
ZeroFox Daily Intelligence Brief - June 27, 2025

by Alpha Team



ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - Israel-Iran: Cyber Threat Landscape
  • CISA Confirms Active Exploitation of AMI’s MegaRAC BMC Bug
  • Threat Actors Compromising African Financial Institutions Since 2023

ZeroFox Intelligence Flash Report - Israel-Iran: Cyber Threat Landscape

Source: https://www.zerofox.com/advisories/34246/

What we know: ZeroFox observed an uptick in the attack tempo from both Israel- and Iran-aligned cyber threat groups during the recent conflict. Related mis-, dis-, and malinformation has been shared on social media platforms, likely to fuel specific narratives.

Context: In the days prior and following June 13, 2025—when initial Israeli missile strikes hit Iranian targets—ZeroFox identified multiple examples of both pro-Israeli and pro-Iranian hacktivist collectives claiming to target critical national infrastructure (CNI) with DDoSes and hack-and-leak operations.

Analyst note: Despite the June 24, 2025, ceasefire and reduced military action, adjacent offensive cyber activities are very likely to continue. An IRGC-linked Iranian group recently targeted Israeli journalists, cybersecurity experts, and professors, indicating that cross-border hacktivist attacks are more likely to target entities not directly involved in the conflict's outcome.

CISA Confirms Active Exploitation of AMI’s MegaRAC BMC Bug

Source: https://www.bleepingcomputer.com/news/security/cisa-ami-megarac-bug-that-lets-hackers-brick-servers-now-actively-exploited/

What we know: CISA has warned that an already-patched critical vulnerability in American Megatrends’ (AMI’s) MegaRAC Baseboard Management Controller (BMC) software is being exploited in the wild.

Context: The vulnerability, tracked as CVE-2024-54085, is an authentication bypass flaw that enables remote exploitation of unpatched servers, without user interaction. MegaRAC BMC software is used by vendors that provide equipment to cloud service providers and data centers.

Analyst note: Threat actors are likely to deploy malware, ransomware, and other malicious code on compromised servers, which could result in indefinite reboot loops or physical damage. The impact is likely to cascade down to cloud service providers and data centers, further affecting multiple sectors.

Threat Actors Compromising African Financial Institutions Since 2023

Source: https://thehackernews.com/2025/06/cyber-criminals-exploit-open-source.html

What we know: A financially motivated campaign has been targeting African financial firms since July 2023, using open source tools to maintain access and sell it on dark web forums.

Context: After gaining a foothold on a victim’s network, the attackers have been using open source tools, disguising them with forged file signatures and trusted software icons to evade detection.

Analyst note: Given the prolonged duration of this campaign, it is likely that threat actors have accumulated a substantial volume of sensitive data, now circulating on dark web forums. It is likely that this data is being monetized through multiple criminal channels—including resale to other threat groups, use in financial fraud, or exploitation for phishing and business email compromise (BEC) schemes.

DEEP AND DARK WEB INTELLIGENCE

Telegram user Hasan: Actor “Hasan,” who claims to be an associate of IntelBroker and is attempting to bring back the dark web forum BreachForums, stated on their Telegram channel that posting breached data associated with the “nine eyes” countries is banned on the platform, following the recent BreachForums-related arrests. Hasan is likely using BreachForums and the recent arrests to gain publicity within the cybercriminal community. See the related ZeroFox advisory for more.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-20281 and CVE-2025-20282: Cisco has warned of two critical unauthenticated remote command execution flaws in ISE and ISE-PIC. CVE-2025-20281 enables remote command execution via a vulnerable API, which could lead to full system compromise and unauthorized control. CVE-2025-20282 enables attackers to upload and run arbitrary files as root due to insufficient file validation, which could allow them to establish persistent backdoors or pursue further exploitation.

Affected products: The affected products are listed in this advisory.

Tags: DIB, TLP:GREEN