ZeroFox Daily Intelligence Brief - June 24, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Israel, Iran Agree to Ceasefire amid U.S. Mediation Efforts
  • U.S. and Canada Warn of China-Linked Salt Typhoon Targeting
  • Phishing Campaign Targets U.S. DMVs; Steals Financial Information

Israel, Iran Agree to Ceasefire amid U.S. Mediation Efforts

  • Iran and Israel have agreed to a ceasefire, with Israeli Prime Minister Benjamin Netanyahu confirming the decision. In a statement issued this morning (Israel time), Netanyahu announced that “Israel agreed to U.S. President Donald Trump's proposed ceasefire.”
  • Iran launched a missile attack on the largest U.S. military base in the Middle East (Al Udeid, Qatar) on June 22 in response to U.S. strikes on three key Iranian nuclear sites. Officials reported no casualties, and confirmed that both the United States and Qatar received advance warning of the attack, though the source of the warning remains undisclosed.
  • On the other hand, Israel’s military said it detected a barrage of Iranian missiles in Israeli airspace just hours after the start of the ceasefire. However, Iran has denied the allegation.

U.S. and Canada Warn of China-Linked Salt Typhoon Targeting

Source: https://techcrunch.com/2025/06/23/canada-says-telcos-were-breached-in-china-linked-espionage-hacks/

What we know: China-linked Salt Typhoon is targeting telecommunications companies across Canada using already-known router vulnerabilities, the U.S. and the Canadian governments said in a joint advisory.

Context: The campaign appears focused on the telecom sector, but the advisory said that the tactics can be used in broader attacks. Edge devices like routers and firewalls are the most at risk of being exploited. Salt Typhoon is also known for targeting U.S. entities.

Analyst note: Salt Typhoon likely wants to maintain persistent access to targeted networks for espionage purposes, as telecom companies carry sensitive data that could be useful for nation-state adversaries. Access is likely to be used for disruptive attacks in a conflict scenario.

Phishing Campaign Targets U.S. DMVs; Steals Financial Information

Source: https://hackread.com/fake-dmv-texts-scam-widespread-phishing-campaign/

What we know: An ongoing SMS phishing campaign impersonating U.S. Departments of Motor Vehicles (DMVs) has tricked thousands of Americans into exposing their personal and financial data.

Context: The scam, suspected to be linked to a China-based group, targeted residents in several high-population U.S. states (Texas, Florida, New York, and other states) using spoofed texts and fake websites about unpaid tolls and license suspensions.

Analyst note: Threat actors could use the credit card information stolen through fake DMV sites for unauthorized purchases, sell it on the dark web, and use it in other fraud schemes like identity theft and financial account takeovers.

DEEP AND DARK WEB INTELLIGENCE

Hacktivist group claims Israel shelter expose: Hacktivist group Handala Hack Team has claimed to have obtained a list of “shelter locations” across Israel, which it is threatening to expose. The group added that it has the coordinates of every shelter and threatened that “hiding is no longer an option.” The claim is likely a psychological operation attempting to influence the perception of safe zones, such as bomb shelters, for civilians caught in the Iran-Israel-U.S. conflict.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-49825: Teleport has disclosed a critical vulnerability affecting its open-source platform, which could enable remote attackers to bypass SSH authentication. The flaw has been fixed in recent patches across multiple versions of the affected product. Operators of self-hosted deployments are advised to update immediately. Unpatched systems are at risk of unauthorized remote access, potentially exposing sensitive infrastructure.

Affected products: Teleport Community Edition versions up to 17.5.1

Tags: DIB, tlp:green