All news in category “Threat and Trends Reports”

🚨 China-based phishing-as-a-service groups have deployed thousands of mobile-targeted scam domains using SMS (iMessage/RCS) lures that promise rewards points, tax refunds or bargains to harvest payment data. Sites collect name, address and card details, then request a one-time code — which fraudsters use to enroll stolen cards in Apple or Google mobile wallets. These fake e-commerce shops are advertised on major platforms and can remain active for months, making them harder to detect; reporting suspicious messages and domains to blocklists such as SURBL and threat scanners helps accelerate takedowns.

🔗 The article argues that traditional threat feeds no longer suffice in modern, interconnected environments and proposes a Unified Linkage Model (ULM) to transform static indicators into dynamic threat flows. ULM defines three core linkage types — adjacency, inheritance and trustworthiness — to map how risk propagates across systems. It outlines practical steps to ingest and normalize feeds, establish and score linkages, integrate with MITRE ATT&CK and risk frameworks, and visualize attack pathways for prioritized response and compliance.

🔒 Operational technology (OT) environments underpin critical infrastructure but frequently lag behind IT in cybersecurity maturity. Strong password policies mitigate risks from outdated hardware, shared accounts, remote vendor access, and credential reuse. Core measures include prioritizing password length, enforcing rotation with reuse prevention, and adopting password vaults. Combined with MFA, network segmentation and Privileged Access Workstations, these practices form a resilient OT security posture.

🔎 The UK’s National Cyber Security Centre and Canada’s Centre for Cyber Security (CCCS) have published a report on public content provenance aimed at improving digital trust in the AI era. It examines emerging provenance technologies, including trusted timestamps and cryptographically secured metadata, and identifies interoperability and usability gaps that hinder adoption. The guidance offers practical steps for organisations considering provenance solutions.

🛡️ Web security in 2025 shifted rapidly as AI-enabled development and adversaries outpaced traditional controls. Natural-language "vibe coding" and compromised AI dev tools produced functional code with exploitable flaws, highlighted by the Base44 authentication bypass and multiple CVEs affecting popular assistants. At the same time, industrial-scale JavaScript injections, advanced Magecart e-skimming, and widespread privacy drift impacted hundreds of thousands of sites and thousands of financial sessions. Defenders moved toward security-first prompting, behavioral monitoring, continuous validation, and AI-aware controls to reduce exposure.

🔍 ISC2’s 2025 Cybersecurity Workforce Study, based on responses from more than 16,000 professionals, reports that 59% of organizations now face critical or significant cyber-skills shortages, up from 44% last year. Technical gaps are most acute in AI (41%), cloud security (36%), risk assessment (29%) and application security (28%), with governance, risk and compliance and security engineering each at 27%. The survey cites a dearth of talent (30%) and budget shortfalls (29%) as leading causes and links shortages to concrete impacts—88% reported at least one significant security incident. Despite concerns, headcount appears to be stabilizing and many professionals view AI as an opportunity for specialization and career growth.

🔒Identity-focused attacks are driving major breaches across industries, with recent vishing incidents at M&S and Co-op enabling ransomware intrusions and combined losses exceeding £500 million. Attackers harvest credentials via infostealers, targeted phishing/smishing/vishing, breached password stores and automated attacks like credential stuffing. Implement least privilege, strong unique passwords in managers, MFA (authenticator apps or passkeys), PAM and automated identity lifecycle controls to limit blast radius.

🔒 Submarine cables carry between 95% and 99% of global data traffic, yet recent breakages — notably ten in the Baltic Sea between 2022 and July 2025 — highlight persistent vulnerabilities. Private operators now control most capacity, and governments and vendors must address both physical threats such as fishing and anchors and increasingly sophisticated cyber risks. Major cloud vendors emphasize route diversity and redundancy while operators like Telxius combine burial, audits, AI/ML detection and continuity planning to protect service availability.

🔐 In episode 446 of the Smashing Security podcast, Graham Cluley and guest Rik Ferguson discuss a teenage cybercriminal who inadvertently doxxed himself by mocking a sextortion scammer. They examine how stolen data has become the jet fuel of cybercrime and consider worrying trends for 2026. Plus, Graham rants about intrusive recipe sites and shares musical notes about Lily Allen.

🔐 Researchers at Any.Run report a hybrid 2FA-phishing strain that fuses elements of Salty2FA and Tycoon2FA, producing payloads that evade detection rules tuned to either kit alone. The samples begin with Salty-style obfuscation and trampoline JavaScript, then shift into Tycoon’s DGA domains and AiTM execution chain. Analysts warn defenders to focus on behavioral patterns and fallback routines rather than static indicators of compromise.

🔍 DragonForce is a ransomware-as-a-service group that re-emerged in 2023 and has rebranded as a self-described "ransomware cartel," recruiting affiliates with generous revenue shares and customizable encryptors. Recent variants exploit vulnerable drivers like truesight.sys and rentdrv2.sys to disable security controls and shore up earlier encryption flaws. Its partnership with Scattered Spider combines elite social-engineering initial access with deployable ransomware, elevating risk to organizations globally.

⚠️ In three months the Aisuru botnet has been linked to more than 1,300 DDoS attacks, including a record peak of 29.7 Tbps in Q3 2025 that Cloudflare mitigated. The botnet, offered as a rental service, leverages an estimated 1–4 million compromised routers and IoT devices exploited via known vulnerabilities and weak credentials. The record incident lasted 69 seconds and used UDP carpet‑bombing across roughly 15,000 destination ports per second; Cloudflare reports a sharp rise in hyper‑volumetric attacks that can disrupt ISPs and critical services.

🔍 Google Threat Intelligence Group (GTIG) analysis shows that Intellexa, vendor of the Predator spyware, continues to develop and deploy zero‑day exploits against mobile browsers and operating systems despite sanctions. GTIG attributes 15 unique zero‑days to Intellexa out of roughly 70 discovered since 2021, spanning RCE, sandbox escape, and LPE flaws on iOS, Android, and Chrome. The company uses modular exploit frameworks, acquires exploit chain steps from third parties, delivers payloads via one‑time messaging links and malvertising, and embeds anti‑analysis watcher modules to abort operations on detection.

📈 The 23rd edition of Cloudflare’s Quarterly DDoS Threat Report reviews Q3 2025 data and spotlights the unprecedented Aisuru botnet, estimated at 1–4 million infected hosts. Aisuru launched routine hyper-volumetric attacks exceeding 1 Tbps and 1 Bpps, peaking at 29.7 Tbps and 14.1 Bpps, while Cloudflare mitigated 8.3 million DDoS events in the quarter. Network-layer attacks dominated the mix, and the report warns that short, high-volume strikes often outpace manual defenses, underscoring the need for global, automated mitigation.

🧭 Business leaders across 116 economies told the World Economic Forum that misinformation/disinformation, cyber insecurity and the adverse outcomes of AI rank among the top near-term threats to national stability. The WEF’s Executive Opinion Survey 2025 canvassed 11,000 executives, who placed technological risks alongside economic and societal concerns. Respondents flagged AI-driven deepfakes, model exploitation and AI-assisted cyber techniques as amplifiers of both disinformation campaigns and critical-system threats.

🛡️ A BdB survey of 1,057 German adults found that only 54% regularly or occasionally seek information about online security, even as 41% believe they are likely to face online fraud (9% very likely, 32% likely). Nearly a quarter (23%) reported being victims of online fraud in the past two years, yet 82% still consider online banking at home to be safe. BdB CEO Heiner Herkenhoff warns that awareness and basic protective measures significantly reduce the risk of falling for scams.

🔐 Shorter maximum TLS certificate lifespans are imminent: starting 15 March 2026 the limit drops from 398 days to 200 days, then to 100 days a year later and eventually to 47 days by 2029. CISOs should prioritize complete, continuously updated certificate inventories and move to automated issuance and renewal — ideally via ACME — to avoid outages. Centralized governance, percentage-based renewal policies, and integrated alerts tied to ticketing systems reduce human error and operational risk.

🛡️ Unit 42’s Browser Defense Playbook warns that modern work happens primarily in the browser—about 85% of daily tasks—and that attackers increasingly exploit that centrality with phishing, malicious extensions, drive-by downloads and session hijacks. The guide identifies common failures such as unmanaged extensions, lax policies and blind spots in encrypted traffic. It recommends extending zero trust to the browser with strong MFA, conditional access, continuous monitoring and vetted extension allow lists, and points to Prisma Browser for agentless inspection and DLP.

🔒Crimeware now behaves like subscription software: inexperienced attackers can rent turnkey services for phishing, access, data feeds, and malware instead of building tools. Varonis outlines five subscriptionized offerings — from AI-driven PhaaS (e.g., SpamGPT) and malicious PDF builders (MatrixPDF) to Telegram OTP-capture bots and searchable infostealer feeds. The piece shows how IABs and low-cost RAT subscriptions (for example, Atroposia) commoditize breaches and lower technical barriers. Defenders should adopt a system-first posture: automate detection playbooks, rotate credentials frequently, and enforce least privilege to raise costs for subscription-based attackers.

🛡️ FortiGuard Labs reports new Linux-focused eBPF malware updates in 2025, including 151 new BPFDoor samples and three new Symbiote samples. Both families abuse eBPF to install kernel-level packet filters that enable stealthy C2 channels; Symbiote is using UDP port-hopping across high ports while BPFDoor has added IPv6 and DNS-based filtering. Detection is difficult but Fortinet provides AV and IPS protections.