<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>CipherWatch — Security &amp; Risk Management</title><description>Security intelligence covering Security &amp; Risk Management: Governance, compliance, ethics, risk frameworks, legal regulations, and business continuity planning.</description><link>https://cipherwatch.io/</link><language>en-gb</language><item><title>DOJ Seizes CFAKE.com and SOCFAKE.com in First Criminal Enforcement Under the TAKE IT DOWN Act</title><link>https://cipherwatch.io/articles/2026-06-16-doj-seizes-cfake-socfake-take-it-down-act-deepfake/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-16-doj-seizes-cfake-socfake-take-it-down-act-deepfake/</guid><description>US authorities seized two of the largest non-consensual deepfake pornography platforms in a joint operation with French and Italian law enforcement, marking the first major criminal enforcement action under the TAKE IT DOWN Act signed into law in May 2025. A French national was arrested in Nice on 10 June; cryptocurrency proceeds have been seized pending forfeiture.</description><pubDate>Tue, 16 Jun 2026 00:00:00 GMT</pubDate><category>deepfake</category><category>legislation</category><category>take-it-down-act</category><category>doj</category><category>ai-misuse</category><category>non-consensual-imagery</category></item><item><title>Europol Dismantles AudiA6 Cryptocurrency Laundering Service That Processed €336M+ for Ransomware Gangs</title><link>https://cipherwatch.io/articles/2026-06-15-europol-audia6-crypto-laundering-ransomware/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-15-europol-audia6-crypto-laundering-ransomware/</guid><description>Europol, in coordination with German BKA, Dutch FIOD, and Lithuanian law enforcement, has dismantled AudiA6 — a professional cryptocurrency money laundering service that processed more than €336 million in criminal proceeds for ransomware groups including Conti, REvil, and 
BlackCat/ALPHV. Seven individuals have been arrested across three countries and the service&apos;s infrastructure seized.</description><pubDate>Mon, 15 Jun 2026 00:00:00 GMT</pubDate><category>europol</category><category>cryptocurrency</category><category>money-laundering</category><category>ransomware</category><category>law-enforcement</category><category>audia6</category><category>financial-crime</category><category>takedown</category></item><item><title>AI Workflow Builder Security Governance: Langflow CVE-2026-5027 and the Unmanaged AI Tool Problem</title><link>https://cipherwatch.io/articles/2026-06-13-ai-workflow-security-governance-langflow-risk/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-13-ai-workflow-security-governance-langflow-risk/</guid><description>Langflow CVE-2026-5027&apos;s active exploitation is accelerating because many enterprise Langflow deployments are outside the formal IT security perimeter — deployed by data science and developer teams without security review, not in the CMDB, not in the vulnerability scanning scope. 
This article provides a governance framework for bringing AI workflow tools under security management.</description><pubDate>Sat, 13 Jun 2026 00:00:00 GMT</pubDate><category>langflow</category><category>cve-2026-5027</category><category>ai-governance</category><category>shadow-it</category><category>risk-management</category><category>vulnerability-management</category><category>ai-tools</category><category>enterprise-security</category><category>procurement</category></item><item><title>Enterprise Guide: Prioritising the June 2026 Patch Tuesday Across 198 CVEs</title><link>https://cipherwatch.io/articles/2026-06-11-june-2026-patch-tuesday-enterprise-prioritisation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-11-june-2026-patch-tuesday-enterprise-prioritisation/</guid><description>Security teams face 198 CVEs from Microsoft&apos;s June 2026 Patch Tuesday plus concurrent advisories from SAP, Ivanti, Palo Alto, and CISA. This guide provides a decision framework for prioritising remediation across different infrastructure tiers — from internet-facing servers to workstations — with specific guidance for each of the highest-risk vulnerabilities.</description><pubDate>Thu, 11 Jun 2026 00:00:00 GMT</pubDate><category>patch-management</category><category>risk-management</category><category>microsoft</category><category>patch-tuesday</category><category>vulnerability-management</category><category>enterprise-security</category><category>remediation</category><category>cvss</category><category>2026</category></item><item><title>SAP June 2026 Security Patch Day: CVSS 9.9 SAML Authentication Bypass CVE-2026-44748 in NetWeaver ABAP</title><link>https://cipherwatch.io/articles/2026-06-09-sap-netweaver-cve-2026-44748-saml-bypass-cvss-9-9/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-09-sap-netweaver-cve-2026-44748-saml-bypass-cvss-9-9/</guid><description>SAP&apos;s June 2026 Security Patch Day includes CVE-2026-44748, a CVSS 
9.9 authentication bypass in SAP NetWeaver Application Server ABAP that allows unauthenticated remote attackers to forge SAML assertions and impersonate any user including system administrators. Twenty-one additional CVEs were patched, including three rated Critical.</description><pubDate>Tue, 09 Jun 2026 00:00:00 GMT</pubDate><category>sap</category><category>netweaver</category><category>abap</category><category>cve-2026-44748</category><category>saml</category><category>authentication-bypass</category><category>cvss-9-9</category><category>erp-security</category><category>enterprise-applications</category></item><item><title>OpenAI Rolls Out ChatGPT Lockdown Mode to Block Prompt-Injection Data Exfiltration</title><link>https://cipherwatch.io/articles/2026-06-06-openai-chatgpt-lockdown-mode-enterprise-ai-security/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-06-openai-chatgpt-lockdown-mode-enterprise-ai-security/</guid><description>OpenAI has released ChatGPT Lockdown Mode, a security configuration that prevents ChatGPT from loading external URLs, rendering images from arbitrary sources, or executing third-party plugin calls — the primary vectors for prompt-injection attacks that cause ChatGPT to exfiltrate data to attacker-controlled endpoints. 
Enterprise and education customers can now enforce Lockdown Mode organisation-wide via the admin console.</description><pubDate>Sat, 06 Jun 2026 00:00:00 GMT</pubDate><category>openai</category><category>chatgpt</category><category>prompt-injection</category><category>ai-security</category><category>lockdown-mode</category><category>enterprise-ai</category><category>data-exfiltration</category><category>llm-security</category></item><item><title>Verizon DBIR 2026: Vulnerability Exploitation Surpasses Phishing as Top Initial Access Vector — Enterprise Implications</title><link>https://cipherwatch.io/articles/2026-06-05-verizon-dbir-2026-vulnerability-exploitation-breach-vector/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-05-verizon-dbir-2026-vulnerability-exploitation-breach-vector/</guid><description>Verizon&apos;s 2026 Data Breach Investigations Report, published mid-May, documents a structural shift in breach methodology: vulnerability exploitation has overtaken phishing as the most common initial access pathway in analysed breaches. The shift reflects a maturing attacker ecosystem that increasingly uses automated exploit delivery rather than requiring human interaction. 
Enterprise security programmes built around phishing awareness need recalibration.</description><pubDate>Fri, 05 Jun 2026 00:00:00 GMT</pubDate><category>verizon-dbir</category><category>vulnerability-management</category><category>breach-analysis</category><category>threat-intelligence</category><category>initial-access</category><category>patch-management</category><category>2026</category></item><item><title>Healthcare Ransomware Business Continuity: Prioritising Recovery When Clinical Systems Go Down</title><link>https://cipherwatch.io/articles/2026-06-04-ransomware-healthcare-business-continuity-recovery/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-04-ransomware-healthcare-business-continuity-recovery/</guid><description>When ransomware hits a healthcare organisation, the recovery sequence matters as much as the containment response. Clinical systems have dependencies that make naive &apos;restore in alphabetical order&apos; approaches catastrophic. This guide covers healthcare-specific BCP prioritisation for ransomware recovery, including the clinical dependency chain that drives sequencing decisions.</description><pubDate>Thu, 04 Jun 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>healthcare</category><category>business-continuity</category><category>incident-response</category><category>recovery</category><category>bcp</category><category>clinical-systems</category><category>disaster-recovery</category></item><item><title>ITSM Platform Security Governance: Why ServiceNow, Jira, and Freshservice Are High-Value Targets</title><link>https://cipherwatch.io/articles/2026-06-02-itsm-platform-security-governance-servicenow-jira/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-02-itsm-platform-security-governance-servicenow-jira/</guid><description>The ServiceNow API breach this week highlights a category of platform that organisations consistently underestimate as an attack target: IT Service 
Management tools. ITSM platforms aggregate privileged information about the organisation&apos;s infrastructure, credentials, and operational processes — making them a high-value target and a high-consequence breach.</description><pubDate>Tue, 02 Jun 2026 00:00:00 GMT</pubDate><category>servicenow</category><category>itsm</category><category>jira</category><category>freshservice</category><category>platform-security</category><category>risk-management</category><category>data-governance</category><category>credential-security</category></item><item><title>Enterprise Java Middleware Security Governance: Bringing WebLogic and JBoss into the Vulnerability Management Programme</title><link>https://cipherwatch.io/articles/2026-06-01-enterprise-middleware-security-governance-weblogic/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-01-enterprise-middleware-security-governance-weblogic/</guid><description>Oracle WebLogic, Red Hat JBoss/WildFly, and IBM WebSphere are foundational enterprise application infrastructure that frequently falls outside the scope of corporate vulnerability management programmes. 
CVE-2024-21182&apos;s CISA KEV addition — 18 months after the patch — reflects what happens when middleware is governed outside the security programme.</description><pubDate>Mon, 01 Jun 2026 00:00:00 GMT</pubDate><category>oracle</category><category>weblogic</category><category>middleware</category><category>vulnerability-management</category><category>governance</category><category>enterprise-java</category><category>risk-management</category><category>application-security</category></item><item><title>Q2 2026 Enterprise Threat Landscape: Unprecedented Vulnerability Density and What It Means for Security Programmes</title><link>https://cipherwatch.io/articles/2026-05-31-q2-2026-enterprise-threat-landscape-vulnerability-density/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-31-q2-2026-enterprise-threat-landscape-vulnerability-density/</guid><description>Q2 2026 (April–June) has produced more simultaneous high-severity vulnerabilities in enterprise-critical infrastructure than any comparable period in recent years. 
Netlogon CVSS 9.8, three CVSS 10.0 in UniFi OS, AMD microarchitecture flaws, Linux kernel LPEs, and two Citrix exploitation waves — analysing the pattern reveals structural implications for how enterprises manage vulnerability risk.</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>vulnerability-management</category><category>threat-landscape</category><category>q2-2026</category><category>risk-management</category><category>enterprise-security</category><category>vulnerability-density</category><category>ciso</category></item><item><title>May 2026 Vulnerability Retrospective: Patch Prioritisation Guide for Enterprise Security Teams</title><link>https://cipherwatch.io/articles/2026-05-30-may-2026-vulnerability-retrospective-patch-prioritisation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-30-may-2026-vulnerability-retrospective-patch-prioritisation/</guid><description>May 2026 produced an unusually dense cluster of high-severity vulnerabilities: Netlogon CVSS 9.8, Ubiquiti CVSS 10.0 × 3, AMD Zen 2 CVSS 8.8, golang/crypto CVSS 10.0, Linux ptrace four-exploit-chain. 
This retrospective ranks them by risk for organisations still working through the patching backlog.</description><pubDate>Sat, 30 May 2026 00:00:00 GMT</pubDate><category>patch-management</category><category>vulnerability-prioritisation</category><category>may-2026</category><category>risk-management</category><category>ciso</category><category>enterprise-security</category><category>retrospective</category></item><item><title>Netlogon CVE-2026-41089: Enterprise Risk Management Framework for Active Directory Compromise Scenarios</title><link>https://cipherwatch.io/articles/2026-05-29-netlogon-vulnerability-enterprise-risk-management/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-29-netlogon-vulnerability-enterprise-risk-management/</guid><description>A CVSS 9.8 vulnerability with active exploitation and a public PoC against domain controllers requires risk management decisions at the business level, not just patching at the technical level. This guide covers the risk assessment, escalation triggers, and business continuity considerations that security leadership should present to boards and executives.</description><pubDate>Fri, 29 May 2026 00:00:00 GMT</pubDate><category>risk-management</category><category>active-directory</category><category>netlogon</category><category>cve-2026-41089</category><category>business-continuity</category><category>incident-response</category><category>governance</category><category>ciso</category></item><item><title>Developer Workstations as Supply-Chain Risk: Governance Framework for Engineering Environments</title><link>https://cipherwatch.io/articles/2026-05-27-developer-workstation-supply-chain-risk-management/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-27-developer-workstation-supply-chain-risk-management/</guid><description>TeamPCP&apos;s simultaneous three-vector attack on developer tooling reveals a governance gap that exists in most organisations: developer workstations 
accumulate privileged access over time but operate outside the security governance processes that manage server infrastructure. A developer machine with production credentials is server-equivalent infrastructure.</description><pubDate>Wed, 27 May 2026 00:00:00 GMT</pubDate><category>developer-security</category><category>supply-chain</category><category>risk-management</category><category>governance</category><category>credential-security</category><category>workstation-security</category></item><item><title>Food and Beverage Sector Ransomware: Why Critical Infrastructure Classification Has Not Improved Security Outcomes</title><link>https://cipherwatch.io/articles/2026-05-26-food-sector-ransomware-critical-infrastructure-risk/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-26-food-sector-ransomware-critical-infrastructure-risk/</guid><description>The US food and agriculture sector was designated critical infrastructure in 2003. In 2026, ransomware attacks against it are rising 80 per cent year on year. 
The gap between regulatory classification and actual security maturity reflects structural problems in how cybersecurity investment decisions are made in distributed, margin-sensitive industries.</description><pubDate>Tue, 26 May 2026 00:00:00 GMT</pubDate><category>critical-infrastructure</category><category>food-sector</category><category>ransomware</category><category>regulatory-compliance</category><category>risk-management</category><category>ot-security</category></item><item><title>WordPress Plugin Security Is an Enterprise Problem That Keeps Getting Treated as a Web Developer Problem</title><link>https://cipherwatch.io/articles/2026-05-23-wordpress-plugin-security-enterprise-governance/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-23-wordpress-plugin-security-enterprise-governance/</guid><description>Four CVSS 8.8 vulnerabilities in a 100,000-install WordPress plugin — discoverable by any registered member with a subscriber account — highlight the structural mismatch between how WordPress CMS security is governed in enterprise organisations and the actual risk it carries. 
Membership sites, intranet portals, and course platforms built on WordPress process regulated data and host privileged access, but rarely receive enterprise-grade security governance.</description><pubDate>Sat, 23 May 2026 00:00:00 GMT</pubDate><category>wordpress</category><category>cms-security</category><category>plugin-governance</category><category>enterprise-security</category><category>risk-management</category><category>supply-chain</category></item><item><title>Nine CVEs in One Go Cryptography Library: What Mass Advisories in Open-Source Crypto Mean for Enterprise Risk Management</title><link>https://cipherwatch.io/articles/2026-05-22-open-source-cryptography-supply-chain-risk-management/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-22-open-source-cryptography-supply-chain-risk-management/</guid><description>The nine-CVE golang.org/x/crypto advisory is the latest in a pattern of mass security advisories from widely used open-source cryptographic libraries. 
For enterprise risk managers, the recurring pattern raises questions about how dependency-level cryptography risk is assessed, tracked, and communicated — and whether current SCA tooling is adequate for the velocity of advisory publication.</description><pubDate>Fri, 22 May 2026 00:00:00 GMT</pubDate><category>open-source</category><category>supply-chain</category><category>cryptography</category><category>golang</category><category>dependency-management</category><category>sca</category><category>risk-management</category><category>sbom</category></item><item><title>After Pwn2Own Berlin 2026: A Risk Manager&apos;s Assessment of 47 Zero-Days in Enterprise Infrastructure</title><link>https://cipherwatch.io/articles/2026-05-18-pwn2own-berlin-enterprise-risk-management-47-zero-days/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-18-pwn2own-berlin-enterprise-risk-management-47-zero-days/</guid><description>Pwn2Own Berlin 2026 produced 47 unique zero-day vulnerabilities across Windows 11, VMware ESXi, Exchange Server, SharePoint, Oracle VirtualBox, Red Hat Enterprise Linux, and five AI products. 
For enterprise risk managers and CISOs, the results require a structured response that goes beyond individual CVE patches and addresses the systemic implications.</description><pubDate>Mon, 18 May 2026 00:00:00 GMT</pubDate><category>pwn2own</category><category>risk-management</category><category>enterprise-security</category><category>vulnerability-management</category><category>ciso</category><category>governance</category></item><item><title>West Pharmaceutical Services Files SEC 8-K After Ransomware Encrypts Systems and Exfiltrates Manufacturing Data</title><link>https://cipherwatch.io/articles/2026-05-13-west-pharmaceutical-ransomware-sec-8k/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-13-west-pharmaceutical-ransomware-sec-8k/</guid><description>West Pharmaceutical Services, an S&amp;P 500 drug delivery component manufacturer, disclosed a ransomware attack via SEC Form 8-K, confirming system encryption and data exfiltration affecting its manufacturing and quality systems. 
The incident highlights regulatory obligations for publicly listed companies to disclose material cybersecurity incidents and the specific risks facing pharmaceutical supply chain manufacturers.</description><pubDate>Wed, 13 May 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>sec-disclosure</category><category>pharmaceutical</category><category>manufacturing</category><category>regulatory</category></item><item><title>Instructure Confirms ShinyHunters Exploited Canvas LMS to Deface University Login Portals in Mass Extortion Campaign</title><link>https://cipherwatch.io/articles/2026-05-11-canvas-lms-shinyhunters-deface-universities-confirmed/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-11-canvas-lms-shinyhunters-deface-universities-confirmed/</guid><description>Instructure has confirmed that the ShinyHunters threat group exploited a vulnerability in Canvas LMS to deface login portals across multiple university clients with extortion messages. The attack moved beyond the data exposure incident disclosed on May 3 into active defacement — university login pages were replaced with ransom demands visible to students and staff. 
Instructure is notifying affected institutions and has issued an emergency patch.</description><pubDate>Mon, 11 May 2026 00:00:00 GMT</pubDate><category>canvas-lms</category><category>instructure</category><category>shinyhunters</category><category>breach</category><category>education</category><category>extortion</category><category>data-breach</category><category>defacement</category></item><item><title>DOJ Indicts North Korean Developer for Leading Sales of DDoS and Cyberterrorism Tools for Regime Revenue</title><link>https://cipherwatch.io/articles/2026-05-09-north-korea-dprk-dev-indicted-ddos-cyberterrorism-tools/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-09-north-korea-dprk-dev-indicted-ddos-cyberterrorism-tools/</guid><description>The US Department of Justice has indicted a North Korean software developer on charges of conspiracy to develop and sell cyberattack tools — including distributed denial-of-service infrastructure and cyberterrorism-enabling toolkits — through front companies operated by the Workers&apos; Party of Korea. 
The indictment provides rare detail into how DPRK IT workers generate hard currency for the regime through offensive cyber tool sales, complementing the well-documented cryptocurrency theft and IT contractor programmes.</description><pubDate>Sat, 09 May 2026 00:00:00 GMT</pubDate><category>north-korea</category><category>dprk</category><category>doj-indictment</category><category>ddos</category><category>cyberterrorism</category><category>sanctions</category><category>threat-actor</category><category>nation-state</category><category>revenue-generation</category></item><item><title>FTC Bans Kochava Subsidiary from Selling Sensitive Location Data in Landmark Enforcement Settlement</title><link>https://cipherwatch.io/articles/2026-05-08-ftc-bans-kochava-location-data-sales-settlement/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-08-ftc-bans-kochava-location-data-sales-settlement/</guid><description>The US Federal Trade Commission has reached a settlement banning Kochava and its Collective Data Solutions subsidiary from selling sensitive location data derived from consumer mobile devices — marking the FTC&apos;s most significant enforcement action against the location data broker industry. 
The settlement establishes a precedent with direct implications for any organisation that monetises or purchases precise consumer location data, including advertising technology companies, retail analytics firms, and financial services using location data for fraud detection.</description><pubDate>Fri, 08 May 2026 00:00:00 GMT</pubDate><category>ftc</category><category>privacy</category><category>location-data</category><category>data-broker</category><category>enforcement</category><category>kochava</category><category>adtech</category><category>regulatory</category><category>gdpr</category><category>compliance</category></item><item><title>Fortinet 2026 Global Threat Landscape: Ransomware Victims Up 389% Year-over-Year, AI Crime Industrialising</title><link>https://cipherwatch.io/articles/2026-05-05-fortinet-2026-global-threat-landscape-ransomware-389pct/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-05-fortinet-2026-global-threat-landscape-ransomware-389pct/</guid><description>Fortinet&apos;s 2026 Global Threat Landscape Report documents 7,831 confirmed ransomware victims in 2025 — a 389% increase over 2024&apos;s approximately 1,600 — alongside the first systematic evidence of AI-enabled cybercrime tooling (WormGPT, FraudGPT, BruteForceAI) being used at scale. Manufacturing, business services, and retail are the hardest-hit sectors. 
The report reframes the threat environment as fundamentally changed, not merely intensified.</description><pubDate>Tue, 05 May 2026 00:00:00 GMT</pubDate><category>threat-intelligence</category><category>ransomware</category><category>ai-crime</category><category>fortinet</category><category>annual-report</category><category>threat-landscape</category><category>manufacturing</category><category>financial-crime</category></item><item><title>KidsProtect Stalkerware Abuses VS Code Tunnels and Discord Webhooks as Covert C2 Infrastructure</title><link>https://cipherwatch.io/articles/2026-05-05-kidsprotect-android-stalkerware-vscode-tunnel-c2/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-05-kidsprotect-android-stalkerware-vscode-tunnel-c2/</guid><description>A commercially marketed Android application called KidsProtect, presented as a parental control tool, has been analysed and found to function as stalkerware — secretly recording device location, SMS messages, call logs, and browser history without consent. The tool evades conventional network monitoring by routing command-and-control traffic through legitimate VS Code Remote Tunnels and Discord webhook endpoints. 
Its developer explicitly markets it as an undetectable monitoring solution on underground forums.</description><pubDate>Tue, 05 May 2026 00:00:00 GMT</pubDate><category>stalkerware</category><category>android</category><category>mobile-security</category><category>privacy</category><category>vs-code-tunnel-abuse</category><category>discord-abuse</category><category>consent</category><category>domestic-surveillance</category></item><item><title>Europol Dismantles €50M Crypto Investment Fraud Network — 12 Arrested Across Six Countries</title><link>https://cipherwatch.io/articles/2026-05-04-europol-cryptofraud-50m-12-arrests/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-04-europol-cryptofraud-50m-12-arrests/</guid><description>Europol has coordinated the dismantling of a €50 million cryptocurrency investment fraud network operating across six European countries, resulting in 12 arrests, 30 property searches, and the seizure of cryptocurrency holdings, luxury assets, and fraud operation infrastructure. 
The network ran AI-enhanced investment scam call centres and operated fraudulent crypto trading platforms that fabricated returns to sustain victim investment before executing exit scams.</description><pubDate>Mon, 04 May 2026 00:00:00 GMT</pubDate><category>europol</category><category>cryptocurrency</category><category>investment-fraud</category><category>social-engineering</category><category>law-enforcement</category><category>financial-crime</category><category>pig-butchering</category></item><item><title>Two Former Cybersecurity Professionals Sentenced to Four Years for BlackCat/ALPHV Ransomware Operations</title><link>https://cipherwatch.io/articles/2026-05-03-blackcat-alphv-two-sentenced-four-years/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-03-blackcat-alphv-two-sentenced-four-years/</guid><description>A US federal court has sentenced two individuals with professional cybersecurity backgrounds to four-year prison terms for their roles in the BlackCat/ALPHV ransomware-as-a-service operation, marking a notable law enforcement outcome that demonstrates insider security knowledge is not a prosecution shield. The sentences follow guilty pleas and cooperation with investigators.</description><pubDate>Sun, 03 May 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>law-enforcement</category><category>blackcat-alphv</category><category>cybercrime-prosecution</category><category>deterrence</category></item><item><title>FBI Warns of $725M Cyber-Enabled Cargo Theft Wave Targeting Transportation and Logistics</title><link>https://cipherwatch.io/articles/2026-05-01-fbi-cyber-cargo-theft-725-million/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-01-fbi-cyber-cargo-theft-725-million/</guid><description>The FBI has issued a warning documenting a sharp surge in cyber-enabled cargo theft targeting the US transportation and logistics industry, with losses exceeding $725 million in 2025. 
Criminal organisations use phishing, broker impersonation, and freight marketplace account takeovers to divert physical shipments. Supply chain security teams and freight brokers should treat this advisory as a direct threat to physical goods in transit.</description><pubDate>Fri, 01 May 2026 00:00:00 GMT</pubDate><category>fbi-advisory</category><category>cargo-theft</category><category>social-engineering</category><category>logistics-security</category><category>freight-fraud</category><category>supply-chain-risk</category></item><item><title>WordPress Redirect Plugin Carried Dormant Backdoor for Three Years Before Activation</title><link>https://cipherwatch.io/articles/2026-04-30-wordpress-redirect-plugin-dormant-backdoor/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-30-wordpress-redirect-plugin-dormant-backdoor/</guid><description>Researchers have uncovered a dormant backdoor in a widely installed WordPress redirect management plugin that remained inactive for approximately three years before being activated by the attackers. 
The backdoor, present across an estimated 200,000+ active installations, highlights the long-game threat of supply chain compromise in the WordPress plugin ecosystem and the limits of periodic security scanning.</description><pubDate>Thu, 30 Apr 2026 00:00:00 GMT</pubDate><category>wordpress</category><category>supply-chain</category><category>backdoor</category><category>plugin-security</category><category>website-security</category><category>cms-security</category></item><item><title>FTC: Americans Lost $2.1 Billion to Social Media Scams in 2025 — AI-Enhanced Fraud Doubles Investment Losses</title><link>https://cipherwatch.io/articles/2026-04-28-ftc-social-media-fraud-2-1-billion-ai-scams/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-28-ftc-social-media-fraud-2-1-billion-ai-scams/</guid><description>The US Federal Trade Commission&apos;s annual consumer fraud report records $2.1 billion in social media scam losses in 2025, a 47% increase from 2024 driven by AI-generated deepfake impersonations, synthetic romance fraud accounts, and AI-personalised investment scam targeting. Investment scams account for 53% of losses at $1.1 billion. 
The report carries compliance implications for organisations under FTC Section 5 and EU AI Act Article 50 transparency obligations.</description><pubDate>Tue, 28 Apr 2026 00:00:00 GMT</pubDate><category>fraud</category><category>ftc</category><category>social-media</category><category>ai-fraud</category><category>deepfake</category><category>regulatory</category><category>investment-scam</category></item><item><title>NIST Halts NVD Enrichment for Lowest-Priority CVEs as Submission Volume Surges 263% — Vulnerability Management Impact</title><link>https://cipherwatch.io/articles/2026-04-27-nist-nvd-enrichment-lowest-priority-halt/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-27-nist-nvd-enrichment-lowest-priority-halt/</guid><description>NIST has announced it will no longer provide full CVSS scoring, CPE matching, and CWE classification for the lowest-priority tier of CVE submissions in the NVD. The change, driven by a 263% surge in annual CVE volumes since 2024, means thousands of CVE records will remain in an unenriched &apos;DEFERRED&apos; state — with no CVSS score, no affected product mapping, and no severity rating. 
Enterprise vulnerability management programmes that rely on NVD as their authoritative source must adapt their workflows immediately.</description><pubDate>Mon, 27 Apr 2026 00:00:00 GMT</pubDate><category>nvd</category><category>nist</category><category>vulnerability-management</category><category>cvss</category><category>patch-management</category><category>risk-prioritisation</category></item><item><title>Germany BKA Identifies REvil and GandCrab Leader &apos;UNKN&apos; as Russian National Daniil Shchukin</title><link>https://cipherwatch.io/articles/2026-04-26-germany-bka-identifies-revil-gandcrab-leader-unkn/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-26-germany-bka-identifies-revil-gandcrab-leader-unkn/</guid><description>Germany&apos;s federal criminal police (BKA) publicly attributed the REvil and GandCrab ransomware-as-a-service platforms to 31-year-old Russian national Daniil Shchukin, holding him responsible for 130+ attacks in Germany causing over €35 million in economic damage. 
Shchukin operates from Krasnodar and remains beyond extradition reach, but the attribution breaks the historical anonymity of top-tier RaaS operators and may precede US OFAC sanctions.</description><pubDate>Sun, 26 Apr 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>attribution</category><category>revil</category><category>gandcrab</category><category>germany</category><category>russia</category><category>law-enforcement</category></item><item><title>CISA Adds Four Exploited Flaws to KEV — SimpleHelp RMT and Samsung MagicINFO Head New Additions</title><link>https://cipherwatch.io/articles/2026-04-25-cisa-kev-simplehelp-samsung-magicinfo-new-additions/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-25-cisa-kev-simplehelp-samsung-magicinfo-new-additions/</guid><description>CISA&apos;s Known Exploited Vulnerabilities catalogue has grown by four entries including critical flaws in SimpleHelp remote management tooling and Samsung&apos;s MagicINFO digital signage platform. Federal agencies face a May 2026 remediation deadline. Enterprise operators of RMM tools and display infrastructure should treat these as urgent.</description><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><category>cisa-kev</category><category>simplehelp</category><category>samsung</category><category>rmm-tools</category><category>actively-exploited</category><category>compliance</category></item><item><title>NASA OIG: Chinese Spear-Phishing Campaign Targeted Defence Software Over Four Years</title><link>https://cipherwatch.io/articles/2026-04-24-nasa-oig-chinese-spearphishing-defence-software-song-wu/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-24-nasa-oig-chinese-spearphishing-defence-software-song-wu/</guid><description>A newly released NASA OIG report details a sustained Chinese spear-phishing operation by Song Wu that targeted NASA, DoD contractors, and universities to steal defence software source code. 
The campaign ran from 2017 to 2021 — a defence supply chain IP theft template that remains relevant today.</description><pubDate>Fri, 24 Apr 2026 00:00:00 GMT</pubDate><category>spear-phishing</category><category>nation-state</category><category>china</category><category>intellectual-property</category><category>defence</category></item><item><title>SAP BPC SQL Injection (CVE-2026-27681, CVSS 9.9) Gives Low-Privilege Users Full Access to Financial ERP Data</title><link>https://cipherwatch.io/articles/2026-04-24-sap-abap-sql-injection-cve-2026-27681-erp-financial-risk/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-24-sap-abap-sql-injection-cve-2026-27681-erp-financial-risk/</guid><description>A near-perfect CVSS 9.9 SQL injection vulnerability in SAP Business Planning and Consolidation and BW/4HANA allows any authenticated user with standard access to read, modify, and delete financial consolidation data. SAP patched the flaw in its April 2026 Security Patch Day; organisations should treat unpatched SAP financial systems as having their financial data integrity at risk from any internal user with SAP credentials.</description><pubDate>Fri, 24 Apr 2026 00:00:00 GMT</pubDate><category>sap</category><category>sql-injection</category><category>erp</category><category>financial-security</category><category>patch-management</category><category>enterprise-risk</category></item><item><title>Anthropic&apos;s Claude Mythos AI Discovers Thousands of Zero-Days Across Every Major OS — Project Glasswing Offers Private Access</title><link>https://cipherwatch.io/articles/2026-04-22-anthropic-claude-mythos-ai-zero-day-discovery/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-22-anthropic-claude-mythos-ai-zero-day-discovery/</guid><description>Anthropic&apos;s specialised vulnerability-hunting AI, Claude Mythos, has systematically discovered thousands of zero-day vulnerabilities across Windows, macOS, Linux, and major browsers — 
including a 17-year-old NFS RCE in FreeBSD and a 27-year-old OpenBSD denial-of-service. Project Glasswing provides private early access to Microsoft, Google, Apple, and select others. The implications for enterprise risk governance are immediate.</description><pubDate>Wed, 22 Apr 2026 00:00:00 GMT</pubDate><category>ai-security</category><category>zero-day</category><category>vulnerability-research</category><category>anthropic</category><category>risk-governance</category><category>threat-landscape</category></item><item><title>ShinyHunters Leaks 78.6M Rockstar Records — The Real Story Is Anodot&apos;s Access</title><link>https://cipherwatch.io/articles/2026-04-16-rockstar-shinyhunters-anodot-snowflake-third-party-breach/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-16-rockstar-shinyhunters-anodot-snowflake-third-party-breach/</guid><description>ShinyHunters has released 78.6 million records stolen from Rockstar Games, following the company&apos;s refusal to pay a ransom by the April 14 deadline. The breach did not involve Rockstar&apos;s own systems: attackers compromised Anodot, a third-party SaaS analytics vendor with direct access to Rockstar&apos;s Snowflake data warehouse. 
No player records were exposed, but the incident illustrates the persistent enterprise risk of SaaS vendor data access.</description><pubDate>Thu, 16 Apr 2026 00:00:00 GMT</pubDate><category>third-party-risk</category><category>snowflake</category><category>saas-security</category><category>data-breach</category><category>shinyhunters</category><category>supply-chain</category><category>anodot</category><category>extortion</category><category>vendor-risk</category></item><item><title>CISA Flags SharePoint Zero-Day CVE-2026-32201 as Actively Exploited — Patch Arrives Tomorrow</title><link>https://cipherwatch.io/articles/2026-04-14-sharepoint-cve-2026-32201-kev-no-patch-zero-day/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-14-sharepoint-cve-2026-32201-kev-no-patch-zero-day/</guid><description>CISA has added CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability under active exploitation, to the KEV catalogue with a 28 April remediation deadline. The timing is unusual: Microsoft has not yet released a patch as of this alert, with the fix expected in tomorrow&apos;s Patch Tuesday release. 
Organisations must decide whether to implement mitigations today or accept overnight exposure until the patch lands.</description><pubDate>Tue, 14 Apr 2026 00:00:00 GMT</pubDate><category>microsoft</category><category>sharepoint</category><category>zero-day</category><category>cisa-kev</category><category>patch-tuesday</category><category>risk-management</category><category>cve</category><category>no-patch</category></item><item><title>NIS2 Moves From Grace Period to Enforcement — Germany&apos;s BSI Registration Deadline Is Now</title><link>https://cipherwatch.io/articles/2026-04-11-nis2-enforcement-maturity-germany-bsi-deadline/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-11-nis2-enforcement-maturity-germany-bsi-deadline/</guid><description>Eighteen months after the NIS2 transposition deadline, EU member states are moving from legislative implementation to active supervisory enforcement. Germany&apos;s BSI has set April 2026 as the registration deadline for essential and important entities under the national NIS2 implementation (NIS2UmsuCG). 
Organisations still treating NIS2 as a future requirement face immediate regulatory exposure as national competent authorities begin audit and penalty activity.</description><pubDate>Sat, 11 Apr 2026 00:00:00 GMT</pubDate><category>nis2</category><category>gdpr</category><category>compliance</category><category>regulatory</category><category>germany</category><category>bsi</category><category>incident-reporting</category><category>governance</category><category>eu</category></item><item><title>CIRCIA Final Rule Expected May 2026: What Critical Infrastructure Operators Must Do Now</title><link>https://cipherwatch.io/articles/2026-04-10-circia-final-rule-mandatory-incident-reporting/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-10-circia-final-rule-mandatory-incident-reporting/</guid><description>CISA is expected to publish the long-awaited CIRCIA final rule in May 2026, mandating 72-hour cyber incident reporting and 24-hour ransomware payment reporting for critical infrastructure sectors. 
With weeks remaining, organisations that have not started preparing face significant compliance and legal exposure when the rule takes effect.</description><pubDate>Fri, 10 Apr 2026 00:00:00 GMT</pubDate><category>circia</category><category>regulatory-compliance</category><category>incident-reporting</category><category>ransomware</category><category>critical-infrastructure</category><category>cisa</category><category>governance</category></item><item><title>Handala Ransomware Surges to 23 Victims in March — Geopolitically-Motivated Wiper Threat Expands Beyond Israel</title><link>https://cipherwatch.io/articles/2026-04-06-handala-ransomware-surge-geopolitical-enterprise-risk/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-06-handala-ransomware-surge-geopolitical-enterprise-risk/</guid><description>Handala ransomware claimed 23 victims in March 2026 — the group&apos;s most active month, accounting for more than half of its total 2026 activity to date. While predominantly targeting Israeli organisations with suspected IRGC ties, Handala has begun extending its reach into European financial services, healthcare, and utilities. 
The group deploys wiper functionality alongside ransomware, meaning recovery from an attack is frequently impossible even without a ransom payment.</description><pubDate>Mon, 06 Apr 2026 00:00:00 GMT</pubDate><category>ransomware</category><category>handala</category><category>wiper</category><category>geopolitical</category><category>iran</category><category>threat-intelligence</category><category>business-continuity</category></item><item><title>March 2026 Patch Cycle: The Governance and Risk Metrics That CISOs Should Be Reporting</title><link>https://cipherwatch.io/articles/2026-04-05-march-patch-tuesday-ciso-governance-risk/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-05-march-patch-tuesday-ciso-governance-risk/</guid><description>March 2026 has been an unusually demanding patch cycle — 83 Microsoft CVEs, three new CISA KEV additions across F5, Citrix, and Active Directory, and concurrent exploitable vulnerabilities across Linux, PAN-OS, and Dell hardware. CISOs face board-level questions about patching velocity and exposure windows. This analysis provides the governance framework and risk metrics to answer those questions accurately.</description><pubDate>Sun, 05 Apr 2026 00:00:00 GMT</pubDate><category>patch-management</category><category>governance</category><category>ciso</category><category>risk-metrics</category><category>kpi</category><category>board-reporting</category><category>compliance</category></item></channel></rss>