Category: Cybersecurity

  • Business Case for Agentic AI SOC Analysts


    Security operations centers (SOCs) are under pressure from both sides: threats are growing more complex and frequent, while security budgets are no longer keeping pace. Today’s security leaders are expected to reduce risk and deliver results without relying on larger teams or increased spending.

    At the same time, SOC inefficiencies are draining resources. Studies show that up to half of all alerts are false positives, with some reports citing false positive rates as high as 99 percent. This means highly trained analysts spend a disproportionate amount of time chasing down harmless activity, wasting effort, increasing fatigue, and raising the chance of missing real threats.

    In this environment, the business imperative is clear: maximize the impact of every analyst and every dollar by making security operations faster, smarter, and more focused.

    Enter the Agentic AI SOC Analyst

    The agentic AI SOC Analyst is a force multiplier that enables organizations to do more with the team and technology they already have. By automating repetitive investigations and reducing time wasted on false positives, Agentic AI helps organizations redirect human expertise to the threats and initiatives that matter most, aligning security operations with core business goals of resilience, efficiency, and growth.

    Addressing the Skilled Analyst Shortage

    A key driver behind the business case for agentic AI in the SOC is the acute shortage of skilled security analysts. The global cybersecurity workforce gap is now estimated at 4 million professionals, but the real bottleneck for most organizations is the scarcity of experienced analysts with the expertise to triage, investigate, and respond to modern threats. A 2024 ISC2 survey found that 60% of organizations worldwide reported staff shortages that significantly impact their ability to secure their organizations, and a World Economic Forum report found that just 15% of organizations believe they have the right people with the right skills to respond properly to a cybersecurity incident.

    Existing teams are stretched thin, often forced to prioritize which alerts to investigate and which to leave unaddressed. As previously mentioned, the flood of false positives in most SOCs means that even the most experienced analysts are too distracted by noise, increasing exposure to business-impacting incidents.

    Given these realities, simply adding more headcount is neither feasible nor sustainable. Instead, organizations must focus on maximizing the impact of their existing skilled staff. The AI SOC Analyst addresses this by automating routine Tier 1 tasks, filtering out noise, and surfacing the alerts that truly require human judgment. This not only drives faster investigations and incident response, but also helps retain top talent by reducing burnout and enabling more meaningful, strategic work.

    AI SOC Analysts enable security teams to reduce risk, control cost, and deliver more with less. By automating triage, investigation, and even remediation, they directly improve operational efficiency, reduce the burden on human analysts, and ensure threats are handled before they escalate.

    Reducing noise, focusing on what matters

    AI SOC Analysts apply context and behavioral analysis to understand the threat level of an alert, suppressing low-value alerts and elevating high-risk activity. This drastically reduces alert fatigue and ensures analyst time is spent on real threats, not redundant noise. The result: stronger coverage and faster action, without scaling headcount. Organizations that deploy agentic AI SOC Analysts can see upwards of a 90% reduction in false positive alerts that need analyst review.

    Increasing analyst efficiency and throughput

    Traditional investigation workflows are filled with repetitive, time-consuming tasks: pulling logs, linking evidence, and writing summaries. AI SOC Analysts automate this work, mirroring how experienced analysts think and investigate. The result is a dramatic increase in productivity. Teams can process more cases faster, and focus on strategic tasks like threat hunting and tuning detections.

    Learning and adapting over time

    AI-driven systems do not remain static. Unlike SOAR playbooks, agentic AI continuously improves based on analyst feedback, historical data, and threat intelligence. This means investigation accuracy increases, false positives are reduced, and the SOC becomes more efficient over time. What starts as an automation tool becomes a compounding asset that grows more effective with use. They can even surface insights for detection engineers to create new rules or tune existing ones.

    Metrics that matter to SOC leaders

    AI SOC Analysts drive improvements in the key metrics used to evaluate SOC performance and business impact:

    • Mean time to investigate and mean time to respond: Automated investigations reduce the time from hours to minutes, limiting exposure and enabling faster containment.
    • Dwell time: Faster triage and detection shrinks the window in which attackers can move, steal data, or escalate.
    • Alert closure rates: Higher rates of resolution reflect stronger SOC throughput and fewer ignored alerts.
    • Analyst productivity: When analysts spend less time on repetitive tasks and more time on proactive work, team value increases without growing headcount.

    Unlocking value from your existing stack and team

    AI SOC Analysts enhance the ROI of your existing security stack. By ingesting data from your SIEM, EDR, cloud, and identity platforms, AI ensures every signal is investigated. This closes the loop on alerts that would otherwise be ignored, turning your existing stack into a higher-value investment.

    AI also helps develop internal talent. Clear, consistent investigations act as on-the-job training for junior analysts. They gain exposure to advanced investigative methods without needing years of experience. The result is a more capable team, built faster and at lower cost.

    How Prophet Security Aligns Security with Business Outcomes

    Prophet Security helps organizations move beyond manual investigations and alert fatigue by delivering an agentic AI SOC platform that automates triage, accelerates investigations, and ensures every alert gets the attention it deserves. By integrating across your existing stack, Prophet AI improves analyst efficiency, reduces incident dwell time, and drives faster, more consistent security outcomes.

    Security leaders use Prophet AI to get more value from the people and tools they already have, improve their security posture, and turn day-to-day SOC operations into measurable business results. Visit Prophet Security today to request a demo and see firsthand how Prophet AI can elevate your SOC operations.

    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Chinese Group Silver Fox Uses Fake Websites to Deliver Sainbox RAT and Hidden Rootkit


    Jun 27, 2025 | Ravie Lakshmanan | Malware / Cyber Attack


    A new campaign has been observed leveraging fake websites advertising popular software such as WPS Office, Sogou, and DeepSeek to deliver Sainbox RAT and the open-source Hidden rootkit.

    The activity has been attributed with medium confidence to a Chinese hacking group called Silver Fox (aka Void Arachne), citing similarities in tradecraft with previous campaigns attributed to the threat actor.

    The phishing websites (“wpsice[.]com”) have been found to distribute malicious MSI installers in the Chinese language, indicating that the targets of the campaign are Chinese speakers.

    “The malware payloads include the Sainbox RAT, a variant of Gh0st RAT, and a variant of the open-source Hidden rootkit,” Netskope Threat Labs researcher Leandro Fróes said.


    This is not the first time the threat actor has resorted to this modus operandi. In July 2024, eSentire detailed a campaign that targeted Chinese-speaking Windows users with fake Google Chrome sites to deliver Gh0st RAT.

    Then earlier this February, Morphisec disclosed another campaign that also leveraged bogus sites advertising the web browser that distributed ValleyRAT (aka Winos 4.0), a different version of Gh0st RAT.

    ValleyRAT was first documented by Proofpoint in September 2023 as part of a campaign that also singled out Chinese-speaking users with Sainbox RAT and Purple Fox.


    In the latest attack wave spotted by Netskope, the malicious MSI installers downloaded from the websites launch a legitimate executable named “shine.exe,” which loads a rogue DLL, “libcef.dll,” placed alongside it (DLL side-loading).

    The DLL’s primary objective is to extract shellcode from a text file (“1.txt”) present in the installer and then run it, ultimately resulting in the execution of another DLL payload, a remote access trojan called Sainbox.


    “The .data section of the analyzed payload contains another PE binary that may be executed, depending on the malware’s configuration,” Fróes explained. “The embedded file is a rootkit driver based on the open-source project Hidden.”

    While Sainbox can download additional payloads and steal data, Hidden gives attackers an array of kernel-level stealth features for concealing malware-related processes and Windows Registry keys on compromised hosts.
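    The side-loading step in the chain above (a signed-looking launcher in a user-writable directory loading an unsigned DLL that sits next to it, with the launcher itself spawned by msiexec.exe) is a pattern that can be hunted in image-load telemetry. The script below is an added example written for this page, not Netskope's or anyone else's tooling: it scores constructed Sysmon-style records (Event ID 1 process creation and Event ID 7 image load, with made-up paths and GUIDs) and flags the shine.exe/libcef.dll combination while leaving a validly signed libcef.dll in a program directory alone.

```python
import ntpath

# Constructed Sysmon-style records (Event ID 1 = process creation, Event ID 7 =
# image load). Field names follow Sysmon's schema; every value below is made up
# for this example and mirrors the chain in the article (msiexec -> shine.exe ->
# libcef.dll side-loaded from the same directory).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{P1}", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{P2}", "Image": r"C:\Users\u\AppData\Local\Temp\WPS\shine.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 7, "ProcessGuid": "{P2}", "Image": r"C:\Users\u\AppData\Local\Temp\WPS\shine.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\WPS\libcef.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ProcessGuid": "{P2}", "Image": r"C:\Users\u\AppData\Local\Temp\WPS\shine.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Benign control: a Chromium-based app loading its own, validly signed libcef.dll
    {"EventID": 7, "ProcessGuid": "{P3}", "Image": r"C:\Program Files\SomeApp\someapp.exe",
     "ImageLoaded": r"C:\Program Files\SomeApp\libcef.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

# Path fragments that usually mean "user-writable"; extend for your environment.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\")


def _same_directory(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def _unsigned(event: dict) -> bool:
    # Treat "not signed" and "signed but not Valid" the same way.
    return event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid"


def find_sideload_candidates(events: list[dict]) -> list[dict]:
    """Score image-load events for the side-loading pattern in the article.

    Base condition: an unsigned (or invalidly signed) DLL loaded from the same
    directory as the executable. Each additional indicator adds one point.
    """
    # ProcessGuid -> parent image, so a load event can be enriched with how the process started.
    parents = {e["ProcessGuid"]: e.get("ParentImage", "") for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 7:
            continue
        exe, dll = e["Image"], e["ImageLoaded"]
        if not (_same_directory(exe, dll) and _unsigned(e)):
            continue
        score, reasons = 1, ["unsigned DLL loaded from the executable's own directory"]
        if any(h in dll.lower() for h in USER_WRITABLE_HINTS):
            score += 1
            reasons.append("DLL lives in a user-writable path")
        parent = ntpath.basename(parents.get(e["ProcessGuid"], "")).lower()
        installer_launched = parent == "msiexec.exe"
        if installer_launched:
            score += 1
            reasons.append("loading process was spawned by msiexec.exe")
        findings.append({"process": exe, "dll": dll, "score": score,
                         "installer_launched": installer_launched, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_EVENTS):
        print(f["score"], f["dll"], "; ".join(f["reasons"]))
```

    The check depends on image-load logging being enabled in the Sysmon configuration (Event ID 7 is off by default in most configs) and on an allow-list for legitimate CEF-based applications, which routinely ship their own libcef.dll; without that list the base condition alone is noisy, which is why the score only becomes interesting once the installer-parent or user-writable-path indicators stack on top of it.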

    “Using variants of commodity RATs, such as Gh0st RAT, and open-source kernel rootkits, such as Hidden, gives the attackers control and stealth without requiring a lot of custom development,” Netskope said.



    Source: thehackernews.com…

  • MOVEit Transfer Faces Increased Threats as Scanning Surges and CVE Flaws Are Targeted


    Jun 27, 2025 | Ravie Lakshmanan | Network Security / Vulnerability

    Threat intelligence firm GreyNoise is warning of a “notable surge” in scanning activity targeting Progress MOVEit Transfer systems starting May 27, 2025—suggesting that attackers may be preparing for another mass exploitation campaign or probing for unpatched systems.

    MOVEit Transfer is a popular managed file transfer solution used by businesses and government agencies to share sensitive data securely. Because it often handles high-value information, it has become a favorite target for attackers.

    “Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day,” the company said. “But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28.”

    Since then, daily scanner IP volume has remained intermittently elevated between 200 to 300 IPs per day, GreyNoise added, stating it marks a “significant deviation” from usual behavior.


    As many as 682 unique IPs have been flagged in connection with the activity over the past 90 days, with 449 IP addresses observed in the past 24 hours alone. Of the 449 IPs, 344 have been categorized as suspicious and 77 have been marked malicious.

    A majority of the IP addresses geolocate to the United States, followed by Germany, Japan, Singapore, Brazil, the Netherlands, South Korea, Hong Kong, and Indonesia.

    GreyNoise also said it detected low-volume exploitation attempts against two known MOVEit Transfer flaws (CVE-2023-34362 and CVE-2023-36934) on June 12, 2025. It’s worth noting that CVE-2023-34362 was abused by Cl0p ransomware actors in a widespread campaign in 2023 that impacted more than 2,770 organizations.

    The spike in scanning activity indicates that MOVEit Transfer instances are once again being actively probed, making it essential that users block the offending IP addresses, keep the software up to date, and avoid exposing it directly to the internet.



    Source: thehackernews.com…

  • OneClik Malware Targets Energy Sector Using Microsoft ClickOnce and Golang Backdoors


    Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsoft’s ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas sectors.

    “The campaign exhibits characteristics aligned with Chinese-affiliated threat actors, though attribution remains cautious,” Trellix researchers Nico Paulo Yturriaga and Pham Duy Phuc said in a technical write-up.

    “Its methods reflect a broader shift toward ‘living-off-the-land’ tactics, blending malicious operations within cloud and enterprise tooling to evade traditional detection mechanisms.”

    The phishing attacks, in a nutshell, make use of a .NET-based loader called OneClikNet to deploy a sophisticated Go-based backdoor codenamed RunnerBeacon that’s designed to communicate with attacker-controlled infrastructure that’s obscured using Amazon Web Services (AWS) cloud services.

    ClickOnce is offered by Microsoft as a way to install and update Windows-based applications with minimal user interaction. It was introduced in .NET Framework 2.0. However, the technology can be an attractive means for threat actors looking to execute their malicious payloads without raising any red flags.


    As noted in the MITRE ATT&CK framework, ClickOnce applications can be used to run malicious code through a trusted Windows binary, “dfsvc.exe,” that’s responsible for installing, launching, and updating the apps. The apps are launched as a child process of “dfsvc.exe.”

    “Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install,” MITRE explains. “As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.”

    Trellix said the attack chains begin with phishing emails containing a link to a fake hardware analysis website that serves as a conduit for delivering a ClickOnce application, which, in turn, runs an executable using dfsvc.exe.

    The executable is a ClickOnce loader into which the malicious code is injected via another technique known as AppDomainManager injection, ultimately resulting in encrypted shellcode being decrypted and executed in memory to load the RunnerBeacon backdoor.
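    Two observable artifacts fall out of the chain just described: the ClickOnce application runs as a child of dfsvc.exe, and AppDomainManager injection needs the .NET runtime to be pointed at an attacker-supplied assembly. The article names the technique but does not describe its mechanism; the example below assumes the standard .NET knobs for it, namely the appDomainManagerAssembly and appDomainManagerType elements of an application's .exe.config and the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables. It is an added example written for this page, not Trellix's detection logic, and all process records, paths, names (HWAnalyzer.exe, Loader.Manager) and config files in it are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed process-creation records in Sysmon Event ID 1 shape (all values made up).
# The second entry is a ClickOnce app: it runs from the ClickOnce cache and is a child
# of dfsvc.exe, as the article describes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Apps\2.0\XK0V1A.2\HWAnalyzer.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Constructed .exe.config files. The first redirects the AppDomainManager to an
# attacker-supplied assembly (assumed mechanism of AppDomainManager injection).
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Manager" />
  </runtime>
</configuration>"""

BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

# Map each on-disk config to the executable it belongs to (executable path + ".config").
SAMPLE_CONFIGS = {
    r"C:\Users\u\AppData\Local\Apps\2.0\XK0V1A.2\HWAnalyzer.exe.config": SUSPICIOUS_CONFIG,
}


def clickonce_children(events):
    """Return the images of processes launched by dfsvc.exe, i.e. ClickOnce-deployed apps."""
    return [e["Image"] for e in events
            if ntpath.basename(e.get("ParentImage", "")).lower() == "dfsvc.exe"]


def appdomainmanager_from_config(xml_text):
    """Return (assembly, type) if a .exe.config redirects the AppDomainManager, else None."""
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return asm.get("value"), typ.get("value")


def appdomainmanager_from_env(env):
    """Return the injection-related variables present in a process environment block."""
    keys = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
    return {k: env[k] for k in keys if k in env}


def assess(events, configs, env=None):
    """Combine the checks: ClickOnce children whose config or environment selects a custom AppDomainManager."""
    env_hit = appdomainmanager_from_env(env or {})
    findings = []
    for image in clickonce_children(events):
        cfg = configs.get(image + ".config")
        cfg_hit = appdomainmanager_from_config(cfg) if cfg else None
        if cfg_hit or env_hit:
            findings.append({"image": image, "config": cfg_hit, "env": env_hit})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_EVENTS, SAMPLE_CONFIGS):
        print(f["image"], "->", f["config"])
```

    A dfsvc.exe parent on its own only tells you that a ClickOnce application started, which is normal in shops that deploy line-of-business apps that way; the config and environment checks are what separate a redirected AppDomainManager from ordinary ClickOnce use. Sysmon does not record environment variables, so the env check has to be run against a live process or a memory image rather than against event logs.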

    The Golang implant can communicate with a command-and-control (C2) server over HTTP(S), WebSockets, raw TCP, and SMB named pipes, allowing it to perform file operations, enumerate and terminate running processes, execute shell commands, escalate privileges using token theft and impersonation, and achieve lateral movement.

    Additionally, the backdoor incorporates anti-analysis features to evade detection, and supports network operations like port scanning, port forwarding, and SOCKS5 protocol to facilitate proxy and routing features.

    “RunnerBeacon’s design closely parallels known Go-based Cobalt Strike beacons (e.g. the Geacon/Geacon plus/Geacon Pro family),” the researchers said.

    “Like Geacon, the set of commands (shell, process enumeration, file I/O, proxying, etc.) and use of cross-protocol C2 are very similar. These structural and functional similarities suggest RunnerBeacon may be an evolved fork or a privately modified variant of Geacon, tailored for stealthier, and cloud-friendly operations.”

    Three different variants of OneClik were observed in March 2025 alone: v1a, BPI-MDM, and v1d, each iteration showing progressively better evasion. Notably, a variant of RunnerBeacon had already been identified in September 2023 at an oil and gas company in the Middle East.

    Although techniques like AppDomainManager injection have been used by China- and North Korea-linked threat actors in the past, the activity has not been formally attributed to any known threat actor or group.

    The development comes as QiAnXin detailed a campaign mounted by a threat actor it tracks as APT-Q-14 that has also employed ClickOnce apps to propagate malware by exploiting a zero-day cross-site scripting (XSS) flaw in the web version of an unnamed email platform. The vulnerability, it said, has since been patched.

    The XSS flaw is triggered automatically when a victim opens a phishing email, causing the download of the ClickOnce app. “The body of the phishing email comes from Yahoo News, which coincides with the victim industry,” QiAnXin noted.

    The intrusion sequence serves a mailbox instruction manual as a decoy, while a malicious trojan is stealthily installed on the Windows host to collect and exfiltrate system information to a C2 server and receive unspecified next-stage payloads.


    The Chinese cybersecurity company said APT-Q-14 also focuses on zero-day vulnerabilities in email software for the Android platform.

    APT-Q-14 has been described by QiAnXin as originating from Northeast Asia and having overlaps with other clusters dubbed APT-Q-12 (aka Pseudo Hunter) and APT-Q-15, which are assessed to be sub-groups within a South Korea-aligned threat group known as DarkHotel (aka APT-C-06).

    Earlier this week, Beijing-based 360 Threat Intelligence Center disclosed DarkHotel’s use of the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate Microsoft Defender Antivirus and deploy malware as part of a phishing attack that delivered fake MSI installation packages in February 2025.

    The malware is engineered to establish communication with a remote server to download, decrypt, and execute unspecified shellcode.

    “In general, the [hacking group’s] tactics have tended to be ‘simple’ in recent years: Different from the previous use of heavy-weight vulnerabilities, it has adopted flexible and novel delivery methods and attack techniques,” the company said. “In terms of attack targets, APT-C-06 still focuses on North Korean-related traders, and the number of targets attacked in the same period is greater.”



    Source: thehackernews.com…

  • Critical Open VSX Registry Flaw Exposes Millions of Developers to Supply Chain Attacks


    Jun 26, 2025 | Ravie Lakshmanan | Open Source / Vulnerability

    Cybersecurity researchers have disclosed a critical vulnerability in the Open VSX Registry (“open-vsx[.]org”) that, if successfully exploited, could have enabled attackers to take control of the entire Visual Studio Code extensions marketplace, posing a severe supply chain risk.

    “This vulnerability provides attackers full control over the entire extensions marketplace, and in turn, full control over millions of developer machines,” Koi Security researcher Oren Yomtov said. “By exploiting a CI issue a malicious actor could publish malicious updates to every extension on Open VSX.”

    Following responsible disclosure on May 4, 2025, the maintainers went through multiple rounds of proposed fixes before the final fix was deployed on June 25.


    Open VSX Registry is an open-source project and alternative to the Visual Studio Marketplace. It’s maintained by the Eclipse Foundation. Several code editors like Cursor, Windsurf, Google Cloud Shell Editor, Gitpod, and others integrate it into their services.

    “This widespread adoption means that a compromise of Open VSX is a supply-chain nightmare scenario,” Yomtov said. “Every single time an extension is installed, or an extension update fetched silently in the background, these actions go through Open VSX.”

    The vulnerability discovered by Koi Security is rooted in the publish-extensions repository, which includes scripts to publish open-source VS Code extensions to open-vsx.org.

    Developers can request their extension to be auto-published by submitting a pull request to add it to the extensions.json file present in the repository, after which it’s approved and merged.

    In the backend, this is handled by a GitHub Actions workflow that runs daily at 03:03 UTC, takes the comma-separated list of extensions from the JSON file as input, and publishes them to the registry using the vsce npm package.

    “This workflow runs with privileged credentials including a secret token (OVSX_PAT) of the @open-vsx service account that has the power to publish (or overwrite) any extension in the marketplace,” Yomtov said. “In theory, only trusted code should ever see that token.”

    “The root of the vulnerability is that npm install runs the arbitrary build scripts of all the auto-published extensions, and their dependencies, while providing them with access to the OVSX_PAT environment variable.”


    This means that it’s possible to obtain access to the @open-vsx account’s token, enabling privileged access to the Open VSX Registry, and providing an attacker with the ability to publish new extensions and tamper with existing ones to insert malicious code.
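    The structural problem is that untrusted code (the lifecycle scripts of every auto-published extension and its dependencies) runs in the same job, and therefore the same environment, as the publishing token. The fragment below is an added, illustrative GitHub Actions workflow written for this page; it is not the open-vsx publish-extensions workflow and does not claim to reproduce its fix. It contrasts the weak shape with one where lifecycle scripts are disabled and the secret only ever exists in a separate job that touches the already-packaged artifact. The `npx vsce package` and `npx ovsx publish` commands and the action versions are assumptions for the sake of the example.

```yaml
# Illustrative only; not the project's workflow.
jobs:
  publish-weak:
    runs-on: ubuntu-latest
    env:
      OVSX_PAT: ${{ secrets.OVSX_PAT }}   # job-level: inherited by every step and child process
    steps:
      - uses: actions/checkout@v4
      - run: npm install                   # runs preinstall/install/postinstall of all deps, token in env
      - run: npx ovsx publish

  build:                                   # runs untrusted extension code and has NO secrets
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts       # no third-party lifecycle scripts
      - run: npx vsce package --out ext.vsix   # assumed packaging command
      - uses: actions/upload-artifact@v4
        with:
          name: vsix
          path: ext.vsix

  publish:                                 # trusted job: only sees the packaged artifact
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: vsix
      - run: npx ovsx publish ext.vsix
        env:
          OVSX_PAT: ${{ secrets.OVSX_PAT }}   # scoped to the single step that needs it
```

    `--ignore-scripts` will break extensions whose build genuinely relies on lifecycle hooks; the point of the split is that even if those scripts must run, they run in the `build` job, where there is no token to steal. The same separation applies to any registry or package-index publishing pipeline, not only Open VSX.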

    The risk posed by extensions has not gone unnoticed by MITRE, which has introduced a new “IDE Extensions” technique in its ATT&CK framework as of April 2025, stating it could be abused by malicious actors to establish persistent access to victim systems.

    “Every marketplace item is a potential backdoor,” Yomtov said. “They’re unvetted software dependencies with privileged access, and they deserve the same diligence as any package from PyPI, npm, Hugging Face, or GitHub. If left unchecked, they create a sprawling, invisible supply chain that attackers are increasingly exploiting.”



    Source: thehackernews.com…

  • New FileFix Method Emerges as a Threat Following 517% Rise in ClickFix Attacks


    Jun 26, 2025 | Ravie Lakshmanan | Cyber Attack / Malware Analysis

    Use of the ClickFix social engineering tactic, in which fake CAPTCHA verifications serve as an initial access vector, increased by 517% between the second half of 2024 and the first half of this year, according to data from ESET.

    “The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors,” Jiří Kropáč, Director of Threat Prevention Labs at ESET, said.

    ClickFix has become a widely popular and deceptive method that employs bogus error messages or CAPTCHA verification checks to deceive victims into copying and pasting a malicious script into either the Windows Run dialog or the Apple macOS Terminal app, and running it.

    The Slovak cybersecurity company said the highest volume of ClickFix detections is concentrated around Japan, Peru, Poland, Spain, and Slovakia.

    The prevalence and effectiveness of this attack method have led to threat actors advertising builders that provide other attackers with ClickFix-weaponized landing pages, ESET added.

    From ClickFix to FileFix

    The development comes as security researcher mrd0x demonstrated a proof-of-concept (PoC) alternative to ClickFix named FileFix that works by tricking users into copying and pasting a file path into Windows File Explorer.

    The technique essentially involves achieving the same as ClickFix but in a different manner by combining File Explorer’s ability to execute operating system commands through the address bar with a web browser’s file upload feature.


    In the attack scenario devised by the researcher, a threat actor may build a phishing page that, instead of displaying a fake CAPTCHA check, tells the prospective target that a document has been shared with them and that they need to paste its file path into the File Explorer address bar (opened by pressing CTRL + L).

    The phishing page also includes a prominent “Open File Explorer” button that, upon clicking, opens File Explorer and copies a malicious PowerShell command to the user’s clipboard. Thus, when the victim pastes the “file path,” the attacker’s command is executed instead.

    This, in turn, is achieved by altering the copied text so that the PowerShell command comes first, followed by enough spaces to push the rest out of view and a pound sign (“#”) that turns the fake file path into a comment: “Powershell.exe -c ping example.com<space># C:\<path_to_file>\decoy.doc”.

    “Additionally, our PowerShell command will concatenate the dummy file path after a comment in order to hide the command and show the file path instead,” mrd0x said.
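    The command line that results from the trick above has a recognisable shape in process-creation telemetry: a shell spawned by explorer.exe, a long run of spaces, and a trailing `#` comment whose content is a file path. The script below is an added example written for this page, not the researcher's proof of concept, and scores constructed Sysmon-style records (made-up paths and command lines) for that shape while passing over two benign PowerShell launches.

```python
import ntpath
import re

# Constructed process-creation records (Sysmon Event ID 1 shape; all values made up).
SAMPLE_EVENTS = [
    # FileFix shape: explorer.exe launches PowerShell; the real command is padded with
    # spaces and a "#" comment so the address bar showed only the decoy document path.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "Powershell.exe -c ping example.com" + " " * 200 + r"# C:\company\files\Q2-report.docx"},
    # Benign: a script started from Explorer with no comment or padding
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    # Benign: an editor's integrated terminal with an ordinary comment
    {"ParentImage": r"C:\Program Files\VSCode\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c ping example.com    # quick reachability check"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# A "#" comment whose content is a drive-letter or UNC path, at the end of the command line.
TRAILING_PATH_COMMENT = re.compile(r"#\s*((?:[A-Za-z]:\\|\\\\)[^#]*?)\s*$")
# A run of 20+ spaces is the padding used to push the command out of the visible address bar.
PADDING = re.compile(r" {20,}")


def find_filefix_candidates(events, threshold=3):
    """Score process-creation events for the FileFix command-line shape."""
    findings = []
    for e in events:
        image = ntpath.basename(e["Image"]).lower()
        parent = ntpath.basename(e["ParentImage"]).lower()
        cmd = e["CommandLine"]
        if image not in SHELLS:
            continue
        score, reasons, decoy = 0, [], None
        if parent == "explorer.exe":          # address bar and Run dialog both launch via explorer.exe
            score += 1
            reasons.append("shell spawned by explorer.exe")
        m = TRAILING_PATH_COMMENT.search(cmd)
        if m:                                  # the strongest signal: a file path hidden behind "#"
            decoy = m.group(1)
            score += 2
            reasons.append("trailing '#' comment contains a file path")
        if PADDING.search(cmd):
            score += 1
            reasons.append("long whitespace padding inside the command line")
        if score >= threshold:
            findings.append({"command": cmd.strip(), "score": score,
                             "decoy_path": decoy, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_filefix_candidates(SAMPLE_EVENTS):
        print(f["score"], f["decoy_path"], "; ".join(f["reasons"]))
```

    An explorer.exe parent on its own is far too common to alert on, which is why it contributes only one point; the path-in-comment signal is what distinguishes FileFix from ClickFix's Run-dialog variant, and the padding check guards against a trivial variant that drops the comment but keeps the visual hiding.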

    Phishing Campaigns Galore

    The surge in ClickFix campaigns also coincides with the discovery of various phishing campaigns that –

    “Emails containing SharePoint links are less likely to be flagged as malicious or phishing by EDR or antivirus software. Users also tend to be less suspicious, believing Microsoft links are inherently safer,” CyberProof said.

    “Since phishing pages are hosted on SharePoint, they are often dynamic and accessible only through a specific link for a limited time, making them harder for automated crawlers, scanners, and sandboxes to detect.”



    Source: thehackernews.com…

  • Critical RCE Flaws in Cisco ISE and ISE-PIC Allow Unauthenticated Attackers to Gain Root Access


    Jun 26, 2025 | Ravie Lakshmanan | Vulnerability / Network Security


    Cisco has released updates to address two maximum-severity security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could permit an unauthenticated attacker to execute arbitrary commands as the root user.

    The vulnerabilities, assigned the CVE identifiers CVE-2025-20281 and CVE-2025-20282, carry a CVSS score of 10.0 each. A description of the defects is below –

    • CVE-2025-20281 – An unauthenticated remote code execution vulnerability affecting Cisco ISE and ISE-PIC releases 3.3 and later that could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root
    • CVE-2025-20282 – An unauthenticated remote code execution vulnerability affecting Cisco ISE and ISE-PIC release 3.4 that could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and execute those files on the underlying operating system as root

    Cisco said CVE-2025-20281 is the result of insufficient validation of user-supplied input, which an attacker could exploit by sending a crafted API request to obtain elevated privileges and run commands.


    In contrast, CVE-2025-20282 stems from a lack of file validation checks that would otherwise prevent the uploaded files from being placed in privileged directories.

    “A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system,” Cisco said.

    The networking equipment vendor said there are no workarounds that address the issues. The shortcomings have been addressed in the below versions –

    • CVE-2025-20281 – Cisco ISE or ISE-PIC 3.3 Patch 6 (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz), 3.4 Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz)
    • CVE-2025-20282 – Cisco ISE or ISE-PIC 3.4 Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz)

    The company credited Bobby Gould of Trend Micro Zero Day Initiative and Kentaro Kawane of GMO Cybersecurity for reporting CVE-2025-20281. Kawane, who previously reported CVE-2025-20286 (CVSS score: 9.9), has also been acknowledged for reporting CVE-2025-20282.

    While there is no evidence that the vulnerabilities have been exploited in the wild, it’s essential that users move quickly to apply the fixes to safeguard against potential threats.



    Source: thehackernews.com…

  • The Hidden Risks of SaaS: Why Built-In Protections Aren't Enough for Modern Data Resilience


    SaaS Adoption is Skyrocketing, Resilience Hasn’t Kept Pace

    SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience.

    It doesn’t.

    These platforms weren’t built with full-scale data protection in mind. Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage.

    Modern organizations are being stretched across:

    • Hybrid and multi-cloud environments with decentralized data sprawl
    • Complex integration layers between IaaS, SaaS, and legacy systems
    • Expanding regulatory pressure with steeper penalties for noncompliance
    • Escalating ransomware threats and insider risk
    • Shrinking recovery windows and rising expectations for uptime

    Built-in protections were never meant to handle this level of complexity, and they rarely do. By the time you realize the gap, the damage is already done.

    Why Traditional Protection Falls Short

    Too many businesses still rely on outdated, fragmented, or overly simplistic backup strategies. They assume that cloud equals safe; or worse, that native features like recycle bins or version history are “good enough.” But most built-in tools are shallow by design. They prioritize collaboration and performance, not resilience.

    And while that’s great for getting work done, it’s not enough to keep your business running when the unexpected hits. Let’s break down the risks.

    1. Human Error Is Ubiquitous

    Start with a question: What’s the most common reason for data loss in SaaS environments? Simple mistakes. Data loss goes beyond cyberthreats and natural disasters. Files are deleted, syncs are misconfigured, records are overwritten in bulk by well-meaning users, rushed decisions, or miscommunication. These are everyday mistakes caused by trusted employees whose intentions are aligned with yours.

    Data risk is therefore an inherent part of owning data. Yet most SaaS platforms offer only limited rollback options, and some don’t cover the specific types of data you actually lost. If you don’t catch the mistake in time, or if the data bypasses the recycle bin entirely, it’s gone; for many mistakes, recovery isn’t as simple as clicking “undo.”

    As organizations lean more heavily on SaaS tools for business-critical operations, the cost of these errors rises. One wrong deletion shouldn’t derail a product launch, delay an audit, or disrupt customer service. But without a recovery plan that goes deeper than native tools, that’s exactly what can happen.

    2. Legal, Compliance, and Regulatory Risks

    Compliance is about proving you can find your data, restore it, and report on it quickly. In 2024, new regulations and smarter attackers raised the stakes even higher. Frameworks like GDPR, HIPAA, SOX, and NIS2 come with real teeth: heavy fines, operational disruption, and reputational damage.

    Now, organizations can’t afford to rely on good intentions. They need tools built for full accountability. Unfortunately, most native SaaS platforms don’t give you that level of control or visibility, meaning they don’t meet most regulatory requirements. Retention policies are too short, recovery options too limited, and auditing capabilities too shallow.

    Many industries require organizations to retain records for years, not weeks. Staying compliant (and staying in control) requires a real strategy and the right tools to back it up.

    3. The True Cost of Data Loss

    Some large enterprises understand the importance of compliance without necessarily prioritizing it. But the fines you pay for data loss or noncompliance are only the minimum, mandatory cost. Even for the largest organizations with the deepest pockets, downtime hits hard.

    Data loss rarely stays in the IT department. Amid a crisis or serious incident, teams are pulled away from critical projects. Customers grow frustrated with lack of service. Revenue takes a hit as your business simply cannot continue operations. And beyond it all, trust with investors, partners, or the public begins to erode.

    Too often, businesses treat data loss as hypothetical. But this landslide can start with a single missing file, record, or user. Ask any team that’s been through it, and you’ll hear, “once is enough.” Whether it was ransomware, accidental deletion, or a failed recovery, the damage is rarely isolated, and the true costs are never foreseen.

    4. Internal Threats

    Internal threats are some of the most underestimated risks out there, and some of the most damaging. Employees, contractors, and vendors with access to sensitive systems can expose data, whether by mistake or on purpose. These aren’t headline-making attacks from the outside, but quiet breaches from within, and by the time you catch them, critical data may already be gone.

    Whether malicious or accidental, insider threats are easy to miss in SaaS. With teams working across locations, systems, and devices, visibility is limited — and oversight is tougher than ever, so internal threats can slip past traditional defenses.

    Access mismanagement, privilege creep, and poor Role-Based Access Control (RBAC) hygiene can expose sensitive data in ways external actors never could. Most SaaS platforms weren’t built to detect or respond to these kinds of quiet, internal failures.

    5. Cyberthreats Are Evolving Faster Than Defense

    Today’s attacks steal data, corrupt environments, and pressure businesses through multi-phase extortion. Groups like Akira, which has led ransomware activity for 18 consecutive months, have shown how easily attackers can pivot into SaaS environments by exploiting token misconfigurations and shared credentials. If something as quiet, indiscriminate, and devastating as Akira is ransomware’s most common form today, the true danger of cyberthreats in the coming years is impossible to foresee.

    What we do know is that, in 2024, the average ransom payment exceeded half a million dollars, and attacks targeted organizations of every size, type, and industry. Even when data isn’t encrypted directly, business operations still grind to a halt. And in a multi-cloud world, one compromised app can cascade across others.

    SaaS providers aren’t built to defend your business against these threats. They’ll keep the lights on. They won’t get your data back.

    6. Recovery Speed Defines Success

    Disruptions come in many forms — ransomware, outages, natural disasters — and when they hit, the clock starts ticking. Most teams aren’t set up to recover quickly enough. According to Gartner, ransomware recovery often drags on for weeks. Downtime cuts into revenue, frustrates customers, and drains internal resources. In sectors like healthcare, finance, and government, where every minute counts, the cost can escalate fast.

    Customers expect availability. When systems go dark, patience wears thin, and brand trust takes a hit. But in many organizations, recovery is still manual, clunky, or all-or-nothing. You’re forced to choose between waiting hours to restore everything — or giving up on what’s lost.

    The Lesson is Clear

    The shift to SaaS has reshaped how organizations approach data management, revealing crucial lessons about efficiency, agility, and resource optimization. Modern businesses have the potential to thrive when they adopt a SaaS data solution, which remains the clear, strategic choice for future-ready IT operations. But as we’ve seen, the bar is set high.

    What Modern SaaS Data Resilience Looks Like

    SaaS applications are incredibly powerful — but they also introduce real risk to your data. Protecting that data isn’t easy, but it’s essential. Doing it right means having the ability to:

    • Restore data quickly and precisely — even down to a single object or record
    • Run automated, policy-driven backups without constant oversight
    • Build in security from the start with features like immutability, encryption, and RBAC
    • Align retention policies with your compliance obligations
    • Manage everything — SaaS, IaaS, hybrid — from a single, unified interface

    It’s a long list. And a complex one. But modern resilience isn’t just a checklist — it’s a mindset. And it demands a platform built to keep up. For everything you need to know, read this e-book:

    6 Essential Traits of Modern SaaS Data Resilience

    SaaS Data Resilience with Veeam Data Cloud

    Protecting your data shouldn’t be complicated. With Veeam Data Cloud, you’re empowered by a unified cloud platform, integrating industry-leading innovation, modern cloud-native technologies, and powerful AI acceleration to secure, protect, and manage your data wherever it resides.

    • Realize True Resilience: Ensure uninterrupted business operations through intelligent automation, policy-driven protection, and precise, rapid recoveries.
    • Embed Security at Every Level: Safeguard your sensitive data proactively with integrated Zero Trust architecture, robust encryption, immutability, and intelligent threat detection.
    • Drive Operational Excellence: Streamline operations, significantly reduce total cost of ownership (TCO), and boost efficiency with an intuitive, AI-accelerated interface.

    Don’t wait for disruption to test your readiness. Choose Veeam Data Cloud and confidently embrace a future where your data resilience strategy actively drives efficiency, compliance, and business continuity.

    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Iranian APT35 Hackers Targeting Israeli Tech Experts with AI-Powered Phishing Attacks


    Jun 26, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware


    An Iranian state-sponsored hacking group associated with the Islamic Revolutionary Guard Corps (IRGC) has been linked to a spear-phishing campaign targeting journalists, high-profile cyber security experts, and computer science professors in Israel.

    “In some of those campaigns, Israeli technology and cyber security professionals were approached by attackers who posed as fictitious assistants to technology executives or researchers through emails and WhatsApp messages,” Check Point said in a report published Wednesday. “The threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations.”

    The cybersecurity company attributed the activity to a threat cluster it tracks as Educated Manticore, which overlaps with APT35 (and its sub-cluster APT42), CALANQUE, Charming Kitten, CharmingCypress, Cobalt Illusion, ITG18, Magic Hound, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.


    The advanced persistent threat (APT) group has a long history of orchestrating social engineering attacks using elaborate lures, approaching targets on various platforms like Facebook and LinkedIn using fictitious personas to trick victims into deploying malware on their systems.

    Check Point said it observed a new wave of attacks starting mid-June 2025 following the outbreak of the Iran-Israel war that targeted Israeli individuals using fake meeting decoys, either via emails or WhatsApp messages tailored to the targets. It’s believed that the messages are crafted using artificial intelligence (AI) tools.

    One of the WhatsApp messages flagged by the company took advantage of the current geopolitical tensions between the two countries to coax the victim into joining a meeting, claiming they needed their immediate assistance on an AI-based threat detection system to counter a surge in cyber attacks targeting Israel since June 12.

    The initial messages, like those observed in previous Charming Kitten campaigns, are devoid of any malicious artifacts and are primarily designed to gain the trust of their targets. Once the threat actors build rapport over the course of the conversation, the attack moves to the next phase by sharing links that direct the victims to fake landing pages capable of harvesting their Google account credentials.

    “Before sending the phishing link, threat actors ask the victim for their email address,” Check Point said. “This address is then pre-filled on the credential phishing page to increase credibility and mimic the appearance of a legitimate Google authentication flow.”

    “The custom phishing kit […] closely imitates familiar login pages, like those from Google, using modern web technologies such as React-based Single Page Applications (SPA) and dynamic page routing. It also uses real-time WebSocket connections to send stolen data, and the design allows it to hide its code from additional scrutiny.”


    The fake page is part of a custom phishing kit that can capture not only victims’ credentials but also two-factor authentication (2FA) codes, effectively facilitating 2FA relay attacks. The kit also incorporates a passive keylogger to record all keystrokes entered by the victim and exfiltrate them in the event the user abandons the process midway.

    Some of the social engineering efforts have also involved the use of Google Sites domains to host bogus Google Meet pages with an image that mimics the legitimate meeting page. Clicking anywhere on the image directs the victim to phishing pages that trigger the authentication process.

    “Educated Manticore continues to pose a persistent and high-impact threat, particularly to individuals in Israel during the escalation phase of the Iran-Israel conflict,” Check Point said.

    “The group continues to operate steadily, characterized by aggressive spear-phishing, rapid setup of domains, subdomains, and infrastructure, and fast-paced takedowns when identified. This agility allows them to remain effective under heightened scrutiny.”



    Source: thehackernews.com…

  • Cyber Criminals Exploit Open-Source Tools to Compromise Financial Institutions Across Africa


    Jun 26, 2025 | Ravie Lakshmanan | Threat Intelligence / Ransomware

    Cybersecurity researchers are calling attention to a series of cyber attacks targeting financial organizations across Africa since at least July 2023 using a mix of open-source and publicly available tools to maintain access.

    Palo Alto Networks Unit 42 is tracking the activity under the moniker CL-CRI-1014, where “CL” refers to “cluster” and “CRI” stands for “criminal motivation.”

    It’s suspected that the end goal of the attacks is to obtain initial access and then sell it to other criminal actors on underground forums, making the threat actor an initial access broker (IAB).

    “The threat actor copies signatures from legitimate applications to forge file signatures, to disguise their toolset and mask their malicious activities,” researchers Tom Fakterman and Guy Levi said. “Threat actors often spoof legitimate products for malicious purposes.”


    The attacks are characterized by the deployment of tools like PoshC2 for command-and-control (C2), Chisel for tunneling malicious network traffic, and Classroom Spy for remote administration.

    The exact method the threat actors use to breach target networks is not clear. Once a foothold is obtained, the attack chains have been found to deploy MeshCentral Agent and later Classroom Spy to commandeer the machines, and then drop Chisel to bypass firewalls and spread PoshC2 to other Windows hosts on the compromised network.

    To sidestep detection efforts, the payloads are passed off as legitimate software, using the icons of Microsoft Teams, Palo Alto Networks Cortex, and Broadcom VMware Tools. PoshC2 is persisted on the systems using three different methods:

    • Setting up a service
    • Saving a Windows shortcut (LNK) file to the tool in the Startup folder
    • Using a scheduled task under the name “Palo Alto Cortex Services”
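    The three persistence methods listed above map onto host events a defender can watch for. The following is an added example (not Unit 42 detection content) that flags them in constructed Windows event records; the simplified event schema, field names and sample paths are assumptions of this example, and the only page-specific value is the task name “Palo Alto Cortex Services”.

```python
"""Flag PoshC2-style persistence (service, Startup LNK, spoofed scheduled task)
in constructed Windows event records. Hypothetical schema, not Unit 42 content."""
import re

# Constructed sample events, loosely modelled on Security 4698 (task created),
# System 7045 (service installed) and Sysmon 11 (file created).
SAMPLE_EVENTS = [
    {"id": 4698, "task": r"\Palo Alto Cortex Services",
     "command": r"C:\Users\jdoe\AppData\Roaming\cortex\cortex.exe"},
    {"id": 4698, "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe"},
    {"id": 7045, "service": "TeamsUpdater",
     "image": r"C:\ProgramData\teams\Teams.exe"},
    {"id": 7045, "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 11, "path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\Teams.lnk"},
    {"id": 11, "path": r"C:\Users\jdoe\Documents\notes.txt"},
]

# Locations a vendor-installed service or task action would not normally run from.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
# A shortcut written into a per-user Startup folder (the LNK persistence method).
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# Task name reported in the article, matched case-insensitively.
SPOOFED_TASK = "palo alto cortex services"


def classify(event):
    """Return a one-line finding for a suspicious event, or None if benign."""
    if event["id"] == 4698:
        if SPOOFED_TASK in event["task"].lower():
            return f"scheduled task spoofing vendor name: {event['task']}"
        if USER_WRITABLE.search(event["command"]):
            return f"scheduled task running from user-writable path: {event['command']}"
    elif event["id"] == 7045 and USER_WRITABLE.search(event["image"]):
        return f"service installed from user-writable path: {event['image']}"
    elif event["id"] == 11 and STARTUP_LNK.search(event["path"]):
        return f"shortcut dropped in Startup folder: {event['path']}"
    return None


def scan(events):
    """Run classify() over a list of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```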

    In some incidents observed by the cybersecurity company, the threat actors are said to have stolen user credentials and used them to set up a proxy using PoshC2.

    “PoshC2 can use a proxy to communicate with a command-and-control (C2) server, and it appears that the threat actor tailored some of the PoshC2 implants specifically for the targeted environment,” the researchers noted.

    This is not the first time PoshC2 has been used in attacks aimed at financial services in Africa. In September 2022, Check Point detailed a spear-phishing campaign dubbed DangerousSavanna that targeted financial and insurance companies located in Ivory Coast, Morocco, Cameroon, Senegal, and Togo to deliver Metasploit, PoshC2, DWservice, and AsyncRAT.


    The disclosure comes as Trustwave SpiderLabs shed light on a new ransomware group called Dire Wolf that has already claimed 16 victims across the U.S., Thailand, Taiwan, Australia, Bahrain, Canada, India, Italy, Peru, and Singapore since its emergence last month. The top targeted sectors are technology, manufacturing, and financial services.

    Analysis of the Dire Wolf locker has revealed that it’s written in Golang, and comes with capabilities to disable system logging, terminate a hard-coded list of 75 services and 59 applications, and inhibit recovery efforts by deleting shadow copies.

    “Although no initial access, reconnaissance or lateral movement techniques used by Dire Wolf are known at this point, organizations shall follow good security practices as well as enable monitoring for the techniques revealed in this analysis,” the company said.



    Source: thehackernews.com…