Canary Trap’s Bi-Weekly Cyber Roundup

Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.

This week’s roundup highlights several developments that underscore the evolving risks across today’s digital landscape. We begin with a technical failure in a Swiss e-voting pilot that left more than 2,000 ballots unreadable after encryption keys stored on USB devices failed. We then examine a wave of high-severity vulnerability patches issued by major vendors, including Fortinet, Ivanti, and Intel. In the regulatory sphere, a European legal opinion suggests banks should reimburse cybercrime victims before resolving liability disputes. We also cover a confirmed data breach at Michelin tied to an attack targeting Oracle E-Business Suite environments, and conclude with research on the KadNap botnet, which has compromised over 14,000 devices to covertly route malicious internet traffic.

  • Swiss E-Voting Pilot Can’t Count 2,048 Ballots After USB Keys Fail to Decrypt Them

A pilot electronic voting program in the Swiss canton of Basel-Stadt has been suspended after a technical failure prevented officials from counting more than 2,000 ballots cast during national referendums on March 8. The pilot was limited in scope, allowing approximately 10,300 residents living abroad and 30 voters with disabilities to participate electronically.

Although the system successfully received 2,048 votes, election officials were unable to decrypt them using the hardware provided. According to canton representatives, multiple USB devices containing the required access codes were tested, but none succeeded in unlocking the ballots despite assistance from IT specialists. As a result, the votes could not be included in the official tally.

The affected ballots represented less than four percent of votes cast in Basel-Stadt and would not have altered the referendum outcomes. Nevertheless, authorities acknowledged that the incident compromised the political rights of those voters and have postponed the final certification of results until March 21. The canton has also suspended the e-voting trial until at least the end of the year while an independent technical review is conducted. In parallel, the public prosecutor’s office has opened a criminal investigation to determine whether any wrongdoing occurred.

Switzerland has been cautiously testing electronic voting in four of its 26 cantons, primarily to facilitate participation by citizens living abroad who often face delays with postal ballots. The country has previously struggled with e-voting initiatives; a nationwide system was halted in 2019 after researchers uncovered security vulnerabilities in its software.

Officials emphasized that the issue appears isolated to Basel-Stadt, noting that e-voting pilots in the cantons of Thurgau, Graubünden, and St. Gallen, as well as the Swiss Post platform used nationally, were not affected.

  • Fortinet, Ivanti, Intel Patch High-Severity Vulnerabilities

Several major technology vendors, including Fortinet, Ivanti, and Intel, have released security updates addressing dozens of vulnerabilities that could potentially enable arbitrary code execution, privilege escalation, or the bypassing of security protections.

Fortinet disclosed patches for 22 vulnerabilities affecting multiple products, including FortiWeb, FortiSwitchAXFixed, FortiManager, and FortiClientLinux. Some of the most serious issues could allow remote, unauthenticated attackers to bypass authentication rate limits or execute unauthorized commands on affected systems. Another vulnerability in FortiClientLinux, related to improper handling of symbolic links, could allow a local attacker to escalate privileges to root. The company also resolved several medium- and low-severity flaws that could lead to issues such as data manipulation, information disclosure, denial-of-service conditions, arbitrary command execution, or social engineering risks. Fortinet stated that it has no evidence that any of these vulnerabilities are currently being exploited.

Ivanti also issued a security fix for a high-severity vulnerability affecting versions of its Desktop and Server Management (DSM) software prior to version 2026.1.1. If exploited, the flaw could allow an attacker to elevate privileges within affected environments. At the time of disclosure, Ivanti reported no signs of active exploitation.

Meanwhile, Intel released an advisory addressing nine vulnerabilities in the UEFI firmware used on certain Intel reference platforms. Five of these were rated high severity and could allow local attackers to execute code, escalate privileges, or access sensitive information. Firmware updates have been made available for more than 45 affected processor models, and Intel similarly reported no known exploitation of these issues in the wild.

  • EU Legal Eagle Says Banks Should Refund Cybercrime Victims First, Argue Later

A senior legal advisor to the European Union has proposed a significant shift in how banks handle reimbursements for victims of online financial fraud. In a recent legal opinion, Advocate General Athanasios Rantos recommended a reinterpretation of the Second Payment Services Directive (PSD2) that would require banks to reimburse fraud victims immediately, rather than delaying repayment while determining whether the customer acted negligently.

Under the current framework, banks typically investigate fraud claims before deciding whether to compensate victims. During this process, institutions often invoke the concept of “gross negligence”, for example, when a customer unknowingly shares login credentials or one-time passcodes with scammers, to justify refusing or delaying reimbursement. As a result, victims can be left facing significant financial hardship while disputes are resolved.

Rantos’s proposal would reverse this dynamic. Banks would be required to refund customers promptly after an unauthorized transaction is reported, even if negligence is suspected. Financial institutions could later attempt to recover the funds if an investigation proves that the customer’s actions contributed to the fraud. Supporters argue that this approach would provide victims with immediate financial protection while still allowing banks to pursue negligence claims afterward.

The recommendation comes as the EU prepares broader reforms through the proposed Third Payment Services Directive (PSD3) and the accompanying Payment Services Regulation (PSR). These measures aim to strengthen fraud prevention by improving Strong Customer Authentication (SCA) requirements and increasing data sharing between merchants and payment providers to better verify transactions.

Because PSD3 and PSR could take years to move through the legislative process, Rantos has suggested accelerating consumer protections by reinterpreting PSD2 in the interim. If adopted by the court, the change would shift more immediate financial risk to banks and place greater pressure on them to detect account compromise and fraudulent activity before payments are processed.

  • Michelin Confirms Data Breach Linked to Oracle EBS Attack

French tire manufacturer Michelin has confirmed that it was affected by a large-scale cybercrime campaign targeting organizations using Oracle E-Business Suite (EBS). The attack has been publicly attributed to the Cl0p ransomware group, which has claimed responsibility for exploiting previously unknown vulnerabilities in Oracle’s enterprise management platform to access corporate data.

Although Cl0p has acted as the public face of the campaign, cybersecurity researchers believe the operation is likely linked to a broader threat actor cluster, particularly FIN11, which has historically been associated with large-scale data-theft and extortion operations.

The campaign reportedly targeted more than 100 organizations, several of which have appeared on Cl0p’s leak site. Michelin confirmed it was among the affected companies, stating that attackers exploited a zero-day vulnerability in its Oracle EBS environment. According to the company, internal teams quickly investigated the incident and implemented remediation measures, and the issue has since been resolved.

Michelin acknowledged that some files were accessed during the breach but indicated that the exposure was limited to a small volume of localized data and did not involve sensitive information or technical systems. The company also emphasized that the incident did not involve ransomware deployment and did not disrupt its global operations.

Despite those assurances, cybercriminals have published more than 315GB of data they claim was stolen from Michelin. While the contents have not been fully verified, preliminary analysis of file structures suggests that at least some of the data appears to originate from an Oracle EBS environment.

Michelin is not the only organization to confirm involvement in the campaign. Entertainment company Madison Square Garden Entertainment has also acknowledged being targeted, following the earlier release of more than 210GB of allegedly stolen files linked to the same operation.

  • KadNap Bot Compromises 14,000+ Devices to Route Malicious Traffic

Security researchers have identified a large-scale malware campaign known as KadNap that has compromised more than 14,000 edge devices, primarily ASUS routers, converting them into a covert proxy botnet used to relay malicious internet traffic. First observed in August 2025, the campaign disproportionately affects the United States, which accounts for more than 60% of infections, though victims have also been identified in Taiwan, Hong Kong, the United Kingdom, Brazil, France, Italy, and Spain.

KadNap operates by installing a malicious ELF binary on infected routers, targeting both ARM and MIPS architectures. Once active, the malware suppresses visible activity by redirecting its input and output streams to `/dev/null`, then collects system information such as the device’s external IP address and synchronizes time through public network time protocol (NTP) servers. These details are used to generate identifiers that allow the infected device to join a peer-to-peer network.

Unlike traditional botnets that rely on centralized command-and-control servers, KadNap uses a modified version of the Kademlia distributed hash table (DHT) protocol to obscure its infrastructure. Through this peer-to-peer model, infected devices can locate command servers without directly revealing their addresses, complicating detection and blocking efforts. However, analysis indicates the implementation is not fully decentralized; infected devices consistently connect through two intermediary nodes before reaching command servers, suggesting attackers maintain persistent infrastructure to retain control.

Once connected, the malware exchanges encrypted communications with peers and retrieves additional payloads that can modify firewall rules, open new communication channels, or execute further malicious scripts.

Traffic routed through compromised devices is believed to be monetized through a proxy service known as Doppelganger, likely associated with infrastructure previously linked to TheMoon malware. This network enables threat actors to mask their activity while conducting operations such as brute-force attacks or targeted exploitation, leaving organizations exposed to persistent and difficult-to-trace threats.
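One observable the researchers describe above, the implant pointing its standard input and output streams at `/dev/null`, is something a defender can look for on a Linux host or an embedded device that exposes `/proc`. The script below is an added example written for this roundup; it is not code from Canary Trap, from the KadNap researchers, or from any vendor. It reads the `/proc/<pid>/fd/0`, `/fd/1` and `/fd/2` symlinks, flags processes whose three standard descriptors all resolve to `/dev/null`, and reports the executable behind each. The `allowlist` parameter and the fake `/proc` tree built for the demo are constructed for illustration. The heuristic is deliberately noisy (many legitimate daemons silence their streams the same way), so hits are triage leads to be compared against the device's expected process list, not verdicts.

```python
"""Flag processes whose stdin/stdout/stderr are all attached to /dev/null.

Added example, not code from the roundup or the KadNap researchers. On Linux
the kernel exposes each process's open descriptors as symlinks under
/proc/<pid>/fd/<n>, so the check needs no extra tooling.
"""
import os
import tempfile
from dataclasses import dataclass, field

STD_FDS = (0, 1, 2)
NULL_DEVICE = "/dev/null"


@dataclass
class Finding:
    pid: int
    exe: str
    fd_targets: dict = field(default_factory=dict)


def read_fd_targets(proc_root: str, pid: int) -> dict:
    """Return {fd: link target} for descriptors 0-2; missing or unreadable fds are omitted."""
    targets = {}
    for fd in STD_FDS:
        link = os.path.join(proc_root, str(pid), "fd", str(fd))
        try:
            targets[fd] = os.readlink(link)
        except OSError:
            continue  # process exited, descriptor closed, or no permission
    return targets


def std_streams_silenced(fd_targets: dict) -> bool:
    """True only when stdin, stdout and stderr are all attached to /dev/null."""
    return all(fd_targets.get(fd) == NULL_DEVICE for fd in STD_FDS)


def read_exe(proc_root: str, pid: int) -> str:
    """Resolve /proc/<pid>/exe; '?' when the kernel refuses or the process is gone."""
    try:
        return os.readlink(os.path.join(proc_root, str(pid), "exe"))
    except OSError:
        return "?"


def scan(proc_root: str = "/proc", allowlist=()) -> list:
    """Walk numeric entries under proc_root and report silenced processes.

    allowlist (hypothetical operator input) holds executable paths already
    reviewed as legitimate, so repeated runs only surface new binaries.
    """
    findings = []
    if not os.path.isdir(proc_root):
        return findings  # no procfs here (non-Linux host); nothing to inspect
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip /proc/self, /proc/sys and friends
        pid = int(entry)
        targets = read_fd_targets(proc_root, pid)
        if not std_streams_silenced(targets):
            continue
        exe = read_exe(proc_root, pid)
        if exe in allowlist:
            continue
        findings.append(Finding(pid, exe, targets))
    return findings


def build_fake_proc(root: str) -> None:
    """Constructed sample tree: pid 101 fully silenced, 202 on a pty, 303 only stdout nulled."""
    layouts = {
        101: {0: NULL_DEVICE, 1: NULL_DEVICE, 2: NULL_DEVICE, "exe": "/tmp/.hidden/sample_implant"},
        202: {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0", "exe": "/bin/sh"},
        303: {0: "/dev/pts/1", 1: NULL_DEVICE, 2: "/dev/pts/1", "exe": "/usr/bin/top"},
    }
    for pid, layout in layouts.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        for fd in STD_FDS:
            os.symlink(layout[fd], os.path.join(fd_dir, str(fd)))
        os.symlink(layout["exe"], os.path.join(root, str(pid), "exe"))
    os.makedirs(os.path.join(root, "self"))  # non-numeric entry that must be skipped


def demo() -> list:
    """Run the scanner over the constructed tree and return the flagged pids."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        return sorted(f.pid for f in scan(root))


if __name__ == "__main__":
    print("constructed tree flags pids:", demo())  # expected [101]
    for f in scan("/proc"):  # live host; empty on systems without procfs
        print(f"pid={f.pid} exe={f.exe} fds={f.fd_targets}")
```

On a real fleet this check belongs alongside, not instead of, a comparison of `exe` against the firmware's known binary set and a look at whether the flagged process holds sockets on unexpected ports; a silenced process whose executable lives in a writable directory such as `/tmp` is the pattern worth escalating.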

References:

https://www.theregister.com/2026/03/11/swiss_evote_usb_snafu/

https://www.securityweek.com/fortinet-ivanti-intel-patch-high-severity-vulnerabilities/

https://www.theregister.com/2026/03/11/eu_psd2_compensation/

https://www.securityweek.com/michelin-confirms-data-breach-linked-to-oracle-ebs-attack/

https://securityaffairs.com/189251/malware/kadnap-bot-compromises-14000-devices-to-route-malicious-traffic.html