Cisco Talos Blog: IR Trends Q2 2025: Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy

Source URL: https://blog.talosintelligence.com/ir-trends-q2-2025/
Source: Cisco Talos Blog
Title: IR Trends Q2 2025: Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy

Feedly Summary: Phishing remained the top initial access method in Q2 2025, while ransomware incidents saw the emergence of new Qilin tactics.

AI Summary and Description: Yes

**Summary:** The text provides a detailed analysis of recent cyber threat trends, particularly focusing on phishing attacks and ransomware incidents. The primary observation is the ongoing prevalence of phishing, now utilized in a third of engagements for initial access, although this is a decline from the previous quarter. The emergence and tactics related to Qilin ransomware, including its unique operational techniques, pose significant threats to organizations, especially in sectors like education.

**Detailed Description:** The text elaborates on several key points relevant to security professionals:

– **Phishing Attacks:**
  – Phishing remains the most common initial access technique, but its share of engagements fell (30% compared to 50% in the previous quarter).
  – Attackers typically send phishing messages from compromised email accounts belonging to trusted internal or partner sources, a tactic that lends the messages legitimacy and helps them evade security controls.
  – Credential harvesting continues to be the primary aim of many phishing campaigns, showing a focus on capturing user credentials rather than on immediate financial gain.

– **Ransomware Insights:**
  – Ransomware incidents, specifically Qilin and Medusa, accounted for half of all engagements. Qilin, in particular, showcased a series of new and previously unreported tactics and tools.
  – The attackers behind Qilin run an older version of PowerShell (1.0) to avoid detection: older engine versions lack the security and logging features added in later releases, which improves the actors' operational stealth.
  – The report indicates a potential rise in the operational tempo and the size of the Qilin group, emphasizing the need for heightened vigilance moving forward.

– **Recommendations for Mitigating Security Risks:**
  – **Multi-Factor Authentication (MFA):** MFA misconfigurations, missing MFA, and MFA bypasses were observed in over 40% of engagements. Recommendations include monitoring MFA registration changes and unusual MFA usage.
  – **Logging and Monitoring:** A quarter of incidents involved inadequate logging, which hindered effective investigation. Implementing centralized logging, such as a Security Information and Event Management (SIEM) solution, is crucial for incident response and forensics.
  – **Endpoint Protection:** Organizations are encouraged to strengthen their endpoint security solutions to prevent tampering and ensure continuous monitoring and defense.

– **Key Observations from the MITRE ATT&CK Framework:**
  – Increased variety in credential access techniques has been noted.
  – Phishing remains a significant attack vector alongside other access methods such as brute force and exploitation of vulnerabilities.
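As an added example (not from the Talos report or the Feedly summary), the following Python flags PowerShell launches that request, or engine lifecycle records that show, a downgraded engine version, the evasion described under Ransomware Insights above. The sample event lines, their field layout and the version threshold are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Engine versions below this lack the logging and inspection controls added in
# later Windows PowerShell releases; the threshold is this example's assumption.
MIN_EXPECTED_MAJOR = 5

# "-Version 1.0", "-v 2", "-ver 2.0": any accepted abbreviation of -Version
# followed by a number on a powershell.exe command line.
VERSION_FLAG = re.compile(
    r"(?i)(?<![\w-])-(?:v|ve|ver|vers|versi|versio|version)\s+(\d+)(?:\.\d+)?"
)
# EngineVersion field of a Windows PowerShell engine lifecycle record.
ENGINE_FIELD = re.compile(r"EngineVersion=(\d+)(?:\.\d+)?")

def requested_major(event: str) -> Optional[int]:
    """Return the engine major version an event records, or None if it is not a PowerShell event."""
    if "powershell" not in event.lower():
        return None
    match = ENGINE_FIELD.search(event) or VERSION_FLAG.search(event)
    return int(match.group(1)) if match else None

def downgrade_findings(events: List[str]) -> List[Dict[str, object]]:
    """Flag events where an engine older than MIN_EXPECTED_MAJOR was requested or started."""
    findings = []
    for event in events:
        major = requested_major(event)
        if major is not None and major < MIN_EXPECTED_MAJOR:
            findings.append({"major": major, "event": event})
    return findings

# Constructed sample records (not real telemetry); the fields only loosely mimic
# process-creation and engine-lifecycle logs and copy no product's exact layout.
SAMPLE_EVENTS = [
    "ProcessCreate Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -Version 1.0 -ExecutionPolicy Bypass -File C:\\Users\\Public\\stage.ps1",
    "ProcessCreate Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -NoProfile -Command Get-Service",
    "ProcessCreate Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c powershell -v 2 -NoProfile",
    "EngineLifecycle Provider=PowerShell EngineVersion=2.0 HostName=ConsoleHost",
    "EngineLifecycle Provider=PowerShell EngineVersion=5.1.19041 HostName=ConsoleHost",
]

if __name__ == "__main__":
    for finding in downgrade_findings(SAMPLE_EVENTS):
        print(f"downgrade to engine {finding['major']}: {finding['event']}")
```

The `v1.0` folder in the default powershell.exe path is not matched, because the pattern requires a dash-prefixed parameter followed by a number; only the explicit version request or the engine's own reported version is used.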

This analysis underscores the importance of constant vigilance and adaptation in cybersecurity practices, especially regarding evolving phishing tactics and the persistent threat of ransomware. Security professionals should pay careful attention to emerging TTPs (tactics, techniques, and procedures) to fortify defenses accordingly.