
Canary Trap’s Bi-Weekly Cyber Roundup

Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. Our mission is to keep you informed with the most pressing developments in the world of cybersecurity. This digest serves as your gateway to critical updates and emerging threats across the industry.

Cybersecurity threats continue to escalate across industries and borders, with recent developments highlighting the growing sophistication and impact of cyberattacks. From the rise of Interlock ransomware targeting healthcare systems and smart city infrastructure, to Bluetooth vulnerabilities threatening automotive security, the digital landscape is under siege. High-profile breaches, such as the attack on telecom giant Orange and the state-level response in Minnesota, underscore the urgency. Meanwhile, new research reveals that the financial toll of data breaches has reached record-breaking levels.

  • Interlock Ransomware Threat Expands Across the US and Europe, Hits Healthcare and Smart Cities

A recent joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) has highlighted a rising cybersecurity threat posed by the Interlock ransomware group. This evolving threat actor is drawing attention for its sophisticated use of psychological tactics and unconventional access methods that are challenging standard ransomware defense strategies across multiple industries.

First identified in September 2024, the Interlock ransomware variant targets both Windows and Linux environments, with particular focus on encrypting virtual machines (VMs). Unlike many ransomware groups that rely on well-known techniques such as phishing or exploiting Remote Desktop Protocol (RDP) vulnerabilities, Interlock is utilizing lesser-seen entry points to gain initial access.

Interlock actors have been observed using drive-by downloads, in which malicious payloads are delivered through legitimate websites that have been compromised. They have also used a social engineering technique known as “ClickFix”, which misleads users into running a malicious command themselves under the guise of fixing a system issue, such as a fake CAPTCHA check. These tactics are designed to sidestep traditional security awareness training by targeting routine user behavior and trust rather than a software flaw.

Once a foothold is gained, attackers proceed with lateral movement, credential harvesting, and deeper infiltration into connected systems. The group’s double extortion model involves both encrypting data and exfiltrating it, pressuring victims to pay to both restore access and prevent public disclosure of sensitive information.

Rather than including ransom demands directly in the note, victims are instructed to connect with the attackers via a Tor-based .onion site using a unique identifier, further obfuscating the actors’ trail and complicating response efforts.

Experts emphasize that Interlock’s true danger lies not in its encryption mechanism but in its calculated manipulation of organizational blind spots. Sanchit Vir Gogia, Chief Analyst and CEO of Greyhound Research, notes that Interlock effectively exploits routine digital behaviors and patching cycles. By mimicking trusted interface elements, such as familiar browser and system prompts, to deliver remote access trojans, it lowers user suspicion and raises its success rate.

While the advisory did not specify affected entities, previous incidents have shown a concentration of attacks on healthcare providers, including DaVita and Kettering Health. Other impacted sectors include education, manufacturing, government, and technology. Looking ahead, organizations involved in energy, transportation, and financial services may be particularly vulnerable, especially those with significant virtualization infrastructure.

Given the dynamic nature of the threat, organizations are advised to adopt a multi-layered cybersecurity strategy. While virtual machines have been the primary targets to date, experts warn that attackers may soon shift toward physical servers and endpoints.

Recommended defensive measures include:

  • Deploying advanced endpoint detection and response (EDR) tools
  • Implementing DNS filtering and web application firewalls
  • Conducting regular staff training on social engineering threats such as ClickFix
  • Patching known software and firmware vulnerabilities promptly
  • Segmenting networks to contain threats and limit lateral movement
  • Enforcing strong identity and access controls, including multi-factor authentication (MFA)

Cybersecurity consultants underscore the importance of going beyond conventional protocols.

  • PerfektBlue Bug Chain Exposes Cars to Bluetooth Hacking

Recent research has uncovered a series of critical vulnerabilities affecting Bluetooth technology used in vehicle infotainment systems, posing potential cybersecurity risks for several leading automakers, including Mercedes-Benz, Škoda, and Volkswagen.

The security flaws, collectively identified as PerfektBlue by cybersecurity firm PCA Cyber Security, originate from a widely integrated Bluetooth software stack known as Blue SDK, developed by OpenSynergy. Chained together, they could allow an attacker to remotely execute code on an infotainment system by abusing a previously paired (trusted) Bluetooth device, such as a driver’s smartphone, requiring at most minimal user interaction, such as accepting an on-screen prompt.

Infotainment systems, while designed primarily for user convenience, such as playing music, providing navigation, or managing calls, are deeply embedded within a vehicle’s broader digital ecosystem. These systems often communicate with other internal components through protocols like CAN bus or Ethernet. Ideally, digital gateways are in place to regulate this communication, ensuring that external connections cannot influence sensitive vehicle operations. However, implementation varies significantly between manufacturers. In some cases, this segmentation is insufficient, leaving room for attackers to move laterally across the vehicle’s internal network once initial access is achieved.

The PerfektBlue vulnerability chain is particularly concerning due to its exploitation of previously paired devices. Once a Bluetooth device has been trusted by the system, it typically enjoys elevated access privileges. This allows attackers, if they retain, spoof, or recover such a device, to bypass initial security checks and initiate a connection without the need for full reauthentication. The attack must be launched within standard Bluetooth range, roughly 10 meters, but this could be accomplished discreetly by placing a hidden device near the target vehicle in a parking area.

PerfektBlue consists of four interrelated security flaws that, when combined, enable an attacker to bypass multiple layers of defense. These include a memory corruption issue capable of disrupting or redirecting software processes, improper validation of data input lengths in Bluetooth exchanges, a method for escalating user privileges, and a flaw allowing reconnection by previously paired or impersonated devices without user consent.

While technical specifics have not yet been made public, PCA Security has disclosed the vulnerabilities to affected vendors and relevant authorities. Placeholder CVEs (Common Vulnerabilities and Exposures) have been submitted and are pending publication.

The broader implication of these findings is that even a single accepted prompt by an unsuspecting driver could open the door to unauthorized access. Once compromised, the attacker might gain control over sensitive functions such as GPS data, microphone access, or potentially, in less segmented systems, areas related to vehicle safety and operation.

This discovery highlights the growing cybersecurity challenges facing modern vehicles. As automotive technology continues to evolve and integrate with consumer electronics, ensuring robust digital safeguards will be critical to maintaining both user privacy and vehicle safety.

  • Telecom Giant Orange Hit by Cyberattack

French telecommunications leader Orange has confirmed a recent cyberattack that affected its IT infrastructure, causing service disruptions primarily in France.

In an official announcement dated July 25th, the company stated that the intrusion was rapidly identified, and its cybersecurity team, in coordination with Orange Cyberdefense, acted swiftly to isolate the compromised systems to mitigate the impact. This containment process temporarily disrupted certain internal management tools and customer-facing platforms for both enterprise and individual users.

Orange has indicated that full-service restoration is anticipated by July 30th. At this stage of the investigation, there is no indication that any customer or business data has been compromised or exfiltrated.

Relevant regulatory and law enforcement authorities have been informed, though the company has chosen not to release further details at this time due to the sensitivity of the matter.

This incident follows a similar report earlier this year. In February, a threat actor claimed responsibility for exfiltrating several gigabytes of data from Orange systems, primarily involving Orange Romania. The allegedly compromised data included internal documents, customer and employee records, contracts, invoices, source code, and a large number of email addresses.

At that time, Orange acknowledged the breach but clarified that only a non-essential application had been affected. Subsequently, the Babuk ransomware group claimed to possess and attempted to sell the same data. According to Orange, the information appeared to be a repetition of the February incident rather than evidence of a new breach.

  • Minnesota Activates National Guard in Response to Cyberattack

On Tuesday, Minnesota Governor Tim Walz authorized the deployment of the National Guard’s cybersecurity specialists to assist the City of Saint Paul in addressing a recent cyber incident that significantly disrupted municipal systems.

The breach, which occurred over the weekend, prompted city officials to proactively shut down several internal systems on Monday in an effort to contain the threat. A public notice on Saint Paul’s official website confirmed the disruption, stating that the city is actively responding to a “digital security incident” affecting access to internal services and select online platforms. Collaborative efforts are underway involving local, state, and federal agencies to investigate and remediate the incident.

Due to the scope and complexity of the attack, Governor Walz issued an executive order declaring a state of emergency. This action enabled the immediate activation of Minnesota’s National Guard cyber protection team to support response and recovery operations.

“Our top priority is restoring the City of Saint Paul’s cybersecurity infrastructure and ensuring long-term resilience,” said Governor Walz. “The Minnesota National Guard will work in close coordination with city, state, and federal partners to mitigate damage and protect residents from further risk.”

While essential services such as emergency response remain fully operational, certain non-critical services, such as library access, online payment portals, and public Wi-Fi, may experience temporary outages.

Although disconnecting systems is a standard protocol during ransomware incidents, city representatives have not disclosed specific details about the nature of the intrusion or whether any ransom demands were issued. Officials confirmed during a Tuesday press briefing that the cyberattack specifically targeted the city’s information technology infrastructure and that a full investigation is currently underway.

  • Research shows data breach costs have reached an all-time high

In 2025, the average cost of a data breach for U.S. companies surged by 9%, reaching a record high of $10.22 million, according to IBM’s 20th annual Cost of a Data Breach Report. This sharp rise contrasts with a 9% decrease in the global average, which dropped to $4.44 million, the first global decline in five years.

IBM attributes the international decline to faster detection and shorter investigation periods, both of which have helped reduce overall breach expenses. However, in the United States, heightened regulatory penalties and increasing costs tied to detection and escalation have driven the financial toll of breaches even higher.

The head of IBM X-Force noted, “The growing disparity in breach costs highlights the unique challenges U.S. companies face, particularly as they grapple with stricter regulatory environments and steeper fines.”

The report reveals that while breach lifecycles are shortening, with the mean time to identify and contain a breach down to 241 days globally, the lowest in nine years, financial impacts remain uneven. Rapid detection significantly curtails damage by limiting attackers’ window of access, thereby reducing potential harm to critical systems and data. IBM X-Force emphasized, “When it comes to data breaches, speed of response is directly linked to financial impact.”

Detection and escalation costs, while down nearly 10% globally to an average of $1.47 million, continue to be the most significant contributor to breach-related expenses. Other categories, including lost business ($1.38 million), post-incident response ($1.2 million), and notification efforts (approximately $390,000), also declined slightly.

Healthcare organizations, despite a notable 24% reduction in average breach costs year-over-year, remain the most financially impacted industry for the 14th consecutive year, with an average cost of $7.42 million per breach. The financial, industrial, energy, and technology sectors followed closely behind.

However, not all industries benefited from reduced costs. Sectors such as entertainment, media, hospitality, education, research, retail, and government experienced increases in breach-related expenses during 2025.

IBM’s findings also provide insight into breach causation. Malicious activity, including cyberattacks, accounted for 51% of incidents. Human error was responsible for 26%, while system or infrastructure failures contributed 23%. Phishing was the leading method of initial breach, involved in 16% of cases. Supply chain vulnerabilities and denial-of-service attacks followed, comprising 15% and 13% of breaches, respectively.

Of the 600 organizations analyzed between March 2024 and February 2025, nearly two-thirds reported they were still in the process of recovering from breaches. Recovery timelines frequently extend beyond 100 days, with approximately half of affected organizations needing between 101 and 150 days to fully recover.

The report also highlights a shift in ransomware response strategies. The proportion of organizations declining to pay ransom demands rose from 59% in 2024 to 63% in 2025, indicating a stronger stance against extortion tactics.

In addition, the intersection of cybersecurity and artificial intelligence is becoming increasingly critical. Thirteen percent of organizations reported breaches involving AI systems, and nearly a third of those incidents resulted in operational disruptions or exposure of sensitive data. Notably, close to two-thirds of these organizations lacked formal governance policies around AI, a gap that leaves them more vulnerable to emerging AI-targeted threats.

The study, conducted by the Ponemon Institute on behalf of IBM, underscores the evolving and uneven nature of data breach impacts, particularly as organizations adapt to new technologies and regulatory landscapes.


References:

https://www.csoonline.com/article/4027220/interlock-ransomware-threat-expands-across-the-us-and-europe-hits-healthcare-and-smart-cities.html?utm_campaign=subscribers-&utm_medium=subscribers_push_notification&utm_source=subscribers

https://www.bankinfosecurity.com/perfektblue-bug-chain-exposes-cars-to-bluetooth-hacking-a-28958

https://www.securityweek.com/telecom-giant-orange-hit-by-cyberattack/

https://www.securityweek.com/minnesota-activates-national-guard-in-response-to-cyberattack/

https://cyberscoop.com/ibm-cost-data-breach-2025/
