Monday, February 9 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-01-12 16:35 to 2026-01-14 16:35 (UTC)

Snapshot Summary

Sector / Section          | Headline Highlights                                                                   | Count
DFIR & Incident Response  | Advantech CVE response; Gogs zero-day patching; Patch Tuesday triage                  | 3
Cyber Investigations      | Armenia data-sale probe; Greek outage attribution check                               | 2
Major Cyber Incidents     | Belgian hospital disruption; Kyowon ransomware scare; Endesa breach; Poland grid attempt | 4
Exploits & Threat Intelligence | VoidLink Linux framework; Charity-lure espionage; SAP critical patch cycle        | 3
Law Enforcement           | Black Axe arrests; iSpoof fraud charges; Supreme Court filing hack plea               | 3
Policy                    | Germany–Israel cyber defence; US cyber posture debate                                 | 2
Standards & Compliance    | CNIL telecom security fines; SingCERT bulletin hardening                              | 2
Consumer App Data Leaks   | NZ health portal breach; Instagram reset-email scare                                  | 2

Digital Forensics & Incident Response

Critical Vulnerability in Advantech Products — Singapore’s CSA warned that a critical Advantech flaw (CVE-2025-52694) carries a CVSS 10.0 and urged immediate upgrades to fixed versions [APAC]. DFIR teams should treat internet-exposed OT/edge devices as high-risk, hunt for anomalous management access and new binaries, and validate compensating controls (network segmentation, allowlists) while patch windows are arranged. (Source: Cyber Security Agency of Singapore, 12-01-2026).

CISA orders feds to patch Gogs RCE flaw exploited in zero-day attacks — CISA directed agencies to remediate an actively exploited Gogs PutContents API path-traversal/RCE issue (CVE-2025-8110) after zero-day activity was observed in the wild [AMER]. Incident responders should assume initial access via exposed dev services, review repo write events and Git config changes, rotate credentials/tokens, and add detections for web-to-shell execution chains on build and SCM hosts. (Source: BleepingComputer, 12-01-2026).

Microsoft January 2026 Patch Tuesday fixes 3 zero-days, 114 flaws — Microsoft’s January security release shipped fixes for 114 vulnerabilities, including three zero-days (one exploited and two publicly disclosed) that affect Windows environments [AMER]. DFIR practitioners should prioritize patch validation on authentication, browser/Office, and privilege-boundary components, then verify endpoint telemetry for pre-patch exploitation indicators (new scheduled tasks, unusual DLL loads, LSASS access) before broad rollout. (Source: BleepingComputer, 13-01-2026).

Cyber Investigations

Armenia probes alleged sale of 8 million government records on hacker forum — Armenian officials opened an investigation after a threat actor advertised millions of records tied to government notification systems for sale, while a government-linked body publicly disputed an email-platform breach [EMEA]. Forensic teams should separate “data source” from “data distribution,” preserve portal and IAM logs quickly, and validate whether infostealer-driven credential reuse enabled access to citizen-facing platforms. (Source: The Record, 12-01-2026).

Greece rules out cyberattack as cause of airspace disruption, minister says — Greek authorities said a disruption that affected airspace operations was not caused by a cyberattack, following initial concern and technical checks [EMEA]. This is a reminder for investigators to run parallel hypotheses (IT fault, comms failure, cyber) and to retain flight-ops, network and identity telemetry early so post-incident conclusions are evidence-led rather than assumption-led. (Source: Reuters, 13-01-2026).

Major Cyber Incidents

Cyberattack forces Belgian hospital to transfer critical care patients — A cyberattack linked to reported ransomware forced AZ Monica hospital to shut down servers, cancel procedures and transfer unstable critical-care patients as access to electronic records was disrupted [EMEA]. Healthcare responders should prioritize patient-safety workflows, isolate clinical networks, and capture volatile evidence from EHR-adjacent systems (VDI, Citrix, VPN, backup consoles), because those pivots often determine containment and recovery speed. (Source: The Record, 14-01-2026).

Cyberattack at Kyowon exposes over 9 million user accounts to possible breach: Sources — South Korean authorities and KISA-linked investigators assessed that a suspected ransomware incident at Kyowon Group could involve roughly 9.6 million accounts across affiliates, with breach confirmation still under investigation [APAC]. IR teams should treat this as a multi-tenant identity and directory incident, accelerate log centralization across subsidiaries, and validate whether ransomware “traces” indicate lateral movement, data staging, or merely an aborted encryption attempt. (Source: Korea JoongAng Daily, 14-01-2026).

Endesa and Energía XXI notify customers of data breach — Spain’s Endesa/Energía XXI disclosed unauthorized access to a commercial platform and warned that customer identifiers and payment-related data (including IBANs) may have been exposed, while passwords were reportedly not [EMEA]. For responders, this is a classic “CRM/portal compromise” scenario: confirm scope via access logs and export events, rotate API keys and service accounts, and coordinate fraud monitoring because exposed billing artifacts drive rapid social-engineering and account-takeover attempts. (Source: SC Media, 13-01-2026).

Polish minister says failed cyberattack on power system under control — Poland’s energy minister said a cyberattack attempt targeting the national power system was thwarted and the situation was under control, signalling heightened critical-infrastructure targeting [EMEA]. DFIR leaders should use the event as a trigger to validate OT incident playbooks, test segmentation between corporate IT and SCADA management, and ensure immutable logging and secure time sources are in place for credible post-event reconstruction. (Source: Reuters, 14-01-2026).

Exploits & Threat Intelligence

New VoidLink malware framework targets Linux cloud servers — Researchers reported a cloud-native Linux malware framework dubbed VoidLink, featuring modular loaders/implants and plugins aimed at modern cloud server stacks [AMER]. Threat intel and detection engineering teams should map its components to cloud control-plane activity (IAM abuse, token theft, container persistence), add eBPF/endpoint and audit-log detections, and review hardened images because stealthy Linux frameworks often bypass Windows-centric monitoring. (Source: BleepingComputer, 13-01-2026).

Kremlin-linked hackers pose as charities to spy on Ukraine’s military — A Russia-linked espionage cluster was reported using charity impersonation and messaging-app lures to deliver a newly described backdoor (“PluggyApe”) to targets tied to Ukraine’s defense forces [EMEA]. For defenders, the operational lesson is that “trusted channel” delivery is replacing bulk phishing, so SOCs should tighten controls around archive/executable handoffs in chat apps, and hunt for first-stage droppers arriving via Signal/WhatsApp workflows on both endpoints and BYOD devices. (Source: The Record, 13-01-2026).

SAP’s January 2026 Security Updates Patch Critical Vulnerabilities — SAP released its first 2026 patch cycle covering dozens of issues, including critical flaws such as SQL injection and remote code execution across enterprise components [EMEA]. Threat teams should watch for rapid weaponization against internet-facing SAP services, while operations teams prioritize emergency change windows, validate kernel and app-layer mitigations, and monitor for exploitation artifacts (new users, RFC abuse, unusual ICM requests) post-patching. (Source: SecurityWeek, 13-01-2026).

Law Enforcement

Spanish police arrest 10 in operation against Black Axe — Spanish police, supported by Europol, announced arrests tied to the Black Axe cybercrime network, a group long associated with online fraud and money laundering operations [EMEA]. For investigators, these actions can surface valuable infrastructure, mule-account patterns and device evidence, so organizations should re-check payment-fraud rules, enrich threat intel with seized indicators when released, and preserve suspicious transaction logs for potential victim notifications. (Source: CyberScoop, 13-01-2026).

Police across Europe charge 23, including ringleader, in iSpoof case — European law enforcement said 23 people, including an alleged ringleader, were charged in follow-on action linked to the iSpoof phone-spoofing fraud ecosystem [EMEA]. DFIR and fraud teams should treat the case as a signal that telecom and VoIP abuse evidence is being actively leveraged, and ensure call-analytics, SIP logs and customer complaint data are retained in forensically sound form to support downstream subpoenas and restitution efforts. (Source: Europol, 12-01-2026).

Tennessee man to plead guilty to hacking Supreme Court’s electronic case filing system — Court filings indicate a Tennessee man is expected to plead guilty to a misdemeanor for unauthorized access to the U.S. Supreme Court’s electronic case filing system over multiple days [AMER]. The case underlines how “low-and-slow” unauthorized access can persist without immediate impact signals, so security teams should baseline access patterns for court/records portals, enforce MFA and rate limits, and keep tamper-evident audit trails suitable for legal proceedings. (Source: The Record, 13-01-2026).

Policy

Germany, Israel set to sign cyber defence deal, sources say — Germany and Israel were reported to be finalizing a cyber defense agreement, reflecting deeper bilateral coordination amid elevated state and criminal threat activity [EMEA]. For cyber leaders, such deals can change information-sharing and incident-response expectations (including CNI), so practitioners should monitor for new joint advisories, updated reporting pathways, and any procurement or interoperability requirements that may affect detection and response tooling. (Source: Reuters, 14-01-2026).

Warner warns Hill about cyber offense-defense disagreement — A U.S. Senate leader cautioned that congressional disagreement over the balance of cyber offense and defense could weaken national readiness and coherence in cyber strategy [AMER]. For practitioners, policy uncertainty can translate into shifting authorities, disclosure norms and funding priorities, so organizations should keep incident reporting and legal review processes flexible and maintain strong public-private coordination channels independent of short-term political swings. (Source: CyberScoop, 13-01-2026).

Standards & Compliance

France fines two telcos €42M for poor security — France’s data protection regulator imposed fines totaling €42 million on two telecom providers over inadequate security controls linked to compromise and customer-data exposure [EMEA]. Compliance and DFIR teams should use the enforcement as a benchmark: document control effectiveness (not just policy), prove timely remediation, and ensure breach-ready evidence packages (risk assessments, patch SLAs, access reviews) can withstand regulator scrutiny. (Source: The Register, 14-01-2026).

SingCERT Security Bulletin (January 2026) — Singapore’s SingCERT published its January 2026 security bulletin consolidating notable vulnerabilities and recommended mitigations for organizations and users [APAC]. Standards-aligned programs can operationalize this by mapping bulletin items to internal patch SLAs and CIS/NIST control evidence, then tracking closure with measurable artifacts (scan deltas, configuration baselines, exception approvals) to support audit and continuous compliance. (Source: Cyber Security Agency of Singapore, 14-01-2026).

Consumer App Data Leaks

Manage My Health data breach: A timeline of what happened, and everything we know so far — New Zealand outlet RNZ detailed an ongoing response to the Manage My Health breach, where a threat actor claimed theft of sensitive health documents and extortion attempts affecting a subset of registered users [APAC]. Consumer-facing DFIR playbooks should prioritize identity-protection guidance, phishing warnings, and coordinated comms with healthcare providers, while investigators preserve authentication telemetry to confirm whether credential compromise, weak MFA adoption, or application flaws enabled access. (Source: RNZ, 14-01-2026).

Meta denies data breach of 17.5 million users; asks users to ignore password reset emails — Meta said an external party triggered password-reset emails for some Instagram users and stated there was no breach of its systems, countering claims of a large-scale data leak [APAC]. For consumer-security teams, this is a high-volume “account scare” pattern: ensure reset flows are rate-limited and abuse-monitored, communicate clearly to reduce credential stuffing follow-on, and watch for phishing kits that replay the same reset-email narrative to harvest logins. (Source: The Economic Times, 12-01-2026).

Editorial Perspective

This cycle shows a familiar pattern: urgent patching (Gogs, Microsoft, SAP) colliding with real-world disruption across healthcare, energy and education services.

For DFIR teams, the actionable takeaway is to treat exposed developer platforms and third-party portals as frontline attack surfaces, with rapid containment playbooks and log retention that assumes regulators and law enforcement will follow.

Meanwhile, state-linked tradecraft is shifting toward “trusted channel” delivery (messaging apps, tailored lures), reinforcing the need for endpoint visibility on BYOD and strict executable-handling controls beyond email.

Tags

DFIR, ransomware, KEV, zero-day, Patch Tuesday, SAP security notes, Linux malware, cloud security, critical infrastructure, healthcare cyberattack, data breach, law enforcement operations
