Canadian Cyber Security Journal

Nightspire Ransomware Hits Canadian Firm WaxWorks in Double-Extortion Attack

What Happened

The Nightspire ransomware group added Canadian firm WaxWorks Inc. to its public extortion site on June 14, 2026. Nightspire claims to have exfiltrated sensitive data and is threatening to publish it unless a ransom is paid — the standard double-extortion playbook. The estimated date of the initial breach is May 17, 2026, suggesting the attackers spent nearly four weeks inside the network before the listing appeared.

Nightspire first emerged in March 2025 and has accumulated over 250 published victims across North America and Europe in roughly 15 months of operation. The group’s primary initial access vector is CVE-2024-55591, a critical authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy products. This vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog in early 2025 and has been exploited by multiple ransomware actors since. Organizations that did not apply Fortinet’s patches or replace end-of-life appliances remain exposed to this entry point.

Why This Matters for Canadian Organizations

WaxWorks is a Canadian company, making this a direct domestic incident rather than a secondhand warning from the United States or Europe. Canadian organizations in media, entertainment technology, and related sectors should treat this as a signal that Nightspire is actively targeting Canadian businesses — not simply noting it as a global trend.

The breach notification obligations here are immediate. Under PIPEDA and the Breach of Security Safeguards Regulations, organizations must notify the Office of the Privacy Commissioner of Canada and affected individuals when a breach creates a real risk of significant harm. An estimated breach date of May 17 and a public listing on June 14 mean WaxWorks has a narrow window to assess what data was taken and trigger the mandatory notification process. If personal information about Canadian residents is confirmed in the exfiltrated data, notification requirements apply regardless of whether a ransom is paid.

The use of CVE-2024-55591 as the entry point is also a warning for any Canadian organization still running unpatched FortiOS or FortiProxy. This vulnerability was not a zero-day exploit — it was a known, catalogued flaw with patches available. Its repeated use by ransomware groups months after disclosure reflects a persistent gap between patch availability and patch deployment in many organizations.

What to Do

Canadian organizations running FortiOS or FortiProxy should verify immediately that all appliances are patched against CVE-2024-55591. Any appliance running an end-of-life firmware version with no available patch should be isolated or replaced. Organizations in sectors adjacent to WaxWorks — media, production, entertainment technology, digital distribution — should review their external attack surface for Fortinet devices and review firewall and VPN logs for anomalous authentication events from late April and May 2026. If a breach is suspected, engage a Canadian incident response firm and assess PIPEDA notification timelines before the 72-hour window closes.
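
One way to run the log review described above, as an added example that is not from the original article or from Fortinet: it filters exported event logs for successful administrative logins inside the review window that came from outside known management networks. The field names are modelled on FortiOS key=value event logs, and the window start day, the management subnet and every sample line are constructed assumptions.

```python
import ipaddress
import shlex
from datetime import date

# Review window from the article: late April through May 2026 (start day is an assumption).
WINDOW = (date(2026, 4, 20), date(2026, 5, 31))
# Assumption: networks from which administrators legitimately log in.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines in the key=value style of FortiOS event logs.
SAMPLE_LOG = '''\
date=2026-04-02 time=09:14:03 type="event" subtype="system" user="admin" ui="https(10.20.0.15)" srcip=10.20.0.15 action="login" status="success"
date=2026-05-16 time=23:51:40 type="event" subtype="system" user="admin" ui="https(10.20.0.15)" srcip=10.20.0.15 action="login" status="success"
date=2026-05-17 time=03:12:09 type="event" subtype="system" user="svc_backup" ui="https(203.0.113.45)" srcip=203.0.113.45 action="login" status="success"
date=2026-05-17 time=03:12:55 type="event" subtype="system" user="svc_backup" ui="https(203.0.113.45)" srcip=203.0.113.45 action="login" status="failed"
date=2026-05-18 time=11:02:31 type="traffic" subtype="forward" srcip=198.51.100.7 action="accept"
date=2026-05-20 time=02:40:17 type="event" subtype="system" user="admin" srcip=not-an-ip action="login" status="success"
'''

def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    pairs = (tok.partition("=") for tok in shlex.split(line))
    return {key: value for key, sep, value in pairs if sep}

def suspicious_logins(log_text, window=WINDOW, mgmt_nets=MGMT_NETS):
    """Return successful logins inside the window from outside mgmt_nets."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if (f.get("type"), f.get("action"), f.get("status")) != ("event", "login", "success"):
            continue
        try:
            day = date.fromisoformat(f.get("date", ""))
        except ValueError:
            continue  # no usable date: cannot place the event in the window
        if not window[0] <= day <= window[1]:
            continue
        try:
            src = ipaddress.ip_address(f.get("srcip", ""))
            known = any(src in net for net in mgmt_nets)
        except ValueError:
            known = False  # unparseable source address: surface it for manual review
        if not known:
            hits.append((f["date"], f.get("time", ""), f.get("user", ""), f.get("srcip", "")))
    return hits
```

Each hit is a lead for manual review rather than proof of compromise; the value of the filter depends on how accurately `MGMT_NETS` reflects where administrators really connect from.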

Source: DeXpose
