Friday, January 30 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-01-21 11:21 to 2026-01-23 11:21 (UTC)

Snapshot Summary

Sector / Section           | Headline Highlights                                                                   | Count
DFIR & Incident Response   | Cisco UC patch-and-hunt; ICS advisory burst; DDoS botnet escalation                   | 2
Cyber Investigations       | Illicit Telegram market stalls; Ransomware leader unmasked; Botnet attribution signals | 2
Major Cyber Incidents      | Space-agency breach fallout; Hospitality leak probe                                    | 2
Exploits & Threat Intel    | Cisco UC zero-day exploited; Chainlit SSRF+file read; Singapore issues urgent alert   | 3
Law Enforcement            | Accra cybercrime raids; Black Basta suspects targeted                                  | 2
Policy                     | Ireland spyware legal basis; EU high-risk vendor phase-out; UK NIS bill update         | 3
Standards & Compliance     | Transit CSF profile draft; Support-life transparency push                              | 2
Consumer App Data Leaks    | Under Armour account probe; Retailer credential-stuffing denial                        | 2

Digital Forensics & Incident Response

Cisco fixes Unified Communications RCE zero day exploited in attacks — Cisco released emergency patches for CVE-2026-20045 affecting Unified CM, IM&P, Unity Connection and Webex Calling Dedicated Instance after confirming attempted in-the-wild exploitation, with patch guidance published on 21-01-2026 [AMER]. For IR teams, prioritize external exposure triage, collect web UI and auth logs for crafted-request patterns, and preserve VM snapshots before patching to support root-cause analysis and potential lateral-movement scoping. (Source: BleepingComputer, 21-01-2026).

CISA releases 10 Industrial Control Systems advisories — CISA published a bundled set of ICS advisories covering multiple vendors and product lines, prompting operators to review mitigations and update plans for OT environments on 22-01-2026 [AMER]. For DFIR and response leads, this is a reminder to validate asset inventories against affected versions, ensure offline evidence capture procedures exist for safety-critical systems, and pre-stage patch windows and compensating controls to reduce dwell time if exploitation starts. (Source: CISA (GovDelivery), 22-01-2026).

Cyber Investigations

Tudou Guarantee appears to halt public transactions after illicit activity findings — Blockchain analytics reporting indicates the Telegram-based “Tudou Guarantee” marketplace in Southeast Asia paused transactions in public groups after researchers tied it to large-scale illicit USDT flows, with the update published on 20-01-2026 [APAC]. Investigators should treat this as a lead for victim tracing and wallet clustering, preserving channel artifacts and transaction identifiers now, because marketplace disruptions often trigger rapid migration to new channels and can erase attribution breadcrumbs. (Source: Security Affairs, 20-01-2026).

Black Basta ransomware group exposed in Europe; alleged leader named — European and Ukrainian authorities identified alleged Black Basta operators and linked a suspected Russian ringleader to the group, alongside raids and seizures in Ukraine reported on 21-01-2026 [EMEA]. For cyber investigators, the named personas, regions, and seized-device details help enrich entity graphs, support intelligence-led hunting for tooling overlap, and improve evidence packages when mapping extortion chats, crypto flows, and infrastructure to real-world actors. (Source: Bitdefender, 21-01-2026).

Major Cyber Incidents

European Space Agency breach claims expose spacecraft and mission data — Reporting indicates another incident impacting European Space Agency-linked systems, with claims of exposed spacecraft and mission data discussed publicly on 22-01-2026 [EMEA]. For responders, this underscores the need for strict segmentation and immutable logging in research and mission networks, and it highlights the evidentiary value of correlating exfiltration claims with egress telemetry, identity events, and third-party access records before narratives harden in the public domain. (Source: Bitdefender, 22-01-2026).

EU plans phase out of high risk telecom suppliers, in proposals seen as targeting China — The European Commission proposed mandatory removal of “high-risk” telecom suppliers from critical infrastructure with a three-year timeline, a move widely seen as aimed at Huawei/ZTE, reported on 21-01-2026 [EMEA]. For incident readiness, this is a consequential supply-chain shock: organizations should anticipate emergency change windows, preserve baseline configs and firmware provenance, and plan for forensic continuity when swapping network components that store logs, keys, or lawful-intercept interfaces. (Source: AP, 21-01-2026).

Exploits & Threat Intelligence

Hackers targeting Cisco Unified CM zero-day — Threat reporting says attackers are actively targeting CVE-2026-20045 in Cisco Unified CM-family products for unauthenticated code execution, with details summarized on 22-01-2026 [AMER]. For defenders, treat this as an internet-exposure crisis: prioritize external scanning for affected services, hunt for anomalous management-interface traffic, and ensure detections cover post-exploitation privilege escalation from user-level to root as described in vendor and media analysis. (Source: SecurityWeek, 22-01-2026).

Chainlit AI framework bugs let hackers breach cloud environments — Two high-severity Chainlit vulnerabilities (file read and SSRF) can be chained to access secrets and pivot inside cloud networks when the framework is internet-facing, with reporting published on 21-01-2026 [AMER]. This matters because AI app frameworks often sit beside privileged credentials and internal APIs, so teams should inventory exposed Chainlit instances, rotate potentially accessed secrets, and add egress controls plus SSRF-aware logging to detect data pulls from metadata services or internal endpoints. (Source: BleepingComputer, 21-01-2026).
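As an added illustration of the SSRF-aware logging the item above calls for (example code written for this roundup, not Chainlit's own code or tooling): the script below reads constructed outbound-connection log lines from a hypothetical application host and flags destinations an internet-facing AI app should not normally reach: cloud instance-metadata addresses, loopback, link-local and RFC 1918 ranges. The log format, host name and URLs are assumptions made for the example.

```python
"""Flag SSRF-style egress from an internet-facing app host.

Added example for this roundup (not Chainlit code). Given outbound-connection
log lines from an egress gateway or proxy, flag destinations that an AI app
framework has no business reaching: cloud instance-metadata endpoints,
loopback, link-local and private (RFC 1918 / ULA) ranges. Log format and
host names below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Well-known instance-metadata endpoints (AWS IPv4/IPv6, GCP hostname).
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}

# Constructed sample, one connection per line:
#   <timestamp> src=<app host> dst_url=<url> status=<http status>
SAMPLE_EGRESS_LOG = """\
2026-01-21T10:02:11Z src=app-web-1 dst_url=https://api.example-llm.test/v1/chat status=200
2026-01-21T10:02:13Z src=app-web-1 dst_url=http://169.254.169.254/latest/meta-data/ status=200
2026-01-21T10:02:14Z src=app-web-1 dst_url=http://10.0.3.17:8500/v1/kv/app/db status=200
2026-01-21T10:02:15Z src=app-web-1 dst_url=http://127.0.0.1:6379/ status=000
2026-01-21T10:02:20Z src=app-web-1 dst_url=https://pypi.org/simple/ status=200
"""


@dataclass
class Finding:
    timestamp: str
    src: str
    url: str
    reason: str


def classify_destination(url: str) -> Optional[str]:
    """Return a reason string if the URL's host is an internal/metadata target, else None."""
    host = urlsplit(url).hostname or ""
    if host in METADATA_HOSTS:
        return "cloud-metadata-endpoint"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: resolution-time checks (DNS rebinding etc.) are out of scope here.
        return None
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private-range"
    return None


def parse_line(line: str):
    """Split '<ts> k=v k=v ...' into (timestamp, dict of fields)."""
    fields = line.split()
    kv = dict(f.split("=", 1) for f in fields[1:])
    return fields[0], kv


def scan_egress_log(text: str) -> List[Finding]:
    """Return one Finding per connection whose destination should raise an alert."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kv = parse_line(line)
        reason = classify_destination(kv["dst_url"])
        if reason:
            findings.append(Finding(ts, kv["src"], kv["dst_url"], reason))
    return findings


if __name__ == "__main__":
    for f in scan_egress_log(SAMPLE_EGRESS_LOG):
        print(f"{f.timestamp} {f.src} -> {f.url}  [{f.reason}]")
```

In a real deployment the same classification belongs at the egress proxy as a block rule, with the log entries feeding the SOC; the script only shows what "SSRF-aware" means in terms of concrete destination classes worth alerting on.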

High Severity Vulnerability in Cisco Products — Singapore’s Cyber Security Agency urged immediate updates for Cisco Unified CM and related products, noting reported in-the-wild exploitation and the risk of user-level access escalating to root, posted on 23-01-2026 [APAC]. For global SOCs, CSA advisories are useful corroboration when deciding on emergency patching, and they provide a defensible, time-stamped trigger to accelerate change-control, executive comms, and incident response readiness. (Source: CSA Singapore, 23-01-2026).

Law Enforcement

Ghana arrests nine Nigerians in cybercrime crackdown in Accra — Ghanaian agencies conducted intelligence-led raids around Accra, arresting suspected organizers and detaining additional individuals believed to be coerced into online fraud, with the report published on 20-01-2026 [EMEA]. For DFIR and fraud teams, this highlights the blended cybercrime/trafficking model behind romance and BEC scams and reinforces the value of preserving chat logs, money-mule trails, and device images that can tie social-engineering playbooks to real-world coordinators across borders. (Source: ICLG, 20-01-2026).

Black Basta ransomware group exposed in Europe; alleged leader named — Authorities in Europe and Ukraine linked suspected members and an alleged leader to Black Basta while executing searches and seizures, with details published on 21-01-2026 [EMEA]. For practitioners, law-enforcement disclosures can materially improve attribution confidence and victim notification, enabling faster correlation between extortion infrastructure, leaked negotiation data, and internal incident timelines when preparing referrals or coordinating cross-border containment. (Source: Bitdefender, 21-01-2026).

Policy

Ireland plans law allowing law enforcement to use spyware — Irish officials signaled plans to draft legislation creating a legal basis for covert surveillance software and expanded lawful interception powers, reported on 23-01-2026 [EMEA]. For security teams, this affects how encrypted-communications risk is discussed with leadership and counsel, and it increases the importance of endpoint hardening, mobile threat defense, and robust audit trails to detect and prove (or disprove) sophisticated surveillance activity. (Source: The Record, 23-01-2026).

EU plans phase out of high risk telecom suppliers, in proposals seen as targeting China — The EU announced proposals to mandate removal of “high-risk” vendor equipment from telecom and other critical sectors across member states, with reporting dated 21-01-2026 [EMEA]. Policy-driven rip-and-replace programs can create temporary exposure through rushed migrations, so cyber leaders should demand compensating controls, formal verification of new supply-chain attestations, and post-change forensic validation to ensure logging and detection coverage remain intact. (Source: AP, 21-01-2026).

Cyber Security and Resilience (Network and Information Systems) Bill — The UK Parliament’s bill tracker shows the Cyber Security and Resilience (NIS) Bill status and an update timestamp of 22-01-2026, signaling continued movement and scrutiny of reporting and regulatory scope [EMEA]. Compliance teams should monitor the bill’s stages and publications, because changes to incident reporting thresholds and regulated-entity definitions can quickly reshape DFIR runbooks, evidence retention periods, and escalation paths for suppliers supporting essential services. (Source: UK Parliament, 22-01-2026).

Standards & Compliance

Transit Agencies: Draft CSF Community Profile — NIST’s CSRC announced a draft CSF Community Profile for transit agencies, aimed at aligning sector outcomes with CSF 2.0 functions, posted on 22-01-2026 [AMER]. For compliance and resilience programs, profiles like this translate abstract controls into operational priorities (govern/identify/protect/detect/respond/recover), helping teams justify budget, standardize third-party requirements, and measure maturity in ways regulators and insurers increasingly expect. (Source: NIST CSRC, 22-01-2026).

Legislators Push to Make Companies Tell Customers When Their Products Will Die — Massachusetts lawmakers introduced bills requiring manufacturers to disclose how long connected devices will receive software and security updates, with the article dated 22-01-2026 [AMER]. If such disclosure norms spread, procurement and compliance teams can better enforce support-life SLAs, reduce “zombie IoT” risk, and build clearer end-of-life evidence trails that matter for breach investigations, vulnerability management metrics, and consumer-protection expectations. (Source: WIRED, 22-01-2026).

Consumer App Data Leaks

Under Armour investigates reported account compromise affecting customers — Under Armour said it is investigating a reported compromise affecting customer accounts, with initial details reported on 23-01-2026 [AMER]. For consumer-data response, the priority is rapid credential-stuffing assessment, password-reset enforcement, and clear user comms, while internally preserving authentication logs and third-party identity telemetry to confirm whether compromise stemmed from reused credentials, session theft, or a deeper breach requiring broader containment. (Source: AP, 23-01-2026).

Online retailer PcComponentes says data breach claims are fake — Spanish online retailer PcComponentes disputed breach claims and said alleged data samples were fabricated, as reported on 23-01-2026 [EMEA]. For DFIR teams supporting consumer services, even “fake” breach chatter demands verification: validate database integrity, review auth and API logs for scraping, and check whether credential-stuffing or infostealer-driven logins could explain account abuse without a direct backend compromise. (Source: BleepingComputer, 23-01-2026).
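As an added example for the credential-stuffing assessment described in the Under Armour and PcComponentes items above (illustrative code written for this roundup, not either company's tooling): the script aggregates a constructed authentication log by source IP, flags sources whose pattern fits credential stuffing (many distinct usernames, mostly failures, in a short window) rather than a single user retrying a password, and lists the accounts that did succeed from those sources so they can be reset and their sessions revoked. Log format, field names, IP addresses and thresholds are assumptions made for the example.

```python
"""Credential-stuffing triage over authentication logs.

Added example for this roundup (not any vendor's tooling). Reads a constructed
auth log, summarises activity per source IP, flags sources that look like
credential stuffing, and returns the accounts that succeeded from those
sources (the ones to force-reset and session-revoke first).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample: "<timestamp> ip=<src> user=<account> result=FAIL|SUCCESS"
SAMPLE_AUTH_LOG = """\
2026-01-23T08:00:01Z ip=203.0.113.10 user=alice result=FAIL
2026-01-23T08:00:02Z ip=203.0.113.10 user=bob result=FAIL
2026-01-23T08:00:02Z ip=203.0.113.10 user=carol result=FAIL
2026-01-23T08:00:03Z ip=203.0.113.10 user=dave result=SUCCESS
2026-01-23T08:00:03Z ip=203.0.113.10 user=erin result=FAIL
2026-01-23T08:00:04Z ip=203.0.113.10 user=frank result=FAIL
2026-01-23T08:00:04Z ip=203.0.113.10 user=grace result=FAIL
2026-01-23T08:00:05Z ip=203.0.113.10 user=heidi result=FAIL
2026-01-23T08:01:00Z ip=198.51.100.7 user=alice result=FAIL
2026-01-23T08:01:30Z ip=198.51.100.7 user=alice result=SUCCESS
2026-01-23T09:15:00Z ip=192.0.2.44 user=ivan result=SUCCESS
"""


@dataclass
class SourceStats:
    first_seen: datetime
    last_seen: datetime
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)      # distinct accounts tried
    successes: Set[str] = field(default_factory=set)  # accounts that logged in


def parse_auth_log(text: str):
    """Yield (timestamp, ip, user, result) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *rest = line.split()
        kv = dict(p.split("=", 1) for p in rest)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        yield ts, kv["ip"], kv["user"], kv["result"]


def aggregate(text: str) -> Dict[str, SourceStats]:
    """Summarise attempts, failures and distinct accounts per source IP."""
    stats: Dict[str, SourceStats] = {}
    for ts, ip, user, result in parse_auth_log(text):
        s = stats.get(ip)
        if s is None:
            s = stats[ip] = SourceStats(first_seen=ts, last_seen=ts)
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        s.attempts += 1
        s.users.add(user)
        if result == "SUCCESS":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing_sources(
    stats: Dict[str, SourceStats],
    min_users: int = 5,
    min_fail_ratio: float = 0.7,
    window: timedelta = timedelta(minutes=10),
) -> Dict[str, SourceStats]:
    """A stuffing source tries many distinct accounts, mostly fails, and does so quickly.

    Thresholds are illustrative; tune them to the service's normal traffic.
    """
    flagged = {}
    for ip, s in stats.items():
        spread = s.last_seen - s.first_seen
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio and spread <= window:
            flagged[ip] = s
    return flagged


def accounts_to_reset(flagged: Dict[str, SourceStats]) -> List[str]:
    """Accounts that authenticated successfully from a flagged source."""
    return sorted({u for s in flagged.values() for u in s.successes})


if __name__ == "__main__":
    flagged = flag_stuffing_sources(aggregate(SAMPLE_AUTH_LOG))
    for ip, s in flagged.items():
        print(f"{ip}: {len(s.users)} accounts tried, {s.failures}/{s.attempts} failed")
    print("reset + revoke sessions:", accounts_to_reset(flagged))
```

The distinction the thresholds encode is the one the items above turn on: a source that fails once and then succeeds on the same account is a user, while a source that walks through many accounts in seconds with a handful of hits is replaying leaked credentials, and that second pattern explains account abuse without any backend compromise.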

Editorial Perspective

This cycle reinforces a familiar truth: high-impact compromises keep clustering around a few exposed, business-critical platforms: communications stacks, internet-facing app frameworks, and long-lived connected devices.

For DFIR leaders, the differentiator is speed with rigor: rapid exposure triage and patch execution paired with disciplined evidence preservation so you can prove what happened, not just recover service.

Meanwhile, policy and standards signals in Europe and North America show governments are pushing harder on vendor risk and lifecycle transparency, changes that will directly shape asset inventories, change management, and incident reporting expectations in 2026.

Tags

CVE-2026-20045, Cisco Unified CM, incident response, DFIR, OT security, ICS advisories, ransomware, Black Basta, supply chain risk, spyware policy, NIST CSF, credential stuffing
