Threat Report 177
This week's report covers five active threats. A critical flaw in Ghost CMS is being used to hijack hundreds of websites and deliver malware to unsuspecting visitors. NGINX, the web server used across much of the UK's digital infrastructure, has a serious vulnerability that is already being exploited in the wild. Researchers at UK-based Fox-IT have uncovered a sophisticated North Korean hacking tool that hides in memory and evades security software, now being used against financial firms. The FBI has issued a warning about a new phishing kit called Kali365 that bypasses Microsoft 365 multi-factor authentication at scale, compromising hundreds of organisations every day. And Cisco has disclosed yet another maximum-severity vulnerability, this time in its Secure Workload platform, allowing unauthenticated attackers to access data across customer boundaries. Full details and recommended actions for each are below.
Ghost CMS Flaw Exploited to Hijack 700+ Websites for Social Engineering Attacks
A serious flaw in Ghost CMS — a popular open-source blogging and publishing platform used by many organisations — is being exploited on a large scale. The vulnerability is tracked as CVE-2026-26980 and has a severity score of 9.4 out of 10. It is a SQL injection flaw, meaning an attacker can embed database commands in ordinary web requests that the site passes through to its database, and use them to retrieve the site's admin API key without needing a username or password.
Once attackers have the admin key, they take control of the website. Researchers at QiAnXin XLab found that more than 700 websites have already been compromised, including those belonging to universities, blockchain projects, and AI companies. The attackers inject malicious JavaScript code into the bottom of published articles. When real visitors open those articles, the code checks whether they are a genuine user and, if so, shows them a fake CAPTCHA verification page. That page tricks them into running a malicious Windows PowerShell command on their own computer, which installs malware.
Ghost CMS is used by many UK organisations, charities, and digital health teams to run their public-facing websites, blogs, and knowledge bases. A compromised Ghost site can be used to deliver malware to every visitor — including patients, customers, and staff — without any warning. Universities are already among the confirmed victims, and educational and healthcare websites are trusted by visitors, which makes them especially effective as a delivery point for social engineering attacks. For any UK organisation running Ghost CMS, this is an active risk right now.
Recommendations
- Check whether your website or any websites managed by your organisation run Ghost CMS. Contact your web developer or hosting provider if you are unsure.
- Upgrade Ghost CMS to the latest version immediately. The fix is included in the most recent release.
- Rotate your Ghost admin API keys and all admin account passwords after upgrading.
- Review your website's published content and code for any unexpected JavaScript injected at the bottom of articles or pages.
- Ask your web hosting provider for confirmation of the update and any checks for signs of compromise.
- If your site collects personal data or is used by patients or service users, review whether any compromise needs to be reported under UK GDPR.
- Consider adding a web application firewall (WAF) in front of your website if one is not already in place.
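As an added example (not from the original report, and not Ghost's own tooling), the following Python check walks a Ghost JSON export and flags script elements that sit at the end of an article, load from a host outside an allowlist, or contain obfuscation-style calls; the export layout (db[0].data.posts with an html field) and the sample posts are assumptions constructed here.

```python
"""Scan a Ghost JSON export for script tags injected into the bottom of post HTML."""
import json
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)
# Calls that commonly appear in obfuscated loaders; presence is a signal, not proof.
SUSPICIOUS_BODY = re.compile(r"eval\(|atob\(|fromCharCode|unescape\(|document\.write\(", re.I)

def find_suspicious_scripts(post_html, allowed_hosts):
    """Return findings for every script element in one post's rendered HTML."""
    findings = []
    for m in SCRIPT_RE.finditer(post_html):
        attrs, body = m.group(1), m.group(2)
        reasons = []
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname or ""
            if host and host not in allowed_hosts:
                reasons.append(f"external src {host}")
        if SUSPICIOUS_BODY.search(body):
            reasons.append("obfuscation-style calls in inline body")
        # Nothing but whitespace or closing tags after it means it was appended to the article.
        trailing = post_html[m.end():]
        if not re.sub(r"</?[^>]+>|\s", "", trailing):
            reasons.append("placed at end of article")
        if reasons:
            findings.append({"snippet": m.group(0)[:80], "reasons": reasons})
    return findings

def scan_export(export_json, allowed_hosts=frozenset()):
    """Walk every post in a Ghost JSON export (db[0].data.posts; assumed layout)."""
    data = json.loads(export_json)
    report = {}
    for post in data["db"][0]["data"]["posts"]:
        hits = find_suspicious_scripts(post.get("html") or "", allowed_hosts)
        if hits:
            report[post["slug"]] = hits
    return report

# Constructed sample export (not real site content): one clean post, two with trailing/odd scripts.
SAMPLE_EXPORT = json.dumps({"db": [{"data": {"posts": [
    {"slug": "welcome", "html": "<p>Hello</p><p>Bye</p>"},
    {"slug": "news", "html": "<p>Body text</p><script src=\"https://cdn.example-injected.test/v.js\"></script>"},
    {"slug": "stats", "html": "<p>Chart</p><script>eval(atob('aGk='))</script><p>More</p>"},
]}}]})
```

Run `scan_export(SAMPLE_EXPORT, frozenset({"cdn.jsdelivr.net"}))` to see the two flagged posts; pass your own allowlist of CDN hosts the site legitimately loads from.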
NGINX Web Server Flaw Actively Exploited, Crashing Servers and Risking Code Execution
A serious vulnerability in NGINX, one of the most widely used web server and reverse proxy platforms in the world, is being actively exploited. The flaw is tracked as CVE-2026-42945 and has a severity score of 9.2 out of 10. It was nicknamed "NGINX Rift" by researchers.
The bug is a heap buffer overflow in the part of NGINX that handles URL rewrite rules. An attacker who can send crafted network requests to an affected server can crash NGINX worker processes, causing the website or application behind it to go offline. Security researchers at AlmaLinux and VulnCheck confirmed that turning this crash into full remote code execution is hard but not impossible, and would allow an attacker to run any code they want on the server. Exploitation activity began within days of the flaw being publicly disclosed. VulnCheck confirmed that threat actors had already begun probing and attacking exposed servers.
NGINX is used on a huge proportion of UK web infrastructure — from NHS patient portals and GP booking systems to digital health apps and NHS supplier websites. It is also widely used as a reverse proxy in front of other applications, meaning a single NGINX server can sit in front of many services at once. A crashed NGINX server means none of the services behind it are reachable. For NHS-connected organisations, an outage affecting patient access, appointment booking, or clinical tools could have a direct impact on care. If code execution becomes possible, an attacker could access everything the server touches.
Recommendations
- Check whether your organisation uses NGINX (Open Source or NGINX Plus) as a web server or reverse proxy. Ask your engineering or IT team.
- Apply the available NGINX security patches as soon as possible.
- Check whether the NGINX configuration uses rewrite directives (the "rewrite" or "return" directives in config files) — these are required for the vulnerability to be exploitable.
- Restrict which IP addresses can reach NGINX management interfaces and limit exposure of NGINX to the internet where not required.
- Review NGINX access logs for unusual or repeated crafted request patterns that may indicate probing.
- If a managed service provider runs your web infrastructure, ask for written confirmation of patch status.
- Bring NGINX into your standard patching and asset inventory process if it is not already included.
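As an added example that is not part of the report, this Python triage reads NGINX error-log and combined-format access-log lines, counts worker exits on a signal, and lists which clients were active in the minute before each crash plus clients sending oversized or rejected requests. The crash line wording and the combined log format are NGINX's standard ones; the 60-second window, the 256-character threshold, the assumption that error-log times are UTC, and the sample lines are all constructed here.

```python
"""Triage NGINX logs: worker crashes and the clients active just before them."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# "[alert] 1234#1234: worker process 5678 exited on signal 11" is NGINX's own wording.
CRASH_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[alert\] \d+#\d+: "
                      r"worker process \d+ exited on signal \d+")
# Combined log format: $remote_addr - $remote_user [$time_local] "$request" $status ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def parse_crashes(error_log):
    """Timestamps of worker exits on a signal (error-log times assumed to be UTC)."""
    return [datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            for m in map(CRASH_RE.match, error_log.splitlines()) if m]

def parse_access(access_log):
    """(naive UTC time, client ip, request line, status) from combined-format lines."""
    out = []
    for m in map(ACCESS_RE.match, access_log.splitlines()):
        if m:
            t = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            out.append((t.astimezone(timezone.utc).replace(tzinfo=None),
                        m.group(1), m.group(3), int(m.group(4))))
    return out

def triage(error_log, access_log, window_s=60, long_request=256):
    """Per client: requests in the window before any crash, and oversized/rejected ones."""
    crashes = parse_crashes(error_log)
    window = timedelta(seconds=window_s)
    near_crash, odd = Counter(), Counter()
    for t, ip, req, status in parse_access(access_log):
        if any(c - window <= t <= c for c in crashes):
            near_crash[ip] += 1
        if len(req) > long_request or status >= 400:
            odd[ip] += 1
    return {"crashes": len(crashes), "near_crash": dict(near_crash),
            "odd_requests": dict(odd)}

# Constructed sample lines (not real traffic).
SAMPLE_ERROR_LOG = ("2026/03/10 12:00:30 [notice] 1234#1234: signal 17 (SIGCHLD) received from 5678\n"
                    "2026/03/10 12:00:30 [alert] 1234#1234: worker process 5678 exited on signal 11")
PROBE = "/legacy/" + "A" * 300
SAMPLE_ACCESS_LOG = "\n".join([
    '198.51.100.7 - - [10/Mar/2026:11:58:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [10/Mar/2026:12:00:10 +0000] "GET {PROBE} HTTP/1.1" 400 0 "-" "curl/8.6"',
    f'203.0.113.5 - - [10/Mar/2026:12:00:20 +0000] "GET {PROBE} HTTP/1.1" 400 0 "-" "curl/8.6"',
    '198.51.100.7 - - [10/Mar/2026:12:00:25 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
])
```

The request that actually kills a worker is usually never written to the access log, because NGINX logs after responding, so this surfaces the clients probing around a crash rather than the crashing request itself.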
North Korean Lazarus Group Deploys Invisible Memory-Only Malware Against Financial Firms
Researchers at Fox-IT, a UK-based subsidiary of NCC Group, have published detailed findings on a new malware tool used by the North Korean state-sponsored hacking group known as Lazarus. The malware is called RemotePE, and it is a remote access trojan — a tool that gives attackers full control of a victim's computer. What makes RemotePE unusual is that it never saves itself to the victim's hard drive. It runs entirely in memory, which makes it very hard for security software to find.
The attack starts with social engineering — for example, a convincing fake job offer or message sent to an employee. Once the attacker gets a foothold on a device, they load a series of stages that decrypt and launch RemotePE entirely in memory. RemotePE then connects back to an attacker-controlled server and can read, move, or delete files, run programs, kill processes, and carry out other commands. It also uses advanced techniques to disable Windows event logging and avoid detection by endpoint security tools. Fox-IT confirmed that neither the loader nor the malware was detected by any tool on VirusTotal at the time of publication.
The Lazarus Group is linked to North Korea's intelligence services and is known for targeting banks, financial institutions, healthcare organisations, and cryptocurrency platforms worldwide.
Why this matters
UK financial institutions, NHS-connected payment processors, and digital health companies that handle financial data or valuable intellectual property are all plausible targets for Lazarus. The fact that this malware was undetectable by standard endpoint tools at the time of discovery is a significant concern. Many organisations rely heavily on endpoint security products as a primary defence. If an attacker gets in via social engineering — a convincing message, a fake job offer, or a spoofed contact — and then deploys RemotePE, the organisation may have no immediate indication that anything is wrong. This is a reminder that technical defences alone are not enough when attacks begin with human deception.
Recommendations
- Share awareness of social engineering tactics with all staff, particularly those in finance, HR, procurement, and clinical leadership roles — these are common initial targets.
- Review endpoint detection and response (EDR) coverage and confirm it is deployed on all devices, including laptops used remotely.
- Enable memory-based threat detection if your EDR platform supports it, as file-based scanning alone will not catch this malware.
- Review privileged access controls and ensure that accounts with elevated rights are protected with phishing-resistant multi-factor authentication (such as hardware security keys).
- Review network monitoring for unusual outbound connections, particularly to unfamiliar external IP addresses.
- If your organisation receives unexpected job-related messages or contact from unknown parties via LinkedIn or email, treat these with extra caution and report them to your security team.
- Consider threat intelligence subscriptions that cover North Korean APT activity if you are in a high-risk sector.
FBI Warns: New Phishing Kit Bypasses Microsoft 365 MFA at Scale
The FBI has issued a public warning about a phishing-as-a-service platform called Kali365, which is being sold on Telegram and used to steal Microsoft OAuth tokens — effectively bypassing multi-factor authentication (MFA) on Microsoft 365 accounts. Hundreds of organisations are being compromised every day.
Kali365 works in two main ways. In the first, attackers send a phishing email pretending to come from a trusted service — such as Adobe Acrobat Sign, DocuSign, or SharePoint. The email contains a device code and instructions telling the recipient to enter the code into a real Microsoft page. If they do, the attacker's device is registered to the victim's Microsoft 365 account, giving the attacker full access to emails, Teams, SharePoint, and other services — without needing the victim's password or MFA code.
In the second method, the attacker acts as a silent go-between, forwarding the victim's real login to Microsoft and capturing the session cookies that result. Those cookies let the attacker replay the session later as if they were the legitimate user. Kali365 is sold for $250 per month per target organisation and supports 14 languages. Security firm Arctic Wolf and Microsoft both confirmed the scale of the activity.
The NHS and its suppliers are among the UK's largest users of Microsoft 365. MFA is widely promoted as one of the most effective ways to stop account takeover, and many organisations have invested heavily in rolling it out. Kali365 shows that standard MFA — including SMS codes and authenticator apps — can be bypassed if users are tricked into completing a device code flow. A compromised M365 account gives an attacker access to emails, documents, and shared drives, which could include patient data, contracts, clinical information, or supplier credentials. For NHS suppliers required to meet DSPT obligations, an account compromise of this kind may trigger a reportable breach if personal data is accessed.
Recommendations
- Brief all staff — including clinical, admin, and management teams — on the specific danger of entering device codes or clicking links in emails claiming to be from DocuSign, Adobe, or SharePoint unless they themselves initiated the action.
- Work with your IT team or provider to implement Conditional Access policies in Microsoft Entra ID (formerly Azure AD) that block device code flow authentication for users who do not need it.
- Disable or restrict "authentication transfer" policies, which let users move sessions between devices, unless specifically required.
- Review Microsoft 365 sign-in logs for any new device registrations, unfamiliar locations, or sessions that occurred outside normal working hours.
- Consider moving to phishing-resistant MFA methods, such as FIDO2 hardware keys or Windows Hello for Business, particularly for admin accounts and anyone with access to patient or sensitive data.
- If any account compromise is suspected, revoke all active sessions in the Microsoft admin portal immediately and force a password reset.
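As an added example (not from the report, the FBI advisory, or Microsoft), this Python check reviews an export of Entra sign-in records for successful device-code-flow sign-ins and rates each one by whether the user has ever signed in from that country by a normal flow. The field names follow the Microsoft Graph signIn resource (authenticationProtocol, location.countryOrRegion, status.errorCode) and the envelope shape, error code, and sample records are assumptions constructed here.

```python
"""Flag device-code-flow sign-ins in an export of Microsoft Entra sign-in logs."""
import json
from collections import defaultdict

def load_signins(export_json):
    """Records from a Graph-style envelope {"value": [...]} (assumed export shape)."""
    return json.loads(export_json)["value"]

def succeeded(s):
    return s.get("status", {}).get("errorCode", 1) == 0

def baseline_by_user(signins):
    """Countries seen in successful sign-ins that did NOT use the device code flow."""
    seen = defaultdict(set)
    for s in signins:
        if succeeded(s) and s.get("authenticationProtocol") != "deviceCode":
            seen[s["userPrincipalName"]].add(s.get("location", {}).get("countryOrRegion"))
    return seen

def flag_device_code(signins, allowed_users=frozenset()):
    """One finding per successful device-code sign-in, rated by how unusual it is."""
    baseline = baseline_by_user(signins)
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode" or not succeeded(s):
            continue
        user = s["userPrincipalName"]
        country = s.get("location", {}).get("countryOrRegion")
        if user in allowed_users:
            severity = "info"      # user is known to need device code (e.g. CLI tooling)
        elif country not in baseline[user]:
            severity = "high"      # device code from a country this user never signs in from
        else:
            severity = "medium"    # still a flow most users should have blocked by policy
        findings.append({"user": user, "time": s["createdDateTime"], "ip": s.get("ipAddress"),
                         "country": country, "app": s.get("appDisplayName"), "severity": severity})
    return findings

# Constructed records (not real log data); 50126 is Entra's invalid-credentials error code.
def rec(user, proto, country, ok, time, ip, app="Office 365"):
    return {"userPrincipalName": user, "authenticationProtocol": proto,
            "location": {"countryOrRegion": country}, "status": {"errorCode": 0 if ok else 50126},
            "createdDateTime": time, "ipAddress": ip, "appDisplayName": app}

SAMPLE_SIGNINS = json.dumps({"value": [
    rec("alice@example.test", "oAuth2", "GB", True, "2026-03-09T09:02:00Z", "198.51.100.7"),
    rec("alice@example.test", "deviceCode", "NL", True, "2026-03-10T02:41:00Z", "203.0.113.5"),
    rec("bob@example.test", "oAuth2", "GB", True, "2026-03-09T08:50:00Z", "198.51.100.9"),
    rec("bob@example.test", "deviceCode", "GB", True, "2026-03-10T10:12:00Z", "198.51.100.9"),
    rec("bob@example.test", "deviceCode", "GB", False, "2026-03-10T10:05:00Z", "198.51.100.9"),
]})
```

Pass the users who legitimately use device code flow (for example, admins running command-line tooling) as allowed_users so that their sign-ins are rated info rather than medium or high.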
Cisco Secure Workload Hit by Maximum-Severity Bug Allowing Cross-Tenant Data Access
Cisco has disclosed a maximum-severity vulnerability in its Secure Workload platform, a product used by large enterprises to manage and secure workloads in data centres and cloud environments. The vulnerability is tracked as CVE-2026-20223 and has a score of 10.0 out of 10.
The flaw is in a REST API that Secure Workload uses internally. An attacker who can reach these endpoints does not need a username or password. Sending crafted requests is enough to grant them Site Admin privileges — the highest level of access in the product. With that access, an attacker can read sensitive information and make configuration changes across tenant boundaries, meaning a compromise of one customer's environment could potentially expose data belonging to other customers on the same platform. This is especially serious for cloud or multi-tenant deployments where different organisations share the same underlying infrastructure.
Cisco has confirmed there are no workarounds. The only fix is to install the patched release. Cisco said it discovered the flaw during internal security testing, and has not confirmed active exploitation at the time of publication. However, Cisco has suffered a run of maximum-severity vulnerabilities across multiple products in recent months, and unpatched critical bugs rarely stay quiet for long. Cloud-hosted SaaS deployments of Secure Workload have already been patched by Cisco automatically.
Large NHS trusts, NHS-connected data centres, and enterprise-scale NHS suppliers that use Cisco Secure Workload to protect their data centre environments will want to check their version and patch status immediately. A 10.0-score flaw with no workaround and cross-tenant implications is one of the most urgent patch obligations a team can face. Even for organisations not directly using Secure Workload, this is a further signal that Cisco infrastructure across the board needs careful attention to version control and patch management, given the volume of high-severity Cisco advisories in recent weeks.
Recommendations
- Identify whether your organisation uses Cisco Secure Workload in either on-premises or SaaS form. Check with your network or data centre team.
- If you use the SaaS version, Cisco has already applied the patch — verify this with Cisco or your account manager.
- If you use the on-premises version, upgrade Secure Workload Cluster Software to version 3.10.8.3 (for the 3.10 branch) or 4.0.3.17 (for the 4.0 branch) as soon as possible.
- If you are on version 3.9 or earlier, you must migrate to a supported release. Contact Cisco for migration guidance.
- Until patched, review network access controls to limit which systems can reach Secure Workload's internal API endpoints.
- Ask your managed service provider for written confirmation of version and patch status if they manage this platform on your behalf.
- Log this vulnerability in your DSPT risk register until a confirmed patch has been applied, particularly if Secure Workload is used to protect environments that process personal or patient data.
Stay ahead of threats like these
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services and find out how we support UK digital health organisations, healthtechs, and NHS suppliers with practical, hands-on cybersecurity assurance.