#NSBCS.086 - The Enemy Within: Insider Threats Lurking in 2025
Source: NSB Cyber
The Enemy Within: Insider Threats Lurking in 2025
Insider threats pose a relentless challenge in cybersecurity, where trusted personnel - employees, contractors, or partners - abuse their access due to malice, carelessness, or coercion. These differ from external breaches by exploiting human elements, often bypassing standard safeguards. In 2025, incidents have risen by 48%, driven by remote work, financial strains, and geopolitical issues. The typical cost of a malicious insider breach is US$715,366, plus considerable damage to reputation.
A prominent case involves Taiwan Semiconductor Manufacturing Company (TSMC), the dominant force in advanced chips, producing over 90% globally. In July 2025, TSMC dismissed two engineers accused of pilfering 2-nanometre technology secrets, uncovered by internal monitoring. They, plus a third suspect, were arrested under Taiwan's National Security Act—a precedent for trade secrets. Prosecutors raided homes and questioned them, amid suspicions of espionage, though no foreign state was named. TSMC's CEO, C.C. Wei, noted the tech's intricacy makes full theft improbable, but it threatens Taiwan's economic and strategic stance.
Other 2025 examples include Rippling's lawsuit against rival Deel in March, alleging a planted spy—a 2023-hired compliance manager—stole customer lists, pricing, and staff data via Slack and Google Drive over four months, risking major losses. Similarly, former Tesla employees leaked personal data to foreign media, highlighting data exfiltration risks.
Insiders evade perimeter defences effortlessly, leveraging their legitimate access to navigate internal systems without triggering alarms that are typically designed for external intruders. To counter these threats effectively, organisations must adopt a multi-layered approach that integrates advanced tools, policy enforcement, and employee engagement.
Key countermeasures include:
User behaviour analytics (UBA): This involves deploying AI-driven systems to monitor and analyse patterns in user activity, flagging anomalies such as unusual data access or file transfers that could indicate malicious intent, thereby enabling early detection and response.
Least-privilege access principles: By restricting users to only the permissions necessary for their roles, organisations minimise the potential damage from a compromised insider, utilising tools like role-based access control (RBAC) to enforce these limits dynamically.
Continuous training and awareness programmes: Regular sessions educate staff on recognising phishing attempts, handling sensitive data, and reporting suspicious behaviour, fostering a security-conscious culture that reduces negligence-related incidents.
Offline backups and data segmentation: Maintaining isolated, immutable backups ensures that even if an insider attempts sabotage or ransomware deployment, critical data can be recovered without paying ransoms, while segmenting networks limits lateral movement within the organisation.
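The following is an added example, not code from NSB Cyber, showing in working form what the first two countermeasures above look like in practice: a small user-behaviour-analytics pass that baselines each user's daily transfer volume and flags outliers and off-hours activity, plus a least-privilege check that flags any access outside the resources a user's role permits. The role policy, user list and log lines are constructed sample data; the field layout, thresholds and function names are assumptions of this example rather than any product's format.

```python
"""
Toy user-behaviour analytics (UBA) and least-privilege check over constructed
file-access logs. Added example, not NSB Cyber's code; all users, roles,
resources, thresholds and log lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed role-to-resource policy (hypothetical). A user may only touch the
# resources listed for their role; anything else is a least-privilege violation.
ROLE_POLICY = {
    "engineer": {"/repo", "/design"},
    "finance": {"/ledger"},
}
USER_ROLES = {"alice": "engineer", "bob": "engineer", "carol": "finance"}

# Constructed log lines: ISO timestamp, user, resource, bytes transferred.
SAMPLE_LOG = """\
2025-08-01T09:12:00 alice /repo 1200000
2025-08-02T10:03:00 alice /repo 900000
2025-08-03T11:40:00 alice /design 1100000
2025-08-04T09:55:00 alice /repo 1000000
2025-08-05T02:17:00 alice /design 48000000
2025-08-01T09:30:00 bob /repo 800000
2025-08-02T09:30:00 bob /repo 850000
2025-08-03T09:30:00 bob /ledger 20000
2025-08-04T09:30:00 bob /repo 820000
2025-08-05T09:30:00 bob /repo 830000
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, resource, bytes)."""
    events = []
    for line in text.splitlines():
        ts, user, resource, size = line.split()
        events.append((datetime.fromisoformat(ts), user, resource, int(size)))
    return events


def rbac_violations(events):
    """Accesses to resources that the user's role does not permit (RBAC check)."""
    out = []
    for ts, user, resource, _ in events:
        allowed = ROLE_POLICY.get(USER_ROLES.get(user), set())
        if resource not in allowed:
            out.append((user, resource, ts.date().isoformat()))
    return out


def volume_anomalies(events, z_threshold=2.0, min_days=3):
    """Per-user daily byte totals; flag a day whose total exceeds the mean of the
    user's other days by more than z_threshold standard deviations (leave-one-out,
    so one huge day does not inflate its own baseline)."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, _, size in events:
        daily[user][ts.date()] += size
    flagged = []
    for user, days in daily.items():
        if len(days) < min_days:
            continue  # not enough history to build a baseline
        for day, total in days.items():
            others = [v for d, v in days.items() if d != day]
            mu, sigma = mean(others), pstdev(others)
            if sigma == 0:
                continue  # perfectly flat baseline; z-score undefined
            z = (total - mu) / sigma
            if z > z_threshold:
                flagged.append((user, day.isoformat(), total, round(z, 1)))
    return flagged


def off_hours_access(events, start_hour=7, end_hour=19):
    """Events outside the assumed working window [start_hour, end_hour)."""
    return [(user, resource, ts.isoformat())
            for ts, user, resource, _ in events
            if not start_hour <= ts.hour < end_hour]


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for label, findings in (("RBAC violations", rbac_violations(EVENTS)),
                            ("Volume anomalies", volume_anomalies(EVENTS)),
                            ("Off-hours access", off_hours_access(EVENTS))):
        print(label)
        for f in findings:
            print("  ", f)
```

Run as a script it reports three findings on the sample data: bob's read of /ledger (outside the engineer role), alice's 48 MB day that is far above her leave-one-out baseline, and the 02:17 access that produced it. In a real deployment the baseline would cover weeks of history and several features (resource types, destinations, session counts), but the shape is the same: enforce the role policy statically, and treat large deviations from a user's own history as the trigger for investigation.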
Combining technology with a vigilant culture helps organisations combat this enduring peril. Ultimately, proactive investment in these strategies not only mitigates risks but also builds resilience against the evolving landscape of insider threats, allowing organisations to take #NoStepsBackward.
To explore NSB Cyber’s Threat Intelligence services, including ransomware response and ransomware negotiation, head here.
What we read this week
Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft - Cybersecurity researchers have demonstrated an end-to-end privilege escalation chain in Amazon Elastic Container Service (ECS) that could permit attackers to conduct lateral movement, access sensitive data, and gain control over the cloud environment. The vulnerability, dubbed ECScape, exploits an undocumented ECS internal protocol to steal AWS credentials from other ECS tasks on the same EC2 instance, allowing a low-privileged container to obtain higher permissions. This flaw highlights the risks in shared infrastructure environments, and organisations are advised to implement strict isolation measures, monitor for anomalous activity, and apply least-privilege principles to mitigate potential exploits.
Fake VPN and Spam Blocker Apps Tied to VexTrio Used in Ad Fraud and Subscription Scams - Malicious applications developed by the VexTrio Viper network, posing as VPNs, device monitoring tools, RAM cleaners, dating services, and spam blockers, have infiltrated Apple and Google app stores. These apps, under developer names such as HolaCode and LocoMind, have amassed millions of downloads, deceiving users into unwanted subscriptions, bombarding them with advertisements, and collecting personal information including email addresses. Security experts recommend verifying app developers, reviewing permissions carefully, and utilising reputable app stores' reporting features to combat these deceptive practices.
Shared Secret: EDR Killer in the Kill Chain Deployed by Ransomware Groups - A new surge of sophisticated Endpoint Detection and Response (EDR) killer tools, frequently bundled with HeartCrypt, is being utilised by various ransomware groups to neutralise endpoint defences and enable ransomware deployment. These tools facilitate evasion of security measures, allowing threat actors to execute payloads unhindered. Analysts urge organisations to enhance endpoint monitoring, deploy multi-layered defences, and conduct regular security audits to detect and prevent such advanced evasion techniques.
Vibe Coding Tool Cursor Allows Persistent Code Execution via MCPoison Vulnerability - A critical flaw in the AI-powered code editor Cursor, named MCPoison, enables persistent remote code execution by manipulating the Model Context Protocol (MCP) configuration. This vulnerability permits attackers to inject malicious code that executes indefinitely, posing significant risks to developers relying on the tool. Recommendations include updating to patched versions immediately, avoiding untrusted sources for configurations, and implementing code review processes to safeguard development environments.
PBS Confirms Data Breach After Employee Info Leaked on Discord Servers - The Public Broadcasting Service (PBS) has verified a data breach exposing sensitive corporate contact information for nearly 4,000 employees and affiliates, with the compromised data circulating on Discord servers popular among PBS Kids fans. The incident underscores the dangers of unsecured data storage and sharing platforms. Organisations should enforce strict data access controls, monitor for unauthorised leaks, and provide employee training on data handling to prevent similar exposures.
References
https://thehackernews.com/2025/08/researchers-uncover-ecscape-flaw-in.html
https://thehackernews.com/2025/08/fake-vpn-and-spam-blocker-apps-tied-to.html
https://news.sophos.com/en-us/2025/08/06/shared-secret-edr-killer-in-the-kill-chain/
https://www.theregister.com/2025/08/05/mcpoison_bug_abuses_cursor_mcp/
https://www.bleepingcomputer.com/news/security/pbs-confirms-data-breach-after-employee-info-leaked-on-discord-servers/