All news with #threat report tag
Thu, September 11, 2025
Beaches and Breaches: Shifts in Supply Chain and Identity
🌊 Returning from vacation, the author notes headlines shifted away from AI and ransomware toward breaches tied to compromised OAuth tokens and integrations like Salesloft/Drift. The piece emphasizes two converging trends: supply chain risk that now includes datapaths where information is processed, and identity attacks that increasingly target interconnected applications. It highlights Cisco Talos’ CTI-CMM as a practical maturity framework to assess gaps, prioritize investments, and build a roadmap for continuous improvement.
Thu, September 11, 2025
Stark Industries Rebrands to Evade EU Sanctions, Persists
🔁 In May 2025 the EU sanctioned Moldova-based PQ Hosting and its owners, the Neculiti brothers, for alleged links to Kremlin hybrid warfare. Recorded Future and KrebsOnSecurity reporting show Stark Industries quickly rebranded to the[.]hosting under Dutch WorkTitans BV on 24 June 2025 while key address space and assets moved to PQ Hosting Plus S.R.L. Netherlands-based MIRhosting appears to host and manage the new entities, suggesting the sanctions achieved little lasting disruption.
Thu, September 11, 2025
Global Cyber Threats August 2025: Agriculture Hit Hard
🚨 In August 2025 organizations worldwide faced an average of nearly 2,000 cyber attacks per week, a small 1% decline from July but a notable 10% increase year‑over‑year. The agricultural sector was hit particularly hard, recording a 101% rise in incidents compared with August 2024. While overall attack volume shows tentative stabilization, the shifting distribution of threats across industries, regions and attack vectors underscores the urgent need for targeted defenses, stronger risk management and improved incident readiness.
Thu, September 11, 2025
Human-centered cybersecurity rises in CISO priorities
🔐 The role of the CISO is shifting from technical expert to manager of people and systems, making a human-centered approach essential to reduce the most significant cyber risks. Rather than repeating awareness campaigns, CISOs should design practical, scenario-based training, align security with corporate values, and foster a supportive security culture. Technology and policy must enable good behavior, while deliberate, minimal friction creates effective learning moments. A mature Human Risk Management program uses assessment, segmentation, targeted interventions and continuous feedback to deliver measurable risk reductions.
Wed, September 10, 2025
Maturing Cyber Threat Intelligence: CTI Capability Model
🛡️ The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) offers a practical framework for assessing and advancing organizational threat intelligence efforts. It identifies 11 domains and associated CTI missions that support decision-making across areas such as asset management, threat and vulnerability management, incident response, and third-party risk. The model defines four maturity levels (CTI0–CTI3) from pre‑foundational, ad hoc practices to highly refined, strategic intelligence, and prescribes an iterative improvement cycle—prepare, assess, plan, deploy, measure. The guidance stresses focusing on stakeholder needs and delivering useful, timely intelligence rather than pursuing the highest maturity rating for its own sake.
Wed, September 10, 2025
Ransomware Demands and Payments Fall Sharply in Education
📉 A new Sophos study finds that ransomware demands and payments in the education sector have dropped dramatically year‑on‑year, with average demands falling 74% for lower education and 80% for higher education. Median payments also plunged, moving education from among the highest to among the lowest payers. Improved detection, faster recovery and more effective negotiation are cited as key drivers behind the reductions.
Wed, September 10, 2025
Salty2FA Phishing Kit Targets US and EU Enterprises
⚠️ Researchers at ANY.RUN have uncovered Salty2FA, a new phishing-as-a-service kit engineered to harvest credentials and bypass multiple two-factor authentication methods. First observed gaining momentum in mid-2025, the kit uses multi-stage redirects, Cloudflare checks and evasive hosting to slip past automated filters. Salty2FA intercepts push, SMS and voice codes, enabling account takeover across finance, energy and telecom sectors.
Wed, September 10, 2025
Top Cybersecurity Trends: AI, Identity, and Threats
🤖 Generative AI remains the dominant force shaping enterprise security priorities, but the initial hype is giving way to more measured ROI scrutiny and operational caution. Analysts say gen AI is entering a trough of disillusionment even as vendors roll out agentic AI offerings for autonomous threat detection and response. The article highlights rising risks — from model theft and data poisoning to AI-enabled vishing — along with brisk M&A activity, a shift to identity-centric defenses, and growing demand for specialized cyber roles.
Tue, September 9, 2025
Threat Actor Reveals Tradecraft After Installing Agent
🔎 Huntress analysts discovered a threat actor inadvertently exposing their workflows after installing the vendor's security agent on their own machine. The agent logged three months of activity, revealing heavy use of AI text and spreadsheet generators, automation platforms like Make.com, proxy services and Telegram Bot APIs to streamline operations. Investigators linked the infrastructure to thousands of compromised identities, while many attempts were blocked by existing detections.
Tue, September 9, 2025
Axios User Agent Enables Mass Automated Phishing Campaigns
🔍 ReliaQuest reports a sharp rise in automated phishing campaigns leveraging the Axios user agent and Microsoft's Direct Send feature, observing a 241% increase between June and August 2025. Attacks using Axios represented 24% of malicious user-agent activity and had a 58% success rate versus 9% for other incidents. When paired with Direct Send, success rose to 70%, prompting guidance to restrict Direct Send, enforce anti-spoofing, scan inbound messages for QR codes/URLs/PDFs, train users including executives, and block uncommon TLDs.
Tue, September 9, 2025
New Cryptanalysis Challenges Fiat–Shamir Transformation
🔒 A recent paper demonstrates theoretical attacks on the Fiat–Shamir transformation, extending known insecurities into less contrived scenarios while stopping short of immediate practical exploitation. Bruce Schneier notes the result is exciting from a research perspective but does not currently translate into real-world cryptanalysis. The work highlights limits in our ability to produce broad security proofs for the transform. It serves as a reminder that theoretical advances can reshape confidence in cryptographic proof techniques even when deployed systems remain unaffected.
Tue, September 9, 2025
Preventing Business Disruption with MDR for Resilience
🛡️ Organizations face escalating operational risk as threat actors leverage optimized supply chains, pre-packaged services and AI to accelerate attacks and social engineering. Managed detection and response (MDR) is promoted as a prevention-first approach that prioritizes speed of detection, containment and response. Best-in-class MDR combines 24/7 monitoring, proactive threat hunting and automated compliance and forensic reporting to reduce downtime and support recovery.
Tue, September 9, 2025
45 Previously Unreported Domains Linked to Salt Typhoon
🔍 Silent Push researchers have identified 45 previously unreported domains tied to China-linked threat clusters Salt Typhoon and UNC4841, with registrations dating as far back as May 2020. The infrastructure shows overlap with UNC4841, the group associated with exploitation of a Barracuda ESG zero‑day (CVE-2023-2868). Investigators discovered three Proton Mail addresses used to register 16 domains with fabricated contact details and found many domains resolving to high‑density IP addresses. Organizations are urged to search five years of DNS logs and audit requests to the listed IPs and subdomains.
Mon, September 8, 2025
Surge in Network Scans Targets Cisco ASA Devices Worldwide
🔎 Security researchers observed a large surge in network scans probing Cisco ASA login portals and Cisco IOS Telnet/SSH endpoints, with GreyNoise recording two major spikes in late August 2025. The second wave on August 26, 2025, was largely (about 80%) driven by a Brazilian botnet using roughly 17,000 IPs and overlapping Chrome-like user agents that suggest a common origin. Administrators are urged to apply the latest patches, enforce MFA for remote ASA logins, avoid exposing management pages and services directly, and use VPN concentrators, reverse proxies, geo-blocking, and rate limiting to reduce risk.
Mon, September 8, 2025
GPUGate: Malware Uses Google Ads and GitHub Redirects
🔒 Cybersecurity researchers have disclosed a sophisticated malvertising campaign that leverages paid search ads and manipulated GitHub commit URLs to redirect victims to attacker-controlled infrastructure. The first-stage dropper is a bloated 128 MB MSI that evades many online sandboxes and employs a GPU-gated decryption routine dubbed GPUGate, which aborts on systems lacking a real GPU or proper drivers. The campaign uses a lookalike domain (gitpage[.]app) and a VBScript-to-PowerShell chain that gains admin privileges, adds Microsoft Defender exclusions, establishes persistence, and stages secondary payloads for data theft.
Mon, September 8, 2025
Remote Access Abuse Signals Major Pre-Ransomware Risk
🔒 Cisco Talos finds abuses of remote access software and services are the most common pre-ransomware indicator, with threat actors leveraging legitimate tools such as RDP, PsExec, PowerShell and remote-support apps like AnyDesk and Microsoft Quick Assist. The report highlights credential dumping (for example, Mimikatz) and network discovery as other frequent TTPs. It recommends rapid response, MFA, application allowlisting and enhanced endpoint monitoring to limit ransomware execution.
Mon, September 8, 2025
MostereRAT Campaign Uses EPL, mTLS, and Legitimate RATs
🛡️ FortiGuard Labs identified a sophisticated phishing campaign that chains an Easy Programming Language (EPL) runtime with multi-stage payloads to deploy MostereRAT. The initial dropper, based on a wxWidgets sample, creates SYSTEM services and decrypts modules that run in memory while presenting social‑engineering prompts. Operators use mTLS‑protected C2 channels, disable and block security tooling via WFP filters, and install legitimate remote access tools such as AnyDesk and TightVNC to secure covert, persistent full access.
Mon, September 8, 2025
Salesloft–Drift Supply Chain Breach and Weekly Recap
🔒 Salesloft has moved to take Drift offline after a supply‑chain compromise that resulted in the mass theft of OAuth tokens and unauthorized access to Salesforce data. Multiple large vendors — including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, and Tenable — confirmed impact, and activity is attributed to clusters tracked as UNC6395 and GRUB1. The incident underscores how fragile integrations can be and the importance of token hygiene, rapid revocation, and enhanced monitoring to contain downstream exposure.
Mon, September 8, 2025
Stopping Ransomware Before It Starts: Pre-Ransomware Insights
🔒 Cisco Talos Incident Response (Talos IR) analyzed pre-ransomware engagements from January 2023 through June 2025 to determine which controls most often prevented ransomware deployment. Rapid engagement with incident responders and near-immediate action on EDR/MDR alerts were the two strongest correlates of stopping encryption. Talos found that aggressive blocking and quarantine settings, strict identity and privilege controls, improved logging, and early notifications from partners materially increased the chance of eviction before encryption. The guidance focuses on securing remote services, credential protection, application allowlisting, and network segmentation.
Mon, September 8, 2025
Ten Security Leadership Missteps That Damage Careers
🔒 Security leaders must avoid career-limiting behaviors that erode trust and effectiveness. The article outlines 10 common missteps — from failing to align security with business priorities and remaining purely technical to drawing inflexible red lines and mishandling AI — that stall advancement. It stresses practical shifts: become a business partner, balance risk with speed, improve asset visibility, foster relationships, and rehearse incident response to maintain credibility.