ZeroFox Daily Intelligence Brief - June 5, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Authorities Seize BidenCash Carding Market and Its Crypto Profits
- CISA and Partners Issue Updated Advisory on Play Ransomware
- RAMP User Advertises “Full medical oracle data base”
Authorities Seize BidenCash Carding Market and Its Crypto Profits
What we know: U.S. authorities have seized 145 domains and cryptocurrency linked to the BidenCash darknet marketplace, which was used to traffic over 15 million stolen credit cards and personally identifiable information.
Context: Operating since March 2022, BidenCash served 117,000 users and earned over USD 17 million in illicit revenue.
Analyst note: Although law enforcement has taken down the marketplace, past victims whose card details were stolen could still be at risk of fraud unless they take mitigating actions such as freezing their cards, requesting replacements, or closely monitoring their accounts and reporting suspicious activity.
CISA and Partners Issue Updated Advisory on Play Ransomware
Source: https://www.cisa.gov/news-events/alerts/2025/06/04/updated-guidance-play-ransomware
What we know: CISA and partners have issued an updated advisory on Play ransomware (aka Playcrypt), highlighting the group’s new tactics, techniques, and procedures (TTPs) and updated indicators of compromise (IOCs) to enhance threat detection.
Context: Since June 2022, ZeroFox has observed the Play ransomware group carrying out at least 850 attacks targeting diverse businesses and critical infrastructure across North America, South America, and Europe.
Analyst note: Play ransomware actors could continue to target critical infrastructure if the recommended mitigations are not implemented. To mitigate Play ransomware threats, organizations are advised to prioritize patching known vulnerabilities, enable multifactor authentication (MFA) for key services, and regularly update software while conducting vulnerability assessments.
RAMP User Advertises “Full medical oracle data base”
Source: https://cloud.zerofox.com/intelligence/advanced_dark_web/87148
What we know: Untested threat actor "ansgar" has advertised access to an Oracle database containing medical, personal, and identification information relating to over 100,000 patients from a U.S.-based healthcare company.
Context: The healthcare industry has been one of the most lucrative for threat actors, with significant breaches including the Oracle Health breach earlier this year. ZeroFox has observed threat actor ansgar previously targeting the healthcare sector on dark web forums such as RAMP and Exploit.
Analyst note: Considering the low reputation of the threat actor, it is likely that the records contain previously exposed data. However, leaked medical data carries the risk of social-engineering attacks, blackmail, extortion, and follow-on attacks.
DEEP AND DARK WEB INTELLIGENCE
Hackers leak AT&T’s database: Hackers have reportedly leaked an AT&T database stolen by the ShinyHunters group in April 2024, after supposedly exploiting significant security vulnerabilities in the Snowflake cloud data platform. The leaked data contains a comprehensive set of personal information, including full names, dates of birth, phone numbers, email addresses, physical addresses, and nearly 44 million Social Security numbers (SSNs).
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-20286: Cisco has released a patch for this static credential vulnerability in its Identity Services Engine (ISE), caused by improper credential generation. The flaw results in credentials being shared across different cloud deployments if the Primary Administration node is active in a cloud platform. Threat actors are likely to exploit the vulnerability to steal sensitive information and disrupt operations by making configuration changes to affected systems.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green