ZeroFox Daily Intelligence Brief - September 4, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- CISA and Partners Release a Shared Vision of Software Bill of Materials (SBOM)
- Cybercriminals Exploit Grok to Spread Malicious Links on X
- Iran-Linked Threat Group Exploits Government Accounts
CISA and Partners Release a Shared Vision of Software Bill of Materials (SBOM)
What we know: CISA, NSA, and 19 international partners have released joint guidance, titled “A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity,” to help bolster software supply chain security.
Context: An SBOM, described as a software “ingredients list,” provides organizations with essential visibility into software dependencies. It helps organizations identify components, assess risks, and mitigate vulnerabilities.
Analyst note: The ongoing string of data breaches tied to Salesforce integration with Salesloft Drift is a vivid example of how supply chain attacks can have large-scale downstream impacts on organizations. The SBOM guidance stresses transparency, automation, and aligned technical approaches. It can help organizations mitigate risks, improve vulnerability management, and protect national security systems from supply chain threats.
Cybercriminals Exploit Grok to Spread Malicious Links on X
What we know: Cybercriminals are exploiting X’s AI assistant, Grok, to bypass link restrictions by hiding malicious URLs in advertisement metadata. To avoid detection, they push out low-quality video advertisements with adult clickbait but deliberately omit direct links in the main body.
Context: X’s advertisement restrictions were designed to block malicious links. However, attackers hid URLs in the “From:” metadata of video advertisements to bypass the restrictions.
Analyst note: The hiding of the URLs enabled attackers to effectively turn malicious advertisements into credible promotions. Users are very likely to click links echoed by a system account, which could expose them to scams, fake CAPTCHA traps, and information-stealing malware.
Iran-Linked Threat Group Exploits Government Accounts
Source: https://thehackernews.com/2025/09/iranian-hackers-exploit-100-embassy.html
What we know: An Iran-linked group, “Homeland Justice,” has been running a global spear-phishing campaign exploiting over 100 compromised government accounts to impersonate diplomatic emails.
Context: The phishing emails carried malicious documents that urged recipients to enable macros, triggering a script to deploy malware. The payload established persistence, contacted command-and-control servers, and harvested system information.
Analyst note: Continued compromise could enable the group to carry out long-term espionage campaigns to spy on its geopolitical adversaries’ diplomatic missions, exposing sensitive communications, intelligence exchanges, and policy decisions.
DEEP AND DARK WEB INTELLIGENCE
Workiva joins Salesforce fallout: Workiva has disclosed that attackers accessed a third-party CRM system and stole limited customer data, including names, emails, phone numbers, and support ticket details. The breach is linked to the Salesforce incident attributed to the ShinyHunters group, which has affected several major companies. Additional SaaS providers and their customers are likely to be impacted as attackers continue to exploit stolen CRM data.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Google fixes 120 Android flaws: Google has patched 120 flaws, including two zero-days. The update also addresses issues in Qualcomm components and a remote code execution flaw in Android’s System component, making prompt patching essential. These flaws likely enable attackers to escalate privileges on affected devices, accessing communications, location, and other sensitive data.
Affected products: The affected products are included in this advisory.
Tags: DIB, tlp:green