ZeroFox Daily Intelligence Brief - June 18, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Hacktivist Group Claims to have “Destroyed” Iranian Bank’s Data
- Automaker Scania Confirms Insurance Documents Stolen in Cyberattack
- CISA Highlights TP-Link Router Flaw under Exploitation
Hacktivist Group Claims to have “Destroyed” Iranian Bank’s Data
What we know: Pro-Israeli hacktivist group Predatory Sparrow (also known as Gonjeshke Darande) has claimed to have targeted Iran’s Bank Sepah, reportedly leading to the destruction of data, amid the ongoing Iran-Israel conflict.
Context: Predatory Sparrow alleged that Iran’s government used the institution to fund its terrorist proxies, military and nuclear programs, and evade international sanctions. The group is reportedly known for an attack on an Iranian steel plant that led to a fire and for disrupting gas station operations.
Analyst note: The claim is likely true, as Bank Sepah customers have recently reported seeing error messages on ATMs. The disruption is likely to immediately result in a cash crunch for customers. Trust in Iran’s cyber resilience is likely to take a hit.
Automaker Scania Confirms Insurance Documents Stolen in Cyberattack
What we know: Swedish automaker Scania confirmed a cyberattack that has resulted in certain insurance claim documents being stolen. Threat actors have reportedly emailed multiple Scania employees threatening to leak the documents.
Context: Scania revealed that its systems were breached using an external IT partner’s stolen credentials. Additionally, a threat actor, named “Hensi,” had advertised data from insurance[.]scania[.]com.
Analyst note: The stolen data likely includes personally identifiable information (PII) and financial and medical data of insurance claimants. Exposed individuals are likely at risk of being targeted in phishing and social engineering attacks. Threat actors are also likely to use the data in impersonation attacks to carry out financial and insurance fraud.
CISA Highlights TP-Link Router Flaw under Exploitation
Source: https://nvd.nist.gov/vuln/detail/CVE-2023-33538
What we know: TP-Link routers are affected by a high-severity command injection vulnerability, CVE-2023-33538, which CISA has added to its Known Exploited Vulnerabilities (KEV) catalog.
Context: This vulnerability could also be present in end-of-life (EOL) TP-Link router models. With official support discontinued, users are urged to stop using them if no mitigations exist.
Analyst note: EOL devices no longer receive updates and support once they reach the end of their lifecycle, and users who do not replace such devices with newer models likely expose themselves to unmitigated risks.
DEEP AND DARK WEB INTELLIGENCE
Xss user spartanking: Threat actor "spartanking" has advertised, on xss, admin-level AnyDesk access to a South Korean company's server. AnyDesk is a remote desktop application. If the actor’s claims are true, interested buyers could gain access to affected devices and maintain persistence to monitor users’ activities in cyber espionage campaigns.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-23121: This vulnerability affects only domain-joined backup servers and enables authenticated domain users to remotely execute code on the Backup Server. Threat actors could exploit this vulnerability to access networks and target other entities, like vendors and clients, along the supply chain.
Affected products: Veeam Backup & Replication 12 through 12.3.1.1139 and earlier version 12 builds
Tags: DIB, tlp:green