ZeroFox Daily Intelligence Brief - August 14, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Fictitious Law Firms Targeting Cryptocurrency Scam Victims Combine Multiple Exploitation Tactics While Offering to Recover Funds
- Fortinet Warns of Critical Flaw in FortiSIEM with Practical Exploit Code in Wild
- CISA and Partners Release Advisory to Strengthen OT Security
Fictitious Law Firms Targeting Cryptocurrency Scam Victims Combine Multiple Exploitation Tactics While Offering to Recover Funds
Source: https://www.ic3.gov/PSA/2025/PSA250813
What we know: The FBI has warned that scammers posing as law firms are impersonating real lawyers and government partners to target victims of previous cryptocurrency scams. They promise to recover the lost funds but instead steal more money and personal information.
Context: This alert, along with another from June 2024, addresses the new tactic of further defrauding cryptocurrency scam victims. Scammers misuse fake legal and regulatory identities to appear credible.
Analyst note: This scam targets individuals, particularly the elderly, who have already been scammed and are exposed to further financial losses and fraud. To protect themselves, the FBI recommends verifying credentials, demanding proof of identity, and avoiding any payments until legitimacy is confirmed.
Fortinet Warns of Critical Flaw in FortiSIEM with Practical Exploit Code in Wild
What we know: Fortinet is warning of a critical command injection vulnerability (CVE-2025-25256) in FortiSIEM for which “practical exploit code” has been observed in the wild, although it has not yet been confirmed that a functional exploit exists.
Context: FortiSIEM is a central security monitoring system often used by governments, businesses, and financial institutions, among others. The alert coincides with a report warning of a spike in brute force attacks targeting Fortinet SSL VPNs, but it is not confirmed if the two developments are related.
Analyst note: The flaw is likely to enable threat actors to breach a target’s network without being detected, as Fortinet also warned that exploitation does not produce distinctive indicators of compromise (IOCs). Data theft, encryption, or disruption is likely in the event of compromise.
CISA and Partners Release Advisory to Strengthen OT Security
What we know: CISA and partners have issued guidance to help organizations dealing with operational technology (OT) build and maintain detailed asset inventories to better secure critical infrastructure. This resource aims to support organizations in risk reduction and protecting vital assets.
Context: OT systems control critical infrastructure like energy and water, making it essential to protect them from threat actors seeking to exploit vulnerabilities, weak authentication, poor segmentation, and insecure protocols to disrupt operations and cause harm.
Analyst note: Threat actors are likely to target OT environments that lack asset inventories, since unknown or untracked assets allow longer undetected access for data theft and code execution. A stronger cybersecurity posture, built on an accurate inventory, improves vulnerability patching, segmentation, and remote access security.
DEEP AND DARK WEB INTELLIGENCE
ZeroFox advisory on Scattered Lapsu$ Hunters: Telegram channel “scattered lapsu$ hunters - The Com HQ SCATTERED SP1D3R HUNTERS,” reportedly consisting of members from threat collectives Scattered Spider, ShinyHunters, and Lapsu$, was banned from the platform. ZeroFox observed that the group has since migrated to a new backup channel. Member “Shiny” also alleged that BreachForums is under the control of French law enforcement. There is a roughly even chance that the launch of the new Telegram channel signals an intent by the three collectives to collaborate in future cybercrime operations.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CISA flags two vulnerabilities: On August 13, 2025, CISA added two actively exploited flaws, CVE-2025-8875 (insecure deserialization) and CVE-2025-8876 (command injection), to its Known Exploited Vulnerabilities (KEV) catalog. On unpatched systems, attackers could compromise the remote monitoring platform and use it to gain control over enterprise networks.
Affected products: The affected products are listed in this advisory.
Zoom’s and Xerox’s bug fixes: Zoom has patched a flaw, CVE-2025-49457, involving unauthenticated privilege escalation via network access. Xerox has fixed two vulnerabilities, CVE-2025-8355 and CVE-2025-8356, which could enable threat actors to perform server-side request forgery and remote code execution. If left unpatched, these flaws could give threat actors elevated privileges on affected systems, enabling them to install malware, exfiltrate data, and disable security controls.
Affected products: The affected products are included in Zoom's and Xerox's advisories.
Tags: DIB, tlp:green