All news in category “Threat and Trends Reports”

🔍 Organizations are shifting from annual, checklist-driven compliance to targeted, frequent risk assessments that address emerging threats in real time. The article contrasts gap analyses — which measure adherence to frameworks like NIST or ISO — with tailored risk reviews focused on specific threat paths (for example, access control, ransomware, AI or cloud misconfigurations). It recommends small, repeatable questionnaires, a simple scoring model and executive-ready outputs to prioritize remediation and integrate risk into governance.

🔍 New research from Palo Alto Networks shows enterprise networks remain sprawling and poorly controlled: telemetry from 27 million devices across 1,800 enterprises found 26% of Linux and 8% of Windows systems running on end-of-life OS versions, 39% of directory-registered devices lack active endpoint protection, and 32.5% operate outside IT control. Poor segmentation — present in 77% of networks — and unmanaged edge devices increase attacker opportunities.

🛡️This article compares three related threat-detection approaches: Endpoint Detection and Response (EDR), Network Detection and Response (NDR) and Extended Detection and Response (XDR). It explains that EDR focuses on endpoint agents and can leave visibility gaps, while NDR analyzes packet-level network traffic for real-time detection, forensic review and retrospective analysis. XDR is described as a strategy that unifies telemetry from multiple sources to accelerate response; when combined, these capabilities offer complementary coverage and reduced operational risk.

📈 Check Point Research found a continued uptick in global cyber assaults in October 2025, with organizations experiencing an average of 1,938 attacks per week. That represents a 2% increase from September and a 5% rise year‑over‑year. The report attributes the growth to an explosive expansion of ransomware operations and emerging risks tied to generative AI, while the education sector remained the most heavily targeted. Security teams are urged to strengthen detection, patching and access controls to counter increasingly automated and AI‑assisted threats.

🔒 The German Federal Office for Information Security (BSI) reports that cyber espionage is increasingly targeting public administration, with notable victims in defense, judiciary and public safety. The 1 July 2024–30 June 2025 report notes law-enforcement actions against ransomware providers LockBit and Alphv but warns many incidents go unreported. It highlights rising quishing and vishing attacks, insufficient basic protections—especially among SMEs and political organizations—and calls for stronger investment and reduced dependence on U.S. infrastructure.

🔒 KnowBe4 has identified a new phishing-as-a-service platform called Quantum Route Redirect that automates large-scale credential theft across roughly 90 countries and is hosted on about 1,000 domains. The kit distinguishes security tools from real users to evade URL scanning and some web application firewalls, routing victims to Microsoft 365 credential-harvesting pages. It includes redirect configuration, traffic analytics, monitoring dashboards and themed lures such as DocuSign and payroll impersonations. KnowBe4 urges multi-layered defenses including NLP-driven email analysis, sandboxing, continuous monitoring and rapid incident response.

🔒 Enterprises have pursued a passwordless future for more than a decade, yet deployment is stalling as legacy systems, industrial and IoT devices, and custom apps often lack support. A recent RSA report found 90% of organizations face coverage gaps or poor user experience, leaving most firms able to cover only about 75–85% of use cases. Experts warn that enrollment, recovery, and fallback mechanisms frequently reintroduce passwords and expand attack surfaces unless those flows are made as phishing-resistant as logins.

🔒 Unit 42 details how attackers force Windows hosts to authenticate to attacker-controlled systems by abusing rarely monitored RPC interfaces. The report explains techniques, including misuse of UNC path parameters and obscure opnums, and reviews a March 2025 healthcare incident that leveraged MS-EVEN ElfrOpenBELW. It outlines indicators such as bursts of failed NTLM authentications and RPC calls containing external UNC targets. Recommendations include detection, RPC filtering, SMB signing, and Cortex XDR protections.

📧 KnowBe4 researchers have identified a phishing automation kit named Quantum Route Redirect (QRR) that uses roughly 1,000 domains to harvest Microsoft 365 credentials. The platform is preconfigured with common lures—DocuSign requests, payment notifications, missed voicemail notices and QR prompts—and typically hosts landing pages on parked or compromised legitimate domains to aid social engineering and evade detection. QRR includes a built-in filter that distinguishes humans from bots and security scanners, redirecting genuine users to credential-harvesting pages while sending automated systems to benign sites. Most observed attacks target U.S. users, and defenders are urged to deploy robust URL filtering and continuous account monitoring.

🔒 FileFix is a social‑engineering technique that tricks users into pasting a malicious command into the Windows File Explorer address bar instead of the Run dialog. Attackers hide a long payload before a benign-looking file path using leading spaces so only the harmless path is visible, then invoke a PowerShell script (for example via conhost.exe) to retrieve and run malware. Defenses emphasize robust endpoint protection and ongoing employee awareness training, since blocking shortcuts alone is insufficient.

🔒 Phishing is moving beyond email to platforms like LinkedIn, where direct messages sidestep traditional email defenses and evade many web-based controls. Attackers exploit account takeovers, weak MFA adoption, and AI-driven outreach to scale targeted campaigns against executives and cloud identity services. Because LinkedIn messages are accessed on corporate devices but outside email channels, organizations often rely on user reporting and URL blocking—measures that are slow and ineffective. Vendor Push Security recommends browser-level protections that analyze page code and behavior in real time to block in-browser phishing and SSO-based compromises.

🛡️ This week's recap highlights sophisticated, real-world threats that bypass conventional defenses. Actors like Curly COMrades abused Hyper-V to run a hidden Alpine Linux VM and execute payloads outside the host OS, evading EDR/XDR. Microsoft disclosed the Whisper Leak AI side-channel that infers chat topics from encrypted traffic, and a patched Samsung zero-day was weaponized to deploy LANDFALL spyware to select Galaxy devices. Time-delayed NuGet logic bombs, a new criminal alliance (SLH), and ongoing RMM and supply-chain abuses underscore rising coordination and stealth—prioritize detection and mitigations now.

🛡️ The Browser Security Report 2025 warns that enterprise risk is consolidating in the user's browser, where identity, SaaS, and GenAI exposures converge. The research shows widespread unmanaged GenAI usage and paste-based exfiltration, extensions acting as an embedded supply chain, and a high volume of logins occurring outside SSO. Legacy controls like DLP, EDR, and SSE are described as operating one layer too low. The report recommends adopting session-native, browser-level controls to restore visibility and enforce policy without disrupting users.

🔍 Acronis TRU describes practical VirusTotal hunting techniques used to track the FileFix ClickFix variant, the long-running SideWinder actor, and the Shadow Vector SVG campaign targeting Colombian users. Using Livehunt, content-based YARA rules, VT Diff, and metadata pivoting, analysts located clipboard-based web payloads, document exploits (CVE‑2017‑0199/11882), and judicial-themed SVG decoys. The post emphasizes iterative rule tuning, retrohunt for timelines, and infrastructure pivots that convert fragmented indicators into actionable intelligence.

🪂 Purple teaming must become ongoing practice, not a one-off exercise. Many organisations run purple team engagements as transactional penetration tests that emphasise bypass and board-ready reports rather than sustained capability building. Real SOC uplift requires repetition, rehearsal, and collaborative iteration between testers and defenders, with an emphasis on simplicity, context-aware detection, and teaching analysts to understand attacker behaviour. Embedding project-style coordination and running small, focused simulations helps turn the SOC from a static service into a living capability.

📊 Cybersecurity leaders increasingly must translate technical metrics into business language to demonstrate program value and secure budget support. Studies from Ponemon Institute and Open Text show executives expect measurable business impact, yet many CISOs default to technical statistics that confuse boards. Experts recommend creating or aligning with an ERM function, using a documented risk register, and mapping metrics to business priorities. Use clear business measures such as potential financial exposure, risk-reduction percentages, ROI, and peer benchmarking to illustrate impact and prioritize investments.

📱 The Swiss NCSC warns of smishing attacks that impersonate Apple's Find My team, telling owners their lost iPhone has been found to lure them to a fake login page. Messages can cite device details visible on the lock screen and use the displayed contact info to target victims. The counterfeit pages request the user's Apple ID and password, which attackers then use to remove Activation Lock. Users should enable Lost Mode, avoid unsolicited links, use a dedicated contact email, and protect their SIM with a PIN.

🔒 Most email blackmail attempts are mass scams that exploit leaked personal data and fear to extort cryptocurrency from victims. The article outlines common themes — fake device hacks, sextortion, and even fabricated death threats — and describes regional campaigns where attackers impersonate law enforcement in Europe and CIS states. It highlights detection signs and practical defenses, urging verification, use of reliable security solutions, and reporting threats through official channels.

🔍 The ESET research team released its APT Activity Report covering April–September 2025, summarizing operations by state-aligned hacking groups. The report details espionage, disruptive attacks and monetized campaigns targeting government and corporate networks across multiple regions. Notably, the Russia-aligned group Sandworm deployed several data wipers against Ukraine's grain sector, an apparent attempt to harm economic resilience. ESET Chief Security Evangelist Tony Anscombe outlines key findings in an accompanying video and encourages readers to consult the full report for technical specifics.

🔐 Executives must treat cybersecurity and business continuity as a unified discipline rather than separate functions. Drawing on six years managing high-availability systems at Amazon, the author warns that attackers increasingly target recovery and backup infrastructure, turning outages into leverage. The article advocates network segmentation, air-gapped and offline backups, and integrated incident-response and recovery testing to protect operations and reputation.