ZeroFox Daily Intelligence Brief - October 10, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- BreachForums[.]hn Seized in Joint International Law Enforcement Operation
- SonicWall Confirms Breach Affecting All Cloud Backup Users
- Geopolitical Focus: Ceasefire, Strikes, and Natural Disasters
BreachForums[.]hn Seized in Joint International Law Enforcement Operation
Source: https://databreaches.net/2025/10/09/breachforums-seized-again/
What we know: BreachForums[.]hn has been officially seized by law enforcement, with its clear net and onion domains now displaying a joint seizure notice from the DOJ, FBI, and French agencies BL2C and JUNALCO.
Context: The takedown occurred as Scattered LAPSUS$ Hunters was preparing to leak data from 39 Salesforce customers after a ransom demand, with a payment deadline set for October 10.
Analyst note: The takedown will likely delay, or at least briefly prevent, the release of sensitive data tied to Salesforce customers. Members of BreachForums and groups like Scattered LAPSUS$ Hunters are likely to regroup under new domains or aliases and could also turn to other underground forums to publish the stolen data.
SonicWall Confirms Breach Affecting All Cloud Backup Users
What we know: SonicWall has confirmed that an unauthorized party accessed firewall configuration backup files stored in its cloud backup portal for all customers who used the service. The exposed files include AES-256-encrypted credentials and configuration data.
Context: SonicWall had previously warned customers on September 17 to reset MySonicWall credentials and provided a remediation checklist covering passwords, API keys, tokens, VPN secrets, and related credentials.
Analyst note: Although the exposed files were encrypted, they still hold valuable configuration data that could help attackers understand how affected networks are structured. If the encryption is weakly implemented or the keys are compromised, threat actors could decrypt the data to gain insights into firewall settings, access controls, or credentials. This could enable targeted attacks, unauthorized access, or changes to network defenses.
Geopolitical Focus: Ceasefire, Strikes, and Natural Disasters
- Israel and Hamas agreed to the first phase of a ceasefire, which will see the remaining Israeli hostages held in Gaza freed by October 13, 2025. While this phase is likely to proceed as planned, there is only a roughly even chance that the remainder of the deal will go forward.
- Russia launched a massive missile and drone attack on Kyiv, Ukraine early Friday, knocking out power and water supplies and injuring at least nine people. The assault, part of Moscow’s renewed campaign against Ukraine’s energy grid, also sparked fires in residential areas and triggered nationwide air raid alerts.
- Authorities have declared that the tsunami threat has passed after a 7.4-magnitude earthquake struck near the Philippines and Indonesia, killing at least one person and previously prompting tsunami warnings. The Pacific Tsunami Warning Center had initially cautioned that waves up to three meters could hit the Philippines, while smaller waves could reach Indonesia and Palau.
- At least 40 people have died and thousands displaced after severe flooding and landslides devastated northern Bengal, India. Over 18,000 hectares of land were damaged, with rescue and relief efforts ongoing amid protests over inadequate aid.
DEEP AND DARK WEB INTELLIGENCE
Exploit user nixploiter: On the Russian-language Exploit forum, threat actor “nixploiter” has advertised Remote Monitoring and Management (RMM) access with administrator rights to 1,000 Point-of-Sale (POS) terminals belonging to retail companies. Interested buyers could exploit admin RMM access and deploy memory-scraping malware in POS terminals to exfiltrate stored card data, leading to potentially large-scale card compromises and fraud.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-5947: This vulnerability is an authentication bypass and privilege escalation flaw in the Service Finder WordPress theme and its bundled Bookings plugin. Successful exploitation could enable attackers to take full control of affected sites, potentially injecting malware, redirecting users, or using the site for other malicious purposes.
Affected products: All Service Finder Bookings versions up to 6.0
Tags: DIB, tlp:green