ZeroFox Daily Intelligence Brief - November 4, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Ex-DigitalMint and Sygnia Employees Accused of BlackCat Ransomware Attacks
  • Cyber Threat Actors Facilitating Physical Cargo Theft by Targeting Logistics Industry
  • Weak Account Protections at Flock Safety Raise Security Concerns

Ex-DigitalMint and Sygnia Employees Accused of BlackCat Ransomware Attacks

Source: https://www.bleepingcomputer.com/news/security/us-cybersecurity-experts-indicted-for-blackcat-ransomware-attacks/

What we know: Three former employees of cybersecurity firms DigitalMint and Sygnia were indicted for allegedly conducting BlackCat (ALPHV) ransomware attacks on five U.S. companies between May and November 2023.

Context: The defendants, including former incident response and ransomware negotiation professionals, are accused of exploiting insider knowledge to breach networks, steal data, and extort victims for cryptocurrency payments.

Analyst note: Insider knowledge of response procedures and negotiation tactics can make ransomware campaigns more sophisticated and difficult to defend against. More individuals with similar backgrounds could be covertly exploiting their skills for financial gain. Authorities are likely to trace links between other ransomware operations and professionals with cybersecurity experience, leading to broader crackdowns.

Cyber Threat Actors Facilitating Physical Cargo Theft by Targeting Logistics Industry

Source: https://thehackernews.com/2025/11/cybercriminals-exploit-remote.html

What we know: Cybercriminals are collaborating with organized crime networks to steal cargo freight from trucking and logistics companies. The activity has been observed since at least June 2025, with food and beverage products being the most targeted commodity.

Context: Threat actors reportedly use spear phishing emails to deploy legitimate remote monitoring and management (RMM) tools to infiltrate deeper into the corporate network. After gaining access, threat actors are able to manipulate existing bookings and book loads under a compromised carrier’s name, coordinating the physical theft of goods.

Analyst note: The activity very likely indicates that cyber threats pose a physical risk to the surface transportation industry and interconnected supply chain providers. Threat actors are very likely to increasingly use other legitimate tools like RMM software, instead of malware, to obfuscate their activity.
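The tradecraft described above (a legitimate RMM agent delivered through a phishing lure rather than custom malware) is hard to catch with signature-based tooling because the binary itself is benign. The script below is an added detection example, not part of the ZeroFox brief or the cited article: it runs an allowlist check over constructed endpoint process-creation events in JSON-lines form. The RMM binary names, the approved-product list, the "user-facing parent" list and the log format are all assumptions that a defender would replace with their own inventory and telemetry schema.

```python
import json
from typing import Iterable

# Assumed inventory (not from the brief): executable names of common RMM agents
# mapped to their product. A real deployment would take this from the
# organisation's own software inventory.
KNOWN_RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "teamviewer.exe": "TeamViewer",
    "ateraagent.exe": "Atera",
    "rustdesk.exe": "RustDesk",
}

# Assumed: the only RMM product this organisation has sanctioned for IT use.
APPROVED_RMM = {"TeamViewer"}

# Assumed: parent processes that indicate the agent was started from a mail
# client, an Office document or a browser download rather than from the
# sanctioned deployment channel (e.g. the service control manager).
USER_FACING_PARENTS = {
    "outlook.exe", "winword.exe", "excel.exe", "acrord32.exe",
    "chrome.exe", "msedge.exe",
}


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(log_text: str) -> list[dict]:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def rmm_findings(events: Iterable[dict]) -> list[dict]:
    """Flag RMM launches that are unapproved or started from a user-facing app.

    Each finding records the host, user, product and the list of reasons
    so an analyst can triage why the event was raised.
    """
    findings = []
    for ev in events:
        product = KNOWN_RMM_BINARIES.get(_basename(ev.get("image", "")))
        if product is None:
            continue  # not an RMM agent we track
        parent = _basename(ev.get("parent_image", ""))
        reasons = []
        if product not in APPROVED_RMM:
            reasons.append(f"unapproved RMM product: {product}")
        if parent in USER_FACING_PARENTS:
            reasons.append(f"launched by user-facing process: {parent}")
        if reasons:
            findings.append({
                "host": ev.get("host"),
                "user": ev.get("user"),
                "product": product,
                "parent": parent,
                "reasons": reasons,
            })
    return findings


def analyze(log_text: str) -> list[dict]:
    """Convenience wrapper: parse the log and return the findings."""
    return rmm_findings(parse_events(log_text))


# Constructed sample telemetry (hypothetical hosts and users, not real data).
SAMPLE_LOG = """
{"host": "DISPATCH-07", "user": "j.doe", "image": "C:\\\\Users\\\\j.doe\\\\Downloads\\\\AnyDesk.exe", "parent_image": "C:\\\\Program Files\\\\Microsoft Office\\\\OUTLOOK.EXE"}
{"host": "DISPATCH-07", "user": "SYSTEM", "image": "C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer.exe", "parent_image": "C:\\\\Windows\\\\System32\\\\services.exe"}
{"host": "OPS-12", "user": "m.lee", "image": "C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer.exe", "parent_image": "C:\\\\Program Files\\\\Microsoft Office\\\\WINWORD.EXE"}
{"host": "OPS-12", "user": "m.lee", "image": "C:\\\\Windows\\\\System32\\\\notepad.exe", "parent_image": "C:\\\\Windows\\\\explorer.exe"}
{"host": "YARD-03", "user": "r.khan", "image": "C:\\\\Users\\\\r.khan\\\\AppData\\\\Local\\\\rustdesk\\\\rustdesk.exe", "parent_image": "C:\\\\Windows\\\\explorer.exe"}
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['host']} {f['user']}: {f['product']} <- {f['parent']}: {'; '.join(f['reasons'])}")
```

Two of the three findings on the sample data would be missed by a check that only looks at the binary: the approved TeamViewer agent started from Word is flagged purely because of its parent, which is the signal that matters for a phishing-delivered install. In practice the allowlist should also key on install path and signing identity, since an attacker can rename a downloaded agent.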

Weak Account Protections at Flock Safety Raise Security Concerns

Source: https://techcrunch.com/2025/11/03/lawmakers-say-stolen-police-logins-are-exposing-flock-surveillance-cameras-to-hackers/

What we know: Some lawmakers have urged the U.S. Federal Trade Commission to investigate Flock Safety for allegedly failing to enforce basic cybersecurity measures such as multi-factor authentication (MFA) across its nationwide license plate camera network.

Context: Until very recently, Flock Safety did not require MFA, leaving accounts protected only by passwords and therefore vulnerable to compromise. Some law enforcement logins to Flock’s system have reportedly already been found in data stolen by infostealer malware and even sold on Russian cybercrime forums.

Analyst note: A breach could enable threat actors and foreign entities to access billions of license plate images and vehicle movement records collected nationwide for law enforcement use. Weak access controls could also enable unauthorized searches or surveillance, enabling individuals to be physically tracked.

DEEP AND DARK WEB INTELLIGENCE

Exploit user BIG-BROTHER: Untested threat actor “BIG-BROTHER” has advertised data from SOAS University of London on dark web forum Exploit. The actor alleges the breach includes login credentials, emails, and other user details. Interested buyers could use the stolen data to launch social engineering or phishing attacks against SOAS affiliates, and gain unauthorized access to university systems, exfiltrating sensitive academic and administrative information.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-52665: This is an improper authentication vulnerability in the Ubiquiti UniFi Access Application. Attackers with network access to the affected system could exploit this flaw to perform privileged operations. Successful exploitation is likely to lead to full compromise of the UniFi Access control environment, leading to theft of user credentials and other critical data managed through the application’s backend API.

Affected products: UniFi Access Application version 3.3.22 through 3.4.31

Tags: DIB, tlp:green