Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. Our mission is to keep you informed with the most pressing developments in the world of cybersecurity. This digest serves as your gateway to critical updates and emerging threats across the industry.
Cyber threats continue to evolve at a rapid pace, impacting organizations of all sizes across the globe. This week’s cybersecurity roundup highlights major developments, from new warnings to Canadian small businesses and critical Microsoft updates, to the rise of powerful cybercriminal alliances and growing ransomware activity across Europe. Stay informed with the latest updates shaping the cybersecurity landscape.
- “Don’t Underestimate the Threat:” National Cyber Security Program Warns Canadian Small Businesses
Cybercrime has surged to unprecedented levels across the globe, and Canadian small and medium-sized enterprises (SMEs) may be underestimating just how vulnerable they really are. According to cybersecurity experts, many business owners believe they’re too small to be targeted, a misconception that could prove costly.
Canada’s national cybersecurity authority, the Communications Security Establishment (CSE), recently reported a growing number of cyber threats impacting not only governments, large corporations, and critical infrastructure, but also smaller businesses. “Don’t underestimate the threat,” cautioned Sami Khoury, head of the federal government’s Cyber Security program, in a recent interview with BNN Bloomberg. “SMEs should not assume they’re immune to cyber incidents.”
SMEs play a crucial role in larger supply chains, often serving as indirect gateways to bigger organizations. This makes them appealing targets for attackers who may deploy ransomware, phishing campaigns, or credential theft to gain entry. Weak password practices and limited cybersecurity awareness compound the risk.
A survey conducted by the Insurance Bureau of Canada (IBC) revealed that while 48% of small and medium-sized business leaders recognize their vulnerability, only 6% believe a cyberattack will actually happen to them. Meanwhile, data from the Business Development Bank of Canada (BDC) suggests that nearly three-quarters of small businesses in Canada have already experienced a cybersecurity incident. Many businesses may not fully grasp the operational and financial impact of recovering from a cyberattack.
For small business owners, a cyberattack can be devastating. Jocelyn Rhindress of the Canadian Federation of Independent Business (CFIB) emphasized that many entrepreneurs lose more than just revenue; they risk their entire livelihood. “We’ve spoken to business owners who were hacked, held for ransom, or forced to shut down entirely following a cyberattack,” said Rhindress. “With ongoing economic pressures, a data breach can be the final blow.”
Cybersecurity expert Ali Dehghantanha from the University of Guelph noted that hackers typically look for “easy targets” rather than specific organizations. “Attackers aren’t focused on brand names or reputations; they go after whoever has the weakest defenses,” he explained. Many SMEs lack proactive monitoring or incident response systems, meaning breaches often go undetected until significant damage has occurred. By the time a compromise is discovered, attackers have usually already exfiltrated sensitive data and launched ransomware operations.
Dehghantanha warns that recovery costs can be overwhelming, both financially and legally. “Once data is stolen, companies face regulatory reporting obligations, potential lawsuits, and high recovery expenses. Prevention typically costs a fraction of what recovery does,” he said.
The rapid growth of artificial intelligence is introducing new challenges in identifying and mitigating cyber threats. The IBC survey found that only 45% of Canadian SMEs have measures in place to detect or respond to AI-driven scams.
Third-party risks are another rising concern. As businesses increasingly depend on cloud providers, vendors, and outsourced IT partners, 27% of SMEs report anxiety about potential legal exposure from third-party data breaches.
Additionally, according to the CFIB, human error remains the leading cause of cybersecurity incidents, accounting for up to 95% of attacks. Weak passwords, phishing emails, outdated software, and malware remain the most common entry points for hackers. “If businesses can strengthen passwords, keep systems updated, train staff to recognize phishing, and use anti-malware tools, they can mitigate the majority of cyber risks,” said Rhindress.
The message from experts is clear: no organization is too small to be targeted. Cybersecurity must become a business priority, not an afterthought. Investing in preventive measures such as employee training, strong authentication, and real-time monitoring can help SMEs avoid the devastating consequences of an attack. In an era where cybercrime is more sophisticated than ever, overconfidence can be a serious liability.
- Act Now — Microsoft Issues Emergency Windows Update As Attacks Begin
Less than a week after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted federal agencies to patch Windows systems amid ongoing Server Message Block (SMB) attacks, a new wave of exploits has emerged, this time targeting Windows Server Update Services (WSUS). CISA has now confirmed that attackers are actively exploiting CVE-2025-59287, a critical remote code execution (RCE) vulnerability within WSUS that could allow threat actors to execute malicious code remotely across a network.
Microsoft clarified that not all Windows Servers are automatically at risk: “The WSUS Server Role is not enabled by default on Windows servers. Systems without this role enabled are not affected. However, once WSUS is activated, the server becomes vulnerable if the patch is not installed beforehand.”
Cybersecurity researchers at Eye Security conducted an internet-wide scan to assess potential exposure. According to researcher Bas van den Berg, their team searched for WSUS servers using the Shodan and Fofa platforms, specifically identifying Internet Information Services (IIS) servers operating on ports 8530 (HTTP) and 8531 (HTTPS).
Their findings were concerning: approximately 8,000 servers were initially identified as potentially exposed. After notifying authorities and intelligence partners, Eye Security later confirmed via LinkedIn that at least 2,500 WSUS servers remain vulnerable and accessible globally, actively targeted in ongoing attacks.
In response to the escalating threat, CISA has issued a Binding Operational Directive requiring certain federal agencies to apply Microsoft’s security updates within two weeks. The agency also strongly advises all organizations, public and private, to take immediate action. CISA warns that failure to apply the fix could enable an unauthenticated attacker to achieve remote code execution with system-level privileges, potentially leading to full network compromise.
Recommended mitigation steps include:
- identifying all servers running WSUS that may be exposed;
- applying Microsoft’s out-of-band patch released on October 23, 2025, to all affected systems;
- rebooting WSUS servers after installation to ensure full remediation.
If patching is not immediately possible, disable the WSUS role and block inbound traffic to ports 8530 and 8531 at the host firewall level. Microsoft further cautions administrators not to reverse any temporary mitigations until the official update has been successfully applied.
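The following PowerShell script is an added example, not code from the roundup, Microsoft, or CISA. It turns the mitigation steps above into a host-side check: it reports whether the WSUS role is installed, whether anything is listening on ports 8530 and 8531, and whether the out-of-band update is present, then applies the interim host-firewall block only where the server is still exposed and lifts it only once the patch is detected. The `Get-WsusExposure`, `Invoke-WsusInterimMitigation` and `Remove-WsusInterimMitigation` function names are the example’s own; the KB identifier of the October 23, 2025 update is not given in the article and is left as a placeholder to fill in from the Microsoft advisory. It assumes an elevated session on Windows Server with the ServerManager, NetTCPIP and NetSecurity modules available.

```powershell
# Added example (not from the roundup, Microsoft or CISA): triage a Windows Server
# for the WSUS exposure described above and apply the interim mitigation.
# Assumptions: elevated session on Windows Server; ServerManager, NetTCPIP and
# NetSecurity modules present.
$PatchKb  = 'KB<PLACEHOLDER-OOB-2025-10-23>'   # placeholder: fill in from the Microsoft advisory
$RuleName = 'Block WSUS 8530-8531 (CVE-2025-59287 interim)'

function Get-WsusExposure {
    $role      = Get-WindowsFeature -Name UpdateServices
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                 Where-Object { $_.LocalPort -in 8530, 8531 }
    $patched   = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WsusInstalled  = [bool]$role.Installed
        ListeningPorts = (($listeners.LocalPort | Sort-Object -Unique) -join ',')
        PatchInstalled = $patched
        # Exposed only when the role is on, the WSUS ports are open and the fix is missing
        Exposed        = ([bool]$role.Installed -and [bool]$listeners -and -not $patched)
    }
}

function Invoke-WsusInterimMitigation {
    # Block inbound 8530/8531 at the host firewall, the interim step the article
    # recommends when the patch cannot be applied immediately.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 8530, 8531 -Action Block -Profile Any | Out-Null
    }
    # Hosts without the role are unaffected per Microsoft; removing it is the stronger
    # option if the server does not actually need to serve updates:
    # Uninstall-WindowsFeature -Name UpdateServices -Restart
}

function Remove-WsusInterimMitigation {
    # Microsoft cautions against reverting mitigations before the update is in place,
    # so the block is only removed once the patch is actually detected.
    if ((Get-WsusExposure).PatchInstalled) {
        Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    } else {
        Write-Warning 'Patch not detected; keeping the firewall block in place.'
    }
}

$status = Get-WsusExposure
$status | Format-List
if ($status.Exposed) { Invoke-WsusInterimMitigation }
```

Run the script on each server identified in the inventory step; after the update has been installed and the server rebooted, rerun it and call `Remove-WsusInterimMitigation` to lift the port block.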
The resurgence of Windows Server-related exploits underscores the persistent threat landscape targeting enterprise infrastructure. With active exploitation already confirmed, timely patching and network hardening are essential to prevent potential breaches.
- A Cybercrime Merger Like No Other — Scattered Spider, LAPSUS$, and ShinyHunters Join Forces
A new cybercrime alliance known as Scattered LAPSUS$ Hunters (SLH) has surfaced, merging members and tactics from three notorious groups: Scattered Spider, LAPSUS$, and ShinyHunters. Since its formation in early August 2025, the collective has created and lost at least 16 Telegram channels, each iteration quickly replaced after being taken down.
According to a recent Trustwave SpiderLabs report, this repeated pattern of removal and reappearance highlights both the platform’s moderation efforts and the group’s persistence in maintaining a public-facing presence.
SLH has been conducting data extortion campaigns targeting various organizations, including recent attacks against Salesforce users. One of their main operations appears to be an “extortion-as-a-service” (EaaS) model, where affiliates can leverage the SLH brand to demand ransoms from victims, using its name recognition to amplify pressure.
The collective seems to operate under a broader cybercriminal network known as “The Com,” which functions as a loose federation of groups that collaborate and share branding. SLH has also been connected to CryptoChameleon and Crimson Collective, both of which share similar tactics and communication methods.
Telegram remains the primary coordination platform for SLH members, mirroring the media-centric approach of hacktivist movements. Their channels serve dual purposes, acting as a public propaganda outlet to broadcast messages and a marketplace for promoting illicit services.
As the group evolved, they began posting updates signed by the “SLH/SLSH Operations Centre,” creating an illusion of structure and professionalism to strengthen their perceived legitimacy within the cybercriminal ecosystem.
SLH channels have also been used to accuse Chinese state-sponsored hackers of exploiting vulnerabilities they claimed to have found first, while simultaneously launching verbal attacks against U.S. and U.K. law enforcement. The group has even incentivized followers to harass corporate executives via email, offering small payouts for such participation.
Notable members such as Rey, SLSHsupport, and yuka (aka Yukari or Cvsp) appear to maintain engagement and technical operations, with yuka known for exploit development and serving as an initial access broker (IAB).
Although data theft and extortion remain SLH’s primary activities, Trustwave analysts believe the group is experimenting with ransomware development. A rumored project dubbed Sh1nySp1d3r (or ShinySp1d3r) could position them as competitors to LockBit and DragonForce, suggesting a potential pivot toward ransomware-as-a-service (RaaS).
Trustwave characterizes SLH’s behavior as a hybrid of cybercrime and hacktivism, blending financial motives with a need for recognition. Their operations demonstrate advanced manipulation of branding, public perception, and social media visibility to maintain credibility among peers and targets alike.
Meanwhile, other actors such as DragonForce have launched new malware using bring-your-own-vulnerable-driver (BYOVD) techniques to disable antivirus protections. The group has allied with LockBit and Qilin, forming a ransomware cartel that shares infrastructure and resources, effectively lowering the technical barrier for newcomers.
DragonForce has been observed working with Scattered Spider, which often serves as an affiliate responsible for initial intrusion through phishing and vishing before deploying remote access tools like ScreenConnect, AnyDesk, TeamViewer, and Splashtop.
Interestingly, DragonForce’s ransomware code is based on the leaked Conti source code, which they modified only slightly, mainly encrypting configuration data to conceal command-line arguments, while retaining all core functionalities.
The rise of Scattered LAPSUS$ Hunters and their alignment with other established actors marks a concerning evolution in cybercrime organization. Their combination of social engineering, technical exploits, and narrative manipulation underscores a shift toward more structured, brand-driven criminal enterprises that blend traditional cyberattacks with coordinated psychological and media tactics.
- Microsoft Removing Defender Application Guard from Office
Microsoft has announced plans to fully phase out Microsoft Defender Application Guard (MDAG) for Office by December 2027, beginning the process with the February 2026 release of Office version 2602.
Originally built for Windows 10 and Windows 11 Enterprise editions, MDAG was designed to enhance protection against malicious Office documents. It isolated potentially unsafe Word, Excel, and PowerPoint files within a Hyper-V-based virtual container, effectively keeping threats away from the host operating system and safeguarding corporate data.
Microsoft first revealed its intention to deprecate MDAG in November 2023, advising organizations to adopt alternative security measures such as Defender for Endpoint Attack Surface Reduction (ASR) rules, Protected View, and Windows Defender Application Control (WDAC).
Five months later, in April 2024, Microsoft officially began retiring the feature. The company explained that going forward, Office files would open in Protected View, a restricted mode that disables most editing capabilities to reduce risk.
“Files will open in Protected View instead. Admins should enable Microsoft Defender for Endpoint ASR rules and Windows Defender Application Control to maintain security. No admin action is required for removal.”
Microsoft stated that this transition aligns with the end of support for Windows 11 version 23H2, aiming to simplify the security experience for enterprise users while maintaining a strong defense against document-based threats.
The removal of MDAG will occur gradually across different Office update channels:
- Current Channel: February 2026 (version 2602)
- Monthly Enterprise Channel: April 2026
- Semi-Annual Enterprise Channel: July 2026
Microsoft expects the complete removal to be finalized with Office version 2612, which will reach:
- Current Channel users by December 2026
- Monthly Enterprise Channel users by February 2027
- Semi-Annual Enterprise Channel users by July 2027
Recommendations for IT Administrators
To maintain strong protection against malicious Office files after MDAG’s retirement, Microsoft advises IT teams to:
- Enable Defender for Endpoint ASR rules to prevent dangerous actions within Office documents.
- Activate WDAC to restrict execution to trusted, signed applications only.
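As an added example, not Microsoft’s code or the roundup’s own, the PowerShell below shows how an administrator might carry out the two recommendations on a pilot host: the Office-focused ASR rules are first set to audit mode, the Defender operational log is queried for the audit events that show what the rules would have blocked, and only then are they switched to enforcement; a WDAC policy is generated from a reference machine in audit mode so it can be reviewed before it restricts execution. The function names (`Set-OfficeAsrRules`, `Get-OfficeAsrState`, `Get-AsrAuditEvents`, `New-WdacAuditPolicy`) are the example’s own. The four rule GUIDs are Microsoft’s published ASR rule identifiers as the author of this example knows them; confirm them against the current ASR rule reference before deployment. It assumes an elevated session on a Windows 10/11 Enterprise host running Microsoft Defender Antivirus with the ConfigCI module available.

```powershell
# Added example (not Microsoft's or the roundup's code): stage the Office-related
# ASR rules in audit mode, review, then enforce; build a WDAC policy in audit mode.
# Assumptions: elevated session, Windows 10/11 Enterprise, Microsoft Defender
# Antivirus, ConfigCI module present. Verify the GUIDs against Microsoft's ASR reference.
$OfficeAsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-5D21-4C2C-9AA0-9E7D5DEB6B5D' = 'Block Win32 API calls from Office macros'
}

function Set-OfficeAsrRules {
    # Start with AuditMode; switch to Enabled once the audit events show no business impact.
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    foreach ($id in $OfficeAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-9} {1}" -f $Mode, $OfficeAsrRules[$id])
    }
}

function Get-OfficeAsrState {
    # Defender reports rule IDs and actions as two parallel arrays (actions are numeric codes).
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        if ($OfficeAsrRules.ContainsKey($id)) {
            [pscustomobject]@{
                Rule   = $OfficeAsrRules[$id]
                Action = $pref.AttackSurfaceReductionRules_Actions[$i]
            }
        }
    }
}

function Get-AsrAuditEvents {
    # Event 1122 = rule would have fired (audit); 1121 = rule blocked (enforced).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function New-WdacAuditPolicy {
    # Build a publisher-based allow policy from a reference machine, in audit mode,
    # so the policy can be reviewed before it actually restricts execution.
    param([string]$OutDir = (Join-Path $env:TEMP 'wdac'))
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $xml = Join-Path $OutDir 'OfficeHostPolicy.xml'
    New-CIPolicy -FilePath $xml -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\Program Files'
    Set-RuleOption -FilePath $xml -Option 3          # option 3 = Enabled:Audit Mode
    ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath (Join-Path $OutDir 'OfficeHostPolicy.cip') | Out-Null
    return $xml
}

Set-OfficeAsrRules -Mode AuditMode
Get-OfficeAsrState | Format-Table -AutoSize
# Review Get-AsrAuditEvents output for false positives, then enforce:
# Set-OfficeAsrRules -Mode Enabled
```

Keeping the rules in audit mode for a pilot period first matters because the child-process and Win32-API rules can interfere with legitimate add-ins and line-of-business macros; the audit events identify exactly which documents and processes would be affected before enforcement.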
Defender Application Guard for Office was initially introduced in November 2019 as a limited preview and later made available to organizations with Microsoft 365 E5 or E5 Security licenses. After several years of service, its capabilities are now being integrated into other Microsoft 365 security features, signaling a strategic move toward a more unified protection model.
- Europe Sees Increase in Ransomware, Extortion Attacks
European organizations are increasingly in the crosshairs of ransomware operators, now representing nearly 22% of global ransomware and extortion victims, according to CrowdStrike’s newly released 2025 European Threat Landscape Report.
The findings reveal that the UK, Germany, France, Italy, and Spain are among the most heavily targeted nations, with threat activity in the region accelerating dramatically. CrowdStrike researchers observed a 13% year-over-year increase in entries on dedicated leak sites (DLS) naming European entities. Notably, some groups, such as Scattered Spider, have cut their attack deployment time to as little as 24 hours.
The report identifies manufacturing, professional services, technology, industrial and engineering, and retail as the most frequently attacked industries. Ransomware families like Akira, LockBit, RansomHub, INC, Lynx, and Sinobi have been particularly active across Europe, especially in big-game hunting (BGH) campaigns that target large, high-value organizations.
Researchers attribute Europe’s prominence as a target to several factors: its complex legal frameworks, geopolitical tensions, and the financial appeal of established businesses across the continent.
CrowdStrike notes that Russia’s invasion of Ukraine and the Israel–Hamas conflict continue to amplify regional cyber risks. These events have contributed to a rise in DDoS attacks, hack-and-leak operations, and website defacements, reflecting the intersection of political motives and cybercrime.
Looking ahead, vishing (voice phishing) is expected to become a dominant tactic among cybercriminals. Attackers use phone calls to trick victims into sharing credentials or sensitive information. With the integration of AI voice cloning technologies, these scams are becoming increasingly convincing, often mimicking trusted voices to gain access.
While North America remains a preferred target for many groups, CrowdStrike assesses with moderate confidence that Europe will face growing exposure to vishing and similar AI-enhanced social engineering tactics.
Beyond traditional cyberattacks, the report highlights a disturbing evolution: the convergence of digital and physical crime. Threat actors are exploiting models such as malware-as-a-service (MaaS), violence-as-a-service, and physical cryptocurrency theft.
Since 2024, CrowdStrike has documented 17 incidents involving kidnappings and physical attacks, many tied to groups like “The Com”, a network of young, English-speaking hackers, and the Russia-linked Renaissance Spider. These groups reportedly coordinate via Telegram-based networks, engaging in activities ranging from arson to kidnapping, including the January 2025 abduction of a Ledger cryptocurrency wallet co-founder in France.
To counter this rising tide of cyber and hybrid attacks, CrowdStrike advises European organizations to:
- Leverage agentic AI to enhance and scale security operations.
- Strengthen identity management across the enterprise ecosystem.
- Eliminate visibility gaps across domains and networks.
- Treat cloud environments as core infrastructure requiring robust defense measures.
As ransomware operators continue to evolve and operate at unprecedented speed, proactive security modernization will be essential for European organizations striving to stay ahead of adversaries in 2025 and beyond.
References:
https://thehackernews.com/2025/11/a-cybercrime-merger-like-no-other.html
https://www.darkreading.com/cyberattacks-data-breaches/europe-increase-ransomware-extortion