Posted On June 5, 2026

EQST Insight April 2025: Healthcare Cyberattacks, Vanhelsing Ransomware & Next.js CVE-2025-29927


📄 Original Report (PDF): Download EQST Insight 2025 April →

April 2025’s EQST Insight examines the rising wave of cyberattacks targeting medical institutions, the rapidly evolving Vanhelsing ransomware, and a critical middleware bypass vulnerability in Next.js (CVE-2025-29927).

Headline: Cyber Attacks on Healthcare — Trends & Response Strategies

Healthcare organisations have become prime ransomware targets, with attackers recognising that patient safety pressures create urgency to pay ransoms quickly. EQST analysed a series of attacks on Korean medical institutions, noting common entry vectors: phishing emails targeting clinical staff, exploitation of unpatched VPN appliances, and abuse of remote desktop services. The consequences extend beyond data loss — ransomware-induced EHR outages have directly impacted patient care, forcing hospitals to divert ambulances and cancel surgeries. EQST recommends healthcare organisations classify clinical systems as critical infrastructure, mandate network segmentation between clinical and administrative systems, and rehearse downtime procedures so staff can operate safely when digital systems are unavailable.

Keep Up with Ransomware: Vanhelsing — A Rapidly Evolving Threat

Vanhelsing ransomware emerged and rapidly evolved its capabilities within months of its first observed campaigns. EQST tracked multiple Vanhelsing versions, noting significant iteration in its evasion techniques: successive versions added process injection improvements, anti-analysis checks, and network communication obfuscation. The speed of development suggests a well-resourced and technically sophisticated team. Vanhelsing has been observed targeting energy and utilities sectors in Europe and Asia. EQST provides version-specific indicators and recommends monitoring for the behavioural patterns common across all Vanhelsing versions rather than relying solely on hash-based detection.

Research & Technique: Next.js Middleware Bypass — CVE-2025-29927

EQST disclosed CVE-2025-29927, a vulnerability in Next.js middleware that allows attackers to bypass authentication and authorisation controls implemented in the middleware layer. By manipulating specific HTTP headers, an attacker can cause the Next.js runtime to skip middleware execution entirely, accessing protected routes without valid credentials. The vulnerability affects a wide range of Next.js applications that rely on middleware for security enforcement. Vercel and the Next.js team released patches promptly, but EQST notes that many self-hosted Next.js deployments lag on framework updates. Developers should audit their middleware security model and not rely solely on the framework layer for access control — apply defence in depth at the API and database layers as well.
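The defence-in-depth advice above, sketched as an added example (not code from the EQST report or from Next.js). It assumes the header involved is `x-middleware-subrequest`, which the public advisory for this CVE says to drop from external requests on unpatched deployments; the session store, tokens, role names and function names are hypothetical.

```javascript
// Internal-only header that external clients have no reason to send.
// Assumption from the public advisory, not from the page above.
const INTERNAL_HEADERS = ['x-middleware-subrequest'];

// Constructed session store for the example: token -> session record.
const SESSIONS = new Map([
  ['tok-alice', { user: 'alice', roles: ['clinician'] }],
  ['tok-bob', { user: 'bob', roles: ['billing'] }],
]);

// Edge/proxy step: copy the headers, lower-casing names and dropping
// internal-only ones before the request reaches the application.
function stripInternalHeaders(rawHeaders) {
  const clean = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    const lower = name.toLowerCase();
    if (!INTERNAL_HEADERS.includes(lower)) clean[lower] = value;
  }
  return clean;
}

// Handler-level check: lives inside the route itself, so it still runs
// when the middleware layer was skipped or misconfigured.
function authorise(headers, requiredRole) {
  const auth = headers['authorization'] || '';
  const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
  const session = SESSIONS.get(token);
  if (!session) return { status: 401 };
  if (!session.roles.includes(requiredRole)) return { status: 403 };
  return { status: 200, user: session.user };
}

// Hypothetical protected route: sanitise, authorise, then serve.
function handlePatientRecords(rawHeaders) {
  const headers = stripInternalHeaders(rawHeaders);
  const result = authorise(headers, 'clinician');
  if (result.status !== 200) {
    return { status: result.status, body: null, headers };
  }
  return { status: 200, body: `records for ${result.user}`, headers };
}
```

In a real deployment the stripping step belongs in the reverse proxy or load balancer in front of the application, and the handler-level check should be backed by the same session validation the API and database layers use.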

Source: SK Shieldus EQST Insight, April 2025 — skshieldus.com
