Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to the latest edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up to date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.
This week’s cybersecurity roundup highlights a series of high-impact incidents spanning data breaches, nation-state concerns, and evolving attack techniques. We cover the Navia breach affecting HackerOne employee data, new FCC restrictions on foreign-made routers, and a large-scale device code phishing campaign targeting Microsoft 365 environments. We also examine a critical TP-Link router vulnerability and review claims from Lapsus$ regarding a potential breach of AstraZeneca.
- Recent Navia Data Breach Impacts HackerOne Employee Data
A data breach at U.S.-based benefits provider Navia Benefit Solutions has exposed the personal information of nearly 300 employees of HackerOne, underscoring the ongoing risks associated with third-party service providers. The incident is part of a broader compromise affecting approximately 2.7 million individuals whose data was managed by Navia.
According to Navia, unauthorized access to its systems occurred between December 22, 2025, and January 15, 2026, with suspicious activity detected on January 23. The breach has been attributed to a likely Broken Object Level Authorization (BOLA) vulnerability, which allowed attackers to access sensitive records. Exposed data may include names, dates of birth, Social Security numbers, contact details, and information related to employee benefit programs such as FSAs, HRAs, and COBRA enrollment. While Navia stated that no financial or claims data was compromised, the nature of the exposed information presents a heightened risk for phishing and social engineering attacks.
HackerOne confirmed that 287 of its employees were impacted. However, the company raised concerns about delayed notification, noting that although Navia issued breach notices dated February 20, they were not received until March. This lag has drawn attention to gaps in incident communication and transparency, particularly critical when downstream organizations must respond quickly to protect affected individuals.
In response, HackerOne has initiated its own investigation and is working with Navia to better understand the root cause and scope of the breach. The company is also reassessing Navia’s security posture and evaluating whether to continue the relationship, signaling a broader need for stricter vendor risk management practices.
Navia has reported the incident to federal law enforcement, enhanced its internal security controls, and is offering 12 months of identity protection and credit monitoring services to those affected. While the company stated there is currently no evidence of misuse of the stolen data, such assurances are often preliminary and do not eliminate future risk.
This incident highlights a persistent challenge in cybersecurity: even organizations with mature security programs remain exposed through third-party dependencies. It reinforces the importance of continuous monitoring, vendor due diligence, and timely breach disclosure to mitigate downstream impact.
- FCC Bans New Routers Made Outside the U.S. Over National Security Risks
The U.S. Federal Communications Commission (FCC) has expanded its “Covered List” to include all foreign-manufactured consumer-grade routers, effectively prohibiting the authorization and future import of such devices into the United States. The move follows an Executive Branch determination that routers produced outside the U.S. present significant national security and cybersecurity risks.
At the core of this decision is concern over supply chain integrity. The assessment highlights that the overwhelming reliance on foreign-made routers in American homes introduces systemic vulnerabilities, including the potential for embedded backdoors, unauthorized access, and large-scale surveillance. Compromised devices could enable threat actors to conduct data exfiltration, launch botnet attacks, or gain footholds in sensitive networks, including those tied to government and critical infrastructure.
The report also references activity from state-sponsored threat groups such as Flax Typhoon, Volt Typhoon, and Salt Typhoon, which have previously targeted U.S. sectors including energy, communications, transportation, and water systems. These campaigns underscore the strategic risk posed by insecure networking hardware at scale.
Importantly, the FCC’s action is forward-looking. Devices already approved and currently in use are not affected. However, any new foreign-made consumer routers will no longer be eligible for FCC authorization, effectively barring their legal sale and import moving forward.
There is a limited pathway for exceptions. Specific router models may still receive approval if vetted and cleared by agencies such as the Department of Homeland Security (DHS) or the Department of Defense, provided they meet stringent security requirements and are deemed not to pose unacceptable risks.
Overall, the decision reflects a broader shift toward securing technology supply chains and reducing dependency on potentially untrusted foreign hardware, particularly in areas that underpin national infrastructure and digital resilience.
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
Cybersecurity researchers have identified a large-scale device code phishing campaign targeting Microsoft 365 accounts across more than 340 organizations in the United States, Canada, Australia, New Zealand, and Germany. First observed on February 19, 2026, the activity has rapidly intensified, reflecting both the scalability and effectiveness of the technique.
At the core of the campaign is the abuse of Microsoft’s OAuth device authorization flow. Unlike traditional credential phishing, this method tricks users into entering a legitimate device code on Microsoft’s official authentication page. Once the victim completes the login process, including multi-factor authentication, the attacker gains access and refresh tokens tied to the session. Critically, these tokens can remain valid even after a password reset, allowing persistent access to compromised accounts.
Attackers are leveraging Cloudflare Workers to host intermediary phishing infrastructure and redirect victims through multiple layers of legitimate services, including Cisco, Trend Micro, and Mimecast redirect links, to evade detection. Ultimately, captured sessions are funneled to attacker-controlled infrastructure hosted on Railway, a platform-as-a-service provider, effectively turning that platform into a credential harvesting backend.
Victims are lured through a variety of pretexts, including construction bids, DocuSign-themed messages, voicemail alerts, and Microsoft Forms pages. Notably, instead of requiring users to manually enter a code provided in an email, some phishing pages dynamically generate and display the device code directly, streamlining the attack flow and increasing the likelihood of success.
The campaign has impacted a broad range of sectors, including construction, financial services, healthcare, government, and legal organizations, suggesting opportunistic targeting rather than a focus on a specific industry. A significant portion of the malicious activity has been traced to a small cluster of Railway-hosted IP addresses, which account for the majority of observed authentication events.
Researchers have linked this activity to a phishing-as-a-service (PhaaS) platform known as EvilTokens, which recently emerged on Telegram. The platform offers tooling to automate phishing campaigns, generate redirect links, and bypass spam filters, alongside operational support for affiliates, highlighting the continued commoditization of advanced attack techniques.
This campaign aligns with a broader trend observed since early 2025, where threat actors, including several Russia-aligned groups, have increasingly adopted device code phishing due to its ability to exploit trusted authentication workflows.
Given the use of legitimate Microsoft infrastructure and trusted cloud services, detection remains challenging. Organizations are advised to monitor authentication logs for suspicious sign-ins, particularly from Railway-associated IP addresses, revoke compromised tokens, and implement stricter access controls to mitigate risk.
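The detection advice above (watch sign-in logs for device-code sign-ins and for sign-ins from a cluster of suspicious source addresses) can be expressed as a small log triage script. The following is an added example written for this roundup, not code from the article or from the researchers it cites. It assumes sign-in records in the shape of Microsoft Entra sign-in log events exported as one JSON object per line (the field names `authenticationProtocol`, `ipAddress`, `userPrincipalName`, `status.errorCode` and `appDisplayName` follow the Microsoft Graph signIn resource, but check them against your own export); the records and the watchlisted IP range are constructed, using RFC 5737 documentation addresses rather than any real hosting provider's ranges.

```python
"""Triage Entra ID sign-in events for device-code-flow abuse.

Three signals are produced, matching the mitigation advice in the text:
  1. any successful sign-in that used the OAuth device code flow,
  2. a successful device-code sign-in from a watchlisted source range,
  3. one source IP from which several distinct users completed
     device-code sign-ins (a phishing backend replaying many victims).
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample log (assumed Entra sign-in shape; all values invented).
SAMPLE_LOG = """\
{"createdDateTime": "2026-02-20T08:12:03Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.45", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-20T08:14:51Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.45", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-20T09:02:10Z", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7", "authenticationProtocol": "authorizationCode", "appDisplayName": "Outlook Web", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-20T09:30:00Z", "userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.46", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-02-20T10:05:22Z", "userPrincipalName": "erin@example.com", "ipAddress": "192.0.2.9", "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI", "status": {"errorCode": 0}}
"""

# Constructed watchlist: replace with the source ranges your own threat intel flags.
WATCHLIST = [ipaddress.ip_network("203.0.113.0/24")]


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_watchlist(ip, watchlist=WATCHLIST):
    """True if ip parses and falls inside any watchlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed or missing address: never a watchlist hit
        return False
    return any(addr in net for net in watchlist)


def analyze(events, watchlist=WATCHLIST, cluster_threshold=2):
    """Return one finding per successful device-code sign-in, plus one
    per source IP that served at least cluster_threshold distinct users."""
    findings = []
    users_by_ip = defaultdict(set)
    for ev in events:
        success = ev.get("status", {}).get("errorCode") == 0
        ip = ev.get("ipAddress", "")
        user = ev.get("userPrincipalName", "?")
        # Failed attempts and other flows are ignored here; only completed
        # device-code logins hand the attacker usable tokens.
        if ev.get("authenticationProtocol") != "deviceCode" or not success:
            continue
        users_by_ip[ip].add(user)
        reasons = ["device_code_flow"]
        if in_watchlist(ip, watchlist):
            reasons.append("watchlisted_source")
        findings.append({"time": ev.get("createdDateTime"), "user": user, "ip": ip,
                         "app": ev.get("appDisplayName"), "reasons": reasons})
    for ip, users in users_by_ip.items():
        if len(users) >= cluster_threshold:
            findings.append({"time": None, "user": None, "ip": ip, "app": None,
                             "reasons": ["device_code_cluster"], "users": sorted(users)})
    return findings


def main():
    for finding in analyze(parse_events(SAMPLE_LOG)):
        print(finding)


if __name__ == "__main__":
    main()
```

On the sample, the two logins from 203.0.113.45 are flagged both individually and as a cluster, the Azure CLI login is reported only because it used the device code flow (an analyst would check whether that user has a legitimate CLI workflow), and the failed attempt is ignored. Because the tokens obtained this way survive a password reset, the response for a confirmed hit is to revoke the user's refresh tokens (in Entra, the `revokeSignInSessions` action on the user) rather than only resetting the password, and to block the device code flow for users who have no need for it.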
- TP-Link Warns Users to Patch Critical Router Authentication Bypass Flaw
TP-Link has released security updates addressing multiple vulnerabilities in its Archer NX router series, including a critical flaw that could allow attackers to bypass authentication and gain full control over affected devices.
The most severe issue, tracked as CVE-2025-15517, impacts several models, including the Archer NX200, NX210, NX500, and NX600. The vulnerability stems from a missing authentication check within the router’s HTTP server, enabling unauthenticated attackers to access endpoints intended only for authorized users. Exploitation could allow malicious actors to perform privileged actions such as uploading firmware or modifying device configurations without credentials.
In addition to this flaw, TP-Link patched a hardcoded cryptographic key vulnerability (CVE-2025-15605) that could allow authenticated users to decrypt and manipulate configuration files. Two further command injection vulnerabilities (CVE-2025-15518 and CVE-2025-15519) were also addressed, which could enable attackers with administrative access to execute arbitrary system commands.
TP-Link has strongly urged users to update their firmware immediately, emphasizing that failure to do so leaves devices exposed to potential compromise.
These issues follow a pattern of ongoing security concerns for the vendor. In September, TP-Link issued patches for a previously disclosed flaw that had gone unaddressed for months and allowed attackers to intercept traffic and manipulate DNS queries. Additionally, multiple TP-Link vulnerabilities have been cataloged by CISA as actively exploited, including older flaws leveraged by botnets to compromise routers at scale.
The continued discovery of critical vulnerabilities, combined with regulatory scrutiny, including a lawsuit filed by the Texas Attorney General alleging misleading security claims, highlights the increasing pressure on network device manufacturers to improve security practices and timely patch management.
- Cybercrime Group Lapsus$ Claims the Hack of Pharma Giant AstraZeneca
The cybercrime group Lapsus$ has claimed responsibility for a breach of pharmaceutical giant AstraZeneca, alleging the theft of approximately 3GB of internal data. According to reports circulating on dark web forums and data leak sites associated with the group, the compromised information includes credentials, authentication tokens, internal source code (spanning technologies such as Java, Angular, and Python), and employee-related data. AstraZeneca has not yet confirmed the incident.
While the presence of credentials and tokens raises immediate concerns, the broader risk lies in how such data could be operationalized. Even in the absence of plaintext passwords or patient data, exposure of internal codebases and infrastructure-related information can significantly aid threat actors in mapping environments, identifying vulnerabilities, and crafting targeted phishing or follow-on intrusion campaigns. This type of access can serve as a foundation for deeper compromise, including lateral movement and potential disruption of business-critical systems.
Security analysts note that the structure and scope of the alleged dataset suggest more than a superficial leak. If validated, it would indicate meaningful internal exposure, potentially affecting development pipelines, access controls, and system architecture. For an organization like AstraZeneca, which operates in a highly sensitive sector involving intellectual property and critical research, such a breach could carry both operational and strategic implications.
The claim aligns with Lapsus$’s known tactics, which often involve breaching high-profile organizations and leveraging stolen data for extortion or resale. The group has a history of targeting entities where reputational impact and data sensitivity increase pressure to respond.
At this stage, the incident remains unverified, and caution is warranted in interpreting the claims. However, the situation underscores the continued targeting of healthcare and pharmaceutical organizations, not only for patient data but also for intellectual property and internal systems that can be exploited for financial or strategic gain.
References:
https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html