< ciso
brief />
Tag Banner

All news with #threat report tag

542 articles · page 25 of 28

Bookworm Linked to Stately Taurus — Unit 42 Analysis

🔎 This Unit 42 case study applies the Unit 42 Attribution Framework to link the Bookworm remote access Trojan to the Chinese APT group Stately Taurus by combining malware analysis, tooling, OPSEC, infrastructure, victimology, and timelines. Analysts highlighted embedded PDB paths, a UUID-based shellcode encoding technique, and co-occurrence with a custom tool named ToneShell. Overlapping C2 IPs and domains, consistent targeting in Southeast Asia, and closely aligned compile times supported a high-confidence attribution. Palo Alto Networks also lists protections across WildFire, NGFW, URL/DNS filtering, Cortex XDR, and incident response contact options.
read more →

Chinese State-Linked RedNovember Targets Global Org

🛰️ Recorded Future has attributed a widespread cyber-espionage cluster to a Chinese state-sponsored actor it has named RedNovember, which overlaps with Microsoft's Storm-2077. From June 2024 to July 2025 the group targeted internet-facing perimeter appliances and used a mix of open-source and commercial tooling — notably Pantegana, Spark RAT and Cobalt Strike — to gain persistent access across government and private-sector networks worldwide. Attacks exploited known CVEs in VPNs, firewalls and other security appliances and leveraged a Go-based loader derived from LESLIELOADER, while administration infrastructure relied on VPN services such as ExpressVPN and Warp.
read more →

Malicious npm Package Uses QR Code to Steal Cookies

🔍 A malicious npm package named Fezbox was discovered using QR-code steganography to conceal and deliver a credential-stealing payload. The package fetched a QR image from a remote URL, waited roughly 120 seconds, decoded embedded code and executed it to extract usernames and passwords from browser cookies. Socket's AI-based scanner flagged the behavior; the package, which had at least 327 downloads, was removed after a takedown request to the npm security team.
read more →

ShadowV2 Botnet Highlights Growth of DDoS-as-a-Service

🛡️ Darktrace has uncovered a ShadowV2 campaign that combines a GitHub CodeSpaces-hosted Python command-and-control framework, a Docker-based spreader, and a Go-based RAT to operate a DDoS-as-a-service platform. Attackers target exposed Docker daemons on AWS EC2 to build on-victim images and deploy malware via environment variables, reducing forensic artifacts. The platform exposes an OpenAPI-driven UI and multi-tenant API enabling HTTP/HTTP2 floods, UAM bypasses, and other configurable attack options.
read more →

Obscura: New Ransomware Variant Targeting Domains Globally

🔒 On 29 August 2025 Huntress analysts identified a previously unseen ransomware variant they named Obscura after its embedded ransom note. The binary was placed in the domain NETLOGON scripts folder, enabling propagation via AD replication, and the actor created scheduled tasks to run it across hosts. Obscura requires administrative privileges, attempts to delete volume shadow copies and terminates roughly 120 security and backup processes. It uses Curve25519/X25519 key exchange and XChaCha20 for file encryption and writes a decoded ransom note to C:\README-OBSCURA.txt.
read more →

Allianz: Attackers Shift From Large Firms to Easier Targets

🛡️ Allianz warns that cybercriminals are increasingly shifting focus from well‑defended large organizations to smaller, less secure firms and to regions beyond the US and Europe. The insurer's Cyber report says customer losses in H1 2025 were about half those in H1 2024, even as active ransomware groups may have risen by roughly 50%. Double extortion and data theft now account for a growing share of large losses, and attackers often exploit third‑party IT providers to reach hardened targets.
read more →

European police dismantle crypto fraud ring, €100M loss

🚨 Five suspects were arrested in a cross-border crackdown on a cryptocurrency investment fraud ring that stole over €100 million from more than 100 victims. The operation, coordinated by Eurojust and supported by Europol, involved investigative teams from Spain, Portugal, Bulgaria, Italy, Lithuania and Romania and included searches and asset freezes. The scam, active since at least 2018, lured investors with promises of high returns and routed funds to bank accounts in Lithuania; victims were later asked to pay recovery fees before platforms went offline.
read more →

AI Growth Fuels Surge in Hardware and API Vulnerabilities

🛡️ Bugcrowd's annual "Inside the Mind of a CISO 2025: Resilience in an AI-Accelerated World" report warns that rapid, AI-assisted development is expanding the attack surface and exposing foundational weaknesses. Published September 23, the study links faster release cycles to gaps in access control, data protection and hardware security, and highlights rising API and network vulnerabilities. It calls for continuous offensive testing and collective intelligence to mitigate escalating risks.
read more →

Attacker Breakout Time Drops to 18 Minutes, ReliaQuest

🔒 ReliaQuest's Threat Spotlight (June–August 2025) reports average attacker breakout time — the period from initial access to lateral movement — has fallen to 18 minutes, with one Akira incident taking just six minutes. The vendor warns adversaries are becoming faster and more adept at bypassing endpoint protections, noting an increase in ransomware using the SMB protocol (from 20% to 29%). Drive-by compromise was the leading initial vector at 34%, and USB-based malware, notably Gamarue, is resurging due to weak policy enforcement and inconsistent endpoint controls.
read more →

Lighthouse and Lucid PhaaS Linked to 17,500 Phishing Domains

🔍 Netcraft reports that the PhaaS platforms Lucid and Lighthouse are linked to more than 17,500 phishing domains impersonating 316 brands across 74 countries. Lucid, first documented by PRODAFT in April, supports smishing via Apple iMessage and RCS and is tied to the Chinese-speaking XinXin group. Both services offer customizable templates, real-time victim monitoring, and granular targeting controls (User-Agent, proxy country, configured paths) that restrict access to intended victims. Lighthouse subscriptions run from $88 per week to $1,588 per year, underscoring the commercial scale of these offerings.
read more →

IR Playbooks and Mental Health After Major Incidents

🛡️ Joe Marshall uses the VPN Filter investigation to illuminate the often-hidden personal cost of incident response. He recounts months of high-pressure analysis into a modular SOHO botnet attributed to APT28 that featured persistence and a potentially destructive kill switch, and describes how prolonged stress produced burnout, fractured relationships, and career impact. Marshall offers four practical mitigations — boundaries, peer support, unplugged self-care, and mandatory decompression — and underscores how a Cisco Talos Incident Response (IR) Retainer can ensure organizations respond decisively while protecting staff wellbeing.
read more →

Forrester: Microsoft Defender Delivers 242% ROI Over 3 Years

🔒 Microsoft’s latest Forrester TEI study found a 242% return on investment over three years for organizations using Microsoft Defender. The analysis attributes $17.8 million in total benefits and reports an average payback period of less than six months for a composite organization. Integrated with Microsoft Sentinel, Defender streamlines SecOps by consolidating tooling, lowering false positives, and accelerating response through automation and KQL-enabled detections. Customers cite improved visibility across hybrid and multicloud environments and reduced operational overhead.
read more →

SystemBC Turns Compromised VPS into High-Capacity Proxy

🔎 Researchers at Lumen Technology’s Black Lotus Labs say the SystemBC proxy botnet actively targets commercial VPS instances worldwide to build a high-capacity proxy network. The operation averages about 1,500 bots daily, relies on more than 80 C2 servers, and primarily exploits unpatched systems that often contain dozens of vulnerabilities. Customers and operators exhibit poor operational security, and the service is used by ransomware groups and third-party proxy resellers.
read more →

One in Three Android Apps Expose Sensitive Data to Attackers

🔒 The 2025 Zimperium Global Mobile Threat Report finds that one in three Android apps and more than half of iOS apps leak sensitive information through insecure APIs, and nearly half of apps contain hardcoded secrets such as API keys. Client-side weaknesses let attackers tamper with apps, intercept traffic and bypass perimeter defences. The report recommends API hardening and app attestation to ensure API calls originate from genuine, untampered apps.
read more →

Zscaler ThreatLabz: Global Ransomware Surge 2024–2025

🔒 Zscaler's annual ThreatLabz Ransomware Report (April 2024–April 2025) warns of a marked rise in extortion-focused attacks: incidents increased 146% year-over-year while exfiltrated data grew 92%. The vendor attributes this to a strategic shift from pure encryption to data theft and public shaming, with criminals using stolen files as leverage. Researchers also report that generative AI is increasingly incorporated into attackers' playbooks to enable more targeted and efficient campaigns. The U.S. accounted for half of all recorded attacks, Germany saw a nearly 75% rise and is the EU's most affected country, and the most-targeted sectors were manufacturing, technology and healthcare.
read more →

Protecting SMBs From Ransomware: Trends and Defenses

🔒 Small and medium-sized businesses are increasingly targeted by ransomware gangs that exploit weak defenses, offer Ransomware-as-a-Service, and adapt tactics with AI-driven tools. RaaS industrialization and discoveries like ESET's PromptLock demonstrate how attackers can scale reconnaissance, exploitation and social engineering. SMBs face double-extortion, DDoS and coercive pressures while repeat payments remain an issue despite a decline in aggregate crypto payouts. Practical defenses—Zero Trust, timely patching, reliable backups, EDR/MDR and tested incident response—can materially reduce risk.
read more →

AI Shifts Entry-Level Cyber Hiring Toward Soft Skills

🔍Teamwork, problem-solving and analytical thinking now outrank core technical skills in entry-level cybersecurity hiring, according to an ISC2 study of 929 hiring managers across the US, UK, Canada, Germany, India and Japan. The report finds AI is reshaping priorities: managers favour human strengths that AI can't duplicate while routine monitoring is increasingly automated. Experts warn that overreliance on certifications and broken entry pipelines exclude capable candidates, prompting vendors and employers to broaden recruitment through apprenticeships, neurodiverse hiring and outreach to career changers.
read more →

API Attacks Surge: 40,000 Incidents in H1 2025 Report

🔒 Thales' Imperva analysed telemetry from over 4,000 environments and reported about 40,000 API incidents in H1 2025, finding APIs now attract 44% of advanced bot traffic. Key findings included a 40% rise in credential-stuffing and account-takeover attempts against APIs without adaptive MFA, plus data scraping (31%) and coupon/payment fraud (26%). Financial services, telecoms and travel were among the most targeted sectors, and Thales warned the pace and sophistication of attacks will continue to increase.
read more →

Domain-Based Attacks Will Continue to Wreak Havoc Globally

🔒 Domain-based attacks that exploit DNS and registered domains are rising in frequency and sophistication, driven heavily by AI. Attackers increasingly blend website spoofing, email domain impersonation, subdomain hijacking, DNS tunnelling and automated domain-generation (DGAs) to scale campaigns and evade detection. Many proven protections—Registry Lock, DNSSEC, DNS redundancy and active domain monitoring—remain underused, leaving organizations exposed. Security teams should adopt preemptive scanning, layered DNS controls, strict asset ownership and employee training to limit impact.
read more →

ICO: Students Cause Majority of UK School Data Breaches

🔒 The ICO analyzed 215 insider personal data breach reports from the UK education sector between January 2022 and August 2024 and found students were responsible for 57% of incidents. Around 30% of breaches involved stolen login credentials, with students accounting for 97% of those attacks by guessing weak passwords or using credentials found on paper. The report highlights cases where pupils used freely available tools to break into school systems and access or alter thousands of records. The ICO urges parents, schools and the wider industry to channel curiosity into legitimate cyber careers and strengthen basic protections.
read more →