Brute‑force and social‑engineering surge
Cyber intelligence accounts report a spike in persistent brute‑force attempts against network gear alongside faster ransomware campaigns and more convincing social‑engineering, citing vendor telemetry and incident trends (x.com). A separate X post shared simple user‑level advice — verify sources and keep systems patched — as immediate mitigation steps being promoted across the security community (x.com).
Hackers are spending more time hammering internet-facing gear and less time lingering once they get in. CrowdStrike says average eCrime “breakout time” fell to 29 minutes in 2025. (crowdstrike.com)

That “edge” gear is the equipment at a network’s border — routers, firewalls and virtual private network gateways that sit on the public internet. The Cybersecurity and Infrastructure Security Agency said those devices are prime targets because attackers exploit known flaws, weak settings and misconfigurations to get initial access. (cisa.gov)

CISA said on February 5, 2026 that federal civilian agencies must remove unsupported edge devices from their networks under Binding Operational Directive 26-02. The agency said unsupported hardware and software at the perimeter no longer receive security patches and are being exploited by persistent threat actors. (cisa.gov)

Once attackers get in, the follow-on activity is moving faster. CrowdStrike said the fastest breakout it observed in 2025 took 27 seconds, and Palo Alto Networks’ Unit 42 said exfiltration speeds in the fastest attacks quadrupled in 2025. (crowdstrike.com) (paloaltonetworks.com)

Identity theft is replacing smash-and-grab malware as the main route through many networks. Unit 42 said identity weaknesses played a material role in almost 90% of its investigations, and 87% of intrusions it handled involved activity across multiple attack surfaces. (paloaltonetworks.com)

Social engineering is shifting too. Microsoft said in an April 6, 2026 research post that a widespread phishing campaign used artificial intelligence and automation to generate live device-authentication codes, while CrowdStrike said 87% of organizations in its 2025 ransomware survey saw AI making phishing lures more convincing. (microsoft.com) (crowdstrike.com)

Microsoft said the campaign tailored emails to targets’ roles with themes like invoices, requests for proposals and manufacturing workflows. The company said the attackers used stolen tokens for email theft, inbox-rule persistence and reconnaissance through Microsoft Graph. (microsoft.com)

Governments have been pushing the same defensive steps for months: replace unsupported edge devices, keep supported systems patched, and turn on the logging needed to spot intrusions. CISA’s February 4, 2025 edge-device guidance also urged manufacturers to build products that are secure by design, including better default logging for investigations. (cisa.gov 1) (cisa.gov 2)

The immediate advice for users is less technical than the tooling behind the attacks: verify who is asking, how they are asking, and whether the system involved is fully updated. In a threat cycle measured in minutes and seconds, basic checks still buy time. (microsoft.com) (cisa.gov)
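One way to put the "turn on the logging" advice to work against the inbox-rule persistence Microsoft describes, as an added example that is not from the article, Microsoft or CrowdStrike: it scans constructed, simplified Microsoft 365 audit records for rule changes that delete, hide or forward mail, or that filter on the invoice, RFP and security themes the campaign used. The record shape, the user addresses and the folder and keyword lists are assumptions; the parameter names are those of the Exchange New-InboxRule and Set-InboxRule cmdlets.

```python
import re

# Exchange inbox-rule parameters that divert mail away from the user's inbox.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                  "archive", "conversation history"}
# Words an attacker filters on to hide the lure thread or alerts about the account.
SUSPECT_WORDS = {"invoice", "rfp", "proposal", "password", "hacked", "phish",
                 "security", "suspicious", "unusual"}

# Constructed, simplified audit records (not real telemetry); only the
# Operation / Parameters[{Name, Value}] shape of real audit entries is kept.
CONSTRUCTED_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [
        {"Name": "SubjectContainsWords", "Value": "invoice;security alert"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "Parameters": [
        {"Name": "From", "Value": "news@vendor.example"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com", "Parameters": [
        {"Name": "ForwardTo", "Value": "collector@mail.example"}]},
    {"Operation": "New-InboxRule", "UserId": "dave@example.com", "Parameters": [
        {"Name": "BodyContainsWords", "Value": "password;RFP"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
]


def rule_indicators(record):
    """Return the reasons a rule-change record looks like post-compromise persistence."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: str(x["Value"]) for x in record.get("Parameters", [])}
    reasons = []
    if p.get("DeleteMessage") == "True":
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to rarely read folder " + p["MoveToFolder"])
    for key in FORWARD_PARAMS:
        if key in p:
            reasons.append(key + " " + p[key])
    filters = " ".join(p.get(k, "") for k in ("SubjectContainsWords",
                       "BodyContainsWords", "SubjectOrBodyContainsWords"))
    hits = set(re.findall(r"[a-z]+", filters.lower())) & SUSPECT_WORDS
    if hits:
        reasons.append("filters on " + ", ".join(sorted(hits)))
    return reasons


def scan(records):
    """Map each user to the indicators their rule changes fired (clean users are omitted)."""
    return {r["UserId"]: ind for r in records if (ind := rule_indicators(r))}
```

Bob's newsletter rule fires nothing; the other three records each produce at least one reason worth a triage ticket.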