All news with #threat report tag

Using Managed XDR to Address Cybersecurity Skills Gaps

🔒 Managed Extended Detection and Response (MXDR) enables organizations to augment understaffed security teams with experienced analysts who provide continuous monitoring and rapid response. Providers deliver 24/7 coverage, broad sensor visibility, and immediate containment actions such as endpoint isolation. MXDR can reduce the need to hire internal specialists, but organizations must evaluate vendors carefully for expertise, data protection, and configurability.

Transparent Email Security: New Microsoft Benchmarking

📊 Microsoft published its second email security benchmarking report comparing environments protected solely by Microsoft Defender to deployments using a Secure Email Gateway (SEG) in front of Defender and Integrated Cloud Email Security (ICES) layered after Defender. The updated methodology corrects for journaling and connector reinjection and now includes Defender's zero‑hour auto purge post‑delivery detections to avoid misattribution. Results show layering reduces marketing and bulk mail (avg 9.4%), while incremental gains for spam and malicious filtering remain modest. Post‑delivery remediation remains critical: Defender's zero‑hour auto purge removed 45% of malicious mail reaching inboxes on average, and ICES vendors accounted for an average 55% post‑delivery catch.

Behind the Breaches: Case Studies of Modern Threat Actors

🔍 This analysis examines leaked communications and recent incidents to reveal how modern threat actors organize, adapt and blur the lines between criminal, contractor and researcher roles. Leaked BlackBasta chats show internal discord, leadership opacity, technical debt and disputes over revenue and workload. The EncryptHub case highlights a solo operator who both conducted malware and credited vulnerability disclosures to Microsoft, illustrating the growing hybridization of actor identities. Finally, BlackLock’s open recruitment for "traffers" demonstrates how the ransomware supply chain is becoming commoditized and industrialized.

November 2025: Ransomware and GenAI Drive Cyber Attacks

🛡️ In November 2025, organizations faced an average of 2,003 cyber-attacks per week, a 3% rise from October and 4% above November 2024. Check Point Research attributes the increase to a surge in ransomware, broader attack surfaces and growing exposure from internal use of generative AI tools. The education sector was hit hardest, averaging 4,656 attacks per organization per week. These trends elevate operational, data and recovery risks across industries.

Four clusters exploiting CastleLoader expand MaaS reach

🛡️Recorded Future's Insikt Group attributes rapid expansion of a modular loader ecosystem to an actor named GrayBravo, noting the distribution of a loader called CastleLoader under a malware-as-a-service model. The report identifies four distinct operational clusters that employ phishing, ClickFix campaigns, malvertising, and impersonation to deliver CastleLoader and secondary payloads such as CastleRAT and NetSupport RAT. These campaigns target logistics and enterprise software users and leverage multi-tiered C2 infrastructure and fraudulent platform accounts to increase credibility and resilience.

Hidden Forensic Evidence in Windows ETL: Diagtrack File

🔍 FortiGuard IR analysts discovered that an obscure ETL file, AutoLogger-Diagtrack-Listener.etl, can retain historical process execution data useful for post-incident forensics. Parsing ETW payloads exposed ProcessStarted events including ImageName, ProcessID, ParentProcessID and sometimes CommandLine entries that revealed deleted tools. Controlled testing showed creating the autologger and setting AllowTelemetry=3 often produced an empty file, indicating the DiagTrack service may populate the file only under undocumented conditions. Further research is needed to understand when and how this telemetry is written.

Manufacturing Sees Fewer Encryptions but Ransom Risks

🔒 A recent Sophos study finds the manufacturing sector is blocking more ransomware before encryption, with only 40% of attacks resulting in data encryption this year versus 74% in 2024. Despite improved containment, data theft remains high (39% of encrypted cases) and more than half of affected firms paid ransoms; the median payment was about €861,000. Shortages of skilled staff, unknown vulnerabilities and inadequate protections are cited as root causes, and attacks are increasing stress and leadership pressures within IT teams.

FinCEN: Ransomware Gangs Extorted $2.1B (2022–2024)

📊 A FinCEN analysis of 4,194 Bank Secrecy Act filings found organizations paid more than $2.1 billion in ransom between January 2022 and December 2024. Ransomware incidents peaked in 2023 before falling in 2024 after law enforcement actions disrupted ALPHV/BlackCat and LockBit. Most ransom payments were under $250,000 and roughly 97% were made in Bitcoin. Manufacturing, financial services, and healthcare were the most targeted industries.

JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT

🔍 Securonix has detailed a campaign named JS#SMUGGLER that leverages compromised websites and an obfuscated JavaScript loader to deliver the NetSupport RAT. Attackers chain a hidden iframe and a remote HTA executed via mshta.exe to run encrypted PowerShell stagers and fetch the RAT. The loader applies device-aware branching and a visit-tracking mechanism to trigger payloads only on first visits, reducing detection risk. Temporary stagers are removed and payloads execute in-memory to minimize forensic artifacts.

ClayRat Android Spyware Upgraded with Greater Control

🔒 A new version of the ClayRat Android spyware significantly expands surveillance and device-control features, researchers at Zimperium report. The campaign now pairs Default SMS privileges with aggressive abuse of Accessibility Services to enable a keylogger that captures PINs, passwords and unlock patterns, full-screen recording via the MediaProjection API, deceptive overlays and automated taps that hinder removal. Over 700 unique APKs and more than 25 active phishing domains — including impersonations of video platforms and car apps — have been observed distributing the malware.

Substitution Cipher Modeled on the Voynich Manuscript

🧩 Bruce Schneier highlights a new paper proposing the Naibbe cipher, a verbose homophonic substitution method that transforms Latin and Italian plaintext into ciphertext resembling the Voynich Manuscript. The author demonstrates the cipher can be executed entirely by hand with plausible 15th‑century materials. Applied to a range of texts, Naibbe reproduces many of the manuscript’s key statistical properties while remaining decipherable. Schneier observes this keeps the ciphertext hypothesis viable and places constraints on plausible substitution structures.

Cyber Threats to the U.S.: What Policymakers Need for 2026

🔒 A new Check Point brief warns that cyber attacks against the U.S. have evolved into coordinated geopolitical tools employed by states, criminal networks, and ideological groups. These operations now aim to influence policy, erode public trust, and target critical infrastructure rather than being mere technical intrusions. The report urges leaders to prioritize resilience, improve cross-sector coordination, and strengthen information-sharing and recovery capabilities.

SANS ICS/OT Security 2025: Key Findings and Actions

🔐 The SANS State of ICS/OT Security 2025 report, sponsored by Fortinet, highlights persistent operational risks across critical infrastructure, with high incident rates, extended remediation times, and remote-access exposures. It calls for treating mean time to recovery (MTTR) as a board-level metric, unifying IT/OT visibility, and automating response playbooks. The analysis urges replacing ad hoc remote connectivity with secure, monitored access and integrating OT-specific threat intelligence into enforcement; FortiPAM and FortiGuard AI-Powered Security Services are cited as solutions to improve segmentation, detection, and recovery.

Ransomware in Manufacturing: Lower Encryption, High Payouts

🔒 A Sophos study finds manufacturing firms are increasingly able to stop ransomware before encryption occurs, with only 40% of attacks leading to data encryption — the lowest rate in five years and down from 74% the prior year. Despite improved defenses, data theft remains a major concern: 39% of encrypted incidents resulted in data loss. More than half of affected companies still paid ransoms, with a median payment of about €861,000 versus median demands near €1 million. Respondents cited skills shortages, unknown vulnerabilities and missing protections as key contributors, and attacks continue to strain IT and leadership teams.

Largest U.S. Telecommunications Hack: What Happened

🔐 On December 4, 2024, U.S. officials confirmed a widespread cyber-espionage campaign that targeted some 80 global telecommunications providers across dozens of countries. The intrusion has been attributed to a sophisticated nation-state actor tracked by Microsoft as Salt Typhoon (aka Ghost Emperor / FamousSparrow), with earlier links to LightBasin. A joint task force—Operation Enduring Security Framework—led by the NSA, Pentagon and CISA was created to contain and investigate the offensive.

Suspicious CDN-Header Traffic May Signal Evasion Tests

🔍 SANS honeypots detected increased HTTP requests containing CDN-related headers that may indicate probing to evade CDN protections. Researchers observed headers referencing Cloudflare (Cf-Warp-Tag-Id), Fastly (X-Fastly-Request-Id), Akamai (X-Akamai-Transformed) and an anomalous X-T0Ken-Inf0. Experts warn this could be reconnaissance to bypass CDNs and reach origin servers and urge origin hardening such as IP allowlists, validated tokens, or private connectivity.

From Feeds to Flows: Operationalizing Threat Intelligence

🔗 The article argues that traditional threat feeds no longer suffice in modern, interconnected environments and proposes a Unified Linkage Model (ULM) to transform static indicators into dynamic threat flows. ULM defines three core linkage types — adjacency, inheritance and trustworthiness — to map how risk propagates across systems. It outlines practical steps to ingest and normalize feeds, establish and score linkages, integrate with MITRE ATT&CK and risk frameworks, and visualize attack pathways for prioritized response and compliance.

Skills Shortages Outpace Headcount in Cybersecurity 2025

🔍 ISC2’s 2025 Cybersecurity Workforce Study, based on responses from more than 16,000 professionals, reports that 59% of organizations now face critical or significant cyber-skills shortages, up from 44% last year. Technical gaps are most acute in AI (41%), cloud security (36%), risk assessment (29%) and application security (28%), with governance, risk and compliance and security engineering each at 27%. The survey cites a dearth of talent (30%) and budget shortfalls (29%) as leading causes and links shortages to concrete impacts—88% reported at least one significant security incident. Despite concerns, headcount appears to be stabilizing and many professionals view AI as an opportunity for specialization and career growth.

WARP PANDA: Sophisticated China-Nexus Cloud Threats

🔍 CrowdStrike identified a China-nexus adversary, WARP PANDA, conducting covert intrusions against VMware vCenter and cloud infrastructure throughout 2025, deploying novel Golang implants and the backdoor BRICKSTORM. Operations emphasized stealth—log clearing, timestomping, unregistered VMs, and tunnelling via vCenter/ESXi/guest VMs—enabling long-term persistence and data staging from live VM snapshots. WARP PANDA also exfiltrated Microsoft 365 and SharePoint content, registered MFA devices, and abused cloud services for C2, prompting recommendations for tighter ESXi/vCenter controls and robust EDR on guests.

Smashing Security Ep. 446: Doxxing and SE-as-a-Service

🔐 In episode 446 of the Smashing Security podcast, Graham Cluley and guest Rik Ferguson discuss a teenage cybercriminal who inadvertently doxxed himself by mocking a sextortion scammer. They examine how stolen data has become the jet fuel of cybercrime and consider worrying trends for 2026. Plus, Graham rants about intrusive recipe sites and shares musical notes about Lily Allen.