Tag: Cyber Security

  • Cyber Espionage Campaign Hits Russian Aerospace Sector Using EAGLET Backdoor

    Jul 25, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware

    Russian aerospace and defense industries have become the target of a cyber espionage campaign that delivers a backdoor called EAGLET to facilitate data exfiltration.

    The activity, dubbed Operation CargoTalon, has been assigned to a threat cluster tracked as UNG0901 (short for Unknown Group 901).

    “The campaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft production entities in Russia via using товарно-транспортная накладная (TTN) documents — critical to Russian logistics operations,” Seqrite Labs researcher Subhajeet Singha said in an analysis published this week.

    The attack commences with a spear-phishing email bearing cargo delivery-themed lures that contain a ZIP archive, within which is a Windows shortcut (LNK) file that uses PowerShell to display a decoy Microsoft Excel document, while also deploying the EAGLET DLL implant on the host.

    The decoy document, per Seqrite, references Obltransterminal, a Russian railway container terminal operator that was sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) in February 2024.

    EAGLET is designed to gather system information and establish a connection to a hard-coded remote server (“185.225.17[.]104”) in order to process the HTTP response from the server and extract the commands to be executed on the compromised Windows machine.

    The implant supports shell access and the ability to upload/download files, although the exact nature of the next-stage payloads delivered through this method is unknown, given that the command-and-control (C2) server is currently offline.

    Seqrite said it also uncovered similar campaigns targeting the Russian military sector with EAGLET, not to mention source code and targeting overlaps with another threat cluster tracked as Head Mare that’s known to target Russian entities.

    This includes the functional parallels between EAGLET and PhantomDL, a Go-based backdoor with a shell and file download/upload feature, as well as the similarities in the naming scheme used for the phishing message attachments.

    The disclosure comes as the Russian state-sponsored hacking group called UAC-0184 (aka Hive0156) has been attributed to a fresh attack wave targeting victims in Ukraine with Remcos RAT as recently as this month.

    While the threat actor has a history of delivering Remcos RAT since early 2024, newly spotted attack chains distributing the malware have been simplified, employing weaponized LNK or PowerShell files to retrieve the decoy file and the Hijack Loader (aka IDAT Loader) payload, which then launches Remcos RAT.

    “Hive0156 delivers weaponized Microsoft LNK and PowerShell files, leading to the download and execution of Remcos RAT,” IBM X-Force said, adding it “observed key decoy documents featuring themes that suggest a focus on the Ukrainian military and evolving to a potential wider audience.”


    Source: thehackernews.com…

  • Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks

    Jul 25, 2025 | Ravie Lakshmanan | Malware / Cloud Security

    Threat hunters have disclosed two different malware campaigns that have targeted vulnerabilities and misconfigurations across cloud environments to deliver cryptocurrency miners.

    The threat activity clusters have been codenamed Soco404 and Koske by cloud security firms Wiz and Aqua, respectively.

    Soco404 “targets both Linux and Windows systems, deploying platform-specific malware,” Wiz researchers Maor Dokhanian, Shahar Dorfman, and Avigayil Mechtinger said. “They use process masquerading to disguise malicious activity as legitimate system processes.”

    The name Soco404 is a reference to the fact that payloads are embedded in fake 404 HTML pages hosted on websites built using Google Sites. The bogus sites have since been taken down by Google.

    Wiz posited that the campaign, which has been previously observed going after Apache Tomcat services with weak credentials, as well as susceptible Apache Struts and Atlassian Confluence servers using the Sysrv botnet, is part of a broader crypto-scam infrastructure, including fraudulent cryptocurrency trading platforms.

    The latest campaign has also been found to target publicly-accessible PostgreSQL instances, with the attackers also abusing compromised Apache Tomcat servers to host payloads tailored for both Linux and Windows environments. Also hacked by the attackers is a legitimate Korean transportation website for malware delivery.

    Once initial access is obtained, PostgreSQL’s COPY … FROM PROGRAM SQL command is exploited to run arbitrary shell commands on the host and achieve remote code execution.

    “The attacker behind Soco404 appears to be conducting automated scans for exposed services, aiming to exploit any accessible entry point,” Wiz said. “Their use of a wide range of ingress tools, including Linux utilities like wget and curl, as well as Windows-native tools such as certutil and PowerShell, highlights an opportunistic strategy.”

    On Linux systems, a dropper shell script is executed directly in memory to download and launch a next-stage payload, while simultaneously taking steps to terminate competing miners to maximize financial gain and limit forensic visibility by overwriting logs associated with cron and wtmp.

    The payload executed in the next-stage is a binary that serves as a loader for the miner by contacting an external domain (“www.fastsoco[.]top”) that’s based on Google Sites.

    The attack chain for Windows leverages the initial post-exploitation command to download and execute a Windows binary, which, like its Linux counterpart, functions akin to a loader that embeds both the miner and the WinRing0.sys driver, the latter being used to obtain NT\SYSTEM privileges.

    On top of that, the malware attempts to stop the Windows event log service and executes a self-deletion command to evade detection.

    “Rather than relying on a single method or operating system, the attacker casts a wide net, deploying whichever tool or technique is available in the environment to deliver their payload,” the company said. “This flexible approach is characteristic of a broad, automated cryptomining campaign focused on maximizing reach and persistence across varied targets.”

    The discovery of Soco404 dovetails with the emergence of a new Linux threat dubbed Koske that’s suspected to be developed with assistance from a large language model (LLM) and uses seemingly innocuous images of pandas to propagate the malware.

    The attack starts with the exploitation of a misconfigured server, such as JupyterLab, to install various scripts from two JPEG images, including a C-based rootkit that’s used to hide malware-related files using LD_PRELOAD and a shell script that ultimately downloads cryptocurrency miners on the infected system. Both payloads are directly executed in memory to avoid leaving traces on disk.

    Koske’s end goal is to deploy CPU and GPU-optimized cryptocurrency miners that take advantage of the host’s computational resources to mine 18 distinct coins, such as Monero, Ravencoin, Zano, Nexa, and Tari, among others.

    “These images are polyglot files, with malicious payloads appended to the end. Once downloaded, the malware extracts and executes the malicious segments in memory, bypassing antivirus tools,” Aqua researcher Assaf Morag said.

    “This technique isn’t steganography but rather polyglot file abuse or malicious file embedding. This technique uses a valid JPG file with malicious shellcode hidden at the end. Only the last bytes are downloaded and executed, making it a sneaky form of polyglot abuse.”
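
    A defender-side check for the appended-data structure described above, as an added example that is not from Aqua's report or the original article: it walks the JPEG marker stream to the real end-of-image (EOI) marker and reports whatever follows it. The sample bytes, function names and trailer heuristics are constructed for illustration.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM and RST0..RST7.
STANDALONE = {0x01} | set(range(0xD0, 0xD8))


def _skip_scan(data: bytes, pos: int) -> int:
    """Skip entropy-coded scan data; return the offset of the next real marker."""
    while True:
        pos = data.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(data):
            raise ValueError("truncated JPEG (scan data never ends)")
        nxt = data[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos += 2          # stuffed 0xFF byte or restart marker: still scan data
        elif nxt == 0xFF:
            pos += 1          # fill byte before a marker
        else:
            return pos        # a real marker (EOI, or DHT/SOS in progressive files)


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker that closes the image."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1          # skip the 0xFF prefix and any fill bytes
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == 0x00:
            raise ValueError("stuffed byte outside scan data")
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            break
        (seglen,) = struct.unpack(">H", data[pos:pos + 2])
        if seglen < 2:
            raise ValueError("invalid segment length")
        pos += seglen         # skips the whole segment, embedded thumbnails included
        if marker == SOS:
            pos = _skip_scan(data, pos)
    raise ValueError("truncated JPEG (no EOI found)")


def classify_trailer(trailer: bytes) -> str:
    """Rough triage hint for bytes found after EOI (heuristics are assumptions)."""
    if not trailer:
        return "none"
    if not trailer.strip(b"\x00\r\n\t "):
        return "padding"
    if trailer.startswith(b"\x7fELF"):
        return "elf"
    if trailer.startswith(b"#!"):
        return "script"
    return "unknown"


def inspect_jpeg(data: bytes) -> dict:
    end = jpeg_end_offset(data)
    trailer = data[end:]
    return {"image_end": end, "trailer_len": len(trailer),
            "hint": classify_trailer(trailer)}


# Constructed sample: a structurally valid marker stream (not a decodable picture)
# whose APP1 segment embeds a thumbnail with its own SOI/EOI pair.
TRAILER = b"#!/bin/sh\necho constructed-trailer\n"


def build_sample(trailer: bytes = b"") -> bytes:
    thumb = b"\xff\xd8" + b"\x11" * 4 + b"\xff\xd9"
    payload = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_body) + 2) + sos_body
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"   # includes a stuffed byte and RST0
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    for name, blob in (("clean", build_sample()), ("polyglot", build_sample(TRAILER))):
        print(name, inspect_jpeg(blob))
```

    Searching for the first `FF D9` would stop inside the embedded thumbnail, which is why the check walks segments instead. Some cameras and editors append legitimate data after EOI, so a trailer is a triage signal to review rather than a verdict.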


    Source: thehackernews.com…

  • Overcoming Risks from Chinese GenAI Tool Usage

    Jul 25, 2025 | The Hacker News | Artificial Intelligence / Data Privacy

    A recent analysis of enterprise data suggests that generative AI tools developed in China are being used extensively by employees in the US and UK, often without oversight or approval from security teams. The study, conducted by Harmonic Security, also identifies hundreds of instances in which sensitive data was uploaded to platforms hosted in China, raising concerns over compliance, data residency, and commercial confidentiality.

    Over a 30-day period, Harmonic examined the activity of a sample of 14,000 employees across a range of companies. Nearly 8 percent were found to have used China-based GenAI tools, including DeepSeek, Kimi Moonshot, Baidu Chat, Qwen (from Alibaba), and Manus. These applications, while powerful and easy to access, typically provide little information on how uploaded data is handled, stored, or reused.

    The findings underline a widening gap between AI adoption and governance, especially in developer-heavy organizations where time-to-output often trumps policy compliance.

    If you’re looking for a way to enforce your AI usage policy with granular controls, contact Harmonic Security.

    Data Leakage at Scale

    In total, over 17 megabytes of content were uploaded to these platforms by 1,059 users. Harmonic identified 535 separate incidents involving sensitive information. Nearly one-third of that material consisted of source code or engineering documentation. The remainder included documents related to mergers and acquisitions, financial reports, personally identifiable information, legal contracts, and customer records.

    Harmonic’s study singled out DeepSeek as the most prevalent tool, associated with 85 percent of recorded incidents. Kimi Moonshot and Qwen are also seeing uptake. Collectively, these services are reshaping how GenAI appears inside corporate networks. It’s not through sanctioned platforms, but through quiet, user-led adoption.

    Chinese GenAI services frequently operate under permissive or opaque data policies. In some cases, platform terms allow uploaded content to be used for further model training. The implications are substantial for firms operating in regulated sectors or handling proprietary software and internal business plans.

    Policy Enforcement Through Technical Controls

    Harmonic Security has developed tools to help enterprises regain control over how GenAI is used in the workplace. Its platform monitors AI activity in real time and enforces policy at the moment of use.

    Companies have granular controls to block access to certain applications based on their HQ location, restrict specific types of data from being uploaded, and educate users through contextual prompts.

    Governance as a Strategic Imperative

    The rise of unauthorized GenAI use inside enterprises is no longer hypothetical. Harmonic’s data show that nearly one in twelve employees is already interacting with Chinese GenAI platforms, often with no awareness of data retention risks or jurisdictional exposure.

    The findings suggest that awareness alone is insufficient. Firms will require active, enforced controls if they are to enable GenAI adoption without compromising compliance or security. As the technology matures, the ability to govern its use may prove just as consequential as the performance of the models themselves.

    Harmonic makes it possible to embrace the benefits of GenAI without exposing your business to unnecessary risk.

    Learn more about how Harmonic helps enforce AI policies and protect sensitive data at harmonic.security.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Fire Ant Exploits VMware Flaws to Compromise ESXi Hosts and vCenter Environments

    Jul 24, 2025 | Ravie Lakshmanan | Virtualization / Network Security

    Virtualization and networking infrastructure have been targeted by a threat actor codenamed Fire Ant as part of a prolonged cyber espionage campaign.

    The activity, observed this year, is primarily designed to infiltrate organizations’ VMware ESXi and vCenter environments as well as network appliances, Sygnia said in a new report published today.

    “The threat actor leveraged combinations of sophisticated and stealthy techniques creating multilayered attack kill chains to facilitate access to restricted and segmented network assets within presumed to be isolated environments,” the cybersecurity company said.

    “The attacker demonstrated a high degree of persistence and operational maneuverability, operating through eradication efforts, adapting in real time to eradication and containment actions to maintain access to the compromise infrastructure.”

    Fire Ant is assessed to share tooling and targeting overlaps with prior campaigns orchestrated by UNC3886, a China-nexus cyber espionage group known for its persistent targeting of edge devices and virtualization technologies since at least 2022.

    Attacks mounted by the threat actor have been found to establish entrenched control of VMware ESXi hosts and vCenter servers, demonstrating advanced capabilities to pivot into guest environments and bypass network segmentation by compromising network appliances.

    Another noteworthy aspect is the ability of the threat actor to maintain operational resilience by adapting to containment efforts, switching to different tools, dropping fallback backdoors for persistence, and altering network configurations to re-establish access to compromised networks.

    Fire Ant’s breach of the virtualization management layer is achieved by the exploitation of CVE-2023-34048, a known security flaw in VMware vCenter Server that has been exploited by UNC3886 as a zero-day for years prior to it being patched by Broadcom in October 2023.

    “From vCenter, they extracted the ‘vpxuser’ service account credentials and used them to access connected ESXi hosts,” Sygnia noted. “They deployed multiple persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots. The backdoor filename, hash and deployment technique aligned the VIRTUALPITA malware family.”

    Also dropped is a Python-based implant (“autobackup.bin”) that provides remote command execution, and file download and upload capabilities. It runs in the background as a daemon.

    Upon gaining unauthorized access to the hypervisor, the attackers are said to have leveraged another flaw in VMware Tools (CVE-2023-20867) to interact directly with guest virtual machines via PowerCLI, as well as interfered with the functioning of security tools and extracted credentials from memory snapshots, including that of domain controllers.

    Some of the other crucial aspects of the threat actor’s tradecraft are as follows –

    • Dropping V2Ray framework to facilitate guest network tunneling
    • Deploying unregistered virtual machines directly on multiple ESXi hosts
    • Breaking down network segmentation barriers and establishing cross-segments persistence
    • Resisting incident response and remediation efforts by re-compromising assets and, in some cases, blending in by renaming their payloads to impersonate forensic tools

    The attack chain ultimately opened up a pathway for Fire Ant to maintain persistent, covert access from the hypervisor to guest operating systems. Sygnia also described the adversary as possessing a “deep understanding” of the target environment’s network architecture and policies in order to reach otherwise isolated assets.

    Fire Ant is unusually focused on remaining undetected and leaves a minimal intrusion footprint. This is evidenced in the steps taken by the attackers to tamper with logging on ESXi hosts by terminating the “vmsyslogd” process, effectively suppressing an audit trail and limiting forensic visibility.

    The findings underscore a worrying trend involving the persistent and successful targeting of network edge devices by threat actors, particularly those from China, in recent years.

    “This campaign underscores the importance of visibility and detection within the hypervisor and infrastructure layer, where traditional endpoint security tools are ineffective,” Sygnia said.

    “Fire Ant consistently targeted infrastructure systems such as ESXi hosts, vCenter servers, and F5 load balancers. The targeted systems are rarely integrated into standard detection and response programs. These assets lack detection and response solutions and generate limited telemetry, making them ideal long-term footholds for stealthy operation.”


    Source: thehackernews.com…

  • Critical Mitel Flaw Lets Hackers Bypass Login, Gain Full Access to MiVoice MX-ONE Systems

    Jul 24, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

    Mitel has released security updates to address a critical security flaw in MiVoice MX-ONE that could allow an attacker to bypass authentication protections.

    “An authentication bypass vulnerability has been identified in the Provisioning Manager component of Mitel MiVoice MX-ONE, which, if successfully exploited, could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper access control,” the company said in an advisory released Wednesday.

    “A successful exploit of this vulnerability could allow an attacker to gain unauthorized access to user or admin accounts in the system.”

    The shortcoming, which is yet to be assigned a CVE identifier, carries a CVSS score of 9.4 out of a maximum of 10.0. It affects MiVoice MX-ONE versions from 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14).

    Patches for the issue have been made available in MXO-15711_78SP0 and MXO-15711_78SP1 for MX-ONE versions 7.8 and 7.8 SP1, respectively. Customers using MiVoice MX-ONE version 7.3 and above are recommended to submit a patch request to their authorized service partner.

    As mitigations until fixes can be applied, it’s advised to limit direct exposure of MX-ONE services to the public internet and ensure that they are placed within a trusted network.

    Along with the authentication bypass flaw, Mitel has shipped updates to resolve a high-severity vulnerability in MiCollab (CVE-2025-52914, CVSS score: 8.8) that, if successfully exploited, could permit an authenticated attacker to carry out an SQL injection attack.

    “A successful exploit could allow an attacker to access user provisioning information and execute arbitrary SQL database commands with potential impacts on the confidentiality, integrity, and availability of the system,” Mitel said.

    The vulnerability, which impacts MiCollab versions 10.0 (10.0.0.26) to 10.0 SP1 FP1 (10.0.1.101) and 9.8 SP3 (9.8.3.1) and earlier, has been resolved in versions 10.1 (10.1.0.10), 9.8 SP3 FP1 (9.8.3.103), and later.

    With shortcomings in Mitel devices coming under active attack in the past, it’s essential that users update their installations as soon as possible to mitigate potential threats.


    Source: thehackernews.com…

  • CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing

    Jul 24, 2025 | Ravie Lakshmanan | Malware / Cybercrime

    Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs).

    The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News.

    The malware loader, first observed in the wild earlier this year, has been used to distribute DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and even other loaders like Hijack Loader.

    “It employs dead code injection and packing techniques to hinder analysis,” the company said. “After unpacking itself at runtime, it connects to a C2 (command-and-control) server, downloads target modules, and executes them.”

    CastleLoader’s modular structure allows it to act as both a delivery mechanism and a staging utility, enabling threat actors to separate initial infection from payload deployment. This separation complicates attribution and response because it decouples the infection vector from the eventual malware behavior, giving attackers more flexibility in adapting campaigns over time.

    CastleLoader payloads are distributed as portable executables containing an embedded shellcode, which then invokes the main module of the loader that, in turn, connects to the C2 server in order to fetch and execute the next-stage malware.

    Attacks distributing the malware have relied on the prevalent ClickFix technique on domains posing as software development libraries, videoconferencing platforms, browser update notifications, or document verification systems, ultimately tricking users into copying and executing PowerShell commands that activate the infection chain.

    Victims are directed to the bogus domains through Google searches, at which point they are served pages containing fake error messages and CAPTCHA verification boxes developed by the threat actors, asking them to carry out a series of instructions to supposedly address the issue.

    Alternatively, CastleLoader leverages fake GitHub repositories mimicking legitimate tools as a distribution vector, causing users who unknowingly download them to compromise their machines with malware instead.

    “This technique exploits developers’ trust in GitHub and their tendency to run installation commands from repositories that appear reputable,” PRODAFT said.

    This strategic abuse of social engineering mirrors techniques used by initial access brokers (IABs), underscoring its role within a broader cybercrime supply chain.

    PRODAFT said it has observed Hijack Loader being delivered via DeerStealer as well as CastleLoader, with the latter also propagating DeerStealer variants. This suggests the overlapping nature of these campaigns, despite them being orchestrated by different threat actors.

    Since May 2025, CastleLoader campaigns have leveraged seven distinct C2 servers, with over 1,634 infection attempts recorded during the time period. Analysis of its C2 infrastructure and its web-based panel, which is used to oversee and manage the infections, shows that as many as 469 devices were compromised, resulting in an infection rate of 28.7%.

    Researchers also observed elements of anti-sandboxing and obfuscation, features typical in advanced loaders like SmokeLoader or IcedID. Combined with PowerShell abuse, GitHub impersonation, and dynamic unpacking, CastleLoader reflects a growing trend in stealth-first malware loaders that operate as stagers in malware-as-a-service (MaaS) ecosystems.

    “Castle Loader is a new and active threat, rapidly adopted by various malicious campaigns to deploy an array of other loaders and stealers,” PRODAFT said. “Its sophisticated anti-analysis techniques and multi-stage infection process highlight its effectiveness as a primary distribution mechanism in the current threat landscape.”

    “The C2 panel demonstrates operational capabilities typically associated with malware-as-a-service (MaaS) offerings, suggesting the operators have experience in cybercriminal infrastructure development.”


    Source: thehackernews.com…

  • Sophos and SonicWall Patch Critical RCE Flaws Affecting Firewalls and SMA 100 Devices

    Jul 24, 2025 | Ravie Lakshmanan | Network Security / Vulnerability

    Sophos and SonicWall have alerted users of critical security flaws in Sophos Firewall and Secure Mobile Access (SMA) 100 Series appliances that could be exploited to achieve remote code execution.

    The two vulnerabilities impacting Sophos Firewall are listed below –

    • CVE-2025-6704 (CVSS score: 9.8) – An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode
    • CVE-2025-7624 (CVSS score: 9.8) – An SQL injection vulnerability in the legacy (transparent) SMTP proxy can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA

    Sophos said CVE-2025-6704 affects about 0.05% of devices, while CVE-2025-7624 impacts as many as 0.73% of devices. Both vulnerabilities have been addressed alongside a high-severity command injection vulnerability in the WebAdmin component (CVE-2025-7382, CVSS score: 8.8) that could result in pre-auth code execution on High Availability (HA) auxiliary devices, if OTP authentication for the admin user is enabled.

    Also patched by the company are two other vulnerabilities –

    • CVE-2024-13974 (CVSS score: 8.1) – A business logic vulnerability in the Up2Date component can lead to attackers controlling the firewall’s DNS environment to achieve remote code execution
    • CVE-2024-13973 (CVSS score: 6.8) – A post-auth SQL injection vulnerability in WebAdmin can potentially lead to administrators achieving arbitrary code execution

    The U.K. National Cyber Security Centre (NCSC) has been credited with discovering and reporting both CVE-2024-13974 and CVE-2024-13973. The issues affect the following versions –

    • CVE-2024-13974 – Affects Sophos Firewall v21.0 GA (21.0.0) and older
    • CVE-2024-13973 – Affects Sophos Firewall v21.0 GA (21.0.0) and older
    • CVE-2025-6704 – Affects Sophos Firewall v21.5 GA (21.5.0) and older
    • CVE-2025-7624 – Affects Sophos Firewall v21.5 GA (21.5.0) and older
    • CVE-2025-7382 – Affects Sophos Firewall v21.5 GA (21.5.0) and older

    The disclosure comes as SonicWall detailed a critical bug in the SMA 100 Series web management interface (CVE-2025-40599, CVSS score: 9.1) that a remote attacker with administrative privileges can exploit to upload arbitrary files and potentially achieve remote code execution.

    The flaw impacts SMA 100 Series products (SMA 210, 410, 500v) and has been addressed in version 10.2.2.1-90sv.

    SonicWall also pointed out that while the vulnerability has not been exploited, there exists a potential risk in light of a recent report from the Google Threat Intelligence Group (GTIG), which found evidence of a threat actor dubbed UNC6148 leveraging fully-patched SMA 100 series devices to deploy a backdoor called OVERSTEP.

    Besides applying the fixes, the company is also recommending that customers of SMA 100 Series devices carry out the following steps –

    • Disable remote management access on the external-facing interface (X1) to reduce the attack surface
    • Reset all passwords and reinitialize OTP (One-Time Password) binding for users and administrators on the appliance
    • Enforce multi-factor authentication (MFA) for all users
    • Enable Web Application Firewall (WAF) on SMA 100

    Organizations using SMA 100 Series devices are also advised to review appliance logs and connection history for anomalies and check for any signs of unauthorized access.

    Organizations using the SMA 500v virtual product are required to back up the OVA file, export the configuration, remove the existing virtual machine and all associated virtual disks and snapshots, reinstall the new OVA from SonicWall using a hypervisor, and restore the configuration.


    Source: thehackernews.com…

  • China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community

    Jul 24, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware

    The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama’s 90th birthday on July 6, 2025.

    The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz.

    “The attackers compromised a legitimate website, redirecting users via a malicious link and ultimately installing either the Gh0st RAT or PhantomNet (aka SManager) backdoor onto victim systems,” security researchers Sudeep Singh and Roy Tay said in a Wednesday report.

    This is not the first time Chinese threat actors have resorted to watering hole attacks (aka strategic web compromises), a technique where adversaries break into websites frequently visited by a specific group to infect their devices with malware.

    Over the past two years, hacking groups like EvilBamboo, Evasive Panda, and TAG-112 have all resorted to the approach to target the Tibetan diaspora with the ultimate goal of gathering sensitive information.

    The latest set of attacks observed by Zscaler entails the compromise of a web page to replace the link pointing to “tibetfund[.]org/90thbirthday” with a fraudulent version (“thedalailama90.niccenter[.]net”).

    While the original web page is designed to send a message to the Dalai Lama, the replica page adds an option to send an encrypted message to the spiritual leader by downloading from “tbelement.niccenter[.]net” a secure chat application named TElement, which claims to be a Tibetan version of Element.

    Hosted on the website is a backdoored version of the open-source encrypted chat software containing a malicious DLL that’s sideloaded to launch Gh0st RAT, a remote access trojan widely used by various Chinese hacking groups. The web page also includes JavaScript code designed to collect the visitor’s IP address and user-agent information, and exfiltrate the details to the threat actor via an HTTP POST request.

    Gh0st RAT is a fully-featured malware that supports file manipulation, screen capture, clipboard content extraction, webcam video recording, keylogging, audio recording and playback, process manipulation, and remote shell.

    The second campaign, Operation PhantomPrayers, has been found to leverage another domain, “hhthedalailama90.niccenter[.]net,” to distribute a phony “90th Birthday Global Check-in” app (“DalaiLamaCheckin.exe,” dubbed PhantomPrayers) that, when opened, displays an interactive map and urges victims to “send your blessings” for the Dalai Lama by tapping their location on the map.

    However, the malicious functionality is stealthily triggered in the background, using DLL side-loading techniques to launch PhantomNet, a backdoor that establishes contact with a command-and-control (C2) server over TCP to receive additional plugin DLLs for execution on the compromised machine.

    “PhantomNet can be set to operate only during specific hours or days, but this capability is not enabled in the current sample,” the researchers said. “PhantomNet used modular plugin DLLs, AES-encrypted C2 traffic, and configurable timed operations, to stealthily manage compromised systems.”


    Source: thehackernews.com…

  • Watch This Webinar to Uncover Hidden Flaws in Login, AI, and Digital Trust — and Fix Them

    Jul 24, 2025 · The Hacker News

    Is Managing Customer Logins and Data Giving You Headaches? You’re Not Alone!

    Today, we all expect super-fast, secure, and personalized online experiences. But let’s be honest, we’re also more careful about how our data is used. If something feels off, trust can vanish in an instant. Add to that the lightning-fast changes AI is bringing to everything from how we log in to spotting online fraud, and it’s a whole new ball game!

    If you’re dealing with logins, data privacy, bringing new users on board, or building digital trust, this webinar is for you.

    Join us for “Navigating Customer Identity in the AI Era,” where we’ll dive into the Auth0 2025 Customer Identity Trends Report. We’ll show you what’s working, what’s not, and how to tweak your strategy for the year ahead.

    In just one session, you’ll get practical answers to real-world challenges like:

    • How AI is changing what users expect – and where they’re starting to push back.
    • The new identity threats on the rise – and how to stop them early.
    • Making logins smoother and easier – without sacrificing security.
    • Where AI can help you big time – and where you still need that human touch.
    • What top digital companies are doing differently to stay ahead.

    This session is perfect for anyone focused on making customer experiences better, boosting security, or driving digital innovation. Whether you’re an IT or security leader, a product team member, or part of marketing and customer experience, you’ll find valuable takeaways. Even if you’re leading digital transformation, this webinar offers key guidance to align AI with what customers truly want.

    “Navigating Customer Identity in the AI Era” is your chance to get ahead with insights from the Auth0 2025 CIAM Trends Report.

    The webinar is on July 28, 2025, and features an expert from Auth0 by Okta, a trusted name in secure identity solutions. Registration is free, but spots are limited! Don’t miss out on future-proofing your identity strategy, staying compliant, and building massive digital trust.

    As AI keeps evolving, your customer identity strategy needs to evolve with it. This webinar gives you the data, the trends, and the expert insights to make smarter decisions – starting now.

    Don’t get left behind. Join us and become a leader in customer trust!

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Pentests once a year? Nope. It’s time to build an offensive SOC

    You wouldn’t run your blue team once a year, so why accept this substandard schedule for your offensive side?

    Your cybersecurity teams are under intense pressure to be proactive and to find your network’s weaknesses before adversaries do. But in many organizations, offensive security is still treated as a one-time event: an annual pentest, a quarterly red team engagement, maybe an audit sprint before a compliance deadline.

    That’s not defense. It’s theater.

    In the real world, adversaries don’t operate in bursts. Their recon is continuous, their tools and tactics are always evolving, and new vulnerabilities are often reverse-engineered into working exploits within hours of a patch release.

    So, if your offensive validation isn’t just as dynamic, you’re not just lagging, you’re exposed.

    It’s time to move beyond the once a year pentest.

    It’s time to build an Offensive Security Operations Center.

    Why annual pentesting falls short

    Point-in-time penetration tests still serve a role, and they will remain a compliance requirement. But they fall short in environments that change faster than they can be assessed. This is true for a number of reasons:

    • The scope is limited. Most enterprise pentests are scoped to avoid business disruption, but we all know that attackers don’t care about your scope or, unless they’re in stealth mode, about disrupting your business.
    • Controls decay silently. Drift is constant. An EDR policy gets loosened. A SIEM rule breaks. And annual pentests are not built to catch these problems. The security control that “passed” in the test may very well fail when it really matters, two weeks later.
    • Access escalates quietly. In Active Directory environments, misconfigurations accumulate silently over time: nested groups, stale accounts, over-privileged service identities, and well-known privilege escalation paths are commonplace. These aren’t just theoretical risks; they’ve been actively leveraged for decades. Attackers don’t need zero-days to succeed. They rely on weak trust relationships, configuration drift, and a lack of visibility.
    • Timing lags. By the time a pentest report is delivered, your environment has already changed. You’re chasing what was, not what is. It’s like looking at last month’s video from your door camera to see what’s happening today.

    However, this is not a call to abolish pentesting.

    Quite the opposite: manual pentests bring human creativity, contextual awareness, and adversarial thinking that no automation can replicate.

    But relying on them alone, especially when performed only once or twice a year, limits their impact.

    By building an Offensive SOC and operationalizing continuous validation, organizations enable pentesters to focus on what they do best: uncover edge cases, bypass defenses creatively, and explore complex scenarios beyond the reach of automation.

    In short: an Offensive SOC doesn’t replace pentesting, it gives it room to evolve.

    Without continuous validation, a security posture becomes a snapshot, not a source of truth.

    From point-in-time defense to persistent offense

    The Offensive Security Operations Center (Offensive SOC) flips the model from a one-off pentest as part of a decidedly defensive SOC to a team continuously out-maneuvering adversaries by thinking and acting like an attacker, every single day. Instead of waiting for trouble to respond to, the Offensive SOC is collaborative, transparent, and built to uncover tangible risks and drive actual fixes, in real time.

    Think of it this way: If a traditional SOC raises alerts on attacks that reach you, the Offensive SOC raises alerts on vulnerabilities that could.

    And the tools that power it? It’s time to toss your outdated clipboards and checklists and power up Breach and Attack Simulation (BAS) and Automated Penetration Testing solutions.

    The core pillars of the offensive SOC

    1. Continuously discovering what’s exposed

    You can’t validate what you haven’t found. Your organization’s attack surface is sprawling with cloud workloads, unmanaged assets, shadow IT, stale DNS records, and public S3 buckets. It’s time to accept that periodic scans just don’t cut it anymore.

    Discovery must be persistent and continuous, just as an attacker’s reconnaissance is.

    2. Real-world attack simulation with BAS

    Breach and Attack Simulation (BAS) doesn’t guess. It simulates real-world TTPs mapped to industry-recognized frameworks like MITRE ATT&CK® across the kill chain.

    BAS answers a series of practical yet high-stakes questions:

    • Can your SIEM catch a credential dumping attack?
    • Will your EDR block known ransomware?
    • Does your WAF stop critical web attacks like Citrix Bleed or IngressNightmare?

    BAS is about controlled, safe, production-aware testing: executing the same techniques attackers use against your actual controls, without putting your data, bottom line, and reputation at risk. BAS will show you exactly what works, what fails, and where to best focus your efforts.

    3. Exploit Chain Testing with Automated Pentesting

    Sometimes individual vulnerabilities may not be harmful on their own. However, adversaries carefully chain multiple vulnerabilities and misconfigurations together to achieve their objectives. With Automated Penetration Testing, security teams can validate how a real compromise could unfold, step by step, end to end.

    Automated Pentesting simulates an assumed breach from a domain-joined system, starting with access to a low-privileged or system-level user. From this foothold, it discovers and validates the shortest, stealthiest attack paths to critical assets, such as domain admin privileges, by chaining real techniques like credential theft, lateral movement, and privilege escalation.

    Here’s an example:

    • Initial access to an HR workstation exposes a Kerberoasting opportunity, triggered by misconfigured service account permissions.
    • Offline password cracking reveals plaintext credentials.
    • Those credentials enable lateral movement to another machine.
    • Eventually, the simulation captures a domain admin’s NTLM hash, with no alerts triggered and no controls intervening.

    This is just one scenario among thousands, but it mirrors the real tactics adversaries use to escalate their privileges inside your network.
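
    The chained scenario above can be modeled as a graph problem from the defender's side: find the shortest path from the foothold to the critical asset, then find the single weakness whose fix cuts every path. This is an added example, not code from the article or from Picus; the host names, account names and edge labels are constructed for illustration.

```python
from collections import deque

# Constructed graph: (source, target, weakness that makes the hop possible).
EDGES = [
    ("hr-workstation", "svc-backup", "kerberoastable service account"),
    ("svc-backup", "file-server", "crackable password reused for logon"),
    ("file-server", "domain-admin", "domain admin NTLM hash in memory"),
    ("hr-workstation", "print-server", "local admin via nested group"),
    ("print-server", "file-server", "stale account still enabled"),
]

def shortest_path(edges, start, target):
    """Breadth-first search; returns the edges on a shortest path, or None."""
    adjacency = {}
    for edge in edges:
        adjacency.setdefault(edge[0], []).append(edge)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for edge in adjacency.get(node, []):
            if edge[1] not in seen:
                seen.add(edge[1])
                queue.append((edge[1], path + [edge]))
    return None

def choke_points(edges, start, target):
    """Edges whose removal alone leaves no path from start to target."""
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], start, target) is None]

if __name__ == "__main__":
    for src, dst, weakness in shortest_path(EDGES, "hr-workstation", "domain-admin"):
        print(f"{src} -> {dst}: {weakness}")
    print("fix first:", choke_points(EDGES, "hr-workstation", "domain-admin"))
```

    In this constructed graph, fixing the Kerberoastable account alone does not help because a second route exists through the print server; only the last hop is a choke point.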

    4. Drift Detection and Posture Tracking

    Security isn’t static. Rules change. Configurations shift. Controls fail quietly.

    The Offensive SOC keeps score over time. It tracks when your prevention and detection layer solutions start to slip, like:

    • An EDR policy update that disables known malware signatures
    • A SIEM alert that quietly stops firing after a rule modification
    • A firewall rule that’s altered during maintenance, leaving a port exposed

    The Offensive SOC doesn’t just tell you what failed, it tells you when it started failing.
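
    One way to answer "when did it start failing" from repeated validation runs is sketched below. This is an added example, not code from the article or from Picus; the control names, technique labels, dates and outcome values are constructed, and the history format is an assumption.

```python
from datetime import date

# Constructed validation history: (run date, control, simulated technique, outcome).
# "blocked"/"alerted" mean the control worked; "missed" means it did not.
RUNS = [
    (date(2025, 7, 1), "edr", "known-ransomware", "blocked"),
    (date(2025, 7, 8), "edr", "known-ransomware", "blocked"),
    (date(2025, 7, 15), "edr", "known-ransomware", "missed"),
    (date(2025, 7, 22), "edr", "known-ransomware", "missed"),
    (date(2025, 7, 1), "siem", "credential-dumping", "alerted"),
    (date(2025, 7, 8), "siem", "credential-dumping", "missed"),
    (date(2025, 7, 15), "siem", "credential-dumping", "alerted"),
    (date(2025, 7, 22), "siem", "credential-dumping", "missed"),
    (date(2025, 7, 1), "firewall", "exposed-port", "blocked"),
    (date(2025, 7, 22), "firewall", "exposed-port", "blocked"),
    (date(2025, 7, 1), "waf", "web-attack", "missed"),
    (date(2025, 7, 22), "waf", "web-attack", "missed"),
]

def find_drift(runs):
    """Map (control, technique) -> (last good run, first run of current failing streak)."""
    history = {}
    for day, control, technique, outcome in sorted(runs):
        history.setdefault((control, technique), []).append((day, outcome))
    drift = {}
    for key, results in history.items():
        if results[-1][1] != "missed":
            continue  # control works in the latest run; nothing to report
        # Walk back from the latest run to the start of the current failing streak.
        i = len(results) - 1
        while i > 0 and results[i - 1][1] == "missed":
            i -= 1
        # last_ok is None when the control has never passed (a gap, not drift).
        last_ok = results[i - 1][0] if i > 0 else None
        drift[key] = (last_ok, results[i][0])
    return drift

if __name__ == "__main__":
    for (control, technique), (last_ok, first_missed) in find_drift(RUNS).items():
        print(f"{control}/{technique}: failing since {first_missed}, last good run {last_ok}")
```

    The window between the last good run and the first missed run is where to look in change logs for the policy update or rule modification that caused the regression.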

    And this is how you stay ahead: not by reacting to alerts, but by catching your vulnerabilities before they’re exploited.

    Where Picus fits in

    Picus helps security teams operationalize the Offensive SOC, with a unified platform that continuously validates exposures across prevention, detection, and response layers.

    We combine:

    • BAS to test how your controls respond to real-world threats.
    • Automated penetration testing to simulate attacker movement post-access, and identify high-risk paths.
    • Known threat and mitigation libraries to simulate attacks and close gaps faster.
    • Seamless integration with your existing SOC stack.

    And Picus isn’t just making promises. The Blue Report 2024 found that:

    • Organizations using Picus reduced critical vulnerabilities by over 50%.
    • Customers doubled their prevention effectiveness in 90 days.
    • Teams mitigated security gaps 81% faster using Picus.

    With Picus, you can boldly move beyond assumptions and make decisions backed by validation.

    That’s the value of an Offensive SOC: focused, efficient, and continuous security improvement.

    Final thought: Validation isn’t a report, it’s a practice

    Building an Offensive SOC isn’t about adding more dashboards, solutions, or noise; it’s about turning your reactive security operations center into a continuous validation engine.

    It means proving what’s exploitable, what’s protected, and what needs attention.

    Picus helps your security teams do exactly that, operationalizing validation across your entire stack.

    Ready to explore the details?

    Download The CISO’s Guide for Security and Exposure Validation to:

    • Understand the complementary roles of Breach and Attack Simulation and Automated Penetration Testing
    • Learn how to prioritize risk based on exploitability, not just severity
    • See how to embed Adversarial Exposure Validation into your CTEM strategy for continuous, measurable improvement

    🔗 Get the Exposure Validation Guide and make validation part of your everyday SOC operations, not just something you check off a list once a year.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…