
ZeroFox Daily Intelligence Brief - September 5, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - Exploitation of Salesforce Systems Likely to Continue
  • ABA Foundation and FBI Release New Infographic to Help Americans Spot and Avoid Deepfake Scams
  • Russian APT28 Targets Companies in NATO Countries with New Backdoor Attack

ZeroFox Intelligence Flash Report - Exploitation of Salesforce Systems Likely to Continue

Source: https://www.zerofox.com/advisories/35575/

What we know: An ongoing supply-chain breach involving the Salesloft Drift integration with Salesforce is enabling attackers to exfiltrate sensitive Salesforce data and OAuth credentials from multiple organizations. The compromise is still spreading across connected platforms, and new victims continue to surface.

Context: The breach affected hundreds of organizations, including Cloudflare, Palo Alto Networks, Zscaler, and PagerDuty, forcing urgent remediation. Threat group “ShinyHunters” (also tracked as UNC6040) has reportedly been linked to the Drift-Salesforce campaign.

Analyst note: ZeroFox assesses that more victims will likely be disclosed in the coming weeks, and that downstream entities of affected firms are also at risk. Stolen CRM datasets will likely be resold on underground forums and exploited through phishing, business email compromise (BEC), and other social engineering.

ABA Foundation and FBI Release New Infographic to Help Americans Spot and Avoid Deepfake Scams

Source: https://www.aba.com/about-us/press-room/press-releases/ABA-Foundation-and-FBI-Joint-Infographic-on-Deepfake-Scams

What we know: The American Bankers Association (ABA) Foundation and the FBI have released a new infographic warning consumers about the rise of AI-driven deepfake scams. The resource outlines red flags and tips to help people identify and avoid fraud.

Context: Deepfakes are being used by scammers to impersonate trusted individuals and trick victims into sending money or sensitive information. Since 2020, over 4.2 million fraud reports totaling USD 50.5 billion in losses have been filed, with deepfakes driving a growing share.

Analyst note: As AI deepfakes become more realistic and harder to detect, scams are likely to grow in scale and sophistication, posing risks not only to individuals but also to financial institutions and law enforcement. ABA’s infographic suggests tips, such as pausing before responding to urgent requests, verifying identities, and creating codewords with loved ones, to avoid deepfake scams.

Russian APT28 Targets Companies in NATO Countries with New Backdoor Attack

Source: https://thehackernews.com/2025/09/russian-apt28-deploys-notdoor-outlook.html

What we know: Advanced persistent threat (APT) group Fancy Bear (alias APT28) has targeted multiple companies in NATO countries with a new backdoor, NotDoor, implemented as a VBA macro for Microsoft Outlook. The backdoor enables command execution, file theft, and stealthy control through email: it reportedly watches incoming messages for a trigger keyword, runs the embedded instructions, and returns results by email.

Context: Fancy Bear is likely associated with the General Staff of the Armed Forces of the Russian Federation (GRU), Russia's military intelligence agency. NotDoor reportedly persists by modifying Outlook registry settings so that the macro is loaded at startup and macro security warnings are suppressed.

Analyst note: State-associated actors such as Fancy Bear are likely to use persistent access to private networks to exfiltrate intelligence that furthers their state's strategic aims. Such actors may also use email-based control to distribute propaganda in support of influence campaigns against adversary nations.

DEEP AND DARK WEB INTELLIGENCE

ZeroFox intelligence brief on hacktivism: ZeroFox researchers report on hacktivism, focusing on the tactics, techniques, and procedures (TTPs) used by modern-day hacktivists. In response to ongoing geopolitical events and growing tensions, hacktivist attacks are likely to continue and increase. Understanding their TTPs can help mitigate such threats.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-53690: Threat actors are exploiting a zero-day vulnerability in legacy Sitecore deployments. Affected instances were configured with a sample ASP.NET machine key published in older Sitecore deployment documentation; anyone holding that key can craft a malicious __VIEWSTATE payload that the server accepts as MAC-valid, deserializes, and executes, yielding remote code execution. Successful exploitation gives attackers full control of the vulnerable server, enabling reconnaissance, malware installation, data theft, and lateral movement across enterprise networks.

Affected products: Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud, up to version 9.0
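The check a defender would want for this item, as an added example that is not from ZeroFox, Sitecore, or the cited advisory: a small Python triage script that flags a static <machineKey> in web.config (the condition that lets anyone holding the key forge a MAC-valid __VIEWSTATE) and counts ASP.NET ViewState MAC failure events per client. The config fragments, the key values, and the log lines are constructed, and the event-export field layout is assumed; only the Event ID 1316 / "Validation of viewstate MAC failed" signal is real ASP.NET behaviour.

```python
"""Two checks for the ViewState deserialization exposure described above:

1. audit_machine_key(): does web.config pin a static <machineKey>?  A key that
   was ever published (for example copied from a deployment guide) lets anyone
   forge a MAC-valid __VIEWSTATE and reach the deserializer.
2. viewstate_mac_failures(): do ASP.NET health-monitoring events show bursts of
   ViewState MAC failures per client?  That is the noise an attacker leaves
   while guessing keys; one who already holds the right key leaves none.

The config fragments and log lines below are constructed for this example."""
import re
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed web.config with a pinned key.  The hex is a placeholder, not the
# sample key from any vendor document.
STATIC_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
                decryptionKey="0F1E2D3C4B5A69788796A5B4C3D2E1F0"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Hardened counterpart: per-application auto-generated keys and an HMAC-SHA256
# validation algorithm.  Rotating to this invalidates ViewState forged with the
# old key.
AUTOGEN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

LEGACY_VALIDATION = {"MD5", "SHA1"}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return human-readable findings for the <machineKey> in a web.config."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return findings  # no element: ASP.NET defaults to AutoGenerate,IsolateApps
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if not value.startswith("AutoGenerate"):
            findings.append(
                f"{attr} is static ({len(value)} hex chars): rotate it if it was "
                "ever published, shared, or copied from documentation"
            )
    validation = mk.get("validation", "HMACSHA256").upper()
    if validation in LEGACY_VALIDATION:
        findings.append(f"validation={validation} is legacy; prefer HMACSHA256 or stronger")
    return findings


# Constructed, simplified text export of the Windows Application log.  Real
# ASP.NET entries are Event ID 1316 from source ASP.NET with the message
# "Validation of viewstate MAC failed"; the field layout here is assumed.
LOG_LINES = [
    "2025-09-03T10:12:05Z EventID=1316 Source=ASP.NET Client=203.0.113.7 Msg=Validation of viewstate MAC failed",
    "2025-09-03T10:12:06Z EventID=1316 Source=ASP.NET Client=203.0.113.7 Msg=Validation of viewstate MAC failed",
    "2025-09-03T10:12:06Z EventID=1309 Source=ASP.NET Client=198.51.100.20 Msg=Exception information: NullReferenceException",
    "2025-09-03T10:12:07Z EventID=1316 Source=ASP.NET Client=203.0.113.7 Msg=Validation of viewstate MAC failed",
    "2025-09-03T10:12:09Z EventID=1316 Source=ASP.NET Client=203.0.113.7 Msg=Validation of viewstate MAC failed",
    "2025-09-03T10:14:30Z EventID=1316 Source=ASP.NET Client=198.51.100.20 Msg=Validation of viewstate MAC failed",
]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Source=(?P<src>\S+) Client=(?P<client>\S+) Msg=(?P<msg>.*)$"
)


def viewstate_mac_failures(lines) -> Counter:
    """Count ViewState MAC failures (Event ID 1316) per client address."""
    per_client = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["id"] == "1316" and "viewstate mac failed" in m["msg"].lower():
            per_client[m["client"]] += 1
    return per_client


def triage(config_xml: str, lines, burst_threshold: int = 3) -> dict:
    """Combine both checks; clients at or above the threshold deserve a look."""
    failures = viewstate_mac_failures(lines)
    return {
        "config_findings": audit_machine_key(config_xml),
        "suspect_clients": {c: n for c, n in failures.items() if n >= burst_threshold},
    }


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_CONFIG), ("autogen", AUTOGEN_CONFIG)):
        print(name, audit_machine_key(cfg))
    print(triage(STATIC_CONFIG, LOG_LINES))
```

Two caveats when reading the output. A static key is the finding that matters: an attacker who already holds it forges MAC-valid ViewState and produces no 1316 events at all, so an empty failure count is not evidence of safety. And because successful exploitation is remote code execution, rotating the machine key after the fact is only the start; any credentials reachable from the host should be treated as exposed.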

Tags: DIB, TLP:GREEN