All news with #threat report tag

Mon, September 8, 2025

German Companies Affected by 2024–2025 Cyberattacks

🔒 In 2024 and into 2025, a wide range of German companies — from small and mid-sized enterprises to publicly listed groups and critical-service providers — were struck by ransomware and other intrusions, causing operational disruptions, lost revenue, supply-chain effects and reputational harm. Notable victims include Volkswagen Group, Adidas, Samsung Germany and several defence and manufacturing firms, while IT service providers and regional utilities were also targeted. At least one company (Fasana GmbH) reported insolvency after an attack. The editorial team updates this list regularly, but it is not exhaustive.


Fri, September 5, 2025

TAG-150 Develops CastleRAT: Python and C Variants Now

🛡️ Recorded Future links the activity of TAG-150 to a new remote access trojan, CastleRAT, available in both Python and C variants that collect system data, fetch additional payloads, and execute commands via CMD and PowerShell. The Python build is tracked as PyNightshade, while eSentire and others refer to related tooling as NightshadeC2. Researchers observed Steam-profile dead drops, a multi-tiered C2 layout, and distribution through CastleLoader-assisted phishing and fake GitHub repositories. Operators use Cloudflare-themed "ClickFix" lures and deceptive domains to deliver loaders and downstream stealers and RATs.


Fri, September 5, 2025

Sharp Rise in Cyberattacks on German Education Sector

🔒 Researchers at Check Point report a 56% year-over-year increase in cyberattacks against German educational institutions as the new school year begins, well above the global average. Analysts observed targeted phishing campaigns, including an August 2025 scheme that redirected victims to fake university and Outlook login pages to harvest credentials. To mitigate risk, experts recommend targeted phishing awareness training, mandatory multi-factor authentication (MFA), early detection of suspicious domains, regular system updates and deployment of modern threat-prevention solutions as part of a preventive, multi-layered security strategy.


Fri, September 5, 2025

61% of US Companies Hit by Insider Data Breaches in Two Years

📊 Nearly two-thirds (61%) of US firms experienced insider data breaches in the past two years, according to a new OPSWAT report conducted by the Ponemon Institute. Affected organizations reported an average of eight unauthorized file-access incidents and an average financial impact of $2.7m per organization. Respondents identified file storage and web file transfers as the riskiest environments for data loss. The study also found mixed approaches to generative AI—29% have banned it, 25% have formal policies, and 33% already include AI in file security strategies.


Fri, September 5, 2025

Lack of Board Access Drives CISO Job Dissatisfaction

🛡️ Cybersecurity leaders say board engagement is essential, but many CISOs—particularly in small and mid-market organizations—report minimal or no access to full boards, according to a 2025 report from IANS and Artico Search. That lack of access strongly correlates with job dissatisfaction and short tenures. Experts recommend strengthening C-suite relationships and framing cyber risk in business terms to secure board support.


Fri, September 5, 2025

VirusTotal Finds 44 Undetected SVG Malware Samples

⚠️ Cybersecurity researchers warn of a phishing campaign using Scalable Vector Graphics (SVG) files that embed JavaScript to decode and inject a Base64-encoded HTML page impersonating Colombia's Fiscalía General de la Nación. VirusTotal identified 44 unique SVG samples that evaded antivirus detection and reported a total of 523 SVGs seen in the wild, with the earliest from August 14, 2025. Attackers relied on obfuscation, polymorphism, and large volumes of junk code to bypass static detections and used a fake progress/download flow to trigger a background ZIP download. The disclosure coincides with separate macOS-focused campaigns distributing the AMOS information stealer via cracked-software lures and Terminal-based installers that attempt to circumvent Gatekeeper protections.


Thu, September 4, 2025

From Summer Camp to Grind Season — Threat Source Recap

📰 This week’s Threat Source newsletter highlights three significant vulnerabilities Talos researchers uncovered and helped remediate: a Dell firmware persistence flaw (Revault), an Office for macOS permissions bypass, and router compromises that blend malicious traffic with legitimate ISP flows. The author, William Largent, also emphasizes mental health and recommends a paper on AI behavioral pathologies to help anticipate malicious or errant AI-driven activity. Top headlines include a 4.4M-record TransUnion breach, a Salesloft Drift AI token compromise, a Passwordstate high-severity fix, an Azure AD credential leak, and a WhatsApp zero-day. Watch the Talos Threat Perspective episode and read the Dell write-up for mitigation guidance.


Thu, September 4, 2025

North Korea-Linked Actors Target Cyber Threat Intel

🔍 Cybersecurity firm SentinelLabs and internet intelligence company Validin uncovered a coordinated effort by a North Korea-aligned cluster, tracked as Contagious Interview, to exploit CTI platforms between March and June 2025. The actors repeatedly created accounts on Validin’s portal, reused Gmail addresses tied to prior operations and registered new domains after takedowns. Investigators observed team-based coordination, probable Slack use, and operational slip-ups that exposed logs and directory structures. The probe also identified ContagiousDrop malware delivery applications that harvested details from more than 230 mostly cryptocurrency-sector victims, underscoring the campaign’s revenue-driven motive and the need for vigilance from job seekers and infrastructure providers.


Thu, September 4, 2025

Secure-by-Default: Simple Defaults to Shrink Attack Surface

🔒 This article argues that adopting a security-by-default mindset—setting deny-by-default policies, enforcing MFA, and employing application Ringfencing™—can eliminate whole categories of risk early. Simple changes like disabling Office macros, removing local admin rights, and blocking outbound server traffic create a hardened environment attackers can’t easily penetrate. The author recommends pairing secure defaults with continuous patching and monitored EDR/MDR for comprehensive defense.


Thu, September 4, 2025

GhostRedirector: IIS SEO Fraud and Windows Backdoors

🕵️ ESET researchers uncovered GhostRedirector, a previously undocumented actor that compromised at least 65 Windows servers across Brazil, Thailand, Vietnam and other countries. The intrusions deployed a passive C++ backdoor, Rungan, and a native IIS module, Gamshen, to enable remote command execution and conduct SEO fraud that targets search-engine crawlers. Attackers also used public LPE exploits (EfsPotato, BadPotato) and PowerShell-based payloads; ESET attributes the activity to a China-aligned actor with medium confidence.


Thu, September 4, 2025

Healthcare Slow to Remediate Serious Flaws, Average 58 Days

🩺 Cobalt's State of Pentesting in Healthcare 2025 report shows healthcare organizations take far longer than peers to remediate serious vulnerabilities, leaving systems and patient data exposed. The firm, using a decade of internal pentest data and a survey of 500 US security leaders, found only 57% of serious findings are fixed and the median time to resolve is 58 days, with a 244-day half-life for serious issues. While business-critical assets often see fixes within days, Cobalt warns that prioritizing SLA-bound remediation lets other serious but non-critical flaws linger and accrue security debt, increasing ransomware and data-exfiltration risk.


Thu, September 4, 2025

CrowdStrike Named Leader in Forrester Wave MDR Europe

🔒 CrowdStrike has been named a Leader in The Forrester Wave™: Managed Detection and Response (MDR) Services in Europe, Q3 2025, receiving the highest possible scores in 16 evaluation criteria spanning detection surfaces, managed response, threat hunting and analyst experience. Falcon Complete Next-Gen MDR combines AI-accelerated detection and investigation with expert-led response across endpoint, cloud, identity and third-party telemetry. The service uses CrowdStrike Charlotte AI to triage alerts and accelerate analysis, and emphasizes end-to-end remediation actions that remove persistence and contain intrusions without costly reimaging. CrowdStrike positions this recognition as validation of its platform-led, AI-plus-human approach to stopping breaches.


Wed, September 3, 2025

Smashing Security #433: Hackers Harnessing AI Tools

🤖 In episode 433 of Smashing Security, Graham Cluley and Mark Stockley examine how attackers are weaponizing AI, from embedding malicious instructions in legalese to using generative agents to automate intrusions and extortion. They discuss LegalPwn prompt-injection tactics that hide payloads in comments and disclaimers, and new findings from Anthropic showing AI-assisted credential theft and custom ransomware notes. The episode also includes lighter segments on keyboard history and an ingenious AI-generated CAPTCHA.


Wed, September 3, 2025

FBI: Seniors Targeted by Three-Phase Phantom Scams

⚠️ The FBI and its Internet Crime Complaint Center (IC3) warn that seniors are being targeted by a three-phase "Phantom Hacker" scam that combines tech-support, financial-institution, and U.S. government impersonations to extract life savings. Scammers typically gain trust by convincing victims to grant remote access, then prompt transfers via wire, cash, or cryptocurrency to purportedly secure accounts. The IC3 reports substantial losses—an average of US $83,000 per victim—and urges people not to allow remote access, download unsolicited software, or transfer funds at the request of unknown callers.


Wed, September 3, 2025

Zero Trust Implementation Remains a Major CISO Challenge

🔐 According to an Accenture report, 88% of security leaders say they face significant difficulties implementing Zero Trust, and 80% cannot effectively protect cyber-physical systems. Other industry studies show mixed adoption—Gartner found 63% with full or partial strategies in 2024, while Entrust reports Germany lags at 53%. Experts point to divergent definitions, legacy systems, cultural resistance to the "never trust, always verify" model, poor visibility into data flows, and misaligned incentives as core obstacles; many argue the effort is strategic, lengthy, and requires top-down leadership.


Wed, September 3, 2025

Massive IPTV Piracy Network Spanning 1,100+ Domains

🔍 Silent Push uncovered an extensive IPTV piracy operation spanning more than 1,100 domains and over 10,000 IP addresses that has reportedly operated for several years. The investigation links the network to hosting firms XuiOne and Tiyansoft and identifies Nabi Neamati as a central operator. The infrastructure served unlicensed streams for major brands and sports leagues, and users face risks including fraud, identity theft and malware. Silent Push will present detailed findings in a webinar on 23 September 2025.


Wed, September 3, 2025

Tycoon Phishing Kit Uses New Link Obfuscation Techniques

🔐 Barracuda researchers have detailed new link-obfuscation capabilities in the Tycoon Phishing-as-a-Service kit that hide malicious destinations from scanners and recipients. Observed techniques include URL encoding with '%20' invisible spaces, deceptive Unicode characters, hidden codes appended to links, redundant protocol prefixes, and subdomain manipulation. Attacks also incorporate a fake CAPTCHA stage and tools aimed at bypassing multi-factor authentication, enabling more effective email-based social engineering and evasion of traditional filters.


Wed, September 3, 2025

A CISO’s Guide to Monitoring the Dark Web Effectively

🔍 Dark web monitoring gives CISOs timely, actionable intelligence that can reveal breaches, stolen credentials, and early indicators of ransomware campaigns. Continuous visibility into forums, marketplaces, and leak sites helps detect initial access brokers, stealer logs, and items like RDP/VPN access being sold, enabling rapid containment and credential revocation. Use platforms such as SpyCloud and DarkOwl, subscribe to threat feeds and ISACs, and augment with deception (honeypots, canary tokens) while integrating findings into SIEM/XDR and incident response playbooks.


Tue, September 2, 2025

MystRodX Backdoor Uses DNS and ICMP for Stealthy Control

🛡️ QiAnXin XLab warns of a stealthy backdoor named MystRodX (aka ChronosRAT) that leverages layered encryption and flexible network options to hinder detection. The C++ implant supports file management, port forwarding, reverse shells and socket control, and can run actively or as a passive "wake-up" backdoor triggered by crafted DNS queries or ICMP payloads. A multi-stage dropper with anti-debug and VM checks decrypts components and an AES-encrypted configuration that contains C2 endpoints, ports and the backdoor mode.


Tue, September 2, 2025

1965 Cryptanalysis Training Workbook Released by NSA

🧾 The NSA has declassified a September 1965 training workbook, Cryptanalytic Diagnosis with the Aid of a Computer, compiling 147 printouts from the diagnostic program Stethoscope. Run on the special-purpose Bogart computer, the listings show statistical outputs—frequency tables, index of coincidence, periodicity tests, and n-gram analyses—used to train analysts to infer language and cipher type without seeing plaintext. The document also notes the related tool Rob Roy and reflects an era when computers automated manual analytic work.
