Connect with us

Infosecurity

Medtronic data breach: 3.8 million patients notified after ShinyHunters attack

Published

on

Medtronic data breach

3.8 million patients caught in Medtronic breach

Medtronic, the world’s largest medical device maker, has begun notifying more than 3.8 million people that their personal and health information may have been stolen in a cyberattack tied to the notorious ShinyHunters hacking group. The scale of the incident makes it one of the largest healthcare-related data breaches in recent memory.

The company first acknowledged the intrusion on April 24, saying an unauthorized party had accessed certain corporate IT systems. At the time, Medtronic stated it had not identified any connections to its customers. That assessment changed dramatically in late June.

On June 29, the California Attorney General’s office released a copy of Medtronic’s official notification letter. In it, the company warned that patient data was indeed compromised. “As a patient with a Medtronic medical device, our company collects data related to you in order to provide important product-related updates and to meet our legal obligations,” the letter stated.

What data was exposed?

According to the notification, hackers made off with a trove of sensitive information. The exposed data includes:

  • Social Security numbers
  • Health-related data
  • Full names
  • Contact information (addresses, phone numbers, emails)
  • Dates of birth

The company said it has “no evidence that impacted information has been publicly posted or exposed on the internet.” Still, the potential for identity theft or medical fraud remains significant. Medtronic is offering affected individuals 24 months of free credit monitoring, dark web surveillance, and identity theft restoration services.

ShinyHunters and the medtech threat

Security researchers have linked the Medtronic breach to the ShinyHunters cybercrime group. The gang has a long track record of targeting healthcare and technology firms, often selling stolen databases on underground forums. This incident underscores a worrying trend: medical device companies are increasingly in the crosshairs.

Medtronic’s size makes it a particularly attractive target. The company’s devices — including pacemakers, insulin pumps, and spinal cord stimulators — are implanted in millions of patients worldwide. That creates a vast repository of linked personal and medical data.

A pattern of attacks on medical device firms

The Medtronic breach is far from an isolated event. In March, Stryker, another major medical device manufacturer, disclosed that its systems had been wiped in a cyberattack. Federal prosecutors said Iran-backed hackers were behind that incident.

The Stryker attack had real-world consequences. It “had a direct impact on emergency medical services and hospitals within Maryland,” according to court documents. Some hospitals temporarily severed connections to Stryker systems, fearing they could be infected by the wiper malware. That kind of disruption — forcing hospitals to disconnect from critical medical equipment — is a nightmare scenario for healthcare providers.

Why healthcare data is a prime target

Patient records are among the most valuable types of stolen data on the black market. A single health record can sell for far more than a credit card number. That’s because it contains everything needed for identity theft: name, address, SSN, date of birth, and medical history. Criminals can use it to file fraudulent insurance claims, obtain prescription drugs, or open lines of credit.

For a company like Medtronic, the stakes are even higher. The data breach could erode patient trust in the safety of connected medical devices. Many patients already worry about the cybersecurity of implantable devices. Incidents like this only amplify those fears.

What Medtronic patients should do now

If you have a Medtronic device, you may be among the 3.8 million affected. The company is mailing notification letters, but you don’t have to wait. Here are steps to take immediately:

  • Enroll in the offered credit monitoring. Medtronic is providing 24 months of free service. Take advantage of it.
  • Place a fraud alert on your credit reports with Equifax, Experian, and TransUnion. This makes it harder for someone to open accounts in your name.
  • Monitor your medical bills and Explanation of Benefits (EOB) statements. Look for services you didn’t receive — that’s a red flag for medical identity theft.
  • Change passwords on any accounts you use to manage your Medtronic device or patient portal. Enable two-factor authentication where available.

The breach also serves as a reminder to review your privacy settings on any connected health device. How to check if your medical device data is secure is a topic more patients should learn about.

A growing regulatory spotlight

The Medtronic notification was publicly filed with the California Attorney General, as required by state law. California’s data breach notification rules are among the strictest in the U.S., mandating that companies disclose breaches affecting residents without delay.

Federal regulators are also paying closer attention. The FDA has issued guidance on cybersecurity for medical devices, and lawmakers have introduced bills aimed at strengthening protections. But the pace of regulation often lags behind the speed of cyberattacks.

For now, the burden falls on patients to stay vigilant. The Medtronic data breach is a stark reminder that in the age of connected healthcare, your medical data is only as secure as the weakest link in a global supply chain.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Infosecurity

Agentic AI Helped a Lone Attacker Breach Cloud Systems in 72 Hours — Here’s How

Published

on

A 72-Hour Cloud Compromise Fueled by Agentic AI

It used to take weeks for a lone attacker to pull off a cloud compromise. Now, thanks to agentic AI, it can happen in three days. That’s the central finding from a new report by Israeli security vendor Sygnia, titled Inside an AI-Assisted Cloud Attack: Familiar Techniques at Unfamiliar Speed.

The report details how a single threat actor broke into an AWS environment, aiming for extortion. They didn’t rely on novel malware or zero-day exploits. Instead, they weaponized AI to accelerate tried-and-tested cloud attack methods. The result? A complete compromise in just 72 hours — a timeline that would have traditionally spanned weeks.

This isn’t a story about a new vulnerability. It’s a story about speed, scale, and the exploitation of basic control gaps.

How the Attack Unfolded: Secrets, Backdoors, and Impact Actions

The attacker began by obtaining an access key to one of the target’s AWS accounts. The entry point? Weaknesses in an internet-facing application — a common but often overlooked flaw.

Once inside, they deployed agentic AI workflows to run four parallel tasks simultaneously:

  • Searching for secrets and credentials across the AWS environment. This included plaintext secrets in S3 buckets, API keys from application databases, credentials stored in AWS Secrets Manager, and parameters in AWS Systems Manager Parameter Store.
  • Creating backdoors and persistence mechanisms — such as spinning up new access keys and IAM users, establishing reverse shells on EC2 instances and ECS containers, and modifying deployment files.
  • Exfiltrating data from RDS databases.
  • Performing impact actions to demonstrate capability: denying access to S3 buckets, scaling ECS services down to zero, creating ACL rules to block network access, and purging SQS queues.

These aren’t exotic techniques. But running them concurrently with AI orchestration made them devastatingly fast.

Why the Attack Succeeded: Visibility and Identity Gaps

The report stresses that the attacker didn’t just benefit from AI. They also benefited from the organization’s weaknesses in visibility, monitoring, identity controls, and incident preparedness.

Secrets management was a mess. Identity governance had holes. Deployment workflows lacked guardrails. Cloud permissions were overly permissive. In short, the environment was primed for exploitation — and agentic AI simply turned the crank faster.

Avi Dayan, VP of incident response at Sygnia, put it bluntly: the key takeaway for his team was the speed of movement post-intrusion and the sheer volume of malicious activity executed in a short window.

“This case underscores a growing challenge for defenders,” Dayan said. “As large language models and agentic AI become more accessible, they have the potential to lower the barrier to entry, accelerate attack workflows, and enable less sophisticated or resource-constrained threat actors to operate with unprecedented speed and scale.”

What Defenders Can Do: Containment Measures That Matter

Sygnia’s report doesn’t just describe the problem — it offers a set of practical containment measures for network defenders. Here’s what they recommend:

  • Restrict cloud management access through IP allowlisting, permitting access only from trusted locations.
  • Disable remote access VPN connectivity until containment steps are complete.
  • Restrict outbound internet connectivity for workloads, servers, and cloud resources to approved destinations only.
  • Apply firewall policies and network ACLs to block communication with known malicious infrastructure and restrict access to accidentally exposed assets.
  • Enforce IP restrictions on source code repositories and development platforms.
  • Route all app traffic through web application firewalls (WAFs).
  • Implement network segmentation and isolation controls to limit lateral movement.

These aren’t flashy solutions. They’re basics. But as this attack shows, basics matter more than ever when attackers can move at AI speed.

The Bigger Picture: Agentic AI Lowers the Bar for Attackers

This isn’t the first time researchers have flagged the threat of agentic AI in cyberattacks. Earlier this year, a separate team claimed they had built the first fully agentic ransomware, dubbed JadePuffer. The pattern is clear: AI isn’t just helping defenders — it’s supercharging attackers.

What makes this case particularly sobering is that the attacker wasn’t a sophisticated nation-state group. It was a lone actor, using publicly available AI tools to multiply their reach. The techniques were old. The speed was new.

For cloud security teams, the message is urgent: fix your identity governance, lock down your secrets management, and improve your visibility. Because the next attacker might not need weeks. They might only need a weekend.

If you’re looking to shore up your defenses, start with cloud security breach prevention and incident response speed improvements. The clock is ticking faster than ever.

Continue Reading

Infosecurity

China-Linked Hackers Build a Proxy Army: New Malware Fuels a Growing Relay Network

Published

on

China-linked APT

The Relay Network That Keeps on Growing

A hacking group tied to China is quietly building a bigger, more dangerous network of hijacked devices. Researchers at Cisco Talos have been tracking a group they call UAT-7810, and what they’ve found is a sprawling mesh of compromised routers and other edge devices. The purpose? To let other hackers hide their tracks.

This is what security pros call an Operational Relay Box (ORB) network. Think of it as a botnet-for-hire, but instead of launching attacks, it routes traffic. Other threat actors pay — or trade favors — to bounce their malicious traffic through these boxes, making it nearly impossible to trace back to the source. Talos assesses with high confidence that UAT-7810 is a China-nexus advanced persistent threat (APT) group.

The network itself has a name: LapDogs. It was first exposed back in 2025, but it’s still alive and kicking. In fact, it’s getting bigger.

How They Break In: Old Bugs, New Victims

UAT-7810 doesn’t use sophisticated zero-days. Their playbook is simpler: scan for unpatched vulnerabilities in widely used hardware, then exploit them. It’s a low-effort, high-reward strategy that relies on one thing — organizations failing to apply security updates.

Since 2025, the group has been targeting flaws in Ruckus wireless routers. But earlier this year, they added a new trick: exploiting a bug in ASUS routers to fold those devices into the LapDogs network too. The choice of targets is telling. Routers sit at the edge of networks, often forgotten, rarely patched. They’re the perfect blind spot.

Talos researchers noted that the group’s infrastructure remains active. This isn’t a relic of past campaigns — it’s a live, breathing operation.

The Malware Arsenal: LONGLEASH, DOGLEASH, and JARLEASH

To manage and expand their proxy army, UAT-7810 has been developing a suite of custom malware. The centerpiece is an upgraded backdoor called LONGLEASH. It’s an evolution of an earlier tool, but with a crucial new capability: proxying. LONGLEASH can relay commands from one infected machine to another, turning each compromised device into a node in a larger relay chain.

But that’s not all. Talos uncovered two previously unknown backdoors:

  • DOGLEASH — a backdoor that runs commands on compromised Linux devices. It’s lightweight, designed for quick execution on routers and embedded systems.
  • JARLEASH — a Java-based tool used to manage the group’s command-and-control servers. Its configuration file contained comments written in Simplified Chinese, a strong indicator that the operators are Chinese-speaking.

The group also built a test program aimed at MIPS-based devices. That’s significant. MIPS architecture is common in older routers and IoT gear. By testing on MIPS, UAT-7810 signals they’re still refining their tools for the broadest possible range of hardware. They want every router they can get.

What This Means for Defenders

ORB networks like LapDogs are a growing headache for cybersecurity teams. They’re not just a problem for the owners of the hijacked devices — they’re a force multiplier for other attackers. A China-linked APT group targeting a high-value organization can route its espionage traffic through a dozen compromised home routers in three different countries. Good luck tracing that.

The takeaway here is brutally simple: patch your edge devices. Routers, firewalls, VPN concentrators — if it sits on the network boundary and has a web interface, it’s a target. UAT-7810 is exploiting known vulnerabilities, some of which have had patches available for months or years. The gap between a patch being released and an organization applying it is exactly the window these groups exploit.

For more context on how these relay networks operate, check out our earlier report on the LapDogs ORB network targeting US and Asia. And if you’re responsible for network security, now might be a good time to audit your router firmware versions.

Active and Adapting

Talos’s findings are based on direct tracking of the group’s malware and servers, which they confirm remain operational. UAT-7810 isn’t slowing down. They’re adding new exploits, developing new backdoors, and expanding their network of unwitting proxies. The LapDogs network may have been exposed in 2025, but it’s far from dead.

The lesson? In cybersecurity, the infrastructure that enables attacks is often more valuable than the attacks themselves. And right now, a China-linked APT is building infrastructure at scale.

Continue Reading

Infosecurity

Hackers Actively Exploit Maximum Severity Adobe ColdFusion Flaw Hours After Patch Release

Published

on

Adobe ColdFusion flaw

Critical ColdFusion Bug Under Active Attack

Adobe is urging every organization running Adobe ColdFusion to apply the latest patches immediately. A maximum severity vulnerability — rated a perfect 10 on the CVSS scale — is already being exploited in the wild.

The company released fixes for 11 CVEs on June 30 as part of bulletin APSB26-68. Six of those vulnerabilities received the highest possible severity score. Security researchers flagged that one of them, CVE-2026-48282, was targeted within hours of the bulletin going public.

It’s a path traversal weakness in the popular web application development platform. If exploited, it can lead to arbitrary code execution — giving attackers full control over the affected server.

According to data from the ShadowServer Foundation, there are 775 exposed ColdFusion instances online. That’s a relatively small attack surface, but each one represents a potential entry point into a corporate network.

What Makes This Adobe ColdFusion Flaw So Dangerous

Maximum severity bugs are rare. A CVSS score of 10 means the vulnerability is trivial to exploit and requires no user interaction. An attacker doesn’t need to trick an admin into clicking a link or opening a file. They can simply send a crafted request to the server and compromise it.

CVE-2026-48282 fits that description perfectly. It’s a path traversal flaw — a type of bug that lets an attacker read or write files outside the intended directory. In ColdFusion’s case, that can escalate to full remote code execution.

At the time of writing, CVE-2026-48282 and the other vulnerabilities listed in APSB26-68 were not yet in CISA’s Known Exploited Vulnerabilities catalog. That will almost certainly change in the coming days.

Adobe Changes Its Patching Cadence

Adobe is also changing how often it ships security updates. Starting this year, the company moved from a monthly to a twice-monthly publication schedule for security advisories.

Chief security officer Aanchal Gupta explained the reasoning: “Twice-monthly bulletins will enable us to keep pace with the era of frontier AI. More vulnerabilities found means more fixes to deploy and a once-a-month publication window is no longer fast enough to stay ahead of our adversaries.”

Gupta added that the new cadence is a direct result of investing in improved vulnerability discovery. “AI accelerates discovery, but resilience still rests on the fundamentals: visibility, layered controls, continuous monitoring, and the discipline to ship fixes quickly once they are found.”

It’s a clear acknowledgment that attackers are moving faster than ever. The exploitation of this Adobe ColdFusion flaw within hours of the patch proves that point.

ColdFusion Remains a Prime Target

Adobe said it is not aware of any other exploits in the wild for CVE-2026-48282 or the other flaws published in APSB26-68. But the company’s own history suggests caution is warranted.

In 2023, threat actors targeted ColdFusion in a wave of attacks — using them for crypto-mining, DDoS operations, and other malicious activity. The platform is a popular target because it often sits on internal networks and runs with high privileges.

For defenders, the message is simple: patch now. A vulnerability with a CVSS score of 10 that’s already being exploited is not something to leave for the next maintenance window.

What Administrators Should Do Right Now

If you run any version of ColdFusion, here are the immediate steps:

  • Review Adobe’s APSB26-68 security bulletin and identify your affected version.
  • Apply the latest patch immediately — do not wait for a scheduled maintenance window.
  • Check your logs for signs of exploitation, particularly unusual file access or unexpected process execution.
  • Ensure your ColdFusion instance is not directly exposed to the internet unless absolutely necessary.
  • Monitor CISA’s Known Exploited Vulnerabilities catalog for updates related to CVE-2026-48282.

The window between disclosure and exploitation is shrinking. This Adobe ColdFusion flaw is the latest reminder that patching speed matters more than ever.

Continue Reading

Trending