Cyber Intelligence Weekly (April 27, 2025): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight an upcoming webinar!
[Live Roundtable]: Leveling Up Your Defenses: The Power of Red and Purple Teaming
🛡️ Join us on May 14 at 1:00 PM EST for a live roundtable with our Offensive Security team Stephen Carlson, Devin Jones and Ben D'Attilio led by moderator Matt Donato!
They'll break down how combining red and purple teaming can expose blind spots, sharpen detection, and help organizations at any stage build a stronger security program.
Register now to save your spot: https://lnkd.in/gea6_E-6

Away we go!
1. Blue Shield Google Ads Misstep Exposes Health Information of 4.7 Million Members
Blue Shield of California has acknowledged that it accidentally shared sensitive health information belonging to nearly 4.7 million members with Google's advertising platform. According to a notification sent to affected individuals, the breach happened between 2021 and early 2024 and may have exposed details like medical appointment dates, healthcare providers, insurance plan information, and personal identifiers such as names, zip codes, and family demographics.
The leak stemmed from the use of Google Analytics tools on Blue Shield’s websites, which were incorrectly configured to send user data to Google Ads. This mistake could have allowed Google to target users with ads based on the type of medical services they sought — for example, specialists like fertility clinics, mental health providers, or oncologists. While Blue Shield insists there’s no evidence the data was misused beyond advertising purposes, it admitted that the scope of the exposure makes it difficult to confirm the full impact.
Blue Shield said it cut off the data flow to Google in January 2024 and has since launched a full review of its website practices. Privacy advocates and cybersecurity experts have pointed out that this incident represents more than a technical error — it could be a serious violation of HIPAA regulations designed to protect patients' confidential health information.
As concerns grow over how healthcare providers manage sensitive user data, this case underscores a larger industry issue: the frequent, often unintentional sharing of medical information with tech companies and third parties. For patients, it’s a sharp reminder that digital privacy risks extend far beyond the apps and ads we expect — and right into the heart of our healthcare systems.

Threat Actors Exploiting Critical Vulnerability to Attack Cloud Platforms
A recent critical vulnerability in the Aviatrix Controller platform (CVE-2024-50603, CVSS 10) allows unauthenticated, remote threat actors to run arbitrary commands against the Aviatrix Controller, granting them full control of the platform. Aviatrix is a commonly used centralized management platform for cloud networking. This vulnerability is under active exploitation and is being used to deploy XMRig cryptomining malware and to create Sliver backdoors that provide persistent access to the impacted cloud platform. Aviatrix has released a security bulletin with details of the vulnerability and remediation instructions.
Aviatrix has released an emergency patch fixing the vulnerability, but organizations should review their cloud resource usage and network configuration to identify any potential impact from cryptojacking or a persistent backdoor. Cloud security providers have also created crafted searches to hunt for exploitation of the vulnerability; check with your provider for specific guidance.

2. Verizon Releases 2025 Data Breach Investigations Report
Verizon’s 2025 Data Breach Investigations Report reveals a sharp rise in breaches linked to edge devices and third-party providers. Based on data from more than 22,000 security incidents across 139 countries, the report highlights that attackers are increasingly exploiting vulnerabilities in VPNs, IoT systems, and other internet-facing assets. While stolen credentials and phishing remain top entry methods, one-fifth of breaches now stem from the exploitation of known or zero-day vulnerabilities — a number that continues to climb year over year.
Notably, ransomware still plays a major role, involved in 44% of breaches. However, fewer victims are paying up: only a third opted to pay ransoms last year, with median payments dropping from $150,000 to $115,000. Meanwhile, cyberespionage efforts have surged, with nation-state actors from countries like North Korea and Iran blending traditional spying motives with financial gain, reflecting rising geopolitical tensions.
The report also shines a spotlight on third-party security gaps, noting that breaches involving vendors and partners have doubled compared to the previous year. Verizon found that weak supply chain security — including mishandled credentials and slow remediation of exposed API keys — continues to expand the attack surface for many companies. AI technologies have added new complications too, with organizations accidentally leaking sensitive data by mishandling generative AI tools.
Overall, Verizon’s findings make it clear that securing infrastructure, particularly cloud and edge environments, requires a more proactive approach. Organizations must not only tighten their internal defenses but also apply greater scrutiny and accountability to third-party partners to mitigate today’s evolving cyber risks.

Critical Alert: Incomplete NVIDIA Patch Leaves AI Infrastructure Vulnerable
Vulnerability Detection and Analysis
Security teams managing AI infrastructure should be aware of a significant risk recently uncovered by TrendMicro researchers. The September 2024 security update for a critical vulnerability (CVE-2024-0132) in NVIDIA’s Container Toolkit—essential for containerized AI workloads—was found to be incomplete (Esmail, 2025). Further analysis revealed both persistent Time-of-Check Time-of-Use (TOCTOU) vulnerabilities and a new denial-of-service issue affecting Docker on Linux systems, which is particularly concerning for organizations deploying container-based AI solutions (Esmail, 2025).
Technical Exploitation Vectors
The incomplete patch allows for sophisticated exploitation scenarios with severe consequences. According to TrendMicro’s analysis, attackers could create malicious container images connected through volume symlinks to exploit the TOCTOU race condition. This would grant unauthorized access to the host filesystem and potentially allow execution of arbitrary commands with root privileges through container runtime Unix sockets (Esmail, 2025). Additionally, the Docker-related vulnerability could trigger rapid mount table growth, exhausting available file descriptors and preventing new container creation—effectively causing system-wide operational disruption (Esmail, 2025).
Scope and Impact Assessment
The impact scope is particularly concerning for AI-focused enterprises. Affected versions include NVIDIA Container Toolkit 1.17.3 and earlier (in default configurations), while version 1.17.4 remains vulnerable if the “allow-cuda-compat-libs-from-container” feature is enabled (Esmail, 2025). Successful exploitation could lead to unauthorized access to sensitive host data, theft of proprietary AI models or other intellectual property, severe operational disruptions, and prolonged downtime due to resource exhaustion or system inaccessibility.
Mitigation Strategies for Security Teams
TrendMicro recommends several best practices to mitigate these vulnerabilities in AI infrastructure environments. The list is not exhaustive, but it provides effective protection while permanent fixes are developed and deployed:
- Restrict Docker API access strictly to authorized personnel and minimize root-level permissions
- Explicitly disable optional features in NVIDIA Container Toolkit 1.17.4 unless operationally required
- Implement robust container image admission controls with automated vulnerability scanning in CI/CD pipelines
- Regularly monitor Linux mount tables for abnormal growth that might indicate active exploitation
- Conduct thorough audits of container-to-host interactions, limiting these strictly to essential use cases
- Deploy runtime anomaly detection tools to identify unauthorized host filesystem access attempts
- Validate all applied security patches to confirm effective vulnerability remediation (Esmail, 2025).
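The fourth recommendation above, monitoring the Linux mount table for abnormal growth, is easy to automate. The following is an added example written for this newsletter, not code from TrendMicro or NVIDIA: it parses mountinfo lines (the format of /proc/self/mountinfo), keeps a short history of mount counts, and raises an alert when the count jumps by more than a threshold between samples or exceeds an absolute ceiling. The thresholds, the sample mount lines and the overlay paths are constructed assumptions for illustration; on a real host you would read the live file and tune the thresholds to your container churn.

```python
"""Mount-table growth monitor (added example, not from the NVIDIA/TrendMicro advisory).

The Docker-related denial-of-service described above shows up as the mount
table ballooning until file descriptors run out. Sampling the mount count
periodically and alerting on a sudden jump is a cheap early-warning signal.
"""
from collections import Counter, deque
from typing import Deque, Dict, Iterable, List, Optional, Tuple

MOUNTINFO_PATH = "/proc/self/mountinfo"  # real kernel file; unused in the offline demo

MountEntry = Tuple[str, str, str]  # (mount_point, fs_type, source)


def parse_mountinfo(lines: Iterable[str]) -> List[MountEntry]:
    """Parse mountinfo lines into (mount_point, fs_type, source) tuples.

    Field layout (see proc(5)): id parent major:minor root mount_point
    mount_options [optional fields...] - fs_type source super_options.
    The lone '-' separates the optional fields from fs_type.
    """
    entries: List[MountEntry] = []
    for line in lines:
        parts = line.split()
        if "-" not in parts:
            continue  # malformed line; skip rather than crash the monitor
        sep = parts.index("-")
        if sep < 6 or len(parts) < sep + 3:
            continue  # fewer than the six mandatory fields, or no fs_type/source
        entries.append((parts[4], parts[sep + 1], parts[sep + 2]))
    return entries


def read_live_mount_table(path: str = MOUNTINFO_PATH) -> List[MountEntry]:
    """Read the real mount table; only works on Linux."""
    with open(path, encoding="utf-8") as fh:
        return parse_mountinfo(fh)


class MountGrowthMonitor:
    """Track mount counts across samples and flag abnormal growth."""

    def __init__(self, window: int = 10, max_growth_per_sample: int = 50,
                 max_total: int = 5000) -> None:
        # Thresholds are assumptions for the example, not advisory values.
        self.history: Deque[int] = deque(maxlen=window)
        self.max_growth_per_sample = max_growth_per_sample
        self.max_total = max_total

    def observe(self, entries: List[MountEntry]) -> Dict[str, object]:
        count = len(entries)
        prev: Optional[int] = self.history[-1] if self.history else None
        growth = 0 if prev is None else count - prev
        self.history.append(count)
        by_fs = Counter(fs for _, fs, _ in entries)
        top_fs, top_n = by_fs.most_common(1)[0] if by_fs else ("", 0)
        alert = growth > self.max_growth_per_sample or count > self.max_total
        return {"count": count, "growth": growth, "alert": alert,
                "top_fs": top_fs, "top_fs_count": top_n}


def constructed_sample(n_overlay: int) -> List[str]:
    """Constructed mountinfo lines: a small baseline plus n overlay mounts."""
    base = [
        "22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw",
        "23 22 0:5 / /proc rw,nosuid - proc proc rw",
        "24 22 0:6 / /sys rw,nosuid shared:7 - sysfs sysfs rw",
    ]
    overlay = [
        f"{100 + i} 22 0:{50 + i} / /var/lib/docker/overlay2/demo{i}/merged "
        f"rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/demo"
        for i in range(n_overlay)
    ]
    return base + overlay


def run_demo() -> List[Dict[str, object]]:
    """Feed three constructed samples through the monitor and return the reports."""
    monitor = MountGrowthMonitor(max_growth_per_sample=50, max_total=5000)
    return [monitor.observe(parse_mountinfo(constructed_sample(n))) for n in (0, 10, 500)]


if __name__ == "__main__":
    for report in run_demo():
        flag = "ALERT" if report["alert"] else "ok"
        print(f"{flag}: {report['count']} mounts (+{report['growth']}), "
              f"most common fs {report['top_fs']} x{report['top_fs_count']}")
```

In production, replace `constructed_sample` with `read_live_mount_table()` on a timer (a systemd timer or a sidecar works) and ship the `alert` field to your SIEM; pairing the count jump with the dominant filesystem type (overlay here) tells the responder whether container churn or something else is driving the growth.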
3. Inside the FBI’s 2024 IC3 Report: $16B Lost and a Growing Threat Landscape
The FBI’s Internet Crime Complaint Center (IC3) reported an unprecedented $16.6 billion in losses from cybercrime in 2024, with nearly 860,000 complaints submitted — the highest figures recorded since the center’s founding in 2000. Fraud dominated the landscape, accounting for the majority of financial losses, while ransomware continued to plague critical infrastructure organizations, with incidents rising by 9% over the previous year. Despite the FBI’s proactive efforts — including takedowns of ransomware groups like LockBit and providing thousands of decryption keys — cyber-enabled threats grew in scale and complexity.
Phishing remained the most reported type of crime, followed by extortion, personal data breaches, and investment scams. The elderly were disproportionately affected, with victims over 60 years old losing almost $5 billion in total. Meanwhile, international cooperation, particularly between the FBI and agencies in India and Ghana, led to a significant uptick in arrests targeting call center fraud operations.
One of the most concerning trends was the heavy use of cryptocurrency in scams, with over $9 billion in losses tied to digital assets. The FBI also noted a sharp rise in sextortion and toll fraud scams, and highlighted that a growing number of cyberattacks targeted organizations in critical infrastructure sectors. Officials stressed that reported figures likely represent only a fraction of the true impact, emphasizing the ongoing need for improved reporting and stronger cybersecurity practices.
While the numbers paint a grim picture, the FBI remains optimistic that greater public awareness, stronger partnerships with private companies, and aggressive disruption campaigns can help stem the rising tide of cybercrime. However, officials warned that the virtualization of daily life continues to widen the attack surface for opportunistic and organized threat actors alike.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about