
Canary Trap’s Bi-Weekly Cyber Roundup


Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. Our mission is to keep you informed with the most pressing developments in the world of cybersecurity. This digest serves as your gateway to critical updates and emerging threats across the industry.

Cybersecurity threats continue to escalate across industries, with recent incidents highlighting vulnerabilities in both public and private sectors. From the breach of 140,000 social insurance numbers at Nova Scotia Power to an extortion-driven data leak involving Scania’s insurance claims, attackers are becoming increasingly bold and sophisticated. This week’s roundup also examines a stealthy campaign using Cloudflare Tunnels, a critical patch for Citrix NetScaler, and a newly discovered Linux udisks flaw that could allow attackers to gain root access on major distributions.

  • Thieves Gain Access to About 140,000 Social Insurance Numbers in NS Power Database

Nova Scotia Power’s CEO, Peter Gregg, revealed that up to 140,000 social insurance numbers may have been compromised in a recent cyberattack targeting the utility’s customer data.

In an interview last Thursday, Gregg explained that the utility, which is privately owned, collected these numbers to verify customer identities. He noted that in cases where multiple customers shared the same name, the social insurance number (SIN) helped distinguish between them.

Gregg stated that the ransomware incident, discovered on May 23, affected the data of approximately 280,000 customers, over half of the utility’s customer base. When asked how many of those records included SINs, he estimated it was about half.

However, cybersecurity expert Claudiu Popa criticized the practice of storing such sensitive information. Popa, who leads the non-profit organization KnowledgeFlow, argued that there are safer alternatives for identifying customers with similar names, and that storing SINs poses unnecessary risk.

He pointed out that government guidelines discourage using SINs for identity verification unless absolutely required by law. The federal government warns that these identifiers are meant for employment and government services, and misuse could lead to fraud such as unauthorized access to tax refunds or government benefits.

Popa emphasized the potential danger, stating that social insurance numbers can be exploited in a wide range of fraudulent activities.

Gregg clarified that customers were not obligated to provide their SINs; they did so voluntarily. He added that the breach, initially detected in mid-March and disclosed publicly in late April, is still under investigation. Gregg acknowledged concerns about transparency and said the company will share more specific details as they are confirmed.

“We want to ensure we communicate facts, not assumptions,” he said. “As we progress in the investigation and validate the information, we’ll keep our customers informed.”

  • Scania Confirms Insurance Claim Data Breach in Extortion Attempt

Scania, a leading manufacturer in the automotive sector, has reported a cybersecurity breach involving unauthorized access to its Financial Services systems. The attackers exploited compromised login credentials to obtain insurance claim-related documents. Scania revealed that several of its employees received threatening emails from the attackers, who demanded a ransom and warned that the stolen data would be leaked if their conditions were not met.

Scania, a prominent Swedish producer of heavy-duty trucks, buses, and industrial engines, is part of the Volkswagen Group. The company, known for its robust and fuel-efficient engine technology, employs over 59,000 people and generates approximately $20.5 billion in annual revenue, selling more than 100,000 vehicles each year.

The breach came to light after Hackmanac, a threat intelligence platform, observed a post on a hacking forum by a user known as ‘hensi.’ This individual claimed to have exfiltrated data from the domain ‘insurance.scania.com’ and offered it for sale to an exclusive buyer.

Scania confirmed that the incident occurred on May 28, 2025, and involved credentials associated with an external IT partner. These credentials are believed to have been compromised by infostealer malware. According to the company, the attacker used the stolen credentials to access a system used for processing insurance claims and downloaded related documents.

“The system in question, insurance.scania.com, is operated by a third-party provider,” a Scania representative explained. “On May 28 and 29, a threat actor used legitimate but compromised credentials to access insurance-related data. Our current understanding is that the login information was exposed through password-stealing malware.”

Insurance claim files often include personal and sensitive information, including financial and medical details. The full scope of individuals affected by this breach has not yet been determined.

Following the data theft, the attacker reached out directly to Scania employees via a proton.me email address, attempting to extort the company. They later distributed samples of the stolen documents on hacking forums. Scania reported that a second, unrelated email account, also compromised, was used in a follow-up attempt to pressure the company.

The compromised application has since been taken offline, and Scania has initiated a formal investigation. The company reported the incident to relevant privacy regulators and stated that the overall impact of the breach was limited.

  • Serpentine#Cloud Uses Cloudflare Tunnels in Sneak Attacks

Security researchers have identified a sophisticated cyber campaign, dubbed Serpentine#Cloud, that utilizes Windows shortcut (.lnk) files to deliver remote payloads through a complex chain of events.

According to a report released last week, the attackers are using Cloudflare Tunnel services alongside Python-based loaders to inject payloads directly into memory. These payloads are deployed via a series of shortcut files and obfuscated scripts, a method designed to evade detection.

Similar .lnk-based techniques were reported earlier in the year by Trend Micro’s Zero Day Initiative, which attributed them to a state-sponsored actor. In the case of Serpentine#Cloud, however, Securonix has not attributed the activity to any particular group because of the adversary’s heavy use of obfuscation. That said, code comments and scripting habits suggest the attacker is fluent in English.

Although the campaign shows signs of advanced tactics, including the use of in-memory execution and tunneling infrastructure, there are indicators, such as reliance on open source tools and inconsistent coding practices, that suggest it may not be linked to a well-established nation-state group like Russia, China, North Korea, or Iran.

This campaign has been monitored for about a month, with some indicators pointing to activity dating back to late last year. The campaign is still ongoing, and further updates are expected as new data becomes available.

The initial infection begins with a phishing email containing a link to download a compressed file—usually framed as an invoice or payment-related document. The downloaded ZIP archive contains a disguised .lnk file, which masquerades as a legitimate document. When opened, it triggers a remote code execution sequence.

This .lnk file leads to the download of a heavily obfuscated batch script, which performs several functions: it launches a fake PDF as a decoy, checks for antivirus tools, downloads and runs additional Python-based payloads, and sets up persistence via the Windows startup directory. The ultimate payload is a memory-resident Python shellcode loader that establishes a backdoor.

The final purpose of the backdoor remains unclear, and no specific actor or motivation has yet been confirmed. However, victims identified so far are primarily located in the U.S., U.K., Germany, and other countries across Europe and Asia.

The campaign’s infrastructure relies on Cloudflare’s trycloudflare[.]com service, typically used by developers to expose local servers without altering firewall settings. In this case, attackers are leveraging the service for covert payload hosting and command-and-control (C2) communication.

Using Cloudflare offers several advantages: encrypted HTTPS traffic, trusted SSL certificates, and infrastructure that is rarely blocked by default. This allows malicious activity to blend in with legitimate network traffic. While the individual components of the attack are not new, their orchestration in this campaign is what stands out. The researchers describe the operation as a multi-layered infection process combining phishing, script obfuscation, in-memory execution, and evasion techniques. The progressive use of file types and scripting masks the attack’s true intention until the final payload is executed in memory, making detection difficult and highlighting the need for improved visibility into endpoint behavior.
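The endpoint-visibility point above can be made concrete with a small correlation script. The following is an added example, not code from the Securonix report or from the original post: four detections that map onto the stages described (Explorer spawning cmd.exe to run a script from a download or temp folder, a Python interpreter launched by cmd.exe from a user-writable path, a non-browser process connecting to a trycloudflare.com subdomain, and a write into the Startup folder), correlated per host. The flat event schema, the hostnames, paths and tunnel subdomains are constructed assumptions; the field names need to be mapped onto your own EDR or Sysmon export before the rules are useful.

```python
"""Correlate endpoint telemetry for a Serpentine#Cloud-style infection chain.

Added illustration, not code from the Securonix report. The flat event
schema below (host/type/image/parent/cmdline/dest/path) is an assumption;
adapt the field names to your own EDR or Sysmon export.
"""
import re
from collections import defaultdict

# Directories a phished user's ZIP or download typically lands in (assumption).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)
# Per-user Startup folder, the persistence location named in the writeup.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# A browser reaching trycloudflare.com is ordinary developer traffic; exclude it.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}


def rule_shortcut_to_batch(ev):
    """Explorer (the user double-clicked something) spawning cmd.exe to run a
    script out of a download or temp directory: the .lnk -> batch step."""
    return (ev.get("type") == "process"
            and ev.get("image", "").lower() == "cmd.exe"
            and ev.get("parent", "").lower() == "explorer.exe"
            and USER_WRITABLE.search(ev.get("cmdline", "")) is not None)


def rule_python_loader(ev):
    """A Python interpreter started by cmd.exe from a user-writable path,
    i.e. a dropped interpreter rather than an installed one."""
    return (ev.get("type") == "process"
            and ev.get("image", "").lower() in PYTHON_IMAGES
            and ev.get("parent", "").lower() == "cmd.exe"
            and USER_WRITABLE.search(ev.get("cmdline", "")) is not None)


def rule_trycloudflare_c2(ev):
    """Any non-browser process talking to a trycloudflare.com tunnel."""
    return (ev.get("type") == "network"
            and ev.get("dest", "").lower().endswith(".trycloudflare.com")
            and ev.get("image", "").lower() not in BROWSERS)


def rule_startup_persistence(ev):
    """A file written into the per-user Startup folder."""
    return (ev.get("type") == "file"
            and STARTUP_DIR.search(ev.get("path", "")) is not None)


RULES = {
    "shortcut_to_batch": rule_shortcut_to_batch,
    "python_loader": rule_python_loader,
    "trycloudflare_c2": rule_trycloudflare_c2,
    "startup_persistence": rule_startup_persistence,
}


def evaluate(events):
    """Return {host: set of rule names that fired on that host}."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["host"]].add(name)
    return dict(hits)


def triage(events):
    """Severity per host: the more stages of the chain observed, the higher."""
    out = {}
    for host, names in evaluate(events).items():
        out[host] = "high" if len(names) >= 3 else "medium" if len(names) == 2 else "low"
    return out


# Constructed sample telemetry: WS01 shows the full chain; WS02 is benign
# activity chosen to look superficially similar (a batch file run by hand,
# a developer browsing to a tunnel) so the rules' exclusions are exercised.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\Temp1_Invoice_2291.zip\inv.bat"'},
    {"host": "WS01", "type": "process", "parent": "cmd.exe", "image": "pythonw.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\pyx\pythonw.exe C:\Users\alice\AppData\Local\Temp\pyx\ld.py"},
    {"host": "WS01", "type": "network", "image": "pythonw.exe",
     "dest": "quiet-lemon-example.trycloudflare.com"},
    {"host": "WS01", "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"host": "WS02", "type": "process", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Tools\build.bat"'},
    {"host": "WS02", "type": "network", "image": "chrome.exe",
     "dest": "dev-preview-example.trycloudflare.com"},
]

if __name__ == "__main__":
    for host, level in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, level, sorted(evaluate(SAMPLE_EVENTS)[host]))
```

Each rule on its own is noisy (developers do use trycloudflare.com, and users do run batch files), which is why the script scores by how many distinct stages appear on one host rather than alerting on any single hit; the thresholds are a starting point to tune against your own baseline.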

Because the attack chain begins with phishing, standard security hygiene remains essential: avoid opening email attachments or clicking on links from unknown senders, enhance user awareness through training, and stay informed about the latest phishing techniques. 

  • Critical Vulnerability Patched in Citrix NetScaler

Last Tuesday, Citrix released security updates to fix four vulnerabilities affecting three of its products, including a critical issue impacting NetScaler ADC and NetScaler Gateway.

The most severe of the flaws, identified as CVE-2025-5777 and carrying a CVSS score of 9.3, stems from an out-of-bounds memory read due to inadequate input validation.

According to Citrix’s advisory, the vulnerability affects only NetScaler setups configured as Gateway (such as VPN virtual servers, ICA Proxy, CVPN, or RDP Proxy) or those using Authentication, Authorization, and Accounting (AAA) virtual servers.

The issue has been resolved in NetScaler ADC versions 14.1-43.56, 13.1-58.32, 13.1-FIPS and 13.1-NDcPP 13.1-37.235, and 12.1-FIPS 12.1-55.328, as well as in NetScaler Gateway versions 14.1-43.56 and 13.1-58.32.

The patches also fix CVE-2025-5349, a high-severity vulnerability tied to improper access controls in the NetScaler Management Interface.

Citrix noted that older NetScaler ADC and Gateway versions 12.1 and 13.0, which are no longer supported, are also impacted by these vulnerabilities. Customers using these versions are advised to upgrade to supported releases without delay.
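A fleet-wide check of which appliances still need the upgrade is mostly a version comparison against the fixed builds listed above. The following is an added example, not Citrix tooling: it parses the version line that `show ns version` prints on the appliance, compares the build against the fixed builds for the train and edition, and distinguishes an unpatched build that also has the Gateway or AAA exposure the advisory describes from one that merely needs the management-interface fix. The edition (standard, FIPS, NDcPP) and the Gateway/AAA configuration cannot be read from that one line, so the caller passes them; the sample version lines are constructed.

```python
"""Classify a NetScaler build against the fixed versions in the Citrix advisory.

Added illustration, not Citrix's tooling. It expects the version line that
`show ns version` prints on the appliance, e.g.
"NetScaler NS13.1: Build 58.32.nc, Date: ...". The edition (standard / FIPS /
NDcPP) and whether a Gateway or AAA vserver is configured are not in that
line, so the caller supplies them (assumption). Sample lines are constructed.
"""
import re

# Minimum fixed builds per (train, edition), taken from the advisory summary above.
FIXED_BUILDS = {
    ("14.1", "standard"): (43, 56),
    ("13.1", "standard"): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}
# Trains Citrix no longer supports: affected, with no fixed build to compare against.
END_OF_LIFE_TRAINS = {"12.1", "13.0"}

VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(line):
    """Return (train, (major_build, minor_build)) from a `show ns version` line."""
    m = VERSION_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised version line: {line!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(line, edition="standard", gateway_or_aaa=True):
    """One of: fixed, vulnerable, outdated, unsupported, unknown.

    'vulnerable' is an unpatched build with a Gateway or AAA vserver configured,
    the precondition the advisory gives for CVE-2025-5777. An unpatched build
    without that exposure is 'outdated': it still carries the management-
    interface issue (CVE-2025-5349) and should be upgraded as well.
    """
    train, build = parse_version(line)
    fixed = FIXED_BUILDS.get((train, edition))
    if fixed is None:
        return "unsupported" if train in END_OF_LIFE_TRAINS else "unknown"
    if build >= fixed:           # tuple comparison: (58, 32) > (57, 26)
        return "fixed"
    return "vulnerable" if gateway_or_aaa else "outdated"


if __name__ == "__main__":
    # Constructed sample output from several appliances.
    samples = [
        ("NetScaler NS14.1: Build 43.56.nc, Date: Jun 1 2025", "standard", True),
        ("NetScaler NS13.1: Build 57.26.nc, Date: Mar 3 2025", "standard", True),
        ("NetScaler NS13.1: Build 57.26.nc, Date: Mar 3 2025", "standard", False),
        ("NetScaler NS13.0: Build 92.21.nc, Date: Jan 9 2024", "standard", True),
        ("NetScaler NS13.1: Build 37.235.nc, Date: May 20 2025", "FIPS", True),
    ]
    for line, edition, exposed in samples:
        print(f"{line.split(',')[0]} [{edition}, gateway/aaa={exposed}] -> {assess(line, edition, exposed)}")
```

The end-of-life trains are deliberately reported as "unsupported" rather than compared against anything, since the only remediation the page gives for 12.1 and 13.0 is a move to a supported release.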

Additionally, Citrix addressed a high-severity improper privilege management issue in its Secure Access Client for Windows, which could be exploited to gain System-level access. Tracked as CVE-2025-0320, this flaw was patched in version 25.5.1.15 of the client.

Another high-severity privilege escalation vulnerability, labeled CVE-2025-4879, was fixed in Citrix Workspace app for Windows version 2409, as well as in hotfixes for the 2402 LTSR CU2 and CU3 versions.

  • New Linux udisks Flaw Lets Attackers Get Root on Major Linux Distros

Two newly identified local privilege escalation (LPE) vulnerabilities can allow attackers to obtain root-level access on systems running major Linux distributions.

The first vulnerability, listed as CVE-2025-6018, stems from a misconfiguration in the Pluggable Authentication Modules (PAM) framework on openSUSE Leap 15 and SUSE Linux Enterprise 15. This flaw could let a local user escalate their privileges to that of the “allow_active” user.

The second issue, tracked as CVE-2025-6019, affects the libblockdev component and allows a user with “allow_active” permissions to escalate their access to root through the udisks daemon—a storage service enabled by default on most Linux systems.

Although the two vulnerabilities can be combined to create a “local-to-root” attack chain that allows full system takeover on SUSE platforms, the udisks/libblockdev vulnerability alone is a significant threat.

Since udisks is pre-installed on nearly every Linux distribution, a broad range of systems is exposed to this vulnerability. With known methods of obtaining ‘allow_active’ privileges, such as exploiting the PAM misconfiguration, the two flaws can be chained for an almost effortless root compromise.

Security researchers have released detailed advisories and shared relevant patches via Openwall, emphasizing the critical nature of the issue. Because root access lets attackers modify security agents, maintain persistent access, and move laterally across systems, leaving even one server unpatched could compromise your entire infrastructure. Organizations must prioritize patching both the PAM and libblockdev/udisks components immediately.

Once proof-of-concept code is disclosed online, bugs like these are quickly weaponized by attackers; within a couple of weeks they can be used to compromise organizations around the globe.


References:

https://www.darkreading.com/cloud-security/serpentinecloud-cloudflare-tunnels-sneak-attacks

https://www.securityweek.com/critical-vulnerability-patched-in-citrix-netscaler/

https://www.bleepingcomputer.com/news/linux/new-linux-udisks-flaw-lets-attackers-get-root-on-major-linux-distros/

https://www.bleepingcomputer.com/news/security/scania-confirms-insurance-claim-data-breach-in-extortion-attempt/

https://www.canadiansecuritymag.com/thieves-gain-access-to-about-140000-social-insurance-numbers-in-ns-power-database/
