All news with #threat report tag

🔐 Google Cloud's H1 2026 Threat Horizons Report finds that in the second half of 2025 threat actors shifted from credential-based access to exploiting unpatched third-party software. Third-party software entry rose to 44.5% of primary vectors (up from 2.9%), while credential abuse declined to 27.2%. Google highlights React2Shell (CVE-2025-55182) as a heavily exploited RCE and recommends automated defenses, stronger identity controls and WAF protections to mitigate rapid post-disclosure attacks.

🔒 KadNap is a newly observed botnet that compromises primarily ASUS routers and other edge devices to assemble a distributed proxy network. Since August 2025 it has grown to roughly 14,000 nodes and uses a modified Kademlia Distributed Hash Table (DHT) protocol to conceal command-and-control infrastructure and complicate takedowns. Infections begin when a malicious script (aic.sh) is fetched from 212.104.141.140, which installs an ELF binary named kad and establishes persistence via a cron job that runs every 55 minutes. Researchers at Black Lotus Labs link KadNap to the Doppelganger/Faceless proxy service that sells access to infected devices, and Lumen has blocked related traffic on its network while preparing indicators of compromise.

⚠️ Check Point Research reports that global cyber attack volumes remained near record highs in February 2026, with an average of 2,086 weekly attacks per organization—a 9.6% year‑over‑year increase and effectively flat month‑to‑month (-0.2%). While ransomware activity eased versus the same period last year, overall attack volumes grew due to automation, expanding digital footprints, and persistent exposure risks tied to enterprise GenAI use. The findings point to a sustained, high‑pressure threat environment that demands continuous risk management.

🔎 Check Point Research observed increased activity by Chinese-nexus APT groups targeting Qatar following the recent Middle East escalation. Within a day of Operation Epic Fury's launch, the Camaro Dragon actor attempted to deploy a PlugX variant against Qatari targets. Attackers leveraged the conflict in their lures and demonstrated rapid adaptation to breaking events. The campaign highlights elevated regional cyber risk and the need for vigilant defenses.

🤖 The World Economic Forum’s Global Cybersecurity Outlook 2026 warns that AI is accelerating the cyber arms race: 94% of leaders expect it to be the top change driver and 87% say AI vulnerabilities are the fastest‑growing risk. The report notes organizations are improving AI tool security evaluation (from 37% to 64%), yet CEOs and CISOs display different risk priorities. It also highlights widening resilience gaps across organization sizes and calls for harmonized regulation and stronger public‑private collaboration.

🔐 IT-Harvest has published its 2026 Cyber 150 list, noting that AI security vendors make up 22% of the cohort. The annual ranking highlights mid-sized cybersecurity firms (50–500 staff) chosen on funding, 2025 growth and market traction. 33 companies were classified as AI security, including fast growers like Tenex.ai (318% growth) and well-funded names such as 7AI and Noma Security. The list also shows broad category distribution and geographic concentration in the US and Israel.

🔒Ransomware-as-a-service (RaaS) has driven a rise in financially motivated attacks, combining double and triple extortion, data theft, and growing use of AI. Law enforcement disruptions have fragmented the marketplace and helped spawn new players such as Akira, BlackCat, and RansomHub. Attackers exploit unpatched VPNs, open RDP, phishing, and zero-day flaws to hit healthcare, manufacturing, education, telecom and critical infrastructure.

🛡️ Palo Alto Networks Unit 42 attributes a years-long espionage campaign against high-value organizations in South, Southeast and East Asia to a previously undocumented cluster dubbed CL-UNK-1068. The actor uses a mixed toolkit of custom malware, modified open-source utilities and living-off-the-land binaries to operate on both Windows and Linux. Intrusions commonly begin with web server exploits and web shells, followed by credential theft and targeted file harvesting. Researchers observed novel exfiltration methods—archiving with WinRAR, Base64-encoding via certutil, and printing the encoded output to the web shell to avoid direct file transfer.

🔒 Ransomware operators are shifting from noisy, disruptive attacks to covert, long-term intrusions focused on data theft and extortion. Picus Security's Red-Teaming report—based on simulations and analysis of 1.1 million malware files and 15.5 million MITRE-mapped actions—finds most common techniques aim to remain undetected. Adversaries increasingly chain vulnerabilities, route C2 through trusted services like OpenAI and AWS, and favor persistence over immediate encryption, though some vendors dispute a reduction in overall activity.

🤖 Microsoft’s Threat Intelligence report warns that threat actors are increasingly using generative AI across all stages of cyberattacks to accelerate execution and lower technical barriers. Attackers employ models to draft phishing lures, generate realistic fake identities and resumes, produce or debug malware, and scaffold infrastructure. Groups like Jasper Sleet and Coral Sleet have used AI in remote IT worker schemes, while operators test jailbreaking and agentic techniques. Microsoft advises treating these campaigns as insider risks and strengthening identity controls, credential monitoring, and protections around AI systems.

🔐 Fortinet investigated recent reports of AI-assisted attacks and found no exploitation of FortiGate vulnerabilities; attackers instead exploited exposed management ports and weak single-factor credentials using automated password spraying. The novel concern is that conversational AI prompts and cloud resources can now automate target discovery, credential guessing, vulnerability assessment, and exploitation at scale with no coding required. Fortinet stresses defense-in-depth and rapid remediation.

🛡️ Google Threat Intelligence Group (GTIG) analysis found 90 zero-day vulnerabilities were actively exploited in 2025, and attackers are increasingly focusing on enterprise technology. Enterprise software and appliances accounted for 43 (48%) of tracked zero-days, with security and networking appliances most frequently targeted. End-user platforms still comprised 52% of exploits overall, led by Microsoft Windows, while mobile OS targeting rose and browser-based zero-days fell to a historic low. GTIG recommends segmentation, least-privilege architectures and continuous monitoring to detect and respond to threats.

⚠️ Google’s GTIG tracked 90 zero-day vulnerabilities in 2025, finding nearly half targeted enterprise technologies such as security appliances, VPNs, networking gear, and enterprise software. The report highlights that Chinese-linked actors increased their use of zero-days and that commercial surveillance vendors now outpaced state-backed groups. Defenders face shrinking response windows as exploit sharing, faster public-to-exploit timelines, and emerging AI accelerate attacks.

📌 Cisco Talos' 2025 retrospective finds 48,196 CVEs (≈132 per day) and highlights persistent root causes—XSS, SQL injection, and insecure deserialization—responsible for roughly 10,000 vulnerabilities. Known Exploited Vulnerabilities rose ~30% to 241, with many affecting network devices and an expanded vendor set of 99, underscoring patching and supply-chain visibility challenges. The author stresses prioritized patch management, accurate asset inventories, and compensating controls (microsegmentation, network isolation, enhanced monitoring) for unpatchable systems, and also notes a near-doubling of AI-related CVEs.

🔐 Google Threat Intelligence Group (GTIG) reports 90 zero-day vulnerabilities were actively exploited in 2025, a 15% increase from 2024. Nearly half targeted enterprise products such as security appliances, networking gear, VPNs, and virtualization platforms. Memory-safety issues comprised 35% of exploited flaws, and commercial spyware vendors overtook state actors as the top zero-day consumers. Google recommends reducing attack surface, continuous monitoring, and rapid patching to detect and contain exploitation.

🛡️ Google Threat Intelligence Group's 2025 review found 90 zero-day vulnerabilities exploited in the wild, down from 2023 but above 2024. Enterprise technologies accounted for a record 48% of zero-days, driven by attacks on networking and security appliances, while browser exploitation fell to historic lows. GTIG highlights growing involvement of commercial surveillance vendors and expanded financially motivated use of zero-days. Defenders are urged to prioritize segmentation, inventory, and rapid mitigation.

⚠️ FortiGuard Labs reports a surge of regional cyber activity in the 24–48 hours following U.S.-Israeli strikes on Iranian targets, including defacements, broadcast intrusions, Telegram claims, and internet disruptions, but no confirmed large-scale destructive campaign tied directly to the strikes. Many observed events appear to be psychological operations, hacktivist signaling, or opportunistic exploitation of geopolitical noise rather than coordinated state-level retaliation. The report warns that access is often pre-positioned and that activations can be delayed, so organizations should harden basic controls and preparedness now. Recommended actions include enabling MFA, automating patching, isolated backups, segmentation, active monitoring, and exercising incident response playbooks.

🔍 Resecurity analysed a leaked Ariomex database covering 2022–2025 and concluded the exchange's records suggest potential sanctions evasion and large capital transfers linked to actors inside Iran. The review covered 11,826 verified users, identified 27 potential sanctions matches and found about 7,710 Iran-linked accounts, with roughly 70% of volume in Tether and Tron. Resecurity flagged mechanisms such as shell accounts, stablecoin routing and intermediary wallets and said it will assist regulators.

🔍 Google Threat Intelligence Group describes Coruna, a sophisticated iOS exploit kit containing five full exploit chains and 23 exploits that target iOS 13.0 through 17.2.1. The kit combines WebKit RCEs, PAC/PPL bypasses, and a root-capable loader called PlasmaLoader that exfiltrates financial data and cryptocurrency wallet information. GTIG observed deployments by both suspected state-backed and financially motivated actors and added affected domains to Safe Browsing. Users are urged to update iOS or enable Lockdown Mode if updates are not possible.

🔍 The 2026 Cloudflare Threat Report from Cloudforce One documents a shift from brute-force intrusion toward high-trust exploitation, introducing a new metric: the Measure of Effectiveness (MOE). The report identifies eight trends — including AI-driven attack automation, token theft that neutralizes MFA, weaponized cloud tooling, and record-setting hyper-volumetric DDoS — that favor speed and throughput over sophistication. It urges organizations to adopt autonomous, real-time defenses and previews an upgraded automated threat-events command center to help harden the connective tissue of modern networks.