Cyber Intelligence Weekly (August 17, 2025): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight how Echelon helped the Detroit Pistons up their cybersecurity game!
Echelon worked with the Detroit Pistons to identify vulnerabilities, strengthen incident response, and keep operations ready on and off the court.
🔗 See how they raised their cybersecurity game: https://lnkd.in/ehpZvTD2

Away we go!
1. U.S. and Allies Knock BlackSuit Offline After $370M Ransom Spree
U.S. authorities have confirmed a coordinated operation that pulled the plug on BlackSuit’s core infrastructure, two weeks after the gang’s Tor leak and negotiation sites lit up with a seizure notice. Investigators say the crew—an evolution of Royal—has compromised more than 450 U.S. organizations since 2022 and amassed over $370 million in ransom payments. Officials framed the action as a public-safety imperative given BlackSuit’s appetite for hospitals, schools, local governments and other critical services.
The takedown, run under Operation Checkmate and led by HSI with the FBI, DOJ, Europol and partners in the U.K., Germany, France, Ireland, Ukraine, Lithuania and Canada, seized servers, domains, and digital assets used to deploy malware, extort victims and launder proceeds. German police said they confiscated technical infrastructure and “secured substantial amounts of data,” which is now being analyzed to unmask additional operators and facilitators. Prosecutors in the Eastern District of Virginia are coordinating U.S. charges alongside DOJ’s National Security Division and international counterparts.
BlackSuit/Royal has been linked to dozens of high-impact incidents, notably the 2023 Dallas attack that disrupted emergency services and courts, as well as intrusions at grade schools and colleges, Kadokawa, Tampa Bay Zoo, and Octapharma, the latter forcing temporary closure of nearly 200 plasma collection centers. Demands routinely climbed into eight figures—some as high as $60 million—backed by a double-extortion playbook that locked systems and threatened data leaks.
Even as infrastructure fell, parts of the crew began regrouping. Cisco Talos reports a pivot to a successor brand dubbed Chaos, with overlapping code paths, ransom-note structure and tooling. DOJ separately announced the seizure of $2.4 million in crypto tied to a Chaos member known as “Hors,” linked to attacks in Texas and beyond—an early signal that financial pressure will accompany future infrastructure disruptions.

Improved “Vulnerable by Design” AWS Tool for Training or Research
Rhino Security Labs has expanded its wildly successful CloudGoat tool with new capabilities. Cloud-platform-specific penetration testing and lab work is still a young discipline, with few good resources for building your own skills at testing AWS or for training staff on common misconfigurations. The tool bundles resources for directed learning and skills testing: capture-the-flag challenges and vulnerable-by-design virtual machines and web applications.
CloudGoat 2 improves on the original with a better user interface, simplified Python-based creation and teardown of the test infrastructure, and scenario-based learning environments. Scenarios included at launch are:
- rce_web_app – Find the secret endpoint and exploit a web app remote code execution vulnerability to gain root EC2 access inside a VPC.
- iam_privesc_by_attachment – Discover and attach existing instance profiles to elevate privileges.
- iam_privesc_by_rollback – Enumerate IAM policy versions and roll back to a previous version with higher privileges.
- codebuild_secrets – Explore CodeBuild and SSM to discover plaintext secrets in a secure database.
- ec2_ssrf – Find and exploit the EC2 metadata service to get keys using an SSRF vulnerability in a web app.
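The two IAM scenarios above (policy-version rollback and instance-profile attachment) both depend on a policy that quietly carries more privilege than its default version suggests. The following added example, written for this newsletter rather than taken from CloudGoat, audits a customer-managed policy's versions offline: it flags non-default versions that grant actions the default version does not (what a SetDefaultPolicyVersion rollback would re-enable) and any version that grants IAM actions commonly chained for privilege escalation. The watch-list of actions, the sample policy and the version/document shape (modelled on boto3's list_policy_versions and get_policy_version output) are all assumptions.

```python
"""Offline audit of IAM customer-managed policy versions.

Checks: (a) a non-default version granting actions absent from the default
version, i.e. what a SetDefaultPolicyVersion rollback would re-enable; and
(b) any version granting IAM actions commonly chained for privilege
escalation. Input shape mirrors boto3 iam.list_policy_versions() plus
iam.get_policy_version(); SAMPLE_POLICY below is constructed.
"""
import fnmatch
import json

# Assumed watch-list: actions that let a principal change its own or another
# principal's effective permissions.
PRIVESC_ACTIONS = {
    "iam:setdefaultpolicyversion", "iam:createpolicyversion",
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:attachgrouppolicy",
    "iam:putuserpolicy", "iam:putrolepolicy", "iam:putgrouppolicy",
    "iam:addroletoinstanceprofile", "iam:passrole", "iam:updateassumerolepolicy",
}


def _as_list(value):
    """IAM documents allow either a string or a list in Statement and Action."""
    return value if isinstance(value, list) else [value]


def allowed_actions(document):
    """Lower-cased Action patterns from Allow statements (Deny/NotAction ignored)."""
    actions = set()
    for statement in _as_list(document.get("Statement", [])):
        if statement.get("Effect") != "Allow" or "Action" not in statement:
            continue
        actions.update(a.lower() for a in _as_list(statement["Action"]))
    return actions


def covered(patterns, action):
    """True if any IAM-style pattern ('*', 's3:get*', ...) matches the action."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def audit_policy(policy):
    """Return {VersionId: [reasons]} for every version that deserves review."""
    default = next(v for v in policy["Versions"] if v["IsDefaultVersion"])
    default_actions = allowed_actions(default["Document"])
    findings = {}
    for version in policy["Versions"]:
        vid = version["VersionId"]
        actions = allowed_actions(version["Document"])
        reasons = []
        if "*" in actions:
            reasons.append("wildcard Action '*' (full access)")
        else:
            reasons.extend(f"grants {a}" for a in sorted(PRIVESC_ACTIONS) if covered(actions, a))
        if not version["IsDefaultVersion"]:
            # Anything here is what a rollback to this version would hand out.
            extra = sorted(a for a in actions if not covered(default_actions, a))
            if extra:
                reasons.append("non-default version grants actions not in default: " + ", ".join(extra))
        if reasons:
            findings[vid] = reasons
    return findings


SAMPLE_POLICY = {  # constructed; modelled on the rollback/attachment scenarios
    "Arn": "arn:aws:iam::123456789012:policy/example-app-policy",
    "Versions": [
        {"VersionId": "v1", "IsDefaultVersion": True, "Document": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": "*"}]}},
        {"VersionId": "v2", "IsDefaultVersion": False, "Document": {
            "Version": "2012-10-17",
            "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}},
        {"VersionId": "v3", "IsDefaultVersion": False, "Document": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"],
                           "Resource": "*"}]}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Run as-is it reports v2 (a wildcard version a rollback would restore) and v3 (iam:PassRole alongside ec2:RunInstances); v1 is clean. In a real account you would build the same structure by paging through list_policy_versions and fetching each Document, then feed every policy with more than one version through audit_policy.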

2. Federal Courts Revert to Paper After Case-Filing Hack Exposes Sealed Records
The federal judiciary is scrambling after a breach of its case-filing platform (CM/ECF) discovered around July 4 forced multiple courts to fall back on paper for sealed matters. Officials fear the compromise may include sealed dockets, arrest and search warrants, and—most alarmingly—the identities of confidential informants and cooperating witnesses across several states. Weeks on, agencies still haven’t publicly nailed down the full scope or exact intrusion path.
Early reporting points to Russian involvement, but investigators also see signs that multiple espionage crews and possibly criminal groups piggybacked on the same weak points. The attack wasn’t cutting-edge so much as opportunistic: sources say intruders reused basic authentication and query flaws first flagged after a 2020 judiciary breach—and in some districts even stole filing-system source code. The problem is magnified by CM/ECF’s decentralization: more than 200 locally managed instances with uneven logging, slow patch uptake, and two-factor authentication only recently mandated.
Risk triage is now front-and-center. Courts in at least three districts have barred uploading sealed filings and shifted the most sensitive activity to pen-and-paper or isolated workflows. While the judiciary notes that most filings are public and that the most sensitive national-security data lives outside CM/ECF, exposure of sealed criminal materials can still tip off targets, jeopardize witnesses, and contaminate active investigations.
The takeaway for defenders is unambiguous: fix what’s already known to be broken. For the judiciary, that means accelerating the planned platform overhaul; enforcing MFA and identity controls uniformly; centralizing telemetry and retention for forensic reconstruction; and moving sealed/highly sensitive documents to air-gapped or segmented systems with strict access governance. For every enterprise watching from the sidelines, it’s another reminder that unpatched, decentralized systems—not zero-days—remain the shortest path to the worst-case headline.
Asana’s MCP AI Connector Likely Exposing Corporate Data
A recently discovered vulnerability in Asana's Model Context Protocol (MCP) AI connector allowed unauthorized access to sensitive data across different organizations using the platform. Asana's MCP server, which facilitates AI integrations, was taken offline after the company identified a bug. Researchers from Upguard identified that this bug could have exposed data from one organization's projects, tasks, and other Asana objects to users from other organizations. The security flaw was identified a month after the server’s release. The vulnerability could have exposed internal project details and metadata of affected customers; however, no malicious exploitation was reported.
MCP servers act as brokers that connect AI platforms to existing enterprise productivity applications, a capability in high demand across the fast-moving AI industry. However, MCP servers can present a significant attack surface, and organizations must conduct proper due diligence before adoption.
Recommendations:
- Review Logs for Leakage: CSOs with Asana’s Model Context Protocol (MCP) server in their environment should scour their logs and metadata for data leaks following the discovery of this serious vulnerability.
- Limit Data Access: Restrict the data that MCP projects can access to minimize exposure.
- Audit Logs: Regularly review logs and metadata for any unauthorized access or anomalies.
- Implement Guardrails: Ensure that AI integrations have strict access controls and are monitored for unusual activities.
- Treat Bugs Seriously: Address internal software flaws promptly, as they can have real-world security implications.
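The bug class described here (one organization's objects served to another organization's users) is worth seeing in code. The following added example is constructed for this newsletter and is not Asana's code: a tiny MCP-style tool handler is shown in a vulnerable form that looks objects up by id alone, and in a hardened form that scopes every lookup to the caller's organization, projects only the fields the integration is scoped for (the "Limit Data Access" item), and writes an audit record for denied cross-tenant requests (the "Audit Logs" item). All names, tenants, scopes and data are invented.

```python
"""Tenant isolation for an MCP-style tool handler (constructed example).

get_task_vulnerable() looks objects up by id only, so any authenticated caller
can read any tenant's task. get_task_hardened() scopes the lookup to the
caller's organization and answers foreign ids exactly like missing ids.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    task_id: str
    org_id: str
    name: str
    notes: str


@dataclass(frozen=True)
class Caller:
    user_id: str
    org_id: str
    scopes: frozenset  # assumed scope names, e.g. {"tasks:read", "tasks:read_notes"}


# Constructed data for two tenants.
TASKS = {
    "t-100": Task("t-100", "org-acme", "Q3 board deck", "draft revenue figures attached"),
    "t-200": Task("t-200", "org-globex", "Reorg plan", "not yet announced"),
}

AUDIT_LOG = []  # one dict per denied request; ship these to your SIEM in practice


class NotFound(Exception):
    pass


def get_task_vulnerable(caller, task_id):
    """Id-only lookup: the caller's organization is never consulted."""
    task = TASKS.get(task_id)
    if task is None:
        raise NotFound(task_id)
    return task


def get_task_hardened(caller, task_id):
    """Tenant-scoped lookup. A foreign object raises the same NotFound as a
    missing one, so the tool cannot be used to enumerate other tenants' ids."""
    task = TASKS.get(task_id)
    if task is None or task.org_id != caller.org_id:
        AUDIT_LOG.append({
            "event": "cross_tenant_denied" if task else "not_found",
            "user": caller.user_id, "caller_org": caller.org_id, "task_id": task_id,
        })
        raise NotFound(task_id)
    return task


def serialize(task, caller):
    """Least-privilege projection: free-text notes only with an explicit scope."""
    out = {"task_id": task.task_id, "name": task.name}
    if "tasks:read_notes" in caller.scopes:
        out["notes"] = task.notes
    return out


def handle_tool_call(caller, request, lookup=get_task_hardened):
    """Dispatch one call shaped like {"tool": "get_task", "arguments": {"task_id": ...}}."""
    if request.get("tool") != "get_task" or "tasks:read" not in caller.scopes:
        return {"error": "forbidden"}
    try:
        task = lookup(caller, request["arguments"]["task_id"])
    except NotFound:
        return {"error": "not_found"}
    return {"result": serialize(task, caller)}


if __name__ == "__main__":
    acme = Caller("u-1", "org-acme", frozenset({"tasks:read"}))
    req = {"tool": "get_task", "arguments": {"task_id": "t-200"}}  # another tenant's task
    print("vulnerable:", handle_tool_call(acme, req, lookup=get_task_vulnerable))
    print("hardened:  ", handle_tool_call(acme, req))
    print("audit:     ", AUDIT_LOG)
```

The point to carry over to any MCP server you run or evaluate: the tenant check belongs in the data-access layer, not in the AI-facing tool description, and denied cross-tenant lookups should be logged as their own event type so the "scour your logs" step above has something unambiguous to search for.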

3. North Korea’s ScarCruft Adds an Extortion Play to Its Spy Toolkit
ScarCruft—one of North Korea’s most active espionage teams—has started pairing classic spying tradecraft with a new ransomware play. In a recent South Korea–focused wave, researchers at S2W say the group (specifically its ChinopuNK subgroup) pushed phishing archives that unzip to a malicious LNK. That shortcut launches an AutoIt loader, which pulls a full kit: info-stealers, backdoors, and a newly observed encryptor S2W dubs VCD for the extension it adds to locked files. The note appears in both Korean and English—an unmistakable signal that this isn’t just collection; it’s leverage.
Behind the lure (“postal-code update” decoys), ScarCruft cycled more than nine payloads. Notables include LightPeek and FadeStealer for data theft and surveillance; NubSpy, a backdoor that hides command-and-control in PubNub’s legitimate real-time messaging traffic; and CHILLYCHINO, a Rust-based evolution of the group’s older Chinotto malware. A Python loader (TxPyLoader) using transacted hollowing rounds out the chain. S2W attributes with high confidence based on tool lineage and the group’s long-running habit of blending into chat/notification platforms to mask C2.
Why it matters: ScarCruft has historically stolen policy and personal data across South Korea, Japan, Vietnam, Russia, and Nepal; folding in VCD hints at a broader operating model—financial pressure and disruption alongside espionage. That tracks with Pyongyang’s playbook: state-tasked crews that both gather intelligence and raise funds for a heavily sanctioned regime. Even a “single-country” APT adopting double-extortion-style tactics raises the baseline risk for governments, media, NGOs, and researchers already in the group’s sights.
Defenders should treat this like a mixed APT/ransomware incident. Priorities: block shortcut-file execution from email/archives; lock down script interpreters (PowerShell/AutoIt) with constrained language mode and application control; inspect egress to real-time messaging services (e.g., PubNub/Ably) and alert on first-time use; hunt for rapid creation of files ending .VCD; and monitor for unusual parent/child chains (LNK → AutoIt → PowerShell/Python). As ever, tighten MFA and conditional access, and use EDR to flag clipboard-driven “Click-to-Run” patterns common in lure chains.
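Three of the hunting priorities above translate directly into telemetry rules: the LNK → AutoIt → PowerShell/Python parent/child chain, rapid creation of .VCD files, and first-time egress to real-time messaging services. The following added example (written for this newsletter, not taken from S2W or any EDR vendor) runs those rules over a handful of constructed endpoint events; the event field names, the messaging-domain watch-list, and the burst threshold are assumptions you would map onto your own EDR's process-create, file-create and network-connect records.

```python
"""Detection rules for the ScarCruft chain, run over constructed events.

Rules: (1) AutoIt spawning a script interpreter, (2) a burst of .vcd file
creations by one process, (3) first-seen egress from a host to a real-time
messaging service domain. Event shape, domain list and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"autoit3.exe", "autoit3_x64.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe",
                "wscript.exe", "cscript.exe"}
MESSAGING_DOMAINS = ("pubnub.com", "ably.io")   # assumed watch-list; extend per environment
VCD_BURST_MIN = 5                               # this many .vcd creations ...
VCD_BURST_WINDOW = timedelta(seconds=30)        # ... within this window is an alert


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_domain(host, domains):
    """Exact or subdomain match only, so 'evilpubnub.com' does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def detect(events, seen_egress=None):
    """Return [(rule, host, detail)] in event order; burst alerts are appended last."""
    seen = set(seen_egress or ())   # (host, dest) pairs already in the baseline
    alerts = []
    vcd_times = defaultdict(list)
    for e in events:
        if e["type"] == "process":
            parent, child = _basename(e["parent_image"]), _basename(e["image"])
            if parent in SCRIPT_HOSTS and child in INTERPRETERS:
                alerts.append(("autoit_spawns_interpreter", e["host"],
                               f"{parent} -> {child}: {e['cmdline']}"))
        elif e["type"] == "file" and e["path"].lower().endswith(".vcd"):
            vcd_times[(e["host"], e["pid"])].append(datetime.fromisoformat(e["ts"]))
        elif e["type"] == "network" and _in_domain(e["dest_host"], MESSAGING_DOMAINS):
            key = (e["host"], e["dest_host"].lower())
            if key not in seen:
                seen.add(key)
                alerts.append(("first_seen_realtime_messaging_egress", e["host"],
                               f"{_basename(e['image'])} -> {e['dest_host']}"))
    for (host, pid), times in vcd_times.items():
        times.sort()
        # Sliding window: VCD_BURST_MIN creations whose spread fits in the window.
        for i in range(len(times) - VCD_BURST_MIN + 1):
            if times[i + VCD_BURST_MIN - 1] - times[i] <= VCD_BURST_WINDOW:
                alerts.append(("vcd_encryption_burst", host,
                               f"pid {pid}: {VCD_BURST_MIN}+ .vcd files within {VCD_BURST_WINDOW.seconds}s"))
                break
    return alerts


def _vcd_events(host, pid, start, count, step_s):
    """Constructed file-create events, `count` files `step_s` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [{"type": "file", "host": host, "pid": pid,
             "ts": (t0 + timedelta(seconds=i * step_s)).isoformat(),
             "path": f"C:\\Users\\u\\Documents\\report{i}.docx.vcd"} for i in range(count)]


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"type": "process", "host": "WS01", "pid": 4100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe", "cmdline": "AutoIt3.exe update.au3"},
    {"type": "process", "host": "WS01", "pid": 4242,
     "parent_image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File stage2.ps1"},
    {"type": "network", "host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "ps.pubnub.com"},
    {"type": "network", "host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "ps.pubnub.com"},   # repeat: already seen, no second alert
    {"type": "network", "host": "WS01", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.microsoft.com"},
    *_vcd_events("WS01", 4242, "2025-08-14T09:00:00", 6, 2),    # 6 files in 10 s: burst
    *_vcd_events("WS02", 9, "2025-08-14T09:00:00", 2, 600),     # 2 files 10 min apart: quiet
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The sample run yields exactly three alerts, all for WS01: the AutoIt-to-PowerShell spawn, the first PubNub connection, and the encryption burst. Pass your existing host-to-domain baseline as seen_egress so legitimate PubNub or Ably users do not page the on-call every shift; the burst rule deliberately keys on process rather than host so a single encryptor stands out even on a busy file server.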
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about