Canary Trap’s Bi-Weekly Cyber Roundup

Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. Our mission is to keep you informed with the most pressing developments in the world of cybersecurity. This digest serves as your gateway to critical updates and emerging threats across the industry.

The past week has been packed with major developments in cybersecurity, from record-shattering DDoS attacks and critical Cisco zero-day exploits to high-profile arrests and multimillion-dollar ransomware operations. At the same time, the rise of AI-powered attack tools like SpamGPT underscores how quickly adversaries are adapting their methods. Here’s a roundup of the most significant stories shaping the security landscape right now.

  • Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps

Cloudflare announced this week that it successfully stopped another record-breaking distributed denial-of-service (DDoS) attack, marking a new milestone in the scale and sophistication of such threats.

The assault lasted just 40 seconds but peaked at 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps), nearly double the 11.5 Tbps attack that Cloudflare had reported as the previous record earlier in September.

According to Cloudflare, the attack was aimed at a single IP address belonging to a European network infrastructure provider. Despite its unprecedented scale, the company’s automated defenses absorbed and neutralized the traffic without service disruption.

While attribution remains uncertain, Cloudflare suggested that the Aisuru botnet, a network of compromised Internet of Things (IoT) devices such as routers and DVRs, may have been behind the attack. Aisuru has a track record of high-profile campaigns, including the 6.3 Tbps strike against security researcher Brian Krebs’ website earlier this year.

Cloudflare’s telemetry showed traffic from more than 404,000 unique source IPs across 14 autonomous systems (ASNs). Importantly, the addresses were confirmed not to be spoofed, so that count reflects real compromised devices rather than forged source addresses.

The attack used a UDP carpet-bombing technique, spreading traffic across an average of 31,000 destination ports per second, with bursts peaking at 47,000 ports, all aimed at a single IP address. Spreading a flood across ports is meant to defeat mitigations keyed on one destination port or service, which is why the number of distinct ports and distinct sources hitting a victim per second is a more useful signal than the volume on any single port.
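As an added example (not Cloudflare’s code and not part of the original roundup), the following Python flags this carpet-bombing pattern in flow records: it counts distinct destination ports and distinct source IPs per victim IP per second and alerts only when both are high, so a single-host port scan or a busy DNS server does not trip it. The flow records are constructed, and the two thresholds are assumed values to be tuned against your own baseline.

```python
"""Flag UDP carpet bombing in flow records: many distinct destination ports
on one victim IP, from many sources, within a single second.

Added example for this roundup; it is not Cloudflare's code. The flow
records are constructed and the two thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch second the flow was observed
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port
    proto: str   # "udp" or "tcp"


PORT_THRESHOLD = 1000  # distinct destination ports per second (assumed)
SRC_THRESHOLD = 500    # distinct source IPs per second (assumed)


def detect_carpet_bomb(flows, port_threshold=PORT_THRESHOLD,
                       src_threshold=SRC_THRESHOLD):
    """Return one alert per (victim, second) that looks like carpet bombing."""
    ports = defaultdict(set)   # (dst, second) -> distinct destination ports
    srcs = defaultdict(set)    # (dst, second) -> distinct source IPs
    for f in flows:
        if f.proto != "udp":
            continue
        key = (f.dst, f.ts)
        ports[key].add(f.dport)
        srcs[key].add(f.src)

    alerts = []
    for key in sorted(ports):
        n_ports, n_srcs = len(ports[key]), len(srcs[key])
        # A single scanner hitting many ports has few sources; a normal
        # service has few ports. Both counts must be high to alert.
        if n_ports >= port_threshold and n_srcs >= src_threshold:
            alerts.append({"dst": key[0], "second": key[1],
                           "ports": n_ports, "sources": n_srcs})
    return alerts


def constructed_flows(seed=1):
    """Build a sample: normal DNS/NTP traffic, a two-second attack, a scan."""
    rng = random.Random(seed)
    flows = []
    for i in range(50):  # benign background at seconds 1000-1004
        flows.append(Flow(1000 + i % 5, f"198.51.100.{i % 20}",
                          "203.0.113.10", rng.choice([53, 123]), "udp"))
    for t in (1003, 1004):  # attack: 3000 sources, random ports, one victim
        for i in range(3000):
            src = f"10.{(i // 256) % 256}.{i % 256}.{rng.randrange(256)}"
            flows.append(Flow(t, src, "203.0.113.10",
                              rng.randrange(1, 65536), "udp"))
    # a port scan from one host: many ports but one source, must not alert
    for p in range(1, 2001):
        flows.append(Flow(1006, "192.0.2.77", "203.0.113.10", p, "udp"))
    return flows


if __name__ == "__main__":
    for alert in detect_carpet_bomb(constructed_flows()):
        print(alert)
```

Run as-is, it reports two alerts, for seconds 1003 and 1004 against 203.0.113.10, and stays silent for the background traffic and the single-source scan. Against real NetFlow or sFlow exports you would feed `Flow` objects from your collector and set the thresholds from a few days of per-victim baselines.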

This event underscores a worrying trend: DDoS attacks are growing faster in both size and frequency. In fact, Cloudflare previously reported that the number of attacks blocked in just the first half of 2025 had already surpassed the total mitigated in all of 2024.

  • Cisco Warns of IOS Zero-Day Vulnerability Exploited in Attacks

Cisco has rolled out urgent security fixes to address a zero-day vulnerability in its IOS and IOS XE software that attackers are already leveraging in live campaigns.

The issue, cataloged as CVE-2025-20352, stems from a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem. Any device running IOS or IOS XE with SNMP enabled is at risk, and all SNMP versions (1, 2c, and 3) are affected.

An attacker with low privileges, meaning a read-only SNMPv1/v2c community string or valid SNMPv3 user credentials, can exploit the flaw to trigger a denial-of-service (DoS) condition, forcing an unpatched device to reload.

An attacker who also holds administrative (privilege level 15) credentials on the device can go a step further, executing arbitrary code as root and potentially taking full control of it.

Exploitation requires sending specially crafted SNMP packets to the device over IPv4 or IPv6, so an attacker needs network reachability to the SNMP agent as well as the credentials above. Cisco’s Product Security Incident Response Team (PSIRT) confirmed that attackers have already exploited this flaw in the wild, in the observed cases after obtaining valid local administrator credentials.

There is no workaround; the only complete fix is upgrading to a patched release, and Cisco recommends doing so urgently. Where immediate patching isn’t possible, administrators can reduce exposure by restricting SNMP access to trusted management hosts and users, for example by attaching an access list to every community string and SNMPv3 group, and by auditing who actually holds SNMP credentials, since exploitation requires them.

“To fully resolve this vulnerability and prevent further exploitation, customers must update to the fixed software releases,” Cisco emphasized in its advisory.
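The following Python is an added example (not Cisco’s tooling and not from the original roundup) of the kind of configuration audit that tells you how exposed an SNMP agent is before the patch lands: it parses the snmp-server lines of a running-config and flags v1/v2c communities with no access list, RW communities, default community names, and SNMPv3 groups configured below the priv security level. The configuration text is constructed, and the finding codes are this example’s own.

```python
"""Audit an IOS/IOS XE running-config for SNMP exposure.

Added example for this roundup, not Cisco tooling. The configuration text
is constructed, and the finding codes are this example's own. Flags:
v1/v2c communities without an access list, RW communities, default
community names, and SNMPv3 groups configured below the priv level.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed running-config excerpt (assumed data): a mix of weak and
# hardened SNMP lines so the audit has something to flag and something to pass.
CONSTRUCTED_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server community monitor view restricted RO 20
snmp-server group OPS v3 noauth
snmp-server group NMS v3 priv read restricted access 20
snmp-server view restricted iso included
snmp-server host 10.0.0.5 version 3 priv nmsuser
!
"""


def parse_community(line):
    """Parse 'snmp-server community <str> [view V] [RO|RW] [ipv6 ACL6] [ACL]'."""
    tokens = line.split()
    rest = tokens[3:]
    info = {"community": tokens[2], "view": None, "mode": "RO",
            "ipv6_acl": None, "acl": None}   # IOS defaults to read-only
    i = 0
    while i < len(rest):
        tok = rest[i].lower()
        if tok == "view":
            info["view"] = rest[i + 1]
            i += 2
        elif tok in ("ro", "rw"):
            info["mode"] = tok.upper()
            i += 1
        elif tok == "ipv6":
            info["ipv6_acl"] = rest[i + 1]
            i += 2
        else:
            info["acl"] = rest[i]   # trailing standard/extended ACL number or name
            i += 1
    return info


def audit_snmp_config(config_text):
    """Return (subject, finding) tuples; an empty list means nothing to flag."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() != "snmp-server":
            continue   # any snmp-server command enables the agent; others are noise
        kind = parts[1].lower()
        if kind == "community":
            c = parse_community(line)
            name = c["community"]
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((name, "DEFAULT_NAME"))
            if c["mode"] == "RW":
                findings.append((name, "RW_COMMUNITY"))   # write access = config changes
            if c["acl"] is None and c["ipv6_acl"] is None:
                findings.append((name, "NO_ACL"))         # reachable from any source
        elif kind == "group" and "v3" in (p.lower() for p in parts):
            group = parts[2]
            m = re.search(r"\bv3\s+(noauth|auth|priv)\b", line, re.IGNORECASE)
            level = m.group(1).lower() if m else "noauth"
            if level != "priv":
                findings.append((group, f"V3_{level.upper()}"))  # no encryption
            if "access" not in (p.lower() for p in parts):
                findings.append((group, "NO_ACL"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_snmp_config(CONSTRUCTED_CONFIG):
        print(f"{finding:14} {subject}")
```

On the constructed config it flags the public community (default name, no ACL), the s3cret RW community, and the OPS v3 group (noauth, no ACL), while the monitor community and the NMS group, which are scoped by a view, an ACL and priv, pass clean. Feed it the output of `show running-config` from each device to get a quick list of where an attacker who already holds a community string or SNMPv3 credentials could reach the vulnerable subsystem from.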

Alongside this zero-day patch, Cisco shipped 13 more security updates in the same batch, including:

CVE-2025-20240 – A reflected cross-site scripting (XSS) bug in IOS XE that can let unauthenticated attackers steal session cookies.

CVE-2025-20149 – A DoS vulnerability that allows authenticated local users to crash and reload devices.

This follows Cisco’s May release addressing a critical IOS XE flaw in Wireless LAN Controllers that allowed remote takeover via a hardcoded JSON Web Token (JWT).

  • UK Agency Makes Arrest in Airport Cyberattack Investigation

The UK’s National Crime Agency (NCA) has arrested a suspect in connection with a major ransomware attack that recently disrupted airport operations worldwide.

The cyberattack, which began on September 19, targeted Collins Aerospace technology, specifically the ARINC SelfServ cMUSE software. This system is widely used at airports to manage passenger check-ins and baggage handling. The outage forced multiple airports to revert to manual processes, resulting in chaos across Europe and beyond.

Airports hit by the incident included London Heathrow, Berlin Brandenburg, and Brussels Airport, where hundreds of flights were delayed or canceled. The disruption spilled into the workweek, causing significant operational strain on both sides of the Atlantic.

Following the incident, the NCA, working with a regional organized crime unit, detained a man in his forties in West Sussex under suspicion of Computer Misuse Act offences. He has since been released on conditional bail as investigations continue.

Paul Foster, Deputy Director of the NCA’s National Cyber Crime Unit, emphasized that while the arrest marks progress, the probe remains ongoing. He reiterated the persistent and global nature of cybercrime, stressing the NCA’s commitment to protecting the public in collaboration with international partners.

Before the arrest, Collins Aerospace had confirmed the disruption was cyber-related, acknowledging that its check-in and baggage systems had malfunctioned. Several airports, including Brussels, described the event explicitly as a cyberattack and warned travelers of continued delays while manual processes were in place.

The European Union Agency for Cybersecurity (ENISA) later confirmed the incident was a ransomware attack, though no group has yet claimed responsibility.

This attack underscores the fragility of critical infrastructure when targeted by cybercriminals. Aviation, which relies heavily on interconnected technologies, remains an attractive target for ransomware operators. The investigation is ongoing, and authorities are working to uncover the full scope of the breach and identify those behind it.

  • DOJ: Scattered Spider Took $115 Million in Ransoms, Breached a US Court System

A U.S. Department of Justice (DOJ) complaint unsealed this week shed new light on the Scattered Spider cybercrime group, revealing that the operation extorted more than $115 million from victims over the past three years and even managed to compromise a U.S. federal court system.

Authorities announced the arrest of 19-year-old U.K. citizen Thalha Jubair, who was taken into custody in London and charged in the U.S. with conspiracy to commit computer fraud, wire fraud, and money laundering. Prosecutors allege that Jubair and his associates were behind at least 120 cyberattacks, including intrusions affecting 47 organizations based in the U.S.

According to investigators, victims collectively paid more than $115 million in ransom to the group, with two organizations alone handing over $25 million and $36.2 million in separate incidents. The FBI says it traced ransom flows, stolen data, and attack infrastructure back to servers registered to Jubair.

The DOJ states that Jubair and his co-conspirators were active from May 2022 until this month, targeting major corporations as well as the United States Courts network, where they accessed sensitive employee information and attempted to locate subpoenas related to themselves and the Scattered Spider group.

Investigators noted that most of the incidents bore Scattered Spider’s familiar social engineering fingerprint: attackers posing as employees would call an organization’s helpdesk and request a password reset, then compromise administrator accounts, exfiltrate sensitive data, and deploy ransomware. The whole chain hinges on a helpdesk granting a reset without strong verification of the caller’s identity.

“These attacks caused significant disruption to U.S. businesses, critical infrastructure, and even the federal court system,” said Acting Assistant Attorney General Matthew Galeotti, emphasizing the escalating risk posed by increasingly bold cybercriminal operations. If convicted, Jubair could face up to 95 years in prison.

Court filings allege that Jubair phoned the judiciary’s IT helpdesk in January, successfully obtaining a reset for a court employee’s account. Once inside, he and accomplices compromised additional accounts, including one belonging to a federal judge, and searched email inboxes for subpoenas linked to Scattered Spider.

Attackers also attempted to access another judge’s account connected to prior legal proceedings involving the group and even sent a fraudulent request for sensitive customer data from a compromised account.

Investigators found evidence that Jubair’s servers were used to manage these intrusions, download stolen data, and perform reconnaissance on targeted victims. Prosecutors say the stolen information included thousands of records on court personnel.

Authorities were able to link Jubair to the servers and cryptocurrency wallets through a mix of digital breadcrumbs and real-world activity. Among the clues:

  • Telegram accounts tied to Jubair were used to discuss cyberattacks, ransom payments, and profit-sharing. An IP address linked to his gaming account was also used to log into one of those Telegram accounts.

  • A cryptocurrency wallet connected to his servers held $36 million in ransom payments and was used to purchase gift cards for food deliveries traced back to Jubair’s London apartment complex.

  • Investigators also found gift cards redeemed on gaming platforms through accounts in his name.

  • A witness later identified Jubair from a photo lineup as the individual behind one of the Telegram accounts.

The FBI coordinated the case with the U.K. National Crime Agency, West Midlands Police, City of London Police, and partners in Canada, Romania, Australia, and the Netherlands. Jubair appeared in Westminster Magistrates Court on Thursday, alongside another teenager, 18-year-old Owen Flowers, accused of participating in a cyberattack against Transport for London in 2024.

Scattered Spider has previously claimed responsibility for high-profile breaches affecting companies in the insurance, retail, and aviation sectors. However, recent law enforcement pressure has shaken the group. Just last week, members abruptly shut down one of their Telegram channels, hinting at the arrests and criminal cases as the reason for stepping back.

  • SpamGPT: The AI Tool Elevating Email Security Threats for Enterprises

A new toolkit called SpamGPT has surfaced on dark web forums, and it’s being marketed as a breakthrough for cybercriminals. Unlike traditional spam tools, this platform blends generative AI with a full suite of automation capabilities, making it easier than ever to launch large-scale phishing and spam campaigns.

SpamGPT is being touted as a “spam-as-a-service” platform that combines the look and feel of a professional email marketing solution with malicious intent. From managing SMTP servers to fine-tuning inbox deliverability, it packages advanced attack infrastructure into a user-friendly dashboard.

At first glance, SpamGPT resembles a high-end marketing platform, complete with campaign managers, analytics dashboards, and deliverability testing modules. The difference? Every feature is optimized for cybercrime.

The interface is dark-themed, polished, and includes tools for campaign creation and scheduling, SMTP/IMAP setup and validation, real-time monitoring and analytics, and more.

The platform even comes with an AI assistant called “KaliGPT,” designed to generate phishing templates, suggest subject lines, and refine targeting strategies. In effect, attackers no longer need copywriting skills; SpamGPT provides ready-to-use social engineering content on demand.

One of SpamGPT’s selling points is its focus on scale and inbox success. Advertisements claim that it can reliably land phishing emails in Gmail, Outlook, Yahoo, and Microsoft 365 inboxes, bypassing modern spam filters.

This is achieved by sending through legitimate cloud and email providers such as AWS or SendGrid, so malicious traffic blends with trusted mail streams and borrows those providers’ sending reputation. Attackers can also spoof multiple sender identities, manipulate headers, and rotate SMTP accounts, all from within the platform. Spoofed sender identities only survive where authentication is lax: a receiving domain that does not evaluate SPF, DKIM, and DMARC, or a spoofed sender domain whose SPF record ends in a permissive qualifier or whose DMARC policy is p=none or missing altogether.

SpamGPT also offers an SMTP “cracking” training program, teaching buyers how to generate or compromise servers at scale. This means even low-skilled actors can obtain a steady supply of SMTP credentials to fuel their campaigns.

The platform doesn’t stop at sending emails; it delivers full campaign orchestration and reporting, much like an enterprise-grade CRM. Operators can rotate multiple SMTP servers to avoid throttling, test inbox placement automatically with IMAP accounts, and track delivery rates, opens, and engagement in real time.

Historically, running a successful phishing campaign required technical expertise and infrastructure. SpamGPT changes that equation. With a GUI-driven toolkit priced around $5,000, even less-experienced actors can execute sophisticated campaigns with minimal effort.

This democratization of phishing-as-a-service means enterprises face a growing volume of AI-enhanced phishing attempts, crafted to be persuasive, scalable, and harder to filter. Organizations can take several proactive measures: enforce strict email authentication (a DMARC policy of reject on their own domains and SPF/DKIM/DMARC evaluation on inbound mail), adopt email security tools capable of spotting AI-generated phishing attempts, monitor for abnormal email behavior, and share threat intelligence to stay ahead of evolving tactics.
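To see how lax the authentication policies discussed above actually are for a given domain, here is an added Python example (not Varonis’s code and not from the original roundup) that grades a domain’s SPF and DMARC records: it reports an SPF record that passes or stays neutral for unlisted senders, and a DMARC policy that is missing, set to none, quarantine-only, applied to less than 100 percent of mail, or left open for subdomains. The DNS answers are a constructed in-memory table so the check runs offline; the domain names and records are assumed. DKIM is not graded here because it needs the selector names to query.

```python
"""Rate a domain's SPF and DMARC posture: would spoofed mail claiming
this domain be rejected, or merely observed?

Added example for this roundup; not Varonis's code. DNS answers come
from a constructed in-memory table (assumed data) so it runs offline;
swap lookup_txt() for a real TXT query to use it live.
"""

# Constructed TXT records: DNS name -> list of TXT strings (assumed data).
CONSTRUCTED_DNS = {
    # permissive: SPF is neutral for unlisted senders, DMARC only monitors
    "weak.example": ["v=spf1 include:_spf.sendgrid.net ip4:203.0.113.0/24 ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    # enforcing: SPF hard-fails, DMARC rejects, applied to all mail
    "strict.example": ["v=spf1 include:_spf.sendgrid.net ip4:203.0.113.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; sp=reject; pct=100; "
                              "adkim=s; aspf=s; rua=mailto:dmarc@strict.example"],
    # worst case: every host passes SPF, and there is no DMARC record at all
    "nodmarc.example": ["v=spf1 +all"],
}


def lookup_txt(name, dns=CONSTRUCTED_DNS):
    """Stand-in for a DNS TXT query against the constructed table."""
    return dns.get(name.lower(), [])


def parse_spf(txt):
    """Return the SPF terms after 'v=spf1', or None if not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_domain(domain, dns=CONSTRUCTED_DNS):
    """Return a list of finding codes; an empty list means enforcing."""
    findings = []

    spf = next((parse_spf(t) for t in lookup_txt(domain, dns)
                if t.lower().startswith("v=spf1")), None)
    if spf is None:
        findings.append("SPF_MISSING")
    else:
        # The 'all' term's qualifier decides the verdict for any sender not
        # matched earlier; a record with no 'all' term defaults to neutral.
        all_term = next((t for t in spf if t.lstrip("+-~?").lower() == "all"), "?all")
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF_PASS_ALL")      # any host on earth passes SPF
        elif qualifier == "?":
            findings.append("SPF_NEUTRAL_ALL")   # SPF gives no verdict at all
        # '~all' and '-all' both count as non-pass for DMARC purposes

    dmarc = next((parse_dmarc(t) for t in lookup_txt(f"_dmarc.{domain}", dns)
                  if t.lower().startswith("v=dmarc1")), None)
    if dmarc is None:
        findings.append("DMARC_MISSING")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC_P_NONE")          # monitor only, nothing blocked
        elif policy == "quarantine":
            findings.append("DMARC_P_QUARANTINE")    # spam-foldered, not rejected
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("DMARC_PCT_PARTIAL")     # policy sampled, not enforced
        if dmarc.get("sp", "").lower() == "none" and policy != "none":
            findings.append("DMARC_SP_NONE")         # subdomains left spoofable
    return findings


if __name__ == "__main__":
    for d in ("weak.example", "strict.example", "nodmarc.example"):
        print(d, assess_domain(d) or "enforcing")
```

On the constructed table, weak.example comes back with SPF_NEUTRAL_ALL and DMARC_P_NONE (exactly the posture a spoofing kit relies on), nodmarc.example with SPF_PASS_ALL and DMARC_MISSING, and strict.example clean. Run the same checks against your own sending domains first; the point of a reject policy is that a rotated SMTP account spoofing your domain fails authentication at every receiver that honours DMARC.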

SpamGPT highlights a new frontier in cybercrime, where generative AI is directly weaponized for mass phishing. The same technologies that help legitimate businesses reach customers are now being twisted to exploit trust at scale. Defenders must adapt just as quickly, combining policy enforcement, advanced detection, and collaboration to counter this rising threat.

References: 

https://www.securityweek.com/record-breaking-ddos-attack-peaks-at-22-tbps-and-10-bpps/

https://www.bleepingcomputer.com/news/security/cisco-warns-of-ios-zero-day-vulnerability-exploited-in-attacks/

https://www.theregister.com/2025/09/24/uk_agency_makes_arrest_in/

https://therecord.media/scattered-spider-unsealed-charges-115million-extortion-breached-courts-system

https://www.varonis.com/blog/spamgpt
