• Threat actors predominantly exploited public-facing applications for the second quarter in a row, with this tactic appearing in nearly 40 percent of Cisco Talos Incident Response (Talos IR) engagements, a notable decrease from over 60 percent last quarter, when engagements involving ToolShell surged.
• This quarter included exploitation of Oracle E-Business Suite (EBS) and React2Shell, as well as the deployment of malware implants previously associated with advanced persistent threat (APT) groups.
• Phishing was the second-most common tactic for initial access, and this quarter included a campaign specifically targeting Native American tribal organizations for credential harvesting.
• Once the adversaries compromised a legitimate account, they leveraged it to send further internal phishing emails and harvest more credentials.
• Ransomware incidents made up only approximately 13 percent of engagements this quarter, a decrease from 20 percent last quarter and a steep drop from nearly 50 percent in Q1 and Q2.
• Talos IR did not respond to any previously unseen ransomware variants.

Article Summaries:

  • Cisco Talos reports that in Q4 2025 exploitation of public‑facing applications remained the leading initial‑access tactic, accounting for nearly 40 percent of incident‑response engagements, down from over 60 percent in Q3. The quarter saw attacks on Oracle E‑Business Suite (CVE‑2025‑61882) and the React2Shell vulnerability (CVE‑2025‑55182), with threat actors quickly leveraging newly disclosed flaws to deploy web shells and, in some cases, Monero‑mining malware. Phishing was the second‑most common technique, highlighted by a credential‑harvesting campaign targeting Native American tribal organizations in which compromised accounts were used to send further internal phishing. Ransomware incidents fell to about 13 percent of engagements, and the Qilin ransomware family continued to dominate the remaining cases. The findings underscore the need for timely patching and robust segmentation of internet‑facing assets.
