, behavior-based EDR, email/phishing defenses, MFA, least-privilege controls, and verified offline backups — while recovery playbooks, pre-engaged legal and forensics contacts, and tested restore procedures speed remediation and limit reputational harm.

SantaStealer info-stealer targets browsers and wallets

⚠️ Rapid7 researchers report a new malware-as-a-service called SantaStealer, advertised on Telegram and hacker forums as an in-memory info‑stealer designed to evade file-based detection. The operation appears to be a rebranding of BluelineStealer by a Russian-speaking developer and is being marketed with Basic ($175/month) and Premium ($300/month) tiers. Samples and an affiliate panel show 14 modular data-collection threads that harvest browser credentials, cookies, saved cards, messaging and gaming app data, crypto wallets and documents, bundle results into ZIPs in memory, and exfiltrate them in 10MB chunks to a hardcoded C2 on port 6767. Despite claims of stealth, leaked builds include symbol names and unencrypted strings that make analysis straightforward.

Protecting Against Forgotten IT Assets and Risks Today

🔒 Organizations regularly leave servers, accounts, APIs, applications, and storage unmanaged or forgotten, creating high‑risk “IT zombies” that attackers exploit. The post outlines detection approaches — Automated Discovery and Reconciliation (AD&R), CMDB reconciliation, directory analysis, WAF/NGFW monitoring and SCA — and prescribes concrete responses for decommissioning, credential rotation, and data lifecycle control. Implementing IAM, SBOMs, DLP/CASB and automated test‑environment lifecycles reduces exposure and helps meet regulatory obligations.