ZeroFox Daily Intelligence Brief - June 13, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- CISA Releases Cybersecurity Advisory on SimpleHelp RMM Vulnerability
- Brussels Parliament Targeted by an Undisclosed Cyberattack
- Geopolitical Focus: Global Unrest and Conflict Escalate amid Protests and Airstrikes
CISA Releases Cybersecurity Advisory on SimpleHelp RMM Vulnerability
What we know: CISA has released an advisory in response to ransomware actors exploiting unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) to compromise the customers of a utility billing software provider.
Context: Ransomware actors have increasingly targeted outdated versions of SimpleHelp RMM since January 2025. Versions 5.5.7 and earlier contain multiple vulnerabilities, including a path traversal flaw, CVE-2024-57727.
Analyst note: RMM tools have privileged access, making them prime targets whose compromise can impact multiple organizations. Victims have likely faced operational outages and double extortion due to these attacks. CISA recommends that organizations using SimpleHelp RMM check for compromises, patch vulnerabilities or use workarounds, and follow the Known Exploited Vulnerabilities (KEV) Catalog.
Brussels Parliament Targeted by an Undisclosed Cyberattack
Source: https://www.brusselstimes.com/brussels/1623019/brussels-parliament-hit-by-cyber-attack
What we know: Brussels Parliament has disclosed that it has been targeted by a cyberattack since Monday. This comes as Swedish Prime Minister Ulf Kristersson revealed cyberattacks targeting public broadcaster SVT and other key institutions.
Context: So far, there has been no impact on the functioning of the Parliament and efforts are being made to mitigate the situation.
Analyst note: The cyberattacks coincide with the upcoming NATO Summit in the Netherlands, very likely indicating that geopolitical tensions are the cause behind the targeting. Similar cyberattacks targeting American and European government, broadcast, and other critical infrastructure entities are likely to increase in frequency ahead of the NATO Summit.
Geopolitical Focus: Global Unrest and Conflict Escalate amid Protests and Airstrikes
- Millions of people are likely to participate in “No Kings Day” protests taking place in cities across the United States. Protests in Phoenix, Houston, Chicago, Atlanta, Charlotte, and Philadelphia likely carry the highest risk for unrest due to heavy promotion by organizers. Read this ZeroFox advisory for more details.
- Israel has launched airstrikes on Iran using 200 fighter jets, targeting its nuclear program. Iranian state media report the deaths of IRGC chief Hossein Salami, Iran’s highest-ranking military officer Mohammad Bagheri, former national security chief Ali Shamkhani, and several nuclear scientists. The U.S. has issued a security alert for its personnel in Israel, which is now under a state of emergency amid expectations of imminent Iranian retaliation.
- Security has been tightened as investigators arrive at the Ahmedabad crash site, where an Air India flight to London crashed on June 12, killing over 290 people. Indian Prime Minister Narendra Modi has visited the scene and a hospital treating the injured. According to reports, only one person survived the crash.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user ZeroDayX: Untested threat actor “ZeroDayX” has claimed on DarkForums to have leaked data associated with Karage, a Saudi Arabia-based online platform providing sales and service solutions to the automobile industry. Allegedly, the leaked data contains more than 15,000 records of Saudi customers, including customer names, numbers, license plate details, car details, unreleased app source code, employee records, and more. To learn more about how deep and dark web forums function, read this latest ZeroFox advisory.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-43200: This iMessage vulnerability was exploited to install Paragon’s Graphite spyware on targeted victims’ devices. On June 12, 2025, Apple updated its advisory dated February 10, 2025, to reveal that the bug was patched. Apple described the vulnerability as a logic issue in processing a malicious photo or video shared through an iCloud link. At least two European journalists were reportedly targeted using the bug and the spyware. The vulnerability is likely to be exploited on unpatched devices for politically motivated attacks.
Affected products: Versions before iOS 18.3.1 and iPadOS 18.3.1
Tags: DIB, tlp:green