< ciso brief />

All news with #threat report tag


Cybercrime Inc.: When Hackers Outpace Corporate IT and Defenses

🔍 Cybercrime has evolved into a structured, global underground economy that frequently outperforms corporate IT in speed, efficiency and scale. Organized groups now run with defined roles, measurable KPIs and productized offerings such as Ransomware-as-a-Service, enabling nontechnical affiliates to launch high-impact attacks. The decisive metric is no longer if an organization will be targeted but how quickly it can recover and limit reputational and operational damage.

Cybercrime Inc.: How Organized Hackers Outpace IT Defenses

⚠️ Cybercrime has matured into a structured, global underground economy that often outstrips corporate defenders. Groups now operate with division of labor, formal processes and professional marketing, and Ransomware-as-a-Service offerings enable nontechnical actors to lease malware, support and revenue-sharing schemes. The result is scalable, fast-moving criminal supply chains that exploit human error, weaponize stolen data and exploit slow, bureaucratic response models. Organizations must move beyond pure prevention to measurable resilience, rehearsed recovery and decisive incident leadership.

Final 2025 Weekly Recap: MongoDB, Wallet, and Supply Chain

🔔 A newly disclosed MongoDB memory-exposure flaw (CVE-2025-14847, "MongoBleed") and a wave of supply-chain and update-channel compromises defined the final week of 2025. Active exploitation of MongoDB affected tens of thousands of instances worldwide while extension- and package-based attacks, including a compromised Trust Wallet Chrome extension and a malicious npm package, led to immediate thefts and account takeovers. The recap stresses rapid attacker tempo, the abuse of trusted update/support channels, and persistent impacts that can surface months or years after an initial compromise.

December 2025 cybersecurity roundup by Tony Anscombe

📰 ESET Chief Security Evangelist Tony Anscombe reviews the key cybersecurity stories closing out 2025, spotlighting significant incidents and trends. He highlights FinCEN's finding that U.S. organizations paid over $2.1 billion in ransomware between 2022 and 2024, and legal action by the Texas Attorney General against major TV manufacturers for alleged secret collection of viewing data. Tony also examines notable breaches and the tactics used by threat actors, offering practical perspective on risks and resilience.

Top 5 Real-World AI Security Threats Revealed in 2025

🔒 2025 exposed major, real-world risks across the AI ecosystem as rapid adoption of agentic AI expanded enterprise attack surfaces. Researchers documented pervasive Shadow AI and vulnerable vendor tools, AI supply-chain poisoning, credential theft (LLMjacking), prompt-injection attacks, and rogue or misconfigured MCP servers. These incidents affected popular frameworks and cloud services and resulted in data breaches, remote-code execution, and costly fraud.

Top Ransomware Trends of 2025: Activity and Impact

🔍 Ransomware activity in 2025 remained high, with 306 groups and 7,902 victims listed on data leak sites, according to Ransomware.live. While coordinated takedowns and anti-cybercrime actions were quieter than in 2024, both emergent collectives (Scattered Spider, Lapsus$, ShinyHunters) and established syndicates continued to generate incidents. The most prolific actors — Qilin, Akira and Clop — claimed the largest shares of victims, and the United States accounted for nearly half of the reported targets.

Scripted Sparrow Sends Millions of Targeted BEC Emails

📧 Fortra researchers have identified a global business email compromise (BEC) collective dubbed Scripted Sparrow that is sending an estimated 4–6 million highly tailored messages each month. The group poses as executive coaching and leadership consultancies, registering numerous domains and webmail addresses while sending spoofed reply chains with fake invoices and W‑9 forms to Accounts Payable teams. Fortra urges organisations to enforce strict payment approval protocols, verify requests via official channels and never trust embedded reply chains.

Cloud CISO Perspectives: 2025 Review — Cloud Security & AI

🔒 Google Cloud senior leaders Nick Godfrey and Anton Chuvakin recap 2025 security developments and lessons learned across cloud and AI. They highlight five focus areas — securing cloud, securing AI, AI-enabled defense, threat intelligence, and building trust — and call out major items such as the announced Wiz acquisition, response to React2Shell (CVE-2025-55182), and the launch of AI Protection. The newsletter stresses fundamentals, governance, and using AI to empower defenders.

Denmark Blames Russia for 2024–25 Cyber Attacks, DDoS

🛡️ The Danish Defence Intelligence Service (DDIS) said on December 18, 2025 that Russian-aligned actors were responsible for recent destructive and disruptive cyber activity against Denmark. The agency named pro‑Russian hacktivist groups Z‑Pentest for a destructive 2024 intrusion at a water utility and NoName057(16) for DDoS campaigns targeting websites ahead of the 2025 municipal and regional elections. DDIS assessed both groups have links to the Russian state and are being used as instruments of a hybrid campaign to create insecurity and penalise countries supporting Ukraine. The statement followed a global advisory, co-signed by 23 law enforcement and intelligence bodies, which catalogued related TTPs.

Adios 2025: Ransomware, AI Abuse, and Manufacturing Hits

📌 2025 left a clear imprint: ransomware operations matured into highly organized, profitable cartels such as Qilin, industrial targets like Jaguar Land Rover suffered major operational and financial damage, and early reports of AI-orchestrated espionage raised concerns about automated, scalable kill chains. Talos also highlights the week's headlines: Fortinet zero-days (CVE-2025-59718, CVE-2025-59719), Microsoft update regressions affecting WSL VPNs, and a large AWS crypto-mining campaign driven by compromised IAM credentials. The guidance is pragmatic: double down on identity and access management, monitor service accounts, prioritize incident response basics, and look after your people to reduce burnout heading into 2026.

ThreatsDay Bulletin: Emerging Tactics and Notable Incidents

🔔 This week's ThreatsDay Bulletin highlights a rapid reshaping of old tools and fresh abuse of familiar systems across fraud, malware, and infrastructure. Notable incidents include a cross-border scam ring dismantled in Ukraine that defrauded hundreds for over €10 million, the modular SantaStealer infostealer sold as malware-as-a-service, and a WhatsApp device-linking hijack dubbed GhostPairing. Security teams should verify linked sessions, reduce exposed management endpoints, and prioritize timely patching and credential hygiene.

North Korea Steals Over $2bn in Crypto During 2025

🚨 Chainalysis reports North Korea's crypto thefts surged in 2025, exceeding $2bn and pushing the regime's cumulative haul to over $6.7bn. The firm says DPRK actors accounted for 60% of funds stolen this year, with the Bybit breach alone yielding an unprecedented $1.5bn; attackers are increasingly embedding IT workers inside exchanges and custodians to gain privileged access. They favor Chinese-language services, cross-chain bridges and mixers for laundering, while personal wallet thefts tripled in number but fell in average value, totalling $713m overall.

HMRC Warns of Over 135,000 Scam Reports to Taxpayers

🛡️ HMRC has received over 135,500 scam reports since February 2025, including about 4,800 tied to its Self Assessment system, and warns scams will rise ahead of the January 31, 2026 filing deadline. Fraudsters impersonate HMRC via phone, email and text to pressure victims into paying fake bills, disclosing personal data or installing malware. HMRC says it shut 25,000 phishing sites and numbers in the last 10 months and urges people to protect, recognize and report suspicious contacts to phishing@hmrc.gov.uk.

China-Linked Ink Dragon Employs ShadowPad and FINALDRAFT

🛡️ Check Point Research links a sustained espionage campaign to the China-aligned cluster known as Ink Dragon (also tracked as Jewelbug, CL-STA-0049, Earth Alux/REF7707) that has targeted government and telecommunications organisations across Europe, Asia and Africa since at least March 2023. The actor exploits exposed web applications and predictable ASP.NET machine keys to drop web shells and install a custom ShadowPad IIS Listener, turning compromised servers into resilient C2 relays. Operators deploy a modular backdoor FINALDRAFT (aka Squidoor), alongside NANOREMOTE, loaders and tooling such as VARGEIT and Cobalt Strike to enable stealthy lateral movement, credential theft and high-throughput exfiltration.
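
The machine-key tradecraft described above is worth checking for on your own IIS estate. The script below is an added example, not code from Check Point or from the report: it parses web.config documents, flags static or weak <machineKey> settings, and reports keys shared across applications (one leaked copy then exposes every app that uses it). The sample configurations, key values, paths and the known_leaked set are constructed placeholders.

```python
"""Audit ASP.NET web.config <machineKey> settings for static or weak keys.

Added example (not from the Check Point report). A hard-coded machineKey that
leaks, or was copied from a sample config, lets an attacker sign forged
ViewState and reach code execution on the server, so the audit flags static
keys, weak algorithms, known-public keys and keys shared between apps.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

HEX_DIGITS = set("0123456789abcdefABCDEF")
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}   # validation= values to flag
WEAK_DECRYPTION = {"DES", "3DES"}           # decryption= values to flag
MIN_VALIDATION_HEX = 40                     # documented minimum length (20 bytes)


def _is_static(key):
    """AutoGenerate[,IsolateApps] is the safe default; anything else is static."""
    return not key.startswith("AutoGenerate")


def audit_web_config(xml_text, known_leaked=frozenset()):
    """Return a list of issue strings for one web.config document.

    known_leaked: lower-cased key strings already public (hypothetical here;
    in practice load it from a published list of disclosed machine keys).
    """
    issues = []
    for mk in ET.fromstring(xml_text).iter("machineKey"):
        vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
        dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
        for name, key in (("validationKey", vkey), ("decryptionKey", dkey)):
            if not _is_static(key):
                continue
            issues.append(f"static {name}: ViewState is forgeable if it leaks")
            if key.lower() in known_leaked:
                issues.append(f"{name} matches a publicly disclosed key")
            if not set(key) <= HEX_DIGITS:
                issues.append(f"{name} is not a hexadecimal string")
            elif name == "validationKey" and len(key) < MIN_VALIDATION_HEX:
                issues.append(f"validationKey shorter than {MIN_VALIDATION_HEX} hex chars")
        validation = mk.get("validation", "HMACSHA256").upper()
        decryption = mk.get("decryption", "Auto").upper()
        if validation in WEAK_VALIDATION:
            issues.append(f"weak validation algorithm {validation}")
        if decryption in WEAK_DECRYPTION:
            issues.append(f"weak decryption algorithm {decryption}")
    return issues


def find_shared_keys(configs):
    """configs: {path: xml_text}. Return {key: [paths]} for every static key
    used by more than one file; one leaked copy then exposes all of them."""
    seen = defaultdict(set)
    for path, text in configs.items():
        for mk in ET.fromstring(text).iter("machineKey"):
            for attr in ("validationKey", "decryptionKey"):
                key = mk.get(attr, "AutoGenerate")
                if _is_static(key):
                    seen[key.lower()].add(path)
    return {key: sorted(paths) for key, paths in seen.items() if len(paths) > 1}


# --- constructed sample data (invented keys and paths, not real deployments) ---
SAMPLE_VKEY = "AB" * 32   # 64 hex chars, reused by two apps below


def _config(vkey, dkey, validation, decryption):
    return ('<configuration><system.web><machineKey validationKey="%s" '
            'decryptionKey="%s" validation="%s" decryption="%s" />'
            '</system.web></configuration>' % (vkey, dkey, validation, decryption))


SAMPLE_CONFIGS = {
    "legacy-app/web.config": _config(SAMPLE_VKEY, "CD" * 16, "SHA1", "3DES"),
    "portal/web.config": _config(SAMPLE_VKEY, "EF" * 16, "HMACSHA256", "AES"),
    "intranet/web.config": "<configuration><system.web/></configuration>",
}

if __name__ == "__main__":
    for path, text in SAMPLE_CONFIGS.items():
        print(path, audit_web_config(text) or ["ok"])
    print("shared keys:", find_shared_keys(SAMPLE_CONFIGS))
```

Run it against every web.config exported from your IIS hosts; a config with no machineKey element is reported clean because the default is AutoGenerate, and the shared-key report is the one to read first, since a key reused between environments is typically the one that was copied from a public sample.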

Russian APT Targets Energy and Critical Infrastructure

🔎 Amazon Threat Intelligence reports a Russian state-sponsored cyber espionage team has increasingly targeted energy providers and other critical infrastructure, operating since at least 2021. The actors have shifted toward exploiting device misconfigurations while continuing to leverage known vulnerabilities such as CVE-2022-26318, CVE-2021-26084, CVE-2023-22518 and CVE-2023-2753. Observed tradecraft includes compromise of network-edge devices hosted on AWS EC2, passive credential capture and credential-replay attacks to move laterally across victim environments. Amazon provides indicators of compromise and specific mitigation guidance, including configuration audits, isolation of management interfaces and deployment of multi-factor authentication.

ForumTroll Targets Political Scientists with Tuoni

📧 Kaspersky researchers have uncovered a targeted campaign by the ForumTroll APT that lures political scientists with personalized plagiarism-check links impersonating the eLibrary service. The downloaded archive contained a malicious .lnk and a .Thumbs directory with images used to evade security; filenames included each victim’s full name. When executed on Windows the .lnk ran a PowerShell chain that installed the commercial red-team framework Tuoni, used COM hijacking for persistence, and displayed a decoy PDF named for the target. Kaspersky reports detections and recommends endpoint and mail-gateway protections to stop similar email-delivered threats.
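
The COM hijacking persistence described above leaves a registry footprint that Sysmon records. The script below is an added example, not Kaspersky's detection logic: it runs over constructed Sysmon-style registry events (Event ID 13, value set) and flags per-user CLSID registrations that point at user-writable paths, were written by a script host such as PowerShell, use a TreatAs redirect, or shadow a CLSID that is also registered machine-wide. SIDs, CLSIDs, paths and process images in the sample events are all invented.

```python
r"""Flag per-user COM registrations that can hijack machine-wide CLSIDs.

Added example (not Kaspersky's detection). COM hijacking writes a CLSID under
the user's hive (HKCU\Software\Classes\CLSID, which Sysmon records either as
HKU\<SID>\Software\Classes\... or as HKU\<SID>_Classes\...). Per-user entries
are resolved before HKLM ones, so a legitimate process then loads the
attacker's DLL. The scan runs over Sysmon Event ID 13 (registry value set)
records supplied as dicts with Sysmon field names.
"""
import re

COM_KEY = re.compile(
    r"^HKU\\(?P<sid>S-1-5-21-[\d-]+)(?:_Classes|\\Software\\Classes)\\CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\\"
    r"(?P<sub>InprocServer32|LocalServer32|TreatAs)",
    re.IGNORECASE,
)
# Locations an unprivileged user can write; a COM server loaded from here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)
# Script hosts and LOLBins that rarely register COM servers legitimately.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "reg.exe"}


def classify(event, machine_clsids=frozenset()):
    """Return a finding dict for a per-user COM registration, else None.

    machine_clsids: upper-cased CLSIDs registered under HKLM on the host, used
    to tell a hijack of an existing class from a harmless new registration.
    """
    if event.get("EventID") != 13:
        return None
    m = COM_KEY.match(event.get("TargetObject", ""))
    if not m:
        return None
    server = event.get("Details", "")
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    clsid = m.group("clsid").upper()
    reasons = []
    if USER_WRITABLE.search(server):
        reasons.append("server path is user-writable")
    if image in SCRIPT_HOSTS:
        reasons.append(f"written by script host {image}")
    if m.group("sub").lower() == "treatas":
        reasons.append("TreatAs redirect to another class")
    if clsid in machine_clsids:
        reasons.append("shadows a machine-wide HKLM registration")
    return {
        "clsid": clsid,
        "sid": m.group("sid"),
        "subkey": m.group("sub"),
        "server": server,
        "image": image,
        "severity": "high" if reasons else "low",
        "reasons": reasons,
    }


def scan(events, machine_clsids=frozenset()):
    """Run classify over a list of events and keep only the findings."""
    return [f for f in (classify(e, machine_clsids) for e in events) if f]


# --- constructed sample data: SIDs, CLSIDs, paths and images are invented ---
MACHINE_CLSIDS = frozenset({"{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"})
SAMPLE_EVENTS = [
    {   # installer registering its own per-user class from Program Files: low
        "EventID": 13,
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Classes\CLSID"
                        r"\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
        "Details": r"C:\Program Files\Vendor\vendor.dll",
    },
    {   # PowerShell pointing an existing CLSID at a DLL in AppData: hijack
        "EventID": 13,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001_Classes\CLSID"
                        r"\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32\(Default)",
        "Details": r"C:\Users\alice\AppData\Roaming\Updater\loader.dll",
    },
    {   # machine-wide registration by an installer: outside this rule's scope
        "EventID": 13,
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID"
                        r"\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
        "Details": r"C:\Program Files\Vendor\vendor.dll",
    },
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},  # process create, ignored
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, MACHINE_CLSIDS):
        print(finding["severity"], finding["clsid"], finding["reasons"])
```

Low-severity findings still list every new per-user CLSID, which is useful for a baseline; the machine_clsids set should come from an HKLM export of the same host, since a per-user entry only hijacks anything when a class with that CLSID is actually loaded by a machine process.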

Ink Dragon Uses European Government Servers as Relays

🔍 A prolific China-linked group known as Ink Dragon is exploiting misconfigured public-facing servers in European government networks to create relay nodes, Check Point reports. After probing IIS, SharePoint and other web services for configuration flaws, operators quietly harvest credentials, reuse administrator and service accounts, and move laterally using Remote Desktop to blend into normal traffic. They install backdoors and credential-stealing implants, and deploy a customized module and a new FinalDraft backdoor to maintain long-term access and obfuscate command channels.

Cloud Security 2025: AI-Driven Risk and Operational Gaps

🔒 The Palo Alto Networks State of Cloud Security Report 2025 warns that rapid enterprise AI adoption has massively expanded the cloud attack surface, with 75% running AI in production and 99% reporting at least one AI-targeted incident last year. It finds GenAI-assisted coding accelerating insecure code into production and AppSec teams unable to keep pace with weekly deploys. The research highlights rising API attacks, persistent identity weaknesses, and widespread tool sprawl, and argues for agentic security to unify cloud and SOC operations.

New Report: China's AI Surveillance Reshapes Rights

🔍 A new ASPI report, discussed here, documents how Chinese state actors rapidly embedded advanced AI into political control systems between 2023 and 2025. It highlights four accelerated areas: multimodal censorship of politically sensitive images; AI integration into the criminal‑justice pipeline; industrialised online information control; and AI‑enabled platforms run by Chinese firms abroad. The post frames this evidence to inform policymakers, civil society, the media and technology companies seeking to counter AI‑enabled repression.

Ink Dragon Expands: New Tools and Wider Victim Network

🛡️ Check Point Research reveals that Ink Dragon, a Chinese espionage group, has broadened operations from Asia and South America into European government networks, turning compromised servers into relay nodes to route commands and obscure activity. Updated toolsets — including a new FinalDraft variant — let attackers mimic Microsoft cloud traffic and maintain long-term access. Multiple actors, notably RudePanda, exploited the same public-facing flaw, underscoring how a single vulnerability can attract several advanced groups.