Archive for Hacked

ShinyHunters Pwns Odido affecting millions

Posted in Commentary on February 24, 2026 by itnerd

The ShinyHunters extortion gang has claimed responsibility for breaching Dutch telecommunications provider Odido and stealing millions of user records from its compromised systems.

Commenting on this news is Lidia Lopez, Senior Threat Intelligence Analyst at Outpost24:

“This incident fits a pattern we have been tracking from 2025 into 2026: ShinyHunters-linked operations often rely on social engineering to get legitimate access into SaaS environments, then export data and use leak sites for extortion. The common playbook is email and phone pretexting where attackers impersonate IT, a vendor, or support and push a fake “required update” or “security tool,” or trick staff into authorizing a rogue connected app. That gives them access through the identity layer, which can open downstream systems like customer support and contact platforms used across many organizations.

For Odido, “ShinyHunters” claims the breach is larger and includes “plain text” passwords, but that specific claim should be treated as unverified until independently validated or confirmed by the company or the authorities. Researchers suspect that the “plain text password” could refer to a readable password-like field in a CRM, such as a customer-service verification word stored in Salesforce, rather than customers’ online login passwords. Either way, plain text storage is serious: if it is a verification word, it makes impersonation and account fraud much easier when combined with identity data and financial identifiers; if it is an actual login password, it enables immediate account takeover at scale because attackers do not need to crack anything and password reuse can cascade the impact far beyond Odido.”

This is big, as Odido has 6.9 million customers as of January 2024, so it is a safe bet that this will not end well for those customers. It also highlights that every effort needs to be made to keep the bad guys out so that conversations like this are not the norm.

PayPal Pwned… And They May Have Been Pwned For Months

Posted in Commentary on February 23, 2026 by itnerd

PayPal recently disclosed a data breach that affected customers’ personal information and led to fraudulent transactions. Exposed information included names, email addresses, dates of birth, phone numbers, and business addresses combined with SSNs. What is more problematic is that according to this, this breach might have been a thing for about six months.

Ensar Seker, CISO at SOCRadar:

“This incident is a classic example of how “application logic flaws” can be just as damaging as external hacks. When sensitive financial workflows like loan applications are misconfigured, attackers don’t need sophisticated malware, they simply exploit business logic errors. The six-month exposure window is particularly concerning because it suggests monitoring and anomaly detection controls were either insufficient or not tuned to detect misuse at the application layer.

What stands out here is the downstream fraud. That means the exposed data was not just leaked, it was operationalized. Financial platforms must treat every internal workflow as an attack surface, especially those connected to credit, lending, and identity verification. Continuous validation, red-team testing of business processes, and behavioral fraud analytics are critical to prevent these quiet but highly monetizable exposures.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy:

“This data breach exposes how a coding error in an online application can expose customers’ data to hackers. Unfortunately, the breach exposed valuable information about PayPal customers, including business details, including the Social Security Numbers of those affected. Affected customers should closely monitor their credit lines and accounts, especially staying alert for new accounts. Hopefully, PayPal will offer some type of assistance for these customers to assist them in keeping track of their credit and financial accounts.”

Now I have had a look at my PayPal account and I don’t see anything unusual. And I strongly suggest that anyone with a PayPal account do the same, as given the length of time that this was out there, the possibility that you might have been affected exists.

Cyber Attack Against Cheyenne and Arapaho Tribes Claimed by Rhysida

Posted in Commentary on February 18, 2026 by itnerd

Comparitech is reporting that the ransomware gang Rhysida yesterday took credit for a December 2025 cyber attack against the Cheyenne and Arapaho Tribes’ IT systems. 

Commenting on this is Rebecca Moody, Head of Data Research at Comparitech: 

“At the moment, it’s unclear what, if any, data Rhysida has actually stolen. According to the initial statement from the Cheyenne and Arapaho Tribes, no data was impacted in the recent cyber attack. However, we sometimes see these statements being updated following further investigations. Alternatively, Rhysida could have been successful in encrypting systems but not in stealing data, and has decided to try its luck at securing a ransom demand by alleging a breach anyway. 

Whatever the case, it’s important that the Cheyenne and Arapaho Tribes promptly address these latest claims and confirm whether or not Rhysida’s allegations are true. If data has been impacted, it’s crucial employees and citizens are able to take all of the necessary steps to safeguard their data as soon as possible. As a precaution, I’d recommend that they’re on high alert for any phishing messages and monitor accounts for any suspicious activity, just in case.”

Rhysida is another one of those threat actors who are claiming victims on a frequent basis. Your goal is to not be one of those victims. So consider securing your organization from threat actors like Rhysida a priority.

Fake AI Chrome extensions with 300K users steal credentials, emails 

Posted in Commentary on February 13, 2026 by itnerd

News is out detailing a set of 30 malicious Chrome extensions, installed by more than 300,000 users, that masquerade as AI assistants to steal credentials, email content, and browsing information.

Borja Rodriguez, Manager of Threat Intelligence Operations at Outpost24, has provided the following commentary:

“We have repeatedly seen malicious browser extensions bypass review processes and reach significant user adoption before removal. In this case, some extensions accumulated tens of thousands of installs, and others remain available even after public disclosure. That raises legitimate questions about the effectiveness, speed, and consistency of Google’s vetting and monitoring mechanisms for Chrome Web Store submissions.

Over the past few years, Google has demonstrated that it can strictly enforce policy decisions when they align with its strategic priorities, including restrictions that affected ad and tracker blocking extensions. That level of enforcement shows the company has both the technical capability and operational control to act decisively when it chooses to.

However, malicious extensions continue to surface and operate at scale. This suggests that either the automated review systems are insufficient to detect certain abuse patterns, or post-publication monitoring and rapid takedown processes are not robust enough to limit exposure. Given the scale of Chrome’s user base, even a short window of exposure can translate into hundreds of thousands of victims.

The broader concern is trust. Users reasonably assume that extensions listed in an official store have undergone meaningful security scrutiny. When campaigns like this repeatedly succeed, that trust erodes. Stronger proactive detection, improved behavioral analysis of extensions after publication, and faster response cycles are essential to reduce systemic risk.”

This once again highlights the fact that just because something exists, doesn’t mean that you should install it. Especially in the age of AI where your attempt to use what I call “the new hotness” may get you pwned.

Georgia health services provider ApolloMD pwned by Qilin

Posted in Commentary on February 12, 2026 by itnerd

According to the U.S. Department of Health and Human Services Breach Portal, a major cyberattack on ApolloMD, a large healthcare services provider, exposed the personal information of 626,540 people in a breach that occurred May 22-23, 2025. Attackers accessed the company’s IT systems before being detected, and viewed sensitive data tied to ApolloMD’s affiliated physicians and practices, including patient names, addresses, medical diagnoses, insurance info, dates of service, and some social security numbers.

The company first reported the breach in September 2025, and provided authorities with the full number of victims this week.

The ransomware gang Qilin has claimed responsibility for the attack, adding the company to its Tor-based leak site in early June 2025. 

Here’s some commentary on this.

Vishal Agarwal, CTO, Averlon:

“The ApolloMD breach is unlikely to stem from a single missed vulnerability. Maintaining access for two days and reaching sensitive patient records suggests attackers were able to assemble an attack chain that led to protected health information.

“In complex healthcare environments, applications and service identities often accumulate access over time. When systems are overprivileged, an attack chain does not stop at the initial compromise. It expands the blast radius and increases the volume of sensitive data that can be accessed.

“In such environments, an assume-breach mindset and strict enforcement of least privilege are essential. Eliminating unnecessary access paths reduces blast radius and prevents an initial foothold from expanding into material data exposure.”

Michael Bell, CEO, Suzu Labs:

“Dark web intelligence shows over 500 ApolloMD corporate credentials were already circulating on underground forums and Telegram channels before the breach. They came from third-party breaches going back years and were available to anyone who looked. When a healthcare organization holding data on 626,000 patients has that kind of credential exposure on the dark web unaddressed, the ransomware group doesn’t need a zero-day. They need a login.

“238 gigabytes exfiltrated in 48 hours is not subtle. That should trigger every exfiltration alarm in the stack. If it didn’t, the monitoring wasn’t tuned for it. If it did and nobody acted, that’s worse. Qilin had a documented playbook before they hit ApolloMD. The Synnovis attack in 2024 crippled London hospitals and contributed to patient deaths. Their targeting, tools, and techniques were public knowledge.

“Healthcare keeps treating vendor security like a regulatory exercise instead of an operational risk. ApolloMD touches patient data across dozens of physician groups. One vendor compromised, 626,000 patients exposed. And nine months between the breach and the HHS filing means those patients carried the exposure without knowing it. HIPAA requires notification within 60 days of discovery. The math doesn’t work.”

John Carberry, Solution Sleuth, Xcape, Inc.:

“The ApolloMD data breach, which compromised the sensitive medical information of over 626,000 patients, serves as a stark warning that the healthcare industry has become a prime target for sophisticated extortionists globally. The Qilin ransomware group has been identified as the same Russian-linked entity behind the 2024 Synnovis attack. That incident disrupted London hospitals and reportedly led to at least one patient fatality, and it has now extended its “industrialized” extortion tactics to the U.S. healthcare system. Qilin’s impressive efficiency is underscored by its ability to exfiltrate 238GB of data, containing diagnoses and Social Security numbers, in just 48 hours, a speed that overwhelms conventional reactive defense strategies. The delayed revelation of the breach’s full extent, only recently reported to federal regulators, exposes the significant “visibility gap” inherent in managing third-party physician groups.

“Security Operations Centers must understand that Qilin’s objective goes beyond mere financial gain; they leverage operational disruption and the considerable “shame value” associated with sensitive medical diagnoses to compel settlements. Qilin’s admitted involvement further emphasizes the persistent threat posed by ransomware groups to healthcare services and patient safety, echoing previous disruptive attacks on medical providers. The repercussions for patients can extend for years, even when services appear to be unaffected on the surface. Such patient information can be valuable to unscrupulous entities, so further misuses of the exfiltrated data are possible.

“When ransomware can weaponize 600,000 medical records in a single weekend, it underscores the fact that “compliance” is just paperwork but cybersecurity is the lifeblood.”

Groups like Qilin highlight the fact that a robust defence strategy is not optional for organizations. It’s mandatory, or they will simply become another statistic.

Social network for doctors Sermo breached by ransomware attack

Posted in Commentary on February 10, 2026 by itnerd

Comparitech is reporting that Sermo, a social network for doctors, yesterday confirmed it notified 2,674 people of a March 2024 data breach that leaked Social Security numbers.

Rebecca Moody, Head of Data Research, commented: 

“There are two concerning elements to this breach — first, the lengthy delay in notifying those involved in the initial breach from March 2024, and second, the fact that another ransomware gang claimed an attack on the organization nearly a year later. Medusa, the gang behind the second claim, isn’t known for making false claims, so we could likely see a further notification for this attack if users’ or employees’ data was breached. 

I would highly recommend that any user or employee of Sermo, whether they’re part of the 2024 breach or not, be on high alert for any suspicious activity (checking back through historic activity and monitoring things going forward) and take up some form of identity theft protection/monitoring.”

Well, this sucks, because it took a really long time for this to come to light. Nothing good will happen because of that. Let that be a lesson to those in a similar position.

Lynx Claims To Have Pwned Lakelands Public Health

Posted in Commentary on February 4, 2026 by itnerd

Comparitech is reporting that a ransomware group, Lynx, yesterday claimed a cyberattack against Lakelands Public Health in Ontario, Canada. The attack has not yet been confirmed. But seeing as this is in my backyard, I’m interested in following this story.

Commenting on this news is Rebecca Moody, Head of Data Research at Comparitech: 

“As Lakelands Public Health continues to grapple with this attack, it’s important it provides an update on its investigation and Lynx’s ransomware claim as soon as possible. That way, anyone involved can begin to mitigate any potential risks that may arise from the breach (e.g. by monitoring accounts for unauthorized activities and being on high alert for potential phishing messages).

Lynx has been around for nearly two years now and doesn’t tend to fabricate claims. Therefore, I think it’s highly likely there has been some kind of breach of data in this attack. Hopefully, it will be limited. According to our data, Lynx is responsible for the breach of nearly 213,500 records across 17 separate attacks (where breach figures and notifications have been provided).”

If or when this is confirmed, I would be very interested in what the Privacy Commissioner of Ontario has to say as this would have to be reported to them at the very least. That would be very instructive.

Why CVSS Scores Don’t Always Reflect an Exploit’s Actual Severity

Posted in Commentary on February 4, 2026 by itnerd

Today we’re covering Operation Neusploit, the advanced cyberespionage campaign identified by Zscaler ThreatLabz and attributed with confidence to the Russia-linked APT28 (a.k.a. Fancy Bear) threat group, and sharing this perspective on the 7.8 score assigned to the vulnerability it exploits.

Neusploit weaponizes CVE-2026-21509, a Microsoft Office zero-day security bypass vulnerability, to target government and executive organizations in Ukraine, Slovakia, and Romania. It uses native-language social engineering ploys to launch multi-stage infection chains that begin by monitoring login events and forwarding emails to attackers. A dropper then downloads further malicious implants and a post-exploitation framework for command and control as well as lateral movement.

Given the campaign’s potential impact, some have questioned why the vulnerability received a 7.8 Common Vulnerability Scoring System (CVSS) score rather than a higher one.

Sunil Gottumukkala, CEO of Averlon, explained:

“A 7.8 CVSS score for this vulnerability is based on the prerequisites needed for exploitation: #1 the payload (in this case the specially crafted office file) to be delivered locally, and #2 the local user to open it. It cannot be exploited without end user interaction at that early and specific point in time.

“However, scoring that single specific slice of the exploit chain fails to capture just how effective modern, highly targeted social engineering has become, especially with AI. In campaigns like this, overcoming the user interaction prerequisite is becoming straightforward, and that initial foothold becomes the first step in a sophisticated attack chain that can quickly expand before organizations are able to patch.”

This is a big hint that the scoring of vulnerabilities needs a rethink to reflect the modern reality of cybersecurity. But I for one do not think that this will happen anytime soon.

Colorado Health Clinic Warns Patients of Data That Was Leaked in 2024… WTF?

Posted in Commentary on February 2, 2026 by itnerd

Comparitech is reporting that Colorado healthcare clinic Alpine Ear, Nose & Throat has begun notifying more than 65,000 people of a data breach from November 2024. Data exposed includes SSNs, credit card numbers, health insurance info, names, and more.

Commenting on this news is Rebecca Moody, Head of Data Research at Comparitech: 

“It is always concerning when it takes an organization a long time to issue data breach notifications. And when the breach involves incredibly sensitive data, as it does in this case, the delay can have significant consequences. While AENT did post a notice on its website in January 2025, only those patients who visited the website would have seen it. Equally, as the investigation was still underway, the type of data involved wasn’t included, meaning some patients may not have paid the notification much attention. Therefore, many patients’ personal data may have been compromised for over a year without them knowing/without them taking the necessary measures. 

AENT is now offering those affected access to free credit monitoring services. Although this is a bit of a case of “shutting the barn door after the horse has bolted,” it is still crucial that anyone who is impacted in this event takes AENT up on this offer. This will allow them to check to see if their data has been compromised, and, if not, take necessary steps toward safeguarding it going forward.”

Another healthcare breach. Oh joy. But this is one that happened almost 2 years ago. This is a total #EpicFail on the part of Alpine Ear, Nose & Throat. Clearly these guys were not taking this seriously if it took them this long to do what is right and notify patients in a timely manner.

If You Use Notepad++, You Should Download The Latest Version ASAP

Posted in Commentary on February 2, 2026 by itnerd

I am a big user of Notepad++ as I find it to be the best way to go through logs. Especially big ones. Thus I will be downloading the latest version of the app as soon as I get home for this reason:

Following the security disclosure published in the v8.8.9 announcement https://notepad-plus-plus.org/news/v889-released/ the investigation has continued in collaboration with external experts and with the full involvement of my (now former) shared hosting provider.

According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests.

And:

I recommend downloading v8.9.1 (which includes the relevant security enhancement) and running the installer to update your Notepad++ manually.

I have to admit that I completely missed this. That’s bad on me. The only good news is that I run Notepad++ inside of a Windows 11 virtual machine on my Mac. So since it is largely isolated, I don’t believe that either yours truly or my customers were at risk. But for everybody who runs Notepad++, update ASAP to keep yourself safe.