<ciso brief />

All news with #threat intelligence tag

102 articles · page 2 of 6

Google and Partners Sign Global Accord to Combat Scams

🤝 Google announced it has signed the Industry Accord Against Online Scams & Fraud with major industry partners including Adobe, Amazon, LinkedIn, Meta, Microsoft and OpenAI. The agreement commits participants to unify capabilities, share threat intelligence and coordinate defenses against sophisticated, cross-border scam networks. Google said it will expand technical support and deploy AI-driven detection tools, building on $15 million in Google.org funding. In 2026 the company will share more through the Global Signal Exchange and publish guides on data sharing, private sector referrals to law enforcement, and public policy frameworks.
read more →

ESET Threat Intelligence Emerges as Strategic Game-Changer

🔍 ESET positions its threat intelligence and telemetry as essential tools for organizations facing increasingly sophisticated cyber threats, including AI-enabled attacks and convincing deepfakes. ESET Telemetry reports a 12% decline in overall detections in India (Jan–Aug 2025), but ransomware surged 70% from H2 2024 to H1 2025 and phishing remains the most common vector. The vendor bundles endpoint, XDR, identity protection, MDR, and analyst-driven APT reporting to help CIOs and CISOs stay ahead.
read more →

CISO Role Evolves Rapidly with AI in Cyber Defense

🔐 AI is reshaping cyber defense strategies and executive responsibilities. Organizations face a dual-use threat where AI empowers attackers and defenders; security teams must combine human expertise with automated capabilities. Human + AI approaches, informed by threat intelligence and comprehensive asset mapping, are critical. Vendors like ESET emphasize global, 24/7 coverage and say CISOs must secure board-level buy-in, regulatory alignment, and a clear, cost-effective AI roadmap to improve detection, response, and remediation.
read more →

149 Hacktivist DDoS Claims Target 110 Organizations

🚨 Cybersecurity firms reported 149 hacktivist DDoS claims from Feb 28–Mar 2 that targeted 110 organizations across 16 countries, with 107 attacks concentrated in the Middle East. Two groups, Keymous+ and DieNet, drove nearly 70% of activity while NoName057(16) and others composed most remaining operations. Government, finance, and telecom sectors were disproportionately targeted, and vendors including Radware, Orange Cyberdefense, and Unit 42 provided attribution and telemetry. Analysts warn allied nations and critical infrastructure to increase monitoring and harden defenses.
read more →

Building a High-Impact Tier 1: 3 Steps CISOs Must Follow

🛡️ Tier 1 analysts handle the bulk of alerts but frequently lack the context and tooling needed to decide quickly and accurately. The piece advises CISOs to invest in three coordinated capabilities: live threat intelligence feeds to improve detection, automated enrichment and sandbox analysis to turn flags into findings, and comprehensive integration of intelligence into SIEM, EDR, and network controls. These steps reduce MTTD/MTTR, lower false positives, and shift Tier 1 work from manual research to high-value investigation.
read more →

Leaked Ariomex Database Suggests Iranian Sanctions Evasion

🔍 Resecurity analysed a leaked Ariomex database covering 2022–2025 and concluded the exchange's records suggest potential sanctions evasion and large capital transfers linked to actors inside Iran. The review covered 11,826 verified users, identified 27 potential sanctions matches and found about 7,710 Iran-linked accounts, with roughly 70% of volume in Tether and Tron. Resecurity flagged mechanisms such as shell accounts, stablecoin routing and intermediary wallets and said it will assist regulators.
read more →

Cloudflare Threat Intelligence Platform: Edge-native TIP

🛡️ Cloudflare’s Cloudforce One Threat Intelligence Platform is an edge-native TIP that centralizes global telemetry, analyst investigations, and automated defenses. Instead of bulky ETL pipelines feeding a monolithic database, it uses a sharded, SQLite-backed Durable Object architecture and runs GraphQL in Workers for sub-second queries across many shards. The platform enriches SIEM alerts with historical actor context, supports STIX 2 exports, and can push protections immediately via the Firewall API to close the loop between discovery and defense.
read more →

Talos: Monitoring Cyber Activity in the Middle East

🔍 Cisco Talos is actively monitoring the evolving conflict in the Middle East for cyber-related activity and currently reports no significant, state-sponsored cyber impacts. Incidents observed to date are limited — primarily website defacements, small distributed-denial-of-service (DDoS) campaigns, and opportunistic phishing using conflict-themed lures. Talos assesses that Iranian-aligned groups historically operate in espionage, destructive attacks, and hack-and-leak operations, which remain plausible avenues. Organizations should prioritize MFA, timely patching, robust monitoring, and targeted third-party risk controls to reduce collateral exposure.
read more →

Beyond CVSS: Smarter Vulnerability Prioritization Strategies

🔍 For years organizations have relied on CVSS scores as the default measure of vulnerability severity, but severity does not equal operational risk. High CVSS numbers can misdirect remediation efforts while lower-scored but actively exploited flaws pose greater danger. KEV lists are useful yet inherently reactive; effective prioritization demands multi-source threat intelligence and real-time exploitation telemetry to focus fixes where they reduce true risk.
read more →
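The ranking logic the article argues for, as an added illustration rather than code from the piece: exploitation evidence (a KEV listing, attempts seen in one's own telemetry) and exposure (internet-facing, asset criticality) are weighted so that they outrank a high CVSS base score on its own. Every CVE identifier, score and asset attribute below is constructed; CVE-0000-* is not a real identifier range, and the weights are assumptions a team would tune to its own environment.

```python
"""Risk-based vulnerability prioritization: exploitation evidence and exposure
outrank raw CVSS severity.  Added illustration; not code from the article.
All CVE ids, scores and asset attributes are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float               # CVSS base score, 0..10
    in_kev: bool              # listed in a known-exploited-vulnerabilities catalogue
    exploit_attempts_7d: int  # exploitation attempts seen in own telemetry, last 7 days
    internet_facing: bool     # reachable from the internet
    asset_criticality: int    # 1 = low, 2 = normal, 3 = crown jewel


def risk_score(f: Finding) -> float:
    """Severity is only the starting point; exploitation evidence and exposure dominate.
    Weights are assumptions for illustration, not values from the article."""
    score = f.cvss
    if f.in_kev:
        score += 10.0                                        # confirmed exploited in the wild
    if f.exploit_attempts_7d > 0:
        score += 5.0 + min(f.exploit_attempts_7d, 100) / 20.0  # 5..10, saturating
    score *= 1.5 if f.internet_facing else 1.0
    score *= {1: 0.8, 2: 1.0, 3: 1.3}[f.asset_criticality]
    return score


def prioritize(findings):
    """Highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed backlog: on a CVSS-only list the 9.8 would be fixed first.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, False, 0, False, 1),  # critical score, internal, no exploitation seen
    Finding("CVE-0000-0002", 6.5, True, 40, True, 3),   # medium score, in KEV, under attack, exposed
    Finding("CVE-0000-0003", 7.5, False, 3, True, 2),   # a few attempts, exposed
    Finding("CVE-0000-0004", 9.1, True, 0, False, 2),   # in KEV but internal only
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.cve}  cvss={f.cvss:<4}  risk={risk_score(f):.1f}")
```

With these inputs the CVSS 6.5 finding that is in KEV, exposed and being probed ranks first and the CVSS 9.8 on an unexposed low-value asset ranks last, which is the point the article makes; the KEV-listed 9.1 on an internal host lands in between, showing that KEV alone still needs exposure context.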

Local KTAE On-Prem Deployment and IDA Pro Plugin Integration

🔒 Kaspersky outlines the on-premises Kaspersky Threat Attribution Engine (KTAE) and a free IDA Pro plugin that embeds attribution into the reverse-engineering workflow. The local KTAE keeps all analysis inside the customer perimeter, supports adding proprietary threat groups, and enriches attribution with internal research. The Python-based plugin requires IDA Pro (not IDA Free), a local KTAE URL and an API token, and then highlights the code fragments that triggered the attribution.
read more →

Disrupting GRIDTIDE: Global Telecom Cyber Espionage

🛡️ Google Threat Intelligence Group, Mandiant, and partners executed a coordinated disruption against a global espionage campaign attributed to UNC2814 that abused cloud services for covert command and control. Investigators identified a novel C-based backdoor called GRIDTIDE that uses Google Sheets APIs as a high-availability C2 channel, protected by an AES-128-CBC key and service account credentials. Actions included terminating attacker-controlled Google Cloud projects, disabling accounts and Sheets API access, sinkholing infrastructure, and publishing IOCs and detection guidance to support defenders.
read more →
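A backdoor that uses a legitimate SaaS API as its C2 channel blends into allowed traffic, so one useful hunt is for machine-regular polling of such an API from a non-browser client. The following is an added example of that detection logic and is not code, telemetry or indicators from the GRIDTIDE report; the proxy log lines, hostnames and user agents are constructed, and the thresholds are assumptions to tune against one's own baseline.

```python
"""Beacon detection over web-proxy logs: a host polling a SaaS API at
machine-regular intervals with a non-browser user agent.  Added example,
not code or telemetry from the report; the log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: ISO-8601 time, source host, destination, user agent.
# ws-017 polls the Sheets API about once a minute; ws-042 is a person using Docs.
PROXY_LOG = """\
2025-03-01T09:00:00Z ws-017 sheets.googleapis.com python-requests/2.31
2025-03-01T09:00:00Z ws-042 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2025-03-01T09:01:00Z ws-017 sheets.googleapis.com python-requests/2.31
2025-03-01T09:02:00Z ws-017 sheets.googleapis.com python-requests/2.31
2025-03-01T09:03:01Z ws-017 sheets.googleapis.com python-requests/2.31
2025-03-01T09:03:10Z ws-042 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2025-03-01T09:04:00Z ws-017 sheets.googleapis.com python-requests/2.31
2025-03-01T09:04:05Z ws-042 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2025-03-01T09:05:00Z ws-017 sheets.googleapis.com python-requests/2.31
2025-03-01T09:06:00Z ws-017 sheets.googleapis.com python-requests/2.31
2025-03-01T09:07:00Z ws-017 sheets.googleapis.com python-requests/2.31
2025-03-01T09:11:40Z ws-042 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2025-03-01T09:12:02Z ws-042 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2025-03-01T09:30:15Z ws-042 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
2025-03-01T09:31:00Z ws-042 docs.google.com Mozilla/5.0 (Windows NT 10.0) Chrome/122
"""


def parse(log: str):
    """Split each line into (timestamp, source host, destination, user agent)."""
    events = []
    for line in log.splitlines():
        ts, src, dst, ua = line.split(" ", 3)          # the user agent keeps its spaces
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, ua))
    return events


def find_beacons(events, min_hits: int = 6, max_cv: float = 0.2):
    """One record per (source, destination) pair whose request spacing is regular:
    enough hits, and a coefficient of variation of the inter-request gaps at or
    below max_cv.  A small CV tolerates the light jitter implants add; a human
    browsing session has a CV well above 1."""
    by_pair = defaultdict(list)
    agents = defaultdict(set)
    for ts, src, dst, ua in events:
        by_pair[(src, dst)].append(ts)
        agents[(src, dst)].add(ua)
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu > 0 else 0.0
        if cv <= max_cv:
            beacons.append({
                "src": src, "dst": dst, "hits": len(stamps),
                "period_s": round(mu, 1), "cv": round(cv, 3),
                # a browser-only user agent set lowers confidence; a script UA raises it
                "browser_like": all(ua.startswith("Mozilla/") for ua in agents[(src, dst)]),
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse(PROXY_LOG)):
        print(b)
```

Only ws-017 is reported: eight requests about 60 seconds apart with a scripted client, while the Docs traffic from ws-042 is irregular and dropped. The check is deliberately destination-agnostic, because the same regularity shows up whatever SaaS API an implant hides behind; in production the period and CV thresholds need a baseline, since legitimate sync agents also poll on timers.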

Internal and External Threat Intelligence for Security

🔍 Threat intelligence isn't the problem—it's the type and context. Security teams need both internal intelligence (signals and telemetry from inside their environment) and external intelligence (attacker activity, campaigns, and indicators) because each alone gives an incomplete picture. Many organizations ingest multiple generic, fragmented, and delayed feeds that confuse rather than clarify risk, causing critical decisions to be based on underrefined data. Integrating and enriching feeds with internal telemetry turns raw alerts into prioritized, actionable insights.
read more →

Lithuania’s Mission for a Safe and Inclusive E‑Society

🔒 The Lithuanian government, coordinated by the Innovation Agency Lithuania, has launched a national initiative to strengthen e-security and digital resilience across public services and critical infrastructure. One of three strategic missions, Safe and Inclusive E-Society, led by Kaunas University of Technology (KTU), unites universities and cybersecurity firms under a €24.1 million program to develop and pilot AI-driven defenses, threat sensors, automated cyber threat intelligence, and disinformation detection. Researchers warn that Generative AI and LLMs are transforming fraud into highly realistic, scalable, multilingual social engineering attacks, requiring a shift from pattern-based defenses to adaptive, AI-enhanced protection and cross-sector collaboration.
read more →

Criminal IP Integrates with IBM QRadar SIEM and SOAR

🔍 Criminal IP has integrated with IBM QRadar SIEM and SOAR, embedding external IP-based threat intelligence directly into detection, investigation, and response workflows. Firewall traffic forwarded to QRadar is analyzed via the Criminal IP API and observed IPs are automatically scored as High, Medium, or Low to help prioritize actions. Analysts can right-click IPs in Log Activity to view detailed Criminal IP reports, while pre-built SOAR playbooks automate IP and URL enrichment to accelerate response without leaving the QRadar environment.
read more →

New CYROS Warning App Launches to Alert on Cyber Incidents

🔔 The Frankfurt Cyberintelligence Institute (CII) has launched the Cyber Risk Observation Service (CYROS), a smartphone warning app that consolidates security-relevant alerts on ransomware, phishing and digital sabotage. CYROS aggregates official and specialist sources, including the Federal Office for Information Security (BSI), consumer protection groups and security vendors, and will integrate SOC feeds from Datagroup. Alerts are paired with tailored guidance and are sortable by topic, life area and federal state; the app is free in app stores and alerts are also accessible online.
read more →

New Technical Markers Expose Expanded ShadowSyndicate

🔍 Group-IB researchers have linked dozens of servers to the ShadowSyndicate cybercrime cluster through reused OpenSSH fingerprints and recurring access keys, exposing a larger, consistently managed malicious infrastructure. The cluster, first documented in 2023, continues to deploy and transfer servers between internal clusters while retaining overlapping keys that enable attribution. Analysts identified at least 20 command-and-control nodes supporting commercial red-team frameworks and open-source post-exploitation tools and observed ties to multiple ransomware affiliates. Group-IB recommends ingesting indicators of compromise, monitoring repeated MFA failures and unusual login activity, and tracking activity in frequently used autonomous systems.
read more →
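The pivot Group-IB describes, clustering servers by a reused OpenSSH host key, is easy to reproduce against one's own scan data. Below is an added example, not Group-IB's code or data: it computes the OpenSSH-style SHA256 fingerprint from a host key blob and groups hosts that present the same key. The scan output is constructed in the `host keytype base64` format that `ssh-keyscan` prints, the 32-byte "keys" are arbitrary bytes rather than real Ed25519 public keys (only the fingerprint arithmetic matters), and the addresses come from the reserved documentation ranges.

```python
"""Pivoting on reused SSH host keys: cluster scanned hosts by the SHA256
fingerprint of their host key blob.  Added example, not Group-IB's code or data;
the scan output is constructed and the key bytes are not real keys."""
import base64
import hashlib
from collections import defaultdict


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def ed25519_blob(raw32: bytes) -> str:
    """Base64 of the OpenSSH wire blob for an ssh-ed25519 public key."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed ssh-keyscan style output, one line per server.  Three servers
# present the same host key: a shared image, or one operator moving keys.
KEY_A = ed25519_blob(bytes(range(0, 32)))     # arbitrary bytes, not a real key
KEY_B = ed25519_blob(bytes(range(32, 64)))
KEY_C = ed25519_blob(bytes(range(64, 96)))
SCAN_OUTPUT = "\n".join([
    f"203.0.113.10 ssh-ed25519 {KEY_A}",
    f"203.0.113.11 ssh-ed25519 {KEY_B}",
    f"198.51.100.5 ssh-ed25519 {KEY_A}",
    f"198.51.100.6 ssh-ed25519 {KEY_C}",
    f"192.0.2.77 ssh-ed25519 {KEY_A}",
])


def cluster_by_fingerprint(scan_output: str):
    """Map fingerprint -> hosts, keeping only fingerprints seen on more than one host."""
    clusters = defaultdict(list)
    for line in scan_output.splitlines():
        if not line.strip() or line.startswith("#"):   # ssh-keyscan emits '#' comment lines
            continue
        host, _keytype, blob = line.split()[:3]
        clusters[fingerprint(blob)].append(host)
    return {fp: hosts for fp, hosts in clusters.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in cluster_by_fingerprint(SCAN_OUTPUT).items():
        print(fp, "->", ", ".join(hosts))
```

Real input comes from `ssh-keyscan -t ed25519,rsa <hosts>` or from an internet-scan dataset that records host keys. A shared fingerprint is a pivot, not attribution on its own: cloud images and container bases that ship a baked-in host key produce the same reuse across unrelated tenants, so corroborate with the other overlaps the article mentions, such as recurring access keys and the autonomous systems the cluster favours.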

Practical Value of Cyberthreat Attribution in Defense

🔎 Analysts often stop at sandboxing and blocklisting, but that approach fails against targeted, multi-stage intrusions. Attribution — linking artifacts to known groups — enables defenders to find related tools, tactics and IOCs and to prioritize remediation. Using the Kaspersky Threat Intelligence Portal, the article shows how TTP correlation, YARA rules and SIEM signatures can accelerate containment and reduce false positives.
read more →

Securing Mid-Market Across the Complete Threat Lifecycle

🔒 Mid-market organizations face a constant tradeoff between necessary security and limited budgets and staff. This article argues for security across the full threat lifecycle—combining prevention, protection, detection, and response—to reduce risk without adding complexity. It highlights how consolidated platforms like Bitdefender GravityZone and outsourced MDR services extend visibility and operational capacity. The goal is stronger coverage with less overhead.
read more →

Three CISO Decisions to Reduce Dwell Time and Downtime

🔒 CISOs must prioritize reducing dwell time by acting on high-quality, timely threat intelligence that maps to actual business risk rather than broad public feeds. AnyRun promotes STIX/TAXII-compatible TI Feeds that deliver validated IPs, domains, and hashes plus behavioral context from global sandbox analyses, claiming near-zero false positives and 99% unique indicators. Integrating these feeds into SIEM, EDR/XDR, TIP, or NDR is presented as a way to detect more threats, lower escalations, and accelerate MTTD/MTTR to preserve operational continuity.
read more →
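Three items on this page come down to the same mechanical step: a STIX 2 export (the Cloudflare platform), a STIX/TAXII feed (the three CISO decisions item) or any external feed (the internal and external intelligence item) has to be flattened into something a SIEM can join against internal telemetry. The following is an added example of that step and is not any vendor's code: it parses indicator patterns out of a STIX 2.1 bundle, builds a lookup table, and enriches events with the matching indicator and its confidence. The bundle, its identifiers and the events are constructed. Only equality comparisons joined with OR are supported, which is what feed-style indicators use; patterns with AND, FOLLOWEDBY or other operators are reported as skipped rather than partially matched, and revoked indicators are dropped.

```python
"""Turn a STIX 2.1 indicator bundle into a SIEM lookup and enrich events with it.
Added example, not a vendor's code.  Bundle, ids and events are constructed."""
import json
import re

# One comparison inside a STIX pattern: <type>:<field> = '<value>'
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")
# Operators this matcher does not implement; such patterns are skipped, not partially matched.
UNSUPPORTED = re.compile(r"\b(AND|FOLLOWEDBY|MATCHES|LIKE|ISSUBSET|ISSUPERSET|REPEATS|WITHIN|START)\b")

# Event field -> STIX object path it is compared against.
FIELD_MAP = {
    "src_ip": "ipv4-addr:value",
    "dst_ip": "ipv4-addr:value",
    "dst_domain": "domain-name:value",
    "url": "url:value",
    "sha256": "file:hashes.SHA-256",
}

# Constructed bundle: all ids and values are placeholders.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-0000000000a1", "name": "constructed C2 address",
         "pattern": "[ipv4-addr:value = '203.0.113.10']", "valid_from": "2025-01-01T00:00:00Z", "confidence": 85},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-0000000000a2", "name": "constructed phishing domain",
         "pattern": "[domain-name:value = 'login.bad.invalid' OR url:value = 'http://login.bad.invalid/auth']",
         "valid_from": "2025-01-01T00:00:00Z", "confidence": 60},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-0000000000a3", "name": "constructed dropper",
         "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']",
         "valid_from": "2025-01-01T00:00:00Z", "confidence": 95},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-0000000000a4", "name": "constructed, since revoked",
         "pattern": "[ipv4-addr:value = '198.51.100.9']", "valid_from": "2025-01-01T00:00:00Z", "revoked": True},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-0000000000a5", "name": "constructed, needs a pattern engine",
         "pattern": "[network-traffic:dst_port = 4444 AND network-traffic:dst_ref.value = '203.0.113.20']",
         "valid_from": "2025-01-01T00:00:00Z"},
    ],
})


def load_indicators(bundle_json: str):
    """Flatten indicator patterns into {(stix_path, value_lowercase): indicator}.
    Returns the table and the ids of indicators this simple matcher cannot honour."""
    table, skipped = {}, []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        pattern = obj["pattern"]
        if obj.get("pattern_type", "stix") != "stix" or UNSUPPORTED.search(pattern) or "!=" in pattern:
            skipped.append(obj["id"])
            continue
        for typ, field, value in COMPARISON.findall(pattern):
            path = typ + ":" + field.replace("'", "")   # file:hashes.'SHA-256' -> file:hashes.SHA-256
            table[(path, value.lower())] = obj
    return table, skipped


def enrich(event: dict, table: dict):
    """Return the indicators that match one event's observable fields."""
    hits = []
    for field, path in FIELD_MAP.items():
        value = event.get(field)
        if value is None:
            continue
        ind = table.get((path, str(value).lower()))
        if ind:
            hits.append({"field": field, "value": value, "indicator": ind["id"],
                         "name": ind["name"], "confidence": ind.get("confidence")})
    return hits


# Constructed internal telemetry: normalized events as a SIEM would present them.
EVENTS = [
    {"ts": "2025-03-01T10:00:00Z", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10"},
    {"ts": "2025-03-01T10:00:02Z", "src_ip": "10.0.0.6", "dst_domain": "LOGIN.bad.invalid"},
    {"ts": "2025-03-01T10:00:03Z", "src_ip": "10.0.0.7", "dst_ip": "198.51.100.9"},
    {"ts": "2025-03-01T10:00:04Z", "host": "ws-017", "sha256": "0123456789abcdef" * 4},
    {"ts": "2025-03-01T10:00:05Z", "src_ip": "10.0.0.8", "dst_domain": "example.com"},
]

if __name__ == "__main__":
    table, skipped = load_indicators(STIX_BUNDLE)
    for event in EVENTS:
        print(event["ts"], enrich(event, table))
    print("skipped:", skipped)
```

Two details matter for feed quality in practice: the revoked indicator produces no hit even though the address still appears in an event, and the AND pattern is reported as skipped instead of being turned into two independent lookups that would fire on half a condition. Carrying the confidence field through to the alert is what lets a Tier 1 analyst rank a 95-confidence hash match above a 60-confidence domain match without opening the feed.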

Four Key Challenges Slowing CISOs’ Security Agendas

🛡️ Many CISOs now expect a material breach within the next 12 months, yet four persistent constraints are holding back security agendas: weak empowerment and decision training for teams, difficulty keeping pace with enterprise AI adoption, slow use of AI in security operations, and acute talent and skills shortages. The article draws on surveys from Proofpoint, Cyera, ISC2 and others, and quotes practitioners who recommend clear prioritization criteria, holistic AI risk profiling, and targeted talent strategies to restore momentum.
read more →