Listen to this Post

Introduction:
The June 2026 cyber extortion campaign against pharmaceutical giant Novo Nordisk represents a paradigm shift in cyber warfare, moving beyond traditional ransomware encryption toward the systematic expropriation of core algorithmic intellectual property. When security researcher Andy Jenkinson of WHITETHORN SHIELD privately provided the company with a detailed Security Assessment Report identifying a forgotten Azure-hosted login portal with a mismatched certificate—untouched since 2020 and actively exploitable for credential theft—the response was three weeks of silence, no acknowledgment, and no fix. This incident underscores a critical truth: attackers rarely break in; they simply walk through doors left wide open.
Learning Objectives:
- Understand the technical anatomy of exposed cloud credentials and misconfigured Azure assets that enable initial access
- Master detection and remediation techniques for forgotten subdomains, expired certificates, and hardcoded secrets
- Implement post-breach vulnerability assessment workflows to prevent repeat compromises
You Should Know:
1. The Anatomy of a Cloud Credential Exposure
The FulcrumSec threat actor group, active since September 2025, has claimed approximately 25 victims across 11 countries. Their playbook is remarkably consistent: they enter through exposed credentials, not zero-day exploits. In the Novo Nordisk breach, FulcrumSec claims they entered via two public-facing sandbox and development subdomains that were meant to be private and were likely forgotten: `dev.nnedl.pub.aws.novonordisk.com` and datahub-sand.novonordisk.com. Their JavaScript contained an Azure container registry credential and a GitHub personal access token, which had access to hundreds of private repositories.
Step-by-Step Guide: Detecting Exposed Credentials in Your Environment
Linux/macOS:
Scan for hardcoded secrets in code repositories
git log -p | grep -iE "(password|secret|key|token|credential)" --color=always
Search for Azure credentials in environment files
find . -type f -1ame ".env" -o -1ame ".json" | xargs grep -iE "azure|container|registry|storage"
Check for exposed GitHub tokens in JavaScript files
grep -rE "gh[bash]<em>[A-Za-z0-9</em>]{36,}" --include=".js" --include=".ts"
Windows (PowerShell):
Search for credential patterns in files
Get-ChildItem -Recurse -Include .js,.json,.env | Select-String -Pattern "password|secret|token|credential" -CaseSensitive
Check Azure CLI for cached credentials
az account show --query "{Name:name, ID:id, Tenant:tenantId}" --output table
The key lesson: credentials should never be hardcoded. Use Azure Key Vault or AWS Secrets Manager with managed identities for secure access.
2. Certificate Mismatch Vulnerabilities in Azure
The forgotten Azure-hosted login portal identified by Jenkinson had a mismatched certificate—a classic sign of an asset that has been neglected since 2020. When certificates expire or do not match the hostname, users receive security warnings that many ignore, creating a perfect phishing opportunity. Attackers can exploit this by presenting an arbitrary untrusted certificate, capturing credentials through man-in-the-middle attacks.
Step-by-Step Guide: Auditing Azure Certificate Bindings
- List all App Services and their custom domains:
az webapp list --query "[].{name:name, hostNames:hostNames}" --output table
2. Check TLS/SSL bindings for each web app:
az webapp config ssl list --resource-group <RESOURCE_GROUP> --query "[].{name:name, thumbprint:thumbprint, hostName:hostName}" --output table
3. Verify certificate expiration dates:
az webapp config ssl list --resource-group <RESOURCE_GROUP> --query "[].{name:name, expirationDate:expirationDate}" --output table | grep -v "null"
4. Test certificate validity from an external perspective:
openssl s_client -connect <YOUR_DOMAIN>:443 -servername <YOUR_DOMAIN> 2>/dev/null | openssl x509 -1oout -dates
If the certificate subject does not match the hostname or the certificate has expired, immediate remediation is required. As Microsoft notes, it’s a best practice to provide a custom TLS certificate for applications that rely on certificate pinning, and to add a custom domain to a web app with a valid certificate.
3. The Post-Breach Remediation Failure
Perhaps the most alarming aspect of this incident is that Novo Nordisk had already suffered a confirmed cyber incident on June 11, 2026, yet still failed to act on the vulnerability report. The company disclosed unauthorized access to a limited number of internal IT systems, with attackers copying “certain non-public data, including personal data”. Despite this breach serving as the catalyst for Jenkinson’s research, the company ignored the findings.
Step-by-Step Guide: Post-Breach Vulnerability Assessment
1. Conduct a comprehensive external attack surface discovery:
Using subdomain enumeration tools amass enum -d <yourdomain.com> -o subdomains.txt Check for expired or mismatched certificates httpx -l subdomains.txt -status-code -title -tech-detect -follow-redirects
2. Inventory all cloud assets, including forgotten ones:
List all Azure resources across subscriptions
az resource list --query "[].{name:name, type:type, location:location}" --output table
Identify public-facing endpoints
az network public-ip list --query "[].{name:name, ipAddress:ipAddress, dnsSettings:fqdn}" --output table
3. Implement continuous vulnerability scanning:
Using Nuclei for template-based scanning nuclei -l subdomains.txt -t cves/ -t misconfiguration/ -t exposures/ -severity critical,high
- Establish a remediation SLA: Critical vulnerabilities should be patched within 24-48 hours, especially post-breach.
4. Understanding Responsible Disclosure Timelines
The debate around Jenkinson’s decision to go public after three weeks of silence touches on a sensitive issue in cybersecurity. Industry standards for responsible disclosure typically range from 30-90 days depending on severity. The Coordinated Vulnerability Disclosure (CVD) model requires coordination between the reporter and the service provider before information is publicly released, with 90 days being a common initial target.
However, when a company has already suffered a breach and fails to acknowledge or act on a detailed security assessment, the calculus changes. As Jenkinson noted, “A simple thank you for your email takes seconds, reports like this take hours of research and years of experience to be able to deliver them”. Three weeks of silence following a confirmed breach is not responsible behavior—it is negligence.
Step-by-Step Guide: Establishing a Responsible Disclosure Program
- Create a public security contact: [email protected] with PGP key
- Publish a disclosure policy with clear timelines (30 days for critical, 60 for high, 90 for medium)
- Implement a vulnerability management triage process with SLAs for acknowledgment (24 hours) and initial assessment (72 hours)
- Designate a point of contact for security researchers and maintain communication throughout the remediation process
5. Cloud Hardening Against Credential Theft
The Novo Nordisk breach reportedly happened through exposed GitHub and Azure credentials. A compromised GitHub token combined with an Azure container registry credential enabled lateral movement across the infrastructure. The attackers allegedly used a zero-day vulnerability combined with staged tooling such as MeshCentral and counterfeit Azure binaries.
Step-by-Step Guide: Hardening Cloud Credentials
1. Rotate all credentials immediately after a breach:
Azure: Rotate service principal credentials az ad sp credential reset --id <SERVICE_PRINCIPAL_ID> --display-1ame "NewCredential" GitHub: Regenerate personal access tokens Navigate to GitHub Settings > Developer settings > Personal access tokens > Generate new token
2. Implement conditional access policies in Azure AD:
Require multi-factor authentication for all cloud access
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeMultiFactor":"until-revoked"}}') -DisplayName "RequireMFA" -Type "TokenLifetimePolicy"
- Enable Azure Defender for Cloud to continuously monitor for misconfigurations:
az security assessment-metadata list --query "[].{name:name, displayName:displayName, severity:severity}" --output table
4. Implement secret scanning in GitHub:
Enable push protection for secrets gh api -X PATCH repos/<owner>/<repo>/code-security-and-analysis -f advanced_security=true -f secret_scanning=true -f secret_scanning_push_protection=true
6. The AI Intellectual Property Threat
A second attacker using the alias “Dragonfly” claimed to have stolen AI assets, including a 16.7 GB AI model named NovoPert, 113 training runs, source code, and a proprietary training dataset. The theft of 30 “trained” AI models and nearly half a terabyte of proprietary microscopy data represents a new frontier in corporate espionage. If these proprietary AI models are leaked or sold to competitors, it could erode the company’s multi-billion-dollar competitive moat.
Step-by-Step Guide: Protecting AI Assets
- Encrypt AI models at rest and in transit:
Azure: Enable encryption for ML workspaces az ml workspace update --1ame <WORKSPACE> --resource-group <RG> --enable-data-encryption true
2. Implement role-based access control for model registries:
Restrict access to model artifacts az role assignment create --assignee <PRINCIPAL_ID> --role "Reader" --scope "/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.MachineLearningServices/workspaces/<WORKSPACE>/models"
3. Audit access logs for model downloads:
Query Azure Activity Log for model access az monitor activity-log list --resource-id /subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.MachineLearningServices/workspaces/<WORKSPACE> --query "[?contains(operationName.value, 'Model')]" --output table
What Undercode Say:
- Key Takeaway 1: Cloud credentials are the new perimeter. A single exposed GitHub token or Azure credential can provide attackers with unfettered access to hundreds of repositories and the entire cloud infrastructure. Organizations must treat code security with the same gravity as physical laboratory security.
-
Key Takeaway 2: Post-breach remediation is not optional. When a company has already suffered a breach and then ignores a detailed vulnerability report, it transitions from being a victim to being negligent. Board members and shareholders have a right to ask why known, exploitable vulnerabilities were ignored after a breach had already occurred.
Analysis: The Novo Nordisk incident reveals a systemic failure in how large organizations handle security research and vulnerability disclosure. The company had over two months of dwell time from the initial intrusion in March 2026 until discovery in June. During this period, attackers had ample opportunity for reconnaissance, privilege escalation, and staged data collection. The fact that a forgotten Azure portal with a mismatched certificate—an easily detectable issue—remained unaddressed for years and continued to be exploitable even after a breach is a damning indictment of the organization’s security posture. The pharmaceutical industry must now recognize that their crown jewels—proprietary AI models, drug formulas, and clinical trial data—live on cloud servers, and if those servers are vulnerable, the entire pipeline is at risk.
Prediction:
- -1 The Novo Nordisk incident will trigger a wave of regulatory scrutiny under the EU’s NIS2 Directive and GDPR, potentially resulting in significant financial penalties that could exceed the $25 million ransom demand.
- +1 This high-profile breach will accelerate the adoption of AI-powered attack surface management tools, as organizations realize they cannot manually inventory every cloud asset and certificate across their environments.
- -1 The “steal and squeeze” extortion model demonstrated by FulcrumSec will be adopted by more threat actors, leading to an increase in data extortion attacks that bypass traditional ransomware encryption entirely.
- +1 Security researchers will become more aggressive in public disclosures when companies ignore responsible reports, potentially shortening disclosure timelines from 90 days to 30 days or less for critical vulnerabilities affecting already-breached organizations.
- -1 The pharmaceutical industry will face a “brain drain” as AI and data scientists reconsider working for companies that cannot protect their most valuable intellectual property assets.
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Andy Jenkinson – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


