Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to Canary Trap’s “Bi-Weekly Cyber Roundup”. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.
In this week’s cybersecurity round-up, we examine a series of high-impact incidents affecting both the public and private sectors, from major retail disruptions at Marks & Spencer and a data breach at Hertz to a municipality taken offline and Microsoft’s sweeping cloud cleanup. We also explore a crypto-theft campaign that abuses Zoom’s remote control feature, underscoring the ongoing risks posed by social engineering and platform misuse.
- Hertz Says Hackers Stole Customer Credit Card and Driver’s License Data
Hertz has disclosed a data breach stemming from a cyberattack on a third-party vendor, Cleo Communications, which exposed sensitive customer information. The breach occurred between October and December 2024 and was linked to zero-day vulnerabilities in Cleo’s file transfer software. Although confirmed by Hertz on February 10th, a more detailed analysis completed in April revealed that the compromised data may include customers’ names, birth dates, contact details, driver’s license numbers, credit card information, and in limited cases, Social Security and passport numbers.
The breach has been reported to law enforcement and regulatory authorities. Hertz notes that Cleo has since patched the vulnerabilities, and there is currently no evidence of fraudulent use of the stolen data. However, the exact number of affected customers remains undisclosed.
This incident is part of a broader campaign attributed to the Russia-linked Clop ransomware group, which previously claimed responsibility for exploiting Cleo vulnerabilities and leaking data from dozens of organizations. Hertz’s public notice spans multiple regions, including North America, Europe, and Australia.
- Cyberattack Hits British Retailer Marks & Spencer and Disrupts Contactless Payments and Click & Collect Services
Marks & Spencer (M&S), a major UK retailer, experienced a cybersecurity incident over the Easter weekend that disrupted some in-store services, although its online operations remained functional. In a statement to the London Stock Exchange, M&S acknowledged the incident and noted that temporary adjustments to store operations were necessary to protect both customers and the business.
The company has engaged cybersecurity specialists and notified relevant authorities as part of its ongoing investigation. While specific details about the nature of the attack remain undisclosed, M&S confirmed that services such as in-store click-and-collect, gift card payments, and some contactless payment methods were affected. Although systems are largely restored, technical difficulties persist in certain areas.
While the exact cause of the disruption has not been confirmed, the extent of operational impact has led to speculation that ransomware could be involved. At this stage, there is no confirmation regarding any compromise of customer data. M&S has stated it is taking steps to further secure its network and maintain service continuity.
The disruption fell over the Easter weekend, prompting public frustration and drawing attention to the company’s digital resilience. Alongside its engagement of external cybersecurity specialists, M&S notified the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). While the retailer’s website and mobile app remained operational, customers faced notable difficulties in-store, including failed gift card transactions and poor communication during the service interruption.
Chief Executive Stuart Machin publicly apologized, acknowledging the operational setbacks and confirming that temporary measures were implemented to safeguard both customers and business operations. M&S emphasized that enhancing cybersecurity remains a top priority and assured stakeholders it is actively working to strengthen its digital defenses.
The incident follows a growing trend of cyberattacks targeting major UK organizations, such as Royal Mail, WH Smith, and Transport for London. Commenting on the broader implications, James Hadley of Immersive Labs noted that incidents like this underscore the disconnect between perceived and actual cyber resilience, advocating for more frequent crisis simulations and proactive defense strategies.
M&S continues to monitor the situation and has committed to keeping customers and investors informed as investigations progress.
- Microsoft Purges Millions of Cloud Tenants in Wake of Storm-0558
Microsoft is ramping up its cybersecurity efforts under the Secure Future Initiative (SFI), a comprehensive plan launched in response to high-profile intrusions in 2023 involving Chinese and Russian threat actors. These attacks, which exposed weaknesses in Microsoft’s identity and cloud security practices, prompted criticism from the U.S. Cyber Safety Review Board and led the company to commit to broad organizational and technical reforms.
As part of this initiative, Microsoft has deactivated over 550,000 inactive Azure tenants and migrated the majority of its cloud resources to Azure Resource Manager to improve administrative control and visibility. On the network side, the company has cataloged 99% of its assets and is pursuing segmentation strategies to contain future breaches.
The company is also tightening security around its engineering infrastructure. Over 99% of Azure DevOps pipelines have now been inventoried, and access to production systems is protected with multifactor authentication and proof-of-presence controls. Admin privileges have been scaled back to reduce attack surfaces.
A key focus of Microsoft’s recent efforts is the security of identity tokens in Entra ID. The company reports that 90% of the tokens it issues are now validated through a standardized, hardened identity SDK, so a validation fix ships once and applies consistently across its services. It also reports broader MFA adoption and the move of token signing keys into hardware security modules.
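Storm-0558 worked because an enterprise token validator accepted a token signed with a consumer (MSA) signing key, so the property a hardened validation library has to enforce is that a key only ever validates tokens for the issuer it belongs to. The following is an added, constructed illustration of that check, not Microsoft’s SDK or any real key material: it uses HS256 and standard-library HMAC so it runs anywhere, whereas real identity tokens are signed with asymmetric keys, but the key-to-issuer binding is the same idea. The issuer URLs, audience, key IDs and secrets are all made up for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key material for the illustration (not real keys). Each signing
# key is stored together with the issuer it is allowed to sign for.
CONSUMER_ISS = "https://login.live.com"
ENTERPRISE_ISS = "https://login.microsoftonline.com/contoso"
KEYS = {
    "consumer-key-1": (CONSUMER_ISS, b"constructed-consumer-secret"),
    "enterprise-key-1": (ENTERPRISE_ISS, b"constructed-enterprise-secret"),
}
AUD = "api://contoso-mail"  # constructed audience for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint an HS256 token with the named key; stands in for the token service."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid][1], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    """Return (header, claims, signature bytes, signing input bytes)."""
    h, c, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c)), _b64url_decode(s), (h + "." + c).encode()


def _claims_ok(claims: dict, expected_iss: str, expected_aud: str, now: float) -> bool:
    return claims.get("iss") == expected_iss and claims.get("aud") == expected_aud and claims.get("exp", 0) > now


def validate_naive(token: str, expected_iss: str, expected_aud: str, now=None) -> bool:
    """Flawed: looks the kid up in one shared key cache and never asks which issuer that key belongs to."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _split(token)
    entry = KEYS.get(header.get("kid"))
    if entry is None:
        return False
    _, key = entry
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig) and _claims_ok(claims, expected_iss, expected_aud, now)


def validate_hardened(token: str, expected_iss: str, expected_aud: str, now=None) -> bool:
    """Binds the key to the issuer: a key for one issuer can never validate a token claiming another."""
    now = time.time() if now is None else now
    header, claims, sig, signing_input = _split(token)
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return False
    entry = KEYS.get(header.get("kid"))
    if entry is None:
        return False
    key_iss, key = entry
    if key_iss != expected_iss:  # the decisive check the naive validator lacks
        return False
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig) and _claims_ok(claims, expected_iss, expected_aud, now)


def demo() -> dict:
    """Forge an enterprise token with the consumer key and run both validators over it."""
    exp = int(time.time()) + 3600
    legit = sign_token("enterprise-key-1", {"iss": ENTERPRISE_ISS, "aud": AUD, "sub": "alice", "exp": exp})
    # The attacker holds the consumer signing key and simply writes the
    # enterprise issuer into the claims; the signature is genuinely valid.
    forged = sign_token("consumer-key-1", {"iss": ENTERPRISE_ISS, "aud": AUD, "sub": "alice", "exp": exp})
    return {
        "naive_accepts_legit": validate_naive(legit, ENTERPRISE_ISS, AUD),
        "naive_accepts_forged": validate_naive(forged, ENTERPRISE_ISS, AUD),
        "hardened_accepts_legit": validate_hardened(legit, ENTERPRISE_ISS, AUD),
        "hardened_accepts_forged": validate_hardened(forged, ENTERPRISE_ISS, AUD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The naive validator accepts the forged token: the signature verifies, the `iss` claim says what the caller expects, and nothing ties the key to an issuer. Centralizing this logic in one SDK is what lets a fix like the `key_iss` check land everywhere at once rather than app by app.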
Microsoft has also begun relocating its MSA and Entra ID signing services to **Azure confidential virtual machines**, further hardening its identity infrastructure. These steps are informed by internal red team assessments to preempt real-world attack methods.
Despite these strides, experts caution that gaps remain. Security researchers recommend that Microsoft extend its new identity SDK across all applications, provide stronger protections for third-party apps, and improve transparency around key lifecycle management. Moreover, foundational components still require memory-safe code and rigorous external testing to ensure they’re resilient against evolving threats.
While Microsoft’s progress is notable, the road ahead remains long. Security leaders liken this transformation to the company’s landmark Trustworthy Computing overhaul in 2002—but with a focus now on maturing practices and embedding security into development workflows by design.
- City of Abilene Goes Offline in Wake of Cyberattack
The city of Abilene, Texas, has taken portions of its IT infrastructure offline in response to a recent cyberattack that disrupted internal servers. The incident, first detected on April 18th, prompted the municipality to activate its incident response protocols and engage external cybersecurity specialists to assess the extent and nature of the breach.
In a public statement, city officials confirmed that while the investigation is ongoing, precautionary measures, such as disconnecting affected systems, have been implemented to protect critical infrastructure. Emergency services remain fully operational, and water utility payments can still be processed, although delays in other municipal services and communication may occur as systems are gradually restored.
Additionally, credit card processing at government offices is currently unavailable, with payments limited to cash, checks, and online transactions. The city has committed to sharing updates as new information becomes available.
This event follows a broader pattern of cyberattacks on public institutions. Earlier in April, the Lower Sioux Indian Community in Minnesota experienced a significant breach that disrupted services across multiple sectors, including healthcare and gaming. The attack was later claimed by the RansomHub threat group, highlighting the persistent and widespread nature of ransomware campaigns targeting local governments and critical service providers.
- Hackers Abuse Zoom Remote Control Feature for Crypto-Theft Attacks
A sophisticated phishing campaign attributed to a threat group known as *Elusive Comet* is targeting cryptocurrency users through social engineering attacks that exploit Zoom’s remote control functionality. According to cybersecurity firm Trail of Bits, the attackers are using deceptive interview invitations—purportedly from Bloomberg Crypto—as a pretext to gain unauthorized access to victims’ systems.
These attacks begin with fraudulent outreach via email or social media platforms like X (formerly Twitter), using fake accounts that impersonate crypto journalists or Bloomberg personnel. Victims are invited to schedule a Zoom interview through a legitimate Calendly link, which adds credibility and reduces suspicion.
During the Zoom meeting, attackers initiate a screen-sharing session and send a remote control request—disguised to appear as a system-generated Zoom notification by setting their display name to “Zoom.” This manipulative tactic is designed to exploit user familiarity with routine Zoom prompts, making it more likely the victim will approve the request without scrutiny.
Once granted control, the attacker can access sensitive data, execute transactions, deploy malware, or establish persistent backdoor access. This approach mirrors techniques used in the high-profile Bybit cryptocurrency heist, in which attackers leveraged social engineering rather than software vulnerabilities to carry out the attack.
Trail of Bits warns that such attacks are particularly dangerous because of how convincingly they imitate legitimate Zoom behavior. The firm advises that organizations handling sensitive information, especially in the cryptocurrency sector, should strongly consider removing the Zoom desktop client altogether. As a preventive measure, they also recommend deploying macOS Privacy Preferences Policy Control (PPPC) profiles that deny Zoom the Accessibility permission its remote control feature depends on, so that a user who approves the disguised prompt still cannot hand over control.
References:
https://www.theverge.com/news/648741/hertz-customer-data-breach-hackers-cleo-vulnerability
https://www.securityweek.com/cyberattack-hits-british-retailer-marks-spencer/
https://hackread.com/ms-cyberattack-contactless-payments-click-collect/
https://www.darkreading.com/cloud-security/microsoft-millions-cloud-tenants-storm-0558
https://www.darkreading.com/vulnerabilities-threats/city-abilene-offline-after-cyberattack