Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. Our mission is to keep you informed with the most pressing developments in the world of cybersecurity. This digest serves as your gateway to critical updates and emerging threats across the industry.
In this post, we explore a series of recent cybersecurity incidents and vulnerabilities affecting both public and private sectors. From major financial impacts at companies like Coinbase and Marks & Spencer, to critical infrastructure concerns in Alabama’s state government, these developments underscore the growing complexity and reach of cyber threats. We’ll also examine technical flaws, including a serious vulnerability in OpenPGP.js and active exploitation of Ivanti EPMM weaknesses, as well as privacy concerns stemming from a Virgin Media O2 exposure. Together, these cases highlight the urgent need for vigilance, resilience, and proactive security measures across industries.
- Leading Crypto Firm Coinbase Faces up to $400m Hit From Cyber Attack
Coinbase, one of the largest cryptocurrency platforms globally, has disclosed a significant cybersecurity incident that could result in losses between $180 million and $400 million, according to a filing with the U.S. Securities and Exchange Commission (SEC). The financial impact includes remediation efforts and voluntary reimbursements to affected customers, though the final figure may fluctuate based on further developments, such as legal claims or potential recoveries.
The breach involved a sophisticated social engineering attack in which threat actors allegedly obtained access to less than 1% of Coinbase’s customer data. The company stated that the attackers posed as legitimate representatives of the firm, using the stolen information to deceive customers into transferring cryptocurrency assets.
Coinbase believes the attackers gained this data by illicitly paying contractors and employees for internal access. The employees implicated in the breach have since been terminated.
Following the incident, the attackers demanded a $20 million payment in exchange for their silence. Coinbase declined to pay the ransom and instead committed to reimbursing all customers affected by the fraud. Additionally, the company announced the creation of a $20 million reward fund to incentivize information that leads to the identification and prosecution of those responsible.
In a public statement, Coinbase expressed regret for the disruption and concern caused to impacted users. It urged all customers to remain vigilant, emphasizing that the company will never ask for passwords, two-factor authentication (2FA) codes, or asset transfers to unfamiliar wallets or addresses. Users are advised to lock their accounts and report suspicious activity immediately.
The announcement triggered a 4.1% drop in Coinbase’s share price and comes just days before the company is scheduled to be added to the S&P 500 index—a milestone that reflects growing mainstream recognition of the cryptocurrency sector.
The incident underscores the evolving risks facing digital asset firms as they scale. According to blockchain research firm Chainalysis, cryptocurrency-related cybercrime led to losses totaling $2.2 billion in 2024 alone.
- Alabama Says ‘Cybersecurity Event’ Could Disrupt State Government Services
Alabama Governor Kay Ivey has confirmed that the state is actively addressing a cybersecurity incident that has affected government systems. In a statement issued Monday morning, Governor Ivey urged residents to remain patient amid potential interruptions in access to government websites and communication channels.
According to the statement, the issue was first identified on May 9th. Since then, the Alabama Office of Information Technology (OIT) has been working continuously to assess and contain the situation. Preliminary findings indicate that while some state employee credentials were compromised, there is currently no evidence that personal data belonging to Alabama residents has been accessed.
To support transparency, OIT has launched a dedicated webpage to provide ongoing updates as the investigation continues. Governor Ivey also emphasized that all state employees are being reminded to remain vigilant for phishing attempts and other suspicious activity.
At this stage, the origin and full scope of the breach remain under investigation. The state has engaged an external cybersecurity firm to assist with the response and remediation efforts—a standard procedure in incidents of this nature.
As of early Tuesday, no further public updates had been released.
This event follows a broader trend of cyberattacks targeting state and local governments in the United States. Similar incidents in recent years have disrupted public services in states such as Rhode Island, Oregon, and Virginia, as well as in several municipalities across Texas and Pennsylvania.
- Virgin Media O2 Vuln Exposes Call Recipient Location
Virgin Media O2 (VMO2), a major telecommunications provider in the UK, has resolved a security vulnerability affecting its 4G Calling and Wi-Fi Calling functionalities.
Originally introduced by O2 UK in 2017, prior to its 2021 merger with Virgin Media, the 4G Calling service, also known as Voice over LTE (VoLTE), enables voice calls over an LTE data connection rather than traditional circuit-switched voice networks. Wi-Fi Calling provides a similar service over wireless internet, offering functionality akin to Apple’s FaceTime Audio.
Cybersecurity researcher Daniel Williams discovered that both services were unintentionally exposing sensitive metadata during call setup. The exposed data, embedded in Session Initiation Protocol (SIP) headers, included the International Mobile Subscriber Identity (IMSI), device-specific IMEI numbers, and cell tower identifiers. These details could potentially be used to infer a call recipient’s approximate location.
According to Williams, under certain conditions it was possible to estimate the target’s location to within approximately 100 square meters, about the size of two adjacent football fields. He demonstrated that by entering the leaked identifiers into publicly accessible tools such as CellMapper, someone with even a basic grasp of mobile networks could pinpoint a user’s location without their consent.
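A defensive check for the SIP metadata leak described above, added here as an example and not taken from the original post or from the researcher’s work: it parses a constructed INVITE, flags headers that carry cell identity or IMSI/IMEI-like values, and strips them the way a border element should before the message reaches the far-end subscriber. The header names, numbers and the `X-Device-Info` header in the sample are illustrative assumptions, not the exact fields from the VMO2 disclosure.

```python
import re

# Constructed SIP INVITE for this example; header names and identifier
# values are illustrative and not taken from the VMO2 disclosure.
SAMPLE_SIP = "\r\n".join([
    "INVITE sip:+441234567890@ims.example.net SIP/2.0",
    "Via: SIP/2.0/TCP 10.0.0.5:5060;branch=z9hG4bK776asdhds",
    "From: <sip:+441234567891@ims.example.net>;tag=1928301774",
    "To: <sip:+441234567890@ims.example.net>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=2341512345678901",
    "X-Device-Info: imsi=234151234567890;imei=359876543210987",
    "Content-Length: 0",
    "",
    "",
])

# Headers that carry radio network topology (cell identity) and have no
# business reaching the other party. Names chosen for this example.
TOPOLOGY_HEADERS = {"p-access-network-info", "cellular-network-info"}

# Either an explicit imsi=/imei= parameter or a bare 15-digit value.
IDENTIFIER_RE = re.compile(r"(?i)\b(?:imsi|imei)\s*=\s*\d{14,16}\b|\b\d{15}\b")


def parse_headers(message):
    """Split a SIP request into (request_line, [(name, value), ...], body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def find_leaks(message):
    """Return (header_name, reason) for each header exposing subscriber or cell data."""
    _, headers, _ = parse_headers(message)
    findings = []
    for name, value in headers:
        if name.lower() in TOPOLOGY_HEADERS:
            findings.append((name, "cell identity header"))
        elif IDENTIFIER_RE.search(value):
            findings.append((name, "IMSI/IMEI-like identifier"))
    return findings


def scrub(message):
    """Return the message with every leaking header removed."""
    request_line, headers, body = parse_headers(message)
    leaking = {name for name, _ in find_leaks(message)}
    kept = [f"{n}: {v}" for n, v in headers if n not in leaking]
    return "\r\n".join([request_line, *kept]) + "\r\n\r\n" + body
```

Running `find_leaks` over the sample flags the two offending headers; running it again over `scrub(SAMPLE_SIP)` returns nothing while routing headers such as Call-ID survive.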
Williams publicly disclosed the issue on May 17th but initially received no response from Virgin Media O2. The company has since acknowledged the report and confirmed that a patch has been deployed.
“Our engineering teams have been working on and testing a fix for a number of weeks,” a VMO2 spokesperson stated. “We can confirm this is now fully implemented. Testing indicates the issue has been successfully addressed, and no action is required from our customers. We thank Daniel Williams for bringing this to our attention.”
Williams later confirmed that the vulnerability had been resolved and commended the company for taking corrective action.
- Marks & Spencer Faces $402 Million Profit Hit After Cyberattack
British retail leader Marks & Spencer (M&S) has announced it may incur losses of up to £300 million ($402 million) for the 2025/26 fiscal year due to the aftermath of a major cyberattack. In a recent filing with the London Stock Exchange, the company cited disruptions to operations, recovery-related expenditures, and lost sales as contributing factors.
The breach, which remains under investigation, has severely affected M&S’s digital infrastructure. Online retail services remain offline, with the company estimating that normal operations may not resume until July.
According to the update, food sales have been negatively affected due to stock shortages, though improvements are underway. Additionally, the retailer is facing elevated waste and logistics costs, primarily due to the temporary shift to manual processing methods during the systems outage.
In its Clothing, Home & Beauty divisions, the pause in online shopping has significantly affected revenue and trading profit. However, physical store performance has remained stable. M&S anticipates online disruption will extend through June and into July, further increasing inventory management expenses in the second quarter.
The company currently projects a potential £300 million reduction in group operating profit but intends to mitigate the impact through cost controls, insurance claims, and adjustments to its trading strategy.
The incident was initially reported by BleepingComputer, which identified the attackers as part of the Scattered Spider cybercrime group. The perpetrators reportedly used a DragonForce encryptor to lock down VMware ESXi virtual machines, severely affecting operations across M&S’s 1,400 locations and halting online order processing.
M&S later confirmed that customer data was exfiltrated prior to the encryption of its systems. The same group is believed to be behind recent cyber incidents involving other major British retailers. The Co-op disclosed a breach that exposed data of both current and former members, while Harrods confirmed attempts to infiltrate its network, prompting restrictions on internet access within its infrastructure.
In response, the UK’s National Cyber Security Centre (NCSC) has issued updated guidance to help organizations bolster their cyber defenses. The NCSC emphasized that these attacks should serve as a warning to businesses across the country, noting the increasing sophistication and frequency of targeted attacks against the retail sector.
Meanwhile, Google has issued a separate advisory stating that Scattered Spider actors have also begun targeting retailers in the United States, highlighting the growing international scope of the threat.
- A Critical Flaw in OpenPGP.js Lets Attackers Spoof Message Signatures
A critical vulnerability in OpenPGP.js, identified as CVE-2025-47934, has been addressed in recent updates. This flaw impacts the library’s ability to correctly verify message signatures, potentially allowing threat actors to spoof signed content.
OpenPGP.js is a widely used open-source JavaScript library that supports the OpenPGP encryption standard, enabling secure communications through end-to-end encryption in web applications and related environments.
The issue affects versions 5.0.1 through 5.11.2 and 6.0.0 through 6.1.0. In these versions, improperly validated inline-signed and signed-and-encrypted messages could be manipulated by an attacker. Specifically, an attacker could use a legitimate message signature and signed data to fabricate a message containing arbitrary content that would still pass signature verification. This misleading behavior does not impact detached signature verification, as that process does not return embedded signed content.
According to the project’s advisory, the flaw lies in how the openpgp.verify and openpgp.decrypt functions handle extracted data. Because these methods may return content that differs from what was originally signed, verification results can be falsely trusted. Successful exploitation requires possession of both a valid signature (inline or detached) and the original plaintext used in the signed message.
The vulnerability was discovered by Edoardo Geraci and Thomas Rinsma of Codean Labs. It has been fixed in versions 5.11.3 and 6.1.1 of OpenPGP.js. Developers using affected versions are encouraged to update immediately or apply workarounds that involve manually validating the signed content to ensure its integrity.
- Wiz Warns of Ongoing Exploitation of Recent Ivanti Vulnerabilities
Security firm Wiz has reported that malicious actors are actively exploiting two recently patched vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). These issues, now identified as CVE-2025-4427 and CVE-2025-4428, were both addressed by Ivanti on May 13 following evidence of limited zero-day exploitation.
The vulnerabilities, classified as an authentication bypass and a remote code execution (RCE) flaw post-authentication, originated in open-source libraries incorporated into the EPMM platform. Although each carries a medium severity rating, Wiz warns that the combination of the two significantly elevates the overall risk, potentially enabling attackers to execute unauthenticated remote code on affected systems.
According to Wiz’s analysis, the authentication bypass stems from improper request handling within EPMM’s route configuration, allowing unauthorized access due to gaps in the Spring framework’s security rules.
The RCE vulnerability results from unsafe processing of user-supplied input in error messages. Specifically, when this input is passed to a Spring function, it enables attackers to inject a crafted format parameter capable of executing arbitrary Java code.
Since the release of a public proof-of-concept (PoC) exploit on May 16th, Wiz has observed active exploitation in the wild. The firm identified several malicious payloads, including Sliver beacons communicating with a known command-and-control (C&C) server. This same server has been previously associated with attacks targeting Palo Alto Networks PAN-OS devices, indicating a possible pattern of opportunistic exploitation by the same threat actor.
Wiz also noted that the C&C server’s certificate has remained unchanged since November 2024, further supporting the theory of a persistent threat actor leveraging similar attack methods across different platforms.
Organizations using Ivanti EPMM are strongly advised to apply the security updates included in versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. Additionally, implementing access control lists (ACLs) or an external web application firewall (WAF) to filter API access can help mitigate exposure.
References:
https://www.bbc.com/news/articles/c80k5plpx8do
https://therecord.media/alabama-says-cyber-event-could-cause-disruptions
https://www.darkreading.com/vulnerabilities-threats/virgin-media-02-call-recipient-location
https://www.securityweek.com/wiz-warns-of-ongoing-exploitation-of-recent-ivanti-vulnerabilities/