Cyber Intelligence Weekly (May 18, 2025): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight our HIPAA security checklist for the new HIPAA security rule updates coming!
New HIPAA Security Rule updates are on the horizon - is your healthcare organization ready?

Our team at Echelon Risk + Cyber created a practical HIPAA Compliance Checklist to help you stay ahead. From contingency planning to tabletop exercises, we break down what to do now to meet proposed rule changes before they become mandatory.
✅ Incident Response
✅ Risk Analysis
✅ ePHI Asset Inventory
✅ Staff Training …and more.
📄 Download the checklist: https://lnkd.in/egHbcPPe
Away we go!
1. Coinbase Uncovers Insider Scheme, Refuses to Pay $20M Ransom
Coinbase has revealed a security breach involving rogue overseas support agents who were bribed by cybercriminals to extract customer data. The attackers used this access to gather information on a small group of Coinbase users with the goal of launching highly targeted social engineering scams. While sensitive information such as names, email addresses, partial bank details, and ID images were accessed, Coinbase has confirmed that passwords, private keys, and customer funds remained secure throughout the incident.

In an attempt to cover their tracks, the attackers demanded a $20 million ransom from Coinbase. Rather than comply, the company took a stand and publicly exposed the extortion attempt. Coinbase has since pledged to reimburse users who were manipulated into transferring crypto to the attackers and is now offering a $20 million bounty for information that leads to the perpetrators’ arrest and conviction. Affected customers have already been notified.
To prevent similar incidents, Coinbase is making sweeping changes to its customer support operations. This includes opening a new support center in the U.S., adding more stringent identity checks, and implementing new monitoring systems to detect and prevent insider threats. The company also emphasized that it is working closely with law enforcement agencies and industry partners to trace stolen funds and hold those responsible accountable.
Coinbase’s response sends a strong message: the company won’t reward criminal behavior, and it’s committed to transparency and user protection. In an industry where trust is everything, Coinbase is betting that a clear and decisive stance on security will pay off in the long run.

Azure AI Face Service Vulnerabilities
In early February 2025, Microsoft addressed two critical security vulnerabilities affecting its Azure AI Face Service and Microsoft Account systems. These flaws, identified as CVE-2025-21415 and CVE-2025-21396, posed significant security risks by potentially allowing unauthorized privilege escalation.
Details of the Vulnerabilities
CVE-2025-21415 (Azure AI Face Service Elevation of Privilege Vulnerability):
Severity: Rated with a CVSS score of 9.9, indicating a critical impact.
Nature: This vulnerability involves an authentication bypass through spoofing. An authorized attacker could exploit this flaw to elevate their privileges over a network.
Discovery: An anonymous researcher reported this issue, leading to Microsoft's prompt advisory and subsequent mitigation efforts.
CVE-2025-21396 (Microsoft Account Elevation of Privilege Vulnerability):
Severity: Assigned a CVSS score of 7.5, also categorized as critical.
Nature: This flaw results from missing authorization checks, which could allow an unauthorized attacker to escalate privileges over a network.
Discovery: The vulnerability was identified by a security researcher operating under the pseudonym "Sugobet."
Impact of Vulnerabilities
Successful exploitation of the vulnerabilities could allow a threat actor to:
- Gain unauthenticated access to Microsoft Account services
- Escalate privileges within Azure AI Face Service, potentially compromising sensitive and business-critical data
- Conduct large-scale attacks on Azure-based services
Microsoft's Response
Upon identification, Microsoft acted swiftly to address these vulnerabilities. The company released patches and confirmed that both issues have been fully mitigated, requiring no additional action from customers. Notably, Microsoft acknowledged the existence of a proof-of-concept (PoC) exploit for CVE-2025-21415, underscoring the urgency and importance of the patches.
Organizational Mitigations
- Monitor Security Updates: Stay informed about Microsoft security advisories and apply patches promptly.
- Implement Privileged Access Management (PAM): Restrict user permissions to minimize unauthorized privilege escalation risks.
- Adopt a Zero-Trust Security Model: Enforce strict access controls and authentication measures.
- Conduct Regular Security Audits: Identify and remediate potential vulnerabilities in cloud environments.
- Use Continuous Monitoring Tools: Detect abnormal activities that may indicate security threats.

2. Fake Devs, Real Threat: How Pyongyang Infiltrates Western Tech
A growing number of North Korean IT operatives are being exposed for secretly working within Western tech companies, part of a larger scheme to funnel foreign income back to Pyongyang. Security researchers have now released a dataset containing over 1,000 email addresses tied to suspected operatives, along with photos of two key individuals allegedly operating under false identities. These IT workers, often based in countries like Laos and Russia, pose as freelance developers to land remote jobs at foreign firms and then use their access to support North Korea’s financially starved regime.
One of the individuals, going by the alias “Naoki Murano,” has been linked to a $6 million cryptocurrency theft from DeltaPrime, while another named “Jenson Collins” was involved in crypto projects tied to North Korea. Their online personas were crafted with fake resumes, doctored photos, and stolen credentials. Investigators believe they are part of an organized effort backed by North Korean military and intelligence entities that coach children into becoming skilled developers and hackers.
Cybersecurity firm DTEX and a loosely connected group of researchers known as the Misfits have published dozens of images showing these individuals enjoying lavish lifestyles in stark contrast to the economic hardship in North Korea—highlighting how successful some of these covert operations have become. Some of the workers reportedly used AI tools to enhance their job interviews and even manipulated their appearances during video calls.
U.S. officials and cybersecurity experts warn that these operations aren't just about cybercrime—they're about national security. The earnings from these IT scams reportedly fund missile programs and nuclear development. While efforts to uncover and disrupt these networks have grown in recent years, experts caution that North Korean operatives are adapting fast, moving onto new platforms and employing increasingly sophisticated evasion tactics.

Detecting and Countering Malicious Uses of Claude: Anthropic’s Threat Report
Evolving Threats in the LLM Landscape
Anthropic has released a comprehensive report detailing their efforts to detect and counter malicious uses of their Claude language model. The most significant finding was the discovery of a professional "influence-as-a-service" operation that represents a distinct evolution in how malicious actors leverage LLMs for influence campaigns (Anthropic, 2025). What makes this case particularly novel is that the operation used Claude not merely for content generation but as an orchestrator deciding when social media bot accounts would comment, like, or re-share posts from authentic users (Anthropic, 2025). This orchestration role demonstrates how AI models can be used to coordinate complex abuse systems involving many social media bots, a trend Anthropic expects to continue as agentic AI systems improve.
Case Studies of Malicious Usage
The report outlines several case studies illustrating diverse threat vectors. The influence-as-a-service operation managed over 100 social media bot accounts across Twitter/X and Facebook, with distinct political personas engaging with tens of thousands of authentic social media accounts (Anthropic, 2025). In another case, an actor used Claude to enhance systems for identifying and processing exposed credentials associated with security cameras while collecting information on internet-facing targets (Anthropic, 2025). The report also details a recruitment fraud campaign targeting job seekers in Eastern European countries, where Claude was used to enhance scam content, and a novice actor who leveraged Claude to develop malware that would typically require more advanced expertise (Anthropic, 2025). These examples highlight how generative AI can accelerate capability development for less sophisticated actors.
Detection and Investigation Methodologies
Anthropic's investigation team applied several advanced techniques to identify these malicious use cases. They utilized methods from their recently published research papers, including Clio and hierarchical summarization, which allowed them to efficiently analyze large volumes of conversation data to identify patterns of misuse (Anthropic, 2025). These approaches, combined with classifiers that analyze user inputs for potentially harmful requests and evaluate Claude's responses, enabled Anthropic to detect, investigate, and ban the accounts associated with these cases. These detection systems serve as a safety net, finding harms not caught by standard scaled detection while adding context about how bad actors are using their models maliciously.
Actionable Guidance for Security Practitioners
For security professionals working to protect against AI-enabled threats, Anthropic's report suggests several important strategies:
- Monitor for Orchestration Patterns: Watch for signs that LLMs are being used to coordinate multiple bot accounts or automated systems, as this represents a significant evolution in threat tactics.
- Implement Cross-Platform Detection: Deploy monitoring systems that can identify coordinated campaigns across multiple social media platforms and communication channels.
- Assess Capability Transfer Risk: Evaluate how AI models might be used to transfer capabilities to less sophisticated actors within your threat landscape.
- Apply Advanced Analytics: Utilize techniques/tooling similar to Anthropic's Clio and hierarchical summarization to efficiently analyze large volumes of user-AI interactions for malicious patterns.
- Share Threat Intelligence: Contribute to industry-wide efforts to identify and counter AI-enabled threats by sharing anonymized attack data.
- Deploy Multi-Layer Controls: Implement multiple layers of detection and prevention to catch different aspects of AI-enabled attacks.
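The "Monitor for Orchestration Patterns" guidance above, illustrated with an added example that is not from Anthropic's report or this newsletter: a small Python detector that flags accounts repeatedly acting on the same posts within seconds of each other, the timing fingerprint an orchestrated bot network tends to leave. The sample events, the 30-second window and the three-post threshold are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample engagement events: (account, action, post_id, unix_time).
# Three personas like/comment/re-share the same authentic users' posts within
# seconds of each other; two organic accounts touch the same posts on their own rhythm.
EVENTS = [
    ("persona_a", "like",    "post_101", 1000),
    ("persona_b", "comment", "post_101", 1004),
    ("persona_c", "reshare", "post_101", 1009),
    ("persona_a", "comment", "post_202", 2000),
    ("persona_b", "like",    "post_202", 2003),
    ("persona_c", "like",    "post_202", 2007),
    ("persona_a", "like",    "post_303", 3000),
    ("persona_b", "reshare", "post_303", 3006),
    ("persona_c", "comment", "post_303", 3002),
    ("organic_1", "like",    "post_101", 1500),
    ("organic_2", "comment", "post_202", 2900),
    ("organic_1", "like",    "post_303", 4200),
]

def co_engagement_pairs(events, window_s=30):
    """Count, per pair of accounts, the posts both acted on within window_s seconds."""
    by_post = defaultdict(list)
    for account, _action, post, ts in events:
        by_post[post].append((account, ts))
    pair_counts = defaultdict(int)
    for acts in by_post.values():
        for (a1, t1), (a2, t2) in combinations(acts, 2):
            if a1 != a2 and abs(t1 - t2) <= window_s:
                pair_counts[tuple(sorted((a1, a2)))] += 1
    return dict(pair_counts)

def coordinated_clusters(events, window_s=30, min_shared_posts=3):
    """Return groups of accounts linked by at least min_shared_posts tightly timed co-engagements."""
    adjacency = defaultdict(set)
    for (a1, a2), n in co_engagement_pairs(events, window_s).items():
        if n >= min_shared_posts:
            adjacency[a1].add(a2)
            adjacency[a2].add(a1)
    seen, clusters = set(), []
    for start in sorted(adjacency):          # connected components over the link graph
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adjacency[node] - comp)
        seen |= comp
        clusters.append(sorted(comp))
    return clusters
```

Thresholds need tuning per platform: trending posts draw many genuine users within seconds, so in production the window should be combined with persona-level signals (account age, posting cadence) before any enforcement.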

3. Scattered Spider Crosses the Atlantic: U.S. Retailers Now Under Fire
A cybercrime group known for its aggressive social engineering tactics has shifted its focus from UK retailers to major U.S. retail chains. The collective, often referred to as Scattered Spider (also known as UNC3944 or Octo Tempest), recently launched a series of ransomware and extortion attacks across the U.K., targeting companies like Marks & Spencer, Co-op, and Harrods. These intrusions are now being replicated in the United States, according to analysts at Google’s Threat Intelligence Group.
The attackers have been linked to the DragonForce ransomware group, which encrypted systems at Marks & Spencer using malware tailored for VMware ESXi environments. The same group is believed to have stolen personal data from Co-op and triggered security lockdowns at Harrods. The National Cyber Security Centre in the UK has not officially confirmed a single actor behind all incidents, but issued guidance to help organizations bolster their cyber defenses.
Scattered Spider is a loosely organized group of young, English-speaking cybercriminals that coordinate attacks in real time via Telegram, Discord, and other platforms. Known for targeting companies with phishing, SIM-swapping, and MFA fatigue techniques, they’ve previously been involved in high-profile breaches of MGM Resorts, Coinbase, Twilio, and more.
Experts warn that U.S. companies should expect a continued wave of retail-focused ransomware incidents. The group’s tactics make them particularly dangerous—even against well-defended networks. Their evolving methods, use of third-party platforms, and impersonation techniques make them a growing threat on both sides of the Atlantic.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about