All news with #threat report tag
Tue, August 12, 2025
Analyzing organizational traffic to Leakzone forum
🔍 UpGuard examined a leaked Elastic index containing 22 million client requests to Leakzone.net covering 28 days in June–July 2025. By mapping source IP metadata to known organizations, investigators identified traffic originating from universities, government networks, and private companies, including security vendors and large technology firms. Traffic patterns ranged from steady, automated scanning from services like Censys and SEMRush to bursty, human-like spikes from university and government networks, but the logs do not include request content, so intent remains uncertain.
Tue, August 12, 2025
Muddled Libra Strike Teams: Collaborative Cybercrime
🧩 Muddled Libra is not a single organized group but a fluid collaboration of personas that form distinct strike teams with varying objectives and tradecraft. Unit 42 has identified patterns across at least seven teams, from crypto theft and extortion to IP theft and mass data harvesting. Defenders should prioritize protecting high-value data, tighten access controls, and assume evolving tactics rather than a fixed adversary profile.
Tue, August 12, 2025
Dow's 125-Year Legacy: Innovating with AI for Security
🛡️ Dow is integrating AI into enterprise security through a strategic partnership with Microsoft, deploying Security Copilot and Microsoft 365 Copilot within its Cyber Security Operations Center. A cross-functional responsible AI team established principles and acceptable-use policies while assessing new AI risks. AI-driven tools are used to detect phishing and BEC, automate repetitive tasks, enrich tickets with contextual intelligence, and accelerate incident response. Apprentices leverage Copilot as a virtual mentor, shortening ramp time and enabling senior analysts to focus on proactive defense.
Tue, August 12, 2025
Supply-chain Dependencies and the Resilience Blind Spot
🔐 A DEF CON 33 panel argued that while digital tactics like misinformation and cyberattacks can disrupt systems, they rarely win wars on their own. Panelists emphasised that cyber effects tend to be temporary, whereas kinetic attacks inflict longer-lasting physical damage. Using a Taco Bell supply-chain analogy and real incidents such as Change Healthcare, the discussion urged organisations to map dependencies and build resilience to mitigate third-party risk.
Mon, August 11, 2025
Erlang/OTP SSH RCE: CVE-2025-32433 Exploitation Wave
⚠️ Unit 42 details active exploitation of CVE-2025-32433, a critical (CVSS 10.0) unauthenticated RCE in the Erlang/OTP SSH daemon that processes SSH protocol messages prior to authentication. Researchers reproduced and validated the bug and observed exploit bursts from May 1–9, 2025, with payloads delivering reverse shells and DNS-based callbacks to randomized subdomains. Immediate remediation is to upgrade to OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20 (or later); temporary measures include disabling SSH, restricting access and applying Unit 42 signature 96163.
Fri, August 8, 2025
Black Hat USA 2025: Insurers Limit Vendor Exposure
🛡️ At Black Hat USA 2025 speakers warned that high cyber-insurance premiums can reflect insurers capping exposure to specific third-party vendors rather than a direct finding of poor security in a customer’s environment. Insurers may respond to exceeded vendor thresholds by issuing prohibitively high quotes instead of declining coverage, effectively pricing some customers out. Claims data presented showed 45% of new claims in H1 2025 involved an SSL VPN lacking MFA, and Coalition reported 55% of ransomware begins at perimeter devices.
Fri, August 8, 2025
Android adware: risks, techniques and removal advice
📱 Android adware can range from benign ad‑supported apps to intrusive PUAs that harvest data, perform click fraud, or hide to prevent removal. Detections rose by 160% in H1 2025, and sophisticated campaigns such as Kaleidoscope — which uses identical “evil twin” apps across official and third‑party stores — accounted for a substantial share of incidents. To reduce risk, only install apps from reputable developers and the Google Play Store, keep software updated, enable PUA detection in mobile security tools, and if infected disconnect, reboot to Safe Mode and remove suspicious apps or run a trusted scanner.
Tue, August 5, 2025
ESET Threat Report H1 2025: ClickFix and Ransomware
🔍 ESET's H1 2025 Threat Report highlights a sharp rise in manipulative social-engineering techniques, coordinated infostealer takedowns, and aggressive infighting among ransomware groups. Hosts Aryeh Goretsky and Ondrej Kubovič analyze the rapid emergence of ClickFix, including the FakeCaptcha variant that coaxes victims into executing commands. They also summarize law enforcement disruptions of RedLine/Meta Stealer and other services, and recount a brazen “deathmatch” in which the small actor Dragonforce defaced and dismantled rival data leak sites.
Fri, August 1, 2025
Threat Actor Groups Tracked by Unit 42 — Updated 2025
📌 This Unit 42 reference catalog enumerates selected threat actor groups tracked by Palo Alto Networks, organized by assigned constellation and primary motivation (nation-state, cybercrime, ransomware). It lists aliases, activity summaries, typical sectors impacted and observed TTPs, and highlights recent additions through Aug. 1, 2025. Use of Unit 42 telemetry and the Attribution Framework informs assessments and updates.
Thu, July 31, 2025
Unit 42 Attribution Framework: Systematic Attribution
🔎 Unit 42's Attribution Framework defines a structured, repeatable process for linking observed cyber activity to clusters, temporary groups, or formally named threat actors. It pairs the Diamond Model with the Admiralty System to score source reliability and information credibility, guiding analysts through minimum standards, naming conventions, and promotion criteria to reduce premature attribution.
Tue, July 15, 2025
Unmasking AsyncRAT: Mapping Forks and Variants in the Wild
🛡️ ESET Research reviews the sprawling ecosystem of AsyncRAT, an open-source C# remote access trojan first published in 2019, and the many forks that have proliferated since. The post maps major families—most notably DcRat and VenomRAT—and outlines rapid identification techniques based on client configuration, embedded certificates, and behavior. It highlights uncommon plugins (USB spreaders, screamers, clipboard clippers, distributed brute modules) and stresses evolving obfuscation and evasion tactics.
Wed, July 2, 2025
Gamaredon 2024: Enhanced Spearphishing vs Ukrainian Targets
🔍 ESET Research describes Gamaredon’s 2024 shift to exclusively target Ukrainian government institutions, significantly increasing spearphishing scale and frequency while adopting new delivery techniques such as malicious hyperlinks and LNK files served from Cloudflare domains. The group introduced six new PowerShell and VBScript-based tools and upgraded existing implants with improved obfuscation, registry-based persistence, and stealth features. Operators have largely hidden C2 infrastructure behind Cloudflare tunnels and increasingly rely on third-party platforms and DoH for resilience.
Tue, July 1, 2025
ESET Threat Report H1 2025: Key Cyberthreat Findings
🛡️ The ESET research team has released the H1 2025 Threat Report, summarizing cyberthreat activity from December 2024 through May 2025. The report highlights a rapid rise in a new social engineering technique, ClickFix, with detections increasing more than fivefold, and a 160% surge in Android adware linked to evil twin fraud and PUAs. It also notes growing numbers of ransomware attacks and gangs even as overall payment values trended downward. Watch ESET Chief Security Evangelist Tony Anscombe's video overview and consult the full report for details and mitigation guidance.
Tue, July 1, 2025
ESET APT Activity Report - Q4 2024 to Q1 2025 Overview
🔍 The latest ESET APT Activity report and podcast episode summarize intrusion activity observed across Q4 2024–Q1 2025, highlighting persistent and evolving adversary techniques. ESET researchers spotlight China-aligned actors such as UnsolicitedBooker, which repeatedly targeted the same organization with the MarsSnake backdoor, and tool-sharing trends centered on groups like Worok. The report also covers Russia-aligned operations — Sednit’s expanded Operation RoundPress against webmail platforms, ongoing Gamaredon obfuscation in Ukraine, and Sandworm’s use of the ZEROLOT wiper — plus activity from other regional actors that complicate attribution and detection.
Wed, June 4, 2025
Google survey: U.S. consumers report rising online scams
🔒 Google’s latest survey with Morning Consult shows U.S. consumers increasingly aware of online scams and taking new protective steps. Over 60% report an uptick in scams and one-third say they experienced a data breach, with texts and email the most common vectors. The report highlights generational differences in sign-in preferences — older adults rely on passwords while Gen Z favors passkeys and social sign-ins — and recommends Google Password Manager, 2‑Step Verification and modern authentication methods.
Fri, May 23, 2025
Cost of Quantum Factoring for RSA: Updated Estimates
🧮 Google Quantum AI authors report that a future quantum computer with roughly one million noisy qubits running for about a week could theoretically factor a 2048-bit RSA key — a roughly 20× reduction in qubit requirements compared to their 2019 estimate. The improvement reflects both algorithmic advances (including approximate modular exponentiation and lower operation overhead) and error-correction gains. The post stresses the urgency of migrating to post-quantum cryptography (PQC) per NIST guidance, highlights deployment steps already taken in Chrome and Cloud KMS previews, and warns of “store now, decrypt later” risks for long-lived keys.
Tue, April 1, 2025
Building Resilient ICT Supply Chains: Supply Chain Month
🔒 This April, CISA highlights the 8th annual Supply Chain Integrity Month focused on strengthening the resilience of global information and communications technology (ICT) supply chains. The agency promotes four weekly themes—Preparedness, Mitigation, Trust, and Transparency—and showcases practical resources such as the Supply Chain Risk Management Essentials and Threat Scenarios Report. CISA also emphasizes vendor evaluation with the Vendor SCRM Template, hardware transparency via the HBOM Framework, and consolidated software guidance to help organizations assess, mitigate, and communicate ICT supply chain risks.
Fri, January 10, 2025
Turning Threat Research into Practical VirusTotal Detections
🔎 Detection engineering guidance for researchers and defenders. This post shows how VirusTotal can be used to hunt for recent, sandboxed samples and derive behavioral Sigma rules by combining targeted VT queries, sandbox logs (CAPE/Zenbox), and manual analysis. Using Lummac and VenomRAT examples, the team created experimental Sigma detections for process execution (more.com/vbc.exe) and suspicious .conf file creation to aid SOCs and hunting teams.
Mon, October 21, 2024
JA4 Client Fingerprinting Enhances VirusTotal Hunting
🔍 VirusTotal has added JA4 client fingerprinting to improve malware tracking and analysis. By extracting stable characteristics from the TLS Client Hello — including TLS version, cipher suites, extensions, and ALPN — JA4 is designed to be resilient to the extension randomization that reduced JA3's reliability. Analysts can pivot on these fingerprints using the platform's behavior_network modifier, run wildcard queries for partial matches, and automate detections with YARA rules that leverage the vt module.
Tue, August 30, 2022
Watering-Hole Campaign Deploys ScanBox Keylogger Nearby
🕵️ A China-linked actor, assessed as APT TA423 (Red Ladon), used targeted phishing and watering-hole pages to serve the ScanBox JavaScript reconnaissance framework to Australian domestic organizations and offshore energy firms between April and mid‑June 2022. The injected script acts as a browser-based keylogger and conducts extensive fingerprinting, enumerating OS, plugins, extensions, WebRTC and Flash. ScanBox further leverages STUN and ICE via WebRTC to establish peer connections and reach hosts behind NAT, enabling covert collection of typed data without writing malware to disk. Proofpoint and PwC researchers link the campaign to TA423 and note its likely intelligence focus on regional maritime and naval activity.