All news with #threat intelligence tag

Iran-Linked Hackers Mapped Ship AIS, Aided Kinetic Strikes

🔎 An Amazon Integrated Security report describes Iran-linked actors conducting digital reconnaissance to enable real-world attacks, a phenomenon the company terms cyber-enabled kinetic targeting. Researchers attribute AIS and CCTV intrusions to Imperial Kitten (aka Tortoiseshell) between December 2021 and January 2024 that preceded a missile attempt on a commercial vessel. Amazon also links MuddyWater activity in mid-2025 to live camera access in Jerusalem and notes the use of anonymizing VPNs to complicate attribution and refine target selection.

Emerging Threats Center in Google Security Operations

🛡️ The Emerging Threats Center in Google Security Operations uses the Gemini detection‑engineering agent to turn frontline intelligence from Mandiant, VirusTotal, and Google into actionable detections. It generates high‑fidelity synthetic events, evaluates existing rule coverage, and drafts candidate detection rules for analyst review. The capability surfaces campaign‑based IOC and detection matches across 12 months of telemetry to help teams rapidly determine exposure and validate their defensive posture.

Seeing Threats First: AI and Human Cyber Defense Insights

🔍 Check Point Research and External Risk Management experts explain how combining AI-driven analytics with seasoned human threat hunters enables organizations to detect and anticipate attacks before they strike. The AMA webinar, featuring leaders like Sergey Shykevich and Pedro Drimel Neto, detailed telemetry fusion, rapid malware analysis, and automated triage to act at machine speed. Speakers stressed continuous intelligence, cross-team collaboration, and proactive hunting to shorten dwell time. The approach blends scalable automation with human context to prevent large-scale incidents.

Preventing SOC Burnout with Real-Time Analysis and Automation

🛡️ SOC teams can reduce analyst burnout by replacing noisy alerts and manual chores with real-time behavioral context, automation, and integrated threat intelligence. Platforms such as ANY.RUN deliver interactive sandboxing that exposes full attack chains, automates human-like interactions (for example, solving CAPTCHAs and revealing hidden redirects), and pushes verified IOCs directly into SOC workflows. Organizations report up to 3× faster triage, fewer false positives, and a calmer, more resilient security operations center.

Asset Management: The Essential Foundation for Defense

🔍 Threat intelligence is valuable but only effective when organizations maintain reliable asset management. Asset management—the inventory, monitoring, and administration of hosts—provides the foundational visibility needed to detect, patch, and prevent intrusions. Bradley Duncan cites historic malware like Emotet and Qakbot to show how poor asset hygiene enabled massive infections and urges proactive measures such as Unit 42's Attack Surface Assessment.

Early Threat Detection: Protecting Growth and Revenue

🔎 Early detection turns cybersecurity from a reactive cost into a business enabler. Investing in continuous visibility, threat intelligence, and rapid detection reduces incident costs, preserves uptime, and protects revenue and reputation. Solutions such as ANY.RUN's Threat Intelligence Feeds and TI Lookup deliver real-time IOCs, context-enriched analyses, and STIX/TAXII-ready integrations so SOCs can prioritize and act faster, lowering MTTR and operational burden.

Weekly Recap: F5 Breach, Linux Rootkits, and Trends

🔒 This weekly recap highlights long-lived, stealthy intrusions and emerging tactics that are reshaping defender priorities. Chief among them, F5 disclosed a year-long breach involving the BRICKSTORM malware and stolen BIG-IP source material, while researchers uncovered new Linux rootkits such as LinkPro and campaigns abusing blockchain smart contracts for malware delivery. The report urges inventorying edge devices, prioritizing patches, and improving detection, baselining, and intelligence sharing.

Microsoft Revokes 200+ Fraudulent Code-Signing Certificates

🔒 Microsoft disclosed it revoked more than 200 certificates after a threat actor tracked as Vanilla Tempest used them to fraudulently sign malicious binaries, including fake Microsoft Teams installers that delivered the Oyster backdoor and led to Rhysida ransomware deployments. The activity was detected in late September 2025 and disrupted earlier this month, and Microsoft has updated security solutions to flag the associated signatures. The actor abused SEO poisoning and bogus download domains impersonating Teams to distribute trojanized installers. Users are advised to download software only from verified sources and to avoid suspicious links or ads.

Smart Contracts Abused to Serve Malware on WordPress

🪙 Google Threat Intelligence Group links a financially motivated actor, UNC5142, to widespread compromises of WordPress sites that leverage EtherHiding and on-chain smart contracts to distribute information stealers such as Atomic, Lumma, Rhadamanthys and Vidar. The campaign injects a multi-stage JavaScript downloader (CLEARSHORT) into plugins, themes and databases to query malicious BNB Smart Chain contracts, which return encrypted landing pages that use ClickFix social engineering to trick Windows and macOS users into executing stealer payloads. Google flagged roughly 14,000 infected pages through June 2025, and observed a move to a three-contract proxy-like architecture since November 2024 that improves agility and resistance to takedown.

Closing Detection Gaps: A Continuous SOC Workflow Model

🛡️ SOC teams can close persistent detection gaps by adopting a continuous detection workflow that links early threat feeds, interactive sandboxing, and live threat lookups. ANY.RUN survey data shows unified stages deliver faster investigations, clearer triage, and reduced MTTR. Early filtering reduces Tier‑1 noise, sandboxes expose evasive payloads in realtime, and threat lookup provides historical context so analysts can validate and act with confidence.

Why a Cisco Talos Incident Response Retainer Matters

🔒 A Cisco Talos Incident Response (IR) Retainer provides organizations with prioritized access to Talos' global threat intelligence and incident response specialists, combining proactive preparedness with rapid 24/7 mobilization. The retainer includes tailored IR plans, playbooks, readiness assessments, and tabletop exercises, plus proactive threat hunting using the PEAK Framework. Clients receive vendor-agnostic integration guidance, optional Cisco technology deployment, coordinated legal and PR support, and detailed post-incident reviews to reduce downtime and reputational harm.

RaccoonO365 Phishing Network Disrupted; 338 Domains Seized

🔒 Microsoft and Cloudflare coordinated a court-ordered disruption that seized 338 domains used by RaccoonO365, a phishing-as-a-service accused of harvesting over 5,000 Microsoft 365 credentials across 94 countries since July 2024. The takedown, executed between September 2–8, 2025, removed malicious Workers scripts, placed interstitial phish warnings, and suspended accounts to cut criminal access. RaccoonO365 was marketed by subscription and used legitimate services like Cloudflare Turnstile and Workers to harden phishing pages and evade detection.

Maturing Cyber Threat Intelligence: CTI Capability Model

🛡️ The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) offers a practical framework for assessing and advancing organizational threat intelligence efforts. It identifies 11 domains and associated CTI missions that support decision-making across areas such as asset management, threat and vulnerability management, incident response, and third-party risk. The model defines four maturity levels (CTI0–CTI3) from pre‑foundational, ad hoc practices to highly refined, strategic intelligence, and prescribes an iterative improvement cycle—prepare, assess, plan, deploy, measure. The guidance stresses focusing on stakeholder needs and delivering useful, timely intelligence rather than pursuing the highest maturity rating for its own sake.

Meet the Next Generation of Unit 42 Threat Intelligence

🔍 Unit 42 highlights two threat intelligence interns, Sakthi Vinayak and Gabrielle Calderon, who completed a 12-week program contributing to practical research and automation projects. Sakthi concentrated on mechanizing data ingestion, implementing a fidelity scoring framework, and building dashboards to surface trends and gaps in the knowledge repository. Gabrielle focused on malware ticket analysis and developing an automation tool to identify malware families and extract indicators of compromise. Both interns credited Unit 42’s collaborative mentorship and cross-team exposure for accelerating their technical growth and real-world impact.

Frenemies in Cybersecurity: Balancing Competition & Sharing

🤝 In a Threat Vector podcast, Michael Sikorski and Michael Daniel of the Cyber Threat Alliance discuss how competing vendors must nonetheless collaborate to counter shared threats. Daniel recalls how pooled observations during the 2017 WannaCry outbreak revealed its worm-like propagation and accelerated industry response. He emphasizes that the main obstacles to sharing are human—culture, legal risk, and lack of executive prioritization—and that concrete guardrails (antitrust-compliance statements, embargo protocols, and equal treatment) build the trust needed for timely intelligence exchange. The post cautions that as adversaries adopt AI and automation, systematic collaboration is essential.

JJ Cummings on Managing Sensitive Threat Intelligence

🔒 At Talos, JJ Cummings — leader of the Threat Intelligence and Interdiction team — discusses the delicate work of handling partner-provided, sensitive information while conducting nation‑state investigations. He outlines how analysts create unattributable or alternatively attributable reporting to preserve sources and still deliver operationally useful findings. JJ credits colleagues such as Matt Olney and Ryan Pentney and emphasizes his team's role as force multipliers in incident response, threat hunting, and deep analysis.