Welcome to another_secpro!

As we step out into another week of cybersecurity-related shenanigans, it's important to remember some perspective and how we frame the constant threat of the adversary. It's easy to become doom-and-gloom about the possibilities of every getting away from the constant worry of "the next big disaster". There's no magic fix for that, obviously, but we can take our time, gather our resources, and build plans and processes that cut the adversary off. As a part of that, tackling the problem of social engineering is one of the more challenging difficulties to tackle...

That's why we're back into social engineering this week and, this time, we're exploring how social engineering disrupts business operations.If you've missed our other investigations, then check them out here, here, here, and here.

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!
Austin Miller
Editor-in-Chief

In their latest research, Unit 42 explains that many social engineering attacks don’t need advanced hacking tools. Instead, they work because of three main weaknesses: low detection coverage, alert fatigue, and organisational failures.

Building a Threat-Led Cybersecurity Program with Cyberthreat Intelligence: This white paper addresses how organisations often struggle to turn threat-intelligence programmes into measurable business value: intelligence that is not actionable, too many feeds, poorly defined requirements, etc. It explains the evolving threat environment (rise of infostealers, generative AI, commodification of cybercrime) and then offers a practical blueprint for building or refining a “threat-led” security programme. It covers: forming a threat model; establishing Priority Intelligence Requirements (PIRs); integrating intelligence with risk management; mapping strategic/tactical/operational/technical intelligence; selecting tools and metrics; dealing with legal/regulatory constraints.

CYFIRMA Intelligence Report:This report provides a detailed breakdown of the latest active cyber-threats and trends, focusing on ransomware, malware, vulnerability exploitation, threat actors and data leaks. Key points include: Discovery of a new ransomware strain BAGAJAI, using strong hybrid encryption and moving toward a double-extortion/data-leak model; trend of PureRAT malware being used in hospitality sector spear-phishing campaigns (e.g., via Booking.com accounts) exploiting legitimate services to deliver RAT implants and steal credentials; focus on threat actor APT37 (aka ScarCruft) shifting toward mobile espionage across Asia and beyond, with credential dumping, exploitation of vulnerabilities etc.; a vulnerability in expr-eval JavaScript library (CVE-2025-12735) enabling remote JS code execution, posing risk across web apps. data-leak observation: e.g., claimed compromise of Pruksa Holding Public Company Limited in Thailand (real-estate), and leak of source-code from Internet Initiative Japan (IIJ) telecom provider.

LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices: Technical write-up of a commercial-grade Android spyware family (“LANDFALL”) observed being delivered via an exploit chain targeting Samsung devices. Includes malware capabilities, exploitation chain details, impacted OEM components and recommended detection/mitigation controls.

You Thought It Was Over? — Authentication Coercion Keeps Evolving:Deep dive into the resurgence/evolution of authentication-coercion techniques (coercing systems to authenticate to attacker-controlled hosts to harvest credentials). Explains RPC-based variants, detection pitfalls, and practical mitigations for endpoint and domain defenders. Actionable for blue teams

Russian attacks surge in Ukraine and Europe; Chinese groups target Latin America: A periodic APT report from ESET, summarising observed state-linked activity across regions between Apr–Sep 2025. Highlights targeting shifts, tooling and operational trends, and specific campaigns and IOCs useful to network defenders and threat intel teams.

New Hacking Techniques and Critical CVEs: Technical weekly summarising new exploitation chains, observed EDR evasion techniques, several zero-day exploit chains observed in the wild, and notable sector breaches. Contains technical indicators and exploit/prioritisation guidance for vulnerability management teams.

CISA / US-CERT Advisory update on the Akira ransomware:Government advisory updating TTPs, observed infrastructure and mitigations for Akira ransomware. Includes detection guidance, recommended mitigations for critical infrastructure and enterprise, and links to vendor detection rules. Important for orgs tracking ongoing ransomware campaigns and for continuous monitoring.

CISA Update & Implementation Guidance for Emergency Directive: Cisco ASA and Firepower Device Vulnerabilities: Implementation guidance updating remediation and detection guidance for multiple exploited vulnerabilities affecting Cisco ASA/Firepower devices; includes emergency directive implementation notes and recommended mitigations for operators managing affected gear.

Remember, remember the fifth of November, from Threat Source / Cisco Talos: Cisco Talos Threat Source newsletter and related technical writeups published last week, including detailed Talos research on the Kraken RaaS group and other active ransomware research. Talos’ write-ups are technical, often include IOCs and behavioural detection guidance for SOCs.

Chinese hackers used Anthropic AI to automate attacks from Aspicts: A deep dive into “Operation Endgame,” where threat actors leveraged Anthropic’s AI to run automated info-stealing campaigns, exploring both the technical mechanisms and the broader risk implications.

Claude Code Agent Attack: 30 High Value Targets Hit from Nate: Analysis of an AI-driven cyberattack on high-value targets using Claude Code agents, looking at how attackers exploit trust in AI and what defensive strategies could mitigate such risks.

The OWASP Top 10 Gets Modernized from Chris Hughes: A thoughtful breakdown of the 2025 update to the OWASP Top 10, explaining what’s changed, why it matters, and how the new version better reflects modern threat landscapes.

U.S. CISA Adds Oracle, Windows, Kentico, and Apple Flaws from Ethical Hacking News:A technical and policy-oriented post summarising recent zero-days added by CISA, with commentary on the potential impacts for organisations and security teams.

79% of Enterprises to Increase Investment in Threat Intelligence from Datayuan: Market-focused insight into how enterprises are shifting their security spend, especially on threat intel, in response to the rise of AI-agent threats; includes regional trends (APAC) and practical implications.

SCVI: Bridging Social and Cyber Dimensions for Comprehensive Vulnerability Assessment (Shutonu Mitra, Tomas Neguyen, Qi Zhang, Hyungmin Kim, Hossein Salemi, Chen-Wei Chang, Fengxiu Zhang, Michin Hong, Chang-Tien Lu, Hemant Purohit, Jin-Hee Cho) This paper introduces the Social Cyber Vulnerability Index (SCVI), a novel metric/framework that combines individual-level (awareness, behavioural traits, psychological attributes) and attack-level (frequency, consequence, sophistication) factors to assess socio-technical vulnerabilities in cyber contexts. The authors validate SCVI using survey data (iPoll) and textual data (Reddit scam reports), and compare it to traditional metrics like CVSS (Common Vulnerability Scoring System) and SVI (Social Vulnerability Index). They demonstrate SCVI’s superior ability to capture nuances in socio-cyber risk (e.g., demographic and regional disparities).

BotSim: LLM-Powered Malicious Social Botnet Simulation (Boyu Qiao, Kun Li, Wei Zhou, Shilong Li, Qianqian Lu, Songlin Hu):This study presents “BotSim”, a simulation framework for malicious social-bot activity powered by large language models (LLMs). The authors create an environment mixing intelligent agent bots and human users, simulate realistic social media interaction patterns (posting, commenting), and generate a dataset ("BotSim-24") of LLM-driven bot behaviour. They then benchmark detection algorithms and find that traditional bot-detection methods perform much worse on the LLM-driven bot dataset — highlighting a new frontier in adversarial social cybersecurity.

Red Teaming with Artificial Intelligence-Driven Cyberattacks: A Scoping Review (Mays Al-Azzawi, Dung Doan, Tuomo Sipola, Jari Hautamäki, Tero Kokkonen):This review article surveys the use of AI for adversarial/red-teaming cyberattacks. It analyses ~470 records, selects 11 for in-depth review, and characterises the methods by which AI is being leveraged for penetration testing, intrusion, social engineering, etc. The authors identify typical targets (sensitive data, systems, social profiles, URLs), and emphasise the increasing threat from AI-based attack automation. It also reflects on how red-teaming practices must evolve in response.

A Survey of Social Cybersecurity: Techniques for Attack Detection, Evaluations, Challenges, and Future Prospects (Aos Mulahuwaish, Basheer Qolomany, Kevin Gyorick, Jacques Bou Abdo, Mohammed Aledhari, Junaid Qadir, Kathleen Carley, Ala Al-Fuqaha):This survey paper focuses on “social cybersecurity” — the human/social dimension of cyber threats (e.g., cyber-bullying, spam, misinformation, terrorist activity over social platforms). It covers detection techniques, evaluation methodologies, the challenge of datasets and tools, and identifies future research directions.

Evolution Cybercrime — Key Trends, Cybersecurity Threats, and Mitigation Strategies from Historical Data (Muhammad Abdullah, Muhammad Munib Nawaz, Bilal Saleem, Maila Zahra, Effa binte Ashfaq, Zia Muhammad):This article provides a longitudinal analysis of cybercrime over ~20 years, tracing how cyber threats have evolved (from rudimentary internet fraud to AI-driven attacks, deep fakes, 5G vulnerabilities, cryptojacking, supply chain attacks). It uses historical data (e.g., FBI IC3 complaints) and highlights demographic/geographic patterns, victims, losses, and state-sponsored trends. It also offers mitigation strategy recommendations.

A Survey of Cyber Threat Attribution: Challenges, Techniques, and Future Directions(Nilantha Prasad, Abebe Diro, Matthew Warren, Mahesh Fernando):This paper examines the challenging problem of cyber threat attribution (identifying who is behind an attack). It reviews techniques from technical (IOCs, TTPs, malware profiling) to ML/AI-based methods, analyses gaps in existing research, and suggests future directions for more robust, reliable attribution in cyber contexts. The work is interdisciplinary and addresses both technical and intelligence-analysis aspects.