When Hospitals Go Dark and Browsers Turn Rogue
Summary: A Belgian hospital cut power to its own systems after a cyberattack, leading to cancelled surgeries, patient transfers and degraded operations. Similar attacks recur across healthcare, finance and infrastructure, with attackers moving laterally to cause long outages and data leaks. Phishing email and browser extensions are the main delivery channels, and IoT and industrial control systems are also heavily affected. The article stresses that network segmentation and monitoring can sharply reduce the impact.

2026-1-27 20:15:41 Author: securityboulevard.com

At 6:32 a.m., a hospital in Belgium pulled the plug on its own servers. Something was already inside the network, and no one could say how far it had spread.

By mid-morning, scheduled procedures were canceled. Critical patients were transferred out with help from the Red Cross. Staff went back to paper. Emergency services ran at reduced capacity. Systems that normally stay invisible suddenly became the story.

The latest ColorTokens Threat Advisory brief shows this pattern repeating across healthcare, finance, and connected infrastructure. Attackers are moving laterally and hitting organizations where downtime directly threatens lives, trust, and money.

Explore Key Findings | 8.8 Million Infected, 145,000 Records Exposed, Hospitals Forced Offline

Healthcare Attacks Are Lingering Longer Than You Think

In the United States, AllerVie Health uncovered unauthorized access that lasted more than a week. Artemis Healthcare confirmed attackers had access for nearly a month before detection. Central Maine Healthcare reported attackers remained inside systems for over two months before removal.

In each case, attackers reached systems holding patient records, Social Security numbers, treatment details, and insurance information. Some groups stole data. Others leaked it publicly after ransom demands failed. What mattered most was not the malware family or the ransom note, but the amount of time attackers had to move freely.

Every additional day inside a healthcare network widens the blast radius. Once attackers can move between systems, the question shifts from whether care is disrupted to how severe that disruption becomes.

Hospitals continue the work of recovery long after headlines fade. Patients face lasting identity risks. Staff lose confidence in systems they rely on daily. The damage keeps compounding.

Are You Breach Ready? Uncover hidden lateral attack risks in just 5 days. Get a free Breach Readiness and Impact Assessment with a visual roadmap of what to fix first.

Email and Browsers Are Quietly Helping Attackers In

Microsoft reported a sharp rise in phishing campaigns that appear to come from inside the organization. Misconfigured email routing allows attackers to spoof internal domains, making messages look legitimate even when they are not.

These emails deliver invoice fraud, fake HR notices, document shares, and credential traps. When a user clicks, attackers gain access that feels earned because it arrives through a trusted channel.
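The spoofing described above succeeds because the receiving side accepts a message whose visible From domain is internal without checking that the domain which actually passed SPF or DKIM is the same one. The following is an added example, not code from the original post or from ColorTokens: a small triage function that applies a DMARC-style alignment check to the gateway's Authentication-Results header and flags mail that claims an internal sender but was authenticated (or not at all) for some other domain. The internal domain, the header values and the three sample messages are constructed for illustration, and the alignment rule is a simplification of real DMARC, which uses the organizational domain from the public suffix list.

```python
"""Flag inbound mail that claims an internal From domain but fails SPF/DKIM
alignment, the check a DMARC-aware gateway performs before delivery.

Added example; the domain, headers and messages below are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-hospital.test"  # constructed placeholder domain


def _auth_results(msg: Message) -> dict:
    """Parse the gateway's Authentication-Results header into
    {"spf": (verdict, smtp.mailfrom domain), "dkim": (verdict, header.d domain)}."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for part in header.split(";")[1:]:  # element 0 is the authserv-id
        m = re.match(r"(spf|dkim)=(\w+)(?:\s+(.*))?", part.strip())
        if not m:
            continue
        method, verdict, rest = m.group(1), m.group(2), m.group(3) or ""
        if method == "spf":
            dm = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", rest)
        else:
            dm = re.search(r"header\.d=([\w.-]+)", rest)
        results[method] = (verdict.lower(), dm.group(1).lower() if dm else None)
    return results


def _aligned(auth_domain, from_domain):
    """Relaxed alignment: the authenticated domain is the From domain or a
    subdomain of it (simplified; real DMARC compares organizational domains)."""
    return auth_domain is not None and (
        auth_domain == from_domain or auth_domain.endswith("." + from_domain)
    )


def classify(raw: str) -> str:
    """Return 'external', 'authenticated-internal' or 'spoofed-internal'."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != INTERNAL_DOMAIN:
        return "external"  # does not claim to be internal; out of scope here
    auth = _auth_results(msg)
    spf_verdict, spf_dom = auth.get("spf", ("none", None))
    dkim_verdict, dkim_dom = auth.get("dkim", ("none", None))
    spf_ok = spf_verdict == "pass" and _aligned(spf_dom, from_domain)
    dkim_ok = dkim_verdict == "pass" and _aligned(dkim_dom, from_domain)
    # DMARC passes if either authenticated identifier aligns with the From domain.
    return "authenticated-internal" if (spf_ok or dkim_ok) else "spoofed-internal"


# Constructed sample messages (headers only; body irrelevant to the check).
LEGIT = (
    "From: HR <hr@example-hospital.test>\n"
    "Authentication-Results: mx.example-hospital.test; "
    "spf=pass smtp.mailfrom=bounce.example-hospital.test; "
    "dkim=pass header.d=example-hospital.test\n"
    "Subject: Benefits enrollment\n\nbody\n"
)
# SPF passes, but for the attacker's relay domain: the From header is unverified.
SPOOF = (
    "From: HR <hr@example-hospital.test>\n"
    "Authentication-Results: mx.example-hospital.test; "
    "spf=pass smtp.mailfrom=attacker-relay.test; dkim=none\n"
    "Subject: Urgent: updated payroll form\n\nbody\n"
)
EXTERNAL = (
    "From: vendor@supplier.test\n"
    "Authentication-Results: mx.example-hospital.test; "
    "spf=pass smtp.mailfrom=supplier.test; dkim=none\n"
    "Subject: Invoice 1042\n\nbody\n"
)


def triage(messages):
    """Classify a batch and return only the suspicious ones."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for label, m in (("LEGIT", LEGIT), ("SPOOF", SPOOF), ("EXTERNAL", EXTERNAL)):
        print(label, "->", classify(m))
```

The point the example makes is that a bare `spf=pass` is not evidence of anything: the spoofed message passes SPF for the relay the attacker controls, and only the alignment step exposes the mismatch with the internal From domain.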

On a different front, researchers uncovered a browser-based operation that infected more than 8.8 million users across Chrome, Edge, and Firefox. The extensions looked harmless and, in some cases, stayed clean for years before activating.

The malware hid inside image files, waited days before executing, and triggered on only a small percentage of page loads. By the time defenders noticed, the infrastructure was already established. Attackers understand this pattern: familiar tools draw less scrutiny, and they know how to take advantage of that comfort.

Finance and Vendors Are Expanding the Blast Radius

Financial services did not escape this cycle.

France’s national postal and banking services were knocked offline by a large network attack that disrupted digital payments and online access nationwide. Core services survived, but customer-facing platforms went dark.

In the United States, a single software vendor breach exposed data from multiple banks. Customers were affected even though their banks’ own systems were never compromised. Names, Social Security numbers, and account details passed through a third party and out of reach.

When attackers move laterally through shared platforms, the boundary between your environment and someone else’s collapses faster than most teams expect.

IoT and OT Attacks Are Built for Persistence

The RondoDox botnet offers a glimpse of where this trend is heading. Attackers exploited a critical flaw in modern web frameworks to compromise IoT devices and servers at scale. Once inside, the malware removed competing threats, established persistence, and actively blocked reinfection by rivals.

Some infected systems were cleaned every forty-five seconds to maintain exclusive control.

IoT and OT environments often lack visibility, consistent patching, and segmentation. Once compromised, they become long-term infrastructure for attackers rather than one-time victims.

When these systems connect back to enterprise networks, lateral movement follows naturally.

Access Forrester Wave™ Report | Discover why ColorTokens was rated ‘Superior’ in OT, IoT, and Healthcare Security.

Why Lateral Movement Is the Main Risk

Initial access is only the opening move. Impact depends on what happens next and how far an attacker can travel once inside the environment.

Most breaches in this report lasted weeks because nothing blocked internal movement. Credentials continued to work. Network paths stayed open. Systems trusted one another by default.

Attackers do not need access to everything. They only need enough reach to land on something valuable.

Once that threshold is crossed, containment becomes slow and painful.

What Actually Helps Contain These Attacks

Patching, email authentication, and monitoring all matter. None of them stop an attacker who is already inside from moving laterally.

Containment changes the outcome. Segmenting networks so workloads communicate only with what they need sharply limits attacker movement. Isolating medical devices, IoT systems, and third-party platforms reduces spillover. Blocking east-west traffic by default turns open corridors into dead ends.

When lateral movement stops, dwell time drops. Impact stays contained, and recovery becomes manageable.
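"Workloads communicate only with what they need" and "block east-west traffic by default" translate into an allow-list of permitted cross-segment flows with everything else denied. The following is an added example, not code from the original post or from any ColorTokens product: it encodes such a policy for a constructed hospital network (workstation, EHR application, EHR database, medical-device, device-gateway and vendor-VPN segments), maps observed flows to segments, and reports every flow the default-deny policy would have stopped. The CIDR ranges, ports and flow records are constructed for illustration.

```python
"""Evaluate observed flows against a default-deny segmentation policy.

Added example; the segments, allow-list and flow records are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segments: name -> CIDR. Note that device-gateway is a more
# specific range inside the medical-devices range.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "ehr-app": ipaddress.ip_network("10.20.1.0/24"),
    "ehr-db": ipaddress.ip_network("10.20.2.0/24"),
    "medical-devices": ipaddress.ip_network("10.30.0.0/16"),
    "device-gateway": ipaddress.ip_network("10.30.255.0/24"),
    "vendor-vpn": ipaddress.ip_network("10.40.0.0/24"),
}

# Constructed allow-list of (src segment, dst segment, proto, dst port).
# Anything not listed is denied: that is what blocking east-west traffic
# by default means. Workstations reach the EHR only through the app tier,
# devices talk only to their gateway, and the vendor reaches only the gateway.
ALLOW = {
    ("workstations", "ehr-app", "tcp", 443),
    ("ehr-app", "ehr-db", "tcp", 5432),
    ("medical-devices", "device-gateway", "tcp", 2575),  # HL7 over MLLP
    ("device-gateway", "ehr-app", "tcp", 443),
    ("vendor-vpn", "device-gateway", "tcp", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(ip: str) -> str:
    """Longest-prefix match so device-gateway wins over medical-devices."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in SEGMENTS.items():
        if addr in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = name
    return best or "unknown"


def evaluate(flow: Flow) -> str:
    """'allow' if the flow matches the allow-list, otherwise 'deny'.
    Same-segment flows (e.g. workstation to workstation) are also denied
    unless listed, since those are the classic lateral-movement paths."""
    key = (segment_of(flow.src), segment_of(flow.dst), flow.proto, flow.dport)
    return "allow" if key in ALLOW else "deny"


def violations(flows):
    """Return (flow, src segment, dst segment) for every denied flow."""
    return [(f, segment_of(f.src), segment_of(f.dst)) for f in flows if evaluate(f) == "deny"]


# Constructed flow records, as a flow collector might export them.
SAMPLE_FLOWS = [
    Flow("10.10.5.7", "10.20.1.10", "tcp", 443),    # workstation -> EHR app: allowed
    Flow("10.10.5.7", "10.20.2.10", "tcp", 5432),   # workstation -> EHR db: skips app tier
    Flow("10.10.5.7", "10.10.9.2", "tcp", 445),     # workstation -> workstation SMB
    Flow("10.30.12.4", "10.30.255.10", "tcp", 2575),  # device -> gateway: allowed
    Flow("10.40.0.8", "10.20.1.10", "tcp", 3389),   # vendor VPN -> EHR app RDP
]

if __name__ == "__main__":
    for flow, src_seg, dst_seg in violations(SAMPLE_FLOWS):
        print(f"DENY {src_seg} -> {dst_seg} {flow.proto}/{flow.dport} ({flow.src} -> {flow.dst})")
```

Run against real flow logs in monitor mode first, the denied list is the inventory of paths that a lateral move could currently use; each entry is either a missing rule to add deliberately or a corridor to close.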

The Pattern Is Clear Even If the Attacks Differ

Across sectors and tools, attacker behavior remains consistent.

They move patiently, rely on trusted paths, and benefit from flat networks that were never built to contain failure. The incidents in this report are previews of what happens when lateral movement goes unchecked.

Organizations that recover fastest will be the ones that assume breach, plan for movement, and design containment before the next early-morning shutdown forces the issue.

If you want the timelines, indicators, and technical details behind these incidents, the full threat advisory brief goes deeper.

To get a clearer view of how these risks apply to your own environment, request a Breach Readiness and Impact Assessment. Or reach out to one of our advisors if you want guidance on tackling any of the threats in this report.

The post When Hospitals Go Dark and Browsers Turn Rogue appeared first on ColorTokens.

*** This is a Security Bloggers Network syndicated blog from ColorTokens authored by Tanuj Mitra. Read the original post at: https://colortokens.com/blogs/when-hospitals-go-dark-and-browsers-turn-rogue/


Source: https://securityboulevard.com/2026/01/when-hospitals-go-dark-and-browsers-turn-rogue/