Cyber Intelligence Weekly: The 3 New Stories You Need to Know this Week (Issue 178 – February 16, 2025)
Dear Friends and Colleagues,
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight a new piece of thought leadership from our very own @Emmanuel Petrov and @Alex Watts on the lack of security with DeepSeek.
🚨 The Security Paradox: Flaws in DeepSeek Expose Industry-Wide AI Safety Challenges
Cybersecurity experts Emmanuel Petrov and Alex Watts uncover the hidden risks of DeepSeek R1, revealing critical security flaws that could have serious consequences for businesses adopting AI.
Their deep dive exposes open databases, model jailbreaks, and data privacy risks. AI innovation is moving fast, but security needs to keep up. Before businesses rush to adopt these models, they need to consider the risks.
This article breaks down what these vulnerabilities mean and how organizations can take a smarter approach to AI security. Learn more here: https://lnkd.in/ejet95pM
Away we go!
1. Microsoft’s February 2025 Patch Tuesday Addresses Several Critical Vulnerabilities
Microsoft has rolled out its latest Patch Tuesday updates for February 2025, addressing 56 security flaws, including two zero-day vulnerabilities that are actively being exploited. One of the most critical patches fixes CVE-2025-21418, a buffer overflow vulnerability that affects all supported Windows operating systems. Given its low attack complexity and the fact that no user interaction is required, this vulnerability is a high-priority concern for enterprises. Another notable fix is for CVE-2025-21391, an elevation of privilege flaw in Windows Storage that allows attackers to delete critical files, potentially leading to full system compromise.
Security experts have drawn attention to the ongoing trend of privilege escalation exploits within Windows, with three similar vulnerabilities surfacing annually since 2022. The Lazarus Group, a North Korean threat actor, previously leveraged a related vulnerability in 2024, raising concerns about nation-state cyber threats. Additionally, CVE-2025-21377, a publicly disclosed Windows NTLM hash-stealing vulnerability, is another critical issue requiring immediate patching. Microsoft warns that even minimal interaction with a malicious file could trigger exploitation, making it a significant risk for organizations.
Beyond Microsoft, Apple, Adobe, and Google have also released security updates. Apple’s iOS 18.3.1 patch addresses a zero-day flaw (CVE-2025-24200) reportedly used in targeted attacks, while Adobe has issued fixes for 45 vulnerabilities across multiple products, including Photoshop and Illustrator. Google Chrome has also pushed a security update, prompting related updates for Microsoft Edge and other Chromium-based browsers. As security threats continue to evolve, IT administrators and end-users should prioritize these updates to mitigate risks and safeguard their systems.
US Government Agency Falls Victim to Cryptojacking
According to a recently released document viewed by Scoop News Group, the beleaguered United States (US) Agency for International Development (USAID) was the subject of a cryptomining attack last fall, resulting in $500,000 worth of Azure charges.
Microsoft had notified USAID that a global administrator account without multifactor authentication (MFA) in a test environment had been breached following a password spraying attack. The Global Admin account was then used to create another account, which was used to deploy cryptomining processes. Interestingly, USAID had received consistent “A” grades during audits on compliance with the Federal Information Technology Acquisition Reform Act, which measures a government agency’s efficiency in information technology (IT) and software modernization.
As surprising as it sounds, this is not the first time a government agency was the target of a cryptomining operation. In 2018, threat actors conducted a cryptomining attack on a web plug-in used by government websites in the United Kingdom, US, and Ireland.
An undisclosed US government agency was subject to an attack similar to the one on USAID, in which an AWS token was found exposed on a public GitHub page, resulting in cryptomining within its AWS resources. Finally, in 2022, a joint cybersecurity advisory detailed a persistent attack by an Iranian-sponsored threat actor who had been deploying cryptomining software on federal executive branch networks.
These attacks show that no one is safe from cryptojacking attackers; failing to secure your cloud accounts makes you a target.
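The chain reported in this story (password spraying, a successful sign-in to an account without MFA, then creation of a second account) can be hunted for in identity logs. The following is an added example, not code from Echelon or from the incident report; the event fields, account names, IP addresses and thresholds are constructed assumptions rather than a real log schema.

```python
from datetime import datetime, timedelta

def make_sample_events():
    """Constructed identity-log events (not real data); field names are hypothetical."""
    t0 = datetime(2025, 1, 1, 3, 0)
    events = [
        {"time": t0 + timedelta(minutes=i), "type": "signin", "ip": "203.0.113.7",
         "user": u, "success": False, "mfa": False}
        for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
    ]
    events += [
        # The spray finally lands on a privileged test account that has no MFA.
        {"time": t0 + timedelta(minutes=7), "type": "signin", "ip": "203.0.113.7",
         "user": "test-admin", "success": True, "mfa": False},
        # The compromised admin then creates a second account.
        {"time": t0 + timedelta(minutes=20), "type": "user_created",
         "actor": "test-admin", "target": "svc-batch"},
        # Benign noise: one mistyped password, then a normal MFA sign-in.
        {"time": t0 + timedelta(minutes=30), "type": "signin", "ip": "198.51.100.4",
         "user": "alice", "success": False, "mfa": False},
        {"time": t0 + timedelta(minutes=31), "type": "signin", "ip": "198.51.100.4",
         "user": "alice", "success": True, "mfa": True},
    ]
    return events

def detect_spray_takeover(events, min_users=5, window=timedelta(minutes=30)):
    """Flag non-MFA sign-ins preceded by failures against many accounts from the same IP."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for e in events:
        if e["type"] != "signin" or not e["success"] or e["mfa"]:
            continue
        sprayed = {f["user"] for f in events
                   if f["type"] == "signin" and not f["success"] and f["ip"] == e["ip"]
                   and timedelta(0) <= e["time"] - f["time"] <= window}
        if len(sprayed) < min_users:
            continue
        # Accounts created by the compromised identity after the takeover.
        created = [c["target"] for c in events
                   if c["type"] == "user_created" and c["actor"] == e["user"]
                   and c["time"] >= e["time"]]
        findings.append({"ip": e["ip"], "account": e["user"],
                         "sprayed_accounts": len(sprayed), "created_after": created})
    return findings

if __name__ == "__main__":
    for finding in detect_spray_takeover(make_sample_events()):
        print(finding)
```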
2. International Crackdown on Phobos Ransomware Gang Leads to Arrests
Authorities have dismantled a major cybercriminal network responsible for deploying Phobos ransomware, a malicious operation that targeted over 1,000 victims globally and extorted more than $16 million in ransom payments. In a coordinated effort, U.S. and European law enforcement agencies arrested two Russian nationals, Roman Berezhnoy and Egor Nikolaevich Glebov, who are alleged to be key figures in the ransomware network. The arrests were part of an extensive international operation that also led to the seizure of over 100 servers associated with the cybercriminal group.
Operating under the names "8Base" and "Affiliate 2803", the suspects infiltrated organizations ranging from healthcare providers to educational institutions, encrypting their data and demanding payment for decryption keys. The hackers also threatened to leak sensitive files if victims refused to pay, using a darknet website to publish stolen data. Authorities believe the group maintained a structured ransom collection system, requiring affiliates to pay a fee to Phobos administrators in exchange for decryption tools.
This takedown marks another significant law enforcement success in combating ransomware threats. The arrests follow the extradition of Evgenii Ptitsyn, another key figure in the Phobos network, and come on the heels of previous takedowns of major ransomware groups like LockBit and ALPHV. While the disruption of 8Base is a major victory, cybersecurity experts warn that ransomware groups often rebrand and resurface under new names, making continued vigilance essential. Organizations are urged to strengthen their cybersecurity defenses and follow the latest guidelines from CISA and Europol to mitigate ransomware risks.
The Security Paradox: How DeepSeek R1 Traded Security for Performance
In a troubling development that compounds the recently identified security flaws in DeepSeek’s R1 model, Wiz Research has uncovered a critical database exposure that leaks sensitive user data and internal systems information.
The model, built on DeepSeek-V3 base architecture and enhanced through large-scale reinforcement learning, has achieved impressive performance metrics—ranking 6th on the Chatbot Arena benchmark and surpassing Meta’s Llama 3.1 and several proprietary models including ChatGPT-4o and Anthropic’s Claude 3.5 Sonnet.
However, the model is now under scrutiny after Wiz researchers discovered an exposed ClickHouse database containing over 1 million lines of sensitive log data, including chat histories, backend details, and API keys. Accessible without authentication, the database allowed full control over database operations and potential privilege escalation within DeepSeek’s environment. The exposed open-source database utilized by DeepSeek contained plaintext chat messages, revealing not only user data but potentially the inner workings of the AI model itself.
This report comes on the heels of an investigation from security firm KELA, revealing how DeepSeek R1’s architecture choices prioritize performance and accessibility over security hardening. KELA’s red team successfully executed various attack patterns, from basic prompt injections to elaborate jailbreaks, generating harmful content including malware code and attack instructions with detailed explanations.
These dual security reports demonstrate the compounding risks in modern open-source AI systems, and how advanced AI development can coincide with fundamental security vulnerabilities. While KELA’s research revealed that DeepSeek R1’s advanced reasoning capabilities created security vulnerabilities through its #DeepThink transparency feature, Wiz’s discovery shows that even basic infrastructure security remains a critical challenge.
Most concerning is how easily these flaws were discovered using straightforward and well-known methods. Wiz relied on basic reconnaissance techniques, stopping at enumeration queries to adhere to ethical research practices, while KELA deployed the “Evil Jailbreak”, patched in leading models over two years ago. Threat actors, however, are likely to execute more intrusive queries, raising concerns about whether the recent suspected DDoS attack on DeepSeek’s servers exposed additional vulnerabilities that have not been publicly reported.
These concerns are heightened by reports that DeepSeek stores user data in China, which has already triggered a data privacy investigation by Italy’s data protection authority. Additionally, reports indicate that Microsoft security researchers warned OpenAI about suspicious activity from DeepSeek in late 2024, which allegedly exfiltrated a large amount of data using OpenAI’s API.
Key recommendations for security teams:
3. State of Texas Investigates DeepSeek for Potential Data Privacy Violations
Texas Attorney General Ken Paxton has launched an investigation into DeepSeek, a Chinese artificial intelligence company, over potential violations of the Texas Data Privacy and Security Act. The probe aims to determine whether DeepSeek poses a threat to user data privacy and national security, citing concerns that the AI platform may be operating as a proxy for the Chinese Communist Party (CCP). The investigation follows recent moves by Texas, New York, and Virginia to ban the use of DeepSeek on government devices, citing security risks.
As part of the inquiry, Paxton’s office has sent legal requests to Google and Apple, asking them to provide documentation on their assessment of DeepSeek before approving the app for their platforms. The Attorney General has also demanded details on what security reviews were conducted prior to making the AI tool available for public download. In a statement, Paxton accused DeepSeek of attempting to undermine American AI leadership and compromise the personal data of U.S. citizens.
The crackdown on DeepSeek is part of a broader national effort to limit the influence of foreign AI companies suspected of data exploitation. A bipartisan bill introduced this week in Congress proposes banning federal employees from using DeepSeek on government-issued devices. With increasing scrutiny from state and federal officials, the future of DeepSeek in the U.S. remains uncertain, as regulators continue to evaluate the platform's potential risks to national security and user privacy.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about
It’s great to see Microsoft staying on top of vulnerabilities with their update. Regular patches are essential in keeping systems secure and preventing future breaches.
AI innovation is moving fast, but security needs to keep up!