
All news with #threat report tag

497 articles · page 6 of 25

OFAC Sanctions DPRK IT Worker Network Funding WMDs

🚨 The U.S. Department of the Treasury's Office of Foreign Assets Control has sanctioned six individuals and two entities tied to a DPRK-run IT worker scheme that secured remote jobs, stole data, and funneled salaries back to North Korea to finance weapons programs. The operation—tracked as Coral Sleet/Jasper Sleet (also called PurpleDelta/Wagemole)—used stolen identities, fabricated personas, VPN services, and AI-enabled tools to conceal origins, launder funds, and deploy malware or extort victims. OFAC named Amnokgang Technology Development Company and several facilitators, currency converters, and account enablers; security firms and Microsoft warn the campaign leverages Astrill VPN, AI faceswaps, agentic LLM misuse, and offshore operations to maintain persistent, low-cost access.

Interlock Exploited Cisco FMC Zero-Day Since January

🔒 The Interlock ransomware gang exploited a maximum-severity remote code execution flaw in Cisco Secure Firewall Management Center as a zero-day beginning January 26, 2026. Cisco released a patch for CVE-2026-20131 on March 4, warning it allowed unauthenticated attackers to execute arbitrary Java code as root on unpatched devices. Amazon's threat team reported Interlock had been exploiting the vulnerability for 36 days prior to public disclosure.

AI and Automation Accelerate Exploitation in 2025

🔍 Rapid7's 2026 Global Threat Landscape Report finds AI and automation compressed the window between vulnerability disclosure and exploitation in 2025, turning what once unfolded over weeks into days or even minutes. The median time to inclusion on CISA's Known Exploited Vulnerabilities catalog fell from 8.5 days to five, and the mean dropped from 61 to 28.5 days. Confirmed exploitation of CVSS 7–10 flaws rose 105% YoY to 146 incidents, with deserialization, authentication bypass and memory corruption among the most targeted issues. Rapid7 urges CISOs to adopt pre-emptive security that reduces attack surface, prioritizes material risk and improves contextual detection and response.

Telegram Crackdown 2026: Why Cybercriminals Adapt and Persist

🔎 In early 2026 Telegram intensified enforcement after the late‑2024 arrest of CEO Pavel Durov and a year of stricter moderation in 2025. Millions of channels were taken down, bans and automation grew, and platform transparency reached new highs. Despite these measures, cybercriminal ecosystems on Telegram have not shrunk; they have rapidly adapted through fragmentation, private groups, automated tooling and alternative hosting. Check Point's Exposure Management intelligence highlights these shifts and explains why takedowns have reduced visibility but not eliminated illicit activity.

Over Half of UK Firms Hit by Nation-State Cyber Attacks

🛡️ The 2026 Armis Cyberwarfare Report found that 54% of UK companies experienced nation-state attacks last year, up from 47% previously. Based on interviews with 1,900 IT decision-makers (including 500 in the UK) and Armis Labs data, the study highlights growing fear over AI-powered threats and the weakening deterrent effect of "mutually assured disruption." Respondents identified Russia, China and North Korea as the greatest risks.

CISOs Struggle to Secure AI as Adoption Outpaces Defenses

🔒 The Pentera AI and Adversarial Testing Benchmark Report 2026, based on a survey of 300 US CISOs and senior security leaders, finds that most security teams lack the tools and skills to secure AI systems. 67% of respondents report limited visibility into AI usage, while half cite a lack of internal expertise. Organizations largely extend legacy security controls—75%—and only 11% use AI-specific tools.

APIs Now Dominant Attack Surface as Incidents Surge

🔒 Akamai’s 2025 State of the Internet report finds APIs have become the dominant attack surface, with an average of 258 API attacks per organization (up 113% year‑on‑year). The vendor reports 61% of attacks involved unauthorized workflows or abnormal behavior, signaling a shift towards behavior‑based exploitation. Top exploited issues included security misconfigurations, broken object property level authorization and broken authentication. Akamai also warns that agentic AI and automation are amplifying the risk of sensitive data exposure across APIs.

Boggy Serpens Threat Assessment: Evolving TTPs and Tooling

🔒 Boggy Serpens (aka MuddyWater) is a persistent Iranian cyberespionage group that has shifted from noisy spear phishing to tailored, long-term intrusion campaigns targeting diplomatic, maritime, energy and financial sectors. The actor exploits hijacked trusted accounts and blurred-document macros to bypass reputation filters and deploys AI-assisted and Rust-based implants such as BlackBeard, LampoRAT, UDPGangster and Nuso. Defenders should enforce strict macro controls and layered protections including Cortex XDR and Advanced WildFire to detect behavioral anomalies and limit long-term persistence.

Global Rise in Fake Shipment Tracking Scams — 2025 Update

📦 Group-IB reports a rapid global escalation of fake shipment tracking scams during 2025, jumping from almost no activity in 2024 to more than 100 unique campaigns per month and peaks of 218 and 208 in June and December. Attackers use disposable and lookalike domains, SMS sender spoofing, local-looking numbers and URL masking to trick recipients into providing credentials or paying bogus fees. Many phishing sites share infrastructure linked to the Darcula PhaaS, which offers thousands of counterfeit domains and templates. The report urges organisations to strengthen domain authentication and increase customer alerts.

Weekly Cybersecurity Recap: Chrome 0-days and Router Botnets

🔒 This weekly recap spotlights multiple high‑urgency incidents, including two actively exploited Chrome zero‑days—an out‑of‑bounds write in Skia (CVE‑2026‑3909) and an implementation flaw in V8 (CVE‑2026‑3910)—patched in Chrome 146.0.7680.75/76. It also documents large router botnets such as SocksEscort and KadNap that flash custom firmware to maintain persistence and operate as proxy services. Supply‑chain abuse reappears with UNC6426, which used stolen nx npm keys and abused GitHub→AWS OIDC trust to gain admin access and exfiltrate S3 data within 72 hours. Prioritize patching actively exploited flaws, audit OIDC/S3 trusts and router persistence, and monitor for emerging supply‑chain and AI‑agent risks.

Ransomware TTPs and Shifting Threat Landscape — 2025

🔐 GTIG and Mandiant analysis of 2025 ransomware activity shows a shift toward greater data-theft-extortion and targeting of virtualization despite declining overall profitability for operators. Exploitation of VPNs and firewalls, increased abuse of legitimate tools and cloud services, and more aggressive extortion tactics produced a record number of data-leak-site postings. REDBIKE was the most frequently observed family, and defenders saw drops in Cobalt Strike and RMM reliance. Recommended actions include patching perimeter devices, hardening virtualization, improving backup resiliency, enforcing credential hygiene, and monitoring for anomalous data egress.

FBI Warns on Residential Proxy Abuse Targeting Devices

🔒 The FBI has issued guidance warning organizations and consumers about the growing use of residential proxies by cybercriminals, which reroute traffic through compromised home devices to mask malicious activity. By taking over IoT devices, smartphones, and home routers, attackers can make illegal traffic appear to originate from legitimate residential connections. The FBI recommends timely patching, strict device policies, network segmentation, blocking IPs tied to residential proxy networks, and stronger firewall rules to mitigate risk.

Handala Hack Wiper Attacks Targeting Intune Admins

🔒 Unit 42 warns of elevated risk from destructive wiper operations attributed to the Iranian-linked Handala Hack actor, which has used phishing and compromised Microsoft Intune administrative access to delete servers and devices and disrupt operations. The actor, first seen in late 2023 and also tracked as Void Manticore, COBALT MYSTIQUE and Storm‑1084/0842, is assessed as a state-directed front for Iran’s MOIS. Mitigations focus on eliminating standing privileges (JIT, PIM), hardening Entra ID and Intune admin roles, enforcing conditional access and hardware MFA, reducing session lifetimes and ensuring immutable offline backups.

Latest Microsoft Email Security Benchmark Findings

🛡️ Microsoft published updated email security benchmarks comparing Defender, secure email gateways (SEGs), and integrated cloud email security (ICES) solutions. The data shows Microsoft Defender removes an average of 70.8% of malicious email post-delivery, with ICES partners contributing the remaining 29.2% of post-delivery remediation. Layering matters: integrated ICES solutions improve marketing and bulk filtering by an average of 13.7%, while incremental gains for spam and malicious filtering were modest (around 0.29% and 0.24% respectively). The report also compares misses per 1,000 users, showing Defender had fewer high-severity misses than several evaluated SEG vendors.

France: ANSSI Reports Fall in Ransomware Attacks 2025

🔒 The French cybersecurity agency ANSSI reported a decrease in known ransomware incidents in 2025, recording 128 attacks versus 141 in 2024. The agency attributed the decline partly to large-scale law enforcement actions and preventive interventions by cyber defenders, including Operation Endgame. Small and medium businesses remained the most targeted, while healthcare and education saw the sharpest increases. Prominent strains included Qilin, Akira and LockBit 3.0/LockBit Black.

Cyber-Attacks on UK Firms Rise Nearly Fourfold YoY

📈 The February 2026 Check Point Global Threat Intelligence report found UK organisations saw fewer weekly attacks per organisation (1,504) than the global average (2,086), but a 36% year‑on‑year increase — nearly four times the global 9.8% rise. Education, energy & utilities, government, healthcare and financial services were among the most frequently targeted UK sectors. Ransomware remained acute, with 49 active groups and a plurality of victims attributed to Qilin, Clop and The Gentlemen. The report also warned that widespread, unmanaged GenAI use is elevating inadvertent data‑exposure risk, with one in 31 prompts judged high risk.

ESET Threat Intelligence Emerges as Strategic Game-Changer

🔍 ESET positions its threat intelligence and telemetry as essential tools for organizations facing increasingly sophisticated cyber threats, including AI-enabled attacks and convincing deepfakes. ESET Telemetry reports a 12% decline in overall detections in India (Jan–Aug 2025), but ransomware surged 70% from H2 2024 to H1 2025 and phishing remains the most common vector. The vendor bundles endpoint, XDR, identity protection, MDR, and analyst-driven APT reporting to help CIOs and CISOs stay ahead.

KadNap Botnet Hijacks Edge Routers Using DHT P2P Network

🛡️ Cybersecurity researchers at Black Lotus Labs have identified a novel malware family, KadNap, that has infected over 14,000 edge devices — primarily Asus routers — since first observed in August 2025. KadNap uses a custom Kademlia-based DHT to conceal its control infrastructure and build a resilient peer-to-peer botnet. Infected devices are being offered as residential proxies by a service named Doppelgänger, complicating attribution and abuse tracking.

Cloud Threat Horizons: Emerging Cloud Exploitation Risk

⚠️ The Cloud Threat Horizons report from Google Cloud's Office of the CISO warns that AI-assisted exploitation has compressed the window from vulnerability disclosure to active attacks from weeks to days. In H2 2025, third-party software flaws became the leading initial access vector, surpassing weak credentials. The report urges automated defenses, identity-based controls, and tamper-resistant logging to improve forensic readiness.

X Suspended 800M Accounts in 2024; Manipulation Remains

🛡️ X told British MPs it suspended 800 million accounts in 2024 for breaching rules on platform manipulation and spam. Company government affairs executive Wifredo Fernández said Russia was the most active state-backed manipulator, followed by Iran and China, and that efforts to influence elections and 'flood the zone' persist. Despite Elon Musk's prior pledge to purge bots, X acknowledges hundreds of millions of inauthentic accounts are removed annually, raising concerns about uncaught actors and moderation practices.