Tuesday, January 6 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2025-12-29 00:00 to 2025-12-31 23:59 (UTC)

Snapshot Summary

Sector / Section            | Headline Highlights                                                        | Count
----------------------------|---------------------------------------------------------------------------|------
DFIR & Incident Response    | Ransomware “chaos” playbook; IR resourcing strain                        | 2
Cyber Investigations        | Mustang Panda rootkit; EmEditor supply-chain infostealer                  | 2
Major Cyber Incidents       | ESA breach confirmation; Korean Air Oracle EBS impact                     | 2
Exploits & Threat Intelligence | FortiOS 2FA-bypass re-exploited; MongoDB active exploitation alert     | 2
Law Enforcement             | US DoJ: LexisNexis data theft & extortion charges                         | 1
Policy                      | Cyber insurance market signals; AI governance readiness gap               | 2
Standards & Compliance      | EN/NHS exploitation advisories; Red Hat EUVD-tracked issue update         | 2
Consumer App Data Leaks     | Aflac breach notifications; Wired/Condé Nast records claimed              | 2

Digital Forensics & Incident Response

Help Net Security: “Ransomware’s new playbook is chaos” as tactics and extortion pressure evolve — Help Net Security summarized late-2025 ransomware trends including weekend/holiday timing, expanding extortion tactics, and shifting payment dynamics that complicate response coordination (31-12-2025) [AMER]. For IR teams, the operational takeaway is to harden “thin coverage” periods with pre-approved containment steps, identity telemetry retention, and escalation runbooks that assume fast lateral movement and multi-channel coercion. (Source: Help Net Security, 31-12-2025).

Survey signals security operations strain as executives say cybersecurity outgrew IT — A Help Net Security write-up highlighted leadership concerns that staffing and maintenance workloads reduce time available for monitoring and incident response, increasing exposure during sustained threat conditions (30-12-2025) [EMEA]. For DFIR leaders, this matters because resourcing gaps directly affect dwell time and evidence quality—making disciplined log coverage, automation, and clearly delegated on-call authority core resilience controls rather than “nice-to-haves.” (Source: Help Net Security, 30-12-2025).

Cyber Investigations

Mustang Panda linked to kernel-mode rootkit activity, per Kaspersky reporting — SecurityWeek reported Kaspersky findings that Mustang Panda used a signed driver with shellcode to protect itself and inject ToneShell against Asian targets (30-12-2025) [APAC]. For investigators, kernel-mode tradecraft raises the bar for acquisition and triage: prioritize memory capture, driver inventory, code-signing provenance checks, and EDR telemetry preservation before remediation destroys high-value artifacts. (Source: SecurityWeek, 30-12-2025).

EmEditor supply-chain incident delivered infostealer via manipulated download flow — SecurityWeek described a supply-chain attack where EmEditor’s “Download Now” path could serve a malicious installer during a defined window, enabling infostealer deployment (29-12-2025) [AMER]. For cyber investigations teams, this creates a clear scoping checklist: map software provenance, validate installer signatures and hashes, and correlate outbound credential theft with install timestamps to separate user compromise from enterprise footholds. (Source: SecurityWeek, 29-12-2025).

Major Cyber Incidents

European Space Agency confirms breach and ongoing forensic investigation — SecurityWeek reported ESA confirmed some external science collaboration servers were compromised after an actor claimed theft and offered data for sale, with ESA pursuing forensic investigation and stakeholder notification (31-12-2025) [EMEA]. For responders, the key is containment without evidence loss: isolate exposed collaboration infrastructure, rotate tokens/credentials potentially present in repositories, and preserve access logs and Bitbucket artifacts to support impact analysis and third-party disclosures. (Source: SecurityWeek, 31-12-2025).

Korean Air employee data exposed via Oracle EBS campaign impact at supplier — SecurityWeek reported Korean Air said roughly 30,000 employee records were compromised following a breach at catering supplier KC&D, linked in reporting to the broader Oracle E-Business Suite exploitation campaign (30-12-2025) [APAC]. For DFIR teams, this underscores supplier-path incident handling: validate segmentation claims, demand shared IoCs and timelines, and preserve identity, HR, and finance access trails where employee bank data and payroll processes are at risk. (Source: SecurityWeek, 30-12-2025).

Exploits & Threat Intelligence

Fortinet warns CVE-2020-12812 2FA bypass seeing renewed attacker interest — SecurityWeek reported Fortinet warned a five-year-old FortiOS improper-authentication issue can allow bypass of 2FA in certain LDAP/username-case configurations and is again being exploited (29-12-2025) [AMER]. For defenders, this is a practical exposure-management lesson: legacy edge misconfigurations remain prime entry points, so validate 2FA enforcement behavior, audit auth logs for anomalous case-variant usernames, and align patching with internet-facing asset criticality. (Source: SecurityWeek, 29-12-2025).
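The item above recommends auditing authentication logs for case-variant usernames, since CVE-2020-12812 allowed a second factor to be skipped when a username was entered with different capitalization. The following is an added hunting example written for this roundup; it is not code from Fortinet, SecurityWeek or Digital Forensics Magazine. The log lines are constructed and use an invented key="value" layout rather than real FortiOS fields, so the regular expression is the part to adapt to your own SSL-VPN or identity-provider logs. The logic groups login events by case-folded account name and flags accounts where more than one spelling appears and at least one success was recorded without a second factor.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not real FortiOS output).
# Field names and layout are assumptions made for this example only.
SAMPLE_LOGS = """\
2025-12-29T02:11:04Z user="jsmith" action="login" status="success" mfa="token"
2025-12-29T02:40:19Z user="JSmith" action="login" status="success" mfa="none"
2025-12-29T03:02:51Z user="JSMITH" action="login" status="success" mfa="none"
2025-12-29T09:15:33Z user="alee" action="login" status="success" mfa="token"
2025-12-29T10:20:00Z user="alee" action="login" status="failure" mfa="none"
2025-12-30T22:47:12Z user="mgarcia" action="login" status="success" mfa="token"
"""

# Matches the constructed layout above; replace with a pattern for your log source.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user="(?P<user>[^"]+)" action="(?P<action>[^"]+)" '
    r'status="(?P<status>[^"]+)" mfa="(?P<mfa>[^"]+)"$'
)


def parse_log(text):
    """Return one dict per parseable line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_case_variant_logins(events):
    """Group login events by case-folded username.

    An account is reported when (a) it was logged in under more than one
    spelling and (b) at least one of those logins succeeded with no second
    factor recorded. Either condition alone is noisy; together they match
    the bypass pattern the advisory describes.
    """
    by_account = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            by_account[e["user"].casefold()].append(e)

    findings = {}
    for account, evs in by_account.items():
        spellings = sorted({e["user"] for e in evs})
        no_mfa_success = [
            e for e in evs if e["status"] == "success" and e["mfa"] == "none"
        ]
        if len(spellings) > 1 and no_mfa_success:
            findings[account] = {
                "spellings": spellings,
                "no_mfa_success": [(e["ts"], e["user"]) for e in no_mfa_success],
            }
    return findings


def hunt(text=SAMPLE_LOGS):
    """Convenience wrapper: parse then analyse."""
    return find_case_variant_logins(parse_log(text))


if __name__ == "__main__":
    for account, f in hunt().items():
        print(f"{account}: spellings={f['spellings']} "
              f"no-MFA successes={f['no_mfa_success']}")
```

On the constructed sample only the jsmith account is reported: three spellings, two of which logged in successfully without a token. The alee account appears with a single spelling and its no-MFA event is a failure, so it is correctly ignored. Treating the two conditions jointly keeps the result list short enough to review by hand during a triage window.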

NHS England cyber alert flags MongoDB CVE-2025-14847 active exploitation risk — NHS England’s National CSOC published an alert warning CVE-2025-14847 (“MongoBleed”) could allow remote extraction of secrets/credentials from MongoDB and assessed further exploitation as highly likely (30-12-2025) [EMEA]. For threat intel and IR teams, this matters because memory-disclosure can silently compromise downstream systems—prompting urgent patching, credential rotation, and rapid hunting for anomalous auth token use and unusual MongoDB traffic patterns. (Source: NHS England, 30-12-2025).

Law Enforcement

US DoJ: tech executive charged in LexisNexis data theft and extortion scheme — The US Department of Justice announced charges alleging theft of LexisNexis customer data and attempted extortion tied to the compromised dataset (31-12-2025) [AMER]. For investigators and eDiscovery teams, the case highlights the evidentiary value of access logs, privileged account audits, and communications preservation when proving data-exfiltration intent and mapping insider-enabled abuse paths. (Source: U.S. Department of Justice, 31-12-2025).

No additional credible updates in the last 72h.

Policy

Infosecurity Magazine reviews 2025 cyber insurance market pressures and compliance expectations — Infosecurity Magazine published a 2025 market overview describing softer pricing alongside continued pressure on controls, reporting, and compliance evidence in underwriting and renewals (31-12-2025) [EMEA]. For security leaders, this is policy-adjacent reality: insurance-driven control validation increasingly shapes incident reporting timelines, tabletop cadence, and documentation quality—often becoming a forcing function for measurable resilience. (Source: Infosecurity Magazine, 31-12-2025).

AI governance readiness gap grows as enterprises report “shadow AI” and rising AI-enabled threats — Help Net Security summarized reporting that many organizations lack visibility into most AI tool usage and feel unprepared for AI-driven attacks, widening the governance and oversight gap (30-12-2025) [AMER]. For cyber programs, the implication is immediate policy work: define acceptable-use and data-handling rules for genAI, instrument telemetry for AI SaaS access, and ensure incident response can trace prompts, plugins, and data flows during investigations. (Source: Help Net Security, 30-12-2025).

Standards & Compliance

NHS England guidance provides remediation anchors for MongoDB CVE-2025-14847 — NHS England’s alert listed affected MongoDB versions and pointed organizations to definitive remediation sources, framing the issue as active exploitation with high likelihood of further abuse (30-12-2025) [EMEA]. For compliance owners, such national advisories provide defensible justification for emergency change windows, compensating controls, and credential-rotation documentation when audit trails must explain accelerated patch SLAs. (Source: NHS England, 30-12-2025).

Red Hat updates CVE record tracked via EUVD (EUVD-2025-55182) — Red Hat’s CVE entry shows an update timestamp within the window and references EUVD tracking for CVE-2025-55182, supporting coordinated vulnerability communication across vendors and ecosystem consumers (30-12-2025) [EMEA]. For governance teams, vendor CVE record updates are practical compliance triggers: re-check affected-product inventories, refresh risk acceptances, and ensure patch evidence aligns with the latest advisory state rather than stale severity assumptions. (Source: Red Hat, 30-12-2025).

Consumer App Data Leaks

Aflac notifies ~22.65M individuals after June 2025 intrusion review — SecurityWeek reported Aflac began notifying impacted individuals after concluding its review, with exposed data including identifiers and health/insurance information while noting ransomware encryption was not deployed (29-12-2025) [AMER]. For breach-response teams, the lesson is disclosure-ready evidence discipline: document scoping methods, preserve impacted-file access trails, and align consumer notifications with verifiable data categories to reduce regulatory and litigation risk. (Source: SecurityWeek, 29-12-2025).

Wired subscriber data leak expands with claims of broader Condé Nast records theft — SecurityWeek reported an actor released millions of Wired subscriber records and threatened additional Condé Nast data, with analysis pointing to access control weaknesses as a plausible exposure path (29-12-2025) [AMER]. For practitioners, this reinforces consumer-data leak playbooks: validate authorization controls (IDOR/broken access control), rotate affected credentials/tokens, and preserve web/app logs to support rapid user notification and containment. (Source: SecurityWeek, 29-12-2025).

Editorial Perspective

This 48-hour window highlights a recurring operational reality: attackers optimize for timing (weekends/holidays) and leverage both “new” and “old” weaknesses to create response chaos.

The ESA and Oracle EBS-linked impacts show why incident response must treat external collaboration and supplier ecosystems as first-class environments for logging, token hygiene, and rapid isolation.

Meanwhile, renewed exploitation of legacy edge flaws (like FortiOS 2FA bypass conditions) reinforces that configuration validation and exposure management often matter more than novelty in vulnerability news.

Finally, enforcement actions and insurance dynamics continue to raise the stakes for evidence quality—DFIR teams that can prove timelines, scope, and control effectiveness will move faster through recovery, disclosure, and post-incident scrutiny.

Tags

DFIR, Incident Response, Ransomware, Supply Chain, APT, Mustang Panda, Kernel Rootkit, Oracle EBS, ESA, MongoDB, CVE-2025-14847, Fortinet, CVE-2020-12812, Law Enforcement, Cyber Insurance, Data Breach
