Cyber Intelligence Weekly

Cyber Intelligence Weekly (September 28, 2025): Our Take on Three Things You Need to Know

By
Posted on Sep 28 / 2025

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight how we helped ESSA Bank & Trust turned a time of transition into a story of resilience.

With Echelon’s vCISO guidance, they achieved executive alignment, stronger visibility, and a smarter cybersecurity program.

See how strategy + execution created impact: https://lnkd.in/gH4A3Efp

Away we go!

1.  CISA Orders Rapid Patch of Cisco Firewall Zero-Days as ArcaneDoor Expands

CISA has issued an emergency directive ordering federal agencies to urgently patch three newly disclosed flaws in Cisco’s perimeter gear—two critical (CVE-2025-20333, CVE-2025-20363) and one medium (CVE-2025-20362)—after an advanced threat actor used them in a widespread campaign that has already compromised multiple U.S. government networks. The activity expands on “ArcaneDoor,” an espionage-focused operation Cisco exposed in 2024, and includes rare persistence by tampering with code in read-only memory so intruders survive reboots and even software upgrades. A U.S. official called the malware “very sophisticated,” and at least 10 organizations worldwide are known to be affected, with that tally expected to grow.

The directive sets an aggressive clock: agencies must image vulnerable devices, upgrade supported ASA/Firepower Threat Defense systems immediately, permanently disconnect any ASA models that go out of support on Sept. 30, and report back to CISA by Oct. 3. Cisco says it has observed active exploitation of two of the three CVEs and has shipped fixed software that also scrubs the persistence mechanisms. In parallel, the U.K. NCSC published fresh malware analysis, reflecting unusually deep U.S.–U.K. technical coordination on this case.

Why it matters: edge firewalls are the choke point for enterprise traffic. A foothold there lets an adversary silently inspect, reroute, or manipulate communications and pivot into internal networks. ArcaneDoor’s bespoke tooling and device knowledge are hallmarks of a state-backed team (Cisco tracks it as UAT4356), and the ROM persistence raises the bar for eviction—simple reboots and routine upgrades won’t cut it. Organizations outside government running Cisco ASA/FTD should assume similar exposure paths and move now.

What we’re telling clients: upgrade to Cisco’s fixed releases; verify ROM/boot integrity; rotate credentials tied to network management and remote access; audit configs for unauthorized changes (tunnels, ACLs, TACACS+/RADIUS servers, packet-capture or SPAN sessions); isolate management planes in dedicated VRFs with strict ACLs; and enable high-fidelity logging to a tamper-resistant SIEM. Treat any ASA nearing end-of-support as an operational risk, not a budgeting debate.

Cloud Security: Entra ID Flaw Showed How Fragile Identity Really Is

A security researcher uncovered a pair of flaws in Microsoft’s Entra ID (formerly Azure AD) that—before Microsoft’s fix—could have let an attacker impersonate users across any tenant and promote themselves to global administrator. The chain hinged on “Actor Tokens” from a legacy Access Control Service combined with lax tenant validation in the old Azure AD Graph API, creating a path to bypass key identity controls and seize cloud environments at scale. Microsoft assigned CVE-2025-55241 and emphasized that while the exposure was severe, there’s no evidence of abuse in the wild.

Timeline matters here. The researcher reported the issue on July 14; Microsoft pushed mitigation within days, confirmed a global fix by late July, and published the CVE in early September as part of its “Secure Future Initiative” clean-up of legacy identity paths. Independent write-ups and trade press described the bug bluntly: a potential route to “take over any Entra ID tenant globally” until the patch closed it. It’s a stark reminder that cloud identity isn’t just another app—it’s the blast radius.

For defenders, the lesson is to hunt legacy. Inventory and retire Azure AD Graph dependencies; constrain connected apps and service principals to minimum scopes; and monitor for anomalous cross-tenant access patterns and unexpected token use. Treat conditional access, MFA, and logging as necessary but not sufficient—assume there are still “back roads” via old APIs and tokens, and set tripwires (detections for unusual consent grants, privilege creation, and admin role changes) to catch them early.

2.  100,000 SIMs, 300 Servers: The Spam Machine That Could Have Hit NYC’s Cell Network

A sprawling SIM-farm network uncovered across the New York tri-state area has exposed just how industrialized phone-based abuse has become—and how close it veers to critical-infrastructure risk. According to the U.S. Secret Service, agents seized roughly 300 servers wired to more than 100,000 SIM cards within 35 miles of midtown Manhattan. At that scale, investigators say the operation could have blasted ~30 million texts per minute—enough traffic to swamp towers, degrade mobile service across New York City, or carpet-bomb the country with spam and smishing in minutes.

The takedown stems from a trail that reportedly began with 2023 holiday “swatting” calls targeting members of Congress. While SIM farms are typically profit engines for scams, spam, account farming, and ad fraud, officials say this network also serviced organized crime and state-aligned actors. Photos released by the Secret Service show tidy racks of high-density “SIM blocks,” the kind of professional setup usually seen offshore; SIM boxes are illegal to operate in the U.S. No arrests were announced, and agents emphasized action was timed to preempt potential disruption around the U.N. General Assembly.

Beyond the headline numbers, the mechanics matter for defenders. These farms rotate identities at machine speed, mask geography, and mimic legitimate consumer traffic—helping them bypass carrier filters and platform heuristics. The result is mass smishing, one-time-passcode capture attempts, fake account creation, and influence ops at scale. Enterprises should assume SMS is a hostile channel: push users toward phishing-resistant MFA (FIDO2/WebAuthn), rate-limit and monitor OTP requests, tighten new-account and password-reset flows, and work with messaging providers on A2P anomaly detection and content-filtering. Treat sudden spikes in SMS interactions—especially around payroll, benefits, finance, and identity workflows—as an incident, not a metric.

AI Security: Poisoned Calendar Invites Can Hijack AI Assistants

Researchers recently showed how something as mundane as a meeting invite can be weaponized to seize control of AI copilots. In a study nicknamed “Invitation Is All You Need,” attackers embedded malicious instructions inside calendar fields so that assistants parsing those events (e.g., when summarizing your day or drafting replies) quietly followed the attacker’s commands. The team demonstrated account takeover risks, data exfiltration, and cross-app abuse by chaining integrations—because once an assistant trusts event text, it can be steered to fetch secrets or send messages on the user’s behalf. Google patched Gemini’s handling of calendar invites after disclosure, but the underlying class of “prompt injection via trusted integrations” remains a broad ecosystem problem.

The attack works without a traditional exploit—no attachment to scan and no link to click. It abuses design assumptions: assistants often pre-process external content (calendar, email, CRM notes) and treat it as instructions. That means defenses based purely on URL/attachment filtering miss the threat. Security researchers and outlets covering the work warn that any assistant or agent that auto-ingests third-party data is exposed unless it treats all external text as hostile by default.

For enterprises, the takeaway is to bring classic “trust boundaries” to AI. Disable auto-adding invites where feasible; scope what assistants can do with sensitive connectors; and instrument audit logs for assistant-initiated actions (messages sent, files accessed, admin API calls). Red-team your own AI workflows with injection tests, and align with guidance like OWASP’s LLM Top 10 to sandbox untrusted content, enforce allow-lists for tools, and add human-in-the-loop checks for high-risk actions.

3. Scattered Spider: How a Help-Desk Hustle Became a $115M Ransom Machine

Another dazzling piece of research from Brian Krebs highlights how U.S. prosecutors have linked the Scattered Spider collective to at least $115 million in ransom payments and a brazen breach of the federal judiciary, unsealing charges that paint a fuller picture of one of today’s most disruptive cybercrime crews. Central to the case is 19-year-old U.K. national Thalha Jubair, arrested in London and accused of participating in 120 intrusions (47 U.S. entities) since 2022. Prosecutors say the crew’s playbook rarely changes: social-engineer a help desk, reset an admin account, raid data, then encrypt and extort. Two victims allegedly paid $25 million and $36.2 million, underscoring the group’s leverage—and its willingness to hit critical operations.

Court filings describe a remarkable intrusion into the U.S. Courts network that began with a simple password-reset call. Once inside, conspirators allegedly commandeered multiple accounts—including that of a federal judge—rifling inboxes for subpoenas tied to themselves and “Scattered Spider.” Investigators say they tied infrastructure back to Jubair through servers hosting stolen data and crypto wallets; one wallet reportedly held $36 million and funded tell-tale purchases like food deliveries and gaming credits. Online, aliases such as “EarthtoStar,” “Brad,” and others trace back through SIM-swapping rings, mass SMS phishing (the 0ktapus wave), and high-profile extortion campaigns against retailers, casinos, transit, and healthcare.

For defenders, the lesson isn’t new—but it’s urgent. Scattered Spider thrives on identity compromise and weak reset processes, not exotic zero-days. Enterprises should harden help-desk workflows with out-of-band, phishing-resistant verification; move users to FIDO2/WebAuthn to blunt SIM-swap OTP interception; lock down SSO (Okta/Entra ID) with strict device/IP restrictions and step-up policies; and continuously monitor for privilege elevation, token abuse, and mass data queries. Treat suspicious password resets, sudden MFA changes, and abnormal SaaS exports as incidents—not tickets.

If convicted in the U.S., Jubair faces up to 95 years. Meanwhile, the case signals tightening pressure on youthful “Com”-scene actors who blend social engineering, credential theft, and public bragging into a potent extortion machine. The tactics are simple; the consequences clearly aren’t.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?