Digital Forensics Magazine — 48h News Roundup
Window: 2026-02-25 00:00 to 2026-02-27 23:59 (UTC)
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| DFIR & Incident Response | Cisco SD-WAN hunting guidance | 2 |
| Cyber Investigations | Carding extradition; Conti probe | 2 |
| Major Cyber Incidents | Odido leak; Marseille breach | 2 |
| Exploits & Threat Intelligence | SD-WAN zero-day; Apex One RCE | 3 |
| Law Enforcement | $580M crypto seizures; AECA arrest | 2 |
| Policy | EU security measures; CI protection | 2 |
| Standards & Compliance | UK NIS bill; age-check enforcement | 2 |
| Consumer App Data Leaks | ManoMano breach; Coupang fallout | 2 |
Digital Forensics & Incident Response
NSA partners publish Cisco Catalyst SD-WAN hunt/hardening guidance — [AMER] NSA and international partners released an incident-response alert plus a dedicated threat-hunting and hardening guide focused on active exploitation of Cisco Catalyst SD-WAN (including CVE-2026-20127 and follow-on root activity) and recommended artifact collection and containment steps. For DFIR teams, the value is operational: it prioritizes what logs and filesystem evidence to pull, how to spot rogue peers/config drift, and when to rebuild versus “clean,” reducing dwell time and re-compromise risk. (Source: NSA, 26-02-2026).
NHS England issues cyber alert on Cisco SD-WAN exploitation — [EMEA] NHS England published Cyber Alert CC-4748 warning organisations about ongoing exploitation affecting Cisco Catalyst SD-WAN, with mitigation guidance aimed at restricting exposure, applying vendor fixes, and validating whether management interfaces were reachable from the internet. This matters for responders because it translates vendor/partner reporting into concrete defensive actions (patch, segmentation, externalised logging, and investigation triggers) that can be applied quickly across estates with limited change windows. (Source: NHS England, 26-02-2026).
Cyber Investigations
Chilean national extradited to face “carding” and ID charges — [AMER] U.S. prosecutors said a Chilean national was extradited and arraigned in Utah over allegations he ran an online card shop (including via Telegram channels) trafficking stolen payment-card data tied to roughly 26,528 cards, alongside identity-transfer charges. For investigators, the release is a reminder to preserve chat-platform evidence, pivot from marketplace handles to financial/hosting infrastructure, and plan cross-border legal process early because extraditions hinge on documentation quality and timeline discipline. (Source: U.S. DOJ (USAO-UT), 26-02-2026).
Moscow case alleges attempted extortion of Conti-linked actors — [EMEA] Russian authorities accused a Moscow resident of posing as an FSB officer to extort money from individuals tied to the former Conti ransomware operation, with reporting indicating pre-trial detention and a long-running investigation timeline. The investigative takeaway is that ransomware ecosystems generate secondary fraud and coercion cases; attribution work, leak analysis, and financial trails from earlier intrusions can resurface years later as evidence in adjacent prosecutions and intel collection. (Source: The Record, 25-02-2026).
Major Cyber Incidents
Odido says hackers began publishing stolen customer data — [EMEA] Dutch telecom Odido said the criminal group behind a major Netherlands breach started leaking customer information online, with reporting describing millions of affected customers and the firm’s decision not to negotiate with the attackers. For IR leads, this underscores the need to prepare “leak day” playbooks (identity-protection comms, fraud monitoring, and regulator reporting) in parallel with technical containment, because extortion timelines can force public response before full scoping is complete. (Source: Reuters, 26-02-2026).
Olympique de Marseille confirms attempted cyberattack after leak claim — [EMEA] Olympique de Marseille said it was targeted by an attempted cyberattack after a threat actor claimed access and posted a sample of allegedly stolen data, while the club reported normal operations and advised vigilance against phishing. The case is a practical example of handling “breach claim + sample leak” scenarios: responders should validate data provenance, lock down CMS/admin accounts, accelerate credential hygiene, and coordinate legal/regulatory steps even when the organisation cannot yet confirm full data exfiltration. (Source: BleepingComputer, 26-02-2026).
Exploits & Threat Intelligence
Cisco Catalyst SD-WAN auth-bypass bug used in “zero-day” activity — [GLOBAL] Reporting said Cisco warned CVE-2026-20127 enabled attackers to compromise Catalyst SD-WAN controllers/managers, add rogue peers, and potentially chain activity for deeper control, with telemetry suggesting exploitation dating back to at least 2023. For threat-hunters, the operational priority is to search for unauthorized peering, suspicious vmanage-admin/root access, downgrade/upgrade patterns, and missing/tampered logs—then treat any confirmed exposure as a rebuild event rather than a simple patch-and-pray fix. (Source: BleepingComputer, 25-02-2026).
Trend Micro patches critical Apex One management-console RCE paths — [APAC] Trend Micro issued fixes for two critical Apex One management-console path traversal vulnerabilities enabling remote code execution on unpatched systems, with guidance emphasizing rapid updates and restricting console exposure. This matters because endpoint-management consoles are high-value choke points: compromise can quickly become fleet-wide execution, so defenders should treat console exposure as an emergency, validate internet reachability, rotate admin credentials/tokens, and ensure EDR telemetry is preserved to catch post-exploit lateral movement. (Source: BleepingComputer, 26-02-2026).
Ransomware payment rate reported at record lows despite more claims — [GLOBAL] Chainalysis data highlighted in reporting indicated ransomware victim payment rates fell to about 28% last year even as the number of claimed attacks increased, continuing a multi-year decline. For DFIR and leadership teams, this is a signal to double down on “pay-not-required” resilience—tested restores, immutable/offline backups, credential recovery, and extortion response comms—because attackers may escalate pressure (leaks, harassment) when fewer victims pay. (Source: BleepingComputer, 26-02-2026).
Law Enforcement
DOJ says scam-strike-force crypto freezes/seizures topped $580M — [AMER] U.S. prosecutors said cryptocurrency freezes and seizures linked to “scam center” activity surpassed $580 million, describing confidence/crypto-investment fraud operations tied to Chinese transnational criminal groups and scam compounds in Southeast Asia. For practitioners, the message is twofold: preserve on-chain evidence early (wallet clustering, exchange subpoenas) and coordinate victim-asset recovery workflows, because enforcement success increasingly depends on rapid tracing, legal process, and tight timing to prevent laundering. (Source: U.S. DOJ (USAO-DC), 26-02-2026).
Former U.S. Air Force pilot arrested over alleged unlicensed training — [AMER] The U.S. announced the arrest of a former Air Force officer/pilot accused of conspiring to provide combat aircraft training to Chinese military pilots without the required authorization under export-control rules. For cyber and counterintelligence teams, this matters because adversaries often blend human recruitment with technical collection; organisations should enhance insider-risk monitoring, restrict sensitive training content, and treat unusual travel/contracting patterns as investigative triggers alongside traditional digital indicators. (Source: U.S. DOJ (OPA), 25-02-2026).
Policy
EU advances action plan to protect undersea cables — [EMEA] The European Commission set out an action plan aimed at better protecting undersea cables, a critical dependency for internet connectivity and cross-border services, with initiatives spanning prevention, detection, response, and recovery. For DFIR and resilience planners, the relevance is direct: cable disruptions can cascade into major service outages and evidence gaps, so organisations should validate alternate connectivity paths, align incident comms with telecom dependencies, and include supply-chain/physical sabotage scenarios in tabletop exercises. (Source: European Commission, 26-02-2026).
Sweden urges energy sector to raise security amid cyber threats — [EMEA] Swedish authorities urged energy firms to strengthen security in response to elevated threat conditions and recent cyber and sabotage concerns affecting critical infrastructure across Europe. The operational impact is that policy signals often translate into audits and mandatory reporting; IR leaders should ensure OT/IT logging, incident criteria, and third-party access controls are “inspection ready,” because post-incident scrutiny tends to focus on visibility, segmentation, and vendor remote-access governance. (Source: Reuters, 26-02-2026).
Standards & Compliance
UK Cyber Security and Resilience (NIS) Bill updated in Parliament — [EMEA] The UK Parliament’s bill page shows the Cyber Security and Resilience (Network and Information Systems) Bill—amending the NIS Regulations 2018—was updated on 25 February 2026, continuing legislative work on essential-service security and resilience requirements. For compliance teams, this is a heads-up to map likely scope changes (operators, supply chain, reporting duties) and to align evidence collection now—asset inventories, incident records, and governance artefacts—so DFIR outputs can satisfy future regulatory expectations. (Source: UK Parliament, 25-02-2026).
Ofcom fines porn company £1.35m for failing to implement age checks — [EMEA] Ofcom’s news and updates list includes an enforcement action fining a porn provider for not having age checks, reinforcing online safety compliance pressure on consumer-facing platforms handling sensitive audiences. For cyber and privacy professionals, enforcement like this tends to drive accelerated identity/age-verification deployments and new data flows; that increases breach impact unless teams tighten vendor risk controls, secure PII at rest/in transit, and build audit-ready logging around verification services. (Source: Ofcom, 23-02-2026).
Consumer App Data Leaks
ManoMano breach notifications cite third-party compromise affecting 38M — [EMEA] ManoMano said a third-party service provider was compromised, leading to unauthorised extraction of customer personal data and breach notifications affecting an estimated 38 million individuals. For defenders, third-party breach mechanics are the lesson: ensure supplier access is least-privilege and time-bounded, require tamper-evident logging from vendors, and pre-stage customer-notification workflows so incident response can move in parallel with procurement and legal teams. (Source: BleepingComputer, 26-02-2026).
Coupang faces market fallout amid ongoing breach investigation — [APAC] Reuters reported continued fallout around Coupang’s previously disclosed user-data leak, with a government-led investigation ongoing and an updated assessment attributing issues to management failure rather than a sophisticated cyberattack. The DFIR angle is reputational and regulatory: even “non-APT” breaches can trigger prolonged scrutiny, so teams should preserve investigative records, document control gaps and remediation, and improve customer-facing fraud monitoring because churn and secondary scams often follow large-scale consumer data exposure. (Source: Reuters, 26-02-2026).
Editorial Perspective
The most actionable theme this cycle is the Cisco SD-WAN exploitation guidance: multiple public-sector channels are converging on the same operational advice—inventory fast, hunt for compromise, and be prepared to rebuild, not just patch.
At the same time, data-leak dynamics remain unforgiving: Odido’s publication pressure and consumer-platform fallout show that incident outcomes are increasingly dictated by extortion timelines and trust impact, not only technical recovery.
Finally, policy and enforcement updates point to tightening expectations for both resilience and accountability, making audit-ready logging, supplier governance, and well-rehearsed crisis communications as essential as detection engineering.
Reference Reading
- NSA: joint alert + threat hunting/hardening guide (Cisco SD-WAN)
- NHS England Cyber Alert CC-4748 (Cisco SD-WAN exploitation)
- BleepingComputer: Cisco Catalyst SD-WAN zero-day exploitation summary
- BleepingComputer: Trend Micro Apex One critical RCE fixes
- Reuters: Odido breach and ongoing data publication
- UK Parliament: Cyber Security and Resilience (NIS) Bill page
Tags
Cisco SD-WAN, CVE-2026-20127, Threat hunting, Incident response, Data breach, Ransomware, Supply chain risk, Telecom security, Critical infrastructure, Crypto fraud, Export controls, NIS compliance
