
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| DFIR & Incident Response | Forensics becomes frontline; Healthcare incident readiness | 2 |
| Cyber Investigations | Meeting-stealing extensions; Ivanti compromise lessons | 2 |
| Major Cyber Incidents | Korean Air vendor breach; Ransomware claim hits fashion | 2 |
| Exploits & Threat Intelligence | IBM API Connect auth bypass; MongoBleed exposure surge | 2 |
| Law Enforcement | BlackCat insiders plead guilty; ATM jackpotting indictments | 2 |
| Policy | China cyber law takes effect; Hong Kong CIO incident reporting | 2 |
| Standards & Compliance | EU CER strategy deadline; UK sanitisation assurance launch | 2 |
| Consumer App Data Leaks | Patient portal breach update; Notification and containment steps | 2 |
Digital Forensics & Incident Response
Why Some Organisations Recover Quickly from Ransomware — DFIR teams are increasingly prioritising restoration engineering, immutable backups, and rehearsed decision paths to shorten dwell-to-recovery timelines after encryption events. (01-01-2026) [EMEA]. For responders, the operational lesson is that evidence preservation, segmentation, and recovery orchestration must be designed together, otherwise post-incident forensics and business continuity will conflict under time pressure. (Source: Infosecurity Magazine, 01-01-2026).
Cyberattacks surge 49% in PH, healthcare becomes top target — A new Philippines-focused update highlights rising cyberattack volume with healthcare singled out as a leading target category, increasing the likelihood of multi-party incident response involving providers and vendors. (02-01-2026) [APAC]. For DFIR, this reinforces the need for rapid scoping across SaaS, EHR integrations, and identity logs, because patient-data investigations hinge on correlating activity across multiple systems and third parties. (Source: InsiderPH, 02-01-2026).
Cyber Investigations
2.2M Chrome, Firefox, Edge users impacted by meeting-stealing malware — Investigators traced a malicious browser-extension campaign that targeted conferencing and session artefacts, expanding the typical phishing-to-token theft pipeline into collaboration tooling. (02-01-2026) [AMER]. The investigative impact is that responders must treat browser extension inventories and sync telemetry as primary evidence sources, because credential compromise can occur without classic endpoint malware indicators. (Source: Cybernews, 02-01-2026).
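To make the extension-inventory point concrete, the following is an added example, not code from Cybernews or from the investigation the item describes. Chrome and Edge unpack each installed extension to `<profile>/Extensions/<extension_id>/<version>/manifest.json`; the script walks that layout and flags extensions whose requested permissions would let them read cookies, intercept requests, or inject scripts into every page, which is the capability set a meeting- or token-stealing extension needs. The fixture profile, extension IDs and names are constructed for the example, and the "high-risk" permission set is an editorial assumption rather than a vendor list. Firefox stores extensions differently (extensions.json plus XPI archives) and is not covered.

```python
"""Triage Chromium extension manifests under a browser profile directory.

Layout assumed (real for Chrome/Edge): <profile>/Extensions/<id>/<version>/manifest.json
"""
import json
import os
import tempfile

# Editorial assumption: permissions that let an extension read session tokens,
# intercept traffic, or capture meeting content. Not a vendor-published list.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "tabCapture", "desktopCapture", "clipboardRead", "history", "debugger",
    "nativeMessaging", "scripting",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_manifests(profile_dir):
    """Yield (extension_id, version, manifest_dict) for every unpacked extension."""
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            path = os.path.join(id_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                try:
                    yield ext_id, version, json.load(fh)
                except json.JSONDecodeError:
                    # A manifest that will not parse is itself worth a look.
                    yield ext_id, version, {"_parse_error": True}


def assess(manifest):
    """Return risk findings for one manifest; an empty list means nothing notable."""
    if manifest.get("_parse_error"):
        return ["unparseable manifest"]
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV3 puts host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    if hosts & BROAD_HOST_PATTERNS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOST_PATTERNS)))
    # A content script matched on every page can read the DOM of any meeting UI.
    if any(set(cs.get("matches", [])) & BROAD_HOST_PATTERNS
           for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected on all pages")
    return findings


def triage_profile(profile_dir):
    """Map 'id@version' -> {name, findings} for every extension with findings."""
    report = {}
    for ext_id, version, manifest in load_manifests(profile_dir):
        findings = assess(manifest)
        if findings:
            report[f"{ext_id}@{version}"] = {"name": manifest.get("name", "?"),
                                             "findings": findings}
    return report


def build_sample_profile():
    """Constructed profile with two fake extensions (example data only)."""
    root = tempfile.mkdtemp(prefix="profile-")
    fixtures = {
        ("aaaabbbbccccddddeeeeffffgggghhhh", "1.4.2"): {
            "manifest_version": 3, "name": "Meeting Helper (fake)",
            "permissions": ["cookies", "webRequest", "storage"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}],
        },
        ("iiiijjjjkkkkllllmmmmnnnnoooopppp", "0.9.0"): {
            "manifest_version": 3, "name": "Dark Theme (fake)",
            "permissions": ["storage"],
        },
    }
    for (ext_id, version), manifest in fixtures.items():
        d = os.path.join(root, "Extensions", ext_id, version)
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for key, info in triage_profile(build_sample_profile()).items():
        print(key, info["name"])
        for finding in info["findings"]:
            print("   -", finding)
```

On a live host, point `triage_profile` at the real profile (for Chrome on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default`) and treat the output as a lead list, not a verdict: many legitimate extensions request broad permissions, so the flagged IDs still need to be checked against the store listing and against the profile's `Preferences` file, which records where each extension was installed from.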
Sunken Ships: Will Orgs Learn From Ivanti EPMM Attacks? — New analysis revisits Ivanti EPMM compromise patterns and the downstream investigative challenges created by device-management tooling that can yield broad visibility when abused. (01-01-2026) [AMER]. For cyber investigations, this matters because mobile device management and certificate injection scenarios complicate attribution and timeline reconstruction, requiring deeper inspection of proxy logs, certificate stores, and device enrolment histories. (Source: Dark Reading, 01-01-2026).
Major Cyber Incidents
Clop tied to Korean Air vendor breach — Reporting indicates a vendor-linked breach affecting Korean Air data, underscoring the recurring pattern of third-party compromise driving enterprise exposure. (01-01-2026) [APAC]. This matters operationally because incident containment and notification depend on quickly validating vendor access paths, scoping shared data sets, and coordinating remediation SLAs, all while attackers exploit ambiguity in supplier responsibility. (Source: BankInfoSecurity, 01-01-2026).
New York-based fashion maker claimed by Russia-linked hackers — A ransomware group claimed to have targeted Esquire Brands and exfiltrated data, reflecting continued pressure on consumer-facing supply chains and retail-adjacent manufacturers. (02-01-2026) [AMER]. The business impact is that double-extortion threats force organisations to align incident response, legal, and customer communications rapidly, while ensuring forensics and containment do not compromise evidentiary integrity. (Source: Cybernews, 02-01-2026).
Exploits & Threat Intelligence
IBM API Connect authentication bypass (CVE-2025-13915) disclosed — IBM warned that API Connect is affected by a critical authentication bypass (CVSS 9.8) that could allow remote, unauthenticated access where exposed and unpatched. (02-01-2026) [AMER]. This matters because API gateways sit on high-value trust boundaries, so rapid patching and compensating controls (WAF rules, network isolation, access review) are essential to prevent systemic downstream compromise. (Source: IBM, 02-01-2026).
MongoBleed exposure grows as PoC circulates (CVE-2025-14847) — A public proof-of-concept increased the practical risk for MongoBleed, with reporting highlighting large numbers of exposed MongoDB instances and the possibility of memory disclosure without authentication. (30-12-2025) [GLOBAL]. For threat teams, this matters because exposed databases can leak credentials and keys that enable lateral movement, so internet-facing inventory, patch verification, and access restriction should be treated as urgent. (Source: TechRadar, 30-12-2025).
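As an added example of the "access restriction" check this item calls for (this is editorial code, not from TechRadar or from MongoDB), the script below audits a `mongod.conf` for the two settings that decide whether an instance is reachable and whether a reader needs credentials: `net.bindIp` / `net.bindIpAll` and `security.authorization`. It parses only the two-level `section:` / `  key: value` shape mongod.conf uses, so it needs no YAML library. Both configurations are constructed for the example; the IP addresses are placeholders. A version check against the fixed releases for CVE-2025-14847 is deliberately left out because the fixed versions are not stated on this page, so patch verification still has to be done against the vendor advisory.

```python
"""Audit a mongod.conf for network exposure and missing authentication."""
import ipaddress

# Constructed "just make it work" config: listens everywhere, no security section.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface
"""

# Constructed hardened config: loopback plus one internal interface, auth on.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.5   # placeholder internal address
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Return {section: {key: value}} for the two-level layout mongod.conf uses."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf


def classify_bind_addresses(net):
    """Return (listens_on_all_interfaces, non_loopback_addresses) for a net section."""
    if net.get("bindIpAll", "false").lower() == "true":
        return True, []
    # mongod has defaulted to localhost-only since 3.6 when bindIp is absent.
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",") if a.strip()]
    non_loopback = []
    for a in addrs:
        if a in ("0.0.0.0", "::"):
            return True, []
        try:
            if not ipaddress.ip_address(a).is_loopback:
                non_loopback.append(a)
        except ValueError:
            non_loopback.append(a)  # hostname or socket path: cannot judge, so report it
    return False, non_loopback


def audit_mongod_conf(text):
    """Return findings, most severe first; an empty list means nothing to report."""
    conf = parse_mongod_conf(text)
    listens_on_all, non_loopback = classify_bind_addresses(conf.get("net", {}))
    auth_enabled = (conf.get("security", {}).get("authorization", "disabled")
                    .lower() == "enabled")
    findings = []
    if listens_on_all and not auth_enabled:
        findings.append("CRITICAL: listens on all interfaces and security.authorization "
                        "is not enabled")
    if listens_on_all:
        findings.append("WARN: net.bindIp/bindIpAll exposes mongod on every interface")
    if not auth_enabled:
        findings.append("WARN: security.authorization is not 'enabled'; "
                        "unauthenticated clients are accepted")
    for a in non_loopback:
        findings.append(f"INFO: net.bindIp includes non-loopback address {a}; "
                        "confirm it is not internet-routable")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod_conf(conf) or ["no findings"])
```

Binding to an internal address is necessary but not sufficient: the INFO finding on the hardened config is there because a host firewall or cloud security group can still forward that address, so the audit output should be reconciled with the external attack-surface scan rather than closing the ticket on the config file alone.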
Law Enforcement
Two cybersecurity professionals plead guilty as BlackCat affiliates — US authorities secured guilty pleas from two individuals described as cybersecurity professionals who admitted to acting as ransomware affiliates in attacks that sought multi-million dollar extortion payments. (30-12-2025) [AMER]. The enforcement signal is that insider-enabled or “moonlighting” crime will attract sustained scrutiny, and organisations should strengthen monitoring, access governance, and conflict-of-interest controls for privileged technical roles. (Source: BankInfoSecurity, 30-12-2025).
US DoJ indictments target malware-based ATM jackpotting network — US prosecutors charged dozens of alleged gang members in a case describing malware-driven ATM “jackpotting” and associated laundering activity across a multi-jurisdictional network. (02-01-2026) [AMER]. This matters because ATM malware investigations depend on correlating physical intrusion, endpoint artefacts, and cash-out patterns, and the case underscores the convergence of cyber, organised crime, and terrorism-financing risk. (Source: HS Today, 02-01-2026).
Policy
China cybersecurity law amendments take effect — Compliance briefings note China’s amended Cybersecurity Law taking effect on 01-01-2026, alongside tighter cross-border data transfer expectations and enforcement posture. (01-01-2026) [APAC]. This matters because multinational organisations will need clearer data localisation controls, stronger supplier assurances, and faster incident escalation paths to reduce regulatory exposure when handling China-linked systems and personal data flows. (Source: VinciWorks, 01-01-2026).
Hong Kong critical infrastructure ordinance goes live — Legal analysis highlights Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance coming into effect on 01-01-2026, including incident notification expectations for designated operators. (01-01-2026) [APAC]. The practical impact is that regulated entities must formalise cyber governance, reporting playbooks, and vendor oversight, because enforcement risk increases when incident notification and operational security requirements become mandatory. (Source: Slaughter and May, 01-01-2026).
Standards & Compliance
EU CER Directive: national strategy deadline approaches — The European Commission reiterates that Member States must adopt a national strategy and complete a risk assessment for critical entities by 17-01-2026 under the CER Directive. (02-01-2026) [EMEA]. This matters for compliance leaders because it drives near-term governance, reporting, and resilience-control uplift across regulated sectors, and will influence procurement, assurance, and supervisory expectations ahead of national implementation actions. (Source: European Commission, 02-01-2026).
UK NCSC launches new sanitisation assurance service — The UK NCSC states it will launch a new Sanitisation Service Assurance delivered by Cyber Resilience Test Facilities on 05-01-2026, expanding formal assurance options for data sanitisation. (02-01-2026) [EMEA]. For organisations with sensitive data handling obligations, this matters because assured sanitisation supports defensible disposal and decommissioning practices, reducing residual-data risk that can trigger regulatory and contractual exposure. (Source: NCSC, 02-01-2026).
Consumer App Data Leaks
Manage My Health issues breach clarification update — Manage My Health published further factual clarification about an unauthorised access incident as forensic work and containment steps continue for the patient-portal service. (02-01-2026) [APAC]. This matters because consumer-facing healthcare platforms concentrate identifiers and clinical context, so breach scope, third-party access review, and notification quality directly affect fraud risk, patient trust, and regulatory scrutiny. (Source: Manage My Health, 02-01-2026).
Scoop republishes MMH breach update and timeline — A parallel publication of the Manage My Health update reiterates timeline details and the commitment to verified communications while investigations and stakeholder notifications progress. (02-01-2026) [APAC]. The operational takeaway is that consistent, source-of-truth communications reduce misinformation risk and support user protective actions (credential resets, monitoring), while preserving investigative integrity and avoiding contradictory statements across channels. (Source: Scoop, 02-01-2026).
Editorial Perspective
The opening days of 2026 reinforce a familiar operational truth: compromise velocity is outpacing organisational decision velocity. When API gateways and internet-facing databases become immediate exploit magnets, patch latency and exposure management translate directly into breach probability.
At the same time, the human layer continues to fracture in both directions—criminal ecosystems recruit technical insiders, while consumer-facing platforms struggle to communicate clearly under forensic uncertainty. Investigators should assume evidence will be distributed across identity, browser, and third-party telemetry, not confined to classic endpoint artefacts.
Policy and compliance deadlines are also converging, particularly across APAC and Europe, meaning that incident response now carries sharper regulatory consequences and shorter reporting tolerances. The practical posture for leaders is to bind vulnerability management, supplier assurance, and crisis communications into one rehearsed operating model.
Reference Reading
- IBM Security Bulletin: Authentication bypass in IBM API Connect (CVE-2025-13915)
- CISA: Known Exploited Vulnerabilities (KEV) Catalog
- Manage My Health: Cyber breach update (January 2026)
- European Commission: Critical infrastructure resilience at EU level (CER)
- UK NCSC: Sanitisation Assurance (CAS-S) information for buyers
- TechRadar: MongoBleed (CVE-2025-14847) exposure and PoC impact
Tags
DFIR, Cybersecurity News, Threat Intelligence, Ransomware, Law Enforcement, Cyber Policy, Compliance, Vulnerability Management, Data Breach, APAC, EMEA, AMER
