Tuesday, 02 January 2024 12:17 GMT

Cisco Talos Incident Trends Report For The Third Quarter Of 2025: Public-Facing Applications Become A Prime Target For Cybercriminals


(MENAFN- Mid-East Info) News Summary:



  • Newly disclosed SharePoint vulnerabilities caused a dramatic spike in cyberattacks during the quarter.
  • Ransomware incidents accounted for about 20% of cases in Q3 2025, down from 50% in the previous quarter, but ransomware remains a persistent threat.
  • Nearly one-third of incidents this quarter involved attackers bypassing or abusing multi-factor authentication (MFA).

Dubai, UAE, November 25, 2025 – Cisco Talos, one of the largest commercial threat intelligence teams globally, released its Incident Trends report for the third quarter of 2025, highlighting the latest threat trends, top ransomware families and new attacker tactics:

Ransomware Trends

Cisco Talos' Q3 2025 report reveals that ransomware incidents accounted for approximately 20% of cases in Q3 2025, down from 50% last quarter. Despite this decrease, Talos cautions that this drop does not necessarily signal a long-term downward trend, as ransomware remains one of the most persistent threats to organizations.

During the third quarter, Talos identified three new ransomware variants (Warlock, Babuk, and Kraken) alongside well-known threats like Qilin and LockBit. Qilin, which first appeared earlier this year, ramped up its attacks and is expected to remain a major risk through the end of 2025. In one case, criminals executed their ransomware just two days after the initial breach. LockBit, one of the world's most notorious ransomware groups, was also active.

One of the malware attacks investigated by Talos was attributed to Storm-2603, a group believed to operate from China. Notably, they utilized the legitimate security tool Velociraptor, a first in ransomware operations. Velociraptor is designed for deep visibility into computers and networks, enabling attackers to collect data, monitor activity, and maintain control after breaking in.

Exploitation of Public-Facing Applications

Over 60% of incidents this quarter began with exploitation of public-facing applications - a dramatic rise from less than 10% last quarter. This spike is primarily linked to a wave of attacks exploiting newly disclosed vulnerabilities in on-premises Microsoft SharePoint servers via the ToolShell attack chain.

This quarter's ToolShell activity highlights the importance of robust segmentation and rapid patching. The ToolShell attack wave also highlights how quickly cybercriminals mobilize once zero-day vulnerabilities are disclosed. The first known exploitation occurred a day before Microsoft's advisory, with most incidents handled by Talos occurring within the next ten days.

“The Talos data shows how quickly attackers exploit newly disclosed vulnerabilities in public-facing applications,” said Fady Younes, Managing Director for Cybersecurity at Cisco Middle East, Africa, Türkiye, Romania and CIS. “For organizations in the UAE expanding digital and cloud services, exploit protection and strong network segmentation are critical to reducing the risk of disruptive attacks. We support customers by combining Talos threat intelligence with our security solutions to help them identify vulnerable systems faster and respond more effectively when attacks occur.”

Multi-Factor Authentication (MFA) Abuse on the Rise

Nearly one-third of incidents this quarter involved attackers bypassing or abusing multi-factor authentication (MFA), often through techniques like overwhelming users with repeated login requests (“MFA bombing”) or exploiting weaknesses in MFA set-ups. These findings highlight that simply enabling MFA is not enough: organizations also need to monitor for suspicious login activity and ensure their MFA policies are robust.
