ZeroFox Daily Intelligence Brief - June 30, 2025

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • FBI Warns of Expanding Scattered Spider Threat to Aviation Sector
  • Cybercriminals Posing as Health Insurers to Defraud Targets
  • Several Free VPNs Linked with Chinese Ownership

FBI Warns of Expanding Scattered Spider Threat to Aviation Sector

Source: https://thehackernews.com/2025/06/fbi-warns-of-scattered-spiders.html

What we know: The FBI has reported that the Scattered Spider ransomware group is now targeting the airline sector, using social engineering to bypass security measures and deploy ransomware.

Context: Scattered Spider bypasses multi-factor authentication (MFA) by deceiving help desks into linking unauthorized devices to compromised accounts. The group often impersonates employees to trick IT help desks into granting unauthorized access.

Analyst note: Airlines and their contractors hold sensitive operational and customer data, making them high-value targets. A successful breach could lead to major service disruptions, data theft, and ransom demands. Early reporting of any suspected activity is likely to minimize damage.

Cybercriminals Posing as Health Insurers to Defraud Targets

Source: https://www.ic3.gov/PSA/2025/PSA250627

What we know: The FBI has warned of cybercriminals targeting the public by impersonating legitimate health insurance companies through phishing attacks, attempting to defraud people of their money.

Context: The warning follows reports that the threat actors behind the U.K. and U.S. retail attacks are now targeting American insurance organizations. Erie Insurance and Aflac are among the companies that have reported recent cyber incidents.

Analyst note: Leaked data from insurance companies targeted in cyberattacks is likely being used by threat actors in further phishing and social engineering attacks. Threat actors are likely to coerce targets into paying for fake unpaid dues by pretending to be insurance providers.

Several Free VPNs Linked with Chinese Ownership

Source: https://hackread.com/researchers-warn-free-vpns-leak-us-data-to-china/

What we know: Researchers have discovered numerous free virtual private network (VPN) apps with hidden Chinese ties on major mobile application stores, raising concerns about potential user data exposure to the Chinese government.

Context: VPNs encrypt internet traffic and mask user identity, but they can access web activity, making misuse highly risky. Several of these apps have been found to be linked to Qihoo 360, a Chinese firm sanctioned for alleged connections to the Chinese People’s Liberation Army.

Analyst note: These contentious VPNs are likely funneling user data, such as browsing data, location, and IP addresses, to their Chinese-owned entities. This is especially a risk for high-profile users, such as government staff, journalists, and executives, whose online activity could be analyzed and exploited for intelligence gathering, surveillance, and blackmail.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user Kazu: Untested threat actor "Kazu" has advertised 12.3 GB of data allegedly linked to the official portal of Taif municipality, a city in Saudi Arabia, on the predominantly English-language deep web forum DarkForums. The leaked data could expose sensitive government records, employee and citizen information, and internal systems, enabling threat actors to conduct identity theft, phishing, and other targeted attacks.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Bluetooth vulnerabilities: Three patched vulnerabilities in Airoha systems, which are widely used in audio devices like JBL and Bose, enable attackers within Bluetooth range to eavesdrop on targets, steal sensitive information, and issue commands to the connected mobile device. The bugs are likely to be used in attacks against high-value targets such as diplomats, journalists, and other government officials, given the advanced technical skills and physical proximity required to exploit them.

Affected products: The affected products are listed in this advisory.

Tags: DIB, tlp:green