ZeroFox Daily Intelligence Brief - September 23, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • ZeroFox Intelligence Flash Report - Cyberattacks on European Airports Reveal Contagion Risk
  • SonicWall Urges Users to Safeguard Against MySonicWall Portal Breaches
  • Individual Allegedly Linked to Scattered Spider Arrested in Las Vegas

ZeroFox Intelligence Flash Report - Cyberattacks on European Airports Reveal Contagion Risk

Source: https://www.zerofox.com/advisories/35882/

What we know: A ransomware attack over the weekend of September 19–21, 2025, caused widespread operational disruption at several major European airports, resulting in a host of flight cancellations and delays.

Context: The attack reportedly targeted the Multi-User System Environment (MUSE) passenger processing software, forcing airlines and ground services to deploy manual check-in and boarding procedures. There is currently no evidence that passenger data was compromised.

Analyst note: In the next few days, the impacted airports will likely continue facing delays and cancellations as restoration efforts carry on. Additionally, the targeted entities of this attack, which are yet to be confirmed, are very likely to receive ransom demands.

SonicWall Urges Users to Safeguard Against MySonicWall Portal Breaches

Source: https://www.cisa.gov/news-events/alerts/2025/09/22/sonicwall-releases-advisory-customers-after-security-incident

What we know: Attackers have brute-forced SonicWall’s MySonicWall portal, exposing some customers’ cloud backup files. CISA and SonicWall are urging all SonicWall users to verify whether their devices are at risk and to immediately apply the advisory’s mitigation steps.

Context: SonicWall has confirmed the breach impacted about 5 percent of its firewalls and urged customers to reset all credentials and keys.

Analyst note: Threat actors are likely to leverage the exposed firewall configuration files to further compromise SonicWall devices, reconfigure settings, or gain unauthorized access to connected networks. Following SonicWall's mitigations is likely to minimize potential targets' attack surface.

Individual Allegedly Linked to Scattered Spider Arrested in Las Vegas

Source: https://www.theregister.com/2025/09/22/teen_cuffed_scattered_spider_casino/

What we know: The Las Vegas police department has arrested an individual in connection with 2023 cyberattacks targeting Las Vegas casino properties. The network intrusions were linked to a threat group with multiple names, including Scattered Spider and UNC3944.

Context: The arrest comes as the UK police recently arrested two others, allegedly linked to Scattered Spider, for hacking Transport for London (TfL). Reportedly, at least seven suspected members of the threat group were arrested in 2024 in the casino cyberattacks.

Analyst note: Cybersecurity researchers suspect significant overlap between members of Scattered Spider and ShinyHunters, the threat group reportedly behind the ongoing Salesforce breaches. Hence, recent Scattered Spider arrests are likely to help law enforcement identify the internet infrastructure or key operatives supporting the activity of the threat groups.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user CLOBELSECTEAM: Threat actor “CLOBELSECTEAM” has claimed to have leaked data associated with Chilean company Sky Airlines, alleging that threat actor “ClayOxtymus1337” had compromised 10 GB of the company’s data. If the claim is true, this leak could expose sensitive customer and operational information, leaving impacted customers open to financial loss, fraud, and further cyberattacks.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-55241: This is a now-patched privilege escalation bug in Microsoft Entra ID. The flaw reportedly arose from ACS-issued service-to-service actor tokens combined with a validation error in the legacy Azure AD Graph API, enabling cross-tenant privilege escalation. Threat actors exploiting this flaw could carry out data exfiltration, account modification, and privilege escalation.

Affected products: Microsoft Entra ID

Tags: DIB, tlp:green