
All news with #threat report tag

497 articles · page 4 of 25

Talos Takes: 2025 Ransomware Trends and Vulnerabilities

🔒 Talos analysts Amy Ciminnisi and Pierre Cadieux review the ransomware and vulnerability patterns that shaped 2025. They emphasize persistent campaigns against the manufacturing sector, increased targeting of management infrastructure, and the rise of stealthy living-off-the-land techniques that evade traditional controls. The hosts explain how to spot the difference between a system administrator and a threat actor and outline steps organizations can take to move beyond reactive defenses toward a more resilient, proactive security posture.

FBI: Over $17.7bn Lost to Cyber Fraud in US During 2025

🛡️ The FBI's 2025 Internet Crime Report shows US victims lost more than $17.7 billion to internet-enabled fraud, with the Internet Crime Complaint Center (IC3) receiving over one million complaints in 2025. Cryptocurrency investment scams were the single largest source of financial loss at $7.2 billion, followed by Business Email Compromise and fake tech support schemes. The report also highlights nearly $893 million lost to AI-enabled fraud and 22,364 AI-related complaints, warning that synthetic content and deepfakes are increasingly abused to perpetrate scams.

Talos 2025 Review: Rapid Exploits and Legacy Risks

🔍 Talos' 2025 Year in Review highlights a marked shift in attacker behavior driven by both newly disclosed flaws and long-entrenched components. In the final weeks of 2025 React/React2Shell surged to the top of exploit activity, followed by legacy targets such as PHPUnit and Log4j. Agentic AI accelerated the creation and deployment of proofs-of-concept and exploit kits, dramatically reducing attacker time-to-exploit. Talos urges organizations to prioritize identity-adjacent systems and management planes for patching and mitigation.

BKA Identifies REvil Leaders Behind 130 Attacks in Germany

🕵️ Germany's Federal Criminal Police Office (BKA) has named the alleged primary operators of the REvil (aka Sodinokibi) ransomware ring as Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk. Shchukin, widely known by aliases including UNKN and Oneiilk2, is accused of acting as a group leader while Kravchuk is alleged to have served as a developer. The BKA links the two to 130 attacks in Germany, €1.9 million in paid ransoms across 25 cases, and total losses exceeding €35.4 million, situating the announcement within earlier international actions that disrupted REvil.

Key cyber industry trends from RSA Conference 2026

🤖 RSA 2026 highlighted a rapid, industry-wide shift toward AI-driven security, with CISOs clustering into three archetypes—proactive, curious/confused, and blissfully ignorant. Vendors stressed the need to build AI foundations (data/context engines, control planes, execution layers) and then layer agents atop them. Microsoft, legacy security vendors, and AI-native startups all showcased approaches, while pricing, governance, and evolving threats remain open challenges.

Talos 2025 Year in Review: Identity, AI, and Speed

🔒 The Cisco Talos 2025 Year in Review, discussed by Christopher Marshall and Peter Bailey, highlights accelerating attacker speed and a shift toward identity as the primary battleground. The report shows rapid weaponization of new flaws alongside persistent exploitation of legacy, end-of-life infrastructure, and a sharp rise in fraudulent device registration. Defenders are urged to prioritize identity controls, visibility, lifecycle discipline, and secure AI governance to keep pace.

Most UK CNI Firms Face Up to £5m OT Downtime Costs

🔒 A survey by e2e-assure of 250 UK critical national infrastructure (CNI) cybersecurity decision-makers found 80% of organisations expect operational technology (OT) downtime costs between £100,000 and £5m, with 23% reporting incidents exceeding £1m and 6% above £5m. Nearly two-thirds said they fear nation-state attacks, and the vendor warned attackers commonly pivot from IT into exposed OT environments. Respondents also highlighted limited OT visibility and supply-chain risks that hinder detection, response and remediation efforts.

CERT-UA Impersonation Campaign Distributes AGEWHEEZE RAT

📢 CERT-UA disclosed a phishing campaign in which attackers impersonated the agency to distribute a remote access trojan, AGEWHEEZE, via a password-protected ZIP hosted on Files.fm sent March 26–27, 2026. Emails, some originating from incidents@cert-ua.tech, targeted state bodies, medical centers, security firms, educational institutions, financial organizations and developers, urging installation of a purported "protection tool." The Go-based RAT communicates with 54.36.237.92 over WebSockets, supports extensive remote commands and persistence mechanisms, but CERT-UA reports only a handful of personal device infections and provided remediation assistance.

Legitimate Access Drives Modern Intrusions, Report Says

🔐 Blackpoint Cyber's 2026 Annual Threat Report finds that routine, legitimate access paths — not software exploits — increasingly enable intrusions. Across thousands of 2025 investigations, SSL VPN abuse (32.8%) and misuse of legitimate RMM tools (30.3%) were dominant initial access vectors, with ScreenConnect implicated in most rogue RMM cases. Social-engineering campaigns such as fake CAPTCHA and ClickFix-style prompts drove 57.5% of incidents, while Adversary-in-the-Middle phishing facilitated session reuse after MFA in about 16% of cloud compromises. The report urges treating remote access as high-risk and strengthening inventories, installation controls, and conditional access to reduce these blended, legitimate-looking intrusions.

Google VRP 2025 Year in Review: Growth and Milestones

🛡️ In 2025 Google’s Vulnerability Reward Program (VRP) celebrated its 15th anniversary and awarded over $17 million to more than 700 researchers worldwide — a 40%+ increase versus 2024. The year introduced a standalone AI VRP, extended Chrome rewards for AI features, and launched a patch rewards program for OSV-SCALIBR. Multiple bugSWAT events and the ESCAL8 conference generated hundreds of reports and significant payouts. Google reaffirms its commitment to collaboration, transparency, and continued events in 2026.

Axios supply-chain compromise adds malicious dependency

⚠️ Google Threat Intelligence Group (GTIG) observed a supply-chain attack on 2026-03-31 where attackers introduced a malicious dependency, plain-crypto-js, into legitimate axios releases (1.14.1 and 0.30.4). The package contains an obfuscated Node.js dropper (SILKBELL) that installs the multi-platform WAVESHAPER.V2 backdoor on Windows, macOS, and Linux. GTIG attributes the activity to UNC1069 and publishes IOCs and remediation steps for affected developers and organizations.

Phantom Stealer: .NET Infostealer Hits European Firms

🔍 Phantom Stealer, a .NET-based infostealer sold as part of a commercial cybercrime toolkit, harvests browser credentials, cookies, saved passwords, autofill and payment card details as well as messaging and email session data from infected systems. Group-IB observed a sustained phishing campaign between November 2025 and January 2026 that targeted logistics, manufacturing and technology organizations across Europe in five waves. Emails impersonated an equipment trading company and carried archive attachments with obfuscated JavaScript droppers or malicious executables. Indicators such as SPF failures, missing DKIM, reused templates and consistent spelling mistakes pointed to automated, template-driven stealer-as-a-service activity, with stolen data exfiltrated via messaging platforms, SMTP and FTP.

Espionage Campaigns Targeting Southeast Asian Government

🔎 Unit 42 identified converging cyberespionage clusters that targeted a Southeast Asian government between June and August 2025. The investigation found three simultaneous activity clusters—Stately Taurus, CL-STA-1048, and CL-STA-1049—using USB-propagated worms, multiple RATs, and stealthy loaders to establish persistent access and exfiltrate data. Unit 42 links tooling and TTPs to China-aligned actors and recommends layered defenses including Cortex XDR and Advanced WildFire.

Talos Year in Review: Identity, Vulnerabilities, and Trends

🔒 The Talos 2025 Year in Review synthesizes Cisco telemetry, incident response cases, and Talos research into a free, cross‑functional report highlighting identity-focused attacks, supply‑chain risks, and phishing trends. Key findings include React2Shell as the most targeted CVE, ToolShell ranking third, and Qilin as the dominant ransomware variant. The report warns that attackers increasingly compromise network infrastructure — especially ADCs and management platforms — to bypass MFA and escalate across environments, and recommends prioritizing patching and treating these devices as identity control points.

AI Named Top Cybersecurity Priority as Threats Rise

🔒 A PwC report finds AI is now the top cybersecurity investment priority for defenders as criminals rapidly weaponize generative models. The firm's Annual Threat Dynamics 2026 study warns adversaries are using AI to accelerate malware development, automate reconnaissance and scale social engineering, including via dark‑web LLMs. PwC cites agentic tools like ReaperAI being repurposed in real campaigns, but also stresses that AI can empower defenders with faster detection, automated containment and intelligence‑led decision‑making when embedded into security strategies.

Russia Arrests Suspected Owner of LeakBase Forum in Rostov

🔒 Russian police in the Rostov region arrested a Taganrog resident accused of owning and administering the cybercrime forum LeakBase. The forum, launched in 2021 and linked to the ARES threat group, grew to over 142,000 members and was used to trade stolen databases, exploits, and illicit services. In March 2026 authorities from the FBI and 14 other countries dismantled the site during Operation Leak, seizing the domain and preserving the forum database and logs as evidence.

2025 Threat Trends: Talos and Splunk Double-Header

🔍 In this episode of Talos Takes, Amy is joined by William Largent (Cisco Talos) and Lou Stella (Splunk) for a double-header review of the newly released Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats. The conversation draws on Cisco telemetry, Talos original research, and Talos Incident Response engagements to move beyond headlines and identify actionable trends. Highlights include the professionalization of ransomware-as-a-service, the persistent exploitation of decade-old vulnerabilities, and practical guidance to help defenders prioritize mitigations and shrink their attack surface for the year ahead.

Coruna iOS Exploit Kit Reuses 2023 Triangulation Code

⚠️ Coruna, an iPhone exploit kit, repurposes an updated kernel exploit originally used in the 2023 Operation Triangulation campaign, according to Kaspersky. The kit targets iOS 13.0–17.2.1 devices with five full exploit chains and 23 exploits, fingerprinting Safari visitors and selecting tailored Mach-O loaders and payloads. Kaspersky warns the actively maintained, modular codebase now enables mass exploitation and broader criminal reuse, increasing risk to unpatched users.

Iran-Linked Pay2Key Ransomware Re-Emerges with Evasion

🔒 Security researchers warn that the Iran-linked Pay2Key ransomware group has re-emerged with enhanced evasion, execution and anti-forensics capabilities. A Halcyon and Beazley Security analysis of a recent US healthcare provider incident describes interactive access via TeamViewer, credential theft with Mimikatz, LaZagne and ExtPassword, and host discovery using Advanced IP Scanner and ns.exe. Operators used the AD console (dsa.msc) to blend in, deployed an SFX payload (abc.exe) to encrypt systems within three hours, and removed a 'No Defender' toolkit to hide tracks. Report authors found no clear evidence of data exfiltration and warn defenders to monitor this unpredictable, politically motivated threat.

Spammers Abuse Yandex Surveys to Host Phishing Campaigns

⚠️ Kaspersky researchers have observed threat actors abusing Yandex Surveys to host phishing content and evade email filters by leveraging the platform's legitimate domain reputation. Attackers embed fraudulent pitches and malicious links in rich-text survey blocks, add official-looking logos, then hide interface elements with invisible padding; Kaspersky Premium blocked about 2,200 such messages in January and over 32,000 in February. Recipients who follow the links land on polished giveaway pages that harvest personal data, wallet addresses, or payments.