ctipilot.ch

ChipSoft (Netherlands) healthcare software vendor — Embargo ransomware, 66 Dutch DPA notifications

incident · incident:chipsoft-embargo-2026

  • Coverage timeline: 2 (first 2026-05-07 → last 2026-05-10)
  • Briefs: 2 (2 distinct)
  • Sources cited: 29 (24 hosts)
  • Sections touched: 2 (incidents, weekly_summary)
  • Co-occurring entities: 8

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
     weekly_summary: Consolidated in weekly summary for week 2026-W19
  2. 2026-05-07 · CTI Daily Brief — 2026-05-07
     incidents: First coverage. Attack 2026-04-07; HiX platform serves ~75% Dutch hospitals; Embargo group identified; 100 GB patient data claimed exfiltrated; attacker claims destruction (implies ransom paid); 66 Dutch DPA notifications; vendor confirmed incident.

Where this entity is cited

  • incidents (1)
  • weekly_summary (1)

Source distribution

  • dutchnews.nl: 3 (10%)
  • bleepingcomputer.com: 2 (7%)
  • helpnetsecurity.com: 2 (7%)
  • nltimes.nl: 2 (7%)
  • aerzteblatt.de: 1 (3%)
  • borncity.com: 1 (3%)
  • bsi.bund.de: 1 (3%)
  • cert.ssi.gouv.fr: 1 (3%)
  • other: 16 (55%)


Items in briefs about ChipSoft (Netherlands) healthcare software vendor — Embargo ransomware, 66 Dutch DPA notifications (13)

DPRK UNK_DeadDrop weaponises VS Code / Cursor auto-run to hit developers, including EU targets

From CTI Daily Brief — 2026-06-16 · published 2026-06-16

Proofpoint details UNK_DeadDrop, a North-Korea-aligned cluster (related to but distinct from Contagious Interview / Famous Chollima) that sent 250+ recruitment-themed phishing emails to ~100 finance, crypto, education and technology organisations over April–May 2026 (Proofpoint, 2026-06-15); the targeted geographies are a US majority followed by the UK, Australia, France, Germany and the Netherlands, among others (The Hacker News, 2026-06-16). The lure links to attacker-controlled GitHub/GitLab repositories carrying a .vscode/tasks.json with runOn: folderOpen; VS Code shows a workspace-trust prompt, but Cursor IDE executes the task silently with no prompt, dropping the open-source Overlord Go C2 that steals browser credentials and crypto wallets (The Hacker News, 2026-06-16). Mapped to T1566.002, T1195.001, T1059.004 and T1555.003.

Why it matters to us: public-sector and fintech development teams that have adopted Cursor are exposed to silent execution on repository open. Hunt for editor processes (code, cursor) spawning shell/script interpreters outside build directories (Sysmon EID 1 parent-image filter); enforce workspace-trust policy and restrict VSIX installation to an approved-publisher allowlist via enterprise policy.
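The hunt described in the takeaway above, written out as an added example (not code from the original brief or from Proofpoint): a Python filter over Sysmon Event ID 1 style process-creation records that flags an editor process (code or cursor) spawning a shell or script interpreter whose working directory lies outside an approved build root. The event records, the build-root list, the interpreter list and the macOS Cursor binary path are constructed assumptions; adapt the sets to the estate.

```python
"""Hunt: IDE process (VS Code / Cursor) spawning a shell or script
interpreter outside sanctioned build directories, using Sysmon Event ID 1
(process creation) fields. Added example; every record below is constructed."""

from typing import Dict, Iterable, List

# Parent images to watch. Assumption: typical binary names across platforms.
EDITOR_IMAGES = {"code", "code.exe", "cursor", "cursor.exe"}

# Child images a task runner would typically launch. Assumption: a
# representative list; extend it to match what the build tooling really uses.
INTERPRETER_IMAGES = {
    "sh", "bash", "zsh", "dash", "cmd.exe", "powershell.exe", "pwsh",
    "pwsh.exe", "python", "python3", "python.exe", "node", "node.exe",
}


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of both separators."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1].lower()


def _norm(path: str) -> str:
    return path.replace("\\", "/").rstrip("/").lower()


def _under_any(path: str, roots: Iterable[str]) -> bool:
    """True if path equals or lies below one of the approved roots."""
    p = _norm(path)
    return any(p == _norm(r) or p.startswith(_norm(r) + "/") for r in roots)


def find_editor_spawned_interpreters(events: Iterable[Dict[str, str]],
                                     build_roots: Iterable[str]) -> List[Dict[str, str]]:
    """Return the events where an editor parent spawned an interpreter child
    with a working directory outside every approved build root."""
    hits = []
    for ev in events:
        if _basename(ev.get("ParentImage", "")) not in EDITOR_IMAGES:
            continue
        if _basename(ev.get("Image", "")) not in INTERPRETER_IMAGES:
            continue
        if _under_any(ev.get("CurrentDirectory", ""), build_roots):
            continue  # sanctioned build location; not interesting on its own
        hits.append({
            "UtcTime": ev.get("UtcTime", ""),
            "parent": ev["ParentImage"],
            "child": ev["Image"],
            "cwd": ev.get("CurrentDirectory", ""),
            "cmd": ev.get("CommandLine", ""),
        })
    return hits


# Constructed approved build locations (assumption).
BUILD_ROOTS = ["C:\\src", "/home/dev/work"]

# Constructed Sysmon EID 1 records, trimmed to the fields the filter uses.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-06-15 09:12:03.117",
     "ParentImage": "C:\\Users\\dev\\AppData\\Local\\Programs\\cursor\\Cursor.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /d /c setup.cmd",
     "CurrentDirectory": "C:\\Users\\dev\\Downloads\\recruiter-task\\"},   # hit
    {"UtcTime": "2026-06-15 09:14:41.002",
     "ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
     "Image": "C:\\Program Files\\nodejs\\node.exe",
     "CommandLine": "node.exe scripts/build.js",
     "CurrentDirectory": "C:\\src\\internal-app\\"},                        # approved root
    {"UtcTime": "2026-06-15 09:15:10.550",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe",
     "CurrentDirectory": "C:\\Users\\dev\\"},                               # not an editor
    {"UtcTime": "2026-06-15 09:20:07.301",
     "ParentImage": "/Applications/Cursor.app/Contents/MacOS/Cursor",      # assumed path
     "Image": "/bin/sh",
     "CommandLine": "/bin/sh -c ./bootstrap.sh",
     "CurrentDirectory": "/Users/dev/Downloads/take-home"},                 # hit
    {"UtcTime": "2026-06-15 09:22:55.019",
     "ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File build.ps1",
     "CurrentDirectory": "C:\\src\\tools\\"},                               # approved root
]

if __name__ == "__main__":
    for hit in find_editor_spawned_interpreters(SAMPLE_EVENTS, BUILD_ROOTS):
        print(hit)
```

The build-root suppression is a triage aid, not a trust boundary: a repository cloned into an approved root still runs whatever its tasks.json says, so the workspace-trust policy the takeaway calls for remains the actual control, and this filter only surfaces the cases most likely to be a freshly downloaded lure.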

Shared booking-software breach exposes guests at 100+ Dutch, Belgian and Irish hotels; phishing wave already underway

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

More than 100 hotels in the Netherlands plus properties in Belgium and Ireland had guest reservation records (names, contact details, arrival/departure dates) exposed through a shared booking / channel-management / property-management SaaS layer rather than any single hotel's own systems (DutchNews.nl, 2026-06-03 · Techzine EU, 2026-06-03). Hospecs, coordinating the response, attributes the root cause to the upstream provider; the Dutch DPA (Autoriteit Persoonsgegevens) has opened an investigation and GDPR Art. 33/34 clocks are running for each hotel as an independent controller. Criminals are already sending contextually accurate "confirm and pay for your reservation" phishing referencing real upcoming stays. Defender takeaway: a textbook upstream-SaaS supply-chain breach where every downstream customer carries controller liability with zero visibility into the compromise — hunt for anomalous bulk-read API calls against reservation endpoints and treat reservation-context phishing as a known follow-on.
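The bulk-read hunt recommended at the end of the item above, as an added example that is neither the brief's nor the provider's own code: a Python sliding-window detector over constructed access-log lines that counts how many distinct reservation records each API client read inside any five-minute window and flags clients above a threshold. The log line format, the /api/reservations/<id> path, the client identifiers and the threshold are all assumptions.

```python
"""Flag API clients performing bulk reads of reservation records.
Added example over constructed access-log lines; the log format and the
/api/reservations/<id> path are assumptions, not the real provider's."""

import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable

# Assumed line format: "<iso-timestamp> <client-id> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
RESERVATION_RE = re.compile(r"^/api/reservations/(?P<id>\d+)$")


def detect_bulk_reads(lines: Iterable[str], window_seconds: int = 300,
                      threshold: int = 50) -> Dict[str, int]:
    """Return {client: peak distinct reservation ids read within any
    window_seconds-long sliding window} for clients whose peak exceeds threshold."""
    per_client = defaultdict(list)  # client -> [(timestamp, reservation id)]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        r = RESERVATION_RE.match(m["path"])
        # Only successful reads of an individual record count as a record read.
        if not r or m["method"] != "GET" or m["status"] != "200":
            continue
        per_client[m["client"]].append((datetime.fromisoformat(m["ts"]), r["id"]))

    flagged = {}
    for client, reads in per_client.items():
        reads.sort()
        window = deque()              # reads inside the current time window
        in_window = defaultdict(int)  # reservation id -> occurrences in window
        peak = 0
        for ts, rid in reads:
            window.append((ts, rid))
            in_window[rid] += 1
            # Slide the window: drop reads older than window_seconds.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                old_ts, old_id = window.popleft()
                in_window[old_id] -= 1
                if in_window[old_id] == 0:
                    del in_window[old_id]
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[client] = peak
    return flagged


# Constructed sample: one channel-manager key reading a record every three
# minutes (normal), one key reading 120 distinct records in two minutes.
SAMPLE_LOG = (
    [f"2026-06-01T09:{(i * 3) % 60:02d}:00 key-hotel-a GET /api/reservations/{100 + i} 200"
     for i in range(20)]
    + [f"2026-06-01T02:00:{i:02d} key-bulk GET /api/reservations/{5000 + i} 200"
       for i in range(60)]
    + [f"2026-06-01T02:01:{i:02d} key-bulk GET /api/reservations/{5060 + i} 200"
       for i in range(60)]
    + ["2026-06-01T02:00:30 key-bulk GET /api/reservations/9999 404"]  # failed read, ignored
)

if __name__ == "__main__":
    print(detect_bulk_reads(SAMPLE_LOG))  # {'key-bulk': 120}
```

Counting distinct record identifiers rather than raw requests keeps a client that polls the same few reservations from tripping the rule, while an enumeration across the record space does; the threshold should be set from each integration's observed baseline, since a large channel manager legitimately reads more than a single hotel's front desk.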

Dutch Police + NCSC dismantle Asocks residential-proxy botnet (~17 M devices, 200 NL-hosted servers seized)

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

On 2026-05-28 the Cybercrime Team of the Dutch Politie Unit The Hague and the NCSC.nl jointly took down the Asocks residential-proxy infrastructure. Investigators identified and seized 200 control servers physically hosted at a Netherlands-based provider; the operation was triggered by a security-researcher tip routed through NCSC.nl to Politie (NL Times English summary; Risky Business News bulletin). The Asocks network covertly enrolled victim devices — computers, routers, tablets, smartphones, IoT — using malware tied to the PROXYLIB Go-based library and rented bandwidth to criminal customers for spam, phishing, credential-stuffing and DDoS. Reported total: ~17 million enrolled endpoints globally. Residential-proxy services like Asocks are the standard infrastructure layer behind source-IP-anonymised credential stuffing, account takeover and consent-grant phishing against public-facing login portals and VPN concentrators.

Defender takeaway: for a few weeks expect a measurable drop in Asocks-sourced traffic; per the Risky Bulletin write-up, Asocks joins a list of previously-disrupted residential-proxy networks (SocksEscort, Aisuru/Kimwolf, FirstVPN, IPIDEA, RapperBot), and operator migration to whichever survivors absorb the displaced demand will lag the takedown. Re-validate any blocklists keyed on Asocks exit-node ranges and retune residential-IP-burst detections (CGNAT, consumer-ISP RDNS) on M365 / Entra ID / VPN sign-in logs.

Asocks residential-proxy botnet — Dutch Police + NCSC dismantle ~17M-device infrastructure hosted in the Netherlands

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

The Cybercrime Team of the Police Unit The Hague, with the Dutch NCSC, dismantled a large residential-proxy botnet — at least 17 million compromised consumer devices worldwide, run through ~200 servers all physically hosted in the Netherlands (2026-05-29); NL Times and other reporting identify the service as Asocks (the politie.nl primary states the scale and the NL-hosted infrastructure but does not name it). The operationally relevant point is what was hit: residential-proxy services are the anonymisation plumbing that launders credential-stuffing, scraping and fraud traffic to look like ordinary consumer ISP connections, defeating IP-reputation controls. The takedown degrades that capability industry-wide for a period, but — consistent with the W21 takedown pattern — expect infrastructure churn rather than a durable drop; the demand for residential-proxy egress is undiminished.

Netherlands FIOD arrests two over EU sanctions evasion for Stark Industries front; 800 servers seized; NoName057(16) DDoS plumbing dismantled

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

On 2026-05-18 the Dutch Fiscal Information and Investigation Service (FIOD) arrested two suspects — a 57-year-old man from Amsterdam and a 39-year-old man from The Hague, both connected to bulletproof-hosting operators (WorkTitans B.V. and MIRhosting) named in the related corroborating coverage — raiding four locations including data centres in Dronten and Schiphol-Rijk plus the suspects' residences in Enschede and Almere, and seizing 800 servers, laptops, phones and administrative records (FIOD, 2026-05-22 · BleepingComputer, 2026-05-22 · DutchNews.nl, 2026-05-22). The charges are filed under the Dutch Sanctions Act: the two firms are accused of sustaining bulletproof hosting infrastructure for Stark Industries Solutions Ltd, designated by the EU in May 2025 for facilitating Russian and Belarusian destabilisation operations. Recorded Future's Insikt Group had already documented the sanctions-evasion playbook last year — Stark Industries migrated its ASN (AS44477) to AS209847 (WorkTitans) and rebranded the operating brand to THE.Hosting while retaining the same RIPE maintainer objects under Dmitrii Miasnikov, a transparent shell concealing ownership continuity (Recorded Future Insikt Group, 2025-06).

This is one of the first publicly reported criminal enforcement actions in the EU directed at a bulletproof hoster acting as a proxy for a designated Russian entity, and the operational nexus to Switzerland is direct: per De Volkskrant reporting carried by BleepingComputer, Danish authorities have alleged that WorkTitans infrastructure supported NoName057(16) DDoS campaigns against EU and NATO member-state websites — Swiss federal and cantonal public-sector sites included. Defender vantage: the seized intelligence will generate lead packages on the criminal-customer book, but the immediate hunt value is at network level. AS44477 (legacy Stark) and AS209847 (THE.Hosting / WorkTitans) IP space has appeared in blocklist feeds since mid-2024; review ingress rate-limiting and scrubbing SLAs for any remaining traffic from this AS pair and from BGP-adjacent peers, and re-check application-layer rate limits on the citizen-facing portals NoName057(16) historically targeted.

Why it matters to us: Swiss public-sector portals have been a recurring NoName057(16) target; the takedown is a chance to re-baseline scrubbing capacity and re-check AS-level blocklists, not a sign that the threat is over (DDoS-for-hire reorganises quickly).

Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

A coordinated international law enforcement action on 2026-05-19–20 took down First VPN, a Russian-language criminal anonymisation service established in 2014 and systematically marketed on cybercrime forums as a no-log, law-enforcement-resistant tool (Eurojust, 2026-05-21). Europol stated the service "appeared in almost every major cybercrime investigation the agency supported" (BleepingComputer, 2026-05-21). Led by French and Dutch investigators through a Eurojust joint investigation team established in November 2023, the operation seized more than 33 servers distributed across 27 countries (server-host count); 16 nations participated through Europol's Joint Cybercrime Action Taskforce; 7 nations sat on the Eurojust-led JIT, including Switzerland, France, Netherlands, Luxembourg, Romania, Ukraine, and the UK — signalling fedpol/GovCERT.ch operational involvement. Law enforcement arrested the administrator in Ukraine, captured the full user database (over 5,000 accounts) and cryptographic connection records, and generated 83 intelligence packages covering 506 users distributed to partner agencies; Help Net Security reporting confirms the captured data links to the Phobos ransomware-as-a-service operation and broader ransomware, fraud, and data theft investigations (Help Net Security, 2026-05-21). The primary domains (1vpns.com, 1vpns.net, 1vpns.org) and associated .onion mirrors were seized. Historical network flows to those domains in proxy or firewall logs now constitute potential investigative leads flowing through Europol sharing channels; Phobos affiliates have repeatedly targeted EU public-sector and healthcare organisations.

ARWINI (Lower Saxony statutory-prescription audit body) — investigators confirm data exfiltration after 4 May intrusion; Kairos ransomware group claims 2.87 TB; ~70,000 GDPR Art. 9 records in scope

From CTI Daily Brief — 2026-05-19 · published 2026-05-19

Investigators confirmed on 2026-05-18 that the cyberattack on ARWINI — the Arbeitsgemeinschaft Wirtschaftlichkeitsprüfung Niedersachsen e.V., which audits prescription cost-effectiveness for statutory-health-insurance (GKV) patients in Lower Saxony via data exchange with Kassenärztliche Vereinigung Niedersachsen (KVN), AOK and other insurers — resulted in confirmed exfiltration of personal data (Deutsches Ärzteblatt, 2026-05-18; Heise Security, 2026-05-18). Intrusion signs were detected on ARWINI servers on 2026-05-04 and all systems were shut down on the same day; ARWINI's own statement, cited by Borns IT Blog on 2026-05-16, said particularly sensitive personal data (besondere Kategorien — GDPR Art. 9) are likely affected, with health and billing data on ≥70,000 patients in scope (Borns IT Blog, 2026-05-16). The Polizeidirektion Hannover is the investigating authority; the Landesbeauftragter für Datenschutz Niedersachsen (LfD) and BSI have been notified under the GDPR 72-hour rule and the German KRITIS / NIS2UmsuCG framework. Heise reports the Kairos ransomware group has claimed the attack and is threatening to sell approximately 2.87 TB of stolen data on its leak site, with attackers' leak-site claim dated 2026-05-11. The technical pattern is consistent with double-extortion ransomware now in the operator-leak-site phase.

Why it matters to us: GKV bodies and their mandated third-party auditors are NIS2 entities; the supply-chain relationship between KVN/AOK and ARWINI is precisely the data-processor scope hit by NMDL/IGJ in the Netherlands (covered 2026-05-14). Defender pattern: any GKV / AHV / cantonal health-insurance data-exchange counterparty should be inventoried as an in-scope critical-supplier under §8b BSI-Gesetz / NIS2UmsuCG, with breach-notification playbooks rehearsed for the 72-hour GDPR clock from a third party's detection event, not just one's own. Monitor for downstream phishing using GKV billing-data lures targeting affected patient cohorts.

Law-enforcement infrastructure takedowns — Operation Saffron (Switzerland JIT), FIOD/Stark Industries, Kimwolf, INTERPOL Ramz

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

Four coordinated actions in the window degraded threat-actor infrastructure relevant to this audience. Operation Saffron dismantled First VPN — a Russian-language criminal anonymisation service marketed to ransomware operators — seizing 33+ servers with the user database captured; Switzerland was a named Joint Investigation Team participant, and the infrastructure is linked to Phobos RaaS (Eurojust; daily 2026-05-22). The Netherlands FIOD arrested two suspects for EU-sanctions evasion tied to the Stark Industries bulletproof-hosting front and seized ~800 servers, dismantling NoName057(16) DDoS plumbing (FIOD; daily 2026-05-23). The alleged operator of the Kimwolf 30+ Tbps IoT DDoS-for-hire botnet (AISURU variant) was arrested (US DoJ; daily 2026-05-23), and INTERPOL Operation Ramz logged 201 arrests across a 13-country MENA sweep including a PhaaS-server takedown (INTERPOL; daily 2026-05-19). The defender-relevant pattern: the takedowns hit anonymisation/hosting/DDoS plumbing rather than end actors, so expect short-term infrastructure churn (new VPN/hosting fronts, rebuilt botnet C2) rather than a durable drop in activity.

CVE-2026-6973 + CVE-2026-5787 — Ivanti EPMM on-prem pre-auth chain to admin RCE; 508 EU instances internet-exposed; named EU victims include the European Commission

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed EPMM instances globally with 508 in Europe and 182 in North America — i.e. European exposure is materially larger than the rest of the world combined (BleepingComputer, 2026-05-07). Ivanti's disclosure cites "a very limited number of customers" exploited via the May 2026 chain without naming them. EU public-record victims previously confirmed against Ivanti EPMM compromise per Help Net Security's January-2026-wave reporting are: European Commission (DG DIGIT), Dutch DPA / Autoriteit Persoonsgegevens, and Netherlands Council for the Judiciary / Raad voor de rechtspraak. The daily 2026-05-09 separately referenced Finnish Valtori (Government ICT Centre) per an NCSC-FI advisory not consolidated in the Help Net Security source. Whether the May 2026 wave caught additional named victims is not yet publicly disclosed at week-end (Help Net Security — European Commission Ivanti EPMM vulnerabilities, 2026-02-09 · CERT-FR CERTFR-2026-AVI-0552, 2026-05-07 · NCSC-CH 12548, 2026-05-08 · daily 2026-05-09 UPDATE).

The chain combines CVE-2026-5787 (CVSS 9.1, CWE-295) — Ivanti EPMM accepts a crafted Sentry registration request from an unauthenticated network-reachable attacker and issues that attacker a valid CA-signed client certificate with Sentry trust — with CVE-2026-6973 (CVSS 7.2, CWE-20) — a vulnerable admin REST API endpoint accepting attacker-controlled parameters that reach a server-side execution sink as the EPMM service account (Ivanti PSIRT — May 2026 EPMM Security Update · daily 2026-05-08 deep dive — full chain mechanics). The nominal "admin-required" label on CVE-2026-6973 is misleading: the Sentry-trust certificate issued by CVE-2026-5787 satisfies EPMM's administrative authentication gate, making the combined chain fully pre-authentication; the full CWE-295 → CWE-20 chain mechanics are documented in the 2026-05-08 daily deep dive (daily 2026-05-08 deep dive — full chain mechanics · SecurityWeek, 2026-05-08). The May 2026 EPMM update additionally addresses CVE-2026-5786 (CVSS 8.8, remote authenticated → administrative access), CVE-2026-5788 (CVSS 7.0, unauthenticated arbitrary method invocation), and CVE-2026-7821 (high-severity, vendor advisory only) — and supersedes the January 2026 RPM workaround for CVE-2026-1281 / CVE-2026-1340; operators that are still on the January workaround need to apply the proper patch now (SecurityWeek, 2026-05-08).

EPMM is one of the two dominant on-premises MDM platforms in EU public-sector and healthcare environments — both NIS2 Annex-I essential-entity categories — and a compromised EPMM server gives an attacker authorised silent push of policies, configurations, or wipe to every enrolled mobile device. ATT&CK coverage includes T1190 Exploit Public-Facing Application, T1078 Valid Accounts, T1059 Command and Scripting Interpreter, T1584.007 Compromise Infrastructure: Certificate Authorities, and T1072 Remote Device Management. Fixed builds: 12.6.1.1, 12.7.0.1, 12.8.0.1. If patching is not feasible within hours, remove TCP/443 on the EPMM admin interface from internet exposure, place it behind VPN with allowlisted management IPs, and review the EPMM admin console's Sentry-host registration list for unexpected entries — revoke any not on your inventory.

Healthcare (CH, NL)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Two healthcare incidents define the sector picture this week, both with European public-sector concentration. Groupe 3R (Switzerland) — Akira leak-site listing on a Romandie medical-imaging operator running 20 centres across seven cantons; the operator confirmed publicly on 2026-04-30, will not pay ransom, and is operating with legacy examination data still inaccessible at week-end (Groupe 3R victim statement · daily 2026-05-10). ChipSoft (Netherlands) — The 7 April 2026 attack on the Dutch healthcare software vendor — whose HiX platform serves roughly 70% of Dutch hospitals — was first reported with attacker identity unknown (The Record, 2026-04-09); the Embargo ransomware group's claim of responsibility, alongside the 66 Dutch DPA notifications, was reported in the subsequent NL Times follow-up. On 28–29 April ChipSoft stated the exfiltrated data had been destroyed in language Dutch security experts noted strongly implies a ransom was paid (ChipSoft did not confirm) (NL Times, 2026-04-29 · daily 2026-05-07). Both incidents reinforce the same cross-finding pattern: ransomware operators' claims of data destruction are inherently unverifiable; GDPR breach-notification obligations and long-term breach-response posture do not expire when an attacker says they deleted the copy.

Public-sector administration and digital identity (FR, EU, FI, CH)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Public-sector administration concentration is unusually heavy in 2026-W19. France ANTS — Agence Nationale des Titres Sécurisés, the French government central identity registry (biometric passports, national identity cards, driving licences) — confirmed a data-records exposure that Help Net Security reports as "between 12 and 18 million" data records; 15-year-old suspect detained 2026-04-25; charges include unauthorised access, data theft, disruption of a state system, and possession of hacking tools (Help Net Security, 2026-05-04 · daily 2026-05-06 · daily 2026-05-07 UPDATE). Ivanti EPMM named EU victims previously associated with the platform per Help Net Security's January-2026-wave reporting: European Commission (DG DIGIT), Dutch DPA, and Netherlands Council for the Judiciary (Help Net Security explicitly attributes those three to the January 2026 CVE-2026-1281/1340 wave, not the May 2026 chain). The daily 2026-05-09 also referenced Finnish Valtori per an NCSC-FI advisory not in the Help Net Security article. Each named entity ran EPMM in MDM capacity, meaning compromised admin APIs had device-management access to enrolled endpoints of employees with elevated privileges. Whether the May 2026 wave caught additional named victims is not yet publicly disclosed at week-end (Help Net Security, 2026-02-09 · daily 2026-05-09 UPDATE). Europol shadow IT — Correctiv / Solomon / Computer Weekly joint investigation disclosed that Europol operated CFN (since 2012) and "Pressure Cooker" data-processing platforms holding ≥ 2 PB outside standard EU data-protection oversight for over a decade; multiple categorised security deficiencies identified in a 2019 internal assessment including absent audit logs; per Correctiv, 15 of 150 recommendations remained unimplemented at EDPS monitoring closure in February 2026 (Correctiv, 2026-05-05 · Computer Weekly · daily 2026-05-07). Polish water OT intrusions at five small municipal facilities (covered in § 7) round out the public-sector concentration. The cross-cutting theme is that EU public-sector identity, governance, and small-municipal infrastructure are simultaneously under direct attack, governance review, and structural-coverage-gap pressure — and that the institutional response cycle inside EU public-sector entities is now playing out in real time across all three.

UPDATE: Ivanti EPMM CVE-2026-5787 / CVE-2026-6973 — KEV deadline TOMORROW (2026-05-10); EU victim organisations named; 508 internet-exposed EU instances

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

UPDATE (originally covered 2026-05-08):

The CISA KEV deadline for CVE-2026-6973 (Ivanti EPMM admin API RCE, CVSS 7.2) is tomorrow, 2026-05-10. Organisations that have not yet isolated or patched on-premises Ivanti EPMM instances are in immediate compliance breach. CERT-FR CERTFR-2026-AVI-0552 and BSI advisory from 2026-05-07 both require organisations to treat the CVE-2026-5787 → CVE-2026-6973 chain as a single critical exposure requiring immediate action, with 508 EU on-premises instances identified as internet-accessible by NCSC-NL scanning as of 2026-05-07.

Named victims confirmed in public statements or EU supervisory authority filings during the 36-hour window: European Commission (DG DIGIT notified, isolated affected infrastructure); Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (confirmed EPMM instance impacted in the 2026-05-03–07 exploitation wave, investigation ongoing); Netherlands Council for the Judiciary (Raad voor de rechtspraak) (EPMM administrative console was internet-accessible until 2026-05-05; extent of access under assessment); Finnish Valtori (Government ICT Centre, confirmed EPMM compromise affecting shared government IT services, NCSC-FI advisory published). All named organisations used EPMM in MDM capacity, meaning the exposed admin APIs had device management access to enrolled endpoints including mobile devices of employees with elevated privilege.

Credential-chaining risk: Ivanti disclosed a separate cluster of EPMM vulnerabilities in January 2026 (CVE-2026-1281 and CVE-2026-1340, tracked separately) in which admin-account credentials were extracted from compromised instances. Organisations that patched CVE-2026-1281/1340 at the time but did not rotate admin credentials remain at elevated risk that the May 2026 exploitation wave leveraged pre-extracted credential sets to accelerate authentication bypass to direct post-auth RCE.

UPDATE — Instructure/Canvas extortion: 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

(First covered 2026-05-06.) The Instructure/Canvas breach has expanded significantly in scope. The threat actor now claims access affecting 330 institutions across six countries, threatening to publish 16 million student and staff records. SURF (the Dutch National Research and Education Network) has confirmed 44 Dutch institutions among the victims. The attacker posted portal defacements at multiple universities and established a 2026-05-12 extortion deadline for ransom payment. Canvas services were taken offline again on 2026-05-07 for emergency patching. European DPAs in the Netherlands and Germany have opened preliminary inquiries into notification timing. Institutions using Canvas should assess GDPR Article 33/34 breach notification obligations before the May 12 deadline.