A ransomware crew doesn’t need to smash every door in your network. They just need one. And once they’re inside, they move sideways, quietly hopping from system to system, until they find the jackpot. That sideways move, known as lateral movement, is what turned a few isolated breaches into major headlines this month.
The ColorTokens Threat Advisory team in their latest threat intel brief highlights what happens when attackers are free to roam. From Google Ads data leaks to a record-breaking healthcare breach, the ability to contain intrusions decides the scale of damage.
Let’s break down the numbers, the misses, and the lessons.
Access Brief | ColorTokens Threat Advisory team highlights critical vulnerabilities in the first two weeks of August.
A Vulnerability That Lets Hackers “Log in as Anyone”
Security tools are supposed to keep you safe. But every so often, a flaw can wreak havoc.
That’s exactly what happened with FortiWeb, Fortinet’s web application firewall. Researchers uncovered a nasty authentication bypass vulnerability (CVE-2025-52970, cheekily dubbed “Fort-Majeure”) that lets attackers skip logins and impersonate any user.
Think about that. A product sold to guard your web applications can, in certain versions, hand attackers a master key if they tweak the right cookie.
“This bug represents the kind of silent failure that wasn’t meant to happen—where a system built to protect ends up trusting nothing as everything,” said the researcher who found it.
Exploiting it isn’t trivial. Hackers need to brute-force a validation number and hit during an active user session. The bad news: if they get it right, they’re instantly sitting in an admin chair.
Lesson: Don’t rely on a single control. And never assume your defenses are immune from becoming the attack vector.
Read More | What is Microsegmentation and How Can it Limit the Spread of Attackers
Healthcare Breaches That Stretch the Imagination
When it comes to data breaches, size matters. And this month set a grim new record.
- UnitedHealth / Change Healthcare: The U.S. Department of Health and Human Services now confirms the Change Healthcare ransomware attack hit 192.7 million people. Nearly two-thirds of the U.S. population saw some part of their medical or insurance data exposed – one of the largest healthcare breaches in American history.
- Sanderling Healthcare: Ransomware struck again, leaking Social Security numbers, insurance records, and even payment details. Lawsuits are already circling.
- Michigan Medicine: Over a thousand patients had their personal details exposed because postcards for a research study went out without envelopes. A simple mailing mishap became a compliance nightmare.
The healthcare sector is life-critical, which is why lateral movement here doesn’t just mean lost data. It means delayed care, canceled procedures, and even financial and reputational harm.
Telecom Under Siege
It wasn’t just hospitals feeling the heat. Telecom providers in Europe took some serious hits:
- Bouygues Telecom (France): A breach exposed the personal and banking data of 6.4 million customers. No passwords were stolen, but IBANs (international bank account numbers) were. It opened the door to fraud and phishing.
- Colt Technology Services (UK): WarLock ransomware claimed responsibility for knocking services offline, with attackers offering to sell one million internal documents for $200,000. Researchers believe the entry point was a Microsoft SharePoint zero-day.
When telecoms stumble, ripple effects are brutal. Customers lose trust, businesses lose connectivity, and attackers walk away with both data and ransom leverage.
Even Google Wasn’t Safe
Yes, even Google. Attackers, specifically the ShinyHunters gang, breached a corporate Salesforce instance tied to Google Ads, leaking about 2.5 million records. They didn’t just break in through code. They used vishing (voice phishing) to trick employees into approving a malicious Salesforce app.
Once in, the group ran off with data via Salesforce’s Data Loader. The breach may sound small next to 192 million healthcare records, but it highlights a critical shift: attackers are blending social engineering with lateral movement inside SaaS ecosystems.
The $330 Billion Wake-Up Call for OT
It’s easy to think cyber risk lives only in the digital world. But the Dragos and Marsh McLennan report serves a brutal reminder: if operational technology (OT) goes down, the real world feels it fast.
Their model shows a catastrophic cyber event could rack up $330 billion in global losses, with over half of that from downtime alone. That’s spoiled food, halted manufacturing, missed shipping slots, safety fines, and a cascading chain of costs that make ransom demands look like pocket change.
However, our report also found three basic controls that slash the risk dramatically:
- OT-specific incident response plans: Practice how to isolate production lines, keep backups offline, and run safe shutdowns.
- Defensible segmentation: Keep IT and OT zones separated, lock down vendor access, and restrict east-west movement.
- Continuous monitoring: Baseline traffic, detect anomalies, and log everything—without disrupting fragile systems.
Access White Paper | Protecting industrial networks with zero trust controls and microsegmentation
Why Lateral Movement is the Common Thread
Different sectors, different attack vectors. But the same story repeats.
- Attackers get in (via a zero-day, phishing call, or just sloppy mailing practices).
- They move laterally (pivoting across apps, databases, or OT networks).
- They escalate impact (data theft, downtime, or full-blown ransomware).
That second step, lateral movement, is the multiplier. Stop it there, and you turn a would-be catastrophe into a containable incident. Let it run unchecked, and suddenly you’re explaining to regulators why 192 million people need identity theft protection.
Access Report | ColorTokens Named a Leader in the Forrester Wave™ Microsegmentation Report
What You Can Do Next
Here’s the takeaway:
- Adopt microsegmentation: isolate your network into small, controllable segments to stop attackers from roaming freely. It gives you granular control over internal traffic and drastically reduces the threat of lateral movement.
- Patch fast, especially for critical flaws like the FortiWeb bypass and the Microsoft GDI+ vulnerabilities.
- Audit who can move where across your systems. Assume breaches will happen. Design your network so attackers can’t move sideways.
- Drill incident response not just for IT, but also for OT and cloud environments.
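As an added illustration of the two controls that recur above, defensible segmentation with restricted east-west traffic and continuous monitoring that baselines traffic and flags anomalies, here is a small flow-log audit. It is example code written for this post, not ColorTokens’ product or anything from the threat brief. The segment CIDRs, the allow-list, the log format and every log line are constructed for the example; swap in your own segment map and flow records.

```python
"""Segment-aware east-west flow audit (constructed example, not product code)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical segment map: CIDRs invented for this example.
SEGMENTS = {
    "admin": ipaddress.ip_network("10.0.0.0/24"),
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
    "ot": ipaddress.ip_network("10.9.0.0/24"),
}

# Explicit east-west allow-list: (source segment, destination segment, destination port).
# Any cross-segment flow not listed here is a violation (default deny).
ALLOWED = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("admin", "ot", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Assumed log format: "... src=A dst=B dport=N ..."; lines that don't match are skipped.
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_flow_log(lines):
    """Turn raw log lines into Flow records, ignoring anything unparseable."""
    flows = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            flows.append(Flow(m["src"], m["dst"], int(m["dport"])))
    return flows


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is outside every CIDR."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(flow):
    """Default-deny check for cross-segment traffic; intra-segment traffic is out of scope here."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg and src_seg != "unknown":
        return True
    return (src_seg, dst_seg, flow.dport) in ALLOWED


def policy_violations(flows):
    """Flows that the segmentation policy should have blocked."""
    return [f for f in flows if not is_allowed(f)]


def fan_out_sources(flows, baseline, threshold=3):
    """Sources reaching >= threshold destinations never seen in the baseline (lateral-movement signal)."""
    new_peers = defaultdict(set)
    for f in flows:
        if (f.src, f.dst, f.dport) not in baseline:
            new_peers[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in new_peers.items() if len(dsts) >= threshold}


# Constructed sample data: a quiet baseline day, then a day where a web host starts roaming.
BASELINE_LOG = [
    "2025-08-01T09:00:00Z src=10.1.0.5 dst=10.2.0.7 dport=8443 action=accept",
    "2025-08-01T09:00:01Z src=10.2.0.7 dst=10.3.0.9 dport=5432 action=accept",
    "2025-08-01T09:00:02Z src=10.0.0.3 dst=10.9.0.4 dport=22 action=accept",
]
TODAY_LOG = [
    "2025-08-12T03:10:00Z src=10.1.0.5 dst=10.2.0.7 dport=8443 action=accept",  # web -> app: allowed
    "2025-08-12T03:10:05Z src=10.1.0.5 dst=10.3.0.9 dport=5432 action=accept",  # web -> db: violation
    "2025-08-12T03:10:06Z src=10.1.0.5 dst=10.3.0.10 dport=445 action=accept",  # web -> db SMB: violation
    "2025-08-12T03:10:07Z src=10.1.0.5 dst=10.9.0.4 dport=22 action=accept",    # web -> ot: violation
    "2025-08-12T03:10:08Z src=10.0.0.3 dst=10.9.0.4 dport=22 action=accept",    # admin -> ot: allowed
    "garbage line that will be skipped",
]


def run_audit(baseline_lines=BASELINE_LOG, today_lines=TODAY_LOG):
    """Return policy violations and fan-out sources for a day's flows against a baseline."""
    baseline = {(f.src, f.dst, f.dport) for f in parse_flow_log(baseline_lines)}
    flows = parse_flow_log(today_lines)
    return {"violations": policy_violations(flows), "fan_out": fan_out_sources(flows, baseline)}


if __name__ == "__main__":
    result = run_audit()
    for v in result["violations"]:
        print(f"VIOLATION {segment_of(v.src)}->{segment_of(v.dst)} {v.src} -> {v.dst}:{v.dport}")
    for src, dsts in result["fan_out"].items():
        print(f"FAN-OUT {src} reached {len(dsts)} new peers: {', '.join(dsts)}")
```

The two checks are deliberately independent: the allow-list catches traffic that should never have been possible between zones (the "design your network so attackers can’t move sideways" point), while the baseline comparison catches a host that suddenly talks to many internal peers it never touched before, which is the signature of the pivoting step even when each individual connection looks permitted.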
Because in every story above, the damage didn’t just come from the break-in. It came from the freedom of movement afterward.
Access the latest ColorTokens Threat Advisory
“The direct breach is rarely the most expensive part. The downtime is.” – Dragos / Marsh McLennan
These highlights are just the surface. The full threat intel brief has the attack flow diagrams, IOCs, and patch details you’ll need to brief your team properly. Grab the report and see the full attack flow.
If you want to know how ColorTokens can help, start a consultation with one of our top advisors.