Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Group-IB has published a report on SIM swapping attacks, finding that attackers continue to use social engineering to bypass technical security measures. SIM swapping is a technique in which an attacker takes over a victim’s phone number, which enables them to access the victim’s accounts. This involves tricking the telecom operator into reassigning the victim’s phone number to a SIM card controlled by the attacker.

Adversaries don’t need to force their way in when they can slip through an organization’s overlooked assets. Subdomain takeovers are a prime example of how attackers exploit misconfigured or abandoned DNS records to gain access, launch phishing campaigns, distribute malware, or take other malicious actions — all while operating under the guise of a legitimate corporate domain.

Cybersecurity incidents continue to make headlines, with the latest victim being Tata Technologies, a leading global engineering and technology services company. The HUNTUBS ransomware group has claimed responsibility for a major attack, leaking sensitive corporate data. The incident, which resulted in the theft of 1.4 TB of confidential data, has raised concerns about cybersecurity resilience among major enterprises.

Since its introduction into cybersecurity in the late 1980s as a tool for detecting unusual activity, artificial intelligence (AI) has grown in popularity and functionality, with a major surge of adoption happening in the past few years, thanks to its growing ability to perform tasks faster and more accurately than humans. However, AI has never operated in isolation; it has always relied on human input. And any advanced technology that requires human input can be used for both good and bad.

Between December 2024 and February 2025, the LevelBlue MDR team saw over a dozen attempts and a handful of successful intrusions by threat actors (TAs). Internally, we broadly attribute these attacks to the Black Basta ransomware gang. As outlined by other cybersecurity researchers’ reporting of similar tactics, techniques, and procedures (TTPs) observed; there is a high probability that this activity is from affiliate groups or initial access brokers.

The CrowdStrike 2025 Global Threat Report highlights the ongoing threat of identity-based attacks. Adversaries are increasingly exploiting stolen credentials to evade detection, and 79% of detections overall were classified as malware-free. Valid account abuse became the primary initial access method in 35% of cloud intrusions. The report also shares that access broker advertisements rose by 50% year-over-year, indicating a rise in demand for valid credentials and other forms of access.

North Korea’s Lazarus Group is evolving its tactics again. The latest campaign, dubbed Operation Marstech Mayhem, introduces an advanced implant named “Marstech1.” This malware is designed to compromise software developers and cryptocurrency wallets through manipulated open-source repositories. Unlike previous Lazarus operations, this campaign employs obfuscation techniques that make detection significantly harder. Read the full report here.