Wednesday, November 5 2025
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 03-11-2025 to 05-11-2025 (UTC)

Snapshot Summary

Sector / Section | Headline Highlights | Count
--- | --- | ---
DFIR & Incident Response | OpenOffice disputes ransomware claim; Cargo theft campaign uses RATs; SesameOp backdoor hides C2 via AI API | 3
Cyber Investigations | Europe probes fake crypto platforms; Poland details multi-target hacking wave | 2
Major Cyber Incidents | Japan’s Askul confirms data leak; Sweden’s Miljodata breach impacts millions; Balancer DeFi exploit tops $100M | 3
Exploits & Threat Intelligence | WordPress Post SMTP actively exploited; Android November bulletin fixes critical RCE; CISA ships new ICS advisories | 3
Law Enforcement | Europol’s Operation Chargeback hits fraud/money-laundering rings; 9 arrested over fake crypto platforms | 2
Policy | ENISA runs BlueOLEx crisis exec exercise; EDPB holds 111th plenary; ICO consults on enforcement procedural guidance | 3
Standards & Compliance | CISA adds two new KEVs; Android Nov 2025 patch levels; IETF advances TLS Extended Key Update draft | 3

Digital Forensics & Incident Response

Apache OpenOffice disputes Akira ransomware data-breach claim — The Apache Software Foundation said there is no evidence of compromise after threat actors claimed to have stolen 23 GB of OpenOffice documents (04-11-2025) [Global]. DFIR teams should verify such claims against their own telemetry and check whether any published samples actually match internal files before treating them as confirmed breaches, to avoid unnecessary incident escalation (Source: BleepingComputer, 04-11-2025).

Cargo thieves hack transport firms to hijack shipments — Researchers reported criminals using RATs and compromised load-board accounts to reroute goods and steal physical cargo (05-11-2025) [AMER]. Incident responders should watch for broker account takeovers and enforce MFA, session hygiene, and EDR detections tied to remote tooling in logistics environments (Source: SecurityWeek, 05-11-2025).

“SesameOp” backdoor abuses AI API for covert C2 — A threat actor used the OpenAI Assistants API and chained web shells to persist for months inside victim networks (05-11-2025) [Global]. DFIR teams should add API usage telemetry to egress monitoring and hunt for anomalous AI-service traffic as part of lateral movement and C2 triage (Source: SecurityWeek, 05-11-2025).
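The hunt suggested above, as an added example rather than code from the roundup or from the SesameOp research: it reads a CSV export of egress telemetry (the column layout, the AI API domain list, the approved browser processes and the server host-name prefixes are all assumptions) and flags AI-service connections that come from server-class hosts, from unexpected client processes, or at a polling-loop cadence. The sample telemetry is constructed.

```python
"""Hunt egress telemetry for anomalous AI-service API traffic (added example).

Assumed input: a CSV export from a proxy/EDR network feed with the columns
ts,host,process,dst,bytes_out. The domain list, approved clients and host
naming convention are placeholders for an organisation's own values.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumptions, not facts from the article: which domains count as AI-service
# APIs, which client processes are expected to reach them, and which host-name
# prefixes denote servers (a server polling an AI API is the pattern to hunt).
AI_API_DOMAINS = {"api.openai.com", "api.anthropic.com"}
APPROVED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SERVER_PREFIXES = ("WEB-", "SRV-", "DB-")

# Constructed sample telemetry for the demo; not real captured data.
SAMPLE_LOG = """ts,host,process,dst,bytes_out
2025-11-04T09:01:12Z,WS-0123,chrome.exe,api.openai.com,2310
2025-11-04T09:14:45Z,WS-0123,chrome.exe,api.openai.com,1890
2025-11-04T10:37:03Z,WS-0123,chrome.exe,api.openai.com,2775
2025-11-04T09:00:00Z,WEB-02,w3wp.exe,api.openai.com,612
2025-11-04T09:02:30Z,WEB-02,w3wp.exe,cdn.example.com,4400
2025-11-04T09:05:00Z,WEB-02,w3wp.exe,api.openai.com,604
2025-11-04T09:10:01Z,WEB-02,w3wp.exe,api.openai.com,618
2025-11-04T09:15:00Z,WEB-02,w3wp.exe,api.openai.com,609
2025-11-04T09:20:00Z,WEB-02,w3wp.exe,api.openai.com,611
2025-11-04T11:20:11Z,SRV-FILE01,powershell.exe,api.openai.com,15200
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_periodic(times, min_events=4, max_cv=0.05):
    """True when the gaps between consecutive connections are near-constant,
    i.e. the traffic looks like a polling loop rather than a human session."""
    if len(times) < min_events:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def hunt(log_text):
    """Return one finding per (host, process, AI domain) tuple that trips a rule."""
    sessions = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst"] not in AI_API_DOMAINS:
            continue
        key = (row["host"], row["process"], row["dst"])
        sessions[key].append((parse_ts(row["ts"]), int(row["bytes_out"])))

    findings = []
    for (host, proc, dst), events in sessions.items():
        events.sort()
        times = [t for t, _ in events]
        reasons = []
        if host.startswith(SERVER_PREFIXES):
            reasons.append("server-class host reaching AI API")
        if proc.lower() not in APPROVED_CLIENTS:
            reasons.append(f"unexpected client process {proc}")
        if is_periodic(times):
            reasons.append("beacon-like cadence")
        if reasons:
            findings.append({
                "host": host, "process": proc, "dst": dst,
                "connections": len(events),
                "bytes_out": sum(b for _, b in events),
                "reasons": reasons,
            })
    # Most rules tripped first; ties keep insertion order.
    return sorted(findings, key=lambda f: -len(f["reasons"]))


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

On the sample, the workstation browsing to the API from Chrome produces no finding, while the web server's worker process polling every five minutes trips all three rules. The cadence check is deliberately strict (coefficient of variation under 5%); loosen it if the implant adds jitter, and pair it with byte-count thresholds, since tasking traffic is small and steady while exfiltration is not.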

Cyber Investigations

Europe cracks ring behind fake crypto platforms; nine arrested — Authorities across Europe dismantled infrastructure used to lure victims into sham trading portals and seized assets tied to the fraud (05-11-2025) [EMEA]. Investigators should correlate domain registrations, payment flows, and platform hosting footprints to link affiliate sites and accelerate victim notification (Source: The Record, 05-11-2025).

Poland details multi-target hacking wave against finance and services — Government officials outlined recent intrusions hitting a loan platform, a mobile payments system, and a travel agency amid rising regional threat activity (05-11-2025) [EMEA]. Casework should prioritize cross-sector IOCs and third-party risk mapping, as shared suppliers and integrations appear central to intrusion chains (Source: The Record, 05-11-2025).

Major Cyber Incidents

Japanese retailer Askul confirms data leak after cyberattack — Askul said attackers accessed corporate data following a recent breach claimed by a Russia-linked group (03-11-2025) [APAC]. Retail and supply chain defenders should review partner access and enforce segmentation to limit exfiltration paths (Source: The Record, 03-11-2025).

Data breach at Swedish software supplier impacts millions — Sweden’s privacy authority opened an investigation into IT supplier Miljodata after a breach exposed sensitive data affecting up to 15 million users (05-11-2025) [EMEA]. Organizations relying on sector software should assess vendor incident notifications and rotate credentials/API keys integrated with affected platforms (Source: BleepingComputer, 05-11-2025).

Balancer DeFi exploit drains over $100M — Attackers abused protocol vulnerabilities and liquidity routes to siphon funds from the Balancer ecosystem (04-11-2025) [Global]. Incident responders in crypto/fintech should coordinate with chain analytics to trace flows and implement rapid governance/contract mitigations (Source: The Record, 04-11-2025).

Exploits & Threat Intelligence

Active exploitation: Post SMTP WordPress plugin hijacks admin accounts — Threat actors are taking over WordPress sites via a critical flaw in the Post SMTP plugin used on 400,000+ installations (04-11-2025) [Global]. Web ops should patch immediately, audit admin users, rotate credentials, and check logs for suspicious email routing and plugin modifications (Source: BleepingComputer, 04-11-2025).
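The "audit admin users" step above, as an added example that is not part of the roundup or of the Post SMTP project: it takes the JSON that wp-cli emits for `wp user list --role=administrator --format=json`, compares it with a known-good administrator baseline (an assumption), and flags accounts outside that baseline, registered inside the exploitation window, or using a non-corporate address, then emits wp-cli containment commands for an operator to review. The export and the baseline are constructed.

```python
"""Audit WordPress administrator accounts after a plugin-driven takeover (added example).

Assumed input: the JSON produced by
  wp user list --role=administrator --format=json
which carries ID, user_login, display_name, user_email, user_registered, roles.
The baseline admin set, corporate mail domain and the start of the exploitation
window are placeholders for the site's own values.
"""
import json
from datetime import datetime

# Assumptions, not facts from the article.
BASELINE_ADMINS = {"siteowner", "ops-wp"}
CORPORATE_DOMAIN = "example.org"
SUSPECT_SINCE = datetime(2025, 10, 28)

# Constructed sample export for the demo; not real site data.
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "display_name": "Site Owner",
     "user_email": "owner@example.org",
     "user_registered": "2021-03-02 10:11:12", "roles": "administrator"},
    {"ID": 7, "user_login": "ops-wp", "display_name": "Ops",
     "user_email": "ops@example.org",
     "user_registered": "2023-06-14 08:00:00", "roles": "administrator"},
    {"ID": 1043, "user_login": "wp_support_admin", "display_name": "Support",
     "user_email": "support@mail-relay.invalid",
     "user_registered": "2025-11-02 03:14:09", "roles": "administrator"},
    {"ID": 1044, "user_login": "jdoe", "display_name": "J. Doe",
     "user_email": "jdoe@example.org",
     "user_registered": "2025-11-03 08:00:00", "roles": "administrator,editor"},
])


def audit_admins(export_json, baseline=BASELINE_ADMINS,
                 since=SUSPECT_SINCE, domain=CORPORATE_DOMAIN):
    """Return flagged administrator accounts with the reasons they were flagged."""
    findings = []
    for user in json.loads(export_json):
        if "administrator" not in user["roles"].split(","):
            continue
        reasons = []
        if user["user_login"] not in baseline:
            reasons.append("not in admin baseline")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            reasons.append("registered inside exploitation window")
        if not user["user_email"].lower().endswith("@" + domain):
            reasons.append("non-corporate e-mail address")
        if reasons:
            findings.append({"id": user["ID"], "login": user["user_login"],
                             "email": user["user_email"], "reasons": reasons})
    return findings


def remediation_commands(findings):
    """wp-cli commands to kill sessions and demote each flagged account,
    for an operator to review before running (preserve evidence first)."""
    commands = []
    for f in findings:
        commands.append(f"wp user session destroy {f['login']} --all")
        commands.append(f"wp user set-role {f['login']} subscriber")
    return commands


if __name__ == "__main__":
    flagged = audit_admins(SAMPLE_EXPORT)
    for f in flagged:
        print(f)
    print("\n".join(remediation_commands(flagged)))
```

A legitimate administrator added during the window (the `jdoe` record) is still flagged; that is intended, because the point of the audit is to force a human to confirm every privileged account created while the flaw was exploitable, not to guess. Run it before patching so the export reflects the compromised state, and keep the output with the incident record.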

Android November 2025 security bulletin fixes critical RCE — Google published patches addressing a critical remote code execution flaw in the System component and other high-severity issues (03-11-2025) [Global]. Mobile fleet managers should require the 2025-11-01 or 2025-11-05 security patch level and verify OEM rollout timelines for at-risk devices (Source: Android Security Bulletin, 03-11-2025).

CISA issues five new ICS advisories (Fuji Electric, Survision, Delta, Radiometrics, IDIS) — U.S. CISA released multiple ICS advisories covering vulnerabilities across HMI/visualization and embedded systems used in industrial environments (04-11-2025) [AMER]. OT defenders should review vendor-specific mitigations and update asset SBOMs to track affected versions in production (Source: CISA, 04-11-2025).

Law Enforcement

Operation “Chargeback” targets card fraud & laundering networks — Europol coordinated an action day against three major networks impacting 4.3 million cardholders with estimated €300M damages (04-11-2025) [EMEA]. DFIR teams in financial services should ingest seized IOC sets and strengthen fraud analytics for mule accounts and synthetic IDs (Source: Europol, 04-11-2025).

Nine suspects arrested over fake cryptocurrency investment platforms — European authorities arrested suspects and took down infrastructure used to trick investors via bogus trading sites (05-11-2025) [EMEA]. SOCs should block associated domains and pivot on hosting/registrar overlaps to preempt copycat spin-ups (Source: The Record, 05-11-2025).

Policy

ENISA runs BlueOLEx 2025 executive cyber-crisis exercise — EU executives and the Commission tested cross-border communication and decision-making under a complex cyber crisis scenario (04-11-2025) [EMEA]. Public and private sector leaders should validate their crisis playbooks, cross-jurisdiction escalation paths, and media coordination (Source: ENISA, 04-11-2025).

EDPB holds 111th plenary meeting — The European Data Protection Board convened its latest plenary session outlining upcoming agenda items and coordination priorities (04-11-2025) [EMEA]. Privacy officers should watch for forthcoming guidance that can shift DPIA thresholds, international transfer practices, and enforcement focus (Source: EDPB, 04-11-2025).

UK ICO consults on enforcement procedural guidance — The ICO opened consultation on draft guidance detailing investigation and penalty processes under UK GDPR/DPA 2018 and PECR (31-10-2025; noted 04-11-2025) [EMEA]. Compliance teams should review proposed procedures and prepare for potential changes to timelines and evidence expectations (Source: ICO, 31-10-2025).

Standards & Compliance

CISA adds two vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog — CISA updated KEV with actively exploited CVEs and urged prioritized remediation by U.S. federal agencies and critical infrastructure (04-11-2025) [AMER]. Security leads should map KEVs to internal asset inventories and enforce SLA-driven patching and compensating controls (Source: CISA, 04-11-2025).
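The "map KEVs to internal asset inventories" advice above, as an added example that is neither the roundup's nor CISA's code: it joins KEV-style records (using the catalog feed's real field names: cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) to an inventory of vendor/product per host with scanner-confirmed open CVEs, and ranks the result by CISA's due date. The inventory format is an assumption and both data sets are constructed; the CVE identifiers are placeholders, not real catalog entries.

```python
"""Join KEV catalog entries to an asset inventory and rank by due date (added example).

Assumed inputs: the JSON shape CISA publishes for the KEV catalog (a top-level
"vulnerabilities" list with cveID, vendorProject, product, dateAdded, dueDate and
knownRansomwareCampaignUse) and an internal inventory that records each asset's
vendor/product plus scanner-confirmed open CVEs. The inventory format is an assumption.
"""
import json
from datetime import date

# Constructed KEV-style records for the demo. The CVE IDs are placeholders,
# not real catalog entries.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dateAdded": "2025-11-04", "dueDate": "2025-11-25",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Portal",
     "dateAdded": "2025-10-01", "dueDate": "2025-10-22",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherCo", "product": "Agent",
     "dateAdded": "2025-11-04", "dueDate": "2025-11-25",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory (assumed format): vendor/product per host and the CVEs a
# scanner still reports open. An empty list means the scanner sees nothing open.
SAMPLE_ASSETS = [
    {"host": "vpn-gw-01", "vendorProject": "ExampleVendor", "product": "Gateway",
     "open_cves": ["CVE-0000-0001"]},
    {"host": "portal-02", "vendorProject": "ExampleVendor", "product": "Portal",
     "open_cves": ["CVE-0000-0002"]},
    {"host": "ws-0455", "vendorProject": "OtherCo", "product": "Agent",
     "open_cves": []},
]


def kev_exposure(kev_json, assets, today):
    """Map every KEV entry to the assets running that vendor/product.

    Scanner-confirmed CVEs are reported as confirmed exposure; a product match
    with no scanner hit is still listed so someone verifies the installed version.
    Overdue items (past CISA's dueDate) sort first, then soonest due, then entries
    with known ransomware use and confirmed exposure ahead of the rest.
    """
    by_product = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault((entry["vendorProject"], entry["product"]), []).append(entry)

    report = []
    for asset in assets:
        for entry in by_product.get((asset["vendorProject"], asset["product"]), []):
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            report.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "confirmed": entry["cveID"] in asset["open_cves"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    return sorted(report, key=lambda r: (r["days_left"], not r["ransomware"], not r["confirmed"]))


if __name__ == "__main__":
    for row in kev_exposure(SAMPLE_KEV, SAMPLE_ASSETS, date(2025, 11, 5)):
        print(row)
```

The join is on vendor/product rather than on CVE alone so that hosts the scanner has not yet assessed still surface for version verification; an organisation's own SLA can be layered on by comparing `dateAdded` plus its internal window against `today` in the same place `dueDate` is used.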

Android November 2025 patch levels published (2025-11-01 / 2025-11-05) — Google detailed fixes for critical and high-severity issues across supported Android versions and partners (03-11-2025) [Global]. MDM policies should require current patch strings and verify OEM cadence for handset models in regulated environments (Source: Android Security Bulletin, 03-11-2025).

IETF updates TLS Extended Key Update draft — The TLS working group advanced an Internet-Draft proposing an extended key update that performs a fresh key exchange inside an established connection, so long-lived TLS 1.3 sessions gain forward secrecy for traffic sent after the update without a full re-handshake (the protocol's built-in KeyUpdate only derives new keys from the existing secret) (02-11-2025) [Global]. Standards watchers should assess impacts on session rekey strategies and forward secrecy in high-throughput services (Source: IETF Datatracker, 02-11-2025).

Editorial Perspective

This cycle underscores three realities: threat actors continue to blend cyber and physical crime (cargo hijacking), adversaries are experimenting with novel C2 paths (AI API abuse), and high-impact incidents persist across retail, software supply, and DeFi.

For leaders, that means doubling down on patch governance tied to KEV/ASB, tightening third-party access, and rehearsing executive-level crisis comms as ENISA’s BlueOLEx scenario highlights.

Operationally, prioritize rapid fixes for actively exploited plugins, enforce Android November patch levels, and add API telemetry (including AI services) to your egress monitoring and hunting playbooks.

Tags

DFIR, Cybersecurity News, Threat Intelligence, Ransomware, Law Enforcement, Compliance, EU CRA
