All news in category "Threat and Trends Reports"

Mon, October 27, 2025

Challenges and Best Practices in Internet Measurement

📊 Cloudflare explains why measuring the Internet is uniquely difficult and how rigorous methodology, ethics, and clear representation make findings reliable. A February 2022 traffic spike from Lviv, seen in Cloudflare's own data, illustrates how context and complementary data sources can prevent a benign event from being misclassified as an attack. The post contrasts active and passive techniques and direct versus indirect measurement, outlines a lifecycle of curation, modeling, and validation, and stresses low-impact, ethical approaches. It concludes by inviting collaboration and continued exploration of passive measurement methods.

read more →

Mon, October 27, 2025

Internet Measurement, Resilience and Transparency Week

📡 This week Cloudflare Research publishes a series of posts revealing methods and findings that advance a more measurable, resilient, and transparent Internet. The series explores Internet measurement fundamentals, resilience frameworks, post-quantum deployment, and networking innovations, with deep dives into products such as Cloudflare Radar and experiments like Merkle Tree Certificates. Expect practical analysis, IETF-aligned protocol discussion, and real-world deployment considerations.

read more →

Mon, October 27, 2025

Working with Passive Data at Internet Scale: Challenges

🔍 During a 2022 internship at Cloudflare, Ram Sundara Raman examined whether connection tampering by network middleboxes can be detected using only passive production data. He sampled one in 10,000 TCP connections and logged the first ten inbound packets, then developed 19 tampering signatures while confronting scale, noisy telemetry, and limited ground truth. The work exposed practical limits of passive observation and the care required to interpret packet-level signals, and its outputs are published on Cloudflare Radar.
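The pipeline the summary describes (sample a small fraction of flows, keep only the first few inbound packets of each, match that short sequence against tampering signatures) can be sketched in a few dozen lines. The example below is added here and is not Cloudflare's code; the hash-based sampling method, the two signatures and the packet traces are illustrative assumptions, not the 19 signatures or the telemetry from the real study. It also shows why interpretation needs care: a client that simply aborts after its first data packet matches one signature but not the TTL check.

```python
"""Illustrative passive tampering detector (added example, not Cloudflare's code).

Pipeline: sample roughly 1 in SAMPLE_RATE flows, keep the first MAX_PACKETS
inbound packets of each sampled flow, and test that short sequence against
simplified signatures. Signatures and traces are assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass

SAMPLE_RATE = 10_000   # 1 in 10,000 flows, as in the summary
MAX_PACKETS = 10       # first ten inbound (client-to-server) packets


@dataclass(frozen=True)
class Packet:
    flags: str          # TCP flag letters, e.g. "S", "A", "PA", "R"
    ttl: int            # IP TTL as received
    payload_len: int    # bytes of TCP payload


def is_sampled(flow_key: tuple, rate: int = SAMPLE_RATE) -> bool:
    """Deterministic 1-in-rate selection by hashing the 4-tuple (assumed method).

    Hashing the flow key keeps every packet of a chosen flow together, which
    independent per-packet sampling would not.
    """
    digest = hashlib.sha256("|".join(map(str, flow_key)).encode()).digest()
    return int.from_bytes(digest[:8], "big") % rate == 0


def rst_after_client_data(pkts: list) -> bool:
    """Teardown right after the client's first data packet (e.g. a TLS
    ClientHello carrying an SNI) with no further client data afterwards."""
    for i, p in enumerate(pkts):
        if "P" in p.flags and p.payload_len > 0:
            rest = pkts[i + 1:]
            return any("R" in q.flags for q in rest) and not any(q.payload_len > 0 for q in rest)
    return False


def rst_ttl_mismatch(pkts: list, tolerance: int = 2) -> bool:
    """RST whose TTL differs from the SYN's TTL beyond `tolerance`: it travelled
    a different number of hops, so a device on the path, not the client, sent it."""
    syn = next((p for p in pkts if "S" in p.flags and "A" not in p.flags), None)
    if syn is None:
        return False
    return any("R" in p.flags and abs(p.ttl - syn.ttl) > tolerance for p in pkts)


SIGNATURES = {
    "rst_after_client_data": rst_after_client_data,
    "rst_ttl_mismatch": rst_ttl_mismatch,
}


def classify_flows(flows: dict, rate: int = SAMPLE_RATE) -> dict:
    """flows: {flow_key: [inbound packets in arrival order]}.
    Returns {flow_key: [matched signature names]} for sampled flows only."""
    results = {}
    for key, pkts in flows.items():
        if not is_sampled(key, rate):
            continue
        head = pkts[:MAX_PACKETS]          # only the retained prefix is visible
        results[key] = [name for name, fn in SIGNATURES.items() if fn(head)]
    return results


# Constructed sample flows (not real telemetry). Client packets arrive with TTL 52;
# an RST injected by a device a few hops from the server arrives with a higher TTL.
SAMPLE_FLOWS = {
    ("198.51.100.7", 40001, "203.0.113.10", 443): [        # ordinary TLS handshake
        Packet("S", 52, 0), Packet("A", 52, 0), Packet("PA", 52, 517),
        Packet("A", 52, 0), Packet("A", 52, 0)],
    ("198.51.100.8", 40002, "203.0.113.10", 443): [        # on-path RST after ClientHello
        Packet("S", 52, 0), Packet("A", 52, 0), Packet("PA", 52, 517), Packet("R", 61, 0)],
    ("198.51.100.9", 40003, "203.0.113.10", 443): [        # client itself aborted
        Packet("S", 52, 0), Packet("A", 52, 0), Packet("PA", 52, 517), Packet("R", 52, 0)],
}

if __name__ == "__main__":
    # rate=1 retains every constructed flow; production would use SAMPLE_RATE.
    for key, hits in classify_flows(SAMPLE_FLOWS, rate=1).items():
        print(key, hits or "no signature")
```

The third flow is the cautionary case: it matches `rst_after_client_data` on its own, so a detector built on that signature alone would count ordinary client aborts as tampering; combining it with the TTL discrepancy (or other corroborating signals) is what separates the two.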

read more →

Mon, October 27, 2025

First Wap Altamides: SS7 Phone-Tracking Empire Revealed

🔎 Operating from Jakarta, First Wap markets a covert phone-tracking system called Altamides that leverages the legacy telecom protocol SS7 to locate subscribers in real time. Unlike device-targeting spyware such as Pegasus, Altamides requires no malicious link or implant and leaves minimal forensic traces on phones. Reporting from Mother Jones and Lighthouse Reports traces how permissive export rules and a global client network have allowed this capability to spread.

read more →

Mon, October 27, 2025

UK Fraud Cases Surge 17% as APP Losses Rise in H1 2025

💷 The UK saw a 17% annual rise in consumer fraud cases in H1 2025, with total losses of £629m across 2.1 million incidents, according to UK Finance’s Half Year Fraud Report 2025. Authorized push payment (APP) losses increased 12% despite an 8% decline in APP case numbers, driven largely by investment and romance scams originating on social media. Card-not-present activity pushed card losses to £299m, and criminals are increasingly using social engineering and compromised OTPs to scale attacks.

read more →

Mon, October 27, 2025

How MDR Gives MSPs a Competitive Market Edge Today

🛡️ Managed detection and response (MDR) helps managed service providers (MSPs) overcome talent shortages, alert overload and rapidly evolving threats by outsourcing 24/7 SOC monitoring, behavioral detection, threat hunting and automated incident response. MDR can open recurring revenue streams, strengthen customer relationships and meet cyberinsurance conditions, while intelligent prioritization and GenAI-assisted playbooks reduce operational strain and false positives. Choosing a partner with proven threat intelligence, continuous operations and a human-plus-machine approach is critical.

read more →

Mon, October 27, 2025

Top 10 Challenges Facing CISOs and Security Teams Today

🔒 Security leaders face a rapidly evolving threat landscape driven by AI, constrained budgets, talent shortages, and a vastly expanded attack surface. Many organizations rushed into AI adoption before security controls matured, and CISOs report growing involvement in AI governance and implementation even while attackers leverage AI to compress time-to-compromise. Data protection, employee susceptibility to sophisticated scams, quantum readiness, and board alignment emerge as immediate priorities that require clearer risk-based decisions and frequent simulation exercises.

read more →

Mon, October 27, 2025

Qilin Ransomware: Attack Methods and TTPs Exposed Globally

🔍 Cisco Talos details widespread Qilin ransomware operations observed in late 2025, highlighting persistent leak-site activity and sustained victim publication. The analysis links many intrusions to exposed administrative credentials and unprotected remote access, with manufacturing, professional services, and wholesale trade heavily affected. Talos documents abuse of open-source exfiltration tools (notably Cyberduck), dual-encryptor deployment patterns, credential harvesting with mimikatz and SharpDecryptPwd, and numerous defense-evasion techniques, recommending layered controls such as MFA, credential monitoring, and hardened backups.

read more →

Sun, October 26, 2025

RedTiger Infostealer Used to Steal Discord Accounts

🛡️ Attackers have compiled the open-source RedTiger red-team tool into a Windows infostealer that harvests Discord account tokens, payment details, browser credentials, crypto wallet files, and game data. The malware injects JavaScript into Discord's client to capture logins, purchases, and password changes, archives stolen data, and uploads it to GoFile. Users should revoke tokens, change passwords, reinstall Discord from the official site, clear browser data, and enable MFA.

read more →

Fri, October 24, 2025

Threat Actor Misuse of AzureHound for Cloud Discovery

🔍 AzureHound is an open-source Go-based enumeration tool designed for cloud discovery and red-team assessments that threat actors also misuse to map Entra ID and Azure resources. Unit 42 outlines how adversaries leverage Microsoft Graph and Azure REST APIs to enumerate users, groups, roles, storage and services and to identify privilege escalation paths. The report highlights observable artifacts such as the user-agent azurehound/ and discusses detection opportunities in Microsoft Graph, Entra ID sign-in logs and Cortex XQL hunts. Practical mitigations include phishing-resistant MFA, Conditional Access Policies, token binding and broad endpoint and cloud visibility.
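The user-agent artifact named in the report is the simplest hunt, but it is also the easiest thing for an adversary to change, so a detection should pair it with the behaviour AzureHound produces: one principal walking many directory collections in a short window. The example below is added here and is not Unit 42's or BloodHound's code; the record schema (one JSON object per Graph request with `createdDateTime`, `userPrincipalName`, `userAgent`, `requestUri`) is a simplified assumption, the thresholds are illustrative, and the log lines are constructed.

```python
"""Hunt for AzureHound-style enumeration in Graph request logs (added example).

Two detections over constructed log records (assumed simplified schema):
  1. user-agent beginning with "azurehound/" (the artifact named in the report);
  2. a burst of distinct directory collections from one principal, which still
     fires when the user-agent has been renamed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

AZUREHOUND_UA_PREFIX = "azurehound/"
# Collections AzureHound-style tooling walks; illustrative, not exhaustive.
ENUM_COLLECTIONS = {
    "/users", "/groups", "/servicePrincipals", "/applications",
    "/devices", "/roleManagement/directory/roleAssignments",
}
BURST_DISTINCT = 4                  # distinct collections ... (assumed threshold)
BURST_WINDOW = timedelta(minutes=5)  # ... within this window


def parse_record(line: str) -> dict:
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
    return rec


def graph_collection(uri: str) -> Optional[str]:
    """Map e.g. https://graph.microsoft.com/v1.0/users?$top=999 -> '/users'."""
    path = "/" + uri.split("://", 1)[-1].split("/", 1)[1].split("?", 1)[0]
    for ver in ("/v1.0", "/beta"):
        if path.startswith(ver):
            path = path[len(ver):]
    return next((c for c in ENUM_COLLECTIONS if path == c or path.startswith(c + "/")), None)


def detect(lines: list) -> dict:
    """Returns {principal: sorted list of reasons} for principals worth triage."""
    reasons = defaultdict(set)
    by_actor = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        actor = rec["userPrincipalName"]
        if rec.get("userAgent", "").lower().startswith(AZUREHOUND_UA_PREFIX):
            reasons[actor].add("azurehound_user_agent")
        col = graph_collection(rec["requestUri"])
        if col:
            by_actor[actor].append((rec["ts"], col))
    for actor, events in by_actor.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            distinct = {c for t, c in events[i:] if t - t0 <= BURST_WINDOW}
            if len(distinct) >= BURST_DISTINCT:
                reasons[actor].add("graph_enumeration_burst")
                break
    return {a: sorted(r) for a, r in reasons.items()}


def _rec(ts, upn, ua, uri):
    return json.dumps({"createdDateTime": ts, "userPrincipalName": upn,
                       "ipAddress": "198.51.100.23", "userAgent": ua, "requestUri": uri})


G = "https://graph.microsoft.com/v1.0"
# Constructed log lines, not real telemetry.
SAMPLE_LINES = [
    # default AzureHound user-agent, walking the directory
    _rec("2025-10-20T09:00:05Z", "svc-audit@contoso.example", "azurehound/v2.2.0", G + "/users?$top=999"),
    _rec("2025-10-20T09:00:07Z", "svc-audit@contoso.example", "azurehound/v2.2.0", G + "/groups?$top=999"),
    _rec("2025-10-20T09:00:09Z", "svc-audit@contoso.example", "azurehound/v2.2.0", G + "/servicePrincipals"),
    _rec("2025-10-20T09:00:12Z", "svc-audit@contoso.example", "azurehound/v2.2.0",
         G + "/roleManagement/directory/roleAssignments"),
    # ordinary user reading mail: not an enumeration collection
    _rec("2025-10-20T09:30:00Z", "jdoe@contoso.example", "Mozilla/5.0", G + "/me/messages"),
    # renamed user-agent, same walking pattern: caught only by the burst rule
    _rec("2025-10-20T10:15:00Z", "ops-tmp@contoso.example", "python-requests/2.32.3", G + "/users"),
    _rec("2025-10-20T10:15:30Z", "ops-tmp@contoso.example", "python-requests/2.32.3", G + "/groups"),
    _rec("2025-10-20T10:16:10Z", "ops-tmp@contoso.example", "python-requests/2.32.3", G + "/applications"),
    _rec("2025-10-20T10:17:45Z", "ops-tmp@contoso.example", "python-requests/2.32.3", G + "/devices"),
]

if __name__ == "__main__":
    for actor, why in detect(SAMPLE_LINES).items():
        print(actor, why)
```

Tune `BURST_DISTINCT` and `BURST_WINDOW` against your own baseline: legitimate inventory or IGA service principals walk the same collections, so the burst rule is a triage signal to join with the identity's expected behaviour, not a verdict.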

read more →

Fri, October 24, 2025

Why Threat Actors Succeed and How Defenders Respond

🔍 The Unit 42 2025 Incident Response analysis explains that attackers exploit complexity, visibility gaps and excessive trust to succeed against organizations of all sizes. The report notes that almost a third of incidents were cloud-related, that IAM failures appeared in 41% of cases, and that attackers often began lateral movement within an hour of initial access, causing outsized disruption and cost. The recommended response is to consolidate telemetry into an integrated platform like Cortex, extend protection into cloud with Cortex Cloud, secure browser activity with Prisma Browser, and engage Unit 42 for advisory and retainer services.

read more →

Fri, October 24, 2025

Privacy rankings of popular messaging apps — 2025 Report

🔒 Incogni's Social Media Privacy Ranking 2025, summarized by Kaspersky, evaluates 15 platforms across 18 criteria to compare messaging apps on privacy and data handling. Overall scores place Discord, Telegram and Snapchat near the top, but a subset of practical criteria ranks Telegram first, followed by Snapchat and Discord. The analysis highlights default settings, data collection by mobile apps, handling of government requests, and encryption differences, noting that only WhatsApp provides end-to-end encryption for all chats by default.

read more →

Fri, October 24, 2025

Cyber-risk in the Shadows: Shadow IT, AI Use and Risks

🛡️ In a short video for Cybersecurity Awareness Month, ESET Chief Security Evangelist Tony Anscombe explains how unsanctioned hardware and software — commonly called shadow IT — is creating security gaps in the remote and hybrid work era. He warns that growing employee use of generative AI further increases risk by exposing sensitive corporate data outside IT control. The video outlines practical steps IT teams can take to discover, govern and mitigate these hidden risks and points to related guidance on authentication, patching and ransomware resilience.

read more →

Fri, October 24, 2025

Path to CPS Resilience: Securing Critical Infrastructure

🔒 Cyber-physical systems (CPS) underpin critical infrastructure across industry, healthcare and buildings, and their continuous availability is essential to public safety and business continuity. The article urges CISOs to prioritize CPS security, invest in OT protection, close long-standing IT–OT silos and maintain accurate asset inventories. It highlights that many organizations lack OT incident response or business continuity plans and emphasizes that rapid recovery, segmentation and tested emergency procedures are key to minimizing downtime and harm. Analysts warn of steep recovery times and severe financial and human impacts if CPS resilience is not improved.

read more →

Fri, October 24, 2025

ToolShell Exploit Drives Surge in SharePoint Attacks

🛡️ Cisco Talos reports a rapid rise in exploitation of public-facing applications following the mid‑July 2025 disclosure of the ToolShell chain, which targets on‑premises Microsoft SharePoint servers via CVE-2025-53770 and CVE-2025-53771. In Q3, application exploitation featured in over 60% of Talos Incident Response engagements, with ToolShell activity implicated in nearly 40% of cases. Talos urges expedited patching and network segmentation to limit lateral movement and downstream impacts such as ransomware.

read more →

Fri, October 24, 2025

Kryptos Part Four Claimed Solved Amid Auction Dispute

🧩 Two researchers say they have solved the long-elusive fourth section of Kryptos, but reached the answer through documentary research rather than cryptanalysis, finding clues in the Sanborn papers at the Smithsonian’s Archives of American Art. The discovery comes as Jim Sanborn is preparing to auction what he describes as the solution, and the solvers report they will not publish their work. Legal threats have been made over disclosure and sale, though the legal basis is unclear. The episode raises immediate questions about provenance, transparency, and the ethics of selling a solution to a famous cryptographic artwork.

read more →

Fri, October 24, 2025

The Cybersecurity Perception Gap: Executive vs. Ops

🔍 The Bitdefender 2025 Cybersecurity Assessment highlights a widening perception gap between executives and operational security teams. While 93% of surveyed cybersecurity and IT professionals report confidence in managing an expanding attack surface, just 45% of C-level leaders describe themselves as "very confident" versus 19% of mid-level managers. Without improved reporting, shared visibility and stronger cross-level communication, this divide risks underinvestment and misaligned priorities that can create critical blind spots.

read more →

Fri, October 24, 2025

Signal Protocol's Path to Quantum-Resistant Messaging

🔒 Signal has moved to integrate post-quantum cryptography into its messaging stack to mitigate future quantum threats. Phase 1 uses PQXDH, a hybrid handshake combining X25519 with the KEM CRYSTALS-Kyber, to block harvest now, decrypt later attacks. Phase 2 adds SPQR, which runs alongside the Double Ratchet to form a hybrid Triple Ratchet, preserving forward secrecy and post-compromise security while handling larger key sizes, asynchrony, and message loss.

read more →

Fri, October 24, 2025

Malicious Extensions Spoof AI Browser Sidebars, Report

⚠️ Researchers at SquareX warn that malicious browser extensions can inject fake AI sidebars into AI-enabled browsers, including OpenAI Atlas, to steer users to attacker-controlled sites, exfiltrate data, or install backdoors. The extensions inject JavaScript to overlay a spoofed assistant and manipulate responses, enabling actions such as OAuth token harvesting or execution of reverse-shell commands. The report recommends banning unmanaged AI browsers where possible, auditing all extensions, applying strict zero-trust controls, and enforcing granular browser-native policies to block high-risk permissions and risky command execution.

read more →

Thu, October 23, 2025

Mic-E-Mouse: Eavesdropping via High-Resolution Mice

🔊 A recent study by researchers at the University of California, Irvine shows that very high-resolution optical sensors in some mice can detect minute desk vibrations produced by speech. The theoretical attack, labeled Mic-E-Mouse, requires mice with extremely high DPI (≈10,000+) and very high polling rates (≈4,000 Hz+) and malware to exfiltrate raw sensor frames. The raw signals are extremely noisy, but Wiener filtering and ML-based denoising allowed partial speech recovery under controlled lab conditions. Significant practical limitations — few qualifying models, controlled setups with speakers inches from the sensor, and steep drops in accuracy with common barriers — plus straightforward mitigations make the attack largely a proof of concept for now.

read more →