Threatonomics

Cybersecurity Incidents & Trends in Canada

Risk Intelligence Briefing

by Resilience Threat Intelligence

Executive Summary

  1. Overview of Canada’s significant cybersecurity developments and incidents during the past month.
  2. Highlights of critical trends, threats, and policy initiatives shaping the cybersecurity landscape in Canada.

Emerging cyber threats increasingly target Canadian organizations, government agencies, and individuals, and the attacks observed this month show threat actors using well-developed tactics. A threat actor posing as a job candidate delivered the Formbook infostealer to companies in an archive disguised as a CV. The Chameleon Android banking trojan targeted customers of financial institutions in Canada and Europe and employees of a Canadian restaurant chain by masquerading as legitimate apps. Cybercriminals planted digital skimmers on e-commerce sites running the Magento platform to capture customers’ payment card data in real time; a Canadian university was among the compromised sites. Significant incidents include a data breach at Park’N Fly, which exposed the personal information of 1 million customers after attackers logged in with stolen VPN credentials, and a cyberattack on AutoCanada that compromised its IT systems in a quarter already hurt by the CDK Global outage. Threat actors also distributed the Mandrake Android spyware through Google Play apps that were popular in Canada. On the policy side, Ontario’s Bill 194 aims to strengthen public sector cybersecurity, while the proposed federal Consumer Privacy Protection Act (Bill C-27) seeks to enhance data privacy. Canadian initiatives continue to promote cybersecurity awareness and education, with recent efforts including CSE and NSERC funding for research on robust, secure and safe AI.

Threat Landscape Analysis

  1. Analysis of emerging cyber threats targeting Canadian organizations, government agencies, and individuals.
  2. Examination of threat actors’ tactics, techniques, and procedures (TTPs) observed in recent cyber attacks in Canada.
  3. Assessment of the evolving cybersecurity risks faced by different sectors and industries across Canada.

Formbook infostealer delivered to companies via job candidate lure

Broadcom (Symantec) researchers recently identified a threat actor who poses as a job candidate to deliver a malicious archive, disguised as a CV, that contains the Formbook infostealer. The email lure includes a brief motivation letter in which the purported applicant describes experience in administration, finance, and accounting systems and expresses a desire to move into a commercial role. The actor emailed companies in the United States, United Kingdom, Canada, Belgium, India, Australia, the Netherlands, Finland, Ukraine, and other countries. Formbook is a commodity infostealer that harvests credentials from browsers and email clients and logs keystrokes, and an HR or recruiting inbox that routinely opens attachments from strangers is exactly the kind of target this lure is built for. (Source)
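The lure above works because the archive member is named like a document while being an executable. The following Python is an added example written for this briefing, not code from Broadcom or from the original page: it opens an attachment archive in memory and blocks members that carry an executable extension, a document-then-executable double extension, or a PE header regardless of name. The extension lists and the sample archive are constructed for illustration.

```python
"""Triage a 'CV' archive attachment before it reaches a mailbox.

Added example for this briefing (not vendor code). Flags an executable packed
in an archive and named to look like a CV. Extension lists and the sample
archive below are constructed for illustration.
"""
import io
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".odt", ".txt"}
MAGIC = [(b"MZ", "PE executable"), (b"%PDF", "PDF"), (b"PK\x03\x04", "ZIP/OOXML"), (b"{\\rtf", "RTF")]


def sniff(head: bytes) -> str:
    """Identify a file by its leading bytes rather than by its name."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def triage_archive(blob: bytes) -> list:
    """Return one verdict per archive member: 'block' with reasons, or 'allow'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in basename.split(".")[1:]]
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))
            reasons = []
            if last in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {last}")
            # Windows Explorer hides known extensions by default, so 'CV.pdf.exe' displays as 'CV.pdf'.
            if len(exts) > 1 and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
                reasons.append("double extension")
            if kind == "PE executable":
                reasons.append("PE header (MZ)")
            findings.append({
                "name": info.filename,
                "type": kind,
                "verdict": "block" if reasons else "allow",
                "reasons": reasons,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed attachment: a PE stub named as a CV, plus a harmless text cover letter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume_Jane_Doe.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # header only, not a real binary
        zf.writestr("cover_letter.txt", b"Dear hiring manager, please find my CV attached.")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f["verdict"], f["name"], f["type"], "; ".join(f["reasons"]))
```

The name-based checks catch the common lure; the magic-byte check is what catches a file renamed to plain `CV.pdf`, which is why both are kept. A mail gateway would apply the same logic recursively to nested archives, which this example does not do.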

Chameleon Trojan masquerades as CRM app and security app in new campaigns

In July 2024, ThreatFabric researchers identified new campaigns of the Chameleon Android banking trojan targeting Canada and Europe. In one campaign the malware targeted customers of specific financial organizations by masquerading as a security app that installs a security certificate supposedly issued by the targeted bank. In the Canadian campaign, the researchers observed Chameleon masquerading as a Customer Relationship Management (CRM) application to target employees of a Canadian restaurant chain that operates internationally.
The malware’s multi-stage infection chain starts with a dropper that bypasses the Restricted Settings protection Android 13 and later apply to sideloaded apps, which would otherwise block the app from being granted the Accessibility Service access the trojan relies on. In the Canadian campaign, the dropper displayed a fake CRM login page once loaded; a subsequent message on that page told targets to reinstall the application, and the reinstall delivered the Chameleon payload.
The naming of the dropper and payloads indicates that the intended victims of the Canadian campaign are hospitality workers and potentially business-to-consumer (B2C) employees in general. (Source) For defenders, a device management policy that blocks sideloading on corporate devices, or at least alerts on apps requesting Accessibility Service access, addresses the whole chain rather than a single sample.

New malware campaign uses digital skimmers to steal e-commerce customers’ payment card data

Malwarebytes researchers discovered a new malware campaign that plants digital skimmers on e-commerce stores running the Magento platform. The researchers identified over a dozen attacker-controlled websites set up to receive the stolen data and blocked 1,121 theft attempts. The threat actors likely exploited the same vulnerability to plant malicious code on each compromised site.
The attack begins with the injection of skimmer code into the target site. The researchers observed this on the site of a European beer manufacturer and on that of a Canadian university, where the skimmer was pulled in as JavaScript loaded from a remote host rather than embedded in the page. Once the skimmer is in place, it inserts a fake ‘Payment Method’ frame into the checkout page and uses it to capture customers’ payment information in real time, including names, addresses, email addresses, card numbers, expiration dates, and CVV/CVC codes. The captured data is sent to the attackers’ command-and-control server, where it is stored in a database for use in future fraud or for sale on the dark web. (Source)
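A site owner can look for the two ingredients described above, script loaded from a host the shop does not normally use and a payment frame or obfuscated inline script that does not belong on the page, by scanning the served checkout HTML. The Python below is an added example written for this briefing, not Malwarebytes code or a sample from the campaign. The allowlists, the sample page, and the hosts `shop.example` and `evil.example` are constructed placeholders.

```python
"""Scan checkout-page HTML for skimmer indicators.

Added example for this briefing (not vendor code). Reports JavaScript loaded
from a host outside the shop's allowlist, iframes from unexpected hosts, and
inline scripts that combine obfuscation with frame injection. Allowlists and
the sample page are constructed; '*.example' hosts are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}  # hypothetical: hosts the shop really uses
ALLOWED_FRAME_HOSTS = {"pay.shop.example"}                   # hypothetical: where the real card form lives
INLINE_PATTERNS = [
    re.compile(r"atob\s*\(", re.I),                          # base64-unpacking a hidden payload
    re.compile(r"String\.fromCharCode", re.I),               # character-code obfuscation
    re.compile(r"createElement\s*\(\s*['\"]iframe", re.I),   # injecting a frame at runtime
    re.compile(r"\b(cvv|cvc|card_?number|expir)", re.I),     # touching card fields
]


class SkimmerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src is None:
                self._in_inline_script = True
                return
            host = urlparse(src).hostname  # also resolves protocol-relative '//host/path'
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("remote-script", src))
        elif tag == "iframe":
            src = a.get("src", "")
            host = urlparse(src).hostname
            if host and host not in ALLOWED_FRAME_HOSTS:
                self.findings.append(("unexpected-frame", src))

    def handle_data(self, data):
        if self._in_inline_script:
            hits = [p.pattern for p in INLINE_PATTERNS if p.search(data)]
            if len(hits) >= 2:  # one hit is common in legitimate code; two together is worth a look
                self.findings.append(("suspicious-inline-script", ", ".join(hits)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def scan(html: str) -> list:
    """Return (kind, detail) findings for one page of HTML."""
    scanner = SkimmerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed checkout page: one legitimate script, one foreign script, the real
# payment frame, and an inline loader that unpacks a URL and injects a frame.
SAMPLE_PAGE = """<html><body>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="//evil.example/jquery-ui.min.js"></script>
<iframe src="https://pay.shop.example/card-form"></iframe>
<script>var p=atob("ZmFrZQ=="); var f=document.createElement('iframe'); f.src=p; document.body.appendChild(f);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE):
        print(kind, detail)
```

This is a detective control over the HTML as served. It cannot see a frame that an allowlisted script injects at runtime, so the preventive counterpart is a Content-Security-Policy with a `script-src` and `frame-src` allowlist plus Subresource Integrity on the scripts the shop does load; the scan then serves to catch policy drift and server-side injection.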

Notable Cyber Incidents

  1. Summary of significant cybersecurity incidents, data breaches, and cyber attacks reported in Canada during the month.
  2. Case studies highlighting key details, impact, and response efforts for selected cyber incidents affecting Canadian entities.

Park’N Fly reveals data breach affecting 1 million customer files

Park’N Fly has disclosed a data breach, which occurred in mid-July 2024, that exposed the personal and account information of 1 million customers in Canada. The attackers accessed the company’s network using stolen VPN credentials. Exposed data includes full names, email addresses, physical addresses, Aeroplan numbers, and CAA numbers, but no financial information. Park’N Fly discovered the breach on August 1, 2024, has since restored the impacted systems, and is implementing additional security measures. Customers should be vigilant against phishing attempts that use the exposed details. The breach has caused frustration among customers, particularly concerning the potential misuse of Aeroplan numbers. (Source)
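A login with stolen VPN credentials looks like a valid login, so detection has to rest on context rather than on the authentication result. The Python below is an added example for this briefing, not code from Park’N Fly or from the source article: it runs two checks over VPN authentication records, a success from a country the account has never used before, and two successes from different countries closer together than a person could travel. The log format and the entries are constructed; in practice the country would come from a GeoIP lookup on the source address.

```python
"""Flag VPN sign-ins consistent with stolen credentials.

Added example for this briefing (not the victim's or the source's code).
Checks: (1) successful login from a country the account has never used,
(2) two successes from different countries inside an impossible-travel window.
Log format and entries are constructed.
"""
from datetime import datetime, timedelta

# Constructed: ISO timestamp (UTC), username, source IP, country code, result
SAMPLE_LOG = """\
2024-07-14T08:02:11Z,asmith,203.0.113.10,CA,success
2024-07-14T17:45:03Z,asmith,203.0.113.10,CA,success
2024-07-15T03:12:40Z,asmith,198.51.100.77,NL,success
2024-07-15T09:00:00Z,asmith,203.0.113.10,CA,success
2024-07-15T10:30:22Z,bjones,192.0.2.5,CA,failure
2024-07-15T10:31:02Z,bjones,192.0.2.5,CA,success
"""


def parse_log(text: str) -> list:
    """Parse the constructed CSV format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return sorted(events, key=lambda e: e["time"])


def detect(events: list, travel_window: timedelta = timedelta(hours=6)) -> list:
    """Return alerts in event order; state is built from the events themselves."""
    alerts = []
    seen_countries = {}  # user -> countries used in earlier successful logins
    last_success = {}    # user -> most recent successful event
    for e in events:
        if e["result"] != "success":
            continue
        user = e["user"]
        known = seen_countries.setdefault(user, set())
        prev = last_success.get(user)
        # New country: only meaningful once the account has some history.
        if known and e["country"] not in known:
            alerts.append({"user": user, "time": e["time"].isoformat(), "reason": "new-country",
                           "country": e["country"], "ip": e["ip"]})
        # Impossible travel: different country, too soon after the previous success.
        if prev and prev["country"] != e["country"] and e["time"] - prev["time"] < travel_window:
            alerts.append({"user": user, "time": e["time"].isoformat(), "reason": "impossible-travel",
                           "from": prev["country"], "to": e["country"],
                           "minutes_apart": int((e["time"] - prev["time"]).total_seconds() // 60)})
        known.add(e["country"])
        last_success[user] = e
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises two alerts for `asmith`: the first login from NL, and the CA login under six hours after it. The control that prevents the breach class is multi-factor authentication on the VPN and prompt revocation of exposed credentials; this logic is for the case where that has already failed. Expect false positives from commercial VPNs and mobile carriers, so the alert should trigger a check with the user rather than an automatic lockout.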

Stealthy updated Mandrake Android spyware discovered

Kaspersky researchers found five Android apps, cumulatively downloaded more than 32,000 times from the Google Play Store since 2022, distributing a stealthier version of the Mandrake Android spyware. The most popular, AirFS - File sharing via Wi-Fi, had over 30,000 downloads. Most downloads came from Canada, Germany, and Italy; Google has since removed the apps from Google Play. Installation proceeds in stages: the app drops a second-stage loader that decrypts and runs the spyware core, which then establishes communications with its command-and-control server. Mandrake enables data gathering, screen recording, simulation of user interactions, command execution, app installation, and file management, and it evades analysis by checking for the Frida instrumentation toolkit and for binaries that indicate a rooted device. (Source)

AutoCanada Cyberattack and Financial Impact Report

AutoCanada disclosed a cyberattack affecting its internal IT systems that could disrupt its operations. The company says it acted immediately to protect its network and data and engaged external cybersecurity experts for containment and remediation. The full scope and impact of the incident, including whether data was compromised, are still under investigation; business operations remain open but may face disruptions until systems are restored. AutoCanada operates 66 franchised dealerships in Canada and 18 in the US and generated over $6 billion in revenue last year.
AutoCanada was also hit by the outage at dealer software provider CDK Global caused by the BlackSuit ransomware attack, which disrupted operations and cost it sales and profits. That outage lasted from June 19 to July 1, with recovery and cleanup extending to the end of July. AutoCanada recorded a $33.1 million loss in Q2 2024, compared with a $45.2 million profit in the same quarter of the previous year. Factors the company cites for the loss include the CDK outage, increased OEM inventory, higher floorplan costs, rising unemployment, and falling GDP. (Source)

  • Ten people arrested, more than 100 charges laid in SIM swap scam: Toronto police (Source)
  • Contractor breached personal and family data of staff at Edmonton city, library and police (Source)
  • National Public Data data breach overview (Source)

Policy and Regulatory Updates

  1. Overview of recent policy developments and regulatory initiatives related to cybersecurity in Canada.
  2. Analysis of legislative proposals, government strategies, and regulatory frameworks to strengthen cybersecurity resilience and promote digital security in Canada.

  • Canada’s Privacy Commissioner investigating Ticketmaster after data breach (Source)
  • Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024. Bill 194 is intended to strengthen the protection of digital infrastructure and data privacy in Ontario’s public sector. (Source)
  • C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts. Currently: At consideration in committee in the House of Commons. (Source)(Source)

Threat Intelligence Highlights

  1. Summary of threat intelligence reports and assessments from Canadian cybersecurity research organizations, government agencies, and private sector partners.
  2. Key findings related to emerging cyber threats, vulnerabilities, and mitigation strategies relevant to Canadian stakeholders.

Cybersecurity Awareness and Education Initiatives

  1. Overview of cybersecurity awareness campaigns, training programs, and educational resources available to Canadian citizens, businesses, and government entities.
  2. Analysis of efforts to promote digital literacy and cybersecurity hygiene across different demographics and user groups in Canada.

Future Outlook and Recommendations

  1. Projection of upcoming cybersecurity trends and challenges likely to impact Canada in the coming months.
  2. Recommendations for policymakers, businesses, and individuals in Canada to enhance cybersecurity preparedness and resilience at the national, organizational, and individual levels.

CSE and NSERC to fund research on robust, secure and safe artificial intelligence

The Communications Security Establishment Canada (CSE) and the Natural Sciences and Engineering Research Council of Canada (NSERC) have launched the first four research communities created under the NSERC-CSE Research Communities grants. The communities will research, develop, and demonstrate solutions to AI security problems, including:

  • Training AI models in situations of unreliable data without relying on external, untrusted, pre-trained foundation models
  • Techniques to ensure fair, interpretable, and robust AI models
  • Establishing guidelines for AI use to ensure regulatory compliance and support the auditing process


Disclaimer

This material is provided for informational purposes only. Accordingly, this material should not be viewed as a substitute for the guidance and recommendations of a trained professional. Additionally, Arceo Labs, Inc. d/b/a Resilience does not endorse any coverage, systems, processes, or protocols addressed herein. Any references to non-Resilience Websites are provided solely for convenience, and Resilience disclaims any responsibility with respect to such Websites. To the extent that this material contains any examples, please note that they are for illustrative purposes only. Additionally, examples are not intended to establish any standard of care, to serve as legal advice appropriate for any factual situation, or to provide an acknowledgment that any factual situation is covered by Resilience products. This material is not intended as a solicitation of insurance coverage.

Arceo Labs, Inc. d/b/a Resilience, 55 2nd St Suite 1950, San Francisco, CA 94105. All Rights Reserved.

Please contact us if you have any questions about this notification or if you would like to discuss it in further detail. Contact support@cyberresilience.com with any questions or to schedule a call with a member of our security team. If you are experiencing a security incident or need to report a new claim, please call +1 (302) 722-7236 or email claims_intl@cyberresilience.com.
