Cyber Intelligence Weekly

Cyber Intelligence Weekly (July 20, 2025): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight a great case study with our partners, the Detroit Pistons! The Detroit Pistons partnered with Echelon to uncover vulnerabilities, pressure-test their incident response, and build a cybersecurity strategy that actually works on and off the court.

✅ Pen tests with real-world findings

✅ Ransomware tabletop simulations with cross-functional teams

✅ Stronger policies + audit readiness

🏀 From game-day readiness to long-term resilience, see how they did it.

Download the case study here: https://echeloncyber.com/intelligence/entry/detroit-pistons-cybersecurity-framework-echelon-risk-and-cyber

Away we go!

1.  Inside Washington’s New $1 Billion Bet on Cyber Power

The massive spending bill signed at the end of last week quietly earmarks $1 billion over four years for “offensive cyber operations” run by U.S. Indo‑Pacific Command. Buried deep in the defense section, the line‑item says little about what that money will buy—only that it must “enhance and improve” the command’s ability to act against digital targets across Asia. In practice, that could range from purchasing zero‑day exploits and custom malware to building out the covert cloud infrastructure needed to launch and hide state‑backed hacks.

The windfall arrives as the same legislation strips roughly the same amount from federal cybersecurity defenses, including programs at the Cybersecurity and Infrastructure Security Agency that help states, cities, and hospitals harden their networks. Critics argue that the imbalance leaves domestic networks exposed while sharpening the spear abroad. “Expanding U.S. hacking while gutting our shields is an invitation for blow‑back we’re not ready for,” warned Senator Ron Wyden, who sits on the Intelligence Committee.

Supporters of the measure counter that a stronger offense is itself a form of deterrence, especially as Chinese operators grow bolder in targeting military and commercial assets. Yet even they acknowledge the risk of escalation. History shows that high‑end digital tools rarely stay in one set of hands; leaked or recycled exploits can—and often do—find their way into criminal campaigns that cripple everyday institutions.

Whether the billion‑dollar gamble ultimately bolsters national security or widens the attack surface will depend on how transparently the Pentagon coordinates with civilian agencies, how rigorously Congress oversees the new program, and how quickly the government rebuilds the defensive capabilities it just defunded. For now, the United States has signaled that it is willing to spend heavily to shape the cyber domain—while leaving its own back door cracked open.

AWS Web Console: Two Critical Username Enumeration Vulnerabilities

In a recent security report, Rhino Security Labs identified two critical username enumeration vulnerabilities within the AWS Web Console, leading to the assignment of CVE-2025-0693. These vulnerabilities allow unauthenticated attackers to discern valid AWS Identity and Access Management (IAM) usernames, potentially facilitating targeted attacks such as brute force attempts or social engineering.

Understanding Username Enumeration

Username enumeration occurs when an application inadvertently reveals whether a username exists within its system. This can happen through discrepancies in error messages, response times, or other system behaviors during authentication processes. Attackers exploit these cues to compile lists of valid usernames, which can then be used to orchestrate further attacks.

The Discovered Vulnerabilities

The research conducted by Rhino Security Labs uncovered two distinct vulnerabilities in the AWS Web Console:

Credential Verification Bug: This flaw resides in AWS's credential verification mechanism. When attempting to log in with a nonexistent username, the system's response differs subtly from the response given for existing usernames. These differences, though minor, can be detected and analyzed by attackers to confirm the validity of a username.

Password Reset Functionality Flaw: The second vulnerability is associated with the password reset feature. During the password recovery process, the system provides feedback indicating whether a username exists. For instance, entering a nonexistent username might prompt a message stating that the account does not exist, whereas a valid username would proceed to the next step of the recovery process.

Implications of the Vulnerabilities

The ability to enumerate usernames without authentication poses significant security risks:

  • Facilitated Brute Force Attacks: With a list of valid usernames, attackers can systematically attempt to guess passwords, increasing the likelihood of unauthorized access.
  • Enhanced Social Engineering: Knowledge of legitimate usernames enables attackers to craft more convincing phishing campaigns or pretexting strategies, thereby increasing the success rate of such attacks.
  • Targeted Exploitation: Attackers can focus their efforts on high-value accounts, such as those with administrative privileges, leading to more severe security breaches.

AWS's Shared Responsibility Model

AWS operates under a Shared Responsibility Model, where security is a joint effort between AWS and its customers. AWS is responsible for securing the underlying infrastructure, while customers are tasked with securing their data and configurations within the cloud. The discovered vulnerabilities fall under AWS's purview, as they pertain to the security of the AWS Web Console itself.

Response and Remediation

Upon identifying these vulnerabilities, Rhino Security Labs promptly reported them to AWS. Recognizing the severity of the issue, AWS collaborated closely with the researchers to develop and deploy patches, effectively mitigating the risks associated with these flaws. AWS customers are advised to ensure they are using the updated version of the AWS Web Console to benefit from these security enhancements.

Preventative Measures for Users

While AWS has addressed the immediate vulnerabilities, users should adopt best practices to enhance their security posture:

  • Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security, making unauthorized access more difficult even if a password is compromised.
  • Monitor Account Activity: Regularly review account logs for suspicious activities, such as failed login attempts, which could indicate enumeration or brute force attacks.
  • Implement Strong Password Policies: Encourage the use of complex, unique passwords and consider regular password rotations to reduce the risk of compromise.
  • Educate Users: Training users to recognize phishing attempts and other social engineering tactics can prevent attackers from exploiting enumerated usernames.
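One way to act on the "Monitor Account Activity" item, as an added example that is not code from Rhino Security Labs or AWS: group failed CloudTrail `ConsoleLogin` events by source IP and flag sources that try many unknown or many different user names in a short window. The sample events are constructed, and the window and thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder CloudTrail records in userName when the IAM user does not exist.
HIDDEN = "HIDDEN_DUE_TO_SECURITY_REASONS"

def _event(ts, ip, user, result="Failure", error="Failed authentication"):
    """Build a constructed ConsoleLogin record holding only the fields used below."""
    rec = {"eventName": "ConsoleLogin", "eventTime": ts, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": user},
           "responseElements": {"ConsoleLogin": result}}
    if result == "Failure":
        rec["errorMessage"] = error
    return rec

# Constructed sample: 203.0.113.7 walks a name list, 198.51.100.20 is one user mistyping.
SAMPLE_EVENTS = (
    [_event(f"2025-07-20T10:00:{s:02d}Z", "203.0.113.7", HIDDEN,
            error="No username found in supplied account") for s in range(0, 40, 5)]
    + [_event(f"2025-07-20T10:01:{i:02d}Z", "203.0.113.7", name)
       for i, name in enumerate(["admin", "deploy", "backup"])]
    + [_event("2025-07-20T10:02:00Z", "198.51.100.20", "alice"),
       _event("2025-07-20T10:02:30Z", "198.51.100.20", "alice"),
       _event("2025-07-20T10:03:00Z", "198.51.100.20", "alice", result="Success")]
)

def find_enumeration_sources(events, window=timedelta(minutes=10),
                             min_unknown=5, min_distinct_users=3):
    """Return {ip: counts} for sources whose failed logins look like name probing."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if (ev.get("responseElements") or {}).get("ConsoleLogin") != "Failure":
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        user = (ev.get("userIdentity") or {}).get("userName", HIDDEN)
        by_ip[ev["sourceIPAddress"]].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # window anchored at each failure
            users = [u for t, u in fails[i:] if t - start <= window]
            unknown = users.count(HIDDEN)
            distinct = len({u for u in users if u != HIDDEN})
            if unknown >= min_unknown or distinct >= min_distinct_users:
                flagged[ip] = {"unknown_names": unknown, "distinct_known_users": distinct}
                break
    return flagged
```

A single user retrying their own password stays below both thresholds, so the rule separates name probing from ordinary lockout noise.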

The discovery of these username enumeration vulnerabilities in the AWS Web Console underscores the importance of continuous security assessments, even within platforms managed by leading providers like AWS. It highlights the necessity for a collaborative approach to security, where both service providers and customers remain vigilant and proactive in identifying and addressing potential threats. By implementing robust security measures and adhering to best practices, organizations can significantly reduce the risks associated with such vulnerabilities.

2.  DragonForce Dragnet: UK Police Nab Four in Retail Cyber Siege

British investigators have moved swiftly against the extortion crew blamed for the recent ransomware and data-theft strikes on Marks & Spencer, Co-op and luxury retailer Harrods. In coordinated dawn raids across London and the West Midlands, the National Crime Agency (NCA) arrested a 20-year-old woman and three teenagers (two 19-year-old men and a 17-year-old boy) on suspicion of computer-misuse, blackmail, money-laundering and organised-crime offences.

The takedown follows a bruising spring for UK retail, during which the so-called “Scattered Spider/Octo Tempest” cluster leveraged clever help-desk impersonation to compromise VMware servers, freeze point-of-sale systems and threaten to leak stolen data unless multi-million-pound ransoms were paid. Investigators say the quartet helped launder crypto proceeds and ran the infrastructure used to push DragonForce ransomware – the same encryptor seen in the Marks & Spencer, Co-op and Harrods intrusions.

While the arrests will disrupt the gang’s UK node, the NCA cautions that the wider group remains active overseas. Retailers on both sides of the Atlantic have already reported follow-on phishing and SIM-swap probes clearly modelled on the earlier attacks. Companies are therefore urged to tighten help-desk identity-verification, reset VPN credentials, and invalidate all persistent VMware ESXi sessions – lessons painfully learned from the “CitrixBleed” and “ScreenConnect” waves now being repurposed against shopping chains.

The case also underscores a worrying demographic trend: cyber-crime crews are recruiting younger and younger talent. Two of the suspects still lived at home and boasted on Telegram of six-figure crypto “earnings.” Expect prosecutors to lean on money-laundering counts to deter would-be affiliates and to keep pressure on crypto-mixers still happy to wash retail-sector ransoms. For store chains juggling wafer-thin margins, the message is clear – invest in zero-trust controls now, or risk being the next headline.

Researchers Warn of ‘Living off AI’ attacks After POC Exploits Atlassian’s AI Agent Protocol

A recent proof-of-concept by Cato Networks has revealed a critical security concern involving Atlassian’s AI agent integration with Jira Service Management (JSM) via the Model Context Protocol (MCP). The findings underscore the potential for prompt injection attacks to exploit trusted AI workflows in enterprise environments.

An attacker submits a malicious support ticket to Jira Service Management (JSM) containing prompt injection. The AI agent, which is integrated into JSM through the Model Context Protocol (MCP), automatically reads the content of the ticket. Leveraging the underlying large language model, Claude, the agent interprets the instructions embedded within the ticket and acts autonomously without human oversight.

When connected via JSM, an external user can exploit this vulnerability to perform malicious actions, including:

  • Submitting a support case that initiates an Atlassian MCP interaction, which is later processed by a support engineer using tools like Claude Sonnet—thereby unintentionally triggering the malicious workflow.
  • Causing the support engineer to unknowingly execute injected commands via the Atlassian MCP workflow.
  • Accessing internal tenant data in JSM that should remain isolated from external users or threat actors.
  • Exfiltrating tenant data by having the AI agent write the extracted information directly into the ticket thread processed by the support engineer.

To help prevent or mitigate this attack, Cato Networks recommends setting up rules that block or generate alerts for remote MCP tool calls like create, add, or edit.

Recommended safeguards for AI-agent ecosystems include:

  • Sandboxing tool executions
  • Validating and signing MCP metadata
  • Restricting agent permissions
  • Monitoring agent behavior for anomalies
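The block-or-alert rule for remote MCP tool calls described above, as an added example that is not Cato Networks' or Atlassian's code. It inspects JSON-RPC `tools/call` requests and matches the verbs create, add and edit in the tool name. The tool names in the sample are constructed, and the `session_has_untrusted_input` flag is an assumption about what the enforcing proxy tracks (whether the agent has already read externally submitted ticket text in this session).

```python
import json
import re

WRITE_VERBS = ("create", "add", "edit")  # the verbs named in the recommendation
# Split camelCase, snake_case and kebab-case tool names into words, so that
# "address" or "credit" do not match on a substring.
_WORDS = re.compile(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])")

def evaluate(raw_message, session_has_untrusted_input):
    """Return (decision, reason) for one JSON-RPC message bound for a remote MCP server."""
    try:
        msg = json.loads(raw_message)
    except json.JSONDecodeError:
        return "block", "unparseable message"
    if not isinstance(msg, dict):
        return "block", "unexpected message shape"
    if msg.get("method") != "tools/call":
        return "allow", "not a tool call"
    params = msg.get("params")
    name = params.get("name") if isinstance(params, dict) else None
    if not isinstance(name, str) or not name:
        return "block", "tool call without a tool name"
    hits = [w.lower() for w in _WORDS.findall(name) if w.lower() in WRITE_VERBS]
    if not hits:
        return "allow", f"{name}: no write verb"
    if session_has_untrusted_input:
        return "block", f"{name}: '{hits[0]}' requested after untrusted ticket text"
    return "alert", f"{name}: '{hits[0]}' requested"

def _call(name, **arguments):
    """Build a constructed MCP tools/call request."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                       "params": {"name": name, "arguments": arguments}})

# Constructed traffic; the tool names are illustrative, not a real server's catalogue.
SAMPLE = [
    (_call("getJiraIssue", key="SUP-101"), True),
    (_call("addCommentToJiraIssue", key="SUP-101", body="constructed text"), True),
    (_call("editJiraIssue", key="OPS-7"), False),
    (json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/list"}), True),
]

def decisions(sample=SAMPLE):
    """Decision for each sample message, in order."""
    return [evaluate(raw, tainted)[0] for raw, tainted in sample]
```

Name matching is only as good as the server's naming, so a rule like this belongs alongside the permission restrictions listed above, not in place of them.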

3.  OVERSTEP Rootkit Lets Hackers Re‑Infect Patched SonicWall Gateways

Google’s Threat Intelligence Group (GTIG) and Mandiant say a financially‑motivated crew they track as UNC6148 is quietly reclaiming fully‑patched devices by replaying administrator passwords and one‑time‑password seeds stolen months ago. Once back inside, the intruders deploy “OVERSTEP,” a user‑mode rootkit that inserts itself into the appliance’s boot sequence, hides its own files, and funnels fresh credentials and VPN tokens back to a command server. Because the malware wipes specific log entries on the fly, many victims learn of the compromise only after the attackers pivot deeper into the network.

Investigators believe the campaign began no later than October 2024, leveraging a grab‑bag of older SonicWall flaws — and possibly an undisclosed zero‑day — to harvest administrator databases (temp.db and persist.db) from vulnerable boxes. Those databases contain hashed passwords, session cookies, and even the seed values that generate OTP codes, allowing UNC6148 to waltz past multi‑factor protections long after patches are applied. In May one affected firm surfaced weeks later on the “World Leaks” extortion site, echoing earlier UNC6148 overlaps with Abyss/VSOCIETY ransomware activity.

OVERSTEP’s engineering is unapologetically persistent. The implant drops a doctored shared object into /usr/lib and forces the appliance to preload it every time a process starts, guaranteeing root‑level hooks for file‑system cloaking and a built‑in reverse‑shell trigger (“dobackshell”) that can be fired by hiding a keyword in any HTTP request. The backdoor’s “dopasswords” command zips up the very credential stores defenders rely on, then places them in a web‑exposed directory for easy pickup.

Mandiant and GTIG urge any organization still running SMA 100 gear — patched or not — to assume compromise until proven otherwise. Recommended triage includes capturing a full disk image (the rootkit hides live files), rotating every local and directory password, re‑seeding OTP tokens, and replacing any certificate keys stored on the device. With SonicWall ending support for the platform, the safest long‑term mitigation may be a fast‑tracked hardware refresh.
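An offline check to run against the captured disk image, as an added example that is not Mandiant's or GTIG's tooling. It assumes the image is mounted read-only and that the system-wide preload is configured through the standard glibc file `/etc/ld.so.preload`, which the write-up above does not name. Every entry it returns should be compared against a known-good firmware baseline.

```python
import hashlib
import tempfile
from pathlib import Path

def preload_entries(image_root):
    """Report every library named in <image_root>/etc/ld.so.preload."""
    root = Path(image_root)
    preload = root / "etc" / "ld.so.preload"
    if not preload.is_file():
        return []
    findings = []
    for line in preload.read_text(errors="replace").splitlines():
        line = line.split("#", 1)[0]                    # drop comments
        for entry in line.replace(":", " ").split():    # whitespace or colon separated
            target = root / entry.lstrip("/")           # resolve inside the image only
            info = {"entry": entry, "in_usr_lib": entry.startswith("/usr/lib/"),
                    "symlink": target.is_symlink(), "present": False, "sha256": None}
            # Symlinks are reported but not followed: an absolute link target
            # would resolve against the analysis host, not the image.
            if not info["symlink"] and target.is_file():
                info["present"] = True
                info["sha256"] = hashlib.sha256(target.read_bytes()).hexdigest()
            findings.append(info)
    return findings

def demo():
    """Run the check on a constructed directory tree standing in for a mounted image."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "usr" / "lib").mkdir(parents=True)
        # Constructed file name and contents, not an indicator from any report.
        (root / "usr" / "lib" / "libconstructed-example.so").write_bytes(b"constructed")
        (root / "etc" / "ld.so.preload").write_text(
            "# constructed sample\n/usr/lib/libconstructed-example.so\n/usr/lib/missing.so\n")
        return preload_entries(root)
```

Running this on the image instead of the live appliance matters because the rootkit hides its files from processes on the running system.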

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about
