All news in category “Threat and Trends Reports”

🔧 Modern cyberdefense has outgrown simple antivirus and generalist IT skills. MDR combines advanced detection technologies with continuous human expertise to detect, triage, and remediate threats faster than most in‑house teams can. It delivers enterprise-grade visibility and rapid response at scale, closing skills and detection gaps while letting IT focus on business priorities. Adopting MDR is increasingly a strategic imperative for organisations of all sizes.

⚠️ Functional security leaders are increasingly disengaging due to heavy workloads, limited autonomy, and stalled career progression, creating a direct resilience risk for CISOs and the broader enterprise. The piece cites ISACA data showing rising stress and widespread understaffing and includes perspectives from Carole Lee Hobson, Brandyn Fisher, and Monika Malik. Recommended actions include clear promotion rubrics and executive sponsorship, consolidated tooling with a quarterly kill-switch, and metrics tied to prevention and risk contribution.

⚠️ Criminal networks are exploiting shortages of GLP-1 drugs like Ozempic, Wegovy and Mounjaro, using AI to generate convincing counterfeit websites, emails and documents that impersonate regulators and health services across Europe. They are hijacking the identities of the NHS, AEMPS, ANSM, BfArM and AIFA to market fake weight-loss products and harvest payments. Check Point Research documents the tactics, scale and public-safety implications of this rapidly evolving scam epidemic.

🔔 BlackFrog has identified a new command-and-control platform, Matrix Push C2, that abuses browser push notifications to deliver phishing and malware. The campaign social-engineers users into allowing notifications and then issues realistic system-style alerts that redirect victims to malicious sites. Described as fileless, the technique leverages the browser notification channel rather than an initial executable. The platform includes a web dashboard with real-time client visibility, analytics and templates impersonating services like MetaMask, Netflix and PayPal.

🛡️ Modern SOCs drown in threat feeds; the problem is not data but converting it into repeatable decisions. The article lays out an operating model that makes CTI a business capability by centring work on Priority Intelligence Requirements (PIRs), engineering a single pipeline for collection, normalization and automated enrichment, and prioritizing behaviour‑first detections mapped to MITRE ATT&CK. It prescribes SOAR orchestration with human checkpoints, de‑duplication and scoring by relevance and visibility, and integration of intel into incident response and threat hunting. The result: measurable loss avoidance, reclaimed analyst capacity and executive reporting that drives concrete decisions.

🤖 FortiGuard Labs warns that by 2026 cybercrime will transition from ad hoc innovation to industrialized throughput, driven by AI, automation, and a mature supply chain. Attackers will automate reconnaissance, lateral movement, and data monetization, shrinking attack timelines from days to minutes. Defenders must adopt machine-speed operations, continuous threat exposure management, and identity-centric controls to compress detection and response. Global collaboration and targeted disruption will be essential to deter large-scale criminal infrastructure.

⚠️ Cyber insurance has become a boardroom staple, but it often creates a false sense of protection. Policies limit financial exposure but are not a blank check: insurers increasingly require documented controls and may reduce, delay, or deny claims when basic security hygiene—patching, access controls, logging, MFA, or incident readiness—is lacking. Relying on coverage without fixing these foundational failures leaves organizations exposed to financial, operational, and reputational harm.

🔐 A Trend Micro analysis warns ransomware actors are increasingly targeting cloud storage by abusing AWS-native encryption and key management to render S3 data unrecoverable. Attackers probe buckets with disabled versioning or Object Lock, exploit wide write permissions, and weaponize SSE-KMS, SSE-C, BYOK and XKS to seize control of keys. Researchers recommend least-privilege IAM, enable versioning/Object Lock, isolate backups, and continuously monitor audit logs. An "assume breach" posture and short-lived credentials are urged to limit impact.

🔍 This article explains key differences between NDR, EDR and XDR and why a combined approach strengthens defense. EDR monitors endpoints using agents to detect local anomalies and malware but can leave visibility gaps where agents cannot be deployed or are bypassed. NDR analyzes packet-level traffic in real time and provides retrospective forensics to trace lateral movement and assess breaches. XDR is a strategy unifying telemetry from multiple tools, but without network context it can create blind spots.

🔍 Post-incident learning often falls behind containment, with Foundry’s Security Priorities study reporting 57% of security leaders struggled to identify root causes last year. Experts warn that prioritizing firefighting over forensic investigation leaves organizations exposed to repeat breaches and that disciplined evidence preservation is essential. Centralized telemetry such as SIEM, and forensic-capable services like MDR and XDR, plus structured postmortems, are key to building long-term resilience.

🛡️ Researchers report that the Sneaky2FA phishing-as-a-service kit now includes browser-in-the-browser (BITB) functionality that lets attackers embed a fake browser window with a customizable URL bar to mimic legitimate sites such as Microsoft. The iframe-backed pop-up captures credentials and MFA codes in real time, enabling attackers to hijack active sessions. This change lowers the skill threshold for criminals and undermines many signature-based defenses, prompting calls for updated training and stronger browser configurations.

🔎 GreyNoise reports a roughly 40x surge in malicious scans against Palo Alto Networks GlobalProtect VPN login portals beginning November 14, with about 2.3 million sessions hitting the /global-protect/login.esp endpoint between Nov 14–19. Activity focused on the United States, Mexico, and Pakistan and is linked to recurring TCP/JA4t fingerprints and ASN reuse, notably AS200373 and AS208885. GreyNoise recommends treating these probes as active reconnaissance — block and monitor attempts rather than dismissing them.

🔒 Organizations should treat the Windows 11 migration as a strategic security opportunity rather than a routine OS update. While some users resist moving from Windows 10 or explore alternatives like Linux or legacy releases, those choices can introduce operational headaches and security gaps, especially as Microsoft phases out support. Use the transition to validate backups, recovery objectives, and patch posture to reduce exposure to unpatched vulnerabilities that increasingly target MSPs and their clients.

🛡️ A BlueVoyant survey finds 97% of organizations were negatively impacted by a supply chain breach, up sharply from 81% in 2024. The State of Supply Chain Defense: Annual Global Insights Report 2025, published 20 November, shows many firms are maturing TPRM programs and shifting oversight into cyber or IT teams. Despite increased maturity, respondents report persistent issues such as lack of executive buy-in, compliance-first approaches, limited integration with enterprise risk frameworks, and a trend of adding vendors faster than they add visibility or remediation capacity.

🔒 As CISOs finalize next year’s cybersecurity budgets, winning board approval requires translating technical needs into business value. First, quantify risk in financial terms—estimate value at risk across worst-, best- and most‑likely scenarios, using industry reports, internal experts and vendor assessments to model direct losses, business interruption and reputational impact. Second, go beyond compliance: reserve budget for emerging threats (generative AI, quantum, third‑party risk) and repurpose existing line items such as Data Security Posture Management, SASE and GRC hours to limit net new spend. Third, know thy board and tailor your message—use dollars-and-cents for finance‑focused directors and vivid attack narratives for others, while maintaining regular engagement year-round.

🛡️ This week's ThreatsDay Bulletin highlights a surge in espionage, zero-day exploits, and organized crypto laundering across multiple countries. MI5 warned that Chinese operatives are using LinkedIn profiles and fake recruiters to target lawmakers and staff, while researchers disclosed critical flaws like a pre-auth RCE in Oracle Identity Manager and a resource-exhaustion bug in the Shelly Pro 4PM relay. The bulletin also details malicious browser extensions, new macOS stealer NovaStealer, high-profile arrests and sanctions, and continued pressure on crypto-mixing services. Patch, update, and verify identities to reduce exposure.

🔒 Check Point Research reports a significant increase in Black Friday–themed domain registrations, with about 1 in 11 newly registered domains classified as malicious. Brand impersonation is a primary tactic: roughly 1 in 25 new domains referencing marketplaces like Amazon, AliExpress, and Alibaba are flagged. Attackers create convincing fake storefronts that copy logos, layouts, and imagery to harvest credentials and payment data, with recent campaigns impersonating HOKA and AliExpress demonstrating active phishing tied to seasonal promotions.

🔍 OSINT is the disciplined practice of collecting and analysing publicly available information to produce actionable intelligence for security teams, journalists and researchers. The article outlines how practitioners use OSINT to discover exposed assets, support penetration testing, track threat actor activity and monitor reputational issues. It highlights common tools such as Shodan, Maltego and SpiderFoot, describes techniques like Google Dorking and metadata analysis, and stresses responsible, lawful investigation and rigorous sourcing to reduce error and privacy risk.

🔒Sturnus is a new Android banking trojan discovered by ThreatFabric that can capture decrypted messages from end-to-end encrypted apps like Signal, WhatsApp, and Telegram. It abuses Accessibility services and on-screen capture to read message content and deploys HTML overlays to harvest banking credentials. The malware also supports real-time, AES-encrypted VNC remote control and obtains Android Device Administrator privileges to resist removal while targeting European financial customers with region-specific overlays.

🔒 Sneaky2FA has integrated a Browser-in-the-Browser (BitB) pop-up that impersonates Microsoft sign-in windows and adapts to the victim’s OS and browser. Used alongside its existing SVG-based and attacker-in-the-middle (AitM) proxying, the BitB layer renders a fake URL bar and loads a reverse-proxy Microsoft login to capture credentials and active session tokens, enabling access even when 2FA is active. The kit also employs heavy obfuscation and conditional loading to evade analysis.