Threat Report 181
In this week's report
A large-scale, active campaign has compromised login credentials for more than 86,000 Fortinet firewalls across the UK and beyond — significant enough that the National Cyber Security Centre has stepped in with formal guidance.
A critical flaw in Splunk Enterprise lets attackers run code on your systems with no username or password required. It's already being exploited in the wild and has prompted an NHS alert.
And iRhythm, a cardiac monitoring company, has been hit by a cyberattack in which hackers stole patient health data and issued a ransom demand, the latest in a rising tide of attacks targeting healthcare technology firms.
Read the full breakdown below...
FortiBleed: Over 86,000 Fortinet Firewalls Compromised in Active Campaign
A large-scale cyber campaign known as FortiBleed has compromised the login credentials for 86,644 Fortinet FortiGate firewalls and VPN gateways across 194 countries. The attackers, believed to be a Russian-speaking criminal group, exploited a weakness in how Fortinet stores administrator passwords. When an older Fortinet device is upgraded to a newer firmware version, existing administrator passwords remain stored in the older, weaker hash format until each administrator next logs in; only at that login are they re-hashed. The attackers used large-scale computing resources to crack those weak hashes in bulk, producing a verified database of valid usernames and passwords for tens of thousands of internet-facing devices. CISA issued a formal warning, and the UK's NCSC published specific guidance for UK organisations on 18 June 2026.
Fortinet products are widely used as firewalls and VPN gateways across UK businesses, NHS trusts, and NHS supplier organisations. If the credentials for your Fortinet device are in this database, an attacker can log in to your network right now with a genuine, valid username and password. Because that login looks like legitimate administrator or VPN use, it bypasses most security controls and is unlikely to trigger an obvious alert. VPN access is especially dangerous in healthcare settings because it can provide a direct path into internal systems that hold patient records, clinical tools, and supplier connections. DSPT-registered organisations should treat this as an urgent operational risk. The NCSC has formally asked UK organisations using Fortinet edge devices with SSL VPN enabled to investigate their exposure immediately.
Recommendations
- Use Fortinet's published guidance and the FortiBleed checker tools shared by NCSC to find out whether your device credentials are in the compromised dataset.
- Change all administrator passwords on Fortinet devices immediately, regardless of whether you believe you are affected. Do not wait for confirmation.
- Make sure all Fortinet firmware is updated to the latest version, then have every administrator log in once after the upgrade so that their stored password is re-hashed in the stronger format. Re-hashing only happens at that post-upgrade login, so an upgrade on its own does not remove the weak hashes; verify that it has completed for every administrator account.
- Review VPN access logs for any unusual logins, particularly outside of working hours or from IP addresses you do not recognise.
- If a managed IT provider manages your Fortinet infrastructure, request written confirmation that they have checked for exposure and rotated all credentials.
- Log this as an active risk in your DSPT risk register and record the date that remediation was completed.
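The VPN log review in the recommendations above, as an added example that is not Fortinet's or the NCSC's tooling: a Python script that parses FortiGate-style key=value syslog lines and flags successful SSL VPN tunnels and administrator logins that fall outside working hours, arrive from a source range the organisation does not expect, or use an administrator account. The log lines are constructed, and the field names (date, time, subtype, action, status, user, remip, ui), the expected source range 198.51.100.0/24 and the 07:00 to 19:00 working window are assumptions of the example; check them against your own device's log format and your own user base before relying on the output.

```python
"""Added example: triage FortiGate-style VPN and admin login events for the
indicators named in the recommendations (out-of-hours logins, unexpected
source addresses, administrator accounts). The sample lines are constructed;
field names assume FortiGate's key=value syslog layout."""
import ipaddress
import re
import sys
from datetime import datetime, time

# Constructed sample lines for illustration, not real device output.
SAMPLE_LOGS = """\
date=2026-06-17 time=09:12:41 devname="FW-EDGE-01" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="j.smith" remip=198.51.100.24 msg="SSL VPN tunnel up"
date=2026-06-17 time=14:05:03 devname="FW-EDGE-01" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="a.jones" remip=198.51.100.77 msg="SSL VPN tunnel up"
date=2026-06-18 time=02:47:19 devname="FW-EDGE-01" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="admin" remip=203.0.113.5 msg="SSL VPN tunnel up"
date=2026-06-18 time=03:02:55 devname="FW-EDGE-01" type="event" subtype="system" action="login" status="success" user="admin" ui="https(203.0.113.5)" msg="Administrator admin logged in successfully from https(203.0.113.5)"
date=2026-06-18 time=11:30:00 devname="FW-EDGE-01" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="j.smith" remip=198.51.100.24 msg="SSL VPN tunnel up"
"""

# Assumptions: where your users normally connect from, and your working hours.
EXPECTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
WORK_START, WORK_END = time(7, 0), time(19, 0)
ADMIN_ACCOUNTS = {"admin"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_successful_login(ev):
    """True for an SSL VPN tunnel coming up or a successful administrator login."""
    if ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up":
        return True
    return (ev.get("subtype") == "system" and ev.get("action") == "login"
            and ev.get("status") == "success")


def source_ip(ev):
    """remip for VPN events; for admin logins, the address inside ui="https(a.b.c.d)"."""
    if ev.get("remip"):
        return ev["remip"]
    m = re.search(r"\(([0-9a-fA-F.:]+)\)", ev.get("ui", ""))
    return m.group(1) if m else None


def flag_event(ev):
    """Reasons this login deserves review; an empty list means it looks routine."""
    if not is_successful_login(ev):
        return []
    reasons = []
    if "date" in ev and "time" in ev:
        when = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        if not WORK_START <= when.time() <= WORK_END:
            reasons.append("outside working hours")
    ip = source_ip(ev)
    try:
        known = any(ipaddress.ip_address(ip) in net for net in EXPECTED_SOURCES)
    except ValueError:  # missing or unparseable address: treat as unexpected
        known = False
    if not known:
        reasons.append(f"unexpected source {ip}")
    if ev.get("user") in ADMIN_ACCOUNTS:
        reasons.append("administrator account login")
    return reasons


def triage(log_text):
    """Return [(line_no, user, source, reasons)] for every flagged login."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        reasons = flag_event(ev)
        if reasons:
            hits.append((n, ev.get("user"), source_ip(ev), reasons))
    return hits


if __name__ == "__main__":
    # Pass an exported syslog file as the first argument to triage real data.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOGS
    for n, user, src, reasons in triage(text):
        print(f"line {n}: user={user} src={src}: {'; '.join(reasons)}")
```

On the constructed sample the routine daytime logins from the expected range pass, while the two 02:47 and 03:02 events (an SSL VPN tunnel and then an administrator GUI login, both from 203.0.113.5 with the admin account) are flagged on all three counts. Successful logins are the point here: a stolen credential produces no failed attempts, so a review that only counts failures would miss exactly the activity this campaign enables.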
Critical Splunk Flaw Actively Exploited — Unauthenticated Attackers Can Run Code on Your Systems
A critical security flaw in Splunk Enterprise, a widely used tool for collecting and monitoring IT and security data, allows attackers with no username or password to run commands directly on the affected server. Tracked as CVE-2026-20253 and rated 9.8 out of 10 for severity, the flaw sits inside a component called the PostgreSQL Sidecar Service. Splunk disclosed the vulnerability on 10 June 2026. On 18 June, Splunk confirmed it had seen limited real-world exploitation in the wild. CISA added the flaw to its Known Exploited Vulnerabilities catalogue and required US federal agencies to patch by 21 June 2026. The NHS England National CSOC issued alert CC-4798 on 17 June 2026, assessing that exploitation is "highly likely."
Splunk is used by IT and security teams across NHS trusts and NHS supplier organisations to collect and review security logs and alerts. If an attacker can run code on a Splunk server, they can read, alter or delete your security event data, effectively hiding their own activity from your monitoring team. A compromised Splunk instance can keep a wider attack invisible until significant damage has already been done. This is particularly relevant for DSPT compliance, which depends on logging and monitoring systems being reliable, accurate and tamper-resistant. Organisations that use Splunk as their main monitoring platform should treat this as a critical priority.
Recommendations
- Upgrade Splunk Enterprise to version 10.2.4 or above (for the 10.2 release line) or version 10.0.7 or above (for the 10.0 release line) immediately.
- If you use Splunk Cloud, check your dashboard for confirmation that the patch has been applied; Splunk has said it is patching Cloud instances automatically.
- Review Splunk access logs for signs of unauthenticated access to PostgreSQL Sidecar Service endpoints, particularly in the period before patching.
- If you are an NHS supplier running Splunk on behalf of an NHS trust or healthcare customer, treat this as a critical patching obligation and notify your customer in writing once patching is complete.
- Log the completed patch in your DSPT risk register, including the Splunk version applied and the date the update was confirmed.
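Checking an installed version against the fixed releases above, as an added example that is not Splunk's own tooling. The fixed versions (10.2.4 for the 10.2 line, 10.0.7 for the 10.0 line) come from this report; the layout of the `splunk version` command's output ("Splunk X.Y.Z (build ...)") is an assumption of the example, and any release line the report does not name (10.1.x, or anything below 10.0) is reported as unknown rather than assumed safe or unsafe.

```python
"""Added example: classify a Splunk Enterprise version against the fixed
releases named in the report. Lines the report does not cover are reported
as unknown, not guessed."""
import re

# Fixed versions as stated in the report, keyed by release line (major, minor).
FIXED_VERSIONS = {(10, 2): (10, 2, 4), (10, 0): (10, 0, 7)}

# Assumed layout of `splunk version` output, e.g. "Splunk 10.2.3 (build ...)".
VERSION_OUTPUT_RE = re.compile(r"Splunk\s+(\d+(?:\.\d+)+)")


def parse_version(text):
    """'10.2.10' -> (10, 2, 10). Numeric tuples compare correctly, whereas a
    string comparison would rank '10.2.10' below '10.2.4'. Missing components
    count as 0, so a bare '10.2' is (10, 2, 0) and therefore unpatched."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def patch_status(version):
    """'patched', 'vulnerable', or 'unknown-line' for release lines the report omits."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown-line"
    return "patched" if v >= fixed else "vulnerable"


def status_from_version_output(output):
    """Pull the version out of `splunk version`-style output and classify it."""
    m = VERSION_OUTPUT_RE.search(output)
    if not m:
        raise ValueError("no version number found in output")
    return patch_status(m.group(1))


if __name__ == "__main__":
    for sample in ("10.2.3", "10.2.10", "10.0.7", "10.1.2"):
        print(sample, patch_status(sample))
```

The comparison is done on integer tuples for a reason: a "10.2.10" build is newer than the 10.2.4 fix, but a naive string comparison, or a dashboard filter sorting versions alphabetically, would place it below 10.2.4 and mark a patched host as vulnerable. Treat an "unknown-line" result as a prompt to check Splunk's advisory for that line, not as a pass.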
Cardiac Monitoring Firm iRhythm Discloses Patient Data Breach After Ransom Demand
iRhythm Holdings, the company behind the Zio wearable cardiac monitoring patch, has confirmed that hackers broke into third-party business applications, stole patient health information and company data, and then demanded a ransom to prevent that data from being released. The breach was identified on 8 June 2026. Attackers gained access through social engineering, a technique where criminals manipulate staff into handing over login access, and then exfiltrated data from cloud-hosted systems. iRhythm confirmed that its clinical and medical device systems, patient safety infrastructure, and financial reporting systems were not directly affected. No ransomware group has publicly claimed responsibility. The company disclosed the incident to the US Securities and Exchange Commission and made it public in mid-June 2026.
This breach follows the Novo Nordisk clinical trial data theft reported in last week's Periculo threat report and forms part of a clear and accelerating pattern: healthcare technology companies are being systematically targeted because they combine sensitive patient data with the operational pressure healthcare organisations feel to resolve disruptions quickly. iRhythm's Zio cardiac patches are used internationally, and the company works with clinicians and healthcare systems beyond the United States. More broadly, UK digital health organisations and NHS suppliers should see this as a direct warning. Third-party-hosted applications, cloud platforms and business tools that sit outside your core clinical systems are an increasingly common entry point for attackers. If you are unclear about what data you hold in these systems and how it is protected, now is the time to find out.
Recommendations
- If your organisation uses iRhythm services or shares data with iRhythm as part of a clinical monitoring arrangement, contact iRhythm directly to confirm whether any of your patients' data may have been included in the breach.
- Remind clinical and administrative staff about the risks of social engineering, particularly calls or emails asking for login credentials, account access, or verification of personal details.
- Review which third-party-hosted applications your organisation uses that hold patient or staff data, and confirm that each one has appropriate breach notification procedures in place.
- If you are a DSPT-registered organisation and share data with iRhythm or similar medical device companies, review your data processing agreements and assess whether this breach triggers any reporting obligations.
- Consider how quickly you would know if a third-party cloud application holding your data was compromised. If the answer is that you rely on the supplier to tell you, revisit your supplier assurance process.
Want Help Staying Ahead of Threats Like These?
Contact Periculo about our Threat Intelligence services and find out how we support UK digital health organisations, healthtechs, and NHS suppliers with practical, hands-on cybersecurity assurance.