Cyber Intelligence Weekly

Cyber Intelligence Weekly (October 19, 2025): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight that we will be onsite at @TRISS this year!

We’re excited to sponsor the Three Rivers Information Security Symposium (TRISS), a full-day event featuring learning, networking, and collaboration.

Feel free to reach out to myself or Benjamin Tumolo to meet on-site!

Away we go!

1.  Identity Hacks Surge 32% in 2025 — Stolen Credentials Lead the Way

Microsoft’s latest Digital Defense Report 2025 paints a stark picture: identity-based cyberattacks continue to be the easiest way for criminals to break into organizations. Despite billions spent annually on sophisticated security controls, more than 97% of all identity attacks still involve simple password guessing or stolen credentials. In the first half of 2025 alone, these attacks surged by 32%, underscoring how fundamental weaknesses remain the go-to entry point for threat actors.

According to Microsoft, attackers increasingly rely on credential leaks, infostealer malware, and social engineering to compromise accounts. Help desk scams are surging — with attackers impersonating employees or contractors, requesting password resets, and walking away with keys to the kingdom. High-profile incidents tied to the Scattered Spider threat group illustrate how human trust is often more vulnerable than technical systems. Microsoft also cited its efforts to disrupt Lumma Stealer infrastructure, a widely used malware family responsible for credential theft at scale.

The ripple effects are clear in the ransomware ecosystem. Microsoft incident responders noted that 19% of all analyzed intrusions had ransomware as the ultimate goal, with attackers regularly rotating through multiple ransomware-as-a-service (RaaS) variants like Dragon Force, RansomHub, Qilin, and Vice Society. Many intrusions start not with exotic exploits, but with a compromised account or a bypassed multi-factor authentication flow. Even antivirus defenses are being sidestepped by exploiting AV exclusion misconfigurations, which were abused in 30% of ransomware cases tracked this year.

Perhaps the only sliver of good news is that while ransomware remains relentless, the pace of encryption-stage attacks has slowed compared to the previous year. Still, the message from Microsoft’s research is unmistakable: passwords remain the weakest link, and identity security — including stronger MFA enforcement, rigorous credential hygiene, and continuous monitoring — must become a top priority. Technology may evolve, but attackers will always take the easiest path in.

CISA Releases Microsoft Cloud Log Implementation Playbook

The Cybersecurity and Infrastructure Security Agency (CISA) has released a Microsoft Expanded Cloud Logs Implementation Playbook to help organizations get the most out of the new logging capabilities of Microsoft Purview Audit (Standard). The playbook provides step-by-step guidance for detecting and defending against advanced intrusion techniques using the expanded logging capabilities.

The playbook provides for:

  • Utilizing Microsoft Purview Audit (Standard) logs to conduct forensic and compliance investigations by allowing access to events like mail items accessed, mail items sent, and user searches in SharePoint Online and Exchange Online.
  • An administrative guide for ingesting the new logs into Microsoft Sentinel and third-party Security Information and Event Management (SIEM) systems like Splunk.
  • Perspective on significant events from M365 services.

This playbook can help security operations teams raise their capabilities and operationalize the newly expanded cloud logging of M365.

2.  Envoy Air Confirms Oracle E-Business Suite Breach Linked to Clop

Envoy Air, a regional carrier owned by American Airlines, has confirmed that hackers gained access to its Oracle E-Business Suite system, making it the second organization to publicly acknowledge being caught up in the growing Clop ransomware campaign. The company said the breach led to the compromise of certain business information and contact details but stressed that no sensitive customer or flight operations data was impacted.

The incident, attributed to the Russian-speaking Clop group, is part of a broader exploitation wave targeting Oracle E-Business Suite vulnerabilities. Oracle previously confirmed the existence of a patch for at least one of the flaws involved, while the FBI described one of the exploited bugs as a “‘stop-what-you’re-doing and patch immediately’” vulnerability. Security researchers believe many more victims have yet to surface, pointing to the scope and stealth of the campaign.

Envoy’s disclosure came shortly after Clop listed American Airlines on its leak site, though the parent company clarified the attack was isolated to its subsidiary. Following detection, Envoy said it launched an internal investigation, engaged law enforcement, and reviewed affected data. No operational disruptions occurred, and flight and ground services remain fully functional.

The Envoy Air breach underscores how core business systems—not just customer-facing infrastructure—can become prime targets in sophisticated exploitation campaigns. As attackers increasingly weaponize enterprise applications like Oracle E-Business Suite, patching cycles, third-party dependencies, and monitoring around ERP platforms have become critical defensive priorities. Organizations relying on these systems must assume that they are high-value targets and treat their security posture accordingly.

LLMs Misleading Users with Incorrect or Malicious Login URLs

Security researchers at Netcraft analyzed AI language models’ behavior when prompted for login URLs across 50 well-known brands. Their investigation revealed that about one-third of the URLs returned by the models were incorrect—either pointing to inactive or unregistered domains (29%) or to unrelated active domains (5%)—with only 66% linking to legitimate brand domains.

In operational terms, these models do not retrieve verified URLs from authoritative sources; instead, they synthesize plausible-looking domain names based on probabilistic patterns learned during training. When prompted with queries such as “Where do I log in to [service]?”, the models often produce responses that appear syntactically valid and contextually appropriate, even if the referenced domain does not exist or belongs to an unrelated entity. This behavior reflects the models’ reliance on generative pattern recognition rather than real-time validation or access to up-to-date domain registries.

Users who follow these hallucinated links may be directed to inactive webpages or to malicious or spoofed sites designed to capture user credentials or distribute malware. This vulnerability is particularly acute for lesser-known services, which are underrepresented in the models’ training data and therefore more susceptible to URL hallucination.

This finding underscores a key limitation of generative AI in high‑stakes applications: confident output does not guarantee accuracy. When applied to sensitive tasks like login assistance, AI systems must incorporate validation mechanisms to prevent hallucinations from translating into security threats. Until such safeguards are standard, users and organizations should treat AI‑provided URLs with caution.

Experts recommend implementing runtime validation layers that cross-reference AI‑generated URLs against trusted, authoritative sources. This “source‑of‑truth” approach would ensure only vetted URLs are provided to users, reducing the risk of misleading or dangerous links.
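One way to build the “source-of-truth” validation layer described above, as an added example that is not Netcraft’s or any vendor’s code: the brand allowlist, domain names and function names are constructed for illustration. An AI-suggested URL is only released to the user if its host is a domain (or subdomain of a domain) the brand is known to own; a trusted domain name embedded inside an unrelated host is flagged as a lookalike, and anything else, including brands absent from the registry, is left unverified.

```python
"""Runtime allowlist check for AI-suggested login URLs (constructed example)."""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed source of truth: brand -> registrable domains the brand actually owns.
# A real deployment would load this from a vetted registry, not a literal.
TRUSTED_LOGIN_DOMAINS = {
    "examplebank": {"examplebank.com", "examplebank.co.uk"},
    "acmecloud": {"acmecloud.io"},
}


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercase hostname, or None if the URL is not a plain https URL."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        return None
    # Credentials in the authority ("https://examplebank.com@evil.test/") and
    # punycode hosts are classic ways to make a lookalike read as the real brand.
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname.rstrip(".")
    if "xn--" in host:
        return None
    return host


def classify_url(brand: str, url: str) -> str:
    """Classify a suggested URL as 'vetted', 'lookalike' or 'unverified'."""
    host = normalize_host(url)
    if host is None:
        return "unverified"
    trusted = TRUSTED_LOGIN_DOMAINS.get(brand.lower(), set())
    for domain in trusted:
        # Exact match or a subdomain of a domain the brand owns.
        if host == domain or host.endswith("." + domain):
            return "vetted"
    # A trusted domain string inside an untrusted host, e.g.
    # examplebank.com.login-help.net, is the pattern to flag loudest.
    if any(domain in host for domain in trusted):
        return "lookalike"
    return "unverified"


def vet_suggestions(brand: str, urls: List[str]) -> List[str]:
    """Return only the URLs that pass the allowlist; everything else is dropped."""
    return [u for u in urls if classify_url(brand, u) == "vetted"]
```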

3.  Secret FBI Task Force vs. Russian Ransomware

Recent reports in France’s Le Monde and Germany’s Die Zeit have exposed a clandestine FBI initiative code‑named “Group 78,” apparently aimed at busting Russian ransomware rings. According to these investigations, the FBI quietly introduced Group 78 at joint Europol/Eurojust meetings in late 2024, startling European partners with its aggressive mandate.

The task force immediately focused on Black Basta, a notorious Russian-speaking ransomware gang, drawing scrutiny from officials across Europe. For years Western law enforcement has been hunting groups like Black Basta, but these new disclosures suggest the U.S. was prepared to take unprecedented measures on foreign soil. Le Monde reports that in closed-door briefings a U.S. agent outlined Group 78’s two‑pronged strategy: the first was to carry out covert operations inside Russia to make life hard for Black Basta members and drive them into jurisdictions where they could be arrested, and the second was to use intelligence or other means to “manipulate” Russian authorities into abandoning the gang.

In practice, that meant pushing hackers out of their safe havens – potentially even hunting them on Russian turf – and shaking Moscow’s protection of cybercriminals. Such tactics go far beyond normal cross-border police work. In fact, Western allies have recently targeted ransomware gangs with sanctions, court cases, and infrastructure hacks, but openly conducting operations inside Russia would mark a dramatic escalation.

As one participant noted to Follow the Money, a covert unit like Group 78 “blurs the lines between judicial cooperation and intelligence work,” raising hard questions about sovereignty and oversight. European officials at the meetings were reportedly “stunned” by the revelation of Group 78.

Normally such law‑enforcement conferences stress partnership and respecting each nation’s rules, so news of a secret U.S. campaign in Russia caused concern. Investigators privately warned that these methods risk undermining collaborative investigations; as one source phrased it, “we don’t want anything to do with it” and feared it could harm the integrity of cases.

Notably, Black Basta itself collapsed soon after – its internal chat logs were leaked online early in 2025 and its alleged leader was identified – but it’s unclear whether Group 78 played a role. In policy terms, this episode puts law‑enforcement leaders on the spot. Cybersecurity experts note that governments must pursue ransomware wherever it hides, but doing so by covert means inside another country is fraught. It risks diplomatic blowback with Russia and could endanger shared trust among allies if left unchecked.

As Wired reports, US agencies have already disrupted Russian gangs by hacking their servers, slamming sanctions on their wallets and boss-lists, and working extradition cases – all aggressive steps already straining relations. Group 78’s tactics, however, verge on what many consider intelligence‑agency territory. In the coming months policymakers may debate whether the fight against cybercrime justifies such off‑book operations. What is clear is that the shadow war with ransomware has entered a new and controversial phase.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?