
ZeroFox Daily Intelligence Brief - September 2, 2025

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Zscaler Confirms Data Breach Tied to Salesloft Drift Compromise
  • North Korea Suspected Behind Spear Phishing Campaign
  • Threat Actor Claims Live Access to AT&T Database

Zscaler Confirms Data Breach Tied to Salesloft Drift Compromise

Source: https://www.bleepingcomputer.com/news/security/zscaler-data-breach-exposes-customer-info-after-salesloft-drift-compromise/

What we know: Zscaler has disclosed a data breach after attackers exploited a compromise in the Salesloft Drift Salesforce integration. Threat actors stole OAuth tokens, gaining limited access to Zscaler’s Salesforce instance and customer support data.

Context: The breach stems from a supply-chain attack affecting Salesforce-connected tools, exposing risks in third-party integrations. While Zscaler’s core products and infrastructure remain unaffected, sensitive customer details, such as names, emails, job titles, phone numbers, and support case contents, were exposed.

Analyst note: The stolen data could fuel phishing, social engineering, and business email compromise attacks. Attackers could impersonate Zscaler or customers to escalate access in future campaigns.

North Korea Suspected Behind Spear Phishing Campaign

Source: https://thehackernews.com/2025/09/scarcruft-uses-rokrat-malware-in.html

What we know: A suspected North Korean hacking group, called “ScarCruft,” is carrying out a spear phishing campaign targeting South Korean government and academic individuals.

Context: Targets are sent a PDF bundled with a malicious LNK file, disguised as a legitimate newsletter called the “National Intelligence Research Society Newsletter,” to lure victims. The email delivers the RokRAT malware, which the attackers use to exfiltrate sensitive data.

Analyst note: Spear phishing that leverages official-looking or research documents has very likely become a popular initial access vector among state-backed threat actors targeting high-profile or specific individuals. Similar instances were observed in Russia-backed cyberattacks targeting Ukrainian defence and government personnel.

Threat Actor Claims Live Access to AT&T Database

Source: https://cloud.zerofox.com/intelligence/advanced_dark_web/92282

What we know: A threat actor named “gorgina” is claiming on LeakBase to sell “live access” to the core infrastructure of American telecom company AT&T for USD 100,000 in BTC. The database allegedly contains information on approximately 24 million active subscribers.

Context: The threat actor claims to have persistent access, supposedly evading detection for over three weeks. A screenshot provided by the threat actor shows several data fields, including phone number, device type, registration date, account status, and last activity date. ZeroFox notes that the threat actor joined LeakBase on August 31, 2025, the same day the post was made.

Analyst note: The actor has made sensational claims of leveraging the database to carry out SIM swapping and OTP interception. The claim is likely to be false, given the unverified reputation of the threat actor and interactions on the post claiming the data is old. Moreover, SIM swapping requires compromising or manipulating an employee of the mobile carrier, and access to network infrastructure alone is unlikely to be sufficient.

DEEP AND DARK WEB INTELLIGENCE

New deep web forum BreachStars: ZeroFox has observed the emergence of a new deep web forum, “BreachStars.” The forum has been observed positioning itself as an alternative to the seized cybercrime marketplaces RaidForums and BreachForums. There are posts claiming to sell leaked data from well-known breaches, such as those resulting from the Salesforce attacks, but these claims are not exclusive to BreachStars. The forum is very likely in the early stages of development. It is likely gaining attention from well-known threat actors, but its credibility is yet to be established.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-54857: This vulnerability in SkyBridge BASIC MB-A130, version 1.5.8 and earlier, arises from improper neutralization of special elements used in OS commands (“OS Command Injection”). It could enable a remote, unauthenticated attacker to execute arbitrary OS commands with root-level privileges. Because no authentication is required, successful exploitation could give the attacker full control of the affected device, leading to data theft, operational disruption, malware installation, or use of the device as a launch point for further attacks.

Affected products: SkyBridge BASIC MB-A130 Ver.1.5.8 and earlier

Tags: DIB, tlp:green