Cyber Intelligence Weekly

Cyber Intelligence Weekly (June 1, 2025): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to point you to an upcoming webinar on the changes coming down the pipe with HIPAA.

🔍 HIPAA is changing. Is your organization ready?

Join our experts, Josh Fleming, MSITM and Stephen Dyson, Senior Cybersecurity Managers, as they break down the proposed updates and what they mean for healthcare providers, payers, and partners.

Moderated by Cybersecurity Manager Alyson Pisarcik, this session will cover:

⚫ What’s actually changing and who’s impacted

⚫ Real-world strategies to ease implementation

⚫ Third-party oversight and new contingency planning

⚫ Whether you should prepare now… or wait

Reserve your spot: https://lnkd.in/gfA-Gna6

Away we go!

1.  Australia's New Ransomware Reporting Law: What Businesses Need to Know

Australia has enacted a pioneering law requiring certain organizations to report ransomware and cyber extortion payments to the government. Effective from May 30, 2025, under the Cyber Security Act 2024, businesses with an annual turnover exceeding AUD $3 million, as well as entities responsible for critical infrastructure, must notify the Australian Signals Directorate (ASD) within 72 hours of making such payments. Non-compliance may result in civil penalties, including fines of up to 60 penalty units, currently equivalent to AUD $19,800.

This legislative move aims to address the significant underreporting of ransomware incidents in Australia. According to the Australian Institute of Criminology, only about 20% of ransomware attacks are reported, leaving authorities with limited visibility into the scope and impact of these cyber threats. By mandating reporting, the government seeks to gather comprehensive data to better understand and combat ransomware activities.

Initially, the government will adopt an "education-first" approach, focusing on assisting organizations in understanding and complying with the new requirements. This phase will last until December 31, 2025, after which stricter enforcement measures will be implemented. The information collected will be used to analyze threat patterns, develop targeted cybersecurity strategies, and enhance support for affected businesses.

While the law does not prohibit ransom payments, it aligns with the government's stance against paying cybercriminals, emphasizing that such payments do not guarantee data recovery or prevent further attacks. The mandatory reporting is part of a broader effort to strengthen national cybersecurity and protect the economy from the growing threat of ransomware.

Google Cloud Platform TE.0 HTTP Request Smuggling

In July 2024, security researcher sw33tLie unveiled a critical vulnerability affecting thousands of websites hosted on Google Cloud Platform (GCP). This flaw, termed TE.0 HTTP Request Smuggling, posed significant security risks to numerous services utilizing GCP's Load Balancer, including the Identity-Aware Proxy (IAP).

Understanding HTTP Request Smuggling

HTTP Request Smuggling exploits a disagreement between a front-end server (a load balancer, CDN or reverse proxy) and the back-end server behind it about where one HTTP/1.1 request ends and the next begins on a shared connection. By crafting a request that the two parsers frame differently, an attacker can leave bytes on the connection that the back end reads as the start of the next request, which enables bypass of front-end security controls, hijacking of other users’ requests and responses, and further attacks on the application behind the proxy.

Discovery of TE.0 Variant

The TE.0 variant was identified by the researcher while testing GCP-hosted targets. The name follows the CL.TE / TE.CL convention: the front end (GCP’s load balancer) uses the "Transfer-Encoding: chunked" header to find the end of the request, while the back end honors neither Transfer-Encoding nor Content-Length and treats the request as having no body at all, hence the "0". The chunked body that the front end has already consumed is therefore left on the back-end connection and parsed as the beginning of the next request, so a payload hidden in that body reaches the back end without the front end ever having treated it as a request.
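To make the desync concrete, the following is an added toy model (not the researcher’s payload and not GCP’s load balancer code): the same bytes are parsed once by a front end that honors Transfer-Encoding: chunked and once by a back end that ignores every length header. The sample request is constructed here; the host name, the /admin path and the X-Marker header are placeholders. One modelling assumption is labelled in the code: the back end is assumed to be lenient and skip junk lines (such as the leftover chunk-size line) before a request line, which is what lets the smuggled request surface cleanly. The last function is the kind of crude front-end check a practitioner can run: decode the chunked body and flag it if it contains something that looks like an HTTP request line.

```python
"""Toy model of the TE.0 desync: the same bytes parsed by a front end that
honours Transfer-Encoding: chunked and by a back end that ignores every
length header, plus a crude front-end check for a body that is itself a request.
Added example; the sample request is constructed and is not the researcher's payload."""
import re

# "METHOD SP target SP HTTP/1.x" - used to spot request lines
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]$")


def split_head(buf):
    """Return (header_lines, remaining_bytes) for the first header block, else None."""
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None
    return buf[:end].split(b"\r\n"), buf[end + 4:]


def header(lines, name):
    """Value of header `name` (lower-cased) from a header block, or None."""
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == name:
            return value.strip().lower()
    return None


def read_chunked(buf):
    """Decode a chunked body without trailers. Returns (body, remaining_bytes)."""
    body = b""
    while True:
        size_line, _, buf = buf.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            assert buf.startswith(b"\r\n"), "missing blank line after last chunk"
            return body, buf[2:]
        body += buf[:size]
        buf = buf[size + 2:]  # skip chunk data and its trailing CRLF


def parse_stream(buf, honour_te, lenient):
    """Split one connection's bytes into request lines.

    honour_te: consume chunked bodies (the front end). False models the TE.0
               back end, for which every request is body-less.
    lenient:   modelling assumption for the back end: junk lines before the
               request line are skipped instead of rejected.
    Returns (request_lines, bytes left unconsumed on the connection).
    """
    requests = []
    while (parsed := split_head(buf)) is not None:
        head, rest = parsed
        if lenient:
            while head and not REQUEST_LINE.match(head[0]):
                head.pop(0)
        if head:
            requests.append(head[0])
            if honour_te and header(head, b"transfer-encoding") == b"chunked":
                _, rest = read_chunked(rest)
        buf = rest
    return requests, buf


def chunk(data):
    """Encode data as one chunk followed by the terminating zero-length chunk."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(data), data)


# Constructed sample: an outer chunked request whose body is itself a request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.example\r\nX-Marker: smuggled\r\n\r\n"
ATTACK = (b"POST / HTTP/1.1\r\nHost: app.example\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n" + chunk(SMUGGLED))
BENIGN = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n" + chunk(b"hello=world"))


def desync_summary(raw=ATTACK):
    """Request lines each side believes it received from the same bytes."""
    frontend, fe_left = parse_stream(raw, honour_te=True, lenient=False)
    backend, be_left = parse_stream(raw, honour_te=False, lenient=True)
    return {"frontend": frontend, "frontend_leftover": fe_left,
            "backend": backend, "backend_leftover": be_left}


def body_is_request(raw):
    """Front-end check: decode the chunked body and flag any request line inside it."""
    head, rest = split_head(raw)
    if header(head, b"transfer-encoding") != b"chunked":
        return False
    body, _ = read_chunked(rest)
    return any(REQUEST_LINE.match(line) for line in body.split(b"\r\n"))


if __name__ == "__main__":
    print(desync_summary())
    print("attack flagged:", body_is_request(ATTACK), "benign flagged:", body_is_request(BENIGN))
```

Running it shows the front end seeing a single POST while the back end sees the POST followed by a GET /admin it was never meant to receive. The body check is a signal, not a fix: the durable remedies are for the back end to honor a length header, for the front end to normalize or reject ambiguous framing, or to use HTTP/2 end to end so that framing no longer depends on header parsing.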

Impact on Google Cloud Platform

The widespread adoption of GCP's Load Balancer across various services amplified the potential impact of this vulnerability. Notably, the Identity-Aware Proxy (IAP), a service designed to provide secure access to applications, was among the affected services. Exploitation of this vulnerability could allow attackers to bypass authentication mechanisms, leading to unauthorized data access and potential system compromises.

Mitigation and Response

Upon discovery, the vulnerability was reported to Google’s security team, which acknowledged its severity and remediated it in the affected infrastructure. Because the flaw lay in the managed load balancer rather than in customer code, the fix did not depend on customer action; teams that run their own reverse proxies or load balancers in front of GCP back ends should nonetheless verify that the front end and back end agree on how requests are framed.

Broader Implications

This incident underscores the critical importance of continuous security assessments, especially within cloud environments. As cloud services become integral to modern infrastructure, ensuring their security is paramount. The discovery of the TE.0 vulnerability serves as a reminder of the evolving nature of cyber threats and the necessity for proactive measures to identify and mitigate such risks.

Recommendations for Security Professionals

  • Regular Security Audits: Conduct periodic assessments of cloud configurations and services to identify and address potential vulnerabilities.
  • Stay Informed: Keep abreast of emerging threats and vulnerabilities related to cloud services to implement timely defenses.
  • Collaborate with Providers: Engage with cloud service providers to understand their security measures and ensure they align with organizational requirements.
  • Implement Defense-in-Depth: Adopt a multi-layered security approach to protect against various attack vectors, including HTTP request smuggling: where possible use HTTP/2 end to end so requests are length-framed rather than parsed from headers, reject requests that carry both Content-Length and Transfer-Encoding, and have the front end normalize or reject ambiguous framing before forwarding.

The identification and remediation of the TE.0 HTTP Request Smuggling vulnerability highlight the dynamic challenges in securing cloud infrastructures. Proactive security practices and collaboration between researchers and service providers are essential to safeguard against such critical threats.

2.  Nation-State Hackers Exploit ConnectWise Tool in Targeted Attack

A major incident involving ConnectWise, a provider of IT management software, has come to light as the company confirmed that a nation-state threat actor targeted a limited set of its customers through its ScreenConnect platform. While ConnectWise hasn’t released many details, it said the activity appeared tied to a sophisticated adversary and impacted only a “very small number” of users. ScreenConnect is widely used by managed service providers and enterprise IT teams to deliver remote support—making it a high-value target for espionage and intrusion campaigns.

ConnectWise has engaged forensic experts from Mandiant to investigate the breach. The company says it has already contacted affected customers, implemented patches, and enhanced its security measures, including bolstering monitoring across its environment. According to their statement, there’s been no additional suspicious activity since those steps were taken. The breach was first reported by CRN, and while law enforcement is involved, specifics about the attacker’s identity or tactics remain undisclosed.

The software has been a known target in the past. Both Chinese and Russian cyber groups have exploited vulnerabilities in ScreenConnect. One recent bug, CVE-2024-1709, an authentication bypass in ScreenConnect, was especially damaging: it was used to infiltrate U.S. defense contractors, government networks in the U.K., and other institutions across Asia. Google and its Mandiant unit have both confirmed its use by actors linked to China’s Ministry of State Security. Russian group Sandworm, tied to GRU Unit 74455, was also observed leveraging the same flaw.

Remote access tools like ScreenConnect are prized entry points for hackers due to their ability to reach multiple networks through one compromise. As these tools are embedded in the operations of MSPs, a single breach can cascade to dozens or hundreds of downstream victims. While ConnectWise insists the impact was minimal this time, the episode underscores the continued risks posed by vulnerable third-party tools, especially when exploited by nation-state actors.

AI Cloud Workloads Plagued by Critical Vulnerabilities and Risky Misconfigurations

Prevalence of Critical Vulnerabilities in AI Environments

Tenable’s 2025 Cloud AI Risk Report reveals alarming security issues in cloud-based AI implementations, with 70% of cloud AI workloads containing unremediated critical vulnerabilities, significantly higher than the 50% rate observed in non-AI workloads (Tenable, 2025). The report highlights how AI adoption has accelerated dramatically, with prominent cloud services showing substantial deployment rates: 60% of Azure users have configured Cognitive Services, 35% of AWS users have deployed SageMaker, and 20% of Google Cloud Platform users have implemented Vertex AI Workbench.

The “Jenga Concept” and Inherited Misconfigurations 

A particularly concerning trend is what Tenable calls the “Jenga concept” in AI services, where cloud providers layer services atop one another, creating building blocks that inherit risky default configurations often invisible to users (Tenable, 2025). For example, 77% of organizations using Google’s Vertex AI Workbench have at least one notebook instance configured with an overprivileged default Compute Engine service account. Similarly alarming, 91% of organizations using Amazon SageMaker have root access (i.e., administrator privileges) enabled in at least one notebook instance, and 14% of organizations using Amazon Bedrock have at least one AI training bucket configured without public access prevention.

Amplified Risks in AI Environments 

These misconfigurations pose heightened risks in AI environments due to the sensitive nature of AI training data and models. As Tenable notes, “AI big data has big implications for cloud workload security” with “a higher chance than standard workloads of containing sensitive data, heightening security risks when misconfigured” (Tenable, 2025). The report also found that many vulnerable AI workloads run on Unix-based systems with numerous libraries, including open-source ones, for which vulnerabilities are frequently reported but often remain unremediated—as evidenced by CVE-2023-38545 (i.e., a critical curl vulnerability observed in more than one-third of analyzed cloud AI workloads a year after disclosure) (Tenable, 2025).

Strategic Security Framework for AI Cloud Workloads 

Security practitioners must adapt their strategies to address the unique risks AI introduces as it becomes more central to daily business and mission-critical operations. Key actions organizations should take include:

  • Implement comprehensive exposure management for AI systems and data
  • Classify all AI components linked to high-business-impact assets as sensitive
  • Prevent unauthorized or overprivileged access to cloud-hosted AI models and data stores
  • Reduce excessive permissions and manage cloud identities using robust tools for least privilege
  • Prioritize vulnerability remediation by impact, with special attention to AI workloads containing sensitive data
  • Monitor for “Jenga-style” misconfigurations in cloud AI environments
  • Implement regular audit procedures specific to AI development environments
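The three inherited misconfigurations described above (default Compute Engine service account on Vertex AI Workbench notebooks, root access on SageMaker notebooks, and Bedrock training buckets without public access blocking) are all visible in ordinary inventory data, which is what the “audit” and “monitor for Jenga-style misconfigurations” recommendations come down to in practice. The following is an added example, not Tenable’s tooling or any cloud provider’s code: it runs those three checks over a constructed inventory whose record shapes follow the public APIs named in each function (the Workbench Instance resource, SageMaker DescribeNotebookInstance, and S3 GetPublicAccessBlock). Project, bucket and notebook names are placeholders.

```python
"""Audit constructed cloud-AI inventory records for the three inherited
("Jenga") misconfigurations named in the text. Added example, not Tenable's
tooling; record shapes follow the public APIs named in each function."""
import re
from typing import Optional

# Compute Engine default service account: <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
S3_BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def check_vertex_notebook(instance: dict) -> list:
    """Vertex AI Workbench instance (shape after notebooks.googleapis.com v1 Instance).
    An empty serviceAccount means the default Compute Engine account is used."""
    sa = instance.get("serviceAccount", "")
    if not sa or DEFAULT_COMPUTE_SA.match(sa):
        return [f"{instance['name']}: runs as the default Compute Engine service account"]
    return []


def check_sagemaker_notebook(nb: dict) -> list:
    """SageMaker DescribeNotebookInstance output; RootAccess defaults to 'Enabled'."""
    if nb.get("RootAccess", "Enabled") == "Enabled":
        return [f"{nb['NotebookInstanceName']}: root access enabled"]
    return []


def check_training_bucket(name: str, pab: Optional[dict]) -> list:
    """S3 GetPublicAccessBlock output for a Bedrock training-data bucket.
    Missing configuration or any flag left False is a finding."""
    if pab is None:
        return [f"{name}: no public access block configured"]
    off = [flag for flag in S3_BLOCK_FLAGS if not pab.get(flag, False)]
    return [f"{name}: public access block incomplete ({', '.join(off)})"] if off else []


def audit(inventory: dict) -> list:
    """Run every check over an inventory dict; returns one line per finding."""
    findings = []
    for inst in inventory.get("vertex_workbench", []):
        findings += check_vertex_notebook(inst)
    for nb in inventory.get("sagemaker_notebooks", []):
        findings += check_sagemaker_notebook(nb)
    for bucket in inventory.get("bedrock_training_buckets", []):
        findings += check_training_bucket(bucket["Name"],
                                          bucket.get("PublicAccessBlockConfiguration"))
    return findings


# Constructed sample inventory (placeholder names, not real resources).
SAMPLE_INVENTORY = {
    "vertex_workbench": [
        {"name": "projects/demo/locations/us-central1/instances/nb-default",
         "serviceAccount": "123456789012-compute@developer.gserviceaccount.com"},
        {"name": "projects/demo/locations/us-central1/instances/nb-scoped",
         "serviceAccount": "vertex-nb@demo.iam.gserviceaccount.com"},
    ],
    "sagemaker_notebooks": [
        {"NotebookInstanceName": "nb-root", "RootAccess": "Enabled"},
        {"NotebookInstanceName": "nb-noroot", "RootAccess": "Disabled"},
    ],
    "bedrock_training_buckets": [
        {"Name": "demo-bedrock-train-open",
         "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        {"Name": "demo-bedrock-train-locked",
         "PublicAccessBlockConfiguration": dict.fromkeys(S3_BLOCK_FLAGS, True)},
    ],
}

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print("FINDING:", line)
```

In a real deployment the inventory dict would be filled from the provider APIs (for example the Workbench instances list, DescribeNotebookInstance for each SageMaker notebook, and GetPublicAccessBlock for each bucket referenced by a Bedrock training job); the checks themselves stay the same, and each finding maps directly to one of the least-privilege or exposure items in the list above.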

3.  Cybercriminal Behind $19M Baltimore Attack Faces Prison Time

An Iranian national has pleaded guilty to charges stemming from his role in a notorious ransomware campaign that wreaked havoc on several U.S. cities, including a high-profile attack that paralyzed Baltimore in 2019. The individual, 37-year-old Sina Gholinejad, admitted to two criminal charges: computer fraud and conspiracy to commit wire fraud. He now faces a potential prison sentence of up to 30 years.

Federal investigators say Gholinejad, who also used the alias “Sina Ghaaf,” played a key role in the Robbinhood ransomware operation. While not the sole architect, he conducted research to support the ransomware’s deployment, working alongside other conspirators based overseas. The Robbinhood malware was used to target local governments, nonprofits, and even medical organizations, freezing their systems and demanding cryptocurrency in return for access.

The Baltimore incident alone cost the city more than $19 million in recovery and response efforts. Other municipalities—like Greenville, North Carolina, and Yonkers, New York—were also affected. According to the Department of Justice, the group used VPNs and self-managed servers to hide their tracks and laundered the ransom payments through crypto mixing services and chain-hopping techniques to obscure the money trail.

Gholinejad was arrested in January in North Carolina and has since been in custody. The case underscores the global nature of modern cybercrime and the difficulty of attribution and enforcement when attackers operate across borders, but it also shows that persistence by law enforcement can eventually bring even distant perpetrators to justice.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?