
Cyber Intelligence Weekly (February 23, 2025): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight an upcoming webinar that we have on third-party risk management.

Join Paul Interval and Shir Butbul this Thursday for a live session packed with expert insights and actionable strategies:

  • Where third-party risks hide and their impact on security
  • The role of CIS Control 15 in vendor risk management
  • Risk-based due diligence and contract safeguards
  • Practical tools to streamline and strengthen your TPRM program

Reserve your seat before it is too late: https://lnkd.in/gZd7PxVg

Away we go!


1.  Bybit Hacked: $1.4 Billion in Ethereum Stolen in Massive Cyber Heist

Cryptocurrency exchange Bybit has confirmed that it fell victim to a massive security breach, resulting in the theft of approximately 401,346 ETH, valued at $1.4 billion. The attack, which targeted one of the company's cold wallets, marks one of the largest crypto heists in history. Bybit CEO Ben Zhou reassured users that the company remains financially solvent and capable of covering the losses, even if the stolen funds are not recovered.

Initial investigations suggest that the hackers managed to gain access to Bybit’s offline wallet and transferred the stolen assets to an online "warm" wallet. Experts, including blockchain security firm Elliptic and independent investigator ZachXBT, have drawn parallels between this breach and previous high-profile hacks, raising concerns that state-sponsored cybercriminals may have been involved. Some security analysts speculate that North Korea’s Lazarus Group—which has been linked to past crypto-related cyberattacks—could be behind this latest breach.

In response, Bybit has engaged forensic cybersecurity teams and law enforcement agencies to track the stolen funds and strengthen its security measures. The company is also reportedly securing bridge loans to compensate for the financial shortfall. Meanwhile, the incident has reignited debates on cryptocurrency security, highlighting the persistent vulnerabilities faced by digital asset platforms. With global regulators already scrutinizing crypto exchanges, Bybit’s crisis underscores the urgent need for stronger security protocols and regulatory oversight in the industry.

US Treasury Breached using Compromised BeyondTrust Service

In a letter sent to the Senate Committee on Banking, Housing and Urban Affairs dated Dec 30, 2024, the US Treasury Department disclosed that Chinese-backed hackers had compromised Treasury computers and accessed unclassified information.

The attack was perpetrated through BeyondTrust’s cloud-based service, which the department uses to receive remote technical support. The threat actor (TA) obtained a BeyondTrust access key, used it to override the cloud service’s security controls, and then remotely accessed Treasury computers.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) were enlisted to assist the Treasury with its investigation. The affected BeyondTrust services were disabled, and the Treasury reports that there is no evidence of persistent access. This attack highlights the risk posed by supply chain attacks and inadequately secured cloud services.

BeyondTrust has released a report on their security investigation and a timeline of the events.

2.  Apple Pulls Advanced Data Protection in the UK Amid Government Encryption Demands

Apple has announced it will discontinue its Advanced Data Protection (ADP) feature in the United Kingdom, following demands from the British government for access to encrypted user data stored in iCloud. The move comes after officials invoked the Investigatory Powers Act (IPA) of 2016, which grants law enforcement the authority to compel tech companies to provide access to encrypted communications. Apple, which has long resisted such backdoor requests, stated it was “gravely disappointed” by the development but emphasized its commitment to user privacy worldwide.

ADP, an opt-in security feature introduced in late 2022, ensures end-to-end encryption for iCloud files, photos, and notes, making them accessible only to the user. Under the UK’s mandate, Apple was expected to create a system that would allow government agencies to bypass this encryption—something the company has consistently opposed, citing risks of broader exploitation by cybercriminals and authoritarian regimes. Rather than complying, Apple has decided to disable ADP for all UK users, with new activations already blocked and existing users set to lose access soon.

Privacy advocates and cybersecurity experts have criticized the UK’s stance, arguing that weakening encryption undermines national security by making user data vulnerable to hackers and foreign adversaries. The move has also sparked concerns among global policymakers, with some U.S. lawmakers warning that it could set a dangerous precedent for other governments seeking similar access. While Apple maintains that strong encryption is crucial to protecting users from growing cyber threats, the company’s decision highlights the growing tensions between governments and tech firms over digital privacy and security.


FunkSec: The Latest AI-Powered Ransomware Group

Check Point Research has recently uncovered how artificial intelligence (AI) is fundamentally reshaping the cyberthreat landscape through dual vectors—both empowering new ransomware actors and inadvertently amplifying the effectiveness of social engineering. The investigation of “FunkSec”, a ransomware-as-a-service group that emerged in late 2024, depicts how AI enables even technically inexperienced threat actors (TAs) to swiftly develop refined malware while improving tooling to double-extort victims (i.e., combining data theft with encryption).

Key technical findings from Check Point’s analysis reveal AI’s transformative role in FunkSec’s operations:

  • Code analysis exposed AI-generated code comments and structure in their custom Rust ransomware, including public messages where the group directly credits AI-agents for ransomware development
  • The group leverages and markets a custom AI chatbot based on Miniapps for operational support, deliberately configured without standard ethical guardrails found in prominent large-language models (LLMs) like OpenAI’s ChatGPT (see image below from Check Point’s analysis)
  • Rapid iteration of their ransomware variants suggests AI-based development, with multiple versions released days apart showing sophisticated improvements despite operators’ apparent lack of advanced coding skills or basic cybercrime knowledge (i.e., a lead profile attributed to FunkSec posted threads on a secure messaging platform stating “I wanna [sic] learn hacking website[s] and databases”)

Figure 1: FunkSec custom Miniapps chatbot (image from Check Point’s analysis)

The research uncovered evidence linking the operations to Algeria, with Indicators of Compromise (IOCs) including a key ransomware sample containing paths referencing the development environment. While FunkSec claimed over 85 victims in December 2024 alone, surpassing every major ransomware group during that month, Check Point’s analysis suggests many of their claimed data leaks recycle content from previous hacktivist campaigns. This finding highlights how AI tools can amplify perceived capabilities while masking actual technical sophistication, raising concerns about false-flag operations in which custom AI-agents are used to better mimic other threat actors’ techniques, tactics, and procedures (TTPs).

This landmark research illustrates how AI access is fundamentally altering the economics and effectiveness of cybercrime through multiple vectors:

  • Enabling rapid malware development and operation automation
  • Amplifying perceived capabilities while lowering technical barriers to entry
  • Creating new attack surfaces through legitimate AI feature exploitation

Security teams must prepare for this new paradigm, in which AI simultaneously empowers threat actors and potentially undermines traditional security indicators through legitimate features. A full technical analysis of FunkSec’s AI-enabled operation can be found in Check Point’s research.

3.  FBI and CISA Issue Warning on Ghost (Cring) Ransomware Surge

The Ghost ransomware group, also known as Cring, has been actively targeting organizations worldwide by exploiting unpatched vulnerabilities in internet-facing systems, according to a joint alert from the FBI and Cybersecurity and Infrastructure Security Agency (CISA). The group, believed to be operating from China, has been linked to attacks on critical infrastructure, government networks, healthcare institutions, and businesses in over 70 countries. Ghost actors rapidly deploy ransomware, often compromising systems and encrypting data within a day of gaining access.

The attackers focus on outdated software and unpatched security gaps, leveraging known vulnerabilities in Fortinet security appliances and Adobe ColdFusion, as well as the Microsoft Exchange ProxyShell exploit chain. Once inside, they use tools like Cobalt Strike and Mimikatz to escalate privileges and move laterally within the network. The group's tactics include encrypting files, deploying ransom notes, and threatening to leak stolen data if victims refuse to pay. While ransom demands vary, they can reach hundreds of thousands of dollars in cryptocurrency.

Unlike some ransomware groups that establish long-term persistence, Ghost operators prioritize speed, preferring to move on to other targets when they encounter well-defended systems. Organizations are advised to implement multi-factor authentication (MFA), patch known vulnerabilities, segment networks, and monitor for unauthorized activity to reduce their risk of falling victim to these attacks. The FBI and CISA have urged affected organizations to report incidents immediately and refrain from paying ransoms, as doing so encourages further attacks and does not guarantee data recovery.


Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO services or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about
