ZeroFox Daily Intelligence Brief - July 11, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Four Arrested in UK over Cyberattacks on M&S and More
- Basketball Player Arrested over Alleged Ransomware Ties
- Critical MCP Flaw Exposes Users to Remote Code Execution
Four Arrested in UK over Cyberattacks on M&S and More
What we know: Four individuals have been arrested in the United Kingdom under suspicion of cyber offences targeting M&S, Co-op, and a luxury department store.
Context: The four suspects arrested in association with the M&S cyberattack are also believed to have orchestrated another cyberattack targeting a different luxury department store, which caused major disruption and business impact.
Analyst note: The seizure of electronic devices could lead to the identification of co-conspirators and infrastructure. It is also likely that the findings will reveal connections to a broader cybercriminal network or a ransomware-as-a-service (RaaS) model, potentially extending the investigation beyond UK borders.
Basketball Player Arrested over Alleged Ransomware Ties
What we know: A Russian professional basketball player has been arrested in France at the behest of the United States for being allegedly involved with a ransomware group that targeted over 900 organizations, including two U.S. government agencies.
Context: The suspect’s lawyer has denied the accusations, alleging that the case stems from a second-hand computer that was either already compromised or deliberately sold to the suspect by a hacker to cover their tracks. The Russian embassy in Paris is seeking consular access to the arrested national.
Analyst note: The case is reportedly linked to the Conti ransomware group, though the group has not been officially named. The United States is increasingly collaborating with European law enforcement agencies to arrest international cybercriminals, as shown by the recent arrest of an alleged Salt Typhoon hacker in Italy.
Critical MCP Flaw Exposes Users to Remote Code Execution
Source: https://thehackernews.com/2025/07/critical-mcp-remote-vulnerability.html
What we know: Researchers have uncovered a critical flaw, CVE-2025-6514, in the mcp-remote tool that enables threat actors to execute code remotely when users attempt to connect to untrusted MCP servers.
Context: Model Context Protocol (MCP) is an open-source framework designed to help large language model (LLM) applications, like AI chatbots, connect to external tools, data sources, or services.
Analyst note: As AI tools increasingly rely on MCP to connect with external systems, any vulnerabilities in MCP could open users to cyberattacks. The risk is likely to grow if users continue to connect to untrusted servers, use insecure connections, and run outdated tools like mcp-remote.
DEEP AND DARK WEB INTELLIGENCE
Exploit user btcokiz: Threat actor "btcokiz" has offered access to allegedly high-value crypto account data from major exchanges, such as Coinbase. The actor claims that the accounts include wallet addresses and balances of up to USD 2 million, and is seeking a profit-sharing partnership in exchange for the data. If the claims are true, the revenue-sharing model could encourage collaboration with other cybercriminals, scaling the potential for coordinated cyberattacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
PerfektBlue vulnerabilities: Four already patched vulnerabilities in OpenSynergy’s BlueSDK Bluetooth stack can be chained together in an exploit to achieve remote code execution (RCE). The stack is widely used in the automotive industry, yet some automakers have reportedly not yet pushed the security patches to their vehicles. A successful exploit is likely to enable access to critical elements of a targeted vehicle, including location tracking and eavesdropping.
Affected products: OpenSynergy BlueSDK Bluetooth
Tags: DIB, tlp:green