I'm Locked In: A Tale of Unexpected Confinement

  • Jan 29
  • 2 min read

Key Findings


  • Exploitation of public-facing applications remained the top method of initial access, though it declined from 62% to about 40% of engagements.

  • Phishing was the second-most common tactic, notably targeting Native American tribal organizations, and credential harvesting often led to further internal attacks.

  • Ransomware incidents continued to fall, making up only 13% of cases, with Qilin ransomware still dominant.


Background


Cisco Talos Incident Response's report for Q4 2025 is now available, providing insights into the evolving threat landscape. The report highlights key trends observed during incident response engagements, offering security teams valuable information to enhance their defensive strategies.


Exploitation of Public-Facing Applications


Attackers are quickly leveraging both newly disclosed and older vulnerabilities in internet-facing applications, underscoring the need for rapid patching and minimizing exposure. This method of initial access declined from 62% to about 40% of engagements, but remains a significant concern.


Phishing and Credential Harvesting


The increase in targeted phishing and MFA abuse demonstrates that adversaries are adapting their techniques to bypass common security controls. Notably, Native American tribal organizations were targeted by phishing campaigns, highlighting the need for increased vigilance in under-resourced sectors.


Ransomware Decline


While ransomware incidents continued to fall, making up only 13% of cases, the Qilin ransomware strain remained dominant. This underscores the evolving nature of the ransomware threat and the importance of proactive defense strategies.


Recommendations


Security teams should focus on:


  • Promptly patching systems to address vulnerabilities

  • Ensuring MFA is well-configured and monitored

  • Maintaining detailed logs to spot and investigate suspicious activity

  • Collaborating with incident response experts to limit the damage in the event of an attack


Top Security Headlines


  • Poland's energy grid was targeted by never-before-seen wiper malware, likely the work of a Russian government hacker group.

  • The North Korean hacker group Konni is using AI-generated PowerShell malware to target developers and engineers in the blockchain sector.

  • Two high-severity vulnerabilities in the n8n platform could allow authenticated remote code execution.

  • 31 more suspects have been charged in a nationwide ATM jackpotting scam, bringing the total to 87 suspects.


© 2025 by Explain IT Again.