<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[CISO HQ ]]></title><description><![CDATA[CISO HQ is an independent publication for Chief Information Security Officers and cybersecurity leaders. We cover the latest cyber threats, industry trends, funding, M&A, executive moves, and the technologies shaping enterprise security. ]]></description><link>https://www.cisohq.io</link><image><url>https://substackcdn.com/image/fetch/$s_!T2is!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F802272e2-c335-4db1-835a-9f659f19ffba_1280x1280.png</url><title>CISO HQ </title><link>https://www.cisohq.io</link></image><generator>Substack</generator><lastBuildDate>Fri, 03 Jul 2026 16:11:12 GMT</lastBuildDate><atom:link href="https://www.cisohq.io/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Media Network]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[cisohq@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[cisohq@substack.com]]></itunes:email><itunes:name><![CDATA[Media Network]]></itunes:name></itunes:owner><itunes:author><![CDATA[Media Network]]></itunes:author><googleplay:owner><![CDATA[cisohq@substack.com]]></googleplay:owner><googleplay:email><![CDATA[cisohq@substack.com]]></googleplay:email><googleplay:author><![CDATA[Media Network]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[ChocoPoC Malware Targets Researchers Through Trojanized PoC Exploits]]></title><description><![CDATA[ChocoPoC malware targets security researchers through trojanized GitHub proof-of-concept exploits and malicious PyPI 
dependencies.]]></description><link>https://www.cisohq.io/p/chocopoc-malware-targets-researchers</link><guid isPermaLink="false">https://www.cisohq.io/p/chocopoc-malware-targets-researchers</guid><dc:creator><![CDATA[John Kevin Hao]]></dc:creator><pubDate>Thu, 02 Jul 2026 16:31:50 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!e4uX!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f82cde0-9cb9-4959-9f15-ea8afdfbaae0_1280x853.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!e4uX!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f82cde0-9cb9-4959-9f15-ea8afdfbaae0_1280x853.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!e4uX!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f82cde0-9cb9-4959-9f15-ea8afdfbaae0_1280x853.jpeg 424w, https://substackcdn.com/image/fetch/$s_!e4uX!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f82cde0-9cb9-4959-9f15-ea8afdfbaae0_1280x853.jpeg 848w, https://substackcdn.com/image/fetch/$s_!e4uX!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f82cde0-9cb9-4959-9f15-ea8afdfbaae0_1280x853.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!e4uX!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f82cde0-9cb9-4959-9f15-ea8afdfbaae0_1280x853.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!e4uX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f82cde0-9cb9-4959-9f15-ea8afdfbaae0_1280x853.jpeg" width="1280" height="853" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!e4uX!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f82cde0-9cb9-4959-9f15-ea8afdfbaae0_1280x853.jpeg 424w, https://substackcdn.com/image/fetch/$s_!e4uX!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f82cde0-9cb9-4959-9f15-ea8afdfbaae0_1280x853.jpeg 848w, https://substackcdn.com/image/fetch/$s_!e4uX!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f82cde0-9cb9-4959-9f15-ea8afdfbaae0_1280x853.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!e4uX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4f82cde0-9cb9-4959-9f15-ea8afdfbaae0_1280x853.jpeg 1456w" 
sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><h2><strong>What happened</strong></h2><p>Multiple weaponized proof-of-concept exploit repositories on GitHub were found delivering a Python-based remote access trojan named ChocoPoC. 
The campaign appears designed to target cybersecurity researchers, vulnerability testers, penetration testers, and others who download and run exploit code from public repositories.</p><p>ChocoPoC stands out because the malware is not embedded directly inside the exploit file. Instead, the attackers add malicious Python packages to the proof-of-concept repository&#8217;s dependency list. When a victim installs the repository&#8217;s requirements, a trojanized PyPI package named frint is fetched and installed. During installation, frint pulls in a second malicious dependency named skytext, which contains a compiled native Python extension.</p><p>When the proof-of-concept exploit runs and the dependency is imported, the extension executes automatically and decrypts additional embedded Python code. That code triggers a downloader that retrieves the final ChocoPoC payload from a Mapbox dataset.</p><p>The ChocoPoC remote access trojan can:</p><ul><li><p>execute arbitrary shell commands and Python code;</p></li><li><p>upload files and directories from the victim machine;</p></li><li><p>collect browser passwords, cookies, autofill data, and browsing history;</p></li><li><p>search for text, markdown, and database files;</p></li><li><p>gather shell history, collect network configuration, and enumerate running processes.</p></li></ul><p>Mapbox datasets are also abused for data exfiltration, though larger file uploads are handled separately through an HTTP server.</p><p>Sekoia identified at least seven GitHub proof-of-concept repositories distributing ChocoPoC. The repositories hosted exploits for FortiWeb, React2Shell, MongoBleed, PAN-OS, Ivanti Sentry, Check Point VPN, and Joomla SP Page Builder vulnerabilities.</p><p>The malicious skytext package was downloaded 2,400 times, mostly on Linux-based systems. 
Downloads rose after the disclosure of a high-profile vulnerability, suggesting the attackers timed their lures to trending security issues so that researchers would test the malicious PoC repositories.</p><p>Before using frint and skytext, the campaign used two other packages, slogsec and logcrypt.cryptography, with similar source code and the same ChocoPoC payload. Sekoia said the campaign appears to rely on compromised accounts to publish malicious PyPI packages and proof-of-concept repositories. Researchers found email addresses tied to GitHub committers linked to earlier PoC trojanizing activity, with some credentials appearing in leak databases and one login likely originating from an infostealer compromise.</p><h2><strong>Who is affected</strong></h2><p>Cybersecurity researchers, penetration testers, vulnerability analysts, red teams, and low-skilled hackers who downloaded and ran the malicious proof-of-concept repositories may be affected.</p><p>The risk is especially relevant to Linux-based systems, which accounted for most skytext downloads.</p><p>Organizations may also be affected if researchers tested the malicious PoCs on workstations containing browser credentials, shell history, API keys, internal documentation, databases, source code, or access to security tooling.</p><p>Security teams should pay attention if staff downloaded PoCs for FortiWeb, React2Shell, MongoBleed, PAN-OS, Ivanti Sentry, Check Point VPN, or Joomla SP Page Builder vulnerabilities from untrusted GitHub repositories.</p><h2><strong>Why CISOs should care</strong></h2><p>This campaign highlights a persistent risk in security research workflows: defenders often run untrusted exploit code while investigating new vulnerabilities. Attackers can exploit that habit by publishing trojanized proof-of-concepts around trending vulnerabilities.</p><p>For CISOs, the dependency-based delivery method is especially important. 
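</p><p>One way to act on that before a downloaded PoC is ever run, as an added example (this is not Sekoia&#8217;s tooling or code from the campaign): fetch the repository&#8217;s listed requirements without installing them (pip download with --no-deps), then scan each archive for the things that execute before the exploit does: install hooks in setup.py, compiled extensions that run on import, and .pth files, and list what each package would pull in next. The package names, file names and the two sample archives it builds are constructed for illustration.</p>

```python
"""Triage Python package archives before a PoC's requirements are installed.

Added example: not Sekoia's tooling, not code from the campaign. Assumed use:
    pip download --no-deps -d ./pkgs -r requirements.txt   # fetch, do not install
    python triage.py ./pkgs/*                               # then scan each archive
Package names, file names and the sample archives built by demo() are constructed.
"""
import io
import re
import sys
import tarfile
import tempfile
import zipfile
from pathlib import Path

# Code that runs at install time or interpreter start-up, before any exploit code
# is launched. A hit is a prompt for review, not a verdict: legitimate packages
# also spawn processes or decode data in setup.py.
SETUP_PATTERNS = [
    ("custom install command (cmdclass)", r"\bcmdclass\s*="),
    ("process execution", r"\b(subprocess|os\.system|os\.popen)\b"),
    ("dynamic code execution", r"\b(exec|eval|compile)\s*\("),
    ("decoding of embedded data", r"\b(base64|zlib|marshal)\b"),
    ("network access", r"\b(urllib|requests|socket|http\.client)\b"),
]
NATIVE_EXT = {".so", ".pyd", ".dylib"}
METADATA_FILES = {"setup.py", "setup.cfg", "pyproject.toml"}

def _members(archive: Path):
    """Yield (name, bytes) for every regular file in a wheel (.whl) or sdist (.tar.gz)."""
    if archive.suffix in {".whl", ".zip"}:
        with zipfile.ZipFile(archive) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
    else:
        with tarfile.open(archive, "r:*") as tf:
            for member in tf.getmembers():
                if member.isfile():
                    yield member.name, tf.extractfile(member).read()

def triage(archive) -> dict:
    """Collect install-time and import-time red flags from one archive."""
    found = {"native_extensions": [], "pth_files": [], "setup_flags": [], "install_requires": []}
    for name, data in _members(Path(archive)):
        path = Path(name)
        if path.suffix in NATIVE_EXT:            # runs on import, opaque to review
            found["native_extensions"].append(name)
        elif path.suffix == ".pth":              # executed by site.py at start-up
            found["pth_files"].append(name)
        elif path.name in METADATA_FILES:        # install-time hooks, next-stage deps
            text = data.decode("utf-8", "replace")
            found["setup_flags"] += [f"{name}: {label}" for label, pat in SETUP_PATTERNS
                                     if re.search(pat, text)]
            deps = re.search(r"(install_requires|dependencies)\s*=\s*\[(.*?)\]", text, re.S)
            if deps:
                found["install_requires"] += re.findall(r"['\"]([^'\"]+)['\"]", deps.group(2))
        elif path.name == "METADATA" and path.parent.suffix == ".dist-info":   # wheel deps
            found["install_requires"] += re.findall(r"^Requires-Dist:\s*(.+)$",
                                                    data.decode("utf-8", "replace"), re.M)
    found["verdict"] = bool(found["native_extensions"] or found["pth_files"] or found["setup_flags"])
    return found

# Constructed sample that mirrors the reported chain in shape only: setup.py pulls
# a second package at install time and the package ships a prebuilt extension.
MALICIOUS_SETUP = """\
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.call(['pip', 'install', 'example-second-stage'])

setup(name='example-first-stage', version='0.1',
      install_requires=['example-second-stage>=1.0'], cmdclass={'install': PostInstall})
"""
CLEAN_SETUP = "from setuptools import setup\nsetup(name='example-clean', version='0.1')\n"

def build_sample_sdist(directory: Path, malicious: bool) -> Path:
    """Write one of the two constructed sdists into `directory` and return its path."""
    if malicious:
        files = {"m-0.1/setup.py": MALICIOUS_SETUP.encode(),
                 "m-0.1/m/__init__.py": b"from . import _native\n",
                 "m-0.1/m/_native.cpython-311-x86_64-linux-gnu.so": b"\x7fELF" + bytes(64)}
    else:
        files = {"c-0.1/setup.py": CLEAN_SETUP.encode(),
                 "c-0.1/c/__init__.py": b"def hello():\n    return 'hi'\n"}
    archive = directory / ("m-0.1.tar.gz" if malicious else "c-0.1.tar.gz")
    with tarfile.open(archive, "w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return archive

def demo() -> tuple:
    """Build both constructed samples in a scratch directory and triage them."""
    with tempfile.TemporaryDirectory() as scratch:
        return (triage(build_sample_sdist(Path(scratch), True)),
                triage(build_sample_sdist(Path(scratch), False)))

if __name__ == "__main__":
    for report in [triage(p) for p in sys.argv[1:]] or demo():
        print(report)
```

<p>With no arguments it builds and scans the two constructed samples; point it at real archives after a pip download run. Each flag is a prompt for a human look rather than a verdict, since plenty of legitimate packages spawn processes or decode data in setup.py. The useful output for this campaign is the combination: a first-stage package that declares a second package it will pull in during installation and also ships a prebuilt extension, seen before anything is installed.</p><p>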
The exploit code itself may appear clean, while the malicious behavior lives in a package dependency that looks harmless during review. That makes manual inspection harder if teams only examine the main PoC file.</p><p>The targeting of researchers also creates enterprise risk. Security teams often use privileged workstations, browser sessions, internal tools, VPN access, and vulnerability management systems. A compromised researcher machine can expose credentials, internal notes, exploit testing environments, and access paths into the organization.</p><p>The use of compromised accounts to publish malicious packages and repositories also reinforces that reputation alone is not enough. A GitHub or PyPI account may look legitimate while being controlled by an attacker.</p><h2><strong>3 practical actions</strong></h2><ol><li><p><strong>Run proof-of-concepts only in isolated environments:</strong> Researchers should execute unverified exploit code in disposable virtual machines, containers, or lab systems without access to production credentials, browser sessions, SSH keys, or internal repositories, and with outbound network access limited to the target under test; ChocoPoC needs to reach Mapbox to fetch its final payload.</p></li><li><p><strong>Review dependencies, not only exploit files:</strong> ChocoPoC was delivered through malicious Python packages added to PoC dependency lists, and the second stage was pulled in at install time, before the exploit was ever launched. Security teams should fetch packages for review without installing them and inspect requirements files, package installation scripts (setup.py and build hooks), native extensions, dependency chains, and network activity before running public exploit code.</p></li><li><p><strong>Monitor researcher workstations for unusual behavior:</strong> ChocoPoC can execute commands, steal browser data, collect shell history, and upload files. 
Defenders should watch for suspicious Python package installs, unexpected Mapbox dataset access, outbound HTTP uploads, unusual shell activity, and credential access from research systems.</p></li></ol><p>Also on the news today:</p><ul><li><p><a href="https://www.cisohq.io/p/medtronic-notifies-customers-impacted">Medtronic Notifies Customers Impacted by ShinyHunters Data Breach</a></p></li><li><p><a href="https://www.cisohq.io/p/kubota-says-hackers-had-month-long?r=8ol09l">Kubota Says Hackers Had Month-Long Access to Network Systems</a></p></li><li><p><a href="https://www.cisohq.io/p/fortibleed-credential-theft-campaign?r=8ol09l">FortiBleed Credential Theft Campaign Linked to Lynx Ransomware</a></p></li></ul>]]></content:encoded></item><item><title><![CDATA[Kubota Says Hackers Had Month-Long Access to Network Systems]]></title><description><![CDATA[Kubota disclosed a data breach after hackers accessed network systems for over a month, exposing employee and dependent information.]]></description><link>https://www.cisohq.io/p/kubota-says-hackers-had-month-long</link><guid isPermaLink="false">https://www.cisohq.io/p/kubota-says-hackers-had-month-long</guid><dc:creator><![CDATA[John Kevin Hao]]></dc:creator><pubDate>Thu, 02 Jul 2026 16:25:06 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!p1gN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbe02779e-3c98-4db4-a09e-335b4fec6672_1280x853.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!p1gN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbe02779e-3c98-4db4-a09e-335b4fec6672_1280x853.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!p1gN!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbe02779e-3c98-4db4-a09e-335b4fec6672_1280x853.jpeg 424w, https://substackcdn.com/image/fetch/$s_!p1gN!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbe02779e-3c98-4db4-a09e-335b4fec6672_1280x853.jpeg 848w, https://substackcdn.com/image/fetch/$s_!p1gN!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbe02779e-3c98-4db4-a09e-335b4fec6672_1280x853.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!p1gN!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbe02779e-3c98-4db4-a09e-335b4fec6672_1280x853.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!p1gN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbe02779e-3c98-4db4-a09e-335b4fec6672_1280x853.jpeg" width="1280" height="853" 
class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!p1gN!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbe02779e-3c98-4db4-a09e-335b4fec6672_1280x853.jpeg 424w, https://substackcdn.com/image/fetch/$s_!p1gN!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbe02779e-3c98-4db4-a09e-335b4fec6672_1280x853.jpeg 848w, https://substackcdn.com/image/fetch/$s_!p1gN!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbe02779e-3c98-4db4-a09e-335b4fec6672_1280x853.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!p1gN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbe02779e-3c98-4db4-a09e-335b4fec6672_1280x853.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><h2><strong>What happened</strong></h2><p>Kubota North America Corporation disclosed that hackers had access to some of its network systems for more than a month earlier this year. The company&#8217;s investigation found that the threat actor accessed certain systems between March 16 and April 20. 
During that period, the attacker accessed files containing personal information belonging to employees and their dependents.</p><p>Kubota North America is the North American arm of Kubota, the Japanese industrial manufacturer known for agricultural and construction equipment, and includes facilities that produce tractors, mowers, and utility vehicles. The potentially exposed information includes full names, Social Security numbers, dates of birth, taxpayer IDs, driver&#8217;s license or other government ID numbers, direct deposit bank account information, corporate payment card information, and benefits enrollment and limited claims data. Some of the exposed information may also belong to employee dependents. Kubota said the exact data types vary by person.</p><p>The company began sending personalized notification letters by email on June 30, informing affected individuals about the specific information exposed in their case. Kubota is offering Kroll identity protection services to help affected individuals respond to the risk. The company advised recipients to monitor healthcare-related statements and bank accounts and to report suspicious activity to authorities. Kubota said it implemented additional security measures to help prevent similar incidents.</p><p>At the time of reporting, no ransomware or data extortion group had claimed responsibility for the attack. Kubota did not mention any operational or business disruption tied to the incident.</p><h2><strong>Who is affected</strong></h2><p>Kubota North America employees and their dependents are affected if their information was included in the files accessed by the attacker. The potentially exposed information may include names, Social Security numbers, dates of birth, taxpayer IDs, government ID numbers, bank account information, corporate payment card information, benefits enrollment data, and limited claims information. 
Because dependent data may also be involved, affected households could face broader identity theft, healthcare fraud, tax fraud, payroll fraud, and financial account risk.</p><h2><strong>Why CISOs should care</strong></h2><p>This incident shows how employee and dependent data can become a major breach exposure even when customer-facing operations are not publicly reported as disrupted.</p><p>For CISOs, the month-long access window is especially important. Attackers had access to some Kubota network systems from March 16 to April 20, giving them time to locate sensitive HR, benefits, payroll, and dependent information.</p><p>The exposed data categories also increase the risk of downstream fraud. Direct deposit bank account information, Social Security numbers, government IDs, taxpayer IDs, and benefits information can support identity theft, payroll diversion, tax fraud, and healthcare-related scams.</p><p>The lack of a ransomware or extortion claim does not reduce the need for full incident response. Data theft incidents without public ransomware branding can still involve stolen information that may later be sold, used for fraud, or leveraged in targeted social engineering.</p><h2><strong>3 practical actions</strong></h2><ol><li><p><strong>Review access to HR, payroll, and benefits data:</strong> Kubota said files containing employee and dependent information were accessed. CISOs should enforce least privilege, strong logging, and segmentation around systems storing payroll, tax, benefits, and dependent records.</p></li><li><p><strong>Prepare identity protection and fraud guidance for employees:</strong> The exposed data includes Social Security numbers, government IDs, bank account information, and benefits data. 
Organizations should provide clear instructions for credit monitoring, bank account review, healthcare statement monitoring, and suspicious activity reporting.</p></li><li><p><strong>Investigate long-dwell network access thoroughly:</strong> The attacker accessed systems for more than a month. Security teams should review authentication logs, file access records, lateral movement, persistence mechanisms, data staging, and outbound transfers before closing the incident.</p></li></ol><p>Also on the news today:</p><ul><li><p><a href="https://www.cisohq.io/p/medtronic-notifies-customers-impacted">Medtronic Notifies Customers Impacted by ShinyHunters Data Breach</a></p></li><li><p><a href="https://www.cisohq.io/p/fortibleed-credential-theft-campaign?r=8ol09l">FortiBleed Credential Theft Campaign Linked to Lynx Ransomware</a></p></li><li><p><a href="https://www.cisohq.io/p/chocopoc-malware-targets-researchers?r=8ol09l">ChocoPoC Malware Targets Researchers Through Trojanized PoC Exploits</a></p></li></ul>]]></content:encoded></item><item><title><![CDATA[FortiBleed Credential Theft Campaign Linked to Lynx Ransomware]]></title><description><![CDATA[FortiBleed has been linked to INC and Lynx ransomware, with attackers using FortiGate sniffers to harvest credentials at scale.]]></description><link>https://www.cisohq.io/p/fortibleed-credential-theft-campaign</link><guid isPermaLink="false">https://www.cisohq.io/p/fortibleed-credential-theft-campaign</guid><dc:creator><![CDATA[John Kevin Hao]]></dc:creator><pubDate>Thu, 02 Jul 2026 15:37:37 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/$s_!rEu1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F16c5548b-e0d6-41e2-ba58-abc77bc25ac1_1280x853.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!rEu1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F16c5548b-e0d6-41e2-ba58-abc77bc25ac1_1280x853.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!rEu1!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F16c5548b-e0d6-41e2-ba58-abc77bc25ac1_1280x853.jpeg 424w, https://substackcdn.com/image/fetch/$s_!rEu1!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F16c5548b-e0d6-41e2-ba58-abc77bc25ac1_1280x853.jpeg 848w, https://substackcdn.com/image/fetch/$s_!rEu1!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F16c5548b-e0d6-41e2-ba58-abc77bc25ac1_1280x853.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!rEu1!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F16c5548b-e0d6-41e2-ba58-abc77bc25ac1_1280x853.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!rEu1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F16c5548b-e0d6-41e2-ba58-abc77bc25ac1_1280x853.jpeg" width="1280" height="853" 
class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!rEu1!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F16c5548b-e0d6-41e2-ba58-abc77bc25ac1_1280x853.jpeg 424w, https://substackcdn.com/image/fetch/$s_!rEu1!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F16c5548b-e0d6-41e2-ba58-abc77bc25ac1_1280x853.jpeg 848w, https://substackcdn.com/image/fetch/$s_!rEu1!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F16c5548b-e0d6-41e2-ba58-abc77bc25ac1_1280x853.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!rEu1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F16c5548b-e0d6-41e2-ba58-abc77bc25ac1_1280x853.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><h2><strong>What happened</strong></h2><p>The FortiBleed credential theft campaign has been linked to the INC and Lynx ransomware operations, suggesting that stolen Fortinet credentials may have been intended to support future network intrusions. The campaign first drew attention after a server containing credentials stolen from more than 73,000 Fortinet devices was found exposed online. 
Researchers found FortiGate configuration files, harvested credentials, password-cracking infrastructure, and systems used for credential-stuffing attacks.</p><p>Follow-up research from SOCRadar found that the operation used a custom packet-sniffing tool called FortiGate Sniffer on compromised FortiGate firewalls. The tool allowed attackers to intercept VPN credentials and other authentication data directly from network traffic passing through the devices. SOCRadar later identified a Windows server tied to FortiBleed infrastructure. During analysis of that server, researchers found evidence that the threat actor had accessed negotiation panels for both the Lynx and INC ransomware groups.</p><p>Screenshots SOCRadar shared showed browser sessions accessing ransomware administration panels containing victim chats used during negotiations. SOCRadar said this provides direct evidence that an individual with access to FortiBleed infrastructure was also involved with the ransomware groups&#8217; negotiation platforms.</p><p>The company also said it identified more than 200 additional operational servers beyond those originally tied to the campaign. Researchers found victim information harvested during FortiBleed that overlapped with organizations later listed on the INC ransomware leak site.</p><p>SOCRadar also said the operation appears to involve roughly 20 members with defined roles, and that the campaign was larger than initially understood: researchers said FortiBleed targeted more than 430,000 FortiGate firewalls worldwide and deployed traffic sniffers on approximately 19,000 devices.</p><p>After affected organizations were notified, the number of compromised devices reportedly fell to around 11,000. Researchers also identified roughly 500 servers used by the operation. SOCRadar believes the attackers may have exploited a previously undisclosed Nextcloud zero-day vulnerability to expand access after initial compromise, though technical details have not yet been released. 
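</p><p>A hunt for the persistent accounts this item describes, as an added example (not SOCRadar&#8217;s tooling): it walks the config system admin section of a FortiOS configuration backup, reports every administrator that is not on an allowlist the team maintains, and notes the two settings that make a stray account most dangerous, a super_admin profile and the absence of trusthost restrictions. The configuration text, the hostname and the allowlist are constructed for illustration; the adminin entry mirrors the username the researchers report below.</p>

```python
"""Audit the administrator accounts in a FortiOS configuration backup.

Added example, not SOCRadar's tooling. It assumes the standard FortiOS backup
layout (config <section> / edit "<name>" / set <key> <value> / next / end) and
an allowlist of the accounts the team actually created. The configuration text
and the allowlist below are constructed for illustration.
"""

SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC AAAA
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC BBBB
    next
    edit "noc-readonly"
        set accprofile "prof_readonly"
        set vdom "root"
        set trusthost1 10.0.5.0 255.255.255.0
        set password ENC CCCC
    next
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
    next
end
"""

KNOWN_ADMINS = {"admin", "noc-readonly"}  # assumed: the accounts the team created


def parse_admins(config_text: str) -> dict:
    """Return {name: {setting: value}} for each entry under `config system admin`.

    A stack of open `config` sections keeps nested blocks inside an entry
    (for example dashboard settings) from being mistaken for accounts."""
    admins, sections, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append(line[len("config "):])
        elif line == "end":
            sections.pop()
        elif sections and sections[-1] == "system admin":
            if line.startswith("edit "):
                current = line[len("edit "):].strip('"')
                admins[current] = {}
            elif line == "next":
                current = None
            elif current is not None and line.startswith("set "):
                key, _, value = line[len("set "):].partition(" ")
                admins[current][key] = value.strip('"')
    return admins


def audit_admins(config_text: str, known=KNOWN_ADMINS) -> list:
    """List accounts not on the allowlist, with the settings that raise their risk."""
    findings = []
    for name, settings in parse_admins(config_text).items():
        if name in known:
            continue
        reasons = ["not in allowlist"]
        if settings.get("accprofile") == "super_admin":
            reasons.append("super_admin profile")
        if not any(key.startswith("trusthost") for key in settings):
            reasons.append("no trusted-host restriction")
        findings.append({"name": name, "vdom": settings.get("vdom"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_admins(SAMPLE_CONFIG):
        print(f"{finding['name']}: {', '.join(finding['reasons'])}")
```

<p>Run it against a fresh configuration export and diff the result against the last known-good export; an account that appears in neither the allowlist nor the change log is an incident, not a housekeeping item. The same walk applies to the config system api-user section, since a REST API key is a quieter way to keep access than an interactive administrator login.</p><p>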
The researchers also found persistent backdoor accounts using the username adminin on compromised systems and said they are continuing efforts to recover ransomware decryption keys.</p><h2><strong>Who is affected</strong></h2><p>Organizations using FortiGate firewalls may be affected, especially those whose devices were compromised during the FortiBleed campaign or whose credentials were included in the exposed data. The campaign targeted more than 430,000 FortiGate firewalls and reportedly deployed sniffers on about 19,000 devices. Around 11,000 compromised devices remained after victim notification efforts reduced the count.</p><p>Organizations whose Fortinet VPN credentials, configuration files, or authentication data were captured may face risk beyond the firewall itself. Stolen credentials can support VPN access, lateral movement, credential stuffing, ransomware staging, and intrusion into downstream systems. Organizations later appearing on the INC ransomware leak site may also be affected if their data overlapped with information harvested during FortiBleed.</p><h2><strong>Why CISOs should care</strong></h2><p>This development changes FortiBleed from a large credential theft campaign into a possible ransomware enablement operation. The connection to INC and Lynx negotiation panels suggests the stolen Fortinet access may have been used, sold, or prepared for follow-on extortion activity.</p><p>For CISOs, the key issue is that compromised firewalls can become credential collection points. A FortiGate compromise is not only a perimeter device issue. If attackers deployed sniffers, they may have captured VPN credentials, authentication data, configuration details, and other information moving through the device.</p><p>The scale also matters. 
Targeting more than 430,000 FortiGate firewalls and deploying sniffers to roughly 19,000 devices shows how quickly edge infrastructure compromise can become a mass credential operation.</p><p>The reported backdoor account named adminin is especially important for incident response. Even if organizations patched or changed passwords, persistent accounts may allow attackers to retain access if not identified and removed.</p><h2><strong>3 practical actions</strong></h2><ol><li><p><strong>Treat FortiBleed exposure as a ransomware precursor:</strong> SOCRadar linked FortiBleed infrastructure to INC and Lynx ransomware negotiation panels. CISOs should assume stolen Fortinet credentials may be used for intrusion, extortion, or brokered access, and should escalate response beyond routine password resets.</p></li><li><p><strong>Hunt for FortiGate Sniffer and persistent accounts:</strong> The campaign used custom sniffers and researchers found backdoor accounts using the username adminin. Security teams should review FortiGate configurations, local accounts, SSH access, diagnostic activity, unexpected processes, and configuration changes.</p></li><li><p><strong>Rotate credentials that passed through compromised firewalls:</strong> Because the campaign captured authentication traffic, organizations should rotate Fortinet VPN credentials, administrator accounts, domain credentials, service accounts, and any credentials reused across exposed systems.</p></li></ol><p>Also in the news today:</p><ul><li><p><a href="https://www.cisohq.io/p/medtronic-notifies-customers-impacted">Medtronic Notifies Customers Impacted by ShinyHunters Data Breach</a></p></li><li><p><a href="https://www.cisohq.io/p/kubota-says-hackers-had-month-long?r=8ol09l">Kubota Says Hackers Had Month-Long Access to Network Systems</a></p></li><li><p><a href="https://www.cisohq.io/p/chocopoc-malware-targets-researchers?r=8ol09l">ChocoPoC Malware Targets Researchers Through Trojanized PoC Exploits</a></p></li></ul>
]]></content:encoded></item><item><title><![CDATA[Medtronic Notifies Customers Impacted by ShinyHunters Data Breach]]></title><description><![CDATA[Medtronic is notifying customers after a ShinyHunters-linked breach exposed names, contact details, Social Security numbers, and health data.]]></description><link>https://www.cisohq.io/p/medtronic-notifies-customers-impacted</link><guid isPermaLink="false">https://www.cisohq.io/p/medtronic-notifies-customers-impacted</guid><dc:creator><![CDATA[John Kevin Hao]]></dc:creator><pubDate>Thu, 02 Jul 2026 15:29:38 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!2PK2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!2PK2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!2PK2!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg 424w, 
https://substackcdn.com/image/fetch/$s_!2PK2!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg 848w, https://substackcdn.com/image/fetch/$s_!2PK2!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!2PK2!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!2PK2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg" width="1456" height="971" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:458534,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cisohq.io/i/204697403?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!2PK2!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg 424w, https://substackcdn.com/image/fetch/$s_!2PK2!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg 848w, https://substackcdn.com/image/fetch/$s_!2PK2!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!2PK2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12ecfa39-aa3a-4691-ad28-81977a0819cc_1920x1280.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><h2><strong>What happened</strong></h2><p>Medical device company Medtronic is notifying affected customers after a data breach exposed personal information to an unauthorized third party. Medtronic previously confirmed that hackers compromised certain corporate IT systems. The ShinyHunters data extortion group claimed responsibility for the attack and alleged that it had obtained 9 million Medtronic records containing personally identifiable information and internal corporate data.</p><p>Medtronic said it became aware of unusual activity on certain corporate IT systems on April 15, 2026. The company launched an investigation with support from third-party cybersecurity experts to determine the scope and impact of the incident. The investigation found that an unauthorized actor accessed certain Medtronic corporate IT systems between April 13 and April 19, 2026. The potentially exposed information may include full names, contact information, dates of birth, Social Security numbers, and health-related information.</p><p>ShinyHunters listed Medtronic on its dark web extortion portal on April 18 and threatened to publish the allegedly stolen data if a ransom was not paid by April 21. The Medtronic entry was later removed from the group&#8217;s listing. Medtronic said the stolen data was not exposed online. 
The company also said all Medtronic devices remain safe to use and were not affected by the cybersecurity incident. Affected individuals are being offered 24 months of credit monitoring and identity theft protection services.</p><h2><strong>Who is affected</strong></h2><p>Medtronic customers whose information was included in the compromised corporate systems may be affected. The potentially exposed information may include full names, contact information, dates of birth, Social Security numbers, and health-related information. The breach does not affect Medtronic&#8217;s medical devices, which the company said remain safe to use. Customers receiving notifications should treat the incident as a personal data and identity risk event, especially because Social Security numbers and health-related information may be involved.</p><h2><strong>Why CISOs should care</strong></h2><p>This incident highlights the sensitive nature of healthcare and medical device company data. Even when connected medical devices are not affected, corporate IT systems can still hold customer information that creates identity theft, fraud, phishing, and social engineering risk.</p><p>For CISOs, the ShinyHunters involvement is also important. Data extortion groups often use public leak threats to pressure victims, creating reputational, legal, and customer trust challenges even before stolen data is verified or published.</p><p>The short access window is another key point. Medtronic said the unauthorized actor accessed certain systems between April 13 and April 19, and the company became aware of unusual activity on April 15. Security teams need strong visibility into corporate environments so they can determine what was accessed, what was exfiltrated, and whether customer notification is required.</p><p>The assurance that medical devices were not affected also reinforces the need for clear incident scoping. 
Healthcare technology companies must be able to distinguish corporate IT compromise from product or device security impact quickly and credibly.</p><h2><strong>3 practical actions</strong></h2><ol><li><p><strong>Separate corporate IT breach response from product safety assessment:</strong> Medtronic said its devices remain safe to use and were not affected. Healthcare technology CISOs should maintain incident response processes that quickly determine whether an event affects corporate systems, customer data, connected products, or patient safety.</p></li><li><p><strong>Prepare customer notification for health-related data exposure:</strong> The potentially exposed data includes Social Security numbers and health-related information. Security teams should prepare clear notifications, identity protection support, fraud guidance, and call center scripts for affected customers.</p></li><li><p><strong>Monitor for extortion-driven data leak claims:</strong> ShinyHunters listed Medtronic on its dark web portal before the entry was later removed. 
Organizations should monitor extortion sites, validate attacker claims through forensics, and coordinate legal, communications, and customer response teams before public data exposure occurs.</p></li></ol><p>Also in the news today:</p><ul><li><p><a href="https://www.cisohq.io/p/fortibleed-credential-theft-campaign?r=8ol09l">FortiBleed Credential Theft Campaign Linked to Lynx Ransomware</a></p></li><li><p><a href="https://www.cisohq.io/p/kubota-says-hackers-had-month-long?r=8ol09l">Kubota Says Hackers Had Month-Long Access to Network Systems</a></p></li><li><p><a href="https://www.cisohq.io/p/chocopoc-malware-targets-researchers?r=8ol09l">ChocoPoC Malware Targets Researchers Through Trojanized PoC Exploits</a></p></li></ul>]]></content:encoded></item></channel></rss>