ZeroFox Daily Intelligence Brief - October 6, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Threat Group Demands Ransom from Salesforce over Alleged Breach of 1 Billion Records
- Discord Customer Support Platform Breach Exposes User Data
- Unusual Spike in Scanning of Palo Alto Networks Infrastructure
Threat Group Demands Ransom from Salesforce over Alleged Breach of 1 Billion Records
Source: https://cloud.zerofox.com/intelligence/advanced_dark_web/93745
What we know: The threat collective “Scattered LAPSUS$ Hunters” has claimed, on its newly launched data leak site, to have stolen over 1 billion records from Salesforce. It has threatened to leak customer data and to target individual customer organizations if a ransom is not negotiated by October 10, 2025.
Context: Multiple organizations have been named on the leak site. Salesforce continues to deny the threat collective’s claims, stating that the activity relates to past or unsubstantiated incidents. The threat actor and the impacted data remain unconfirmed as of writing.
Analyst note: Multiple companies have confirmed data theft via a third-party customer relationship management (CRM) database breach, likely linked to Salesforce. Additionally, the compromise of the Salesloft Drift-Salesforce integration, combined with a critical “ForcedLeak” vulnerability in a Salesforce product known to leak CRM data, very likely indicates that there has been a software supply chain compromise, which is further impacting downstream entities.
Discord Customer Support Platform Breach Exposes User Data
Source: https://hackread.com/discord-data-breach-hackers-ids-billing-support-chats/
What we know: Hackers have compromised a third-party customer service platform used by Discord, stealing partial payment data and personally identifiable information (PII) from users who interacted with support. The attackers have demanded a ransom from Discord in exchange for not leaking the stolen data.
Context: Exposed data includes names, emails, IP addresses, support messages, attachments, and photos of government-issued IDs. Reddit users discussing the breach notification emails, sent from the address “noreply@discord[.]com,” have questioned their authenticity, calling them phishing attempts.
Analyst note: Attackers could use the stolen information to impersonate Discord staff or support agents to trick users into giving up credentials or downloading malware. Additionally, threat actors are likely to exploit the panic around the breach to spread disinformation, fake breach confirmations, and post malicious links claiming to lend mitigation support to impacted victims.
Unusual Spike in Scanning of Palo Alto Networks Infrastructure
What we know: An observed surge in scans targeting Palo Alto Networks’ login portals likely points to a coordinated reconnaissance campaign. The activity peaked on October 3, when over 1,200 unique source IPs were recorded, compared with the regular 200 seen in daily scans.
Context: The scans primarily originated from U.S.-based IPs, with smaller clusters in the UK, Netherlands, Canada, and Russia. Distinct transport layer security (TLS) fingerprints suggest multiple coordinated actors testing access to Palo Alto devices.
Analyst note: The alleged reconnaissance likely aims to map exposed Palo Alto GlobalProtect and PAN-OS instances for potential exploitation, including credential theft or lateral movement. If successful, it could enable large-scale intrusions or VPN compromise, intelligence gathering, and attack surface profiling to identify weaknesses for future exploitation.
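The spike described above is visible as a jump in unique source IPs per day against a rolling baseline. The following script, an added example rather than ZeroFox tooling, shows one way a defender can flag such a surge from portal access logs. It assumes a simplified log line format of "<date> <src_ip> <path>" (the sample lines, the paths, and the 3x alert multiplier are all constructed for illustration); adapting the regex to a real firewall or web-server log format is left to the reader.

```python
"""Flag an abnormal spike in unique source IPs hitting a login portal.

Added example (not the brief's or Palo Alto's own tooling). Assumes log lines of
the form "<YYYY-MM-DD> <src_ip> <path>"; the sample data below is constructed.
"""
from collections import defaultdict
from statistics import median
import re

# Constructed sample log: 3 unique IPs on 10-01, 2 on 10-02, 12 on 10-03.
# The repeated IP on 10-01 and the malformed line exercise the parser.
SAMPLE_LOG = """\
2025-10-01 198.51.100.10 /portal/login
2025-10-01 198.51.100.11 /portal/login
2025-10-01 198.51.100.12 /portal/login
2025-10-01 198.51.100.10 /portal/login
this line is not a log record
2025-10-02 198.51.100.10 /portal/login
2025-10-02 198.51.100.20 /portal/login
2025-10-03 203.0.113.1 /portal/login
2025-10-03 203.0.113.2 /portal/login
2025-10-03 203.0.113.3 /portal/login
2025-10-03 203.0.113.4 /portal/login
2025-10-03 203.0.113.5 /portal/login
2025-10-03 203.0.113.6 /portal/login
2025-10-03 203.0.113.7 /portal/login
2025-10-03 203.0.113.8 /portal/login
2025-10-03 203.0.113.9 /portal/login
2025-10-03 203.0.113.10 /portal/login
2025-10-03 203.0.113.11 /portal/login
2025-10-03 203.0.113.12 /portal/login
"""

# Assumed line layout: ISO date, IPv4 source address, request path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")


def unique_ips_per_day(lines):
    """Return {date: set(src_ips)}; lines that do not match the layout are skipped."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line, ignore rather than crash
        day, ip, _path = m.groups()
        per_day[day].add(ip)
    return per_day


def spike_days(per_day, multiplier=3.0):
    """Return [(day, unique_ip_count, baseline)] for days whose unique-IP count is
    at least `multiplier` times the median of all earlier days.

    The median (rather than the mean) keeps one earlier spike from inflating the
    baseline. The first day has no history and is never flagged.
    """
    alerts = []
    history = []
    for day in sorted(per_day):
        count = len(per_day[day])
        if history:
            baseline = median(history)
            if baseline > 0 and count >= multiplier * baseline:
                alerts.append((day, count, baseline))
        history.append(count)
    return alerts


if __name__ == "__main__":
    counts = unique_ips_per_day(SAMPLE_LOG.splitlines())
    for day in sorted(counts):
        print(f"{day}: {len(counts[day])} unique source IPs")
    for day, count, baseline in spike_days(counts):
        print(f"ALERT {day}: {count} unique IPs vs baseline {baseline:.1f}")
```

Run as a script it prints the per-day counts and flags 2025-10-03, where 12 unique sources exceed three times the 2.5 median of the preceding days. The same shape of check (unique sources per interval against a median baseline) is what turns the 200-to-1,200 jump in the brief into an actionable alert rather than a number noticed after the fact.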
DEEP AND DARK WEB INTELLIGENCE
CometJacking attack: A new attack method, called CometJacking, is reportedly exploiting URL parameters to silently instruct Perplexity's Comet AI browser to access sensitive data from connected services, like email and calendars, without requiring user interaction or credentials. Perplexity has called the threat "not applicable." Emerging AI tools are likely to carry security risks. Adoption and integration of such tools require caution.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-61882: Oracle has patched a critical vulnerability in its E-Business Suite (EBS) that is remotely exploitable without authentication. The security patch follows reports of threat actor FIN11, linked to Cl0p ransomware, exploiting it in an alleged extortion campaign. However, Oracle has not confirmed whether the vulnerability is linked to the extortion campaign or whether it was a zero-day flaw. If successfully exploited, this vulnerability is likely to enable remote code execution leading to compromise of email accounts and their contents.
Affected products: Oracle E-Business Suite versions 12.2.3-12.2.14
Google Chrome fixes: Google has patched 21 vulnerabilities in Chrome while rolling out the latest Chrome 141 version. The patches include two high-severity vulnerabilities, tracked as CVE-2025-11205 and CVE-2025-11206, which are heap buffer overflow issues impacting Chrome’s WebGPU and Video components. Unpatched browsers are likely to be targeted by threat actors using infostealers that harvest credentials, passwords, and other data stored in browsers.
Affected products: The affected products are listed in the advisory.
Tags: DIB, tlp:green