
All news in category “Threat and Trends Reports”

1478 articles · page 71 of 74

From Summer Camp to Grind Season — Threat Source Recap

📰 This week’s Threat Source newsletter highlights three significant vulnerabilities Talos researchers uncovered and helped remediate: a Dell firmware persistence flaw (Revault), an Office for macOS permissions bypass, and router compromises that blend malicious traffic with legitimate ISP flows. The author, William Largent, also emphasizes mental health and recommends a paper on AI behavioral pathologies to help anticipate malicious or errant AI-driven activity. Top headlines include a 4.4M-record TransUnion breach, a Salesloft Drift AI token compromise, a Passwordstate high-severity fix, an Azure AD credential leak, and a WhatsApp zero-day. Watch the Talos Threat Perspective episode and read the Dell write-up for mitigation guidance.

Six Browser-Based Attack Techniques to Watch in 2025

🔒 This article outlines six browser-based attack techniques—phishing with reverse-proxy AitM kits, ClickFix/FileFix command-injection lures, malicious OAuth grants, rogue extensions, weaponized file downloads, and credential attacks exploiting MFA gaps—that security teams must prioritize in 2025. It explains why the browser has become the primary attack surface as users access hundreds of cloud apps, and why traditional email/network controls and endpoint defenses often miss these threats. The piece argues that effective detection requires real-time browser-level visibility and management across managed and unmanaged apps, highlighting Push Security as a vendor offering such capabilities.

Automotive Industry Raises Alarm Over Cyberattack Risks

🚗 A recent survey of 200 German automotive cybersecurity experts and IT decision-makers shows 75% of companies rate the threat from cyberattacks as high or very high. Respondents identified cloud security gaps (19.5%) and ransomware/malware (19%) as the leading concerns, while data breaches (16.5%), AI-based attack scenarios (14.5%) and connected-vehicle vulnerabilities (14%) followed. Fewer than half of firms (47%) express confidence in their defenses, and many plan investments in threat detection, AI-driven analytics and security training.

Secure-by-Default: Simple Defaults to Shrink Attack Surface

🔒 This article argues that adopting a security-by-default mindset—setting deny-by-default policies, enforcing MFA, and employing application Ringfencing™—can eliminate whole categories of risk early. Simple changes like disabling Office macros, removing local admin rights, and blocking outbound server traffic create a hardened environment attackers can’t easily penetrate. The author recommends pairing secure defaults with continuous patching and monitored EDR/MDR for comprehensive defense.

GhostRedirector: IIS SEO Fraud and Windows Backdoors

🕵️ ESET researchers uncovered GhostRedirector, a previously undocumented actor that compromised at least 65 Windows servers across Brazil, Thailand, Vietnam and other countries. The intrusions deployed a passive C++ backdoor, Rungan, and a native IIS module, Gamshen, to enable remote command execution and conduct SEO fraud that targets search-engine crawlers. Attackers also used public LPE exploits (EfsPotato, BadPotato) and PowerShell-based payloads; ESET attributes the activity to a China-aligned actor with medium confidence.

Healthcare slow to remediate serious flaws, average 58 days

🩺 Cobalt's State of Pentesting in Healthcare 2025 report shows healthcare organizations take far longer than peers to remediate serious vulnerabilities, leaving systems and patient data exposed. The firm, using a decade of internal pentest data and a survey of 500 US security leaders, found only 57% of serious findings are fixed and the median time to resolve is 58 days, with a 244-day half-life for serious issues. While business-critical assets often see fixes within days, Cobalt warns that prioritizing SLA-bound remediation lets other serious but non-critical flaws linger and accrue security debt, increasing ransomware and data-exfiltration risk.

Why XSS Still Matters: MSRC on a 25-Year Threat Landscape

🛡️ MSRC reports that Cross-Site Scripting (XSS) remains a persistent threat across legacy portals and modern single-page applications, with hundreds of cases triaged in the past year. Between July 2024 and July 2025, MSRC mitigated over 970 XSS cases and awarded more than $900,000 in bounties, spanning low-impact self-XSS to zero-click critical exploits. The post describes MSRC’s severity matrix that combines data classification and exploit conditions, outlines servicing scope and exclusion criteria, and publishes a practical submission checklist. Developers and researchers are encouraged to adopt context-aware encoding, Content Security Policy (CSP), and secure-by-default frameworks to reduce exposure.

They Know Where You Are: Geolocation Cyber Risks Evolving

📍 Geolocation data from smartphones, apps and IPs can be weaponized by threat actors to launch precise, geographically targeted attacks such as localized phishing and malware activation. These attacks can act as "floating zero days," remaining dormant until they reach a specific location, as seen with Stuxnet and modern campaigns like Astaroth. Organizations should adopt multilayered defenses — robust endpoint detection, decoys, location baselines and stronger multi-factor verification — to mitigate this evolving threat.

Zero Trust Implementation Remains a Major CISO Challenge

🔐 According to an Accenture report, 88% of security leaders say they face significant difficulties implementing Zero Trust, and 80% cannot effectively protect cyber-physical systems. Other industry studies show mixed adoption—Gartner found 63% with full or partial strategies in 2024, while Entrust reports Germany lags at 53%. Experts point to divergent definitions, legacy systems, cultural resistance to the “never trust, always verify” model, poor visibility into data flows, and misaligned incentives as core obstacles; many argue the effort is strategic, lengthy, and requires top-down leadership.

Tycoon Phishing Kit Uses New Link Obfuscation Techniques

🔐 Barracuda researchers have detailed new link-obfuscation capabilities in the Tycoon Phishing-as-a-Service kit that hide malicious destinations from scanners and recipients. Observed techniques include URL encoding with '%20' invisible spaces, deceptive Unicode characters, hidden codes appended to links, redundant protocol prefixes, and subdomain manipulation. Attacks also incorporate a fake CAPTCHA stage and tools aimed at bypassing multi-factor authentication, enabling more effective email-based social engineering and evasion of traditional filters.

A CISO’s Guide to Monitoring the Dark Web Effectively

🔍 Dark web monitoring gives CISOs timely, actionable intelligence that can reveal breaches, stolen credentials, and early indicators of ransomware campaigns. Continuous visibility into forums, marketplaces, and leak sites helps detect initial access brokers, stealer logs, and items like RDP/VPN access being sold, enabling rapid containment and credential revocation. Use platforms such as SpyCloud and DarkOwl, subscribe to threat feeds and ISACs, and augment with deception (honeypots, canary tokens) while integrating findings into SIEM/XDR and incident response playbooks.

Prepared for Cyberattacks: Crisis Communication by Plan

🛡️ Corporate communications must be an integral part of cyber incident preparedness, working closely with the CISO to develop and execute a crisis communication plan. Preventive measures include a crisis manual, continuous internet monitoring, and established relationships with opinion leaders to preserve reputation. The article advises joint leadership by communications and IT of a compact emergency team, creation of an independently accessible emergency infrastructure (including a darksite), staged statements and prebuilt templates, and secure off-network contact lists.

CISSP Certification: Requirements, Exam, Training, Cost

🛡️ The CISSP is an advanced cybersecurity certification from ISC2 that validates a professional's ability to design, implement, and manage enterprise security programs. Candidates typically need five years of relevant work experience or may apply as an Associate of ISC2 while gaining experience, and must pass a rigorous exam covering eight domains. Exam registration costs US$749 and certified holders pay an annual maintenance fee; official and third-party training options are widely available, and CISSP holders often see improved job prospects and higher salaries.

MystRodX Backdoor Uses DNS and ICMP for Stealthy Control

🛡️ QiAnXin XLab warns of a stealthy backdoor named MystRodX (aka ChronosRAT) that leverages layered encryption and flexible network options to hinder detection. The C++ implant supports file management, port forwarding, reverse shells and socket control, and can run actively or as a passive "wake-up" backdoor triggered by crafted DNS queries or ICMP payloads. A multi-stage dropper with anti-debug and VM checks decrypts components and an AES-encrypted configuration that contains C2 endpoints, ports and the backdoor mode.

Understanding Cookie Types and How to Protect Them

🔒 This article explains how web cookies work, their classifications, and why session IDs are particularly valuable to attackers. It outlines common attack methods — including session sniffing over HTTP, cross‑site scripting (XSS), cross‑site request forgery (CSRF), and predictable session IDs — and describes specialized tracking like supercookies and evercookies. Practical advice for users and developers covers HTTPS, browser updates, cookie management, two‑factor authentication, cautious use of public Wi‑Fi, and preferring essential cookies only.

1965 Cryptanalysis Training Workbook Released by NSA

🧾 The NSA has declassified a September 1965 training workbook, Cryptanalytic Diagnosis with the Aid of a Computer, compiling 147 printouts from the diagnostic program Stethoscope. Run on the special-purpose Bogart computer, the listings show statistical outputs—frequency tables, index of coincidence, periodicity tests, and n-gram analyses—used to train analysts to infer language and cipher type without seeing plaintext. The document also notes the related tool Rob Roy and reflects an era when computers automated manual analytic work.

Certified Cloud Security Professional (CCSP) Overview

☁️ The Certified Cloud Security Professional (CCSP) is a cloud-focused security certification from ISC2 for experienced professionals responsible for designing, managing, and securing cloud data, applications, and infrastructure. The exam was updated effective August 1, 2024 to 125 questions over three hours and maps to six CBK domains. Candidates must meet work-experience and endorsement requirements and maintain the credential via annual fees and continuing education.

88% of CISOs Struggle to Implement Zero Trust Programs

🔒 An Accenture report finds 88% of security leaders face significant challenges implementing zero trust. Respondents point to varying definitions, broad deployment scope across on-prem, cloud, IoT and legacy systems, poor visibility into data flows and device/user state, and resistance from business units. Experts recommend phased, use-case-driven rollouts and strong executive sponsorship, while noting meaningful programs can take years and may never be fully complete.

Android droppers now pushing SMS stealers and spyware

🛡️ Security researchers warn that Android dropper apps are increasingly used to deliver not only banking trojans but also SMS stealers, spyware and lightweight payloads. According to ThreatFabric, attackers in India and parts of Asia are packaging payloads behind benign "update" screens to evade targeted Play Protect Pilot Program checks, fetching and installing the real payload only after user interaction. Google says it found no such apps on Play and continues to expand protections, while Bitdefender links malvertising campaigns to Brokewell distribution.

When Browsers Become the Attack Surface: Rethinking Security

🔒 As enterprises shift more critical work to the browser, adversary Scattered Spider (UNC3944) targets live browser data—saved credentials, calendars, and session tokens—to achieve account takeover and persistent access. The article highlights techniques like Browser-in-the-Browser overlays, JavaScript injection, malicious extensions, and token theft that evade conventional EDR. It recommends elevating browser-native controls: runtime JavaScript protection, session-token binding, extension governance, API restrictions, and integrated browser telemetry so CISOs treat browser security as a primary defense layer.