Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| DFIR & Incident Response | KEV growth drives patch triage; Aviation outage response lessons | 2 |
| Cyber Investigations | Honeypot profiles extortion actor; IAB links breach clusters | 2 |
| Major Cyber Incidents | ISP breach claim review; Automaker disruption quantified; VPN leak claim disputed | 3 |
| Exploits & Threat Intelligence | AI UI takeover risk; Domain spoofing via routing; Range extender root exposure; Public-sector threat pressure | 4 |
| Law Enforcement | Account-hacking guilty plea; “Digital arrest” scam arrests | 2 |
| Policy | UK resilience push; California data broker controls; EU rule enforcement tightening | 3 |
| Standards & Compliance | CSF 2.0 draft deadline; Checklist standard draft; CRA evidence expectations | 3 |
| Consumer App Data Leaks | Payment processor spill hits customers; Agency breach spans years | 2 |
Digital Forensics & Incident Response
CISA’s KEV catalog grew to 1,480+ entries after 245 additions in 2025 — U.S. CISA reported its Known Exploited Vulnerabilities catalog expanded about 20% in 2025, reinforcing exploit-confirmed patching as the most defensible prioritization signal (05-01-2026) [AMER]. DFIR and IR teams can use KEV alignment to justify emergency change windows, tighten compensating controls where patching lags, and structure after-action reviews around exploit exposure, not generic severity scores. (Source: SecurityWeek, 05-01-2026).
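One way to turn "KEV alignment" into a repeatable triage step is to join scanner findings against the catalog feed and rank exploit-confirmed items ahead of anything ranked only by CVSS. The script below is an added example, not CISA's or SecurityWeek's code; it assumes the catalog has been fetched as JSON in the shape CISA publishes (a top-level `vulnerabilities` list whose entries carry `cveID`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse`), and every CVE identifier and finding in it is a constructed placeholder.

```python
"""Exploit-confirmed patch triage against the CISA KEV catalog (added example)."""
import json
from datetime import date

# Constructed subset of a KEV feed. CVE IDs are placeholders, not real entries.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "dateAdded": "2025-12-20", "dueDate": "2026-01-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "MailRelay",
         "dateAdded": "2026-01-02", "dueDate": "2026-01-23", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: one finding per asset/CVE pair with its CVSS base score.
SCAN_FINDINGS = [
    {"asset": "vpn-01", "cve": "CVE-0000-0001", "cvss": 7.2},
    {"asset": "mail-02", "cve": "CVE-0000-0002", "cvss": 6.5},
    {"asset": "web-03", "cve": "CVE-0000-0003", "cvss": 9.8},  # critical CVSS, but no confirmed exploitation
    {"asset": "db-04", "cve": "CVE-0000-0004", "cvss": 5.0},
]


def load_kev(raw: str) -> dict:
    """Index the KEV feed by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def triage(findings, kev, today_iso: str):
    """Rank findings for a change window.

    Order: KEV entries past their federal due date, then remaining KEV entries
    (ransomware-linked first, earliest due date first), then everything else by
    CVSS. Each result carries a tier and a human-readable reason for the ticket.
    """
    today = date.fromisoformat(today_iso)
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry:
            due = date.fromisoformat(entry["dueDate"])
            overdue = due < today
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
            tier = "P0-overdue" if overdue else "P1-kev"
            reason = f"in KEV since {entry['dateAdded']}, due {entry['dueDate']}"
            if ransomware:
                reason += ", known ransomware use"
            key = (0, 0 if overdue else 1, 0 if ransomware else 1, due.toordinal(), -f["cvss"])
        else:
            tier = "P2-unconfirmed"
            reason = f"not in KEV; CVSS {f['cvss']}"
            key = (1, 0, 0, 0, -f["cvss"])
        ranked.append((key, {**f, "tier": tier, "reason": reason}))
    ranked.sort(key=lambda item: item[0])
    return [r for _, r in ranked]


if __name__ == "__main__":
    for row in triage(SCAN_FINDINGS, load_kev(KEV_JSON), "2026-01-12"):
        print(f"{row['tier']:<15} {row['asset']:<8} {row['cve']}  {row['reason']}")
```

The point of the ordering is that the 9.8 finding lands in the third tier: without evidence of exploitation it competes on severity alone, while the 7.2 finding that is both exploited and past its due date opens the list. The `reason` string is what goes into the emergency-change ticket and the after-action review.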
Greece says nationwide aviation communications outage is unlikely to be cyber — Greek officials said a radio communications failure that grounded flights was unlikely to be a cyberattack while investigations continued into technical and operational causes (05-01-2026) [EMEA]. For incident responders, the case underscores running parallel “cyber vs. safety/operations” evidence tracks—preserving logs and telemetry, maintaining chain-of-custody, and avoiding premature attribution that can misdirect containment and external communications. (Source: SecurityWeek, 05-01-2026).
Cyber Investigations
Honeypot operation observed actors tied to “Scattered Lapsus$ Hunters” — Researchers said a controlled honeypot “breach” lured attackers and captured infrastructure and behavior artifacts associated with the Scattered Lapsus$ Hunters persona (06-01-2026) [AMER]. Investigators can translate this telemetry into attribution-quality indicators, strengthen intrusion-chain reconstruction, and produce court-ready reporting by correlating observed tooling, hosting choices, and exfil patterns with victim-side logs. (Source: SecurityWeek, 06-01-2026).
Report links dozens of breaches to a single initial access broker using infostealers — A report described an initial access broker alleged to have leveraged infostealer-derived credentials to compromise many organizations across multiple sectors and geographies (06-01-2026) [EMEA]. This matters because “valid account” intrusions often evade perimeter defenses; investigation teams should correlate stealer log exposure with SSO and VPN telemetry, accelerate credential resets and MFA hardening, and hunt for persistence on identity infrastructure. (Source: SecurityWeek, 06-01-2026).
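The correlation described above (stealer-log exposure against SSO and VPN telemetry) can be scripted so that every exposed account is queued for a reset and any post-exposure sign-in from an unfamiliar source, or without MFA, is surfaced for investigation. This is an added example, not code from the report or SecurityWeek; it assumes an exposure feed listing user, target host and the date the credential was first seen in stealer logs, plus an SSO log in a simple key=value line format. Both datasets below are constructed, with TEST-NET addresses.

```python
"""Correlate infostealer-exposed accounts with sign-in telemetry (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed exposure feed: accounts whose credentials appeared in stealer logs.
EXPOSED = [
    {"user": "alice", "host": "sso.corp.example", "seen": "2026-01-03"},
    {"user": "bob", "host": "vpn.corp.example", "seen": "2026-01-05"},
]

# Constructed SSO log lines (assumed format, one event per line).
SSO_LOG = """\
2026-01-02T08:00:00Z user=alice src=203.0.113.10 result=success mfa=true
2026-01-01T09:15:00Z user=bob src=203.0.113.20 result=success mfa=true
2026-01-04T02:41:00Z user=alice src=198.51.100.7 result=success mfa=false
2026-01-05T02:50:00Z user=alice src=198.51.100.7 result=failure mfa=false
2026-01-06T10:00:00Z user=bob src=203.0.113.20 result=success mfa=true
2026-01-06T11:00:00Z user=carol src=198.51.100.9 result=success mfa=false
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+) mfa=(\S+)$")


def parse_log(text: str) -> list:
    """Parse the assumed key=value log format into event dicts with aware timestamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected shape
        ts, user, src, result, mfa = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "src": src, "result": result, "mfa": mfa == "true",
        })
    return events


def correlate(exposed: list, events: list):
    """Return (flagged sign-ins per exposed user, list of accounts needing a reset).

    Baseline = source addresses that succeeded *before* the exposure date.
    A successful sign-in on or after exposure is flagged when it comes from a
    source outside that baseline or completes without MFA.
    """
    exposure = {
        e["user"]: datetime.fromisoformat(e["seen"]).replace(tzinfo=timezone.utc)
        for e in exposed
    }
    baseline = defaultdict(set)
    for ev in events:
        u = ev["user"]
        if u in exposure and ev["result"] == "success" and ev["ts"] < exposure[u]:
            baseline[u].add(ev["src"])

    flagged = defaultdict(list)
    for ev in events:
        u = ev["user"]
        if u not in exposure or ev["result"] != "success" or ev["ts"] < exposure[u]:
            continue
        reasons = []
        if ev["src"] not in baseline[u]:
            reasons.append("new source after exposure")
        if not ev["mfa"]:
            reasons.append("no MFA")
        if reasons:
            flagged[u].append({"ts": ev["ts"].isoformat(), "src": ev["src"], "reasons": reasons})

    # Every exposed credential is reset regardless of whether abuse was observed.
    return dict(flagged), sorted(exposure)


if __name__ == "__main__":
    hits, resets = correlate(EXPOSED, parse_log(SSO_LOG))
    print("reset:", resets)
    for user, evs in hits.items():
        for ev in evs:
            print(f"{user}: {ev['ts']} from {ev['src']} ({', '.join(ev['reasons'])})")
```

Note that bob is reset but not flagged: his only post-exposure sign-in came from a baseline address with MFA, which is exactly the case where a reset without a hunt would be defensible. alice's unfamiliar, MFA-less sign-in the day after exposure is the event that should open an investigation into persistence on the identity tier.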
Major Cyber Incidents
Brightspeed investigates breach and data-theft claims by an extortion gang — U.S. broadband provider Brightspeed said it is investigating alleged breach claims and assessing the scope and authenticity of data purportedly stolen (05-01-2026) [AMER]. ISP incidents carry broad downstream risk—responders should validate customer exposure, monitor for follow-on phishing and SIM-swap abuse, preserve evidence for notifications, and coordinate with partners whose connectivity or identity services depend on the provider. (Source: BleepingComputer, 05-01-2026).
Jaguar Land Rover quantified sustained disruption after a 2025 cyberattack — Jaguar Land Rover reported a 43% drop in quarterly wholesale volumes following a September 2025 cyberattack, showing recovery and production impacts extending into financial reporting (06-01-2026) [EMEA]. For major-incident managers, the lesson is to align recovery objectives with manufacturing and ERP dependencies, track “time-to-ship” as a resilience metric, and ensure crisis communications and insurance evidence reflect operational realities, not just system restoration. (Source: BleepingComputer, 06-01-2026).
NordVPN disputed a breach claim after a threat actor leaked data — NordVPN said it investigated after a hacker leaked data and alleged compromise, disputing the breach narrative and characterizing the exposed material as non-sensitive (06-01-2026) [EMEA]. Even disputed leak events require defensive action: verify credentials in the wild, monitor brand-abuse phishing, and publish clear technical findings so customers and responders can distinguish rumor-driven noise from indicators that warrant containment and fraud controls. (Source: SecurityWeek, 06-01-2026).
Exploits & Threat Intelligence
Open WebUI flaw disclosed with account takeover risk in some deployments — Researchers disclosed a high-severity vulnerability in Open WebUI that could expose users to account takeover depending on how the AI interface is deployed and integrated (07-01-2026) [AMER]. AI front-ends are increasingly enterprise gateways, so defenders should patch quickly, isolate service accounts, enforce least privilege on admin functions, and ensure logging captures user actions and data access for forensic reconstruction if compromise is suspected. (Source: Infosecurity Magazine, 07-01-2026).
Microsoft warns routing misconfigurations are enabling domain spoofing in phishing — Microsoft warned threat actors are exploiting complex routing and misconfigured spoof protections to send phishing that appears internal, including campaigns leveraging phishing-as-a-service tooling (07-01-2026) [AMER]. This matters because “internal-looking” messages bypass human trust checks; SOC teams should validate SPF/DKIM/DMARC enforcement across routes, audit mail exceptions, and add detections for anomalous internal sender patterns and suspicious authentication results. (Source: SecurityWeek, 07-01-2026).
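The detection suggested above, anomalous "internal-looking" senders and suspicious authentication results, can be expressed as a small rule over the Authentication-Results header your own inbound gateway stamps. The script below is an added example, not Microsoft's or SecurityWeek's code; it assumes messages are available as dicts carrying the RFC 5322 From domain and the gateway's Authentication-Results value, and the internal domain and all sample headers are constructed (the header syntax follows RFC 8601).

```python
"""Flag internal-looking mail whose authentication results do not back it up (added example)."""
import re

INTERNAL_DOMAINS = {"corp.example"}  # constructed: the domains users trust on sight

# Constructed inbound messages as seen after the gateway evaluated them.
MESSAGES = [
    {"id": "m1", "from_domain": "corp.example",
     "auth": "mx.corp.example; spf=pass smtp.mailfrom=corp.example; "
             "dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example"},
    {"id": "m2", "from_domain": "corp.example",
     "auth": "mx.corp.example; spf=fail smtp.mailfrom=bulk.example.net; "
             "dkim=none; dmarc=fail header.from=corp.example"},
    {"id": "m3", "from_domain": "corp.example",  # a route or exception skipped DMARC evaluation
     "auth": "mx.corp.example; spf=pass smtp.mailfrom=relay.example.net; dkim=none"},
    {"id": "m4", "from_domain": "partner.example",
     "auth": "mx.corp.example; spf=pass smtp.mailfrom=partner.example; "
             "dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example"},
    {"id": "m5", "from_domain": "corp.example",  # DMARC passed, but for a different From domain
     "auth": "mx.corp.example; spf=pass smtp.mailfrom=corp.example; "
             "dkim=pass header.d=corp.example; dmarc=pass header.from=lookalike.example"},
]

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")


def parse_auth_results(value: str) -> dict:
    """Extract method results (spf/dkim/dmarc) and identity properties from the header value."""
    parsed = {method: result for method, result in RESULT_RE.findall(value)}
    parsed.update({prop: val for prop, val in PROP_RE.findall(value)})
    return parsed


def classify(msg: dict) -> str:
    """Classify one message; only internal-looking senders are scrutinised here."""
    ar = parse_auth_results(msg["auth"])
    if msg["from_domain"] not in INTERNAL_DOMAINS:
        return "external"
    if "dmarc" not in ar:
        return "internal-unevaluated"          # DMARC never ran: audit the route/exception
    if ar["dmarc"] != "pass":
        return "internal-spoof-suspect"        # claims to be us, failed our own policy
    if ar.get("header.from") != msg["from_domain"]:
        return "internal-alignment-mismatch"   # gateway judged a different From than the one displayed
    return "internal-authenticated"


def review(messages: list) -> dict:
    """Map message id to classification for a SOC queue or a scheduled report."""
    return {m["id"]: classify(m) for m in messages}


if __name__ == "__main__":
    for mid, verdict in review(MESSAGES).items():
        print(mid, verdict)
```

The two non-obvious verdicts are the ones worth alerting on. `internal-unevaluated` (m3) is the mail-exception case Microsoft's warning points at: the message never reached DMARC evaluation, so a "pass" is absent rather than earned. `internal-alignment-mismatch` (m5) catches a header that did pass, but for a domain other than the one the user sees, which is what a routing trick looks like in telemetry.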
Totolink EX200 issue can start unauthenticated root Telnet and enable takeover — Researchers reported a flaw that can cause Totolink EX200 devices to start an unauthenticated root-level Telnet service, enabling full compromise of exposed extenders (07-01-2026) [APAC]. Edge and IoT-adjacent devices are common pivots, so security teams should inventory extenders, segment networks, watch for Telnet scanning and brute force, and treat consumer-grade networking in business settings as a high-risk surface needing strict hardening. (Source: SecurityWeek, 07-01-2026).
UK plan to strengthen public-sector cyber defenses signals sustained threat pressure — The UK announced measures to strengthen public-sector cybersecurity and resilience across critical services, reflecting persistent targeting of hospitals, transport, energy, and local government (07-01-2026) [EMEA]. For threat intel and operations teams, the takeaway is to anticipate tightened baselines and reporting expectations, map ransomware playbooks to sector dependencies, and prioritize detections and response readiness for service-provider compromise and OT-adjacent IT intrusion paths. (Source: BleepingComputer, 07-01-2026).
Law Enforcement
U.S. DOJ: Defendant pleaded guilty in fantasy sports/betting account hacking case — U.S. prosecutors announced a guilty plea tied to hacking thousands of accounts at a fantasy sports and betting site and monetizing access to steal funds from victims (06-01-2026) [AMER]. The case shows how credential-stuffing and account takeover become chargeable intrusion chains; organizations should retain auth logs, fraud telemetry, and loss data so incident reports can support prosecution, restitution, and stronger control requirements for high-risk login flows. (Source: U.S. Department of Justice, 06-01-2026).
India: Police arrested suspects in “digital arrest” scam impersonating officials — Police in Lucknow reported arrests linked to a “digital arrest” fraud in which suspects posed as officials and coerced victims into transferring money through mule accounts (07-01-2026) [APAC]. For cybercrime responders, the operational value is recognizing coercion patterns (video calls, WhatsApp, urgency scripts) and integrating mule-account analytics with bank and telecom partners to disrupt funds flow quickly and improve victim safeguarding during live incidents. (Source: Times of India, 07-01-2026).
Policy
UK unveiled a Government Cyber Action Plan alongside debate on resilience legislation — The UK government announced a Government Cyber Action Plan as Parliament debated the Cybersecurity and Resilience Bill, positioning the move as a reset for public-sector security and accountability (06-01-2026) [EMEA]. For cyber leaders, policy-to-operations translation is immediate: expect clearer baseline controls for suppliers, stronger incident-preparedness expectations, and more scrutiny on demonstrable recovery capability, not just preventative tooling and compliance checkboxes. (Source: The Record, 06-01-2026).
California launched a tool to curb data broker collection and resale of personal data — California rolled out a mechanism for consumers to stop data brokers from collecting and selling personal information, with enforcement and penalties tied to non-compliance (06-01-2026) [AMER]. Security and privacy teams should update data maps, broker/vendor inventories, and deletion workflows, ensuring audit-ready proof of fulfillment while building breach response playbooks that include broker-related exposure risks and notification decision support. (Source: Los Angeles Times, 06-01-2026).
EU signaled tougher enforcement of digital rules during 2026 — Reporting indicated the EU is preparing for stronger enforcement of major digital regulations in 2026, increasing pressure on large platforms through competition and transparency obligations (04-01-2026) [EMEA]. For cyber and governance teams, this reinforces convergence between security, transparency, and platform controls; incident communications, evidence retention, and risk registers should anticipate multi-regulator scrutiny spanning cybersecurity posture, integrity, and operational resilience. (Source: Financial Times, 04-01-2026).
Standards & Compliance
NIST noted a CSF 2.0 quick-start draft with comment window through Jan 7, 2026 — NIST highlighted a public comment window running through 07-01-2026 for a CSF 2.0 quick-start guide focused on integrating cybersecurity with enterprise risk management (07-01-2026) [AMER]. For compliance teams, aligning controls and reporting to CSF 2.0 language helps standardize governance evidence, while DFIR programs can map lessons learned and recovery metrics into “outcomes” that boards and auditors can track consistently over time. (Source: NIST, 07-01-2026).
NIST draft SP 800-70 Rev. 5 for security configuration checklists remains open for comment — NIST released a draft update to SP 800-70 (Security Configuration Checklists) and opened a public comment period for the revision (09-12-2025) [AMER]. For defenders, checklist rigor reduces incident-response toil by establishing known-good baselines, speeding triage of “misconfig vs. intrusion,” and improving restoration quality during re-imaging and recovery when time pressure can otherwise introduce drift and hidden risk. (Source: NIST CSRC, 09-12-2025).
Vendor guidance emphasized evidence-driven readiness for the EU Cyber Resilience Act — Red Hat outlined its approach to EU Cyber Resilience Act readiness, emphasizing secure-by-design engineering and alignment with evolving software supply-chain standardization (06-01-2026) [EMEA]. CRA preparation is documentation-heavy in practice, so product security teams should tighten SBOM generation, vulnerability handling SLAs, coordinated disclosure processes, and audit-ready records that demonstrate conformity and timely remediation when regulators or customers request proof. (Source: Red Hat, 06-01-2026).
Consumer App Data Leaks
Ledger said customer data was exposed via third-party payment processor Global-e breach — Ledger said some customer personal data was exposed after hackers breached third-party payment processor Global-e, while Ledger stated its own systems and product security were not compromised (05-01-2026) [EMEA]. Third-party breaches still drive direct fraud risk, so teams should warn users about targeted phishing and SIM-swap attempts, validate vendor incident timelines, and ensure supplier risk programs verify downstream data handling, retention, and breach notification triggers. (Source: BleepingComputer, 05-01-2026).
Illinois DHS disclosed a data breach window spanning multiple years — Illinois’ Department of Human Services reported a prolonged breach period and outlined impacted individuals and exposed information categories as part of its disclosure (06-01-2026) [AMER]. Multi-year dwell time elevates regulatory and legal scrutiny, so responders should reconstruct identity and access history, reassess retention and minimization, and prepare defensible narratives explaining detection gaps, containment steps, and controls implemented to prevent recurrence. (Source: STLPR, 06-01-2026).
Editorial Perspective
Across regions, this cycle reinforces that exploit-confirmed prioritization and identity-focused monitoring remain the quickest path to reducing real-world incident volume.
Policy and standards are also tightening the loop between preparedness and accountability, with public-sector resilience programs and privacy enforcement shaping what “reasonable security” looks like in practice.
For DFIR teams, the most durable advantage comes from evidence discipline—mail routing validation, edge-device inventory, and vendor data-flow mapping—because these are the seams attackers repeatedly exploit and regulators increasingly interrogate.
Reference Reading
- CISA KEV Catalog expansion: implications for patch triage
- Microsoft warning on routing misconfigurations and spoofed phishing
- Brightspeed breach-claim investigation: early incident-response signals
- NIST CSF 2.0 quick-start draft: ERM integration guidance
- UK Government Cyber Action Plan: public-sector resilience direction
- DOJ SDNY account hacking plea: evidentiary takeaways for defenders
Tags
DFIR, incident response, KEV, phishing, email security, account takeover, initial access brokers, ransomware resilience, privacy enforcement, Cyber Resilience Act, configuration baselines, supply chain risk