This week Bill connects the hype of literary awards to cybersecurity conference season. We highlight key insights from the Q2 2025 IR Trends report, including phishing trends, new ransomware strains, and top targeted sectors. Finally, check out all the places Talos will be at Black Hat.
Analysis Summary
# Main Topic
Analysis of key threat intelligence findings from the Cisco Talos Incident Response Trends Q2 2025 report, focusing on prevalent attack vectors, ransomware activity, and top-targeted sectors.
## Key Points
- **Phishing Dominance:** Phishing remains the leading initial access vector, with credential harvesting identified as the primary objective for the majority of observed attacks, suggesting a preference for reliably profitable credential brokering over complex post-exploitation.
- **Ransomware Activity:** Ransomware and pre-ransomware incidents accounted for 50% of all IR engagements this quarter.
- **New Ransomware Strains:** Talos IR observed the introduction of Qilin and Medusa ransomware strains for the first time, alongside continued activity from Chaos ransomware.
- **Stealthy Tactics:** Attackers employed stealthy techniques, including "bring your own binary" (BYOB) scenarios in which the original 2006 release of PowerShell (version 1.0) was brought in and used during ransomware attacks.
- **MFA Evasion:** Insights detailed how attackers exploit self-service options in Multi-Factor Authentication (MFA) deployments to register their own devices, bypassing security controls.
## Threat Actors
- **Specific Actors:** Not explicitly attributed by name in the summary, but activity involves groups deploying Qilin, Medusa, and Chaos ransomware strains during Q2 2025 engagements.
## TTPs
- **Initial Access:** Phishing (credential harvesting focus).
- **Execution/Defense Evasion:** Use of legacy PowerShell 1.0 ("bring your own binary") to execute malicious actions stealthily.
- **Authorization/Authentication Bypass:** Exploitation of MFA self-service features to register attacker-controlled devices as second factors.
## Affected Systems
- **Targeted Sectors:** Education was identified as the most targeted industry vertical during Q2 2025.
- **Software/Configuration:** MFA deployments with self-service device registration enabled are exposed to enrollment abuse.
## Mitigations
- **MFA Security:** Ensure proper configuration and rigorous monitoring of Multi-Factor Authentication (MFA) deployments, specifically reviewing and restricting device registration capabilities.
- **Logging and Monitoring:** Prioritize centralized logging for enhanced visibility across the environment.
- **Endpoint Hardening:** Implement specific steps to harden Endpoint Detection and Response (EDR) systems against advanced evasive tactics such as bring your own binary (BYOB).
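As an added illustration of the MFA and centralized-logging mitigations above (example code written for this summary, not from the Talos report): a small Python correlation that flags a self-service MFA device registration when it follows a sign-in from an IP address the user has never authenticated from. The event field names, the 10-minute window and the per-user IP baseline are assumptions, and the log lines are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): a central log stream mixing
# interactive sign-ins with MFA self-service device registrations.
SAMPLE_LOG = """
{"ts": "2025-05-12T08:01:00Z", "event": "signin", "user": "alice", "ip": "203.0.113.10"}
{"ts": "2025-05-12T08:03:00Z", "event": "mfa_device_registered", "user": "alice", "ip": "203.0.113.10", "method": "authenticator_app"}
{"ts": "2025-05-13T09:00:00Z", "event": "signin", "user": "bob", "ip": "198.51.100.7"}
{"ts": "2025-05-13T09:02:00Z", "event": "mfa_device_registered", "user": "bob", "ip": "198.51.100.7", "method": "sms"}
{"ts": "2025-05-14T10:00:00Z", "event": "signin", "user": "alice", "ip": "203.0.113.10"}
"""

# Assumed baseline of IPs each user has historically signed in from; in practice
# this would be built from earlier logs, here it is constructed so the example runs alone.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.44"}}

WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_events(raw):
    """Parse JSON lines into dicts with timezone-aware timestamps, oldest first."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def suspicious_enrollments(events, known_ips, window=WINDOW):
    """Return MFA registrations preceded, within `window`, by a sign-in from an
    IP outside the user's baseline. A self-service enrollment right after a
    first-seen-IP sign-in is the pattern produced when phished credentials are
    used to add an attacker-controlled device as a second factor."""
    findings = []
    recent_signins = {}  # user -> list of (timestamp, ip)
    for e in events:
        if e["event"] == "signin":
            recent_signins.setdefault(e["user"], []).append((e["ts"], e["ip"]))
        elif e["event"] == "mfa_device_registered":
            baseline = known_ips.get(e["user"], set())
            for ts, ip in recent_signins.get(e["user"], []):
                if e["ts"] - ts <= window and ip not in baseline:
                    findings.append({"user": e["user"], "ip": ip,
                                     "method": e["method"], "ts": e["ts"].isoformat()})
                    break  # one finding per registration is enough
    return findings


if __name__ == "__main__":
    for f in suspicious_enrollments(parse_events(SAMPLE_LOG), KNOWN_IPS):
        print(f"ALERT: {f['user']} registered {f['method']} after sign-in from new IP {f['ip']} at {f['ts']}")
```

Only bob's enrollment is flagged: his sign-in came from an IP absent from his baseline, while alice enrolled from an address she had used before.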
## Conclusion
The threat landscape remains dominated by phishing, increasingly focused on harvesting credentials. The rise of new ransomware strains alongside the use of legacy binaries (such as PowerShell 1.0) highlights the need for defenses that focus on behavior rather than signature detection alone. Organizations, particularly in the Education sector, must immediately review MFA configurations and EDR hardening controls to counter the prevalent initial access and execution techniques identified in Q2 2025.