Advisories

ZeroFox Daily Intelligence Brief - July 21, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Middle East Surveillance Firm Exploits SS7 Flaw to Track Phone Locations
  • Microsoft Warns of SharePoint Zero-Day Bugs Under Active Exploitation
  • Cyber Campaign Hits Defense and Energy Sectors Across Asia

Middle East Surveillance Firm Exploits SS7 Flaw to Track Phone Locations

Source: https://techcrunch.com/2025/07/18/a-surveillance-vendor-was-caught-exploiting-a-new-ss7-attack-to-track-peoples-phone-locations/

What we know: A Middle Eastern surveillance company was observed exploiting a new Signaling System 7 (SS7) bypass attack to secretly track phone locations. The technique reveals a phone’s location via its nearest cell tower, without the user’s knowledge or consent.

Context: SS7 is a global telecom protocol used by carriers to route calls and texts and determine user location for billing. Surveillance vendors have reportedly exploited SS7 vulnerabilities for spying.

Analyst note: This new attack enables covert tracking of individuals, including journalists, activists, and dissidents, exposing them to physical threats. Although firewalls and other protections against SS7 attacks exist, their inconsistent deployment across global networks could leave governments and companies exposed to espionage.

Microsoft Warns of SharePoint Zero-Day Bugs Under Active Exploitation

Source: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

What we know: Microsoft has advised a series of protection measures for two critical zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint under active exploitation.

Context: The remote code execution (RCE) vulnerabilities only affect on-premises SharePoint servers. At least 54 organizations have reportedly been compromised, including a private energy company in California and an AI tech company.

Analyst note: Threat actors are likely to exploit the vulnerabilities to steal sensitive information. SharePoint file systems and internal configurations are likely to be manipulated. The bugs are likely to enable threat actors to move laterally across organizational networks.

Cyber Campaign Hits Defense and Energy Sectors Across Asia

Source: https://thehackernews.com/2025/07/ung0002-group-hits-china-hong-kong.html

What we know: In a year-long campaign, South Asia-based threat group UNG0002 targeted multiple sectors in China, Hong Kong, and Pakistan.

Context: Using spear-phishing emails and tailored lures, the group deployed malicious cyber tools like Cobalt Strike, Shadow RAT, and INET RAT to steal sensitive data from defense, aviation, energy, and research sectors.

Analyst note: UNG0002 is allegedly an advanced persistent threat (APT) group focused on long-term espionage. It is likely focused on regional intelligence with geopolitical motives, such as exfiltrating sensitive data from strategically important sectors in Asia.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user antigov: Untested threat actor "antigov" has advertised secure shell (SSH) access with user (sudo) rights to a server associated with Stanford University. The threat actor is likely offering initial access that could enable lateral movement, enabling interested buyers to exfiltrate data.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-54309: This vulnerability in the enterprise file transfer server CrushFTP is under active exploitation, impacting unpatched versions. The bug enables threat actors to gain administrative access through the web interface. Vulnerable systems are likely to be targeted in ransomware attacks or data theft campaigns. Ransomware groups such as Cl0p are known to exploit similar vulnerabilities.

Affected products: Versions before CrushFTP v10.8.5 and CrushFTP v11.3.4_23
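As an added defender-side example (not part of the ZeroFox brief or of CrushFTP's own tooling), the script below checks CrushFTP version strings from an inventory against the two fixed builds stated above. It assumes the version format `major.minor.patch_build` (for example `11.3.4_23`), treats releases older than the 10.x line as affected, and treats lines newer than 11.x as fixed; those last two interpretations are assumptions, not statements from the brief.

```python
# Added example: flag CrushFTP hosts still below the fixed builds for
# CVE-2025-54309 (10.8.5 for the 10.x line, 11.3.4_23 for the 11.x line).
import re

# Fixed builds as stated in the brief, as (major, minor, patch, build) tuples.
FIXED_10 = (10, 8, 5, 0)
FIXED_11 = (11, 3, 4, 23)

# Accepts "10.8.4", "v11.3.4_23", "11.3" (missing patch/build count as 0).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?\s*$")


def parse_version(text):
    """Parse a CrushFTP version string into (major, minor, patch, build)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CrushFTP version: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build or 0))


def is_affected(text):
    """True if the version is below the fixed build for its release line.
    Assumption (not in the brief): anything older than 10.x is affected,
    anything newer than the 11.x line is treated as fixed."""
    v = parse_version(text)
    if v[0] <= 10:
        return v < FIXED_10
    if v[0] == 11:
        return v < FIXED_11
    return False


def triage_inventory(hosts):
    """hosts: {hostname: version string}. Returns sorted affected hostnames.
    Unparsable versions are included so they get a manual review."""
    affected = []
    for host, ver in hosts.items():
        try:
            if is_affected(ver):
                affected.append(host)
        except ValueError:
            affected.append(host)
    return sorted(affected)


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = {
    "ftp-a.example.test": "10.8.4",
    "ftp-b.example.test": "11.3.4_22",
    "ftp-c.example.test": "11.3.4_23",
    "ftp-d.example.test": "v11.3.5",
    "ftp-e.example.test": "10.8.5",
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE):
        print(f"{host}: CrushFTP {SAMPLE[host]} is below the fixed build; upgrade")
```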

Tags: DIB, TLP:GREEN