Weekly Cyber Threat Briefing: Hypervisors, Healthcare Imaging, Teams Phishing and Supply Chain Risk
Cyber security this week is a reminder that attacks do not always start with an obvious “hack”. Sometimes it’s a single compromised credential, a routine software update, or a message that looks like normal collaboration in Microsoft Teams.
Below is a practical, UK-focused roundup of the key themes we’re seeing right now, plus a straightforward action list you can use to reduce risk quickly.
1) Ransomware targeting VMware ESXi: patching is not optional
Virtualisation platforms remain a high-value target because one successful compromise can impact dozens of servers at once. A known VMware ESXi vulnerability (CVE-2025-22225) has been confirmed as exploited in real-world campaigns, including ransomware activity. If ESXi underpins your critical systems, treat this as urgent.
What to do this week
- Confirm ESXi patch levels against vendor guidance and prioritise remediation.
- Lock down ESXi management access: restrict to a dedicated admin network/VPN, remove internet exposure, and tighten firewall rules.
- Review privileged accounts: enforce MFA where possible, rotate admin credentials, and remove stale accounts.
- Test backups properly: make sure you have immutable/offline copies and that restore works under pressure.
If you’re unsure whether your ESXi estate is exposed, our team can help you map risk and implement a patch and hardening plan. Start here: https://www.creative-n.com/cyber-security/cyber-security-assessment/
2) NHS cyber alerts and medical imaging software: don’t ignore “edge” systems
Medical imaging viewers and supporting workstations can become a stepping stone into wider networks. NHS cyber alerting has previously highlighted risks in DICOM viewer software where malicious files can trigger code execution when opened. Even if you’re not a healthcare provider, this matters if you support clinics, diagnostics, or any organisation that handles specialist imaging or file formats.
What to do this week
- Identify where imaging viewers are installed (including shared clinical workstations and remote devices).
- Apply vendor security updates and confirm versions after patching.
- Segment specialist workstations from core systems (finance, HR, domain controllers).
- Reinforce endpoint controls: EDR/AV health, device hardening, and least privilege.
- Treat downloads cautiously: only use verified vendor sources and consider application allow-listing for high-risk endpoints.
If you’re an NHS supplier, good security hygiene here supports your wider compliance posture and reduces third-party risk during assurance questionnaires.
3) Software supply chain risk in JavaScript and npm: trusted updates can betray you
Supply chain compromises in widely used packages remain a persistent problem. The practical risk is simple: a compromised dependency can quietly exfiltrate environment variables and secrets (API keys, tokens, database credentials), and this can happen during normal development or CI/CD activity.
What to do this week
- Audit dependencies (including transitive packages) and investigate anything unexpected.
- Use lockfiles and pin versions so you are not pulling silent updates.
- Rotate secrets if you suspect exposure, and move secrets into a managed vault where possible.
- Enforce MFA on developer accounts (npm, GitHub/GitLab, cloud portals).
- Add automated scanning: SCA, secret scanning, and CI pipeline checks.
If your website or internal apps rely on JavaScript tooling, supply chain security is now part of “business as usual”, not an optional extra.
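A concrete way to start the dependency audit above is a static check over package.json and package-lock.json: which declared versions are allowed to float, which locked packages lack an integrity hash or were resolved from somewhere other than the expected registry, and which run an install script. The script below is an added example written for this briefing, not code from Creative Networks or from npm; the package names, versions, URLs and hashes in the embedded sample files are invented, and the trusted-registry list is an assumption you would set for your own environment.

```python
import json
import re
from urllib.parse import urlparse

# Constructed package.json and package-lock.json (lockfile v3 layout) used as
# sample input. Package names, versions, URLs and hashes are invented.
PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "widget-lib": "^1.3.0",   # caret range: floats to newer 1.x releases
        "pinned-lib": "2.0.1",    # exact pin
        "oddball": "*",           # any version at all
    },
})

PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/widget-lib": {
            "version": "1.3.2",
            "resolved": "https://registry.npmjs.org/widget-lib/-/widget-lib-1.3.2.tgz",
            "integrity": "sha512-CONSTRUCTEDHASH0000",
        },
        "node_modules/pinned-lib": {
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/pinned-lib/-/pinned-lib-2.0.1.tgz",
            "integrity": "sha512-CONSTRUCTEDHASH1111",
            "hasInstallScript": True,  # npm records this when a package has install hooks
        },
        "node_modules/oddball": {
            "version": "0.0.1",
            "resolved": "https://example-mirror.invalid/oddball-0.0.1.tgz",
            # no "integrity": the tarball cannot be verified against a hash
        },
    },
})

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}  # assumed policy for this example
EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?")


def is_exact_version(spec):
    """True only for a fully pinned semver string (no ^, ~, ranges, tags or URLs)."""
    return EXACT_VERSION.fullmatch(spec) is not None


def audit_npm_project(package_json_text, package_lock_text, trusted_hosts=TRUSTED_REGISTRY_HOSTS):
    """Return a list of (package, finding) pairs that deserve a human look."""
    pkg = json.loads(package_json_text)
    lock = json.loads(package_lock_text)
    findings = []

    declared = {}
    for field in ("dependencies", "devDependencies"):
        declared.update(pkg.get(field, {}))

    # 1. Declared specifiers that allow silent upgrades.
    for name, spec in declared.items():
        if not is_exact_version(spec):
            findings.append((name, f"unpinned specifier {spec!r}"))

    # 2. Locked packages: where they come from, whether npm can verify them,
    #    and whether installing them runs code.
    locked_names = set()
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        locked_names.add(name)
        host = urlparse(meta.get("resolved", "")).hostname or "<none>"
        if host not in trusted_hosts:
            findings.append((name, f"resolved from untrusted source {host!r}"))
        if not meta.get("integrity"):
            findings.append((name, "no integrity hash in lockfile"))
        if meta.get("hasInstallScript"):
            findings.append((name, "runs an install script"))

    # 3. Declared dependencies with no lockfile entry at all.
    for name in declared:
        if name not in locked_names:
            findings.append((name, "declared but missing from lockfile"))

    return findings


if __name__ == "__main__":
    for package, finding in audit_npm_project(PACKAGE_JSON, PACKAGE_LOCK):
        print(f"{package}: {finding}")
```

Run against your own project by reading the two files from disk instead of the embedded strings. A finding is a prompt to investigate, not proof of compromise: an install script in a well-known native module is normal, but an install script in a package you did not knowingly add is exactly the kind of "unexpected" item the audit step is looking for.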
4) Microsoft Teams phishing: attackers are going where trust is highest
Phishing is no longer limited to email. We are seeing more examples of attacks that use Microsoft Teams chats or invitations to appear legitimate, often posing as IT support or a senior colleague. This is especially effective because people tend to trust collaboration tools and respond quickly.
What to do this week
- Review Teams external access: if you don’t need open federation, restrict it.
- Reinforce MFA and Conditional Access across Microsoft 365.
- Train users on “new phishing surfaces”: Teams, shared documents, meeting invites, and voice calls.
- Monitor sign-in logs for unusual locations/devices and impossible travel scenarios.
- Make reporting easy: one internal process for staff to flag suspicious messages fast.
If you want a quick hardening review for Microsoft 365, speak to our team and we’ll help you prioritise the settings that reduce real-world risk.
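The "impossible travel" check mentioned above is simple to reason about: two sign-ins by the same account, far enough apart that no flight could connect them in the time between. The script below is an added example, not Creative Networks' tooling or a Microsoft feature; it runs over a constructed, simplified sign-in log (the CSV columns are invented; a real Microsoft 365 sign-in export has its own schema and would need its own parser), and the 900 km/h threshold is an assumption to tune for your user base.

```python
import csv
import io
import math
from datetime import datetime

# Constructed, simplified sign-in log. The columns are invented for this
# example; a real Microsoft 365 sign-in export has its own schema.
SAMPLE_SIGNINS = """timestamp,user,city,lat,lon
2025-01-06T09:00:00+00:00,alice@example.com,London,51.5074,-0.1278
2025-01-06T09:40:00+00:00,alice@example.com,Singapore,1.3521,103.8198
2025-01-06T09:05:00+00:00,bob@example.com,London,51.5074,-0.1278
2025-01-06T12:05:00+00:00,bob@example.com,Manchester,53.4808,-2.2426
"""

# Anything faster than a long-haul flight between two sign-ins is physically
# implausible. Assumed threshold; tune it to your own user population.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_signins(text):
    """Parse the CSV into dicts, sorted by user then time so consecutive pairs are adjacent."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"],
            "city": row["city"],
            "lat": float(row["lat"]),
            "lon": float(row["lon"]),
        })
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def find_impossible_travel(text, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by the same user that imply an implausible speed."""
    alerts = []
    prev = None
    for ev in parse_signins(text):
        if prev is not None and prev["user"] == ev["user"]:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            if hours > 0:
                kmh = km / hours
            else:
                # Same timestamp from two different places is impossible too.
                kmh = math.inf if km > 0 else 0.0
            if kmh > max_kmh:
                alerts.append({
                    "user": ev["user"],
                    "from": prev["city"],
                    "to": ev["city"],
                    "km": round(km),
                    "kmh": round(kmh),
                })
        prev = ev
    return alerts


if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_SIGNINS):
        print(f"{a['user']}: {a['from']} -> {a['to']} ({a['km']} km, {a['kmh']} km/h)")
```

In the sample, the London-to-Singapore pair forty minutes apart is flagged while the London-to-Manchester pair three hours apart is not. In production, VPN egress points and mobile carrier geolocation produce false positives, so treat a hit as a trigger for a Conditional Access re-challenge and an analyst look rather than an automatic lockout.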
5) Data breaches can be process failures, not cyber attacks
A recent UK council incident shows how personal data exposure can come from internal handling mistakes, not malware. Poor redaction, unclear workflows, and assumptions (“it’s already been removed”) can lead to unauthorised disclosure and reputational damage.
What to do this week
- Re-check your redaction process: verify by opening files exactly as the recipient would.
- Limit who can access complaint and HR data and keep audit trails.
- Run refresher training for staff who handle sensitive data, including “secure sharing” basics.
- Confirm incident reporting readiness: you should know what you’d do in the first 60 minutes of a data disclosure event.
Good governance is part of cyber resilience. It reduces your overall breach likelihood and improves response speed when something goes wrong.
6) National-scale data exposure: a single credential can have huge impact
France disclosed unauthorised access involving its national bank account registry (FICOBA), reportedly enabled through stolen credentials and impacting a large volume of records. The lesson for UK organisations is universal: credential security and access control design matter, especially where systems aggregate sensitive information.
What to do this week
- Enforce MFA for privileged access and sensitive systems.
- Apply least privilege: access based on operational need, not job title.
- Use continuous monitoring for high-risk systems: alerting on unusual access patterns and bulk lookups.
- Plan for phishing and credential theft as an expected event, not a remote possibility.
If you’re working towards Cyber Essentials, this aligns strongly with the core controls around secure configuration, access control, and patching: https://www.creative-n.com/cyber-essentials/
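"Alerting on bulk lookups" comes down to counting how many distinct records one account touches inside a short window and comparing that against what a normal job needs. The script below is an added example, not the page's or any vendor's code: it builds a constructed access log (one clerk doing a handful of lookups, one account pulling 40 records in three minutes), replays it through a per-user sliding window, and raises one alert per account the first time the window exceeds the threshold. The 10-minute window and 20-record limit are assumptions; set them from your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed access log: timestamp,user,action,record_id per line.

    One user behaves like a case worker; the other scrapes records in bulk.
    """
    base = datetime.fromisoformat("2025-01-06T09:00:00+00:00")
    lines = []
    for i in range(5):   # clerk: 5 lookups spread over roughly an hour
        ts = base + timedelta(minutes=12 * i)
        lines.append(f"{ts.isoformat()},clerk@example.org,lookup,REC-{1000 + i}")
    for i in range(40):  # scraper: 40 distinct records in under 3 minutes
        ts = base + timedelta(seconds=4 * i)
        lines.append(f"{ts.isoformat()},temp@example.org,lookup,REC-{2000 + i}")
    return "\n".join(lines)


def detect_bulk_lookups(log_text, window_minutes=10, max_distinct=20):
    """Return {user: alert} for accounts exceeding max_distinct records per window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> deque of (timestamp, record_id), oldest first
    alerts = {}

    events = []
    for line in log_text.splitlines():
        ts, user, action, record = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action, record))
    events.sort()  # replay in time order regardless of how the log was written

    for ts, user, action, record in events:
        if action != "lookup":
            continue
        q = recent[user]
        q.append((ts, record))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct > max_distinct and user not in alerts:
            alerts[user] = {
                "at": ts,
                "distinct_records": distinct,
                "window_minutes": window_minutes,
            }
    return alerts


if __name__ == "__main__":
    for user, alert in detect_bulk_lookups(build_sample_log()).items():
        print(f"{user}: {alert['distinct_records']} distinct records within "
              f"{alert['window_minutes']} min at {alert['at'].isoformat()}")
```

The detector fires for the scraping account on its 21st distinct record and stays silent for the clerk. Because it keys on distinct record identifiers rather than raw request count, an operator refreshing the same case repeatedly does not trip it, which keeps the alert volume manageable on real systems.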
7) PayPal breach reminder: secure development needs guardrails
PayPal disclosed a breach linked to an application error that exposed sensitive customer information for a period of time. While the specifics vary by organisation, the broader takeaway is consistent: security issues are not always “hackers breaking in”. Sometimes it’s a defect in how data is handled and displayed, which then persists unnoticed.
What to do this week
- Strengthen secure SDLC: code reviews, security testing, and privacy-by-design checks.
- Add monitoring for anomalous data access and unexpected data flows.
- Inventory sensitive data: know what you store, where it sits, and who can access it.
- Review incident response so containment and notifications are not improvised.
Your 20-minute action checklist (do this now)
- Confirm patch status for critical infrastructure (especially ESXi and edge systems).
- Restrict admin interfaces and remove unnecessary internet exposure.
- Tighten Microsoft 365 security baseline: MFA, Conditional Access, and Teams external access.
- Run dependency and secret scans on live web projects and pipelines.
- Sanity-check your redaction and secure-sharing process for sensitive documents.
- Validate backups with a restore test, not assumptions.
Need help turning this into practical controls?
Creative Networks supports UK organisations with security assessments, Cyber Essentials, penetration testing, and ongoing hardening across Microsoft 365 and infrastructure.
Free cyber security assessment: https://www.creative-n.com/cyber-security/cyber-security-assessment/
Cyber Essentials support: https://www.creative-n.com/cyber-essentials/
Penetration testing: https://www.creative-n.com/pen-testing/
Free dark web scan report: https://www.creative-n.com/cyber-security/free-dark-web-scan/