
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| DFIR & Incident Response | M-Trends speed shift; meeting hardening guidance | 2 |
| Cyber Investigations | North Korea facilitators; BEC sentencing | 2 |
| Major Cyber Incidents | Singapore ransomware; Trivy supply-chain impact | 2 |
| Exploits & Threat Intelligence | Oracle emergency patch; iOS exploit pressure | 2 |
| Law Enforcement | Dark web takedown; botnet disruption | 2 |
| Policy | CRA enforcement setup; CYBERUK agenda signal | 2 |
| Standards & Compliance | CSF quick-start; DNS deployment baseline | 2 |
| Consumer App Data Leaks | Benefits breach; education records exposed | 2 |
Digital Forensics & Incident Response
[AMER] Google’s M-Trends 2026 report, published on 23-03-2026 and drawn from more than 500,000 hours of Mandiant incident-response work, said the median handoff from initial access to secondary operators dropped to 22 seconds in 2025. For DFIR teams, that sharply compresses containment windows and reinforces the need for identity isolation, automated triage, and pre-approved response playbooks that can fire before ransomware or hands-on-keyboard activity escalates. (Source: SecurityWeek, 23-03-2026)
[EMEA] The UK NCSC on 23-03-2026 published new guidance for securing online meetings, covering administrator controls, trusted downloads, passkeys, two-step verification, and safer participant management for organisations that rely on collaboration platforms. That matters operationally because video and meeting tools remain common intrusion pathways, so responders can use the checklist immediately to reduce exposed attack surface and improve readiness for phishing, account takeover, and post-compromise abuse. (Source: NCSC, 23-03-2026)
Cyber Investigations
[AMER] The U.S. Department of Justice said on 20-03-2026 that three men were sentenced for helping North Korean IT workers obtain remote jobs and access U.S. networks through stolen identities, concluding a long-running investigation into sanctions evasion and covert network access. The case matters because it highlights how employment fraud, insider access, endpoint trust, and identity proofing failures can converge into durable compromise paths that investigators and corporate security teams must treat as one blended threat. (Source: DOJ, 20-03-2026)
[AMER] U.S. authorities sentenced a Nigerian national to more than seven years in prison on 23-03-2026 for a business email compromise scheme that hijacked accounts and redirected legitimate wire payments, according to court details reported by Recorded Future News. For investigators, it is a practical reminder that mailbox compromise, payment fraud, infrastructure tracing, and cross-border money movement still demand tightly joined forensic, legal, and banking workflows to recover evidence and map conspirators. (Source: The Record, 23-03-2026)
Major Cyber Incidents
[APAC] Trio-Tech disclosed to U.S. regulators on 23-03-2026 that a Singapore subsidiary suffered a ransomware attack discovered on 11-03-2026, with file encryption inside the local network and incident-response work continuing across the semiconductor services business. The incident matters because it shows how regional subsidiary compromise can quickly become a public-company issue, forcing responders to align restoration, disclosure, legal hold, and third-party communications under tight operational and reporting deadlines. (Source: The Record, 23-03-2026)
[AMER] Aqua Security’s open-source Trivy ecosystem remained under active pressure on 23-03-2026 as attackers pushed malicious Docker images and tampered with GitHub repositories after the earlier compromise of the scanner’s build pipeline, extending a supply-chain incident into downstream developer tooling. This matters beyond one project because Trivy is widely embedded in build and cloud security workflows, so responders should review pipeline trust, artifact provenance, developer endpoint exposure, and secrets potentially exposed during the campaign. (Source: BleepingComputer, 23-03-2026)
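The pipeline-trust review the item above calls for is concrete enough to script. The following is an added example, not code from the original page and not from the Trivy or Aqua Security projects: it scans a GitHub Actions workflow for the mutable references an attacker who controls an upstream repository or registry can repoint, namely actions pinned to a tag or branch instead of a full commit SHA, and container images pulled by tag instead of by digest. The workflow text, organisation names, and digests are constructed for the example and refer to no real repository or image.

```python
"""Audit a GitHub Actions workflow for mutable supply-chain references.

Added example: flags `uses:` targets not pinned to a 40-hex commit SHA and
container images not pinned to a sha256 digest. Parsing is line-based so it
needs no YAML library; it covers the common workflow shapes, not every one.
"""
import re

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")      # immutable git ref
IMAGE_DIGEST = re.compile(r"^[0-9a-f]{64}$")    # immutable OCI content digest

USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
IMAGE_LINE = re.compile(r"""^\s*-?\s*image:\s*['"]?([^\s'"#]+)""")
DOCKER_CMD = re.compile(r"\bdocker\s+(?:pull|run)\s+(.*)")


def check_image(ref):
    """Return None if the image ref is digest-pinned, else a short finding."""
    if "@sha256:" not in ref:
        return "image pulled by tag, not digest"
    digest = ref.split("@sha256:", 1)[1]
    if not IMAGE_DIGEST.match(digest):
        return "malformed sha256 digest"
    return None


def check_action(ref):
    """Return None if a `uses:` target cannot be moved upstream, else a finding."""
    if ref.startswith("./"):
        return None  # local action: versioned together with this repository
    if ref.startswith("docker://"):
        return check_image(ref[len("docker://"):])
    if "@" not in ref:
        return "action has no version ref"
    version = ref.rsplit("@", 1)[1]
    if COMMIT_SHA.match(version):
        return None
    return f"action pinned to mutable ref {version!r}"


def image_from_docker_cmd(args):
    """Heuristic: first non-flag token after `docker run`/`docker pull`."""
    for tok in args.split():
        if not tok.startswith("-"):
            return tok
    return None


def audit_workflow(text):
    """Return [(line_no, reference, finding)] for every mutable reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m:
            problem = check_action(m.group(1))
            if problem:
                findings.append((no, m.group(1), problem))
            continue
        m = IMAGE_LINE.match(line)
        if m:
            problem = check_image(m.group(1))
            if problem:
                findings.append((no, m.group(1), problem))
            continue
        m = DOCKER_CMD.search(line)
        if m:
            ref = image_from_docker_cmd(m.group(1))
            problem = check_image(ref) if ref else None
            if problem:
                findings.append((no, ref, problem))
    return findings


# Constructed sample workflow (hypothetical org and digests) mixing pinned and
# mutable references; lines 7, 9 and 14 should be reported.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/example-org/scanner:latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - uses: docker://ghcr.io/example-org/tool@sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
      - uses: ./.github/actions/local-step
      - name: scan image
        run: docker run --rm ghcr.io/example-org/tool:0.9 scan .
"""

if __name__ == "__main__":
    for no, ref, problem in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {ref}: {problem}")
```

Run it over every file under .github/workflows; each finding is a reference that a compromised upstream could swap without any commit landing in your own repository. The `docker run` parsing is a heuristic (first non-flag token), so confirm those hits by hand, and pair the pinning fix with a digest check at pull time rather than trusting the tag again later.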
Exploits & Threat Intelligence
[AMER] Oracle issued an out-of-band fix for critical vulnerability CVE-2026-21992 on 23-03-2026, warning that an unauthenticated attacker could remotely execute code in Identity Manager and Web Services Manager components of Fusion Middleware. For defenders, emergency vendor patching outside the regular cycle is a strong prioritisation signal, especially for internet-exposed identity services where compromise can cascade into credential abuse, privilege escalation, and broad enterprise trust failure. (Source: SecurityWeek, 23-03-2026)
[AMER] CISA ordered federal agencies on 23-03-2026 to patch three iOS flaws tied to the DarkSword exploit kit, citing their use in cryptocurrency theft and cyberespionage operations targeting Apple devices. The advisory matters because mobile-device compromise remains under-monitored in many investigations, so teams should treat phone telemetry, mobile threat hunting, and executive device patch latency as first-order threat intelligence concerns rather than edge cases. (Source: BleepingComputer, 23-03-2026)
Law Enforcement
[EMEA] Europol announced on 20-03-2026 that authorities from 23 countries shut down more than 373,000 dark web sites in a coordinated cybercrime operation, continuing multinational pressure on criminal infrastructure used for illicit services and data abuse. The action matters to practitioners because takedowns at this scale can generate fresh indicators, seized data, victim notifications, and infrastructure pivots, all of which can reshape attribution work and expose new investigative leads across multiple cases. (Source: Europol, 20-03-2026)
[AMER/EMEA] Reuters reported on 20-03-2026 that the United States, Germany, and Canada disrupted four major botnets that had infected more than three million devices, with Europol support and assistance from major technology companies in the coordinated operation. For law-enforcement-facing defenders, the case underlines the value of public-private disruption, sinkholing, and infrastructure seizure against DDoS and proxy botnets that can be repurposed for extortion, anonymisation, and broader criminal enablement. (Source: Reuters, 20-03-2026)
Policy
[EMEA] The European Commission said on 20-03-2026 that the first Administrative Cooperation Group meeting under the Cyber Resilience Act elected its leadership, a practical step toward coordinated enforcement of lifecycle cybersecurity requirements for products with digital elements across the EU. For vendors and compliance teams, the governance move signals that supervisory alignment is shifting from legislative text to operational implementation, making documentation, secure-development evidence, vulnerability handling, and market-surveillance readiness more urgent. (Source: European Commission, 20-03-2026)
[EMEA] The UK NCSC announced on 23-03-2026 that CYBERUK 2026 will bring senior officials from the UK, Australia, Canada, Germany, and Japan to Glasgow in April, framing the event around how governments and industry can accelerate collective cyber defence. While not a regulation, the agenda matters because it points to near-term policy emphasis on international coordination, resilience, and shared response priorities that frequently shape procurement, guidance, and public-sector cyber expectations. (Source: NCSC, 23-03-2026)
Standards & Compliance
[AMER] NIST’s publications index shows that on 23-03-2026 it released the initial public draft of SP 1347, the Cybersecurity Framework 2.0 Informative References Quick-Start Guide, alongside a final workforce and enterprise-risk quick-start document. For compliance teams, that is useful because it translates CSF 2.0 into more directly mappable references, helping organisations align controls, assessments, and audit narratives without rebuilding their crosswalks from scratch. (Source: NIST, 23-03-2026)
[AMER] NIST also published the final Secure Domain Name System Deployment Guide on 19-03-2026, updating baseline recommendations for protecting DNS integrity, availability, and confidentiality across enterprise environments. That matters because DNS remains both a core dependency and a high-value detection layer, so revised guidance can influence control design, logging strategy, resolver hardening, and evidence expected during security reviews or regulated assurance exercises. (Source: NIST, 19-03-2026)
Consumer App Data Leaks
[AMER] Navia Benefit Solutions disclosed on 19-03-2026 that attackers who had access to its systems from late December 2025 through mid-January 2026 exposed sensitive information belonging to nearly 2.7 million people. For practitioners, the scale and benefits-administration context make this a strong reminder that downstream service providers can hold dense identity and health-plan data, raising notification, fraud-monitoring, and third-party risk questions far beyond the breached entity itself. (Source: BleepingComputer, 19-03-2026)
[AMER] Kaplan breach notifications reported on 23-03-2026 said at least 230,000 people had Social Security and driver’s license numbers exposed after a 2025 cybersecurity incident, with filings sent to regulators in multiple U.S. states. The story matters because education and training platforms routinely aggregate long-lived identity records, making them attractive targets for fraud and account takeover well after the initial intrusion is contained. (Source: The Record, 23-03-2026)
Editorial Perspective
This cycle points to a familiar but intensifying pattern: attackers are compressing dwell time, pushing through software supply chains, and exploiting subsidiaries, contractors, and remote-access trust relationships rather than only the headline-grabbing core systems.
At the same time, the policy and standards stream is becoming more operational, with CRA enforcement structures, fresh NIST implementation aids, and practical NCSC guidance all moving closer to day-to-day security engineering and response.
For DFIR leaders, the practical takeaway is to shorten decision loops, validate third-party exposure continuously, and treat governance artefacts as response enablers rather than paperwork.
Reference Reading
- M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 Seconds
- NCSC: How to secure your online meetings
- Europol: Global cybercrime crackdown over 373,000 dark web sites shut down
- NIST: Secure Domain Name System Deployment Guide final publication
- European Commission: CRA Market Surveillance Group elects leadership
- The Record: Trio-Tech ransomware attack reported to SEC
Tags
DFIR, Incident Response, Threat Intelligence, Ransomware, Supply Chain Security, Cybercrime Investigations, Law Enforcement, Cyber Policy, NIST, NCSC, Cyber Resilience Act, Data Breach