Cyber Intelligence Weekly (April 13, 2025): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight a great new article by our very own @Alyssa Slayton.
AI Governance: Top 10 Considerations for 2025 🚀
As AI technologies continue to evolve at a rapid pace, understanding the governance landscape becomes crucial for businesses across all sectors.
Alyssa Slayton's latest article provides essential insights into the critical areas of focus for responsible AI development and deployment. Stay ahead of the curve by incorporating these governance strategies to ensure your AI systems are ethical, compliant, and effectively managed.
Read the full article today for a deeper dive!
More here: https://lnkd.in/gaDaTxtY
Away we go!
1. The Rise of the Smishing Triad: How Phishers Turned Apple Pay into a Global Fraud Scheme
A great recent piece from Brian Krebs reports that a China-based cybercriminal collective known as the “Smishing Triad” is drawing new attention for its innovative tactics and global reach. Once focused on impersonating toll operators and delivery companies, the group has now expanded to directly target major international financial institutions. Their updated strategy involves phishing campaigns that trick victims into unknowingly linking their payment cards to mobile wallets controlled by the criminals, who then use those digital wallets for illicit transactions worldwide.
The scam begins with a spoofed message—often via iMessage or RCS—that directs users to a fake website designed to capture their card details. Victims are asked to verify a one-time code supposedly sent by their bank, but in reality, this code enables the criminals to add the card to a mobile wallet on an Apple or Android device they control. These compromised devices, often loaded with multiple stolen cards, are resold in bulk or used to conduct tap-to-pay fraud, particularly through apps like Z-NFC that can remotely relay transactions.
Researchers say the Smishing Triad is scaling at an alarming rate, with over 25,000 phishing domains active during any given week and infrastructure housed largely within Chinese hosting platforms. Sophisticated backend systems and virtualized device farms allow for massive, automated messaging operations. Some vendors boast hundreds of support staff managing “smishing-as-a-service” kits targeting banks and payment providers in over 120 countries.
Security firms Prodaft and SilentPush report that the Triad’s operations now span multiple sectors and continents, exploiting weak authentication practices like SMS-based codes for digital wallet enrollment. As some financial institutions begin shifting to more secure in-app verifications, experts stress that broader industry adoption of stronger validation mechanisms is urgently needed to curb this growing form of digital fraud.

Cloud Security Report Finds that Cloud Security Incidents have increased 154%
Check Point’s 2024 Cloud Security Report finds that cloud security incidents increased 154% year over year between 2023 and 2024. This increase shows that the complexity and sophistication of cloud threats has grown and will continue to grow. Many organizations have migrated, or are in the midst of migrating, critical services and resources to the cloud, which increases their attack surface and introduces complexity into their security programs. Highlights from the report include:
- A near-154% increase in cloud security incidents compared to last year, with 61% of organizations reporting significant disruptions.
- An overwhelming 96% of respondents report concerns about their ability to effectively manage cloud risks.
- 91% of organizations now prioritize AI to enhance their security posture.
- Only 25% of organizations have fully implemented Cloud Native Application Protection Platforms (CNAPP).
- 54% of respondents face challenges in maintaining consistent regulatory standards across multi-cloud environments, with 49% struggling to integrate cloud services into legacy systems.
Additionally, the Cloud Security Alliance reports that, on average, it takes two days to address even the most critical vulnerability. The drastic increase in cloud security incidents and the length of time it takes to address critical cloud vulnerabilities show a need to be more proactive in managing cloud risk: implementing AI-powered tooling, effectively identifying and tracking cloud-related risks and threats, and moving toward a zero-trust model. Modernizing the security approach can help limit an organization's exposure as its presence in the cloud grows.

2. 1.6 Million Affected in Cyberattack on Lab Partner for Planned Parenthood
A cyberattack on a lab services provider for Planned Parenthood has compromised the personal and medical information of roughly 1.6 million people. The affected company, Laboratory Services Cooperative (LSC), announced the breach after completing a months-long investigation that began following the discovery of suspicious activity on its systems back in October. By February, it was confirmed that hackers had accessed and exfiltrated files containing deeply personal data.
The information taken includes a wide range of sensitive records — from medical histories, lab results, and diagnoses to insurance details, financial accounts, and Social Security numbers. Even employee data, including that of dependents, was affected. LSC noted that it serves a number of Planned Parenthood centers across 30 states and D.C., and anyone who received lab work through one of those centers could potentially be impacted.
LSC has not identified the attackers, and so far, no group has claimed responsibility. However, the company has hired cybersecurity experts to monitor the dark web and stated that, as of April 10, none of the stolen data appears to have been posted. In response, LSC is offering one year of credit monitoring to those affected and is providing a call center to help determine if individuals were part of a partnered center.
This breach comes amid heightened scrutiny and politicization of reproductive health data. In recent years, there have been disturbing trends involving the tracking and misuse of patient data related to abortion services. With abortion access increasingly criminalized in certain states, the potential exposure of such records has intensified fears around surveillance, privacy, and legal risk for patients and providers alike.

Anthropic’s Red Team Reveals Rapid AI Advancement in Cybersecurity Capabilities
Accelerating AI Proficiency in Cybersecurity
Recent findings from Anthropic’s Frontier Red Team highlight concerning progress in AI capabilities related to national security risks, particularly in cybersecurity. In their March 2025 report, Anthropic reveals that in less than a year, their AI model Claude (across all generations) went from solving “less than a quarter to nearly all” of certain cybersecurity challenges, demonstrating a dramatic improvement from “high schooler to undergraduate level” in Capture the Flag (CTF) exercises (Anthropic, 2025). This rapid acceleration in cyber capabilities represents what Anthropic describes as a “zero to one moment” for AI in the cybersecurity domain.
Benchmark Performance Improvements
Particularly noteworthy is Claude 3.7 Sonnet’s performance on Cybench—a public benchmark using CTF challenges to evaluate LLMs—where it now solves about one-third of challenges within five attempts, up from approximately 5% with their frontier model just one year earlier (Anthropic, 2025). The improvements span multiple categories of cybersecurity tasks, including discovering and exploiting vulnerabilities in insecure software, web applications, and cryptographic protocols. While these capabilities still lag behind expert humans, particularly in reverse engineering binary executables and performing reconnaissance in network environments, the pace of advancement is significant (Anthropic, 2025).
Simulated Attack Capabilities
More concerning, though, are the findings from experiments conducted with Carnegie Mellon University researchers, who tested the models on realistic, large cyber ranges simulating actual cyber operations. While the models could not autonomously succeed in these complex network environments, when equipped with specialized software tools built by cybersecurity researchers, Claude could successfully replicate attacks similar to known large-scale thefts of personally identifiable information from credit reporting agencies (Anthropic, 2025).
Implications for Cybersecurity Practitioners
Security practitioners should prepare for a rapidly evolving threat landscape as AI capabilities enhance attacker toolkits. As Anthropic notes, their evaluation infrastructure positions them to “provide warning when the model’s autonomous capabilities improve, while also potentially helping to improve the utility of AI for cyber defense” (Anthropic, 2024). Key actions for security teams include:
- Reassess cybersecurity defenses assuming adversaries may have access to increasingly sophisticated AI capabilities
- Implement more robust detection mechanisms for novel attack patterns
- Consider how AI tools might be leveraged defensively to identify vulnerabilities before attackers do
- Increase investment in security staff training specific to AI-enabled threats
- Develop and test incident response procedures for AI-assisted attacks
- Establish partnerships with AI security research organizations to stay informed of capability advancements

3. Attackers Mimic Legitimate Devices to Bypass MFA and Steal Millions
A great piece of intel from our friends at @Expel highlights how the Moroccan cybercrime group known as Atlas Lion has been quietly infiltrating major retailers, restaurants, and other large organizations by slipping attacker-controlled virtual machines (VMs) into cloud networks. Rather than deploying sophisticated malware or exploiting obscure vulnerabilities, the group is taking advantage of legitimate cloud onboarding processes to disguise their infrastructure as company-owned systems. Cybersecurity firm Expel recently uncovered this activity and published a detailed breakdown of the group's latest tactics.
In one observed campaign, Atlas Lion launched a phishing attack via fake IT helpdesk messages. These messages redirected victims to realistic login pages where credentials and multi-factor authentication (MFA) codes were harvested. The attackers quickly used that access to enroll their own MFA apps and reset passwords, effectively locking victims out and ensuring persistent access. From there, they registered new virtual machines in Microsoft Azure and connected them directly to the organization's domain using the stolen credentials — blending in with everyday device activity.
What gave them away wasn’t the cleverness of the tactic, but a simple oversight: the attackers used a previously blacklisted IP address. When the required Microsoft Defender endpoint software was automatically installed on the fake VM, it flagged the suspicious IP, prompting defenders to act. The rogue machine was removed and user credentials reset within minutes — but the incident underscores how easily attackers can abuse legitimate workflows to mask malicious intent.
Even after being removed, Atlas Lion returned hours later, poking around for documentation on device enrollment, BYOD policies, VPN configurations, and — most tellingly — the organization’s gift card issuance process. That’s been the group’s longstanding play: creating fraudulent gift cards to resell or redeem through illicit channels. As defenders prepare for more advanced attacks from this persistent group, the case serves as a reminder that effective security often hinges on catching what looks like normal behavior — until it isn’t.
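The Atlas Lion chain above (MFA method enrolled, password reset, then a new device joined, all from the same source) is a sequence a defender can hunt for in identity audit logs rather than waiting for a denylisted IP to trip an endpoint alert. The following is an added example, not code from Expel or from the original post: it runs a simple ordered-sequence detection over constructed, simplified audit events (the event names, users, IPs and the denylist are all made up for illustration, not real Entra ID log fields), and raises severity when any step came from a denylisted IP, mirroring the flag that exposed the rogue VM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified audit events (not real Entra ID output). j.doe shows
# the Atlas Lion chain; a.smith is a benign reset with a device join a day later.
EVENTS = [
    {"ts": "2025-04-08T09:02:00", "user": "j.doe", "action": "mfa_method_added", "ip": "203.0.113.45"},
    {"ts": "2025-04-08T09:06:00", "user": "j.doe", "action": "password_reset", "ip": "203.0.113.45"},
    {"ts": "2025-04-08T09:31:00", "user": "j.doe", "action": "device_registered", "ip": "203.0.113.45", "device": "DESKTOP-7Q2K"},
    {"ts": "2025-04-08T11:00:00", "user": "a.smith", "action": "password_reset", "ip": "198.51.100.9"},
    {"ts": "2025-04-09T14:10:00", "user": "a.smith", "action": "device_registered", "ip": "198.51.100.9", "device": "LAPTOP-01"},
]
DENYLIST = {"203.0.113.45"}  # constructed stand-in for the org's blocked-IP feed
CHAIN = ("mfa_method_added", "password_reset", "device_registered")  # stages, in order
WINDOW = timedelta(hours=1)  # all three stages must land inside this window


def _match_chain(evs, start, window):
    """Return the ordered CHAIN beginning at evs[start], or None if a stage is missing or late."""
    deadline = datetime.fromisoformat(evs[start]["ts"]) + window
    chain, stage = [evs[start]], 1
    for e in evs[start + 1:]:
        if datetime.fromisoformat(e["ts"]) > deadline:
            return None  # window closed before the chain completed
        if e["action"] == CHAIN[stage]:
            chain.append(e)
            stage += 1
            if stage == len(CHAIN):
                return chain
    return None


def find_takeover_chains(events, window=WINDOW, denylist=DENYLIST):
    """One alert per user whose trail shows MFA enrol -> password reset -> device join
    inside `window`; a denylisted source IP raises severity, as in the Expel case."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["action"] != CHAIN[0]:
                continue
            chain = _match_chain(evs, i, window)
            if chain:
                ips = {c["ip"] for c in chain}
                alerts.append({"user": user, "device": chain[-1].get("device"), "ips": sorted(ips),
                               "severity": "high" if ips & denylist else "medium"})
                break  # report only the first complete chain per user
    return alerts
```

Running `find_takeover_chains(EVENTS)` reports only j.doe at high severity; a.smith's reset and next-day device join never complete the chain inside the window.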
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about