The Breach Did Not Knock on the Front Door
Aggregator summary: The article notes that attackers are entering enterprise systems through software packages, single sign-on accounts, and firewall configuration files, with healthcare and finance targeted in particular. The attack surface now extends to vendors, identity platforms, and IoT devices. Once inside, attackers can move laterally across multiple systems with serious consequences. The article stresses supply chain security, multi-factor authentication, and microsegmentation to limit the blast radius.

2026-4-28 14:22:37 Author: securityboulevard.com (view original) Views: 15

Attackers are getting in. Security teams have long accepted that premise. What is unsettling is where they are entering from.

They are coming through software packages that development teams trust by default, hijacking single sign-on accounts that serve as master keys to dozens of business applications, and pulling firewall configuration files that reveal how a network is built. They are landing in healthcare systems where patient records, medical histories, and Social Security numbers sit steps away from daily operations that cannot afford to stop for an investigation.

The attack surface has expanded beyond anything resembling a perimeter. It now includes vendors, identity platforms, SaaS tools, and connected devices adopted to make work easier. Once an attacker reaches any one of those entry points, the question immediately becomes: how far can they move before something stops them?

Healthcare’s Compounding Exposure

Healthcare takes a sustained hit in the latest ColorTokens Threat Advisory report, and the reasons compound each other. Patient data is deeply personal, difficult to replace, and valuable on criminal markets, while hospitals cannot pause operations to investigate an intrusion.

Caribbean Medical Center in Puerto Rico reported a cyberattack that later appeared on the HHS Office for Civil Rights breach portal as affecting up to 92,000 individuals. The hospital said its monitoring systems detected the intrusion in time to contain it. A ransomware group called The Gentlemen subsequently claimed responsibility on its dark web leak site, asserting it had stolen sensitive patient data.

The timeline at Murray County Medical Center in Minnesota illustrates how long breach response can stretch. Suspicious activity was detected on August 21, 2025, but it took until January 27, 2026, to confirm that patient and employee data had been compromised, including names, dates of birth, Social Security numbers, driver’s license details, health insurance information, and medical histories. Five months to understand what was taken is not simply a database problem. It is a trust problem.

North Texas Behavioral Health Authority shows how even a brief intrusion generates months of consequence. NTBHA found that a third party had accessed its network across a two-day window beginning October 13, 2025, and the breach affected 285,086 individuals, which makes it the sixth-largest healthcare data breach reported to OCR so far in 2026. Notification letters did not go out until March 6, 2026. NTBHA said it reset passwords, expanded multi-factor authentication, and deployed advanced endpoint detection and response tools after the incident. These are the kinds of measures that make the persistent case for readiness built before a breach rather than response assembled after one.

Also Read: Microsegmentation in 2026: Stay Operational During Breaches

Finance and the Vendor Layer

The Marquis incident demonstrates how attackers have learned to avoid the hardened front door by walking through the vendor beside it.

Marquis is a Texas-based fintech company that provides data analytics tools to hundreds of banks — a position that grants it access to significant volumes of sensitive financial data without itself being a bank. Attackers reportedly hit the company with ransomware, affecting at least 672,075 people. Stolen data included names, home addresses, bank account details, card numbers, and Social Security numbers.

Marquis later filed a lawsuit against SonicWall, its firewall provider, alleging that a security flaw allowed attackers to exfiltrate firewall configuration files — files that reportedly gave them a detailed map of the network before the attack began. A configuration file may sound unremarkable, but it amounts to a building blueprint: it shows where the doors, cameras, and blind spots are, even if it does not hold the valuables directly.

This is why third-party risk keeps showing up in serious breach stories. Your defenses can depend on systems you do not fully control.

One Account, Many Rooms

ADT detected unauthorized access to customer data on April 20. Names, phone numbers, and addresses were stolen; in a smaller number of cases, the last four digits of Social Security numbers or Tax IDs were among the exposed records. Payment information and customer security systems were not affected.

ShinyHunters told BleepingComputer that the intrusion began with a vishing attack (phishing conducted over the phone) that compromised an employee’s Okta single sign-on account. A convincing call did what malware was not needed to do. The group claimed to have then pulled data from ADT’s Salesforce instance, and has reportedly run similar campaigns against Microsoft Entra, Google SSO, and platforms including Microsoft 365, Slack, and Zendesk.

One compromised identity becomes a corridor into a dozen applications at once. The width of that corridor determines how far an attacker travels before anyone closes it.

Also Read: Microsegmentation and EDR Integration Imperative

Vulnerabilities Already Moving

The report also tracks active exploitation in the wild. CVE-2026-34841, tied to a compromised axios npm package, scored 9.8 and deployed a cross-platform Remote Access Trojan through a hidden dependency. It’s a supply chain attack embedded inside a widely used library. Cisco Integrated Management Controller carries CVE-2026-20093, scored 9.3, where an unauthenticated attacker can gain administrator access without credentials. CISA added eight actively exploited flaws to its Known Exploited Vulnerabilities catalog, including three affecting Cisco Catalyst SD-WAN Manager, with federal agencies directed to address them by late April and early May 2026.

Reducing the Blast Radius

The incidents across this report share a common shape. An attacker reaches one trusted system and immediately looks for the next reachable one. Practical responses follow from that pattern.

  • Patch affected systems based on vendor guidance, prioritizing severe CVEs flagged in the report
  • Reset passwords and expand multi-factor authentication wherever unauthorized access is suspected
  • Use phishing-resistant MFA for Okta, Microsoft Entra, and Google Workspace
  • Audit SaaS permissions through single sign-on and remove unnecessary access across connected platforms
  • Train employees to recognize vishing attempts that pressure them to share credentials or approve login prompts
  • Apply microsegmentation to limit lateral movement and create adaptive perimeters around workloads, users, and connected devices
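As an added illustration of the blast-radius idea behind these steps (example code written for this edit, not from ColorTokens or the advisory), the script below walks a constructed trust graph from an entry point such as a compromised SSO identity or a leaked firewall config, first with every default edge open and then under a default-deny segmentation allow-list. The node names and the allow-list are assumptions for illustration.

```python
from collections import deque

# Constructed trust graph (illustrative, not data from the advisory): each key can reach
# the listed systems by default, e.g. one SSO identity opening every assigned SaaS app,
# or a leaked firewall config exposing every VLAN it documents.
TRUST_EDGES = {
    "sso:employee":      {"saas:crm", "saas:ticketing", "saas:chat", "saas:mail"},
    "saas:crm":          {"db:customer_records"},
    "saas:mail":         {"share:finance_exports"},
    "fw:config_export":  {"net:admin_vlan", "net:clinical_vlan"},
    "net:admin_vlan":    {"db:patient_records", "net:clinical_vlan"},
    "net:clinical_vlan": {"dev:imaging_station"},
}

# Constructed segmentation policy: default deny, only these edges stay open.
SEGMENTED_ALLOW = {
    ("sso:employee", "saas:ticketing"),
    ("sso:employee", "saas:chat"),
    ("net:admin_vlan", "net:clinical_vlan"),
}

def blast_radius(entry, edges, allow=None):
    """Return every system reachable from `entry` by walking trust edges (BFS).
    With `allow` set, an edge is crossed only if the policy explicitly permits it."""
    seen, queue = {entry}, deque([entry])
    while queue:
        src = queue.popleft()
        for dst in edges.get(src, ()):
            if allow is not None and (src, dst) not in allow:
                continue  # default deny: unlisted edge is a boundary, not a corridor
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(entry)
    return seen

def rank_entry_points(edges, allow=None):
    """Sort entry points by how much they open, largest blast radius first."""
    return sorted(((len(blast_radius(n, edges, allow)), n) for n in edges), reverse=True)

if __name__ == "__main__":
    for label, allow in (("flat network", None), ("segmented", SEGMENTED_ALLOW)):
        print(label)
        for size, node in rank_entry_points(TRUST_EDGES, allow):
            print(f"  {node:<18} reaches {size}: {sorted(blast_radius(node, TRUST_EDGES, allow))}")
```

Running it shows the same SSO identity reaching six systems on the flat graph and two under the allow-list, which is the containment shift the list above is driving at.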

Also Read: Breach Ready Microsegmentation Architecture for Cyber Defense

The Architecture Behind Every Access Point

The blast radius in every one of these incidents grew because there was no internal boundary to slow it down. The two-day NTBHA intrusion became a three-month investigation. The Okta account became a Salesforce dataset. The configuration file became a network roadmap. These are failures of containment architecture.

That is the shift microsegmentation forces. Not whether attackers can find a door, but how much of the building that door actually opens.

Get the full threat advisory report for the complete breach breakdowns, CVE details, and attack timelines. If you want to see how these patterns map to your own environment, talk to our advisors.

And if you want a clear picture of where your exposure actually sits, start with a free breach readiness and impact assessment.

The post The Breach Did Not Knock on the Front Door appeared first on ColorTokens.

*** This is a Security Bloggers Network syndicated blog from ColorTokens authored by Tanuj Mitra. Read the original post at: https://colortokens.com/blogs/ransomware-attacks-lateral-movement-risk/


Source: https://securityboulevard.com/2026/04/the-breach-did-not-knock-on-the-front-door/