Global enterprises are facing a serious security crisis as misconfigured Access Management Systems (AMS) expose sensitive employee data and grant potential access to restricted facilities. The vulnerabilities found across healthcare, education, manufacturing, and government industries put organizations at heightened risk of data breaches, financial losses, and compliance violations.
In some cases, attackers could manipulate credentials to bypass security systems entirely, raising urgent concerns over both digital and physical security, according to a report by cybersecurity firm Modat.
The findings suggest that hundreds of thousands of sensitive employee records have been exposed, including biometric information, identification details, photographs, and work schedules. In some cases, these vulnerabilities could allow unauthorized individuals to bypass physical security measures and gain entry into restricted facilities.
“Access Management Systems are crucial in modern security and yet they can often present significant vulnerabilities,” the report said. “Some systems offer comprehensive access control features, but their network-connected nature can create potential attack vectors.”
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source : https://www.csoonline.com/article/3837531/misconfigured-access-management-systems-expose-global-enterprises-to-security-risks.html
Attackers are shifting tactics, targeting mid-size companies and critical infrastructure sectors, while generative AI risks threaten to overshadow a focus on cyber hygiene.
Ransomware attacks continue to be one of the most significant cybersecurity threats organizations and cybersecurity leaders face. Attacks lead to wide-scale disruptions, large data breaches, huge payouts and millions of dollars in costs to businesses.
In response, large, coordinated law enforcement operations have targeted major ransomware groups and disrupted operations, dismantled data leak sites and seen the release of decryption keys.
However, the volume of attacks has risen, the number of reported victims continues to grow, and, like a hydra that sprouts new heads, the ransomware ecosystem has re-formed and continues operating, although some of its tactics are changing.
Here are five key insights CISOs need to know in 2025.
1. Too much focus on generative AI risks underestimating known threats
Generative AI tools such as ChatGPT continue to cause a stir in organizations and raise a host of security concerns. However, some incident data and threat analysis suggest security leaders need to remain vigilant about the evolution of traditional ransomware tactics.
Source : https://www.csoonline.com/article/3825545/5-things-to-know-about-ransomware-threats-in-2025.html
CrowdStrike (Nasdaq: CRWD) today announced the findings of the 2025 CrowdStrike Global Threat Report, revealing a dramatic shift in cyber adversary tactics, with attackers leveraging stolen identity credentials, AI-generated social engineering, and hands-on keyboard intrusions to bypass traditional security measures. The report details a surge in identity-based attacks, the growing exploitation of cloud environments and an increase in nation-state cyber activity, particularly from China, which has intensified its targeting of critical industries such as finance, media and manufacturing. Now in its 11th annual edition, CrowdStrike’s definitive threat intelligence report provides an in-depth look at cybercriminal and nation-state adversary behavior.
Key Findings in the 2025 Report
The global cyber threat landscape has evolved rapidly, with adversaries becoming faster, stealthier and more sophisticated. A surge in Chinese cyber activity, the rise of hands-on keyboard attacks, and the widespread use of generative AI to enhance phishing and social engineering tactics have forced security teams to rethink their defense strategies.
According to CrowdStrike’s latest threat report, China’s cyber operations escalated significantly, with a 150% increase in attacks across all sectors in 2024 compared to the previous year. Certain industries, including financial services, media and manufacturing, saw spikes of 200-300%, marking a shift in China’s cyber strategy. CrowdStrike also identified seven new China-nexus adversaries, further contributing to the surge in espionage and cyber operations.
Source : https://securityboulevard.com/2025/02/2025-crowdstrike-global-threat-report-cybercriminals-are-shifting-tactics-are-you-ready/
Cloud authentication provides many advantages in business. It lets your users authenticate seamlessly across applications, it is cost-efficient and scalable, and it offers strong security options. But as with anything good in this line of work, it has the potential to be abused.
One example of this is Open Authorization (OAuth) technology, an open-standard protocol designed to allow third-party applications to access user information without sharing the user’s credentials, such as passwords. It enables users to grant limited access to resources from one site to another without exposing login information.
When used for good, it allows users to make persistent connections. When used for evil, it can allow malicious actors to gain a foothold on a network, even an on-premises location.
- Set the filter to permission level “high severity” and community use to “not common”. Using this filter, you can focus on apps that are potentially very risky, where users may have underestimated the risk.
- Under Permissions select all the options that are particularly risky in a specific context. For example, you can select all the filters that provide permission to email access, such as Full access to all mailboxes and then review the list of apps to make sure that they all really need mail-related access. This can help you investigate within a specific context, and find apps that seem legitimate but contain unnecessary permissions. These apps are more likely to be risky.
- Select the saved query Apps authorized by external users. Using this filter, you can find apps that might not be aligned with your company’s security standards.
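The three filters above are applied by hand in the Defender for Cloud Apps portal. The same triage can be run over a tenant's OAuth consent data pulled from Microsoft Graph. The block below is an added example, not code from the original article or from Microsoft: the record shape loosely follows Graph's `oauth2PermissionGrant` (a space-separated `scope` string and a `consentType` of `AllPrincipals` or `Principal`), while the `user_count`, `publisher_verified` and `external_consenter` fields, the `COMMON_USE_THRESHOLD` value, and the sample apps are assumptions constructed for illustration. It flags apps that hold mail or tenant-wide permissions, are not commonly used, were consented by an external user, or were granted tenant-wide consent despite an unverified publisher, and explains why each was flagged.

```python
"""Triage OAuth app consents for the risk patterns described in the article.

Added example; not the article's or Microsoft's code. Field names other than
`scope` and `consentType` (user_count, publisher_verified, external_consenter)
are assumptions standing in for Defender for Cloud Apps attributes.
"""
from dataclasses import dataclass
from typing import Dict, List

# Real Microsoft Graph / Exchange permission names that give broad mailbox access.
MAIL_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Mail.ReadWrite.Shared",
    "MailboxSettings.ReadWrite", "full_access_as_app", "EWS.AccessAsUser.All",
}
# Permissions treated as "high severity" for this example (mail plus tenant-wide write).
HIGH_SEVERITY = MAIL_SCOPES | {
    "Directory.ReadWrite.All", "User.ReadWrite.All", "Files.ReadWrite.All",
    "Sites.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}
COMMON_USE_THRESHOLD = 50  # assumption: fewer consenting users than this counts as "not common"


@dataclass
class AppGrant:
    app_name: str
    client_id: str
    scope: str            # space-separated, as in oauth2PermissionGrant.scope
    consent_type: str     # "AllPrincipals" (admin consent) or "Principal" (single user)
    user_count: int       # assumed: number of tenant users who consented
    publisher_verified: bool
    external_consenter: bool = False  # assumed: consent came from a guest/external identity


def triage(grant: AppGrant) -> Dict:
    """Return the app plus a list of human-readable reasons it deserves review."""
    scopes = set(grant.scope.split())
    high = scopes & HIGH_SEVERITY
    reasons: List[str] = []
    if high:
        reasons.append(f"high-severity permissions: {sorted(high)}")
        if grant.user_count < COMMON_USE_THRESHOLD:
            reasons.append("high-severity permissions but not commonly used in this tenant")
    if scopes & MAIL_SCOPES:
        reasons.append("mail access: confirm the app genuinely needs it")
    if "offline_access" in scopes and high:
        # Refresh tokens turn a one-off consent into a persistent foothold.
        reasons.append("offline_access makes the grant persistent via refresh tokens")
    if grant.external_consenter:
        reasons.append("consented by an external user")
    if grant.consent_type == "AllPrincipals" and not grant.publisher_verified:
        reasons.append("tenant-wide admin consent to an unverified publisher")
    return {"app": grant.app_name, "client_id": grant.client_id, "reasons": reasons}


def triage_all(grants: List[AppGrant]) -> List[Dict]:
    """Triage every grant; return only flagged apps, riskiest (most reasons) first."""
    flagged = [r for r in map(triage, grants) if r["reasons"]]
    return sorted(flagged, key=lambda r: len(r["reasons"]), reverse=True)


# Constructed sample consents (not real apps or client IDs).
SAMPLE_GRANTS = [
    AppGrant("Mail Sync Pro", "11111111-0000-0000-0000-000000000001",
             "Mail.ReadWrite offline_access User.Read", "AllPrincipals",
             user_count=3, publisher_verified=False),
    AppGrant("Calendar Helper", "11111111-0000-0000-0000-000000000002",
             "Calendars.Read", "Principal", user_count=400, publisher_verified=True),
    AppGrant("Quick Notes", "11111111-0000-0000-0000-000000000003",
             "User.Read offline_access", "Principal", user_count=1,
             publisher_verified=True, external_consenter=True),
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_GRANTS):
        print(finding["app"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

In a real tenant the grants come from `GET /oauth2PermissionGrants` joined to `/servicePrincipals` for display names and publisher verification; the thresholds here are starting points to tune against the tenant's own baseline.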
Source : https://www.csoonline.com/article/3833826/how-to-configure-oauth-in-microsoft-365-defender-and-keep-your-cloud-secure.html
A critical vulnerability in Microsoft's Partner Center platform is under attack, enabling unauthenticated attackers to escalate privileges, potentially leading to data breaches, malware deployment, and lateral movement across enterprise networks.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw, tracked as CVE-2024-49035, to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in real-world environments.
A high-impact vulnerability in Microsoft’s partner ecosystem
CVE-2024-49035 is a privilege escalation flaw stemming from improper access control within Microsoft Partner Center, a platform used by enterprises and managed service providers to handle cloud services, licenses, and customer accounts.
Microsoft first disclosed the issue in November 2024, assigning it a CVSS score of 8.7. However, the National Vulnerability Database (NVD) later upgraded its severity rating to 9.8 out of 10, citing its low attack complexity and high impact on confidentiality and integrity. The flaw enables threat actors to exploit the Microsoft Power Apps-based backend of Partner Center, gaining unauthorized access without requiring authentication.
This raises concerns about potential supply chain risks, as attackers could use compromised partner accounts to pivot into customer environments.
Discovery and response timeline
Security researchers Gautam Peri, Apoorv Wadhwa, and an anonymous contributor identified the vulnerability and reported it to Microsoft through the coordinated vulnerability disclosure process.
Source : https://www.csoonline.com/article/3834674/critical-microsoft-partner-center-vulnerability-under-attack-cisa-warns.html
A botnet of more than 130,000 compromised devices is conducting a large-scale password-spray cyberattack, targeting Microsoft 365 accounts through a basic authentication feature.
The attacks have been recorded in non-interactive sign-in logs, which researchers at SecurityScorecard note are often overlooked by security teams. Threat actors exploit this by conducting high-volume password-spraying attempts while going virtually undetected.
Non-interactive sign-ins are completed on behalf of the user by a client app or operating system component and do not require the user to provide any authentication. Instead, the user is automatically authenticated using previously established credentials.
Non-interactive logins are widespread in Microsoft 365, driven by service accounts, automated tasks, and API integrations, said Jason Soroko, senior fellow at Sectigo, in an emailed statement to Dark Reading.
They often represent a significant portion of overall authentication events, as background processes routinely access resources without direct user input.
This tactic differs from traditional password-spray attacks, which often result in account lockouts that prompt investigation by security teams. By exploiting non-interactive sign-ins, threat actors gain more time to infiltrate a system before any alarm sounds, and typically succeed even against robust security environments.
The researchers have observed this tactic in multiple M365 tenants around the world.
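Because the botnet spreads its attempts over many source addresses, grouping failures by IP will not surface the spray; the tell is many distinct accounts each failing once or twice within a window, through a legacy client that cannot do MFA. The block below is an added example, not the article's or SecurityScorecard's code: a detection over Entra ID sign-in records in the shape the Microsoft Graph `signIns` API returns (`createdDateTime`, `userPrincipalName`, `ipAddress`, `clientAppUsed`, `status.errorCode`, where 50126 means invalid credentials). The events, the `BAV2ROPC` user agent, the time window and the thresholds are constructed assumptions for the example; the `clientAppUsed` values and error code are real.

```python
"""Detect low-and-slow password spraying in non-interactive sign-in records.

Added example; not code from the article or from SecurityScorecard. Events are
constructed in the shape of Microsoft Graph signIn objects; thresholds are
assumptions to tune per tenant.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

INVALID_CREDENTIALS = 50126  # Entra ID: invalid username or password
# clientAppUsed values that indicate legacy / basic authentication (no MFA).
LEGACY_CLIENTS = {
    "Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
    "Exchange Web Services", "Outlook Anywhere (RPC over HTTP)",
    "Autodiscover", "Other clients",
}


def _ts(event: Dict) -> float:
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00")).timestamp()


def detect_spray(events: List[Dict], window_minutes: int = 60,
                 min_users: int = 10, max_per_user: int = 2,
                 low_fraction: float = 0.9) -> List[Dict]:
    """Flag (client app, time bucket) pairs where many distinct accounts each fail
    only a few times: the signature of a spray rather than a brute force."""
    buckets = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] != INVALID_CREDENTIALS:
            continue
        # Fixed-size buckets keyed by client app; a sliding window is a refinement.
        bucket = int(_ts(e) // (window_minutes * 60))
        buckets[(e["clientAppUsed"], bucket)].append(e)

    findings = []
    for (client_app, bucket), evs in buckets.items():
        per_user = Counter(e["userPrincipalName"] for e in evs)
        if len(per_user) < min_users:
            continue  # one or a few accounts failing a lot is brute force, a different rule
        low = sum(1 for c in per_user.values() if c <= max_per_user) / len(per_user)
        if low < low_fraction:
            continue
        findings.append({
            "client_app": client_app,
            "legacy_client": client_app in LEGACY_CLIENTS,
            "window_start": datetime.utcfromtimestamp(bucket * window_minutes * 60).isoformat() + "Z",
            "distinct_users": len(per_user),
            "distinct_ips": len({e["ipAddress"] for e in evs}),
            "attempts": len(evs),
        })
    return findings


def _event(minute: int, upn: str, ip: str, client: str, code: int) -> Dict:
    return {
        "createdDateTime": f"2025-02-24T03:{minute:02d}:00Z",
        "userPrincipalName": upn,
        "ipAddress": ip,
        "clientAppUsed": client,
        "userAgent": "BAV2ROPC",  # constructed; legacy-auth style user agent
        "status": {"errorCode": code},
    }


# Constructed sample: 12 accounts, each hit once from a different IP over SMTP AUTH,
# plus benign background noise and a single-account brute force from one IP.
SAMPLE_EVENTS: List[Dict] = [
    _event(i, f"user{i:02d}@contoso.example", f"198.51.100.{i + 1}",
           "Authenticated SMTP", INVALID_CREDENTIALS)
    for i in range(12)
] + [
    _event(m, "svc-backup@contoso.example", "192.0.2.10",
           "Mobile Apps and Desktop clients", 0) for m in (5, 20, 35)
] + [
    _event(m, "user99@contoso.example", "203.0.113.7", "Browser", INVALID_CREDENTIALS)
    for m in range(40, 45)
]

if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f)
```

Pulling the non-interactive log itself requires the `signInEventTypes/any(t: t eq 'nonInteractiveUser')` filter on the Graph `auditLogs/signIns` endpoint or the `AADNonInteractiveUserSignInLogs` table in Log Analytics; the detection logic is the same either way.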
Source : https://www.darkreading.com/cyberattacks-data-breaches/microsoft-365-accounts-sprayed-mega-botnet
The fake websites trick users into downloading and running malware that searches for personal information, especially anything related to crypto currency.
Threat actors are leveraging brand impersonation techniques to create fake websites mimicking DeepSeek, an AI chatbot from China that launched just a month ago. Their goal? Getting users to divulge personal and sensitive information.
A significant number of imposter sites imitating DeepSeek have already popped up, according to researchers at ThreatLabz, including deepseeksol[.]com, deepseeksky[.]com, deepseek[.]app, deepseekaiagent[.]live, and many more.
The attack chain involves the fraudulent DeepSeek website asking visitors to complete a registration process. Once done, the user is directed to a fake CAPTCHA page. Malicious JavaScript copies a malicious PowerShell command to the user’s clipboard, which, if run, downloads and executes the Vidar information stealer, allowing it to exfiltrate sensitive data such as passwords, cryptocurrency wallets, and personal files.
“The malware employs social media platforms, such as Telegram, to conceal its C2 infrastructure,” noted the researchers in a blog post.
They added that the malware is programmed to search for files and configurations specifically related to cryptocurrency wallets. If detected, Vidar will query “specific registry keys and file paths to exfiltrate sensitive data such as wallet files.” The malware also actively searches the victim’s system for other assets, such as stored cookies and saved login credentials.
Source : https://www.darkreading.com/threat-intelligence/ai-tricksters-spin-up-fake-deepseek-sites-steal-crypto
CISOs shouldn’t be shy about what they need from the board, as organizations with mutual board-CISO understanding are better positioned to tackle cybersecurity challenges successfully.
There has been an extremely strong focus of late on organizational boards’ concerns about cyber threats. This focus has come alongside amplified regulatory attention, much of which pushes for stronger board engagement on cybersecurity. As a result, board directors are increasingly asking questions of their CISOs.
In November 2023, the New York Department of Financial Services (NYDFS) finalized its amendments to 23 NYCRR Part 500. While this regulation was groundbreaking in how prescriptively it specified required cyber controls, earlier drafts had also indicated that each board should have suitably cyber-qualified members.
As a result, questions about cybersecurity practices are cascading into risk committees in every enterprise, with CISOs at the center.
But the CISO is already in the ‘hot’ seat, navigating a very challenging role that requires both deep expertise and experience. To ensure CISOs are equipped to meet this challenge, boards must look beyond what they need from their CISOs to address what CISOs need from them as well.
What the board wants from the CISO
The board has very specific expectations from their chief information security officer that center on effective risk management and communication. Most of all they want transparency and truth. This requires translation skills, as the CISO must translate complex cybersecurity risks into clear business terms and potential impacts that board members can understand and act on.
While clear and concise risk communication is essential, boards also expect regular updates on the organization’s security posture, critical threats, and vulnerabilities that could affect business objectives, all explained without technical jargon.
Let’s remember that board members have personal liability at stake, and they want to see strategic leadership through a long-term security strategy that aligns with business goals, supported by clear metrics and cost-effective resource allocation. It is paramount for CISOs to keep this motivation in mind when talking to the board.
Source : https://www.csoonline.com/article/3829678/what-cisos-need-from-the-board-mutual-expectations-respect.html
Cloud adoption, tool integrations, and AI are spurring significant changes in how security information and event management (SIEM) systems are evolving.
Security information and event management (SIEM) platforms have evolved far beyond their basic log collection and correlation roots.
With cyber threats moving too fast for manual intervention, leading vendors have been integrating artificial intelligence and machine learning technologies into their SIEM platforms.
In addition, modern SIEM platforms now incorporate extended detection and response (XDR) and security orchestration, automation, and response (SOAR), enabling real-time threat detection and automated remediation.
SIEMs have become a platform to monitor log data for anomalies and suspicious events before triggering alerts based on unusual behavior and detection rules.
“[SIEM] often serves as the workspace for security analysts to investigate incidents that are correlations of alerts with other contexts such as asset information, vulnerabilities, and threat intelligence,” according to analyst group IDC. “IDC expects that in the future, the SIEM will also be the response center of the SOC with automated handling of many incidents via playbooks.”
And as enterprise cloud use continues to rise, Google’s Cloud Cybersecurity Forecast predicts that SIEM products will become central to enterprise SOCs (security operations centers) ingesting “everything from cloud logs to endpoint telemetry.”
Joe Turner, global director of research and business development at market intelligence firm Context, notes that larger attack surfaces and more sophisticated attacks are spurring enterprises to invest in SIEM in combination with other technologies, including XDR and SOAR, as a platform to correlate, detect, and remediate threats. As such, his firm reports that the SIEM market grew 20% in 2024.
SIEM, XDR, and SOAR convergence
The convergence of SIEM with security tools such as XDR and SOAR is a major factor driving growth in the market.
SIEM provides log analytics and broad visibility, XDR extends detection across endpoints and cloud, and SOAR orchestrates response.
When SIEM detects a security incident, SOAR triggers automated response actions via XDR — isolating compromised endpoints, disabling compromised user accounts, or blocking malicious traffic in real-time.
Source : https://www.csoonline.com/article/3829750/4-key-trends-reshaping-the-siem-market.html