ZeroFox Daily Intelligence Brief - November 13, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- New Scam Center Strike Force Formed to Disrupt Southeast Asian Crypto Scams Targeting Americans
- CISA Reissues Alert for Federal Agencies to Patch Cisco ASA and Firepower Devices
- Australia Faces Rising Cyber Threats from State-Sponsored Actors
New Scam Center Strike Force Formed to Disrupt Southeast Asian Crypto Scams Targeting Americans
What we know: The U.S. Department of Justice (DOJ) and its partners have launched the Scam Center Strike Force to dismantle Southeast Asian crypto-investment fraud networks targeting Americans. The task force has already seized over USD 400 million in stolen cryptocurrency as part of its initial operations.
Context: These scams are run out of large criminal compounds in Cambodia, Laos, Burma, and nearby regions, primarily controlled by Chinese transnational criminal organizations (TCOs). They use social-media outreach, social-engineering tactics, and fake investment platforms to lure victims.
Analyst note: The initiative is likely to drive additional crypto-asset seizures, disrupt overseas enablers supporting these operations, and limit the use of U.S. infrastructure for fraud. Increased cooperation with Southeast Asian partners and the application of OFAC sanctions will likely disrupt scam operations and raise operational costs for Chinese TCOs.
CISA Reissues Alert for Federal Agencies to Patch Cisco ASA and Firepower Devices
What we know: CISA has released an alert warning federal agencies that threat actors have continued to target vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices, directing agencies to update affected devices to the correct minimum versions.
Context: The U.S. cybersecurity agency flagged CVE-2025-20333 and CVE-2025-20362 in the alert. Additionally, separate research revealed that an “advanced” threat actor exploited the Citrix Bleed 2 flaw (CVE-2025-5777) and the Cisco Identity Services Engine (ISE) flaw CVE-2025-20337 as zero-days to deploy malware before the issues were publicly disclosed and patched.
Analyst note: Advanced threat actors are likely to be state-backed hackers leveraging advanced resources to exploit high-value targets such as network security and edge-facing devices for cyber espionage. Threat actors are likely to achieve persistent access, exfiltrate sensitive data, move laterally to target more entities, and disrupt operations.
Australia Faces Rising Cyber Threats from State-Sponsored Actors
Source: https://www.bbc.com/news/articles/cg7n43emvejo
What we know: Australia is reportedly facing rising cybersecurity threats that extend beyond espionage to potential sabotage of critical infrastructure. The Australian Security Intelligence Organisation (ASIO) chief has warned that Chinese state-linked threat actors are also targeting Australia’s water, energy, telecom, and transport networks.
Context: Cyber threat groups like Salt Typhoon and Volt Typhoon have been breaching systems to steal data and establish persistent access for future disruption. These are coordinated efforts to gain strategic leverage and economic advantage over Australia and its allies.
Analyst note: In addition to posing growing espionage threats, China-linked threat actors are likely to target other Australian sectors in the near future, such as finance, healthcare, education, and defense supply chains, aiming to steal sensitive data, disrupt critical services, and gain economic and strategic advantages.
DEEP AND DARK WEB INTELLIGENCE
UST data breach: Over 630,000 internal files associated with the University of St. Thomas (UST) have been exposed on the dark web after a summer cyberattack that disrupted key campus systems and services. The breach occurred shortly after the school completed a major IT-provider transition. The exposure of such a large volume of documents increases the risk of personal and institutional information being misused, potentially enabling identity theft, fraud, and further targeted attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Ivanti November 2025 patches: Ivanti has released patches for three high-severity vulnerabilities in its Endpoint Manager. Successful exploitation of the vulnerabilities could enable a local authenticated attacker to write arbitrary files anywhere on disk. The vulnerabilities are CVE-2025-9713, CVE-2025-11622, and CVE-2025-10918. Threat actors with initial access are likely to exploit the flaws to exfiltrate data and disrupt the system.
Affected products: Ivanti Endpoint Manager 2024 SU3 SR1 and prior
Tags: DIB, tlp:green