Cyber Intelligence Weekly (May 4, 2025): Our Take on Three Things You Need to Know // Echelon Risk + Cyber

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight an upcoming webinar!

[Live Roundtable]: Leveling Up Your Defenses: The Power of Red and Purple Teaming

🛡️ Join us on May 14 at 1:00 PM EST for a live roundtable with our Offensive Security team.

They'll break down how combining red and purple teaming can expose blind spots, sharpen detection, and help organizations at any stage build a stronger security program.

Away we go!

1. PowerSchool Breach Fallout: Toronto School District Faces Second Extortion Threat

Months after education technology provider PowerSchool paid off cybercriminals in hopes of containing a data breach, the Toronto District School Board (TDSB) has disclosed that the stolen data has resurfaced in a new extortion attempt. In a letter sent to families and staff this week, TDSB confirmed that a hacker has returned with ransom demands, leveraging sensitive student and staff information previously thought to be deleted.

The December 2024 incident impacted thousands of educational institutions across North America. At the time, PowerSchool believed it had mitigated the damage by paying a ransom and receiving apparent proof that the stolen data had been destroyed. However, that belief has now been undermined by the emergence of new threats targeting multiple school boards individually.

The compromised information includes a wide range of personal details dating back several decades—names, birthdates, healthcare identifiers, residency status, and medical and disciplinary records. TDSB, which serves more than 235,000 students, is now working alongside authorities and privacy regulators to assess the extent of the exposure and offer support to those affected.

This isn’t the first time Toronto’s school board has faced cyber extortion. Just last summer, it was targeted by the LockBit ransomware gang, which demanded payment under threat of leaking student data. The latest development highlights the growing challenge school systems face in defending against persistent and evolving cyber threats—even after ransoms are paid.

Cloud Risk Report Shows Most Incidents Stem from Known Risks

A recent report by ZEST Security, titled the "Cloud Risk Exposure Impact Report," has unveiled a concerning trend in cybersecurity: over 62% of security incidents stem from risks that organizations were already aware of but had not yet addressed. This statistic underscores a significant challenge in the realm of cloud security, where known vulnerabilities remain unmitigated, leaving systems exposed to potential attacks.

Key Findings of the Report

The report, which surveyed more than 150 security decision-makers from large U.S. enterprises, highlights several critical insights:

Prevalence of Known Risks Leading to Incidents: A significant majority of security incidents—over 62%—originate from vulnerabilities that security teams had previously identified. Despite being aware of these issues and having initiated remediation processes, the necessary fixes were not implemented in time to prevent incidents.

Disparity Between Remediation and Exploitation Timelines: The data reveals a stark contrast between the time organizations take to remediate vulnerabilities and the speed at which attackers exploit them. Specifically, it takes organizations ten times longer to address and fix vulnerabilities than it takes for malicious actors to exploit these weaknesses. This discrepancy provides attackers with a substantial advantage, increasing the risk of successful breaches.

Financial Implications of Remediation Efforts: The process of remediation is not only time-consuming but also financially burdensome. On average, organizations spend over $2 million annually on remediation efforts, accounting for the time, resources, and labor involved. This figure excludes additional indirect costs arising from security incidents, such as those related to insurance claims and compliance with regulatory requirements.

Implications for Cloud Security

The findings from ZEST Security's report shed light on systemic issues within cloud security practices:

Inefficiencies in Vulnerability Management: The fact that a majority of incidents are linked to known but unaddressed risks suggests that current vulnerability management processes are insufficient. Delays in remediation can result from various factors, including resource constraints, inadequate prioritization, or complex approval workflows.

Attacker Advantage: The rapid pace at which attackers can exploit vulnerabilities compared to the sluggish remediation timelines of organizations creates a favorable environment for malicious activities. This imbalance necessitates a reevaluation of current security strategies to enhance responsiveness and reduce exposure windows.

Economic Strain: The substantial financial outlay for remediation highlights the economic impact of delayed vulnerability management. Beyond direct remediation costs, organizations may face expenses related to incident response, legal liabilities, and reputational damage.

Recommendations for Organizations

To address these challenges, organizations should consider the following strategies:

Prioritize Risk Remediation: Develop a risk-based approach to vulnerability management, focusing on addressing the most critical vulnerabilities that pose the highest threat to the organization. This prioritization ensures that resources are allocated effectively to mitigate the most pressing risks first.
Streamline Remediation Processes: Evaluate and optimize existing workflows to reduce bottlenecks in the remediation process. Implementing automated tools and fostering cross-departmental collaboration can accelerate the identification and resolution of vulnerabilities.
Enhance Monitoring and Detection: Invest in advanced threat detection systems that can identify and alert security teams to potential exploits in real-time. Proactive monitoring enables organizations to respond swiftly to emerging threats, minimizing potential damage.
Continuous Training and Awareness: Regularly train security personnel on the latest threat landscapes and remediation techniques. An informed and skilled team is better equipped to handle vulnerabilities efficiently and effectively.
Leverage Artificial Intelligence and Automation: Incorporate AI-driven solutions to analyze vulnerabilities and predict potential exploits. Automation can handle routine tasks, allowing security teams to focus on more complex issues and reducing the overall time to remediation.

Conclusion

ZEST Security's "Cloud Risk Exposure Impact Report" serves as a critical reminder of the vulnerabilities that persist within organizational infrastructures due to delayed remediation. By acknowledging the direct link between known risks and security incidents, organizations are prompted to reassess and enhance their vulnerability management practices. Emphasizing timely remediation, adopting advanced security technologies, and fostering a culture of continuous improvement are essential steps toward fortifying cloud security and reducing the incidence of preventable breaches.

2. $2 Billion Heist: Hackers Breach Thousands of Japanese Trading Accounts

Japan’s financial watchdog has sounded the alarm over a dramatic rise in fraudulent trading activity, with nearly $2 billion in unauthorized stock transactions reported in April alone. The Financial Services Agency (FSA) confirmed that nearly 5,000 accounts across nine brokerage firms were compromised by hackers who used stolen credentials to execute thousands of trades.

In these schemes, attackers typically gain access through phishing and credential theft, then manipulate victim accounts to sell off existing holdings. The proceeds are used to purchase low-cap domestic and international stocks—often those that the attackers already hold—allowing them to inflate values and cash in on the artificially boosted prices. Though initially attributing many purchases to Chinese markets, the FSA has since removed any mention of specific countries in its public statements.

The volume of fraudulent activity has escalated sharply. Between January and March, roughly $665 million in unauthorized transactions were reported. But in April alone, the figure ballooned to over $1.9 billion in trades—suggesting a coordinated, large-scale effort that may still be unfolding. Cybersecurity analysts point to increasingly sophisticated phishing toolkits and language-localized attacks as factors fueling the surge.

Authorities are urging investors to use stronger security measures like multi-factor authentication, avoid reusing passwords, and only access trading platforms via official bookmarks. The FSA also emphasized the importance of frequent account checks and warned that threats like this can impact any brokerage unless proactive defenses are in place.

Rules File Backdoor: New Attack Vector Weaponizes AI Coding Assistants

Novel Supply Chain Attack Vector Discovered

Pillar Security researchers have uncovered a new supply chain attack vector named “Rules File Backdoor” that enables threat actors to silently compromise AI-generated code by injecting malicious instructions into configuration files used by popular AI coding assistants like GitHub Copilot and Cursor (Pillar Security, 2025). This technique is particularly concerning given that 97% of enterprise developers now use generative AI coding tools, according to a 2024 GitHub survey, making these tools an increasingly critical part of development infrastructure (Pillar Security, 2025).

Technical Attack Mechanisms

The attack exploits how AI coding assistants process contextual information in rule files—configuration files intended to guide AI agent behavior when generating code. By embedding carefully crafted prompts within seemingly benign rule files, attackers can influence the AI to produce code containing security vulnerabilities and backdoors (Pillar Security, 2025). The technique leverages multiple technical mechanisms, including contextual manipulation, unicode obfuscation using invisible characters, semantic hijacking, and cross-agent vulnerability that works across different AI coding assistants (Pillar Security, 2025).

Persistence and Stealth Characteristics

What makes this attack particularly pernicious is its persistent nature and invisibility to code reviewers. Once a poisoned rule file is incorporated into a project repository, it affects all future code generations sessions by team members and often survives project forking, creating a vector for supply chain attacks affecting downstream dependencies (Pillar Security, 2025). The researchers demonstrated the attack in both Cursor and GitHub Copilot environments, displaying how AI-generated code can be manipulated to include malicious elements like external script tags without the developer’s knowledge.

Mitigation Strategies for Development Teams

Security practitioners must evolve their practices to address this new attack surface as AI coding assistants become more deeply integrated into development workflows. Key defensive measures include:

Implement comprehensive validation processes for AI configuration files, treating them with the same scrutiny as executable code
Deploy detection tools capable of identifying suspicious patterns in rule files, particularly focusing on invisible Unicode characters and unusual formatting
Implement more rigorous code review practices specifically designed to detect unexpected additions generated by AI assistants
Verify the source and integrity of shared rule files before incorporating them into projects
Consider implementing sandboxed environments for initial evaluation of AI-generated code
Establish governance process for approving and auditing AI configuration files

3. Cisco Issues Urgent Patch for Critical IOS XE Vulnerability Enabling Full Device Takeover

Cisco has issued a security update to address a newly disclosed, critical vulnerability in its IOS XE Software for Wireless LAN Controllers (WLCs), warning that the flaw could allow remote attackers to hijack vulnerable devices with full root access. The flaw, tracked as CVE-2025-20188, has been assigned a CVSS score of 10.0, the highest possible severity rating.

The flaw stems from a hard-coded JSON Web Token (JWT) embedded in a feature called Out-of-Band AP Image Download, which, if enabled, allows attackers to impersonate trusted users without authentication. Once exploited, the vulnerability lets attackers upload arbitrary files, traverse file paths, and execute commands with elevated privileges. Cisco notes that while the vulnerable feature is disabled by default, it may be turned on in enterprise environments that use the feature for faster access point provisioning or firmware recovery.

Affected products include the Catalyst 9800 Series Wireless Controllers, including cloud and embedded variants for Catalyst 9300, 9400, and 9500 switches, as well as Embedded Wireless Controllers on Catalyst APs. Cisco has released free software patches to address the vulnerability but confirmed no viable workarounds aside from disabling the affected feature. To check if a device is exposed, administrators can run the command show running-config | include ap upgrade — if it returns ap upgrade method https, the device is vulnerable.

Although Cisco says it is not aware of any active exploitation in the wild at this time, security experts warn that the ease of exploit — coupled with the flaw’s severity — makes scanning for exposed systems a near certainty. Organizations are urged to patch immediately and review their configurations. Cisco has also published a detailed security advisory for further guidance and use of the Cisco Software Checker to verify device status and patch requirements.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about