Advisories

ZeroFox Daily Intelligence Brief - July 2, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • U.S. Sanctions a Russian Internet Hosting Firm for Backing Cybercriminals
  • Qantas Cyber Incident Mirrors FBI Warning on Rising Aviation Threats
  • Esse Health Data Compromised in Cyberattack

U.S. Sanctions a Russian Internet Hosting Firm for Backing Cybercriminals

Source: https://home.treasury.gov/news/press-releases/sb0185

What we know: The United States has sanctioned Russian bulletproof hosting (BPH) company Aeza Group and four of its associates for providing specialized, takedown-resistant computer infrastructure to ransomware groups, drug vendors, nation-state actors, and other cybercriminals.

Context: The United Kingdom has also sanctioned an Aeza Group front company. The BianLian ransomware group, darknet drug marketplace BlackSprut, and a Russian disinformation campaign were linked to Aeza’s services.

Analyst note: The presence of a U.K. front company likely indicates the existence of an affiliate network in the country. The network is very likely to be disrupted and exposed. Cybercriminals in the United States and the United Kingdom with links to Aeza’s services are likely to be apprehended in the near term.

Qantas Cyber Incident Mirrors FBI Warning on Rising Aviation Threats

Source: https://www.bleepingcomputer.com/news/security/qantas-discloses-cyberattack-amid-scattered-spider-aviation-breaches/

What we know: Australian airline Qantas detected a cyberattack earlier this week after threat actors accessed a third-party customer servicing platform via a call center breach. The platform reportedly contains service records for around six million customers.

Context: The cyber incident follows an FBI warning about the Scattered Spider ransomware group targeting the airline sector using social engineering tactics. Qantas has reported the incident to Australian authorities.

Analyst note: The aviation sector’s repository of sensitive operational and customer data makes it vulnerable to disruption, data theft, and ransomware attacks. Personal details of customers, likely exposed in the Qantas attack, could be exploited for identity theft, phishing, or fraud. Although no group has claimed responsibility yet, Scattered Spider links are likely.

Esse Health Data Compromised in Cyberattack

Source: https://www.hipaajournal.com/esse-health-cyberattack-april-2025/

What we know: Over 260,000 patients were affected by a cyberattack on healthcare provider Esse Health in April 2025. The cyberattack disrupted medical and phone systems, affecting access to Esse Health’s electronic medical record system.

Context: The compromised data included names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and certain health information.

Analyst note: Threat actors are likely to use this compromised data in fraud schemes like filing false insurance claims and obtaining prescription drugs illegally. Personal and medical information could be more valuable on dark web marketplaces for resale due to its potential for enabling further crimes like physical stalking, financial theft, and blackmail.

DEEP AND DARK WEB INTELLIGENCE

Trading market user 1881547: On July 1, 2025, a threat actor named "1881547" advertised data associated with 720,000 U.S.-based “male” credit security investors at J.P. Morgan Securities on the Chinese-language dark web market "交易市场" (Trading market). The sample data included name, email, phone number, account type, and other financial information. The data is likely to be used in phishing, social engineering, and impersonation attacks leading to financial theft.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-49596: A critical security flaw has been identified in Anthropic’s Model Context Protocol (MCP) Inspector project that likely allows remote code execution (RCE), enabling attackers to take full control of affected systems. This flaw could lead to data breaches, system manipulation, and unauthorized access to sensitive AI infrastructure. The bug has been fixed in MCP Inspector version 0.14.1.

Affected products: Versions of MCP Inspector below 0.14.1
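The only remediation the brief states is upgrading to 0.14.1 or later, so the practical defender task is finding every installation still below that version. The following is an added example written for this brief, not ZeroFox or Anthropic code: it compares version strings against the fixed version and flags the hosts in a software inventory that still need the upgrade. The inventory, host names, and the assumption that a pre-release of 0.14.1 (e.g. 0.14.1-rc.1) predates the fix are constructed for illustration; the brief itself names only the version boundary.

```python
import re

# Fixed version as stated in the brief; anything below it is affected.
FIXED_VERSION = "0.14.1"

# Accepts "0.14.1", "v0.14.1" and "0.14.1-rc.1" style strings.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(s):
    """Turn a semver-like string into a tuple that sorts correctly."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch, pre = m.groups()
    # Assumption: a pre-release sorts before the final release of the same
    # number, so 0.14.1-rc.1 is still treated as below the 0.14.1 fix.
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed version is strictly below the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def scan_inventory(inventory):
    """inventory: mapping host -> installed MCP Inspector version.
    Returns the sorted list of hosts that still need the upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hosts, not data from the brief).
SAMPLE_INVENTORY = {
    "dev-box-01": "0.13.0",
    "dev-box-02": "0.14.1",
    "ci-runner-03": "0.14.1-rc.1",
    "ci-runner-04": "0.15.0",
    "lab-vm-05": "v0.9.2",
}

if __name__ == "__main__":
    for host in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: MCP Inspector {SAMPLE_INVENTORY[host]} "
              f"is below {FIXED_VERSION}; upgrade required")
```

Feed it whatever your asset inventory or package-audit tooling reports as the installed version per host; the strict less-than comparison means 0.14.1 itself is correctly treated as patched, and malformed version strings raise rather than silently passing as safe.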

Tags: DIB, tlp:green