ZeroFox Daily Intelligence Brief - September 19, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Scattered Spider Individual Charged for Multiple Cyberattacks, Including on Critical Infrastructure
  • CISA Releases Malware Analysis Report in Ivanti Attacks
  • Patched Flaw in ChatGPT’s Deep Research Exposed Gmail Data Risks

Scattered Spider Individual Charged for Multiple Cyberattacks, Including on Critical Infrastructure

Source: https://www.justice.gov/opa/pr/united-kingdom-national-charged-connection-multiple-cyber-attacks-including-critical

What we know: U.S. and UK authorities have charged an alleged Scattered Spider associate with conspiracy to commit computer fraud, wire fraud, and money laundering in connection with more than 120 network intrusions and extortion schemes, in which victims paid roughly USD 115 million in ransoms.

Context: The individual has also been charged with failing to disclose the PINs or passwords for devices seized from them. Separately, they and another associate have been charged as part of a National Crime Agency investigation into the August 2024 cyberattack on Transport for London (TfL).

Analyst note: Authorities are likely to gain further insight into Scattered Spider's operations from the seized devices, cryptocurrency wallets, and communications, which could support the identification and arrest of other members.

CISA Releases Malware Analysis Report in Ivanti Attacks

Source: https://www.cisa.gov/news-events/alerts/2025/09/18/cisa-releases-malware-analysis-report-malicious-listener-targeting-ivanti-endpoint-manager-mobile

What we know: CISA has released a Malware Analysis Report on the functionality of two sets of malware that were deployed by exploiting CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (Ivanti EPMM) systems.

Context: The malware samples were obtained from a compromised organization that was targeted around May 15, 2025. The threat actors chained the two vulnerabilities to gain access to a server running EPMM, then sent specially crafted requests to steal sensitive information, download additional malicious files, and access credentials.

Analyst note: The indicators of compromise and detection signatures in the Malware Analysis Report can be used to hunt for these malware samples. Organizations that identify the malware should follow the incident response recommendations in the report.

Patched Flaw in ChatGPT’s Deep Research Exposed Gmail Data Risks

Source: https://www.securityweek.com/chatgpt-deep-research-targeted-in-server-side-data-theft-attack/

What we know: A flaw in ChatGPT’s Deep Research agent, dubbed ShadowLeak, enabled attackers to send crafted emails that triggered it to silently collect and exfiltrate Gmail data from linked accounts. OpenAI patched the flaw after it was identified.

Context: The attack required no user interaction beyond the agent processing a crafted email, and the data theft occurred server-side, within the agent's own infrastructure, rather than in the user's browser. It targeted Deep Research, a paid feature that can connect to Gmail for complex research tasks.

Analyst note: Attackers are likely to look for similar flaws in AI agents that run autonomously and are connected to sensitive accounts. For ChatGPT users, linking services such as Gmail carries risk: had this flaw been exploited, attackers could have obtained personal or corporate Gmail data from the linked accounts.

DEEP AND DARK WEB INTELLIGENCE

U.S. hospital breaches impact 856K: In the span of a week, three U.S. healthcare providers disclosed major breaches affecting roughly 856,500 people in total. Goshen Medical Center in North Carolina reported 456,385 individuals affected, Retina Group of Florida reported 153,429, and Medical Associates of Brevard reported 246,711, with sensitive personal information, protected health records, and financial data exposed. Affected patients face risks including identity theft, financial fraud, and misuse of health records, and the impact could persist for years.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-9242: WatchGuard has released patches for this remote code execution flaw in Firebox firewalls, caused by an out-of-bounds write in the IKEv2 VPN component. A remote attacker could exploit it to execute arbitrary code on the device; the flaw affects multiple Fireware OS versions, and organizations should deploy the patches promptly.

Affected products: The affected products are listed in the advisory.

CVE-2025-10585: Google has released emergency patches for a zero-day vulnerability in Chrome that is being exploited in the wild. The vulnerability is caused by a type confusion weakness in the browser's V8 JavaScript engine. It is likely being used in targeted spyware attacks, as similar V8 flaws have previously been used against high-profile individuals by state-associated threat actors.

Affected products: The affected products are listed in the advisory.

Tags: DIB, TLP:GREEN