Threat Feed

11.08.25 Threat Report

Written by Craig Pepper | Aug 11, 2025 10:54:55 AM

Here are the important developments you need to know about in this week's Threat Report. From NHS credential theft to critical vulnerabilities in widely used systems, here is what has been happening.


NHS Staff Credentials Stolen by Infostealer Malware

Cybercriminals have stolen login credentials from thousands of NHS employees across the UK, with approximately 2,000 staff computers compromised. The stolen data includes passwords for critical NHS systems, including internal email, Zoom, Zendesk, Salesforce, and NHS.uk. The infostealer malware used does not just capture passwords: it also steals session cookies, which an attacker can replay to reuse an already-authenticated session without ever being prompted for multi-factor authentication. The theft was discovered by Hudson Rock, a Tel Aviv-based cybersecurity firm, which found the stolen credentials being sold on criminal marketplaces. This is a significant security incident that could enable unauthorised access to sensitive NHS infrastructure and patient data.

This directly impacts UK NHS systems and shows that MFA, however well deployed, offers no protection once an attacker holds a valid session cookie, because the MFA check was already passed by the victim. Patient data and critical healthcare infrastructure are at immediate risk.

Recommendations:

  • Reset passwords for all potentially affected NHS accounts and, at the same time, revoke active sessions and refresh tokens; a password reset alone does not invalidate a stolen session cookie
  • Treat the roughly 2,000 infected computers as compromised: isolate and rebuild them, and strengthen endpoint security so infostealer malware is detected before credentials leave the machine
  • Implement additional monitoring for unusual login patterns, in particular an existing session suddenly being used from a new device, location or browser
  • Consider implementing zero-trust network access controls for critical systems
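The monitoring recommendation above is easiest to see in code. The following is an added example, not part of the original report and not NHS or Hudson Rock tooling: it runs a session-binding rule over a constructed authentication log. The field names, session identifiers, user names, addresses and user agents are all assumptions made for the example; real SSO or reverse-proxy logs would need mapping onto them. The rule binds each session to the client that completed MFA and flags any later request that presents the same session from a different client, which is exactly what a replayed stolen cookie looks like.

```python
"""Detect replay of MFA-authenticated sessions from a new client.

Added example, not from the original report. An infostealer that exfiltrates
session cookies lets the attacker reuse a session that has already passed MFA,
so the signal to look for is an existing session that suddenly appears from a
different client than the one that authenticated.

The log records, field names and addresses below are constructed for the
example (10.20.0.0/16 stands in for the hospital estate, 203.0.113.0/24 is the
TEST-NET-3 documentation range used here as the attacker's source).
"""
import ipaddress
from typing import NamedTuple


class Alert(NamedTuple):
    session: str
    user: str
    ts: str
    bound_ip: str
    bound_ua: str
    seen_ip: str
    seen_ua: str


# Constructed sample log: one record per request. "mfa_success" is the event
# that completes interactive login; "access" is any later request presenting
# the same session cookie.
SAMPLE_EVENTS = [
    {"ts": "2025-08-04T08:01:10Z", "event": "mfa_success", "user": "j.smith",
     "session": "S1", "ip": "10.20.1.15",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/126.0"},
    {"ts": "2025-08-04T08:05:42Z", "event": "access", "user": "j.smith",
     "session": "S1", "ip": "10.20.1.15",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/126.0"},
    # Same site, new DHCP lease: same /24, same browser, not suspicious.
    {"ts": "2025-08-04T09:12:03Z", "event": "access", "user": "j.smith",
     "session": "S1", "ip": "10.20.1.90",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/126.0"},
    # Stolen cookie replayed from outside the estate with a different browser.
    {"ts": "2025-08-04T11:47:19Z", "event": "access", "user": "j.smith",
     "session": "S1", "ip": "203.0.113.7",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"},
    {"ts": "2025-08-04T08:30:00Z", "event": "mfa_success", "user": "a.patel",
     "session": "S2", "ip": "10.20.2.40",
     "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5) Safari/604.1"},
    {"ts": "2025-08-04T08:31:15Z", "event": "access", "user": "a.patel",
     "session": "S2", "ip": "10.20.2.40",
     "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5) Safari/604.1"},
    # A session with no recorded MFA event is out of scope for this rule.
    {"ts": "2025-08-04T08:40:00Z", "event": "access", "user": "unknown",
     "session": "S3", "ip": "10.20.3.1", "ua": "curl/8.0"},
]


def client_fingerprint(ip: str, user_agent: str) -> tuple[str, str]:
    """Coarse client identity: source /24 (IPv4) or /64 (IPv6) plus User-Agent.

    A prefix rather than the exact address tolerates DHCP churn within one
    site while still separating a hospital network from an attacker's host.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return (str(network), user_agent)


def detect_session_replay(events) -> list[Alert]:
    """Return an Alert for each request that reuses a session from a client
    other than the one that completed MFA for it.

    The session is bound to the client fingerprint seen at mfa_success; every
    later access with that session id is compared against it. Events are
    processed in timestamp order so the binding always precedes the checks.
    """
    bound: dict[str, tuple[str, tuple[str, str], str, str]] = {}
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        fp = client_fingerprint(ev["ip"], ev["ua"])
        if ev["event"] == "mfa_success":
            # Rebind on every interactive login: a fresh MFA legitimately
            # changes the client a session belongs to.
            bound[sid] = (ev["user"], fp, ev["ip"], ev["ua"])
            continue
        if sid not in bound:
            continue  # never saw this session authenticate; other rules cover it
        user, bound_fp, bound_ip, bound_ua = bound[sid]
        if fp != bound_fp:
            alerts.append(Alert(sid, user, ev["ts"], bound_ip, bound_ua,
                                ev["ip"], ev["ua"]))
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_EVENTS):
        print(f"{a.ts} session {a.session} ({a.user}) bound to {a.bound_ip} "
              f"[{a.bound_ua}] but used from {a.seen_ip} [{a.seen_ua}]")
```

On the sample log only the S1 request from 203.0.113.7 is flagged; the DHCP move inside 10.20.1.0/24 and the iPhone session are left alone. In production the prefix width and the user-agent comparison need tuning for VPN egress points and mobile carriers, and the useful response to a hit is to revoke the session server-side, not merely to raise an alert, since a password reset will not end a session the attacker is already inside.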


Critical Microsoft Exchange Vulnerability Prompts CISA Emergency Directive

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive regarding CVE-2025-53786, a high-severity vulnerability affecting Microsoft Exchange hybrid deployments. The flaw allows an attacker who already holds administrative access to an on-premises Exchange server to escalate privileges into the organisation's connected Exchange Online tenant, because in the affected configuration the on-premises server and Exchange Online share a single service principal for authentication. While Microsoft reports no active exploitation yet, the emergency directive reflects how serious the consequences of exploitation would be. The flaw specifically affects hybrid configurations, which healthcare organisations commonly use to bridge on-premises and cloud email. If exploited, it could lead to complete domain compromise across both cloud and on-premises environments, and Microsoft notes that such activity need not leave easily detectable traces in cloud audit logs.

Many NHS trusts and healthcare organisations use hybrid Exchange deployments for email services, making this vulnerability particularly relevant for protecting sensitive healthcare communications and data.

Recommendations:

  • Immediately review your Exchange hybrid deployment configuration using Microsoft's guidance
  • Install Microsoft's April 2025 (or later) Exchange Server Hotfix Updates on on-premises servers, then follow Microsoft's guidance to move to the dedicated Exchange hybrid app; the hotfix alone does not change the shared service principal configuration
  • Run the Microsoft Exchange Health Checker to identify any additional required steps
  • Consider disconnecting public-facing Exchange servers that have reached end-of-life or end-of-service, as they will not receive this fix

IOCs: CVE-2025-53786


Trend Micro Apex One Security Software Under Active Attack

Two critical command injection vulnerabilities (CVE-2025-54948 and CVE-2025-54987) in Trend Micro's Apex One endpoint security software are being actively exploited. The flaws affect the on-premises Apex One Management Console and allow an unauthenticated attacker who can reach the console to upload malicious code and execute arbitrary commands on the server. They are the same underlying command injection issue, tracked under two CVEs because the affected builds differ by CPU architecture, and both enable complete system compromise. Trend Micro has released a short-term fix tool that blocks the known exploits but disables the Remote Install Agent function. An official patch is expected around mid-August 2025. The irony is particularly concerning: the very security software designed to protect healthcare organisations is itself being used as an attack vector, and a compromised management console can reach every endpoint it manages.

Healthcare organisations rely heavily on endpoint security solutions like Apex One to protect medical devices and clinical workstations, making this vulnerability especially dangerous for patient safety and data security.

Recommendations:

  • Immediately apply Trend Micro's short-term fix tool if you run on-premises Apex One, accepting that Remote Install Agent will be unavailable until the full patch ships
  • Remove the Apex One Management Console from public internet exposure where possible
  • Apply source IP restrictions so only trusted administrative networks can reach the console
  • Because exploitation is already under way, review the console's web server logs for unexpected requests to the management interface from before the mitigation was applied
  • Monitor for the official patch release expected mid-August and plan for rapid deployment

IOCs: CVE-2025-54948, CVE-2025-54987


Android Devices Targeted by Actively Exploited Qualcomm Vulnerabilities

Google has patched multiple critical vulnerabilities in Android, including two Qualcomm chipset flaws (CVE-2025-21479 and CVE-2025-27038) that are being exploited in the wild. Both affect the graphics (GPU) components in Qualcomm-powered Android devices and can lead to memory corruption through unauthorised command execution, which is the usual first step towards taking control of the device. Security researchers suspect the flaws are being used by commercial spyware vendors in limited, targeted attacks. Both have been added to CISA's Known Exploited Vulnerabilities catalogue, confirming active use by threat actors. Given the increasing use of mobile devices in healthcare settings, from clinical apps to patient monitoring systems, these vulnerabilities pose a significant risk to healthcare data security.

Mobile devices are increasingly integrated into healthcare workflows, and compromised devices could provide attackers with access to patient data, clinical systems, or serve as entry points into hospital networks.

Recommendations:

  • Ensure all Android devices used in healthcare settings receive the August 2025 security update; fixes reach devices on each manufacturer's own schedule, so check the reported security patch level rather than assuming the update has shipped
  • Review and update mobile device management (MDM) policies to enforce timely patching and to block or quarantine devices that fall behind the required patch level
  • Consider restricting access to sensitive healthcare systems from personal mobile devices
  • Implement additional monitoring for unusual mobile device behaviour or network access patterns

IOCs: CVE-2025-21479, CVE-2025-27038


Threat Intelligence

Stay ahead of emerging cyber threats with real-time insights from our Threat Intelligence service. Contact us to find out more.