November tested the resilience of healthcare IT teams. From ransomware campaigns to critical flaws in trusted platforms like VMware, Fortinet, and Okta, cyber threats came from all angles, targeting systems that healthcare organizations rely on daily.
These challenges involve safeguarding patient care and protecting systems. Each threat underscores the need to stay prepared and proactive in the face of evolving risks.
Here’s a recap of November’s key threats and actionable steps your organization can take to strengthen defenses and stay secure.
VMware Helldown Ransomware Campaign
The Helldown ransomware campaign exploited vulnerabilities in VMware’s ESXi hypervisors, targeting virtualized environments critical to healthcare operations. These attacks threatened patient data and operational continuity, underscoring the need for robust defenses in cloud and virtual infrastructures.
Apply VMware’s latest security patches, review access controls, and limit administrative privileges to prevent further compromise.
For more details, check out our Helldown VMWare bulletin.
Fortinet VPN Brute-Force Exploits
Fortinet VPNs faced a surge of brute-force attacks, exposing a design flaw in the logging mechanism that allowed attackers to validate credentials undetected. These vulnerabilities highlighted the critical importance of multi-factor authentication (MFA) and strong password policies.
Implement MFA, monitor for suspicious login attempts, and tighten password policies to mitigate these risks.
For more insights, read our Fortinet VPN bulletin.
LightSpy and DeepData Framework Attacks
The APT41 group used LightSpy malware and the DeepData framework to exploit vulnerabilities in Microsoft and Fortinet products. These sophisticated campaigns targeted healthcare organizations to steal sensitive data and disrupt critical systems.
Strengthen defenses by applying patches, segmenting networks, and deploying advanced endpoint detection tools to identify and block malicious activity.
Learn more in our LightSpy and DeepData bulletin.
UPDATE: FortiManager Authentication Vulnerability Actively Exploited by DeepData Malware Campaign
An API vulnerability in FortiManager allowed attackers to execute arbitrary code and exploit affected systems using the DeepData malware campaign. With a CVSS score of 9.8, this flaw exposed sensitive configurations and credentials, posing a significant risk to healthcare networks.
Fortinet released updates for versions 7.2.8 and 7.4.5, while organizations implemented mitigations for older versions, such as limiting device connections to trusted IP addresses and using custom certificates.
For a detailed analysis, visit our FortiManager DeepData bulletin.
Remote Authentication Bypass in Palo Alto Firewall Provides Administrative Privileges
A remote authentication bypass vulnerability in Palo Alto Networks’ firewalls gave attackers administrative privileges, jeopardizing healthcare systems relying on these devices for network security.
Healthcare organizations responded by upgrading affected devices to the latest software versions and deploying mitigations, including strict access controls and enhanced monitoring for unusual activity.
Learn more about this critical threat in our Palo Alto firewall bulletin.
Becton Dickinson Unauthorized Access Incident
Becton Dickinson (BD) disclosed unauthorized access to product service credentials used by its technical support teams. Although no incidents of data misuse have been reported, this vulnerability posed potential risks, including system downtime, data manipulation, or delays in medication delivery.
BD terminated the unauthorized access, implemented additional security measures, and advised customers to update their credentials to mitigate further risks.
For more details, read our Becton Dickinson bulletin.
Actively Exploited Microsoft Exchange Vulnerability Patched
A zero-day vulnerability in Microsoft Exchange was actively exploited in November, enabling attackers to bypass authentication and gain unauthorized access to mail servers. This flaw posed a severe risk to healthcare organizations that rely on Exchange for secure communication.
Healthcare IT teams rapidly deployed Microsoft’s patches to close the vulnerability and conducted audits to ensure their systems were compromise-free.
For more insights, explore our Microsoft Exchange bulletin.
NTLM Spoofing Vulnerability
A critical NTLM vulnerability enabled attackers to obtain user credentials with minimal interaction, allowing unauthorized access to sensitive systems.
Suggested measures, such as applying Microsoft’s November updates, enforcing MFA, and educating users to avoid interacting with suspicious files, reduce the risk of exploitation.
Check out our detailed analysis in the NTLM spoofing bulletin.
RISK:STATION Zero-Click Allows Root Level RCE on Millions of Synology NAS
A critical bug in Synology NAS devices allowed attackers to execute root-level remote code without user interaction. This vulnerability allowed data theft, ransomware infections, and system backdoors.
Healthcare teams secured NAS devices by applying patches, reviewing network access controls, and segmenting storage to prevent unauthorized access.
For more details, see our RISK:STATION NAS bulletin.
Midnight Blizzard Spear-Phishing Campaign
The Russian threat group Midnight Blizzard launched a phishing campaign targeting healthcare organizations. Using malicious Remote Desktop Protocol (RDP) files, attackers gained unauthorized access to networks, deployed ransomware, and harvested credentials.
To counteract this threat, restrict RDP connections, train staff to recognize phishing attempts, and implement phishing-resistant authentication methods.
Explore the full story in our Midnight Blizzard bulletin.
Okta Authentication Bypass
A vulnerability in Okta’s AD/LDAP Delegated Authentication system allowed attackers to bypass password verification for usernames exceeding 52 characters. Without MFA, this flaw posed a serious threat to healthcare networks.
Healthcare IT teams should act quickly to enable MFA, review logs for unauthorized access, and update to Okta’s patched version to secure their systems.
For more details, see our Okta authentication bulletin.
Building Resilience in Healthcare IT
Cybersecurity isn’t just about patching systems—it’s about creating a culture of resilience. It’s about empowering your teams, staying ahead of emerging threats, and ensuring that patient care never skips a beat.
Are you curious about how the pros do it? Watch Keeping Healthcare Healthy: A Cybersecurity Discussion, our on-demand expert panel, to hear real-world strategies and practical advice from leaders on the frontlines of healthcare cybersecurity. You’ll walk away with actionable insights to strengthen defenses and safeguard what matters most.
