Tuesday, November 25 2025
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 22-11-2025 to 24-11-2025 (UTC)

Snapshot Summary

Sector / Section         | Headline Highlights                                  | Count
DFIR & Incident Response | Qilin case study and daily ransomware trends         | 2
Cyber Investigations     | Insider leak and massive WhatsApp scraping           | 2
Major Cyber Incidents    | Airline and vendor breaches hit finance              | 3
Exploits & Threat Intel  | Oracle IAM zero-day and APT31 espionage              | 3
Law Enforcement          | Crackdowns on scam hubs and traffickers              | 3
Policy                   | G7 alignment and UAE travel guidance                 | 2
Standards & Compliance   | Cyber Essentials and NCSC guidance emphasised        | 3

Digital Forensics & Incident Response

Qilin ransomware investigation maps full intrusion chain — Huntress analysts reconstructed a Qilin ransomware attack from a single compromised endpoint, correlating limited logs to reveal rogue remote-access sessions, credential theft, lateral movement and final encryption in a mid-sized organisation (22-11-2025) [Global]. The case gives DFIR teams concrete indicators of compromise, persistence techniques and timeline-reconstruction methods they can adapt into hunt queries, tabletop exercises and more resilient evidence-collection strategies (Source: BleepingComputer, 22-11-2025).

Daily ransomware report tracks cross-sector victim flow — Purple Ops’ Daily Ransomware Report for 23 November highlights fresh victims across professional services, manufacturing, energy and local government, with activity clustered around a handful of prolific affiliate groups and leak sites (23-11-2025) [Global]. The telemetry gives incident responders an up-to-the-minute view of which sectors and geographies are under pressure, helping them prioritise hunting, playbook testing and executive briefings around current threat dynamics (Source: Purple Ops, 23-11-2025).

Cyber Investigations

CrowdStrike fires insider who shared internal screenshots with hackers — CrowdStrike confirmed that an employee was dismissed after investigators found they had taken screenshots of internal dashboards and passed them to the Scattered Lapsus$ Hunters collective, though no customer environments were breached (21-11-2025) [US]. The case shows how even top-tier security vendors face insider risk, reinforcing the need for access review, user-behaviour analytics and clear legal and HR processes around privileged system-monitoring (Source: BleepingComputer, 21-11-2025).

WhatsApp API flaw let researchers scrape 3.5 billion accounts — Security researchers compiled a dataset of 3.5 billion active WhatsApp numbers and associated profile information by abusing a contact-discovery API that lacked effective rate limiting, prompting Meta to deploy tighter throttling controls (22-11-2025) [Global]. For cyber investigators and defenders, the study illustrates how ungoverned APIs can leak OSINT at massive scale, making API inventory, abuse detection and privacy-by-design requirements central to modern investigative tradecraft (Source: BleepingComputer, 22-11-2025).

Major Cyber Incidents

Iberia discloses customer data leak after vendor breach — Spanish flag carrier Iberia is notifying customers that a third-party supplier handling communications systems was compromised, exposing names, email addresses and some loyalty details while flight safety and payment data remained unaffected (23-11-2025) [EU]. The incident underlines the aviation sector’s dependence on outsourced platforms and the need for robust third-party risk management, data minimisation and shared incident-response playbooks with critical suppliers (Source: BleepingComputer, 23-11-2025).

Cox Enterprises breach tied to Oracle E-Business Suite zero-day — Cox Enterprises confirmed a breach in which attackers exploited a zero-day in Oracle E-Business Suite to access HR-related data, including employee identifiers, salary details and limited banking information for staff (22-11-2025) [US]. The case shows how ERP platforms have become high-value entry points for both data theft and extortion, demanding tight segmentation, strong identity controls and dedicated monitoring around business-critical applications (Source: BleepingComputer, 22-11-2025).

Vendor hack at SitusAMC exposes data for major US banks — The Times of India reports that a cyberattack on real-estate technology vendor SitusAMC has potentially exposed mortgage-related data for customers of JPMorgan Chase, Citibank, Morgan Stanley and other US financial giants (23-11-2025) [US/APAC]. The breach highlights systemic concentration risk in financial-services supply chains and the importance of vendor assessments, contractual breach-notification clauses and coordinated communications between banks, regulators and affected customers (Source: The Times of India, 23-11-2025).

Exploits & Threat Intelligence

Oracle Identity Manager zero-day added to CISA KEV list — Purple Ops and CISA warn that CVE-2025-61757, a pre-authentication remote code-execution flaw in Oracle Identity Manager, is being actively exploited against exposed identity infrastructure and must be patched on an urgent basis (23-11-2025) [Global]. The advisory underscores how IAM platforms are now prime targets for initial access and privilege escalation, pushing defenders to harden external interfaces, review logs for suspicious admin actions and prioritise compensating controls while patching (Source: Purple Ops, 23-11-2025).

Markdown-to-PDF processing flaw enables RCE (CVE-2025-65108) — Researchers detailed how maliciously crafted markdown files can trigger remote code execution when converted to PDF by vulnerable pipelines, impacting CI/CD systems and automated document-generation services across multiple platforms (24-11-2025) [Global]. The finding reminds security teams that content-processing tools in build chains and back-office workflows are part of the attack surface and must be sandboxed, monitored and patched with the same urgency as internet-facing applications (Source: Purple Ops, 24-11-2025).

APT31 targets Russian IT firms via global cloud infrastructure — The Hacker News reports that China-linked APT31 has run long-running espionage campaigns against Russian IT and software providers, abusing global cloud services and stealthy tunnelling to blend malicious traffic into normal operations (22-11-2025) [EMEA/APAC]. For threat-hunting teams, the campaign reinforces the need for deep inspection of cloud egress, strong identity governance and anomaly detection tuned specifically to managed service and software-supply-chain environments (Source: The Hacker News, 22-11-2025).

Law Enforcement

Delhi Police arrest over 42 suspects in Operation CyHawk — Delhi Police say a 48-hour operation codenamed CyHawk registered 23 FIRs and led to more than 42 arrests tied to phishing, fake tech-support, investment scams and other cyber-enabled frauds linked to hundreds of citizen complaints (22-11-2025) [APAC]. The crackdown highlights how intelligence-led targeting of call centres and mule networks can disrupt large-scale fraud ecosystems when combined with telecom, banking and national cybercrime-portal data (Source: The Statesman, 22-11-2025).

Myanmar arrests nearly 1,600 foreign workers in scam-hub raids — Myanmar’s military authorities report detaining almost 1,600 foreign nationals and seizing thousands of devices in raids on the Shwe Kokko cyber-fraud zone, part of a wider campaign targeting online-scam compounds along the Thai border (23-11-2025) [APAC]. For investigators and policymakers, the operation promises a trove of digital evidence on global scam networks and illustrates how geopolitical pressure is beginning to reshape the cybercrime landscape in Southeast Asia (Source: Al Mayadeen English, 23-11-2025).

Uttarakhand police detain three over trafficking recruits to Myanmar scam centres — Police in India’s Uttarakhand state arrested three individuals accused of fraudulently transporting jobseekers via Thailand to Myanmar, where they were allegedly forced to work in cybercrime compounds targeting global victims (24-11-2025) [APAC]. The case exposes how human trafficking and online-fraud economies intersect, emphasising the value of cross-border coordination, victim support and digital forensics to map recruiters, travel brokers and scam-centre operators (Source: OneIndia, 24-11-2025).

Policy

G7 interior and security ministers pledge tighter coordination on cyber threats — A communiqué from the G7 Interior and Security Ministers’ meeting in Ottawa sets out commitments to deepen cooperation against transnational organised crime, cyber-enabled offences, online child abuse and malicious state activity (23-11-2025) [Global]. For cyber leaders, the statement foreshadows closer information-sharing, more joint investigations and potential convergence of domestic cyber policies, sanctions tools and cross-border evidence frameworks across G7 states (Source: Government of Canada, 23-11-2025).

UAE Cyber Security Council warns travellers about “juice jacking” risk — The UAE Cyber Security Council cautioned that around 79% of travellers expose themselves to data theft by charging phones at unsecured public USB ports, urging people to rely on personal chargers and power-only cables instead (23-11-2025) [EMEA]. The advisory is a timely nudge for organisations to update travel-security guidance, enforce USB-data blocking and remind staff that seemingly harmless charging points can become vectors for malware and credential theft (Source: Gulf News, 23-11-2025).

Standards & Compliance

Guide breaks down Cyber Essentials device-security standards — Neumetric published a detailed overview of UK Cyber Essentials device-security requirements, stressing secure configuration, patch management, access control, malware protection and application control across laptops, mobiles and servers (21-11-2025) [EMEA]. The guide offers compliance and IT teams a practical checklist they can map into endpoint-hardening projects and supplier due-diligence, especially where Cyber Essentials-style controls are becoming de facto procurement expectations (Source: Neumetric, 21-11-2025).

Legal-sector consultancy ELE achieves Cyber Essentials Plus — Professional-services marketing firm ELE announced it has obtained Cyber Essentials Plus certification, following independent technical testing of patching, configuration, malware protection and perimeter security controls (21-11-2025) [EMEA]. For law firms, chambers and their vendors, the case illustrates how security certifications are becoming competitive differentiators and increasingly expected in client due-diligence for organisations handling sensitive legal and client data (Source: PSM – The Professionals, 21-11-2025).

Tripwire distils lessons from the UK NCSC 2025 Annual Review — Tripwire’s analysis of the UK NCSC 2025 Annual Review highlights the agency’s focus on supply-chain risk, secure-by-design products and uplift of baseline controls such as Cyber Essentials and the Cyber Assessment Framework (21-11-2025) [EMEA]. Compliance leaders can treat the review as a strategic roadmap, aligning governance programmes, third-party assessments and board reporting with the NCSC’s view of where systemic resilience must improve next (Source: Tripwire, 21-11-2025).

Editorial Perspective

This 48-hour window shows how tightly today’s incident landscape is bound up with identity, supply chains and human behaviour, from Oracle Identity Manager exploitation and Qilin’s ransomware playbook to airline and mortgage-vendor breaches. Systems that previously looked like niche infrastructure choices or back-office tools are now clearly in the blast radius.

At the same time, law-enforcement stories from Delhi, Myanmar and Uttarakhand underline that cybercrime is inseparable from trafficking and fraud economies, not just “keyboard criminals” in isolation. Insider leaks at security vendors and lax API governance at global platforms add another layer, reminding us that people and process failures can defeat even sophisticated technology stacks.

For DFIR practitioners and security leaders, the priority is to treat identity platforms, vendor ecosystems and content-processing pipelines as critical infrastructure, not peripheral utilities, and to use these cases directly in tabletop exercises, control testing and executive risk briefings before they appear in their own disclosure letters.

Tags

DFIR, Cybersecurity News, Threat Intelligence, Ransomware, Law Enforcement, Cyber Policy, Compliance, Supply Chain Risk, Identity Security, API Security, Critical Infrastructure
