
Canary Trap’s Bi-Weekly Cyber Roundup

Welcome to Canary Trap’s “Bi-Weekly Cyber Roundup”. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.

In this week’s roundup, we will explore several pressing cybersecurity developments, from Medusa ransomware attacks that could have significant financial repercussions, to the increasing cybercriminal activity surrounding major events like March Madness. We’ll also discuss the potential risks posed by 23andMe’s bankruptcy filing, a lengthy breach by Chinese hackers in an Asian telecom, and the looming end-of-life for Windows 10, which leaves SMBs vulnerable. Additionally, we’ll examine the evolving landscape of ransomware, with a particular focus on critical infrastructure as a prime target.

  • Cybersecurity Officials Warn Against Potentially Costly Medusa Ransomware Attacks

The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning about the growing threat posed by Medusa ransomware, a ransomware-as-a-service (RaaS) operation that has been active since 2021. In a recent advisory, officials highlighted that Medusa has impacted hundreds of victims, primarily leveraging phishing campaigns to steal credentials and gain unauthorized access to systems. 

To mitigate the risk of infection, CISA advises organizations to keep operating systems, software, and firmware updated with the latest security patches. Additionally, implementing multifactor authentication (MFA) for critical services such as email and VPNs is strongly recommended. Security experts also emphasize the importance of using strong, complex passwords while cautioning against frequent, mandatory password changes, as they may inadvertently reduce security. 

Medusa operates using a double extortion model in which attackers encrypt a victim’s data and threaten to publish stolen information unless a ransom is paid. The group maintains a dedicated data-leak website where victims are publicly listed alongside countdown timers leading to the release of their data. Ransom demands are displayed on the site, with direct links to cryptocurrency wallets controlled by Medusa affiliates. Attackers also offer victims an option to delay data exposure by paying $10,000 in cryptocurrency for each additional day. 

Since February, Medusa operators have targeted over 300 organizations across multiple industries, including healthcare, education, legal services, insurance, technology, and manufacturing. Given the scope and persistence of these attacks, cybersecurity officials urge organizations to implement robust security measures and remain vigilant against evolving ransomware threats.

  • March Madness Meets Cyber Mayhem: How Cybercriminals Are Playing Offense This Season

As March Madness captivates fans nationwide, cybercriminals are seizing the opportunity to exploit the excitement surrounding the tournament. From phishing scams and fraudulent betting apps to credential theft schemes, attackers are leveraging the increased online activity to deceive unsuspecting users. With the rise of digital sports betting, this annual event has become a prime target for cyber threats.

The expansion of sports gambling beyond traditional office pools has created new attack vectors for credential harvesting and financial fraud. Threat actors are disguising their scams as tournament brackets, betting promotions, and registration forms, luring users into providing login credentials or linking bank accounts to fraudulent platforms. A single click on what appears to be an innocent bracket challenge or promotional offer can result in financial compromise before the tournament even begins. Social engineering tactics play a key role, as attackers manipulate urgency and the allure of easy winnings to encourage victims to act without scrutiny.

With fans frequently checking scores, streaming games, and logging into betting apps, mobile platforms have become a primary focus for cybercriminals. Fake betting apps, phishing login pages, and malicious streaming links can bypass traditional security defenses. Organizations should adopt a mobile-first security strategy, ensuring real-time threat detection to mitigate risk. Enterprises should implement continuous mobile security monitoring to protect both corporate and personal devices from evolving cyber threats.

March Madness-themed phishing campaigns exploit psychological triggers such as urgency, greed, and familiarity. While most users recognize common scams, they may be less cautious when faced with an enticing sportsbook promotion or a bracket invitation from a seemingly trusted source. Enhanced phishing awareness training and proactive security policies can prevent users from falling victim to these deceptive tactics. Organizations must reinforce cybersecurity best practices to ensure employees remain vigilant. Additionally, sticking to reputable sources when purchasing tickets, engaging in sports betting, or accessing tournament-related content is key. Installing applications from advertising links should be avoided at all times and users must separate personal and work-related online activities to stay secure and protect their organization.

While sportsbooks have security measures in place to prevent unauthorized withdrawals, fraudsters can still inflict financial damage by placing fraudulent bets using compromised accounts. Users should be cautious of unsolicited offers and enable multi-factor authentication (MFA) to add an extra layer of protection. Cybercriminals may be aggressive during March Madness, but with a strong security strategy, fans can ensure they stay ahead of the game.

  • 23andMe Bankruptcy Filing May Put Sensitive Data at Risk

Genetic testing company 23andMe has filed for bankruptcy, raising serious concerns among security professionals about the fate of its highly sensitive genetic data. The company initiated voluntary Chapter 11 proceedings in the U.S. Bankruptcy Court for the Eastern District of Missouri, aiming to facilitate a sale process that maximizes business value while continuing operations.

As part of its restructuring, 23andMe intends to sell most of its assets but has assured customers that its approach to data security and privacy will remain unchanged. The company also emphasized its commitment to finding a buyer who shares its dedication to protecting genetic information. Customers retain access to their data and can opt to delete it or modify their research consent preferences.

Despite these assurances, security experts and regulators remain deeply concerned about potential data misuse. Genetic information is particularly valuable due to its immutable and highly personal nature, making it an attractive target for cybercriminals and malicious actors. The fear is that, during bankruptcy proceedings, sensitive data could be sold to repay creditors or acquired by entities with questionable intentions.

Last year, 23andMe suffered a data breach due to a credential-stuffing attack, further damaging trust in its ability to safeguard user information. Regulatory bodies, including the California Attorney General’s office, the UK’s Information Commissioner’s Office, and Canada’s Privacy Commissioner, have issued warnings to customers, with some advising them to delete their data as a precaution.

Security experts highlight the potential dangers if this data falls into the wrong hands. Cybercriminals could exploit it for identity theft, extortion, genetic discrimination, or highly targeted social engineering attacks. There is also concern that health insurers, data brokers, or third-party claims processors might use the data to refine algorithms, assess risk factors, or influence coverage eligibility in ways that disadvantage individuals.

Experts recommend that customers take immediate action to protect their genetic data. This includes reviewing their consent settings for research studies and initiating data deletion if they no longer wish to store their information with 23andMe. Additionally, customers should familiarize themselves with the company’s privacy policy to fully understand data retention practices.

  • Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years

A major telecommunications company in Asia was reportedly compromised by a Chinese state-sponsored hacking group, which maintained persistent access to the organization’s systems for over four years, according to an investigation by incident response firm Sygnia. The firm has identified the group as “Weaver Ant,” describing them as a stealthy and highly persistent threat actor. The name of the telecom provider affected has not been disclosed.

Sygnia’s report details that the attackers exploited a public-facing application to deploy two types of web shells, an encrypted variant of the well-known China Chopper and a previously undocumented tool referred to as INMemory. The latter is designed to decode and execute code entirely in memory, without writing anything to disk, thereby avoiding detection. China Chopper has been used by several Chinese hacking groups in the past.

The attack chain involved the use of web shells and tunneling techniques to maintain persistence and facilitate cyber espionage, which included gathering sensitive information from the telecom provider. The attackers deployed a recursive HTTP tunnel tool, which enabled lateral movement within the compromised network, leveraging SMB protocols—a method also seen in other attacks such as those attributed to Elephant Beetle.

Additionally, the encrypted traffic passing through the web shell tunnel enabled a range of post-exploitation activities, including bypassing security mechanisms such as Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI). The attackers also used PowerShell scripts executed without invoking PowerShell.exe and conducted reconnaissance within the compromised Active Directory environment to locate high-privilege accounts and critical servers.

Chinese cybersecurity firms QiAnXin and Antiy have also reported on spear-phishing attacks attributed to a threat actor known as APT-Q-20, which uses open-source tools like AntSword, IceScorpion, Metasploit, and Quasar RAT to infiltrate systems. Other methods used in the attacks include exploiting known security vulnerabilities and weak passwords in IoT devices, such as routers and cameras. Despite the use of these tools, the Chinese firms characterized the group’s tactics as somewhat rudimentary.

These developments highlight the ongoing complexity of cyber crimes and the evolving tactics employed by attackers across the globe.

  • Windows 10 End-of-Life Puts SMB at Risk

As the October deadline approaches for the retirement of Windows 10, IT and security teams must act swiftly to either prepare for or execute migration plans to the newer operating system. While hardware upgrade costs often dominate discussions, organizations must also consider the hidden risks, such as legacy systems running custom software and misconfigurations following migration, that can introduce unexpected vulnerabilities into their infrastructure.

A Forrester senior analyst emphasizes the importance of asset management, stating that it has evolved from a “nice-to-have” to a critical necessity for both IT and SecOps teams. He stresses that visibility into the systems within the organization is crucial to control the flow of enterprise data. Asset management systems can identify Windows 10 devices, whether corporate or user-owned, and provide administrators with the tools to manage and protect them. Without this visibility, organizations may unknowingly run unprotected Windows 10 systems on critical devices, potentially introducing vulnerabilities.
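One way to get that visibility, as an added example that is not part of the article: a PowerShell query against Active Directory that lists every Windows 10 computer object and flags disabled or stale ones so the migration tracker starts from real inventory rather than guesses. It assumes the RSAT ActiveDirectory module is installed and the session has read access to the domain; the 30-day staleness threshold is an assumption to tune.

```powershell
# Added example (not from the article): inventory Windows 10 machines in Active
# Directory ahead of the October end-of-life date. Assumes the RSAT ActiveDirectory
# module and a domain-joined session with read access to computer objects.
Import-Module ActiveDirectory

# Machines that have not logged on in 30 days are treated as stale (assumed threshold).
$cutoff = (Get-Date).AddDays(-30)

# OperatingSystem is a free-text attribute; Windows 10 builds report "Windows 10 ...".
$win10 = Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, Enabled

$report = foreach ($c in $win10) {
    # LastLogonDate is null for objects that never logged on; treat those as stale too.
    $status = if (-not $c.Enabled) { 'Disabled' }
              elseif (-not $c.LastLogonDate -or $c.LastLogonDate -lt $cutoff) { 'Stale' }
              else { 'Active' }

    [pscustomobject]@{
        Name      = $c.Name
        OS        = $c.OperatingSystem
        OSVersion = $c.OperatingSystemVersion   # build number, e.g. 10.0 (19045)
        LastLogon = $c.LastLogonDate
        Enabled   = $c.Enabled
        Status    = $status
    }
}

# Count per status for the migration tracker, then a CSV the asset-management
# or vulnerability-management tool can ingest.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Sort-Object LastLogon | Export-Csv -Path .\win10-inventory.csv -NoTypeInformation
```

Active entries are the migration or isolation backlog; stale and disabled entries are candidates for decommissioning, since an unattended Windows 10 object that later comes back online is exactly the unprotected device the analyst warns about.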

Effective migration goes beyond simply upgrading the operating system; proper system configuration is equally important. As organizations work to transition to Windows 11-compliant hardware, existing Windows 10 systems could end up misconfigured if the hardware is not carefully managed. The days of applying a “golden image” configuration across all systems are gone, as even identical hardware models may contain variations in components. Instead, it is more effective to use policies that are independent of hardware configurations to ensure consistency and minimize errors.

While asset management software is the preferred method for mapping an organization’s infrastructure, many organizations still rely on vulnerability management tools to handle asset identification, patching, and configuration. Bryan Marlatt, Chief Regional Officer at CyXcel, highlights that while vulnerability management products can detect network-connected and IoT devices, they may still miss certain systems, particularly those in the cloud or on-premises that require special handling.

It is crucial to isolate Windows 10 systems, particularly in environments where remote workers may be using personal, unprotected devices. These systems should be restricted to using only web-based software-as-a-service applications to limit exposure to risks. He recommends limiting connections to Windows 10 systems and controlling what they can access, especially when dealing with operational technology systems.

For small- and medium-sized businesses struggling to meet the costs of upgrading to Windows 11, there are preventive measures they can take to mitigate the risks posed by legacy Windows 10 systems. These include purchasing extended support from Microsoft, deploying endpoint detection and response (EDR) software, isolating Windows 10 systems on network segments that don’t have direct internet access, and tightening corporate governance to ensure compliance with security standards.

Reducing internet exposure for legacy systems and tightening security controls to limit where these systems can connect externally is another important step. Increasing browser security and utilizing Safe Browsing features can help mitigate the risks associated with these outdated systems. Additionally, improving telemetry sent to security operations centers (SOCs) will help detect and respond to any exploit attempts on high-risk endpoints.

Finally, organizations must consider the implications of running legacy systems on their cyber insurance coverage. As cyber insurance policies are up for renewal, it is essential to have a clear plan for managing unsupported products. Insurers are increasingly scrutinizing how enterprises handle legacy systems to assess the risks and potential liabilities associated with running outdated software. Failure to address these risks could affect premiums or even invalidate coverage.

  • Ransomware Shifts Tactics as Payouts Drop: Critical Infrastructure in the Crosshairs

A recent analysis of cybersecurity trends in the latter half of 2024 reveals that attackers are adapting their tactics rather than abandoning them. Researchers from Ontinue identify four key evolving trends: malware distribution through browser extensions and malvertising, more sophisticated phishing and vishing techniques, growing attacks on IoT and OT devices, and the continued evolution of ransomware.

Ransomware attacks are particularly noteworthy. Despite a drop in ransom payments—from $1.25 billion in 2023 to $813.5 million in 2024—the number of reported breaches has increased. This suggests that ransomware groups are ramping up attacks to compensate for lower success rates. Experts believe this shift may push attackers toward higher-stakes targets like supply chain attacks or critical infrastructure. While some organizations are opting not to pay, the potential consequences of ransomware attacks—especially in sectors like critical infrastructure—make paying a difficult choice for many.

Alongside these changes in ransomware tactics, attackers are refining their use of malware delivery methods. Browser extensions, for example, are increasingly exploited to distribute information-stealing malware. These extensions can persist even after a system is reimaged, as users may unknowingly restore infected profiles during recovery.

Phishing and vishing campaigns are also evolving. Phishing attacks are becoming more sophisticated, utilizing legitimate websites and obscure domain variations to evade detection. Meanwhile, vishing—voice phishing—has skyrocketed, with cybercriminals leveraging AI-driven voice cloning to create realistic deepfakes that impersonate trusted individuals, making it harder for victims to identify fraudulent calls. Experts emphasize the importance of user vigilance in countering these threats, recommending that individuals always verify the identity of callers.

Additionally, attacks on IoT and OT devices are increasing, primarily due to their weaker security and their critical role in infrastructure systems. Many IoT devices have insufficient protections, making them vulnerable to exploits like remote code execution and privilege escalation. The growing convergence of IoT with corporate networks—due to increased remote work—amplifies the risk. Similarly, OT devices, often lacking robust security measures, remain targets for both cybercriminals and nation-state actors, with notable concerns regarding water systems in the U.S., which have been manipulated in past attacks.

Overall, the report illustrates how cyber threats are not diminishing but evolving, with attackers continuously refining their methods to maximize impact. While the specific threats remain largely unchanged, the tactics used to exploit them are increasingly sophisticated.


References:

https://abcnews.go.com/Technology/wireStory/cybersecurity-officials-warn-potentially-costly-medusa-ransomware-attacks-119834727

https://www.secureworld.io/industry-news/march-madness-cyber-mayhem

https://www.darkreading.com/cyber-risk/23andme-bankruptcy-filing-sensitive-data-at-risk

https://thehackernews.com/2025/03/chinese-hackers-breach-asian-telecom.html

https://www.darkreading.com/endpoint-security/windows-10-end-of-life-puts-smb-at-risk

https://www.securityweek.com/ransomware-shifts-tactics-as-payouts-drop-critical-infrastructure-in-the-crosshairs/
