Cyber Intelligence Weekly (July 13, 2025): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight a great case study with our partners, the Detroit Pistons! The Detroit Pistons partnered with Echelon to uncover vulnerabilities, pressure-test their incident response, and build a cybersecurity strategy that actually works on and off the court.
✅ Pen tests with real-world findings
✅ Ransomware tabletop simulations with cross-functional teams
✅ Stronger policies + audit readiness
🏀 From game-day readiness to long-term resilience, see how they did it.
Download the case study here: https://echeloncyber.com/intelligence/entry/detroit-pistons-cybersecurity-framework-echelon-risk-and-cyber

Away we go!
1. Fast-Food, Slow Security: How a Chatbot Exposed McDonald’s Candidate Data
McDonald’s recruitment funnel just took an embarrassing turn. Two independent security researchers, Ian Carroll and Sam Curry, dug into “McHire,” the online application portal that funnels millions of job-seekers through Paradox.ai’s Olivia chatbot. Within half an hour the pair found an internal login page meant for Paradox staff, guessed the credentials “admin / 123456,” and suddenly held administrator-level access to years’ worth of applicant chats. By tweaking a single ID number they could read any conversation—including names, email addresses, phone numbers, and résumé details—across what they estimate to be more than 64 million records.
The incident wasn’t a sophisticated hack so much as a lesson in basic cyber hygiene. No multi-factor authentication protected the forgotten test account; no rate-limiting blocked rapid-fire login attempts; and an easily abused API exposed sequential applicant IDs. In a statement, Paradox.ai conceded the problem, saying the vulnerable account “hadn’t been touched since 2019” and that only seven files were actually accessed before the researchers reported the flaw. McDonald’s, for its part, pinned the blame squarely on its vendor and demanded an immediate fix. Both companies say the hole was patched the same day.
Even if only a handful of records were viewed, the potential fallout is huge. An attacker harvesting job-seeker data could run highly tailored payroll- or banking-change phishing campaigns—exactly the sort of social-engineering scam that routinely drains victims’ accounts. Add the stigma some applicants feel about minimum-wage work, and the privacy implications deepen. The episode also highlights a broader risk: AI tools are racing into HR pipelines faster than security teams can bolt them down, creating fresh, high-volume targets for data thieves.
Paradox.ai says it will launch a formal bug-bounty program and tighten credential hygiene, yet the bigger takeaway is painfully simple. If your platform is trusted with millions of identities, a six-digit default password and dormant test environment are not “edge-case” oversights—they’re an open invitation.

NATO Issues Security Advisory for VMware Cloud
Broadcom-owned VMware has released critical security updates addressing several high-severity vulnerabilities affecting its infrastructure products, including Cloud Foundation, ESXi, vCenter Server, Workstation, and Fusion. These flaws could lead to data leakage, unauthorized command execution, and denial-of-service attacks, and there are no known workarounds.
The most serious issue, flagged by NATO’s Cyber Security Centre, is CVE-2025-41229, a directory traversal vulnerability in VMware Cloud Foundation rated 8.2 on the CVSS scale. It allows attackers with network access to port 443 to access internal services. This issue is part of advisory VMSA-2025-0009, which also addresses an information disclosure bug (CVSS 7.5) and a missing-authorization flaw (CVSS 7.3).
A separate advisory, VMSA-2025-0010, includes four additional vulnerabilities across vCenter Server, Workstation, Fusion, and ESXi. The most critical of these, CVE-2025-41225, is an authenticated command execution flaw in vCenter Server (CVSS 8.8) that could allow users with permission to modify alarms to run arbitrary commands. The remaining flaws involve two denial-of-service issues (CVSS 6.8 and 5.5) and a reflected cross-site scripting bug (CVSS 4.3).
VMware advises immediate patching—especially upgrading Cloud Foundation to version 5.2.1.2—as there are no temporary mitigations and no current evidence of active exploitation.

2. DragonForce Dragnet: UK Police Nab Four in Retail Cyber Siege
British investigators have moved swiftly against the extortion crew blamed for the recent ransomware and data-theft strikes on Marks & Spencer, Co-op and luxury retailer Harrods. In coordinated dawn raids across London and the West Midlands, the National Crime Agency (NCA) arrested a 20-year-old woman and three teenagers (two 19-year-old men and a 17-year-old boy) on suspicion of computer-misuse, blackmail, money-laundering and organised-crime offences.
The takedown follows a bruising spring for UK retail, during which the so-called “Scattered Spider/Octo Tempest” cluster leveraged clever help-desk impersonation to compromise VMware servers, freeze point-of-sale systems and threaten to leak stolen data unless multi-million-pound ransoms were paid. Investigators say the quartet helped launder crypto proceeds and ran the infrastructure used to push DragonForce ransomware – the same encryptor seen in the Marks & Spencer, Co-op and Harrods intrusions.
While the arrests will disrupt the gang’s UK node, the NCA cautions that the wider group remains active overseas. Retailers on both sides of the Atlantic have already reported follow-on phishing and SIM-swap probes clearly modelled on the earlier attacks. Companies are therefore urged to tighten help-desk identity-verification, reset VPN credentials, and invalidate all persistent VMware ESXi sessions – lessons painfully learned from the “CitrixBleed” and “ScreenConnect” waves now being repurposed against shopping chains.
The case also underscores a worrying demographic trend: cyber-crime crews are recruiting younger and younger talent. Two of the suspects still lived at home and boasted on Telegram of six-figure crypto “earnings.” Expect prosecutors to lean on money-laundering counts to deter would-be affiliates and to keep pressure on crypto-mixers still happy to wash retail-sector ransoms. For store chains juggling wafer-thin margins, the message is clear – invest in zero-trust controls now, or risk being the next headline.

TokenBreak: New Technique to Bypass AI Moderation
A groundbreaking new attack technique dubbed "TokenBreak" has emerged, capable of bypassing the safety and content moderation guardrails of Large Language Models (LLMs) with minimal input changes. Discovered by cybersecurity researchers, TokenBreak exploits vulnerabilities in an LLM's tokenization strategy – the process by which raw text is converted into numerical representations for the model to understand.
The attack works by subtly altering input words, often by adding a single character, in a way that confuses the text classification model. For instance, "instructions" might become "finstructions" or "idiot" could become "hidiot." Crucially, while these minor modifications cause the protection model to misclassify the input as benign, the LLM itself (and any human reader) can still fully comprehend the original intent. This allows malicious actors to execute prompt injection attacks and elicit undesirable or harmful responses from the AI, despite the implemented safeguards.
HiddenLayer researchers, who reported this finding, emphasize that the susceptibility to TokenBreak often correlates with the underlying model's architecture and its tokenization strategy, particularly those using BPE (Byte Pair Encoding) or WordPiece. They recommend adopting Unigram tokenizers as a primary defense, along with training models on examples of bypass tricks and ensuring alignment between tokenization and model logic. This discovery highlights the ongoing challenge of securing AI systems against sophisticated adversarial attacks that exploit the very mechanisms designed for their functionality.
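To make the tokenizer dependence concrete, here is a toy illustration added for this write-up (not HiddenLayer's code and not any real model's tokenizer). It shows how a greedy left-to-right, WordPiece-style tokenizer and a Unigram-style tokenizer can segment the altered word differently; the vocabularies, log-probabilities and the "watched token" stand-in for a classifier are all constructed assumptions.

```python
import math

# Constructed toy vocabularies (assumptions, not taken from any real model).
WORDPIECE_VOCAB = {"instructions", "fin", "f", "in", "##struct", "##ions", "##in"}
UNIGRAM_LOGP = {"instructions": -6.0, "f": -5.0, "fin": -7.0, "in": -5.0,
                "struct": -8.0, "ions": -7.0}
WATCHED = {"instructions"}  # token the toy guard model keys on


def wordpiece(word):
    """Greedy longest-match-first, left to right (WordPiece style)."""
    tokens, start = [], 0
    while start < len(word):
        for end in range(len(word), start, -1):
            piece = word[start:end] if start == 0 else "##" + word[start:end]
            if piece in WORDPIECE_VOCAB:
                tokens.append(piece)
                start = end
                break
        else:
            return ["[UNK]"]  # no vocabulary piece matches at this position
    return tokens


def unigram(word):
    """Viterbi search for the most probable segmentation (Unigram style)."""
    best = [(0.0, [])] + [(-math.inf, None)] * len(word)
    for end in range(1, len(word) + 1):
        for start in range(end):
            piece = word[start:end]
            if piece in UNIGRAM_LOGP and best[start][1] is not None:
                score = best[start][0] + UNIGRAM_LOGP[piece]
                if score > best[end][0]:
                    best[end] = (score, best[start][1] + [piece])
    return best[-1][1] or ["[UNK]"]


def guard_sees_watched_token(tokens):
    """Stand-in for the classifier: does any watched token survive?"""
    return any(t in WATCHED for t in tokens)


if __name__ == "__main__":
    for w in ("instructions", "finstructions"):
        for name, tok in (("wordpiece", wordpiece), ("unigram", unigram)):
            toks = tok(w)
            print(f"{w:14} {name:9} {toks} seen={guard_sees_watched_token(toks)}")
```

A real guard model is a learned classifier rather than a token lookup, so treat this only as a picture of why the segmentation step matters when evaluating a moderation model.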

3. CISA Sounds the Alarm: ‘Citrix Bleed 2’ Must Be Patched in 24 Hours
The Cybersecurity and Infrastructure Security Agency (CISA) broke with its own precedent late Thursday, giving federal civilian departments just 24 hours to patch a flaw inside Citrix NetScaler ADC and Gateway appliances. The vulnerability — cataloged as CVE-2025-5777 but already nicknamed “Citrix Bleed 2” by researchers — lets an intruder pull active session tokens straight from memory, making it trivial to hijack user log-ins and vault past multifactor authentication. Acting Executive Assistant Director Chris Butera called the bug “a significant, unacceptable risk,” adding that incident responders have already watched adversaries use it in the wild.
Citrix first disclosed the issue three weeks ago and rated it 9.2/10 on the severity scale, yet exploitation appears to have started almost immediately. Threat hunters have since tied at least one attacking IP address to the RansomHub crew — a ransomware outfit that CISA spotlighted last year — and emergency responders say thousands of government and commercial boxes remain exposed on the open internet. Much like the original “Citrix Bleed” in 2023, hospitals, airlines, defense contractors and state agencies rely on these appliances to broker remote access, meaning a single unpatched device can become a turnkey backdoor.
By forcing the shortest patch deadline in KEV-catalog history, CISA hopes to avoid a replay of last year’s fiasco, when ransomware gangs used Citrix Bleed to hit Boeing, Toyota, multiple U.S. municipalities and a swath of European hospitals. Federal IT shops must now install the fixed firmware, kill every active ICA and PCoIP session, and comb logs for brute-force pulls of the /oauth/idp/.well-known/openid-configuration endpoint — the tell-tale sign that an attacker has scraped tokens.
Private-sector organizations would be wise to mirror the urgency. NetScaler boxes that sit in front of identity providers or VPN concentrators effectively hold the keys to the kingdom; once a token is stolen, it can be replayed from anywhere in the world with no user interaction. At minimum, defenders should patch, rotate all admin credentials, and stand up alerts for large or malformed GET requests on NetScaler gateways. As history has shown, delaying those steps can turn a simple firmware update into a multimillion-dollar ransom negotiation.
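One way to start the log review described above, as an added example (not CISA or Citrix tooling): count GET requests per source IP to the endpoint named in the text and flag bursts inside a sliding window. The log layout, the sample lines (documentation IP ranges), and the threshold and window values are assumptions to adapt to your own appliance logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/oauth/idp/.well-known/openid-configuration"  # path named in the text
# Assumed combined-log layout; adapt the pattern to your appliance's real format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def sample_log():
    """Constructed lines: one ordinary client, one source hammering ENDPOINT."""
    fmt = '%s - - [11/Jul/2025:09:%s +0000] "GET %s HTTP/1.1" 200 812'
    lines = [fmt % ("198.51.100.20", "00:01", ENDPOINT),
             fmt % ("198.51.100.20", "00:05", "/vpn/index.html")]
    lines += [fmt % ("203.0.113.7", "02:%02d" % s, ENDPOINT)
              for s in range(0, 40, 2)]  # 20 requests in 38 seconds
    return lines


def find_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Map source IP -> peak GET count on ENDPOINT inside any sliding window,
    keeping only sources whose peak reaches the (assumed) threshold."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        if m["path"].split("?", 1)[0] != ENDPOINT:
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        left = peak = 0
        for right, t in enumerate(times):
            while t - times[left] > window:  # shrink window from the left
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in find_bursts(sample_log()).items():
        print(f"{ip}: {peak} requests to {ENDPOINT} within 60s")
```

A flagged source is a lead for session review and token invalidation, not proof of compromise; legitimate clients also fetch this endpoint, so tune the threshold against a baseline.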
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about