All news in category “Threat and Trends Reports”

🧠 Social engineering exploits human psychology to bypass technical and physical safeguards, using impersonation, deception and manipulation to gain access to systems, facilities or data. Attackers commonly use phishing, vishing, smishing, pretexting, baiting and tailgating after extensive reconnaissance to craft believable lures. High-value targets are often pursued via spear-phishing or BEC schemes, while opportunistic attackers rely on mass phishing. Practical defenses include ongoing security awareness training, verified procedures for urgent requests and realistic simulation tests; tools such as Social-Engineer Toolkit help organizations test their resilience.

🔐 Palo Alto Networks Unit 42 identified two interconnected 2025 campaigns that used large-scale brand impersonation to deliver variants of the Gh0st remote access Trojan to Chinese-speaking users globally. The adversary evolved from simple droppers (Campaign Trio, Feb–Mar 2025) to sophisticated, multi-stage MSI-based chains abusing signed binaries, VBScript droppers and public cloud storage (Campaign Chorus, May 2025 onward). The report includes representative IoCs and mitigation guidance for Advanced WildFire, Cortex XDR and allied protections.

🔍 ESG research shows that environmental complexity, not malware or phishing, is viewed by most organizations as the primary barrier to effective detection and response. As alerts proliferate and validation can take hours, teams are turning to the one transit every attack must cross — the network — for a reliable, unbiased source of truth. Shared network visibility between SecOps and NetOps, together with continuous packet capture, improves investigation speed and confidence. Vendors such as NETSCOUT Omnis Cyber Intelligence (OCI) deliver alert-independent, packet-level context and deep packet inspection to reduce dwell time and streamline incident response.

🔍 Shadow IT — any software, hardware, or resource introduced without formal IT, procurement, or compliance approval — is now pervasive and evolving into Shadow AI, where unsanctioned generative AI tools expand the attack surface. The article outlines how these practices drive operational, security, and regulatory risk, citing IBM’s 2025 breach-cost data and industry examples in healthcare, finance, airlines, insurance, and utilities. It recommends shifting from elimination to smarter control by improving continuous visibility through real‑time network analysis and vendor integrations that turn hidden activity into actionable intelligence.

🔒 Q3 2025 saw an unprecedented decentralization of ransomware, with Check Point Research tracking a record 85 active groups and roughly 1,592 disclosed victims across numerous leak sites. Despite enforcement actions and multiple takedowns, affiliates quickly reconstitute or rebrand, spawning 14 new ransomware brands this quarter. The return of LockBit 5.0 — with updated Windows, Linux and ESXi variants and individualized negotiation portals — suggests a possible shift back toward centralization, while marketing-driven actors like DragonForce further complicate attribution and response.

📚 This CSO Online roundup gathers books recommended by practicing CISOs to refine judgment, influence leadership style, and navigate modern security complexity. Recommendations range from risk and AI-focused studies to cognitive science, social engineering narratives, and organizational behavior, showing how reading informs both tactical and strategic decisions. The list highlights practical guides for risk measurement, frameworks for improving focus and decision making, and titles that remind leaders to protect attention and sustain personal resilience.

🛰️ Cisco Talos revisits the Feb. 24, 2022 KA‑SAT incident where attackers abused a VPN appliance vulnerability to access management systems and deploy the AcidRain wiper. The malware erased modem and router firmware and configs, disrupting satellite communications for many Ukrainian users and unexpectedly severing remote monitoring for ~5,800 German Enercon wind turbines. The piece highlights forensic gaps, links to VPNFilter-era tooling, and the operational choices defenders face when repair or replacement are on the table.

🔒 Palo Alto Networks found that 26% of Linux systems and 8% of Windows systems are running outdated versions across telemetry from 27 million devices spanning 1,800 companies. The analysis also shows 39% of devices lack active endpoint protection and roughly one-third of devices operate outside IT control. Poor segmentation and unmanaged edge devices increase the risk of undetected compromise.

🔒 Kerberoasting remains a persistent threat to Active Directory environments, enabling attackers to request service tickets for SPNs and crack their password hashes offline to escalate privileges. Adversaries use freely available tools like GetUserSPNs.py and Rubeus to extract tickets tied to service accounts, then perform offline brute-force attacks against the ticket encryption. Mitigations recommended include regular AD password audits, using gMSAs with auto-managed long passwords, preferring AES over RC4, enforcing non-reusable 25+ character passwords with rotation, and deploying MFA and robust password policies.

📰 IANS Research polled 566 CISOs across the US and Canada between April and October 2025 and found average total compensation (salary, bonus and equity) rose 6.7% year‑on‑year. The report highlights sharp pay dispersion: the top 1% report over $3.2m—about ten times the median—while 70% of CISOs receive equity that often drives top packages. Budgets grew just 4% (the slowest pace in five years), CISO mobility climbed to 15%, and tech and financial services led sector pay at averages of $844,000 and $744,000 respectively.

🕒 This post introduces Time Travel Debugging (TTD) via WinDbg as a high-value tool for accelerating analysis of obfuscated, multi-stage .NET droppers that perform process hollowing. The authors demonstrate recording a TTD trace, querying the Debugger Data Model with LINQ to find CreateProcess and WriteProcessMemory calls, and extracting a hidden AgentTesla payload. It highlights practical tips, tooling (TTD.exe, FLARE-VM), and limitations such as user-mode scope and proprietary trace formats.

🔐 Fred Kinch’s memoir recounts his years selling commercial cryptographic hardware from 1969 to 1982, chronicling Datotek’s pivot from file to link encryption and the chaotic marketplace of the era. He describes regulatory battles, notably ITAR and NSA scrutiny, alongside anecdotal demonstrations of security that now seem alarmingly informal. Kinch’s stories reveal a world where vendors, customers, and even governments often accepted cryptographic strength on trust rather than proof.

🔍 The ransomware landscape in Q3 2025 reached a critical inflection point: despite law enforcement takedowns earlier in the year, attacks remained at historically high levels. Check Point Research identified 1,592 new victims across 85 active extortion groups, a 25% year‑over‑year increase. While major brands such as RansomHub and 8Base disappeared, numerous smaller actors rapidly filled the void, driving unprecedented RaaS fragmentation and complicating response efforts.

⚡ Attackers are weaponizing many newly disclosed CVEs within hours, forcing defenders to close the gap by moving beyond manual triage to automated remediation. Drawing on 2025 industry reports and CISA and Mandiant observations, the article notes roughly 50–61% of new vulnerabilities see exploit code within 48 hours. It urges adoption of policy-driven automation, controlled rollback, and streamlined change processes to shorten exposure windows while preserving operational stability.

🐙 Kraken is a Russian-speaking ransomware group active since February 2025 that conducts double-extortion, big-game hunting campaigns across multiple regions. In a documented intrusion Talos observed, attackers exploited SMB flaws for access, used Cloudflared for persistence, exfiltrated data via SSHFS, then deployed cross-platform encryptors for Windows, Linux and ESXi. The family includes on-host benchmarking to tune encryption, and Talos maps detections and IOCs to Cisco protections to aid response.

🔍 techUK has published its Anti-Fraud Report 2025, warning that fraud now accounts for 40% of crime in the UK and that an estimated 67% is cyber-enabled. The report urges improved collaboration across law enforcement, banks, tech platforms, telecoms and regulators and recommends a connected anti-fraud ecosystem, wider use of AI and machine learning, and a national Tell Us Once victim-reporting model. It highlights the scale of harm—global losses of about $1 trillion in 2024—and cautions that government action is still being finalised.

🔐 This ThreatsDay Bulletin surveys major cyber activity shaping November 2025, from exploited Cisco zero‑days and active malware campaigns to regulatory moves and AI-related leaks. Highlights include CISA's emergency directive after some Cisco updates remained vulnerable, a large-scale study finding 65% of AI firms leaked secrets on GitHub, and a prolific phishing operation abusing Facebook Business Suite. The roundup stresses practical mitigations—verify patch versions, enable secret scanning, and strengthen incident reporting and red‑teaming practices.

🔐 Password managers centralize credentials but are attractive targets for attackers who exploit phishing, malware, vendor breaches, fake apps and software vulnerabilities. Recent incidents — including a 2022 LastPass compromise and an ESET‑reported North Korean campaign — demonstrate how adversaries can exfiltrate vault data or trick users into surrendering master passwords. To reduce risk, use a long unique master passphrase, enable 2FA, keep software and browsers updated, install reputable endpoint security, and only download official apps from trusted stores.

🔍 The UK cyber insurance sector paid £197m to policyholders in 2024, a 230% increase on the previous year, driven largely by more damaging malware and ransomware incidents that now account for 51% of claims. The ABI says insurers issued 17% more policies over the period while higher payouts reflect growing threat sophistication and larger recovery costs. Insurers are tightening underwriting and requiring stronger resilience, offering services such as expert advice, threat monitoring and incident response support as part of coverage to reduce future losses.

🔐 Active Directory remains the critical authentication backbone for most enterprises, and its growing complexity across on‑premises and cloud hybrids has expanded attackers' opportunities. The article highlights common AD techniques — Golden Ticket, DCSync, and Kerberoasting — and frequent vulnerabilities such as weak and reused passwords, lingering service accounts, and poor visibility. It recommends layered defenses: strong password hygiene, privileged access management, zero‑trust conditional access, continuous monitoring, and rapid patching. The piece stresses that AD security is continuous and highlights solutions that block compromised credentials in real time.