< ciso brief />

All news in category “Threat and Trends Reports”

1482 articles · page 42 of 75

2025 Phishing Trends: Omni-channel Attacks and PhaaS

🔒 2025 saw substantial attacker innovation in phishing, with identity-focused techniques becoming more effective and pervasive. Phishing moved beyond email into omni-channel vectors such as LinkedIn DMs, malicious search results, compromised sites and malvertising, all of which sit outside the reach of email-gateway defenses. Criminal phishing-as-a-service (PhaaS) kits (Tycoon, Sneaky2FA, Evilginx variants and others) commoditized adversary-in-the-middle (AiTM) proxying and MFA bypass. Security teams are urged to extend detection into the browser and close the resulting visibility gaps with browser-based response.

Radar 2025 Year in Review: Top Internet Services and Trends

📊 Cloudflare’s Radar report summarizes the Top Internet Services of 2025 using anonymized DNS queries from the 1.1.1.1 resolver and a machine-learning ranking method. It highlights continued dominance by Google and Facebook, strong gains by generative AI services such as ChatGPT and its emerging rivals, and regional shifts such as Kwai rising in emerging markets. The analysis spans nine categories and includes country-level Top 10s for local context. E-commerce momentum saw Shopee and Temu join Amazon in the global top three, while crypto, news and streaming showed event-driven volatility.

Cloudflare Radar 2025 Year in Review — AI, PQ, DDoS Trends

🔍 The 2025 Cloudflare Radar Year in Review summarizes Internet trends observed across Cloudflare’s global network, covering January–December 2025. The report highlights rapid growth in traffic (up 19%), dramatic increases in AI crawling and user-action requests, and widespread adoption of post-quantum TLS, which reached 52% of human web traffic. It also documents hyper-volumetric DDoS escalation — multiple attacks exceeded 10 Tbps with records hitting 31.4 Tbps — and provides sector, device, and connectivity insights informed by new AI and speed‑test datasets.

Maritime Cyber Crisis: US Ports at Systemic Risk Now

🛳️ A single vessel carrying orange juice concentrate illustrates systemic risk at US ports: one weekly ship supplies millions, so even a localized outage would ripple across supply chains. Recent policy gaps (a furlough of CISA/FEMA staff and the lapse of the Cybersecurity Information Sharing Act) increase exposure, while nation-state malware is reportedly already pre-positioned in port networks. New Coast Guard cybersecurity mandates under Title 33 CFR, combined with scarce maritime cybersecurity talent, create urgent operational shortfalls; facilities must prioritize practical resilience testing, penetration tests and cross-sector collaboration.

Weekly Cyber Recap: Apple 0-Days, WinRAR & React Exploits

⚠️ Apple and Google issued urgent patches for two actively exploited zero-days affecting iOS, macOS, Safari and the ANGLE graphics library used by Chrome, while high-severity flaws in React, WinRAR and .NET proxies are being weaponized in live attacks. Researchers also disclosed SOAPwn, a .NET proxy abuse technique, and a CentreStack/Triofox token-encryption failure that leads to remote code execution. CISA added the WinRAR path-traversal bug to its Known Exploited Vulnerabilities (KEV) catalog, and LastPass was fined over its 2022 breach. Prioritize immediate patching and validate web and SSO defenses.

Christmas 2025 Scams: AI-Driven Phishing and Fake Deals

🎄 AI and automation are enabling more sophisticated holiday scams in 2025, making fraudulent emails, fake retail sites, and social media giveaways harder to detect. Check Point researchers flagged over 33,500 Christmas-themed phishing emails and more than 10,000 suspicious holiday ads within a 14-day window, underscoring a global surge. Practical guidance emphasizes recognizing red flags, validating sellers, and using multi-factor authentication and updated security tools to protect holiday shoppers.

MITRE Reveals 2025 CWE Top 25 Most Dangerous Software Weaknesses

🛡️ MITRE has published its annual CWE Top 25, ranking the most dangerous software weaknesses identified from 39,080 CVEs. Cross-site scripting (XSS, CWE-79) remains at the top, followed by SQL injection and cross-site request forgery; several memory-safety and injection flaws shifted position. New entries include classic, stack-based and heap-based buffer overflows, improper access control, authorization bypass via user-controlled keys, and resource allocation issues. Experts warn that weak credential protection and authorization failures are driving growing real-world risk in SaaS and API-driven environments.

Cybersecurity leaders' top seven takeaways from 2025

🛡️ In 2025 CISOs reported that AI moved from experiment to dominant force, giving defenders major productivity gains while simultaneously enabling faster, more precise attacks. Leaders from Smartsheet, Calendly, Elastic and HCLTech say AI reshaped priorities, forced strategy changes, and amplified non-human identity and third-party risk. Heightened regulation and stricter enforcement of frameworks such as NIST and ISO standards pushed security accountability up to boards.

Legacy BMS Exposure: Over 1,000 Buildings at Systemic Risk

⚠️ The Black Hat Europe 2025 talk by Gjoko Krstic of Zero Science Lab revealed that a widely deployed building management system, evolved through multiple acquisitions, now exposes over 1,000 buildings on public IPs and contains numerous long-standing vulnerabilities. Many issues trace back to an 18-year-old firmware codebase and to fixes that patched symptoms rather than root causes. The vendor recommends placing the platform behind a VPN; organizations should inventory exposed instances, patch and restrict access immediately.

Communicating Zero Trust: Executive-Focused Security Change

🔑 Implementing Zero Trust requires more than technical changes — it demands executive-level communication that reframes security risks and benefits in business terms. Security leaders should translate technical concepts into outcomes executives care about: reduced attack surface, lower costs, simpler operations and regulatory resilience. Start with CTOs and infrastructure teams, then engage business unit heads with tailored conversations and regular briefings to build trust and momentum.

New AI-enabled Phishing Kits Escalate Credential Theft

🔒 Four newly documented phishing kits, BlackForce, GhostFrame, InboxPrime AI and Spiderman, enable large-scale credential theft and advanced MFA bypass. BlackForce (first seen August 2025) uses Man-in-the-Browser (MitB) capabilities to capture one-time passcodes (OTPs) and exfiltrate data to Telegram or C2 panels, while GhostFrame hides phishing pages inside iframes. InboxPrime AI automates high-quality mass mailings with generative assistance, and Spiderman offers full-stack banking replicas with ISP and geofence filtering. Researchers warn these kits lower the bar for attackers and recommend layered defenses including phishing-resistant MFA, strong email validation, anomaly detection and user training.

Tracing Stolen Data After Phishing: Market and Risks

🔒 Kaspersky examines the lifecycle of personal data stolen through phishing, showing how information is harvested, traded, verified and repeatedly reused across the shadow market. Stolen records are collected via forms and transmitted by email, Telegram bots or specialized admin panels before being bundled into bulk dumps, analyzed and resold. The report highlights targeted categories, average resale values for different account types and practical protections such as using 2FA, passkeys and a password manager, plus immediate steps to take if your data has been exposed.

MITRE Releases 2025 Top 25 Most Dangerous CWE Weaknesses

🔐 MITRE released the 2025 CWE Top 25 list after scoring 39,080 CVE records reported between June 1, 2024 and June 1, 2025, highlighting the most severe and prevalent software weaknesses. Cross-Site Scripting (CWE-79) remains at the top, while several flaws — including buffer overflows and missing authorization/authentication — climbed the rankings or appeared as new entries. MITRE and CISA urge organizations to adopt Secure by Design practices and integrate the list into application security testing and vulnerability management.

ConsentFix: Browser-based evolution of ClickFix phishing

🔒 Researchers at Push Security describe ConsentFix, a browser-only evolution of the ClickFix technique that targets Microsoft logins and captures OAuth tokens. The attack uses legitimate but compromised sites and a fake Cloudflare-style CAPTCHA to trick victims into copying and pasting a URL that carries an OAuth token; because the victim completes the sign-in themselves, the attacker obtains account access through the Azure CLI client without ever needing the password or an MFA code. Push Security warns the method avoids many endpoint and authentication defenses and is difficult to detect; mitigation requires tightened consent governance, enhanced monitoring of OAuth client sign-ins, and browser-based protections.
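The hallmark of the ConsentFix flow described above is a split: the victim completes the interactive sign-in from their own browser, but the resulting token is redeemed from attacker infrastructure. The following is an added detection sketch, not Push Security's code or any vendor's rule; the log field names, the "Developer CLI" app name and the sample sign-in records are all constructed for this example, and the 10-minute correlation window is an assumption to tune against real data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    """One sign-in / token-issuance record. Field names are an assumption
    chosen for this example, not a particular identity provider's schema."""
    time: datetime
    user: str
    app: str           # OAuth client the token was issued to
    client_ip: str
    interactive: bool  # True: browser sign-in with credentials/MFA; False: token redemption or refresh


# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    SignIn(datetime(2025, 12, 15, 9, 0), "alice@example.com", "Office Portal", "203.0.113.10", True),
    # victim completes the interactive sign-in for a CLI-style client in her own browser...
    SignIn(datetime(2025, 12, 15, 9, 5), "alice@example.com", "Developer CLI", "203.0.113.10", True),
    # ...but the token is redeemed a minute later from a different address
    SignIn(datetime(2025, 12, 15, 9, 6), "alice@example.com", "Developer CLI", "198.51.100.7", False),
    # benign baseline: Bob signs in and redeems from the same host
    SignIn(datetime(2025, 12, 15, 9, 30), "bob@example.com", "Developer CLI", "203.0.113.20", True),
    SignIn(datetime(2025, 12, 15, 9, 31), "bob@example.com", "Developer CLI", "203.0.113.20", False),
]


def find_split_flows(events, watched_apps, window=timedelta(minutes=10)):
    """Return (user, app, interactive_ip, redemption_ip) tuples where a
    non-interactive token event for a watched client followed an interactive
    sign-in by the same user for the same app within `window`, but came from
    an IP that none of those interactive sign-ins used."""
    alerts = []
    by_user = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_user.setdefault(ev.user, []).append(ev)

    for user, evs in by_user.items():
        for ev in evs:
            if ev.interactive or ev.app not in watched_apps:
                continue
            prior = [p for p in evs
                     if p.interactive and p.app == ev.app
                     and ev.time - window <= p.time <= ev.time]
            if prior and all(p.client_ip != ev.client_ip for p in prior):
                alerts.append((user, ev.app, prior[-1].client_ip, ev.client_ip))
    return alerts


if __name__ == "__main__":
    for alert in find_split_flows(SAMPLE_SIGNINS, {"Developer CLI"}):
        print("possible ConsentFix-style token relay:", alert)
```

Running it flags only Alice: her interactive sign-in for the CLI client came from 203.0.113.10, but the token was redeemed from 198.51.100.7 a minute later. Restricting `watched_apps` to CLI and other native clients keeps the rule quiet for ordinary browser sessions, where the same IP normally performs both steps.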

Gray-Market SIMs Fuel Large-Scale Online Manipulation

🔎 An extensive international gray market for physical and virtual SIM cards is enabling large-scale verification of fake accounts, a study by the University of Cambridge finds. Providers such as SMSActivate, 5Sim, SMShub and SMSPVA supply numbers used to create and verify bot armies across WhatsApp, Telegram, Facebook, X, TikTok and e-commerce sites. The researchers published the COTSI index, which tracks daily SMS verification prices across 197 countries, and observed notable price spikes for WhatsApp and Telegram numbers ahead of national elections, highlighting risks for fraud, influence operations and phishing.

DeadLock Ransomware Campaign and Weekly Threat Roundup

🛡️ Cisco Talos describes a new financially motivated campaign deploying DeadLock ransomware, which uses a custom stream cipher with time-based keys to encrypt files on Windows hosts. The actor takes a Bring Your Own Vulnerable Driver (BYOVD) approach, using a previously unseen loader to exploit a Baidu Antivirus driver vulnerability (CVE-2024-51324) and terminate EDR processes. Talos publishes Snort SIDs and multiple ClamAV detections and details the lateral movement, anti-forensics and selective encryption tactics used to complicate recovery.

Resilience and Security for Water Utilities in 2025

🔒 Modern water and wastewater systems face accelerating cyber threats as utilities adopt remote sensors, cloud telemetry, and integrated SCADA. Critical safeguards—multi-factor authentication, network segmentation, and unified IT/OT visibility—are often missing, increasing risk from nation-state actors and ransomware. Utilities should prioritize comprehensive asset inventories, containment architectures, anomaly detection (e.g., FortiNDR, FortiSIEM), and regularly tested recovery plans to meet rising federal expectations.

IDC: Closing the AI Efficiency Gap in Inference Era

🔍 IDC warns of a growing Total Cost of Ownership (TCO) crisis as AI inference becomes the dominant workload. Their global survey of 1,300 AI decision-makers finds inference already accounts for 47% of AI operations and is magnified by agentic workflows that trigger many sequential model calls. The research attributes the problem to fragmented stacks and idle accelerators and recommends shifting to integrated, system-level architectures that unite software, storage, networking, and compute. Google Cloud highlights AI Hypercomputer as a purpose-built solution to improve utilization and cost-effectiveness.

Cybersecurity Is Not Underfunded, It Is Undermanaged

🔍 Many cybersecurity budget debates focus on ROI and risk models, but the author argues the real issue is execution and leadership rather than absolute funding. He explains that cognitive biases and reactive spending after incidents or audits trigger investment, while chronic execution failures and corporate short-termism stall long-term programs. The first 100 days for a CISO are crucial: listening, building trust and co-creating a business-aligned narrative turn available funds into durable security outcomes.

Black Hat Europe 2025: Reputation and the Ransomware Economy

🔐 At Black Hat Europe 2025, Max Smeets of Virtual Routes presented 'Inside the Ransomware Machine', examining LockBit and its affiliate-driven RaaS operations from 2022 to 2024. He highlighted how reputation shapes victim decisions and why attackers need to be seen as reliable in order to secure payments. The talk warned that exposed cyber insurance details can guide extortion demands and recommended segregating or air-gapping insurance documentation.