Cyber Intelligence Weekly

Cyber Intelligence Weekly (June 8, 2025): Our Take on Three Things You Need to Know

By
Posted on Jun 08 / 2025

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight an upcoming informative webinar that will highlight the changes coming down the pipe with HIPAA.

🔍 HIPAA is changing. Is your organization ready?

Join our experts, Josh Fleming, MSITM and Stephen Dyson, Senior Cybersecurity Managers, as they break down the proposed updates and what they mean for healthcare providers, payers, and partners.

Moderated by Cybersecurity Manager Alyson Pisarcik, this session will cover:

⚫ What’s actually changing and who’s impacted

⚫ Real-world strategies to ease implementation

⚫ Third-party oversight and new contingency planning

⚫ Whether you should prepare now… or wait

Reserve your spot: https://lnkd.in/gfA-Gna6

Away we go!

1.  Decoding the Chaos: Microsoft and CrowdStrike Align Threat Actor Names

In today’s cybersecurity battles, time is a luxury few defenders can afford. When seconds count, delays in identifying attackers can derail response efforts and give adversaries the upper hand. One of the quiet culprits behind these delays? A surprisingly chaotic naming system for threat actors. For years, cybersecurity vendors have used different names to describe the same hacking groups—leading to confusion, slow response times, and missed connections across platforms.

To bring clarity to this issue, Microsoft and CrowdStrike have announced a joint initiative to align their respective threat actor taxonomies. Rather than creating a single, universal naming system, this collaborative reference guide acts more like a translation key—allowing security teams to map names across vendors and gain a clearer, faster understanding of who’s behind the attack. For example, Microsoft's “Midnight Blizzard” is the same group CrowdStrike calls “Cozy Bear” and others know as APT29 or UNC2452. With this shared mapping, defenders can cut through the noise and move more decisively.

This is more than a branding exercise. When threat intelligence aligns, so do defensive strategies. Microsoft’s taxonomy—based on weather themes like “Tempest” for financially motivated actors or “Typhoon” for Chinese nation-state groups—helps contextualize motivation, origin, and tactics. CrowdStrike brings its own deep library of actor profiles into the mix. Together, they’re offering mutual customers and the broader security community a way to bridge insights, correlate events, and build resilience.

Importantly, this first-of-its-kind reference is just the beginning. Google’s Mandiant team and Palo Alto’s Unit 42 are set to join the effort, creating the possibility for industry-wide coherence in threat naming. As cyberattacks continue to evolve, initiatives like this give defenders a fighting chance—making sense of a chaotic threat landscape and helping turn intelligence into immediate, informed action.

EntraID Vulnerability: FIDO2 Passkey Misuse

In a recent analysis, security specialist Max Rozendaal from Secura unveiled a critical vulnerability within Microsoft's Entra ID (formerly Azure Active Directory) that can be exploited through the misuse of FIDO2 passkeys. This vulnerability allows attackers to escalate privileges and potentially take over Global Administrator accounts by abusing the FIDO2 Passkey provisioning API and its associated Graph permissions.

Understanding FIDO2 Passkeys

FIDO2 passkeys represent an evolution in passwordless authentication, utilizing public-key cryptography to offer robust, phishing-resistant security. Users authenticate using a cryptographic credential stored on devices like security keys or mobile phones, eliminating the need for traditional passwords. Microsoft has introduced a Graph API that enables administrators to pre-provision these passkeys for users, streamlining the adoption of passwordless authentication methods.

The Vulnerability Explained

The core of the vulnerability lies in the 'Create fido2AuthenticationMethod' API, which allows the provisioning of FIDO2 passkeys on behalf of users. This API requires the 'UserAuthenticationMethod.ReadWrite.All' application permission in an app-only access scenario. While intended for administrative convenience, this setup inadvertently opens a pathway for attackers.

If an attacker gains control over a service principal (an identity used by applications or services) endowed with the 'UserAuthenticationMethod.ReadWrite.All' permission, they can exploit this to add a FIDO2 passkey to any user account, including those with Global Administrator privileges. This process bypasses the need for the user's plaintext password and satisfies multi-factor authentication (MFA) requirements, effectively granting the attacker full access to the account.

Potential Attack Scenario

Consider an environment where FIDO2 passkeys are enabled, and a service principal possesses the 'UserAuthenticationMethod.ReadWrite.All' permission. An attacker who compromises this service principal can:

  • Authenticate as the Application: Utilize the compromised credentials to authenticate to the Microsoft Graph API.
  • Provision a FIDO2 Passkey: Invoke the 'Create fido2AuthenticationMethod' API to add a new FIDO2 passkey to a target user's account, such as a Global Administrator.
  • Gain Unauthorized Access: Use the newly provisioned passkey to authenticate as the target user, bypassing traditional password requirements and adhering to MFA policies.

This sequence grants the attacker elevated privileges without the need for the user's consent or knowledge.

Detection and Mitigation Strategies

To safeguard against this exploitation, organizations should implement the following measures:

  • Audit Application Permissions: Regularly review and minimize applications granted the 'UserAuthenticationMethod.ReadWrite.All' permission. Ensure that only essential applications have this level of access.
  • Monitor Audit Logs: Keep an eye on the Microsoft Entra admin center's audit logs for events labeled "User registered security info" and "Add Passkey (device-bound)." These logs can indicate the addition of FIDO2 security keys to accounts, especially those with high privileges.
  • Employ Delegated Permissions: Where feasible, use delegated permissions instead of application permissions. Delegated permissions require the signed-in user to have the necessary rights to perform actions on behalf of another user, adding an extra layer of security.
  • Restrict Privileged Access: Limit the number of accounts with Global Administrator roles and enforce strict access controls. Regularly review these accounts for any unauthorized changes.
  • Enhance Security Posture: Implement additional security measures such as Conditional Access Policies, Privileged Identity Management (PIM), and regular security assessments to identify and address potential vulnerabilities.

While FIDO2 passkeys offer a more secure and user-friendly authentication method, their implementation must be carefully managed to prevent potential abuse. The vulnerability highlighted by Max Rozendaal emphasizes the need for organizations to diligently monitor and control application permissions within their Entra ID environments. By adopting proactive security practices and maintaining vigilant oversight, organizations can harness the benefits of passwordless authentication without exposing themselves to undue risks. For a more detailed exploration of this vulnerability and its implications, refer to the original article by Secura.

2.  £47 Million Fraud at HMRC: What Every Organization Should Learn

A major phishing scheme has left the UK’s tax authority grappling with the fallout of a £47 million fraud. Criminals, posing as legitimate taxpayers, gained access to over 100,000 HMRC online accounts using stolen credentials—largely acquired through phishing techniques. While no taxpayer funds were directly stolen, the fraudsters used these compromised identities to file false rebate claims, attempting to siphon money from the government.

The attack, which came to light during a Treasury Select Committee hearing, sparked criticism of HMRC for not disclosing the breach earlier. Lawmakers expressed frustration that such a significant incident had not been proactively shared with Parliament. HMRC officials, meanwhile, emphasized that they had swiftly locked down affected accounts and erased fraudulent data to prevent further exploitation.

Interestingly, HMRC maintains this wasn’t a “cyberattack” in the traditional sense—no firewalls were breached, no internal systems penetrated. Instead, this was a case of identity fraud at scale, enabled by stolen personal data and manipulated through the tax agency’s own digital interfaces. For many victims, these fraudulent accounts were created before they ever signed up for online services, meaning they had no reason to suspect anything was wrong.

This incident reinforces the growing threat of impersonation-based fraud, especially as public institutions increase reliance on digital services. HMRC is now planning further investments in cybersecurity infrastructure, acknowledging the rising complexity of modern fraud tactics. In an age where phishing and identity theft can cause as much damage as a zero-day exploit, defending the user perimeter has never been more essential.

Microsoft Unveils AI security Agents to Combat Growing Threat Landscape

AI Agents for Autonomous Security Functions 

Microsoft has announced a significant evolution of their Security Copilot platform with the introduction of AI agents designed to autonomously assist with critical security functions, according to a recent announcement from their Corporate Vice President of Security (Jakkal, 2025). These agents come in response to the overwhelming volume of cyber threats, with Microsoft Threat Intelligence now processing 84 trillion signals per day and detecting over 30 billion phishing emails and 7,000 password attacks per second targeting customer in 2024 alone (Jakkal, 2025).

New Microsoft and Partner-Built Capabilities 

The enhanced Security Copilot will include six Microsoft-built agents focusing on phishing triage, alert triage, conditional access optimization, vulnerability remediation, and threat intelligence briefing (Jakkal, 2025). Additionally, five partner-built agents from OneTrust, Aviatrix, BlueVoyant, Tanium, and Fletch will extend the platform’s capabilities to address privacy breach response, network supervision, SecOps tooling, alert triage, and task optimization. According to Blake Brannon, Chief Product and Strategy Officer at OneTrust, “an agentic approach to privacy will be game-changing for the industry. Autonomous AI agents will help our customers scale, augment, and increase the effectiveness of their privacy operations” (Jakkal, 2025).

Enhanced Governance for AI Security 

Microsoft is also strengthening its solutions for securing AI itself, addressing growing concerns about effective AI governance. Their recent report found that 5% of organizations have experienced an increase in security incidents from AI usage, yet 60% have not yet implemented AI controls (Jakkal, 2025). New capabilities include AI security posture management for multi-model and multi-cloud environments (extending beyond Microsoft Azure to include Google VertexAI and AWS), enhanced detection for emerging AI threats identified by OWASP, and controls to prevent risky access and data leaks into shadow AI applications.

Strategic Implementation Recommendations 

As AI becomes more deeply integrated into security operations and business processes, a comprehensive approach to both securing with AI and securing AI itself is essential. Security practitioners should consider the following actions:

  • Evaluate the new agentic apabilities as potential tools to address the overwhelming volume of security alerts and incidents
  • Prioritize implementing AI governance controls, particularly as Microsoft’s data suggests most have not yet done so despite experiencing security incidents
  • Implement granular access controls for AI applications using solutions like Microsoft Entra internet access
  • Deploy data loss prevention controls for AI applications through specialized tools like Microsoft Purview to prevent sensitive data leakage
  • Develop comprehensive security policies that address both the use of AI for security and the security of AI systems themselves
  • Consider phased implementation of autonomous AI agents, starting with high-volume, low-complexity security tasks

3.  ChatGPT in the Wrong Hands: What OpenAI’s Crackdown Reveals About Threat Actor Tactics

OpenAI recently revealed that it dismantled dozens of accounts operated by state-sponsored and criminal threat groups that had been abusing ChatGPT for malicious purposes. From covert influence operations to malware development and fake job applications, the misuse of AI is no longer theoretical—it's happening in real-time, and at scale. While the company insists that the actors didn’t gain capabilities they couldn’t find elsewhere, the breadth and creativity of the exploitation is eye-opening.

Among the most alarming discoveries: threat actors tied to China, Russia, North Korea, Iran, and the Philippines used ChatGPT to generate persuasive disinformation posts across platforms like TikTok, X, and Facebook. These weren’t your run-of-the-mill bots. They tailored content to amplify geopolitical tension, attack Western institutions, and create the illusion of consensus through coordinated engagement. Russia, for example, focused efforts on German political discourse and anti-NATO narratives.

Malicious code development also featured prominently. OpenAI linked some activity to well-known hacking groups like APT5 and APT15, who used the chatbot to fine-tune password brute-force scripts, conduct reconnaissance, and even develop malware that could hijack Android devices and simulate human-like interaction. This hands-on refinement process—where code is tweaked through iterative prompts—underscores how AI can become a quiet but effective co-pilot for adversaries.

The deception didn’t stop there. North Korean actors used ChatGPT to fabricate résumés and personas for fraudulent employment schemes targeting U.S. companies. Meanwhile, criminal groups in Cambodia leveraged the tool for multilingual recruitment scams, luring victims into high-wage “microtask” roles that served as a gateway to wider fraud operations. OpenAI has since banned all identified accounts and shared indicators with industry peers. But the incident stands as a warning: even the most powerful AI tools can be twisted, fast, when placed in the wrong hands.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?