Canary Trap’s Bi-Weekly Cyber Roundup

Welcome to Canary Trap’s “Bi-Weekly Cyber Roundup”. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.

This edition covers a series of critical developments affecting cloud infrastructure, enterprise networks, and end users. Highlights include Oracle’s reported confirmation of a cloud breach, a Microsoft alert on tax-themed malware campaigns, and the Medusa ransomware group’s claim of an attack on NASCAR. We also examine the security risks posed by non-human identities, a critical FortiSwitch vulnerability patched by Fortinet, and CISA’s guidance on actively exploited zero-day flaws in CentreStack and Windows.

  • Oracle Confirms Cloud Hack

Oracle is reportedly notifying select customers of a data breach affecting parts of its cloud infrastructure, despite publicly denying that any compromise occurred. The incident first came to light when a hacker known as ‘rose87168’ claimed to have breached Oracle’s cloud environment and attempted to extort $20 million in exchange for not releasing customer data. When Oracle refused, the hacker began offering the stolen data, including encrypted credentials and user records allegedly tied to over 140,000 Oracle Cloud tenants.

Although Oracle has maintained in public statements that “there has been no breach of Oracle Cloud,” independent security researchers and affected customers have confirmed that some of the leaked data appears authentic and originates from production environments. The attacker has provided various materials to support the claims, including a video seemingly recorded during an internal Oracle meeting and samples of customer data.

Sources cited by cybersecurity firms suggest that Oracle has begun privately acknowledging the breach to impacted customers. Allegedly, the compromised systems involve older, so-called “Gen 1” infrastructure, a legacy environment no longer in active use. Some internal investigations have linked the intrusion to a Java vulnerability dating back to 2020, which enabled the attacker to implant a web shell and malware targeting Oracle’s identity management systems. The breach may have gone undetected until early 2025, with Oracle reportedly expelling the intruder shortly after receiving the ransom demand in March.

Conflicting reports exist about the scope and age of the compromised credentials. While Oracle is said to be downplaying the risk by describing the data as outdated, some sources indicate that credentials from as recently as 2024 may be included. Customers have allegedly received only verbal notifications, fueling criticism of Oracle’s lack of transparency, and the company has been faulted for vague, selective language: by attributing the intrusion to legacy systems, Oracle can maintain that “Oracle Cloud” itself was not breached, a distinction critics view as misleading.

Compounding Oracle’s challenges, a separate incident involving Oracle Health has surfaced, in which sensitive patient data from multiple U.S. healthcare organizations was reportedly exposed.

The situation remains fluid, with investigations ongoing by the FBI and CrowdStrike. However, industry observers continue to call for greater clarity and public accountability from Oracle.

  • Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware

Microsoft has issued a warning regarding a wave of tax-themed phishing campaigns targeting U.S. organizations around the 2025 tax season. These campaigns, attributed to the threat group Storm-0249, combine evasion techniques with phishing-as-a-service (PhaaS) infrastructure, specifically the RaccoonO365 platform, to deploy malware and harvest credentials.

Attackers are using redirection techniques such as QR codes, URL shorteners, and legitimate file-hosting or business profile services to evade detection. Payloads include credential-stealing phishing pages disguised as Microsoft 365 login portals, as well as a variety of malware such as Remcos RAT, Latrodectus, AHKBot, GuLoader, and Brute Ratel (BRc4). Some campaigns exploit remote code execution flaws, while others rely on obfuscated download chains using JavaScript, MSI installers, PowerShell scripts, and AutoHotKey payloads.

One campaign involved PDF attachments containing shortened URLs that led to fake DocuSign portals. If a target passed the attacker’s filtering criteria, they were served BRc4, which in turn deployed Latrodectus. If not, a harmless PDF was delivered instead. Another large-scale effort targeted over 2,300 organizations using PDFs with embedded QR codes linking to RaccoonO365-hosted phishing sites. Additional variants employed .lnk file payloads, malicious macros in Excel documents, and ZIP file concatenation to bypass security controls. In some cases, malware loaders like GuLoader were used to install RATs such as Remcos.
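ZIP concatenation, mentioned above, works because most archive readers locate the archive from the end-of-central-directory (EOCD) record at the tail of the file, while other tools parse from the front; two archives glued together therefore show different contents to different parsers, and a scanner that trusts one view misses the other. The following Python script is an added illustration (not Microsoft’s code and not from the original post): it builds a constructed two-archive file, shows that Python’s `zipfile` sees only the trailing archive, and then walks every local file header and EOCD record in the raw bytes to surface the entries that view hides. The file names and contents are placeholders, not samples from the campaign, and the scan handles any number of concatenated archives, not just two.

```python
import io
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"   # starts every stored entry
END_OF_CENTRAL_DIR = b"PK\x05\x06"  # one per archive; readers that seek from the end use the last one


def make_zip(name: str, data: bytes) -> bytes:
    """Build a one-entry archive in memory (constructed sample data, not a real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_concatenated_zip() -> bytes:
    """A decoy archive with a second, independent archive appended to it.

    The file names are illustrative only; neither entry contains anything executable.
    """
    decoy = make_zip("invoice.pdf", b"%PDF-1.4 harmless decoy document")
    appended = make_zip("tax_form.lnk", b"placeholder bytes standing in for a second payload")
    return decoy + appended


def local_header_names(blob: bytes) -> list:
    """Walk every local file header in the blob, whichever archive owns it."""
    names = []
    pos = 0
    while True:
        pos = blob.find(LOCAL_FILE_HEADER, pos)
        if pos < 0 or pos + 30 > len(blob):
            break
        # Fixed 30-byte header: compressed size at +18, name length at +26, extra length at +28.
        comp_size = struct.unpack_from("<I", blob, pos + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", blob, pos + 26)
        names.append(blob[pos + 30 : pos + 30 + name_len].decode("utf-8", "replace"))
        # Skip the name, extra field and (when recorded in the header) the compressed data,
        # so compressed bytes are never mistaken for a signature.
        pos += 30 + name_len + extra_len + comp_size
    return names


def trailing_archive_names(blob: bytes) -> list:
    """What a reader that trusts the final EOCD record (Python's zipfile does) believes is in the file."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def analyze(blob: bytes) -> dict:
    """Compare the 'official' view with a raw walk of the bytes; any gap is a red flag."""
    all_entries = local_header_names(blob)
    visible = trailing_archive_names(blob)
    hidden = [n for n in all_entries if n not in visible]
    eocd_records = blob.count(END_OF_CENTRAL_DIR)
    return {
        "eocd_records": eocd_records,
        "all_entries": all_entries,
        "trailing_view": visible,
        "hidden_entries": hidden,
        "suspicious": eocd_records > 1 or bool(hidden),
    }


if __name__ == "__main__":
    for key, value in analyze(build_concatenated_zip()).items():
        print(f"{key}: {value}")
```

On the constructed sample the trailing view lists only `tax_form.lnk`, the raw walk finds both entries, and two EOCD records are counted; a mail gateway or sandbox that unpacks attachments should treat either signal as grounds to quarantine rather than trust whichever archive its own library happened to pick.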

Microsoft also observed related activity where Storm-0249 used fake Windows 11 Pro download sites promoted via Facebook ads to distribute updated versions of Latrodectus. Meanwhile, QR code phishing has become increasingly common across Europe and the U.S., with attackers using indirect URL redirection and open redirect vulnerabilities on legitimate websites to conceal malicious links.

These campaigns are part of a broader trend in phishing and social engineering attacks that increasingly rely on abusing trusted platforms, spoofed brand communications, and deceptive browser-based tactics (e.g., browser-in-the-browser or BitB) to gain access to user credentials and financial information.

To reduce exposure to these threats, organizations are strongly advised to implement phishing-resistant multi-factor authentication, leverage secure browsers with malicious site filtering, and enable network-level protections to block access to known malicious domains.

  • Medusa Ransomware Claims NASCAR Breach in Latest Attack

The Medusa ransomware group has reportedly added NASCAR to its list of high-profile victims, demanding a $4 million ransom under threat of publishing stolen internal data. According to leaked samples reviewed by cybersecurity sources, the compromised documents include raceway facility maps, internal communications, employee contact lists, and potentially credential-related information indicating a significant operational breach.

Alongside NASCAR, Medusa also claims responsibility for attacks on McFarland Commercial Insurance Services, Bridgebank Ltd, and Pulse Urgent Care. These incidents continue a pattern of aggressive targeting by the group, which has previously attacked public institutions and private companies, including the Minneapolis Public Schools in 2023.

Medusa has become increasingly sophisticated in its tactics, recently leveraging stolen digital certificates to disable security software and avoid detection. In response to this evolving threat, the FBI and CISA issued a joint advisory in March 2025 urging organizations to adopt stronger security controls, including multi-factor authentication and vigilant certificate monitoring.

As of now, NASCAR has not issued a public statement confirming or denying the breach. If verified, this would mark another notable cybersecurity incident for the motorsports organization, which has faced ransomware threats in the past. Given NASCAR’s financial and operational scale, it remains a lucrative target for cybercriminal operations like Medusa.

  • Explosive Growth of Non-Human Identities Creating Massive Security Blind Spots

The 2025 State of Secrets Sprawl report by GitGuardian paints a sobering picture of the growing exposure of sensitive credentials in today’s software ecosystems. At the heart of this issue is the rapid expansion of non-human identities (NHIs), such as service accounts, microservices, and AI agents, which now vastly outnumber human users in DevOps environments. These machine identities, essential for automation and scalability, are also driving a sharp increase in security risk due to inconsistent governance and poor secrets hygiene.

In 2024 alone, over 23.7 million new secrets were exposed on GitHub, a 25% increase from the previous year. The majority of these exposures are tied to NHIs, which now outnumber human accounts by a ratio of at least 45 to 1. GitGuardian’s research highlights a troubling trend: 70% of the credentials leaked in public repositories in 2022 were still valid when the report was compiled, underscoring a persistent failure in credential rotation and lifecycle management.

Despite common assumptions, private repositories are not significantly safer. In fact, they are about eight times more likely to contain hardcoded secrets than public ones. Critical credentials, such as AWS IAM keys and generic passwords, appear more frequently in private codebases, revealing a reliance on “security through obscurity” rather than structured secrets management practices.

The report also raises concerns about AI-assisted development tools, such as GitHub Copilot. Repositories utilizing AI coding tools showed a 40% higher incidence of secrets leaks, suggesting that the speed and convenience of AI may be inadvertently lowering secure coding standards.

The problem extends beyond source code. Collaboration platforms like Slack, Confluence, and Jira are emerging as hotspots for secret leaks. These platforms, often lacking robust access controls and used across all departments, accounted for incidents in which 38% of the leaked secrets were highly critical, and only 7% of those secrets also appeared in codebases, so code-only scanning misses them and they are particularly challenging to secure.

Compounding the issue is the excessive permissions often tied to leaked credentials. Nearly all exposed GitHub and GitLab tokens offered elevated access, with 95% of GitHub tokens enabling full repository control. This level of privilege makes compromised credentials especially dangerous.

While the adoption of secret management solutions is growing, GitGuardian emphasizes that tools alone aren’t enough. Even projects using secret managers reported a 5.1% secret-leak rate in 2024. The report calls for a holistic, proactive approach, combining automated detection, rapid remediation, and embedding security into every phase of the development lifecycle.

Ultimately, the findings serve as a call to action: as the number of machine identities grows, so does the complexity of managing their secrets. Organizations must move beyond fragmented, reactive strategies and adopt a continuous, end-to-end security model tailored to modern software delivery environments.
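To show what the “automated detection” the report calls for looks like at its simplest, here is an added Python example (not GitGuardian’s tooling and not code from the original post). It applies issuer-fixed prefix patterns for AWS access key IDs, GitHub and Slack tokens, plus a generic rule that flags a secret-looking variable assigned a quoted literal, and runs the same rules over a constructed source file and a constructed Slack export, since the report’s point is that chat and wiki content leaks as much as git does. The AWS key is the example key from AWS’s own documentation, the GitHub token is a made-up string in the right shape, and every finding is redacted before it is returned, so the scanner’s own output never becomes another place secrets sprawl to.

```python
import math
import re
from collections import Counter

# Issuer-fixed prefixes make these credential formats cheap to spot with a regex.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpsr]-[A-Za-z0-9-]{10,}\b"),
    # Generic rule: a secret-looking name assigned a quoted literal of 8+ characters.
    # Values read from the environment or a vault do not match, which is the point.
    "hardcoded_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens sit near 4 for hex and higher for base64-style alphabets."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep enough to triage, never enough to reuse."""
    return secret[:4] + "..." + secret[-2:]


def scan(source: str, text: str) -> list:
    """Return one finding per match, with the value redacted before it leaves this function."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1) if kind == "hardcoded_assignment" else match.group(0)
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "entropy": round(shannon_entropy(secret), 2),
                    "redacted": redact(secret),
                })
    return findings


# Constructed samples. The AWS key is the one used in AWS's documentation; the GitHub token
# is a made-up string of the right shape; nothing here is a live credential.
SAMPLE_SOURCE = '''\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = os.environ["DB_PASSWORD"]
api_key = "Sup3r-S3cret-Pa55!"
'''

SAMPLE_SLACK_EXPORT = '''\
[10:42] dana: the deploy bot token is ghp_0123456789abcdef0123456789abcdef0123 if anyone needs it
[10:43] sam: thanks, dropping it into the Confluence runbook
'''


def scan_all() -> list:
    """Scan a source file and a chat export with the same rules; the leak surface is not just git."""
    return scan("app.py", SAMPLE_SOURCE) + scan("slack-export.txt", SAMPLE_SLACK_EXPORT)


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['source']}:{f['line']} {f['kind']} entropy={f['entropy']} value={f['redacted']}")
```

Line 3 of the source sample, which reads the password from the environment, produces no finding; line 4, which hardcodes a literal, does. That contrast is the practical difference between the “security through obscurity” pattern in private repositories and a secrets manager. Pattern-only scanning has limits (it will not catch a bare high-entropy string with no prefix), which is why the entropy score is reported alongside each hit for tuning.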

  • Fortinet Patches Critical FortiSwitch Vulnerability

Fortinet has released security updates addressing 10 vulnerabilities across its product suite, including a critical flaw in FortiSwitch. The most severe issue, CVE-2024-48887 (CVSS 9.3), allows a remote, unauthenticated attacker to change administrative passwords through specially crafted requests to the FortiSwitch GUI. The vulnerability affects FortiSwitch 6.4.0 through 6.4.14, 7.0.0 through 7.0.10, 7.2.0 through 7.2.8, 7.4.0 through 7.4.4, and 7.6.0, and is patched in versions 6.4.15, 7.0.11, 7.2.9, 7.4.5, and 7.6.1. Where patching must wait, Fortinet’s workaround is to disable HTTP/HTTPS access on administrative interfaces and to restrict administrative access to trusted hosts, which removes the unauthenticated path to the GUI.
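A practitioner with more than a handful of switches wants two answers quickly: which builds are still below the fixed release on their branch, and which interfaces still expose the web GUI that the workaround says to close. The following Python audit is an added example (not Fortinet’s tooling and not from the original post). It encodes the fixed versions listed above, parses a version banner, and reads a configuration export; the banner format (`v7.4.3,build0000`) and the `config system interface` / `set allowaccess` layout are assumed to follow FortiOS conventions, and the config excerpt is constructed. Trusted-host settings are not parsed here, so a clean result still has to be paired with the trusted-host check.

```python
import re

# Fixed releases per branch, as given above; everything earlier on the same branch is exposed.
FIXED = {
    (6, 4): (6, 4, 15),
    (7, 0): (7, 0, 11),
    (7, 2): (7, 2, 9),
    (7, 4): (7, 4, 5),
    (7, 6): (7, 6, 1),
}
WEB_ADMIN = {"http", "https"}  # the GUI the workaround tells you to take off untrusted networks


def parse_version(text: str) -> tuple:
    """Pull major.minor.patch out of strings like 'v7.4.3,build0000' (banner format assumed)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_status(version: str) -> str:
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "branch not covered by this advisory"
    if v >= fixed:
        return "patched"
    return "VULNERABLE: upgrade to " + ".".join(map(str, fixed))


def web_exposed_interfaces(config: str) -> dict:
    """Map interface name -> full allowaccess set, for interfaces that admit http or https.

    Assumes the FortiOS-style layout: 'config system interface' / 'edit "<name>"' /
    'set allowaccess <protocols>' / 'next' / 'end'.
    """
    exposed = {}
    current = None
    in_section = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_section = True
        elif in_section and line == "end":
            in_section = False
        elif in_section and line.startswith("edit "):
            current = line[len("edit "):].strip().strip('"')
        elif in_section and line == "next":
            current = None
        elif in_section and current and line.startswith("set allowaccess "):
            protocols = set(line[len("set allowaccess "):].split())
            if protocols & WEB_ADMIN:
                exposed[current] = protocols
    return exposed


def audit(version: str, config: str) -> dict:
    status = version_status(version)
    exposed = web_exposed_interfaces(config)
    return {
        "version": status,
        "web_exposed": exposed,
        # What 'set allowaccess' should become on each exposed interface to apply the workaround.
        "suggested_allowaccess": {
            name: " ".join(sorted(p - WEB_ADMIN)) for name, p in exposed.items()
        },
        # An unpatched build with a reachable GUI is exactly the condition the workaround breaks.
        "action_required": status.startswith("VULNERABLE") and bool(exposed),
    }


# Constructed config excerpt (layout assumed, see web_exposed_interfaces).
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set ip 10.0.1.5 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "mgmt"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping ssh
    next
end
"""


if __name__ == "__main__":
    for key, value in audit("v7.4.3,build0000", SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the constructed excerpt with a 7.4.3 banner, the audit reports the build as vulnerable, flags `internal` for exposing HTTP and HTTPS, and suggests `ping ssh` as the reduced allowaccess list; the same switch on 7.4.5 reports no action required even though the GUI is still reachable, which is the intended reading: the workaround is a stopgap, the patch is the fix.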

Two additional high-severity flaws, CVE-2024-26013 and CVE-2024-50565, impact several products including FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiVoice, and FortiWeb. These vulnerabilities could enable man-in-the-middle attacks, allowing adversaries to intercept and impersonate management communications.

Another fix addresses CVE-2024-54024, an OS command injection vulnerability in FortiIsolator. If exploited, it could permit a user who already holds a super-admin profile with CLI access to execute arbitrary commands via crafted HTTP requests, so its practical impact is limited to post-authentication abuse by a highly privileged account.

Additional medium- and low-severity vulnerabilities have been fixed, involving issues such as path traversal, command injection, credential exposure, and improper input handling across products like FortiWeb, FortiManager, and FortiClient.

While there are currently no reports of these vulnerabilities being actively exploited, Fortinet urges users to apply the updates promptly.

  • CISA Urges Urgent Patching for Exploited CentreStack, Windows Zero-Days

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging immediate action to address two actively exploited zero-day vulnerabilities: one in Gladinet CentreStack and another in Microsoft Windows.

CentreStack Vulnerability (CVE-2025-30406, CVSS 9.0):

Disclosed on April 3, this critical flaw concerns how CentreStack handles the cryptographic keys that protect ASP.NET ViewState integrity. The platform ships with a hardcoded or weakly protected `machineKey` in its ASP.NET web.config, so anyone who knows that key can produce a ViewState with a valid MAC; the server then deserializes the attacker-controlled content, which can lead to arbitrary code execution. Although specific attack details remain undisclosed, exploitation has been observed since March. Gladinet has released a patch in version 16.4.10315.56368 and recommends either updating to the latest version or rotating the `machineKey` values as a temporary measure. Note that the rotated values must be identical on every node of a load-balanced deployment, since ViewState signed by one node has to validate on the others.
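To make the defect class concrete, here is an added Python illustration (not Gladinet’s code, and not ASP.NET’s real ViewState encoding, which in .NET 4.5 and later derives per-purpose keys from the machineKey material). A simplified HMAC-over-payload model shows why a validation key shared across every install lets anyone sign a ViewState the server accepts, and why rotating to a per-install random key makes the same forgery fail. It also includes helpers to generate a fresh `<machineKey>` element in the form IIS Manager produces (a 64-byte HMACSHA256 key and a 32-byte AES key, as hex) and to flag an obviously weak one. The zero-filled key and the payload strings are constructed placeholders, not the real CentreStack values.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

ATTR = re.compile(r'(\w+)="([^"]*)"')
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(validation_key: bytes, payload: bytes) -> str:
    """Simplified model: ViewState = base64(payload || HMAC-SHA256(key, payload))."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_viewstate(validation_key: bytes, token: str) -> Optional[bytes]:
    """Return the payload only if the MAC checks out; a forged or rotated-away token yields None."""
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, expected) else None


def shared_key_scenario() -> dict:
    """Constructed scenario: every install ships the same validationKey (placeholder bytes here)."""
    shipped_key = bytes.fromhex("00" * 64)      # placeholder, not the real product key
    attacker_key = shipped_key                   # anyone with a copy of the product has it
    # Whatever the attacker signs now passes the server's MAC check and reaches the deserializer.
    forged = sign_viewstate(attacker_key, b"attacker-chosen serialized object")
    accepted_before = verify_viewstate(shipped_key, forged) is not None
    # The workaround named above: rotate to a per-install random key; the forgery no longer validates.
    rotated_key = secrets.token_bytes(64)
    accepted_after = verify_viewstate(rotated_key, forged) is not None
    return {"accepted_with_shared_key": accepted_before, "accepted_after_rotation": accepted_after}


def generate_machine_key() -> str:
    """Fresh <machineKey> for web.config: 64-byte key for HMACSHA256, 32-byte key for AES-256."""
    return (
        f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
        f'decryptionKey="{secrets.token_hex(32).upper()}" '
        f'validation="HMACSHA256" decryption="AES" />'
    )


def parse_machine_key(element: str) -> dict:
    return dict(ATTR.findall(element))


def assess_machine_key(element: str) -> list:
    """Cheap sanity checks on an existing element; they cannot prove a key is unique to this host."""
    attrs = parse_machine_key(element)
    issues = []
    vkey = attrs.get("validationKey", "")
    if len(vkey) < 128:
        issues.append("validationKey shorter than 64 bytes (128 hex chars)")
    if len(set(vkey.lower())) < 8:
        issues.append("validationKey has low character diversity (placeholder or constant key?)")
    if attrs.get("validation", "").upper() not in {"HMACSHA256", "HMACSHA384", "HMACSHA512"}:
        issues.append("validation algorithm is not an HMAC-SHA2 variant")
    return issues


if __name__ == "__main__":
    print(shared_key_scenario())
    fresh = generate_machine_key()
    print(fresh)
    print("issues with fresh key:", assess_machine_key(fresh))
```

The scenario returns the forged token as accepted under the shared key and rejected after rotation, which is the whole argument for rotating `machineKey` as an interim measure. The assessment helper only catches the obvious (short, constant-looking, or non-HMAC keys); a key that is random-looking but copied from a vendor default or another install is indistinguishable from a good one by inspection, so rotation, not inspection, is the control.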

Windows Vulnerability (CVE-2025-29824, CVSS 7.8):

This local privilege escalation flaw resides in the Common Log File System (CLFS) driver. Microsoft confirmed that it has been exploited in the wild using the PipeMagic malware, often linked to ransomware operations. The exploit has been observed in attacks targeting organizations in the U.S., Spain, Venezuela, and Saudi Arabia. A patch was issued as part of the April 2025 Patch Tuesday updates.

Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply the patches by April 29th, in accordance with Binding Operational Directive 22-01. While this mandate is specific to federal entities, CISA strongly recommends that all organizations, public and private, review the KEV list, identify exposed assets, and apply security updates without delay.

References:

https://www.securityweek.com/oracle-confirms-cloud-hack/

https://thehackernews.com/2025/04/microsoft-warns-of-tax-themed-email.html

https://hackread.com/medusa-ransomware-claims-nascar-breach-latest-attack/

https://thehackernews.com/2025/04/explosive-growth-of-non-human.html

https://www.securityweek.com/fortinet-patches-critical-fortiswitch-vulnerability/

https://www.securityweek.com/cisa-urges-urgent-patching-for-exploited-centrestack-windows-zero-days/
