All news with #threat report tag

CrowdStrike: Rise in Physical Attacks on Privileged Users

🔒 CrowdStrike's 2025 analysis documents a sharp rise in physical attacks and kidnappings tied to cyber intrusions, concentrated in Europe. The report cites the January 2025 kidnapping of a Ledger co‑founder and records 17 similar incidents in Europe from January through September 2025, 13 of them in France. Consultants warn attackers increasingly pair cyber operations with real‑world violence, driving organizations to strengthen physical and executive security and adjust incident response playbooks.

Asset Management: The Essential Foundation for Defense

🔍 Threat intelligence is valuable but only effective when organizations maintain reliable asset management. Asset management—the inventory, monitoring, and administration of hosts—provides the foundational visibility needed to detect, patch, and prevent intrusions. Bradley Duncan cites historic malware like Emotet and Qakbot to show how poor asset hygiene enabled massive infections and urges proactive measures such as Unit 42's Attack Surface Assessment.

Malicious Android Apps on Google Play Reach 42M Downloads

🔒 A Zscaler report found 239 malicious Android apps on Google Play that were downloaded a combined 42 million times between June 2024 and May 2025, driven largely by adware, spyware, and banking trojans. Telemetry shows a 67% year-over-year increase in mobile-targeted malware, with adware now comprising roughly 69% of detections and spyware up 220% YoY. Zscaler highlights evolving strains such as Anatsa, Android Void, and Xnotice, and advises timely updates, strict app permissions, disabling unnecessary Accessibility access, and regular Play Protect scans.

Scattered LAPSUS$ Hunters Unite ShinyHunters Alliance

🔎 Trustwave SpiderLabs has identified a coordinated alliance now operating as Scattered LAPSUS$ Hunters (SLH), merging reputational capital from Scattered Spider, ShinyHunters and LAPSUS$. The collective presents a unified operational brand, complete with a named "Operations Centre," centralized narrative and affiliate-driven extortion model. Analysis attributes fewer than five core operators managing roughly 30 personas and highlights Telegram as a persistent command-and-branding hub. Trustwave warns this consolidation aims to fill the vacuum left by the collapse of BreachForums and to sustain public, intimidation-based extortion tactics.

Cybersecurity Forecast 2026: AI, Cybercrime, Nation-State

🔒 The Cybersecurity Forecast 2026 synthesizes frontline telemetry and expert analysis from Google Cloud security teams to outline the most significant threats and defensive shifts for the coming year. The report emphasizes how adversaries will broadly adopt AI to scale attacks, with specific risks including prompt injection and AI-enabled social engineering. It also highlights persistent cybercrime trends—ransomware, extortion, and on-chain resiliency—and evolving nation‑state campaigns. Organizations are urged to adapt IAM, secure AI agents, and harden virtualization controls to stay ahead.

How Social Engineering Works — Unlocked 403 Podcast S2E6

🔍 In this episode of Unlocked 403, host Becks speaks with Alena Košinárová, a software engineer at ESET, to unpack the psychological tactics behind social engineering and why people fall for scams even when they know better. They discuss how public information and social media amplify attackers' effectiveness and outline practical measures to reduce exposure. The segment balances behavioral insight with clear, actionable defenses.

Cloudflare analysis confirms Turkmenistan IP changes

🔍 Cloudflare researchers revisited historic telemetry to assess reports that Turkmenistan experienced an unprecedented easing of IP address blocking in mid‑2024 and may have been testing a new firewall. Using Radar metrics, they observed a clear surge in HTTP requests beginning in mid‑June, alongside shifts in TCP reset and timeout patterns. These connection anomalies manifested at different stages of the TCP lifecycle across multiple autonomous systems, and while the data cannot provide attribution, the observed patterns are consistent with large‑scale filtering or firewall testing.

Weekly Recap: Lazarus Web3 Attacks and TEE.Fail Risks

🔐 This week's recap highlights a broad set of high‑impact threats, from a suspected China‑linked intrusion exploiting a critical Motex Lanscope flaw to deploy Gokcpdoor, to North Korean BlueNoroff campaigns targeting Web3 executives. Researchers disclosed TEE.fail, a low‑cost DDR5 side‑channel that can extract secrets from Intel and AMD TEEs. Also noted: human‑mimicking Android banking malware, WSL‑based ransomware tactics, and multiple high‑priority CVEs.

Continuous Exposure Management Transforms SOC Ops Today

🔍 SOC analysts are increasingly overwhelmed by alert volume and contextual blind spots that force extensive manual triage. Continuous exposure management brings environment-specific intelligence into existing EDR, SIEM, and SOAR workflows to prioritize assets, validate exploitability, and visualize attack paths. By correlating exposures with MITRE ATT&CK techniques and automating remediation workflows, teams reduce false positives, accelerate investigations, and harden detections over time.

Hacktivists Target Internet-Exposed Industrial Controls

⚠️ The Canadian Centre for Cyber Security warns hacktivists are increasingly exploiting internet-accessible industrial control systems (ICS), citing recent intrusions that affected a water utility, an oil and gas automated tank gauge (ATG), and a farm's grain-drying silo. Attackers manipulated pressure, fuel-gauge, and environmental controls, creating safety and service disruptions. The alert urges secure remote access via VPNs with MFA and inventories of OT assets. Provincial and municipal coordination is recommended to protect sectors lacking cybersecurity oversight.

European Ransomware Leak-Site Victims Spike in 2025

🔒 CrowdStrike's 2025 European Threat Landscape Report found a 13% year-on-year rise in ransomware victims across Europe, with the UK hardest hit. The study, covering leak sites from September 2024 to August 2025, identified 1,380 victims and noted that since January 2024 more than 2,100 organisations were named on extortion sites, with 92% involving file encryption and data theft. The report highlights Akira and LockBit as the most active groups and warns of persistent big-game hunting, growing vishing campaigns and an emerging Violence-as-a-Service threat landscape.

Aligning Security with Business Strategy: Practical Steps

🤝 Security leaders must move beyond a risk-only mindset to actively support business goals, as Jungheinrich CISO Tim Sattler demonstrates by joining his company’s AI center of excellence to advise on both risks and opportunities. Industry research shows significant gaps—only 13% of CISOs are consulted early on major strategic decisions and many struggle to articulate value beyond mitigation. Practical alignment means embedding security into initiatives, using business metrics to measure effectiveness, and prioritizing controls that enable growth rather than impede operations.

2025 European Threat Landscape: Extortion and State Activity

🔍 CrowdStrike’s 2025 European Threat Landscape Report reveals rising extortion and intensifying nation-state operations across Europe, with Big Game Hunting (BGH) actors naming roughly 2,100 Europe-based victims on more than 100 dedicated leak sites since January 1, 2024. The United Kingdom, Germany, Italy, France and Spain are most targeted, across sectors such as manufacturing, professional services, technology, industrials and retail. The report details an active cybercrime ecosystem — forums, encrypted apps and marketplaces — and notes enabling techniques like voice phishing and fake CAPTCHA lures, while geopolitical conflicts drive expanded Russian-, Chinese-, Iranian- and DPRK-linked operations.

China-Linked UNC6384 Exploits Windows LNK Vulnerability

🔒 A China-affiliated group tracked as UNC6384 exploited an unpatched Windows shortcut flaw (ZDI-CAN-25373, CVE-2025-9491) to target diplomatic and government entities in Europe between September and October 2025. According to Arctic Wolf, the campaign used spear-phishing links to deliver malicious LNK files that launch a PowerShell stager, sideload a CanonStager DLL, and deploy the PlugX remote access trojan. Microsoft says Defender detections and Smart App Control can help block this activity.

The Unified Linkage Model: Reframing Cyber Risk in Practice

🔗The Unified Linkage Model (ULM) reframes cyber risk by focusing on the relationships — not just individual assets — that allow vulnerabilities and adversaries to propagate across systems. Drawing on the Okta 2023 support-credential compromise, the model highlights three structural linkage types: adjacency, inheritance and trustworthiness. ULM shifts analysis from topology or isolated CVE lists to the connective tissue that enables systemic exposure. Applied correctly, it clarifies prioritization, accelerates impact analysis and unifies threat and vulnerability data into actionable risk pathways.

October 2025: Key Cybersecurity Stories and Guidance

🔒 As October 2025 concludes, ESET Chief Security Evangelist Tony Anscombe reviews the month’s most significant cybersecurity developments and what they mean for defenders. He highlights that Windows 10 reached end of support on October 14 and outlines practical options for affected users and organizations. He also warns about info‑stealing malware spread through TikTok videos posing as free activation guides and summarizes Microsoft’s report that Russia, China, Iran and North Korea are increasingly using AI in cyberattacks — alongside China’s accusation of an NSA operation targeting its National Time Service Center.

Trick, Treat, Repeat: Patch Trends and Tooling for Q3

🎃 Microsoft’s free Windows 10 updates have largely ended, with EEA consumers receiving free Extended Security Updates through Oct 14, 2026, while most other users must pay. Q3 telemetry shows roughly 35,000 CVEs through September, averaging about 130 new entries per day, and a rising set of Known Exploited Vulnerabilities (KEV) that widen vendor and network impact. Talos also launched the Tool Talk series, offering a hands-on guide to dynamic binary instrumentation with DynamoRIO for malware analysis and runtime inspection.

Russian Ransomware Gangs Adopt Open-Source AdaptixC2

🔒 AdaptixC2, an open-source command-and-control framework, has been adopted by multiple threat actors, including groups tied to Russian ransomware operations, prompting warnings about its dual-use nature. The tool offers encrypted communications, credential and screenshot managers, remote terminal capabilities, a Golang server, and a cross-platform C++ QT GUI client. Security firms Palo Alto Networks Unit 42 and Silent Push have analyzed its modular capabilities and traced marketing activity to a developer using the handle RalfHacker. Observed abuse includes fake Microsoft Teams help-desk scams and an AI-generated PowerShell loader used to deliver post-exploitation payloads.

AdaptixC2 Abused by Ransomware Operators Worldwide

⚠️ Silent Push reports a surge in malicious use of AdaptixC2, an open-source adversarial emulation framework that researchers say is now being delivered by the CountLoader malware as part of active ransomware operations. Deployments accelerated after new detection signatures were released, and public incident reports show increased sightings across multiple intrusions. Analysts flagged the developer alias RalfHacker and issued indicators covering Golang C2 traffic and unknown C++/QT executables.

Hezi Rash: Kurdish Hacktivist DDoS Campaigns Rising

🛡️ Hezi Rash is a Kurdish nationalist hacktivist collective formed in 2023 that has escalated to coordinated DDoS campaigns targeting entities perceived as hostile to Kurdish or Muslim communities. Their public rhetoric mixes nationalism, religion, and activism, and they have claimed attacks in response to symbolic provocations such as an anime scene depicting a burning Kurdish flag. Targets reported include anime platforms, media outlets, NGOs, and government services, causing intermittent service disruptions and demonstrating growing technical sophistication.