All news with #threat report tag

Tech Surpasses Gaming as Top DDoS Target Q1-Q2 2025

🛡️ The Gcore Radar Q1–Q2 2025 report shows a 41% year-on-year rise in DDoS attacks, with total incidents reaching 1.17 million and a record 2.2 Tbps peak. Attacks are getting longer, more sophisticated, and increasingly multi-vector, with technology (≈30%) overtaking gaming (19%) as the primary target. Gcore emphasizes integrated WAAP and global filtering capacity to mitigate these risks.

DeceptiveDevelopment: Social-Engineered Crypto Theft

🧩DeceptiveDevelopment is a North Korea-aligned actor active since 2023 that leverages advanced social-engineering to compromise software developers across Windows, Linux and macOS. Operators pose as recruiters on platforms like LinkedIn and deliver trojanized codebases and staged interviews using a ClickFix workflow to trick victims into executing malware. Their multiplaform toolset ranges from obfuscated Python and JavaScript loaders to Go and .NET backdoors that exfiltrate crypto, credentials and sensitive data. ESET's white paper and IoC repository provide full technical analysis and telemetry.

Bookworm Linked to Stately Taurus — Unit 42 Analysis

🔎 This Unit 42 case study applies the Unit 42 Attribution Framework to link the Bookworm remote access Trojan to the Chinese APT group Stately Taurus by combining malware analysis, tooling, OPSEC, infrastructure, victimology, and timelines. Analysts highlighted embedded PDB paths, a UUID-based shellcode encoding technique, and co-occurrence with a custom tool named ToneShell. Overlapping C2 IPs and domains, consistent targeting in Southeast Asia, and closely aligned compile times supported a high-confidence attribution. Palo Alto Networks also lists protections across WildFire, NGFW, URL/DNS filtering, Cortex XDR, and incident response contact options.

UNC5221 Deploys BRICKSTORM Backdoor Against US Targets

🛡️ Mandiant and Google’s Threat Intelligence Group report that the China‑nexus cluster UNC5221 has delivered the Go‑based backdoor BRICKSTORM to U.S. legal, SaaS, BPO, and technology organizations, frequently exploiting Ivanti Connect Secure zero‑days. BRICKSTORM uses a WebSocket C2, offers file and command execution, and provides a SOCKS proxy to reach targeted applications. The campaign prioritizes long, stealthy persistence on appliances that lack traditional EDR coverage, enabling lateral movement and access to downstream customer environments.

Extending Zero Trust to the Storage Layer: Resilience

🔒 Applying zero trust to the storage layer is no longer theoretical — it is now essential to ensure recovery. The author describes ransomware incidents, including Change Healthcare in February 2024, where attackers deliberately targeted backups and recovery points, exposing storage as a primary attack surface. He recommends three operational principles — control where data is touched, control who and when, and make critical backups immutable — and ties those measures to governance, policy-as-code, and executive outcomes.

Allianz: Attackers Shift From Large Firms to Easier Targets

🛡️ Allianz warns that cybercriminals are increasingly shifting focus from well‑defended large organizations to smaller, less secure firms and to regions beyond the US and Europe. The insurer's Cyber report says customer losses in H1 2025 were about half those in H1 2024, even as active ransomware groups may have risen by roughly 50%. Double extortion and data theft now account for a growing share of large losses, and attackers often exploit third‑party IT providers to reach hardened targets.

RainyDay, Turian and PlugX Variant Abuse DLL Hijacking

🛡️ Cisco Talos describes an ongoing campaign in which Naikon-linked actors abused DLL search order hijacking to load multiple backdoors, including RainyDay, a customized PlugX variant and Turian. The report highlights shared loaders that use XOR and RC4 decryption with identical keys and an XOR-RC4-RtlDecompressBuffer unpacking chain. Talos notes the PlugX variant adopts a RainyDay-style configuration and includes embedded keylogging and persistence, with activity observed since 2022 targeting telecom and manufacturing organizations in Central and South Asia. Talos published IOCs and recommended mitigations for detection and prevention.

US Secret Service Seizes 300 SIM Servers, 100,000 Cards

🚨 The U.S. Secret Service announced it dismantled a network of more than 300 co-located SIM servers and roughly 100,000 SIM cards across the New York tri-state area ahead of the United Nations General Assembly. The devices, concentrated within a 35-mile radius of the UN gathering, were used to issue anonymous threats to senior U.S. officials and could be weaponized to disrupt telecommunications or enable encrypted communications. The agency's Advanced Threat Interdiction Unit is leading the investigation and said early evidence shows cellular links between nation-state actors and individuals known to federal law enforcement.

2025 DORA Report: AI-assisted Software Development

🤖 The 2025 DORA Report synthesizes survey responses from nearly 5,000 technology professionals and over 100 hours of qualitative data to examine how AI is reshaping software development. It finds AI amplifies existing team strengths and weaknesses: strong teams accelerate productivity and product performance, while weaker teams see magnified problems and increased instability. The report highlights near-universal AI adoption (90%), widespread productivity gains (>80%), a continuing trust gap in AI-generated code (~30% distrust), and recommends investment in platform engineering, user-centric workflows, and the DORA AI Capabilities Model to unlock AI’s value.

AI Growth Fuels Surge in Hardware and API Vulnerabilities

🛡️ Bugcrowd's annual "Inside the Mind of a CISO 2025: Resilience in an AI-Accelerated World" report warns that rapid, AI-assisted development is expanding the attack surface and exposing foundational weaknesses. Published September 23, the study links faster release cycles to gaps in access control, data protection and hardware security, and highlights rising API and network vulnerabilities. It calls for continuous offensive testing and collective intelligence to mitigate escalating risks.

Attacker Breakout Time Drops to 18 Minutes, ReliaQuest

🔒 ReliaQuest's Threat Spotlight (June–August 2025) reports average attacker breakout time — the period from initial access to lateral movement — has fallen to 18 minutes, with one Akira incident taking just six minutes. The vendor warns adversaries are becoming faster and more adept at bypassing endpoint protections, noting an increase in ransomware using the SMB protocol (from 20% to 29%). Drive-by compromise was the leading initial vector at 34%, and USB-based malware, notably Gamarue, is resurging due to weak policy enforcement and inconsistent endpoint controls.

Operation Rewrite: BadIIS SEO Poisoning Campaign in Asia

🔍 Unit 42 uncovered Operation Rewrite, a March 2025 SEO poisoning campaign that deploys a native IIS implant called BadIIS to manipulate search engine indexing and redirect users to attacker-controlled scam sites. The implant registers request handlers, inspects User‑Agent and Referer headers, and proxies malicious content from remote C2 servers. Variants include lightweight ASP.NET page handlers, a managed .NET IIS module, and an all-in-one PHP front controller. Organizations can detect and block activity with Palo Alto Networks protections and should engage incident responders if compromised.

Nimbus Manticore Expands into Europe Targeting Defense

🛡️ Check Point Research reports that Iranian-linked threat actor Nimbus Manticore is expanding operations into Europe, focusing on the defense, telecom and aerospace sectors. The group uses fake job portals and targeted spear‑phishing to deliver malicious files disguised as hiring materials while impersonating prominent aerospace firms. Evolving toolsets such as MiniJunk and MiniBrowse enable stealthy data theft and persistent access, consistent with intelligence-collection objectives linked to IRGC priorities.

CSO Awards: Security Innovation and Transformative Work

🔒 CSO highlights seven award-winning security initiatives that showcase practical innovation across vulnerability management, third-party risk, multicloud security, secure coding, threat detection, and AI-driven hunting. Profiles include BMHCC’s risk-based remediation delivering a 70% risk reduction, FSU’s tighter vendor assessments, Marvell’s unified cloud vulnerability platform, and Mastercard’s developer-focused security conference. The pieces emphasize automation, AI, and cross-team collaboration as key drivers of measurable security impact.

Ransomware Still Evades Defenses Despite Protections

🔒 Picus Security's Blue Report 2025 shows ransomware continues to outpace defenses: overall prevention fell from 69% to 62% year-over-year, while data exfiltration prevention collapsed to just 3%. Both established families (BlackByte, BabLock, Maori) and emerging strains (FAUST, Valak, Magniber) bypass controls using credential theft, fileless techniques and staged execution. Picus recommends continuous Breach and Attack Simulation (BAS) to validate controls, deliver actionable fixes, and provide measurable evidence of readiness.

Gamaredon and Turla Collaborate in Attacks on Ukraine

🕵️ ESET researchers report that Russian state-linked groups Gamaredon and Turla collaborated in 2025 campaigns targeting high-value Ukrainian defense systems. In February, investigators observed Turla issuing commands via Gamaredon implants and Gamaredon's PteroGraphin downloader being used to restart Turla's Kazuar backdoor. Kazuar harvested machine metadata while Gamaredon later deployed Kazuar v2 installers in April and June. ESET assesses with high confidence that the interactions reflect a deliberate operational convergence.

Surveying the Global Spyware Market: 2024 Investment Shifts

🔍 The Atlantic Council’s second annual report, Mythical Beasts, maps the global spyware market and documents a substantial uptick in US-based investors in 2024, which made the United States the largest investor in this sampled dataset despite ongoing policy actions. The authors also emphasize the opaque, central role of resellers and brokers, whose intermediary activity obscures vendor–buyer ties and complicates oversight. Overall, the report highlights a clear enforcement and transparency gap and urges targeted research and coordinated policy responses.

Gamaredon and Turla Collaboration Targets Ukraine in 2025

🚨 ESET Research reports the first observed collaboration between Gamaredon and Turla in Ukraine, with telemetry from February to June 2025 showing Gamaredon tools used to deliver and restart Turla’s Kazuar implants. ESET assesses with high confidence that Gamaredon provided initial access and delivery channels while Turla selectively deployed advanced Kazuar implants on higher‑value hosts. The analysis details multiple infection chains involving PteroGraphin, PteroOdd and PteroPaste, and includes technical indicators and remediation guidance.

Russia and China Target Germany's Economy: Survey Findings

🔍 A representative Bitkom survey of 1,002 German companies finds nearly three in four report rising attacks, estimating combined damage at €289 billion. 87% of executives said their organization experienced at least one attack in the past 12 months; 28% now suspect foreign intelligence involvement. Respondents most often pointed to China and Russia (46% each). Insurers report AI-generated false claims, prompting firms and authorities to adopt more holistic, AI-assisted defenses.

Smart Cities Face Growing Cybersecurity Risks and Gaps

🏙️ Smart cities are expanding rapidly—69% of municipalities report strategic agendas and an estimated 83,000 sensors were deployed in 2024—significantly enlarging the attack surface. High-profile incidents (Dallas alarm hack, Washington, DC ransomware, Florida water-treatment manipulation, and Olsztyn transport disruption) show that networked devices can lead to both digital and physical harm. Experts from Accenture, Zebra Technologies, and S2GRUPO warn that legacy devices, fragmented governance, and IT/OT convergence demand zero-trust, segmentation, and coordinated incident response to reduce systemic risk.