
Here's Why Businesses Need to be Wary of Document-Borne Malware


Cybersecurity experts are constantly on the lookout for novel attack tactics as criminal groups adapt to improved defences against ransomware and phishing. Alongside the latest developments, however, some traditional strategies seem to be resurfacing, or rather, they never really went away.

Document-borne malware is one such strategy. Once believed to be a relic of early cyber warfare, this tactic remains a significant threat, especially for organisations that handle huge volumes of sensitive data, such as those in critical infrastructure.

The lure for perpetrators is evident. Routine files, including Word documents, PDFs, and Excel spreadsheets, are intrinsically trusted and freely exchanged between enterprises, often via cloud-based systems. With modern security measures focussing on endpoints, networks, and email filtering, seemingly innocuous files can serve as the ideal Trojan horse. 

Reasons behind malicious actors using document-borne malware 

Attacks using malicious documents seem to be a relic. It's a decades-old strategy, but that doesn't make it any less damaging for organisations. While the concept is not novel, threat groups are modernising it to keep it fresh and bypass conventional security procedures. This means the seemingly outdated method remains a threat even in the most security-conscious sectors.

As with other email-based techniques, attackers often prefer to hide in plain sight. The majority of attacks use standard file types like PDFs, Word documents, and Excel spreadsheets to carry malware. Malware is typically concealed in macros, encoded in scripts like JavaScript within PDFs, or hidden behind obfuscated file formats and layers of encryption and archiving. 

These unassuming files are used with common social engineering approaches, such as a supplier invoice or user submission form. Spoofed addresses or hacked accounts are examples of email attack strategies that help mask malicious content. 

Organisations' challenges in defending against these threats 

Security analysts claim that document security is frequently disregarded in favour of other domains, such as endpoint protection and network perimeter. Although document-borne attacks are sufficiently commonplace to be overlooked, they are sophisticated enough to evade the majority of common security measures.

There is an overreliance on signature-based antivirus solutions, which frequently fail to detect new document-borne threats. While security teams are often aware of harmful macros, other active content such as ActiveX controls, OLE objects, and embedded JavaScript may be overlooked.

Attackers have also discovered that there is a considerable mental blind spot when it comes to documents that appear to have been supplied via conventional cloud-based routes. Even when staff have received phishing awareness training, there is a propensity to instinctively believe a document that arrives from an expected source, such as Google or Office 365.

Mitigation tips 

As with other evolving cyberattack strategies, a multi-layered approach is essential to defending against document-borne threats. One critical step is to use a multi-engine approach to malware scanning. While threat actors may be able to deceive one detection engine, using several technologies increases the likelihood of detecting concealed malware and minimises false negatives.

Content Disarm and Reconstruction (CDR) tools are also critical. These sanitise and remove malicious macros, scripts, and other active content while keeping the usable document intact. Suspect files can then be run through enhanced sandboxes to observe the behaviour of previously unknown threats in a controlled environment.

The network should also be configured with strict file rules, such as limiting high-risk file categories and requiring user authentication before document uploads. Setting file size restrictions can also help detect malicious documents that have grown in size due to hidden code. Efficiency and dependability are also important here. Organisations must be able to detect fraudulent documents in their regular incoming traffic while maintaining a rapid and consistent workflow for customers.
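As an added example (not code from the original article), a defender-side pre-filter in Python that applies the checks above: it classifies a file by its magic bytes, looks for the hidden active content the article lists (VBA macros, ActiveX and OLE objects in Office files; JavaScript, auto-run and launch actions in PDFs), flags encrypted or nested archive entries, enforces a size ceiling, and routes each file to the appropriate layer (allow, sanitise with CDR, sandbox, or block). The 25 MiB limit, the marker lists and the verdict names are assumptions for this example, and the sample documents are constructed in memory.

```python
from __future__ import annotations

import io
import re
import zipfile

# Assumed size ceiling for inbound documents; the article recommends a limit but
# gives no figure, so 25 MiB is a constructed value for this example.
MAX_DOC_BYTES = 25 * 1024 * 1024

# Zip entry name fragments that mark active content in DOCX/XLSX/PPTX containers,
# each mapped to the action a CDR layer would take.
OOXML_RISKY_ENTRIES = {
    "vbaproject.bin": ("VBA macro project", "sanitise"),
    "activex": ("ActiveX control", "sanitise"),
    "embeddings/oleobject": ("embedded OLE object", "sanitise"),
}

# PDF name objects that enable scripting, auto-run actions, launches or attachments.
PDF_RISKY_KEYS = {
    b"/JavaScript": ("embedded JavaScript", "sanitise"),
    b"/JS": ("JavaScript action", "sanitise"),
    b"/OpenAction": ("action that runs when the file is opened", "sanitise"),
    b"/AA": ("additional event-triggered actions", "sanitise"),
    b"/Launch": ("launch of an external program", "sanitise"),
    b"/EmbeddedFile": ("embedded file attachment", "sanitise"),
}

# Verdict precedence: the most severe finding decides.
PRIORITY = {"allow": 0, "sanitise": 1, "sandbox": 2, "block": 3}


def scan_ooxml(data: bytes) -> list[tuple[str, str]]:
    """Flag active content, encrypted entries and nested archives in an OOXML zip."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    findings.append((f"encrypted entry ({info.filename})", "sandbox"))
                if name.endswith((".zip", ".docm", ".xlsm", ".pptm")):
                    findings.append((f"nested archive ({info.filename})", "sandbox"))
                for marker, (label, action) in OOXML_RISKY_ENTRIES.items():
                    if marker in name:
                        findings.append((f"{label} ({info.filename})", action))
    except zipfile.BadZipFile:
        findings.append(("corrupt or non-zip OOXML container", "sandbox"))
    return findings


def scan_pdf(data: bytes) -> list[tuple[str, str]]:
    """Flag risky PDF name objects by raw byte search.

    Catches the plain case only: names inside compressed object streams or
    written with #xx hex escapes need a real PDF parser, so no hit is not proof
    of a clean file.
    """
    findings = []
    for key, (label, action) in PDF_RISKY_KEYS.items():
        # Require a delimiter after the name so /JS does not match e.g. /JSX.
        if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", data):
            findings.append((label, action))
    return findings


def triage(data: bytes) -> dict:
    """Classify a document by magic bytes and return findings plus a verdict."""
    if len(data) > MAX_DOC_BYTES:
        return {"type": "unknown", "findings": [("exceeds size limit", "block")],
                "verdict": "block"}
    if data.startswith(b"%PDF"):
        kind, findings = "pdf", scan_pdf(data)
    elif data.startswith(b"PK\x03\x04"):
        kind, findings = "ooxml", scan_ooxml(data)
    elif data.startswith(b"\xd0\xcf\x11\xe0"):
        # Legacy binary Office (OLE2) file: macros cannot be ruled out without
        # parsing the compound document, so it goes to the sandbox.
        kind, findings = "ole2", [("legacy binary Office format", "sandbox")]
    else:
        kind, findings = "unknown", [("unrecognised file type", "sandbox")]
    verdict = max((action for _, action in findings), key=PRIORITY.get, default="allow")
    return {"type": kind, "findings": findings, "verdict": verdict}


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, no real VBA")
    return buf.getvalue()


# Constructed PDF whose catalog triggers a JavaScript action on open (no payload).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (1+1) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

Running `triage()` over the two constructed Office files and the constructed PDF gives "allow" for the macro-free document and "sanitise" for the other two; the raw-byte PDF check is a first-pass filter, and anything it cannot see should still go to the multi-engine scanners and sandbox the article describes.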

The True Cost of Legacy Software: A Comprehensive Look


Business leaders tend to stay with what they know. It's familiar, comfortable, and, above all, seems trustworthy. However, this comfort zone can cost them more than they realise when it comes to legacy software systems.

Many leaders focus on the upfront costs of new technology while failing to consider the long-term implications of remaining with outdated systems. As technology advances, it's important to examine how past systems stack up against modern cloud-based options, particularly in terms of scalability, integration, and access to upcoming breakthroughs. 

True cost of legacy systems

The upfront expenses of sustaining legacy systems do not account for all of the challenges that firms should consider. These antiquated systems, for example, often rely on on-site physical servers, necessitating substantial infrastructure expenditure. Setting up a new server can cost up to $10,000, with additional costs for software licenses, maintenance, and support adding up quickly. 

These systems also incur additional operational costs, such as higher power consumption, heat output, supplemental cooling requirements, and a constant demand on bandwidth during data backup. 

Another often-overlooked expense is the knowledge reliance that these systems entail. When key IT personnel leave, they take with them the knowledge required to maintain and troubleshoot these outdated systems. Equally troubling is the increased IT complexity of managing server-based systems, particularly as an organisation grows and scales.

While the disadvantages of legacy software are widely known, there are some legitimate reasons why some organisations continue to use it—at least for the time being. Regulatory or compliance frameworks may require on-premises data storage or auditing transparency, which cloud providers cannot currently provide. In some circumstances, modernisation may be delayed out of necessity rather than choice. 

ROI of cloud-based platforms 

Think of modern cloud-based platforms as growth accelerators rather than cost-cutters. Cloud solutions bring scalability, artificial intelligence, and automation. According to McKinsey, firms that go beyond basic cloud adoption and proactively integrate cloud into their operations could unlock up to $3 trillion in global value through faster product creation, better decision-making, and increased operational resilience.

Cloud solutions also enable the use of open APIs, allowing enterprises to seamlessly integrate technologies. Unlike traditional software, which locks firms into rigid systems, contemporary cloud platforms with open APIs allow for unique technology stacks adapted to specific business requirements. This transition allows organisations to select best-in-class systems for finance, customer management, logistics, and marketing automation. 

These capabilities are especially important in healthcare, where interconnected systems can simplify operations and improve patient care. According to another McKinsey analysis, 62% of healthcare professionals feel generative AI offers the greatest potential to boost consumer engagement, but just 29% have begun to deploy it, indicating a considerable gap between opportunity and implementation.

Ransomware Attacks Continue to Rise in an Alarming Trend


The frequency and intensity of cyberthreats seem to be increasing despite businesses' ongoing efforts to thwart malicious actors. Honeywell, a global technology and manufacturing firm that also provides cybersecurity solutions, reported a 46% rise in ransomware extortion attacks between October 1, 2024, and March 31, 2025, as compared to the previous six-month period. 

Win32.Worm.Ramnit, a Trojan that typically targets the banking sector to steal account details, was found in 37% of files blocked by Honeywell's SMX product. That represented a 3,000% rise from the second quarter of 2024, when Honeywell last reported on it. 

In its investigation report, Honeywell stated that "it can likely be assumed it has been repurposed to extract control system credentials" due to the Trojan's saturation presence in the ecosystems of its industrial clients. "Existing adversaries continue to disrupt operations across critical sectors, even in the absence of new ransomware variants specifically designed for industrial control systems." 

A total of 1,929 ransomware incidents were made public during the reporting period. Eight verticals accounted for the vast majority (71%) of the cases, with the industries most affected being manufacturing, construction, healthcare, and technology.

Given that ransomware attacks are normally "more opportunistic, typically creating a normal distribution of attacks across different industries," Honeywell noted that this was a highly unusual pattern. The report states that manufacturing plants, water treatment facilities, and energy providers have experienced supply chain disruptions, manual failovers, and forced production outages caused by ransomware.

In response to the elevated threats, some organisations "doubled down on best practices that would be considered baseline" during the reporting period, according to Honeywell. Such practices include immutable data backups and regular vulnerability assessments. According to Honeywell, as of October 2024, victimised organisations had paid out more than $1 billion in ransom payments.

Another new cybersecurity report, from the Information Security Media Group, focused on artificial intelligence, which it described as the "defining force" of cybersecurity-related disruption. 

As businesses use AI to automate threat detection and scale response capabilities, "adversaries are using the same technologies to enhance phishing, generate polymorphic malware, and conduct identity fraud with unprecedented precision," according to the ISMG research. ISMG added that the combination of AI and quantum computing "further signals a critical shift requiring crypto-agility and forward planning."

Understanding the Dynamic Threat Landscape of Ransomware Attacks


The constant expansion of cyber threats, particularly malware and ransomware, necessitates our undivided attention. Our defence strategy must evolve in tandem with the threats. So far this year, ransomware has targeted Frederick Health Medical Group, Co-op Supermarkets, and Marks & Spencer. 

This meant that critical data got into the wrong hands, supply networks were interrupted, and online transactions were halted. Almost 400,000 PCs were attacked with Lumma Stealer malware, a ClickFix malware version went viral, and a new spyware dubbed 'LOSTKEYS' appeared.

The threat landscape is always evolving, making traditional security methods ineffective. Effective protection methods are not merely useful; they are essential to guard against the severe data loss, financial damage, and reputational impact these attacks can cause. Understanding the nature of these adversaries is a critical first step towards developing strong defences.

Ransomware: An ongoing and profitable menace 

Ransomware deserves special attention. It encrypts data and demands payment for its release, frequently spreading through phishing or software vulnerabilities. More sophisticated ransomware variants steal data before encrypting it, combining encryption with the threat of exposure. The effects of ransomware include:
  • Data loss: may be permanent without backups.
  • Financial costs: includes the ransom, restoration, and penalties.
  • Reputational damage: if the breach is publicly exposed, trust is lost.

Ransomware's profitability makes it particularly tenacious. It does not just impact huge companies; small firms, healthcare systems, and educational institutions are all common targets. Its ease of deployment and high return on investment continue to attract cybercriminals, resulting in more aggressive campaigns.

Ransomware attacks increasingly use "double extortion," in which attackers exfiltrate data before encrypting it. Victims confront two threats: inaccessible data and public exposure. This strategy not only increases the chance of ransom payment but also raises the stakes for organisations that are already struggling to recover.

Challenges

Malware and ransomware are challenging to detect due to evasive strategies. Attackers are getting more creative, using legitimate administrative tools, zero-day vulnerabilities, and social engineering to get around defences. A multi-layered security approach that includes behavioural detection, endpoint hardening, and regular system updates is necessary to defend against these threats.

In the end, protecting against malware and ransomware involves more than just technology; it also involves mentality. Professionals in cybersecurity need to be knowledgeable, proactive, and flexible. The defenders must adapt to the ever-changing threats.

Here's How 'Alert Fatigue' Can Be Combated Using Neuroscience


Boaz Barzel, Field CTO at OX Security, recently conducted research with colleagues at OX Security and discovered that an average organisation had more than half a million alerts at any given time. More astonishing is that 95% to 98% of those alerts are not critical, and in many cases are not even issues that need to be addressed at all. 

This deluge has resulted in the alert fatigue problem, which jeopardises the foundations of our digital defence and has its roots in neuroscience.

Security experts must constantly manage alerts. Veteran security practitioner Matt Johansen of Vulnerable U characterises the experience as follows: "You're generally clicking 'No, this is OK.' 'No, this is OK' 99 times out of a hundred, and then, 'No, this is not OK.' And then this is going to be a very exciting and unique day."

This creates a perilous scenario in which alerts keep coming, resulting in persistent pressure. According to Johansen, many security teams are understaffed, resulting in situations in which "even big, well-funded organisations" are "stretched really thin for this frontline role."

Alert overload 

As the former director of the Gonda Multidisciplinary Brain Research Centre at Israel's Bar-Ilan University and the Cognitive Neuroscience Laboratory at Harvard Medical School and Massachusetts General Hospital, Professor Moshe Bar is regarded as one of the world's foremost cognitive neuroscientists. According to Bar, alert weariness is especially pernicious since it not only lowers productivity but also radically changes how professionals operate.

"When you limit the amount of resources we have," Bar notes, "it's not that we do less. We actually change the way we do things. … We become less creative. We become … exploitatory, we exploit familiar templates, familiar knowledge, and we resort to easier solutions."

The science driving this transformation is alarming. When neurones fire frequently during sustained attention tasks, they produce what Bar refers to as "metabolic waste." With little recovery time, the waste builds up and we are unable to clear it effectively. The result: degraded cognitive function and depleted neurotransmitters such as dopamine and serotonin, which regulate our reward systems and "reward" us for various activities, not just at work but in all aspects of our lives.

The path ahead

Alert fatigue poses a serious threat to security efficacy and is not only an operational issue. When security personnel are overburdened, Bar cautions, "you have someone narrow like this, stressed, and opts for the easiest solutions." The individual is different. 

Organisations can create more sustainable security operations that safeguard not only their digital assets but also the health and cognitive capacities of individuals who defend them by comprehending the neurological realities of human attention.

Best Practices for SOC Threat Intelligence Integration


As cyber threats become more complex and widespread, Security Operations Centres (SOCs) increasingly rely on threat intelligence to transform their defensive methods from reactive to proactive. Integrating Cyber Threat Intelligence (CTI) into SOC procedures has become critical for organisations seeking to anticipate attacks, prioritise warnings, and respond accurately to incidents.

This transition is being driven by the increasing frequency of cyberattacks, particularly in sectors such as manufacturing and finance. Adversaries exploit legacy systems and heterogeneous work environments to spread ransomware, phishing attacks, and advanced persistent threats (APTs).

Importance of threat intelligence in modern SOCs

Threat intelligence provides SOCs with contextualised data on new threats, attacker strategies, and vulnerabilities. SOC teams can discover patterns and predict possible attack vectors by analysing indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and campaign-specific information.

For example, the MITRE ATT&CK framework has become a key tool for mapping adversary behaviours, allowing SOCs to simulate attacks and improve detection techniques. According to recent industry research, organisations that integrated CTI into their Security Information and Event Management (SIEM) systems reduced mean dwell time, the period during which attackers go undetected, by 78%.

Accelerating the response to incidents 

Threat intelligence allows SOCs to move from human triage to automated response workflows. Security Orchestration, Automation, and Response (SOAR) platforms run pre-defined playbooks for typical attack scenarios such as phishing and ransomware. When a multinational retailer automated IOC blocklisting, reaction times were cut from hours to seconds, preventing potential breaches and data exfiltration.

Furthermore, threat intelligence sharing consortiums, such as sector-specific Information Sharing and Analysis Centres (ISACs), enable organisations to pool anonymised data. This collaboration has effectively disrupted cross-industry campaigns, including a recent ransomware attack on healthcare providers.

Proactive threat hunting

Advanced SOCs are taking a proactive approach, performing regular threat hunts based on intelligence-led hypotheses. Using adversary playbooks and dark web monitoring, analysts find stealthy threats that avoid traditional detection. A technology firm's SOC team recently discovered a supply chain threat by linking vendor vulnerabilities to dark web conversations about a planned attack.

Purple team exercises, simulated attacks that combine red and blue team tactics, have also gained popularity. These drills, based on real-world threat data, assess SOC readiness for advanced persistent threats. Organisations that perform quarterly purple team exercises report a 60% increase in incident containment rates.

The future of AI in SOCs

Artificial intelligence (AI) is poised to transform threat intelligence. Natural language processing (NLP) technologies can now extract TTPs from unstructured threat data and generate SIEM detection rules automatically. 

During beta testing, these technologies cut rule creation time from days to minutes. Collaborative defence models are also emerging. National and multinational programs, such as INTERPOL's Global Cybercrime Program, help to facilitate cross-border intelligence exchange.

A recent operation involving 12 countries successfully removed a botnet responsible for $200 million in financial fraud, demonstrating the potential of collective defence.

Google Claims Attackers That Hit UK Firms Now Targeting American Stores


Hackers responsible for a series of destructive, financially driven assaults on some of the United Kingdom's leading retailers are now targeting major American firms, Google noted earlier this week. 

“Major American retailers have already been targeted,” John Hultquist, the chief analyst for Google’s Threat Intelligence Group, told NBC News.

In recent weeks, cyberattacks have targeted at least three major British retailers. Marks & Spencer had to pause online orders for several weeks. Hackers contacted the BBC and presented evidence of "huge amounts of customer and employee data" stolen from the Co-op Group. The third, Harrods, restricted some internet access at store locations, although a spokesperson told NBC News that there is no proof that consumer data was stolen.

Hultquist declined to identify specific American retailers the hackers may be targeting. The National Retail Federation, which represents thousands of firms such as Walmart and Target, acknowledged the threat. 

"U.S.-based retailers are aware of the threats posed by cybercriminal groups that have recently attacked several major retailers in the United Kingdom, and many companies have taken steps to harden themselves against these criminal groups’ tactics over the past two years,” Christian Beckner, the NRF's vice president of retail technology and cybersecurity stated. 

Google, one of the world's top tech firms, supplies cloud storage, networking, and security services to some of the world's largest retailers, giving it significant insight into how hackers operate. It's unclear whether the hackers targeted retail organisations for technical reasons, such as a vulnerability in a standard industry software program.

In recent years, for-profit hackers have demonstrated their ability to gain access to major firms' computer systems and profit by holding data and entire networks for ransom. The hacking effort in the United Kingdom is strikingly similar to the one that caused parts of some Las Vegas casinos to close in 2023.

As a result, MGM Resorts, the owners of the Bellagio and Mandalay Bay, closed some casino floors, preventing customers from accessing their rooms via keycards. The same hackers broke into Caesars Entertainment, but unlike MGM, Caesars paid the hackers immediately and did not endure extensive service disruptions.

That hacking campaign was noteworthy as it was the first time a Russian-speaking cyber crime cell and a group of young, mostly English-speaking hackers had worked together to effectively access high-level corporate accounts. According to Hultquist, the same loosely related group that initially granted access to the British businesses is now targeting those in the United States. It appears to have largely avoided high-profile targets in the interim. 

The casinos, as well as the Co-op Group and Marks & Spencer, were infected with ransomware, which is a type of malicious software that hackers use to lock down critical systems and steal sensitive data. They then demand money for either not using the information or for assistance in making the computer systems usable again.

"Meta Mirage" Phishing Campaign Poses Global Cybersecurity Threat to Businesses


A sophisticated phishing campaign named Meta Mirage is targeting companies using Meta’s Business Suite, according to a new report by cybersecurity experts at CTM360. This global threat is specifically engineered to compromise high-value accounts—including those running paid ads and managing brand profiles.

Researchers discovered that the attackers craft convincing fake communications impersonating official Meta messages, deceiving users into revealing sensitive login information such as passwords and one-time passcodes (OTP).

The scale of the campaign is substantial. Over 14,000 malicious URLs were detected, and alarmingly, nearly 78% of these were not flagged or blocked by browsers when the report was released.

What makes Meta Mirage particularly deceptive is the use of reputable cloud hosting services—like GitHub, Firebase, and Vercel—to host counterfeit login pages. “This mirrors Microsoft’s recent findings on how trusted platforms are being exploited to breach Kubernetes environments,” the researchers noted, highlighting a broader trend in cloud abuse.

Victims receive realistic alerts through email and direct messages. These notifications often mention policy violations, account restrictions, or verification requests, crafted to appear urgent and official. This strategy is similar to the recent Google Sites phishing wave, which used seemingly authentic web pages to mislead users.

CTM360 identified two primary techniques being used:
  • Credential Theft: Victims unknowingly submit passwords and OTPs to lookalike websites. Fake error prompts are displayed to make them re-enter their information, ensuring attackers get accurate credentials.
  • Cookie Theft: Attackers extract browser cookies, allowing persistent access to compromised accounts—even without login credentials.

Compromised business accounts are then weaponized for malicious ad campaigns. “It’s a playbook straight from campaigns like PlayPraetor, where hijacked social media profiles were used to spread fraudulent ads,” the report noted.

The phishing operation is systematic. Attackers begin with non-threatening messages, then escalate the tone over time—moving from mild policy reminders to aggressive warnings about permanent account deletion. This psychological pressure prompts users to respond quickly without verifying the source.

CTM360 advises businesses to:
  • Manage social media accounts only from official or secure devices
  • Use business-specific email addresses
  • Activate Two-Factor Authentication (2FA)
  • Periodically audit security settings and login history
  • Train team members to identify and report suspicious activity

This alarming phishing scheme highlights the need for constant vigilance, cybersecurity hygiene, and proactive measures to secure digital business assets.

Explaining AI's Impact on Ransomware Attacks and Business Security


Ransomware has always been an evolving menace, as criminal outfits experiment with new techniques to terrorise their victims and gain maximum leverage while making extortion demands. Weaponized AI is the most recent addition to the armoury, allowing high-level groups to launch more sophisticated attacks but also opening the door for rookie hackers. The NCSC has cautioned that AI is fuelling the global threat posed by ransomware, and there has been a significant rise in AI-powered phishing attacks. 

Organisations face growing threats from sophisticated assaults, such as polymorphic malware, which can mutate in real time to avoid detection, allowing attackers to strike with more precision and frequency. As AI continues to rewrite the rules of ransomware attacks, businesses that still rely on traditional defences are more vulnerable to the next generation of cyber attack.

Ransomware accessible via AI 

Online criminals, like legal businesses, are discovering new methods to use AI tools, which makes ransomware attacks more accessible and scalable. By automating crucial attack procedures, fraudsters may launch faster, more sophisticated operations with less human intervention. 

Established and experienced criminal gangs gain from the ability to expand their operations. At the same time, because AI is lowering entry barriers, individuals with less technical expertise can now use ransomware as a service (RaaS) to undertake advanced attacks that would ordinarily be beyond their abilities.

OpenAI, the company behind ChatGPT, stated that it has detected and blocked more than 20 fraudulent operations using its popular generative AI tool. These ranged from creating copy for targeted phishing operations to writing and debugging malware.

FunkSec, a RaaS supplier, is a current example of how these tools are enhancing criminal groups' capabilities. The gang is reported to have only a few members, its human-written code is rather simple, and its communications show a very low level of English. However, since its inception in late 2024, FunkSec has recorded over 80 victims in a single month, thanks to a variety of AI techniques that allow it to punch well above its weight.

Investigations have revealed evidence of AI-generated code in the gang's ransomware, as well as web and ransom text that was obviously created by a Large Language Model (LLM). The team also developed a chatbot to assist with their operations using Miniapps, a generative AI platform. 

Mitigation tips against AI-driven ransomware 

With AI fuelling ransomware groups, organisations must evolve their defences to stay safe. Traditional security measures are no longer sufficient, and organisations must match their fast-moving attackers with their own adaptive, AI-driven methods to keep pace.

One critical step is to investigate how to combat AI with AI. Advanced AI-driven detection and response systems may analyse behavioural patterns in real time, identifying anomalies that traditional signature-based techniques may overlook. This is critical for fighting strategies like polymorphism, which have been expressly designed to circumvent standard detection technologies. Continuous network monitoring provides an additional layer of defence, detecting suspicious activity before ransomware can activate and propagate. 

Beyond detection, AI-powered solutions are critical for preventing data exfiltration, as modern ransomware gangs almost always use data theft to pressure their victims. According to our research, 94% of reported ransomware attacks in 2024 involved exfiltration, highlighting the importance of Anti Data Exfiltration (ADX) solutions as part of a layered security approach. By restricting unauthorised data transfers, organisations can defeat extortion attempts, leaving attackers with no choice but to move on.

Here's How to Prevent Outdated Software from Hurting Your Business


Do you think continuing with the same old version of the same old software is a good idea? While it may function adequately for the time being, the clock is ticking towards disaster. Waiting to upgrade results in a monster that consumes money, time, data, and morale.

Demands on your organisation are increasing, putting additional strain on your outdated software to perform under conditions it was not built to withstand. As your system strains to keep up, malfunctions occur more frequently, increasing the likelihood of failure. Software vendors may still be prepared to assist, but once your old system fades into obscurity, fixing it becomes custom work with correspondingly higher costs.

Maintenance is critical and costs more as software ages. If you think you can forgo maintenance and only pay for repairs on a case-by-case basis, you're going down a bad road. You'll deplete your money and risk having emergencies that hinder or even halt your output completely. When a software system goes down for repair, personnel and procedures may be affected. 

Do you worry about the cost of licensing new software? Consider the value you obtain for your investment. Better software opens up new options to operate smarter and more efficiently. It increases your ability to accomplish more for your clients faster, which can easily offset license expenses. Fewer errors, reduced downtime, and less expensive maintenance all contribute to a higher return on investment in upgrades and licenses.

Holding your data hostage 

Isolated software systems are becoming increasingly rare. It's a connected world, and your system's ability to integrate with other systems, both internal and external, can make or break your company's ability to grow. Old software that is incompatible with other systems in your company, your vendors' systems, or your clients' systems effectively traps data that could otherwise propel you forward. 

Incompatibility disrupts the flow of data, preventing it from being used to inform and enhance your partnerships. Incompatibility might also be a risk when it comes to hardware connectivity. Old software can corrupt inputs streaming from hardware, resulting in inaccuracy and data loss. Access control gear, networking hardware, and surveillance equipment, as well as more specialised systems ranging from advanced two-way radios to inventory management tools such as barcode scanners and RFID readers, can all be compromised. 

Older software also increases the threat of data security breaches. As security standards increase through software upgrades, old software becomes easier to exploit. Clinging to an obsolete system may end up costing significantly more in security breaches than modernising. And if a crisis comes, you can end up paying for both at once. 

The realities of data portability often come as an unwelcome surprise. You may be unable to transfer data that is locked inside an older software system, and there may be no way to recover it for use in a new or different system. You then have to decide whether to dump the old system and start afresh, or to continue with it until it ages and eventually fails.

It’s a dead end 

Your old software system may have served you well for years, performing exactly as needed to support your company's goals. You may consider it a workhorse that you cannot live without, and you are concerned that upgrading to something new will take too long to master and may not work as well. 

But the reality is that new software is intended to be a rewarding experience. Many people wonder how they lived for so long without upgrading their enterprises. The truth is, there isn't much of an option. Even well-maintained software loses steam with time. The people who built and maintained it eventually abandon it in favour of other opportunities to create something smarter, stronger, and more effective for your company.

Nearly Half of Companies Lack AI-driven Cyber Threat Plans, Report Finds


Mimecast has discovered that over 55% of organisations do not have specific plans in place to deal with AI-driven cyberthreats. The cybersecurity company's most recent "State of Human Risk" report, which is based on a global survey of 1,100 IT security professionals, emphasises growing concerns about insider threats, cybersecurity budget shortages, and vulnerabilities related to artificial intelligence. 

According to the report, establishing a structured cybersecurity strategy has improved the risk posture of 96% of organisations. The threat landscape is still becoming more complicated, though, and insider threats and AI-driven attacks are posing new challenges for security leaders. 

“Despite the complexity of challenges facing organisations—including increased insider risk, larger attack surfaces from collaboration tools, and sophisticated AI attacks—organisations are still too eager to simply throw point solutions at the problem,” stated Mimecast’s human risk strategist VP, Masha Sedova. “With short-staffed IT and security teams and an unrelenting threat landscape, organisations must shift to a human-centric platform approach that connects the dots between employees and technology to keep the business secure.” 

95% of organisations use AI for insider risk assessments, endpoint security, and threat detection, according to the survey, but 81% are concerned about data leakage from generative AI (GenAI) technology. In addition, 46% are not confident in their ability to defend against AI-powered phishing and deepfake threats, and more than half have no defined tactics for resisting AI-driven attacks.

Data loss from internal sources is expected to increase over the next year, according to 66% of IT leaders, while insider security incidents have increased by 43%. The average cost of insider-driven data breaches, leaks, or theft is $13.9 million per incident, according to the research. Furthermore, 79% of organisations think that the increased usage of collaboration technologies has increased security concerns, making them more vulnerable to both deliberate and accidental data breaches. 

With only 8% of employees accountable for 80% of security incidents, the report highlights a move away from traditional security awareness training and towards proactive Human Risk Management. To identify and eliminate threats early, organisations are implementing behavioural analytics and AI-driven surveillance. A shift towards sophisticated threat detection and risk mitigation techniques is seen in the fact that 72% of security leaders believe that human-centric cybersecurity solutions will be essential over the next five years.

Role of Continuous Threat Exposure Management in Business Security


Continuous threat exposure management (CTEM) is a framework for proactively managing and mitigating threat exposure. It uses an iterative approach that emphasises developing structured organisational procedures as well as leveraging security tools. 

In this article, we'll go over CTEM, its key elements, and a five-step implementation plan for lowering risk exposure, improving prioritisation, and leading to better vulnerability and exposure management. 

Understanding continuous threat exposure management

In traditional vulnerability management, security teams work in relative silos, focussing less on the "why" and "how" of what is uncovered during vulnerability assessments. In contrast, CTEM is a proactive approach that helps organisations: 

  • Determine the most valuable assets for the organisation.
  • Identify the assets in scope and the different forms of exposure to those assets.
  • Validate the actual exploitability of identified exposures and the effectiveness of pre-defined organisational responses. 
  • Encourage the organisation to take the proper action.
  • Track and improve the program through iteration.

CTEM uses an iterative strategy to continuously improve the organization's security posture. By taking this approach, organisations can create an actionable security plan that management can understand, business units can support, and technical teams can utilise as a reference. 

The 5 steps in the CTEM cycle 

1. Identify the initial scope

Most organisations struggle to keep up with the digital velocity of asset surface growth. In this step, the organisation must identify which types of assets are most important. When launching a CTEM program, organisations should consider the following as their initial scope:

External attack surface: This refers to an organization's internet-facing assets, which an attacker could target to acquire access.

SaaS security posture: Due to the increase in remote work, many organisations receive and transfer business data to third-party APIs and externally hosted applications. 

2. Discover assets and assess threats 

Discovery entails locating specific assets within the category established in the previous scoping step and evaluating them for potential risks. In addition to Common Vulnerabilities and Exposures (CVEs), the exposures should include misconfigurations and other weaknesses. Finding assets based on a precise business risk scope is significantly more valuable than a broad discovery that turns up a lot of vulnerabilities and assets without that context. 

3. Prioritize threats 

Prioritisation involves assessing the importance of identified issues. This stage is critical for cutting through the noise of numerous security vulnerabilities and focussing on the most important concerns. Beyond CVEs, organisations should examine exploit prevalence and characteristics unique to their organisation, such as available controls, mitigation alternatives, business criticality, and risk tolerance. 

4. Validate exploitability and security response 

The validation process uses tools such as attack path simulations, breach and attack simulations, and other controlled simulations to assess the exploitability of prioritised exposures and their impact on key systems. It confirms whether vulnerabilities may be exploited and whether the present defence strategy will address them. This method entails conducting simulated attacks and ensuring that reaction plans are activated correctly. 

5. Mobilize remediation teams 

Through the simplification of approvals, implementation procedures, and mitigation deployments, the "mobilisation" effort seeks to assist teams in responding to CTEM results. Teams outside of the security team are frequently responsible for remediation; there are numerous approaches to problem solving, and each one may have a distinct effect on the business. 

Tool automation is crucial to developing a systematic and well-coordinated remediation procedure. By reducing delays in implementation and operational procedures, the mobilisation phase guarantees prompt response times. 
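The scoping, discovery and prioritisation steps above are easier to reason about with a concrete scoring pass. The following is an added illustration, not code from the article or from any CTEM product: it runs steps 1 to 3 over a constructed asset and exposure inventory, keeping only in-scope assets (internet-facing or business-critical), weighting each exposure by severity, exploit prevalence, business criticality and exposure, and discounting exposures that an existing control already mitigates. All asset names, CVE-style identifiers, scores and weights are constructed assumptions for the example.

```python
"""Toy CTEM prioritisation pass over a constructed asset/exposure inventory.

Added illustration, not code from the article or any CTEM product. All asset
names, identifiers, scores and weights below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    internet_facing: bool        # step 1: external attack surface is in scope
    business_criticality: int    # 1 (low) .. 5 (crown jewel), set by the business
    controls: set = field(default_factory=set)   # compensating controls in place


@dataclass
class Exposure:
    asset: str
    ref: str                     # CVE id or misconfiguration label (constructed)
    severity: float              # 0..10, CVSS-style base score
    exploit_prevalence: float    # 0..1, how often it is exploited in the wild
    mitigated_by: set = field(default_factory=set)  # controls that block this path


def in_scope(asset: Asset) -> bool:
    """Step 1: initial scope = internet-facing assets plus crown jewels."""
    return asset.internet_facing or asset.business_criticality >= 4


def score(exposure: Exposure, asset: Asset) -> float:
    """Step 3: weigh severity by exploitability, business impact and exposure,
    then discount when a control in place already mitigates this exposure."""
    base = exposure.severity * (0.5 + exposure.exploit_prevalence)
    base *= asset.business_criticality / 5
    if asset.internet_facing:
        base *= 1.5
    if exposure.mitigated_by & asset.controls:
        base *= 0.25   # exposure still exists, but a control blocks the path
    return round(base, 2)


def prioritise(assets, exposures):
    """Steps 1-3 combined: keep in-scope assets, attach their exposures,
    and return (score, asset, ref) tuples from most to least urgent."""
    by_name = {a.name: a for a in assets if in_scope(a)}
    ranked = [(score(e, by_name[e.asset]), e.asset, e.ref)
              for e in exposures if e.asset in by_name]
    return sorted(ranked, reverse=True)


# Constructed inventory standing in for step 2 output; these are not real findings.
ASSETS = [
    Asset("vpn-gateway", True, 5, {"mfa"}),
    Asset("hr-portal", False, 4, {"waf"}),
    Asset("test-wiki", False, 1),
]
EXPOSURES = [
    Exposure("vpn-gateway", "CVE-EXAMPLE-0001 (auth bypass)", 9.8, 0.9),
    Exposure("vpn-gateway", "weak-password-policy", 4.0, 0.6, {"mfa"}),
    Exposure("hr-portal", "CVE-EXAMPLE-0002 (SQLi)", 8.1, 0.4, {"waf"}),
    Exposure("test-wiki", "CVE-EXAMPLE-0003 (RCE)", 9.0, 0.8),
]

if __name__ == "__main__":
    for s, asset, ref in prioritise(ASSETS, EXPOSURES):
        print(f"{s:6.2f}  {asset:12s}  {ref}")
```

Note that the high-severity finding on the out-of-scope test wiki never reaches the list at all, and the critical SQL injection on the HR portal drops below the VPN gateway's auth bypass because a WAF is already in front of it; that is the "cut through the noise" effect the prioritisation step describes. The weights are deliberately simple and would be replaced by the organisation's own risk tolerance.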

Benefits of implementing CTEM 

Reduced risk exposure: Employing continuous monitoring to identify threats before they can impact business operations helps mitigate risk exposure. 

Improved prioritization: CTEM helps organizations understand the severity of each threat so they can determine which ones require urgent attention and resources. 

Proactive security posture: The proactive approach of CTEM is seen particularly in the scoping and discovery steps, which work continuously to address emerging threats.

Three Ways To Prevent Insider Threat Driven Data Leaks


The United States is poised to undergo a period of highly disruptive transformation. The incoming administration has promised to make significant changes, including forming a new body, the Department of Governmental Efficiency (DOGE), with the aim of substantially reducing the size of the government. 

Many people in our hugely polarised society are unhappy with the upcoming changes. Some will even refuse to "go down without a fight" and attempt to sabotage the shift or the new administration's prospects for success. How? One popular disruption method is to leak bits and pieces of insider information in order to distract, provoke opposition, and ultimately stall the changes.

While insider leaks can occur at any organisation and at any moment, a controversial move can be a major driver for such threats. We don't need to look far back for examples of this. After Donald Trump was elected to his first term, someone explicitly got a job as an IRS contractor so that he could leak the tax returns of key leaders, including President Trump. There was also information disclosed concerning a Trump cabinet pick. 

It's possible that this behaviour will worsen significantly. Agencies and organisations can take proactive measures to prepare for this. 

Launch an insider threat program: Nearly 80% of organisations have noticed an increase in insider threat activity since 2019, and just 30% believe they have the ability to deal with the situation. While external threats are frequently addressed, according to IBM's Cost of a Data Breach report, breaches by people within an organisation were the most costly, averaging just shy of $5 million.

Having a formal security strategy in place can safeguard sensitive data, maintain operational integrity, and ensure that your organization's communication links remain open and secure. Start by assessing your risk, establishing guidelines for data sharing and management, and installing technologies to monitor user activity, detect irregularities, and notify security teams of potential risks. 

Individualize information: Organisations can also explore using steganographic technologies to personalise the information they send to their employees. Forensic watermarking technology allows sensitive information to be shared in such a way that each employee receives a completely unique copy, with differences that are undetectable to the human eye. With this technology in place, employees are more likely to think twice before passing along a confidential presentation on future strategy. If a leak still occurs, the organisation can easily identify the source.

Avoid sharing files: The world must shift away from using files to share sensitive information. At first glance, this may appear impossible, yet changing the way organisations share information can help them preserve their most valuable data. File sharing is more than a risk factor; it is also a threat vector, as files are the source of the majority of data exfiltration risks. Eliminating them would therefore eliminate much of the threat. What are the alternatives? SaaS applications in which no one can download anything. This strategy also helps to safeguard against external attacks.
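To make the "individualize information" idea concrete, here is an added example of a per-recipient text watermark; it is not the article's or any vendor's technique, only a minimal illustration of the principle. Each copy of a constructed sample document gets the recipient's numeric id encoded as zero-width characters after word boundaries, so every copy reads identically on screen, yet the id can be recovered from a leaked copy. The document text, the 16-bit id width and the choice of zero-width characters are all assumptions for the example.

```python
"""Toy per-recipient text watermark using zero-width characters.

Added example, not the article's or any vendor's technique. It illustrates the
idea behind forensic watermarking: every recipient gets a copy that reads
identically but carries a hidden, recoverable identifier.
"""
ZERO, ONE = "\u200b", "\u200c"   # zero-width space / zero-width non-joiner
MARK_BITS = 16                    # recipient ids 0..65535 (assumption)


def _bits(recipient_id: int) -> str:
    if not 0 <= recipient_id < 2 ** MARK_BITS:
        raise ValueError("recipient id out of range")
    return format(recipient_id, f"0{MARK_BITS}b")


def watermark(text: str, recipient_id: int) -> str:
    """Return a copy of text with the recipient id hidden after the first
    MARK_BITS spaces. The visible rendering is unchanged."""
    bits = _bits(recipient_id)
    out, i = [], 0
    for ch in text:
        out.append(ch)
        if ch == " " and i < len(bits):
            out.append(ONE if bits[i] == "1" else ZERO)
            i += 1
    if i < len(bits):
        raise ValueError("text too short to carry the mark")
    return "".join(out)


def recover(leaked: str):
    """Extract the recipient id from a leaked copy; None if no full mark."""
    bits = "".join("1" if ch == ONE else "0"
                   for ch in leaked if ch in (ZERO, ONE))
    if len(bits) < MARK_BITS:
        return None
    return int(bits[:MARK_BITS], 2)


def strip(text: str) -> str:
    """What a reader sees: the mark contributes no visible characters."""
    return "".join(ch for ch in text if ch not in (ZERO, ONE))


# Constructed sample document (not a real memo)
DOC = ("Board strategy draft: the company will pursue the northern market "
       "first and defer the merger discussion until the third quarter of next year.")

if __name__ == "__main__":
    copies = {rid: watermark(DOC, rid) for rid in (4242, 77, 9001)}
    leaked = copies[77]            # pretend this copy turned up outside the firm
    print("leaked copy came from recipient", recover(leaked))
```

A mark this simple does not survive retyping or pasting into a field that drops non-printing characters, which is why commercial products use more robust carriers (spacing, glyph shapes, image pixels); the point here is only that each copy is unique and the origin of a verbatim leak is recoverable.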

Public Holidays And Weekends Make Companies More Vulnerable to Cyberattacks

Cyberattacks Surge During Holidays and Weekends: Semperis Report

Companies are particularly susceptible to cyberattacks during public holidays and weekends due to reduced security manpower. A recent report on ransomware assaults, published by Semperis, a provider of identity-based cyber resilience, confirms this vulnerability.

The study revealed that an average of 86% of organizations assessed across the United States, United Kingdom, France, and Germany were targeted during public holidays or weekends. The findings also indicate that 75% of businesses reduced their security workforce by up to 50% during these periods, leaving critical systems exposed.

Targeted Attacks During Key Business Events

Half of the respondents who experienced cyberattacks reported being targeted during major business events such as mergers or acquisitions. For instance, after UnitedHealth acquired Change Healthcare, cybercriminals exploited a security flaw in remote access systems to breach the company’s infrastructure.

The report highlighted that 90% of ransomware attacks compromised a firm’s identity service, such as Microsoft Active Directory (AD) or Entra ID, as these are widely used and vulnerable. Additionally:

  • 35% of businesses reported insufficient funds to safeguard against cyberattacks.
  • 61% of organizations lacked adequate backup solutions for their identity services.

While 81% of respondents stated they possess the knowledge to defend against identity-related threats, 83% admitted to experiencing a successful ransomware assault within the past year. This disconnect underscores the need for better implementation of security measures.

The US Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly emphasized the need for vigilance during weekends and public holidays. Notably, the ransomware group Clop exploited a long weekend to take advantage of a vulnerability in the MOVEit data exchange software. This attack affected over 130 companies in Germany, leading to significant data breaches and blackmail attempts.

Solutions to Mitigate Risks

To address these vulnerabilities, enterprises must take the following measures:

  • Remediate critical flaws, such as those in Active Directory (AD) and other identity services.
  • Ensure security operations centers (SOCs) are adequately staffed during off-hours.
  • Integrate cybersecurity into the broader business resiliency strategy, alongside safety, financial, and reputational risk management.

Prioritizing security as an essential component of business resilience can make the difference between surviving and thriving in the face of catastrophic cyber incidents.

Thousands of SonicWall Devices Vulnerable to Critical Security Threats

Thousands of SonicWall network security devices are currently exposed to severe vulnerabilities, with over 20,000 running outdated firmware that no longer receives vendor support. This puts countless organizations at risk of unauthorized access and potential data breaches.

Key Findings of the Study

  • A Bishop Fox study identified more than 25,000 SonicWall SSLVPN devices exposed to the internet, making them easy targets for cybercriminals.
  • The research analyzed over 430,000 SonicWall devices globally and found that 39% of the exposed devices were running Series 7 firewalls, many of which lacked the latest security patches.
  • Over 20,000 devices were found to be running software versions no longer supported by SonicWall, with older Series 5 and Series 6 devices being the most at risk.

Impact of Vulnerabilities

The study highlighted that many of these devices remain susceptible to exploits, including authentication bypasses and heap overflow bugs disclosed earlier this year. Attackers could use these flaws to gain unauthorized access to networks, particularly when both SSL VPN and administration interfaces are exposed online.

Bishop Fox employed advanced fingerprinting techniques to reverse-engineer the encryption securing the SonicOSX firmware, allowing researchers to pinpoint the vulnerabilities specific to each device version.

Risks Posed by Unsupported Firmware

  • Many Series 5 devices, which are largely unsupported, continue to be exposed to the internet, leaving them highly vulnerable to attacks.
  • Series 6 devices, while better maintained, still include a significant number that have not applied the latest patches.
  • Approximately 28% of evaluated devices were found to have critical or high-severity vulnerabilities.

Recommendations for Companies

Organizations using SonicWall devices must take immediate steps to mitigate these risks:

  • Ensure all firmware is updated to the latest version to address known vulnerabilities.
  • Disable public exposure of SSL VPN and administration interfaces to reduce attack surfaces.
  • Regularly audit network security practices and implement robust patch management protocols.

The findings underscore the urgent need for companies to prioritize cybersecurity measures. Neglecting to update firmware and secure network devices can have severe consequences, leaving systems and sensitive data vulnerable to exploitation.

With threats growing increasingly sophisticated, staying proactive about network security is no longer optional—it’s essential.

Citrix Expands Platform Capabilities with DeviceTrust and Strong Network Acquisitions

Citrix, a business unit of Cloud Software Group, has acquired DeviceTrust and Strong Network to enhance the functionality of its platform. These acquisitions enable Citrix to offer more comprehensive access management and security solutions, expanding its capabilities in both on-premises and cloud environments. The integration of these technologies allows Citrix to provide customers with enhanced control over hybrid application deployments while reducing the risk of data loss.

Expanding Zero-Trust Access and Hybrid Work Solutions

The acquisitions enable Citrix to implement zero-trust access for both cloud and on-premises applications. This approach helps address a range of user needs in hybrid application deployments, improving security while lowering the risk of data loss. According to Ethan Fitzsimons, Citrix's Vice President and Head of Global Channels, the deals open up "significant" opportunities for partners by broadening the services and solutions they can offer their clients.

“With the integration of DeviceTrust and Strong Network, partners can now provide advanced zero-trust security capabilities for VDI (Virtual Desktop Infrastructure) and DaaS (Desktop as a Service) environments. This will meet critical customer needs for secure hybrid work solutions,” Fitzsimons explained. “Our partners will also be able to leverage demand for secure hybrid work environments and offer Citrix Secure Private Access and related services, including implementation, customization, and ongoing management.”

DeviceTrust and Strong Network Capabilities

DeviceTrust technology enables real-time, contextual access within VDI and DaaS systems. The platform allows organizations to track and respond to changes in device posture and user location. By continuously assessing device attestation, the Citrix platform gives IT teams the ability to grant or revoke access based on real-time security conditions, enhancing control over network access.

Strong Network provides secure cloud development environments, enabling enterprises to build, launch, and access applications more efficiently and cost-effectively. The platform offers robust protection against data breaches through features like data loss prevention (DLP) and data infiltration detection. These capabilities protect organizations from phishing, malware, and credential theft. In addition, Strong Network ensures compliance with key safety standards, including the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), while offering visibility and control throughout the application lifecycle.

Strengthening Citrix’s Competitive Positioning

Fitzsimons emphasized that these acquisitions strengthen Citrix’s competitive positioning, enabling the company to offer a comprehensive zero-trust security platform across all application types and use cases—a capability that many competitors currently lack.

“By embedding these technologies directly into the Citrix platform, customers gain seamless access to these advanced security features without requiring separate purchases. This positions Citrix and its partners to attract customers seeking to consolidate vendors, especially as businesses focus on streamlining operations and enhancing cybersecurity in hybrid environments,” he added.

Enhanced Support for Citrix Secure Private Access

In addition to these acquisitions, Citrix is increasing support for its Citrix Secure Private Access in hybrid environments. This expanded support includes extending zero-trust access controls to web and SaaS applications, virtual desktops, and traditional client/server applications. By offering secure management of application access across both on-premises and cloud environments, Citrix helps businesses strengthen their overall cybersecurity posture.

Creating a Strong Cybersecurity Culture: The Key to Business Resilience


In today’s fast-paced digital environment, businesses face an increasing risk of cyber threats. Establishing a strong cybersecurity culture is essential to protecting sensitive information, maintaining operations, and fostering trust with clients. Companies that prioritize cybersecurity awareness empower employees to play an active role in safeguarding data, creating a safer and more resilient business ecosystem. 

A cybersecurity-aware culture is about more than just protecting networks and systems; it’s about ensuring that every employee understands their role in preventing cyberattacks. The responsibility for data security has moved beyond IT departments to involve everyone in the organization. Even with robust technology, a single mistake—such as clicking a phishing link—can lead to severe consequences. Therefore, educating employees about potential threats and how to mitigate them is crucial. 

As technology becomes increasingly integrated into business operations, security measures must evolve to address emerging risks. The importance of cybersecurity awareness cannot be overstated. Just as you wouldn’t leave your home unsecured, companies must ensure their employees recognize the value of safeguarding corporate information. Awareness training helps employees understand that protecting company data also protects their personal digital presence. This dual benefit motivates individuals to remain vigilant, both professionally and personally. Regular cybersecurity training programs, designed to address threats like phishing, malware, and weak passwords, are critical. Studies show that such initiatives significantly reduce the likelihood of successful attacks. 

In addition to training, consistent reminders throughout the year help reinforce cybersecurity principles. Simulated phishing exercises, for instance, teach employees to identify suspicious emails by looking for odd sender addresses, unusual keywords, or errors in grammar. Encouraging the use of strong passwords and organizing workshops to discuss evolving threats also contribute to a secure environment. Organizations that adopt these practices often see measurable improvements in their overall cybersecurity posture. Artificial intelligence (AI) has emerged as a powerful tool for cybersecurity, offering faster and more accurate threat detection. 

However, integrating AI into a security strategy requires careful consideration. AI systems must be managed effectively to avoid introducing new vulnerabilities. Furthermore, while AI excels at monitoring and detection, foundational cybersecurity knowledge among employees remains essential. A well-trained workforce can address risks independently, ensuring that AI complements human efforts rather than replacing them. Beyond internal protections, cybersecurity also plays a vital role in maintaining customer trust. Clients want to know their data is secure, and any breach can severely harm a company’s reputation. 

For example, a recent incident involving CrowdStrike revealed how technical glitches can escalate into major phishing attacks, eroding client confidence. Establishing a clear response strategy and fostering a culture of accountability help organizations manage such crises effectively. 

A robust cybersecurity culture is essential for modern businesses. By equipping employees with the tools and knowledge to identify and respond to threats, organizations not only strengthen their defenses but also enhance trust with customers. This proactive approach is key to navigating today’s complex digital landscape with confidence and resilience.

Microsoft Warns of Russian Spear-Phishing Campaign Targeting Multiple Organizations


Microsoft Threat Intelligence has discovered a new attack campaign by Russian hacker group Midnight Blizzard, targeted at thousands of users from over 100 organisations. The attack uses spear-phishing emails that contain RDP configuration files, allowing perpetrators to connect to and potentially compromise the targeted systems. 

The malicious campaign targeted thousands of users from higher education, defence, non-governmental organisations, and government institutions. Dozens of nations have been impacted, mainly in the United Kingdom, Europe, Australia, and Japan, consistent with previous Midnight Blizzard phishing attacks. 

In the most recent Midnight Blizzard assault campaign, victims received meticulously targeted emails including social engineering lures related to Microsoft, Amazon Web Services, and the concept of Zero Trust. 

According to Microsoft Threat Intelligence, the emails were sent from addresses at legitimate organisations that the threat actor had obtained during earlier breaches. Every email included an RDP configuration file, signed with a free Let's Encrypt certificate, that set multiple sensitive parameters. When the user opened the file, an RDP connection was established to an attacker-controlled system. 

The threat actor could then use the established RDP connection to acquire information regarding the targeted device, such as files and folders, connected network drives, and peripherals such as printers, microphones, and smart cards. 

It would also allow for the collection of clipboard data, web authentication via Windows Hello, passkeys and security keys, and even point-of-sale devices. Such a link may also enable the threat actor to install malware on the targeted device or mapped network share(s). 

Outbound RDP connections were established to domains constructed to deceive the victim into thinking they were AWS domains. Amazon, which is collaborating with the Ukrainian CERT-UA to combat the threat, began seizing the affected domains immediately in order to stop the operation. Meanwhile, Microsoft alerted all impacted customers who had been targeted or compromised.
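The resources the post lists (drives, printers, smart cards, clipboard, microphones, Windows Hello and security keys, point-of-sale devices) map directly onto documented settings in the plain-text .rdp file format, which is what makes such attachments triageable at the mail gateway or by an analyst. The following is an added defensive example, not code from Microsoft's report: it parses the key:type:value lines of an .rdp file and flags every redirection setting that would hand the remote host access to local resources, plus a connection target that is not on an allowlist of known corporate RDP hosts. The sample file is constructed, the target hostname is a placeholder, and the allowlist entry rdp.corp.example is an assumption; the setting names themselves are the standard mstsc ones.

```python
"""Triage an .rdp configuration file for dangerous redirection settings.

Added example for defenders, not code from Microsoft's advisory. It parses the
plain key:type:value format of .rdp files and flags the settings that would
give the remote host access to local drives, devices and credentials, plus a
'full address' that is not on an allowlist of known corporate RDP hosts.
"""
# Integer settings whose value 1 exposes a local resource to the remote host.
RISKY_INT = {
    "redirectclipboard": "clipboard contents",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "serial/COM ports",
    "redirectposdevices": "point-of-sale devices",
    "redirectwebauthn": "Windows Hello / passkeys / security keys",
    "audiocapturemode": "microphone",
}
# String settings whose non-empty value (e.g. '*') redirects local resources.
RISKY_STR = {
    "drivestoredirect": "local and mapped drives",
    "devicestoredirect": "plug-and-play devices",
}
ALLOWED_HOSTS = {"rdp.corp.example"}   # assumption: corporate gateway allowlist


def parse_rdp(text: str) -> dict:
    """Return {key: (type, value)} for every well-formed 'key:type:value' line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 2:
            continue
        key, typ, value = line.split(":", 2)
        settings[key.strip().lower()] = (typ.strip(), value.strip())
    return settings


def triage(text: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    s = parse_rdp(text)
    findings = []
    # 'full address' may carry a :port suffix; compare only the host part.
    host = s.get("full address", ("s", ""))[1].split(":")[0].lower()
    if host and host not in allowed_hosts:
        findings.append(f"connects to non-allowlisted host {host!r}")
    for key, what in RISKY_INT.items():
        if key in s and s[key][1] == "1":
            findings.append(f"{key}=1 redirects {what} to the remote host")
    for key, what in RISKY_STR.items():
        if key in s and s[key][1] not in ("", "0"):
            findings.append(f"{key}={s[key][1]!r} redirects {what} to the remote host")
    if s.get("remoteapplicationmode", ("i", "0"))[1] == "1":
        findings.append("remoteapplicationmode=1 shows a single remote program, "
                        "hiding that a full session is open")
    return findings


# Constructed sample attachment for the example (not a real lure); the
# hostname is a placeholder in the reserved .invalid domain.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:aws-secure-access.example.invalid:3389
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
drivestoredirect:s:*
devicestoredirect:s:*
audiocapturemode:i:1
remoteapplicationmode:i:0
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_RDP):
        print("FLAG:", finding)
```

In practice the same check belongs in the mail gateway policy (most organisations have no business reason to accept .rdp attachments from outside at all) and in an endpoint rule that alerts on outbound port 3389 connections to hosts outside the allowlist, which catches the case where the file arrives by some other channel.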