Advisories

ZeroFox Daily Intelligence Brief - October 8, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Prominent U.S. Law Firm Reportedly Breached by Chinese Hackers
  • Radio Manufacturer BK Technologies Confirms Breach
  • Salesforce Notifies Customers It Will Not Pay Hacker Ransom

Prominent U.S. Law Firm Reportedly Breached by Chinese Hackers

Source: https://www.nytimes.com/2025/10/07/us/politics/chinese-hackers-us-law-firms.html

What we know: Chinese hackers reportedly infiltrated the computer systems of Williams & Connolly, a prominent U.S. law firm that represents high-profile clients, including politicians. At least a dozen other law firms and tech companies have reportedly been affected by the same hacking campaign.

Context: The FBI is reportedly investigating the breach. Williams & Connolly has assured clients that the stolen information is unlikely to be made public or sold. Some of the email accounts of the firm’s lawyers were allegedly compromised in a zero-day attack.

Analyst note: The use of a zero-day vulnerability very likely indicates a shift by state-backed threat actors away from their previous reliance on publicly known vulnerabilities. The compromise of email accounts could have begun with exploitation of flaws in enterprise-grade email platforms or with targeted phishing campaigns used to gain initial access.

Radio Manufacturer BK Technologies Confirms Breach

Source: https://www.theregister.com/2025/10/07/police_and_military_radio_maker_bk_admits_breach/

What we know: An unknown threat actor has infiltrated the network of BK Technologies, a manufacturer of mission-critical radios for law enforcement, emergency services, and defense sectors, and stolen non-public data.

Context: The intrusion reportedly briefly disrupted some non-critical systems but did not impact core operations. The threat actor likely stole data, including employee records, before being detected and removed.

Analyst note: Since BK Technologies serves public safety and defense agencies, it likely presents a strategically valuable target for threat actors aiming to collect intelligence, infiltrate trusted networks, or compromise communications infrastructure.

Salesforce Notifies Customers It Will Not Pay Hacker Ransom

Source: https://www.bleepingcomputer.com/news/security/salesforce-refuses-to-pay-ransom-over-widespread-data-theft-attacks/

What we know: Salesforce reportedly told its customers in an email on October 7 that it would not pay a ransom to hackers who claimed to have stolen client data and are threatening to leak it.

Context: Salesforce has reportedly obtained “credible threat intelligence” that the hackers are preparing to leak data stolen in an earlier breach. The announcement follows the leak by threat collective Scattered Lapsus$ Hunters, in partnership with threat group Crimson Collective, of samples of data stolen in the Red Hat breach.

Analyst note: If the hackers' claims are true and no ransom negotiations take place, they are likely to contact or extort affected Salesforce customers directly, leak portions of the stolen data, or sell the dataset to other criminal groups in order to maintain leverage.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user Kazu: Untested threat actor "Kazu" has advertised a sample of stolen data associated with the Kuwait Ministry of Public Works. The threat actor is holding the data for a ransom of USD 600,000 and is threatening to sell it for USD 40,000 if the ransom is not paid by October 16, 2025. There is a roughly even chance that the threat actor is falsely presenting open source information as sensitive stolen data. If the data is legitimate, infrastructure blueprints and details of the technological architecture are likely to be exposed to threat actors, who could exploit them further.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-49844: Redis has disclosed a critical vulnerability dubbed RediShell that affects all Redis builds using Lua scripting and can enable remote code execution. However, exploitation requires authenticated access, and the flaw has been patched in recent updates. If left unpatched, an attacker with valid credentials could execute arbitrary code on Redis instances, seizing control, manipulating or deleting data, escalating privileges, and pivoting to other systems.

Affected products: The affected products are listed in this advisory.
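The two preconditions the brief names for this flaw, authenticated access and Lua scripting, are both things a defender can check in a Redis configuration before the patched build is rolled out. The following is an added example written for this brief; it is not ZeroFox or Redis code, and it does not reproduce the vendor advisory's affected-version list. It audits a redis.conf for unauthenticated access (no requirepass, a default ACL user with nopass, protected-mode off, bind on all interfaces) and reports which enabled ACL users can still reach the @scripting command category. The sample configurations are constructed, and treating "-@scripting" as a compensating control is an assumption of the example, not a recommendation taken from the page.

```python
"""Audit a redis.conf for the preconditions of an authenticated Lua-scripting
RCE: is authentication enforced, and which enabled ACL users can reach the
scripting commands. Added example, not Redis or ZeroFox code."""

# Commands in the Redis ACL category @scripting (Redis 7 set; assumption:
# Redis 6.x lacks the FUNCTION/FCALL entries, which only narrows the match).
SCRIPTING_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
                  "fcall", "fcall_ro", "function", "script"}

# Constructed weak config: exposed on all interfaces, no password, scripting open.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass change-me
user default on nopass ~* &* +@all
user app on >s3cret ~app:* &* +@all
user reporter on >r3port ~* &* +@all -@scripting
user batch off >b4tch ~* &* +@scripting
"""

# Constructed hardened config: loopback only, password set, scripting removed
# from every enabled user (compensating control; the real fix is the patched build).
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
user default on >REPLACE-WITH-LONG-RANDOM-SECRET ~* &* +@all -@scripting
user app on >s3cret ~app:* &* +@all -@scripting
"""


def parse_conf(text):
    """Split redis.conf into plain directives (last value wins) and ACL
    'user <name> <rules...>' lines, keeping rule order because it matters."""
    directives, users = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "user" and len(parts) >= 2:
            users[parts[1]] = parts[2:]
        else:
            directives[key] = " ".join(parts[1:])
    return directives, users


def user_enabled(rules, name):
    """Only the default user is on unless a rule says otherwise; on/off is positional."""
    enabled = name == "default"
    for r in rules:
        if r == "on":
            enabled = True
        elif r == "off":
            enabled = False
    return enabled


def user_has_password(rules):
    """True when a '>plain' or '#sha256' password rule is in force and
    'nopass' / 'resetpass' did not come later and clear it."""
    has = False
    for r in rules:
        if r in ("nopass", "resetpass"):
            has = False
        elif r.startswith((">", "#")):
            has = True
    return has


def user_can_script(rules):
    """Replay +/- rules left to right and report whether any @scripting command
    is still callable. Simplification: other categories (e.g. +@slow) are ignored."""
    allowed = set()
    for r in rules:
        low = r.lower()
        if low in ("+@all", "allcommands", "+@scripting"):
            allowed = set(SCRIPTING_CMDS)
        elif low in ("-@all", "nocommands", "-@scripting"):
            allowed = set()
        elif low[0] in "+-" and not low.startswith(("+@", "-@")):
            cmd = low[1:].split("|")[0]  # 'script|flush' style subcommand rules
            if cmd in SCRIPTING_CMDS:
                (allowed.add if low[0] == "+" else allowed.discard)(cmd)
    return bool(allowed)


def audit(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    directives, users = parse_conf(text)
    findings = []
    bind = directives.get("bind", "127.0.0.1 -::1").split()
    if any(a.lstrip("-") in ("0.0.0.0", "*", "::", "::*") for a in bind):
        findings.append("bind: listening on all interfaces")
    if directives.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode: disabled")
    # Without a 'user default' line the built-in default user is on, nopass, +@all;
    # requirepass is the legacy way of giving that user a password.
    users.setdefault("default", ["on", "nopass", "~*", "&*", "+@all"])
    default_authenticated = bool(directives.get("requirepass")) or user_has_password(users["default"])
    if user_enabled(users["default"], "default") and not default_authenticated:
        findings.append("default user: no password, unauthenticated clients get its ACL")
    for name, rules in users.items():
        if user_enabled(rules, name) and user_can_script(rules):
            findings.append(f"user {name}: scripting commands reachable")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Run it against a real redis.conf by passing the file contents to audit(). Removing @scripting breaks any client that legitimately uses EVAL or FCALL, so it is a stop-gap for instances that cannot be patched immediately, not a substitute for the update.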

Tags: DIB, TLP:GREEN