
Canary Trap’s Bi-Weekly Cyber Roundup

Welcome to the latest edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up to date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.

This week’s roundup highlights the growing impact of cyber threats across healthcare, critical infrastructure, and widely used platforms. We examine a disruptive cyberattack on a Massachusetts hospital, Russia-linked Forest Blizzard activity leveraging home routers for espionage, and a stealthy IoT-focused botnet campaign. We also cover a ransomware incident affecting a Dutch healthcare software provider, along with active exploitation of a critical vulnerability in Ninja Forms that puts thousands of WordPress sites at risk of full compromise.

  • Massachusetts Hospital Diverts Ambulances as Cyberattack Causes Disruption

Signature Healthcare, a regional provider based in Brockton, Massachusetts, recently experienced a cyber incident that significantly disrupted operations and forced the diversion of ambulance traffic. The organization operates Brockton Hospital, a 200-bed community facility, as well as Signature Medical Group, which includes more than 150 physicians across multiple locations.

The incident was identified on Monday, prompting the organization to activate its incident response protocols and shift to downtime procedures to maintain patient safety and continuity of care. While inpatient services and emergency walk-in care remained operational, ambulance diversions continued into Tuesday, reflecting ongoing strain on critical systems.

Although core medical services such as surgeries and procedures were not impacted, several disruptions were reported. Chemotherapy infusion services were temporarily suspended, with affected patients notified of delays. Additional service interruptions were observed across urgent care locations and physician practices. Retail pharmacy operations were also affected: while some locations reopened for consultations, they were unable to process prescriptions due to system limitations.

At this stage, Signature Healthcare has not confirmed whether the incident involved ransomware, and no threat actor has publicly claimed responsibility. However, it is not uncommon for ransomware groups to delay attribution, often revealing victims only after negotiations have stalled in an effort to increase pressure.

This incident reflects a broader and ongoing trend of cyberattacks targeting healthcare organizations globally. Such attacks frequently disrupt clinical operations and, in some cases, lead to large-scale data breaches. In more severe instances, cyber incidents have been linked to patient safety risks, including reported fatalities in the United States, Germany, and the United Kingdom. The situation underscores the critical importance of resilience planning in environments where operational disruption can have direct consequences for human life.

  • Russian Forest Blizzard Hackers Hijack Home Routers for Global Spying

A threat group linked to Russian military intelligence, commonly tracked as Forest Blizzard (also known as Fancy Bear), has been observed leveraging thousands of compromised home and small office routers to support a large-scale cyber espionage operation. According to findings published by Microsoft Threat Intelligence on April 7, the campaign has been active since at least August 2025, though its scale and sophistication have only recently come into focus.

The operation primarily targets Small Office/Home Office (SOHO) networking devices, which often lack enterprise-grade security controls. By compromising these routers, the attackers are able to manipulate Domain Name System (DNS) processes, effectively rerouting internet traffic through infrastructure under their control. This technique, known as DNS hijacking, allows the group to silently intercept and monitor user activity. Researchers noted that the attackers are using legitimate tools such as dnsmasq to manage traffic redirection, enabling persistent and low-visibility surveillance across a broad set of victims.

Microsoft attributes part of the activity to a subgroup identified as Storm-2754, which appears to be using the compromised devices to build a covert proxy network. This infrastructure supports both passive intelligence gathering and more active intrusion techniques, including Adversary-in-the-Middle (AiTM) attacks. In these scenarios, attackers position themselves between users and legitimate services to capture credentials, session tokens, and sensitive communications.

The campaign has affected more than 5,000 consumer devices and at least 200 organizations globally. Notably, the attackers have targeted Microsoft Outlook Web Access to intercept email traffic, with confirmed compromises involving government entities in Africa. Key sectors impacted include energy, telecommunications, and information technology.

This activity highlights a growing risk associated with unsecured edge devices, particularly in hybrid and remote work environments. Even when corporate networks are well-defended, compromised home infrastructure can expose access credentials and sensitive data.

To mitigate these risks, Microsoft recommends enforcing multi-factor authentication (MFA) and adopting passwordless authentication where possible. Organizations are also advised to limit reliance on consumer-grade networking equipment for business operations and ensure that all devices are regularly updated and properly secured.

  • Evasive Masjesu DDoS Botnet Targets IoT Devices

Trellix researchers have conducted an in-depth analysis of *Masjesu*, a botnet engineered to carry out large-scale distributed denial-of-service (DDoS) attacks by compromising Internet of Things (IoT) devices. Active since at least 2023, Masjesu has been marketed primarily via Telegram, where its operator promotes its ability to generate high-volume attacks reaching hundreds of gigabytes. The messaging targets both Chinese- and English-speaking audiences, indicating a broad, international customer base.

Although the operator’s current Telegram channel has a relatively modest following, earlier channels were reportedly removed for policy violations, suggesting a wider underlying user network. Analysis of attack telemetry shows that the majority of infected devices are located in Vietnam, with additional concentrations in countries such as Brazil, India, Iran, Kenya, and Ukraine. The distribution across multiple autonomous systems indicates a decentralized infrastructure rather than reliance on a single hosting provider.

Technically, Masjesu demonstrates considerable flexibility, with support for multiple CPU architectures including ARM, MIPS, x86, and others commonly found in IoT environments. It propagates by exploiting known vulnerabilities in a range of devices, including D-Link and Netgear routers, GPON and Huawei gateways, DVR systems, and exposed UPnP services.

Once deployed, the malware establishes persistence through several mechanisms. It disguises itself by mimicking legitimate system processes, modifies execution paths, and creates scheduled tasks to ensure regular execution. It also employs basic defensive measures, such as terminating competing processes and restricting access to shared directories, likely to maintain exclusive control of the infected system.

Masjesu maintains communication with its command-and-control infrastructure using encrypted configuration data that is decrypted at runtime. Through this channel, operators can issue commands to launch a wide variety of DDoS attack types, including TCP, UDP, HTTP, and protocol-specific floods.

Overall, Masjesu reflects the continued evolution of IoT botnets, combining broad device compatibility, resilient persistence techniques, and flexible attack capabilities to sustain large-scale, distributed attack operations.

  • Dutch Healthcare Software Vendor Goes Dark After Ransomware Attack

A ransomware attack has disrupted operations at Dutch healthcare software provider ChipSoft, a company whose systems support approximately 80% of hospitals in the Netherlands. The incident, first identified on April 7, 2026, forced the company’s website offline and prompted an ongoing investigation into the scope and impact of the breach.

The attack was confirmed by Z-CERT, the Netherlands’ cybersecurity response organization for the healthcare sector, which is currently coordinating with ChipSoft, affected healthcare institutions, and relevant partners. While the threat actor behind the intrusion has not yet been identified, authorities are working to assess the extent of the compromise and any potential risks to connected systems.

Despite the disruption to ChipSoft’s public-facing services, most hospitals have been able to maintain access to patient portals and continue operations. However, the level of dependency on ChipSoft’s software varies across institutions. According to local reporting, 11 hospitals have taken systems offline as a precaution, with the majority being organizations that rely more heavily on the platform for core clinical and administrative functions.

Z-CERT has advised healthcare organizations to proactively monitor their environments for unusual activity, particularly network anomalies that could indicate lateral movement or further compromise. Institutions are also encouraged to report suspicious findings to support broader incident response efforts. Strengthening incident response capabilities, improving system visibility, and implementing comprehensive disaster recovery planning are essential steps to mitigate the operational and clinical risks associated with such attacks.

  • Hackers Targeting Ninja Forms Vulnerability That Exposes WordPress Sites to Takeover

A critical vulnerability has been identified in the File Uploads add-on for the Ninja Forms WordPress plugin, exposing tens of thousands of websites to potential full compromise. According to cybersecurity firm Defiant, the issue affects an estimated 50,000 deployments, with active exploitation attempts already observed in the wild.

Tracked as CVE-2026-0740 and assigned a CVSS score of 9.8, the flaw stems from insufficient validation of uploaded files. Specifically, the add-on fails to properly verify file types and does not sanitize filenames before storing them on the server. This oversight allows attackers to upload malicious files, such as PHP scripts, disguised as legitimate uploads.

Because the add-on does not enforce strict controls on file naming or destination paths, the flaw also introduces the risk of path traversal. This enables attackers to place files in sensitive directories, including the webroot, significantly increasing the likelihood of successful exploitation.

In practical terms, an unauthenticated attacker can leverage this weakness to upload and execute malicious code on the target server, resulting in remote code execution. This could allow the deployment of web shells, providing persistent access and effectively granting full control over the compromised website.
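As an added illustration (constructed here, not the plugin's own code, and written in Python rather than the plugin's PHP): a minimal upload handler that trusts the client-supplied name with no type check, beside a hardened version that checks the claimed extension against an allowlist and the file's leading bytes, replaces the name with one chosen by the server, and refuses any destination that resolves outside the upload directory. The signature table, the scratch upload tree and the sample contents are all constructed.

```python
import re
import secrets
import tempfile
from pathlib import Path

# Allowed extensions paired with content signatures (constructed table).
ALLOWED = {"pdf": (b"%PDF-",), "png": (b"\x89PNG\r\n\x1a\n",),
           "jpg": (b"\xff\xd8\xff",), "gif": (b"GIF87a", b"GIF89a")}

def save_upload_vulnerable(upload_dir: Path, filename: str, data: bytes) -> Path:
    # Trusts the client: no type check, no sanitization, no path confinement.
    dest = upload_dir / filename  # '../../shell.php' escapes upload_dir
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest

def validate_upload(filename: str, data: bytes) -> str:
    """Return a safe, server-chosen filename or raise ValueError."""
    # Keep only the last path component; drop NULs and both '/' and '\' separators.
    base = re.split(r"[\\/]", filename.replace("\x00", ""))[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise ValueError(f"content does not match .{ext}")
    # Random name chosen by the server: no double extensions, dotfiles or traversal.
    return f"{secrets.token_hex(8)}.{ext}"

def save_upload_hardened(upload_dir: Path, filename: str, data: bytes) -> Path:
    dest = (upload_dir / validate_upload(filename, data)).resolve()
    if upload_dir.resolve() not in dest.parents:  # defence in depth
        raise ValueError("destination escaped upload directory")
    dest.write_bytes(data)
    return dest

def demo() -> dict:
    # Run both handlers in a scratch tree and report what each did.
    root = Path(tempfile.mkdtemp())
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    php = b"<?php echo 'constructed placeholder'; ?>"  # stands in for a web shell
    escaped = save_upload_vulnerable(uploads, "../../shell.php", php)
    try:
        save_upload_hardened(uploads, "../../shell.php", php)
        blocked = False
    except ValueError:
        blocked = True
    png = save_upload_hardened(uploads, "..\\..\\avatar.png", b"\x89PNG\r\n\x1a\n" + bytes(8))
    return {"vuln_escaped": escaped.resolve() == (root / "shell.php").resolve(),
            "hardened_blocked": blocked,
            "hardened_inside": uploads.resolve() in png.resolve().parents}
```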

The vulnerability was discovered by security researcher Sélim Lanouar through the Wordfence bug bounty program and reported in January. He was awarded $2,145 for the finding.

Given the severity of the issue and evidence of ongoing exploitation attempts, users are strongly advised to update to version 3.3.27 of the File Uploads add-on immediately, as all earlier versions remain vulnerable.


References:

https://www.securityweek.com/massachusetts-hospital-diverts-ambulances-as-cyberattack-causes-disruption/

https://hackread.com/russian-forest-blizzard-hackers-hijack-home-routers/

https://www.securityweek.com/evasive-masjesu-ddos-botnet-targets-iot-devices/

https://www.theregister.com/2026/04/08/chipsoft_ransomware/

https://www.securityweek.com/hackers-targeting-critical-ninja-forms-bug-that-exposes-wordpress-sites-to-takeover/