Cyber Intelligence Weekly (June 29, 2025): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight an upcoming informative webinar that will highlight the changes coming down the pipe with HIPAA.
🔍 HIPAA is changing. Is your organization ready?
Join our experts, Josh Fleming, MSITM and Stephen Dyson, Senior Cybersecurity Managers, as they break down the proposed updates and what they mean for healthcare providers, payers, and partners.
Moderated by Cybersecurity Manager Alyson Pisarcik, this session will cover:
⚫ What’s actually changing and who’s impacted
⚫ Real-world strategies to ease implementation
⚫ Third-party oversight and new contingency planning
⚫ Whether you should prepare now… or wait
Reserve your spot: https://lnkd.in/gfA-Gna6

Away we go!
1. Citrix Bleed Returns? New Flaw in NetScaler Draws Alarming Parallels
A newly discovered security issue in Citrix’s NetScaler Gateway product has raised eyebrows in the cybersecurity community, sparking concern that we may be seeing a sequel to the 2023 “Citrix Bleed” crisis. Security researchers at ReliaQuest have begun to observe early signs of exploitation tied to CVE-2025-5777—a flaw that could allow attackers to hijack user sessions and bypass multifactor authentication without the victim ever knowing.
The vulnerability stems from how NetScaler handles input validation when configured as a Gateway. By exploiting a memory overread issue, adversaries can harvest session tokens and impersonate legitimate users across enterprise systems. Though Citrix (now under Cloud Software Group) has stated there's no confirmed active exploitation, ReliaQuest’s findings suggest otherwise. Analysts have identified suspicious session behavior and reconnaissance activities across affected environments, hinting at early-stage intrusions.
What’s even more concerning is the historical precedent. In 2023, a similar vulnerability—dubbed Citrix Bleed—was weaponized in attacks against major organizations like Boeing and Comcast, with devastating consequences. Despite widespread patching, attackers continued to abuse the flaw due to poor session termination and lagging system upgrades. The latest vulnerability exhibits eerily similar behavior, only this time it targets session tokens rather than cookies, giving attackers the ability to linger even longer in compromised systems.
Citrix has issued patches and guidance to close the gap, urging users to update to supported software versions and proactively terminate active sessions. But as we’ve seen before, patching alone won’t be enough. Organizations must double down on detection, log review, and threat hunting efforts—especially for indicators like session reuse, strange LDAP queries, and unexpected IP logins. History doesn’t have to repeat itself, but only if we act fast.
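To illustrate the session-reuse hunt the paragraph recommends, here is an added example (not Citrix's or ReliaQuest's code) that flags a gateway session identifier used from more than one client IP within a short window, the pattern a leaked session token produces. The log line format and every value in it are constructed, since the page gives no NetScaler log layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway session log (NOT NetScaler's real syslog format):
# "<timestamp> session=<id> ip=<client ip> ua=<client>"
SAMPLE_LOG = """\
2025-06-24T10:00:00Z session=s-1001 ip=203.0.113.5 ua=CitrixWorkspace
2025-06-24T10:03:10Z session=s-1001 ip=203.0.113.5 ua=CitrixWorkspace
2025-06-24T10:04:30Z session=s-1001 ip=198.51.100.9 ua=python-requests
2025-06-24T11:00:00Z session=s-2002 ip=192.0.2.44 ua=CitrixWorkspace
"""

def parse(log_text):
    """Turn each constructed log line into a dict with a parsed UTC timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(fields)
    return events

def reused_sessions(events, window=timedelta(minutes=30)):
    """Session ids observed from two different client IPs within `window`.

    Returns {session_id: sorted [(ip, user_agent), ...]} so an analyst can see
    which client endpoints shared the session and decide whether to terminate it.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)
    hits = {}
    for sid, evs in by_session.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] <= window and b["ip"] != a["ip"]:
                    hits.setdefault(sid, set()).update(
                        {(a["ip"], a["ua"]), (b["ip"], b["ua"])})
    return {sid: sorted(pairs) for sid, pairs in hits.items()}

if __name__ == "__main__":
    for sid, clients in reused_sessions(parse(SAMPLE_LOG)).items():
        print(f"session {sid} reused from: {clients}")
```

A session legitimately roaming between networks will also trip this; pair the hit with the user-agent change (a browser or Workspace client followed by a scripting client) before escalating.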

Wide‑Scale Microsoft Entra ID Attacks: Exploiting TeamFiltration
A new threat campaign—tagged UNK_SneakyStrike by Proofpoint security researchers—leveraged the open-source red‑teaming tool TeamFiltration to launch large-scale password-spraying and account takeovers (ATOs) against Microsoft Entra ID (formerly Azure AD) environments.
Scope & Scale
- Since December 2024, over 80,000 user accounts across roughly 100 cloud tenants have been targeted.
- Peak activity occurred in January 2025, with bursts of up to 16,500 login attempts in a single day, followed by 4–5 day lulls.
- IP analysis shows attacker infrastructure spread across AWS regions, notably in the US (42%), Ireland (11%), and the UK (8%).
How TeamFiltration Works
- Relies on the Microsoft Teams API for valid user enumeration.
- Employs AWS-hosted servers with rotating IPs to evade detection.
- Executes systematic password spraying using disposable “sacrificial” Office 365 Business Basic accounts.
- Exploits OAuth family refresh tokens to gain broader access across native applications like Teams, OneDrive, and Outlook.
Data Exfil and Persistence
- Upon password compromise, attackers exfiltrate Teams chats, attachments, contacts, and more.
- They establish persistence via OneDrive backdoors—uploading look-alike files containing macros or malware.
Detection Indicators
Proofpoint spotted:
- A rare Teams-related user-agent string tied to TeamFiltration.
- Requests originating from incompatible or spoofed client environments.
- OAuth client IDs matching those hardcoded in the tool—strong indicators of malicious use.
Mitigation Recommendations
- Enforce strong MFA on all identities and applications.
- Tighten conditional access policies, closing gaps like MFA exemptions.
- Monitor for anomalous Teams API use, unusual user-agent strings, or traffic from AWS IP ranges.
- Block IOCs—including those from Proofpoint’s published indicators.
- Audit OAuth client usage and restrict or rotate refresh token permissions.
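As an added example (not Proofpoint's or the TeamFiltration project's code), the script below applies three of the indicators and monitoring points above to constructed Entra ID-style sign-in records: failed logins fanned out across many accounts from one source IP, a user-agent outside the tenant's client baseline, and a source address inside a cloud provider prefix. The AWS prefix list, the user-agent baseline and every event value are placeholders; the field names follow the Entra sign-in log schema.

```python
import ipaddress
import json
from collections import defaultdict

def _event(ts, upn, ip, ua, code):
    """Build one constructed sign-in record in the Entra sign-in log field layout."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "userAgent": ua, "status": {"errorCode": code}}

# Constructed sample: twelve failures (AADSTS 50126, bad password) from one IP
# against twelve accounts, then one normal success. All values are made up.
SAMPLE_EVENTS = [_event("2025-01-14T03:00:%02dZ" % i, "user%d@example.com" % i,
                        "198.51.100.23", "ConstructedOddClient/1.0", 50126)
                 for i in range(12)]
SAMPLE_EVENTS.append(_event("2025-01-14T09:12:44Z", "alice@example.com",
                            "203.0.113.7", "Mozilla/5.0 (Windows NT 10.0) Teams/1.6", 0))

# Placeholder prefix list: in production load the "prefixes" array from AWS's
# published ip-ranges.json instead of this documentation range.
AWS_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
# Assumed baseline of client user-agent fragments this tenant normally sees.
EXPECTED_UA_FRAGMENTS = ("Teams/", "Outlook/", "OneDrive/")

def in_aws_range(ip, prefixes=AWS_PREFIXES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)

def spray_sources(events, min_users=10):
    """IPs whose failed sign-ins (errorCode != 0) span at least min_users accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] != 0:
            failed[e["ipAddress"]].add(e["userPrincipalName"])
    return {ip: len(users) for ip, users in failed.items() if len(users) >= min_users}

def unexpected_user_agents(events):
    """User-agents matching none of the baseline client fragments."""
    return sorted({e["userAgent"] for e in events
                   if not any(f in e["userAgent"] for f in EXPECTED_UA_FRAGMENTS)})

def triage(events):
    """One finding per spraying IP, enriched with the hosting and user-agent indicators."""
    odd_uas = set(unexpected_user_agents(events))
    findings = {}
    for ip, count in spray_sources(events).items():
        uas = {e["userAgent"] for e in events if e["ipAddress"] == ip}
        findings[ip] = {"targeted_accounts": count, "aws_hosted": in_aws_range(ip),
                        "unexpected_ua": sorted(uas & odd_uas)}
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

In a real tenant, feed it the sign-in log export and tune min_users to your baseline; a single indicator is noisy, but a source that trips all three is worth a conditional access block and a password reset for the targeted accounts.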
Bottom Line
The UNK_SneakyStrike campaign demonstrates a dangerous shift: legitimate pentesting frameworks are now weaponized for cloud-native ATOs. By blending Teams‑API enumeration, AWS-based IP rotation, OAuth token abuse, and OneDrive backdoors, attackers can stealthily compromise and persist across environments. Security teams need to audit Teams and OAuth usage, enforce MFA, watch for odd API patterns, and treat such tools as potential threat vectors—not trusted infrastructure.

2. Rising Cyber Threats as U.S.–Iran Conflict Escalates
As tensions between the U.S. and Iran deepen following recent military strikes on Iranian nuclear facilities, cybersecurity officials are warning that the digital fallout is already underway. The Department of Homeland Security (DHS) issued a bulletin emphasizing a growing risk of cyberattacks from Iranian state-sponsored hackers and aligned hacktivist groups. These actors, with a history of probing and exploiting vulnerable systems in critical U.S. infrastructure, are now expected to increase their activity in response to U.S. involvement in the conflict.
The bulletin suggests that low-sophistication attacks, such as defacements or denial-of-service (DDoS) campaigns, are likely in the short term. However, more coordinated and damaging actions—particularly against utilities, government agencies, and industries with weak perimeter defenses—remain a concern. DHS also cautioned that political and religious motives could drive retaliation efforts, not only in cyberspace but potentially through physical or violent actions aimed at perceived adversaries.
Security experts are pointing to past Iranian cyber campaigns, such as targeting water systems and food suppliers, as a warning. These attacks have historically leveraged poor password hygiene and misconfigured Internet-facing devices. With the situation rapidly evolving, U.S. state governments have already been briefed, and multiple governors have taken to public platforms urging local officials to bolster their defenses.
This moment serves as a stark reminder that geopolitical tensions abroad can translate into serious cybersecurity risks at home. Organizations should not only revisit their threat detection capabilities but also re-evaluate physical security, insider risk posture, and employee readiness for social engineering threats—especially given Iran’s documented use of psychological operations and propaganda during conflicts.
Disrupting Malicious Uses of AI – OpenAI June 2025 Report
In the latest quarterly threat intelligence release, OpenAI describes how it is detecting, disrupting, and exposing a diverse set of malicious AI-enabled operations. The report details 10 significant campaigns observed over the past three months—including influence operations, cyber espionage, scams, and deceptive employment schemes—with 4 likely linked to China, and others tied to Cambodia, the Philippines, Russia, Iran, North Korea, and other regions.
Key themes across the report:
Deceptive Employment Schemes
- Threat actors, possibly DPRK-affiliated, used ChatGPT to generate custom résumés, automate IT installation instructions, tweak geolocation, and code scripts to automate mouse/keyboard actions.
Covert Influence Operations
- “Sneer Review”: AI-generated comments targeted a Taiwanese game, false videos defamed a Pakistani activist, and inflammatory comments around USAID closure appeared—across TikTok, X, Facebook, Reddit.
- “High Five”: A Filipino operation created bulk social media comments in English/Taglish to shape opinion around Bongbong Marcos. ChatGPT powered both analysis and PR prep.
- “VAGue Focus”: Chinese-language ChatGPT accounts impersonated analysts to contact U.S. senators and researchers, apparently to collect intelligence.
- “Helgoland Bite”: German-language influence content mirrored across X and Pravda-affiliated forums.
- “Uncle Spam”: Recidivist Russia-linked efforts flooding U.S. political discourse with partisan content generated by AI—and attempts to compartmentalize campaigns for stealth.
Cyber Operations & Malware
- “ScopeCreep”: Russian-speaking actors used AI assistance to write Go-based malware loaders, modify system certificates, adjust PowerShell scripts, disable Defender, and orchestrate multi-stage payloads.
- “Vixen” and “Keyhole Panda”: China-linked campaigns leveraged AI for reconnaissance, payload generation, Docker, VPN setup, OSINT research, and persona/profile creation.
Scams & Social Engineering
- “Wrong Number”: Cambodian task scams across languages (English, Spanish, Kinyarwanda, etc.) offering high pay for simple tasks, with AI used to translate messages and engineer trust through a “ping–zing–sting” funnel.
Defense Strategies Highlighted
OpenAI emphasizes the use of its own AI tools as operational force multipliers. It:
- Ban malicious accounts swiftly.
- Coordinate with platforms and law enforcement to disrupt activity.
- Share detections and indicators with industry partners.
The report stresses that as threats evolve—with actors increasingly using AI to scale disinformation, malware, and fraud—defenses must scale too. This includes advanced detection systems, model usage monitoring, cross-platform coordination, and public transparency.
Why It Matters
- These 10 campaigns underscore AI’s dual role: a potent enabler for both attackers and defenders.
- Multi-national threat actors—from authoritarian states to criminal syndicates—are automating labor-intensive processes like persona creation, messaging, translation, malware development, and social influence.
- The activity is largely low-visibility: many operations yield modest engagement but signal a strategic shift toward stealthy, AI-driven abuse.
- The Chinese origin of 4 cases aligns with broader concerns about state-linked influence and cyber operations.
Bottom Line
The June 2025 OpenAI report makes it starkly clear: AI-powered misuses are already here—from scams and covert influence to malware and espionage. The core takeaway for security teams and enterprises:
- Assume AI will amplify adversaries at scale and speed.
- Integrate model-use monitoring and anomaly detection into security telemetry.
- Share intel across platforms to disrupt operations end-to-end.
- Public transparency builds collective defense, as others (e.g., Google, Anthropic) publish complementary threat intelligence.

3. Cyberattack on UNFI Highlights Growing Risks to the Food Supply Chain
United Natural Foods Inc. (UNFI), a major supplier to grocery chains like Whole Foods, recently confirmed that a cyber incident earlier this month caused widespread operational disruption and is expected to negatively affect the company’s quarterly earnings. The attack, which struck on June 5, forced the company to shut down parts of its ordering infrastructure, prompting a shift to manual order processing across its vast distribution network.
While the breach didn’t involve the exposure of personal or health-related information, it significantly impacted UNFI’s ability to fulfill orders and raised costs associated with containment, investigation, and remediation. In its filing with the SEC, the company noted that the financial toll from the incident will likely result in a material dent in its net income and adjusted EBITDA for the fourth fiscal quarter of 2025.
Despite the short-term hit, UNFI says its long-term strategic outlook remains unchanged. The company has since restored key electronic systems used for ordering and invoicing and has resumed regular operations across its network. UNFI also expects its cybersecurity insurance to cover much of the financial fallout, though it anticipates the claims process will continue well into fiscal 2026.
This latest cyber event underscores the mounting pressure on food and agriculture firms to harden their digital infrastructure. As supply chain disruptions ripple into financial markets and consumer access, incidents like this serve as yet another wake-up call: resilience in this sector depends on proactive cybersecurity readiness.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about