
ZeroFox Daily Intelligence Brief - November 7, 2025

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Nation-State Threat Actor Stole SonicWall Firewall Backups
  • Sandworm Targets Ukraine’s Key Sectors in Coordinated Campaign
  • Seven ChatGPT Flaws Expose Users to 0-Click and Memory Injection Attacks

Nation-State Threat Actor Stole SonicWall Firewall Backups

Source: https://www.darkreading.com/cyberattacks-data-breaches/sonicwall-firewall-backups-nation-state-actor

What we know: A nation-state threat actor was found to be behind the breach of SonicWall’s cloud backup service, MySonicWall. The attack impacted all customers of the service, with attackers stealing their firewall configuration files.

Context: The breach stemmed from an API call, but there is no information on how it was achieved. SonicWall says the breach is unrelated to the ongoing Akira ransomware attacks targeting SonicWall VPNs and does not impact any of its products, firmware, source code, or production network.

Analyst note: The stolen firewall configuration files are likely to enable threat actors to map affected organizations’ networks and identify flaws and misconfigurations leading to intrusion. Digital certificates, if stored in the backups, are likely to be used for impersonation in further cyberattacks.

Sandworm Targets Ukraine’s Key Sectors in Coordinated Campaign

Source: https://www.bleepingcomputer.com/news/security/sandworm-hackers-use-data-wipers-to-disrupt-ukraines-grain-sector/

What we know: Russia-linked group Sandworm carried out data-wiping attacks against Ukraine’s government, education, logistics, and grain sectors in June and September 2025. The wipers were reportedly designed to irreversibly destroy data, disrupting operations without seeking ransom.

Context: Researchers have observed that another threat actor, UAC-0099, cooperated with Sandworm in the same attack chain. UAC-0099 gained initial access to affected devices and handed that access over to Sandworm, which then used it to deploy the wiper malware.

Analyst note: As part of its broader hybrid warfare strategy, Russia is likely targeting Ukraine’s critical industries to supplement its wartime effort by weakening Ukraine’s economy, disrupting essential services, and inhibiting its ability to sustain the war.

Seven ChatGPT Flaws Expose Users to 0-Click and Memory Injection Attacks

Source: https://hackread.com/chatgpt-vulnerabilities-hackers-hijack-memory/

What we know: Seven vulnerabilities were found in ChatGPT, including GPT-5, that enable attackers to use “0-click” and “memory injection” techniques to steal user data and bypass safety features.

Context: The vulnerabilities are exploited through hidden prompt injections, in which malicious instructions are secretly embedded in external content such as blogs or indexed web pages. When ChatGPT processes this content during normal use, it can unknowingly execute those hidden commands and expose user data or system information.

Analyst note: The vulnerabilities expose how AI models can be manipulated without user interaction to access sensitive information. Attackers could exfiltrate data, implant persistent threats via memory, or hijack conversations across sessions, potentially leading to large-scale data leaks, automated phishing, and long-term compromise of AI systems.

DEEP AND DARK WEB INTELLIGENCE

Telegram user NoName057: Pro-Russian hacktivist group NoName057 has claimed responsibility for distributed denial-of-service (DDoS) attacks against the websites of Belgian telecom operators Proximus and Scarlet. Proximus confirmed that it detected unusual traffic early on November 5, 2025, but added that the impact was limited. Pro-Russian cyberattacks against European government and critical infrastructure entities are very likely to increase in frequency and impact following Ukraine’s successful strikes inside Russia.

VULNERABILITY AND EXPLOIT INTELLIGENCE

Cisco fixes multiple bugs: Cisco has released patches for multiple vulnerabilities in its Unified Contact Center Express (UCCX) software, including CVE-2025-20354, which is associated with improper authentication mechanisms that threat actors could exploit to execute arbitrary commands. If the patches are not deployed, threat actors could exploit these flaws to gain root-level access, enabling them to install backdoors, exfiltrate sensitive call and customer data, and disrupt operations.

Affected products: Unified Contact Center Express (UCCX) software

Tags: DIB, tlp:green