Cyber Intelligence Weekly (December 14, 2025): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight the fact that Echelon Risk + Cyber is an accredited Registered Practitioner Organization within the CMMC ecosystem.

𝗖𝗵𝗼𝗼𝘀𝗶𝗻𝗴 𝘁𝗵𝗲 𝗿𝗶𝗴𝗵𝘁 𝗖𝗠𝗠𝗖 𝗽𝗮𝗿𝘁𝗻𝗲𝗿 𝗺𝗮𝘁𝘁𝗲𝗿𝘀.

As a Registered Practitioner Organization with The CyberAB, Echelon is equipped to help defense contractors navigate CMMC with clarity and real security outcomes.

Our team understands the realities of Level 1 and Level 2 compliance, the scope, the timelines, and controls that actually move the needle. If you're preparing for CMMC in 2026, work with a team that lives and breathes this framework!

See Echelon's RPO profile: https://lnkd.in/gj93RkYH

Away we go!

1.  Trust Under Pressure: Why Tech Companies Keep Falling for Fake Police Requests

Major technology companies are quietly being manipulated into handing over deeply personal data—often in under half an hour—by criminals who simply pretend to be law enforcement. According to recent reporting, organized doxing groups are exploiting long-standing weaknesses in how companies process emergency data requests, or EDRs. These requests are meant to help police act quickly when lives are at risk, but attackers have learned that a convincing email address, a realistic subpoena template, and a sense of urgency are often enough to bypass meaningful verification altogether.

The tactic is deceptively simple. Attackers register look-alike domains that closely resemble real police departments, spoof phone numbers to match legitimate agencies, and reuse the names and badge numbers of real officers. In some cases, they go further—carefully copying real subpoenas, citing correct statutes, and even timing requests around court schedules to avoid scrutiny. Once submitted, these emergency requests frequently trigger immediate disclosure of names, addresses, phone numbers, email accounts, IP logs, and, in some cases, private communications. For the victim, the result can be harassment, stalking, or swatting. For the attacker, it has become a profitable underground service.

What makes this particularly troubling is that the system itself encourages speed over certainty. Emergency requests are intentionally designed to bypass normal checks to avoid delaying time-sensitive investigations. But with more than 18,000 law enforcement agencies in the U.S., each using different domains and email conventions, companies are left making high-risk decisions over inherently insecure channels like email. While some providers have invested in secure law-enforcement portals and behavioral verification tools, the majority still rely on inboxes that were never designed to validate identity, intent, or context at this level.

This issue isn’t about companies being careless or indifferent to privacy—it’s about structural trust assumptions that no longer hold. As attackers become more sophisticated and financially motivated, the gap between public-safety urgency and identity assurance continues to widen. Until emergency disclosure processes move away from email-based trust models and toward stronger authentication, pattern analysis, and auditable workflows, personal data will remain dangerously easy to extract. For organizations and regulators alike, the lesson is clear: protecting privacy now requires rethinking not just who we trust, but how that trust is verified under pressure.

Overly Permissive AWS API Gateway Exposes APIs

Misconfigured Amazon API Gateway settings can inadvertently expose APIs to unauthorized access from external AWS accounts, posing significant security risks. A notable example is when an API Gateway is configured with overly permissive resource policies, such as those that allow access from any AWS principal. This can lead to unintended external invocations, potentially compromising sensitive data and system integrity.

Understanding the Risk

Amazon API Gateway enables developers to create, publish, and manage APIs that can interact with various backend services. Access to these APIs is governed by resource policies, which define who can invoke the API and under what conditions. A common misconfiguration involves setting the Principal element in the resource policy to a wildcard (*), effectively allowing any AWS account to invoke the API. While this might be intended to facilitate broad access, it can inadvertently permit unauthorized external entities to interact with the API.

Real-World Implications

Such misconfigurations have led to scenarios where attackers exploit the lax permissions to gain unauthorized access. For instance, if an API is designed to interact with AWS Lambda functions or access sensitive data stored in Amazon S3, unauthorized invocations could result in data breaches or unauthorized operations being performed. In some cases, attackers have been able to escalate privileges within the AWS environment by exploiting these misconfigurations, leading to more severe security incidents.

Mitigation Strategies

To prevent unauthorized access due to misconfigured API Gateway settings, consider the following best practices:

• Restrictive Resource Policies: Define explicit Principal ARNs in your resource policies to limit access to known and trusted AWS accounts. Avoid using wildcards that open access to all principals.
• Implement Authentication and Authorization: Utilize AWS Identity and Access Management (IAM) roles and policies to enforce strict authentication and authorization mechanisms. Ensure that only authorized users and services can invoke your APIs.
• Regular Audits and Monitoring: Conduct periodic reviews of your API Gateway configurations and resource policies. Use AWS CloudTrail and Amazon CloudWatch to monitor API invocations and detect any unauthorized access attempts.
• Leverage AWS WAF: Deploy AWS Web Application Firewall (WAF) to protect your APIs from common web exploits and to add an additional layer of security.
• Educate and Train Teams: Ensure that your development and operations teams are aware of the security implications of API Gateway configurations and are trained to implement best practices.

By carefully configuring API Gateway resource policies and implementing robust security measures, organizations can significantly reduce the risk of unauthorized access from external AWS accounts. Regularly reviewing and updating these configurations is essential to maintain a strong security posture in your AWS environment.

2.  CBP Adding Social Media as a Mandatory Data Element

U.S. Customs and Border Protection is quietly reshaping how millions of travelers’ identities are collected, verified, and retained. In a newly published Federal Register notice, CBP is asking for public comment on a sweeping set of changes to the Arrival and Departure Record (Form I-94) and the Electronic System for Travel Authorization (ESTA). While framed as routine updates under the Paperwork Reduction Act, the proposal signals a significant expansion of biometric collection, mobile-first identity verification, and long-term data aggregation tied to international travel into the United States.

At the center of the proposal is CBP’s push to move identity verification out of legacy web forms and into controlled mobile environments. The agency plans to decommission the ESTA website entirely and make the ESTA mobile application the sole method for submitting new applications. CBP argues the change is necessary after discovering widespread abuse of web uploads—where poor-quality passport images were deliberately used to bypass facial comparison screening. The mobile app, by contrast, enables live selfie capture, liveness detection, NFC passport chip validation, and automated fraud checks that are not possible through a browser-based workflow. From CBP’s perspective, this shift closes known loopholes that bad actors have already learned to exploit.

The scope of data collection is also expanding sharply. Under proposed changes tied to a January 2025 executive order, ESTA applicants would be required to submit social media identifiers covering the last five years, along with what CBP calls “high-value data elements.” These include historical phone numbers, email addresses, IP metadata from submitted photos, detailed family relationship data, and a broad range of biometrics—potentially extending to fingerprints, iris scans, and DNA where feasible. CBP positions this as necessary to strengthen national security screening, but it also raises questions around proportionality, retention, and how such sensitive datasets are safeguarded once collected.

For security leaders and privacy professionals, the direction is clear: border security is becoming a high-scale identity assurance problem, not just an immigration one. CBP’s estimates show more than 14 million annual ESTA mobile applicants alone, each contributing increasingly rich identity data into federal systems. The public comment period—open through February 9, 2026—offers one of the few opportunities for organizations, travelers, and civil society to weigh in on how much data is collected, how long it’s kept, and how risk is balanced against convenience and security. As governments adopt mobile-first, biometric-heavy verification models, the lessons here will extend well beyond the border.

China-Linked Hackers Used Claude to Automate Espionage Workflows

Anthropic has reported that a Chinese state-linked cyber-espionage group was using a Claude model to support operational tasks ranging from phishing content creation to automation of reconnaissance and campaign management. While the LLM did not directly perform harmful actions, attackers used it as a productivity multiplier—accelerating the creation of spearphishing content, summarizing exfiltrated data, generating automation scripts, and organizing campaign workflows.

The report illustrates a growing reality: adversaries do not need advanced AI models to commit direct cyberattacks. Instead, they use LLMs to amplify existing tradecraft, reduce operational overhead, and scale targeting. Traditional reconnaissance steps—drafting phishing emails, building target lists, refining linguistic tone—now take seconds. This transforms nation-state operations by lowering labor costs, expanding campaign reach, and making operational tempo unpredictable for defenders.

The episode also raises questions about AI-provider oversight. Abuse detection, access controls, and content monitoring for malicious usage are emerging areas where AI vendors must mature quickly. The rise of agent-like workflows, prompt-chaining, and automation interfaces further increases risk, as attackers can orchestrate multi-step tasks using commercial models without hosting any infrastructure themselves.

For security teams, this incident reinforces the need to adjust phishing defenses, threat models, and detection logic to account for AI-enhanced adversaries. AI-generated phishing emails now exhibit near-perfect grammar, brand mimicry, and personalized details harvested from open-source data. Likewise, LLM-assisted reconnaissance yields more relevant social engineering insights, making human fallibility a more significant risk.

3.  Petco’s Vetco Data Leak Shows How Simple Web Bugs Become Major Breaches

Petco has taken parts of its Vetco Clinics website offline after a basic web security failure left sensitive customer and veterinary records openly accessible on the internet. The exposure came to light after a researcher identified that internal documents—intended only for authenticated customers—could be downloaded directly without logging in. Once alerted, Petco confirmed it was investigating the incident, but offered limited detail about how long the data had been exposed or whether it had been accessed by unauthorized parties.

The exposed files went far beyond appointment reminders or billing summaries. Records included customer names, home addresses, phone numbers, email addresses, and detailed veterinary documentation such as diagnoses, prescriptions, vaccination histories, consent forms, and veterinarian notes. Information about pets—including names, breeds, microchip numbers, medical vitals, and treatment histories—was also included. In at least one case, a customer record had already been indexed by Google, meaning the data was searchable by anyone who knew what to look for.

At the heart of the issue was a textbook insecure direct object reference (IDOR) vulnerability. Vetco’s systems generated customer PDF documents using sequential identification numbers, but failed to enforce access controls on the page that served those files. By changing a number in the URL, it was possible to retrieve records belonging to other customers. Because the numbering scheme appeared to be sequential and large in scale, the potential exposure could reach into the millions—illustrating how small development oversights can create outsized risk when applied to high-volume systems.

This incident marks Petco’s third publicly reported data exposure in 2025, following earlier breaches involving cloud-hosted customer data and misconfigured software settings that exposed highly sensitive personal information. Taken together, the pattern underscores a recurring challenge for large consumer brands: security gaps often emerge not from advanced attacks, but from routine engineering mistakes, weak authorization checks, and insufficient monitoring. For organizations handling personal or regulated data, the lesson is familiar—but still frequently ignored—secure-by-design principles and continuous testing matter just as much as incident response once something goes wrong.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about