Monday, February 9 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-01-14 13:09 to 2026-01-16 13:09 (UTC)

Snapshot Summary

Sector / Section          | Headline Highlights                                                    | Count
DFIR & Incident Response  | OT secure connectivity principles; Fresh ICS advisories triage         | 2
Cyber Investigations      | Venezuelan-themed malware targeting; Botnet defendant evidence dispute | 2
Major Cyber Incidents     | Belgian hospitals operational disruption; Eurail customer data breach  | 2
Exploits & Threat Intel   | FortiSIEM exploited in attacks; Ransomware smart-contract pivot        | 2
Law Enforcement           | Money-mule prosecutions announced; Europol-Argentina cooperation formalised | 2
Policy                    | UK resilience bill briefed; EU Cybersecurity Act revision tracks       | 2
Standards & Compliance    | ETSI AI security baseline; PCI Secure Software Standard v2.0           | 2
Consumer App Data Leaks   | Pax8 partner data exposure; TotalEnergies customer records claimed     | 2

Digital Forensics & Incident Response

UK NCSC publishes secure connectivity principles for OT environments — The UK NCSC issued new guidance on “secure connectivity principles” for operational technology to reduce risk from remote access, third-party links, and flat networks (14-01-2026) [EMEA]. For incident responders and forensics teams, the principles translate directly into hardening and evidence-readiness actions (asset boundaries, logging points, and remote-access choke nodes) that reduce blast radius and speed containment when OT incidents hit mixed IT/OT estates (Source: NCSC, 14-01-2026).

CISA ICS advisory flags Siemens Industrial Edge Devices authorization bypass — CISA published an ICS advisory describing an authorization bypass risk affecting Siemens Industrial Edge Devices, with mitigations and vendor coordination details for defenders (15-01-2026) [AMER]. DFIR teams supporting industrial operators can use the advisory to prioritize exposure checks, tighten compensating controls, and pre-stage triage playbooks around affected edge nodes that often sit at IT/OT boundaries and hold high-value logs and credentials (Source: CISA, 15-01-2026).

Cyber Investigations

Reuters: Chinese-linked activity targets U.S. entities with Venezuelan-themed malware — Reporting described a campaign attributed to Chinese-linked actors using Venezuelan-themed lures and malware to target U.S. organizations, per researchers cited by Reuters (15-01-2026) [AMER]. For investigators, the value is in converting tradecraft (lure themes, infrastructure patterns, and malware behavior) into hunting hypotheses, case linkage, and victim-notification workflows—especially where espionage intrusions can overlap with data theft and extortion in later phases (Source: Reuters, 15-01-2026).

Singapore court decision details seized items in alleged cybercrime case — Channel NewsAsia reported on a Singapore court decision involving a Chinese suspect seeking the return of seized items tied to U.S.-linked cybercrime allegations, with the judgment dated 15-01-2026 (16-01-2026) [APAC]. The reporting underscores how cross-border cyber investigations hinge on device seizure integrity, chain-of-custody, and mutual legal assistance—practical considerations DFIR practitioners should plan for when supporting law enforcement-facing matters (Source: Channel NewsAsia, 16-01-2026).

Major Cyber Incidents

Belgian hospitals cancel surgeries and transfer patients after cyberattack — The Register reported that hospitals in Belgium shut down servers after a cyberattack, forcing cancelled procedures, ambulance refusals, and transfers of critical patients as operations degraded (14-01-2026) [EMEA]. For DFIR leaders, it’s a reminder that healthcare outages become safety incidents fast—so tabletop plans should include rapid “downtime-mode” documentation, segmented recovery paths for core clinical systems, and clear external coordination with national CERTs and prosecutors (Source: The Register, 14-01-2026).

Eurail discloses security breach with unauthorized access to customer data — Eurail published a notice stating it experienced a security breach that resulted in unauthorized access to customer data and that it launched an investigation with external specialists (15-01-2026) [EMEA]. Incident responders should treat travel and identity-document datasets as high-risk (passport/ID value, fraud potential), prioritizing credential resets, monitoring for downstream phishing, and ensuring evidence preservation for data-protection notifications and potential cross-jurisdiction regulator inquiries (Source: Eurail, 15-01-2026).

Exploits & Threat Intelligence

BleepingComputer: Fortinet FortiSIEM vulnerability now exploited in attacks — BleepingComputer reported that attackers are actively exploiting a critical Fortinet FortiSIEM vulnerability, with public proof-of-concept code accelerating risk for exposed deployments (16-01-2026) [AMER]. Because SIEM platforms centralize credentials, logs, and connector tokens, compromise can blind detection and enable lateral movement—so defenders should urgently patch, restrict management exposure, and review audit trails for anomalous admin actions and new integrations (Source: BleepingComputer, 16-01-2026).

Group-IB: “DeadLock” ransomware uses blockchain smart contracts in operations — Group-IB published analysis describing “DeadLock” ransomware activity leveraging Polygon smart contracts, highlighting a shift in how criminals may manage infrastructure and payments (15-01-2026) [EMEA]. For threat intel and IR teams, the tactic matters because it can complicate disruption and tracing—so playbooks should incorporate blockchain-aware enrichment, wallet and contract monitoring, and rapid stakeholder comms when attackers use on-chain artefacts as durable command, escrow, or signaling mechanisms (Source: Group-IB, 15-01-2026).

Law Enforcement

Singapore Police: five to be charged for alleged money-mule and scam-related activity — The Singapore Police Force announced five people will be charged for suspected involvement in money-mule and scam-related activities, reflecting ongoing enforcement against fraud ecosystems (15-01-2026) [APAC]. For cyber and financial-crime responders, these cases show why rapid freezing, payment-path tracing, and clean evidentiary exports (chat logs, device images, bank artifacts) are essential—especially when mule networks sit between phishing/impersonation and cash-out (Source: Singapore Police Force, 15-01-2026).

Europol publishes Working Arrangement with Argentina covering cybercrime cooperation — Europol published an updated Working Arrangement with Argentina, formalizing cooperation areas that include cybercrime and enabling structured information exchange (15-01-2026) [EMEA]. For practitioners, closer LE-to-LE pathways can translate into faster takedowns and better victim support, but it also raises the bar for defensible incident records—organizations should expect more cross-border inquiries and prepare standardized evidence packages and disclosure timelines (Source: Europol, 15-01-2026).

Policy

UK local government briefing outlines proposed Cyber Security and Resilience Bill impacts — A UK local-government policy briefing summarized proposed legislation described as a major update to UK cyber law, including potential expansion of scope and new resilience duties (14-01-2026) [EMEA]. For DFIR and governance teams, the practical takeaway is to pre-map “essential services” dependencies, tighten supplier assurance, and align incident reporting playbooks now—because legislative scope creep typically shortens timelines and increases evidentiary expectations once enacted (Source: Local Government Association, 14-01-2026).

EU brief tracks planned revision of the Cybersecurity Act and certification framework pressures — An EU Parliament briefing noted the European Commission was expected to present a revision of the EU Cybersecurity Act on 14-01-2026, reflecting ENISA resourcing and certification framework challenges (13-01-2026) [EMEA]. Cyber leaders should treat this as an early signal to review certification dependencies (managed security services, product assurance, supplier attestations) and anticipate policy-driven changes that could affect procurement, reporting, and audit evidence requirements across the EU market (Source: European Parliament (EPRS), 13-01-2026).

Standards & Compliance

ETSI announces a new European standard setting baseline cybersecurity requirements for AI — ETSI announced publication of a standard aimed at “securing AI,” positioned as baseline cybersecurity requirements for AI models and systems (15-01-2026) [EMEA]. For compliance and assurance teams, this provides a concrete control anchor for AI risk assessments and supplier questionnaires—helping translate vague “secure AI” claims into testable requirements around resilience, governance, and attack-surface reduction (Source: ETSI, 15-01-2026).

PCI SSC releases v2.0 of the PCI Secure Software Standard — The PCI Security Standards Council announced version 2.0 of the PCI Secure Software Standard, outlining training and a transition period to move from prior versions (15-01-2026) [AMER]. Organizations building or buying payment software should treat this as a near-term compliance horizon: update SDLC evidence, align secure coding checkpoints to the new criteria, and ensure incident response can produce the artifacts (SBOMs, code review trails, release governance) auditors will expect (Source: PCI SSC, 15-01-2026).

Consumer App Data Leaks

Pax8 warns partners after mistaken email exposes data affecting ~1,800 MSPs — IT Pro reported that Pax8 disclosed a breach stemming from an email/attachment mishap that exposed partner-related business data impacting around 1,800 managed service providers (16-01-2026) [EMEA]. Even when PII isn’t central, leaked pricing, licensing and customer-environment details can fuel targeted phishing and competitive abuse—so affected firms should rotate exposed identifiers, monitor for social engineering, and preserve communication logs for contractual and regulatory obligations (Source: IT Pro, 16-01-2026).

Cybernews: criminals claim theft of customer records from TotalEnergies — Cybernews reported threat actors claiming to possess a large dataset allegedly tied to TotalEnergies customers, including identifiers such as emails, phone numbers, addresses and bank-related details (16-01-2026) [EMEA]. While claims require verification, consumer-impact teams should pre-stage fraud monitoring and comms, and defenders should validate exposure by cross-checking sample records, watching credential-stuffing signals, and coordinating with banking/identity partners to blunt downstream account takeover (Source: Cybernews, 16-01-2026).

Editorial Perspective

This cycle reinforces how “security operations” and “business operations” are now inseparable: healthcare outages, travel-platform breaches, and SIEM exploitation all compress response time from hours to minutes.

Defenders should prioritize control points that maximize leverage—segmented OT connectivity, hardened monitoring infrastructure, and evidence-ready processes that survive cross-border scrutiny.

Finally, the week’s standards and policy signals on AI and software assurance indicate that governance is catching up to real-world attack patterns, so DFIR teams should align technical playbooks with emerging audit and disclosure expectations.

Tags

DFIR, incident response, OT security, ransomware, vulnerability exploitation, threat intelligence, data breach, healthcare cybersecurity, travel data, AI security standards, PCI compliance, law enforcement cooperation
