All news in category “Threat and Trends Reports”

🔐 Cisco Talos reported a novel Bring Your Own Vulnerable Driver (BYOVD) loader used to disable endpoint security and deliver DeadLock ransomware. The attacker exploited a Baidu Antivirus driver vulnerability (CVE-2024-51324) via a loader named EDRGay.exe and driver DriverGay.sys to terminate EDR processes at kernel level. A PowerShell payload bypassed UAC, disabled Windows Defender, stopped backup and database services, and removed all volume shadow copies. DeadLock uses a custom timing-based stream cipher and extensive kill and exclusion lists to encrypt files while avoiding system corruption.

🎯 Whaling attacks are highly targeted social engineering campaigns aimed at senior executives that combine reconnaissance, spoofing, and urgency to trick leaders into divulging credentials, approving transfers, or executing malware-laden actions. Threat actors exploit executives’ visibility, limited time, and privileged access, and increasingly leverage generative AI and deepfakes to scale and refine impersonations. Key defenses include personalised executive simulations, strict multi-party approval flows for high-value transfers, AI-enhanced email filtering, deepfake detection, and a Zero Trust approach to access.

🔒 A recent Sophos study finds the manufacturing sector is blocking more ransomware before encryption, with only 40% of attacks resulting in data encryption this year versus 74% in 2024. Despite improved containment, data theft remains high (39% of encrypted cases) and more than half of affected firms paid ransoms; the median payment was about €861,000. Shortages of skilled staff, unknown vulnerabilities and inadequate protections are cited as root causes, and attacks are increasing stress and leadership pressures within IT teams.

📊 A FinCEN analysis of 4,194 Bank Secrecy Act filings found organizations paid more than $2.1 billion in ransom between January 2022 and December 2024. Ransomware incidents peaked in 2023 before falling in 2024 after law enforcement actions disrupted ALPHV/BlackCat and LockBit. Most ransom payments were under $250,000 and roughly 97% were made in Bitcoin. Manufacturing, financial services, and healthcare were the most targeted industries.

🔒 Procurement teams frequently chase short‑term savings, consolidating suppliers and selecting the lowest‑cost vendors, which can create systemic cyber fragility. The article warns that cost-focused procurement often overlooks vendor security posture and incident readiness, leading to outsized losses in breaches, ransomware or supply disruptions. It recommends cyber due diligence, risk-tiering, minimum baselines (e.g., MFA, encryption, patching), resilience KPIs (MTTD, MTTR, RTO) and cross-functional governance to align cost with resilience. Strategic partnerships, scenario testing and cultural change convert procurement from bargain hunters into resilience builders.

🛡️ This week's bulletin spotlights a critical React Server Components flaw, CVE-2025-55182 (React2Shell), that was widely exploited within hours of disclosure, triggering emergency mitigations. Researchers also disclosed 30+ vulnerabilities in AI-integrated IDEs (IDEsaster), while Cloudflare mitigated a record 29.7 Tbps DDoS attributed to the AISURU botnet. Additional activity includes espionage backdoors (BRICKSTORM), fake banking apps distributing Android RATs in Southeast Asia, USB-based miner campaigns, and new stealers and packer services. Defenders are urged to prioritize patching, monitor telemetry, and accelerate threat intelligence sharing.

🧩 Bruce Schneier highlights a new paper proposing the Naibbe cipher, a verbose homophonic substitution method that transforms Latin and Italian plaintext into ciphertext resembling the Voynich Manuscript. The author demonstrates the cipher can be executed entirely by hand with plausible 15th‑century materials. Applied to a range of texts, Naibbe reproduces many of the manuscript’s key statistical properties while remaining decipherable. Schneier observes this keeps the ciphertext hypothesis viable and places constraints on plausible substitution structures.

🔒 Retailers face concentrated credential risk during holiday peaks as bot-driven fraud, credential stuffing and pre-staged automated attacks target logins, payment tokens and loyalty balances. Effective defenses combine adaptive MFA, bot management, rate limiting and credential-stuffing detection to stop automation without harming checkout conversion. Strong controls for staff and third parties, plus tested failovers and tools like Specops Password Policy to block compromised passwords, reduce blast radius and protect revenue.

📱 Cybersecurity researchers disclosed two new Android malware families (FvncBot, SeedSnatcher) and an upgraded ClayRat with expanded data-theft features. Reported by Intel 471, CYFIRMA, and Zimperium, the samples abuse Android accessibility services and MediaProjection to harvest keystrokes, stream screens, install overlays, and exfiltrate credentials. FvncBot targets Polish banking users and implements HVNC, web-injects, and keylogging; SeedSnatcher focuses on stealing cryptocurrency seed phrases and 2FA via SMS interception. These threats enable persistent device takeover and credential theft.

🔍 Offensive security is becoming central to enterprise defenses as CISOs increasingly add red teams and institutionalize purple teaming to surface gaps and harden controls. Practices range from traditional vulnerability management and pen testing to adversary emulation, social engineering assessments, and security-tool evasion testing. Vendors are embedding automation, analytics, and AI to boost effectiveness and lower barriers to entry. While budget, skills, and the risk of finding unfixable flaws remain obstacles, leaders say OffSec produces the data-driven evidence needed to prioritize remediation and counter more sophisticated, AI-enabled attacks.

🔎 A sprawling academic cheating network branded around Nerdify and related sites has generated nearly $25 million by selling finished essays and homework while posing as tutoring. The operation repeatedly recreated Google Ads accounts and new domains to evade ad bans, routing work to low-cost writers across Kenya, the Philippines, Pakistan, Russia and Ukraine. Investigations link the essay-mill operators to entrepreneurs with corporate ties to Synergy, Russia's largest private university, which is also implicated in drone development for the Russian military.

🔒 The article argues that the browser must be the primary enforcement point for enterprise zero trust, replacing outdated perimeter assumptions with per-request, context-aware controls. It synthesizes NIST SP 800-207 and 800-207A plus CISA guidance to describe identity-first access, least-privilege entitlements, continuous verification, phishing-resistant MFA (FIDO2/WebAuthn), device posture gating and remote browser isolation. Practical recommendations include SSO with short-lived tokens, SCIM-driven provisioning, ZTNA access proxies and governance-as-code to automate policy and reduce exposure.

🔐 The SANS State of ICS/OT Security 2025 report, sponsored by Fortinet, highlights persistent operational risks across critical infrastructure, with high incident rates, extended remediation times, and remote-access exposures. It calls for treating mean time to recovery (MTTR) as a board-level metric, unifying IT/OT visibility, and automating response playbooks. The analysis urges replacing ad hoc remote connectivity with secure, monitored access and integrating OT-specific threat intelligence into enforcement; FortiPAM and FortiGuard AI-Powered Security Services are cited as solutions to improve segmentation, detection, and recovery.

🔒 A Sophos study finds manufacturing firms are increasingly able to stop ransomware before encryption occurs, with only 40% of attacks leading to data encryption — the lowest rate in five years and down from 74% the prior year. Despite improved defenses, data theft remains a major concern: 39% of encrypted incidents resulted in data loss. More than half of affected companies still paid ransoms, with a median payment of about €861,000 versus median demands near €1 million. Respondents cited skills shortages, unknown vulnerabilities and missing protections as key contributors, and attacks continue to strain IT and leadership teams.

🎥 This Emergency Communications Month, the National Council of Statewide Interoperability Coordinators (NCSWIC) Planning, Training, and Exercise Committee released a concise educational video, 'What is a PACE Plan', that explains the components of a PACE plan (Primary, Alternate, Contingency, Emergency) and why it matters for public safety communications. NCSWIC members describe how communications can change in atypical situations and demonstrate why agencies should know their PACE and routinely practice it. The video is a practical tool to help agencies maintain continuity of communications when primary systems degrade.

🔐 The Getting to Yes anti-sales guide helps MSPs and MSSPs reframe cybersecurity conversations from fear-based pitches into collaborative business partnerships. It catalogs common objections—cost, perceived protection, small size, complexity, and time—and provides empathetic, evidence-driven responses that tie security to uptime, revenue, reputation, and compliance. The guide introduces a trust-first framework (Empathy, Education, Evidence) and explains how automation, fast assessments, posture dashboards, and measurable milestones make value visible and scalable.

🔐A new anonymous phone service allows users to register with only a ZIP code, foregoing typical identity checks like full address or payment verification. The design prioritizes ease and a veneer of privacy, but it also raises substantial operational and legal questions. Experts warn that metadata, device identifiers, and carrier cooperation can still de-anonymize users. Individuals and organizations should weigh convenience against potential misuse and regulatory scrutiny.

🔍 SpyCloud reported a 400% year‑over‑year increase in successfully phished identities, finding nearly 40% of more than 28 million recaptured phish records contained business email addresses—about three times the rate observed in recaptured malware. The company warns phishing has become the preferred gateway into enterprise environments and is fueling follow‑on attacks such as ransomware. SpyCloud urges organizations to adopt real‑time visibility and automated post‑compromise remediation across both personal and professional identities.

🔐 CISOs must stop being the “department of no” and enable rapid product delivery without introducing new risks. Security needs to be embedded early through close collaboration with product teams, clear business-aligned risk tolerances, and pragmatic guardrails. Assign a dedicated security partner to each product, integrate CI/CD and Infrastructure-as-Code enforcement, and automate policy checks so safe changes proceed while risky ones fail with actionable remediation.

🔍 SANS honeypots detected increased HTTP requests containing CDN-related headers that may indicate probing to evade CDN protections. Researchers observed headers referencing Cloudflare (Cf-Warp-Tag-Id), Fastly (X-Fastly-Request-Id), Akamai (X-Akamai-Transformed) and an anomalous X-T0Ken-Inf0. Experts warn this could be reconnaissance to bypass CDNs and reach origin servers and urge origin hardening such as IP allowlists, validated tokens, or private connectivity.