
Threat Report 163

Written by Craig Pepper | Feb 16, 2026 10:00:00 AM

This week's Threat Report: a ransomware campaign targeting healthcare supply chain vendors across the UK, a critical vulnerability in ConnectWise ScreenConnect being actively exploited, a credential-harvesting campaign abusing Microsoft Azure blob storage to trick users, and a high-severity flaw in Fortinet FortiOS that could allow remote attackers to take control of firewalls.

Ransomware Campaign Targeting UK Healthcare Supply Chain Vendors

NHS England published an alert warning that several UK-based suppliers to the health sector have been hit by a coordinated ransomware campaign over the past fortnight. The attackers appear to be using phishing emails that impersonate NHS procurement communications. Once a victim clicks the malicious link, ransomware is deployed that encrypts files and attempts to move sideways across the network. At least three suppliers have reported disruption to services that support NHS trusts.

If you supply products or services to the NHS, you are a target — not just the NHS itself. Attackers know that smaller suppliers often have fewer security controls than the trusts they serve. A successful attack on a supplier can disrupt patient care, breach sensitive data, and put your DSPT (Data Security and Protection Toolkit) compliance at risk. Under NHS contractual requirements, suppliers must report incidents promptly and demonstrate adequate security measures.

Recommendations

  • Warn all staff about phishing emails that appear to come from NHS procurement or commissioning teams. Check sender addresses carefully.
  • Ensure offline or immutable backups are in place and tested regularly.
  • Review and restrict administrative privileges so that ransomware cannot easily spread across your network.
  • If you are an NHS supplier, confirm your incident response plan is up to date and that you know how to report a cyber incident to NHS England.
  • Check that your endpoint detection and response (EDR) tools are active and up to date on all devices.

Critical ConnectWise ScreenConnect Vulnerability Under Active Exploitation

A critical vulnerability (CVE-2026-2173) has been discovered in ConnectWise ScreenConnect, a remote access tool used widely by IT support teams and managed service providers (MSPs). The flaw allows an unauthenticated attacker — someone without a username or password — to gain full control of the ScreenConnect server. Security researchers confirmed that attackers are already exploiting this vulnerability in the wild to deploy backdoors and steal data. ConnectWise has released an emergency patch.

ScreenConnect is used by many IT support companies and MSPs that manage systems for healthcare organisations, including NHS trusts and GP practices. If an attacker compromises a ScreenConnect server, they could gain access to every device managed through it. This is a supply chain risk: even if your own organisation does not use ScreenConnect directly, your IT provider might. This type of vulnerability has been used in previous large-scale attacks against healthcare.

Recommendations

  • If you use ConnectWise ScreenConnect, apply the emergency patch immediately. Do not delay.
  • If a third-party IT provider manages your systems, contact them today and ask whether they use ScreenConnect and whether they have patched it.
  • Review logs from your remote access tools for any unusual activity, especially unexpected logins or new user accounts.
  • Consider restricting access to remote management tools so they are only reachable from known, trusted IP addresses.
  • If you suspect compromise, isolate affected systems and engage your incident response process.

Credential-Harvesting Campaign Abusing Microsoft Azure Blob Storage

Security researchers have identified a widespread phishing campaign that uses Microsoft Azure blob storage to host fake login pages. Because the phishing pages sit on a legitimate Microsoft domain (blob.core.windows.net), they often bypass email security filters and appear trustworthy to victims. The fake pages mimic Microsoft 365 and Outlook login screens. When someone enters their username and password, the credentials are sent straight to the attackers. The campaign has been observed targeting organisations across Europe, including the UK.
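As an added illustration (not part of the original report), the Python snippet below shows the check a mail-triage or link-rewriting script can make on the URLs in a message: a link whose hostname ends in .blob.core.windows.net is served from an Azure storage account, not from a Microsoft sign-in host, and the subdomain names the storage account that can be reported and blocked at the proxy. The sample message body, the storage account name and the list of trusted sign-in hosts are constructed assumptions for this example.

```python
"""Flag e-mail links that point at Azure Blob Storage rather than a genuine
Microsoft sign-in host.

Added example, not code from the report. The message body and the storage
account name below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hosts a genuine Microsoft 365 / Outlook sign-in actually goes through.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Every Azure Blob Storage account's public endpoint is <account> + this suffix.
BLOB_SUFFIX = ".blob.core.windows.net"

# Simple URL extractor, good enough for plain-text or lightly formatted bodies.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample message (not a real phishing e-mail).
SAMPLE_BODY = """
Your mailbox is almost full. Sign in to review your quota:
https://examplestorage123.blob.core.windows.net/m365/login.html?u=staff
Our genuine portal: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Unrelated link: https://www.example.com/newsletter
"""


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def classify_link(url: str) -> str:
    """Return trusted-login, blob-storage or other, judged on the hostname only."""
    host = host_of(url)
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted-login"
    if host.endswith(BLOB_SUFFIX):
        return "blob-storage"
    return "other"


def storage_account(url: str) -> Optional[str]:
    """The storage account name (the subdomain) of a blob URL, else None."""
    host = host_of(url)
    if not host.endswith(BLOB_SUFFIX):
        return None
    return host[: -len(BLOB_SUFFIX)]


def find_blob_hosted_links(body: str) -> List[Dict[str, str]]:
    """Every blob-storage link in the body, with the account that hosts it,
    so the account can be reported to Microsoft and blocked at the proxy."""
    findings = []
    for url in URL_RE.findall(body):
        account = storage_account(url)
        if account is not None:
            findings.append({"url": url, "account": account})
    return findings


if __name__ == "__main__":
    for hit in find_blob_hosted_links(SAMPLE_BODY):
        print(f"blob-hosted link: {hit['url']} (storage account {hit['account']})")
```

The check deliberately looks at the hostname alone: the path, the page title and the branding on the page are all under the attacker's control, while the .blob.core.windows.net suffix is a fixed property of where the content is hosted. A link classified as blob-storage that asks for a password is the pattern described above.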

Microsoft 365 is the standard email and productivity platform for a huge number of UK businesses and NHS organisations. Stolen credentials can give attackers access to emails, SharePoint files, Teams messages, and potentially patient data. Because the phishing pages are hosted on a genuine Microsoft domain, even security-aware users may be tricked. Organisations that rely solely on email filtering to catch phishing will find this campaign particularly difficult to detect.

Recommendations

  • Enable multi-factor authentication (MFA) on all Microsoft 365 accounts. This is the single most effective defence against stolen passwords.
  • Train staff to be suspicious of any unexpected login prompt, even if the URL looks like it belongs to Microsoft.
  • Use conditional access policies to block logins from unusual locations or unmanaged devices.
  • Review sign-in logs in Azure Active Directory (Entra ID) for failed or suspicious login attempts.
  • Report any suspected phishing emails to your IT or security team and to the NCSC via report@phishing.gov.uk.
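The sign-in log review recommended above, as an added example that is not part of the original report: a Python script over an exported set of Entra ID sign-in events that flags a successful sign-in preceded by a burst of failures from the same address, and a successful sign-in from a country the user has not signed in from before. The events, user names, IP addresses and the per-user "known countries" table are constructed; the field names follow Microsoft Graph's signIn resource, and the threshold and time window are arbitrary starting points to tune against your own data.

```python
"""Triage exported Entra ID sign-in events for two patterns worth a look:
a burst of failed sign-ins followed by a success from the same address, and
a success from a country the user has not signed in from before.

Added example, not code from the report. The events are constructed; field
names follow the Graph signIn resource (userPrincipalName, ipAddress,
createdDateTime, status.errorCode, location.countryOrRegion). errorCode 0
is success; 50126 is Entra's invalid username or password code.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

FAIL_THRESHOLD = 5              # failures before a later success is interesting
WINDOW = timedelta(minutes=30)  # how far back to count those failures

# Constructed sample export; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.10",
     "createdDateTime": f"2026-02-16T09:0{i}:00Z", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "NL"}}
    for i in range(6)
] + [
    {"userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.10",
     "createdDateTime": "2026-02-16T09:07:00Z", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "bob@example.org", "ipAddress": "198.51.100.7",
     "createdDateTime": "2026-02-16T09:10:00Z", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "GB"}},
]

# Countries each user normally signs in from (in practice built from prior history).
KNOWN_COUNTRIES: Dict[str, Set[str]] = {
    "alice@example.org": {"GB"},
    "bob@example.org": {"GB"},
}


def parse_ts(value: str) -> datetime:
    """Graph timestamps are ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(events: List[dict], known_countries: Dict[str, Set[str]]) -> List[dict]:
    """Walk the events in time order and return a list of alert dicts."""
    events = sorted(events, key=lambda e: parse_ts(e["createdDateTime"]))
    failures = defaultdict(list)   # (user, ip) -> timestamps of failed attempts
    alerts = []
    for e in events:
        user, ip = e["userPrincipalName"], e["ipAddress"]
        ts = parse_ts(e["createdDateTime"])
        if e["status"]["errorCode"] != 0:
            failures[(user, ip)].append(ts)
            continue
        # A success: was it preceded by a run of failures from this address?
        recent = [t for t in failures[(user, ip)] if ts - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append({"type": "success-after-failures", "user": user, "ip": ip,
                           "failures": len(recent), "at": e["createdDateTime"]})
        # A success from somewhere this user has never signed in from?
        country = e["location"]["countryOrRegion"]
        if country not in known_countries.get(user, set()):
            alerts.append({"type": "new-country", "user": user, "ip": ip,
                           "country": country, "at": e["createdDateTime"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, KNOWN_COUNTRIES):
        print(alert)
```

Failures on their own do not raise an alert here; a burst of failed attempts is common noise, and the signal is the success that follows it. The new-country check is the simple form of what conditional access policies enforce automatically, which is why enabling those policies is listed above as the stronger control.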

High-Severity Fortinet FortiOS Flaw Allows Remote Attacker Access

Fortinet has disclosed a high-severity vulnerability (CVE-2026-21345) in FortiOS, the operating system that runs on its widely used FortiGate firewalls. The flaw could allow a remote attacker to execute commands on the firewall without logging in. Fortinet has released updated firmware to fix the issue and has warned that proof-of-concept exploit code is circulating online, meaning attacks could begin at any time.

FortiGate firewalls are used by thousands of UK organisations, including healthcare providers and NHS-connected networks. A firewall is supposed to be the front door of your network security. If an attacker can take control of it remotely, they can bypass all the protections it provides, intercept traffic, and move into your internal network. Ransomware gangs have quickly weaponised previous Fortinet vulnerabilities, so the window to patch is very short.

Recommendations

  • Check whether your organisation uses FortiGate firewalls and, if so, apply the firmware update released by Fortinet as a matter of urgency.
  • If you cannot patch immediately, follow Fortinet's published workaround guidance to reduce your exposure.
  • Review your firewall management interfaces — ensure they are not exposed to the public internet.
  • Monitor firewall logs for unexpected configuration changes or unusual administrative sessions.
  • If you use a managed firewall service, contact your provider to confirm the patch has been applied.
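To show what "monitor firewall logs for unusual administrative sessions or configuration changes" looks like in practice, here is an added Python example (not from the report and not from Fortinet) that parses FortiGate-style key=value event logs, flags admin sessions from addresses outside a trusted management list, and lists configuration changes together with who made them and from where. The same allowlist check is what the ScreenConnect recommendations above ask for when reviewing remote access logs. The log lines, addresses, admin names and trusted-host list are constructed, and the exact field names are an assumption about your firmware's log format that you should check against your own logs.

```python
"""Review FortiGate-style event logs for admin logins from outside the
trusted management hosts and for configuration changes.

Added example, not code from the report or from Fortinet. The log lines are
constructed to resemble FortiOS key=value event logs (type/subtype/logdesc/
user/ui/action/status, plus cfgpath for configuration changes); treat the
field names as an assumption and adjust them to your firmware's output.
"""
import re
from typing import Dict, List

# Management hosts from which admin sessions are expected (constructed, RFC 5737 range).
TRUSTED_MGMT_HOSTS = {"192.0.2.10", "192.0.2.11"}
APPROVED_ADMINS = {"admin", "netops"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')          # key="quoted" or key=bare
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # address inside ui="https(x.x.x.x)"

# Constructed sample log (four events); 203.0.113.55 stands in for an unknown source.
SAMPLE_LOG = """\
date=2026-02-16 time=08:55:12 type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(192.0.2.10)" action="login" status="success" msg="Administrator netops logged in successfully from https(192.0.2.10)"
date=2026-02-16 time=09:02:41 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.55)" action="login" status="success" msg="Administrator admin logged in successfully from ssh(203.0.113.55)"
date=2026-02-16 time=09:03:10 type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="ssh(203.0.113.55)" action="Edit" cfgpath="system.admin" cfgobj="support" msg="Edit system.admin support"
date=2026-02-16 time=09:15:00 type="event" subtype="system" level="information" logdesc="Admin login failed" user="root" ui="https(203.0.113.55)" action="login" status="failed" msg="Administrator root login failed from https(203.0.113.55)"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def source_ip(entry: Dict[str, str]) -> str:
    """The ui field looks like https(192.0.2.10); pull out the address, or ''."""
    m = UI_IP_RE.search(entry.get("ui", ""))
    return m.group(1) if m else ""


def review(log_text: str) -> List[Dict[str, str]]:
    """Return findings for untrusted admin sessions and for config changes."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        ip = source_ip(e)
        when = f"{e.get('date', '')} {e.get('time', '')}"
        # Any login attempt, successful or not, from a host not on the management list.
        if e.get("action") == "login" and ip and ip not in TRUSTED_MGMT_HOSTS:
            findings.append({"at": when, "kind": "admin-session-from-untrusted-host",
                             "user": e.get("user", ""), "ip": ip,
                             "status": e.get("status", "")})
        # Every configuration change is worth listing; grade it by source and actor.
        if e.get("logdesc") == "Object attribute configured":
            if ip and ip not in TRUSTED_MGMT_HOSTS:
                kind = "config-change-from-untrusted-host"
            elif e.get("user") not in APPROVED_ADMINS:
                kind = "config-change-by-unapproved-admin"
            else:
                kind = "config-change"
            findings.append({"at": when, "kind": kind, "user": e.get("user", ""),
                             "ip": ip, "path": e.get("cfgpath", "")})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f)
```

In the constructed sample the interesting sequence is an admin session from an address outside the management list followed a minute later by an edit under system.admin, which is exactly the kind of unexpected administrative session and configuration change the recommendation above asks you to look for. Running the check over a day of logs, rather than reading them by eye, is what makes the short patch window workable.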

Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services.