Cyber Intelligence Weekly (April 6, 2025): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight a great new article by our very own @Alyssa Slayton.
AI Governance: Top 10 Considerations for 2025 🚀
As AI technologies continue to evolve at a rapid pace, understanding the governance landscape becomes crucial for businesses across all sectors. Alyssa Slayton's latest article provides essential insights into the critical areas of focus for responsible AI development and deployment.
Stay ahead of the curve by incorporating these governance strategies to ensure your AI systems are ethical, compliant, and effectively managed.
Read the full article today for a deeper dive! More here: https://lnkd.in/gaDaTxtY

Away we go!
1. CISA Rings Alarm Over Active Exploitation of Ivanti Gateways
A newly discovered security flaw in Ivanti’s Connect Secure, Policy Secure, and ZTA Gateways is now under active exploitation, with cybersecurity agencies warning that suspected Chinese threat actors are behind the attacks. The bug, tracked as CVE-2025-22457, was initially overlooked as non-exploitable, but researchers later found that sophisticated adversaries were able to weaponize it to gain remote control of affected systems. Mandiant and Google's Threat Intelligence Group have linked the activity to a hacking collective known as UNC5221, known for previous attacks on Ivanti infrastructure.
Ivanti issued a patch back in February for the supported versions of its appliances, but older, end-of-life devices are no longer covered. Unfortunately, some of these unsupported systems have already been compromised. The hackers reportedly used an advanced toolkit called Spawn and a backdoor named Brushfire to maintain access and move laterally through networks. UNC5221 has a history of leveraging Ivanti vulnerabilities, including multiple prior bugs from recent years.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog and is urging affected organizations to patch immediately or isolate any impacted devices. Those running unsupported systems face the highest risk, as Ivanti will no longer issue fixes or guidance for those products. Integrity checking tools are available to help detect compromise, and factory resets are recommended if a breach is discovered.
This latest wave of attacks serves as a reminder of the growing focus on edge devices by state-sponsored groups. With remote access systems acting as a gateway to enterprise environments, organizations must prioritize regular updates, endpoint monitoring, and patch management to stay ahead of evolving threats.

Microsoft Identifies Leaked ASP.NET Keys Enabling Code Injection Attacks
In February 2025, Microsoft issued a warning regarding a critical security lapse involving ASP.NET machine keys. Developers have been found incorporating publicly disclosed machine keys from accessible online resources into their applications, inadvertently exposing them to significant security threats. This practice has led to vulnerabilities that attackers can exploit to inject malicious code into web applications.
Understanding the Vulnerability
ASP.NET uses a feature called ViewState to preserve the state of a web page between user interactions. The state is serialized, base64-encoded, stored in a hidden form field, and protected by a message authentication code (MAC) computed with the machine key. Because the server trusts any ViewState whose MAC verifies, the integrity of this data rests entirely on the secrecy of that key: an attacker who obtains it can forge ViewState data that the server accepts and deserializes, leading to arbitrary code execution on the server.
Microsoft's threat intelligence team observed limited activity in December 2024, where an unidentified threat actor employed a publicly available, static ASP.NET machine key to inject malicious code. This attack facilitated the deployment of the Godzilla post-exploitation framework, granting the attacker extensive control over the compromised system.
Scope of the Issue
Alarmingly, Microsoft identified over 3,000 publicly disclosed machine keys that could be leveraged for such attacks, termed "ViewState code injection attacks." These keys are readily available across various code repositories and online platforms. The widespread availability of these keys exacerbates the risk, as developers might unknowingly incorporate them into their projects, assuming they are safe for use.
Unlike previous ViewState code injection attacks that relied on compromised or stolen keys often traded on dark web forums, these publicly disclosed keys pose a higher risk due to their accessibility. Their presence in multiple code repositories increases the likelihood of developers integrating them into their applications without proper scrutiny.
Attack Path
(Attack path diagram not reproduced here.)
Source: https://thehackernews.com/2025/02/microsoft-identifies-3000-publicly.html
Mitigation Strategies
To address this pressing issue, Microsoft has taken proactive measures by removing key-related artifacts from instances where they were inadvertently included in its documentation. Additionally, Microsoft has provided a list of hash values corresponding to the publicly disclosed machine keys, urging organizations to verify their environments against this list. This verification process is crucial to identify and replace any compromised keys that may have been unknowingly adopted.
However, simply rotating the keys is not a comprehensive solution. In cases where exploitation has already occurred, attackers may have established persistent access to the system. Therefore, it's imperative to conduct thorough security assessments to detect and eliminate any unauthorized backdoors or malicious code that may have been implanted.
To prevent such vulnerabilities, developers are strongly advised against copying machine keys from public sources. Instead, they should generate unique keys for each application to ensure robust security. Regular rotation of these keys further enhances security by limiting the window of opportunity for potential attackers.
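As an added example (not Microsoft's published checker, nor code from the newsletter), the Python script below audits a web.config for a static machineKey, fingerprints the key values and compares them against a denylist, flags the legacy SHA1 validation setting, and generates replacement keys from the OS random source. The sample web.config, its key values and the denylist are all constructed here so that the check fires; the SHA-256-of-uppercase-hex fingerprint is an assumption, so match the hashing to whatever format the real disclosed-key list uses.

```python
"""Audit a web.config machineKey against a denylist of disclosed keys and
produce fresh replacement keys.

Added example. Assumptions: the denylist holds SHA-256 hex digests of the
uppercase hex key strings (the real disclosed-key list may use another
format), and the sample config and key values below are constructed.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config. The key values are made up for this example
# and stand in for the copy-pasted static keys the article describes.
CONSTRUCTED_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 128 hex chars
CONSTRUCTED_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 64 hex chars
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{CONSTRUCTED_VALIDATION_KEY}"
                decryptionKey="{CONSTRUCTED_DECRYPTION_KEY}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def key_fingerprint(key_hex: str) -> str:
    """Fingerprint a key so raw key material never has to be shared or stored.
    Assumption: the denylist uses SHA-256 over the uppercase hex string."""
    return hashlib.sha256(key_hex.strip().upper().encode("ascii")).hexdigest()


# Constructed denylist, built from the sample key so the audit below fires.
DISCLOSED_KEY_HASHES = {key_fingerprint(CONSTRUCTED_VALIDATION_KEY)}


def parse_machine_key(config_xml: str) -> dict:
    """Return the attributes of <machineKey>, or {} if the config has none."""
    node = ET.fromstring(config_xml).find(".//machineKey")
    return dict(node.attrib) if node is not None else {}


def audit_machine_key(config_xml: str, disclosed_hashes: set) -> list:
    """List findings for a config: disclosed keys and the legacy SHA1 setting."""
    findings = []
    mk = parse_machine_key(config_xml)
    if not mk:
        return findings  # no static key: ASP.NET auto-generates one per server
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "")
        if not value or value.startswith("AutoGenerate"):
            continue
        if key_fingerprint(value) in disclosed_hashes:
            findings.append(
                f"{attr} matches a publicly disclosed key: rotate it, then "
                "assume the host may already be compromised and hunt for persistence"
            )
    if mk.get("validation", "").upper() == "SHA1":
        findings.append("validation=SHA1 is legacy; use HMACSHA256")
    return findings


def generate_machine_key() -> dict:
    """Fresh per-application keys from the OS CSPRNG (never copied from a web page)."""
    return {
        "validationKey": secrets.token_hex(64).upper(),  # 64 bytes for HMACSHA256
        "decryptionKey": secrets.token_hex(32).upper(),  # 32 bytes for AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(mk: dict) -> str:
    """Serialize a key dict as the <machineKey> element to paste into web.config."""
    attrs = " ".join(f'{k}="{v}"' for k, v in mk.items())
    return f"<machineKey {attrs} />"


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG, DISCLOSED_KEY_HASHES):
        print("FINDING:", finding)
    print("Replacement:", render_machine_key(generate_machine_key()))
```

Run it against each application's web.config (and machine-wide configuration, where a static key may also live). A denylist match is a rotation trigger, not the end of the job: as the article notes, an already-exploited host needs a persistence hunt after the key is replaced.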
The exposure of ASP.NET machine keys underscores the critical importance of secure coding practices and vigilant key management. Developers must exercise caution and avoid sourcing security keys from public domains. Organizations should implement regular security audits to identify and rectify such vulnerabilities promptly. By adopting these proactive measures, the risk of ViewState code injection attacks can be significantly mitigated, safeguarding web applications from potential exploitation.

2. CISA and FBI Warn of DNS Evasion Technique in Use by Nation-State Hackers
Federal agencies are sounding the alarm over a sophisticated evasion technique that’s complicating efforts to track and disrupt cyberattacks. Known as fast flux, this method rapidly rotates DNS records to disguise the true locations of malicious servers. The FBI, CISA, and international partners issued a joint advisory this week highlighting how both criminal syndicates and state-linked actors are using fast flux networks to cloak their infrastructure, particularly when operating botnets or launching phishing campaigns.
Fast flux is especially difficult to defend against because it leverages compromised devices across the internet as proxies, allowing attackers to switch IP addresses and DNS name servers at rapid intervals. This not only hampers efforts to block specific domains but also frustrates investigations. The advisory references previous use of fast flux by groups tied to ransomware operations like Hive and Nefilim, as well as Russian APT group Gamaredon.
Experts say this tactic increases operational resilience for threat actors, allowing their malware command and control servers to stay online longer while evading detection. During the early months of the war in Ukraine, analysts also observed fast flux usage by Russian-linked actors such as Trident Ursa to sustain their cyber operations against Ukrainian targets. Security professionals warn that without improved DNS visibility, fast flux techniques will remain a blind spot in many organizations’ defenses.
To counter the threat, authorities recommend a combination of threat intelligence, DNS traffic analysis, and anomaly detection. Organizations are urged to work closely with protective DNS service providers to monitor and block suspicious domains, analyze DNS query patterns, and share indicators of compromise with broader threat-sharing communities. The coordinated response aims to close what many believe is a long-standing defensive gap exploited by cyber adversaries around the globe.
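The DNS pattern analysis the advisory recommends can be prototyped over ordinary resolver logs. The Python below is an added example (not from the advisory or any named product): it aggregates per-domain statistics from a constructed passive-DNS style log and scores each domain on the fast-flux traits described above, many distinct A records, addresses scattered across /24 networks, very short TTLs, and rotating name servers (double flux). The log format and the thresholds are assumptions to tune against your own baseline.

```python
"""Flag fast-flux candidates from DNS resolution logs.

Added example (not from the advisory). Input format and sample lines are
constructed: "<unix_ts> <name> <rrtype> <answer> <ttl>", one record per
line, as a passive-DNS sensor or resolver log export might provide.
Thresholds are illustrative starting points, not published values.
"""
import ipaddress
from collections import defaultdict

# Constructed log. update-check.example rotates through many addresses in
# several /24s with short TTLs and also rotates its name servers (double
# flux); cdn.example and mail.example look like ordinary hosting.
SAMPLE_DNS_LOG = """\
1712390400 update-check.example A 203.0.113.10 60
1712390460 update-check.example A 198.51.100.77 60
1712390520 update-check.example A 192.0.2.33 120
1712390580 update-check.example A 203.0.113.205 60
1712390640 update-check.example A 198.51.100.8 60
1712390700 update-check.example A 192.0.2.150 90
1712390760 update-check.example NS ns1.flux-host.example 60
1712390820 update-check.example NS ns7.other-host.example 60
1712390880 update-check.example NS ns3.third-host.example 60
1712390400 cdn.example A 192.0.2.50 3600
1712394000 cdn.example A 192.0.2.50 3600
1712397600 cdn.example A 192.0.2.51 300
1712390400 mail.example A 203.0.113.99 86400
"""


def analyze_dns_log(log_text: str) -> dict:
    """Aggregate per-domain counters: answers seen, /24 spread, NS churn, min TTL."""
    a_records = defaultdict(set)
    nets = defaultdict(set)
    ns_records = defaultdict(set)
    min_ttl = {}
    queries = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, domain, rtype, answer, ttl = line.split()
        ttl = int(ttl)
        queries[domain] += 1
        min_ttl[domain] = min(min_ttl.get(domain, ttl), ttl)
        if rtype == "A":
            a_records[domain].add(answer)
            nets[domain].add(str(ipaddress.ip_network(answer + "/24", strict=False)))
        elif rtype == "NS":
            ns_records[domain].add(answer.lower())
    return {
        d: {
            "queries": queries[d],
            "distinct_a": len(a_records[d]),
            "distinct_net24": len(nets[d]),
            "distinct_ns": len(ns_records[d]),
            "min_ttl": min_ttl[d],
        }
        for d in queries
    }


def flux_score(stats: dict) -> tuple:
    """Score one domain on fast-flux traits; returns (score, human-readable reasons)."""
    reasons = []
    if stats["distinct_a"] >= 5:
        reasons.append(f"{stats['distinct_a']} distinct A records")
    if stats["distinct_net24"] >= 3:
        reasons.append(f"addresses spread over {stats['distinct_net24']} /24 networks")
    if stats["min_ttl"] <= 300:
        reasons.append(f"TTL as low as {stats['min_ttl']}s")
    if stats["distinct_ns"] >= 3:
        reasons.append(f"{stats['distinct_ns']} distinct name servers (double flux)")
    return len(reasons), reasons


def flag_fast_flux(all_stats: dict, min_score: int = 3) -> list:
    """Domains whose score meets the threshold, sorted for stable reporting."""
    return sorted(d for d, s in all_stats.items() if flux_score(s)[0] >= min_score)


if __name__ == "__main__":
    stats = analyze_dns_log(SAMPLE_DNS_LOG)
    for domain in flag_fast_flux(stats):
        print(domain, "->", "; ".join(flux_score(stats[domain])[1]))
```

Large CDNs and anycast services legitimately return many addresses with short TTLs, so in production the hits from this kind of scoring should be checked against a hosting allowlist and threat-intelligence feeds before blocking, and the flagged domains are the candidates to forward to a protective DNS provider or a sharing community.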

Medium-Severity ChatGPT Vulnerability Emerges as Major Threat to Government and Financial Institutions
Vulnerability Details and Impact
A year-old vulnerability in a third-party ChatGPT tool is being actively exploited against financial entities and U.S. government organizations, according to recent findings from cybersecurity firm Veriti (2025). The vulnerability, tracked as CVE-2024-27564, affects a pictureproxy.php file in an open-source ChatGPT interface developed by a Chinese developer—not OpenAI’s official product. Despite being classified as medium severity, the server-side request forgery (SSRF) vulnerability has become a significant real-world threat with proof-of-concept exploit code publicly available on GitHub (Veriti, 2025).
Scale and Targeting of Attacks
The scale of exploitation is alarming, with Veriti observing over 10,000 attack attempts from a single IP address in just one week in early March (Veriti, 2025). Approximately one-third of targeted organizations are potentially vulnerable due to misconfigurations in their protection solutions. The attacks primarily target U.S. government agencies and financial institutions, with healthcare firms in Germany, Thailand, Indonesia, Colombia, and the U.K. also affected. As Veriti notes, “banks and fintech firms depend on AI-driven services and API integrations, making them vulnerable to SSRF attacks that access internal resources or steal sensitive data” (Veriti, 2025).
Shifting Paradigm in Vulnerability Assessment
What makes this case particularly noteworthy is how it demonstrates that vulnerability severity ratings do not always correlate with actual exploitation risk. The CVE’s EPSS score jumped dramatically from 1.68% to 55.36% after Veriti’s research was published, highlighting how threat intelligence can reshape approaches to vulnerability prioritization beyond severity classification (Veriti, 2025). This case reinforces the danger of dismissing medium-severity vulnerabilities, especially in high-value targets like financial, healthcare, and government environments.
Urgent Mitigations and Strategic Implications
Security practitioners must adapt their vulnerability management approaches as AI tools become more deeply integrated into enterprise environments. Key actions include:
- Immediately check intrusion prevention systems and firewalls for misconfigurations related to this vulnerability
- Monitor logs for the attacker IP addresses published by threat intelligence firms like Veriti
- Perform a comprehensive review of vulnerability management practices to ensure medium-severity issues affecting critical systems receive appropriate attention
- Develop more nuanced approaches to vulnerability prioritization that consider real-world exploitation patterns rather than relying solely on initial severity ratings
- Implement additional monitoring for AI tool activity, particularly those that process or handle external resources
- Consider implementing network segmentation for AI development environments
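To make the prioritization point concrete, here is an added example (not Veriti's or the newsletter's method) of a scoring scheme in Python that weights exploitation likelihood (EPSS, KEV listing) and asset context alongside the CVSS rating. The weighting is an illustrative assumption to tune per organization; the two EPSS values for CVE-2024-27564 (1.68% before and 55.36% after Veriti's publication) are the article's, and every other record is constructed.

```python
"""Rank vulnerabilities by exploitation likelihood and asset context rather
than CVSS severity alone.

Added example. The weighting is an illustrative assumption; the EPSS values
for CVE-2024-27564 come from the article, all other records are constructed.
"""
from dataclasses import dataclass

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class VulnRecord:
    cve: str
    severity: str      # CVSS qualitative rating: low / medium / high / critical
    epss: float        # EPSS probability of exploitation, 0.0 .. 1.0
    in_kev: bool       # listed in CISA's Known Exploited Vulnerabilities catalog
    exposed: bool      # affected asset reachable from the internet
    crown_jewel: bool  # asset handles financial, health or government data


def priority_score(v: VulnRecord) -> float:
    """Illustrative weighting: likelihood (EPSS, KEV) and context outweigh severity."""
    score = SEVERITY_WEIGHT[v.severity.lower()]
    score += 10 * v.epss          # a 55% EPSS adds more than any severity step
    if v.in_kev:
        score += 5                # confirmed in-the-wild exploitation
    if v.exposed:
        score += 2
    if v.crown_jewel:
        score += 2
    return round(score, 2)


def triage_tier(score: float) -> str:
    """Map a score to an SLA bucket (assumed cut-offs)."""
    if score >= 10:
        return "patch now"
    if score >= 6:
        return "this sprint"
    return "backlog"


def rank(vulns) -> list:
    """CVE ids ordered from most to least urgent."""
    return [v.cve for v in sorted(vulns, key=priority_score, reverse=True)]


# CVE-2024-27564 as it scored before and after Veriti's research (EPSS values
# from the article; in_kev left False because the article does not state a KEV
# listing). The "high" record is constructed to show the ordering flip.
SSRF_BEFORE = VulnRecord("CVE-2024-27564", "medium", 0.0168, False, True, True)
SSRF_AFTER = VulnRecord("CVE-2024-27564", "medium", 0.5536, False, True, True)
CONSTRUCTED_HIGH = VulnRecord("CVE-0000-0001 (constructed)", "high", 0.02, False, True, True)

if __name__ == "__main__":
    for label, inventory in (("before", [SSRF_BEFORE, CONSTRUCTED_HIGH]),
                             ("after", [SSRF_AFTER, CONSTRUCTED_HIGH])):
        for v in sorted(inventory, key=priority_score, reverse=True):
            sc = priority_score(v)
            print(f"{label:6} {v.cve:30} {v.severity:8} {sc:6.2f} {triage_tier(sc)}")
```

With the pre-publication EPSS the medium-severity SSRF ranks below a constructed high-severity finding on an equally exposed asset; after the EPSS jump it ranks first and crosses into the "patch now" tier, which is the behaviour a severity-only queue would never show.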

3. Expert Witness Under Fire: FBI Investigates Forensic Consultant in 2,000+ Cases
A recent investigative piece from Brian Krebs outlines how a prominent computer forensics expert from Minnesota, whose testimony has influenced over 2,000 legal cases, is now under federal investigation. Mark Lanterman, a former Secret Service cybercrime investigator and founder of Computer Forensic Services, is being scrutinized by the FBI following revelations that parts of his educational and professional background may have been fabricated. The inquiry could have far-reaching implications, potentially prompting appeals in many cases where his testimony was deemed crucial.
Concerns over Lanterman's credentials were first raised by another forensics examiner, Sean Harrington, and later supported by attorneys at Perkins Coie LLP. Court documents show Lanterman claimed to hold degrees from the now-defunct Upsala College and to have completed postgraduate work at Harvard. However, investigators have been unable to verify these claims—Lanterman later admitted that his Harvard credentials came from an eight-week online course and that Upsala has no record of him attending.
Further scrutiny followed allegations of professional misconduct, including accusations that Lanterman’s firm once threatened to auction off sensitive client data in a billing dispute. In another case, he reportedly removed a personnel file from a police department under false pretenses. Lanterman has since withdrawn from at least one active case, citing personal reasons and signaling a handoff of his business to his children.
The fallout has already begun. A Minnesota man convicted in a high-profile murder case has filed a motion to reopen proceedings, claiming Lanterman’s discredited testimony helped seal his fate. Legal experts warn that this situation highlights the importance of rigorous vetting when introducing expert witnesses—a lapse that could now lead to years of court decisions being revisited.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about