Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to Canary Trap’s “Bi-Weekly Cyber Roundup”. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.
This week’s cybersecurity roundup highlights a series of high-impact breaches, government responses, and ongoing threats across the digital landscape. From a hack targeting TeleMessage, the secure messaging platform used by U.S. officials, to NSO Group’s hefty penalty over its WhatsApp spyware, the headlines underscore both technical and legal battles in the cyber world. Meanwhile, critical infrastructure in Nova Scotia, WordPress sites, and even operational technology systems have faced fresh attacks. On a more proactive front, 41 nations have joined forces in NATO’s Locked Shields 2025 cyber defense exercise, reflecting the growing need for global cyber readiness.
- TeleMessage, the Signal Clone Used by US Government Officials, Suffers Hack
TeleMessage, a secure messaging platform derived from the Signal protocol, has been temporarily shut down following a reported cybersecurity breach that may have exposed sensitive U.S. government communications. The decision to suspend the app was made “out of an abundance of caution,” as investigations continue.
The breach gained public attention when U.S. National Security Advisor Mike Waltz was seen using TeleMessage during a cabinet meeting with former President Donald Trump. Waltz had previously come under scrutiny for inadvertently inviting a journalist to a Signal chat discussing classified military plans, raising concerns over the use of non-government-approved messaging tools for official matters.
To address these concerns, U.S. officials had turned to TeleMessage, a lesser-known Israeli-based company offering a modified version of Signal with built-in archiving features. However, it now appears that this alternative was also vulnerable. Reports indicate that hackers accessed a range of data from TeleMessage, including message content, contact lists of officials, and administrative login credentials. The compromised information spans beyond just the Signal clone and includes chats from TeleMessage’s versions of WhatsApp, Telegram, and WeChat.
The breach extended beyond government data, affecting institutions such as Coinbase, Scotiabank, and U.S. Customs and Border Protection, suggesting weaknesses in TeleMessage’s encryption practices, particularly in its archiving systems.
TeleMessage, owned by compliance technology provider Smarsh, responded by pausing its operations and hiring a third-party cybersecurity firm to conduct a thorough investigation. Smarsh emphasized that its other services remain unaffected.
- Customers’ Personal Information Stolen During Cybersecurity Breach: Nova Scotia Power
Nova Scotia Power has disclosed a cybersecurity incident in which unauthorized individuals accessed parts of its computer network, resulting in the compromise of some customer information. The breach was discovered last Friday after the utility provider detected unusual activity within its systems.
Initially, the company acknowledged that there had been unauthorized access to certain areas of its Canadian network but did not indicate that personal data had been affected. However, in an updated statement, Nova Scotia Power confirmed that some customer information was indeed taken during the incident.
In response to the breach, the utility company has implemented measures to contain the issue and has launched a formal investigation with the support of external cybersecurity professionals. Law enforcement has also been notified and is now involved in the matter.
Nova Scotia Power emphasized that it is taking the situation very seriously and has committed to providing clear communication and support to all customers impacted by the breach. Those affected will be contacted directly with further details and assistance.
- Spyware Maker NSO Ordered to Pay $167 Million Over WhatsApp Hack
Meta has secured a significant legal victory against Israeli spyware firm NSO Group, with a jury awarding the tech giant over $167 million in damages. The decision stems from a 2019 lawsuit filed by Meta, following the discovery that NSO had exploited a zero-day vulnerability in WhatsApp to deliver spyware to approximately 1,400 users. These users included journalists, human rights activists, and other individuals targeted by repressive regimes.
The ruling builds on a prior 2024 judgment that held NSO liable for its role in the breach. While NSO claims its software is intended for use by government agencies to combat crime and terrorism, its technology has repeatedly been implicated in unauthorized surveillance. The company maintains it is not accountable for how clients deploy its tools.
Meta, which owns WhatsApp, hailed the verdict as a milestone in protecting user privacy and security. The company emphasized that the outcome sends a strong message against the misuse of surveillance technology and supports global efforts to hold spyware developers accountable. Meta also highlighted that the legal process forced NSO to admit it spends tens of millions of dollars annually developing techniques to infiltrate devices.
In addition to the jury award, NSO must pay $444,000 in compensatory damages to Meta. Despite the ruling, Meta acknowledged that collecting the full judgment will be challenging, as legal appeals are expected. NSO indicated it plans to continue fighting the decision, insisting that its technology is used responsibly and remains vital in the fight against crime and terrorism.
Meta’s case received support from other tech firms, including Apple, which had pursued its own legal action against NSO before withdrawing to avoid revealing sensitive cybersecurity information.
This case marks a pivotal moment in the global conversation on digital privacy and spyware accountability.
- 41 Countries Taking Part in NATO’s Locked Shields 2025 Cyber Defense Exercise
This week, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, is conducting Locked Shields 2025, a large-scale and highly complex international cyber defense exercise. The event has brought together approximately 4,000 cybersecurity professionals from 41 NATO allied and partner nations, mirroring participation levels from the previous year.
Locked Shields is designed to test the capabilities and resilience of national cybersecurity teams through a highly realistic and demanding simulation. The exercise centers on defending critical infrastructure and national IT systems, ranging from telecommunications to military networks, under constant and evolving cyberattack scenarios. Seventeen “blue teams” are participating, tasked with protecting over 8,000 virtual systems hosted by Estonia’s CR14 Foundation cyber range.
This year’s event introduces new challenges involving emerging technologies such as artificial intelligence and quantum computing. Beyond technical defense, teams must also respond to wider strategic threats, including disinformation campaigns, legal dilemmas, public relations crises, and broader infrastructure complications—all under time-sensitive, high-pressure conditions.
Mart Noorma, Director of the NATO CCDCOE, highlighted the rising frequency and severity of cyberattacks worldwide. Citing examples from Ukraine, where critical infrastructure like energy grids and communication systems are often targeted, Noorma emphasized that such threats are global and growing. He pointed to recent ransomware attacks on hospitals and disruptions to public services as further evidence of this trend.
According to Noorma, Locked Shields not only hones participants’ technical skills but also reinforces the importance of international collaboration and shared resilience. As cyber threats become increasingly sophisticated and the boundary between wartime and peacetime operations becomes less defined, the exercise underscores the need for coordinated preparation and robust defense strategies among nations.
- Unsophisticated Cyber Actor(s) Targeting Operational Technology
The Cybersecurity and Infrastructure Security Agency (CISA) has observed a growing trend in which less sophisticated cyber actors are targeting industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks, particularly within the United States’ critical infrastructure sectors. These sectors include vital domains such as Oil and Natural Gas, Energy, and Transportation Systems.
While many of these cyber attempts rely on rudimentary and low-level attack techniques, they remain a serious concern due to widespread vulnerabilities in system configurations and inadequate cybersecurity practices, commonly referred to as poor cyber hygiene. These weaknesses can create openings for attackers to gain unauthorized access and, in some cases, cause significant disruption.
Potential impacts from such breaches range from website defacements and unauthorized system modifications to broader operational interference. In extreme scenarios, these incidents may even result in physical damage to equipment or facilities. Despite the simplicity of the attacks, the consequences can be far-reaching, especially when critical systems are left exposed to the internet or misconfigured without proper oversight.
CISA emphasizes the importance of proactive security measures and strongly encourages asset owners and operators in critical infrastructure sectors to assess their systems for vulnerabilities. They also recommend reviewing CISA’s provided guidance, which outlines practical steps to reduce exposure and strengthen defenses against cyber threats.
The agency’s fact sheet includes strategies for identifying exposed assets, implementing robust authentication, segmenting operational networks, and maintaining updated software and firmware. By adopting these best practices, organizations can significantly reduce their risk of compromise, even from attackers using basic techniques.
- Second OttoKit Vulnerability Exploited to Hack WordPress Sites
A second serious vulnerability has been identified in the OttoKit WordPress plugin, just weeks after cybercriminals began exploiting a different flaw. OttoKit, formerly known as SureTriggers, is used on over 100,000 websites and offers automation tools for connecting apps, plugins, and other systems.
Security researchers have now warned of a new flaw, labeled CVE-2025-27007, which carries a critical CVSS score of 9.8. This vulnerability could allow unauthenticated attackers to connect to and compromise vulnerable websites. The issue lies in the plugin’s create_wp_connection() function, which fails to properly verify users’ credentials, opening the door to privilege escalation.
While successful exploitation depends on specific conditions, such as the absence of application passwords and no prior plugin connections using them, it’s still a high-risk vulnerability. In these rare but possible scenarios, attackers can exploit the flaw without needing any valid user credentials.
If attackers gain partial access, such as being able to generate an application password, they could exploit the vulnerability more easily and open further avenues for control over the website.
This warning comes shortly after the discovery of another OttoKit vulnerability (CVE-2025-3102), which allowed attackers to create admin accounts on newly set-up or unconfigured sites.
Attackers appear to be combining these exploits to first establish a connection and then escalate privileges by creating admin accounts. In response, Defiant has provided indicators of compromise (IoCs) to help administrators detect intrusions.
The plugin’s developer has released version 1.0.83, which addresses both vulnerabilities. Website owners are strongly urged to update immediately to protect their sites from potential takeover.
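The defensive pattern behind the fix is that a connection-creation endpoint must refuse every request that does not carry a verified username and application password. The following is an added, hypothetical WordPress REST handler (not OttoKit's code; the route name `example-automation/v1/connect`, function names and the `manage_options` requirement are assumptions) showing the checks a practitioner would expect around a function like create_wp_connection().

```php
<?php
// Hypothetical plugin snippet (added illustration, not OttoKit's code).
// Registers a REST route that creates an integration "connection" only after
// the caller proves a valid username + application password. Every failure
// path returns an error; nothing falls through to a connected state.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-automation/v1', '/connect', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_wp_connection',
        'permission_callback' => 'example_connection_permission',
    ) );
} );

function example_connection_permission( WP_REST_Request $request ) {
    // If application passwords are disabled site-wide, refuse outright. Do not
    // treat "the check could not run" as "the check passed".
    if ( ! wp_is_application_passwords_available() ) {
        return new WP_Error( 'app_passwords_disabled',
            'Application passwords are not available on this site.', array( 'status' => 403 ) );
    }
    $username = (string) $request->get_param( 'username' );
    $password = (string) $request->get_param( 'app_password' );
    if ( '' === $username || '' === $password ) {
        return new WP_Error( 'missing_credentials', 'Credentials required.', array( 'status' => 401 ) );
    }
    // wp_authenticate_application_password() returns its first argument
    // unchanged when the user is unknown or app passwords are unavailable, so
    // pass null and accept only an actual WP_User as proof of authentication.
    $user = wp_authenticate_application_password( null, $username, $password );
    if ( ! $user instanceof WP_User ) {
        return new WP_Error( 'invalid_credentials', 'Authentication failed.', array( 'status' => 401 ) );
    }
    // Only site administrators may create a connection (assumed capability).
    if ( ! user_can( $user, 'manage_options' ) ) {
        return new WP_Error( 'insufficient_capability', 'Not permitted.', array( 'status' => 403 ) );
    }
    $request->set_param( 'verified_user_id', $user->ID );
    return true;
}

function example_create_wp_connection( WP_REST_Request $request ) {
    // Only reachable after the permission callback succeeded.
    $user_id = (int) $request->get_param( 'verified_user_id' );
    // Issue a random connection token and store only its hash, bound to the user.
    $token = wp_generate_password( 32, false );
    update_user_meta( $user_id, 'example_connection_token', wp_hash_password( $token ) );
    return rest_ensure_response( array( 'connected' => true, 'token' => $token ) );
}
```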