ZeroFox Daily Intelligence Brief - November 26, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- FBI Warns of Account Takeover Scams Targeting Various Sectors
- Cyberattack Hits CodeRED Platform, Disrupts Emergency Alerts
- Canon and Dartmouth College Latest Victims in the Oracle EBS Campaign
FBI Warns of Account Takeover Scams Targeting Various Sectors
Source: https://www.ic3.gov/PSA/2025/PSA251125
What we know: The FBI has warned about Account Takeover (ATO) fraud schemes, wherein cybercriminals impersonate a financial institution's staff or website to steal money or information for personal gain. More than 5,100 complaints reporting ATO fraud have been registered this year, with losses exceeding USD 262 million.
Context: Scammers target individuals, businesses, and organizations across sectors to access payrolls or health savings accounts. They use social engineering calls, emails, or texts, or even fake websites, to deceive victims.
Analyst note: ATO fraud schemes are likely to become more sophisticated as threat actors leverage AI and deepfakes to make social engineering lures more believable. Advisories from law enforcement bodies, such as the FBI, are likely to play a crucial role in raising public awareness and, in turn, in combating such fraud schemes.
Cyberattack Hits CodeRED Platform, Disrupts Emergency Alerts
What we know: Threat actors have targeted the CodeRED emergency notification platform, disrupting emergency alerts across the United States. The breach reportedly exposed personally identifiable information (PII), although the company has not yet confirmed any public leaks.
Context: Threat group INC Ransom has claimed to have breached the platform’s company and encrypted its files. The company behind CodeRED is rebuilding the platform using a March 31, 2025, backup, possibly leaving some accounts created after the backup date unretrievable.
Analyst note: While the platform is being rebuilt, threat actors are likely to exploit operational uncertainty by impersonating CodeRED and its company through phishing emails and SMS spoofing. These campaigns could impersonate public safety personnel, emergency responders, and companies to obtain credentials and facilitate further compromise.
Canon and Dartmouth College Latest Victims in the Oracle EBS Campaign
Source: https://www.securityweek.com/canon-says-subsidiary-impacted-by-oracle-ebs-hack/
What we know: Canon has confirmed it was targeted in the ongoing Oracle EBS vulnerability exploitation campaign, but said the impact was limited to a subsidiary’s web server with no leaked data. Meanwhile, Dartmouth College has confirmed data theft from its Oracle EBS servers affecting at least 1,494 individuals, including Social Security numbers and financial details.
Context: Canon and Dartmouth join a growing list of organizations targeted in the campaign, in which attackers exploited an Oracle EBS zero-day vulnerability to steal sensitive data before extortion attempts. More than 100 victims have been named on Cl0p’s leak site so far.
Analyst note: Even if Canon’s exposure was limited, threat actors could attempt additional intrusions targeting other subsidiaries with unpatched Oracle EBS systems. Additionally, personal information from Dartmouth could be exploited for identity theft, phishing, and financial fraud targeting affected individuals.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user Alz_157s: Threat actor "Alz_157s" has allegedly leaked 48,000 patient records from a Mexico-based non-profit healthcare center. They have also shared a download link in the post. The leaked data risks privacy violations and is likely to be exploited for identity theft, phishing attacks, and blackmail.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-13016: This Firefox WebAssembly vulnerability left roughly 180 million users exposed to potential code execution for nearly six months. Threat actors are likely to have intruded into vulnerable systems during those six months to establish covert control. Additionally, unpatched systems are likely at risk of threat actors obtaining complete control, which they can use to run unauthorized code.
Affected products: Firefox versions 143, 144, and 145 (before the fix); Firefox ESR versions 140.0 through 140.4
Tags: DIB, tlp:green