Threat Report 167
In this week's report: multiple critical vulnerabilities in Veeam Backup (CVSS 9.9) that put recovery systems at direct risk, an actively exploited authentication bypass in Ivanti Endpoint Manager exposing stored credentials, a credential-theft campaign using fake VPN clients, two Google Chrome zero-days already being exploited, a major data breach at global IT outsourcer Telus Digital linked to ShinyHunters, and an Iran-linked destructive attack on one of the world's largest medical device manufacturers. Your full breakdown and guidance in the stories below...
Critical Flaws Found in Veeam Backup Software Put Recovery Systems at Risk
Veeam has released a security bulletin fixing three critical vulnerabilities in its Backup & Replication software. All three — CVE-2026-21666, CVE-2026-21667, and CVE-2026-21708 — allow an authenticated attacker to run malicious code on the backup server remotely. Each carries a CVSS severity score of 9.9 out of 10. Veeam also fixed two additional high-severity flaws in the same update. The vulnerabilities affect all versions up to and including 12.3.2.4165. Veeam has confirmed that older, unsupported versions are likely affected as well.
Veeam Backup & Replication is one of the most widely used backup and recovery tools in the world, including across NHS trusts and their suppliers. Backup systems are a critical last line of defence against ransomware. If an attacker can run code on a backup server, they could destroy or corrupt your backups before launching a wider attack — making recovery far more difficult, or even impossible. For NHS suppliers, robust backup and recovery is a key requirement under the DSPT. A compromised backup solution puts that compliance, and your customers' data, at serious risk.
Recommendations:
- Check whether your organisation uses Veeam Backup & Replication and identify your current installed version.
- Apply the security update from Veeam's Security Bulletin KB4830 as soon as possible.
- If you are running an unsupported version of the product, prioritise migration to a supported release.
- Restrict network access to backup servers so that only authorised systems and accounts can connect to them.
- Ensure backup data is stored in a way that prevents easy deletion or encryption by an attacker — this includes offsite copies or immutable backup storage.
Ivanti Endpoint Manager Flaw Actively Exploited to Leak Stored Credentials
A vulnerability in Ivanti Endpoint Manager (EPM) — a tool used by IT teams to manage and monitor devices across a network — is now being actively exploited. The flaw, CVE-2026-1603, has a CVSS score of 8.6. It allows an attacker to bypass the login screen entirely and access credential data stored on the server, without needing a username or password. The US government's cyber security agency, CISA, has added it to its Known Exploited Vulnerabilities Catalogue. This means confirmed exploitation has been observed in the wild. NHS England's National CSOC has assessed that further exploitation is highly likely. A patch has been available since February 2026 but may not yet have been applied in all affected organisations.
Ivanti products are used widely across enterprise and public-sector environments, including the NHS. This flaw allows an unauthenticated attacker to extract credentials stored on the Ivanti EPM server. Those credentials could include service account passwords that would give an attacker deeper access to your network. For organisations holding health data, a compromise of endpoint management systems can quickly escalate into a serious breach. NHS suppliers with DSPT obligations should treat this as an urgent patching priority.
Recommendations:
- Check whether your organisation uses Ivanti Endpoint Manager and identify your current installed version.
- Apply the patch from Ivanti's Security Advisory for EPM February 2026 without delay. The fix requires updating to EPM 2024 SU4 SR1 or later.
- As a precaution, rotate any credentials or service account passwords stored within or processed by Ivanti EPM.
- Review access logs on the Ivanti EPM server for any signs of unusual or unauthenticated access attempts.
- If patching cannot be applied immediately, consider isolating the server from external access until the update is in place.
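Reviewing the server's web access logs, as the recommendation above suggests, is easier with a script than by eye. The following is an added example, not Ivanti's tooling and not from the advisory: it parses an IIS W3C log and flags requests from outside the networks that should be able to reach the EPM server, plus 2xx responses on post-login paths where IIS recorded no authenticated user. It assumes the EPM web services are hosted on IIS with W3C logging enabled; the subnets, the paths and the log lines are constructed for illustration, and it does not encode the specific request used to exploit CVE-2026-1603, which the report does not describe.

```python
"""Triage an IIS W3C log from an Ivanti EPM server for unexpected sources and
unauthenticated requests. Example code added for this report; the sample log
lines are constructed, and the subnets and paths are assumptions."""
import ipaddress
from collections import Counter

# Assumed: the only networks that should talk to the EPM server at all.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Assumed (hypothetical paths): pages legitimately reached before a user logs in.
PRE_AUTH_PATHS = ("/login", "/remote/login")

# Constructed sample in IIS W3C format; a real log normally lives under
# %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\ on the IIS host.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status
2026-03-10 08:01:12 10.20.4.15 GET /remote/login - 200
2026-03-10 08:01:20 10.20.4.15 POST /remote/login - 302
2026-03-10 08:01:21 10.20.4.15 GET /remote/console jsmith 200
2026-03-10 08:15:40 203.0.113.77 GET /remote/login - 200
2026-03-10 08:15:41 203.0.113.77 GET /remote/console - 200
2026-03-10 08:15:43 203.0.113.77 GET /remote/export - 200
"""

def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed rows rather than guess at columns
        yield dict(zip(fields, parts))

def is_allowed_source(ip):
    """True if the client address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)

def triage(text):
    """Return findings keyed by source IP. Each entry is (timestamp, reasons):
    the source is outside the allowed networks, or a post-login path returned
    2xx while IIS recorded no authenticated user."""
    findings = {}
    for req in parse_w3c(text):
        reasons = []
        if not is_allowed_source(req["c-ip"]):
            reasons.append("source outside allowed networks")
        unauth = req["cs-username"] == "-"
        pre_auth = req["cs-uri-stem"].lower().startswith(PRE_AUTH_PATHS)
        ok = req["sc-status"].startswith("2")
        if unauth and not pre_auth and ok:
            reasons.append(f"2xx on {req['cs-uri-stem']} with no authenticated user")
        if reasons:
            stamp = req["date"] + " " + req["time"]
            findings.setdefault(req["c-ip"], []).append((stamp, reasons))
    return findings

def summarise(findings):
    """Count flagged requests per source, worst first."""
    counts = Counter({ip: len(items) for ip, items in findings.items()})
    return counts.most_common()

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ip, n in summarise(found):
        print(f"{ip}: {n} flagged request(s)")
        for stamp, reasons in found[ip]:
            print(f"  {stamp}  {'; '.join(reasons)}")
```

Two caveats when running this against a real log. IIS only fills cs-username when it authenticates the user itself (Windows authentication); if the application handles its own forms login, that column is "-" for everything and the unauthenticated-user check becomes noise, leaving the source-network check as the useful signal. Treat hits as leads to correlate with EPM's own audit trail and with the credential stores on the server, not as proof of compromise on their own.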
Fake VPN Clients Used in Active Campaign to Steal Enterprise Credentials
Microsoft has disclosed details of an ongoing credential-theft campaign by a group it tracks as Storm-2561. The attackers have built fake websites that imitate the official download pages for well-known VPN products from vendors including Cisco, Fortinet, Check Point, Ivanti, SonicWall, Sophos, and WatchGuard, and use search engine optimisation (SEO poisoning) to push these pages to the top of search results. A user who downloads what they believe is a legitimate VPN installer is in fact installing malware. The fake application prompts for credentials, silently sends them to the attackers, then shows an error message and redirects the victim to the real vendor's website, so the user has no reason to suspect anything went wrong. The campaign has been running since mid-January 2026. The fake installers were signed with a valid code-signing certificate, which has since been revoked.
VPN software is used every day by staff working from home or accessing systems remotely, including across the NHS and its supply chain. Because the fake pages look genuine and appear near the top of search results, users who are simply trying to do their job can unknowingly hand their credentials to attackers. Stolen VPN credentials can give an attacker direct access to your internal network. For health organisations handling patient data, that can quickly lead to a serious breach. The campaign targets products from many vendors, so no organisation can assume it is out of scope because of which VPN it uses.
Recommendations:
- Alert staff to this campaign — particularly IT teams and remote workers who may be searching online for VPN software or updates.
- Remind users to download software only from official vendor websites accessed via a verified internal link or IT portal, not via search engine results.
- Enforce multi-factor authentication on all VPN accounts so that a stolen password alone is not enough to gain access. Prefer phishing-resistant methods (FIDO2/WebAuthn or certificate-based) where the VPN supports them, since a fake client that also prompts for a one-time code can harvest that too.
- Where possible, have IT push VPN software centrally to devices rather than asking users to download it themselves.
- Review endpoint security settings so that unexpected installers are blocked or flagged before they run. A valid signature is not on its own evidence of legitimacy: the installers in this campaign were signed with a certificate that was valid at the time. Where you use application control, allow VPN clients by specific publisher rather than "any signed binary", and make sure endpoints actually check certificate revocation.
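One way to look for this campaign retrospectively is to search web proxy logs for VPN installer downloads served from somewhere other than the vendor. The block below is an added example, not Microsoft's detection content and not from the report: it parses constructed proxy log lines, identifies installer downloads whose file name claims to be a known VPN client, and reports those fetched from a host outside that vendor's domain. The product-to-domain allowlist is an assumption for illustration (confirm the real download hosts with each vendor), and the suspicious hostnames in the sample use the reserved .example domain.

```python
"""Hunt a web proxy log for VPN client installers downloaded from hosts that
are not the vendor's own. Added example for this report, not Microsoft's
detection logic. Log lines are constructed; the vendor domain allowlist is
illustrative and should be confirmed against your own vendor records."""
from urllib.parse import urlparse

# Name fragments to look for in the downloaded file name, mapped to the
# domains the genuine installer is expected to come from (assumed list).
VENDOR_DOMAINS = {
    "anyconnect": ("cisco.com",),
    "forticlient": ("fortinet.com",),
    "netextender": ("sonicwall.com",),
    "sophosconnect": ("sophos.com",),
}
INSTALLER_EXTENSIONS = (".exe", ".msi", ".dmg", ".pkg")

# Constructed proxy log: timestamp client user method url status.
SAMPLE_LOG = """\
2026-03-09T10:12:03Z 10.20.4.15 jsmith GET https://www.cisco.com/downloads/anyconnect-win-predeploy-k9.msi 200
2026-03-09T10:40:51Z 10.20.7.201 abrown GET https://cisco-anyconnect-download.example/files/AnyConnect_Setup.exe 200
2026-03-09T11:02:10Z 10.20.7.201 abrown GET https://cisco-anyconnect-download.example/img/logo.png 200
2026-03-09T11:15:00Z 10.20.9.8 tlee GET https://forticlient-vpn-download.example/FortiClientSetup.exe 200
2026-03-09T11:20:00Z 10.20.9.8 tlee GET https://www.fortinet.com/support/FortiClientOnlineInstaller.exe 200
"""

def host_in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it. Matching on the
    dot boundary rejects lookalikes such as 'cisco.com.evil.example'."""
    return host == domain or host.endswith("." + domain)

def product_for(filename):
    """Return the product key whose name fragment appears in the file name,
    ignoring case and separators, or None if no known product matches."""
    squashed = "".join(ch for ch in filename.lower() if ch.isalnum())
    for key in VENDOR_DOMAINS:
        if key in squashed:
            return key
    return None

def hunt(log_text):
    """Return one finding per installer download whose file name claims to be
    a known VPN client but whose host lies outside that vendor's domains."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # ignore blank or malformed lines
        stamp, client, user, _method, url, status = parts
        parsed = urlparse(url)
        filename = parsed.path.rsplit("/", 1)[-1]
        if not filename.lower().endswith(INSTALLER_EXTENSIONS):
            continue
        product = product_for(filename)
        if product is None:
            continue
        host = (parsed.hostname or "").lower()
        if any(host_in_domain(host, d) for d in VENDOR_DOMAINS[product]):
            continue
        findings.append({"time": stamp, "client": client, "user": user,
                         "product": product, "host": host, "url": url,
                         "status": status})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['time']} {f['user']}@{f['client']} fetched a {f['product']} "
              f"installer from {f['host']}")
```

Matching on the file name only catches the obvious case; a lookalike site can rename the download, so treat this as one hunt among several and pair it with the referrer (a search-engine result page immediately before the download is a strong tell) and with domain age where your proxy records it. Every hit is a user whose VPN password should be reset and whose MFA enrolment should be checked.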
Iran-Linked Group Claims Destructive Attack on Global Medical Device Firm
An Iran-linked group called Handala, believed to be connected to Iran's Ministry of Intelligence and Security, has claimed responsibility for a cyberattack on Stryker, one of the world's largest medical device companies. On 11 March 2026, Stryker confirmed it was experiencing a "global network disruption" to its Microsoft environment as a result of a cyberattack. Initial reports suggested that some employee devices, including personal phones, had been wiped. Handala claimed to have destroyed over 200,000 systems and servers and stolen 50 terabytes of data. Stryker said it found no evidence of ransomware. CISA confirmed it was investigating and providing technical assistance. The group said the attack was in retaliation for US military actions in the Middle East. Check Point Research described the incident as "a significant escalation" and a "wake-up call for the entire medtech sector."
This is the first time Handala is reported to have carried out a destructive attack against a major global company. The fact that the target was a medical device company — one whose products are used in hospitals worldwide, including in the UK — is significant. The NCSC issued guidance in early March 2026 urging UK businesses to review their defences in light of heightened Iranian cyber activity. UK organisations that supply to the NHS, or that use Stryker equipment, should be aware that nation-state threats are no longer limited to government or defence targets. If Stryker's internal systems were genuinely affected, there may be downstream consequences for product support, software updates, or data that has been shared with NHS procurement teams.
Recommendations:
- Review the NCSC's guidance on preparing for elevated cyber threats linked to the Iran conflict, available at ncsc.gov.uk.
- If your organisation has a supplier relationship with Stryker, or uses Stryker medical devices, contact them to ask whether any shared systems or data were affected.
- Ensure all externally facing systems — particularly remote access tools, email platforms, and supplier portals — are fully patched and protected with MFA.
- Check that your incident response plan is up to date and that staff know what steps to take if a disruption occurs.
- Report any suspicious activity that may be linked to Iranian threat actors to report@ncsc.gov.uk.
Two Google Chrome Zero-Days Actively Exploited Before Patches Were Available
Google has pushed an emergency security update for Chrome after confirming that two high-severity vulnerabilities were being exploited before patches were available. The first, CVE-2026-3909, is a memory-safety flaw in Skia, the graphics library Chrome uses to render web content. The second, CVE-2026-3910, is a flaw in V8, the engine that runs JavaScript on web pages. A V8 flaw can often be triggered simply by loading a malicious or compromised page, with no further user interaction. Google has confirmed that working exploits exist for both vulnerabilities but is withholding technical details until most users have updated. The fix is included in the latest Stable channel release for Windows, macOS, and Linux. Chrome downloads updates in the background but only applies them on restart, so a browser that has not been restarted recently may still be running the vulnerable build even though the update is on disk.
Chrome is the most widely used browser in the world, including across the NHS, digital health organisations, and their suppliers. A V8 vulnerability is particularly concerning because it can potentially be exploited simply by visiting the wrong webpage. Staff who are browsing as part of their daily work could be at risk without knowing it. For organisations managing fleets of devices, keeping Chrome up to date is an important and often-overlooked control. NHS England has also issued a cyber alert for these vulnerabilities, confirming their relevance for health sector organisations.
Recommendations:
- Check that all devices in your organisation are running the latest version of Chrome. On a single machine, open Chrome's Settings menu and select "About Chrome" (or go to chrome://settings/help); opening that page also triggers an update check. Across a fleet, query your endpoint management inventory rather than checking machines by hand.
- Restart Chrome if an update is pending. A downloaded update only takes effect after the browser restarts, so a device can show the new version installed while the old, vulnerable build is still running.
- Consider enabling automatic browser updates across your device fleet if this is not already in place.
- Remind staff not to dismiss browser update notifications, particularly when zero-days are being actively exploited.
- If your organisation uses Chromium-based browsers such as Microsoft Edge, check whether similar patches are available and apply them promptly.
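For a fleet, "check every device" means a query over an inventory export rather than opening About Chrome on each machine. The block below is an added example, not from the report and not Google's tooling: it reads a constructed inventory export, compares versions numerically rather than as strings, and separates devices that are outdated from devices that have the fix on disk but are still running the old build because the browser has not been restarted. The minimum versions are placeholders, not the real patched build numbers; substitute the numbers from Google's and Microsoft's stable channel release notes for the fix you are tracking, and the column names are assumptions about what your inventory tool exports.

```python
"""Check a device inventory for Chromium-based browsers below the patched
build, and for hosts where a newer build is installed on disk but an older
one is still running (update downloaded, browser not restarted). Added
example; inventory rows are constructed and the minimum versions are
placeholders to be replaced from the vendor's release notes."""
import csv
import io

# Placeholders, not the real patched builds: take the numbers from the
# vendors' stable channel release notes for the fix you are tracking.
MIN_VERSION = {
    "chrome": "134.0.6998.89",
    "edge": "134.0.3124.51",
}

# Constructed inventory in the shape an endpoint management export might take.
# installed_version is what is on disk; running_version is what the live
# process reports. They differ when an update is waiting for a restart.
INVENTORY = """\
hostname,browser,installed_version,running_version
ws-001,chrome,134.0.6998.89,134.0.6998.89
ws-002,chrome,134.0.6998.89,134.0.6998.35
ws-003,chrome,133.0.6943.142,133.0.6943.142
ws-004,edge,134.0.3124.51,134.0.3124.51
ws-005,edge,134.0.3124.38,134.0.3124.38
ws-006,chrome,9.9.9.9,9.9.9.9
"""

def parse_version(s):
    """Turn '134.0.6998.89' into (134, 0, 6998, 89) so comparison is numeric:
    a string compare would wrongly rank '9.9.9.9' above '134.0.0.0'."""
    return tuple(int(p) for p in s.strip().split("."))

def classify(row):
    """Return 'patched', 'restart_pending' or 'outdated' for one inventory row."""
    minimum = parse_version(MIN_VERSION[row["browser"]])
    installed = parse_version(row["installed_version"])
    running = parse_version(row["running_version"])
    if running >= minimum:
        return "patched"
    if installed >= minimum:
        return "restart_pending"  # fix is on disk, old build still in memory
    return "outdated"

def audit(csv_text):
    """Group hostnames by status; browsers without a known minimum are listed
    under 'unknown' so they are not silently treated as safe."""
    result = {"patched": [], "restart_pending": [], "outdated": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["browser"] not in MIN_VERSION:
            result["unknown"].append(row["hostname"])
            continue
        result[classify(row)].append(row["hostname"])
    return result

if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status:16s} {', '.join(hosts) or '-'}")
```

The restart_pending bucket is the one most inventory reports miss: the on-disk version looks current, so the device appears patched while the exploitable build is still the one rendering web pages. Those users need a prompt to restart, or a forced relaunch via policy, rather than another update push.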
Major IT Outsourcer Telus Digital Hit by Data Breach Linked to ShinyHunters
Telus Digital, a large global IT outsourcing company, has confirmed it suffered a cyberattack involving unauthorised access to a number of its systems. The company said it "took immediate steps to address the unauthorised activity and secure its systems." Reports suggest that up to a petabyte of data may have been stolen. The criminal gang ShinyHunters is believed to be behind the attack. According to reports, the attackers obtained valid Google Cloud Platform credentials through a separate, earlier breach at Salesloft, a sales engagement platform used by many businesses, showing how one breach can create a path into another organisation's systems. The Register's report on the incident also disclosed that attackers used fake HR portal pages to steal the personal and financial details of hundreds of Starbucks employees, including Social Security numbers and bank account information.
IT outsourcers often have broad access to the systems and data of their clients, so a breach at a company like Telus Digital can have consequences for any organisation that uses them as a supplier. This is a clear example of third-party and supply chain risk in action. NHS suppliers are expected to manage this risk under the DSPT and Cyber Essentials, and UK GDPR makes data controllers responsible for the processors they use. The Salesloft connection also shows that cloud credentials stolen from one platform can quickly become an entry point into another organisation's infrastructure. Checking what access your third-party suppliers hold, and whether those suppliers have suffered incidents, is an important part of your supply chain security programme.
Recommendations:
- Review your list of third-party IT suppliers and check whether any of them have reported security incidents recently.
- Ask your suppliers, particularly IT outsourcers and managed service providers, to confirm whether they were affected by the Telus Digital breach or any related incident.
- Audit what access your third-party suppliers have to your systems and data, and remove any access that is no longer needed.
- Ensure that cloud platform credentials used by third parties are subject to the same MFA and access control requirements as internal accounts, and prefer short-lived, narrowly scoped tokens over long-lived keys so that a credential stolen from one platform cannot be replayed elsewhere indefinitely.
- Keep track of breach notifications from your suppliers. Under UK GDPR, a breach at a supplier that affects personal data you are responsible for may need to be reported to the ICO within 72 hours of you becoming aware of it, and the same incident will usually need to be reported through your DSPT incident reporting process.
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services.