Intelligence
Cyber Intelligence Weekly Echelon

Cyber Intelligence Weekly (May 4, 2025): Our Take on Three Things You Need to Know

By
Posted on May 04 / 2025

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight an upcoming webinar!

[Live Roundtable]: Leveling Up Your Defenses: The Power of Red and Purple Teaming

🛡️ Join us on May 14 at 1:00 PM EST for a live roundtable with our Offensive Security team.

They'll break down how combining red and purple teaming can expose blind spots, sharpen detection, and help organizations at any stage build a stronger security program.

Register now to save your spot: https://lnkd.in/gea6_E-6

Register now to save your spot:

Away we go!

1.  Apple Warns Users in 100 Countries of Sophisticated Spyware Attacks

Apple has begun alerting individuals in over 100 countries that their iPhones were likely targeted by sophisticated spyware. The company issued personalized threat notifications to select users, warning that they may have been victims of highly advanced surveillance software—often referred to as mercenary spyware. While Apple has not identified who is behind these attacks, it stated with "high confidence" that the targeting was intentional and related to the recipients' personal identity or professional work.

Among the confirmed recipients of the alert are Italian journalist Cyrus Pellegrino and Dutch commentator Eva Vlaardingerbroek. Pellegrino, who works for Fanpage and has reported on political extremism in Italy, suspects the incident may be connected to a broader campaign involving Paragon spyware—a tool linked to dozens of earlier incidents reported on WhatsApp. Vlaardingerbroek shared her experience online, suggesting the attack was meant to intimidate her but affirmed she would not be silenced.

Apple has been issuing these kinds of warnings since 2021 and said that it has now notified users in more than 150 countries. The company emphasized the growing global threat of commercial surveillance tools and their ability to silently infiltrate personal devices, granting attackers complete access to messages, files, and activity. Victims typically have no indication their phones have been compromised until it's too late.

Pellegrino recounted how he reacted upon receiving the warning, choosing to isolate his phone immediately and quietly inform his family. He reflected on the deeply invasive nature of such spyware, describing smartphones as “the black boxes of our lives”—digital vaults filled with personal and professional data that, if accessed maliciously, could cause irreparable harm.

Threat Actors Exploiting Critical Vulnerability to Attack Cloud Platforms

A recent critical vulnerability in the Aviatrix Controller platform, CVE-2024-50603 CVSS: 10, is allowing an unauthenticated, remote threat actors to run arbitrary commands against Aviatrix granting the threat actor full control of the platform.

Aviatrix is a commonly used centralized management platform for cloud networking.  This vulnerability is under active exploitation and being used to deploy XMRig cryptomining malware and the creation of Sliver backdoors providing persistent access to the impacted cloud platform. Aviatrix has released a security bulletin with details of the vulnerability and remediation instructions.

Aviatrix has released an emergency patch fixing the vulnerability, but organizations should review their cloud resource usage and network configuration to identify any potential impact from cryptojacking or a persistent backdoor. Cloud Security providers have also created crafted searches to hunt for exploitation of the vulnerability, check with your provider for specific guidance.

2.  Ransomware Feast: Cyberattacks on Food Industry Double in 2025

The food and agriculture sector is experiencing a troubling surge in ransomware incidents in 2025, with reported attacks in the first quarter alone more than doubling compared to the same period last year. According to Jonathan Braley of the Food and Ag-ISAC, this wave of attacks began picking up speed late in 2024 and shows no signs of slowing. Despite growing concern, many of these incidents go unreported, leaving industry leaders in the dark about attack vectors, tools used, and remediation methods.

Speaking at this year’s RSA Conference, Braley emphasized the importance of transparency, urging organizations to share details of breaches more openly to help others avoid falling victim. He noted that while major campaigns like the Clop file transfer exploit drew attention, other groups such as RansomHub and Akira have also continued targeting food producers and processors with intensity. Data collected from a mix of dark web sources, industry members, and partner ISACs highlighted 84 attacks from January to March alone.

The fallout from these breaches can be significant. A recent incident at South Africa’s largest poultry supplier reportedly cost over $1 million in damages, while a ransomware attack on a major dairy plant in Siberia also made headlines. Analysts say the industry’s dependence on older operational systems and real-time supply logistics makes it particularly vulnerable — and attractive — to extortion campaigns.

Even more concerning, ransomware is now responsible for over half of all cyberattacks observed in the sector. As pressure builds to modernize infrastructure and tighten defenses, experts stress the urgency of cross-industry collaboration and threat intelligence sharing to keep critical food supply operations secure and resilient.

Rules File Backdoor: New Attack Vector Weaponizes AI Coding Assistants

Novel Supply Chain Attack Vector Discovered

Pillar Security researchers have uncovered a new supply chain attack vector named “Rules File Backdoor” that enables threat actors to silently compromise AI-generated code by injecting malicious instructions into configuration files used by popular AI coding assistants like GitHub Copilot and Cursor (Pillar Security, 2025). This technique is particularly concerning given that 97% of enterprise developers now use generative AI coding tools, according to a 2024 GitHub survey, making these tools an increasingly critical part of development infrastructure (Pillar Security, 2025).

Technical Attack Mechanisms

The attack exploits how AI coding assistants process contextual information in rule files—configuration files intended to guide AI agent behavior when generating code. By embedding carefully crafted prompts within seemingly benign rule files, attackers can influence the AI to produce code containing security vulnerabilities and backdoors (Pillar Security, 2025). The technique leverages multiple technical mechanisms, including contextual manipulation, unicode obfuscation using invisible characters, semantic hijacking, and cross-agent vulnerability that works across different AI coding assistants (Pillar Security, 2025).

Persistence and Stealth Characteristics

What makes this attack particularly pernicious is its persistent nature and invisibility to code reviewers. Once a poisoned rule file is incorporated into a project repository, it affects all future code generations sessions by team members and often survives project forking, creating a vector for supply chain attacks affecting downstream dependencies (Pillar Security, 2025). The researchers demonstrated the attack in both Cursor and GitHub Copilot environments, displaying how AI-generated code can be manipulated to include malicious elements like external script tags without the developer’s knowledge.

Mitigation Strategies for Development Teams

Security practitioners must evolve their practices to address this new attack surface as AI coding assistants become more deeply integrated into development workflows. Key defensive measures include:

  • Implement comprehensive validation processes for AI configuration files, treating them with the same scrutiny as executable code
  • Deploy detection tools capable of identifying suspicious patterns in rule files, particularly focusing on invisible Unicode characters and unusual formatting
  • Implement more rigorous code review practices specifically designed to detect unexpected additions generated by AI assistants
  • Verify the source and integrity of shared rule files before incorporating them into projects
  • Consider implementing sandboxed environments for initial evaluation of AI-generated code
  • Establish governance process for approving and auditing AI configuration files

3.  Co-op, Harrods, and M&S: Inside the Retail Cybersecurity Crisis

Several major UK retailers have recently found themselves in the crosshairs of cybercriminals. Marks & Spencer, Harrods, and Co-op each disclosed cybersecurity incidents over the past few weeks, resulting in significant operational disruptions. Marks & Spencer has paused online ordering and some internal processes, while Co-op issued alerts to staff to heighten security vigilance during remote work. Harrods acknowledged the breach but has yet to advise customers to take specific action.

While the exact nature of the attacks has not been fully disclosed, reports suggest that a ransomware collective may be involved. Bloomberg identified a group known as DragonForce, which offers hacking tools and services to affiliates, as a possible player. Meanwhile, Bleeping Computer has linked the incident at Marks & Spencer to a different group, Scattered Spider, which is notorious for its social engineering tactics and has previously targeted major brands in the U.S.

Scattered Spider has gained a reputation over the last two years as one of the more aggressive cybercrime collectives, relying on impersonation, phishing, and phone-based deception to infiltrate networks. Although the group lacks formal structure, its English-speaking members have pulled off high-profile breaches, often encrypting data and demanding ransom. If their involvement in this wave of UK attacks is confirmed, it would underscore their growing reach.

Retailers, already under pressure from supply chain instability and consumer behavior shifts, now face growing digital threats as well. These incidents highlight the ongoing vulnerability of even the most established companies and the pressing need for more resilient cybersecurity measures in sectors that interface directly with millions of consumers.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?