Threat Report 168

This week's report covers a critical, actively exploited flaw in Microsoft SharePoint Server; a high-severity vulnerability in ConnectWise ScreenConnect being targeted by attackers; a supply chain attack on a widely used security scanning tool for software development pipelines; an FBI and CISA warning about Russian-linked actors posing as Signal support to steal accounts; and a phishing-led cyberattack on Intuitive, maker of the da Vinci robotic surgery system.

Attackers Actively Exploiting Critical Microsoft SharePoint Flaw

A critical vulnerability in Microsoft SharePoint Server, tracked as CVE-2026-20963, is now being actively exploited by unknown attackers. The flaw carries a CVSS severity score of 9.8 out of 10. It is an unauthenticated remote code execution bug: an attacker with no login credentials can run their own code on a SharePoint server simply by sending it a specially crafted request. No user needs to click anything.

Microsoft patched the vulnerability as part of its January 2026 updates and stated at the time that exploitation was "less likely." That assessment has now changed. CISA, the US government's cybersecurity agency, added the vulnerability to its Known Exploited Vulnerabilities catalogue on 19 March 2026 and gave federal agencies just three days to apply the fix. NHS England's National CSOC has assessed that further exploitation is highly likely. Because SharePoint security updates are cumulative, servers that have taken the January 2026 update or any later one are already protected; servers that have not are the ones at risk.

Microsoft SharePoint is one of the most widely used platforms globally for document management, team collaboration, and internal intranets. It is used extensively across NHS trusts, local authorities, and the suppliers and technology partners that support them.

An attacker who can exploit this flaw remotely and without authentication could read or steal files, move deeper into your network, or use your SharePoint server as a launchpad for further attacks — potentially including ransomware. The fact that attackers are already exploiting this in the wild makes patching an immediate priority, not a scheduled task.

Recommendations

  • Check whether your organisation uses any version of Microsoft SharePoint Server on-premises (this does not affect SharePoint Online in Microsoft 365).
  • Identify your current version and apply the January 2026 security update (or any later cumulative update, which includes it) immediately: SharePoint Server Subscription Edition: KB5002822; SharePoint Server 2019: KB5002825; SharePoint Server Enterprise 2016: KB5002828.
  • If you are running SharePoint Server 2007, 2010, or 2013, these versions are no longer supported and will not receive patches. Upgrade to a supported version as a priority.
  • Restrict access to your SharePoint environment so it is not directly reachable from the open internet, where possible; for example, require a VPN connection or place it behind an authenticating gateway.
  • Review the IIS web server logs and SharePoint ULS logs on your front-end servers for unusual activity, particularly unexpected file access, requests from unfamiliar external addresses, or requests that succeeded without an authenticated user. If you find evidence of exploitation, treat the server as compromised and follow your incident response plan rather than simply patching over it.
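A small log-triage script for the last recommendation above, added here as an illustration; it is not Microsoft's or NHS England's tooling and it is not a detection signature for CVE-2026-20963. It assumes the front-end web servers write IIS W3C extended logs (the default for on-premises SharePoint), that the farm requires Windows authentication so a request answered with a 2xx status while cs-username is "-" is unexpected, and it runs over a constructed sample rather than real log data. The column list is read from the #Fields header because IIS lets administrators change which fields are logged and in what order.

```python
"""Triage IIS W3C logs from an on-premises SharePoint front end.

Added example for this report (not Microsoft or NHS England tooling, and not
a signature for CVE-2026-20963). It surfaces requests that were answered with
a 2xx status while no authenticated user was recorded (cs-username == '-').
On an intranet farm that requires Windows authentication, such requests are
unusual and worth reviewing. Run against real logs with: triage(Path(...)).
"""
import os
from pathlib import Path
from typing import Iterator

# Constructed sample log for demonstration only, not captured from a real server.
# IIS replaces spaces inside a field with '+', so whitespace-splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-03-20 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2026-03-20 08:00:01 10.0.0.5 GET /sites/ops/Shared%20Documents/Forms/AllItems.aspx - 443 - 10.0.1.20 Mozilla/5.0 401 2 5 12
2026-03-20 08:00:01 10.0.0.5 GET /sites/ops/Shared%20Documents/Forms/AllItems.aspx - 443 CONTOSO\\jsmith 10.0.1.20 Mozilla/5.0 200 0 0 140
2026-03-20 08:00:07 10.0.0.5 GET /_layouts/15/images/siteIcon.png - 443 - 10.0.1.20 Mozilla/5.0 200 0 0 3
2026-03-20 08:00:09 10.0.0.5 GET /_api/web/lists/getbytitle('Contracts')/items - 443 - 203.0.113.77 python-requests/2.31 200 0 0 310
2026-03-20 08:00:10 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 - 203.0.113.77 python-requests/2.31 200 0 0 88
"""

# Anonymous hits on static assets are normal even on authenticated sites.
STATIC_EXT = {".png", ".gif", ".jpg", ".jpeg", ".css", ".js", ".ico",
              ".woff", ".woff2", ".svg", ".map"}


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A new #Fields line can appear mid-file after a logging config change.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("log entry seen before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_static(uri_stem: str) -> bool:
    return os.path.splitext(uri_stem)[1].lower() in STATIC_EXT


def anonymous_successes(text: str) -> list[dict]:
    """Return entries answered 2xx with no authenticated user, excluding static files."""
    hits = []
    for e in parse_w3c(text):
        try:
            status = int(e.get("sc-status", ""))
        except ValueError:
            continue
        if e.get("cs-username", "-") != "-" or not 200 <= status < 300:
            continue
        if is_static(e.get("cs-uri-stem", "")):
            continue
        hits.append({
            "time": f"{e.get('date', '?')} {e.get('time', '?')}",
            "client": e.get("c-ip", "?"),
            "method": e.get("cs-method", "?"),
            "path": e.get("cs-uri-stem", "?"),
            "query": e.get("cs-uri-query", "-"),
            "agent": e.get("cs(User-Agent)", "-"),
        })
    return hits


def by_client(hits: list[dict]) -> dict[str, int]:
    """Count flagged requests per client IP so noisy sources stand out."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


def triage(log_dir: Path) -> list[dict]:
    """Run the same filter over every u_ex*.log file in an IIS log directory."""
    hits: list[dict] = []
    for path in sorted(log_dir.glob("u_ex*.log")):
        hits.extend(anonymous_successes(path.read_text(encoding="utf-8", errors="replace")))
    return hits


if __name__ == "__main__":
    flagged = anonymous_successes(SAMPLE_LOG)
    for h in flagged:
        print(f"{h['time']} {h['client']:<15} {h['method']:<5} {h['path']} {h['query']} [{h['agent']}]")
    print("per client:", by_client(flagged))
```

On the sample, the anonymous 401 (the normal challenge before Windows authentication), the authenticated 200 and the anonymous image fetch are all dropped, leaving the two anonymous 2xx API calls from an external address. On a real farm, expect to tune the static-extension list and to whitelist any site collections that are deliberately open to anonymous users before the output is small enough to read.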

High-Severity Flaw in ConnectWise ScreenConnect Being Targeted by Attackers

ConnectWise has released a security update to fix a vulnerability in ScreenConnect, its widely used remote access and IT support tool. The flaw — CVE-2026-3564 — carries a severity score of 9.0 out of 10 and relates to how the software checks cryptographic signatures used for authentication. An attacker who can obtain server-level cryptographic material could use the flaw to gain unauthorised access to ScreenConnect, potentially with elevated privileges. ConnectWise has warned that this vulnerability is either already being targeted or is at high risk of being targeted. The fix is included in ScreenConnect version 26.1.

ScreenConnect is used by IT support teams and managed service providers to connect to and control devices remotely. It is a popular tool among NHS suppliers and managed service providers that support health organisations. Remote access tools have historically been a prime target for ransomware groups. If your organisation uses ScreenConnect — or if any of your IT suppliers do on your behalf — this vulnerability should be treated as time-sensitive. Under DSPT requirements, NHS suppliers are expected to maintain patching disciplines on tools that provide remote access to clinical or health data environments.

Recommendations

  • Check whether your organisation or any IT supplier uses ConnectWise ScreenConnect and identify the version in use.
  • Update to ScreenConnect version 26.1 or later as soon as possible.
  • If your managed service provider uses ScreenConnect to support your systems, ask them to confirm their patching status.
  • Review access logs within ScreenConnect for any unexpected or unauthorised sessions.
  • Ensure that remote access tools are protected with multi-factor authentication and that access is limited to named, authorised users only.
  • Consider this a reminder to audit all remote access tools in use across your environment — both those you manage and those your suppliers use.

Supply Chain Attack Compromises Popular Security Scanning Tool for Developers

Security researchers discovered that the aquasecurity/trivy-action GitHub Action, a widely used tool that scans software for vulnerabilities as part of automated development pipelines, was compromised in a supply chain attack. Versions prior to 0.35.0 were found to contain malicious code capable of stealing secrets and credentials from any system that ran the affected action. The compromise was active from 19:00 on 19 March 2026. A clean version (0.35.0) has since been released. Any pipeline that ran the affected action from that time onwards, up until it was moved to 0.35.0, should be treated as fully compromised, and every secret that pipeline could reach should be rotated immediately.

This is a software supply chain attack: malicious code inserted into a legitimate, trusted tool, so that organisations are compromised simply by using software they already trust. It is especially effective against CI pipelines because most workflows reference actions by a mutable tag or branch name rather than a fixed commit hash, so a compromised tag is pulled in automatically on the next run, and the action executes with access to whatever secrets the job has been given. For NHS suppliers and digital health companies that build or maintain software products, this is directly relevant. Tools like Trivy are commonly included in development pipelines as a security check. The DSPT includes requirements around secure development practices and supply chain risk; incidents like this are exactly the kind of scenario those requirements are designed to address.

Recommendations

  • If your development team uses aquasecurity/trivy-action in any GitHub Actions pipeline, check the version in use and update to 0.35.0 immediately.
  • Any pipeline that executed the affected action after 19:00 on 19 March 2026 should be treated as fully compromised. Rotate all secrets, tokens, API keys, and credentials that were accessible to that pipeline, and review the audit logs of the systems those credentials reach (cloud accounts, container registries, package repositories) for use you did not initiate.
  • If your organisation uses self-hosted GitHub runners, treat them as compromised hosts: reset any additional credentials stored on those machines and rebuild the runners rather than cleaning them in place.
  • Review your list of third-party GitHub Actions and other pipeline components for similar risks. Pin each one to a full commit SHA rather than a tag or branch, so that a retargeted tag cannot change what your pipeline runs without a deliberate change in your own repository.
  • Consider auditing your software development pipeline for reliance on external, open-source actions, grant each job only the secrets it actually needs, and ensure you have a process for monitoring these dependencies for compromise.
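A workflow audit script for the first, fourth and fifth recommendations above, added here as an illustration rather than taken from Aqua Security, GitHub or the page's author. It finds every `uses: aquasecurity/trivy-action@<ref>` under .github/workflows and classifies the ref against the 0.35.0 threshold given in this report: a version tag below it is affected, a branch name such as master cannot be judged from the file and is flagged, and a 40-character commit SHA is the pin the fourth recommendation asks for. It works on the raw text so it needs nothing beyond the standard library, and the sample workflow it runs on is constructed for the example.

```python
"""Find and classify aquasecurity/trivy-action references in GitHub workflows.

Added example for this report; not Aqua Security or GitHub tooling. The
0.35.0 threshold comes from the report. Matching is text-based so it needs
no YAML library, at the cost of also matching `uses:` lines inside comments.
"""
import re
from pathlib import Path

ACTION = "aquasecurity/trivy-action"
FIXED = (0, 35, 0)  # first clean release per the report

# `- uses: owner/repo[/subdir]@ref`, optionally quoted. Horizontal whitespace
# only, so a match never starts on a preceding blank line.
USES_RE = re.compile(
    r"""^[ \t]*-?[ \t]*uses:[ \t]*['"]?(?P<repo>[\w.-]+/[\w.-]+)(?:/[^@\s'"]+)?@(?P<ref>[^\s'"#]+)""",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?$")

# Constructed sample workflow, not taken from a real repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan image
        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: myorg/app:latest
      - uses: aquasecurity/trivy-action@master
      - uses: "aquasecurity/trivy-action@0.35.0"
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # pinned
"""


def classify(ref: str) -> str:
    """Map a ref to one of: affected, fixed, floating, sha-pinned."""
    if SHA_RE.match(ref):
        # Immutable, but still confirm the SHA belongs to a release you trust.
        return "sha-pinned"
    m = TAG_RE.match(ref)
    if m:
        version = tuple(int(part or 0) for part in m.groups())  # '0.33' -> (0, 33, 0)
        return "affected" if version < FIXED else "fixed"
    return "floating"  # branch name or major-only tag: cannot be judged from the file


def scan_text(text: str, source: str = "<string>") -> list[dict]:
    """Return one finding per trivy-action reference in a workflow's text."""
    findings = []
    for m in USES_RE.finditer(text):
        if m.group("repo").lower() != ACTION:
            continue
        line_no = text.count("\n", 0, m.start()) + 1
        ref = m.group("ref")
        findings.append({"file": source, "line": line_no, "ref": ref, "verdict": classify(ref)})
    return findings


def scan_repo(root: Path) -> list[dict]:
    """Scan every workflow file under <root>/.github/workflows."""
    findings = []
    for wf in sorted((root / ".github" / "workflows").glob("*.y*ml")):
        findings.extend(scan_text(wf.read_text(encoding="utf-8"), str(wf)))
    return findings


def needs_action(findings: list[dict]) -> list[dict]:
    """Findings that require a change or a manual check before the next run."""
    return [f for f in findings if f["verdict"] in ("affected", "floating")]


if __name__ == "__main__":
    results = scan_text(SAMPLE_WORKFLOW, "ci.yml")
    for f in results:
        print(f"{f['file']}:{f['line']}: {ACTION}@{f['ref']} -> {f['verdict']}")
    print(f"{len(needs_action(results))} reference(s) need action")
```

A SHA pin stops a retargeted tag from changing what the job runs, but it does not by itself tell you the pinned commit is clean; check it against the 0.35.0 release before treating a pinned workflow as safe. Dependabot can keep SHA pins current so that pinning does not freeze you on an old release.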

FBI and CISA Warn of Russian-Linked Actors Posing as Signal Support

The FBI and CISA issued a joint advisory warning that Russian intelligence-affiliated actors are impersonating customer support services for messaging applications, primarily Signal, but also WhatsApp, in order to steal accounts. The attackers send messages claiming there has been suspicious activity on the target's account and urge them to click a verification link. When victims click through, attackers either link their own device to the victim's account, gaining the ability to read and send messages, or steal credentials and two-factor authentication codes to take over the account entirely. The campaign has compromised thousands of accounts. Targets include former government officials, military personnel, politicians, and journalists.

Russian state-sponsored actors have a long history of targeting UK government bodies, defence suppliers, and healthcare organisations. Senior staff, executives, policy leads, and communications professionals at NHS trusts, health technology companies, and government-adjacent organisations are exactly the kind of high-value targets this campaign is designed to reach. Signal is increasingly used within digital health and government circles for sensitive communications. The attack does not compromise Signal's encryption; it exploits the user's trust. Staff awareness of this technique is the most effective defence.

Recommendations

  • Share awareness of this campaign with senior staff, communications teams, and anyone who handles sensitive information via messaging applications.
  • Remind all staff that Signal, WhatsApp, and similar apps will never send unsolicited messages asking users to verify their account by clicking a link.
  • Enable the Signal registration lock feature (Settings > Account > Registration Lock) so that a stolen verification code alone is not enough to re-register your number on another phone. Registration lock does not prevent a device being linked to your account, which is why the next step matters.
  • Review linked devices within Signal (Settings > Linked Devices) and remove any you do not recognise. Never scan a QR code or approve a linking request that you did not initiate yourself.
  • Use app-based two-factor authentication codes rather than SMS codes wherever possible.
  • Report any suspected account compromise or phishing attempt to report@ncsc.gov.uk.

Phishing Attack Hits Intuitive, Maker of the da Vinci Robotic Surgery System

Intuitive, the American company that makes the da Vinci robotic surgical system and the Ion endoluminal system, has disclosed that it suffered a cyberattack in March 2026. The incident began when a targeted phishing email successfully deceived one of its employees. Using that employee's access, the attackers were able to reach certain internal business applications and access customer business and contact information, employee records, and corporate data.

Intuitive said it activated its incident response protocols quickly and has fully contained the attack. Critically, the company confirmed that its surgical systems — including the da Vinci platform — were not affected, as they operate on a separate network from its internal business systems. Hospital customer networks were also confirmed to be unaffected. The appropriate data privacy regulators are being notified. The number of individuals affected and the identity of the attackers have not been disclosed.

This incident follows last week's report on the destructive Iranian attack on Stryker, another major medical device company. Together, they paint a clear picture: medical device manufacturers are increasingly in the crosshairs of cybercriminals and state-aligned attackers.

Intuitive's da Vinci systems are used in NHS hospitals across the UK for procedures including urology, gynaecology, and general surgery. While Intuitive has confirmed that the surgical platforms themselves were not compromised, the breach of customer contact and business data has direct implications for NHS trusts and private healthcare providers that have a commercial relationship with the company.

The attack also serves as a reminder that a single phishing email can be enough to trigger a breach at a major enterprise. For NHS suppliers and healthtech companies, staff awareness training and robust email security controls are not optional extras — they are core components of DSPT compliance and good cyber hygiene.

Recommendations

  • If your organisation has a supplier or customer relationship with Intuitive, contact them to understand whether your organisation's data was included in the breach and what steps they are taking.
  • Use this incident as a prompt to review your own phishing awareness training — particularly for staff who handle supplier contracts, procurement data, or patient-facing systems.
  • Ensure your email security controls include spam filtering, impersonation detection, and sandboxing of suspicious attachments and links.
  • Review the access rights of staff accounts that handle sensitive or commercially valuable data — limit access to only what is necessary for each role.
  • Check that your incident response plan covers scenarios triggered by a single compromised account, not just large-scale technical attacks.
  • If you are an NHS trust or NHS-contracted organisation, be alert to any follow-on phishing attempts that may use Intuitive branding or reference the incident.

Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services.