Healthcare Under Siege: Novo Nordisk and iRhythm Breached, as White House Overhauls National Security Cyber Policy

A new Resecurity report identifies the target as the Italian port of Ancona and confirms the stolen port safety plans were leaked in January 2026 after the $10 million ransom was not paid. This escalation from data theft to public leak significantly increases the national security risk. The report also provides new technical details, including 'Cyber Observables' for hunting, such as monitoring for `vssadmin.exe delete shadows` and large data egress, and adds network segmentation and immutable backups to mitigation strategies. The attack is now explicitly described as a double-extortion campaign.

Novo Nordisk has confirmed the data breach was orchestrated by the cyber-extortion group FulcrumSec. The attackers claim to have maintained network access for over two months, exfiltrating 1.3TB of sensitive data, including drug research, internal AI models, source code, and records for 11,500 pseudonymized patients. The initial access vector was identified as a compromised GitHub access token. Novo Nordisk refused FulcrumSec's $25 million ransom demand, prompting the group to threaten private sales of the stolen intellectual property to competitors, significantly escalating the incident's severity and potential long-term impact.

Microsoft has officially acknowledged the 'RoguePlanet' zero-day vulnerability in Defender, assigning it CVE-2026-50656. The company confirmed it is actively developing a security update to address the local privilege escalation flaw, which allows SYSTEM-level control on Windows 10 and 11. This official response follows the public disclosure and PoC release by researcher 'Nightmare Eclipse'. While a timeline for the patch is not yet available, the confirmation provides a clearer path towards remediation for the critical vulnerability.

Further analysis of CVE-2026-20262 reveals that the path traversal vulnerability is actively exploited to achieve Remote Code Execution (RCE). Attackers are leveraging the flaw to write malicious .war files to the web server's deployment directory. These files are then automatically executed by the underlying WildFly server, granting the attacker a web shell and full RCE capabilities. This provides a clearer understanding of the exploitation chain and the direct path to complete system compromise, enabling network control, lateral movement, and persistence.

The custom Go-based RAT is named 'Backdoor.Turn' and employs a sophisticated C2 mechanism involving anonymous token acquisition, Microsoft Teams TURN relay servers, and QUIC tunnels. Initial access vectors include SQL/MSSQL vulnerabilities or initial access brokers. The backdoor is a full-featured RAT for post-exploitation persistence, capable of executing commands, scanning networks, mapping Active Directory, and exfiltrating credentials, indicating a more advanced and evasive threat.

Security researchers uncovered an 8.3-terabyte Elasticsearch cluster containing 24 billion records, including plaintext usernames, passwords, and login URLs. This compilation, primarily from infostealer malware and Telegram channels, was publicly accessible and actively updated, posing an extreme risk of account takeover. This discovery represents a massive escalation of the threat from aggregated infostealer logs, far exceeding previous known compilations and highlighting the industrial scale of credential theft. The inclusion of login URLs makes mass account takeover highly efficient for attackers.