ZeroFox Daily Intelligence Brief - November 27, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- IT Systems of Three London Councils Disrupted in Cybersecurity Incident
- Threat Actors Hijack U.S. Radio Gear to Broadcast Fake Emergency Messages
- Qilin Ransomware Strikes 28 South Korean Firms via MSP Compromise
IT Systems of Three London Councils Disrupted in Cybersecurity Incident
What we know: A cybersecurity incident has disrupted the IT systems of three London councils, including Westminster City Council (WCC), whose area includes landmarks such as the Palace of Westminster (Houses of Parliament), Buckingham Palace, and 10 Downing Street.
Context: Multiple systems, including phone lines, have been impacted in the incident. At least two councils have activated emergency plans to ensure residents receive critical services. Authorities said they are investigating potential data compromise, but added that it was too early to identify the perpetrators or their motives.
Analyst note: Shared IT infrastructure can create single points of failure, enabling widespread service disruption and likely exposing sensitive data on high-value individuals in areas like Westminster.
Threat Actors Hijack U.S. Radio Gear to Broadcast Fake Emergency Messages
What we know: The U.S. Federal Communications Commission (FCC) has warned the public of a recent string of cyber intrusions targeting U.S. radio broadcasters, in which threat actors broadcast fake emergency messages and obscene language.
Context: Threat actors are misusing the U.S. Emergency Alert System's Attention Signal, the attention-grabbing tone that precedes official announcements about earthquakes, tornadoes, and other emergencies. The intrusions resulted from improperly secured equipment made by Barix, a Swiss network audio company.
Analyst note: Fake announcements about natural disasters issued through official emergency alert systems are very likely to create public unrest and enable misinformation. The FCC has recommended basic security measures for safeguarding the targeted equipment, which likely indicates the intrusions stemmed from weak passwords and missing security patches.
Qilin Ransomware Strikes 28 South Korean Firms via MSP Compromise
Source: https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html
What we know: A supply-chain attack targeting a South Korean managed service provider (MSP) has led to widespread Qilin ransomware infections across the country’s financial sector. The campaign compromised at least 28 organizations, exfiltrating over 2TB of data.
Context: In this campaign, the attackers who deployed Qilin are suspected of working with the North Korea-linked advanced persistent threat (APT) group Moonstone Sleet. The leaked data allegedly includes sensitive financial records, corporate documents, and potentially politically damaging information.
Analyst note: If the stolen 2TB of data is leaked, it is likely to trigger widespread credential compromise, identity theft, financial fraud, and targeted phishing attacks across South Korea’s financial sector and its customers.
DEEP AND DARK WEB INTELLIGENCE
DarkForums user Samurai: Threat actor "Samurai" has allegedly leaked email conversations of Japanese Prime Minister Sanae Takaichi, claiming they contain evidence of a bribe taken from “foreign nationals.” A sample image and a download link for the emails were also shared. The alleged leak is likely to be leveraged for political disruption, media sensationalism, and disinformation campaigns, regardless of the authenticity of the emails.
VULNERABILITY AND EXPLOIT INTELLIGENCE
ASUS patches nine vulnerabilities: ASUS has released firmware updates to fix nine vulnerabilities, including a critical authentication bypass (CVE-2025-59366) in AiCloud-enabled routers that could allow remote attackers to execute functions without authorization. Unpatched devices are likely to be absorbed into a covert operational relay box (ORB) network that proxies and supports threat actors' command-and-control activity, as seen in the recent WrtHug campaign, in which numerous ASUS WRT routers, mostly end-of-life or outdated, were hijacked.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green