Tuesday, April 28 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-04-06 00:00 UTC to 2026-04-08 00:00 UTC

Snapshot Summary

Sector / Section                 Headline Highlights                                        Count
DFIR & Incident Response         Iran OT warning; FortiClient hotfix                        2
Cyber Investigations             Die Linke probe; cloud-token breach tracing                2
Major Cyber Incidents            Hospital disruption; Snowflake spillover                   2
Exploits & Threat Intelligence   APT28 DNS hijacks; WordPress exploitation                  2
Law Enforcement                  GRU router takedown; REvil bosses named                    2
Policy                           CSAM legal gap; NIST CI AI profile                         2
Standards & Compliance           EUDI wallet certification; ISO cloud controls draft        2
Consumer App Data Leaks          No additional credible updates                             0

Digital Forensics & Incident Response

[AMER] CISA, FBI and NSA warned on 07-04-2026 that Iranian-affiliated actors are exploiting internet-connected programmable logic controllers across U.S. critical infrastructure, with defenders urged to isolate exposed OT and review controller logic changes. For DFIR teams, this raises immediate need for engineering workstation triage, remote-access validation and preservation of OT logs before adversaries can move from reconnaissance into disruptive manipulation of physical processes (Source: CISA, 07-04-2026).

[APAC] Singapore’s CSA issued an alert on 06-04-2026 covering active exploitation of a critical FortiClient EMS flaw, directing administrators to apply a hotfix immediately and update to the latest release once available. This matters for incident responders because externally reachable management platforms remain a favored foothold for both espionage and ransomware operators, so rapid scoping, credential review and exposed-asset containment should follow patching (Source: CSA Singapore, 06-04-2026).

Cyber Investigations

[EMEA] German political party Die Linke said a serious cyberattack is under criminal investigation after Qilin threatened to publish stolen material, forcing temporary shutdowns of parts of the party’s IT environment on 06-04-2026. The case matters to investigators because it blends extortion, democratic-target risk and potential evidence loss, making rapid legal process, dark-web monitoring and chain-of-custody handling essential for any leaked internal data (Source: The Record, 06-04-2026).

[AMER] Snowflake told BleepingComputer on 07-04-2026 that unusual activity affecting a small number of customer accounts was linked to a third-party integration breach, after stolen authentication tokens were used in broader data-theft attacks. For investigators, the incident underscores how token provenance, SaaS audit trails and integration-level telemetry now sit at the center of cloud breach reconstruction when no direct platform vulnerability is involved (Source: BleepingComputer, 07-04-2026).

Major Cyber Incidents

[AMER] A Massachusetts hospital began diverting ambulances and warning patients of delays after a cyberattack disrupted technology systems, while maintaining inpatient and scheduled emergency care as of 07-04-2026. The incident matters because healthcare outages continue to spill directly into clinical operations, so continuity planning, medical-device dependency mapping and regulator-ready incident documentation remain core response tasks for hospital security teams (Source: The Record, 07-04-2026).

[AMER] More than a dozen organizations were hit in data-theft attacks disclosed on 07-04-2026 after a SaaS integrator was breached and authentication tokens were abused, with many downstream impacts centered on Snowflake-connected environments. For defenders, the case highlights how one upstream compromise can trigger multi-victim cloud incidents at speed, demanding immediate token revocation, third-party trust review and coordinated customer notification workflows (Source: BleepingComputer, 07-04-2026).

Exploits & Threat Intelligence

[EMEA] The UK NCSC published new details on 07-04-2026 showing APT28 has exploited vulnerable routers since 2024 to hijack DNS traffic, enabling adversary-in-the-middle collection of passwords and authentication tokens. This intelligence matters because small-office and home-office network gear remains a weak edge-control layer, so defenders should hunt for malicious resolver changes, unusual VPS destinations and router admin activity tied to credential theft (Source: NCSC, 07-04-2026).

[AMER] BleepingComputer reported on 07-04-2026 that attackers are actively exploiting CVE-2026-0740 in the Ninja Forms File Upload add-on for WordPress, a flaw that allows unauthenticated arbitrary file upload and can lead to remote code execution. The issue matters for threat teams because internet-facing CMS plugins still give opportunistic actors rapid mass-exploitation paths, making version inventory, web-shell hunting and WAF telemetry review high-priority actions (Source: BleepingComputer, 07-04-2026).

Law Enforcement

[AMER] The U.S. Justice Department announced on 07-04-2026 a court-authorized operation to neutralize the U.S. portion of a SOHO router botnet controlled by a Russian military intelligence unit behind DNS hijacking activity. This is significant for practitioners because it shows how technical disruption, private-sector telemetry and judicial process can combine to cut off credential-theft infrastructure before victim remediation is fully complete (Source: U.S. Department of Justice, 07-04-2026).

[EMEA] German federal police publicly identified two Russian nationals as the leaders of the GandCrab and REvil ransomware operations in reporting published on 06-04-2026, tying them to at least 130 extortion cases in Germany. The announcement matters because naming operators sharpens attribution for legacy casework, sanctions screening and victim outreach, while reinforcing that historical ransomware campaigns continue to generate investigative value years after peak activity (Source: BleepingComputer, 06-04-2026).

Policy

[EMEA] The Record reported on 06-04-2026 that major platforms plan to keep scanning for child sexual abuse material in Europe even after the EU legal basis for voluntary scanning expired, creating an immediate policy and compliance fault line. The development matters because organizations operating communications services now face heightened tension between child-safety expectations, ePrivacy constraints and the need for clear statutory authority before large-scale content scanning continues (Source: The Record, 06-04-2026).

[AMER] NIST launched development of an AI RMF Profile for Trustworthy AI in Critical Infrastructure on 07-04-2026, aiming to give operators and suppliers actionable requirements for deploying AI-enabled tools across critical sectors. This matters for cyber leaders because it signals a governance shift from general AI principles toward sector-ready risk management language that procurement, engineering and assurance teams can operationalize together (Source: NIST, 07-04-2026).

Standards & Compliance

[EMEA] ENISA said on 03-04-2026 that it is advancing certification support for European Digital Identity Wallets, with public consultation open through 30-04-2026 and Member States expected to provide at least one certified wallet by end-2026. For compliance teams, this is a concrete signal that identity-wallet assurance will move from policy aspiration to auditable control expectations, affecting procurement, scheme readiness and cross-border digital identity deployments (Source: ENISA, 03-04-2026).

[GLOBAL] ISO/IEC FDIS 27017 moved into final draft approval on 06-04-2026, updating cloud-service security control guidance aligned to ISO/IEC 27002:2022 for both cloud service providers and customers. This matters because organizations mapping cloud assurance programs, contract clauses and shared-responsibility controls now have a near-final benchmark that will influence audits, security baselines and evidence requirements across multinational environments (Source: ISO, 06-04-2026).

Consumer App Data Leaks

No additional credible updates in the last 72h.

Editorial Perspective

This cycle shows how edge devices, third-party integrations and cloud identities continue to collapse traditional boundaries between intrusion, outage and downstream customer impact.

The most actionable pattern for DFIR teams is speed: hotfix windows are shrinking, token abuse is compounding supplier incidents, and public-sector advisories are increasingly pointing at real operational consequences rather than hypothetical risk.

Readers should prioritize exposed-management-plane reviews, router and OT hygiene, and evidence-preserving SaaS response playbooks that assume partners, regulators and law enforcement will all enter the case early.

Tags

DFIR, Incident Response, Threat Intelligence, Ransomware, APT28, OT Security, Cloud Breach, SaaS Security, Law Enforcement, Cyber Policy, Compliance, Digital Identity
