All news with #threat report tag

IR Playbooks and Mental Health After Major Incidents

🛡️ Joe Marshall uses the VPN Filter investigation to illuminate the often-hidden personal cost of incident response. He recounts months of high-pressure analysis into a modular SOHO botnet attributed to APT28 that featured persistence and a potentially destructive kill switch, and describes how prolonged stress produced burnout, fractured relationships, and career impact. Marshall offers four practical mitigations — boundaries, peer support, unplugged self-care, and mandatory decompression — and underscores how a Cisco Talos Incident Response (IR) Retainer can ensure organizations respond decisively while protecting staff wellbeing.

One in Three Android Apps Expose Sensitive Data to Attackers

🔒 The 2025 Zimperium Global Mobile Threat Report finds that one in three Android apps and more than half of iOS apps leak sensitive information through insecure APIs, and nearly half of apps contain hardcoded secrets such as API keys. Client-side weaknesses let attackers tamper with apps, intercept traffic and bypass perimeter defences. The report recommends API hardening and app attestation to ensure API calls originate from genuine, untampered apps.

Zscaler ThreatLabz: Global Ransomware Surge 2024–2025

🔒 Zscaler's annual ThreatLabz Ransomware Report (April 2024–April 2025) warns of a marked rise in extortion-focused attacks: incidents increased 146% year-over-year while exfiltrated data grew 92%. The vendor attributes this to a strategic shift from pure encryption to data theft and public shaming, with criminals using stolen files as leverage. Researchers also report that generative AI is increasingly incorporated into attackers' playbooks to enable more targeted and efficient campaigns. The U.S. accounted for half of all recorded attacks, Germany saw a nearly 75% rise and is the EU's most affected country, and the most-targeted sectors were manufacturing, technology and healthcare.

FileFix Campaign Uses Steganography and Multistage Payloads

🛡️ Acronis researchers have uncovered a rare FileFix campaign that hides a second-stage PowerShell script and encrypted executables inside JPG images using steganography. Attackers employ multilingual, heavily minified phishing pages that mimic a Meta support flow and trick victims into pasting a payload into file upload address bars. An obfuscated PowerShell one-liner downloads images from Bitbucket, extracts and decrypts components, and executes a Go-based loader that deploys StealC. Organizations should combine user training with process blocking and monitoring to mitigate this evolving threat.

Scattered Spider Resurfaces, Targets Financial Sector Again

🔍 Cyber threat group Scattered Spider has been linked to a new campaign targeting financial services, according to ReliaQuest. The attackers gained access by socially engineering an executive and abusing Azure AD self-service password reset, then moved laterally via Citrix and VPN to compromise VMware ESXi. They escalated privileges by resetting a Veeam service account, assigning Azure Global Administrator rights, and attempted data extraction from Snowflake and AWS. The activity contradicts the group's retirement claims and suggests regrouping or rebranding.

From Prevention to Rapid Response: The New CISO Era

🔒 CISOs are shifting from an all-or-nothing prevention model to a containment-first strategy that assumes breaches will occur. Organizations are investing in sharper visibility, automation and precise network segmentation to stop lateral movement and reduce blast radius. Modern zero trust implementations enforce context-aware, least-privilege access across hybrid environments, enabling faster detection and automated response while preserving user experience. In sectors such as fintech, CISOs must also balance strong background security with seamless interfaces and user education to sustain trust.

HMRC Tax Refund Phishing Reports Decline Sharply in 2025

📉 Bridewell's analysis of FOI data shows a marked fall in HMRC-impersonation phishing reports in the first half of 2025, with 41,202 incidents versus 102,226 in 2024 and 152,995 in 2023. Email-based attacks drove most of the decline while SMS phishing rose. The firm warns AI-enhanced social engineering is increasing and advises users to pause, avoid suspicious links and verify communications via official channels.

API Attacks Surge: 40,000 Incidents in H1 2025 Report

🔒 Thales' Imperva analysed telemetry from over 4,000 environments and reported about 40,000 API incidents in H1 2025, finding APIs now attract 44% of advanced bot traffic. Key findings included a 40% rise in credential-stuffing and account-takeover attempts against APIs without adaptive MFA, plus data scraping (31%) and coupon/payment fraud (26%). Financial services, telecoms and travel were among the most targeted sectors, and Thales warned the pace and sophistication of attacks will continue to increase.

Mustang Panda Uses SnakeDisk USB Worm to Deliver Yokai

🐍 IBM X-Force reports that China-aligned Mustang Panda is deploying a new USB worm, SnakeDisk, to propagate the Yokai backdoor against machines geolocated to Thailand. The actor also introduced updated TONESHELL variants (TONESHELL8/9) with proxy-aware C2 and parallel reverse shells. SnakeDisk abuses DLL side-loading and USB volume masquerading—moving user files into a subfolder and presenting a deceptive 'USB.exe' lure before restoring originals—to spread selectively on Thailand-based public IPs.

Yurei Ransomware Uses Open-Source Tools for Extortion

🔒 A newly identified ransomware group called Yurei is conducting double-extortion attacks, encrypting files and exfiltrating sensitive data before demanding payment. First observed by Check Point Research on September 5, Yurei has targeted organizations in Sri Lanka, India and Nigeria and may have ties to Morocco. Built largely from open-source Prince-Ransomware code, the malware encrypts each file using per-file ChaCha20 keys protected with ECIES, appending a .Yurei extension, and attempts to provide a ransom page and .onion contact. Although the early variant omits some operational features (for example it fails to set a ransom wallpaper and does not remove Windows shadow copies), the group still threatens publication of stolen data to pressure victims.

Weekly Recap: Bootkit Malware, AI Attacks, Supply Chain

⚡ This weekly recap synthesizes critical cyber events and trends, highlighting a new bootkit, AI-enhanced attack tooling, and persistent supply-chain intrusions. HybridPetya samples demonstrate techniques to bypass UEFI Secure Boot, enabling bootkit persistence that can evade AV and survive OS reinstalls. The briefing also covers vendor emergency patches, novel Android RATs, fileless frameworks, and practical patch priorities for defenders.

Your SOC as the Parachute: Engineering for Resilience

🪂The SOC is framed as the parachute organisations rely on when breaches occur. Too many SOCs are under‑specified and reactive—drowned in alerts and tools that add complexity rather than resilience. The author calls for Swiss engineering: over‑specified, tested processes, rehearsed responses, and anticipatory defence grounded in threat modelling and behavioural context. Vendors and AI can assist, but organisations must own priorities, rehearse decision making, and build muscle memory.

Five Trends Reshaping IT Security Strategies in 2025

🔒 Cybersecurity leaders report the mission to defend organizations is unchanged, but threats, technology and operating pressures are evolving rapidly. Five trends — shrinking or stagnating budgets, AI-enabled attacks, the rise of agentic AI, accelerating business speed, and heightened vendor M&A — are forcing changes in strategy. CISOs are simplifying tech stacks, increasing automation and outsourcing, and deploying AI for detection and response while wrestling with new authentication/authorization gaps. Vendor viability and consolidation now factor into resilience planning.

Ten Career Pitfalls That Can Derail Today's CISOs Now

🔒 CISOs face many behavioral and strategic traps that can stall or end careers if not addressed. Leaders, coaches and consultants identify ten common mistakes — from failing to align security with business priorities and treating security as a pure technology function, to reflexively saying no, enforcing rigid rules, misunderstanding AI, lacking transparency, not networking, and mishandling incidents. The article emphasizes becoming an enabler, tying controls to ROI, communicating clearly, and rehearsing response plans to build resilience.

Novel LOTL and File-Based Evasion Techniques Rising

🔍The Q2 2025 HP Wolf Threat Insights Report describes how threat actors are increasingly chaining living‑off‑the‑land (LOTL) tools and abusing uncommon file types to evade detection. Attackers hide final payloads inside images or use tiny SVGs that mimic legitimate interfaces, then execute code via native Windows processes like MSBuild. These methods leverage trusted sites and native binaries to bypass filters and complicate incident response.

Yurei Ransomware: Rapid Rise from Open-Source Code

🛡️ Yurei ransomware emerged on September 5, quickly claiming victims in Sri Lanka, India and Nigeria within its first week. The payload is largely copied from the open-source Prince-Ransomware project, illustrating how easily attackers can deploy commodity code. Although technical flaws allow partial recovery, Yurei focuses on data theft and public exposure to coerce payments. Early indicators point to links with Morocco, signaling a geographically shifting threat landscape.

SEO Poisoning Targets Chinese Users via Fake Software

🛡️ In August 2025, FortiGuard Labs uncovered an SEO poisoning campaign that manipulated search rankings to lure Chinese-speaking users to lookalike download sites mimicking legitimate software, notably a DeepL spoof. Victims downloaded a bundled MSI installer that combined genuine application installers with malicious components (EnumW.dll, fragmented ZIPs and a packed vstdlib.dll) and used anti-analysis, timing checks and parent-process validation to evade sandboxes. The in-memory payload implements Heartbeat, Monitor and C2 modules, exfiltrates system and user data, and supports plugins for screen capture, keylogging, Telegram proxy removal and crypto wallet targeting. Fortinet detections and network protections are updated; organizations are advised to apply patches, scan affected systems, and contact incident response if compromise is suspected.

ICO: Students Cause Majority of UK School Data Breaches

🔒 The ICO analyzed 215 insider personal data breach reports from the UK education sector between January 2022 and August 2024 and found students were responsible for 57% of incidents. Around 30% of breaches involved stolen login credentials, with students accounting for 97% of those attacks by guessing weak passwords or using credentials found on paper. The report highlights cases where pupils used freely available tools to break into school systems and access or alter thousands of records. The ICO urges parents, schools and the wider industry to channel curiosity into legitimate cyber careers and strengthen basic protections.

12 Digital Forensics Certifications to Advance Your Career

🔎 Digital forensics professionals investigate breaches to determine access methods, affected systems, and attacker actions, with the goal of preventing future incidents. This article reviews a curated list of a dozen certifications that span vendor-neutral and vendor-specific tracks, including mobile, cloud, network, memory, and Windows forensics. Each entry summarizes scope, target audience, exam format, validity period, renewal or CPE requirements, and typical training and exam fees to help practitioners choose the most appropriate credential.

Justifying Security Investments: A Boardroom Guide

💡 CISOs must present security spending as business enablers that reduce risk, protect revenue, and support strategic priorities rather than as purely technical upgrades. Begin by defining the business challenge, then tie the proposed solution—such as Zero Trust or platform consolidation—to measurable outcomes like reduced incident impact, faster recovery, and lower TCO. Use cost models, breach scenarios, per-user economics, and timelines to quantify benefits and speak the board’s language of risk, return, and shareholder value.