Cyber Intelligence Weekly

Cyber Intelligence Weekly (July 6, 2025): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight an upcoming webinar on the changes coming down the pipe for HIPAA.

🔍 HIPAA is changing. Is your organization ready?

Join our experts, Josh Fleming, MSITM and Stephen Dyson, Senior Cybersecurity Managers, as they break down the proposed updates and what they mean for healthcare providers, payers, and partners.

Moderated by Cybersecurity Manager Alyson Pisarcik, this session will cover:

⚫ What’s actually changing and who’s impacted

⚫ Real-world strategies to ease implementation

⚫ Third-party oversight and new contingency planning

⚫ Whether you should prepare now… or wait

Reserve your spot: https://lnkd.in/gfA-Gna6

Away we go!

1.  FBI Investigates Former Ransomware Negotiator in Alleged Extortion Kickback Scheme

According to a breaking story by Bloomberg, federal authorities are investigating a former employee of a prominent ransomware negotiation firm for allegedly exploiting their insider position to profit alongside cybercriminals. The individual, previously employed by Chicago-based DigitalMint, is suspected of colluding with ransomware gangs—helping to broker ransom payments while quietly taking a cut of the funds extracted from victim companies.

DigitalMint, known for assisting victims with navigating extortion threats and facilitating cryptocurrency payments, confirmed the investigation, noting the employee in question was immediately terminated upon discovery of the misconduct. The firm emphasized that it is fully cooperating with the Department of Justice and is not a target of the inquiry. While the DOJ has yet to offer public comment, the case has stirred concern across the cyber insurance and incident response industries.

This situation revives long-standing concerns about ethical conflicts in the ransomware negotiation ecosystem. When negotiators operate on percentage-based fees, there's a perverse incentive to recommend higher payments—even when alternative options may be in the client’s best interest. Experts warn that these “moral hazards” have plagued the industry for years, often hidden behind the opaque nature of ransomware response.

With digital extortion on the rise and ransom demands often soaring into the millions, trust in those guiding victims through recovery is paramount. This case serves as a stark reminder: without rigorous oversight and transparent business practices, the very people hired to help companies in crisis can become part of the problem.

North Korean Cloud Threat: TradeTraitor

TradeTraitor (also known as Jade Sleet, UNC4899, Slow Pisces) is a North Korea–linked, state-sponsored threat actor known for executing financially motivated cloud-based cyberattacks to fund the regime and evade sanctions. Evolving from the legacy of APT38 (notably behind the 2016 Bangladesh Bank heist), TradeTraitor has been responsible for several high-profile cryptocurrency heists, including the $625 million Ronin Bridge breach in 2022, $308 million from Bitcoin.DMM.com in 2024, and $1.5 billion from Bybit in 2025.

Attack Profile & Tactics

Initial Access & Supply Chain Exploitation: TradeTraitor frequently targets developers using spear-phishing tactics such as fake job offers, malicious PDFs, and booby-trapped Python packages. They exploit cloud supply chains by injecting JavaScript into AWS S3-hosted applications, compromising software and wallet services to redirect crypto transactions.

Cloud Credential Theft & Abuse: The group focuses on stealing AWS credentials—both session tokens and long-term access keys—from compromised developer endpoints. These credentials are then used to perform deep reconnaissance across the victim's AWS environment, targeting IAM roles, S3 buckets, and content delivery configurations.

Persistence & Defense Evasion

They maintain long-term access by manipulating IAM roles or enrolling virtual MFA. To cover their tracks, they often delete logs, disable monitoring services, and revert malicious changes post-exfiltration.

Payload Injection & Impact

TradeTraitor injects JavaScript payloads into legitimate front-end infrastructure, enabling them to hijack crypto wallet functionality and execute unauthorized withdrawals. These tactics have enabled multi-million and even billion-dollar thefts from Web3 infrastructure.

Incident Response & Mitigation

To defend against TradeTraitor, the article emphasizes cloud-native detection and response practices. Key recommendations include enabling multi-region CloudTrail logging, monitoring for IAM anomalies, enforcing short-lived credentials and MFA, blocking unauthorized IAM changes outside CI/CD, and hardening S3 buckets with Object Lock and real-time monitoring for deletion events.
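As an added illustration of the detection side of those recommendations (this is example code written for this newsletter, not from the source article or AWS), the snippet below triages a batch of constructed CloudTrail records and tags IAM changes made by any principal other than a hypothetical CI/CD deployment role, CloudTrail tampering, S3 deletion events, and the use of long-term access keys for any flagged action.

```python
import json

# Hypothetical CI/CD deployment role: the only principal expected to change IAM.
CICD_ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions"

IAM_CHANGE_EVENTS = {"CreateRole", "AttachRolePolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
                     "CreateAccessKey", "CreateVirtualMFADevice", "EnableMFADevice"}
LOG_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
S3_DELETE_EVENTS = {"DeleteBucket", "DeleteObject", "DeleteObjects", "PutBucketLifecycle"}

def classify(event):
    """Return the list of detection tags that apply to one CloudTrail record."""
    tags = []
    name, source = event["eventName"], event["eventSource"]
    identity = event.get("userIdentity", {})
    if source == "cloudtrail.amazonaws.com" and name in LOG_TAMPER_EVENTS:
        tags.append("log-tampering")
    if source == "iam.amazonaws.com" and name in IAM_CHANGE_EVENTS and identity.get("arn") != CICD_ROLE_ARN:
        tags.append("iam-change-outside-cicd")
    if source == "s3.amazonaws.com" and name in S3_DELETE_EVENTS:
        tags.append("s3-deletion")
    # Long-term IAM user keys start with AKIA; temporary STS credentials start with ASIA.
    if tags and identity.get("accessKeyId", "").startswith("AKIA"):
        tags.append("long-term-access-key")
    return tags

def triage(records):
    """Flatten a batch of records into (eventTime, eventName, arn, tag) findings."""
    return [(ev["eventTime"], ev["eventName"], ev["userIdentity"].get("arn", "?"), tag)
            for ev in records for tag in classify(ev)]

# Constructed sample records (not real telemetry), trimmed to the fields used above.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2025-07-01T02:14:09Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-laptop", "accessKeyId": "AKIAEXAMPLE000001"}},
 {"eventTime": "2025-07-01T09:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions", "accessKeyId": "ASIAEXAMPLE000002"}},
 {"eventTime": "2025-07-01T02:20:41Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-laptop", "accessKeyId": "AKIAEXAMPLE000001"}},
 {"eventTime": "2025-07-01T02:25:13Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-laptop", "accessKeyId": "AKIAEXAMPLE000001"}},
 {"eventTime": "2025-07-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app/web", "accessKeyId": "ASIAEXAMPLE000003"}}
]""")

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(*finding)
```

In a real deployment the same logic would run over CloudTrail delivered to an S3 bucket or an EventBridge rule rather than an inline list.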

The TradeTraitor profile highlights a shift toward advanced nation-state actors leveraging cloud-native environments and supply chain access as attack surfaces. Defenders are urged to elevate cloud governance and detection maturity to counter these highly adaptive adversaries.

2.  DOJ Cracks Down on Covert North Korean Tech Workforce Embedded in U.S. Companies

The Justice Department has revealed a sprawling enforcement campaign that exposed how North Korean operatives, using fake identities and stolen credentials, secured remote jobs at more than 100 U.S. companies. Through the help of domestic enablers, these operatives infiltrated firms across the country—some even in defense and blockchain sectors—earning millions of dollars that were ultimately funneled back to the North Korean regime.

In one particularly elaborate setup, American facilitators created fake companies and websites to serve as fronts, housed corporate laptops at their homes, and connected them to devices allowing remote control from abroad. Federal agents executed raids in 16 states, seizing nearly 200 laptops from so-called “laptop farms” and taking down dozens of fraudulent domains and financial accounts linked to these operations. In one disturbing case, the insiders managed to access controlled defense data from a California-based AI contractor, raising serious national security concerns.

Two U.S. nationals, Zhenxing “Danny” Wang and Kejia “Tony” Wang, were named as key accomplices in the scheme. Prosecutors allege they stole and exploited the identities of over 80 Americans to help North Koreans secure jobs under false pretenses, even vetting potential fake identities for low risk and tax advantages. One has already agreed to plead guilty, while the other remains in custody.

Although this enforcement action disrupted a significant arm of North Korea’s revenue generation machine, cybersecurity experts warn this is just one battle in a broader digital cold war. With state-sponsored impersonators embedded in remote workforces, the threat is both economic and strategic—and it’s not going away anytime soon.


Azure Machine Learning Service Privilege Escalation Flaw

A critical privilege escalation vulnerability was discovered in Azure Machine Learning (AML) by researchers at Orca Security. The flaw allows attackers who have write access to the AML-backed storage account to modify pipeline "invoker" scripts—Python files automatically executed by AML pipelines—resulting in arbitrary code execution on compute instances running under elevated managed identities.

AML pipelines generate invoker scripts stored in a storage account, which control task execution on compute instances. These scripts run with the AML compute instance’s managed identity, meaning that modifying them grants an attacker the ability to execute code with whatever permissions the identity holds. These permissions can range from resource-level access to subscription-wide Owner privileges.

Orca Security demonstrated two privilege escalation scenarios. First, with user-assigned managed identities, attackers could alter scripts to access Azure Key Vaults and extract secrets outside the AML workspace. Second, with system-assigned managed identities that have single sign-on (SSO) enabled (the default setting), attackers could escalate privileges up to the subscription Owner level by exploiting inherited high-level permissions.

Microsoft acknowledged the issue but stated it stems from a design decision where storage account write access is effectively equivalent to compute instance access. In response, Microsoft patched AML so that pipelines now use code snapshots instead of retrieving scripts at runtime, preventing attackers from tampering with scripts after deployment. They also improved documentation regarding SSO, identity usage, and code provenance.

Recommended mitigations include restricting write permissions on storage accounts to trusted identities only, disabling default SSO on compute instances to prevent broad identity inheritance, using least-privilege managed identities (favoring system-assigned roles), enforcing immutability and versioning on pipeline scripts, and implementing checksum validation to verify script integrity before execution.
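To make the last of those mitigations concrete, here is an added example (written for this newsletter, not code from Orca Security or Microsoft) of checksum validation before execution: a manifest of SHA-256 digests is pinned when the pipeline is deployed, and the compute step refuses to run if any script in the directory was modified, added, or removed since then. The directory layout and the `demo()` scenario are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_scripts(script_dir, manifest):
    """Compare every file under script_dir with a pinned manifest {relative_path: sha256}.
    Returns {'modified': [...], 'unlisted': [...], 'missing': [...]}; all empty means trusted."""
    script_dir = Path(script_dir)
    problems = {"modified": [], "unlisted": [], "missing": []}
    seen = set()
    for path in sorted(p for p in script_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(script_dir).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            problems["unlisted"].append(rel)            # script nobody reviewed
        elif not hmac.compare_digest(sha256_file(path), expected):
            problems["modified"].append(rel)            # tampered after deployment
    problems["missing"] = sorted(set(manifest) - seen)  # pinned script removed
    return problems

def run_if_trusted(script_dir, manifest, runner):
    """Gate the pipeline step: execute runner() only when the scripts match the manifest."""
    problems = verify_scripts(script_dir, manifest)
    if any(problems.values()):
        raise RuntimeError(f"refusing to execute pipeline scripts: {problems}")
    return runner()

def demo():
    """Constructed scenario: pin a manifest, then alter one script and drop in another."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "invoker.py").write_text("import runpy\nrunpy.run_path('train.py')\n")
        (root / "train.py").write_text("print('training')\n")
        manifest = {p.name: sha256_file(p) for p in root.iterdir()}   # pinned at deploy time
        clean = verify_scripts(root, manifest)
        (root / "invoker.py").write_text("print('not the pinned script')\n")
        (root / "extra.py").write_text("print('unreviewed')\n")
        return clean, verify_scripts(root, manifest)

if __name__ == "__main__":
    print(demo())
```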

This vulnerability highlights the risks that arise at the intersection of cloud storage misconfigurations and identity-based privilege escalation, especially in AI and machine learning pipelines. It underscores the importance of applying least-privilege principles, securing cloud storage resources, and carefully validating execution environments to safeguard cloud-native assets.

3.  Ingram Micro Hit by SafePay Ransomware, Causing Major IT Supply Chain Interruption

A major IT distribution heavyweight has found itself grappling with internal chaos following a ransomware incident linked to the SafePay group, one of the more prolific threat actors of 2025. Ingram Micro—recognized globally for powering cloud, software, and hardware supply chains—experienced a widespread outage that left its website, ordering systems, and several key business platforms inaccessible.

While the company remained silent publicly about the root cause, reports from within the organization point to a ransomware strike discovered early Thursday morning. Employees began noticing ransom messages on their devices, believed to be left by the SafePay gang. This group has been climbing the ranks of notoriety by exploiting remote access tools and VPNs, and early indicators suggest that Ingram Micro’s GlobalProtect VPN was the potential entry point.

In response to the attack, internal systems were taken offline, and some employees were instructed to work from home, avoiding company VPN access altogether. Platforms central to Ingram Micro’s operations, including their Xvantage distribution tool and license provisioning system Impulse, were reportedly down. However, communications tools like Microsoft Teams and SharePoint appeared unaffected, offering a partial lifeline to the company's day-to-day collaboration.

Despite mounting disruption, no formal breach notification or cyberattack disclosure has been issued by the company as of this writing. As Ingram Micro works behind the scenes to contain the fallout, the incident serves as a fresh reminder of how even the most established tech infrastructure can be upended when perimeter defenses are breached.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?