15.09.25 Threat Report

Written by Craig Pepper | Sep 15, 2025 9:00:00 AM

In this week’s threat report: Microsoft’s September Patch Tuesday fixes 84 vulnerabilities, including two publicly disclosed zero-days; French regional health agencies report account impersonation attacks that stole patient data; a ransomware hit on a Brazilian healthcare supplier exposes sensitive information; and a third-party breach affecting LNER exposes customer contact details and journey history.

These incidents highlight three priorities for security leaders: rapid patching of internet-facing systems, stronger identity controls (especially MFA and least privilege), and rigorous supplier risk management across cloud and data pipelines. Full report below.

 

Microsoft's September Patch Tuesday Addresses Critical Zero-Day Flaws

Microsoft released its monthly security updates, addressing 84 vulnerabilities. This includes two zero-day vulnerabilities that were publicly disclosed before a patch was available, making them a higher risk. The patches cover a range of products heavily used in healthcare, including Windows, Microsoft Office, and SQL Server. The most common vulnerability types were elevation of privilege (allowing an attacker to gain higher-level permissions) and remote code execution (allowing an attacker to run their own code on a target system).
 
Recommendations:
  • Prioritise the deployment of September's patches, especially for critical and internet-facing systems.
  • Focus on patching Windows SMB (CVE-2025-55234) and SQL Server (CVE-2024-21907) vulnerabilities, which were publicly disclosed.
  • Ensure that endpoint protection and detection systems are updated to identify and block exploitation attempts against these new vulnerabilities.
  • Review and harden SMB Server configurations to require signing and enable Extended Protection for Authentication (EPA).

Healthcare Professionals Impersonated in French Health Agency Attack

Three regional health agencies (ARS) in France reported cyber-attacks where attackers impersonated healthcare professionals to gain access to their systems. By using stolen credentials, the attackers were able to access regional e-health platforms and scrape the personal data of patients, including names, ages, and contact details. While no health information was exposed, the incident highlights the significant risk of phishing and credential theft targeting healthcare staff.
 
UK healthcare operates in a similar way, with regional bodies and shared digital platforms. This attack serves as a warning that a single compromised staff account can lead to a large-scale data breach. The stolen information is likely to be used in targeted phishing campaigns against patients, eroding trust and potentially leading to further fraud.
 
Recommendations:
  • Reinforce cybersecurity awareness training, focusing on phishing and social engineering threats.
  • Implement multi-factor authentication (MFA) across all clinical and administrative systems to mitigate the impact of stolen credentials.
  • Review and restrict access privileges to ensure staff can only access the data and systems they absolutely need.
  • Monitor for unusual access patterns that could indicate a compromised account.
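The last recommendation, as an added example that is not part of the report: a small detector, run over constructed access-log lines (one line per patient-record view), that flags an account pulling an unusual number of distinct records in a short window (the scraping pattern described above) or working from a country outside its baseline. The log format, thresholds and baseline table are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log format: timestamp, account, source IP, GeoIP country, patient id.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]{2}) (P\d+)$")

# Constructed baseline (not from the report): countries each account normally works from.
BASELINE_COUNTRIES = {"dr.martin": {"FR"}, "nurse.lopez": {"FR"}}

def parse_events(text):
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "account": m.group(2), "ip": m.group(3),
                       "country": m.group(4), "patient": m.group(5)})
    return sorted(events, key=lambda e: e["ts"])

def detect_suspicious_accounts(events, window_minutes=10, max_records=25):
    """Return {account: [reasons]} for bulk record access inside a sliding window
    and for access from a country outside the account's baseline."""
    findings, per_account, bulk_max = defaultdict(set), defaultdict(list), {}
    for e in events:
        per_account[e["account"]].append(e)
        if e["country"] not in BASELINE_COUNTRIES.get(e["account"], set()):
            findings[e["account"]].add(f"new country {e['country']} from {e['ip']}")
    for account, evs in per_account.items():
        window = deque()
        for e in evs:  # already time-ordered by parse_events
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_minutes * 60:
                window.popleft()
            distinct = len({w["patient"] for w in window})
            if distinct > max_records:
                bulk_max[account] = max(bulk_max.get(account, 0), distinct)
    for account, n in bulk_max.items():
        findings[account].add(f"{n} distinct records within {window_minutes} min")
    return {a: sorted(r) for a, r in findings.items()}

def constructed_sample_log():
    """Constructed data: a clinician viewing six records during the day, and a
    stolen account pulling 120 records in eight minutes, at night, from a new country."""
    lines = [f"2025-09-10T09:{i * 7:02d}:00Z dr.martin 10.0.4.21 FR P100{i:02d}" for i in range(6)]
    for i in range(120):
        mins, secs = divmod(i * 4, 60)
        lines.append(f"2025-09-10T23:{mins:02d}:{secs:02d}Z nurse.lopez 203.0.113.9 RO P2{i:04d}")
    return "\n".join(lines)

if __name__ == "__main__":
    for account, reasons in detect_suspicious_accounts(parse_events(constructed_sample_log())).items():
        print(account, "->", "; ".join(reasons))
```

In production the baseline would be learned from a few weeks of history per account rather than hard-coded, and the thresholds tuned per role.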


Ransomware Group Hits Healthcare Supply Chain via Cloud Misconfiguration

The ransomware group KillSec successfully attacked MedicSolution, a Brazilian healthcare software provider, by exploiting a misconfigured Amazon Web Services (AWS) cloud bucket. The attackers stole over 34GB of data, including highly sensitive patient information like medical evaluations, lab results, and unredacted photos. This is a classic supply chain attack, where a single vendor breach affects multiple healthcare institutions that rely on its software.
 
Many UK health tech companies and NHS suppliers store data on cloud services like AWS. This incident is a critical reminder that a simple misconfiguration can lead to a data breach. It highlights the importance of securing not just your own systems but also ensuring that your third-party suppliers have robust security practices.
 
Recommendations:
  • Review all cloud storage configurations to ensure they are not publicly exposed.
  • Implement a robust third-party risk management program to assess the security posture of all suppliers.
  • Encrypt all sensitive data at rest and in transit within cloud environments.
  • Regularly conduct security audits and penetration tests of your cloud infrastructure.
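The first recommendation, as an added example that is not part of the report or of any vendor's tooling: logic that evaluates an S3 bucket's exposure from its public access block, ACL and bucket policy, combined the way S3 applies them. The inputs are constructed dictionaries in the shape boto3's get_public_access_block, get_bucket_acl and get_bucket_policy responses take; fetching them from AWS is left out so the example runs offline.

```python
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def acl_is_public(acl):
    """True if any grant goes to the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in acl.get("Grants", []))

def policy_is_public(policy_doc):
    """True if an unconditional Allow statement names the anonymous principal."""
    for stmt in policy_doc.get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and anonymous and not stmt.get("Condition"):
            return True
    return False

def assess_bucket(pab, acl, policy_json=None):
    """A public ACL is neutralised by IgnorePublicAcls, a public policy by
    RestrictPublicBuckets; anything else public means the bucket is exposed."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    findings, exposed = [], False
    missing = [k for k in PAB_KEYS if not cfg.get(k)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    if acl_is_public(acl):
        findings.append("ACL grants access to a public group")
        exposed |= not cfg.get("IgnorePublicAcls")
    if policy_json and policy_is_public(json.loads(policy_json)):
        findings.append("bucket policy allows the anonymous principal")
        exposed |= not cfg.get("RestrictPublicBuckets")
    return {"exposed": exposed, "findings": findings}

# Constructed sample settings (not from the incident), in boto3 response shape.
PAB_OFF = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}
PAB_ON = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
ACL_PRIVATE = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
ACL_WORLD_READ = {"Grants": ACL_PRIVATE["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
POLICY_ANON = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for label, args in {"acl open, no block": (PAB_OFF, ACL_WORLD_READ),
                        "acl open, block on": (PAB_ON, ACL_WORLD_READ),
                        "policy anon, no block": (PAB_OFF, ACL_PRIVATE, POLICY_ANON)}.items():
        print(label, "->", assess_bucket(*args))
```

Even where the block neutralises a public grant, the grant is still reported so it can be removed rather than left latent behind a setting someone may later relax.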

LNER Customer Data Exposed via Third-Party Supplier Breach

LNER confirmed that an attacker accessed customer contact information and some details about previous journeys after breaking into systems at a supplier. Ticketing operations and rail services were not affected, and LNER says no bank, card, or password data was involved. Nonetheless, the operator is advising customers to remain vigilant for suspicious communications.

Based on what is known so far, the breach originated at a third-party supplier that handled files containing LNER customer data, exposing contact details—such as names, email addresses, and phone numbers—and elements of journey history that could be repurposed for convincing social-engineering lures tied to specific routes or dates. LNER has issued a public update and customer factsheet urging vigilance while withholding the supplier’s identity and limiting technical detail at this stage (The Register). LNER’s own media notice corroborates the supplier origin and confirms that no bank, payment-card, or password data were affected (LNER News). Beyond the immediate phishing and impersonation risk, organisations should anticipate attempts at account takeover via further social engineering, alongside heightened regulatory and contractual scrutiny of supplier security controls and due diligence across the transport supply chain.

Recommendations:
  • Review all third-party data processors and cloud storage configurations to ensure customer files are not publicly exposed, and confirm secure transfer mechanisms are enforced.
  • Implement a robust third-party risk management programme: assess suppliers’ security posture (MFA, least privilege, logging), mandate breach-notification SLAs, and require regular independent testing with the right to audit.
  • Rotate credentials and access paths used by suppliers (API keys, OAuth apps, service accounts), tighten IP allow-listing, and set short-lived access with automated expiry.
  • Strengthen anti-phishing defences aligned to this scenario, monitor for lookalike domains, run targeted simulations around refunds and service disruptions, and equip support teams with pre-approved customer guidance.
