Friday, March 13 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-02-28 00:00 to 2026-03-02 00:00 (UTC)

Snapshot Summary

Sector / Section           | Headline Highlights                                             | Count
DFIR & Incident Response   | Ivanti malware hunt; Juniper router takeover                    | 2
Cyber Investigations       | Hacktivist claims tracked; cyber-prevent metrics                | 2
Major Cyber Incidents      | Iran app defacement; Hawaii breach details                      | 2
Exploits & Threat Intel    | AI-agent takeover bug; ransomware economics shift               | 2
Law Enforcement            | Cyber Prevent outcomes; cross-border collaboration focus        | 2
Policy                     | Retaliation risk guidance; energy-sector vigilance              | 2
Standards & Compliance     | Data classification guidance; regulated reporting reminders     | 2
Consumer App Data Leaks    | Health-record exposure; user-data breach notices                | 2

Digital Forensics & Incident Response

CISA refreshes RESURGE indicators for Ivanti device hunting — [AMER] CISA-backed guidance highlights that RESURGE can sit dormant on Ivanti Connect Secure devices and urges responders to use updated IoCs to identify and eradicate infections across fleets, including edge appliances that may be outside normal EDR coverage. This matters to DFIR teams because dormant edge-resident malware complicates scoping, log retention, and re-imaging decisions, and it reinforces the need for appliance-specific acquisition, time-bounded retro-hunting, and validation of remediation with network-side telemetry. (Source: BleepingComputer, 28-02-2026)
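The "time-bounded retro-hunt" the item calls for is simple to express as code: load the advisory's indicators, parse the appliance's exported log, keep only records inside a window that starts at the earliest plausible exposure date, and report every indicator match with its timestamp and host. The block below is an added illustration written for this roundup; it is not CISA, Ivanti or any vendor's tooling. The log lines, the indicator set and the window are constructed for the example (none of the values are real RESURGE indicators), and a real hunt would load the indicators from the current advisory and point at the device's own export format.

```python
"""Time-bounded IoC retro-hunt over an exported appliance log.

Added illustration for this roundup, not CISA, Ivanti or vendor code. The
log lines, the indicator set and the hunt window are all constructed for
the example; a real hunt loads the indicators from the current advisory.
"""
import re
from datetime import datetime, timezone

# Constructed syslog-style export from a hypothetical edge appliance "ics01".
# None of these values are real RESURGE indicators.
SAMPLE_LOGS = """\
2026-01-05T03:00:00Z ics01 web: GET /index.cgi src=198.51.100.23
2026-02-20T09:14:02Z ics01 web: GET /index.cgi src=198.51.100.23
2026-02-27T22:41:10Z ics01 fs: modified /tmp/example_implant.so sha256=1111111111111111111111111111111111111111111111111111111111111111
2026-02-28T01:00:00Z ics01 web: GET /index.cgi src=192.0.2.10
"""

# Constructed indicator set, keyed by indicator type.
IOCS = {
    "ip": {"198.51.100.23"},
    "sha256": {"1" * 64},
    "path": {"/tmp/example_implant.so"},
}

# Hunt window [START, END). Start it at the earliest plausible exposure
# date, not at the beginning of whatever retention happens to remain.
START = datetime(2026, 2, 15, tzinfo=timezone.utc)
END = datetime(2026, 3, 2, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "path": re.compile(r"(?<!\S)/[\w./-]+"),
}


def parse_line(line):
    """Split one log line into timestamp, host, process and message."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def retro_hunt(log_text, iocs, start, end):
    """Return (hits, unparsed): every indicator match inside [start, end),
    plus the count of lines the parser could not read."""
    hits = []
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # report these; silently dropped lines hide evidence
            continue
        if not (start <= rec["ts"] < end):
            continue
        for kind, pattern in PATTERNS.items():
            for value in set(pattern.findall(rec["msg"])) & iocs.get(kind, set()):
                hits.append({"ts": rec["ts"], "host": rec["host"],
                             "kind": kind, "value": value, "line": line})
    return hits, unparsed


def run_example():
    hits, _ = retro_hunt(SAMPLE_LOGS, IOCS, START, END)
    return hits


if __name__ == "__main__":
    for h in run_example():
        print(f"{h['ts'].isoformat()} {h['host']} {h['kind']}={h['value']}")
```

On the constructed input the January sighting of the indicator IP falls outside the window and is dropped, while the February connection and the implant path plus hash on the 27th are returned as three hits. The unparsed counter matters on appliances: if an export format change makes half the lines unreadable, a hunt that stays silent about it will report a clean device.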

Critical Juniper PTX flaw enables full router takeover — [AMER] Juniper disclosed a critical PTX Series router vulnerability that could allow a full device takeover, increasing urgency for network and incident response teams supporting ISPs and large enterprises where these routers sit in core and peering roles. This matters operationally because compromised routing infrastructure can undermine evidence integrity (traffic redirection, covert exfiltration, log tampering) and demands playbooks that include control-plane forensics, config-baseline diffing, and rapid patch/rollback coordination with network engineering. (Source: BleepingComputer, 28-02-2026)
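The "config-baseline diffing" the item recommends is worth showing concretely, because on routers the changes an intruder makes (a new local account, a dropped syslog destination, a weakened authentication order, a static route that quietly redirects a prefix) are each a single statement that a plain text diff buries among cosmetic edits. The block below is an added illustration for this roundup, not Juniper tooling; the two configs are constructed and only loosely modelled on the line-per-statement "set" style, and the severity rules are an assumption about what a responder would triage first.

```python
"""Config-baseline diff for line-per-statement ("set"-style) router configs.

Added illustration for this roundup, not Juniper code; the two configs are
constructed and only loosely modelled on set-style syntax. A baseline
captured at a known-good time, diffed against the config pulled during
response, makes routing, logging and account changes visible at once.
"""
import re

# Constructed known-good baseline (captured before the incident window).
BASELINE = """\
set system host-name core-rtr1
set system login user netops class super-user
set system syslog host 192.0.2.50 any any
set system authentication-order [ radius password ]
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set protocols bgp group peers neighbor 198.51.100.1 peer-as 64500
"""

# Constructed config as pulled from the device during response.
CURRENT_CONFIG = """\
# pulled 2026-02-28
set system host-name core-rtr1
set system login user netops class super-user
set system login user svc-backup class super-user
set system authentication-order [ password ]
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set routing-options static route 203.0.113.0/24 next-hop 198.51.100.99
set protocols bgp group peers neighbor 198.51.100.1 peer-as 64500
set interfaces ge-0/0/0 description "uplink"
"""

# Assumed triage rules: statement prefixes that matter most in a takeover.
RULES = [
    (re.compile(r"^set system login user "), "high", "local account change"),
    (re.compile(r"^set system syslog "), "high", "logging destination change"),
    (re.compile(r"^set system authentication-order"), "high", "authentication order change"),
    (re.compile(r"^set routing-options static route "), "high", "static route change (possible redirection)"),
    (re.compile(r"^set protocols bgp "), "medium", "BGP change"),
]
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def normalise(text):
    """One statement per line; drop comments, blanks and stray whitespace."""
    lines = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lines.add(" ".join(line.split()))  # collapse internal whitespace
    return lines


def classify(line):
    for pattern, severity, reason in RULES:
        if pattern.match(line):
            return severity, reason
    return "low", "other"


def diff_config(baseline_text, current_text):
    """Return added (+) and removed (-) statements tagged by severity, highest first."""
    baseline, current = normalise(baseline_text), normalise(current_text)
    findings = []
    for line in current - baseline:
        severity, reason = classify(line)
        findings.append({"change": "+", "line": line, "severity": severity, "reason": reason})
    for line in baseline - current:
        severity, reason = classify(line)
        findings.append({"change": "-", "line": line, "severity": severity, "reason": reason})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["change"], f["line"]))
    return findings


def run_example():
    return diff_config(BASELINE, CURRENT_CONFIG)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f['severity']:6}] {f['change']} {f['line']}  ({f['reason']})")
```

Against the constructed pair the diff surfaces five high-severity findings (a new super-user account, the syslog destination removed, RADIUS dropped from the authentication order, and a new static route) ahead of the harmless interface description. Two practical caveats: pull the "current" config from the device over an out-of-band path, since a compromised control plane can serve a clean copy, and store baselines with a hash and timestamp so the diff itself is defensible evidence.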

Cyber Investigations

Sophos tracks hacktivist claims amid U.S.–Israel–Iran escalation — [EMEA] Sophos notes that on 28 February 2026 a hacktivist persona linked to Iran’s MOIS claimed attacks in Jordan and issued threats to additional countries, while cautioning that such actors often exaggerate impact but sometimes execute destructive activity. This matters for investigators because claim-validation workflows (victim confirmation, artifact correlation, and IOC matching) reduce misattribution risk during geopolitical crises, and help prioritize real intrusions over influence operations that can flood SOC and LE tip lines. (Source: Sophos, 02-03-2026)

UK NCA publishes Cyber Prevent reoffending read-out — [EMEA] The UK National Crime Agency released a programme-wide descriptive read-out on Cyber Prevent aimed at reducing cybercrime reoffending, providing a snapshot of feasibility and early outcomes to inform operational learning and casework planning. This matters for cyber investigators because prevention metrics influence resource allocation (referrals, offender management, and partnership interventions) and can shape how agencies triage repeat offenders, build evidential timelines, and coordinate disruption alongside prosecutions. (Source: National Crime Agency, 27-02-2026)

Major Cyber Incidents

Cyber operations hit Iranian apps and sites following strikes — [EMEA] Reuters reported that cyber-enabled operations targeted Iranian digital services alongside the U.S.–Israeli strikes, including hacks affecting websites and the BadeSaba religious app, while observers tracked sharp drops in Iranian internet connectivity during the same window. This matters to incident responders and IR leads because it signals elevated spillover and retaliation risk, making rapid hardening of public-facing services, DDoS readiness, and credential-abuse monitoring critical for organizations with geopolitical exposure or regional users. (Source: Reuters, 01-03-2026)

University of Hawaiʻi Cancer Center breach details expand — [AMER] The University of Hawaiʻi disclosed that a ransomware-related incident at its Cancer Center exposed Social Security numbers for up to 1.15 million people, adding detail to an event the institution previously reported to lawmakers. This matters because healthcare DFIR teams must plan for dual-track response (clinical continuity plus identity exposure), and the scale of SSN impact elevates evidence-preservation, notification timing, and third-party review of access logs and backups as core investigative priorities. (Source: Civil Beat, 28-02-2026)

Exploits & Threat Intelligence

“ClawJacked” flaw lets malicious sites hijack OpenClaw AI agents — [AMER] Researchers disclosed a high-severity issue in the OpenClaw AI agent that could allow a malicious website to brute-force access to a locally running instance and take control, with a fix released in OpenClaw version 2026.2.26. This matters for threat intel and defenders because local-agent takeover expands the browser-to-endpoint attack surface, so organizations should treat agent endpoints as privileged services, enforce loopback authentication, and add detection for unusual local RPC activity and tool-invocation abuse paths. (Source: BleepingComputer, 01-03-2026)
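The defensive posture the item sketches (treat the agent endpoint as a privileged service, authenticate on loopback, watch for abuse) reduces to three controls at the request-authorisation boundary: refuse browser contexts the operator never allowlisted, use a token with enough entropy that brute force is infeasible and compare it in constant time, and keep a failure lockout as a backstop. The block below is an added illustration for this roundup showing those controls together; it is not OpenClaw's code or a description of its fix, and the origin, port, token and source values are constructed.

```python
"""Hardening a loopback-bound agent endpoint against browser-driven brute force.

Added illustration for this roundup, not OpenClaw's code or its fix. Three
controls close the browser-to-local-service path the item describes: an
Origin allowlist, a high-entropy token compared in constant time, and a
failure lockout as a backstop. Names, ports and tokens are constructed.
"""
import hmac
import secrets
import time
from collections import defaultdict


class LocalGateway:
    def __init__(self, token, allowed_origins=(), max_failures=5,
                 lockout_seconds=60, clock=time.monotonic):
        self._token = token.encode()
        self._allowed_origins = set(allowed_origins)
        self._max_failures = max_failures
        self._lockout = lockout_seconds
        self._clock = clock  # injectable so lockout can be tested without sleeping
        self._failures = defaultdict(list)  # source -> timestamps of recent failures

    @staticmethod
    def new_token():
        # 256 bits of entropy: unguessable even at localhost request rates.
        return secrets.token_urlsafe(32)

    def _recent_failures(self, source, now):
        recent = [t for t in self._failures[source] if now - t < self._lockout]
        self._failures[source] = recent
        return len(recent)

    def authorize(self, origin, presented_token, source):
        """Return (allowed, reason). `origin` is the request's Origin header, or
        None when the client is not a browser (the agent's own CLI, curl)."""
        now = self._clock()
        # 1. A browser context that was never allowlisted is refused before the
        #    token is examined, so a malicious page cannot use the victim's
        #    browser as a proxy for guessing against the local service.
        if origin is not None and origin not in self._allowed_origins:
            return False, "origin_not_allowed"
        # 2. Lockout backstop: too many recent failures from this source.
        if self._recent_failures(source, now) >= self._max_failures:
            return False, "locked_out"
        # 3. Constant-time comparison; a plain == leaks match length via timing.
        if presented_token is not None and hmac.compare_digest(
                presented_token.encode(), self._token):
            self._failures.pop(source, None)
            return True, "ok"
        self._failures[source].append(now)
        return False, "bad_token"


def run_example():
    """Walk through the cases a responder would want to see handled."""
    clock = [0.0]
    gw = LocalGateway(token="constructed-example-token",
                      allowed_origins={"http://127.0.0.1:4040"},  # constructed
                      max_failures=3, lockout_seconds=60, clock=lambda: clock[0])
    results = {}
    # Malicious page guessing via the browser: refused on origin alone.
    results["evil_origin"] = gw.authorize("https://evil.example", "guess-1", "127.0.0.1")[1]
    # Non-browser client guessing wrong three times.
    results["wrong_token"] = [gw.authorize(None, f"guess-{i}", "127.0.0.1")[1] for i in range(3)]
    # Even the correct token is refused while the source is locked out.
    results["locked_even_correct"] = gw.authorize(None, "constructed-example-token", "127.0.0.1")[1]
    clock[0] += 61  # lockout window elapses
    results["after_window"] = gw.authorize(None, "constructed-example-token", "127.0.0.1")[1]
    # Allowlisted browser origin with the right token.
    results["allowed_origin"] = gw.authorize("http://127.0.0.1:4040", "constructed-example-token", "127.0.0.1")[1]
    return results


if __name__ == "__main__":
    for name, outcome in run_example().items():
        print(f"{name}: {outcome}")
```

One caveat on the lockout: on a loopback service every client shares the peer address 127.0.0.1, so keying failures on the address alone lets a hostile page lock out the legitimate local client. Key on a client identity where the protocol offers one, and treat the lockout as a backstop behind the origin check and token entropy, which are the controls doing the real work. The `bad_token` and `origin_not_allowed` outcomes are also exactly the events to log for the "unusual local RPC activity" detection the item mentions.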

Chainalysis: ransomware payments dip while attack volume rises — [AMER] Infosecurity Magazine reports Chainalysis findings showing overall ransomware payments declined (the report cites an 8% drop) even as attack counts surged, alongside a rise in median payment size that suggests polarization between opportunistic and high-value extortion. This matters to DFIR and incident leadership because response strategy increasingly hinges on segmenting actor maturity (data theft-only vs. full encryption), modelling negotiation risk, and evidence-backed decisioning that aligns containment and recovery timelines with evolving extortion economics. (Source: Infosecurity Magazine, 02-03-2026)

Law Enforcement

UK NCA shares Cyber Prevent reoffending feasibility findings — [EMEA] The National Crime Agency published its first programme-wide descriptive reoffending read-out for Cyber Prevent, designed to test feasibility and provide an initial view of outcomes for interventions intended to stop cyber offenders returning to crime. This matters to law enforcement and partners because it informs how diversion and offender-management pathways can complement arrests, shaping referral thresholds, evidential monitoring, and multi-agency safeguarding when suspects sit below prosecution thresholds but still pose material cyber risk. (Source: National Crime Agency, 27-02-2026)

Europol spotlights cross-border “Allies” exercise outcomes — [EMEA] Europol described its February 2026 “Allies” exercise focused on cross-border cooperation and interoperability to pursue targets across Europe, reinforcing operational collaboration patterns relevant to cyber-enabled investigations and digital evidence workflows. This matters for cybercrime casework because joint exercises pressure-test real-world frictions—lawful access processes, evidence handling, and coordinated takedown timing—helping agencies and private-sector responders anticipate what data and preservation steps are most useful when incidents escalate into multinational investigations. (Source: Europol, 23-02-2026)

Policy

Middle East escalation drives heightened cyber-retaliation posture — [EMEA] Reuters reporting on cyber activity alongside U.S.–Israeli strikes on Iran underscores an active and fast-moving cyber dimension, with experts warning that additional retaliatory operations against U.S. and Israeli targets could follow. This matters for policy and risk leaders because it supports raising threat levels, accelerating patch and credential hygiene, and updating crisis comms and third-party dependencies (especially telecom and SaaS) to reduce blast radius if geopolitically motivated disruptions spill into civilian critical infrastructure. (Source: Reuters, 01-03-2026)

Nordic energy sector urged to increase cyber vigilance — [EMEA] Reuters reported Sweden’s signals intelligence agency urging higher security levels for the energy sector amid regional concern following a cyberattack on Polish infrastructure, while noting no specific immediate threat. This matters for policy implementers because sector-wide vigilance measures (logging mandates, incident drills, and supplier assurance) often become the “new baseline,” and DFIR leaders should align their readiness with regulatory expectations that can tighten quickly during cross-border infrastructure scares. (Source: Reuters, 26-02-2026)

Standards & Compliance

NIST highlights practical data-classification implementation guidance — [AMER] NIST’s NCCoE published guidance on data classification practices to help organizations discover, identify, and label unstructured data so that protection controls can be applied consistently across environments where sensitive content spreads quickly. This matters for compliance and eDiscovery because disciplined classification improves breach scoping and notification accuracy, reduces over-collection during forensics, and supports defensible retention and access-control decisions when organizations must evidence that “reasonable security” controls were applied to regulated datasets. (Source: NIST CSRC, 12-02-2026)

Exploited FileZen bug drives compliance-tied patch urgency — [APAC] Help Net Security reports CISA ordering mitigations for an actively exploited FileZen command injection vulnerability (CVE-2026-25108), while Japan’s CERT (JPCERT/CC) notes the product’s file-monitoring features may provide logs that help validate compromise and response actions. This matters for regulated environments because exploited perimeter software often triggers audit questions around patch SLAs, exception handling, and evidence of due diligence, so teams should document detection steps, upgrade timelines, and post-remediation verification to meet internal control and external assurance requirements. (Source: Help Net Security, 25-02-2026)

Consumer App Data Leaks

UH Cancer Center breach exposes SSNs at scale — [AMER] Civil Beat reports the University of Hawaiʻi Cancer Center said a ransomware incident exposed Social Security numbers for up to 1.15 million people, affecting patients and others whose data was present in systems tied to clinical and administrative workflows. This matters to consumer-privacy responders because SSN exposure materially elevates identity risk, making fraud monitoring, identity protection offerings, and careful timing of notifications essential, while forensic teams must preserve logs, confirm exfiltration pathways, and validate what records were accessible. (Source: Civil Beat, 28-02-2026)

Substack notifies users of breach involving contact details — [AMER] BleepingComputer reports newsletter platform Substack notified users of a data breach involving stolen email addresses and phone numbers, an exposure pattern that commonly fuels credential stuffing, SIM-swap attempts, and targeted phishing of creators and subscribers. This matters for consumer app incident response because contact-data leaks propagate quickly into downstream fraud ecosystems, so organizations should accelerate abuse monitoring, require stronger MFA options, and provide clear, actionable guidance that helps users recognize takeover attempts and reduce recoverability risks tied to phone numbers. (Source: BleepingComputer, 05-02-2026)

Editorial Perspective

This cycle reinforced a familiar truth: the most consequential incidents still hinge on edge exposure and geopolitical volatility, where defenders may have minutes—not days—to separate real compromise from noise.

As AI agents and locally running automation tools spread, “browser-to-local-service” becomes a practical intrusion path, and DFIR teams should treat agent endpoints like privileged middleware with explicit authentication, telemetry, and hardening requirements.

Finally, ransomware economics shifting alongside large-scale identity exposure underscores that response maturity is now measured by evidence-driven decisioning—fast scoping, defensible notifications, and recovery execution that can withstand regulatory and legal scrutiny.

Tags

DFIR, Incident Response, Ransomware, Threat Intelligence, CVE, Ivanti, Juniper, Hacktivism, Critical Infrastructure, Data Breach, Healthcare Security, Cyber Policy
