Cyber Intelligence Weekly (September 7, 2025): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight that on September 10, Echelon's experts @Josh Fleming, MSITM, AIGP, and @Stephen Dyson will share how to stay ahead with a governance blueprint that protects client data, meets compliance expectations, and keeps your business moving at the speed of innovation.
September 10 | 1:00 PM EST
Register now! https://lnkd.in/gWt_p8nR
Away we go!
1. Red Sea Cable Cuts Jolt Azure: What Slows Where—and For How Long
Multiple undersea cable breaks in the Red Sea forced Microsoft to reroute Azure traffic early Sept. 6 UTC, producing latency spikes and degraded performance for customers whose paths normally traverse the Middle East. Azure’s status updates warned that some workloads between Europe and South Asia would experience slower connections through Sept. 7 while carriers rebalanced routes. Third-party telemetry flagged disruptions tied to the SEA-ME-WE 4 and IMEWE systems near Jeddah—two of the region’s main Asia-Europe arteries—though Microsoft hasn’t publicly named the specific cables.
Why this stings: these trunks don’t just carry consumer internet—they also haul hyperscaler backbone traffic. Losing even one pushes overflow onto longer, narrower paths, driving up round-trip times and packet loss for anything chatty or bandwidth-hungry (think real-time collaboration, multiplayer gaming, large data transfers, cross-region database replication). Microsoft shifted traffic onto alternate routes, but physics is undefeated: longer paths mean slower apps until capacity is restored.
Repairs will take time. Cable ships are limited, fixes require pinpointing faults on the seabed, and the Red Sea’s security climate slows operations. The corridor has form: February 2024 saw several Red Sea cables cut; other systems have since needed ad-hoc fixes and shunt repairs. Net-net for enterprises: Azure remains up, but anything reliant on Asia↔Europe or Gulf transit should expect elevated latency and occasional jitter.
What to do now: pin latency-sensitive workloads to a single region where practical; pause non-urgent cross-region data syncs; prefer store-and-forward over synchronous replication; enable CDN and DNS failover policies; widen client timeouts/retry logic; and keep users informed via status banners. Network teams should monitor Azure Service Health, carrier notices, and synthetic probes from South Asia/Gulf vantage points; where multi-cloud or private backbones exist, evaluate temporary traffic shifts until repairs land.

Critical Microsoft Exchange Vulnerability Puts Hybrid Clouds at Risk
Microsoft Exchange has long been a target for attackers, and a new vulnerability underscores why. A high-severity flaw (CVE-2025-53786, CVSS 8.0) affects on-premises Exchange servers deployed in hybrid configurations. Exploitation enables attackers with administrative access to escalate privileges into cloud environments—a particularly dangerous scenario as organizations increasingly rely on hybrid identity for seamless operations.
The vulnerability resides in how Exchange communicates with cloud identity providers. An attacker who compromises an on-prem Exchange server can abuse hybrid connectors to issue or manipulate tokens, granting themselves access to resources in Microsoft 365 or Azure. What makes this flaw especially concerning is its stealth—once attackers pivot into the cloud, activity may appear legitimate because it leverages trusted tokens.
Although there are currently no reports of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that exploitation is “likely,” citing the attractiveness of hybrid identity pathways to advanced threat actors. Similar vulnerabilities in the past—such as the ProxyLogon and ProxyShell flaws—were widely weaponized within days of disclosure.
If left unpatched, organizations risk a scenario where a single compromised server grants adversaries domain-wide cloud access. Attackers could exfiltrate email archives, manipulate calendars, access SharePoint data, or even deploy ransomware within Azure-hosted resources. Because hybrid deployments often connect sensitive workloads, the business impact could extend to data theft, compliance breaches, and operational downtime.
Recommendations:
- Apply Microsoft’s patch immediately: Install the April 2025 (or newer) update for hybrid deployments.
- Reset key credentials: Rotate service principal keyCredentials used by Exchange hybrid connectors.
- Remove legacy servers: Decommission end-of-life Exchange or SharePoint servers that are still internet-facing.
- Strengthen monitoring: Watch for anomalous token use and privilege escalation in Entra ID.
- Enforce MFA and conditional access: Even if tokens are abused, additional controls reduce impact.
- Isolate hybrid connectors: Limit access and apply network segmentation to servers bridging on-prem and cloud.
This vulnerability highlights the fragile trust boundary between on-premises infrastructure and the cloud. As more organizations transition, hybrid pathways become both essential and exploitable. Security teams must treat these connectors as high-value assets and apply continuous monitoring and defense in depth.

2. Qantas Cuts Exec Bonuses After Breach – A Board Level Cyber Reckoning
Qantas has tied executive pay to cyber risk in a very public way, shaving 15 percentage points off 2024/25 short-term bonuses for the CEO and senior leadership after a July breach exposed data tied to 5.7 million people. Chairman John Mullen framed the cut—about a A$250,000 hit for Group CEO Vanessa Hudson—as shared accountability despite what the airline says were rapid containment steps and extra protections for customers. The move landed alongside strong financials (about $1.5 billion in profit), underscoring how security failures now register as governance events, not just IT incidents.
The airline’s latest disclosure says a forensic probe is ongoing. Earlier advisories indicated 2.8 million customers had names, emails, and Frequent Flyer numbers exposed, with at least 1.7 million more seeing some mix of those details plus addresses, dates of birth, phone numbers, meal preferences, or gender. Qantas says no passports or payment cards were compromised and that the leaked data alone shouldn’t unlock loyalty accounts. The attack arrived amid broader airline-sector targeting linked by researchers to Scattered Spider; actors claiming ties to ShinyHunters later took credit and allegedly abused connected platforms—reportedly including Salesforce-related systems—to siphon data.
For security leaders, the through-lines are familiar: persistent social-engineering pressure on staff, sprawling SaaS and CRM ecosystems with OAuth and third-party app risk, and the reputational cost when customer data is mishandled. Qantas notes it’s folding lessons learned into its risk framework; peers should be doing the same—hardening identity flows around CRM access, pruning vendor integrations, enforcing high-friction approvals for data exports, and red-teaming help-desk workflows that attackers routinely phish.
The bigger signal is cultural: boards are increasingly willing to link bonus pools to security outcomes. That can be healthy if it’s paired with investment—detections around anomalous CRM queries, SaaS security posture management, secrets hygiene, and tabletop exercises that include PR, legal, and customer care. Otherwise, it’s just a fine levied on the people holding the bag.

Critical RCE Flaw in Anthropic’s MCP‑Inspector Exposes Developer Machines
A critical remote code execution (RCE) vulnerability was discovered in Anthropic’s MCP Inspector tool—a debugging utility for the Model Context Protocol (MCP). The vulnerability, tracked as CVE-2025-49596 with a CVSS score of 9.4, was reported by Avi Lumelsky of Oligo Security, and documented in both CSO Online and the Oligo Security blog.
The issue stems from MCP Inspector’s default behavior: it launches an HTTP server bound to all network interfaces (0.0.0.0) without requiring authentication or encryption. As a result, anyone who can reach the machine over the local network, or over the public internet if it is exposed, can access endpoints like /sse, which relay commands to the developer’s host via standard input/output (stdio).
In practice, an attacker can chain a legacy browser vulnerability—known as the “0.0.0.0‑day”—with a cross-site request forgery (CSRF) attack on the Inspector’s SSE endpoint. Visiting a malicious website can trigger JavaScript that sends unauthorized requests to the locally running MCP Inspector, resulting in arbitrary code execution on the developer’s machine.
Anthropic responded by releasing MCP Inspector version 0.14.1, which introduced session tokens, origin validation, and protections against DNS rebinding and CSRF attacks. The fix closes the attack vector that enabled remote code execution, and users have been strongly advised to upgrade immediately.
Mitigation instructions provided include: upgrading to version 0.14.1 or newer; avoiding exposure of local MCP services to untrusted networks; implementing authentication and encryption; and employing firewalls or network segmentation to restrict access.
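The protections the fix introduced (loopback binding, Host and Origin validation, a per-session token) as an added Node.js example; this is not MCP Inspector’s own code, and the port number and header shapes are assumptions:

```javascript
// Added example, not MCP Inspector's own code: the request gate a local developer
// tool needs before it accepts a command over HTTP. Port and header shapes are assumed.
const PORT = 6274; // assumed local port for the example

// Only these Host values are accepted. A DNS-rebinding request arrives with the
// attacker's domain in Host, and the "0.0.0.0-day" trick arrives as Host: 0.0.0.0:PORT,
// so both fail here even though the TCP connection really came from the loopback.
const ALLOWED_HOSTS = new Set([`localhost:${PORT}`, `127.0.0.1:${PORT}`, `[::1]:${PORT}`]);
const ALLOWED_ORIGINS = new Set([`http://localhost:${PORT}`, `http://127.0.0.1:${PORT}`]);

// Constant-time string comparison so the token check does not leak via timing.
function tokenEquals(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a request may reach a command-relaying endpoint such as /sse.
// `headers` uses Node's lower-cased header names. Returns null when allowed,
// otherwise the reason it was refused (worth logging: it is an attempt).
function checkRequest(headers, sessionToken) {
  if (!ALLOWED_HOSTS.has(headers.host)) return 'host-not-allowed';
  // Browsers attach Origin to cross-site fetch/XHR; a same-origin or non-browser
  // client may omit it, which is why the token check below still applies.
  if (headers.origin !== undefined && !ALLOWED_ORIGINS.has(headers.origin)) return 'origin-not-allowed';
  const auth = headers.authorization || '';
  if (!auth.startsWith('Bearer ') || !tokenEquals(auth.slice(7), sessionToken)) return 'bad-session-token';
  return null;
}

// Bind to loopback only, generate the per-session token and wire the gate in.
// Not started automatically; call startServer() to run it.
function startServer() {
  const http = require('node:http');
  const token = require('node:crypto').randomBytes(32).toString('hex');
  const server = http.createServer((req, res) => {
    const refusal = checkRequest(req.headers, token);
    if (refusal) { res.writeHead(403); res.end(refusal); return; }
    res.writeHead(200, { 'content-type': 'text/plain' });
    res.end('authorized'); // a real tool would relay to the MCP server's stdio here
  });
  server.listen(PORT, '127.0.0.1', () => console.log(`http://127.0.0.1:${PORT}/?token=${token}`));
  return server;
}
```

The token printed at startup is what the browser UI must send back as a Bearer header; a page on another origin never sees it, so its CSRF request fails the token check even if it somehow passes the Host and Origin checks.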
This vulnerability underscores the risks inherent in developer-focused AI tools when defaults are insecure—particularly those that bind to all interfaces without access controls. It highlights the importance of secure defaults, threat modeling for AI development environments, and the need to treat developer tools with the same scrutiny as production systems.

3. From Salesforce to Mailboxes: UNC6395 Turns Drift Integrations into Exfil Pipelines
A coordinated data-theft campaign is ripping through CRM stacks by abusing OAuth tokens tied to the “Salesloft Drift” ecosystem—not just Salesforce. Google’s Threat Intelligence Group (GTIG) says the actor, tracked as UNC6395, used compromised tokens beginning August 8 to bulk-export data from numerous corporate Salesforce orgs, pulling objects like Users, Accounts, Cases, and Opportunities. The haul wasn’t just PII; the operator sifted exports for secrets—AWS AKIA keys, passwords, and Snowflake tokens—then covered tracks by deleting query jobs (logs remained intact). On August 20, Salesforce and Salesloft revoked all active Drift access/refresh tokens and pulled the app from AppExchange, emphasizing the core Salesforce platform wasn’t the source issue.
New findings widen the blast radius. GTIG confirmed the actor also compromised OAuth tokens for the “Drift Email” integration, which on August 9 enabled access to a very small number of specifically linked Google Workspace mailboxes. Google has since revoked those tokens, disabled the Drift-Workspace integration, and is notifying admins; it stresses that neither Google Workspace nor Alphabet was breached. Bottom line from GTIG: treat any authentication token stored in or connected to the Drift platform as potentially compromised, regardless of whether Salesforce was in the mix.
For defenders, this is another loud warning about SaaS-to-SaaS trust chains. Immediate actions: inventory every third-party integration connected to your Drift instance; revoke and rotate API keys, OAuth tokens, and passwords for connected apps (Salesforce, Google Workspace, Snowflake, etc.); and hunt across Salesforce Event Monitoring for anomalous activity from the Drift Connected App (e.g., UniqueQuery events and the connection user). Search synced records for embedded secrets (AKIA, “password”, Snowflake identifiers), and consider automated secret scanners (e.g., trufflehog) against exported data. On Salesforce, rein in Connected App scopes, enforce IP restrictions and login IP ranges, set tight session timeouts, and grant “API Enabled” only via targeted Permission Sets. Expect Tor-sourced traffic, custom user-agents (e.g., “Salesforce-Multi-Org-Fetcher/1.0”, “Salesforce-CLI/1.0”), and cloud hosts (AWS/DigitalOcean) in your indicators.
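The secret-scanning and Event Monitoring hunt described above, as an added JavaScript example that is not Salesforce, Salesloft or GTIG code; the record and event shapes, the integration-user name and the sample values are constructed assumptions:

```javascript
// Added example, not Salesforce, Salesloft or GTIG code. Scans exported Salesforce records
// for the secret types named in the reporting and flags simplified Event Monitoring rows.
const SECRET_PATTERNS = [
  { type: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: 'password-assignment', re: /\bpassw(?:or)?d\s*[:=]\s*\S+/gi },
  { type: 'snowflake-account', re: /\b[a-z0-9][a-z0-9.-]*\.snowflakecomputing\.com\b/gi },
];
// User-agents quoted in the campaign reporting; extend with your tenant's own baseline.
const SUSPICIOUS_UA = ['Salesforce-Multi-Org-Fetcher/1.0', 'Salesforce-CLI/1.0'];
const mask = (s) => (s.length <= 8 ? '***' : `${s.slice(0, 4)}...${s.slice(-4)}`);

// Walk every string field of one exported record (Case, Account, Opportunity ...) and
// return one finding per match, with the value masked so the report can be shared.
function scanRecord(objectName, record) {
  const findings = [];
  for (const [field, value] of Object.entries(record)) {
    if (typeof value !== 'string') continue;
    for (const { type, re } of SECRET_PATTERNS) {
      for (const m of value.matchAll(re)) {
        findings.push({ object: objectName, id: record.Id, field, type, sample: mask(m[0]) });
      }
    }
  }
  return findings;
}

// Flag an event row (assumed shape) when it carries a known tooling user-agent
// or is a UniqueQuery issued by the Drift Connected App's integration user.
function flagEvent(ev, driftUser) {
  if (SUSPICIOUS_UA.includes(ev.userAgent)) return 'known-exfil-user-agent';
  if (ev.eventType === 'UniqueQuery' && ev.user === driftUser) return 'drift-user-query';
  return null;
}

// Constructed sample data; the AKIA value is AWS's documentation placeholder key.
const DRIFT_USER = 'drift-integration@example.com';
const SAMPLE_CASES = [
  { Id: '500000000000001', Subject: 'VPN not working', Description: 'Cannot connect since Monday.' },
  { Id: '500000000000002', Subject: 'S3 sync broken',
    Description: 'Use key AKIAIOSFODNN7EXAMPLE, password=Hunter2! on xy12345.us-east-1.snowflakecomputing.com' },
];
const SAMPLE_EVENTS = [
  { eventType: 'Login', user: DRIFT_USER, userAgent: 'Salesforce-Multi-Org-Fetcher/1.0' },
  { eventType: 'UniqueQuery', user: DRIFT_USER, userAgent: 'Mozilla/5.0' },
];
// Run both hunts over the samples and return what an analyst would triage first.
function triage() {
  const secrets = SAMPLE_CASES.flatMap((c) => scanRecord('Case', c));
  const flagged = SAMPLE_EVENTS.map((e) => flagEvent(e, DRIFT_USER)).filter(Boolean);
  return { secrets, flagged };
}
```

Point scanRecord at a real export (one call per row) and flagEvent at your Event Monitoring extract after mapping its columns onto the assumed field names; the masked samples tell you which records need rotation without copying the secrets into the ticket.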
This isn’t a zero-day in the majors; it’s the predictable exploitation of over-permissive integrations and token reuse. The strategic fix is governance: continuous SaaS posture reviews, least-privilege scopes for every app connector, credential rotation on a schedule (and on signal), and formal incident playbooks for OAuth token compromise—because once a token jumps platforms, the blast radius does too.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about