✨ The Containment Era is here. Secure AI workloads before they breach. →The Containment Era is here. →The Containment Era is here. →Explore ✨
Health Care / Life Sciences
Breach intelligence, attack campaigns, and threat reports targeting the Health Care / Life Sciences sector.
Explore Other Sectors
Health Care / Life Sciences Threat Reports
Bluekit's Evolution: Browser-in-the-Middle Phishing Attacks
In June 2026, the Bluekit phishing-as-a-service platform introduced browser-in-the-middle (BitM) capabilities, enhancing its ability to steal user credentials. This method involves the attacker controlling a browser session that loads legitimate login pages, intercepting user inputs and session tokens. By leveraging the open-source JavaScript library 'rrweb,' Bluekit streams the page's DOM over a WebSocket connection, allowing real-time interaction and data theft. This evolution signifies a shift towards more sophisticated phishing techniques that can bypass traditional security measures, including multi-factor authentication (MFA). Organizations must be aware of these advanced tactics to bolster their defenses against such threats.
13 hours ago
Kill Chain
Cisco SD-WAN Zero-Day CVE-2026-20245 Exploited
In June 2026, a high-severity zero-day vulnerability, CVE-2026-20245, was discovered in Cisco Catalyst SD-WAN Manager. This flaw allows authenticated attackers with netadmin privileges to execute arbitrary commands as root by uploading specially crafted files. Exploitation of this vulnerability has been observed in the wild, leading to unauthorized configuration changes on edge devices. Notably, attackers have been exploiting this vulnerability for months prior to its public disclosure, highlighting significant security gaps in the SD-WAN infrastructure. The exploitation of CVE-2026-20245 underscores a concerning trend of increasing attacks targeting SD-WAN solutions. Organizations relying on Cisco's SD-WAN products must prioritize immediate mitigation strategies, as the absence of a patch leaves systems vulnerable to potential breaches and operational disruptions.
14 hours ago
Kill Chain
Understanding 'Prompt Injection as Role Confusion' and Its Implications for AI Security
In February 2026, researchers Charles Ye, Jasmine Cui, and Dylan Hadfield-Menell published a study titled "Prompt Injection as Role Confusion," highlighting a critical vulnerability in large language models (LLMs). The study reveals that LLMs often misinterpret the source of text based on its style rather than its origin, leading to 'role confusion.' This flaw allows malicious actors to craft inputs that mimic authoritative roles, effectively bypassing safety protocols and manipulating the model's behavior. The researchers demonstrated that by injecting deceptive reasoning into user prompts and tool outputs, they achieved success rates of 60% on StrongREJECT and 61% on agent exfiltration tasks across various LLMs. This indicates a significant security gap where models assign authority in latent space, making them susceptible to prompt injection attacks. ([arxiv.org](https://arxiv.org/abs/2603.12277?utm_source=openai)) The study underscores the urgent need for enhanced security measures in AI systems, as prompt injection attacks exploit fundamental weaknesses in LLMs' role recognition. As AI integration expands across industries, understanding and mitigating such vulnerabilities is crucial to prevent unauthorized data access and manipulation. ([arxiv.org](https://arxiv.org/abs/2603.12277?utm_source=openai))
22 hours ago
Kill Chain
Critical Check Point VPN Vulnerability Exploited by Ransomware
In May 2026, a critical authentication bypass vulnerability (CVE-2026-50751) was discovered in Check Point's Remote Access VPN and Mobile Access products, specifically affecting configurations using the deprecated IKEv1 protocol. This flaw allowed unauthenticated attackers to establish VPN sessions without valid credentials, granting them unauthorized access to internal networks. Exploitation of this vulnerability began on May 7, 2026, with at least one incident linked to a Qilin ransomware affiliate. The vulnerability was publicly disclosed on June 8, 2026, and patches were subsequently released. ([mishcon.com](https://www.mishcon.com/news/active-exploitation-of-check-point-vpn-authentication-bypass-vulnerability-cve202650751?utm_source=openai)) The incident underscores the risks associated with relying on outdated protocols and the importance of timely patching. It also highlights the evolving tactics of ransomware groups, who are increasingly exploiting vulnerabilities in widely used security products to gain initial access. Organizations must reassess their security architectures to ensure they are not solely dependent on perimeter defenses, which can be compromised through such vulnerabilities.
22 hours ago
Kill Chain
Operation Endgame: A Major Blow to Amadey and StealC Malware Networks
In June 2026, an international coalition led by Europol, in partnership with Microsoft and other private entities, executed Operation Endgame to dismantle the infrastructure supporting the Amadey and StealC malware operations. This coordinated effort resulted in the disruption of 326 servers and 142 domains, the identification of over €41 million in illicit cryptocurrency, and the recovery of approximately 27 million stolen credentials from more than 385,000 compromised systems. The operation targeted the cybercrime assembly line, aiming to increase friction for cybercriminals and hinder their ability to conduct attacks. The significance of this operation lies in its comprehensive approach to disrupting malware-as-a-service platforms that facilitate initial access, credential theft, and subsequent deployment of ransomware or financial fraud. By targeting the foundational infrastructure of these malware families, law enforcement and private partners have set a precedent for future collaborative efforts to combat cybercrime at its roots.
1 day ago
Kill Chain
Cisco SD-WAN Zero-Day CVE-2026-20245: Active Exploitation with No Patch Available
In June 2026, Cisco disclosed CVE-2026-20245, a high-severity zero-day vulnerability in its Catalyst SD-WAN Manager, which was actively exploited in the wild. This flaw allows authenticated attackers with netadmin privileges to upload crafted files and execute arbitrary commands as root, potentially compromising the entire SD-WAN infrastructure. The vulnerability affects all deployment types, including on-premises, Cloud-Pro, Cisco Managed Cloud, and FedRAMP environments. Notably, this marks the seventh SD-WAN zero-day exploited in 2026, highlighting a concerning trend of targeted attacks on Cisco's SD-WAN solutions. Organizations utilizing Cisco SD-WAN should prioritize mitigating this vulnerability by restricting and auditing netadmin accounts, isolating management interfaces, and monitoring for anomalous command executions. ([thecybersignal.com](https://www.thecybersignal.com/cisco-catalyst-sd-wan-manager-cve-2026-20245-zero-day-exploited-no-patch-2026/?utm_source=openai))
1 day ago
Kill Chain
Global Coalition Dismantles Amadey and StealC Malware Networks
In June 2026, an international law enforcement operation, in collaboration with private sector partners including Microsoft, Bitdefender, Bitsight, and ESET, successfully dismantled the infrastructure supporting the Amadey and StealC malware networks. This coordinated effort led to the seizure of 326 servers and 142 domains, the identification and restriction of over $47 million in illicit cryptocurrency assets, and the recovery of approximately 27 million stolen login credentials. The operation targeted the 'assembly lines' used by cybercriminals to launch ransomware, financial fraud, and attacks on critical infrastructure. This takedown underscores the growing effectiveness of public-private partnerships in combating cybercrime. By disrupting the infrastructure of malware-as-a-service operations like Amadey and StealC, authorities have significantly hindered the ability of cybercriminals to execute large-scale attacks, highlighting the importance of collaborative efforts in enhancing global cybersecurity.
1 day ago
Kill Chain
Critical macOS Vulnerability Allows Disabling of Security Tools Without Admin Credentials
In June 2026, researchers at XM Cyber identified a macOS vulnerability that allows users with standard privileges to disable enterprise security tools and execute privileged functions without administrator credentials. This flaw exploits how macOS establishes and validates application trust information, enabling attackers to impersonate trusted application components and perform actions reserved for privileged processes. The technique was demonstrated to disable CrowdStrike Falcon Endpoint Detection and Response (EDR) and Kandji Mobile Device Management (MDM) without triggering alerts or requiring kernel exploits. The issue potentially affects other macOS applications that provide privileged Cross-Process Communication (XPC) services and rely on Apple's CDHash for verifying application authenticity. XM Cyber plans to release an open-source tool named XPC Hunter at Black Hat USA in August to help security researchers identify similar vulnerabilities across macOS applications. Apple has been notified but has not responded at press time. This vulnerability underscores the need for organizations to reassess their macOS security configurations and implement additional safeguards to prevent unauthorized access and manipulation of security tools.
1 day ago
Kill Chain
Critical Cisco Unified CM Vulnerability CVE-2026-20230 Exploited in the Wild
In June 2026, a critical server-side request forgery (SSRF) vulnerability, identified as CVE-2026-20230, was discovered in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME). This flaw allows unauthenticated remote attackers to send crafted HTTP requests, enabling arbitrary file writes to the underlying operating system and potential privilege escalation to root. The vulnerability specifically affects deployments with the WebDialer service enabled, which is disabled by default. Cisco has assigned a Security Impact Rating of Critical due to the severity of the potential exploit. The public availability of proof-of-concept exploit code has led to active exploitation of this vulnerability in the wild. Organizations using affected Cisco Unified CM versions are urged to apply the provided patches immediately or disable the WebDialer service to mitigate the risk of unauthorized access and control over their telephony infrastructure.
1 day ago
Kill Chain
The Rise of Autonomous AI Cyber Threats in 2026
In early 2026, the cybersecurity landscape experienced a paradigm shift with the emergence of frontier agentic AI models capable of autonomously discovering and exploiting software vulnerabilities at unprecedented speeds. These AI entities can identify, weaponize, and execute attacks before human defenders can respond, rendering traditional defense mechanisms inadequate. The convergence of IT and OT systems further amplifies the risk, as AI-driven breaches can seamlessly transition from digital to physical infrastructures, leading to potential operational disruptions and safety hazards. This development underscores the urgent need for organizations to reassess their cybersecurity strategies. The rapid evolution of AI-driven threats necessitates the adoption of advanced defense mechanisms that can operate at machine speed, ensuring resilience against these sophisticated adversaries.
1 day ago
Kill Chain
AI-Driven Acceleration in Vulnerability Exploitation Demands Immediate Action
In June 2026, a report highlighted the dramatic acceleration in the exploitation of software vulnerabilities due to AI advancements. The Zero Day Clock indicated that the average time from vulnerability disclosure to exploitation had decreased from 53 days in 2024 to just 8 hours in 2026. This rapid reduction challenges traditional vulnerability management practices, which relied on longer remediation windows. Organizations now face increased risks as attackers can exploit vulnerabilities almost immediately after disclosure, outpacing conventional patching and mitigation efforts. This development underscores the urgent need for organizations to adopt proactive security measures, such as continuous threat exposure management and automated security validation, to effectively address the evolving threat landscape.
2 days ago
Kill Chain
Scattered Spider's 2024 Cyberattack on Transport for London: A Case Study
In late August 2024, the cybercriminal group Scattered Spider infiltrated Transport for London's (TfL) systems, compromising the Oyster refunds system and causing significant operational disruptions. The attack led to the theft of customer data and forced all 28,000 TfL employees to reset their passwords, resulting in financial damages estimated at £29 million ($38.3 million). This incident underscores the escalating threat posed by cybercriminal groups targeting critical infrastructure. Organizations must enhance their cybersecurity measures to prevent similar breaches and mitigate potential operational and financial impacts.
2 days ago
Kill Chain
Stop Active Cloud Data Exfiltration
Aviatrix Breach Lock helps teams instantly identify what data is leaving the environment, from which workload, and where it’s going — during an active breach.
Looking for threats in a different sector?
Browse All Threat Reports