
All news in category "Threat and Trends Reports"

Thu, October 30, 2025

Trick, Treat, Repeat: Patch Trends and Tooling for Q3

🎃 Microsoft’s free Windows 10 updates have largely ended, with EEA consumers receiving free Extended Security Updates through Oct 14, 2026, while most other users must pay. Q3 telemetry shows roughly 35,000 CVEs through September, averaging about 130 new entries per day, and a rising set of Known Exploited Vulnerabilities (KEV) that widen vendor and network impact. Talos also launched the Tool Talk series, offering a hands-on guide to dynamic binary instrumentation with DynamoRIO for malware analysis and runtime inspection.


Thu, October 30, 2025

Stolen Credentials and Remote Access Abuse in 2025

🔒 FortiGuard Incident Response observed that in H1 2025 financially motivated actors frequently used stolen credentials and legitimate remote-access software to gain and extend access across environments. Adversaries relied on compromised VPN logins, password reuse, or purchased credentials, deploying tools like AnyDesk, Splashtop, Atera and ScreenConnect to move laterally and exfiltrate data manually. These intrusions often bypass endpoint-focused defenses because activity mimics normal user behavior, so FortiGuard emphasizes identity- and behavior-driven detection, broad MFA enforcement, and monitoring of remote access tooling.
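The identity- and behaviour-driven detection FortiGuard recommends can be expressed as a small correlation rule: flag any launch of a remote-access binary that is not on the organisation's approved list, that runs from a user-writable path, or that follows a VPN login from a country outside the user's usual pattern. The Python below is an added example, not FortiGuard's tooling; the event records, the single approved product (ScreenConnect) and the per-user login baseline are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed telemetry for this example (not FortiGuard case data): VPN
# authentications and Windows process-creation events, pre-normalised to one
# shape with UTC timestamps.
EVENTS = [
    {"ts": "2025-06-03T08:02:00Z", "type": "vpn_login", "user": "j.doe", "src_country": "DE"},
    {"ts": "2025-06-03T08:05:30Z", "type": "process", "user": "j.doe", "host": "WS-042",
     "image": r"C:\Users\j.doe\Downloads\AnyDesk.exe"},
    {"ts": "2025-06-03T09:00:00Z", "type": "vpn_login", "user": "a.smith", "src_country": "US"},
    {"ts": "2025-06-03T09:10:00Z", "type": "process", "user": "a.smith", "host": "WS-017",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (7a1)\ScreenConnect.ClientService.exe"},
    {"ts": "2025-06-03T22:40:00Z", "type": "vpn_login", "user": "a.smith", "src_country": "BR"},
    {"ts": "2025-06-03T22:44:00Z", "type": "process", "user": "a.smith", "host": "SRV-DB-01",
     "image": r"C:\Windows\Temp\splashtop_streamer.exe"},
    {"ts": "2025-06-03T23:00:00Z", "type": "process", "user": "svc-backup", "host": "SRV-DB-01",
     "image": r"C:\Windows\System32\robocopy.exe"},
]

# Assumed organisational context: the one sanctioned RMM product, and each
# user's usual VPN source countries learned from earlier logins.
APPROVED_RMM = {"screenconnect"}
LOGIN_BASELINE = {"j.doe": {"DE"}, "a.smith": {"US"}}

# Binary-name patterns for the tools named in the report, matched on the file
# name only so directory names never influence identification.
RMM_SIGNATURES = {
    "anydesk": re.compile(r"anydesk", re.I),
    "splashtop": re.compile(r"splashtop", re.I),
    "atera": re.compile(r"atera", re.I),
    "screenconnect": re.compile(r"screenconnect|connectwisecontrol", re.I),
}
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.I)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def identify_rmm(image):
    """Return the RMM product name for a process image path, or None."""
    name = image.rsplit("\\", 1)[-1]
    for tool, rx in RMM_SIGNATURES.items():
        if rx.search(name):
            return tool
    return None


def find_rmm_abuse(events, approved=APPROVED_RMM, baseline=LOGIN_BASELINE,
                   window=timedelta(minutes=30)):
    """Return one alert per suspicious RMM launch, listing every reason that fired."""
    logins = [e for e in events if e["type"] == "vpn_login"]
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        tool = identify_rmm(e["image"])
        if tool is None:
            continue
        reasons = []
        if tool not in approved:
            reasons.append(f"{tool} is not an approved remote-access tool")
        if USER_WRITABLE.search(e["image"]):
            reasons.append("binary launched from a user-writable path")
        started = parse_ts(e["ts"])
        # Correlate with the same user's VPN logins inside the window; a login
        # from outside the user's baseline right before an RMM launch is the
        # credential-then-remote-access chain the report describes.
        for login in logins:
            delta = started - parse_ts(login["ts"])
            if (login["user"] == e["user"] and timedelta(0) <= delta <= window
                    and login["src_country"] not in baseline.get(login["user"], set())):
                minutes = int(delta.total_seconds() // 60)
                reasons.append(f"preceded {minutes} min earlier by a VPN login from "
                               f"{login['src_country']}, outside the user's baseline")
        if reasons:
            alerts.append({"user": e["user"], "host": e["host"], "tool": tool, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_rmm_abuse(EVENTS):
        print(alert["user"], alert["host"], alert["tool"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Note what stays quiet: the sanctioned ScreenConnect client started from Program Files after a login from the user's usual country produces no alert, which is the point of pairing an allowlist with behavioural context rather than blocking every RMM binary outright.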


Thu, October 30, 2025

Shadow AI: One in Four Employees Use Unapproved Tools

🤖 1Password’s 2025 Annual Report finds shadow AI is now the second-most prevalent form of shadow IT, with 27% of employees admitting they used unauthorised AI tools and 37% saying they do not always follow company AI policies. The survey of 5,200 knowledge workers across six countries shows broad corporate encouragement of AI experimentation alongside frequent circumvention driven by convenience and perceived productivity gains. 1Password warns that freemium and browser-based AI tools can ingest sensitive data, violate compliance requirements and even act as malware vectors.


Thu, October 30, 2025

Policy, Privacy, and Post-Quantum Anonymous Credentials

🔒 Lena Heimberger examines the challenge of building post-quantum Anonymous Credentials that are practical for large-scale use. The post summarizes real-world needs — from the EU digital identity wallet to Cloudflare’s Privacy Pass rate-limiting — and defines key requirements like unlinkability, unforgeability, round-optimality, and per-origin rate limits. It surveys PQ approaches (generic ZKP composition, lattice-based signatures, hash-and-sign with aborts, and MPC-in-the-head/VOLEitH), evaluates trade-offs in bandwidth and latency, and calls for standardized ZK-friendly hashes and PQ-native protocol designs.


Thu, October 30, 2025

ThreatsDay: DNS Poisoning, Supply-Chain Heist, New RATs

🔔 This week's ThreatsDay bulletin highlights a critical BIND9 vulnerability (CVE-2025-40778) enabling DNS cache poisoning and a public PoC, along with widespread campaign activity from loaders, commodity RATs and supply-chain trojans. Other notable items include a guilty plea by a former defense employee for selling cyber-exploit components to a Russian broker, a new Linux Rust dual-personality evasion technique, and Avast's free decryptor for Midnight ransomware. Recommended defensive actions emphasize patching to the latest BIND9 releases, enabling DNSSEC, restricting recursion, and strengthening monitoring and authentication controls.
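The recursion and DNSSEC mitigations in the bulletin, shown as a BIND 9 named.conf options fragment with the weak setting beside the corrected one. This is an added illustration, not configuration from the bulletin or from ISC; the 10.0.0.0/8 range stands in for whatever networks a resolver actually serves, and a real named.conf carries a single options block, not both.

```text
// Weak: an open resolver. Anyone who can reach port 53 can make it query
// upstream, which is the position a cache-poisoning attacker wants.
options {
    recursion yes;
    allow-recursion { any; };
    dnssec-validation no;
};

// Hardened: recurse, and hand out cached answers, only for the networks this
// resolver exists for, and validate answers against the built-in root trust
// anchor so forged records for signed zones fail.
options {
    recursion yes;
    allow-recursion   { localhost; localnets; 10.0.0.0/8; };
    allow-query-cache { localhost; localnets; 10.0.0.0/8; };
    dnssec-validation auto;
};

// Authoritative-only servers should not recurse at all:
// options { recursion no; };
```

Two caveats a practitioner would keep in mind: validation only protects zones that are actually signed, so unsigned domains stay poisonable until the server is patched, and restricting recursion narrows who can drive the resolver but does nothing about an attacker already inside the allowed networks. Upgrading to a fixed BIND9 release remains the actual remediation.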


Thu, October 30, 2025

Board Cyber Resilience: Metrics That Drive Governance

🔒 Boards need concise, business-focused cyber metrics that translate technical activity into measurable resilience. The article argues that traditional SOC metrics (patch counts, blocked phishing attempts) are poor indicators of business impact and recommends focusing on financial impact, governance, operational resilience, and strategic readiness. It highlights concrete measures — average cost per incident, downtime cost per minute, MTTR, MTTD, regulatory violations, third-party risk, and residual risk — and urges boards to choose 1–2 metrics per category, set reporting cadence, and iterate until metrics drive oversight.


Thu, October 30, 2025

Protecting Older Family Members From Financial Scams

🔒 Elder fraud is rising sharply: in 2024 Americans aged 60+ reported nearly $4.9 billion lost to online scams, with an average loss of about $83,000 per victim. Effective protection pairs ongoing, shame-free family communication with practical technical measures and a clear remediation plan. Teach relatives to use a password manager, enable two-factor authentication, block popups and robocalls, keep devices updated, and verify any urgent financial request before acting.


Thu, October 30, 2025

Dynamic Binary Instrumentation with DynamoRIO on Windows

🛠️ This post introduces dynamic binary instrumentation (DBI) and provides a hands-on guide to building DBI tooling using DynamoRIO on Windows 11. It explains the difference between static and dynamic instrumentation and highlights practical uses such as malware analysis, anti-anti-analysis techniques, runtime de-obfuscation, and automated unpacking. The tutorial includes example clients, build instructions, and a GitHub repository with sample code to help researchers get started.


Thu, October 30, 2025

Ransomware Profits Decline as Fewer Victims Pay through 2024

🔍 A new Coveware study shows the ransomware economy is shifting: despite an increase in attacks, both average ransom amounts and the share of victims paying demands have fallen. In Q3 only 23% of victims paid, down from 28% in Q1 2024, and average payments dropped from around $377,000 last year to roughly $140,000 this year. Coveware attributes the change to better prevention and incident handling by organizations and growing pressure from authorities. Insurance provider Hiscox warns that 40% of paying victims still lose data, underscoring persistent recovery risks.


Thu, October 30, 2025

Email and Remote Access Drive 90% of Cyber Claims in 2024

📧 At-Bay's 2025 InsurSec analysis finds email and remote access were central to 90% of cyber insurance claims in 2024. Email accounted for 43% of incidents and fraud schemes commonly begin with credential theft, domain spoofing, and impersonation. Google Workspace was cited as the most secure mail provider, though claims rose; MDR services were highlighted as the most reliable defense against full encryption.


Wed, October 29, 2025

Spike in Automated Botnet Attacks Targeting PHP, IoT

🔍 Cybersecurity researchers warn of a sharp rise in automated botnet campaigns targeting PHP servers, IoT devices, and cloud gateways. The Qualys Threat Research Unit says Mirai, Gafgyt, Mozi and similar botnets are exploiting known CVEs, misconfigurations and exposed secrets to recruit vulnerable systems. Attackers leverage active debug interfaces (for example using '/?XDEBUG_SESSION_START=phpstorm'), scan from cloud providers to mask origin, and turn compromised routers and DVRs into residential proxies. Recommended mitigations include prompt patching, removing development tools from production, securing secrets with AWS Secrets Manager or HashiCorp Vault, and restricting public cloud access.


Wed, October 29, 2025

Social Media Privacy Ranking 2025: Platforms Compared

🔒 Incogni’s Social Media Privacy Ranking 2025 evaluates 15 major platforms across data collection, resale, AI training, privacy settings, and regulatory fines. The analysis identifies Pinterest and Quora as the most privacy-conscious, while TikTok and Facebook rank lowest, driven by extensive data use and historical penalties. The report highlights practical differences in opt-outs, data-sharing, and default settings and recommends users review privacy controls and use Kaspersky’s Privacy Checker.


Wed, October 29, 2025

Rise in Attacks on PHP Servers, IoT and Cloud Gateways

🔒 Qualys' Threat Research Unit reports a sharp rise in attacks targeting PHP servers, IoT devices and cloud gateways, driven by botnets such as Mirai, Gafgyt and Mozi exploiting known CVEs and misconfigurations. Researchers highlight active exploitation of flaws like CVE-2022-47945 (ThinkPHP RCE), CVE-2021-3129 (Laravel Ignition) and aging test/debug artifacts such as CVE-2017-9841, while attackers also harvest exposed AWS credentials. Qualys urges continuous visibility, timely patching, removal of debugging tools in production and managed secret stores to reduce risk.
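Both Qualys items above (the botnet spike and this one) describe the same activity from the defender's side: automated probes for known PHP flaws, debug hooks left in production, and exposed secret files. The Python below is an added example that scans web-server access logs for those request shapes; it is not Qualys tooling. The XDEBUG_SESSION_START trigger comes from the report itself; the request paths for CVE-2022-47945, CVE-2021-3129 and CVE-2017-9841 follow the public advisories and proof-of-concepts for each and should be read as this example's assumption, as should the list of secret-file paths. The log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed access-log sample (combined log format), made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2025:10:01:12 +0000] "GET /?lang=../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2025:10:01:14 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [29/Oct/2025:10:02:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162 "-" "curl/8.0"
198.51.100.9 - - [29/Oct/2025:10:02:03 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.9 - - [29/Oct/2025:10:02:05 +0000] "GET /.env HTTP/1.1" 200 311 "-" "curl/8.0"
192.0.2.44 - - [29/Oct/2025:10:03:00 +0000] "GET /products?page=2 HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Request shapes for the flaws the report names. The paths follow the public
# advisories and PoCs for each CVE; treat them as this example's assumption.
SIGNATURES = [
    ("thinkphp-lang-lfi CVE-2022-47945", re.compile(r"[?&]lang=[^&]*\.\./", re.I)),
    ("laravel-ignition-rce CVE-2021-3129", re.compile(r"^/_ignition/execute-solution", re.I)),
    ("phpunit-eval-stdin CVE-2017-9841", re.compile(r"/phpunit/.*/eval-stdin\.php", re.I)),
    ("xdebug-session-trigger", re.compile(r"XDEBUG_SESSION_START=", re.I)),
    ("secret-file-probe", re.compile(r"^/(\.env|\.aws/credentials|\.git/config)(\?|$)", re.I)),
]


def classify(target):
    """Return the first matching signature name for a request target, or None."""
    for name, rx in SIGNATURES:
        if rx.search(target):
            return name
    return None


def scan_log(text):
    """Parse combined-format lines and keep only requests matching a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sig = classify(m["target"])
        if sig is None:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "target": m["target"], "status": status,
            "signature": sig,
            # A non-error status means the probed artefact answered: the debug
            # hook, stale test file or secret is actually reachable, not just
            # requested. Treat that as exposure rather than a failed probe.
            "severity": "exposure" if status < 400 else "probe",
        })
    return hits


def summarize(hits):
    """Per source IP: distinct signatures seen, exposure count, scanner flag."""
    per_ip = defaultdict(lambda: {"signatures": set(), "exposures": 0})
    for h in hits:
        entry = per_ip[h["ip"]]
        entry["signatures"].add(h["signature"])
        if h["severity"] == "exposure":
            entry["exposures"] += 1
    return {
        ip: {
            "signatures": sorted(v["signatures"]),
            "exposures": v["exposures"],
            # One source trying several unrelated CVEs in quick succession is
            # automated scanning, the botnet behaviour the report describes.
            "multi_cve_scanner": len(v["signatures"]) >= 2,
        }
        for ip, v in per_ip.items()
    }


if __name__ == "__main__":
    for ip, info in summarize(scan_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The status-code split is the part worth keeping even if the signature list changes: a 404 for eval-stdin.php says the stale PHPUnit copy is not there, while a 200 for /.env or for the XDEBUG trigger says the secret or the debug hook is live and should be treated as an exposure to fix, not merely an attack to log.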


Wed, October 29, 2025

Detecting CGNAT to Reduce Collateral Damage Globally

🔎 Cloudflare describes a supervised approach to detect large-scale IP sharing — especially CGNAT — to reduce collateral damage from IP-based security controls. They build labeled training data using distributed traceroutes (RIPE Atlas), PTR/WHOIS scraping, and lists of known VPN/proxy exit IPs, then extract per-IP and per-/24 behavioral features. An XGBoost model trained on these features achieves high accuracy, enabling operators to tune rate limits and blocklists with less harm to innocent users, particularly in regions with heavy IP sharing.


Wed, October 29, 2025

Measuring TCP Connection Characteristics at Scale Globally

📊 Cloudflare shares aggregate measurements of TCP connections observed across its global CDN from a uniformly sampled 1% snapshot (Oct 7–15, 2025). The dataset records socket-level metadata via TCP_INFO, SNI, and request counts, limited to gracefully closed connections with at least one HTTP request. Results highlight strong heavy-tailed behavior: most connections are short and small while a minority carry massive volumes, and HTTP/2 shows higher reuse and larger responses than HTTP/1.x.


Wed, October 29, 2025

Preparing for the Digital Battlefield of Identity Risk

🔒 BeyondTrust's 2026 predictions argue that the next major breaches will stem from unmanaged identity debt rather than simple phishing. The report highlights three identity-driven threats: agentic AI acting as privileged deputies vulnerable to prompt manipulation, automated "account poisoning" in financial systems, and long-dormant "ghost" identities surfacing in legacy IAM. The authors recommend an identity-first posture with strict least-privilege, context-aware controls, real-time auditing, and stronger identity governance.


Wed, October 29, 2025

Atroposia RAT Emerges on Dark Web with Modular Toolset

🔍 Security researchers at Varonis identified a modular remote access trojan named Atroposia, first seen on October 15 and promoted on underground forums. The toolkit includes encrypted C2 channels, hidden remote desktop takeover (HRDP Connect), credential and cryptocurrency wallet theft, DNS hijacking, vulnerability scanning and robust persistence. It is offered via subscription tiers and can be combined with services like SpamGPT and MatrixPDF to automate phishing and delivery. Recommended defenses include phishing reduction, timely patching, MFA enforcement and monitoring for post-compromise activity.


Wed, October 29, 2025

Cybersecurity on a Budget: Strategies for Downturn

🔒 During economic downturns, organizations must preserve cybersecurity with constrained budgets by prioritizing risk-based controls, hardening existing systems, and blending open- and closed-source tools. The blog recommends defense-in-depth, isolating legacy hardware, disabling unnecessary features, and tuning EDR/AV, logging, and network filters to reduce exposure. It also advises retaining skilled incident response partners and investing selectively in early-to-mid career talent to maintain long-term resilience.


Wed, October 29, 2025

Notable Post-Quantum Cryptography Initiatives 2023

🔐 The article surveys major post‑quantum cryptography (PQC) initiatives from 2023–2025 that aim to prepare governments and industry for an eventual Q‑Day. It highlights NIST's standardization of ML‑KEM, ML‑DSA and SLH‑DSA (with HQC later selected) and vendor adoption by Google, AWS, Microsoft and others, including Chrome's default hybrid key exchange. Collaborative efforts such as the Linux Foundation's PQCA, the PQC Coalition and IETF's PQUIP are creating tooling, guidance and implementations, while agencies and standards bodies provide migration roadmaps and practical advice on crypto agility and hybrid strategies to mitigate "harvest now, decrypt later" risks.


Wed, October 29, 2025

SBOM Implementation: Eight Best Tools for Supply Chains

🔍 To secure modern software you must know what's inside it, and a Software Bill of Materials (SBOM) provides that transparency. An SBOM should be machine-readable, include component, version, license and patch data, and be generated automatically in CI/CD using standards like SPDX, CycloneDX or SWID. The article reviews eight tools — including Anchore, FOSSA, GitLab and Mend — that generate, analyze and manage SBOMs across the build, registry and runtime lifecycles.
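What "machine-readable, with component, version, license and patch data" buys you in practice is that the SBOM can be checked automatically in CI. The Python below is an added example of such a check against a CycloneDX JSON document, using only the standard library; it is not code from any of the tools the article reviews. The SBOM and the minimum-version policy it is checked against are constructed for the example.

```python
import json

# Constructed CycloneDX 1.5 document for this example; not produced by any of
# the tools the article reviews.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "orders-api", "version": "2.3.1"}},
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "left-pad", "version": "1.3.0"}
  ]
}"""

# Assumed patch-level policy: the lowest version the organisation accepts for a
# package, keyed by purl without its version. Constructed for the example.
MIN_VERSION_POLICY = {
    "pkg:npm/lodash": "4.17.21",
    "pkg:maven/org.apache.logging.log4j/log4j-core": "2.17.1",
}
REQUIRED_FIELDS = ("name", "version", "purl", "licenses")


def load_sbom(text):
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def version_key(version):
    """Compare dotted versions numerically; pre-release suffixes are ignored."""
    parts = []
    for p in version.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def check_completeness(doc):
    """Map component name -> list of required fields it lacks."""
    gaps = {}
    for c in doc.get("components", []):
        missing = [f for f in REQUIRED_FIELDS if not c.get(f)]
        if missing:
            gaps[c.get("name", "<unnamed>")] = missing
    return gaps


def check_patch_level(doc, policy=MIN_VERSION_POLICY):
    """List components whose version is below the policy minimum."""
    findings = []
    for c in doc.get("components", []):
        purl = c.get("purl")
        if not purl:
            continue  # cannot be matched to policy; surfaced by check_completeness
        base = purl.split("@", 1)[0]
        minimum = policy.get(base)
        if minimum and version_key(c["version"]) < version_key(minimum):
            findings.append({"purl": purl, "version": c["version"], "minimum": minimum})
    return findings


if __name__ == "__main__":
    sbom = load_sbom(SBOM_JSON)
    print("incomplete components:", check_completeness(sbom))
    for f in check_patch_level(sbom):
        print(f"{f['purl']} is below policy minimum {f['minimum']}")
```

The completeness check matters as much as the version check: a component without a purl (left-pad here) silently falls out of any automated matching against advisories or policy, so a CI gate should fail on missing identifiers rather than treat them as "no findings".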
