When Hackers Pivot and Hospitals Freeze: What the Latest Threats Reveal About Cybercrime’s New Playbook
Recent threats include cloud-native ransomware, IoT botnets, and voice-phishing scams. Attackers are going after pharmaceutical companies, hospitals, and smart devices, profiting through cloud-account hijacking, data theft, and malware distribution. Beyond disrupting business operations, these attacks put patient safety and critical research timelines at risk, and security teams need to reassess their defensive strategy to cope with them. 2025-9-3 17:27:37 Author: securityboulevard.com

What do a pharma firm, a hospital service provider, and your smart doorbell have in common?

They were all targets in cyberattacks last month.

Here’s the August end-of-month threat rundown from the ColorTokens Threat Advisory Team, a peek into how threat actors are rewriting the rules, one zero-day or botnet at a time. And if you think this stuff is limited to shadowy forums and tech talk, think again. These breaches ripple through hospitals, slow down drug development, and turn ordinary routers into covert money machines. Here’s what stood out, and why it matters more than ever.



Ransomware Went Cloud-Native

Remember when ransomware meant locking up on-prem servers and tossing a note demanding Bitcoin?

Storm-0501 didn't follow that script. The group ditched traditional ransomware for something far more insidious: cloud-native extortion. No malware payload needed, just native Azure tooling, stolen credentials, and a playbook that wipes out your backups before you know what hit you.

Instead of encrypting files the old-fashioned way, Storm-0501 is:

  • Hijacking cloud accounts
  • Exfiltrating data directly from storage buckets
  • Destroying backups and restore points
  • Then… demanding a ransom, sent through your own compromised Teams accounts

“Storm-0501 shows us that ransomware is migrating to the cloud and learning new tricks.” — Microsoft Security

For companies running cloud-first IT, this is a present-tense reality, and it is forcing security teams to rethink breach readiness for an age of SaaS and remote work.
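The playbook above leaves a trail in the Azure Activity Log: a role grant to some principal, then a burst of deletions of vaults, snapshots, restore points and storage accounts by that principal. The detector below is an added example written for this rundown, not ColorTokens' or Microsoft's code. It assumes the log is exported as newline-delimited JSON carrying the Activity Log fields eventTimestamp, operationName, status, caller and resourceId, that operation names match the Azure resource-provider operation strings listed in the code, and that the role-grant event exposes the grantee under a constructed "principal" property; the sample log is constructed.

```python
"""Detect a Storm-0501-style backup wipeout in Azure Activity Log exports.

Added example for this threat rundown; it is not ColorTokens' or Microsoft's
code. It looks for a caller who deletes several backup/recovery resources
inside a short window and notes whether that caller was handed a role
assignment shortly beforehand. Assumptions: events are newline-delimited JSON
with the Activity Log fields eventTimestamp, operationName, status, caller,
resourceId, and operation names match the resource-provider strings below.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that remove the ability to restore (assumed operation strings).
DESTRUCTIVE_OPS = {
    "Microsoft.RecoveryServices/vaults/delete",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/restorePointCollections/delete",
    "Microsoft.Storage/storageAccounts/delete",
}
PRIV_GRANT_OP = "Microsoft.Authorization/roleAssignments/write"


def parse_events(lines):
    """Parse NDJSON activity-log lines into dicts sorted by time; skip junk."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue
        e["ts"] = datetime.fromisoformat(e["eventTimestamp"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_backup_wipeouts(events, window=timedelta(hours=2), min_deletes=3,
                         grant_lookback=timedelta(days=1)):
    """Return one alert per caller who performed >= min_deletes destructive
    operations within `window`; flag whether a role grant to that caller
    succeeded within `grant_lookback` before the first deletion."""
    grants = defaultdict(list)   # principal that received a role -> grant times
    deletes = defaultdict(list)  # caller -> [(time, operation, resourceId)]
    for e in events:
        if e.get("status") != "Succeeded":
            continue
        op = e.get("operationName", "")
        if op == PRIV_GRANT_OP:
            # "principal" is a constructed field standing in for the grantee
            # identity carried in the role-assignment request body.
            grants[e.get("properties", {}).get("principal", "")].append(e["ts"])
        elif op in DESTRUCTIVE_OPS:
            deletes[e["caller"]].append((e["ts"], op, e.get("resourceId", "")))

    alerts = []
    for caller, items in deletes.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            burst = [x for x in items[i:] if x[0] - start <= window]
            if len(burst) < min_deletes:
                continue
            recently_granted = any(
                timedelta(0) <= start - g <= grant_lookback
                for g in grants.get(caller, []))
            alerts.append({
                "caller": caller,
                "first_delete": start.isoformat(),
                "count": len(burst),
                "resources": sorted({r for _, _, r in burst}),
                "recent_role_grant": recently_granted,
            })
            break  # one alert per caller is enough for triage
    return alerts


# Constructed sample: an Owner grant at 01:05, then three deletions by the
# grantee inside five minutes, plus one unrelated snapshot delete by ops.
SAMPLE_LOG = """
{"eventTimestamp":"2025-08-12T01:05:00Z","operationName":"Microsoft.Authorization/roleAssignments/write","status":"Succeeded","caller":"admin@contoso.example","properties":{"principal":"svc-sync@contoso.example","role":"Owner"}}
{"eventTimestamp":"2025-08-12T03:10:00Z","operationName":"Microsoft.RecoveryServices/vaults/delete","status":"Succeeded","caller":"svc-sync@contoso.example","resourceId":"/subscriptions/s1/resourceGroups/prod/providers/Microsoft.RecoveryServices/vaults/prod-vault"}
{"eventTimestamp":"2025-08-12T03:12:00Z","operationName":"Microsoft.Compute/snapshots/delete","status":"Succeeded","caller":"svc-sync@contoso.example","resourceId":"/subscriptions/s1/resourceGroups/prod/providers/Microsoft.Compute/snapshots/db-snap-1"}
{"eventTimestamp":"2025-08-12T03:14:00Z","operationName":"Microsoft.Storage/storageAccounts/delete","status":"Succeeded","caller":"svc-sync@contoso.example","resourceId":"/subscriptions/s1/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/prodbackups"}
{"eventTimestamp":"2025-08-12T09:00:00Z","operationName":"Microsoft.Compute/snapshots/delete","status":"Succeeded","caller":"ops@contoso.example","resourceId":"/subscriptions/s1/resourceGroups/dev/providers/Microsoft.Compute/snapshots/dev-snap-9"}
"""

if __name__ == "__main__":
    for alert in find_backup_wipeouts(parse_events(SAMPLE_LOG.splitlines())):
        print(json.dumps(alert, indent=2))
```

The thresholds are deliberately loose: three restore-class deletions inside two hours by one identity is rare in a healthy environment, and a role grant to that identity the day before turns a noisy cleanup job into a priority incident. Tune the window against your own change windows before wiring it into alerting.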

The Pharma Hit That Could Stall Research

In early August, ransomware actors breached Inotiv, a drug development company. Systems were encrypted, files locked, and research interrupted.

Qilin, the group behind the hit, claims they stole 176GB of data, over 162,000 files. Some of those files have already been leaked. While the company hasn’t disclosed everything, this much is clear: patient safety, clinical trials, and critical research timelines can be derailed in a single click.

Qilin didn’t wait for payment negotiations. They went straight to public pressure, listing Inotiv on their leak site.

For life sciences and healthcare firms, the implications are chilling:

  • Sensitive IP and research data are now targets
  • Operational delays can cost lives, not just money
  • Public exposure adds legal and reputational fallout

Inotiv’s response involved external security teams, offline workarounds, and ongoing recovery. But this attack is part of a rising trend: ransomware gangs targeting critical supply chain nodes in healthcare and pharma.


From Routers to Revenue Streams: IoT Botnets Are Back with a Twist

Imagine your security camera quietly making someone else rich. That’s the playbook for two botnets making waves: PolarEdge and Gayfemboy.

These are stealthy, persistent, and designed to milk your bandwidth for passive income. Here’s how:

  • PolarEdge hijacks devices like routers, IP cameras, and VoIP phones.
  • It installs a TLS-based backdoor that turns them into “Operational Relay Boxes” (ORBs): the device quietly forwards the attacker’s traffic, and because the sessions look like ordinary TLS, ISPs and defenders rarely notice.
  • Gayfemboy, a mutated Mirai variant, doesn’t stop at hijacking—it installs crypto miners, maintains persistence, and launches DDoS attacks on demand.

Some of these infections date back to mid-2023 and still haven’t been cleaned up. Over 40,000 devices are believed to be compromised.
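A relay box gives itself away in flow data, even when the payload is encrypted: a consumer camera or router should only ever originate traffic to its vendor's cloud and should never accept unsolicited connections from the internet. A device that does both, and fans out to several unrelated external hosts, is carrying someone else's traffic. The classifier below is an added example for this rundown, not code from ColorTokens or from any of the botnet write-ups. It assumes 192.168.50.0/24 is the IoT VLAN, 203.0.113.0/24 stands in for the vendor cloud, and flows arrive as (src_ip, dst_ip, dst_port, bytes) tuples as a NetFlow or Zeek export would give; the sample flows are constructed.

```python
"""Spot IoT devices behaving like Operational Relay Boxes from flow records.

Added example for this threat rundown, not code from ColorTokens or from
any botnet report. Assumptions: 192.168.50.0/24 is the IoT VLAN,
203.0.113.0/24 is the vendor cloud allowlist, and each flow is a
(src_ip, dst_ip, dst_port, bytes) tuple.
"""
import ipaddress
from collections import defaultdict

IOT_NET = ipaddress.ip_network("192.168.50.0/24")          # assumed IoT VLAN
VENDOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]     # assumed allowlist
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    """External = not in any site-local range (documentation ranges count)."""
    return not any(ip in net for net in LOCAL_NETS)


def is_vendor(ip):
    return any(ip in net for net in VENDOR_NETS)


def assess_iot_hosts(flows, min_unexpected=2):
    """Return {iot_host: {"verdict", "inbound_src", "unexpected_dst"}}.

    "relay-candidate": accepts inbound from the internet AND talks to
    >= min_unexpected non-vendor external hosts.
    "listening-to-internet": accepts unsolicited inbound only.
    "ok": only vendor-bound or purely internal traffic.
    """
    stats = defaultdict(lambda: {"inbound_src": set(), "unexpected_dst": set()})
    for src, dst, _dport, _nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in IOT_NET and is_external(s):
            stats[dst]["inbound_src"].add(src)           # internet -> device
        elif s in IOT_NET:
            entry = stats[src]                           # register the device
            if is_external(d) and not is_vendor(d):
                entry["unexpected_dst"].add(dst)         # device -> unrelated host
        # IoT <-> LAN flows (an NVR pulling RTSP, say) are what segmentation
        # should permit explicitly; they carry no relay signal and are skipped.

    report = {}
    for host, st in stats.items():
        if st["inbound_src"] and len(st["unexpected_dst"]) >= min_unexpected:
            verdict = "relay-candidate"
        elif st["inbound_src"]:
            verdict = "listening-to-internet"
        else:
            verdict = "ok"
        report[host] = {"verdict": verdict,
                        "inbound_src": sorted(st["inbound_src"]),
                        "unexpected_dst": sorted(st["unexpected_dst"])}
    return report


# Constructed sample flows: (src_ip, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("192.168.50.10", "203.0.113.20", 443, 120_000),  # camera .10 -> vendor cloud: expected
    ("198.51.100.7", "192.168.50.11", 443, 4_000),    # internet host opens TLS to camera .11
    ("192.168.50.11", "192.0.2.40", 443, 50_000),     # camera .11 then fans out to strangers
    ("192.168.50.11", "192.0.2.41", 8443, 30_000),
    ("192.168.50.11", "198.51.100.9", 443, 45_000),
    ("198.51.100.7", "192.168.50.1", 443, 2_000),     # router .1 accepts inbound, no relaying seen
    ("192.168.50.1", "203.0.113.30", 443, 3_000),     # router .1 -> vendor cloud
    ("192.168.10.5", "192.168.50.10", 554, 9_000),    # LAN NVR pulls RTSP from camera: internal
]

if __name__ == "__main__":
    for host, info in sorted(assess_iot_hosts(SAMPLE_FLOWS).items()):
        print(host, info["verdict"], info["unexpected_dst"])
```

Two of the four mitigations later in this section map directly onto the verdicts: turning off remote access empties inbound_src, and segmenting the IoT VLAN with an egress allowlist empties unexpected_dst, so a device that still trips either check after those changes is worth pulling off the network.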

So, what can you do?

  • Segment your networks—keep IoT devices far from sensitive assets.
  • Change default passwords. Immediately.
  • Turn off remote access unless absolutely necessary.
  • Update firmware and kill end-of-life hardware.


624,000 Patients Caught in a Healthcare Breach That Took a Year to Disclose

Healthcare Services Group (HSGI) finally notified victims of a breach that happened almost a year ago. Ten months passed between the breach and public disclosure. The breach affected over 624,000 people, exposing:

  • Names
  • Social Security Numbers
  • Driver’s license and state ID numbers
  • Financial account data

Why the delay?

The data review process took time, according to HSGI. But for patients, that delay means a long window where identity theft could’ve already started.

Even more alarming, the breach affected systems used by healthcare facilities across the U.S.—places where digital interruptions can quite literally mean life or death.

The silver lining is that HSGI is offering credit monitoring. But the data is already out there.

The Fake IT Call That Fooled Google

And finally, let’s look at the voice phishing tactic that’s scaling up in terrifying ways.

Google’s Threat Intelligence Group flagged a sophisticated campaign targeting Salesforce environments. Here’s the scam:

  1. The attacker calls pretending to be IT support.
  2. They guide the victim to install a fake Salesforce Data Loader app.
  3. That app quietly exports CRM data, and the attackers use the credentials they harvest to pivot into other platforms like Okta and Microsoft 365.
  4. Then, months later, a separate group reaches out demanding ransom, threatening data leaks. 
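Step 2 is where the chain becomes visible to defenders: the victim authorises a connected app that the org, or at least that user, has never used before. The tripwire below is an added example for this rundown, not Google's, Salesforce's or ColorTokens' code. It assumes a login-history CSV with the columns Username, LoginTime, SourceIp, Application, LoginType and Status (the shape of a Setup > Login History download), that connected-app OAuth logins carry LoginType "Remote Access 2.0", and that everything before a chosen cutoff is trusted baseline; the CSV rows are constructed.

```python
"""Flag first-seen connected-app logins in a Salesforce login-history export.

Added example for this threat rundown; not Google's, Salesforce's or
ColorTokens' code. Assumptions: CSV columns Username, LoginTime, SourceIp,
Application, LoginType, Status; OAuth logins show LoginType
"Remote Access 2.0"; rows before CUTOFF are trusted baseline.
"""
import csv
import io

OAUTH_LOGIN_TYPE = "Remote Access 2.0"   # assumed label for connected-app logins


def parse_login_history(text):
    """Return successful login rows as dicts, in file order."""
    return [row for row in csv.DictReader(io.StringIO(text.strip()))
            if row.get("Status") == "Success"]


def first_seen_app_alerts(rows, cutoff):
    """Score OAuth logins after `cutoff` (ISO UTC string; plain string
    comparison is safe for zero-padded timestamps):
      +3 app never seen in the org, +2 app new for this user,
      +1 source IP never used by this user.
    Score >= 3 is high, 2 medium, 1 low, 0 is ignored."""
    baseline = [r for r in rows if r["LoginTime"] < cutoff]
    recent = [r for r in rows if r["LoginTime"] >= cutoff]
    org_apps = {r["Application"] for r in baseline}
    user_apps, user_ips = {}, {}
    for r in baseline:
        user_apps.setdefault(r["Username"], set()).add(r["Application"])
        user_ips.setdefault(r["Username"], set()).add(r["SourceIp"])

    alerts = []
    for r in recent:
        if r["LoginType"] != OAUTH_LOGIN_TYPE:
            continue
        user, app = r["Username"], r["Application"]
        score, reasons = 0, []
        if app not in org_apps:
            score += 3
            reasons.append("app never seen in this org")
        elif app not in user_apps.get(user, set()):
            score += 2
            reasons.append("app new for this user")
        if r["SourceIp"] not in user_ips.get(user, set()):
            score += 1
            reasons.append("source IP new for this user")
        if score == 0:
            continue
        severity = "high" if score >= 3 else "medium" if score == 2 else "low"
        alerts.append({"user": user, "app": app, "time": r["LoginTime"],
                       "source_ip": r["SourceIp"], "severity": severity,
                       "reasons": reasons})
    return alerts


# Constructed sample export. Everything before 2025-08-01 is baseline.
LOGIN_HISTORY_CSV = """\
Username,LoginTime,SourceIp,Application,LoginType,Status
alice@corp.example,2025-07-01T09:00:00Z,10.20.0.5,Browser,Application,Success
alice@corp.example,2025-07-15T09:05:00Z,10.20.0.5,Data Loader,Remote Access 2.0,Success
bob@corp.example,2025-07-20T10:00:00Z,10.20.0.8,Browser,Application,Success
dave@corp.example,2025-07-22T08:30:00Z,10.20.0.9,Data Loader,Remote Access 2.0,Success
bob@corp.example,2025-08-14T14:02:00Z,10.20.0.8,Browser,Application,Success
bob@corp.example,2025-08-14T14:20:00Z,10.20.0.8,Data Loader,Remote Access 2.0,Success
carol@corp.example,2025-08-15T11:00:00Z,198.51.100.23,Ticket Portal Sync,Remote Access 2.0,Success
dave@corp.example,2025-08-15T16:45:00Z,198.51.100.23,Data Loader,Remote Access 2.0,Success
alice@corp.example,2025-08-16T09:00:00Z,10.20.0.5,Data Loader,Remote Access 2.0,Success
eve@corp.example,2025-08-16T09:30:00Z,198.51.100.23,Data Loader,Remote Access 2.0,Failure
"""
CUTOFF = "2025-08-01T00:00:00Z"

if __name__ == "__main__":
    for a in first_seen_app_alerts(parse_login_history(LOGIN_HISTORY_CSV), CUTOFF):
        print(a["severity"], a["user"], a["app"], "; ".join(a["reasons"]))
```

On the constructed rows, bob's first-ever Data Loader login from his usual desk lands as medium, carol's never-before-seen "Ticket Portal Sync" from an outside address lands as high, and dave's known app from a new address lands as low. None of this needs the app's name to look suspicious, which matters because a fake Data Loader can be registered under any name the attacker likes; the question is only whether the org has seen it before.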

Even Google got hit. They caught it early, and only basic business data was taken. But if it can happen to them, what chance does your average retail chain or university have?

Press reports claiming Google was urging all 2.5 billion Gmail users to reset their passwords circulated alongside the story; Google has said it issued no such blanket warning, though rotating credentials and turning on phishing-resistant MFA is sound advice regardless. And the extortionists claim to be ShinyHunters (or are impersonating them), using fear to amp up their demands.

You Can’t Patch Human Trust

Attackers aren’t waiting. They’re moving to the cloud, hijacking your routers, tricking employees with a phone call, and running patient, coordinated campaigns. And they’re hitting healthcare, finance, pharma, and manufacturing because they know these sectors can’t afford downtime.

The answer is not just patching a few CVEs. It’s being ready before, during, and after a breach.

If you want help getting there, our threat advisors are ready to walk you through what’s working, what’s risky, and what needs to change.

The post When Hackers Pivot and Hospitals Freeze: What the Latest Threats Reveal About Cybercrime’s New Playbook appeared first on ColorTokens.

*** This is a Security Bloggers Network syndicated blog from ColorTokens authored by Tanuj Mitra. Read the original post at: https://colortokens.com/blogs/ransomware-protection-threat-advisory-august/


Source: https://securityboulevard.com/2025/09/when-hackers-pivot-and-hospitals-freeze-what-the-latest-threats-reveal-about-cybercrimes-new-playbook/?utm_source=rss&utm_medium=rss&utm_campaign=when-hackers-pivot-and-hospitals-freeze-what-the-latest-threats-reveal-about-cybercrimes-new-playbook