Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. Our mission is to keep you informed with the most pressing developments in the world of cybersecurity. This digest serves as your gateway to critical updates and emerging threats across the industry.
This week’s roundup highlights the evolving tactics threat actors and defenders are grappling with across the cyber landscape. From payroll fraud schemes that exploit help desks through social engineering, to critical vulnerabilities in enterprise platforms from Ivanti, Microsoft, and Intel, the stories underscore persistent risks in identity, endpoint, and infrastructure security. We also examine new findings on a severe TDX flaw uncovered by a Google–Intel audit and take a closer look at North Korea–linked UNC1069, which continues to refine AI-assisted lures to target cryptocurrency organizations.
- Payroll Pirates Are Conning Help Desks to Steal Workers’ Identities and Redirect Paychecks
When attackers set their sights on payroll systems, the potential victim pool is effectively unlimited. As Binary Defense’s John Dwyer puts it, targeting paychecks turns “every employee into a target,” regardless of role or seniority.
Binary Defense’s ARC Labs recently investigated a payroll diversion incident at a healthcare organization that illustrates how effective low-tech, high-trust attacks have become. Rather than exploiting a software flaw, the attacker relied almost entirely on social engineering and procedural weaknesses, specifically help desk workflows and identity verification gaps.
The intrusion began with access to a shared mailbox used within the organization. While investigators could not definitively determine how the credentials were obtained, there was no evidence of recent phishing activity, suggesting they were likely sourced from a prior breach. With access to internal email conversations, the attacker gathered enough context to convincingly impersonate a physician.
Posing as the doctor, the attacker contacted the help desk claiming they were locked out of their account and unable to treat patients. The urgency of the request, combined with accurate personal details and appropriate access levels, led support staff to reset both the account password and multi-factor authentication. That single interaction effectively handed the attacker full control of the physician’s digital identity.
From there, the operation followed a familiar, but increasingly refined, business email compromise pattern. After authenticating through the organization’s own virtual desktop infrastructure, the attacker registered new authentication methods and accessed the Workday payroll system. Using trusted internal infrastructure allowed the activity to blend in with normal user behavior, bypassing many security controls that would typically flag anomalous logins.
Once inside Workday, the attacker modified the physician’s direct deposit details, redirecting their salary to an attacker-controlled bank account. The breach went unnoticed until the physician reported a missing paycheck.
What distinguishes this incident is not its technical sophistication, but its precision. By avoiding email-based attacks and operating entirely within trusted systems, the attacker reduced their detection footprint to near zero. From a security monitoring perspective, the actions appeared indistinguishable from legitimate user activity.
The case underscores a broader shift in the threat landscape: identity, not infrastructure, is now the primary attack surface. Payroll and HR platforms, often treated as back-office systems, have become high-value financial targets and should be protected accordingly.
Defensive measures are well understood but inconsistently applied. Changes to direct deposit information should trigger enhanced verification, cooling-off periods, and fraud reviews, similar to controls used for wire transfers and accounts payable. Payroll data should also be treated as a security telemetry source, not just an administrative record.
Ultimately, this incident highlights a growing risk for organizations that focus heavily on technical controls while underestimating process abuse. As attackers continue to weaponize trust, businesses must treat employee identities, and the systems tied to compensation, as privileged assets worthy of the same scrutiny as production servers or sensitive data stores.
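The controls described above (treating direct-deposit changes like wire transfers, with enhanced verification and a cooling-off period, and using payroll data as security telemetry) can be expressed as a simple correlation rule. The following is an added example, not code from Binary Defense or from the article: it joins constructed identity events (help-desk resets, new MFA registrations) with constructed payroll events and places any direct-deposit change that follows a risky identity event within a review window on hold. The event names, window lengths and sample users are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str        # "helpdesk_reset", "mfa_registered" or "deposit_change"
    detail: str = ""


# Constructed sample telemetry for the illustration (not real log data).
SAMPLE_EVENTS = [
    Event(datetime(2026, 2, 2, 9, 5), "dr.smith", "helpdesk_reset", "password+MFA reset by phone"),
    Event(datetime(2026, 2, 2, 9, 40), "dr.smith", "mfa_registered", "new authenticator app"),
    Event(datetime(2026, 2, 2, 10, 15), "dr.smith", "deposit_change", "routing/account changed"),
    Event(datetime(2026, 1, 5, 8, 0), "j.doe", "deposit_change", "routing/account changed"),
    Event(datetime(2026, 1, 20, 12, 0), "a.lee", "mfa_registered", "new phone"),
    Event(datetime(2026, 2, 14, 12, 0), "a.lee", "deposit_change", "routing/account changed"),
]

# Assumed policy values: identity events in the last 14 days make a deposit
# change risky; risky changes are held for 3 days pending out-of-band verification.
RISK_WINDOW = timedelta(days=14)
HOLD_PERIOD = timedelta(days=3)
RISKY_PRECURSORS = {"helpdesk_reset", "mfa_registered"}


def review_deposit_changes(events, window=RISK_WINDOW, hold=HOLD_PERIOD):
    """Return one decision per direct-deposit change, ordered by time.

    A change is placed on 'hold' when the same user had a help-desk reset or a
    new MFA registration inside the look-back window; otherwise it is 'allow'.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        for e in evs:
            if e.kind != "deposit_change":
                continue
            precursors = [
                p for p in evs
                if p.kind in RISKY_PRECURSORS and e.ts - window <= p.ts < e.ts
            ]
            if precursors:
                findings.append({
                    "user": user,
                    "ts": e.ts,
                    "decision": "hold",
                    "reasons": [f"{p.kind} at {p.ts.isoformat()}: {p.detail}" for p in precursors],
                    "release_after": e.ts + hold,   # cooling-off period before funds move
                })
            else:
                findings.append({"user": user, "ts": e.ts, "decision": "allow",
                                 "reasons": [], "release_after": None})
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in review_deposit_changes(SAMPLE_EVENTS):
        print(f["ts"].isoformat(), f["user"], f["decision"], f["reasons"])
```

In a real deployment the two inputs would come from the identity provider's audit log and the payroll system's change history, and a "hold" would route the change to a manual verification step that does not rely on the same help-desk channel the attacker already abused.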
- Ivanti Patches Endpoint Manager Vulnerabilities Disclosed in October 2025
Ivanti has released security updates addressing more than a dozen vulnerabilities in its Endpoint Manager (EPM) platform, including several issues that were publicly disclosed late last year and carry remote exploitation risk.
In a newly published advisory, Ivanti details fixes for two remotely exploitable flaws: a high-severity authentication bypass tracked as CVE-2026-1603 and a medium-severity SQL injection issue tracked as CVE-2026-1602. The authentication bypass could allow attackers to access credential data without proper authorization, while the SQL injection vulnerability could enable authenticated users to extract arbitrary data from the EPM database.
Both vulnerabilities are resolved in Endpoint Manager 2024 SU5. This release also addresses 11 additional medium-severity flaws that Ivanti previously disclosed in October. Collectively, these issues could be chained to enable privilege escalation and, in some scenarios, remote code execution.
The vulnerabilities were originally reported to Ivanti in November 2024 and later disclosed by Trend Micro’s Zero Day Initiative (ZDI), which labeled them as zero-day despite the fact that they were not actively exploited at the time of disclosure. Ivanti patched two high-severity issues in November 2025 and has now remediated the remaining flaws with the SU5 update.
Ivanti states that it has no evidence of active exploitation of these EPM vulnerabilities but strongly recommends that customers upgrade to EPM 2024 SU5 without delay. The company also reiterated that Endpoint Manager 2022 has reached end of life and no longer receives security updates, urging organizations still on that version to migrate to a supported release.
Separately, Ivanti provided updates to its advisory for two Endpoint Manager Mobile (EPMM) vulnerabilities, CVE-2026-1281 and CVE-2026-1340, both rated critical with CVSS scores of 9.8. These flaws, which allow unauthenticated remote code execution, were confirmed to have been exploited as zero-days to deploy web shells and reverse shells for persistence.
Following earlier guidance that included indicators of compromise and a detection script, Ivanti has now expanded its advisory to address potential false positives, helping defenders better validate suspected activity.
- Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days
Microsoft has released its latest monthly security updates, addressing 59 vulnerabilities across the Windows ecosystem, including six flaws confirmed to be under active exploitation. The updates span Windows, Microsoft Office, and related components, reinforcing the urgency for organizations to patch promptly.
Of the vulnerabilities fixed this cycle, five are rated Critical, 52 Important, and two Moderate. Privilege escalation issues dominate this month’s release, accounting for nearly half of the total, followed by remote code execution, spoofing, information disclosure, security feature bypass, denial-of-service, and a single cross-site scripting flaw. Microsoft also issued additional fixes for its Edge browser following the January update, including a Moderate-severity spoofing issue affecting Edge for Android.
Six vulnerabilities stand out due to confirmed exploitation in the wild:
- CVE-2026-21510 and CVE-2026-21513: Security feature bypass flaws in Windows Shell and the MSHTML framework that allow attackers to circumvent protections through crafted files.
- CVE-2026-21514: A Microsoft Word flaw that enables local security bypass via untrusted input handling.
- CVE-2026-21519 and CVE-2026-21533: Local privilege escalation issues in Desktop Window Manager and Remote Desktop, respectively.
- CVE-2026-21525: A denial-of-service condition in the Windows Remote Access Connection Manager.
Several of these issues were identified by Microsoft’s own security teams in collaboration with Google Threat Intelligence Group. While Microsoft has not disclosed details on real-world exploitation, researchers note that some of these bugs allow malicious files to bypass user prompts, enabling attacks with minimal interaction.
Security experts caution that while the privilege escalation vulnerabilities require prior access, they are particularly dangerous when chained with phishing or remote code execution exploits, potentially allowing attackers to gain SYSTEM-level privileges and disable security controls.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all six actively exploited flaws to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply patches by March 3, 2026, underscoring the seriousness of the threat.
Alongside vulnerability fixes, Microsoft is rolling out updated Secure Boot certificates to replace legacy certificates set to expire in mid-2026. While systems that miss the update will continue operating, they will gradually lose access to future boot-level protections, increasing long-term risk.
Microsoft also announced progress on broader security initiatives under its Secure Future and Windows Resiliency programs. These include Windows Baseline Security Mode, which aims to enable runtime integrity protections by default, and User Transparency and Consent, a new framework designed to provide clearer prompts when applications attempt to access sensitive resources or install additional software.
This Patch Tuesday reinforces two key realities: attackers continue to weaponize security feature bypasses and local privilege escalation flaws, and platform vendors are moving toward stricter default security models. Organizations should prioritize patching, especially for systems exposed to phishing or untrusted file handling, while preparing for tighter controls and transparency requirements in future Windows releases.
- Google-Intel Security Audit Reveals Severe TDX Vulnerability Allowing Full Compromise
Intel has completed a joint security assessment of its Trust Domain Extensions (TDX) technology in collaboration with Google, uncovering multiple security issues and areas for improvement in the process.
TDX is Intel’s confidential computing capability designed to protect sensitive workloads in cloud and multi-tenant environments. It enables the creation of hardware-isolated virtual machines, known as Trust Domains (TDs), that are intended to preserve data confidentiality and integrity even if the underlying hypervisor or cloud operator is compromised.
The review was conducted over a five-month period in 2025 by Google Cloud’s security team alongside Intel’s internal INT31 researchers. The teams performed an in-depth analysis of TDX Module version 1.5, which is responsible for implementing TDX’s core functionality. The assessment combined manual code review, purpose-built analysis tooling, and commercially available AI-assisted techniques.
As a result of this work, the researchers identified five security vulnerabilities, in addition to 35 bugs, design weaknesses, and recommendations aimed at strengthening the platform. Intel has since addressed all identified vulnerabilities and released a security advisory detailing the fixes. The resolved issues are tracked under CVE-2025-32007, CVE-2025-27940, CVE-2025-30513, CVE-2025-27572, and CVE-2025-32467, with potential impacts including privilege escalation and information disclosure.
Google’s disclosure highlighted CVE-2025-30513 as the most severe finding. According to Google, the flaw could allow an untrusted host operator to undermine TDX’s security model by exploiting a time-of-check to time-of-use (TOCTOU) condition during virtual machine migration. Specifically, the issue made it possible to alter a Trust Domain’s attributes from “migratable” to “debuggable” while its immutable state was being imported.
If exploited, this condition would expose the fully decrypted state of the Trust Domain to the host. An attacker could then reconstruct the virtual machine, extract sensitive data, or monitor it in real time. Notably, because migrations can occur at any stage of a Trust Domain’s lifecycle, the attack could be executed after successful attestation, when cryptographic secrets and sensitive workloads are already present.
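The flaw described above is a time-of-check to time-of-use problem: a security-relevant attribute is validated at one moment and consumed at a later one, and in between the untrusted host can change it. The following is an added, deliberately abstract model written for this roundup; it is not TDX Module code and the flag values, function names and "import" logic are assumptions. It contrasts a routine that re-reads host-visible memory after validating it with one that copies the attributes once into private state and validates and uses that single snapshot.

```python
# Assumed attribute bits for the illustration (not Intel's real encoding).
MIGRATABLE = 1 << 0
DEBUGGABLE = 1 << 1


class HostMemory:
    """Buffer the untrusted host controls and may rewrite at any time."""

    def __init__(self, attrs):
        self.attrs = attrs


def validate(attrs):
    """Policy: only a migratable, non-debuggable domain may be imported."""
    if attrs & DEBUGGABLE:
        raise ValueError("debuggable domain must not be imported")
    if not attrs & MIGRATABLE:
        raise ValueError("domain is not marked migratable")


def import_vulnerable(host_mem, host_turn=None):
    """Check-then-use against shared memory: the host gets a turn in between."""
    validate(host_mem.attrs)            # time of check: reads host memory
    if host_turn:
        host_turn(host_mem)             # models host activity during the import
    return {"attrs": host_mem.attrs}    # time of use: re-reads host memory (TOCTOU)


def import_hardened(host_mem, host_turn=None):
    """Snapshot once into private state; validate and use the same copy."""
    snapshot = host_mem.attrs           # single copy taken before validation
    validate(snapshot)
    if host_turn:
        host_turn(host_mem)             # host activity no longer affects the result
    return {"attrs": snapshot}


def host_flips_to_debuggable(host_mem):
    """Simulated host interference: the attribute word changes mid-import."""
    host_mem.attrs = (host_mem.attrs & ~MIGRATABLE) | DEBUGGABLE


if __name__ == "__main__":
    print("vulnerable:", import_vulnerable(HostMemory(MIGRATABLE), host_flips_to_debuggable))
    print("hardened:  ", import_hardened(HostMemory(MIGRATABLE), host_flips_to_debuggable))
```

The general lesson for any trusted component that consumes data from a less trusted layer is the same: copy inputs into memory the other party cannot reach, validate the copy, and never touch the shared buffer again for that operation.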
The findings underscore both the complexity of securing hardware-based confidential computing and the value of independent, collaborative security reviews. Intel and Google framed the engagement as an example of proactive vulnerability discovery, aimed at strengthening the resilience of emerging cloud security technologies before they are widely exploited.
- North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations
Researchers have identified a renewed campaign by the North Korea-aligned threat actor UNC1069 targeting the cryptocurrency ecosystem through sophisticated social engineering rather than software exploitation. The activity focuses on compromising both Windows and macOS systems to harvest credentials and sensitive data that can be used for financial theft.
According to Google Mandiant, the intrusion chain combines multiple deception techniques: impersonation over Telegram, fake Zoom meetings, ClickFix-style malware delivery, and the suspected use of AI-generated or recycled video content to convincingly mimic legitimate business interactions. UNC1069, also known as CryptoCore or MASAN, has been active since at least 2018 and has a long track record of posing as investors or venture capital representatives to lure victims.
In recent years, the group has shifted away from traditional finance targets toward Web3 organizations, including centralized exchanges, crypto startups, software developers, and venture capital firms. Google previously reported that UNC1069 has experimented with generative AI tools to create realistic lure content and, in some cases, to assist in malware development. The group has also leveraged deepfake imagery and video to enhance the credibility of its attacks.
The latest campaigns begin with outreach on Telegram, sometimes using compromised accounts belonging to real entrepreneurs. Victims are invited to schedule meetings via Calendly, which directs them to Zoom-themed phishing domains designed to closely resemble legitimate Zoom infrastructure. Once the target joins the “meeting,” they are presented with what appears to be a live video call, often suspected to be prerecorded footage from prior victims, before encountering a fabricated technical issue.
At that point, victims are instructed to run troubleshooting commands to resolve an alleged audio problem. On macOS systems, this leads to the execution of malicious AppleScript code that installs a Mach-O binary known as WAVESHAPER. This initial payload collects system details and deploys additional malware components, including multiple backdoors and data stealers written in Go, C++, Swift, and C.
Among these tools are DEEPBREATH, which manipulates macOS privacy controls to access sensitive data such as iCloud Keychain credentials and browser data, and CHROMEPUSH, a malicious browser extension disguised as a productivity tool that steals cookies, credentials, and keystrokes. Other components provide persistent remote access and system reconnaissance, underscoring the attackers’ intent to fully compromise the environment.
Mandiant notes that the breadth and redundancy of malware deployed in a single intrusion reflects a deliberate strategy to maximize credential theft and session hijacking, particularly for cryptocurrency-related accounts. The use of multiple newly observed malware families also signals an expansion in UNC1069’s technical sophistication and operational ambition.
For defenders, the campaign highlights the growing risk of workflow-based social engineering, especially in high-trust environments such as investor calls and partnership discussions. Verifying meeting links, restricting script execution, and treating “fix” instructions during calls with skepticism are increasingly critical controls for organizations operating in the crypto and financial technology space.
References:
https://www.theregister.com/2026/02/11/payroll_pirates_business_social_engineering/
https://thehackernews.com/2026/02/microsoft-patches-59-vulnerabilities.html
https://thehackernews.com/2026/02/north-korea-linked-unc1069-uses-ai.html