ZeroFox Daily Intelligence Brief - August 27, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Nevada Systems Offline After Network Incident
- Salesloft–Salesforce Integration Breach Exposes Sensitive Data
- Hacktivist Group Claims DDoS Attack on ICJ’s Website
Nevada Systems Offline After Network Incident
What we know: Nevada state government agencies suffered a network security incident on August 24, 2025, that disrupted state technology systems, leaving some websites and phone lines unavailable. The attack has prompted immediate recovery efforts and an ongoing investigation.
Context: At the time of writing, state offices remain closed for in-person services, but emergency services like 911 are unaffected. There is no evidence yet of personal data being compromised.
Analyst note: Residents could face phishing and social engineering attempts, with attackers impersonating state agencies to steal credentials or financial data. Threat actors could also exploit service disruptions to spread misinformation with lures referencing outages, targeting both residents and state employees.
Salesloft–Salesforce Integration Breach Exposes Sensitive Data
What we know: Between August 8 and 18, 2025, threat actors reportedly exploited OAuth tokens from Salesloft’s Drift-Salesforce integration to access customer Salesforce environments and steal credentials, such as certain keys, passwords, and tokens.
Context: The company has confirmed that this incident did not impact customers "who do not use Drift-Salesforce integration." At the time of writing, there is no evidence of ongoing malicious activity related to this incident.
Analyst note: This attack could enable threat actors to carry out further campaigns, including compromising supply chains, breaching cloud services, and accessing sensitive databases.
Hacktivist Group Claims DDoS Attack on ICJ’s Website
Source: https://cloud.zerofox.com/intelligence/advanced_dark_web/91585
What we know: Hacktivist group “Keymous+” has claimed to have targeted the official website of the International Court of Justice (ICJ) in a distributed denial-of-service (DDoS) attack.
Context: Keymous+ identifies itself as a North African group and has been targeting organizations in Europe, North Africa, the Middle East, and parts of Asia since late 2023. The varied range of targets indicates a lack of a solid ideological agenda.
Analyst note: The group stated that the alleged attack on the ICJ was a response to ICJ Vice President Julia Sebutinde’s statement that seemingly implied support for Israel. Keymous+ will likely keep targeting entities that support or align with Israeli policies.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user Satanic: Threat actor "Satanic" has advertised a database allegedly tied to Coinbase on DarkForums, claiming it contains data on over 6.3 million users. The leaked database reportedly includes names, contact details, and addresses, with a sample shared as supposed proof. Interested buyers could use names and contact details in identity theft, SIM swapping, and credential-harvesting scams to steal cryptocurrency holdings from victims.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-48384: This flaw in Git arises from improper handling of carriage return characters in configuration files, causing incorrect submodule path resolution. CISA has warned that the flaw is under active exploitation and has added it to its Known Exploited Vulnerabilities (KEV) catalog, requiring patches to be deployed by September 15, 2025. If the flaw is left unpatched, attackers could exploit it to carry out arbitrary code execution and access sensitive data. Affected products: The affected products are listed in this advisory.
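A defensive check for the condition described above, added here as an illustration and not taken from ZeroFox, CISA, or the Git project: it flags submodule `path` values that contain a carriage return. It assumes the configuration file in question is the repository's `.gitmodules`; the function name and the sample bytes are constructed.

```python
import re

# Constructed sample inputs (not from any real repository).
CLEAN = (b'[submodule "lib"]\r\n'
         b'\tpath = vendor/lib\r\n'
         b'\turl = https://example.invalid/lib.git\r\n')
SUSPECT = (b'[submodule "lib"]\n'
           b'\tpath = "vendor/lib\r"\n'
           b'\turl = https://example.invalid/lib.git\n')

SECTION_RE = re.compile(rb'^\s*\[submodule\s+"(.*)"\]\s*$')
PATH_RE = re.compile(rb'^\s*path\s*=(.*)$', re.IGNORECASE)


def find_cr_paths(data: bytes):
    """Return (line_number, submodule_name) for every submodule path value
    that still contains a carriage return once the line ending is removed."""
    findings = []
    section = None
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        # One CR directly before the LF is an ordinary CRLF line ending,
        # so it is dropped before the value is inspected.
        line = raw[:-1] if raw.endswith(b"\r") else raw
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).decode("utf-8", "replace")
            continue
        m = PATH_RE.match(line)
        if m and b"\r" in m.group(1):
            findings.append((lineno, section))
    return findings


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, find_cr_paths(blob))
```

Run it over the `.gitmodules` content of an untrusted repository before a recursive clone; a hit warrants manual review.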
Tags: DIB, tlp:green