
All news in category “Threat and Trends Reports”

1479 articles · page 62 of 74

Transitioning to Passwordless Authentication with PKI

🔐 Organizations facing rising phishing and ransomware threats are moving from passwords to PKI-based authentication to close gaps in traditional MFA. Certificates issued by a trusted CA and backed by asymmetric cryptography replace passwords and vulnerable SMS codes, improving both security and usability. Automated lifecycle management and user self-service reduce administrative overhead, while crypto-agility preserves long-term resilience.

CISOs Seek Greater Data Visibility Across Hybrid Clouds

🔍 A majority of CISOs want full visibility into data flows across hybrid cloud environments but often lack suitable tooling. The Gigamon study CISO Insights: Recalibrating Risk in the Age of AI, surveying 1,021 security and IT leaders including 200 CISOs in early 2025, reports that network data volumes have nearly doubled due to AI and that 86% favor combining packet and metadata. However, 97% admit they must compromise on transparency, and many distrust public cloud security.

Smashing Security: Mouse Eavesdropping and Ransomware

🖱️ A recent episode of the Smashing Security podcast examines how commonplace devices and online behaviour can create unexpected security risks. Hosts discuss academic work that turns a standard computer mouse into an acoustic eavesdropping sensor, showing how a malicious webpage could exploit peripheral hardware. They also consider a ransomware crew’s reputation problems, and round out the episode with lighter items such as a quirky baked potato hack and a literary detour to Paraguay.

New FileFix Variant Uses Cache Smuggling to Evade Security

⚠️ A new FileFix variant uses cache smuggling to deliver a malicious ZIP via Chrome's disk cache while impersonating a Fortinet VPN Compliance Checker, tricking victims into pasting a crafted path into File Explorer. The embedded PowerShell command extracts a hidden ZIP from cached image files, writes a ComplianceChecker.zip and launches an executable, enabling execution without obvious downloads. Security firms report rapid abuse by ransomware and info-stealer operators and advise training users never to paste clipboard content into OS dialogs.

Optical Mice Can Be Used to Eavesdrop on Conversations

🖱️ Researchers at the University of California, Irvine demonstrated a proof-of-concept called Mic-E-Mouse, showing that high-end optical mice can pick up desk-transmitted voice vibrations and be used to reconstruct nearby conversations. The attack can be executed on PC, Mac and Linux by non-privileged user-space programs, and Wiener and neural-network filtering were used to enhance muffled signals into intelligible speech. Practical limits include a quiet environment, thin desks (≈3 cm or less), mostly stationary mice and very high-DPI hardware; placing a rubber pad or mouse mat under the mouse prevents the leakage.

Rising Digital Fraud Costs Companies 7.7% of Revenue

📈 TransUnion's H2 2025 update warns that rising digital fraud is costing firms an average of 7.7% of annual revenue, amounting to an estimated $534bn in global losses. US businesses reported heavier impacts — 9.8% of revenue, or roughly $114bn — driven by a surge in account takeover and synthetic identity fraud. The report urges firms to move beyond reactive defenses and strengthen identity verification across digital touchpoints.

Fraudulent Emails Imitating Airlines and Airports Sector

🛫 Kaspersky researchers uncovered a widespread email fraud campaign impersonating major airlines and airports to solicit advance refundable deposits. Attackers use convincing business-style messages, registration forms and NDAs rather than malware, then request several-thousand-dollar payments to secure partnership consideration. Recipients are urged to verify sender domains against official corporate contacts and treat any deposit request as a major red flag. Organizations should deploy strong email-gateway defenses and provide targeted security awareness training for finance, sales and procurement teams.

How to Respond After Clicking a Suspicious Link Safely

⚠ If you clicked a suspicious link, stay calm and act promptly. For work devices, contact IT immediately and follow their instructions. For personal devices, close the browser and check for unexpected downloads; if you entered credentials, change passwords and enable MFA; if financial data was entered, contact your bank; if a file was downloaded, disconnect, run a full scan, and consider restoring from a clean backup. Monitor accounts and report phishing attempts.

IUAM ClickFix Generator: Commoditizing Click-to-Run Phishing

🛡️ Unit 42 describes the IUAM ClickFix Generator, a phishing kit that automates creation of ClickFix-style pages which coerce victims into pasting and executing attacker-supplied commands. The kit creates OS-aware, highly customizable pages with clipboard injection, obfuscation, and mobile blocking to deliver infostealers and RATs such as DeerStealer and Odyssey. Unit 42 observed real campaigns, shared developer artifacts, and recommends user education and technical controls to block domains, IPs, and malware indicators.

Measuring Cybersecurity: KPIs, KRIs and Effective Metrics

🔍 This article explains how organizations can measure cybersecurity effectively by aligning technical metrics with executive concerns. It outlines five iterative steps — define requirements, select key indicators, identify metrics, collect and analyze data, and report indicators — to create an actionable measurement cycle. Emphasis is placed on using high-level KPIs and KRIs, automating collection, and reviewing indicators with stakeholders to ensure relevance and drive decisions.

Responding to Cloud Incidents: Investigation and Recovery

🔍 Unit 42 outlines a structured approach to investigating and responding to cloud incidents, noting that 29% of 2024 incident investigations involved cloud or SaaS environments. The guidance emphasizes a shift from endpoint-centric forensics to focus on identities, misconfigurations and service interactions. It recommends enabling and centralizing logs, retaining them for at least 90 days, and preparing for rapid evidence collection and VM/container imaging. The article stresses identity forensics, behavioral baselining and surgical containment to avoid alerting adversaries.

Disrupting Threats Targeting Microsoft Teams Environments

🛡️ Microsoft Threat Intelligence details how adversaries exploit Microsoft Teams collaboration capabilities—chat, calls, meetings, and screen sharing—at multiple stages of the attack chain. The post chronicles 2024–2025 campaigns and toolsets (phishing, malvertising, deepfakes, device code phishing, and red-team tool reuse) that enable initial access, persistence, and exfiltration. It emphasizes layered defenses across identity, endpoints, apps, data, and network controls, and provides detection guidance, hunting queries, and product-specific recommendations to help defenders disrupt these operations.

Cloud and Application Security: Awareness Best Practices

🔐 The 2025 State of Cloud Security Report from Fortinet and Cybersecurity Insiders highlights how accelerating cloud adoption and a widespread cybersecurity skills shortage are expanding organizational risk across SaaS, APIs, and hybrid environments. Many incidents result from human error — misconfigurations, exposed APIs, and overprivileged accounts — rather than sophisticated targeted attacks. The post recommends five practical measures, including embracing shared responsibility, enforcing MFA and least privilege, integrating security into CI/CD, automating configuration management, and monitoring SaaS and APIs, and stresses that tools must be paired with user awareness and cultural change.

From Ransom to Revenue Loss and Recovery Costs for Business

🔒 Ransomware now inflicts costs far beyond ransom payments, driving operational downtime, reputational damage, and regulatory exposure that directly erode the bottom line. The 2025 Unit 42 report shows median initial extortion demands rose to $1.25M and commonly equate to about 2% of the victim's perceived annual revenue (PAR). While roughly 48% of victims paid in 2024, Unit 42 negotiation reduced median paid demands to about 0.6% of PAR, yet attackers’ disruptive tactics increasingly amplify recovery costs. Strengthening backups, segmentation, and an incremental zero trust posture are key to limiting impact and shortening recovery timelines.

XWorm 6.0 Returns with 35+ Plugins and Enhanced Theft

🛡️ Trellix researchers detail the return of XWorm 6.0, a modular Windows malware now supporting more than 35 in-memory DLL plugins and expanded data-theft and persistence capabilities. The actor associated with earlier releases, known as XCoder, is of uncertain status, but v6.0—advertised on forums in June 2025—appears to address a prior RCE flaw while enabling credential theft, keylogging, screen capture, and optional ransomware. Campaigns use phishing, malicious JavaScript, LNK-based PowerShell chains, and process injection to evade detection and execute plugins directly in memory.

Hidden Text Salting: CSS Abuse in Email Threats and Evasion

🧂 Cisco Talos documents growing abuse of CSS to insert visually hidden 'salt' into emails, a technique that undermines parsing and language-detection systems. In samples observed between March 1, 2024 and July 31, 2025, the salt appeared in preheaders, headers, attachments and bodies; attackers use CSS properties (font-size, opacity, display, clipping) and zero-width characters to conceal the irrelevant content from human readers while it still reaches the filters. Talos recommends detection plus HTML sanitization and filters—examples include Cisco Secure Email Threat Defense—to strip or ignore invisible content before downstream analysis.

Why Successful Businesses Are Built on Cyber Protection

🔒 Company leaders must treat cyber risk as a strategic priority rather than a discretionary cost. The piece highlights a persistent budget-perception gap between CISOs and boards and notes SMBs often remain reactive, prioritizing firefighting over prevention. It cites high-profile breaches and the IBM Cost of a Data Breach report to quantify losses and recommends technologies such as SIEM and SOAR, alongside governance measures like board oversight and appointed CISOs. Practical advice stresses framing security as business risk, using financial metrics, and reporting regularly to embed security-by-design.

XWorm Backdoor Returns with Ransomware and 35+ Plugins

🛡️ New variants of the XWorm backdoor (6.0, 6.4, 6.5) are being distributed via phishing campaigns after the original author, XCoder, abandoned the project. Multiple operators have adopted these builds, which now support more than 35 plugins enabling data theft, remote control, and a ransomware module that encrypts user files and drops HTML ransom notes. Trellix observed diverse droppers and recommends layered defenses including EDR, email/web protections, and network monitoring.

Weekly Cyber Recap: Oracle 0-Day, BitLocker Bypass

🛡️ Threat actors tied to Cl0p exploited a critical Oracle E-Business Suite zero-day (CVE-2025-61882, CVSS 9.8) to steal large volumes of data, with multiple flaws abused across patched and unpatched systems. The week also spotlights a new espionage actor, Phantom Taurus, plus diverse campaigns from WordPress-based loaders to self-spreading WhatsApp malware. Prioritize patching, strengthen pre-boot authentication for BitLocker, and increase monitoring for the indicators associated with these campaigns.

Palo Alto Login Portal Scanning Spikes 500% Globally

🔍 Security researchers observed a roughly 500% surge in reconnaissance activity targeting Palo Alto Networks login portals on October 3, when GreyNoise recorded about 1,300 unique IP addresses probing its Palo Alto Networks Login Scanner tag versus typical daily volumes under 200. Approximately 91% of the IPs were US-based and 93% were classed as suspicious, with 7% confirmed malicious. GreyNoise also reported parallel scanning of other remote-access products including Cisco ASA, SonicWall, Ivanti and Pulse Secure, and noted shared TLS fingerprinting and regional clustering tied to infrastructure in the Netherlands. Analysts will continue monitoring for any subsequent vulnerability disclosures.