Cyber Intelligence Weekly (September 21, 2025): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight how we helped ESSA Bank & Trust turn a time of transition into a story of resilience.
With Echelon’s vCISO guidance, they achieved executive alignment, stronger visibility, and a smarter cybersecurity program.
See how strategy + execution created impact: https://lnkd.in/gH4A3Efp

Away we go!
1. Jaguar Land Rover Cyber Shutdown Drags On – Risk in The Supply Chain
Jaguar Land Rover is entering its third week of crisis after an end-of-August cyberattack forced the automaker to shut down systems and idle UK plants. The company now says a “controlled restart” will “take time,” extending the pause at least into next week while government cyber teams and industry groups huddle with JLR to triage supplier impacts. With a supply chain touching ~200,000 jobs, dealers and parts networks are already feeling the strain—and insiders concede no one can say with confidence when lines will truly be humming again.
The financial stakes are stark. If production can’t resume until November, University of Birmingham’s David Bailey estimates more than £3.5 billion in lost revenue and roughly £250 million shaved off profit—about £72 million in revenue and £5 million in profit burned per day. JLR’s 2024 turnover suggests it can absorb a hit, but smaller Tier-1/Tier-2 suppliers lack that cushion. The timing couldn’t be worse: JLR is mid-rebrand and pushing hard on EV programs that were already slipping before the breach, raising the risk of knock-on cost cuts and delayed product milestones.
For now, inventory buffers are masking some pain on the retail side—sales and registrations continue (manually), and JLR models have led new-car views on Auto Trader across August–September. The harder bite is in after-sales: retailers report parts shortages for repairs, and the company is lobbying for emergency support to keep suppliers afloat during the outage window. Meanwhile, a hacker calling himself “Rey”—previously linked to the Hellcat crew that uses Scattered Spider-style social engineering—has claimed responsibility, echoing a March intrusion JLR never publicly detailed. The M&S precedent (seven weeks of online disruption, up to £300 million in profit impact) underlines how prolonged this kind of incident can become.
Takeaway for manufacturers: this looks like an identity-driven, IT-to-OT business-continuity event, not just “ransomware on a workstation.” Resilience now hinges on hardened workforce and vendor access (phishing-resistant MFA, just-in-time admin, PAM), segmentation that prevents IT outages from halting plant control systems, offline runbooks for sales/registration and parts flows, immutable backups of ERP/MES, and supplier-level tabletop exercises. If you’ve recently replatformed (new ERP, plant systems, or identity stacks), re-validate credential resets and legacy connectors—those “carried-over” seams are where operations break.

Using the AWS CLI and Securing CloudShell
Cloud environments often start with heavy reliance on graphical interfaces, but evolving toward command-line proficiency—especially with the AWS CLI—is key for secure and efficient cloud operations. AWS CloudShell provides a browser-based shell environment that removes the complexity of local terminal setup and enables seamless CLI access directly from the AWS Console.
CloudShell launches a container with a pre-installed, fully updated AWS CLI, bash or PowerShell support, and 1 GB of persistent KMS-encrypted storage. It handles authentication through container metadata, similar to how IAM roles work for EC2 instances. This approach avoids the need for local credentials, reducing the risk of leakage or misuse.
Credential resolution in the AWS CLI follows a specific order: command-line arguments, environment variables, credentials/config files, and finally metadata from the running environment. CloudShell leverages this last method, meaning credentials are never stored on disk, and the CLI operates using temporary, securely managed keys. This also makes it less susceptible to misuse since access requires console login, not external SSH or terminal sessions.
For organizations with tighter network controls, CloudShell can be restricted to specific VPCs. This allows integration with internal-only resources through PrivateLink and other private networking, all without the need to launch EC2 instances. It's an efficient way to support automation and operations in isolated environments.
Users can execute common commands like aws cloudformation describe-stacks directly in CloudShell. To streamline regional operations, specifying the --region flag helps avoid spawning separate CloudShell instances per region. Since CloudShell sessions assume IAM roles distinct from the console session, this can be useful for debugging and testing role-based permissions.
Additional features include file upload/download, Python support, and the ability to assume IAM roles for secure cross-account access. These capabilities make CloudShell a powerful environment for scripting, automation, and teaching cloud concepts without the security pitfalls of unmanaged credentials or local configuration issues.
Overall, CloudShell bridges the gap between ease of use and operational security, making it a strong default for CLI-based AWS work. It's particularly beneficial for training labs, day-to-day scripting, or secure admin access, especially in controlled enterprise environments.
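The points above (credential precedence, no keys on disk, the --region flag, and assuming a role for cross-account work) as a small session-hygiene script. This is an added example, not code from the newsletter or from AWS; it assumes CloudShell exposes its metadata endpoint through AWS_CONTAINER_CREDENTIALS_FULL_URI (the ECS task-role convention) and takes the role ARN as a placeholder argument.

```bash
# Added example (not from the newsletter): hygiene script for a CloudShell session.
# It reports which credential source the AWS CLI will pick, warns if static keys
# have crept into CloudShell's persistent home directory, then shows the --region
# loop and a cross-account assume-role that uses only temporary credentials.
set -eu
# Which source wins, following the precedence described above:
# command-line options > environment variables > credentials/config files > metadata.
# Assumption: CloudShell exposes its metadata endpoint via
# AWS_CONTAINER_CREDENTIALS_FULL_URI, the same variable used for ECS task roles.
detect_sources() {
  creds_file="${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-/root}/.aws/credentials}"
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then echo "environment variables"
  elif [ -s "$creds_file" ]; then echo "credentials/config files"
  elif [ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]; then echo "container metadata"
  else echo "none"; fi
}
# Static keys on disk would survive in the 1 GB persistent home and outlive the
# session, defeating the "no credentials on disk" model. Returns 1 when found.
stray_key_check() {
  creds_file="${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-/root}/.aws/credentials}"
  if [ -f "$creds_file" ] && grep -q 'aws_access_key_id' "$creds_file"; then
    echo "WARN: static keys in $creds_file; delete them and rely on metadata"
    return 1
  fi
  echo "OK: no static keys on disk"
}
# One session, many regions: pass --region rather than opening a tab per region.
describe_stacks_in_regions() {
  for region in "$@"; do
    echo "== $region =="
    aws cloudformation describe-stacks --region "$region" \
      --query 'Stacks[].[StackName,StackStatus]' --output table
  done
}
# Cross-account work: assume a role and export its temporary keys into this shell.
# The role ARN ($1) is a placeholder supplied by the caller.
assume_role_env() {
  creds=$(aws sts assume-role --role-arn "$1" --role-session-name cloudshell \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  set -- $creds
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
  aws sts get-caller-identity --output text
}
echo "credential source: $(detect_sources)"
stray_key_check || true
# Set RUN_AWS=1 inside CloudShell to actually call AWS with the functions above.
if [ "${RUN_AWS:-0}" = 1 ]; then describe_stacks_in_regions us-east-1 eu-west-1; fi
```

Run it with RUN_AWS=1 inside CloudShell; without it, the script only performs the local credential-source and stray-key checks.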

2. How an Obscure Token Chain Nearly Broke Azure Tenancy Boundaries
Microsoft dodged a worst-case cloud identity meltdown this summer after researcher Dirk-jan Mollema uncovered a pair of bugs in Entra ID (formerly Azure AD) that, chained together, could have granted “god-mode” access across virtually any Azure customer tenant. The issue centered on legacy plumbing: special “Actor Tokens” minted by the long-forgotten Access Control Service, plus lax tenant validation in the old Azure AD Graph API. In practice, a lowly trial tenant could have requested a token accepted by Azure AD Graph in someone else’s environment, then used it to create global admins, change policies, and impersonate users—sidestepping modern guardrails like Conditional Access and normal logging.
Timeline matters here. Mollema privately alerted Microsoft on July 14. Engineers hot-patched the validation logic across the cloud by July 17, confirmed the fix by July 23, added extra hardening in August, and assigned a CVE on September 4. Microsoft says it found no evidence of abuse. Even so, the episode lands in the shadow of 2023’s Storm-0558 token fiasco and underlines why Redmond’s Secure Future Initiative is ripping out legacy paths (like Azure AD Graph) in favor of Microsoft Graph and stricter token handling.
For defenders, the takeaways are plain: legacy compatibility is today’s soft underbelly. Prioritize killing off Azure AD Graph in favor of Microsoft Graph; audit every enterprise app consent and service principal (who can mint tokens, with what scopes, and for which resources); rotate app secrets/certs; enforce least-privilege scopes; and crank up detections on unusual token flows, cross-tenant API activity, and silent admin creation. If you maintain lab or trial tenants, fold them into your production identity controls—those “low-risk” corners can become high-impact pivots when legacy endpoints are still reachable.
Bottom line: identity is the cloud’s blast radius. Microsoft’s fast response avoided catastrophe, but enterprises can’t outsource responsibility for deprecations and app hygiene. Treat legacy identity APIs as change-management projects with deadlines, not footnotes.

A Pro-Russia Disinformation Campaign Is Using Free AI Tools to Fuel a ‘Content Explosion’
A sweeping pro-Russia disinformation campaign has been observed exploiting free, publicly available artificial intelligence tools to create and distribute a vast volume of fake content across the internet. The campaign, known as “Operation Overload” or “Matryoshka,” has rapidly expanded over the past year, using AI-generated images, videos, and websites to amplify false narratives and manipulate public opinion.
Between July 2023 and May 2025, Operation Overload more than doubled its output from 230 to 587 disinformation pieces, driven by a tactic known as “content amalgamation”—a strategy that uses consumer-grade AI tools to generate multiple media formats from the same false narratives.
The campaign relies on widely available tools, including image, voice, and video generators that require little to no technical expertise and are often accessible at low or no cost. Among the tools used was “Flux,” a text-to-image generator developed by Black Forest Labs. Researchers identified a series of highly inflammatory, AI-generated images depicting fictional race riots in cities like Berlin and Paris designed to stoke xenophobic fears. Forensic analysis found a 99% likelihood that the images were produced using Flux AI.
Operation Overload also engages in a tactic known as “fact-checker baiting.” Researchers documented over 170,000 emails sent to media outlets and verification organizations, encouraging them to investigate the false content. The apparent goal is to boost visibility—regardless of whether the material is verified or debunked.
The campaign's content is distributed through a network of more than 600 Telegram channels and bots, as well as accounts on platforms including X (formerly Twitter), Bluesky, and TikTok. On TikTok alone, 13 accounts linked to the campaign generated over 3 million views before removal. While Bluesky removed around 65% of suspicious accounts, researchers noted that X took little action in comparison.
As AI tools become more powerful and accessible, they offer not only immense creative potential but also a new pathway for coordinated manipulation. Without stronger oversight and safeguards, the line between real and fake may continue to blur.

3. DOJ: Scattered Spider’s $115M Ransom Spree Reached a U.S. Court Network
A newly unsealed Justice Department complaint paints one of the clearest pictures yet of Scattered Spider’s playbook—and profits. Prosecutors say the social-engineering crew squeezed at least $115 million in ransoms from more than 120 intrusions since 2022, including 47 U.S. organizations, and even muscled into a U.S. federal court network. U.K. national Thalha Jubair, 19, was arrested in London and charged in the U.S. with computer fraud, wire fraud, and money laundering conspiracies; if convicted, he faces up to 95 years. Investigators say they followed payments, tooling, and data caches back to servers owned and registered to Jubair, noting two single-victim payouts of $25 million and $36.2 million.
The court intrusion was depressingly on-brand: a help-desk call on January 8 allegedly led to a password reset, takeover of internal accounts, and theft of personnel details. Prosecutors say the conspirators then accessed mailboxes—including that of a federal judge—searching for subpoenas that mentioned themselves or “Scattered Spider,” and even attempted an “emergency” data request to a financial firm using a compromised account. Forensics tie the operation together with the kind of breadcrumbs that sink modern crews: Telegram handles, gaming logins from the same IPs, food-delivery gift cards bought with crypto from seized wallets, and a July 2024 server seizure that revealed roughly $36 million in digital assets.
Beyond the headline numbers, the complaint reinforces what many incident responders already know about this group: speed, persistence, and ruthless simplicity. The pattern repeats—convince support to reset credentials, hijack an admin, exfiltrate, encrypt, extort. That reliability is precisely why the impact spans critical infrastructure, retail, insurance, aviation—and now the judiciary. Authorities in the U.K., U.S., Canada, Romania, Australia, and the Netherlands collaborated on the case; notably, Scattered Spider-linked channels went quiet last week amid talk of arrests.
For security leaders, the operational lesson is stark: your help desk is part of your identity perimeter. Lock down password-reset workflows with strong identity proofing (live callback to on-file numbers, HR-validated PINs, or passkeys), block help-desk resets for privileged roles, require number-matching MFA with device biometrics, and monitor for emergency access enablement, sudden role escalations, and atypical OAuth/API use. Back that with rigorous data-exfiltration detections, staged encryption kill switches, and pre-approved ransom decision paths. Social engineering remains their initial access; process discipline is yours.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about