
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| DFIR & Incident Response | Holiday ransomware gaps, data auctions | 2 |
| Cyber Investigations | London councils and Harvard probes | 2 |
| Major Cyber Incidents | Emergency alerts, industrial and banking | 3 |
| Exploits & Threat Intelligence | npm worm and FortiWeb zero-day | 2 |
| Law Enforcement | Cyber slavery and stalking crackdowns | 2 |
| Policy | South Sudan cyber law, archives | 2 |
| Standards & Compliance | EU CRA and telco workload | 2 |
| Consumer App Data Leaks | Android fiction reading apps exposed 100M+ records | 1 |
Digital Forensics & Incident Response
Semperis warns holiday gaps increase ransomware risk for critical infrastructure — Researchers found that ransomware groups increasingly schedule intrusions for weekends and holidays, exploiting reduced on-call identity and IR staffing to extend dwell time inside OT-adjacent networks (25-11-2025) [GLOBAL]. This trend reinforces the need for 24/7 identity telemetry, automated containment actions, and pre-staged response playbooks for high-impact sectors (Source: Industrial Cyber, 25-11-2025).
Ransomware crews now auction stolen data to multiple buyers — Analysts report that several ransomware groups have shifted to multi-round “data auctions” after breaches, monetising exfiltrated files by selling access to multiple bidders instead of relying solely on extortion (24-11-2025) [GLOBAL]. DFIR teams must adapt by accelerating data-mapping, leak-site monitoring and legal coordination to counter long-tail exploitation of stolen datasets (Source: Cybersecurity Review, 24-11-2025).
Cyber Investigations
Coordinated cyberattacks disrupt multiple London councils and shared services — Several London local authorities experienced a coordinated cyber incident impacting shared IT providers, forcing temporary shutdowns of public services while investigations focus on supplier compromise routes (26-11-2025) [EMEA]. The case highlights how interconnected municipal systems amplify blast radius and require forensic teams to map cross-council identity trust paths and supplier access in detail (Source: Breached Company, 26-11-2025).
Harvard probes phishing-driven compromise of alumni and donor systems — Investigators found that attackers used a targeted vishing call paired with tailored phishing emails to access Harvard’s advancement systems, exposing sensitive alumni and donor contact data (24-11-2025) [AMER]. The incident reinforces the need for telephone-metadata review, CRM audit logging and integrated social-engineering defence across high-value academic institutions (Source: The420, 24-11-2025).
Major Cyber Incidents
Ransomware attack disrupts CodeRED emergency alert services across the US — OnSolve’s CodeRED system was forced offline after a ransomware intrusion disabled components of the emergency alerting platform, temporarily impacting notifications used by local agencies and first responders (24-11-2025) [AMER]. The outage underscores the fragility of SaaS-based life-safety systems and highlights the need for offline redundancy, vendor diligence and joint incident rehearsals with critical suppliers (Source: BleepingComputer, 24-11-2025).
NightSpire ransomware group claims attack on Indian industrial paper manufacturer — Balkrishna Paper Mills reported operational disruption after NightSpire actors leaked samples of allegedly stolen documents, suggesting a double-extortion intrusion targeting both IT and manufacturing systems (25-11-2025) [APAC]. The case highlights industrial firms’ exposure to ransomware crews exploiting legacy ERP systems, flat networks and OT-adjacent infrastructure (Source: HookPhish, 25-11-2025).
Banking industry vendor breach exposes sensitive Wall Street customer data — A compromise at financial-services provider SitusAMC enabled attackers to steal sensitive borrower and institutional data tied to major US banks, prompting a federal investigation into suspected supply-chain exploitation (24-11-2025) [AMER]. The breach reinforces the systemic risk posed by interconnected financial vendors and the importance of contract-level incident obligations and continuous monitoring (Source: Cybersecurity Dive, 24-11-2025).
Exploits & Threat Intelligence
Shai-Hulud npm worm resurges, compromising packages used by Zapier and ENS — Researchers warn that a revived Shai-Hulud npm worm has seeded tens of thousands of malicious repositories and infiltrated widely used packages, enabling credential theft and stealthy script injection across dependent ecosystems (23-11-2025) [GLOBAL]. The campaign highlights the urgency of SBOM adoption, dependency monitoring and developer-pipeline hardening, because perimeter controls cannot detect package-level compromise (Source: StepSecurity, 23-11-2025).
FortiWeb CVE-2025-58034 under active exploitation despite available patches — Security analysts report that threat actors are actively exploiting a critical FortiWeb vulnerability to gain remote code execution on exposed appliances, prompting CISA to issue accelerated patch deadlines for federal agencies (24-11-2025) [GLOBAL]. Organisations using FortiWeb should prioritise emergency patching, review management-plane exposure and hunt for historical webshell or config-tampering indicators (Source: Data Breaches Digest, 24-11-2025).
Law Enforcement
Gujarat woman arrested for recruiting victims into transnational cyber-slavery rings — Police in Vadodara detained a woman accused of funnelling jobseekers into Southeast Asian cyber scam compounds, coordinating travel and documents for victims subsequently coerced into large-scale online fraud operations (25-11-2025) [APAC]. The case highlights how trafficking networks underpin global cybercrime and reinforces the need for digital forensics, financial-flow tracking and cross-border cooperation to dismantle these operations (Source: The Indian Express, 25-11-2025).
Karachi Police arrest suspect who stole data from over 100 women using phishing links — Pakistan’s cybercrime unit arrested a man accused of using cloned login pages and malicious messaging campaigns to steal mobile data and social media credentials from more than one hundred women across Karachi (25-11-2025) [APAC]. The operation underscores law enforcement’s growing focus on tech-enabled gender-based abuse and the importance of digital evidence handling in attribution and victim assistance (Source: TechJuice, 25-11-2025).
Policy
South Sudan passes controversial Cybercrime and Computer Misuse Bill — South Sudan’s Transitional National Legislative Assembly approved a cybercrime bill that officials claim is needed to curb online abuse, though rights groups warn the vague language could criminalise criticism and suppress digital activism (25-11-2025) [AFRICA]. The move highlights how cybercrime legislation in fragile states can conflict with privacy, press freedom and civil-society operations, complicating compliance and humanitarian engagement (Source: Radio Tamazuj, 25-11-2025).
Norway’s new archive law raises concerns over secure digital record-keeping — Analysts warn that Norway’s forthcoming archive law, which privileges paper-based records over digital systems, could undermine cybersecurity, fragment record-keeping and increase insider-risk across public institutions (25-11-2025) [EMEA]. The debate shows how misaligned legislation can weaken digital governance, hinder incident response and complicate e-discovery in regulated sectors (Source: AllCan/Scandinavian partner portals, 25-11-2025).
Standards & Compliance
EU Cyber Resilience Act pushes SaaS providers toward deeper security maturity — Experts argue that while the EU CRA mandates stronger development, identity and vulnerability controls for SaaS vendors, compliance alone cannot stop modern attacks that bypass phishing-resistant authentication or steal session tokens (26-11-2025) [EU]. CISOs must pair CRA readiness with behavioural analytics, threat modelling and secure SDLC guardrails to withstand real adversaries (Source: Security Boulevard, 26-11-2025).
Telefónica warns regulatory fragmentation is draining operator security capacity — A new Telefónica paper reports that overlapping frameworks such as NIS2, sectoral telecom rules and national mandates consume up to 80% of some operators’ cybersecurity operations time, reducing capacity for threat detection and incident response (24-11-2025) [GLOBAL]. The findings reinforce the need for harmonised controls and automated evidence collection across large enterprises (Source: Telefónica, 24-11-2025).
Consumer App Data Leaks
Misconfigured database exposes personal data of millions of Android fiction-app users — CyberNews investigators discovered an unsecured cloud database used by multiple Android fiction-reading apps, exposing more than 100 million user records including emails, profile information, reading history and, for some authors, government IDs and payment-related documents (25-11-2025) [GLOBAL]. The incident highlights persistent risks in mobile-app ecosystems, where poor backend access controls and rapid development cycles complicate DFIR attribution and leave a long tail of privacy impact (Source: CyberNews, 25-11-2025).
Editorial Perspective
This 48-hour window shows how ransomware timing, supply-chain compromise and cloud-service exploitation are merging into a single strategic threat landscape. Emergency alert outages, industrial disruptions and municipal-IT intrusions demonstrate how identity infrastructure, third-party SaaS and legacy ERP systems now form an interconnected attack surface.
At the same time, law-enforcement activity around cyber-slavery recruitment and gender-targeted stalking emphasises how human factors remain central to cybercrime operations. Policy shifts—ranging from restrictive cybercrime laws to compliance-heavy regulatory frameworks—further complicate the environment DFIR teams must navigate.
For defenders, the priority is strengthening joint vendor-IR processes, investing in behavioural analytics and adopting harmonised control frameworks that reduce audit fatigue. The organisations best positioned for resilience will be those that integrate compliance, digital forensics and threat-hunting into coordinated, intelligence-driven practice.
Tags
DFIR, Cybersecurity News, Threat Intelligence, Ransomware, Law Enforcement, Cyber Policy, Compliance, NIS2, EU CRA, Supply Chain Risk, Mobile App Security, Data Privacy
