Wednesday, February 11 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-02-09 17:58 to 2026-02-11 17:58 (UTC)

Snapshot Summary

| Sector / Section | Headline Highlights | Count |
| --- | --- | --- |
| DFIR & Incident Response | SolarWinds WHD active exploitation; Defender tooling abused; Vulnerability “org memory” playbook | 2 |
| Cyber Investigations | VoidLink link-sorting malware; Muddled Libra playbook updates; RenEngine loader infrastructure mapped | 3 |
| Major Cyber Incidents | BridgePay payment disruption; EC mobile management breach; Singapore telco espionage response | 3 |
| Exploits & Threat Intelligence | CISA adds six KEVs; Microsoft fixes six zero-days; BeyondTrust critical unauth RCE | 3 |
| Law Enforcement | $73M pig-butchering sentencing; India expands cybercrime enforcement capability | 2 |
| Policy | ENISA international strategy published; EU clears Google–Wiz deal; India anti-fraud conference agenda | 3 |
| Standards & Compliance | EDPB/EDPS Digital Omnibus opinion; IETF PSEA draft posted for review | 2 |
| Consumer App Data Leaks | Stalkerware vendor records leaked; Photo-ID apps expose GPS; Substack user contact data stolen | 3 |

Digital Forensics & Incident Response

SolarWinds WHD exploitation used to deploy Velociraptor — ([AMER]) Incident responders are tracking active exploitation of SolarWinds Web Help Desk flaws where intruders rapidly pivoted to Zoho/Cloudflare tunnels and deployed Velociraptor as a remote access and collection framework. For DFIR teams, this is a reminder to hunt for “legit tool” telemetry (MSI installs, VQL activity, Cloudflare Workers) and to preserve volatile evidence early because the attacker workflow is fast and cleanup-oriented. (Source: BleepingComputer, 10-02-2026).

NCSC guidance on strengthening vulnerability response “organizational memory” — ([EMEA]) The UK NCSC published a playbook-style blog on improving vulnerability management response so lessons from prior remediation cycles are not lost when teams rotate or incidents fade. For IR leaders, it maps directly to post-incident controls: keeping asset/patch evidence, repeating detection checks after fixes, and building a defensible audit trail that shortens containment time when the same weakness reappears in a new product line. (Source: UK NCSC, 10-02-2026).

Cyber Investigations

Cisco Talos details “VoidLink” operations targeting UAT-9921 — ([AMER]) Cisco Talos published an investigation into VoidLink activity, describing how the actor targets a tracked victim set (UAT-9921) and uses link-sorting and delivery infrastructure to steer victims into follow-on compromise paths. For investigators, the value is in infrastructure pivot points (redirectors, domains, hosting patterns) that can be turned into retro-hunts, plus a clearer attribution-quality narrative when assembling timelines and reporting to stakeholders. (Source: Cisco Talos, 10-02-2026).

Unit 42 updates the “Muddled Libra” intrusion playbook — ([AMER]) Palo Alto Networks Unit 42 published an updated “Muddled Libra” playbook that consolidates observed tactics, access methods, and monetization paths used across recent intrusions. DFIR and threat-hunting teams can translate the mapped TTPs into detection rules, especially around initial access artifacts and credential workflows, while investigations teams gain a structured lens for incident classification and more consistent evidence packaging across cases. (Source: Unit 42, 11-02-2026).

RenEngine loader campaign analysis ties delivery to Remcos RAT — ([EMEA]) BleepingComputer reported on research describing the “RenEngine” loader used to stage Remcos RAT, including the campaign’s delivery mechanics and infrastructure used to maintain resilience. For cyber investigations, this gives actionable pivots (loader behavior, network beacons, hosting traits) that help correlate seemingly small endpoint infections into a single campaign, improving scoping accuracy and supporting victim-to-victim linkage when sharing IOCs. (Source: BleepingComputer, 11-02-2026).

Major Cyber Incidents

Ransomware hits payment processor BridgePay, disrupting customers — ([AMER]) BridgePay confirmed a ransomware incident that forced operational disruption for customers relying on its payment processing services, with recovery and restoration work continuing as impacts rippled into downstream merchants. For IR teams, this is a live case study in third-party dependency response: isolate integrations, validate settlement/transaction integrity, and preserve evidence across both the processor and affected customers to reduce fraud risk and speed claims/notifications. (Source: TechRadar, 09-02-2026).

European Commission investigates breach of mobile device management platform — ([EMEA]) The European Commission disclosed it detected traces of a cyberattack targeting infrastructure used to manage staff mobile devices, prompting an investigation into potential exposure of staff-related information. For defenders, MDM compromise is high-impact because it can enable stealthy device control, credential collection, and lateral movement; rapid scoping should include device enrollment logs, policy change history, certificate issuance events, and cross-tenant authentication anomalies. (Source: BleepingComputer, 09-02-2026).

Singapore details Operation CYBER GUARDIAN response to UNC3886 telco targeting — ([APAC]) Singapore’s authorities described a major defensive operation mounted with telecom operators to contain espionage activity attributed to UNC3886, with focus on limiting adversary movement in telco environments. For incident teams in critical infrastructure, the disclosure underscores the need to harden edge/network devices and privileged access paths, plus to test crisis coordination playbooks that span regulators, national CERT functions, and multiple private operators under time pressure. (Source: IMDA Singapore, 09-02-2026).

Exploits & Threat Intelligence

CISA adds six actively exploited vulnerabilities to KEV catalog — ([AMER]) CISA added six new vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation, tightening deadlines for federal remediation and offering a clear prioritization signal for everyone else. For defenders, KEV adds are a practical “patch now” trigger: use them to re-rank backlog, validate compensating controls, and ensure exploit-path telemetry (web shells, suspicious auth, abnormal process trees) is being logged before and after patching. (Source: CISA, 10-02-2026).

Microsoft February 2026 Patch Tuesday fixes six exploited zero-days — ([AMER]) Microsoft’s February 2026 Patch Tuesday shipped fixes for dozens of issues, including six zero-days reported as actively exploited, raising immediate patch urgency for Windows and enterprise estates. For DFIR and SecOps, the “in-the-wild” set should drive rapid exposure analysis (where vulnerable components are present), threat-hunts for matching post-exploitation behaviors, and careful change control to avoid breaking critical systems while still closing privilege escalation and remote attack paths quickly. (Source: BleepingComputer, 11-02-2026).

BeyondTrust discloses critical unauthenticated RCE in Remote Support/PRA — ([AMER]) BeyondTrust disclosed a critical OS command injection issue (CVE-2026-1731) affecting Remote Support and certain Privileged Remote Access versions that could allow remote code execution without authentication. For threat teams, internet-exposed remote support tooling is a prime initial-access target; prioritize asset discovery, patch verification, and monitoring for anomalous process execution and web request patterns that suggest probing or exploitation attempts against helpdesk-style entry points. (Source: TechRadar, 10-02-2026).

Law Enforcement

Fugitive tied to $73M “pig butchering” fraud sentenced to 20 years — ([AMER]) A court sentenced a dual national in absentia to 20 years for operating an international “pig butchering” cryptocurrency investment scheme that defrauded victims of more than $73 million. For investigators and IR teams, the case highlights how scam ecosystems blend identity fraud, crypto off-ramps, and cross-border money movement; preserving chat logs, KYC artifacts, wallet traces, and exchange interaction records is essential for recoveries and referral-ready evidentiary packages. (Source: BleepingComputer, 10-02-2026).

India launches new CBI cybercrime branch and I4C coordination dashboard — ([APAC]) India’s Ministry of Home Affairs announced the inauguration of a dedicated CBI cybercrime branch alongside a State Cyber Crime Coordination Centre dashboard under the I4C ecosystem to improve operational coordination. For cyber professionals, these institutional changes can accelerate evidence requests and multi-jurisdiction case handling; incident responders operating in India should align reporting workflows, retain enriched logs, and document loss timelines to support rapid freezing and fraud-blocking actions. (Source: Press Information Bureau (India), 11-02-2026).

Policy

ENISA publishes International Strategy 2026 — ([EMEA]) ENISA released its International Strategy 2026, outlining how the agency will engage non-EU partners and international organizations to strengthen cybersecurity outcomes aligned to EU policy priorities. For CISOs and policy-aware responders, it signals where future cross-border collaboration, information sharing, and coordinated capacity-building may concentrate, which can influence incident coordination expectations, reporting norms, and the practical reach of EU cyber initiatives across suppliers and affiliates. (Source: ENISA, 09-02-2026).

European Commission clears Google acquisition of Wiz — ([EMEA]) The European Commission announced unconditional merger approval for Google’s acquisition of cloud security firm Wiz, concluding the deal raised no competition concerns in the EEA. For enterprise security leaders, consolidation at the cloud-security layer can affect product roadmaps, pricing leverage, and data residency/legal review; DFIR teams should track any resulting tooling migrations that could impact log retention, detection baselines, and evidence accessibility during investigations. (Source: European Commission, 10-02-2026).

India convenes national conference on dismantling cyber-enabled fraud ecosystems — ([APAC]) India announced a two-day national conference (10–11 February 2026) focused on tackling cyber-enabled frauds and breaking the supporting criminal ecosystem, organized with CBI and I4C participation. For defenders, policy focus on fraud ecosystems typically translates into stronger reporting expectations and faster disruption actions; organizations should tune detection for mule-account patterns, SIM-swap indicators, and cross-channel social engineering, and be ready to share high-fidelity indicators. (Source: Press Information Bureau (India), 09-02-2026).

Standards & Compliance

EDPB/EDPS publish Joint Opinion 2/2026 on the EU “Digital Omnibus” proposal — ([EMEA]) The European data protection authorities published a joint opinion on the proposed “Digital Omnibus” regulation, focusing on how simplification efforts should still preserve fundamental privacy and data protection safeguards. For compliance and incident teams, these opinions often foreshadow regulator expectations on governance and accountability; aligning breach response documentation, DPIA/records of processing, and processor controls now can reduce enforcement risk as legislative changes mature into binding requirements. (Source: EDPB/EDPS, 11-02-2026).

IETF posts draft “Post-Session Execution Assurance (PSEA)” security model — ([AMER]) The IETF datatracker posted a new Internet-Draft describing Post-Session Execution Assurance (PSEA), a security model aimed at verifying authority at the moment an action is executed rather than only at initial authentication time. For architects and assessors, it’s relevant to modern “continuous authorization” patterns (high-risk admin actions, token abuse, session hijack mitigation) and can inform future control language, design reviews, and threat models in identity-heavy environments. (Source: IETF Datatracker, 09-02-2026).

Consumer App Data Leaks

Stalkerware vendor breach leaks 500,000+ sensitive records — ([EMEA]) A stalkerware developer associated with apps used for covert tracking suffered a breach that exposed hundreds of thousands of records, including customer and purchase-related details, after a vulnerability was exploited and data posted online. For practitioners, these leaks fuel follow-on harm (doxxing, extortion, account takeover) and raise notification complexity; consumer-facing organizations should warn users about scam outreach, reset exposed identifiers where possible, and coordinate with platforms on abuse reporting. (Source: TechRadar, 10-02-2026).

Photo ID apps leak user data via misconfigured Firebase, including GPS — ([AMER]) Researchers reported that three popular photo identification apps exposed user data through misconfigured Firebase databases, potentially including names, images, tokens, and GPS coordinates for affected users. For DFIR and privacy teams, Firebase misconfigurations remain a recurring root cause; implement continuous cloud data exposure monitoring, validate authentication rules, rotate exposed tokens, and treat location fields as high-risk data requiring tighter access controls and incident-ready logging. (Source: TechRadar, 09-02-2026).
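"Validate authentication rules" can be made a repeatable check rather than a manual review. The audit below is an added example for this roundup, not code from the researchers or from Firebase; it walks a Firebase Realtime Database rules document (the real `rules` / `.read` / `.write` JSON shape) and flags grants that are public, never consult `auth`, or open sensitive fields to any signed-in user. Both rule sets it runs over are constructed here: a wide-open root grant of the kind behind such leaks, and a tightened version scoped per user. The keyword list used to decide what counts as sensitive is an assumption of this example.

```python
import json

# Assumed list of path segments that mark high-risk data; extend to taste.
SENSITIVE_KEYS = ("location", "gps", "lat", "lng", "latitude", "longitude",
                  "token", "email", "phone", "address")

# Constructed weak ruleset: the root grant cascades to every child path, and
# Realtime Database rules cannot narrow a grant made at a parent, so this
# exposes the entire database to unauthenticated reads and writes.
WEAK_RULES = '{"rules": {".read": true, ".write": true}}'

# Constructed tightened ruleset: per-user data readable/writable only by its
# owner (the "location" child inherits that), plus one deliberately public,
# read-only catalog path.
HARDENED_RULES = json.dumps({"rules": {
    "users": {"$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
    }},
    "catalog": {".read": True, ".write": False},
}})


def _is_public(expr):
    """A literal true (boolean or string) grants access to everyone."""
    return expr is True or (isinstance(expr, str) and expr.strip().lower() == "true")


def _is_deny(expr):
    return expr is False or (isinstance(expr, str) and expr.strip().lower() == "false")


def _is_unauthenticated(expr):
    """A string expression that never references `auth` can be satisfied by a
    request carrying no Firebase identity (e.g. it only inspects data values)."""
    return (isinstance(expr, str) and "auth" not in expr
            and not _is_public(expr) and not _is_deny(expr))


def _walk(node, path, findings):
    if not isinstance(node, dict):
        return
    where = "/" + "/".join(path) if path else "/ (root)"
    sensitive = any(tok in seg.lower() for seg in path for tok in SENSITIVE_KEYS)
    for key, value in node.items():
        if key in (".read", ".write"):
            perm = key[1:]
            if _is_public(value):
                findings.append({"path": where, "permission": perm, "rule": value,
                                 "issue": "public " + perm,
                                 "severity": "high" if (not path or sensitive) else "medium"})
            elif _is_unauthenticated(value):
                findings.append({"path": where, "permission": perm, "rule": value,
                                 "issue": "unauthenticated " + perm, "severity": "high"})
            elif sensitive and isinstance(value, str) and value.replace(" ", "") == "auth!=null":
                findings.append({"path": where, "permission": perm, "rule": value,
                                 "issue": perm + " open to any signed-in user on sensitive data",
                                 "severity": "medium"})
        elif key.startswith("."):
            continue  # .validate / .indexOn carry no access grant
        else:
            _walk(value, path + [key], findings)


def audit_rules(rules_json):
    """Return a list of findings for a Realtime Database rules document."""
    doc = json.loads(rules_json)
    findings = []
    _walk(doc.get("rules", {}), [], findings)
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {name}")
        for f in audit_rules(rules):
            print(f"  [{f['severity']}] {f['path']}: {f['issue']} (rule={f['rule']!r})")
```

A medium finding on an intentionally public path (the catalog above) is the expected residue; the point of the check is that nothing sensitive and nothing at the root appears in the high bucket.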

Substack confirms breach exposing user emails and phone numbers — ([AMER]) Substack disclosed an incident where an unauthorized party accessed internal user data including email addresses and phone numbers, with the company stating passwords and payment details were not affected. For defenders, this is a classic “contact-data breach” scenario that enables targeted phishing and SIM-swap attempts; recommend heightened monitoring for social engineering, enforce strong MFA on email/telephony accounts, and make sure breach comms clearly differentiate between authentication secrets and metadata exposure. (Source: The Verge, 05-02-2026).

Editorial Perspective

The last 48 hours underline a familiar operational truth: attackers increasingly blend “legitimate” admin and monitoring tools into intrusion chains, compressing dwell time and making evidence collection windows smaller.

At the same time, public-sector disclosures—from the European Commission’s MDM incident to Singapore’s telco response—show that identity, endpoint management, and edge infrastructure remain the pressure points for both espionage and broad disruption.

Treat KEV and exploited zero-day lists as workflow triggers, not reading material, and pair that urgency with disciplined vulnerability-response memory so your next incident starts with a playbook, not a scramble.

Tags

DFIR, incident-response, ransomware, KEV, zero-day, patch-management, MDM, telecom-security, fraud-ecosystems, data-breach, IOCs, privacy-compliance
