In this week’s report: multiple critical vulnerabilities in Veeam Backup (CVSS 9.9) that put recovery systems at direct risk, an actively exploited authentication bypass in Ivanti Endpoint Manager exposing stored credentials, a credential-theft campaign using fake VPN clients, two Google Chrome zero‑days already being exploited, a major data breach at global IT outsourcer Telus Digital linked to ShinyHunters, and an Iran‑linked destructive attack on one of the world’s largest medical device manufacturers. Your full breakdown and guidance in the stories below...
Veeam has released a security bulletin fixing three critical vulnerabilities in its Backup & Replication software. All three — CVE-2026-21666, CVE-2026-21667, and CVE-2026-21708 — allow an authenticated attacker to run malicious code on the backup server remotely. Each carries a CVSS severity score of 9.9 out of 10. Veeam also fixed two additional high-severity flaws in the same update. The vulnerabilities affect all versions up to and including 12.3.2.4165. Veeam has confirmed that older, unsupported versions are likely affected as well.
Veeam Backup & Replication is one of the most widely used backup and recovery tools in the world, including across NHS trusts and their suppliers. Backup systems are a critical last line of defence against ransomware. If an attacker can run code on a backup server, they could destroy or corrupt your backups before launching a wider attack — making recovery far more difficult, or even impossible. For NHS suppliers, robust backup and recovery is a key requirement under the DSPT. A compromised backup solution puts that compliance, and your customers' data, at serious risk.
Recommendations:
A vulnerability in Ivanti Endpoint Manager (EPM) — a tool used by IT teams to manage and monitor devices across a network — is now being actively exploited. The flaw, CVE-2026-1603, has a CVSS score of 8.6. It allows an attacker to bypass the login screen entirely and access credential data stored on the server, without needing a username or password. The US government's cyber security agency, CISA, has added it to its Known Exploited Vulnerabilities Catalogue. This means confirmed exploitation has been observed in the wild. NHS England's National CSOC has assessed that further exploitation is highly likely. A patch has been available since February 2026 but may not yet have been applied in all affected organisations.
Ivanti products are used widely across enterprise and public-sector environments, including the NHS. This flaw allows an unauthenticated attacker to extract credentials stored on the Ivanti EPM server. Those credentials could include service account passwords that would give an attacker deeper access to your network. For organisations holding health data, a compromise of endpoint management systems can quickly escalate into a serious breach. NHS suppliers with DSPT obligations should treat this as an urgent patching priority.
Recommendations:
Microsoft has disclosed details of an ongoing credential-theft campaign carried out by a group called Storm-2561. The attackers have built fake websites that look like the official download pages for well-known VPN products from vendors including Cisco, Fortinet, Check Point, Ivanti, SonicWall, Sophos, and WatchGuard. They push these fake pages to the top of search engine results. When a user clicks and downloads what they believe is a legitimate VPN installer, they are actually installing malware. The fake application asks the user to enter their credentials, silently sends those credentials to the attackers, then shows an error message and directs the victim to the real vendor's website — so the user has no reason to suspect anything went wrong. The campaign has been running since mid-January 2026. The fake installers were signed with a valid digital certificate, which has since been revoked.
VPN software is used every day by staff working from home or accessing systems remotely — including across the NHS and its supply chain. Because the fake pages look genuine and appear near the top of search results, users who are simply trying to do their job can unknowingly hand their credentials to attackers. Stolen VPN credentials can give an attacker direct access to your internal network. For health organisations handling patient data, that can quickly lead to a serious breach. The campaign targets products from many different vendors, so no single type of organisation is safe.
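A defensive check for the download-source point above, added here as an example and not taken from the original report or any vendor: it accepts an installer URL only if it is served over HTTPS from an allowlisted vendor domain (the allowlist below is an assumed set of the named vendors' primary domains) and rejects lookalike hosts that merely contain a vendor name.

```python
from urllib.parse import urlsplit

# Assumed allowlist of the vendors' official domains (constructed for this example;
# an organisation would maintain its own list of approved download sources).
OFFICIAL_VENDOR_DOMAINS = {
    "cisco.com", "fortinet.com", "checkpoint.com", "ivanti.com",
    "sonicwall.com", "sophos.com", "watchguard.com",
}


def normalise_host(hostname: str) -> str:
    """Lower-case the host and drop a trailing dot so 'Sophos.COM.' matches 'sophos.com'."""
    return hostname.lower().rstrip(".")


def is_official_download(url: str, allowlist=OFFICIAL_VENDOR_DOMAINS) -> bool:
    """True only if the URL is HTTPS and its host is an allowlisted domain or a subdomain.

    urlsplit().hostname already strips userinfo and port, so a lookalike such as
    https://cisco.com@evil.example/setup.exe resolves to host 'evil.example'.
    A bare suffix check would accept 'cisco.com.evil.example', so the host must be
    exactly the domain or end with '.' + domain.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = normalise_host(parts.hostname)
    return any(host == d or host.endswith("." + d) for d in allowlist)


def triage_downloads(urls):
    """Split candidate installer URLs into (approved, suspicious) lists."""
    approved = [u for u in urls if is_official_download(u)]
    suspicious = [u for u in urls if u not in approved]
    return approved, suspicious


if __name__ == "__main__":
    # Constructed sample: one genuine vendor URL and three lookalike patterns.
    sample = [
        "https://www.cisco.com/c/en/us/support/index.html",
        "https://cisco.com.download-vpn.example/setup.exe",
        "https://cisco.com@evil.example/setup.exe",
        "http://www.fortinet.com/forticlient",  # plain HTTP is not accepted
    ]
    ok, bad = triage_downloads(sample)
    for u in bad:
        print("SUSPICIOUS:", u)
```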
Recommendations:
An Iran-linked group called Handala, believed to be connected to Iran's Ministry of Intelligence and Security, has claimed responsibility for a cyberattack on Stryker, one of the world's largest medical device companies. On 11 March 2026, Stryker confirmed it was experiencing a "global network disruption" to its Microsoft environment as a result of a cyberattack. Initial reports suggested that some employee devices, including personal phones, had been wiped. Handala claimed to have destroyed over 200,000 systems and servers and stolen 50 terabytes of data. Stryker said it found no evidence of ransomware. CISA confirmed it was investigating and providing technical assistance. The group said the attack was in retaliation for US military actions in the Middle East. Check Point Research described the incident as "a significant escalation" and a "wake-up call for the entire medtech sector."
This is the first time Handala is reported to have carried out a destructive attack against a major global company. The fact that the target was a medical device company — one whose products are used in hospitals worldwide, including in the UK — is significant. The NCSC issued guidance in early March 2026 urging UK businesses to review their defences in light of heightened Iranian cyber activity. UK organisations that supply to the NHS, or that use Stryker equipment, should be aware that nation-state threats are no longer limited to government or defence targets. If Stryker's internal systems were genuinely affected, there may be downstream consequences for product support, software updates, or data that has been shared with NHS procurement teams.
Recommendations:
Google has pushed an emergency security update for Chrome after discovering that two high-severity vulnerabilities were already being exploited before the patches were released. The first, CVE-2026-3909, is a memory flaw in Skia — the graphics library Chrome uses to display web content. The second, CVE-2026-3910, is a flaw in V8, the part of Chrome that runs JavaScript on webpages. A flaw in V8 can sometimes be triggered just by visiting a malicious or compromised website, without clicking on anything. Google has confirmed that working exploits exist for both vulnerabilities but has not released further details while most users are still updating. The fix is included in the latest Stable channel release for Windows, macOS, and Linux. Users who have not restarted Chrome recently may not yet have the update installed.
Chrome is the most widely used browser in the world, including across the NHS, digital health organisations, and their suppliers. A V8 vulnerability is particularly concerning because it can potentially be exploited simply by visiting the wrong webpage. Staff who are browsing as part of their daily work could be at risk without knowing it. For organisations managing fleets of devices, ensuring Chrome is kept up to date is an important and often-overlooked control. NHS England has also issued a cyber alert for this vulnerability, confirming its relevance for health sector organisations.
Recommendations:
Telus Digital, a large global IT outsourcing company, has confirmed it suffered a cyberattack involving unauthorised access to a number of its systems. The company said it "took immediate steps to address the unauthorised activity and secure its systems." Reports suggest that up to a petabyte of data may have been stolen. The criminal gang ShinyHunters is believed to be behind the attack. According to reports, the attackers were able to obtain valid Google Cloud Platform credentials through a separate, earlier breach at Salesloft, a sales engagement platform used by many businesses — demonstrating how one breach can create a path into another organisation's systems. The Register report covering the breach also disclosed that attackers used fake HR portal pages to steal the personal and financial details of hundreds of Starbucks employees, including Social Security numbers and bank account information.
IT outsourcers often have broad access to the systems and data of their clients. A breach at a company like Telus Digital can therefore have consequences for any organisation that uses them as a supplier. This is a clear example of third-party and supply chain risk in action. UK organisations are required to manage this risk under the DSPT, Cyber Essentials, and UK GDPR. The Salesloft connection also shows that cloud credential theft from one platform can quickly become an entry point into another organisation's infrastructure. Checking what access your third-party suppliers hold — and whether those suppliers have suffered incidents — is an important part of your supply chain security programme.
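An added example, not from the original report, of the third-party access check described above applied to GCP: it reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` emits and flags public, external, and external-plus-high-privilege bindings. The trusted domain, project id and sample policy are constructed for the example.

```python
import json

# Assumed values (constructed): the organisation's identity domain and GCP project id.
TRUSTED_DOMAINS = {"example-trust.nhs.uk"}
PROJECT_ID = "example-project"
HIGH_PRIVILEGE_ROLES = {"roles/owner", "roles/editor"}  # project-wide write access

# Constructed sample in the shape gcloud emits for
# `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""{"version": 1, "etag": "BwX", "bindings": [
  {"role": "roles/owner", "members": [
     "user:alice@example-trust.nhs.uk",
     "serviceAccount:sync@outsourcer-prod.iam.gserviceaccount.com"]},
  {"role": "roles/viewer", "members": [
     "group:analysts@example-trust.nhs.uk", "allAuthenticatedUsers"]},
  {"role": "roles/storage.objectAdmin", "members": [
     "serviceAccount:etl@example-project.iam.gserviceaccount.com"]}]}""")


def member_domain(member: str) -> str:
    """'user:a@b.org' -> 'b.org'; service accounts yield their
    <project>.iam.gserviceaccount.com suffix; special members (allUsers, deleted:...) -> ''."""
    kind, _, ident = member.partition(":")
    if kind in ("user", "group", "serviceAccount") and "@" in ident:
        return ident.rsplit("@", 1)[1].lower()
    return ""


def audit_policy(policy: dict, trusted=TRUSTED_DOMAINS, project=PROJECT_ID):
    """Return (member, role, reason) findings for public or external bindings.
    Google-managed service agents sit outside the project suffix and surface for review too."""
    own_sa_suffix = f"{project}.iam.gserviceaccount.com"
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in ("allUsers", "allAuthenticatedUsers"):
                findings.append((member, role, "public access"))
                continue
            domain = member_domain(member)
            if domain in trusted or domain == own_sa_suffix:
                continue  # our own staff, groups or project service accounts
            reason = ("external identity with high-privilege role"
                      if role in HIGH_PRIVILEGE_ROLES else "external identity")
            findings.append((member, role, reason))
    return findings


if __name__ == "__main__":
    for member, role, reason in audit_policy(SAMPLE_POLICY):
        print(f"{reason}: {member} has {role}")
```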
Recommendations:
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services.