Sunday, October 26 2025
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 06-10-2025 to 08-10-2025 (UTC)

Snapshot Summary

| Sector / Section | Headline Highlights | Count |
| --- | --- | --- |
| DFIR & Incident Response | Teams token theft; GoAnywhere CVE-2025-10035; new ICS advisories | 3 |
| Cyber Investigations | UK nursery arrests; Serbian aviation probe; CERT-In notified bug | 3 |
| Major Cyber Incidents | Asahi ransomware claim; US radiology breach; hospital extortion claim | 3 |
| Exploits & Threat Intelligence | CISA adds 7 KEVs; Oracle EBS critical; Cisco ASA exploitation | 3 |
| Law Enforcement | EU car-theft ring using tech; Eurojust–Europol coordination | 2 |
| Policy | EU ‘Chat Control’ decision looms; US info-sharing law lapse; Fed directive on Cisco | 3 |
| Standards & Compliance | NCSC observability guidance; CISA ICS updates; ACSC Oracle actions | 3 |

Digital Forensics & Incident Response

Microsoft details disruption of Teams-themed session theft by Storm-2372 — Microsoft outlined how attackers abused device code auth flows and Teams chats to capture tokens and hijack sessions (07-10-2025) [Global]. DFIR teams should hunt for anomalous device code prompts and review Teams-related OAuth activity to detect session theft and persistence (Source: Microsoft Security Blog, 07-10-2025).
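The hunt suggested above can be expressed as two simple rules over sign-in telemetry: a device-code sign-in from an address the user has never used with a normal interactive protocol, and several users completing device-code sign-ins from one address inside a short window. The script below is an added example written for this roundup, not code from Microsoft or from the original article; the record field names (`user`, `ip`, `protocol`, `ts`, `app`) and the sample events are constructed assumptions, loosely modelled on identity-provider sign-in log exports, and should be mapped onto whatever your own log schema uses.

```python
"""Hunt for anomalous device-code sign-ins in identity sign-in logs.

Added example for the roundup item above; not Microsoft's code. The record
shape (user, ip, country, protocol, ts, app) is an assumption modelled on a
generic sign-in log export, and every event below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumption: illustrative field names/values).
SAMPLE_SIGNINS = [
    {"ts": "2025-10-07T08:00:00Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "GB", "protocol": "password", "app": "Microsoft Teams"},
    {"ts": "2025-10-07T08:05:00Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "GB", "protocol": "password", "app": "Exchange Online"},
    {"ts": "2025-10-07T09:12:00Z", "user": "alice@example.com", "ip": "198.51.100.77",
     "country": "NL", "protocol": "deviceCode", "app": "Microsoft Office"},
    {"ts": "2025-10-07T09:14:00Z", "user": "bob@example.com", "ip": "198.51.100.77",
     "country": "NL", "protocol": "deviceCode", "app": "Microsoft Office"},
    {"ts": "2025-10-07T09:20:00Z", "user": "carol@example.com", "ip": "198.51.100.77",
     "country": "NL", "protocol": "deviceCode", "app": "Microsoft Office"},
    # Admin who legitimately uses device-code auth from a known workstation.
    {"ts": "2025-10-06T10:00:00Z", "user": "dave@example.com", "ip": "192.0.2.5",
     "country": "GB", "protocol": "password", "app": "Azure Portal"},
    {"ts": "2025-10-07T10:00:00Z", "user": "dave@example.com", "ip": "192.0.2.5",
     "country": "GB", "protocol": "deviceCode", "app": "Azure CLI"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt_device_code(events, cluster_window=timedelta(minutes=30), cluster_min_users=3):
    """Return findings for suspicious device-code sign-ins.

    Rule 1 (device_code_new_ip): the user completed a device-code sign-in from
    an IP never seen for that user with any other protocol in the lookback.
    Rule 2 (device_code_ip_cluster): at least `cluster_min_users` distinct
    users completed device-code sign-ins from the same IP within
    `cluster_window`, a pattern consistent with one operator redeeming many
    phished codes.
    """
    # Baseline: IPs each user has used with non-device-code protocols.
    baseline = defaultdict(set)
    for e in events:
        if e["protocol"] != "deviceCode":
            baseline[e["user"]].add(e["ip"])

    device_code = sorted(
        (e for e in events if e["protocol"] == "deviceCode"),
        key=lambda e: parse_ts(e["ts"]),
    )

    findings = []
    for e in device_code:
        if e["ip"] not in baseline[e["user"]]:
            findings.append({"rule": "device_code_new_ip", "user": e["user"],
                             "ip": e["ip"], "ts": e["ts"], "app": e["app"]})

    by_ip = defaultdict(list)
    for e in device_code:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        # Sliding window over the time-ordered events for this IP.
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:]
                     if parse_ts(x["ts"]) - parse_ts(start["ts"]) <= cluster_window}
            if len(users) >= cluster_min_users:
                findings.append({"rule": "device_code_ip_cluster", "ip": ip,
                                 "users": sorted(users), "ts": start["ts"]})
                break  # one finding per IP is enough for triage
    return findings


if __name__ == "__main__":
    for f in hunt_device_code(SAMPLE_SIGNINS):
        print(f)
```

On the sample data the admin's device-code sign-in from his usual workstation is not flagged, while the three users redeeming codes from one unfamiliar address produce both a per-user and a per-IP finding; the per-IP cluster is the stronger signal for a session-theft campaign and is worth pivoting on first.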

Active exploitation of GoAnywhere MFT CVE-2025-10035 investigated — Microsoft reported real-world exploitation of a critical deserialization flaw in GoAnywhere MFT enabling RCE via forged license responses (06-10-2025) [Global]. IR playbooks should add indicators, review MFT exposure, and validate patch and containment steps for third-party file transfer systems (Source: Microsoft Security Blog, 06-10-2025).

CISA issues two new ICS advisories for OT operators — CISA released updated advisories with vulnerabilities, impact, and mitigations for industrial control products (07-10-2025) [US/Global]. SOC and IR teams supporting OT should validate compensating controls and asset inventories and prioritize vendor fixes in maintenance windows (Source: CISA, 07-10-2025).

Cyber Investigations

Two teenagers arrested over Kido nurseries cyberattack and extortion — Metropolitan Police detained two 17-year-olds after the September breach that exposed data of ~8,000 children and triggered dark-web leaks (07-10-2025) [UK/EU]. The case underlines risks of third-party SaaS in childcare and the need for rapid victim notification and evidence preservation workflows (Source: The Guardian, 07-10-2025).

Serbian aviation agency attack tied to suspected Chinese cyber-espionage — Investigators linked a compromise of Serbia’s aviation authority to state-aligned actors using phishing and backdoors (07-10-2025) [EU/APAC]. Aviation regulators and suppliers should increase telemetry retention and exchange indicators with national CSIRTs due to cross-border targeting (Source: SC Media, 07-10-2025).

Researchers flag sensitive-data exposure in India’s income-tax portal — A security flaw reportedly exposed taxpayer details; researchers notified CERT-In and authorities began remediation (07-10-2025) [India/APAC]. Incident handling with government platforms demands strict coordinated disclosure, legal liaison, and rapid log preservation for root-cause analysis (Source: TechCrunch, 07-10-2025).

Major Cyber Incidents

Qilin group claims data theft against Japan’s Asahi Group — The ransomware outfit posted images and alleged exfiltration of ~27GB after production disruptions at multiple breweries (07-10-2025) [Japan/APAC]. Food & beverage manufacturers should review OT/IT segmentation and supplier access to limit lateral movement and production impact (Source: Reuters, 07-10-2025).

US radiology practice breach impacts over 171,000 individuals — Doctors Imaging Group disclosed theft of PHI/PII from network servers with notification processes underway (08-10-2025) [US/AMER]. Healthcare providers should verify segmentation of imaging systems and strengthen DLP and encryption for stored referrals and reports (Source: SC Media / SecurityWeek brief, 08-10-2025).

Radiant gang claims extortion attempt on unnamed Minnesota hospital — Actors set a 13-10-2025 deadline and threatened to reveal the target’s identity if demands aren’t met (08-10-2025) [US/AMER]. Hospitals should validate ransomware tabletop outcomes and pre-stage patient-care continuity and disclosure plans for extortion-without-encryption events (Source: SC Media brief, 08-10-2025).

Exploits & Threat Intelligence

CISA adds seven vulnerabilities to Known Exploited catalog — The update compels US federal agencies to remediate newly added KEVs on a fixed timeline under BOD 22-01 (06-10-2025) [US/Global]. Enterprise defenders should map asset exposure to the KEV list and prioritize patching to reduce real-world exploitation risk (Source: CISA, 06-10-2025).
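Mapping asset exposure to the KEV list is a join between an asset inventory and the catalogue feed, followed by a ranking that puts internet-exposed and ransomware-linked items first and orders the rest by due date. The script below is an added example for this roundup, not CISA tooling; it keeps the field names of the public KEV JSON feed (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`), but the catalogue content, the asset inventory and the `CVE-PLACEHOLDER-*` identifiers are constructed, and the GoAnywhere entry's due date is a made-up value, not a real catalogue entry.

```python
"""Join an asset inventory against a KEV-style catalogue and rank remediation.

Added example; not CISA's code. Field names follow the public KEV JSON feed,
but the catalogue entries below are constructed (placeholder CVE ids, invented
due dates) and the asset inventory is illustrative.
"""
import json
from collections import defaultdict
from datetime import date

# Constructed catalogue text in the KEV feed shape (assumption: sample only).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-10035", "vendorProject": "Fortra", "product": "GoAnywhere MFT",
         "dueDate": "2025-10-20", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-PLACEHOLDER-1", "vendorProject": "ExampleVendor", "product": "ExampleFirewall",
         "dueDate": "2025-10-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-PLACEHOLDER-2", "vendorProject": "ExampleVendor", "product": "ExampleERP",
         "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed asset inventory export (assumption: illustrative hosts).
ASSETS = [
    {"host": "mft-01", "vendor": "Fortra", "product": "GoAnywhere MFT", "internet_exposed": True},
    {"host": "fw-edge-01", "vendor": "ExampleVendor", "product": "ExampleFirewall", "internet_exposed": True},
    {"host": "erp-app-02", "vendor": "ExampleVendor", "product": "ExampleERP", "internet_exposed": False},
    {"host": "file-srv-03", "vendor": "OtherVendor", "product": "FileShare", "internet_exposed": False},
]


def load_kev(text):
    """Parse a KEV-shaped JSON document and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def normalise(value):
    """Case- and whitespace-insensitive key for vendor/product matching.

    KEV vendor and product strings are free text, so real inventories usually
    need an alias table on top of this; exact matching is a floor, not a ceiling.
    """
    return " ".join(value.lower().split())


def match_assets(assets, kev_entries):
    """Yield (asset, kev_entry) pairs whose vendor and product names match."""
    index = defaultdict(list)
    for entry in kev_entries:
        index[(normalise(entry["vendorProject"]), normalise(entry["product"]))].append(entry)
    for asset in assets:
        for entry in index.get((normalise(asset["vendor"]), normalise(asset["product"])), []):
            yield asset, entry


def prioritise(assets, kev_entries, today):
    """Return matched assets ranked for remediation.

    Ordering: internet-exposed first, then entries with known ransomware use,
    then by days remaining until the catalogue due date (overdue sorts first).
    """
    rows = []
    for asset, entry in match_assets(assets, kev_entries):
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": asset["host"],
            "cve": entry["cveID"],
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "exposed": asset["internet_exposed"],
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        })
    rows.sort(key=lambda r: (not r["exposed"], not r["ransomware"], r["days_left"]))
    return rows


if __name__ == "__main__":
    for row in prioritise(ASSETS, load_kev(KEV_SAMPLE), date(2025, 10, 8)):
        print(row)
```

The unmatched file server drops out of the list, which is the point of running the join against a complete inventory: a KEV entry only matters where the product actually exists, and a missing match is as often an inventory naming gap as genuine absence, so reconcile unmatched vendor strings before trusting a clean result.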

ACSC issues critical alert for Oracle E-Business Suite — Australia’s cyber authority warned organisations to urgently apply Oracle’s guidance for a critical EBS vulnerability (07-10-2025) [Australia/APAC]. ERP teams should assess exposure, apply patches, and conduct compromise assessments using Oracle IoCs to prevent data theft and fraud (Source: ACSC, 07-10-2025).

CERT-FR highlights public exploit code for Cisco ASA/FTD flaws — France’s CERT updated its alert noting public exploit availability for ASA/FTD vulnerabilities impacting VPN/web services (06-10-2025) [France/EU]. Organisations using Cisco edge devices should implement vendor mitigations, hunt for signs of compromise, and restrict management exposure (Source: CERT-FR, 06-10-2025).

Law Enforcement

Europol-supported action dismantles tech-enabled luxury car theft ring — Coordinated searches on 07-10-2025 led to nine arrests across Italy with links to Belgium and Spain, seizing assets and tools (07-10-2025) [EU]. The case shows continued LE focus on organised groups abusing keyless entry/relay devices and cross-border logistics—useful for threat intel mapping (Source: Europol, 07-10-2025).

Eurojust details judicial coordination supporting EU vehicle theft arrests — Eurojust noted judicial assistance enabling arrests and seizures across three Member States tied to more than 100 stolen vehicles (07-10-2025) [EU]. Cross-agency coordination artefacts (MLATs, warrants, evidence sharing) are instructive for corporate liaison teams responding to transnational cyber-enabled crime (Source: Eurojust, 07-10-2025).

Policy

EU Council set to vote on CSAR “Chat Control” with encryption impacts — A 14-10-2025 vote could mandate client-side scanning for CSAM detection, drawing strong criticism from privacy and security experts (06-10-2025) [EU]. DFIR leaders should prepare guidance for clients on lawful access requests and evaluate risks to end-to-end encrypted workflows (Source: CyberScoop, 06-10-2025).

US shutdown curtails CISA operations; information-sharing law lapses — Reporting highlights staff furloughs and expiration of legal protections underpinning public-private cyber threat sharing (02-10-2025) [US]. Organisations relying on US sharing channels should diversify intel sources and reinforce bilateral exchange while monitoring legislative fixes (Source: The Washington Post, 02-10-2025).

CISA emergency directive on potential compromise of Cisco devices — ED 25-03 mandates inventories, reporting, and mitigations for ASA/FTD devices across federal agencies with tight deadlines (25-09-2025) [US]. Even outside US federal scope, similar governance steps (asset discovery, restricted management, rapid patching) offer a strong policy baseline (Source: CISA, 25-09-2025).

Standards & Compliance

UK NCSC CTO urges observability and threat hunting to bolster resilience — NCSC published guidance emphasising telemetry, hypothesis-driven hunting, and measurable outcomes for national cyber resilience (08-10-2025) [UK/EU]. CISOs can align SOC KPIs to this guidance and incorporate logging baselines and hunt plans into compliance evidence (Source: NCSC UK, 08-10-2025).

CISA’s latest ICS advisories outline vendor fixes and mitigations — Updated advisories support regulated sectors’ control assessments and maintenance planning (07-10-2025) [US/Global]. OT compliance programmes (e.g., NIS2, sector codes) should reference these advisories to evidence vulnerability management (Source: CISA, 07-10-2025).

ACSC guidance on Oracle EBS informs audit and remediation tracking — The alert provides steps and expectations that map to access control, patch cadence, and incident logging requirements (07-10-2025) [Australia/APAC]. Mapping ERP remediation to policy controls helps auditors validate risk treatment and change management (Source: ACSC, 07-10-2025).

Editorial Perspective

This cycle underscores the convergence of incident response and policy risk: hands-on exploits (Oracle EBS, Cisco ASA/FTD) are landing just as legal frameworks wobble or evolve. For DFIR teams, that means faster pivot from advisory → detection content → verification at the asset edge.

Manufacturing and healthcare remain high-value targets, with extortion-without-encryption continuing to test crisis communications and continuity plans. Session theft via collaboration tooling reminds defenders to prioritise token hygiene, OAuth visibility, and identity threat detection.

On compliance, NCSC’s push for observability and hunting is timely—treat it as measurable control evidence, not “nice-to-have.” Prepare stakeholder memos on the EU “Chat Control” implications for encryption, and rehearse alternative intel routes while US information-sharing protections are unsettled.

Tags

DFIR, incident response, threat intelligence, ransomware, KEV, Oracle E-Business Suite, Cisco ASA, healthcare breach, industrial control systems, encryption policy
