
ZeroFox Weekly Intelligence Brief – September 6, 2025

by Alpha Team


ZeroFox’s Weekly Intelligence Briefing highlights the major developments and trends across the threat landscape, including digital, cyber, and physical threats. ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 6:00 AM (EDT) on September 4, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.


Salesforce Supply Chain Breach Expands: Workiva, Cloudflare, and Zscaler Disclose Impact

What we know:

  • Attackers have been exploiting the Salesloft Drift supply chain compromise to access Salesforce-connected systems.
  • Workiva, Cloudflare, Palo Alto Networks, PagerDuty, and Zscaler have recently confirmed breaches tied to the incident.
  • Stolen data includes OAuth and API tokens; customers’ personally identifiable information (PII), such as names, emails, phone numbers, and job titles; and support ticket information ranging from basic contact details to sensitive case text that could expose system or security insights.

Threat Actor Claims Live Access to AT&T Database

What we know:

  • Threat actor “gorgina” is claiming to sell “live access” to American telecom company AT&T’s core infrastructure on LeakBase for USD 100,000 in BTC. The database allegedly contains information of approximately 24 million active subscribers.

Cybercriminals Exploit Grok to Spread Malicious Links on X

What we know:

  • Cybercriminals are exploiting Grok, the AI assistant of X (formerly Twitter), to bypass the platform's link restrictions by hiding malicious URLs in advertisement metadata.
  • To avoid detection, they push out low-quality video advertisements with adult clickbait but deliberately omit direct links from the main body of the ad.
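As an added defensive illustration (not part of the brief and not ZeroFox's or X's code), the Python check below shows how a moderation or detection rule could target the pattern described above: an ad whose visible body carries no link while nested metadata fields do. The ad object, field names, and URLs are constructed for the example.

```python
import re
from typing import Any, Iterator

# Constructed sample ad object (not real X/Grok data). The visible body has
# no link; the URLs sit only in nested metadata, as the brief describes.
SAMPLE_AD = {
    "id": "ad-0001",
    "body": "watch now!!",
    "media": {"type": "video", "duration_s": 7, "quality": "low"},
    "metadata": {
        "from": "promo",
        "ref": "https://example-lure.invalid/landing?c=1",
        "tags": ["clip", "see https://example-lure.invalid/alt"],
    },
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def walk_strings(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (json_path, string) for every string anywhere in the object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_hidden_links(ad: dict) -> list[tuple[str, str]]:
    """Return (field_path, url) for every URL found outside the visible body.

    The body is excluded on purpose: a link that appears *only* in metadata
    is the evasion pattern, so that is what the rule should surface.
    """
    return [(path, url) for path, text in walk_strings(ad)
            if path != "body" for url in URL_RE.findall(text)]


def is_suspicious(ad: dict) -> bool:
    """Flag ads whose body has no link but whose metadata does."""
    body_has_link = bool(URL_RE.search(ad.get("body", "")))
    return not body_has_link and bool(find_hidden_links(ad))
```

A real pipeline would feed the flagged field paths and URLs into the same reputation and takedown workflow used for links in the ad body.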

Tags: tlp:green