Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.
This week’s cybersecurity roundup dives into pressing global threats and vulnerabilities impacting industries and governments alike. Highlights include Zafran’s discovery of a widespread WAF vulnerability affecting Fortune 1000 companies, and scammers exploiting the Canada Post strike for fraudulent campaigns. We also cover Deloitte’s response to claims of data theft by a ransomware group, the use of QR codes to bypass browser isolation for malicious command-and-control communication, and a scam campaign using fake video conferencing apps to steal sensitive data from Web3 professionals.
- Zafran Uncovers Widespread WAF Vulnerability at Fortune 1000 Companies
Researchers at Zafran have identified a widespread misconfiguration in how organizations deploy cloud Web Application Firewalls (WAFs) from major providers such as Akamai, Cloudflare, and Imperva, exposing over 140,000 domains, including those of prominent companies such as JPMorgan Chase, Visa, and Intel. The flaw lets attackers sidestep the WAF entirely, leaving the web applications behind it open to Distributed Denial-of-Service (DDoS) attacks and data breaches.
The issue is architectural rather than a bug in any one product. Cloud WAFs sit in front of the application as a Content Delivery Network (CDN) reverse proxy, but the origin (backend) servers are frequently left reachable from anywhere on the internet instead of accepting connections only from the CDN provider. An attacker who discovers the origin’s real IP address can therefore send requests straight to it, bypassing every WAF and DDoS protection the CDN provides. Zafran reports that the misconfiguration affects the critical infrastructure of 40% of Fortune 1000 companies.
Key findings: attackers can map backend IP addresses and bypass the CDN security layer outright; affected companies face credential theft, ransomware attacks, and operational disruption; and exposed industries such as finance and healthcare face potential losses of up to $1.8 million per DDoS incident.
To mitigate the risk, Zafran recommends three controls at the origin: IP allowlisting, so the origin accepts connections only from the CDN provider’s published IP ranges; a shared secret that the CDN inserts into a custom HTTP header and the origin validates on every request; and mutual TLS (mTLS) between the CDN and the origin, the most robust of the three, though its adoption may require additional resources.
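The first two of those controls can be enforced in a few lines at the origin. The following is an added illustration written for this roundup, not code from Zafran or from any CDN vendor. The CDN address ranges, the header name, and the secret value are hypothetical placeholders; a real deployment would load the provider’s published ranges and rotate the secret. The check deliberately uses the TCP peer address rather than a forwarded-for header, because on a direct connection the attacker controls every header.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

# Hypothetical CDN egress ranges (assumption for this example, not a
# provider's real list). Production code would refresh these on a schedule.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Hypothetical shared secret that the CDN is configured to inject into every
# request it proxies to the origin. Name and value are placeholders.
SECRET_HEADER = "X-Origin-Auth"
SHARED_SECRET = b"replace-with-a-long-random-value"


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request at the origin."""
    peer_ip: str                          # TCP peer address, NOT X-Forwarded-For
    headers: dict = field(default_factory=dict)


def from_cdn_range(peer_ip: str) -> bool:
    """True only if the connecting address is inside an allowlisted CDN range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in CDN_RANGES)


def secret_header_ok(headers: dict) -> bool:
    """Constant-time comparison of the presented secret against the expected one."""
    presented = headers.get(SECRET_HEADER, "").encode()
    return hmac.compare_digest(presented, SHARED_SECRET)


def origin_accepts(req: Request) -> tuple:
    """Return (accepted, reason). Both checks must pass.

    The allowlist stops direct-to-origin traffic from arbitrary hosts; the
    secret additionally rejects requests that reach the origin from an
    allowlisted CDN address but did not pass through this site's WAF config.
    """
    if not from_cdn_range(req.peer_ip):
        return False, "peer address not in CDN allowlist"
    if not secret_header_ok(req.headers):
        return False, "missing or wrong shared-secret header"
    return True, "ok"


if __name__ == "__main__":
    good = Request("203.0.113.9", {SECRET_HEADER: SHARED_SECRET.decode()})
    direct = Request("192.0.2.10", {SECRET_HEADER: SHARED_SECRET.decode()})
    print(origin_accepts(good))    # accepted
    print(origin_accepts(direct))  # rejected: attacker hit the origin directly
```

Two design notes: the `hmac.compare_digest` call avoids leaking the secret through response-time differences, and requiring the header even for allowlisted addresses matters because shared CDN ranges carry traffic for many tenants, so a source address alone does not prove the request traversed your WAF rules. mTLS replaces the shared secret with a per-connection client certificate check and is the stronger option where the CDN supports it.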
This vulnerability underscores the importance of proper configuration and continuous evaluation of security measures. As businesses increasingly rely on CDN-based WAFs, addressing such architectural flaws is critical to strengthening their defense against sophisticated cyberattacks.
- Scammers Exploit Canada Post Strike with Fraud Campaigns
Canadians are experiencing a dramatic rise in scams as cybercriminals exploit confusion surrounding the ongoing Canada Post strike. This surge includes phishing emails, smishing text messages, and deepfake-based fraud targeting unsuspecting individuals. The strike, which began on November 15 following failed negotiations between Canada Post and the Canadian Union of Postal Workers (CUPW), has disrupted national mail services, creating an ideal environment for scammers to take advantage of heightened uncertainty, particularly during the busy holiday shopping season.
The scams range from fake package delivery notifications to advanced deepfake phone calls designed to steal personal and financial information. Fraudsters send messages mimicking official Canada Post communications, often claiming issues such as “missing address” problems or payment requirements to release packages. These phishing messages direct victims to fraudulent websites that harvest sensitive details or request small payments that expose victims’ financial data.
One of the most concerning developments is the use of deepfake technology. Scammers are deploying realistic voice and video manipulations to impersonate Canada Post representatives, making it harder for victims to distinguish real from fake. This method is particularly effective in pressuring individuals to provide sensitive information under the guise of resolving delivery issues.
Scammers have also been exploiting the strike-induced delays by posing as courier services offering priority delivery for a fee. These schemes prey on holiday shipping stress and the urgency created by disruptions in regular services. According to cybersecurity experts, the timing of these fraudulent campaigns demonstrates how cybercriminals capitalize on real-world events to increase their success rates.
The Canada Post strike has caused significant logistical and economic disruptions. Businesses across Canada, particularly small- and medium-sized enterprises, have faced substantial losses during the critical holiday period, with daily revenue losses estimated at $76.6 million by the Canadian Federation of Independent Business (CFIB). These losses are compounded by existing supply chain challenges, including recent port and rail disruptions.
Cybersecurity experts emphasize the importance of vigilance in combating these scams. Fraud reports rose sharply during the strike; in one case, up to 87 incidents were linked to the same IP address in a single day. Authorities urge Canadians to verify communications, avoid clicking on suspicious links, and monitor financial accounts for unauthorized transactions.
Additional advice includes recognizing common red flags in fraudulent communications, such as grammatical errors, unfamiliar tracking numbers, and non-standard URLs. Deepfake calls often exhibit subtle inconsistencies in speech or audio quality, which can help individuals identify potential scams. Reporting suspicious activity to the Canadian Anti-Fraud Centre (CAFC) is also critical in tracking and mitigating these threats.
- Deloitte Responds After Ransomware Group Claims Data Theft
Deloitte has addressed claims by the ransomware group Brain Cipher that it stole more than one terabyte of compressed data from the company. The group announced the attack on its Tor-based leak site, stating the data would be released in five days if a ransom was not paid.
In response, a Deloitte spokesperson said the company’s internal investigation indicated that the allegations relate to a single client’s system, which sits outside the Deloitte network, and that no Deloitte systems have been impacted.
Brain Cipher, active since at least April 2024, gained notoriety in June after a cyberattack on an Indonesian data center disrupted government operations and critical services. The group has targeted healthcare, education, and manufacturing, among other sectors, using ransomware based on LockBit to encrypt files and exfiltrate data. Researchers have also identified links to other ransomware operations, including SenSayQ and EstateRansomware.
This marks the second hacking-related incident Deloitte has faced in recent months. In September, the hacker IntelBroker claimed to have accessed sensitive Deloitte data, though the company stated the impact of that breach was limited.
- QR Codes Bypass Browser Isolation for Malicious C2 Communication
Mandiant researchers have described a novel method of bypassing browser isolation technologies by using QR codes as a command-and-control (C2) channel, highlighting a gap in browser isolation and underscoring the need for layered defenses.
Browser isolation is a security measure that processes web browsing activity in a remote environment, such as cloud-hosted virtual machines. By executing scripts and content in these isolated browsers, only a visual representation (pixel stream) is transmitted to the user’s local browser. This protects the local system from exposure to malicious code embedded in web pages.
C2 channels let attackers control compromised devices remotely, execute commands, and exfiltrate data, and most C2 implants rely on HTTP for that communication. Browser isolation breaks this model: because the isolated browser fetches the page and forwards only rendered pixels, an implant that drives the local browser never receives the attacker’s HTTP response body and so cannot read commands out of it. Mandiant’s technique targets the one thing isolation must let through, namely what the page looks like.
The researchers encode commands in a QR code rendered on an attacker-controlled web page. Browser isolation does not strip visual content, so the QR code reaches the victim’s screen as pixels. In the proof-of-concept, malware on the victim’s device drives a headless browser to load the page, captures the rendered QR code, decodes it locally, and executes the embedded command. Mandiant demonstrated the attack against Google Chrome using the External C2 feature of Cobalt Strike, a penetration-testing framework widely abused by real attackers.
The method has several practical constraints. Each QR code carries at most 2,189 bytes, and error correction and decoding inefficiencies reduce that further. With about 5 seconds of latency per request, the channel tops out at roughly 438 bytes per second, far too slow for large payloads. The study also did not consider defenses such as domain reputation analysis, URL scanning, and data loss prevention, any of which could disrupt the attack.
Although constrained by bandwidth and latency, the QR code channel remains a viable threat in environments without layered defenses. Security administrators should monitor for unusual traffic patterns and for automation tooling such as headless browsers on endpoints, and strengthen existing controls with domain reputation checks and heuristic analysis.
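Both of the monitoring recommendations above can be turned into concrete detection logic against web-proxy logs. The following is an added example written for this roundup, not Mandiant’s code or detection content. The log lines are constructed for the example and the format (ISO timestamp, client IP, method, URL, quoted User-Agent) is an assumption; so are the headless-browser markers and the jitter threshold, which were chosen because the proof-of-concept polled its page at a fixed cadence of roughly 5 seconds.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from any real environment). Client 10.0.0.5
# is a headless browser polling one host every 5 s; 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
2024-12-06T10:00:00Z 10.0.0.5 GET https://updates.example.test/status "Mozilla/5.0 (Macintosh) HeadlessChrome/120.0.0.0"
2024-12-06T10:00:05Z 10.0.0.5 GET https://updates.example.test/status "Mozilla/5.0 (Macintosh) HeadlessChrome/120.0.0.0"
2024-12-06T10:00:10Z 10.0.0.5 GET https://updates.example.test/status "Mozilla/5.0 (Macintosh) HeadlessChrome/120.0.0.0"
2024-12-06T10:00:15Z 10.0.0.5 GET https://updates.example.test/status "Mozilla/5.0 (Macintosh) HeadlessChrome/120.0.0.0"
2024-12-06T10:00:20Z 10.0.0.5 GET https://updates.example.test/status "Mozilla/5.0 (Macintosh) HeadlessChrome/120.0.0.0"
2024-12-06T10:00:02Z 10.0.0.7 GET https://news.example.test/ "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0.0.0"
2024-12-06T10:00:31Z 10.0.0.7 GET https://news.example.test/article/1 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0.0.0"
2024-12-06T10:03:12Z 10.0.0.7 GET https://mail.example.test/inbox "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0.0.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
HOST_RE = re.compile(r"^https?://([^/]+)")
# Assumed User-Agent substrings typical of automation tooling.
HEADLESS_MARKERS = ("HeadlessChrome", "PhantomJS", "Puppeteer", "Playwright")


def parse(log_text: str) -> list:
    """Parse the assumed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, ua = m.groups()
        host_match = HOST_RE.match(url)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client,
            "host": host_match.group(1) if host_match else url,
            "ua": ua,
        })
    return events


def headless_clients(events: list) -> list:
    """Clients whose User-Agent advertises a headless or automated browser."""
    return sorted({e["client"] for e in events
                   if any(mk in e["ua"] for mk in HEADLESS_MARKERS)})


def beaconing_pairs(events: list, min_requests: int = 5, max_jitter: float = 0.2) -> list:
    """(client, host, mean_interval_s) for pairs whose request cadence is nearly constant.

    Jitter is the coefficient of variation of the inter-request gaps; a fixed
    polling loop yields a value near 0, while human browsing is far noisier.
    """
    series = defaultdict(list)
    for e in events:
        series[(e["client"], e["host"])].append(e["ts"])
    flagged = []
    for (client, host), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.append((client, host, round(mean, 1)))
    return flagged


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("headless:", headless_clients(evts))
    print("beaconing:", beaconing_pairs(evts))
```

Treat both signals as triage leads rather than verdicts: monitoring agents and health checks also poll at fixed intervals, and a headless User-Agent can be trivially spoofed, so the useful follow-up is to correlate a flagged pair with the endpoint process that opened the connection and with domain reputation for the polled host.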
- Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals’ Data
Cybersecurity experts have identified a scam campaign exploiting fake video conferencing applications to distribute a data-stealing malware known as Realst. This operation, targeting individuals in the Web3 sector, uses the pretense of business meetings to deceive victims into installing malicious software.
Attackers fabricate fake companies and use AI-generated content to make them look legitimate. They contact victims to arrange video calls and direct them to download a meeting app from the fake company’s website; the download is in fact the Realst infostealer.
The campaign operates under deceptive platform names such as Clusee, Cuesee, Meeten, Meetone, and Meetio. Attackers typically approach targets via Telegram, pitch an investment opportunity, and urge them to join a video call hosted on one of these fake platforms. Victims are prompted to download a Windows or macOS build, depending on their device. On macOS, the installed app displays a bogus compatibility error and prompts the user to enter their system password to “resolve” it. The prompt is generated with osascript, a credential-theft technique shared with other macOS stealer families such as Atomic macOS Stealer, Cuckoo, MacStealer, Banshee Stealer, and Cthulhu Stealer. The malware’s primary objective is to harvest sensitive data, including cryptocurrency wallet information, and send it to a remote server.
Additionally, Realst is designed to extract Telegram credentials, banking details, iCloud Keychain data, and browser cookies from popular browsers such as Google Chrome, Microsoft Edge, Opera, Brave, Arc, Cốc Cốc, and Vivaldi. This campaign highlights the importance of vigilance and robust security measures, particularly for individuals working in emerging digital industries like Web3.
References:
https://www.secureworld.io/industry-news/waf-widespread-vulnerability-zafran
https://www.secureworld.io/industry-news/canada-post-strike-fraud
https://www.securityweek.com/deloitte-responds-after-ransomware-groups-claims-data-theft/
https://thehackernews.com/2024/12/hackers-using-fake-video-conferencing.html