CSOonline

The Cybersecurity and Infrastructure Security Agency and the MITRE Corporation have renegotiated the contract supporting the 26-year-old Common Vulnerabilities and Exposures Program in a way that eliminates the looming expiration that triggered panic across the security community in 2025. According to sources, the program appears to have moved from a discretionary funding item to a protected line in CISA’s budget, a structural change that could prevent the kind of dramatic crisis that threatened the system last year. For roughly a day in 2025, the program that underpins vulnerability management tools, threat intelligence platforms, and patch management systems worldwide appeared headed for an abrupt shutdown. The cybersecurity world was blindsided when MITRE disclosed that its contract with the US Department of Homeland Security to operate the program was set to expire with no renewal in place. CISA ultimately stepped in at the last minute, issuing an emergency 11-month contract extension that kept the system running but left the global security community bracing for another funding cliff this spring. Nearly a year later, that stopgap has been replaced by what sources describe as a more durable arrangement. The CVE board was informed during its Jan. 21, 2026, meeting that there would be “no funding cliff in March” and that “ongoing operations and planning extend well beyond that timeframe,” according to meeting minutes later made public. In a statement, Nick Andersen, acting director of CISA, told CSO, “Under CISA’s leadership and sponsorship, the CVE program is fully funded and has continually evolved and modernized to support the global vulnerability ecosystem.” Jordan Graham, a spokesperson for MITRE, said in a statement that “MITRE, in support of CISA, is committed to CVE as a critical global resource.” From afterthought to protected program For longtime vulnerability disclosure advocates, the most important shift may not be the renewal itself but how the funding is structured. Pete Allor — a CVE board member, veteran cybersecurity professional, and co-founder of the CVE Foundation — said the program historically competed with other initiatives for leftover funds within CISA’s budget. “What I understand changed is we went from, ‘Hey, out of anything that’s left over, can we fund the CVE program along with a few other things?’ to above that line — it will be funded,” Allor said. “That’s a huge change.” In practical terms, that shift appears to elevate the vulnerability cataloging program from a discretionary item that could be squeezed out by competing priorities into a core operational program. The improved funding outlook has also prompted the CVE Foundation — created during last year’s uncertainty to explore alternative governance models — to reassess its next steps. “Why wrestle the horse to the ground when I can use it bridled?” Allor said. Transparency questions remain Despite the apparent funding stability, the contract itself remains largely opaque — even to members of the CVE board. A source close to the CVE program, who requested anonymity to preserve working relationships with CISA and MITRE, described the agreement as reassuring but lacking transparency. “It’s a mystery contract with a mystery number that has been agreed to and passed,” the source said. “The good news is people don’t have to worry. But now that they don’t have to worry, now is the time to ask the hard questions.” Those questions include how the program will be modernized, how its performance will be measured, and whether its governance structure should evolve. In his statement to CSO, CISA’s Andersen said, “CISA, in collaboration with the global cybersecurity community, is committed to enhancing data quality, modernizing infrastructure and services, improving governance processes with more diverse representation, among other lines of effort.” One CVE board member has repeatedly requested access to the MITRE-CISA contract at successive board meetings, according to people familiar with the discussions. MITRE has declined those requests, citing legal protections around the agreement between the two organizations. A separate Freedom of Information Act request for the contract has also gone unanswered. “If you’re saying you’re doing it for the public good and the greater good, it’s incumbent upon you to say how you are measuring good,” Allor said. “That’s an open question, and it can’t be secret.” The CVE board itself — expanded to 24 members in recent years — functions largely as an advisory body, while MITRE retains final decision-making authority over program operations. Global alternatives begin to emerge The near-collapse of the CVE program last year triggered a wave of contingency planning across the cybersecurity ecosystem. The CVE Foundation began exploring governance models that would reduce reliance on a single US government funding source. At the same time, the European Union Agency for Cybersecurity began developing its own vulnerability identification framework, which has since launched. An ENISA spokesperson said the agency remains committed to the CVE ecosystem but does not have visibility into the program’s funding arrangements. “ENISA is part of the CVE Program and remains committed to contributing to the global CVE community and supporting coordinated vulnerability management,” the agency said in a statement. Private-sector organizations also took steps to hedge against potential disruption. Vulnerability intelligence firm VulnCheck, for example, reserved blocks of CVE identifiers to ensure continuity if the numbering system faltered. Even with the funding scare resolved, those efforts are unlikely to disappear. Structural concerns about governance and long-term independence continue to drive interest in complementary or alternative systems. Some European stakeholders, in particular, remain uneasy about a critical piece of global cybersecurity infrastructure depending on a single US government contract. “There are some European people who don’t want to point their technical data directly at a US-funded government thing,” the source familiar with the CVE program said. Discussions have reportedly begun about potentially amending the EU’s Cyber Resilience Act to reference an identifier managed by ENISA rather than CVE. Allor said he expects CISA to expand its international engagement around the program in the coming months in response to those concerns. “I think there are countries within the EU, and I know of at least three countries external to the EU that were complaining about it,” he said. “I think the folks at CISA heard that loudly.” Last September, CISA outlined its “vision” for the CVE program, pledging to strengthen international partnerships and improve representation of governments and organizations outside the United States — a signal of renewed commitment following last year’s scare. A warning the industry won’t forget Even as the immediate funding crisis fades, the institutional environment surrounding CISA remains unsettled. The agency has faced budget cuts, leadership turnover, and staff reductions, and it has gone more than a year without a Senate-confirmed director. For now, however, the vulnerability catalog that serves as the cybersecurity industry’s common language remains funded and operational. But the events of last year revealed how dependent the global security ecosystem has become on a single US government contract — and sparked a broader debate about whether the governance and funding of such critical infrastructure should be more transparent, more international, and less fragile. View the full article

The Cybersecurity and Infrastructure Security Agency and the MITRE Corporation have renegotiated the contract supporting the 26-year-old Common Vulnerabilities and Exposures Program in a way that eliminates the looming expiration that triggered panic across the security community in 2025. According to sources, the program appears to have moved from a discretionary funding item to a protected line in CISA’s budget, a structural change that could prevent the kind of dramatic crisis that threatened the system last year. For roughly a day in 2025, the program that underpins vulnerability management tools, threat intelligence platforms, and patch management systems worldwide appeared headed for an abrupt shutdown. The cybersecurity world was blindsided when MITRE disclosed that its contract with the US Department of Homeland Security to operate the program was set to expire with no renewal in place. CISA ultimately stepped in at the last minute, issuing an emergency 11-month contract extension that kept the system running but left the global security community bracing for another funding cliff this spring. Nearly a year later, that stopgap has been replaced by what sources describe as a more durable arrangement. The CVE board was informed during its Jan. 21, 2026, meeting that there would be “no funding cliff in March” and that “ongoing operations and planning extend well beyond that timeframe,” according to meeting minutes later made public. In a statement, Nick Andersen, acting director and deputy director of US CISA, told CSO, “Under CISA’s leadership and sponsorship, the CVE program is fully funded and has continually evolved and modernized to support the global vulnerability ecosystem.” Jordan Graham, a spokesperson for MITRE, said in a statement that “MITRE, in support of CISA, is committed to CVE as a critical global resource.” From afterthought to protected program For longtime vulnerability disclosure advocates, the most important shift may not be the renewal itself but how the funding is structured. Pete Allor — a CVE board member, veteran cybersecurity professional, and co-founder of the CVE Foundation — said the program historically competed with other initiatives for leftover funds within CISA’s budget. “What I understand changed is we went from, ‘Hey, out of anything that’s left over, can we fund the CVE program along with a few other things?’ to above that line — it will be funded,” Allor said. “That’s a huge change.” In practical terms, that shift appears to elevate the vulnerability cataloging program from a discretionary item that could be squeezed out by competing priorities into a core operational program. The improved funding outlook has also prompted the CVE Foundation — created during last year’s uncertainty to explore alternative governance models — to reassess its next steps. “Why wrestle the horse to the ground when I can use it bridled?” Allor said. Transparency questions remain Despite the apparent funding stability, the contract itself remains largely opaque — even to members of the CVE board. A source close to the CVE program, who requested anonymity to preserve working relationships with CISA and MITRE, described the agreement as reassuring but lacking transparency. “It’s a mystery contract with a mystery number that has been agreed to and passed,” the source said. “The good news is people don’t have to worry. But now that they don’t have to worry, now is the time to ask the hard questions.” Those questions include how the program will be modernized, how its performance will be measured, and whether its governance structure should evolve. In his statement to CSO, CISA’s Andersen said, “CISA, in collaboration with the global cybersecurity community, is committed to enhancing data quality, modernizing infrastructure and services, improving governance processes with more diverse representation, among other lines of effort.” One CVE board member has repeatedly requested access to the MITRE-CISA contract at successive board meetings, according to people familiar with the discussions. MITRE has declined those requests, citing legal protections around the agreement between the two organizations. A separate Freedom of Information Act request for the contract has also gone unanswered. “If you’re saying you’re doing it for the public good and the greater good, it’s incumbent upon you to say how you are measuring good,” Allor said. “That’s an open question, and it can’t be secret.” The CVE board itself — expanded to 24 members in recent years — functions largely as an advisory body, while MITRE retains final decision-making authority over program operations. Global alternatives begin to emerge The near-collapse of the CVE program last year triggered a wave of contingency planning across the cybersecurity ecosystem. The CVE Foundation began exploring governance models that would reduce reliance on a single US government funding source. At the same time, the European Union Agency for Cybersecurity began developing its own vulnerability identification framework, which has since launched. An ENISA spokesperson said the agency remains committed to the CVE ecosystem but does not have visibility into the program’s funding arrangements. “ENISA is part of the CVE Program and remains committed to contributing to the global CVE community and supporting coordinated vulnerability management,” the agency said in a statement. Private-sector organizations also took steps to hedge against potential disruption. Vulnerability intelligence firm VulnCheck, for example, reserved blocks of CVE identifiers to ensure continuity if the numbering system faltered. Even with the funding scare resolved, those efforts are unlikely to disappear. Structural concerns about governance and long-term independence continue to drive interest in complementary or alternative systems. Some European stakeholders, in particular, remain uneasy about a critical piece of global cybersecurity infrastructure depending on a single US government contract. “There are some European people who don’t want to point their technical data directly at a US-funded government thing,” the source familiar with the CVE program said. Discussions have reportedly begun about potentially amending the EU’s Cyber Resilience Act to reference an identifier managed by ENISA rather than CVE. Allor said he expects CISA to expand its international engagement around the program in the coming months in response to those concerns. “I think there are countries within the EU, and I know of at least three countries external to the EU that were complaining about it,” he said. “I think the folks at CISA heard that loudly.” Last September, CISA outlined its “vision” for the CVE program, pledging to strengthen international partnerships and improve representation of governments and organizations outside the United States — a signal of renewed commitment following last year’s scare. A warning the industry won’t forget Even as the immediate funding crisis fades, the institutional environment surrounding CISA remains unsettled. The agency has faced budget cuts, leadership turnover, and staff reductions, and it has gone more than a year without a Senate-confirmed director. For now, however, the vulnerability catalog that serves as the cybersecurity industry’s common language remains funded and operational. But the events of last year revealed how dependent the global security ecosystem has become on a single US government contract — and sparked a broader debate about whether the governance and funding of such critical infrastructure should be more transparent, more international, and less fragile. View the full article

OpenAI’s new AppSec agent, Codex Security, has already flagged over 11,000 high-severity and critical flaws in real-world codebases during its first 30 days of research testing. The tool, designed to automatically find, validate, and fix vulnerabilities in software repositories, reportedly identified about 800 critical issues in more than a million scanned commits. According to an OpenAI blog post, the tool is meant to function more like a security researcher who studies a codebase, maps potential attack paths, and proposes fixes, rather than a static scanner. “It’s designed to operate at scale and surface the highest-confidence findings with easy-to-accept patches,” the company wrote. According to OpenAI, the tool builds contextual understanding of an entire project, which enables it to focus on vulnerabilities that are realistically exploitable, addressing the long-standing alert fatigue for AppSec teams. Flaws uncovered in proprietary and open-source projects In its first testing cycle, OpenAI said Codex Security scanned more than 1.2 million commits across external repositories, identifying 792 critical vulnerabilities and 10,561 high severity issues. The company said the findings came from a wide range of real-world codebases while maintaining relatively low noise, as critical issues appeared in under 0.1% of scanned commits. “Netgear was pleased to join the early access program, and the results exceeded expectations,” Chandan Nandakumaraiah, head of product security at Netgear, said in a comment shared within the post. “Codex Security integrated effortlessly into our robust security development environment, strengthening the pace and depth of our review processes.” Beyond proprietary repositories, vulnerabilities were flagged in several widely used open-source projects too, including OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium, with 14 CVEs assigned so far. OpenAI says these efforts are part of a broader “Codex for OSS” initiative, which provides maintainers with free access to Codex tools and security review support. The company plans to expand the program in the coming weeks to bring more open-source maintainers into the ecosystem. The company highlighted thirteen high-impact OSS vulnerabilities discovered by Codex Security, spanning path traversal, denial of service (DoS), and authentication bypass issues. From the ‘Aardvark’ experiment to an AI security researcher Codex Security evolved from an earlier internal project called Aardvark, an AI-powered vulnerability research agent that OpenAI began testing with select users. The concept behind Aardvark was to have the AI agent read code, test possible exploit paths, and reason through how an attacker might compromise a system. This agentic workflow allows the Codex Security system to mimic how human security researchers operate. The AI analyzes repository history, builds a threat model that identifies entry points and trust boundaries, and then explores attack paths that could lead to sensitive outcomes. Once a potential vulnerability is discovered, the system attempts to reproduce the issue in a sandbox environment to confirm that it is exploitable before reporting it. After validation, it generates remediation guidance, often in the form of proposed patches that developers can review and merge into their workflow. Codex Security can also learn from feedback over time to improve the quality of its findings. “When you adjust the criticality of a finding, it can use that feedback to refine the threat model and improve precision on subsequent runs as it learns what matters in your architecture and risk posture,” the company added in the post. Starting March 9, Codex Security is available in research preview to ChatGPT Pro, Enterprise, Business, and Edu customers via the Codex web with free usage for the next 30 days. View the full article

Das deutsche Gesetz zur Umsetzung der NIS-2-Richtlinie ist am 6. Dezember 2025 in Kraft getreten. konstakorhonen – shutterstock.com Welche Auswirkungen IT-Sicherheitsvorfälle für die Bevölkerung haben können, hat sich etwa gezeigt, als im vergangenen Herbst ein Flughafen-Dienstleister Opfer eines Cyberangriffs wurde. Betroffen waren mehrere Flughäfen in Europa. Der Hackerangriff legte am Flughafen Berlin-Brandenburg (BER) elektronische Systeme lahm, die für die Passagier- und Gepäckabfertigung genutzt werden. Zahlreiche Registrierungen vergangene Woche Allein in der letzten Woche vor Ablauf der Frist seien mehr als 4.000 Registrierungen neu hinzugekommen, teilte die BSI-Sprecherin auf Anfrage der Deutschen Presse-Agentur mit. Bei der Bonner Behörde ist man daher noch optimistisch, was die generelle Bereitschaft zur Erfüllung der neuen Regelungen angeht. “Die signifikante Steigerung der Registrierungen in den letzten Tagen lässt darauf schließen, dass kurzfristig viele weitere Registrierungen erfolgen werden”, sagte die Sprecherin. Daten zu einzelnen Sektoren – zur kritischen Infrastruktur zählen etwa große Energieversorger, Banken und IT-Dienstleister – wird das BSI zu einem späteren Zeitpunkt veröffentlichen. Frist von drei Monaten Das deutsche Gesetz zur Umsetzung der NIS-2-Richtlinie war am 6. Dezember in Kraft getreten. Es sieht unter anderem vor, dass Unternehmen erhebliche Sicherheitsvorfälle innerhalb von 24 Stunden melden, innerhalb von 72 Stunden aktualisierte Informationen bereitstellen und nach einem Monat eine Abschlussmeldung einreichen müssen. Bei schwerwiegenden Verstößen drohen Bußgelder. Ob die Vorgaben der Richtlinie für das eigene Unternehmen gelten, hängt unter anderem vom Geschäftsfeld, der Größe beziehungsweise dem Umsatz ab. Laut Schätzungen der Bundesregierung dürften rund 29.850 Unternehmen in Deutschland betroffen sein. Das BSI bietet online eine Betroffenheitsprüfung an. BSI bietet Betroffenen Unterstützung an “Dem BSI ist bewusst, dass die Prüfung der Betroffenheit und die zweistufige Registrierung im Einzelfall aufwendig sein kann”, heißt es aus dem Bundesamt. Für Konzernregistrierungen und für die Registrierung kritischer Komponenten werde man daher in Kürze weitere Hilfestellungen veröffentlichen. (dpa/rs) View the full article

Das deutsche Gesetz zur Umsetzung der NIS-2-Richtlinie ist am 6. Dezember 2025 in Kraft getreten. konstakorhonen – shutterstock.com Welche Auswirkungen IT-Sicherheitsvorfälle für die Bevölkerung haben können, hat sich etwa gezeigt, als im vergangenen Herbst ein Flughafen-Dienstleister Opfer eines Cyberangriffs wurde. Betroffen waren mehrere Flughäfen in Europa. Der Hackerangriff legte am Flughafen Berlin-Brandenburg (BER) elektronische Systeme lahm, die für die Passagier- und Gepäckabfertigung genutzt werden. Zahlreiche Registrierungen vergangene Woche Allein in der letzten Woche vor Ablauf der Frist seien mehr als 4.000 Registrierungen neu hinzugekommen, teilte die BSI-Sprecherin auf Anfrage der Deutschen Presse-Agentur mit. Bei der Bonner Behörde ist man daher noch optimistisch, was die generelle Bereitschaft zur Erfüllung der neuen Regelungen angeht. “Die signifikante Steigerung der Registrierungen in den letzten Tagen lässt darauf schließen, dass kurzfristig viele weitere Registrierungen erfolgen werden”, sagte die Sprecherin. Daten zu einzelnen Sektoren – zur kritischen Infrastruktur zählen etwa große Energieversorger, Banken und IT-Dienstleister – wird das BSI zu einem späteren Zeitpunkt veröffentlichen. Frist von drei Monaten Das deutsche Gesetz zur Umsetzung der NIS-2-Richtlinie war am 6. Dezember in Kraft getreten. Es sieht unter anderem vor, dass Unternehmen erhebliche Sicherheitsvorfälle innerhalb von 24 Stunden melden, innerhalb von 72 Stunden aktualisierte Informationen bereitstellen und nach einem Monat eine Abschlussmeldung einreichen müssen. Bei schwerwiegenden Verstößen drohen Bußgelder. Ob die Vorgaben der Richtlinie für das eigene Unternehmen gelten, hängt unter anderem vom Geschäftsfeld, der Größe beziehungsweise dem Umsatz ab. Laut Schätzungen der Bundesregierung dürften rund 29.850 Unternehmen in Deutschland betroffen sein. Das BSI bietet online eine Betroffenheitsprüfung an. BSI bietet Betroffenen Unterstützung an “Dem BSI ist bewusst, dass die Prüfung der Betroffenheit und die zweistufige Registrierung im Einzelfall aufwendig sein kann”, heißt es aus dem Bundesamt. Für Konzernregistrierungen und für die Registrierung kritischer Komponenten werde man daher in Kürze weitere Hilfestellungen veröffentlichen. (dpa/rs) View the full article

Ransomware-as-a-service (RaaS) models, double extortion tactics, and increasing adoption of AI characterize the evolving ransomware threat landscape. Law enforcement takedowns of groups such as LockBit have contributed to making the ransomware marketplace more fragmented, with emergent players attempting to muscle in on the action. Attackers range from nation-state actors to RaaS operations, lone operators, and data theft extortion groups. Over recent years, financially motivated ransomware groups have adopted the stealth, evasion, and living-off-the-land techniques previously reserved for sophisticated espionage operations. Ransomware remains a lucrative opportunity for threat actors, with well over 7,000 victims publicly posted last year — a huge figure that excludes victims who paid and whose data was not posted by threat actors. Akira alone raked in approximately $45 million in illicit payments in 2025, according to GuidePoint Security. The following non-exhaustive list contains a rundown of the main currently active threat groups, selected for inclusion based on their impact or innovative features. Akira History: Akira is a sophisticated RaaS operation that emerged in early 2023 and remains active. How it works: Groups deploying Akira often exploit lack of authentication in corporate VPN appliances, open RDP (remote desktop protocol) clients, and compromised credentials to attack corporate systems. Targeted victims: The key targets are small to midsize businesses across North America, Europe, and Australia. Affected industries include manufacturing, professional and legal services, education, telecommunications, technology, and pharmaceuticals, according to Palo Alto Networks’ Unit 42 intelligence unit. Attribution: Circumstantial evidence suggests Russian origins, and links with the defunct Conti ransomware, but attribution remains unclear. “The [threat] actor gained attention due to the ‘retro aesthetic’ applied to their DLS (data leak site) and messaging,” Shobhit Gautam, staff solutions architect for EMEA at bug bounty platform HackerOne, says. Black Basta History: Black Basta appeared on the ransomware scene in early 2022 and is believed to be a spin-off from Conti, a group notorious for attacking major organizations. How it works: Black Basta usually deploys malware through exploitation of known vulnerabilities and social engineering campaigns. “Employees in the target environment are email bombed and then contacted by the group pretending to be the organization’s help desk,” according to Christiaan Beek, senior director of threat analytics at Rapid7. Targeted victims: More than 500 organizations globally have been affected by Black Basta, according to an analysis by cloud security firm Qualys. Attribution: Security researchers speculate Black Basta may be associated with the FIN7 cybercrime group due to similarities in custom modules for evading endpoint detection and response systems in malware samples. Blackcat (ALPHV) History: BlackCat, also known by the aliases ALPHV or Noberus, emerged in November 2021. It is said to be made up of former members of the now-defunct Darkside group, which infamously targeted the Colonial Pipeline. How it works: The malware used by BlackCat targets Windows and Linux systems. BlackCat is known for using a triple-extortion strategy, which involves demanding a ransom for file decryption, pledging not to disclose stolen data, and preventing distributed denial-of-service (DDoS) attacks. Targeted victims: The BlackCat (ALPHV) ransomware group has been responsible for several high-profile attacks most notably Caesars Entertainment (September 2023) and Change Healthcare’s UnitedHealth Group subsidiary (February 2024). Attribution: The BlackCat group has gone dark, possibly in response to law enforcement action and the impact of the Change Healthcare attack. Its principals, likely experienced cybercriminals, have become the target of US prosecution. BlackLock History: BlackLock (aka El Dorado) has shown explosive growth since emerging in March 2024. How it works: The group stands apart by developing its own custom malware — a hallmark of top-tier groups like “Play” and “Qilin,” according to ReliaQuest. Its malware targets Windows, VMware ESXi (virtualized servers), and Linux environments. Attackers typically encrypt data while also exfiltrating sensitive information, threatening to publish sensitive information if extortionate demands are not met. Targeted victims: BlackLock has targeted a wide variety of victims, including US-based real estate, manufacturing, and healthcare organizations. Attribution: BlackLock is highly active on the RAMP forum, a Russian-language platform focused on ransomware, actively recruiting for various roles, including initial access brokers, who sell access to partially compromised networks to its affiliates. There is no definitive attribution for the makeup of the BlackLock ransomware group. Cl0p History: The Cl0p ransomware has a complex history dating back to 2019. Its widespread misuse over the past six years is primarily associated with Russian-speaking cybercrime groups, primarily TA505 and FIN11. How it works: Cl0p exploits zero-day vulnerabilities to target its prey. The Cl0p group tends to avoid using conventional payloads but still relies on a leak site to extort payment from victims. “We’ve seen the group use high-profile platform vulnerabilities with minimal downtime to exfiltrate data, such as exploiting a vulnerability in Cleo file transfer software,” according to Rapid7’s Beek. Targeted victims: Cl0p has targeted major organizations worldwide. Most notoriously, Cl0p conducted a massive campaign exploiting the MOVEit vulnerability, affecting thousands of organizations in 2023. Attribution: The Cl0p ransomware is attributed to several (mostly Russian speaking) cybercriminal groups. DragonForce History: Initially linked to hacktivism, DragonForce became known from late 2023 onwards as a ransomware-as-a-service operation that aggressively recruits affiliates through dark web forums, among other tactics. How it works: DragonForce reuses LockBit and Conti code but with modified payloads. Last year it joined up with LockBit and Qilin to form a “ransomware cartel” that coordinates attacks and shares resources. Targeted victims: DragonForce and its affiliates have claimed more than 120 victims in various sectors, including retail and logistics. Attribution: The group was initially thought to be made up from members of a Malaysian pro-Palestinian hacktivist collective but a history of posts on Russian-speaking cybercrime forums and use of Russian cybercrime tooling have cast doubt on whether this theory remains valid. Funksec History: FunkSec is a new RaaS group that emerged in late 2024, claiming more than 85 victims in December alone. How it works: FunkSec uses AI in its malware development, demands low ransoms, and has “questionable credibility regarding their data leaks,” according to Rapid7’s Beek. Targeted victims: FunkSec has claimed a large number of victims, but researchers caution some of the leaks may be rehashed or recycled from earlier breaches. Attribution: FunkSec operates as a RaaS model, likely with Russian-speaking affiliates. The Gentlemen History: This sophisticated group burst onto the ransomware scene in mid-2025 with a ransomware-as-a-service platform and attacks spanning manufacturing, construction, healthcare, and insurance. How it works: The group exfiltrates data before encrypting files and threatening to leak stolen information unless they are paid off. The Gentlemen, whose polished branding is styled after the Guy Richie film of the same name, abuse legitimate drivers for defense evasion, abuses Group Policy Objects to facilitate domain-wide compromise, and deploys custom malicious tools designed to disable endpoint security. Targeted victims: The Gentlemen have hit an estimated 30 victims across 17 countries with manufacturing and construction industries being the key targets, followed by healthcare, insurance, and others. Attribution: The cybercriminals behind The Gentlemen ransomware group remain unidentified. LockBit History: LockBit is a cybercrime group operating through a ransomware-as-a-service model it was instrumental in pioneering. Despite being disrupted in 2024, LockBit has shown signs of a comeback. The malware operation remains notorious for its efficient encryption and double extortion tactics. How it works: LockBit, despite a major takedown operation by law enforcement in 2024, continues to use the evermore powerful RaaS model as well as double extortion, also known as “lock and leak.” “LockBit continues to list victims, recruit affiliates, and try to reclaim its reputation on dark web forums,” Luke Donovan, head of threat intelligence, Searchlight Cyber tells CSO. LockBit resurfaced in September 2025 with the latest version of its ransomware, LockBit5. Targeted victims: LockBit targeted thousands of victims worldwide in its heyday, including government services, private sector companies, and critical infrastructure providers. Attribution: LockBit’s use of Russian-language forums and targeting patterns have led some analysts to believe the group is based in Russia. Russian national Dmitry Yuryevich Khoroshev, named by Western law enforcement agencies last year as the developer and administrator of LockBit, faces a US indictment alongside asset freezes and travel bans. Two Russian nationals were indicted for deploying LockBit ransomware against targeted organizations. Lynx History: Lynx shares 48% of its source code with the earlier INC ransomware, which indicates a plausible rebranding or evolution of the same threat actor. How it works: Lynx also operates a RaaS and employs double extortion tactics. After infiltrating a system, the ransomware can steal sensitive information and encrypt the victim’s data, effectively locking them out. To make recovery more difficult, it adds the ‘.lynx’ extension to encrypted files and deletes backup files like shadow copies. Targeted victims: Since emerging, the ransomware has actively targeted several US and UK industries, including retail, real estate, architecture, financial services, and environmental services. The group behind Lynx attacked multiple facilities across the US between July 2024 and November 2024, which include victims associated with energy, oil, and gas, according to Palo Alto’s Unit 42 threat intel group. “According to a statement Lynx released in July 2024, they claim to be ‘ethical’ with regards to choosing victims,” Rapid7’s Beek adds. Attribution: Lynx operates as a RaaS model, meaning it is likely used by multiple cybercriminals rather than a single entity. Medusa History: Medusa is a ransomware-as-a-service operation that debuted in 2022. How it works: The group typically hacks into systems by either exploiting vulnerabilities in public-facing assets, phishing emails, or using initial access brokers. Targeted victims: Cybercriminals behind Medusa have targeted healthcare, education, manufacturing, and retail organizations in the US, Europe, and India. Attribution: Activity on Russian-language cybercrime forums related to Medusa suggests the core group and many of its affiliates may be from Russia or neighbouring countries but this remains unconfirmed. Play History: Play is a ransomware threat that emerged in June 2022. The group intensified its activities following the disruption of other major threat actors. How it works: Attackers typically encrypt systems after exfiltrating sensitive data. Play keeps a fairly low profile on the dark web aside from its leak site, not advertising itself on dark web forums. “It has even claimed not to be an RaaS gang at all, saying it maintains a ‘closed group to guarantee the secrecy of deals,’ in spite of evidence to the contrary,” Searchlight Cyber’s Donovan explains. Targeted victims: The group has targeted various sectors, including healthcare, telecommunications, finance, and government service. Attribution: Play may have connections to North Korean state-aligned APT groups. In October 2024, security researchers at Palo Alto Networks’ Unit 42 published evidence of a deployment of Play ransomware by a threat actor backed by North Korea, specifically APT45. “The link between this threat actor and Play is unclear, but demonstrates the potential for crossover between state-sponsored cyber activity and ostensibly independent cybercrime networks,” Donovan says. Qilin History: Qilin, also known as Agenda, is a Russia-based RaaS group that has been operating since May 2022. How it works: The group targets Windows and Linux systems, including VMware ESXi servers, using ransomware variants written in Golang and Rust. Qilin follows a double extortion model — encrypting victims’ files and threatening to leak stolen data if the ransom is not paid. Targeted victims: Qilin recruits affiliates on underground forums and prohibits attacks on organizations in Commonwealth of Independent States (CIS) countries bordering present-day Russia. Qilin posted looted data from 697 victims in the second half on 2025, a five-fold year-on-year increase, according to research by Searchlight Cyber. Security researchers attribute the surge to an aggressive recruitment effort and tie-ins with initial access brokers to obtain stolen VPN credentials. Attribution: The makeup of Qilin remains unknown but a Russian-speaking organized cybercrime operation is strongly suspected. RansomHub History: RansomHub emerged in February 2024 and quickly became a major cyber threat. The group, initially known as Cyclops and later Knight, rebranded and expanded its operations by recruiting affiliates from other disrupted ransomware groups such as LockBit and ALPHV/BlackCat. How it works: Once inside a network, RansomHub affiliates exfiltrate data and deploy encryption tools, often utilizing legitimate administrative utilities to facilitate their malicious activities. RansomHub operates an “affiliate-friendly” RaaS model, initially offering a fixed 10% fee for those that make attacks using its ransomware and the option to collect ransom payments directly from victims before paying the core group. “These elements make it an attractive option for affiliates that are looking for a guaranteed return, where other RaaS operations have been unreliable in paying out in the past,” Searchlight Cyber’s Donovan says. Targeted victims: RansomHub has been linked to more than 210 victims across various critical sectors, including healthcare, finance, government services, and critical infrastructure in Europe and North America, according to Rapid7. Attribution: Attribution remains unconfirmed but circumstantial evidence points toward an organized Russian-speaking cybercrime operation with ties to other established ransomware threat actors. Scattered Lapsus$ Hunters History: Previously separate cybercrime groups Scattered Spider, LAPSUS$, and ShinyHunters formed a loose alliance in August 2025 to run ransomware attacks against large enterprises. Initially affiliates for ALPHV/BlackCat and others, the group broke away and developed its own platform and methodology. How it works: Scattered Lapsus$ Hunters is noted for its expertise in using social engineering to compromise help desks, among other tactics. The Consolidated Threat Group combines financial extortion via data leaks with ransomware. Their leak site was seized by law enforcement in October 2025 but this may well not be the last we hear of the cybercrime supergroup. Targeted victims: The collective ran a major Salesforce campaign in August and October that exposed data from dozens of companies, including Toyota, FedEx, and Disney. Attribution: Security researchers characterize Scattered Lapsus$ Hunters as a loose alliance rather than a single cohesive group. Suspected members of the group remain publicly unidentified as of late February 2026. View the full article

a way to automate alert triage, threat investigation and eventually higher-level functions. According to IDC, agentic AI is on track to become mainstream infrastructure. The analyst firm expects 45% of organizations to have autonomous agents operating at scale across critical business functions by 2030. In enterprise SOCs, AI is already reshaping functions like alert triage, enrichment, data correlation, IOC validation and initial containment. It could soon move up the stack to take on more complex tasks like incident investigation, root cause analysis, and response. “AI acts as a force multiplier in the SOC,” says Nicole Carignan, senior VP, security and AI strategy at Darktrace. But harnessing that promise will require organizations to invest now in reskilling analysts, redesigning processes, building new technical roles, and establishing guardrails and governance frameworks to ensure autonomous AI agents operate safely. “It’s not enough to simply deploy an AI solution. Security practitioners must understand how the underlying machine learning techniques function, what their strengths and limitations are, and how to evaluate their outputs,” Carignan says. “Without explainability and trust, AI risks are exacerbating alert fatigue rather than solving it.” Here is what security leaders need to know — and do — to prepare their SOCs for the agentic AI era. Reskill analysts to become AI collaborators and overseers Increasingly, human roles in the SOC will shift from hands-on execution to supervision, governance, design, and oversight. As AI agents take on more operational tasks, analysts will need to focus on managing AI systems, interpreting outputs, and resolving the nuanced challenges machines cannot handle, says Casey Ellis, founder of Bugcrowd. “Jobs won’t disappear, they’ll adapt. The key is ensuring that SOC professionals are prepared for this shift through ongoing education, training, and tooling.” Few expect the transition will occur organically or without friction. Many SOC leaders will need to reskill existing staff to manage AI effectively; to interrogate AI reasoning; enrich investigations with contextual insight; and apply informed human analysis to AI-driven outputs. When acting on an AI tool’s recommendation, analysts must understand what questions the agent asked, which data sources it queried, and what evidence informed its decision, according to Dov Yoran, co-founder and CEO of Command Zero. From there, they need to be able to pivot to additional data sources, pursue new artifacts, and extend the investigative timeline as needed. “Junior analysts who might not know how to start an investigation from scratch can become effective by learning how to extend and refine what the agent produced,” Yoran says. “It’s a different skill set from traditional SOC work, and in many ways, a more accessible one.” In the SOC of the future, analysts must also act as adversarial reviewers of AI-driven conclusions. That’s because AI systems can introduce hallucinations, training-data bias, and other vulnerabilities while also being vulnerable to adversarial manipulation. Analysts need to recognize these risks to ensure decisions remain grounded and defensible, says Ensar Seker, CISO at SOCRadar. “Analysts need to be trained less as button-pushers and more as adversarial reviewers of AI output. That means understanding how models reason, where they fail, how bias and data gaps surface, and how to interrogate confidence levels and assumptions. The goal isn’t to ‘trust AI faster,’ but to develop the instinct to ask: What would make this conclusion wrong?” Seker says. Analysts will also play a critical role in enabling organization-specific context into AI-driven workflows. Without that context, agents risk missing threats, amplifying noise, or triggering risky actions based on incomplete information. SOC leaders need to remember that “AI agents are only as smart as the context they have access to,” Yoran says. Analysts must learn to annotate identities, maintain watch lists, document recurring false-positive patterns, and build enrichment layers that strengthen future investigations, he said, “This is knowledge work, not data work.” Ultimately, the objective is not to outperform AI, but to do better where AI falls short. For example, “accept that autonomous alert triage will become table stakes,” Yoran says. “Your processes need to shift from ‘how do we triage every alert’ to ‘how do we handle escalations from autonomous investigations’.” Build capabilities for AI governance, content and quality Upskilling existing analysts alone is not enough. As AI agents begin operating across tools, making decisions and triggering actions with minimal human involvement, the demands on the SOC will extend well beyond traditional analyst capabilities, experts say. Content engineering, for instance, is one emerging requirement. In an AI-enabled SOC, detection engineers will no longer write only static rules. They must design dynamic content such as questions, prompts and investigation templates that agents can use to reason, enrich data, correlate signals and act autonomously. These content engineers curate the structured inputs that power agents, including telemetry, threat models, and playbooks. “This is the most underappreciated role in AI-powered security operations,” Yoran notes. “These are people who build and maintain the questions that agents can ask, the investigation plans that guide autonomous work, and the knowledge bases that provide context,”. Organizations need someone who can translate detection logic from their SIEM, import best practices from frameworks like MITRE ATT&CK, and encode institutional knowledge into the platform. “This isn’t traditional security engineering, it’s closer to knowledge management combined with threat intelligence,” he says. Mature SOCs will also require clear ownership of AI governance and agent oversight. That includes roles that have oversight over model risk evaluation, prompt and policy management, continuous performance validation, and even red teaming the agents themselves, Seker says. “You don’t need a massive new team, but you do need clear accountability for how autonomous decisions are made, tested, and constrained.” Another emerging need is analysts with deep fluency in data management. An AI-driven SOC will require professionals who understand how information should be classified, protected, normalized, and monitored to ensure reliable conclusions. “With 64% of organizations planning to add AI-powered solutions to their security stack in the next year, it is critical for professionals to cross-skill in AI,” Carignan says. “Cybersecurity professionals must become fluent in AI and data, developing a deeper understanding of data classification, governance, and model behavior.” Cross-skills in data science, machine learning, and cybersecurity enable analysts to critically evaluate AI outputs, tune models for security use cases, and adapt defenses as threats evolve, making them indispensable in an AI-augmented SOC. Frank Dickson, an analyst at IDC, urged organizations to think of this capability as similar to a data architect role. “The key to getting value from AI is having data located in a place where you can get to it, having it formatted in a homogeneous way so you can do analysis on it, and then manage the data,” he says. “The success of your AI initiative is going to be tied to the effectiveness of your ability to get data. A data architect manages that.” Dickson also emphasized the need for an “orchestration platform engineer” role responsible for ensuring effective communication and workflow integration across security tools. The SOC of the future will not hinge on a single platform but on an interconnected ecosystem of SIEM, EDR, SOAR, identity, cloud and other systems that must operate in concert to support AI-driven, agentic investigations and automation, Dickson tells. Dedicated orchestration expertise will become essential to maintain reliable data flows and automation logic in such an environment, he noted. Redesign SOC processes and playbooks where needed Organizations will need to review and rework SOC processes and playbooks to ensure their AI-augmented SOC is consistent, efficient and continuously learning. Yoran recommends that SOC leaders focus on codifying institutional knowledge into AI agent-accessible questions and plans. Translate playbooks into investigation plans that AI agents can follow on a repeatable basis. In situations where an agent might hit a wall, have processes in place for a smooth handoff to a human analyst and build feedback loops for continuous improvement, Yoran adds. “Playbooks must shift from step-by-step human procedures to intent-based guardrails,” Seker points out. “Instead of telling analysts how to investigate, define what outcomes are allowed, what actions are prohibited, and when human approval is mandatory.”. The objective is not to micromanage every alert but to assume AI agents operate continuously across tools, with humans only supervising exceptions, edge cases, and strategic decisions. SOCs also need to rethink metrics, accountability, and documentation within the SOC. Traditional performance indicators, such as ticket closure rates or mean time to resolution, may need to broaden to include model accuracy, escalation quality, and the effectiveness of automated containment actions. “The biggest mistake is optimizing for speed metrics instead of investigation quality,” Yoran says. “I see this constantly: vendors promising 90% faster time to resolution or reduce tier-one workload by 80% or close alerts in seconds instead of hours. These metrics while seductive are dangerous,” he cautions. “Making the same mistake faster benefits no one. An incomplete investigation that closes in two minutes isn’t better than a thorough investigation that takes 30 minutes.” Auditability too becomes critical. All AI-driven decisions should be traceable, explainable, and reviewable from both an internal governance standpoint and for external compliance requirements. “If you can’t explain why an AI took an action to an auditor, regulator, or executive, it shouldn’t be allowed to take that action. Explainability isn’t a nice-to-have; it’s a prerequisite for autonomy,” Seker says. Implement AI guardrails and principles Formal guardrails and operating principles are going to be critical in SOCs where AI agents influence decisions, initiate responses and help prioritize threats. That means setting defined boundaries around data access and model behavior, having processes to validate responses and making sure humans remain in the loop on all high-impact decisions. Focus areas should include approval thresholds for autonomous actions, figuring out allowed and disallowed actions for an agent, protecting against prompt injection attacks, testing and red-teaming of agentic workflows and ensuring IR policies are updated for AI-driven actions. “Require transparent decision trails, rate limiting, least-privilege, and instant override,” Seker advises. “Hard limits on action scope, blast radius, and privilege are non-negotiable. Agents should operate under least-privilege identities, with explicit kill-switches, change-control boundaries, and environment awareness. The key is to ensure that AI is never allowed to silently escalate its own authority or modify guardrails without human approval.” IDC analyst Dickson pointed to identity and access as two other areas to focus on by way of guardrails and policies. “In the past, when we gave humans access, we often over-provisioned by default. That approach does not work with agents. With agentic AI, permissions must start at least privilege, defined precisely from day one.” The focus should be on ensuring no standing privileges, implementing dynamic authorization and establishing clear role definitions, Dickson says. “Agentic AI is enormously powerful. Constraining access correctly is non-negotiable.” View the full article

Post-quantum cryptography (PQC) has long sat on the periphery of enterprise security, with experts calling it inevitable but not urgent. That posture is beginning to shift. Earlier this year, Palo Alto Networks published a blog announcing a new “quantum-safe security” initiative, framing it as a way for enterprises to assess where quantum-vulnerable cryptography exists across their environments and begin planning a transition. While the announcement was light on technical specifics, it added to a growing security sentiment. Post-quantum threats are real. “IDC’s view is that post-quantum risk is no longer a distant, theoretical issue; it is becoming a present-day governance and operational risk, especially for regulated and data-intensive industries,” said Sakshi Grover, senior research manager, security services, IDC Asia Pacific. While practical quantum attacks remain years away, security vendors are beginning to pull PQC out of the confines of a “future theory” and into present-day risk management. Rather than pushing sweeping architectural changes from the start, they are positioning discovery, inventory, readiness assessments, and crypto-agility capabilities as the first steps to get enterprises up to speed with quantum. But even that groundwork is far from straightforward. Can’t change what you can’t see At the heart of most PQC readiness offerings is a basic but difficult problem. Many organizations do not know where or how cryptography is used across their infrastructure. Encryption is embedded everywhere, from certificates and VPNs to APIs, firmware, identity systems, and third-party software. That sprawl makes it difficult to evaluate exposure to algorithms like RSA and elliptic curve cryptography, which are expected to be broken by sufficiently capable quantum computers. Palo Alto’s messaging centers on this visibility gap. According to the company, its approach is to help organizations identify cryptographic usage that may not be quantum-safe and provide guidance on remediation paths. It isn’t alone in trying to do this. Cisco frames the visibility problem in similarly operational terms, emphasising that readiness spans multiple phases rather than a one-time audit. “Cisco CX’s Quantum-Safe Services delivers end-to-end support across discovery, monitoring, and migration–plus strategic advisory and ongoing optimization to keep pace with evolving standards,” said Christian Chisolm, senior director of strategy & planning, Security & Trust Organization, Cisco. Companies like IBM have also been building cryptographic inventory solutions to catalog every encryption component. IBM’s Quantum Safe Explorer (QSE) performs static analysis of software to locate cryptographic assets, including libraries and dependencies, and pairs that with runtime monitoring through its Quantum Safe Advisor to build a comprehensive “Cryptography Bill of Materials.” Some providers are focusing specifically on infrastructure-layer visibility. Cisco says its discovery currently concentrates on network cryptography exposure. “We currently detect: Digital certificates across management, control, and data places; Cryptographic protocols and algorithms (TLS/SSL, SSH, IPsec, etc); Key exchange mechanisms on Cisco network devices; Trust anchors and hardware security elements within platform architectures,” Chisolm said. Cloudflare, by contrast, emphasizes visibility at the connection layer rather than deep asset discovery. “Cloudflare provides visibility into which client devices and endpoints can successfully establish TLS 1.3 connections,” Volker Rath, field CISO at Cloudflare, said. Certificate management vendors are also repositioning core functions for PQC readiness. DigiCert, for example, uses its Trust Lifecycle Manager and related tools to help enterprises identify, inventory, and begin replacing vulnerable certificates with quantum-safe alternatives. Some are already ahead as the migration question looms One of the earliest vendors to operationalize cryptographic discovery specifically for PQC readiness was Sandbox AQ, which emerged from Google’s quantum research efforts. As early as 2022, the company argued that enterprises needed to inventory cryptography assets long before post-quantum algorithms could be deployed at scale. Initially offered as a consulting-driven assessment, that capability eventually evolved into a product, AQtive Guard, designed to continuously monitor cryptographic usage and flag quantum-vulnerable dependencies. In 2024, the platform’s deployment by SoftBank Corporation gave the company’s claims a public validation, uncovering unnoticed vulnerable encryption and certificate issues across a large enterprise network. Beyond SoftBank, SandboxAQ has managed to secure high-profile engagements, including a partnership to deploy AQtive Guard across multiple US Department of War entities to accelerate cryptographic visibility and PQC modernization. A handful of other vendors, too, have moved beyond experimental efforts to deliver more mature offerings. QuSecure offers the QuProtect platform, combining crypto-agility with discovery so enterprises can embed quantum-resilient cryptography into existing infrastructure without rewriting application code. Some niche players are offering full-stack products that embed PQC across services. Companies like Post-Quantum (UK-based) provide modular software for identity, VPNs, and encrypted messaging that is quantum-safe today, stressing crypto-agility and backward compatibility as part of readiness. “The approach to mass migration away from where we’ve grown comfortable into new methods of encryption is no easy task,” said Bart Willemsen, VP analyst at Gartner. “The road towards continuous inventory, prioritization for replacement, and the ability to maintain connectivity in operations is a long one. What’s more, we need to become and remain crypto-agile (we’re likely going to have to do the same again, later, as has always been the case historically) and that repeatability demands consistency.” Cisco argues that migration planning must account for legacy constraints, not just modern systems. “Legacy systems present unique challenges — limited processing power, fixed firmware, and operational lifecycles spanning over 10 to 20 years. When direct upgrades aren’t feasible, we deploy cryptographic abstraction layers: quantum-safe proxies or gateways that mediate communications on behalf of legacy devices, essentially wrapping vulnerable protocols in PQC-secured tunnels,” Chisolm said. Cloudflare takes a different approach, positioning its network as a compensating control. “This means customers do not necessarily need to upgrade legacy systems or proprietary software to achieve PQC readiness, as the connection is secured at the edge, removing the opportunity for interception along the way,” Rath said. “Harvest now, decrypt later” adds pressure Part of the renewed urgency comes from the “harvest now, decrypt later” threat model, in which adversaries collect encrypted data today with the expectation that it can be decrypted once quantum capabilities mature. This scenario has shifted PQC from a hypothetical future problem to an immediate data protection concern, particularly for industries handling sensitive data with long confidentiality lifetimes, including telecommunications, finance, healthcare, and government. “We do hear of HNDL attacks, where conventionally encrypted content is no longer discarded but retained by criminals, who are seeing the (quantum) developments as an opportunity for their nefarious activities within 2-3 years,” Gartner’s Willemsen said. “When criminals see opportunity around the corner, the quantum-based decryption risks are no longer theoretical; they are real.” Vendors increasingly argue that action cannot wait for fully capable quantum computers. Cisco warns that organizations holding long-lived sensitive data should already be moving beyond assessments. “Assessment is urgent, but active replacement is now imperative,” Chisolm said. Cloudflare echoes the timeline concern while pointing to official guidance. “The National Institute of Standards and Technology (NIST) recommends organizations achieve full post-quantum readiness by 2030,” Rath noted. “Given the complexity of updating infrastructure at scale, we recommend that enterprises begin planning the replacement process now to reduce stress, costs, and friction.” NIST also finalized multiple post-quantum cryptographic algorithms, giving vendors and enterprises targets for migration and reducing uncertainty. As organizations prepare for hybrid PQC deployments, combining classical and quantum-resistant algorithms, vendors are racing to ensure their offerings support evolving standards. “We have been monitoring the developments in quantum space for over a decade, and our strategic planning assumptions regarding the expected moment of compromise have consistently pointed towards around 2029,” Willemsen pointed out. “Given the amount of work to be done for a successful migration and ‘continuous in-control’ situation, that should be read as ‘tomorrow.’” Readiness vs reality Not everyone is convinced that today’s PQC readiness offerings represent a fundamentally new category of security tooling. Much of what vendors are promoting: crypto inventories, certificate tracking, dependency mapping, overlaps with practices that security teams arguably should already have in place. In that sense, PQC may just be acting as a forcing hand for organizations to address longstanding blind spots rather than introducing entirely new technical requirements. Some vendors counter that the difference lies in depth and integration rather than concept. Cisco positions its approach as foundational rather than additive. “Traditional encryption tools inventory certificates and track key lifecycles. Cisco delivers infrastructure-level quantum readiness, embedding NIST PQC algorithms into core protocols and hardware roots of trust.” While NIST standards are now available, many commercial products and protocols have yet to fully integrate post-quantum algorithms. Even where support exists, performance trade-offs and interoperability challenges remain. IDC’s Grover recommends a phased transition. “Instead of aiming for full-scale deployment, buyers should prioritize critical systems first, align with NIST timelines, and integrate PQC into broader GRC programs,” she said. For vendors, the race is now about positioning. Being seen as a trusted guide through the PQC transition, rather than merely an algorithm provider, offers an opportunity to embed deeply into long-term enterprise roadmaps. Palo Alto Networks’ entry into PQC readiness reflects a broader shift in how the market is approaching the issue. What was once largely the domain of specialized quantum security firms is now being taken up by mainstream security and infrastructure vendors as part of their core platform strategies. Network providers like Cisco are introducing quantum-safe protections for existing protocols, while HSM vendors like Futurex are adding post-quantum algorithm support to established key management systems used in regulated environments. Cloudflare, similarly, frames readiness as an architectural shift rather than a discrete tool deployment. “With Cloudflare, customers simply need to place their origin server behind the Cloudflare network, and Cloudflare manages the encryption and key management,” Rath said. As more vendors formalize their offerings and additional customer deployments are disclosed, the edges of the PQC readiness market are likely to become clearer. What remains uncertain is whether enterprises will prioritize these efforts in the near term or treat them as part of the longer-term cryptographic modernization. View the full article

Statt eines kurzen, aber sehr schmerzhaften Stiches setzen Cyberkrimelle zunehmend darauf, sich in ihren Opfern festzubeißen und beständig auszusaugen. mycteria – shutterstock.com Ransomware-Angreifer ändern zunehmend ihre Taktik und setzen vermehrt auf unauffällige Infiltration. Dies liegt daran, dass die Drohung mit der Veröffentlichung sensibler Unternehmensdaten zum Hauptdruckmittel bei Erpressungen geworden ist. Der jährliche Red-Teaming-Bericht von Picus Security zeigt, dass Angreifer zunehmen von auffälligen Störungen zu stillen, langfristigen Zugriffen übergehen, also weg von „räuberischen“ Smash-and-Grab-Methoden hin zu einer „parasitären“ Strategie mit verdeckter Dauerpräsenz. So seien vier von fünf der häufigsten Angriffstechniken von Ransomware-Varianten darauf ausgelegt, nach dem ersten Angriff unentdeckt zu bleiben. Laut Picus Security setzen Ransomware-Angreifer zunehmend darauf, Sicherheitsvorkehrungen zu umgehen und sich im Netzwerk festzusetzen, da sich ihr Vorgehen kontinuierlich weiterentwickelt hat. Zudem leiteten Angreifer Command-and-Control-Verkehr (C2) immer häufiger über vertrauenswürdige Unternehmensdienste wie OpenAI und AWS, damit ihre schädlichen Aktivitäten stärker wie normalen Geschäftsdatenverkehr erscheinen. Verkettung als Strategie Die Schlussfolgerungen von Picus Security basieren auf Angriffssimulationen sowie die Analyse von 1,1 Millionen Schadsoftware-Dateien und 15,5 Millionen Angriffsaktionen, die dem MITRE ATT&CK-Framework zugeordnet wurden. MIt der Erkenntnis, dass Angreifer Tarnung und Beharrlichkeit gegenüber auffälligen Störungen bevorzugen, ist Picus nicht allein. Sie deckt sich mit den Ergebnissen der Ransomware-Forschung von Securin (Download gegen Daten). Wie das Unternehmen berichtet, verketten Angreifer zunehmend mehrere Schwachstellen in ihren Angriffen auf Unternehmenssysteme miteinander. „Ransomware-Gruppen betrachten Schwachstellen nicht mehr als isolierte Einfallstore“, erklärt Aviral Verma, leitende Analystin für Bedrohungsanalysen von Securin. „Sie verknüpfen sie zu gezielten Angriffsketten und wählen Schwachstellen nicht nur nach deren Schweregrad aus, sondern auch danach, wie effektiv sie damit Vertrauen, Persistenz und operative Kontrolle über ganze Plattformen hinweg untergraben können.“ KI verstärkt Ransomware Wenngleich Angreifer immer stärker mit KI vertraut sind, fungiert sie bei Ransomware-Angriffen primär als Verstärker und nicht als treibende Kraft. Ransomware-Banden bevorzugen häufig, ihre Opfer doppelt zu erpressen: Zum einen drohen sie damit, die gestohlenen Informationen zu veröffentlichen, zum anderen mit dem Chaos, dass die Verschlüsselung der Daten nach dem Eindringen in Unternehmensnetzwerke verursacht. Mittlerweile sind diese Attacken allerdings weniger geworden, wie Picus berichtet. Konkret spricht das Unternehmen von einem Rückgang der Verschlüsselungen um 38 Prozent in den letzten 12 Monaten. Der Hintergrund: Immer mehr Cyberkriminelle würden dazu übergehen, Daten unbemerkt zu exfiltrieren, um die Opfer zu erpressen. Kein Rückgang, eher Zunahme Picus’ Behauptung, die Anzahl der Ransomware-Angriffe gehe zurück, ist allerdings umstritten. So vertritt Tony Anscombe, Chief Security Evangelist bei ESET, einem Anbieter von Endpoint-Security-Lösungen, eine gegenteilige Meinung: „Im aktuellen ESET-Threat-Report für das zweite Halbjahr 2025 zeigen die Erkennungsdaten einen Anstieg von 13 Prozent zwischen dem ersten und zweiten Halbjahr“, erklärt der Experte gegenüber unserer US-amerikanischen Schwester. „Gleichzeitig stieg die Zahl der öffentlich gemeldeten Opfer laut ecrime.ch um 40 Prozent. Daher scheint Ransomware nicht rückläufig zu sein.“ Mehr Opfer durch Optimierung Auch der Cybersicherheitsdienstleister GuidePoint Security sieht keinen Rückgang – ganz im Gegenteil. Wie das Unternehmen darstellt, erreichte die Zahl der aktiven Ransomware-Gruppen im vergangenen Jahr einen neuen Höchststand. So gibt Nick Hyatt, Senior Threat Intelligence Consultant bei GuidePoint Security, an, dass im vergangenen Jahr die Daten von über 7.000 Opfern veröffentlicht wurden. Diese Zahl schließt wahrscheinlich diejenigen aus, die zwar Lösegeld zahlten, deren Daten aber nie von den Angreifern veröffentlicht wurden. „Die Angreifer haben ihre Angriffsfähigkeiten optimiert und setzen auf eine Mischung aus etablierten Techniken, der Ausnutzung von Sicherheitslücken und neuartigen Angriffen, um ihre Ziele zu erreichen“, so Hyatt. Obenauf die üblichen Verdächtigen Die von CSO befragten Experten stuften Qilin, Cl0p und Akira allgemein als die aktivsten Ransomware-Gruppen ein, allerdings gab es zahlreiche weitere Konkurrenten. „Laut den Huntress-Daten für 2025 ist Akira heute die führende Ransomware-Gruppe“, erklärt Dray Agha, Senior Manager of Security Operations beim Managed Detection and Response-Anbieter Huntress. „Ihre Vorgehensweise entwickelt sich rasant weiter, insbesondere um bestehende Sicherheitslösungen zu neutralisieren. Wir beobachten, dass sie aggressiv die Hypervisor-Ebene angreifen, um herkömmliche Endpoint-Sicherheitsmaßnahmen vollständig zu umgehen.“ Collin Hogue-Spears, leitender Direktor und technischer Experte beim Sicherheitsunternehmen Black Duck Software, erklärt, dass Ransomware-Betreiber nicht mehr wie organisierte Verbrecher, sondern wie ein Plattformunternehmen agieren. So verzeichnete Qilin 2025 „über 1.000 Opfer, eine Versiebenfachung gegenüber dem Vorjahr“, wie der Experte erläutert. „LockBit 5.0 hat, nachdem es abgeschaltet wurde, seine Einsatzfähigkeit wiedererlangt.“ Cybercrime-Dienstleitung befeuert das Verbrechen Unterdessen bietet die Föderation aus Scattered Spider, Lapsus$ und ShinyHunters, kurz SLSH, Extortion-as-a-Service an – ein Ansatz, der es auch technisch weniger versierten Cyberkriminellen erleichtert, sich auf betrügerische Weise ihren Lebensunterhalt zu verdienen. „Innerhalb von sechs Monaten sind 73 neue Gruppen entstanden, weil sie ihre Tools nicht mehr selbst entwickeln müssen“, so Hogue-Spears. „Sie mieten sie.“ Vasileios Mourtzinos, Mitglied des Bedrohungsteams beim Managed-Detection-and-Response-Unternehmen Quorum Cyber, erklärt, dass immer mehr Gruppen von wirksamer Verschlüsselung zu erpressungsbasierten Modellen übergehen. Dabei stünden Datendiebstahl und ein langanhaltender, unauffälliger Zugriff im Vordergrund. Gefahr kommt von innen „Diese Vorgehensweise, die durch Akteure wie Cl0p bekannt wurde, indem sie Schwachstellen in Drittanbietersystemen und Lieferketten großflächig ausnutzen, findet nun immer breitere Anwendung“, so Mourtzinos. „Hinzu kommt der zunehmende Missbrauch gültiger Konten und legitimer administrativer Tools, um sich in den normalen Geschäftsbetrieb einzufügen. In einigen Fällen werden sogar Insider rekrutiert oder mit Anreizen bestochen, um den Zugriff zu ermöglichen.“ Diese sich stetig weiterentwickelnden Methoden von Ransomware-Gruppen erfordern ein Überdenken der Abwehrstrategien. „Für CISOs sollte die Priorität darin bestehen, die Identitätskontrollen zu stärken, vertrauenswürdige Anwendungen und Integrationen von Drittanbietern genau zu überwachen und sicherzustellen, dass sich die Erkennungsstrategien auf Persistenz und Datenexfiltration konzentrieren“, rät er. (tf) View the full article

Statt eines kurzen, aber sehr schmerzhaften Stiches setzen Cyberkrimelle zunehmend darauf, sich in ihren Opfern festzubeißen und beständig auszusaugen. mycteria – shutterstock.com Ransomware-Angreifer ändern zunehmend ihre Taktik und setzen vermehrt auf unauffällige Infiltration. Dies liegt daran, dass die Drohung mit der Veröffentlichung sensibler Unternehmensdaten zum Hauptdruckmittel bei Erpressungen geworden ist. Der jährliche Red-Teaming-Bericht von Picus Security zeigt, dass Angreifer zunehmen von auffälligen Störungen zu stillen, langfristigen Zugriffen übergehen, also weg von „räuberischen“ Smash-and-Grab-Methoden hin zu einer „parasitären“ Strategie mit verdeckter Dauerpräsenz. So seien vier von fünf der häufigsten Angriffstechniken von Ransomware-Varianten darauf ausgelegt, nach dem ersten Angriff unentdeckt zu bleiben. Laut Picus Security setzen Ransomware-Angreifer zunehmend darauf, Sicherheitsvorkehrungen zu umgehen und sich im Netzwerk festzusetzen, da sich ihr Vorgehen kontinuierlich weiterentwickelt hat. Zudem leiteten Angreifer Command-and-Control-Verkehr (C2) immer häufiger über vertrauenswürdige Unternehmensdienste wie OpenAI und AWS, damit ihre schädlichen Aktivitäten stärker wie normalen Geschäftsdatenverkehr erscheinen. Verkettung als Strategie Die Schlussfolgerungen von Picus Security basieren auf Angriffssimulationen sowie die Analyse von 1,1 Millionen Schadsoftware-Dateien und 15,5 Millionen Angriffsaktionen, die dem MITRE ATT&CK-Framework zugeordnet wurden. MIt der Erkenntnis, dass Angreifer Tarnung und Beharrlichkeit gegenüber auffälligen Störungen bevorzugen, ist Picus nicht allein. Sie deckt sich mit den Ergebnissen der Ransomware-Forschung von Securin (Download gegen Daten). Wie das Unternehmen berichtet, verketten Angreifer zunehmend mehrere Schwachstellen in ihren Angriffen auf Unternehmenssysteme miteinander. „Ransomware-Gruppen betrachten Schwachstellen nicht mehr als isolierte Einfallstore“, erklärt Aviral Verma, leitende Analystin für Bedrohungsanalysen von Securin. „Sie verknüpfen sie zu gezielten Angriffsketten und wählen Schwachstellen nicht nur nach deren Schweregrad aus, sondern auch danach, wie effektiv sie damit Vertrauen, Persistenz und operative Kontrolle über ganze Plattformen hinweg untergraben können.“ KI verstärkt Ransomware Wenngleich Angreifer immer stärker mit KI vertraut sind, fungiert sie bei Ransomware-Angriffen primär als Verstärker und nicht als treibende Kraft. Ransomware-Banden bevorzugen häufig, ihre Opfer doppelt zu erpressen: Zum einen drohen sie damit, die gestohlenen Informationen zu veröffentlichen, zum anderen mit dem Chaos, dass die Verschlüsselung der Daten nach dem Eindringen in Unternehmensnetzwerke verursacht. Mittlerweile sind diese Attacken allerdings weniger geworden, wie Picus berichtet. Konkret spricht das Unternehmen von einem Rückgang der Verschlüsselungen um 38 Prozent in den letzten 12 Monaten. Der Hintergrund: Immer mehr Cyberkriminelle würden dazu übergehen, Daten unbemerkt zu exfiltrieren, um die Opfer zu erpressen. Kein Rückgang, eher Zunahme Picus’ Behauptung, die Anzahl der Ransomware-Angriffe gehe zurück, ist allerdings umstritten. So vertritt Tony Anscombe, Chief Security Evangelist bei ESET, einem Anbieter von Endpoint-Security-Lösungen, eine gegenteilige Meinung: „Im aktuellen ESET-Threat-Report für das zweite Halbjahr 2025 zeigen die Erkennungsdaten einen Anstieg von 13 Prozent zwischen dem ersten und zweiten Halbjahr“, erklärt der Experte gegenüber unserer US-amerikanischen Schwester. „Gleichzeitig stieg die Zahl der öffentlich gemeldeten Opfer laut ecrime.ch um 40 Prozent. Daher scheint Ransomware nicht rückläufig zu sein.“ Mehr Opfer durch Optimierung Auch der Cybersicherheitsdienstleister GuidePoint Security sieht keinen Rückgang – ganz im Gegenteil. Wie das Unternehmen darstellt, erreichte die Zahl der aktiven Ransomware-Gruppen im vergangenen Jahr einen neuen Höchststand. So gibt Nick Hyatt, Senior Threat Intelligence Consultant bei GuidePoint Security, an, dass im vergangenen Jahr die Daten von über 7.000 Opfern veröffentlicht wurden. Diese Zahl schließt wahrscheinlich diejenigen aus, die zwar Lösegeld zahlten, deren Daten aber nie von den Angreifern veröffentlicht wurden. „Die Angreifer haben ihre Angriffsfähigkeiten optimiert und setzen auf eine Mischung aus etablierten Techniken, der Ausnutzung von Sicherheitslücken und neuartigen Angriffen, um ihre Ziele zu erreichen“, so Hyatt. Obenauf die üblichen Verdächtigen Die von CSO befragten Experten stuften Qilin, Cl0p und Akira allgemein als die aktivsten Ransomware-Gruppen ein, allerdings gab es zahlreiche weitere Konkurrenten. „Laut den Huntress-Daten für 2025 ist Akira heute die führende Ransomware-Gruppe“, erklärt Dray Agha, Senior Manager of Security Operations beim Managed Detection and Response-Anbieter Huntress. „Ihre Vorgehensweise entwickelt sich rasant weiter, insbesondere um bestehende Sicherheitslösungen zu neutralisieren. Wir beobachten, dass sie aggressiv die Hypervisor-Ebene angreifen, um herkömmliche Endpoint-Sicherheitsmaßnahmen vollständig zu umgehen.“ Collin Hogue-Spears, leitender Direktor und technischer Experte beim Sicherheitsunternehmen Black Duck Software, erklärt, dass Ransomware-Betreiber nicht mehr wie organisierte Verbrecher, sondern wie ein Plattformunternehmen agieren. So verzeichnete Qilin 2025 „über 1.000 Opfer, eine Versiebenfachung gegenüber dem Vorjahr“, wie der Experte erläutert. „LockBit 5.0 hat, nachdem es abgeschaltet wurde, seine Einsatzfähigkeit wiedererlangt.“ Cybercrime-Dienstleitung befeuert das Verbrechen Unterdessen bietet die Föderation aus Scattered Spider, Lapsus$ und ShinyHunters, kurz SLSH, Extortion-as-a-Service an – ein Ansatz, der es auch technisch weniger versierten Cyberkriminellen erleichtert, sich auf betrügerische Weise ihren Lebensunterhalt zu verdienen. „Innerhalb von sechs Monaten sind 73 neue Gruppen entstanden, weil sie ihre Tools nicht mehr selbst entwickeln müssen“, so Hogue-Spears. „Sie mieten sie.“ Vasileios Mourtzinos, Mitglied des Bedrohungsteams beim Managed-Detection-and-Response-Unternehmen Quorum Cyber, erklärt, dass immer mehr Gruppen von wirksamer Verschlüsselung zu erpressungsbasierten Modellen übergehen. Dabei stünden Datendiebstahl und ein langanhaltender, unauffälliger Zugriff im Vordergrund. Gefahr kommt von innen „Diese Vorgehensweise, die durch Akteure wie Cl0p bekannt wurde, indem sie Schwachstellen in Drittanbietersystemen und Lieferketten großflächig ausnutzen, findet nun immer breitere Anwendung“, so Mourtzinos. „Hinzu kommt der zunehmende Missbrauch gültiger Konten und legitimer administrativer Tools, um sich in den normalen Geschäftsbetrieb einzufügen. In einigen Fällen werden sogar Insider rekrutiert oder mit Anreizen bestochen, um den Zugriff zu ermöglichen.“ Diese sich stetig weiterentwickelnden Methoden von Ransomware-Gruppen erfordern ein Überdenken der Abwehrstrategien. „Für CISOs sollte die Priorität darin bestehen, die Identitätskontrollen zu stärken, vertrauenswürdige Anwendungen und Integrationen von Drittanbietern genau zu überwachen und sicherzustellen, dass sich die Erkennungsstrategien auf Persistenz und Datenexfiltration konzentrieren“, rät er. (tf) View the full article

The White House released President Donald Trump’s long-awaited cybersecurity strategy, a lean seven-page blueprint that breaks from past approaches by placing offensive cyber operations at the center of US policy. Developed by the Office of the National Cyber Director (ONCD), the strategy emphasizes disrupting adversaries, deregulating industry, and accelerating the adoption of artificial intelligence while also addressing the defense of federal systems and critical infrastructure. “By moving the usual ‘deterrence’ part to the top and focusing on offense, which is usually only lightly referred to in past unclassified strategies, the administration has greatly emphasized that pillar, which will clearly get it the most attention in the short term,” Ari Schwartz, managing director of cybersecurity services and policy at Venable LLP, told CSO. The document frames cyberspace as a domain of national power where foreign governments and criminal networks are actively targeting Americans, critical services, and the broader economy — and comes on the heels of an FBI wiretap system breach with suspected Chinese threat group involvement. “Our adversaries have and will increasingly feel the consequences of their actions; we will dismantle networks, pursue hackers and spies, and sanction lawless foreign hacking companies,” the strategy states. “We will unveil and embarrass online espionage, destructive propaganda, influence operations, and cultural subversion.” Six pillars for guiding success Underpinning the strategy are six pillars that the White House says will guide implementation and measure success. Pillar 1: Shape adversary behavior. The US aims to use offensive and defensive cyber operations to disrupt and erode adversaries before they can attack, dismantle criminal networks, and impose real costs on those who target Americans. This pillar, with its emphasis on offensive cyber operations, is likely to generate the most controversy and bipartisan concern. Proactively attacking adversary networks, rather than waiting to respond, raises serious questions about whether offensive operations could actively invite retaliation against US critical infrastructure. Critics argue that “hack back” doctrines can trigger escalatory cycles that are hard to control. Pillar 2: Promote common sense regulation. The US plans to strip back what the Trump administration calls burdensome cyber regulations so that the private sector can move faster, while protecting American data privacy. This pillar may also prove contentious as security researchers and critical infrastructure experts worry that rolling back mandatory standards leaves key systems exposed. Pillar 3: Modernize and secure federal networks. The administration seeks to upgrade government systems with zero-trust architecture, post-quantum cryptography, cloud migration, and AI-powered defenses. This pillar, along with Pillar 5, underscores the strategy’s emphasis on artificial intelligence in cybersecurity. “What stands out most is the strategy’s explicit commitment to deploying AI-powered solutions,” Yejin Jang, VP of government affairs at email security vendor Abnormal AI, said in a statement. “By elevating AI as a core component of federal cybersecurity, ONCD is acknowledging that the government must match automation with automation, and speed with speed.” Pillar 4: Secure critical infrastructure. ONCD has outlined the need to harden essential services such as the energy grid, hospitals, banks, and water systems; remove adversary vendors; and secure supply chains. Some experts say this pillar could contradict the administration’s deregulatory push because it calls for hardening critical infrastructure while simultaneously cutting regulations that frequently mandate critical infrastructure security. Pillar 5: Sustain superiority in emerging technologies. The administration seeks to protect America’s lead in AI, quantum computing, and crypto/blockchain, and counter foreign tech platforms that censor or surveil users. The reference to cryptocurrencies and blockchain technologies reflects the administration’s broader pro-crypto stance now embedded in cybersecurity policy. It marks the first time alternative currencies have been referenced in a national cybersecurity strategy. Pillar 6: Build talent and capacity. The US will invest in the cyber workforce pipeline across schools, industry, and the military to recruit and train the next generation of cyber professionals. Although short on specifics, this is arguably the most bipartisan and least controversial pillar because workforce shortages in cybersecurity are widely acknowledged across party lines. Industry reaction and next steps Industry reaction was broadly positive, though notably, many of the strongest endorsements came from cybersecurity firms likely to benefit from the strategy’s emphasis on AI adoption and expanded private-sector roles in national defense. Drew Bagley, chief privacy and policy officer at CrowdStrike, said in a statement, “This strategy addresses modern threats through concrete policies that will strengthen America’s cybersecurity posture. Each pillar is important, and the emphasis on securing advanced technologies correctly recognizes AI as an accelerant for our adversaries and a must-have area of expertise for frontline defenders.” Palo Alto Networks CEO Nikesh Arora said in a statement, “I commend ONCD Director [Sean] Cairncross and the National Cyber Strategy for the forward-looking approach to tackling critical cybersecurity challenges. Of note, its emphasis on promoting quantum-safe security and AI security positions the United States to maintain technological leadership in an evolving threat landscape.” “I applaud Director Cairncross for having a clear-eyed vision, particularly a forward-leaning approach towards offensive cyber operations aimed at shaping adversary behavior,” McCrary Institute Director Frank Cilluffo said in a statement. “For too long, we haven’t deterred our enemies.” With the strategy now public, attention turns to implementation. A document this brief, seven pages covering the entire scope of US cybersecurity policy, is by design a vision statement, not an operational plan. The real test will come in the follow-on policy vehicles the White House says are forthcoming: National Security Memoranda binding agencies to specific requirements, sector-by-sector regulatory guidance, and crucially, budget requests that signal whether the strategy’s ambitions will be resourced or remain aspirational. Schwartz noted that the industry is already looking ahead. “We look forward to seeing the details in an Action Plan and other implementation information in the near future.” View the full article

The White House released President Donald Trump’s long-awaited cybersecurity strategy, a lean seven-page blueprint that breaks from past approaches by placing offensive cyber operations at the center of US policy. Developed by the Office of the National Cyber Director (ONCD), the strategy emphasizes disrupting adversaries, deregulating industry, and accelerating the adoption of artificial intelligence while also addressing the defense of federal systems and critical infrastructure. “By moving the usual ‘deterrence’ part to the top and focusing on offense, which is usually only lightly referred to in past unclassified strategies, the administration has greatly emphasized that pillar, which will clearly get it the most attention in the short term,” Ari Schwartz, managing director of cybersecurity services and policy at Venable LLP, told CSO. The document frames cyberspace as a domain of national power where foreign governments and criminal networks are actively targeting Americans, critical services, and the broader economy — and comes on the heels of an FBI wiretap system breach with suspected Chinese threat group involvement. “Our adversaries have and will increasingly feel the consequences of their actions; we will dismantle networks, pursue hackers and spies, and sanction lawless foreign hacking companies,” the strategy states. “We will unveil and embarrass online espionage, destructive propaganda, influence operations, and cultural subversion.” Six pillars for guiding success Underpinning the strategy are six pillars that the White House says will guide implementation and measure success. Pillar 1: Shape adversary behavior. The US aims to use offensive and defensive cyber operations to disrupt and erode adversaries before they can attack, dismantle criminal networks, and impose real costs on those who target Americans. This pillar, with its emphasis on offensive cyber operations, is likely to generate the most controversy and bipartisan concern. Proactively attacking adversary networks, rather than waiting to respond, raises serious questions about whether offensive operations could actively invite retaliation against US critical infrastructure. Critics argue that “hack back” doctrines can trigger escalatory cycles that are hard to control. Pillar 2: Promote common sense regulation. The US plans to strip back what the Trump administration calls burdensome cyber regulations so that the private sector can move faster, while protecting American data privacy. This pillar may also prove contentious as security researchers and critical infrastructure experts worry that rolling back mandatory standards leaves key systems exposed. Pillar 3: Modernize and secure federal networks. The administration seeks to upgrade government systems with zero-trust architecture, post-quantum cryptography, cloud migration, and AI-powered defenses. This pillar, along with Pillar 5, underscores the strategy’s emphasis on artificial intelligence in cybersecurity. “What stands out most is the strategy’s explicit commitment to deploying AI-powered solutions,” Yejin Jang, VP of government affairs at email security vendor Abnormal AI, said in a statement. “By elevating AI as a core component of federal cybersecurity, ONCD is acknowledging that the government must match automation with automation, and speed with speed.” Pillar 4: Secure critical infrastructure. ONCD has outlined the need to harden essential services such as the energy grid, hospitals, banks, and water systems; remove adversary vendors; and secure supply chains. Some experts say this pillar could contradict the administration’s deregulatory push because it calls for hardening critical infrastructure while simultaneously cutting regulations that frequently mandate critical infrastructure security. Pillar 5: Sustain superiority in emerging technologies. The administration seeks to protect America’s lead in AI, quantum computing, and crypto/blockchain, and counter foreign tech platforms that censor or surveil users. The reference to cryptocurrencies and blockchain technologies reflects the administration’s broader pro-crypto stance now embedded in cybersecurity policy. It marks the first time alternative currencies have been referenced in a national cybersecurity strategy. Pillar 6: Build talent and capacity. The US will invest in the cyber workforce pipeline across schools, industry, and the military to recruit and train the next generation of cyber professionals. Although short on specifics, this is arguably the most bipartisan and least controversial pillar because workforce shortages in cybersecurity are widely acknowledged across party lines. Industry reaction and next steps Industry reaction was broadly positive, though notably, many of the strongest endorsements came from cybersecurity firms likely to benefit from the strategy’s emphasis on AI adoption and expanded private-sector roles in national defense. Drew Bagley, chief privacy and policy officer at CrowdStrike, said in a statement, “This strategy addresses modern threats through concrete policies that will strengthen America’s cybersecurity posture. Each pillar is important, and the emphasis on securing advanced technologies correctly recognizes AI as an accelerant for our adversaries and a must-have area of expertise for frontline defenders.” Palo Alto Networks CEO Nikesh Arora said in a statement, “I commend ONCD Director [Sean] Cairncross and the National Cyber Strategy for the forward-looking approach to tackling critical cybersecurity challenges. Of note, its emphasis on promoting quantum-safe security and AI security positions the United States to maintain technological leadership in an evolving threat landscape.” “I applaud Director Cairncross for having a clear-eyed vision, particularly a forward-leaning approach towards offensive cyber operations aimed at shaping adversary behavior,” McCrary Institute Director Frank Cilluffo said in a statement. “For too long, we haven’t deterred our enemies.” With the strategy now public, attention turns to implementation. A document this brief, seven pages covering the entire scope of US cybersecurity policy, is by design a vision statement, not an operational plan. The real test will come in the follow-on policy vehicles the White House says are forthcoming: National Security Memoranda binding agencies to specific requirements, sector-by-sector regulatory guidance, and crucially, budget requests that signal whether the strategy’s ambitions will be resourced or remain aspirational. Schwartz noted that the industry is already looking ahead. “We look forward to seeing the details in an Action Plan and other implementation information in the near future.” The industry will also have to await implementation details on another White House cyber missive issued along with the strategy, an executive order directing federal agencies to step up efforts against cybercrime, fraud, and other online schemes targeting Americans. The order calls for a government-wide review of tools to identify, disrupt, and dismantle transnational criminal groups behind cyber-enabled crimes such as ransomware, phishing, financial scams, and sextortion. The directive also tells the attorney general to prioritize prosecutions of cyber-fraud and explore ways to return seized funds to victims. Department of Homeland Security will expand support for state and local partners, while the Department of State is tasked with pressuring foreign governments to crack down on cybercrime networks operating from their territories. View the full article

Threat actors are trying a different tactic to sucker employees into falling for ClickFix phishing attacks that install malware, says Microsoft. Rather than asking potential victims to copy and paste a (malicious) command into the Run dialog, launched by hitting the Windows button plus the letter R, they are being told to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly. Once the terminal is opened, victims are prompted to paste in malicious PowerShell commands delivered through fake CAPTCHA pages, troubleshooting prompts, or verification-style lures designed to appear routine and benign. Why? Going this route evades defenses looking for unusual run commands, and it bypasses security awareness training that tells employees not to do anything that invokes the Run command. Microsoft described the tactic in a post on X this week, saying what makes this campaign notable are the post-compromise outcomes. In one case, several Windows Terminal/PowerShell instances are opened that ultimately launch another Powershell process responsible for decoding embedded hex commands. The decoded PowerShell script then downloads a legitimate but renamed 7-Zip binary and saves it with a randomized file name, along with a zipped payload. The renamed archive utility extracts and runs the malware, which executes a multi-stage attack chain that includes retrieval of additional payloads, establishment of persistence through scheduled tasks, defense evasion through Microsoft Defender exclusions, and exfiltration of stolen machine and network data. In a second attack path, the victim pastes a hex-encoded, XOR-compressed command into Windows Terminal. This command downloads a randomly named batch file to AppData\Local that is then invoked through cmd.exe to write a VBScript to %Temp%. The batch script is executed via cmd.exe with the /launched command-line argument, and is then executed again through MSBuild.exe, resulting in LOLBin abuse. The script connects to Crypto Blockchain RPC endpoints, indicating etherhiding technique, and also performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest web and login data. But is this really new? However, a number of experts quickly added comments to the Microsoft post complaining that the Windows + X tactic isn’t new. Roger Grimes, CISO advisor at awareness training provider KnowBe4, agreed. “ClickFix attacks using Win+X instead of Win+R have been around for at least six months, if not a year or more,” he said in an email. “What they are doing during execution is not new.” Regardless, he added, the continuing and increasing use of ClickFix attacks means infosec leaders still need to educate employees about them. “We’ve long had training content around this type of attack. Users need to know that nothing legitimate will ever ask them to do Win+ whatever keys to paste gobblygook to run code. Anything that does that should simply not be performed,” he said. “And all Windows computers should already be restricted so that random, unsigned (not signed by the organization), PowerShell commands should not be allowed. Every organization and machine should already have the following PowerShell command setting: ‘Set-ExecutionPolicy Restricted -Force‘ enabled. If not, your organization’s cybersecurity risk is far higher than it needs to be.” Payload chain ‘built to last’ Joshua Roback, principal security solution architect at Swimlane, noted the campaign outlined by Microsoft pushes the ClickFix playbook into more trusted, everyday workflows by getting users to run pasted command content inside legitimate Windows tooling that feels routine and safe. That matters, he said, because it slips past the usual mental red flags people associate with sketchy popups, and it can also dodge some of the controls and detections that security teams have tuned to the more obvious ClickFix patterns. The payload chain is also more built to last than previous variants, he added. Instead of a quick one-and-done retrieval trick, it uses a more layered delivery and persistence approach that helps it blend in, stick around longer, and quietly escalate the damage once it lands. One path adds an additional indirection layer that helps the attacker’s infrastructure blend in and stay reachable, which can make takedowns and straightforward blocking a lot less effective. For CISOs, he said, the message to employees has to be clear. “Use a simple rule of thumb: never run pasted commands, never approve unexpected sign-ins, and report all incidents through official company support channels.” How ClickFix works ClickFix phishing campaigns began in 2024, Microsoft noted in a security blog last year that detailed the campaign’s tactics and indicators of compromise. The attack starts with an employee being asked to click on a link or open an attachment, often with a payment or invoice theme, within an email or text. To evade defenses looking to stop employees downloading unapproved files, the user is told in a popup box to “verify the download” by opening a Run dialog and copying and pasting something into it. The goal is to get the unwitting victim to download malware such as infostealers (usually LummaStealer), remote access tools such as Xworm, AsyncRAT, NetSupport, and SectopRAT; loaders like Latrodectus and MintsLoader; and rootkits. In the blog, Microsoft provides tips to defenders for fighting ClickFix attacks, including recommending they enable PowerShell script block logging to detect and analyze obfuscated or encoded commands, which would provide visibility into malicious script execution that might otherwise evade traditional logging. View the full article

Cybersecurity is, as it should be in this era of AI-driven cyberattacks, a regular item on enterprise board agendas. However, the ways in which CISOs and boards interact, and the depth of those discussions, remain brief and superficial. According to a new report from IANS, Artico Search, and The CAP Group, CISO-board interactions remain short (typically 30 minutes per quarter), lack depth around threats, particularly those posed by AI and other emerging technologies, and are more about “listening” than active participation. “The industry is still maturing, and ‘good’ is a moving target,” said Nick Kakolowski, senior director for CISO research at IANS. “CISOs and boards are still developing a shared vocabulary to contextualize and understand the long-term business implications of cyber issues.” CISOs not getting ‘extended airtime’ in meetings According to the study, just 30% of boards describe their relationship with CISOs as “strong and collaborative,” while 35% call it “adequate and functional,” and 24% say it needs improvement. This indicates that deep trust and partnership remain “uneven and far from universal,” the report notes. The majority of the 650-plus CISOs surveyed (95%) said they regularly report to their board, at least on a quarterly basis. Of those, 60% engage with the full board, and 35% with at least one board committee. However, three-quarters of security leaders said those discussions typically only last 30 minutes. “Updates are often tightly time-boxed and routed through committees rather than directed at the full board,” the report notes. It quotes one anonymous CISO at a publicly-listed financial services firm, who said, “There’s interest in the reports I present, but almost no follow‑through. The board treats cybersecurity as something to be briefed on — not something to experience or probe.” On the other hand, the 25% of CISOs who did have “extended airtime” of more than 30 minutes said cybersecurity was treated as a more strategic topic rather than simply a check-box or status discussion. In these cases, boards are able to engage in “trade-offs, risk tolerance, and decision-making,” rather than just metrics, according to the report. Boards are “consistently informed” these days, but many still struggle to translate cyber reporting into strategic decision-making, said Kakolowski. Directors are seeking clearer insight into what’s coming next, particularly as AI reshapes the threat landscape and enterprise risk. As a result, CISOs must strengthen their relationships within, and knowledge of, the business, to elevate the right issues to the board and create opportunities for “meaningful risk conversations,” he said, even if those are happening behind the scenes or at the sub-committee level. IANS faculty member Steve Martano agreed that the best security presentations are “holistic discussions” on cyber risk and business risk. These are driven by CISOs who form a “concise, data‑driven narrative” and foster discussion and brainstorming around risk tolerance, risk strategy, cyber and tech risk in the context of ROI. Boards want more forward-looking insights The report also suggests that board-CISO communication doesn’t dive as deeply into details as it should in these days of ever more sophisticated, AI-driven cyberattacks. The majority of board directors (82%) say their security leaders’ reporting on regulatory trends was satisfactory or excellent, and that they had strong visibility into program initiatives, current risks, and resourcing needs. However, about half said security leaders’ reporting in other areas, notably threats from AI and other emerging tools, needed improvement. This seems to signal that boards are seeking to move beyond high-level conversations to more forward-looking insights. AI is now a primary driver of cyber risk, enabling more sophisticated attacks; at the same time, it is introducing new areas of loss as AI models become high‑value assets that can be exploited or damaged, said Brian Walker, CEO of The CAP Group. “AI and cybersecurity are inextricably linked, and boards must understand the business risks of both,” he said. Similarly, boards regularly interact with dashboards and frameworks, but fewer than half of them (41%) participate in tabletop exercises, crisis simulation, incident escalation protocols, or other education and training. “In other words,” the report notes, “boards are well informed on paper, but often stop short of experiencing cyber risk, suggesting oversight that is more passive than active.” This suggests that CISOs are not helping boards get ahead of the “fast-moving risk dynamics” of today’s threatscape. Ultimately, the report emphasizes, this reinforces a familiar pattern: Updates effectively explain the current state, but are less effective at preparing directors for what comes next. Board involvement is critical for cybersecurity Getting board buy-in is critical, as data and digital capabilities are integral components of business strategy. Risks created by emerging technologies and methods of using data are, as a result, “becoming more impactful on an organization’s health,” said Kakolowski. In the strongest security-first organizations, CISOs are “deeply aware” of the risks that are most important to the business, and are able to contextualize cyber issues into those risks, he said. “They aren’t getting the board up to speed on cyber issues; they are shaping the cyber agenda around the risks that matter to the board and, implicitly, the broader organization.” The takeaway for CISOs: Use your security knowledge to determine the organization’s risk tolerance and manage risk accordingly. Simply put, building a strong relationship with the board requires a mindset shift “away from being a security leader trying to prevent breaches, to being a business leader partnering with the executive team,” said Kakolowski. View the full article

The US Federal Bureau of Investigation (FBI) has identified a suspected incident on a network used to manage wiretaps and foreign intelligence surveillance warrants, CNN reported. The FBI acknowledged the incident in a statement to CNN, saying, “The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond.” The agency is not expanding on its statement but there will be concerns that this an attack prompted by a state agency, such as China. Last year, the bureau and the US Cybersecurity & Infrastructure Security Agency warned of continuing attacks by Chinese ransomware group, Ghost, on US organizations. The FBI has faced questions about the security of its IT systems before. In 2007, a report from the Government Accounting Office, found that the FBI’s infrastructure was less secure than the average company’s and in 2012, an agent’s laptop was allegedly subjected to a hacker’s attack, leading to claims that one million Apple UDIDs had been stolen. The bureau will certainly have tightened up procedures since then, although CNN also reported an alleged security breach at the FBI’s field office in February 2023. View the full article

A weakness in the configuration of OAuth credentials opens up a stored XSS vulnerability in the n8n automation platform, researchers at Imperva have discovered. Setting up OAuth allows n8n to connect to services such as Google Workspace, Microsoft 365, Slack, or GitHub without having to expose service passwords. This is core to automation platforms like n8n because it allows organizations to reduce multiple manual tasks to single automated workflows. A customer might submit a web form, which n8n passes via API calls or OAuth credentials to a CRM system and central database, before sending messages to external Slack messaging or project management tools. This relies on OAuth tokens or API keys for authentication and is set up via a URL pointing at each external service. Unfortunately, Imperva found, n8n does this without properly sanitizing the authorization URL. An attacker could pull off an XSS attack by replacing a valid URL with a malicious JavaScript payload which would be clicked on by other users using the same credential in their accounts. “This is a stored XSS, meaning the payload is saved permanently in the database and served to any user who interacts with the credential,” said Imperva. How serious is this? An important caveat: for any of this to be possible, an attacker would need access to the victim’s n8n system. From that point of view, exploiting this vulnerability would be the second stage of an attack, not the first. Equally, an attacker able to pull off the exploit would be able to exfiltrate multiple credentials across employees and eventually compromise the entire n8n system. However, in Imperva’s view, the bigger issue is really the extent to which organizations are pooling risk in automation platforms. “Workflow automation tools like n8n are becoming the backbone of modern IT infrastructure. While they offer immense power and speed, they also centralize trust,” Imperva said. “A vulnerability in this layer can often be more damaging than a vulnerability in a single isolated application. We recommend organizations treat their automation platforms as Tier-0 assets, enforce strict access controls, and ensure they are patched promptly.” In short, automation platforms save huge amounts of time but centralize access to multiple other systems. That makes them hugely attractive to attackers. The n8n platform releases new versions on a regular basis which means that vulnerabilities are often ‘silently’ patched before users hear about them. The same applies to the latest flaw discovered which was fixed in the v2.6.4 update released on February 6. In February, researchers uncovered a series of n8n vulnerabilities that generated six separate CVEs. A few weeks before that, the platform was hit by a critical-rated flaw that was patched along with four other CVEs. The platform has also been targeted by malicious npm packages posing as n8n integrations, a sign that its growing popularity is bringing it to the attention of threat actors. View the full article

Online ads are increasingly being used a means of introducing malware into organizations, according to The Media Trust. “Malvertising surpassed both email and direct hacks as the leading vector for malware delivery worldwide,” said Chris Olson, CEO of The Media Trust, an ad scanning and filtering company with, perhaps, a vested interest in playing up the threat posed by ads. Millions of copies of a single infected advertising creative or script can be distributed across pulblishers in seconds, the company said in its 2026 Intelligence Report. The use of AI is accelerating this, allowing malicious actors to write adaptive malware that changes its behavior based on location, browser, or device. Among the malware attacks leveraging ads, the company pointed to Ghost Cat, Click Fix and SocGholish but there are several new techniques in the pipeline. In future, the company said, we can expect to see new attacks developing, including AI-assisted evasion, in which AI will be used to tailor language and imagery to evade detection, and adtech as infrastructure, with compromised APIs and tracking pixels used for payload delivery. The main motivation for these attacks, it said, will be financial gain, with more than half of malvertising driven by this, but 30 percent of attacks will be prompted by a wish to steal data. Espionage and attempts to disrupt operations will account for a much smaller proportion of attacks, it said. View the full article

The Hollywood image of criminal hackers being largely teenage ne’er do wells is due for an update. That’s because profit-seeking career criminals — often approaching middle age — make up the largest cohort of today’s cybercriminals, according to an analysis of criminal cases carried out by Orange Cyberdefence. The Orange Group’s cybersecurity unit analysed 418 publicly announced law enforcement activities conducted between 2021 and mid-2025, finding that cyber offenders’ engagement in crime peaks between the ages of 35 and 44, with this demographic accounting for 37% of all the cybercrime cases reviewed. Collectively, the combined age groups of from 25 to 44 make up well over half (58%) of analysed cybercrime cases. This all goes against the Hollywood image of the maladjusted teen hacker living in their mum’s basement and up to no good. Profit-motivated cybercrime escalates with age — unlike other forms of crime where criminal behaviour emerges in adolescence, peaks in the late teens or early adulthood, and then sharply declines. The review of criminal cases found that 18- to 24-year-olds were the defendants in 21% of cybercrime cases, a figure that drops to 5% for the 12-to-17 age range. Offender profiling The study found a notable progression in cybercrime activity as offenders age. Among 18- to 24-year-olds, cybercriminal activity is highly diverse, with a focus on hacking (30%), followed by selling stolen data and DDoS attacks (10% each). “The variety of activities indicates the experimental, multifaceted nature of this demographic’s engagement in cybercrime as they test boundaries and trial tactics,” according to Orange Cyberdefence. This begins to shift among offenders aged 25 to 34, where activities such as selling stolen data (21%), cyber extortion (14%), and malware deployment (12%) lead the way — indicating a move toward profit-motivated crime. The trend intensifies among the 35-44 cohort, where cyber extortion (22%) is the dominant offence, followed by malware (19%), cyber espionage (13%), hacking (10%), and money laundering (7%). “While younger, less experienced hackers engage in highly diverse crime they may be less likely to engage in calculated, profit-seeking activity,” said Charl van der Walt, head of security research at Orange Cyberdefense. “Instead, cybercrime careers appear to peak much later into adulthood, accompanied by vastly more sophisticated and intentional techniques.” Cybercrime cartels Dray Agha, senior security operations manager at managed detection and response services firm Huntress, said the analysis illustrates that the “Hollywood image of a teenage lone wolf hacking for bragging rights” is vastly outdated since the threat landscape is dominated by “highly organised, profit-driven syndicates.” “While young people may still engage in digital vandalism or act as low-level affiliates, the architects orchestrating large-scale extortion and malware campaigns are mature adults operating what are essentially illicit technology companies,” Agha said. Agha argued that the 35-44 age group aligns perfectly with the skills required to run modern cybercrime operations, such as ransomware-as-a-service (RaaS). These professionally run campaigns require project management, software development lifecycles, human resources (recruiting affiliates), and customer service (negotiating with victims). “This level of operational maturity is rarely found in teenagers; it requires the business acumen typical of midcareer professionals,” Agha said. While it might be relatively easy to breach a vulnerable system, successfully cashing in on illicit access is a tricky process that requires experience. “The prominence of cyber extortion and money laundering in the 35-44 demographic highlights the need for a deep understanding of corporate pressure points, cryptocurrency tumbling, and illicit financial networks,” Huntress’ Agha added. “Older offenders have the real-world experience necessary to navigate these complex financial logistics and turn stolen data into usable cash.” While younger offenders often act as “initial access brokers” — finding the initial way into a network — this access is typically sold onto older, more experienced threat actors who execute the high-stakes extortion and espionage. “The young ‘pick the locks,’ while the adults ‘run the syndicate,’” Agha said. Career ladder Andra Zaharia, cybersecurity community lead at Pentest-Tools.com, said that many cybercrime operations look “less like solo activity and more like organised networks with roles, handoffs, and repeatable processes.” “That structure naturally skews older because it rewards operational discipline and trust networks that take time to build,” Zaharia told CSO. “Technical skill matters, but so does reliability and consistency over months and years.” Zaharia added: “Profit motive also reshapes the ‘career path.’” Extortion and malware campaigns often involve different people for different jobs: access, tooling, infrastructure, negotiation, and moving money. “Reputation becomes a form of currency in those environments,” Zaharia concluded. “Actors build it, protect it, and use it to climb into higher-earning roles.” View the full article

Sophisticated attacks and the incorporation of AI tools, talent shortages, and tight budgets are some of the challenges commonly cited when it comes to managing cybersecurity in organizations. In a changing environment, the key is no longer to stay one step ahead, but to maintain a resilient infrastructure that ensures a rapid response when — not if — a cyberattack occurs. In the coming months, many of the key issues from previous years will recur, but there will also be specific challenges: “2026 is shaping up to be a year in which attacks will be faster, cheaper, and more credible, as AI and automation now perform much of the work that previously required time and skill,” explains Marijus Briedis, CTO of NordVPN. Briedis also warns of what he calls “the growing monoculture of the internet,” in which the supply of cloud platforms, CDNs, and productivity tools is concentrated among a few players, and therefore compromising any of these systems or providers has a significant impact. “The most important change, however, is trust,” says Briedis, referring to deepfakes, voice cloning, synthetic identities, and automated phishing chats, among others, which “will continue to erode trust … as criminals increasingly focus on authentication and cloud access, rather than just devices.” He also draws attention to the quantum risk to digital security, with criminal strategies such as “collect now, decrypt later” forcing cybersecurity departments to improve their privacy and information protection tools. For Ángel Ortiz, director of cybersecurity at Cisco Spain, by 2026 “cybersecurity will evolve towards models based on speed, automation, and continuous identity verification.” He highlights the impact of generative and agentic AI in defining “an increasingly complex threat landscape,” based on “large-scale automated cyber operations. Identity has become the new security perimeter, as attackers no longer need to break in but simply log in with stolen credentials.” Cisco anticipates demand for “security architectures that prioritize business resilience, alignment with business objectives, and the integration of AI as a foundational element for cyber defenses.” “The main threats are along these lines: automated attacks thanks to agentic AI, with massive personalized cyberattacks that will use intelligent tools to “identify specific vulnerabilities and develop unique malware for each organization.” The trend toward supply chain attacks will continue, Ortiz predicts, and deepfakes and cognitive attacks will boom, while ransomware attacks will be refined. “IoT infrastructure and edge devices will also proliferate as attack vectors.” “Today, we no longer talk about cybersecurity as a purely technological field, but as an essential element for business continuity and, above all, for preserving the trust of our customers,” explains Hazel Díez Castaño, global CISO of the Santander group. In this sense, the challenge for 2026 is to keep adapting in a “dynamic and complex” context. “I like to talk about an anti-fragile approach, which goes beyond resilience: it’s not just about resisting and recovering from attacks, but about coming out stronger from them, continuously improving our capabilities. All this must be done without creating unnecessary friction for the customer, ensuring a secure, agile, and simple digital experience.” For Roberto Lara, director of cybersecurity at Vodafone Empresas (Enterprises), “in 2026, cybersecurity will continue to evolve towards a more mature approach based on cyber resilience,” in which the focus shifts from preventing incidents to “ensuring operational continuity during an attack, reducing the impact and accelerating recovery. This vision consolidates cybersecurity as a strategic priority for senior management, due to its direct connection to business stability, corporate reputation, and regulatory compliance,” Lara notes. As the main challenges, he points to AI as a vector of attack, which requires “strengthening detection and response capabilities through more proactive and agile defenses.” Lara adds data sovereignty is “a challenge that combines legal and operational factors in an increasingly complex global environment,” with the sovereign AI approach gaining weight. Like Ortiz, he maintains the importance of risk management in the supply chain. “Although regulation drives greater control over third parties, smaller suppliers remain a critical point due to their limitations in resources and maturity in cybersecurity.” Álvaro Fernández, sales director at Sophos Iberia, envisions 2026 around three key points: the systematic abuse of digital identities, the accelerated adoption of AI by attackers and defenders, and the amplification of human error as an attack surface. “Cybersecurity will evolve from a reactive approach based on perimeter controls to adaptive security models focused on continuous visibility, behavior detection, and automated response with human oversight,” Fernández summarizes. Among the main challenges is addressing what he calls the “cybersecurity poverty line,” referring not only to budgets but also to the lack of strategic leadership and talent. Fernández also highlights the regulatory factor as an added pressure for companies. Hazel Díez (Banco Santander), Roberto Lara (Vodafone), Marijus Briedis (NordVPN), Álvaro Fernández (Sophos), and Ángel Ortiz (Cisco). Banco Santander, Vodafone, NordVPN, Sophos y Cisco. Montaje: Foundry Key technologies to address 2026’s challenges Against this backdrop, Cisco defines AI as “the fundamental technology that will set the cybersecurity agenda in 2026,” in the words of Ortiz, who refers to the company’s Integrated AI Security and Safety Framework as “one of the first holistic attempts to classify, integrate, and manage the full spectrum of AI risks.” He adds XDR platforms as “a key element, unifying data from endpoints, networks, cloud, email, and identities into a consolidated view,” and continuous context-based identity verification, which he believes “will become mandatory.” The most important upcoming trends, according to Briedis, include: “Controls that reduce reliance on human trust signals: more robust authentication, better identity verification, and greater protection of credentials and sessions,” through which exposure to credential leaks can be reduced. Díez Castaño adds AI and automation among the technologies that will set the agenda, as well as security models integrated from the design stage, which incorporate protection “from the outset in digital processes, products, and services, rather than adding it at the end.” Along with identity and access management, she trusts in “the ability to have a clear, real-time view of what is happening in the systems” to “ensure effective and balanced protection.” However, technology will continue to be a fundamental lever, but always in support of a well-defined strategy, she adds. On the agenda for the coming months, Lara points to two priorities: “integrating actionable intelligence into defense and strengthening control over data,” which will promote an evolution “towards a more coordinated model, with interconnected SOCs capable of sharing information in real time and activating increasingly automated responses to incidents.” In addition, he foresees an increase in the adoption of secure communications, “with greater use of end-to-end encryption solutions, including reinforced mobile devices and environments for critical profiles,” as well as simulations and virtual environments for training teams, testing crisis scenarios, and improving decision-making. Regarding her work for the coming months, Díez Castaño outlines a generic approach: “Our priority will continue to be to strengthen a global cybersecurity model that is fully aligned with the group’s strategy and has a very clear focus on the customer. This means continuing to evolve our prevention, detection, and response capabilities, as well as protecting the bank of the future, which is increasingly digital, interconnected, and cloud-based.” They will also continue their work on security awareness and culture, “both within the organization and towards society.” “Cybersecurity is a collective challenge, and collaboration, both with other companies and with the public sector, is essential. Sharing information, learning together, and acting in a coordinated manner is the only way to tackle a problem that affects everyone and knows no borders,” she concludes. View the full article

Google tracked 90 vulnerabilities exploited as zero-days last year, with Chinese cyberespionage groups doubling their count from 2024 and commercial surveillance vendors overtaking state-sponsored hackers for the first time. Nearly half of the recorded zero-days targeted enterprise technologies such as security appliances, VPNs, networking devices, and enterprise software platforms. “Increased exploitation of security and networking devices highlights the critical risk that can be posed by trusted edge infrastructure, while targeting of enterprise software exhibits the value of highly interconnected platforms that provide privileged access across networks and data assets,” the Google Threat Intelligence Group (GTIG) said in its annual Zero-Days in Review report. This represents a continuation of a shift in attacker initial-access patterns that intensified over the past few years. Enterprise software accounted for 44% of all zero-days in 2024 and 48% last year. China-linked groups were responsible for at least 10 of the 16 zero-days attributed to state-sponsored threat actors in 2025, double the number attributed to them in 2024. This keeps China as the most prolific user of zero-day exploits of the past decade. However, commercial surveillance vendors (CSVs) are also an ever-growing source of zero-day exploits. CSVs sell their products to law enforcement and intelligence agencies around the world, including authoritarian regimes that use the software to crack down on activists. CSVs provide zero-days they discover to their customers to facilitate the deployment of their spyware on targets’ mobile phones and computers. Defenders face shrinking response windows Vulnerability exploitation remains the top initial access method in incident response investigations conducted by Google’s Mandiant division, ahead of stolen credentials and phishing. With nearly half of last year’s zero-days hitting enterprise infrastructure, organizations that delay patching even for hours face increasing risk. The speed at which exploit code spreads between groups is also accelerating, GTIG warned. Historically zero-day exploits were closely held by the most resourced teams, but an increasing number of PRC-linked groups are now exploiting the same vulnerabilities, suggesting increased exploit sharing or collaborative development. The pattern extends to n-day vulnerabilities, where GTIG observed a shrinking gap between public disclosure and widespread exploitation by multiple groups. Data from vulnerability intelligence firm VulnCheck shows that nearly a third of the 884 vulnerabilities known to be exploited last year were attacked on or before the day they were publicly disclosed, up from about a quarter in 2024. “Barely 1% of vulnerabilities disclosed in 2025 were ever exploited, but those that were moved faster, hit harder, and increasingly did so before defenders even had a chance to react,” VulnCheck CTO Jacob Baines said. GTIG researchers expect AI to compress these timelines further this year, with adversaries using it to accelerate reconnaissance, vulnerability discovery, and exploit development. “Defenders should prepare for when, not if, a compromise happens,” the researchers warned. Enterprise environments under siege Chinese threat actors continued to display a preference for targets that are difficult to monitor and allow persistent access to strategic networks. Notable examples include the groups that GTIG tracks as UNC5221, which exploited a flaw in Ivanti Connect Secure (CVE-2025-0282) and UNC3886, which exploited a vulnerability in Juniper routers (CVE-2025-21590). Another Chinese group tracked as UNC6201, which is known for the BRICKSTORM and GRIMBOLT backdoors, stood out because it targeted intellectual property such as source code and proprietary development documents from technology companies. Such assets could be used to discover new vulnerabilities in the victims’ products, posing a risk to their downstream customers. Security and networking products accounted for 21 of the 43 enterprise-targeted zero-days in 2025, and at least 14 targeted edge devices such as routers, switches, and security appliances. These devices typically lack endpoint detection capabilities, leaving compromises undetected. “A lack of input validation and incomplete authorization processes were common flaws within these products, demonstrating how basic systemic failures continue to persist, but are fixable with proper implementation standards and approaches,” the GTIG researchers wrote. Financially motivated threat groups, including ransomware gangs also targeted enterprise technologies and accounted for nine zero-days in 2025, double the five attributed to them in 2024. FIN11, the group behind the CL0P ransomware, targeted two zero-day flaws in Oracle E-Business Suite last year (CVE-2025-61882 and CVE-2025-61884). Storm-1175, a group associated with Medusa ransomware, exploited a vulnerability in GoAnywhere MFT (CVE-2025-10035). Meanwhile UNC2165, a financially motivated Russian group that overlaps with public reporting on Evil Corp, used a zero-day WinRAR vulnerability (CVE-2025-8088). The same vulnerability was exploited by another Russian group tracked as UNC4895 or RomCom that conducts both financially motivated and espionage operations. According to VulnCheck’s data, more than half of the 39 CVEs linked to ransomware attacks in 2025 were exploited as zero-days and about a third had no public or commercial exploit code as of January 2026, suggesting that these groups are developing their own exploits and keeping them private. Spyware vendors surpass state-backed hackers for the first time For the first time since GTIG began tracking zero-day exploitation, commercial surveillance vendors had more attributed zero-days than traditional state-sponsored espionage groups. The milestone reflects a gradual shift the researchers said they’ve observed over the past several years. CSVs maintained their focus on mobile devices and browsers, adapting their exploit chains to bypass security improvements that platform vendors have introduced over time. Multiple exploit chains discovered in 2025 required three or more chained vulnerabilities to achieve a single objective on mobile devices, a sign that platform hardening is raising the cost of exploitation but not stopping it. Operating system vulnerabilities accounted for 39 zero-days, with 15 impacting mobile OSes. Browsers fell below 10%, a historic low that GTIG attributed to hardening efforts, although the researchers noted the possibility that the groups have better operational security and some exploits have been missed. Microsoft was the most targeted vendor, with 25 zero-days exploited across its products, followed by Google with 11, Apple with eight, and Cisco and Fortinet with four each. Twenty vendors were hit by a single zero-day each, illustrating how widely attackers are casting their net across the enterprise software landscape. Prepare for zero-day exploitation “Prioritization is a consistent struggle for most organizations due to limited resources requiring deciding what solutions are implemented — and for every choice of where to put resources, a different security need is neglected,” the GTIG researchers said. “Know your threats and your attack surface in order to prioritize decisions for best defending your systems and infrastructure.” Recommendations include segmenting firewalls, VPNs, and DMZ infrastructure from core network assets and domain controllers to limit lateral movement when a perimeter device is breached. Enterprises are also advised to establish baselines for system processes in order to flag living-off-the-land activity, and to deploy canary tokens to detect lateral movement. Maintaining a software bill of materials to identify which systems are affected when a new zero-day is disclosed is also recommended, particularly for widely used libraries where the blast radius is difficult to gauge. Security leaders should also define emergency patching processes that can bypass standard change management when critical vulnerabilities require immediate action. When no patch is available, security teams should isolate affected systems and components with stop-gap measures such as disabling specific services or blocking ports at the perimeter. GTIG urges organizations to maintain a real-time asset inventory and to design system architectures with segmentation and least-privilege access built in rather than bolted on. View the full article

Godlikeart | shutterstock.com Ein Managed Security Service Provider (MSSP) bietet seinen Kunden ein umfassendes Spektrum an Sicherheits-Services. Als Drittanbieter kann ein MSSP die Arbeitsbelastung der internen IT-Teams deutlich reduzieren und Zeit freisetzen, um sich mit essenziellen Unternehmensprozessen und strategischen Überlegungen auseinanderzusetzen. Darüber hinaus kann ein MSSP unter anderem auch dazu beitragen, Qualifikationslücken zu schließen und Alarmmeldungen zu reduzieren. Die folgenden sieben Anzeichen deuten darauf hin, dass Ihr IT-Team die Grenze seiner Belastbarkeit erreicht oder bereits überschritten hat. In diesem Fall sollten Sie dringend in Erwägung ziehen, mit einem MSSP zusammenzuarbeiten. 1. Unzureichender Schutz Ein MSSP bietet Zugang zu Sicherheitssupport auf Expertenniveau, ganz ohne ein internes Team aufbauen und unterhalten zu müssen. “Managed Security Service Provider bieten Tools, Knowhow und Rund-um-die-Uhr-Monitoring. Das können die meisten Unternehmen nicht so einfach intern umsetzen”, meint Gyan Chawdhary, Gründer und CEO des Cybersecurity-Schulungsanbieters Kontra. Ein MSSP könne sowohl Bedrohungen frühzeitig erkennen als auch gewährleisten, dass auf Vorfälle eine schnelle Reaktion folge, so der Manager. Dabei sollten Sicherheitsentscheider nicht nur auf Tools achten, sondern auch auf “weiche” Faktoren, rät Chawdhary: “Was wirklich zählt, sind Erfahrung, Zuverlässigkeit und die Kommunikationsfähigkeit eines MSSP. Sie brauchen einen Anbieter, der Ihre Branche versteht, schnell reagiert, wenn etwas schief geht, und transparent darüber informiert, was er tut und warum.” Der CEO warnt jedoch, dass MSSPs zwar im Umgang mit technischen Problemen und Bedrohungen versiert sind, aber nicht alles lösen können: “Eine schwache Sicherheitskultur, schlechte interne Richtlinien oder Insider-Bedrohungen liegen oft außerhalb ihrer Kontrolle.” 2. Lähmende Warnmeldungen Wenn Ihr SOC-Team täglich 300 Warnmeldungen ignoriert und manuell triagiert, ist das ein deutliches Zeichen dafür, dass Sie einen Managed Security Service Provider in Betracht ziehen sollten. Das sieht auch Toby Basalla, Gründer und Principal Data Consultant bei Synthelize, so. “Wenn Chaos herrscht, wer weiß dann noch, welche Red Flags wirklich ernst zu nehmen sind? Sie würden wahrscheinlich auch nicht Daten rund um die Uhr ohne Redundanz verarbeiten. Mit Blick auf Security verhält es sich nicht anders.” 3. Brandbekämpfung First Wenn sich das interne Team nicht nur schwer damit tut, Alerts zu bewältigen, sondern auch damit, zeitnah auf Vorfälle zu reagieren oder mit den Compliance-Anforderungen Schritt zu halten, ist das ebenfalls ein Warnsignal für akuten MSSP-Bedarf. Ensar Seker, CISO beim Sicherheitsanbieter SOCRadar, erläutert, welche Folgen in so einem Fall drohen: “Wenn interne Teams von der schieren Menge der operativen Aufgaben überwältigt sind und sich nicht auf die strategische Verteidigung konzentrieren können, ist Burnout unausweichlich.” Laut Seker sollten Unternehmen, die MSSPs evaluieren vor allem auf Erfahrung, Transparenz und Integrationsbereitschaft achten: “Suchen Sie nach Anbietern, die detaillierte SLAs, Echtzeit-Transparenz bei Warnmeldungen, klare Eskalationswege und native Integrationen bieten. Ebenso wichtig ist eine enge kulturelle und kommunikative Abstimmung. Der MSSP muss sich wie eine Erweiterung Ihres Teams anfühlen, nicht wie eine Black Box.” 4. Keine internen Ressourcen Viele kleinere Unternehmen können es sich schlicht nicht leisten, ein Team von Cybersicherheitsspezialisten in Vollzeit zu beschäftigen. Das macht diese Firmen besonders anfällig für sämtliche Arten von Cyberangriffen. Einen Managed Security Service Provider zu engagieren, bietet einen Ausweg aus dieser Situation, wie Trevor Young, Chief Product Officer bei Security Compass, erklärt: “MSSPs können Skaleneffekte, proaktive Threat Intelligence und ein tiefgehendes Verständnis der Security Best Practices bieten.” Der größte Fehler, den Unternehmen bei der Suche nach einem MSSP machen können, ist nach Meinung des Produktentscheiders, das als rein kostenorientierte Entscheidung zu betrachten. Weitere häufige Fehler sind laut Young in diesem Zusammenhang, sämtliche Sicherheits-Tasks an einen MSSP auszulagern, ohne zuvor eine ordnungsgemäße Due Diligence durchzuführen: “Unternehmen versäumen es oft, ihre Sicherheitsanforderungen, die erwarteten Ergebnisse und den Umfang der Dienstleistungen klar zu definieren. Das führt zu falschen Erwartungen und unzureichendem Schutz.” 5. Interner Wissensmangel Wenn ein internes Team immer wieder auf Fragen stößt, die es nicht einhundertprozentig beantworten kann, ist es möglicherweise ebenfalls an der Zeit, die Hilfe eines Managed Security Provider in Anspruch zu nehmen. “Selbst wenn nur in einem oder zwei Cybersecurity-Bereichen spezifisches Wissen fehlt, kann das zu erheblichen Versäumnissen führen und das Potenzial für Effizienzsteigerungen verringern”, hält Aimee Simpson, Director beim Sicherheitsanbieter Huntress, fest. In Simpsons Erfahrung können insbesondere kleine IT-Teams in vielen Fällen bereits mit grundlegenden Cybersicherheitsaufgaben überlastet sein. “Ein MSSP kann Ihr Team entlasten, sodass es sich darauf konzentrieren kann, die IT-Sicherheit zu optimieren, statt sie nur aufrechtzuerhalten.” 6. Kein Schutz nach Feierabend Für Unternehmen, die nach einer 24/7-Sicherheitslösung suchen, bietet ein Managed Security Service Provider eine praktische und in der Regel erschwingliche Komplettlösung. “Der Umfang der Betreuung, die ein MSSP bietet, stellt an sich bereits eine erhebliche Verbesserung der Sicherheitslage dar”, meint Huntress-Managerin Simpson. CPO Young empfiehlt an dieser Stelle: “Suchen Sie nach einem MSSP, der eine umfassende Palette von Dienstleistungen anbietet und der sich dazu verpflichtet, neuen Bedrohungen einen Schritt voraus zu sein.” 7. Schmerzhaftes Reporting “Reportings stellen für viele Unternehmen einen erheblichen Mehraufwand dar”, konstatiert Tony Anscombe, Chief Security Evangelist beim Sicherheitsdienstleister ESET. Insbesondere Unternehmen, die aufgrund ihres Standortes einer Meldepflicht von Cybervorfällen unterliegen, müssten unter Umständen ganze Teams beschäftigen, um die damit zusammenhängenden Reporting-Tasks abdecken zu können. “Diese Belastung lässt sich wahrscheinlich am effizientesten durch einen Managed Security Service Provider oder ein externes Cyber-Incident-Response-Team bewältigen, das mit den spezifischen Berichtsmethoden und -anforderungen vertraut ist”, meint der Sicherheitsexperte. Darüber hinaus ist Anscombe der Ansicht, dass ein gutes MSSP-Paket neben Meldepflichten und Reportings auch einen Incident-Response-Plan und regelmäßiges Security-Testing umfassen sollte: “So lässt sich sicherzustellen, dass Patches und Software-Updates schnell und effektiv angewendet werden.” (fm) View the full article

Deutsche Unternehmen müssen sich warm anziehen: Sowohl staatliche als auch „private“ Akteure haben es auf sie abgesehen. Shutterstock Wie die Experten von Darktrace in ihrem aktuellen Threat Report 2026 darstellen, bleiben Cloud- und E-Mail-Konten das Einfallstor Nummer Eins in Europa. Dem Bericht zufolge begannen im vergangenen Jahr in Europa 58 Prozent der Attacken mit kompromittierten Cloud-Accounts oder E-Mail-Zugängen. Klassische netzwerkbasierte Intrusionen machten 42 Prozent aus. Mehr als die Hälfte der registrierten Vorfälle entfiel auf Organisationen in der EMEA-Region, wobei Deutschland das am stärksten ins Visier geratene Land war. Besonders häufig traf es Unternehmen aus dem verarbeitenden Gewerbe. Identität als Einfallstor Hintergrund sei, so Darktrace, dass Cloud-Transformation, SaaS-Nutzung und hybride Arbeitsmodelle die traditionelle Netzwerkgrenze aufgelöst hätten. Angreifer müssten deshalb nicht mehr in Systeme eindringen, sondern könnten sich mit gestohlenen Zugangsdaten anmelden. Anschließend bewegten sie sich dann mit legitimen Berechtigungen innerhalb der Infrastruktur. „Die Bedrohungslage hat sich fundamental verändert. Wir sehen, dass sich Angreifer mit gültigen Accounts anmelden und reguläre Administrationswerkzeuge nutzen. Das erschwert die Erkennung erheblich, weil sich bösartiges Verhalten in legitime Prozesse einbettet“, erklärt Nathaniel Jones, VP Security & AI Strategy bei Darktrace, die Situation. KRITIS in Gefahr Den Experten von Darktrace zufolge zeigt sich der identitätsbasierte Angriffsansatz in sensiblen Sektoren besonders: Demnach richteten sich 33 Prozent der Phishing-Mails im Gesundheitswesen, 30 Prozent im Finanzsektor und 20 Prozent im Energiesektor gezielt an privilegierte Nutzer. Darktrace dokumentierte zudem europäische Vorfälle, bei denen kompromittierte SaaS-Accounts als Ausgangspunkt für weitergehende Aktivitäten in operativen Umgebungen dienten. Als Hintermänner dieser Angriffe vermuten die Security-Fachleute staatlich unterstützte und hybride Akteure. Diese würden verstärkt auf strategische Vorpositionierung setzen, insbesondere in der Telekommunikation, dem Energiesektor und anderen systemrelevanten Bereichen. Besonders heben die Studienmachen hier die Gruppen Lazarus aus Nord-Korea und ShadowPad aus China hervor. Im „privaten“ Sektoren wird vor den Ransomware-as-a-Service-Experten von Akira gewarnt. Alle drei Gruppen sollen sich verstärkt auf den Manufacturing-Sektor konzentrieren. Weitere Player im Bereich Ransomware, die es zu beobachten gilt, sind laut Darktrace Qilin, RansomHub, Lynx und INC. Auch Cloud- und SaaS-Kompromittierungen Eine weitere Erkenntnis: Mit der Verlagerung geschäftskritischer Prozesse in Cloud- und SaaS-Umgebungen wächst die Abhängigkeit von Identitäts- und Zugriffsmechanismen. Kompromittierte Accounts könnten damit als Ausgangspunkt für laterale Bewegungen in komplexen, vernetzten Umgebungen dienen. Darktrace verweist auf Honeypot-Daten, wonach 43,5 Prozent der beobachteten Malware-Samples auf Microsoft Azure zielten, 33,2 Prozent auf Google Cloud Platform und 23,2 Prozent auf AWS. Docker-Umgebungen standen bei etwas mehr als der Hälfte der erfassten Angriffsversuche im Fokus. Bestehende Schwachstellen ausgenutzt Neben gezielten Angriffen auf Mail- und Cloud-Accounts machen sich Kriminelle immer häufiger technische Schwachstellen zunutze. Und davon gibt es zunehmend mehr, so Darktrace: 2025 wurden insgesamt 48.185 CVEs registriert – ein Anstieg um 20,6 Prozent gegenüber dem Vorjahr. Die Sicherheitsforscher beobachtete dabei in mehreren Fällen auffällige Exploitation-Aktivitäten Tage bis Wochen vor der offiziellen Offenlegung, unter anderem bei SAP NetWeaver und Ivanti. Besonderes Augenmerk auf Privilegierte Das Fazit von Darktrace: Wer ausschließlich auf Perimeter-Kontrollen oder bekannte Signaturen setzt, erkennt Angriffe häufig erst spät. Entscheidend sei die Fähigkeit, Abweichungen im Verhalten von Nutzern, Systemen und Workloads frühzeitig zu identifizieren und einzugrenzen. Dementsprechend raten die Experten Organisationen, privilegierte Konten kontinuierlich zu überwachen. Gibt es Informationen darüber, dass sich neue Admins auf Servern angemeldet haben, sei das ein Warnsignal. Zusätzlich raten sie, externe VPN-Anmeldungen an Rechenzentren als Vorboten schwerwiegender Sicherheitsvorfälle zu behandeln. Diese Vorkehrungen sollten mit Maßnahmen zur Härtung der Multi-Faktor-Authentifizierung (MFA) sowie Geräte-Baselines kombiniert werden. View the full article

Godlikeart | shutterstock.com Ein Managed Security Service Provider (MSSP) bietet seinen Kunden ein umfassendes Spektrum an Sicherheits-Services. Als Drittanbieter kann ein MSSP die Arbeitsbelastung der internen IT-Teams deutlich reduzieren und Zeit freisetzen, um sich mit essenziellen Unternehmensprozessen und strategischen Überlegungen auseinanderzusetzen. Darüber hinaus kann ein MSSP unter anderem auch dazu beitragen, Qualifikationslücken zu schließen und Alarmmeldungen zu reduzieren. Die folgenden sieben Anzeichen deuten darauf hin, dass Ihr IT-Team die Grenze seiner Belastbarkeit erreicht oder bereits überschritten hat. In diesem Fall sollten Sie dringend in Erwägung ziehen, mit einem MSSP zusammenzuarbeiten. 1. Unzureichender Schutz Ein MSSP bietet Zugang zu Sicherheitssupport auf Expertenniveau, ganz ohne ein internes Team aufbauen und unterhalten zu müssen. “Managed Security Service Provider bieten Tools, Knowhow und Rund-um-die-Uhr-Monitoring. Das können die meisten Unternehmen nicht so einfach intern umsetzen”, meint Gyan Chawdhary, Gründer und CEO des Cybersecurity-Schulungsanbieters Kontra. Ein MSSP könne sowohl Bedrohungen frühzeitig erkennen als auch gewährleisten, dass auf Vorfälle eine schnelle Reaktion folge, so der Manager. Dabei sollten Sicherheitsentscheider nicht nur auf Tools achten, sondern auch auf “weiche” Faktoren, rät Chawdhary: “Was wirklich zählt, sind Erfahrung, Zuverlässigkeit und die Kommunikationsfähigkeit eines MSSP. Sie brauchen einen Anbieter, der Ihre Branche versteht, schnell reagiert, wenn etwas schief geht, und transparent darüber informiert, was er tut und warum.” Der CEO warnt jedoch, dass MSSPs zwar im Umgang mit technischen Problemen und Bedrohungen versiert sind, aber nicht alles lösen können: “Eine schwache Sicherheitskultur, schlechte interne Richtlinien oder Insider-Bedrohungen liegen oft außerhalb ihrer Kontrolle.” 2. Lähmende Warnmeldungen Wenn Ihr SOC-Team täglich 300 Warnmeldungen ignoriert und manuell triagiert, ist das ein deutliches Zeichen dafür, dass Sie einen Managed Security Service Provider in Betracht ziehen sollten. Das sieht auch Toby Basalla, Gründer und Principal Data Consultant bei Synthelize, so. “Wenn Chaos herrscht, wer weiß dann noch, welche Red Flags wirklich ernst zu nehmen sind? Sie würden wahrscheinlich auch nicht Daten rund um die Uhr ohne Redundanz verarbeiten. Mit Blick auf Security verhält es sich nicht anders.” 3. Brandbekämpfung First Wenn sich das interne Team nicht nur schwer damit tut, Alerts zu bewältigen, sondern auch damit, zeitnah auf Vorfälle zu reagieren oder mit den Compliance-Anforderungen Schritt zu halten, ist das ebenfalls ein Warnsignal für akuten MSSP-Bedarf. Ensar Seker, CISO beim Sicherheitsanbieter SOCRadar, erläutert, welche Folgen in so einem Fall drohen: “Wenn interne Teams von der schieren Menge der operativen Aufgaben überwältigt sind und sich nicht auf die strategische Verteidigung konzentrieren können, ist Burnout unausweichlich.” Laut Seker sollten Unternehmen, die MSSPs evaluieren vor allem auf Erfahrung, Transparenz und Integrationsbereitschaft achten: “Suchen Sie nach Anbietern, die detaillierte SLAs, Echtzeit-Transparenz bei Warnmeldungen, klare Eskalationswege und native Integrationen bieten. Ebenso wichtig ist eine enge kulturelle und kommunikative Abstimmung. Der MSSP muss sich wie eine Erweiterung Ihres Teams anfühlen, nicht wie eine Black Box.” 4. Keine internen Ressourcen Viele kleinere Unternehmen können es sich schlicht nicht leisten, ein Team von Cybersicherheitsspezialisten in Vollzeit zu beschäftigen. Das macht diese Firmen besonders anfällig für sämtliche Arten von Cyberangriffen. Einen Managed Security Service Provider zu engagieren, bietet einen Ausweg aus dieser Situation, wie Trevor Young, Chief Product Officer bei Security Compass, erklärt: “MSSPs können Skaleneffekte, proaktive Threat Intelligence und ein tiefgehendes Verständnis der Security Best Practices bieten.” Der größte Fehler, den Unternehmen bei der Suche nach einem MSSP machen können, ist nach Meinung des Produktentscheiders, das als rein kostenorientierte Entscheidung zu betrachten. Weitere häufige Fehler sind laut Young in diesem Zusammenhang, sämtliche Sicherheits-Tasks an einen MSSP auszulagern, ohne zuvor eine ordnungsgemäße Due Diligence durchzuführen: “Unternehmen versäumen es oft, ihre Sicherheitsanforderungen, die erwarteten Ergebnisse und den Umfang der Dienstleistungen klar zu definieren. Das führt zu falschen Erwartungen und unzureichendem Schutz.” 5. Interner Wissensmangel Wenn ein internes Team immer wieder auf Fragen stößt, die es nicht einhundertprozentig beantworten kann, ist es möglicherweise ebenfalls an der Zeit, die Hilfe eines Managed Security Provider in Anspruch zu nehmen. “Selbst wenn nur in einem oder zwei Cybersecurity-Bereichen spezifisches Wissen fehlt, kann das zu erheblichen Versäumnissen führen und das Potenzial für Effizienzsteigerungen verringern”, hält Aimee Simpson, Director beim Sicherheitsanbieter Huntress, fest. In Simpsons Erfahrung können insbesondere kleine IT-Teams in vielen Fällen bereits mit grundlegenden Cybersicherheitsaufgaben überlastet sein. “Ein MSSP kann Ihr Team entlasten, sodass es sich darauf konzentrieren kann, die IT-Sicherheit zu optimieren, statt sie nur aufrechtzuerhalten.” 6. Kein Schutz nach Feierabend Für Unternehmen, die nach einer 24/7-Sicherheitslösung suchen, bietet ein Managed Security Service Provider eine praktische und in der Regel erschwingliche Komplettlösung. “Der Umfang der Betreuung, die ein MSSP bietet, stellt an sich bereits eine erhebliche Verbesserung der Sicherheitslage dar”, meint Huntress-Managerin Simpson. CPO Young empfiehlt an dieser Stelle: “Suchen Sie nach einem MSSP, der eine umfassende Palette von Dienstleistungen anbietet und der sich dazu verpflichtet, neuen Bedrohungen einen Schritt voraus zu sein.” 7. Schmerzhaftes Reporting “Reportings stellen für viele Unternehmen einen erheblichen Mehraufwand dar”, konstatiert Tony Anscombe, Chief Security Evangelist beim Sicherheitsdienstleister ESET. Insbesondere Unternehmen, die aufgrund ihres Standortes einer Meldepflicht von Cybervorfällen unterliegen, müssten unter Umständen ganze Teams beschäftigen, um die damit zusammenhängenden Reporting-Tasks abdecken zu können. “Diese Belastung lässt sich wahrscheinlich am effizientesten durch einen Managed Security Service Provider oder ein externes Cyber-Incident-Response-Team bewältigen, das mit den spezifischen Berichtsmethoden und -anforderungen vertraut ist”, meint der Sicherheitsexperte. Darüber hinaus ist Anscombe der Ansicht, dass ein gutes MSSP-Paket neben Meldepflichten und Reportings auch einen Incident-Response-Plan und regelmäßiges Security-Testing umfassen sollte: “So lässt sich sicherzustellen, dass Patches und Software-Updates schnell und effektiv angewendet werden.” (fm) View the full article

Deutsche Unternehmen müssen sich warm anziehen: Sowohl staatliche als auch „private“ Akteure haben es auf sie abgesehen. Shutterstock Wie die Experten von Darktrace in ihrem aktuellen Threat Report 2026 darstellen, bleiben Cloud- und E-Mail-Konten das Einfallstor Nummer Eins in Europa. Dem Bericht zufolge begannen im vergangenen Jahr in Europa 58 Prozent der Attacken mit kompromittierten Cloud-Accounts oder E-Mail-Zugängen. Klassische netzwerkbasierte Intrusionen machten 42 Prozent aus. Mehr als die Hälfte der registrierten Vorfälle entfiel auf Organisationen in der EMEA-Region, wobei Deutschland das am stärksten ins Visier geratene Land war. Besonders häufig traf es Unternehmen aus dem verarbeitenden Gewerbe. Identität als Einfallstor Hintergrund sei, so Darktrace, dass Cloud-Transformation, SaaS-Nutzung und hybride Arbeitsmodelle die traditionelle Netzwerkgrenze aufgelöst hätten. Angreifer müssten deshalb nicht mehr in Systeme eindringen, sondern könnten sich mit gestohlenen Zugangsdaten anmelden. Anschließend bewegten sie sich dann mit legitimen Berechtigungen innerhalb der Infrastruktur. „Die Bedrohungslage hat sich fundamental verändert. Wir sehen, dass sich Angreifer mit gültigen Accounts anmelden und reguläre Administrationswerkzeuge nutzen. Das erschwert die Erkennung erheblich, weil sich bösartiges Verhalten in legitime Prozesse einbettet“, erklärt Nathaniel Jones, VP Security & AI Strategy bei Darktrace, die Situation. KRITIS in Gefahr Den Experten von Darktrace zufolge zeigt sich der identitätsbasierte Angriffsansatz in sensiblen Sektoren besonders: Demnach richteten sich 33 Prozent der Phishing-Mails im Gesundheitswesen, 30 Prozent im Finanzsektor und 20 Prozent im Energiesektor gezielt an privilegierte Nutzer. Darktrace dokumentierte zudem europäische Vorfälle, bei denen kompromittierte SaaS-Accounts als Ausgangspunkt für weitergehende Aktivitäten in operativen Umgebungen dienten. Als Hintermänner dieser Angriffe vermuten die Security-Fachleute staatlich unterstützte und hybride Akteure. Diese würden verstärkt auf strategische Vorpositionierung setzen, insbesondere in der Telekommunikation, dem Energiesektor und anderen systemrelevanten Bereichen. Besonders heben die Studienmachen hier die Gruppen Lazarus aus Nord-Korea und ShadowPad aus China hervor. Im „privaten“ Sektoren wird vor den Ransomware-as-a-Service-Experten von Akira gewarnt. Alle drei Gruppen sollen sich verstärkt auf den Manufacturing-Sektor konzentrieren. Weitere Player im Bereich Ransomware, die es zu beobachten gilt, sind laut Darktrace Qilin, RansomHub, Lynx und INC. Auch Cloud- und SaaS-Kompromittierungen Eine weitere Erkenntnis: Mit der Verlagerung geschäftskritischer Prozesse in Cloud- und SaaS-Umgebungen wächst die Abhängigkeit von Identitäts- und Zugriffsmechanismen. Kompromittierte Accounts könnten damit als Ausgangspunkt für laterale Bewegungen in komplexen, vernetzten Umgebungen dienen. Darktrace verweist auf Honeypot-Daten, wonach 43,5 Prozent der beobachteten Malware-Samples auf Microsoft Azure zielten, 33,2 Prozent auf Google Cloud Platform und 23,2 Prozent auf AWS. Docker-Umgebungen standen bei etwas mehr als der Hälfte der erfassten Angriffsversuche im Fokus. Bestehende Schwachstellen ausgenutzt Neben gezielten Angriffen auf Mail- und Cloud-Accounts machen sich Kriminelle immer häufiger technische Schwachstellen zunutze. Und davon gibt es zunehmend mehr, so Darktrace: 2025 wurden insgesamt 48.185 CVEs registriert – ein Anstieg um 20,6 Prozent gegenüber dem Vorjahr. Die Sicherheitsforscher beobachtete dabei in mehreren Fällen auffällige Exploitation-Aktivitäten Tage bis Wochen vor der offiziellen Offenlegung, unter anderem bei SAP NetWeaver und Ivanti. Besonderes Augenmerk auf Privilegierte Das Fazit von Darktrace: Wer ausschließlich auf Perimeter-Kontrollen oder bekannte Signaturen setzt, erkennt Angriffe häufig erst spät. Entscheidend sei die Fähigkeit, Abweichungen im Verhalten von Nutzern, Systemen und Workloads frühzeitig zu identifizieren und einzugrenzen. Dementsprechend raten die Experten Organisationen, privilegierte Konten kontinuierlich zu überwachen. Gibt es Informationen darüber, dass sich neue Admins auf Servern angemeldet haben, sei das ein Warnsignal. Zusätzlich raten sie, externe VPN-Anmeldungen an Rechenzentren als Vorboten schwerwiegender Sicherheitsvorfälle zu behandeln. Diese Vorkehrungen sollten mit Maßnahmen zur Härtung der Multi-Faktor-Authentifizierung (MFA) sowie Geräte-Baselines kombiniert werden. View the full article

The LeakBase cyberforum, considered one of the world’s largest online marketplaces for cybercriminals to buy and sell stolen data and cybercrime tools, has been seized by the US, and arrests have also been made in other countries. The US Department of Justice said Thursday that earlier this week, law enforcement agencies in 14 countries took synchronized action against the site and its 142,000 users, capturing its data and two of the domains used by the forum. Law enforcement also executed search warrants, made arrests, and conducted interviews in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom. “Prevention messages” were also sent to LeakBase members. According to the US and Europol, the European police co-operative, the captured database included credential pairs (usernames and associated passwords), credit and debit card numbers, and bank account and routing information, as well as other sensitive business and personally identifiable information. The action started March 3, when around 100 enforcement actions, including arrests and house searches, were conducted worldwide. These included measures against 37 of the most active LeakBase users. The so-called technical phase, the seizure of the forum’s domain and database, took place the next day. That, Europol said, enabled the unmasking of multiple users who believed they were operating anonymously. “By contacting suspects through their preferred digital platforms, investigators delivered a clear message: no one is truly invisible online,” said Europol. Law enforcement authorities are proactively continuing to trace digital trails to unmask additional offenders and establish their real-world identities, it added. Sending a strong signal to cybercriminals However, one expert says IT leaders shouldn’t hold out much hope that, with this data, law enforcement authorities may be able to warn organizations that they’ve been hacked, or use the data to help victim firms plug vulnerabilities. “In the current climate of the geopolitical turbulence, data sharing between law enforcement and private sector is quite unlikely,” said Ilia Kolochenko, CEO of Swiss-based Immuniweb. “Moreover, in many jurisdictions, such data sharing may be illegal as it almost inevitably contains data stolen from third parties.” While this operation “marks another remarkable victory of law enforcement over global cybercrime,” he added, “practical benefits will probably remain modest. “First, the most dangerous and active cyber mercenaries and state-backed hacking groups are well prepared for a possible seizure of such marketplaces, and leave virtually no digital traces or other incriminating evidence that could help identify them. “Second, even if due to a mistake or omission some cybercriminals will be unmasked, most of them enjoy immunity in non-extradition jurisdictions. Finally, clandestine operators of such marketplaces almost always have a backup and Plan B, swiftly resurrecting like a hydra within several days or weeks. “In sum, while this operation sends a strong signal that cyber offenders will be prosecuted, global cybercrime will continue as usual,” he said. Garrett Carstens, senior vice-president of intel operations at Intel 471, said CSOs should view the LeakBase takedown as a positive development, but not as a decisive one or one that will translate into easily measurable reduction in cyber risk on its own. “Takedowns can create short-term disruption, intelligence opportunities, and friction for criminals,” he said, “yet the ecosystem typically adapts quickly via migration to other forums or more resilient distribution channels, such as Telegram.” It’s good news tactically, he said, but it will have limited strategic impact unless paired with follow-on actions such as arrests, financial interdiction, or other forms of sustained pressure. Carstens said to evaluate whether this, or other, takedowns matter for their organization, infosec leaders could track various metrics including, but not limited to, recent fraud activity such as credential-stuffing and account takeover attempts, how quickly any known exposed data appears on alternate forums/Telegram after a disruption, and the appearance of new phishing kits, new proxy services, and new bot patterns after a takedown. Global effort Thanks to international co-operation, a number of criminal marketplaces have been seized in recent years, including BreachForums and RaidForums. Law enforcement agencies involved in various ways in this week’s takedown came from Australia, Belgium, Canada, Germany, Greece, Kosovo, Malaysia, Netherlands, Poland, Portugal, Romania, Spain, the United Kingdom and the US. News of the seizure comes the day after the IT infrastructure hosting the Tycoon2FA phishing-as-a-service operation was dismantled. The takedown of LeakBase “disrupts a major international platform that cybercriminals use to obtain and profit from the theft of sensitive personal, banking and account credentials,” said US assistant attorney general A. Tysen Duva. “This operation illustrates the strength of the United States and our international partners working across the globe to dismantle a critical cybercriminal forum.” In a statement, Edvardas Šileris, head of Europol’s European Cybercrime Centre, said the operation “shows that no corner of the internet is beyond the reach of international law enforcement. What began as a shadowy forum for stolen data has now been dismantled, and those who believed they could hide behind anonymity are being identified and held accountable. This is a clear message to cybercriminals everywhere: if you traffic in other people’s stolen information, law enforcement will find you and bring you to justice.” View the full article