< ciso
brief />
Tag Banner

All news with #threat report tag

542 articles · page 15 of 28

ThreatsDay Weekly: Redis RCE, RMM Abuse, AI Voice Brief

🛡️ This week’s ThreatsDay covers a broad set of active risks: a critical Redis XACKDEL stack‑overflow RCE (CVE‑2025‑62507, CVSS 8.8) with ~2,924 servers affected, signed malware campaigns by BaoLoader, and surging abuse of legitimate RMM tools delivered by phishing. Researchers also disclosed RCE in AI/ML libraries via Hydra.instantiate() misuse and a new voice‑cloning evasion technique, VocalBridge. Multiple OT, Wi‑Fi, and smart‑contract incidents — and law‑enforcement activity — round out this week’s notable developments. Prioritize patches, certificate vetting, and account hygiene.
read more →

Microsoft Tops Brands Imitated in Q4 2025 Phishing

🔒 In Q4 2025, Check Point Research found Microsoft to be the most impersonated brand in phishing campaigns, responsible for 22% of branded phishing attempts. Google followed with 13%, while Amazon rose to 9%, driven by Black Friday and holiday sales, displacing Apple. After a lengthy absence, Facebook (Meta) reappeared in the top ten at fifth, underscoring renewed interest in social media account takeover. The pattern reflects a multi-quarter trend of attackers abusing trusted enterprise and consumer brands to harvest credentials and gain initial access.
read more →

Critical HPE OneView RCE Under Active Exploitation Campaign

🚨 Check Point Research reports large-scale active exploitation of CVE-2025-37164, a critical remote code execution flaw in HPE OneView. The campaign, attributed to the RondoDox botnet, generated tens of thousands of automated attack attempts that were blocked by Check Point defenses. The issue was reported to CISA and added to the Known Exploited Vulnerabilities catalog on January 7, 2026; organizations should patch immediately.
read more →

UAT-8837 APT Targets North American Critical Systems

🔍 Cisco Talos is tracking UAT-8837, an assessed China-nexus APT that since 2025 has focused on obtaining initial access to high-value and critical infrastructure organizations in North America. The actor uses both n-day and zero-day exploits (including CVE-2025-53690 in SiteCore) and often deploys open-source tooling—Earthworm, SharpHound, DWAgent, Certipy, and GoTokenTheft—to harvest credentials, enumerate Active Directory, and create remote tunnels. Operators perform hands-on-keyboard reconnaissance, create backdoored accounts and remote admin access, and cycle tools when endpoint protections block their payloads. Talos provides IOCs, Snort rules, and ClamAV signatures to detect and mitigate this activity.
read more →

Microsoft Disrupts RedVDS, Takedown of Fraud RDP Service

🛡️Microsoft said it executed coordinated legal action in the U.S. and U.K. to seize infrastructure and take RedVDS (redvds[.]com) offline after linking the service to large‑scale fraud. For as little as US $24 per month, the subscription offered disposable Windows RDP hosts and a Telegram management bot with no activity logs. Microsoft attributed roughly US $40 million in U.S. fraud since March 2025 and says RedVDS‑enabled attacks compromised over 191,000 organizations worldwide since September 2025.
read more →

From typos to takeovers: npm supply‑chain attack escalation

🔐 The npm ecosystem has shifted from simple typosquatting to coordinated, credential-driven supply‑chain intrusions that target maintainers, CI pipelines, and trusted automation. Attackers now compromise legitimate packages via stolen tokens and publish trojanized updates that quietly propagate to millions of downstream projects. Detection increasingly requires runtime and anomaly analysis rather than static scanning, while mitigations focus on treating CI runners as production assets, aggressively rotating and scoping publish tokens, disabling unnecessary lifecycle scripts, and pinning dependencies to immutable versions.
read more →

Impersonation Drives Crypto Fraud to Record $17bn in 2025

🪙 Chainalysis reports cryptocurrency-related fraud reached at least $14bn in 2025 and expects the total to rise to $17bn as more illicit wallets are identified. Impersonation scams surged in volume by 1,400% YoY and payment values jumped, while AI-linked operations now extract substantially higher revenues. The report warns of industrialized, Asia-linked networks using layered laundering to convert crypto into real-world assets and urges combined prevention and law enforcement responses.
read more →

Allianz: AI Rises to Major Global Business Risk Worldwide

🤖 Allianz Commercial's annual Risk Barometer reports that artificial intelligence has jumped from tenth to second place among global business risks, trailing only cybercrime. The insurer warns that cybercriminals increasingly harness AI for social engineering—deepfakes, cloned voices and highly tailored phishing—while legitimate internal AI use can produce erroneous or fabricated outputs that prompt litigation and reputational harm. The survey of 3,338 professionals across 97 countries also links AI risk to business interruptions and copyright exposure.
read more →

Cybercrime Inc.: Organized Hackers Outpacing IT Defense

🔒 Cybercrime has evolved into a structured, global underground economy that mirrors legitimate corporations, with departments, KPIs, and scalable supply chains. Models like ransomware-as-a-service let nontechnical actors license malware, buy access, and outsource extortion, while payments and sales are managed via closed forums and cryptocurrencies. The result is an efficient, agile adversary that exploits human error, leverages AI for social engineering, and gains a persistent speed advantage over often bureaucratic defenders.
read more →

PLUGGYAPE Backdoor Uses Signal and WhatsApp for Access

🛡️CERT-UA reports a campaign attributed with medium confidence to the group tracked as Void Blizzard that targeted Ukrainian defense forces between October and December 2025 with a Python backdoor dubbed PLUGGYAPE. Attackers used Signal and WhatsApp messages, impersonating charities and distributing password‑protected archives containing a PyInstaller executable. The backdoor supports remote code execution over WebSocket and, as of December 2025, MQTT, and retrieves base64‑encoded C2 addresses from paste services to maintain operational resilience. Successive builds have added obfuscation and anti‑analysis checks to avoid execution in virtual environments.
read more →

Latin America Sees Sharpest Rise in Cyber Attacks - Dec 2025

📈 In December 2025 organizations experienced an average of 2,027 cyber attacks per organization per week, reflecting a 1% month-over-month and 9% year-over-year increase. Latin America recorded the steepest rise, with 3,065 attacks per week on average, a 26% year-over-year jump. Check Point attributes sharper regional and sector-level spikes primarily to accelerating ransomware operations and growing exposure tied to enterprise adoption of generative AI. The findings signal heightened risk even as overall growth appears moderate.
read more →

Phishing and Fraud Surpass Ransomware as Top Risk Globally

🔒Phishing and broader cyber-enabled fraud have overtaken ransomware as the primary concern for business leaders, according to the World Economic Forum’s Global Cybersecurity Outlook for 2026. The WEF report, produced with Accenture and released on 12 January ahead of Davos, found 77% of surveyed executives reported increases in fraud and phishing, with 62% aware of phishing incidents in their networks. The review also highlights accelerating AI-driven vulnerabilities — 87% reported rising AI-related risks and 94% expect AI to shape cybersecurity in 2026.
read more →

Weekly Recap: Automation, Exploits, and Rapid Escalation

🔐 This week's recap highlights how small oversights and automation conveniences have become widespread attack vectors, enabling rapid, large-scale compromise. Key incidents include a maximum-severity RCE in n8n (Ni8mare, CVE-2026-21858) affecting self-hosted instances, the 2M-device Kimwolf Android botnet, and malicious Chrome extensions that exfiltrated AI conversations. The report catalogs numerous trending CVEs and active campaigns, emphasizing that familiar tools and exposed services are the biggest risks today.
read more →

Illicit Crypto Activity Hits Record $158bn in 2025

📈 TRM Labs estimates illicit crypto wallets received $158bn in 2025, a 145% increase on 2024, while Chainalysis published a comparable $154bn figure. TRM attributes the surge to increased sanctions evasion (notably by Russia, Iran and Venezuela), improved identification via the Beacon Network, and a handful of large-scale hacks. The firm cautions that methodology changes and ongoing investigations mean these numbers are a dynamic baseline rather than fixed totals. Measured as a share of on-chain flows, illicit activity actually declined to 1.5% in 2025.
read more →

Cybersecurity Predictions 2026: Hype vs. Actionable Risks

🔍 Bitdefender is hosting a webinar to separate speculative cybersecurity headlines from evidence-based risks organizations should prioritize for 2026. The session centers on three converging trends: ransomware evolving into targeted disruption, uncontrolled internal AI adoption that erodes perimeter assumptions, and a sober assessment of claims about AI-orchestrated adaptive attacks. Attendees receive research-backed guidance to align investments and defenses with real operational risk.
read more →

From Resolutions to Response: UAT-7290 APT Disclosure

🔒 Cisco Talos' Threat Source newsletter contrasts personal resolution habits with practical security practices and highlights an important APT disclosure. The post details a new Talos finding on UAT-7290, an espionage-focused actor active since at least 2022 that targets South Asian telecom and network infrastructure using implants named RushDrop, DriveSwitch, and SilentRaid. It urges defenders to apply updated detection signatures, audit and harden internet-facing devices, and ensure incident response plans are ready, while also summarizing notable weekly headlines and telemetry.
read more →

China-linked UAT-7290 Targets South Asian Telecoms

📡 Cisco Talos attributes a long-running cyber-espionage campaign to UAT-7290, a China-nexus actor targeting telecommunications providers since at least 2022. The group prioritizes public-facing edge devices in South Asia and has recently expanded activity into Southeastern Europe, using one-day exploits and SSH brute-force to gain persistent footholds. Its Linux-focused toolkit includes RushDrop, DriveSwitch and the modular backdoor SilentRaid, while Bulbature is used to convert compromised systems into relay nodes that can support other China-linked operators.
read more →

China-linked UAT-7290 Targets Telecoms, Deploys ORBs

🔍 Cisco Talos attributes a China-nexus cluster named UAT-7290 to espionage-focused intrusions against South Asian and Southeastern European organizations. The actor conducts detailed reconnaissance and exploits one-day vulnerabilities and SSH brute force to compromise edge devices, primarily targeting telecommunications providers. UAT-7290 deploys Linux-based tooling including RushDrop, DriveSwitch, and SilentRaid, and uses the Bulbature backdoor to establish Operational Relay Box (ORB) nodes for broader access.
read more →

Trusted Open Source Report: Longtail Risk & Remediation

🔒 Chainguard’s quarterly pulse, The State of Trusted Open Source, analyzes anonymized usage and CVE data across a large customer base and catalog of container images to reveal where real production risk concentrates. The report finds Python leading the modern AI stack, while roughly half of production runs on a diverse longtail of images beyond the top 20. Importantly, 98% of remediated CVE instances occurred in that longtail, and compliance drivers like FIPS adoption materially influence image choices. Chainguard also highlights fast remediation performance, averaging under 20 hours for Critical CVEs.
read more →

UAT-7290: China-Nexus APT Targeting Telecom Edge Devices

🔍 Cisco Talos discloses UAT-7290, a China‑nexus APT active since at least 2022 that targets telecommunications infrastructure in South Asia and has recently expanded into Southeastern Europe. The actor conducts extensive reconnaissance, uses one‑day exploits and target-specific SSH brute force, and primarily deploys a Linux-centric toolset including RushDrop, DriveSwitch, SilentRaid, and Bulbature. Talos notes UAT-7290 also provisions Operational Relay Box (ORB) nodes that may support other China-nexus operators and provides ClamAV and Snort signatures for detection.
read more →