Threat Report 183
This week’s activity highlights several active threats...
Attackers are currently breaking into Citrix NetScaler devices using two separate flaws, and one of these is already being used by a ransomware group against dozens of organisations.
Criminal groups, including ransomware gangs are actively exploiting a serious vulnerability in Microsoft SharePoint.
A widely used remote support tool, SimpleHelp, has a critical weakness that lets attackers take full control of managed devices without needing a password at all.
Threat actors linked to North Korea have seeded widely used open-source code libraries with more than 100 fake or malicious packages designed to steal information from software developers.
A US healthcare supplier was also breached after attackers social-engineered their way in through a third-party contractor, a reminder of the risk NHS suppliers carry through their own vendors.
Full report below...
Citrix NetScaler Hit by Two Serious Flaws, One Already Used by Ransomware Gang
Citrix NetScaler is a device many organisations use to let staff, partners and sometimes patients log in securely from outside the office, a bit like a digital front door. Two separate weaknesses have now been found in it. The first, nicknamed "Citrix Bleed 2" (CVE-2025-5777), lets an attacker read small pieces of the device's memory without logging in at all. Those pieces can include session tokens, which work like a spare key that lets someone into an account even with the right password changed, and multi-factor authentication turned on. A ransomware gang called Anubis has been using this flaw for months and has now hit at least 91 organisations, more than half in the United States, with the rest spread across the UK, Australia, France and Canada. The second flaw (CVE-2026-8451) is brand new, and attackers started using it within 24 hours of it becoming public. NHS England issued alert CC-4805 in response and says further attacks are highly likely.
NetScaler devices usually sit right at the edge of a network, guarding remote access into the systems behind them. Because this flaw can be used to steal session tokens, even well-protected accounts with multi-factor authentication can still be broken into. For NHS suppliers and digital health organisations that use NetScaler to give staff or systems remote access, this is a DSPT-relevant risk: a successful break-in could count as a reportable incident, and healthcare has already been one of the sectors most targeted by the Anubis gang.
Recommendations
- Check whether your organisation runs Citrix NetScaler ADC or Gateway, and note the version in use.
- Apply Citrix's patches for both CVE-2025-5777 and CVE-2026-8451 immediately if this has not already been done.
- Review NetScaler access logs for unusual session activity, especially where single sign-on (SAML) is used.
- Treat credentials and session tokens tied to any unpatched device as potentially exposed, and rotate them.
- Ask any IT provider or supplier managing NetScaler on your behalf to confirm in writing that both flaws have been patched.
- Log the risk and the date it was fixed in your DSPT risk register.
Microsoft SharePoint Flaw Being Used by Ransomware Gangs
Microsoft SharePoint, used by many organisations including NHS trusts to store and share documents, has a serious flaw known as CVE-2026-45659. Someone who already has even a very basic SharePoint account, nothing more than ordinary "site member" access, can use this flaw to run their own code on the server and effectively take it over. Microsoft fixed the flaw back in May, but the US Cybersecurity and Infrastructure Security Agency has now confirmed that criminal groups, including ransomware gangs, are actively exploiting it on servers that have not yet been patched. NHS England issued alert CC-4806 on 2 July 2026 and assesses further exploitation as highly likely.
SharePoint often holds sensitive material such as patient information, HR records, contracts and policies. Because this attack only needs a low-level account rather than an administrator one, any organisation running its own SharePoint server (this does not affect Microsoft 365's SharePoint Online) is at real risk if it has not patched. Once inside, attackers can use SharePoint as a launchpad into the wider network, which is exactly the kind of foothold ransomware gangs look for. NHS suppliers running on-premises SharePoint should treat patching as urgent.
Recommendations
- Confirm whether your organisation runs on-premises SharePoint Server (SharePoint Online in Microsoft 365 is not affected).
- Apply Microsoft's security update for CVE-2026-45659 immediately if it has not already been installed.
- Review SharePoint audit logs for unusual activity, particularly from low-privilege accounts.
- Tighten who has "Site Member" access or above, and remove access that is no longer needed.
- Treat any suspected exploitation as a possible ransomware precursor and involve your incident response team early.
- Record the patch status and completion date in your DSPT risk register.
SimpleHelp Has a Flaw That Hands Over Full Control
SimpleHelp is remote monitoring and management software, the kind of tool IT support teams and managed service providers use to connect to and control other people's computers to fix problems. A critical flaw (CVE-2026-48558) means that, where a certain login method is switched on, an attacker with no account at all can forge a login token and get full "technician" access, which is enough to control every computer the tool manages. Criminals are already using this flaw to install information-stealing malware known as Djinn Stealer. It has been given one of the highest possible severity scores, and the NHS England National CSOC assesses that further exploitation is highly likely.
Remote support tools like SimpleHelp are often used by third-party IT providers and managed service providers to look after many client organisations at once, including NHS suppliers and smaller digital health companies who outsource their IT support. If an attacker breaks into the support platform itself, they can potentially reach every computer it manages in one go. This is a textbook supply chain risk, and it deserves urgent attention from anyone using SimpleHelp directly, or indirectly through a support provider.
Recommendations
- Ask your IT support provider or managed service provider whether they use SimpleHelp and, if so, whether the fix has been applied (version 5.5.16 or 6.0 RC2 and later).
- If you run SimpleHelp yourselves, check whether the affected login method (OpenID Connect) is switched on, and patch immediately regardless.
- Review technician account activity for anything unexpected, particularly new sessions or bulk access to devices.
- Reset credentials for any accounts that may have been exposed and consider turning off the affected login method until patching is confirmed.
- Treat this as a supplier assurance matter: ask managed service providers and IT support partners for written confirmation that they have fixed it.
North Korean Hackers Flood Free Code Libraries With Over 100 Fake Tools
Security researchers at Socket have found that hackers linked to North Korea published 108 fake or booby-trapped software packages and browser add-ons across several free, widely used code libraries, including npm, Packagist, Go and the Google Chrome Web Store. The campaign, called PolinRider, is linked to an older North Korean operation known for tricking software developers with fake job offers and interviews. The bad packages are made to look like normal, trustworthy tools that a developer might download without checking too closely, and researchers expect more to keep appearing.
Many NHS suppliers and digital health companies build their own software, and almost all modern software is built using hundreds of small, free code packages written by other people. If a developer accidentally installs one of these fake packages, attackers can gain a foothold inside the company's own systems or steal passwords and access keys that can later be used to attack the company's customers, including NHS organisations. It only takes one bad building block to put everything built on top of it at risk.
Recommendations
- Remind development teams to check package names carefully before installing anything new, especially ones that look almost identical to well-known packages.
- Use tools that scan open-source dependencies for known malicious or suspicious packages before they are added to a project.
- Review recent additions to your software's dependency list for anything unexpected or unfamiliar.
- Limit how much access build systems and developer accounts have, so that one compromised package cannot reach everything.
- If your organisation is an NHS supplier, add open-source supply chain checks to your existing supplier assurance and DSPT processes.
AdaptHealth Breached After Contractor Social Engineering Attack
AdaptHealth, a US company that supplies home medical equipment, has said criminals tricked one of its outside contractors into handing over access to its cloud systems. Once inside, the attackers reached the company's patient management system, its document storage, and portals linked to electronic health records. They stole a file of passwords used for insurance billing, along with personal and health information belonging to patients. AdaptHealth found out about the break-in when the attackers contacted the company directly in mid-June to say they had stolen data. A criminal group called ShinyHunters has since claimed responsibility and listed AdaptHealth on its leak site, threatening to publish the stolen data if a ransom is not paid.
This breach was not caused by a software bug. It happened because someone was tricked into handing over access, which shows that even well-patched systems can be broken through people rather than technology. NHS suppliers and digital health companies often rely on third-party contractors and cloud platforms in the same way AdaptHealth did, so this is a reminder that supplier and contractor access needs the same scrutiny as staff accounts. ShinyHunters has targeted healthcare and other data-rich organisations before, and stolen password files can be reused to break into other connected systems, so any organisation with shared supplier relationships should treat this as a warning sign.
Recommendations
- Review which third-party contractors and suppliers have access to your cloud systems, and limit that access to only what they need.
- Provide regular social engineering and phishing awareness training to staff and contractors who can approve access requests.
- Require multi-factor authentication for all contractor and third-party accounts, not just employee accounts.
- Check whether any of your suppliers reuse passwords across systems, and ask them to confirm this practice has been reviewed.
- Have a clear, tested process for verifying unexpected contact from anyone claiming to have breached your systems, and involve your incident response team immediately.
- Log third-party access reviews and contractor security assurance in your DSPT supplier records.
Want Help Staying Ahead of Threats Like These?
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services and find out how we support UK digital health organisations, healthtechs, and NHS suppliers with practical, hands-on cybersecurity assurance.