
Canary Trap’s Bi-Weekly Cyber Roundup


Welcome to Canary Trap’s “Bi-Weekly Cyber Roundup”. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.

In this week’s roundup we cover a series of alarming cybersecurity incidents affecting industries ranging from healthcare and education to retail and finance. Casio’s website was compromised by a malicious skimmer, potentially exposing customer payment data. Meanwhile, security researchers have discovered that certain medical monitoring machines are secretly exfiltrating patient information, prompting urgent warnings to disconnect affected devices. In the healthcare sector, a ransomware attack on the New York Blood Center has disrupted operations, leading to canceled donation drives and forcing contingency measures. In Canada, New Brunswick Liquor successfully stopped an attempted cyberattack, while Ontario’s largest school board is dealing with a significant data breach involving student records dating back to 1985.

  • Casio Website Infected With Skimmer

A recent security incident has compromised the Casio UK website along with 16 other victims, where a web skimmer was deployed to manipulate the payment process and steal visitor data, according to web security firm Jscrambler.

The malicious activity on Casio UK’s site persisted from January 14th to January 24th before being removed last week upon discovery. Unlike traditional skimmers that typically target checkout pages, this attack was unique in that the skimmer was active across the entire website—except for the checkout page itself.  

Attackers injected a skimmer loader that retrieved a secondary skimming script from an attacker-controlled server, subtly modifying the payment process in a way that appeared legitimate to visitors. Instead of harvesting payment details directly from the checkout page, the skimmer intercepted clicks on the checkout button and redirected users to a fraudulent payment form.  

The manipulated payment flow involved three stages: first, users were prompted to enter personal details such as their name, address, email, and phone number; second, they were shown shipping cost information; and finally, they were asked to input credit card details, including card number, name, expiration date, and CVV. Once the victim submitted the form, they received an error message instructing them to review their details and try again—after which they were redirected to the legitimate checkout page and prompted to re-enter the same information. 

This attack specifically targeted users proceeding through the standard checkout process. However, those who opted for the “Buy Now” button bypassed the fraudulent form and remained unaffected.  

Jscrambler attributes the success of this attack to Casio UK’s website security configuration. The site’s Content Security Policy (CSP) was deployed in “report-only” mode, meaning that policy violations such as the loading of an unauthorized script were merely logged in the browser console rather than blocked.
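To make the report-only distinction concrete, the following is an added example (not code from the article, Jscrambler, or Casio) that evaluates a script load against the two CSP header variants. It parses the `script-src` directive and reports whether a given script URL would be blocked, merely reported, or silently allowed. All hostnames are constructed placeholders, and the matcher is deliberately simplified: it handles `'self'`, scheme sources, host sources and `*.` wildcards, but not nonces, hashes or `'strict-dynamic'`.

```javascript
// Added example: minimal CSP script-src evaluator contrasting an enforcing
// Content-Security-Policy header with a Content-Security-Policy-Report-Only one.
// All origins below are constructed placeholders, not real sites.

// Parse "directive value value; directive value" into { directive: [values] }.
function parseCsp(headerValue) {
  const directives = {};
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Does the script-src list (falling back to default-src) permit this script URL?
// Simplified matcher: no nonces, hashes or 'strict-dynamic'.
function scriptAllowed(directives, scriptUrl, pageOrigin) {
  const sources = directives['script-src'] ?? directives['default-src'];
  if (!sources) return true; // no applicable directive: nothing restricts the load
  const url = new URL(scriptUrl);
  for (const raw of sources) {
    const src = raw.toLowerCase();
    if (src === "'self'") { if (url.origin === pageOrigin) return true; continue; }
    if (src === '*') return true;
    if (src === 'https:' || src === 'http:') { if (url.protocol === src) return true; continue; }
    if (src.startsWith("'")) continue; // 'none', 'unsafe-inline', etc. are not host sources
    if (src.includes('://')) { if (url.origin === src.replace(/\/+$/, '')) return true; continue; }
    if (src.startsWith('*.')) { if (url.hostname.endsWith(src.slice(1))) return true; continue; }
    if (url.hostname === src) return true;
  }
  return false;
}

// headers: object keyed by lowercase header name, as most server frameworks expose them.
// Returns { blocked, reported }: report-only violations are reported but never blocked.
function evaluateScriptLoad(headers, scriptUrl, pageOrigin) {
  const result = { blocked: false, reported: false };
  const enforcing = headers['content-security-policy'];
  const reportOnly = headers['content-security-policy-report-only'];
  if (enforcing && !scriptAllowed(parseCsp(enforcing), scriptUrl, pageOrigin)) {
    result.blocked = true;
    result.reported = true;
  }
  if (reportOnly && !scriptAllowed(parseCsp(reportOnly), scriptUrl, pageOrigin)) {
    result.reported = true; // logged to the console / report endpoint, script still executes
  }
  return result;
}

// Constructed sample data for the demonstration.
const PAGE_ORIGIN = 'https://shop.example';
const POLICY = "default-src 'self'; script-src 'self' https://js.payments-provider.example";
const REPORT_ONLY_HEADERS = { 'content-security-policy-report-only': POLICY };
const ENFORCING_HEADERS = { 'content-security-policy': POLICY };
const INJECTED_SCRIPT = 'https://cdn.attacker-placeholder.example/loader.js'; // placeholder
const LEGIT_SCRIPT = 'https://js.payments-provider.example/checkout.js';

// Stand-alone run: show how the same policy behaves in each mode.
for (const [label, headers] of [['report-only', REPORT_ONLY_HEADERS], ['enforcing', ENFORCING_HEADERS]]) {
  console.log(label, 'injected script:', evaluateScriptLoad(headers, INJECTED_SCRIPT, PAGE_ORIGIN));
  console.log(label, 'allowed script:', evaluateScriptLoad(headers, LEGIT_SCRIPT, PAGE_ORIGIN));
}
```

Running it shows the injected script URL is reported but not blocked under the report-only header, and blocked under the enforcing one, while the allow-listed payment script passes in both. Two practical caveats: the evaluator covers the fetch of the remote skimming script, whereas stopping the injected loader itself also depends on how the policy treats inline scripts (nonces or hashes rather than `'unsafe-inline'`), and report-only mode is only useful if the violation reports are actually collected and reviewed rather than left in visitors’ browser consoles.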

Further analysis revealed that all 17 compromised sites loaded the skimmer script from the same Russian hosting provider. Additionally, similarities in the skimming code across all infections suggest that the attackers likely used the same toolkit to deploy their attacks.

  • Medical Monitoring Machines Spotted Stealing Patient Data, Users Warned to Pull the Plug ASAP

The U.S. Food and Drug Administration (FDA) has issued an urgent advisory to healthcare providers and facilities using Contec patient monitoring devices, urging them to disconnect these systems from the internet immediately.

The affected devices, including the Contec CMS8000—also marketed as the Epsimed MN-120—contain three critical security vulnerabilities (CVE-2024-12248, CVSS 9.3; CVE-2025-0626, CVSS 7.5; and CVE-2025-0683, CVSS 5.9). According to the Cybersecurity and Infrastructure Security Agency (CISA), these flaws could enable attackers to remotely execute code, crash the system, and, most concerningly, extract sensitive patient data.

Once connected to the internet, the CMS8000 reportedly begins collecting and transmitting personally identifiable and protected health information beyond the healthcare facility’s network. The FDA has emphasized the severity of this issue, advising users to immediately disable Wi-Fi functionality and cease using the device for remote patient monitoring. Although there are no confirmed cases of exploitation, both the FDA and CISA warn that any unsecured devices could be vulnerable to cyberattacks. If compromised, these systems could serve as entry points for lateral movement within a healthcare network, escalating security risks.

CISA has clarified that the device’s undocumented backdoor is not related to remote software updates. Instead, it appears to function solely as a data exfiltration mechanism. The agency noted that this backdoor lacks integrity checks or version tracking, allowing files to be overwritten without notifying end users, effectively concealing unauthorized modifications from hospital IT and security teams. While neither agency explicitly confirmed the destination of the transmitted data, they referenced a “third-party university” as a recipient. Other reports suggest that this institution may be based in China.

  • Ransomware Attack on New York Blood Center Forces Workarounds, Drive Cancellations

A major independent blood center serving over 75 million people across the U.S. has suffered a ransomware attack, disrupting operations and requiring the rescheduling of blood drives.

New York Blood Center Enterprises (NYBC) identified suspicious activity within its IT systems on Sunday, later confirmed by external cybersecurity experts as a ransomware incident. The organization has engaged law enforcement and is actively working to contain the breach. “We recognize the vital importance of our services and remain committed to supporting the health of our communities,” NYBC stated. “We are in direct communication with hospital partners and are implementing workarounds to maintain operations and fulfill orders.”

While there is no definitive timeline for full system restoration, NYBC is collaborating with cybersecurity specialists to recover safely and efficiently. Blood donations are still being accepted, but processing may take longer than usual at donor centers and blood drives. The organization is keeping donors, sponsor organizations, and donor centers informed with updates as needed.  

An FAQ accompanying the statement notes that some donation center activities and blood drives may need to be rescheduled. Additionally, NYBC anticipates the need for an increased push for blood donations once the crisis subsides. As of now, no ransomware group has claimed responsibility for the attack.

NYBC expressed gratitude to hospitals, blood centers, and partner organizations assisting in response efforts. Founded in 1964, the organization operates multiple blood-related entities, including the New York Blood Center, Community Blood Center, Blood Bank of Delmarva, and others. Collectively, these entities collect approximately 4,000 blood product units daily and supply more than 400 hospitals across multiple states.

This incident is the latest in a series of ransomware attacks targeting blood centers and pathology services worldwide. Last year, nonprofit blood donation organization OneBlood suffered a ransomware attack that disrupted blood supply to 250 hospitals across the southeastern U.S., forcing hospitals to implement critical blood shortage protocols. More recently, OneBlood disclosed to state regulators that the attack led to the theft of sensitive personal information, including names and Social Security numbers.  

Similar attacks have affected healthcare services globally. In the UK, ransomware operators took down Synnovis, a major pathology services provider for hospitals and clinics, while South Africa’s national lab service also experienced a ransomware incident that hindered blood test processing amid ongoing health crises.  

As cyberattacks targeting healthcare and critical infrastructure continue to escalate, organizations like NYBC face mounting challenges in safeguarding essential services and responding to disruptions effectively.

  • N.B. Liquor Stopped Attempted Cyber Attack, CEO Says

N.B. Liquor CEO Lori Stickles confirmed that the company’s security measures successfully mitigated a recent attempted cyberattack. “We received an alert and were able to contain the threat by proactively shutting down our system,” Stickles stated in an interview on Thursday. “As a result, we prevented what could have been a full-scale cyberattack that might have compromised our control.”

She did not disclose specific details regarding the nature of the breach or the associated costs in revenue and third-party support. However, she confirmed that there was no evidence of ransomware or malware in the system.  

During the investigation, all corporate store point-of-sale systems remained offline for over two weeks. The only data exposure involved the active business directory, which Stickles described as an “internal phone book” containing business client and employee email addresses. Those affected have been notified, though she emphasized that most of the information was already publicly accessible and did not present privacy concerns.

The disruption also impacted internal operations, with corporate stores closing for a day and a half before reopening for cash-only transactions. They briefly shut down again last Friday morning but resumed operations later that afternoon. Stickles defended the closures, comparing the situation to stopping a moving vehicle. “If you don’t close the road, the car keeps advancing,” she explained. “By shutting down internet access and internal systems, we effectively halted any further movement within our network.” 

The investigation concluded last Friday, and corporate stores resumed debit and credit transactions by Sunday, Jan. 19. Cannabis N.B. locations also experienced temporary disruptions but quickly resumed cash transactions.  

  • Cyber Incident at Ontario’s Largest School Board Involves Data Going Back to 1985

A recent cybersecurity breach has compromised student records dating back to 1985, affecting schools in Toronto, Ontario, and other parts of North America. The breach involved PowerSchool, an education software provider used by school boards across Canada and the U.S. The company initially confirmed that some personally identifiable information had been accessed.

School boards in Ontario, Alberta, Newfoundland and Labrador, and Nova Scotia are currently assessing the full extent of the incident. The Toronto District School Board (TDSB) reported that student records from 1985 to 2017, including health card numbers, home addresses, and phone numbers, may have been exposed. Additionally, medical records, principal notes, and birthdates of students from 2017 to December 2024 might also be affected.  

York Region’s school board confirmed that data on students and staff dating back to 2005 was compromised. Ontario’s privacy commissioner stated that 19 school boards across the province were impacted. Other provinces also reported breaches.

According to PowerSchool, the breach stemmed from unauthorized access to its Student Information System via PowerServe, a customer portal. The company notified affected clients on January 7, emphasizing that those not using PowerSchool SIS were unaffected.

In response, the Privacy Commissioner of Canada expressed concern about the breach’s impact, emphasizing that organizations must implement security safeguards appropriate to the sensitivity of the data, particularly when handling children’s personal information.

The breach occurred between December 22 and December 28, raising concerns about data security measures and prompting further investigations.

