
Snapshot Summary

| Sector / Section | Headline Highlights | Count |
|---|---|---|
| DFIR & Incident Response | EPMM patch guidance; Healthcare breach cost spike | 2 |
| Cyber Investigations | Health payer breach probe; Malware ecosystem analysis | 2 |
| Major Cyber Incidents | Municipal systems hit; Hosting outage; Fintech exposure | 3 |
| Exploits & Threat Intelligence | Ivanti EPMM zero-days; PoC exploitation signals | 2 |
| Law Enforcement | RAMP forum seized; Crypto mixer forfeiture | 2 |
| Policy | UK–Japan cyber pact; UK cyber bill moves | 2 |
| Standards & Compliance | RNG standards bridge; Vuln management certification | 2 |
| Consumer App Data Leaks | Coupang user data leak; Dating apps claimed | 2 |
Digital Forensics & Incident Response
Ivanti published a January 2026 Endpoint Manager Mobile (EPMM) security update, noting limited in-the-wild exploitation and directing customers to apply patches and review advisory guidance [AMER]. For DFIR teams, this is a rapid containment playbook: confirm affected versions, hunt for post-exploitation artifacts on MDM infrastructure, and prioritize credential/session invalidation because EPMM compromise can cascade into enterprise identity, email, and device trust. (Source: Ivanti, 30-01-2026).
A Trellix-backed analysis highlighted that healthcare breaches are reaching higher cost levels as adversaries exploit broader clinical attack surfaces, reinforcing the operational impacts of compromise in patient-facing environments [AMER]. Practically, responders should translate this into evidence-driven scoping: align EDR, network telemetry, and clinical system logs to map lateral movement into IoMT/clinical workflows, and validate downtime procedures and tabletop readiness before an incident forces manual care paths. (Source: Industrial Cyber, 30-01-2026).
Cyber Investigations
A ransomware-linked incident at healthcare IT vendor TriZetto prompted investigation and notification activity indicating health insurance data was accessed and exfiltrated, with ongoing assessment of scope and affected parties [AMER]. For investigators, vendor-platform breaches demand disciplined chain-of-custody across tenant environments: preserve portal and SSO logs, validate which customer datasets were reachable from compromised accounts, and build a defensible timeline that supports regulatory notifications and third-party risk remediation. (Source: The Register, 30-01-2026).
CYFIRMA released late-January threat intelligence reporting that aggregates actor activity, malware operations, and victimology trends intended to support active investigations and proactive hunting across regions [APAC]. For casework, these roll-ups are most valuable when used as hypothesis generators: map stated TTPs to your telemetry, enrich indicators with internal sightings, and document why specific pivots were taken so investigative decisions remain reproducible under audit and potential legal scrutiny. (Source: CYFIRMA, 31-01-2026).
Major Cyber Incidents
Officials in New Britain, Connecticut reported a cyberattack that disrupted some city services and triggered restoration efforts while core public operations were adjusted to keep essential functions running [AMER]. For responders, city networks are high-noise environments: prioritize identity containment, validate backups and offline restoration paths, and preserve email and endpoint telemetry early because municipal incidents often involve mixed objectives—extortion, data theft, and opportunistic lateral movement. (Source: CT Insider, 30-01-2026).
Hosting provider CloudCone reported a service disruption attributed to a security incident, stating it was working through recovery steps and customer communications as infrastructure was restored [AMER]. For incident teams relying on third-party hosting, this reinforces the need for forensic-ready vendor escalation: capture current system states, track provider-issued IOCs and timelines, and validate your own environment for credential reuse or exposed management interfaces that could amplify the blast radius. (Source: CloudCone, 31-01-2026).
Reporting indicated payments-focused fintech Marqeta faced a breach scenario with potential exposure implications for partners that integrate its issuing and processing capabilities, with investigation and mitigation steps ongoing [AMER]. This matters operationally because fintech incidents can propagate: responders should review API key rotation, validate tokenization and webhook integrity, and correlate fraud signals with security telemetry so containment decisions are driven by evidence rather than customer-impact lag. (Source: TechRadar, 01-02-2026).
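The webhook-integrity and key-rotation checks mentioned above, as an added example that is not code from the original digest or from Marqeta or any other vendor. The signing scheme (HMAC-SHA256 over "<timestamp>.<body>"), the header names, the secrets and the 300-second replay window are all assumptions constructed for illustration; the point is constant-time comparison, replay rejection, and dual-key acceptance so that deliveries signed with the previous key still verify while a rotation is in progress.

```python
"""Webhook integrity check with constant-time HMAC comparison, a freshness
window to reject replays, and dual-key verification during secret rotation.

The signing scheme (HMAC-SHA256 over "<timestamp>.<body>"), the header
names and the secrets below are constructed for this example; they are not
any vendor's actual scheme."""
import hashlib
import hmac
import time

# Assumed secrets (constructed): the current key and the previous one. The
# previous key is kept only while a rotation is in progress so that in-flight
# deliveries signed with it still verify, then dropped by the next rotation.
SECRETS = {
    "current": b"constructed-current-secret",
    "previous": b"constructed-previous-secret",
}
MAX_SKEW_SECONDS = 300  # assumed replay window


def sign(secret, timestamp, body):
    """Hex HMAC-SHA256 over "<timestamp>.<body>" (assumed scheme)."""
    msg = f"{timestamp}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(headers, body, secrets=SECRETS, now=None, max_skew=MAX_SKEW_SECONDS):
    """Return (ok, reason). ok is True only when the timestamp is fresh and the
    presented signature matches the current or the previous secret."""
    now = time.time() if now is None else now
    try:
        ts = int(headers["X-Webhook-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing_or_bad_timestamp"
    if abs(now - ts) > max_skew:
        return False, "stale_timestamp"
    presented = headers.get("X-Webhook-Signature", "")
    for label, secret in secrets.items():
        expected = sign(secret, ts, body)
        # compare_digest avoids leaking the match position through timing.
        if hmac.compare_digest(expected, presented):
            return True, f"verified_with_{label}"
    return False, "signature_mismatch"


def rotate_secret(secrets, new_secret):
    """Promote the new secret; the old current becomes previous and the old
    previous is discarded."""
    return {"current": new_secret, "previous": secrets["current"]}


if __name__ == "__main__":
    body = b'{"event":"card.transaction","amount":1250}'  # constructed payload
    ts = int(time.time())
    hdrs = {
        "X-Webhook-Timestamp": str(ts),
        "X-Webhook-Signature": sign(SECRETS["current"], ts, body),
    }
    print(verify_webhook(hdrs, body))
```

During an incident the dual-key window is the part to watch: once the old key is suspected of exposure, call `rotate_secret` twice (or drop `previous` explicitly) so that nothing signed with the compromised key is accepted, and log which key label verified each delivery so the timeline shows exactly when the cut-over took effect.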
Exploits & Threat Intelligence
Rapid7 reported critical Ivanti Endpoint Manager Mobile (EPMM) zero-day issues and noted a public proof-of-concept for remote code execution alongside exploitation signals, underscoring MDM as a repeat target [AMER]. For threat intel and DFIR, this drives immediate hunting: look for anomalous API access, new admin accounts, suspicious file writes on EPMM servers, and outbound beacons, then align findings to patch status so exposure can be measured and communicated with confidence. (Source: Rapid7, 30-01-2026).
Tenable published technical analysis and prioritization guidance around Ivanti EPMM zero-day vulnerabilities, contextualizing past exploitation patterns and urging fast remediation where internet exposure exists [AMER]. This matters because remediation alone is not assurance: security teams should use the write-up to create a detection-to-validation loop—translate CVE mechanics into SIEM queries, confirm exploitability by configuration, and preserve artifacts before patching to support root-cause analysis and potential legal actions. (Source: Tenable, 30-01-2026).
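The hunting loop described in the two items above (anomalous API access, new admin accounts, script-file writes on the MDM server, outbound beacons, then correlation with patch status), as an added example that is neither Ivanti's, Rapid7's nor Tenable's code and not from the original digest. Every log line, hostname, IP address, path and the key=value layout is constructed for the example and is not Ivanti's actual log format; the management network, known-admin list, expected outbound destinations and patched-host set are assumed environment facts that a team would substitute with its own.

```python
"""Triage of constructed MDM-server log lines for the hunting signals named
above: API access from outside the management network, new admin accounts,
script-file writes under the web root, and periodic outbound connections.
Each finding is annotated with the host's patch status so exposure can be
reported, not just detected.

All log lines, hosts, IPs and paths are constructed; the key=value layout is
an assumption, not any vendor's log format."""
import ipaddress
import statistics
from datetime import datetime

SAMPLE_LOGS = """\
2026-01-30T02:10:01Z host=mdm01 event=api_access src=203.0.113.10 user=ops path=/api/devices status=200
2026-01-30T02:11:30Z host=mdm01 event=api_access src=198.51.100.77 user=ops path=/api/admin status=200
2026-01-30T02:12:05Z host=mdm01 event=account_create user=svc_sync role=admin by=ops
2026-01-30T02:12:40Z host=mdm01 event=file_write path=/opt/webroot/static/upd.jsp size=3120
2026-01-30T02:13:00Z host=mdm01 event=file_write path=/var/log/mdm/audit.log size=812
2026-01-30T02:15:00Z host=mdm01 event=outbound dst=192.0.2.50 port=443
2026-01-30T02:20:00Z host=mdm01 event=outbound dst=192.0.2.50 port=443
2026-01-30T02:25:00Z host=mdm01 event=outbound dst=192.0.2.50 port=443
2026-01-30T02:30:00Z host=mdm01 event=outbound dst=192.0.2.50 port=443
2026-01-30T02:16:00Z host=mdm02 event=outbound dst=203.0.113.200 port=443
"""

# Assumed environment facts (constructed).
MGMT_NET = ipaddress.ip_network("203.0.113.0/24")
KNOWN_ADMINS = {"ops", "secadmin"}
EXPECTED_OUTBOUND = {ipaddress.ip_address("203.0.113.200")}
PATCHED_HOSTS = {"mdm02"}
WEBROOT = "/opt/webroot/"
SCRIPT_SUFFIXES = (".jsp", ".jspx", ".war")


def parse_line(line):
    """Split '<iso-timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_beacon_like(times, min_hits=3, max_jitter=0.2):
    """True when at least min_hits connections occur at near-constant
    intervals (coefficient of variation of the gaps <= max_jitter)."""
    if len(times) < min_hits:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean <= max_jitter


def hunt(log_text):
    records = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    findings = []
    outbound = {}
    for r in records:
        ev = r["event"]
        if ev == "api_access" and ipaddress.ip_address(r["src"]) not in MGMT_NET:
            findings.append((r["host"], "api_access_outside_mgmt_net", r["src"]))
        elif ev == "account_create" and r.get("role") == "admin" and r["user"] not in KNOWN_ADMINS:
            findings.append((r["host"], "new_admin_account", r["user"]))
        elif ev == "file_write" and r["path"].startswith(WEBROOT) and r["path"].endswith(SCRIPT_SUFFIXES):
            findings.append((r["host"], "script_write_under_webroot", r["path"]))
        elif ev == "outbound" and ipaddress.ip_address(r["dst"]) not in EXPECTED_OUTBOUND:
            outbound.setdefault((r["host"], r["dst"]), []).append(r["ts"])
    for (host, dst), times in outbound.items():
        if is_beacon_like(sorted(times)):
            findings.append((host, "periodic_outbound", dst))
    # Patch status is attached to every finding so the report answers both
    # "what happened" and "was this host still exposed when it happened".
    return [{"host": h, "signal": s, "detail": d, "patched": h in PATCHED_HOSTS}
            for h, s, d in findings]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

The beacon heuristic is deliberately simple (regular spacing of connections to one destination); real telemetry needs a longer window and tolerance for jitter, but the structure, one rule per signal feeding a single annotated finding list, is what makes the output usable as evidence before the server is patched and the artifacts are gone.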
Law Enforcement
US authorities reportedly seized the RAMP cybercrime forum, replacing its content with a law-enforcement seizure notice as part of an effort to disrupt criminal marketplaces and user coordination [AMER]. For defenders, forum seizures are intelligence opportunities: preserve any accessible OSINT and shared indicators before they disappear, monitor for rebrands and migration channels, and anticipate retaliation or copycat campaigns that leverage the disruption to seed malware, phishing, and credential harvesting. (Source: IT Pro, 30-01-2026).
The US Department of Justice announced it secured forfeiture of approximately $400 million in assets tied to Helix and Coin Ninja, framing the action as a major disruption of cryptocurrency-based money laundering infrastructure [AMER]. This matters to cyber investigations because takedowns change adversary cash-out paths: analysts should update tracing heuristics, watch for liquidity shifts to alternative mixers or OTC brokers, and re-run attribution link analysis against seized-address clusters to strengthen ongoing cases. (Source: U.S. Department of Justice, 30-01-2026).
Policy
The UK and Japan launched a strategic cyber partnership committing both governments to closer cooperation on threat detection, national resilience, and innovation ecosystems, framed as part of a prime ministerial visit [EMEA/APAC]. For practitioners, bilateral policy frameworks often translate into operational change: expect increased information-sharing, joint exercises, and stronger expectations on supply-chain assurance and incident reporting pathways for organizations operating or providing services across both jurisdictions. (Source: GOV.UK, 31-01-2026).
The UK Parliament’s tracker for the Cyber Security and Resilience (Network and Information Systems) Bill shows continued progress and updated status entries during late January legislative activity [EMEA]. For compliance and response leaders, the direction of travel is clear: broadened scope and tougher incident-reporting expectations will require earlier evidence preservation, standardized regulator-ready reporting, and stronger third-party controls, so organizations should gap-assess now rather than wait for final implementation dates. (Source: UK Parliament, 30-01-2026).
Standards & Compliance
NIST published IR 8446 comparing Germany’s BSI AIS 20/31 with NIST SP 800-90 series to clarify terminology, assumptions, and requirements for random number generation in cryptographic systems [AMER]. This matters because RNG quality underpins evidence integrity and secure communications: security architects and assessors should use the comparison to tighten validation criteria, reduce interoperability surprises, and document cryptographic design decisions in a way that supports audits, certifications, and incident postmortems. (Source: NIST CSRC, 29-01-2026).
Hikvision announced it was awarded ISO/IEC 29147 and ISO/IEC 30111 certification by BSI, positioning the recognition as validation of its vulnerability disclosure and handling processes [EMEA]. For defenders and procurement teams, certs are signals—not guarantees—so use this to strengthen vendor governance: require clear SLAs for coordinated disclosure, verify patch cadence and SBOM availability, and ensure vulnerability intake and remediation workflows align with your own compliance and risk thresholds. (Source: Hikvision, 30-01-2026).
Consumer App Data Leaks
South Korea’s e-commerce giant Coupang said a data leak affected roughly 33 million users, prompting customer notifications and raising scrutiny around how user information is stored and protected at scale [APAC]. For DFIR and security leaders, mass consumer leaks quickly become enterprise incidents: expect credential-stuffing and phishing spikes, prioritize rapid comms and monitoring, and validate data-minimization and retention practices so future investigations can narrow exposure scope and reduce regulatory fallout. (Source: Reuters, 30-01-2026).
A ransomware group claimed it breached Match Group dating apps (including Hinge and OkCupid) and Panera Bread, alleging data theft alongside extortion pressure and public-leak threats [AMER]. For consumer-focused organizations, these claims are operational triggers: start validation with authentication and admin logs, preserve evidence for downstream civil/regulatory processes, and prepare targeted customer protections (reset flows, fraud monitoring, and phishing advisories) while awaiting confirmation. (Source: Malwarebytes, 30-01-2026).
Editorial Perspective
This window underscores a familiar pattern: attackers keep aiming for the “control planes” (MDM, hosting, and vendor platforms) where one compromise yields many downstream victims.
For DFIR teams, the difference between a costly disruption and a contained incident is often decided in the first hours by identity containment, evidence preservation before patching, and disciplined third-party escalation.
Meanwhile, policy and standards updates are converging on faster reporting and more provable hygiene—so documenting decisions, timelines, and technical findings is becoming as critical as the technical fix itself.
Reference Reading
- Rapid7: Critical Ivanti EPMM zero-days (CVE-2026-1281/1340)
- Ivanti: January 2026 EPMM Security Update
- NIST CSRC: IR 8446 on RNG standards alignment
- GOV.UK: UK–Japan Strategic Cyber Partnership
- Hikvision: ISO/IEC 29147 & 30111 certification announcement
- Malwarebytes: Ransomware claims involving Match apps and Panera
