
All news with #incident response tag

219 articles · page 10 of 11

Asahi Halts Japan Operations After Cyberattack Disruption

⚠️ Asahi Group Holdings, Japan’s largest brewer, has suspended multiple domestic operations after a cyberattack disrupted ordering and shipping processes. Call center and customer service desks are currently unavailable to the public, and the company says the incident is confined to Japan-based systems. Investigations are ongoing; there is no confirmed leakage of personal or customer data, no public claim by ransomware gangs, and no recovery timeline has been announced.

UK backs Jaguar Land Rover with £1.5 billion loan guarantee

🔒 The UK Government has granted Jaguar Land Rover a £1.5 billion loan guarantee via UK Export Finance's Export Development Guarantee (EDG) to help the automaker recover after a severe cyberattack halted production and forced system shutdowns. The guarantee backs a commercial bank loan rather than direct state lending, reducing lender risk so JLR can secure larger, better-priced financing and immediate liquidity to pay suppliers. Repaid over five years, the measure is intended to stabilise the supply chain and protect thousands of jobs while JLR works with the NCSC, law enforcement and cybersecurity specialists during a phased return to manufacturing.

Retail at Risk: Single Alert Reveals Persistent Threat

🔍 A single Microsoft Defender alert triggered an investigation that uncovered a persistent cyberthreat against retail customers. Attackers exploited unpatched SharePoint flaws CVE-2025-49706 and CVE-2025-49704 using obfuscated ASPX web shells while also compromising identities through self-service password reset abuse and Microsoft Entra ID reconnaissance. DART swiftly contained the intrusions—removing web shells, isolating Entra ID, deprivileging accounts, and recommending Zero Trust measures, MFA enforcement, timely patching, and EDR deployment.

What Happens When You Engage Talos Incident Response

🔐 Cisco Talos Incident Response (Talos IR) provides rapid, 24/7 crisis support and proactive services to contain, investigate, and remediate cybersecurity incidents. Talos combines deep threat intelligence, digital forensics, and a vendor-agnostic approach to work with existing tools and environments. Engagements follow a structured IR lifecycle—Preparation, Identification, Containment, Eradication, Recovery, and Lessons learned—to minimize disruption and build long-term resilience.

Self-Driving IT Security: Preparing for Autonomous Defense

🛡️ IT security is entering a new era where autonomy augments human defenders, moving beyond scripted automation to adaptive, AI-driven responses. Traditional playbooks and scripts are limited because they only follow defined rules, while attackers continuously change tactics. Organizations must adopt self-driving security systems that combine real-time telemetry, machine learning, and human oversight to improve detection, reduce response time, and manage risk.

CISA Incident Response Findings: GeoServer Exploits

🔒 CISA assisted a U.S. federal civilian executive branch agency after endpoint alerts showed threat actors exploiting CVE-2024-36401 in public-facing GeoServer instances to gain initial access. The actors operated undetected for roughly three weeks, deployed web shells and proxy/C2 tools, and moved laterally to a web and SQL server. CISA highlights urgent patching of KEV-listed flaws, exercising incident response plans, and improving EDR coverage and centralized logging.

CISA Advisory: Lessons from Recent Incident Response

🔒 CISA published an advisory summarizing lessons learned from an incident response engagement after its endpoint detection and response tool detected potential malicious activity. The guidance emphasizes expedited patching—highlighting exploitation of GeoServer CVE-2024-36401—alongside strengthened incident response planning and enhanced threat monitoring. Organizations are urged to prioritize fixes for public-facing systems, test response playbooks, and implement centralized logging to improve detection and reduce exposure.

Attacker Breakout Time Drops to 18 Minutes, ReliaQuest

🔒 ReliaQuest's Threat Spotlight (June–August 2025) reports average attacker breakout time — the period from initial access to lateral movement — has fallen to 18 minutes, with one Akira incident taking just six minutes. The vendor warns adversaries are becoming faster and more adept at bypassing endpoint protections, noting an increase in ransomware using the SMB protocol (from 20% to 29%). Drive-by compromise was the leading initial vector at 34%, and USB-based malware, notably Gamarue, is resurging due to weak policy enforcement and inconsistent endpoint controls.

IR Playbooks and Mental Health After Major Incidents

🛡️ Joe Marshall uses the VPNFilter investigation to illuminate the often-hidden personal cost of incident response. He recounts months of high-pressure analysis into a modular SOHO router botnet attributed to APT28 that featured persistence and a potentially destructive kill switch, and describes how prolonged stress produced burnout, fractured relationships, and career impact. Marshall offers four practical mitigations — boundaries, peer support, unplugged self-care, and mandatory decompression — and underscores how a Cisco Talos Incident Response (IR) Retainer can help organizations respond decisively while protecting staff wellbeing.

Unit 42 Earns NCSC Enhanced Level Incident Response

🔒 Palo Alto Networks' Unit 42 has been added to the UK's NCSC Cyber Incident Response scheme at the Enhanced Level, demonstrating certified capability to manage the most complex and impactful cyber incidents. The assurance verifies structured, government-benchmarked processes, strong investigative expertise, and a customer-focused retainer model tailored to regulatory and operational needs. This recognition underscores Unit 42's role in helping organisations reduce dwell time, contain threats faster, and strengthen long-term resilience.

SonicWall Urges Password Resets After Backup Files Exposure

🔒 SonicWall is urging customers to reset credentials after detecting suspicious activity that exposed firewall configuration backup files stored in the MySonicWall cloud service for under 5% of users. Although stored credentials were encrypted, the preference files contained information that could help attackers target the related firewalls; the company says this was a series of brute-force accesses, not a ransomware event. Customers should verify which backups were affected, disable remote management and VPN access, reset passwords and TOTP bindings, review logs, and import the provided randomized preferences file, which resets local passwords, TOTP bindings, and IPsec keys.

PyPI Invalidates Tokens Stolen in GhostAction Attack

🔐 The Python Software Foundation has invalidated PyPI publishing tokens that were exfiltrated during the early-September GhostAction supply chain attack. GitGuardian first reported malicious GitHub Actions workflows attempting to steal secrets, and PyPI found no evidence that the stolen tokens were used to publish malware. Affected maintainers were contacted and advised to rotate credentials and adopt short-lived Trusted Publishers tokens for GitHub Actions. PyPI also recommended reviewing account security history for suspicious activity.

Alex Ryan: From Zero Chill to Quiet Confidence at Talos

🔒 In this Humans of Talos interview, Alex Ryan, an Incident Commander with Cisco Talos Incident Response, reflects on her unconventional path from liberal arts degrees to a career in cybersecurity and threat intelligence. She describes the technical and emotional realities of incident response—triaging IOCs, conducting forensic analysis, and quickly building customer trust—while managing high stress and business risk. Ryan also discusses recovering from burnout after parenthood, learning to set boundaries, and how a supportive team helps sustain long-term performance.

Protecting SMBs From Ransomware: Trends and Defenses

🔒 Small and medium-sized businesses are increasingly targeted by ransomware gangs that exploit weak defenses, offer Ransomware-as-a-Service, and adapt tactics with AI-driven tools. RaaS industrialization and discoveries like ESET's PromptLock demonstrate how attackers can scale reconnaissance, exploitation and social engineering. SMBs face double-extortion, DDoS and coercive pressures while repeat payments remain an issue despite a decline in aggregate crypto payouts. Practical defenses—Zero Trust, timely patching, reliable backups, EDR/MDR and tested incident response—can materially reduce risk.

How AWS Built a Flywheel to Improve Amazon RDS Security

🔒 As AWS implemented support for PL/Rust on Amazon RDS, engineers created a telemetry-driven 'flywheel' built around SELinux, monitoring, and incident response to safely enable compiled Rust functions. They developed mandatory access control policies, routed denials into telemetry with automated ticketing, and ran quarterly red/blue game days to refine playbooks and reduce noise. An October SELinux denial triggered an investigation that validated the controls and led to collaboration with Varonis Threat Labs.

Why a Cisco Talos Incident Response Retainer Matters

🔒 A Cisco Talos Incident Response (IR) Retainer provides organizations with prioritized access to Talos' global threat intelligence and incident response specialists, combining proactive preparedness with rapid 24/7 mobilization. The retainer includes tailored IR plans, playbooks, readiness assessments, and tabletop exercises, plus proactive threat hunting using the PEAK Framework. Clients receive vendor-agnostic integration guidance, optional Cisco technology deployment, coordinated legal and PR support, and detailed post-incident reviews to reduce downtime and reputational harm.

From Prevention to Rapid Response: The New CISO Era

🔒 CISOs are shifting from an all-or-nothing prevention model to a containment-first strategy that assumes breaches will occur. Organizations are investing in sharper visibility, automation and precise network segmentation to stop lateral movement and reduce blast radius. Modern zero trust implementations enforce context-aware, least-privilege access across hybrid environments, enabling faster detection and automated response while preserving user experience. In sectors such as fintech, CISOs must also balance strong background security with seamless interfaces and user education to sustain trust.

Your SOC as the Parachute: Engineering for Resilience

🪂 The SOC is framed as the parachute organisations rely on when breaches occur. Too many SOCs are under-specified and reactive—drowned in alerts and tools that add complexity rather than resilience. The author calls for Swiss engineering: over-specified, tested processes, rehearsed responses, and anticipatory defence grounded in threat modelling and behavioural context. Vendors and AI can assist, but organisations must own priorities, rehearse decision making, and build muscle memory.

Deep Dive: Cloudflare's Sept 12 Dashboard and API Outage

⚠️ A bug in a React useEffect dependency in the dashboard caused an object to be recreated on every render, triggering repeated calls to the Tenant Service /organizations endpoint. Those excessive requests coincided with a Tenant Service deployment, overwhelming the service and breaking API authorization checks, so many API requests returned 5xx errors and the Cloudflare dashboard became unavailable. Cloudflare mitigated the incident by scaling pods, applying a global rate limit, reverting a problematic patch, and applying a dashboard hotfix. They plan to prioritize Argo Rollouts for safer deployments, add randomized retry delays, increase Tenant Service capacity, and improve observability.

Cyberattack Victim Notification Framework: Recommendations

🔔 This report analyzes the persistent difficulty organizations face when notifying victims of cyber incidents and proposes a practical roadmap to improve outcomes. It introduces the CSRB's native-notification concept and outlines nearer-term, narrower changes that could increase both delivery and trust. The authors recommend that cloud service providers adopt better notification practices, support secure middleware for cross-platform delivery, and strengthen post-notification victim assistance.