Advisories

ZeroFox Daily Intelligence Brief - October 31, 2025

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Conti Ransomware Affiliate Extradited to the U.S. from Ireland
  • CISA and Partners Release New Guidance on Microsoft Exchange Server Security Best Practices
  • Geopolitical Focus: Natural Disasters and Human Rights Violations

Conti Ransomware Affiliate Extradited to the U.S. from Ireland

Source: https://www.justice.gov/opa/pr/ukrainian-national-extradited-ireland-connection-conti-ransomware

What we know: An individual suspected of being involved in the Conti ransomware group’s activities has been extradited to the United States from Ireland. The suspect has been charged with conspiracy to deploy the Conti ransomware variant in a 2023 case.

Context: The suspect and co-conspirators used ransomware to steal data and encrypt systems, extorting over USD 500,000 from two Tennessee targets and leaking data from a third. As of January 2022, the FBI reported that Conti ransomware caused at least USD 150 million in ransom losses, primarily targeting critical infrastructure.

Analyst note: The extradition is likely to help law enforcement reach other former affiliates of Conti ransomware, which is now largely considered inactive. Its former affiliates are likely to have moved to other cybercrime networks.

CISA and Partners Release New Guidance on Microsoft Exchange Server Security Best Practices

Source: https://www.cisa.gov/news-events/alerts/2025/10/30/new-guidance-released-microsoft-exchange-server-security-best-practices

What we know: CISA and partners have released new Microsoft Exchange Server Security Best Practices to help organizations harden on-premises Exchange servers against persistent exploitation.

Context: Exchange servers remain a frequent target for threat actors exploiting unpatched or misconfigured systems. Many organizations continue to run hybrid or end-of-life Exchange instances, risking exposure even after migrating to Microsoft 365.

Analyst note: Failure to secure or decommission vulnerable Exchange servers can lead to data theft, ransomware deployment, and network compromise via credential harvesting or lateral movement. The new guidance aims to reduce these risks by enforcing stronger authentication, encryption, and attack surface minimization.

Geopolitical Focus: Natural Disasters and Human Rights Violations

  • Now a Category 5 storm, Hurricane Melissa has devastated parts of the northern Caribbean, killing at least 49 people, at the time of writing. Haiti and Jamaica were hardest hit, with widespread flooding, destroyed homes, and ongoing search and rescue operations.
  • Severe floods triggered by record rainfall in central Vietnam have killed at least 13 people and left 11 missing, with regions Hue and Hoi An among the worst hit, at the time of writing. Over 116,000 homes and thousands of hectares of crops were inundated as heavy rains continued.
  • The UN Security Council held an emergency session after reports of mass killings and ethnic violence in El Fasher, Sudan, under the Rapid Support Forces (RSF). UN officials confirmed credible evidence of widespread human rights violations, including mass executions. Communication blackouts and blocked escape routes have reportedly made it difficult to determine the full death toll, although nearly 500 people were reportedly killed at the Saudi Maternity Hospital alone.
  • Israeli troops have raided the southern Lebanese village of Blida, killing a municipal worker, allegedly a suspect linked to Hezbollah activity.

DEEP AND DARK WEB INTELLIGENCE

Exploit user DISSS: Untested threat actor "DISSS" has advertised an auction for remote desktop protocol (RDP) access with domain administrator rights to an undisclosed Canada-based company on Exploit. Domain‑admin RDP access would enable full network compromise leading to credential theft, lateral movement, data exfiltration, and ransomware or supply‑chain impact.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-12475: This is a Stored Cross-Site Scripting (XSS) vulnerability in the Blocksy Companion plugin for WordPress due to insufficient input sanitization. Exploitation of the vulnerability enables authenticated attackers, with contributor-level access and above, to inject malicious scripts that execute when a user visits an affected page. The vulnerability is likely to enable attackers with the required access to completely take over a webpage.

Affected products: Blocksy Companion plugin for WordPress, all versions up to and including 2.1.14
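To make the "insufficient input sanitization" mechanism behind this class of stored XSS concrete, the following added example (not code from ZeroFox, WordPress, or the Blocksy Companion plugin, and not a reproduction of CVE-2025-12475 itself) shows a page renderer that echoes contributor-supplied text straight into HTML beside one that escapes it, plus a small allowlist sanitizer of the kind a plugin needs when contributors are legitimately permitted a few formatting tags. The in-memory posts, the function names, and the allowlist are all constructed for illustration.

```javascript
// Added illustration of stored XSS root cause and mitigation (hypothetical
// renderer; not the plugin's code). Runs with plain Node.js, no dependencies.

// Escape the characters that change meaning inside an HTML text or attribute
// context. This is the minimum a renderer must do before interpolating any
// user-controlled string into markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(s).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Allowlist sanitizer: escape everything, then restore only bare, attribute-
// free formatting tags that a contributor is allowed to use. Because the
// restore step matches exact escaped sequences, a tag carrying attributes
// (e.g. an on* handler) never makes it back into live markup.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong'];
function sanitizeAllowlist(s) {
  const pattern = new RegExp('&lt;(\\/?)(' + ALLOWED_TAGS.join('|') + ')&gt;', 'gi');
  return escapeHtml(s).replace(pattern, '<$1$2>');
}

// Constructed stand-in for the stored posts table: one benign contributor
// post and one containing a script tag, as a test vector for the renderer.
const storedPosts = [
  { author: 'contributor-a', body: 'Hello <b>world</b>' },
  { author: 'contributor-b', body: '<script>alert(1)</script>' },
];

// Vulnerable pattern: stored body interpolated into the page unchanged.
function renderUnsafe(post) {
  return `<article data-author="${post.author}"><p>${post.body}</p></article>`;
}

// Hardened pattern: stored body passed through the sanitizer; the author
// attribute is escaped because it sits in an attribute context.
function renderSafe(post) {
  return `<article data-author="${escapeHtml(post.author)}"><p>${sanitizeAllowlist(post.body)}</p></article>`;
}

// Defensive check usable in a test suite or a render-time assertion: does the
// produced HTML contain a live <script> element or an inline event handler?
function containsActiveScript(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Demonstration run.
for (const post of storedPosts) {
  console.log('unsafe:', renderUnsafe(post), '-> active script:', containsActiveScript(renderUnsafe(post)));
  console.log('safe:  ', renderSafe(post), '-> active script:', containsActiveScript(renderSafe(post)));
}

module.exports = { escapeHtml, sanitizeAllowlist, renderUnsafe, renderSafe, containsActiveScript, storedPosts };
```

The point of the allowlist design is that it fails closed: anything not explicitly restored stays as inert escaped text, so a contributor keeps `<b>` and `<em>` while a tag with an attribute, or any tag outside the list, is rendered literally rather than executed.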

Tags: DIB, tlp:green