ZeroFox Daily Intelligence Brief - December 4, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Ransomware Attack on Marquis Puts U.S. Banks and Credit Unions at Risk
- CISA and Partners Issue Guidance on Securely Integrating AI in Operational Technology
- Two Arrested in the U.S. for Conspiring to Delete Databases Storing Government Information
Ransomware Attack on Marquis Puts U.S. Banks and Credit Unions at Risk
What we know: Fintech company Marquis has disclosed a data breach affecting at least 74 banks and credit unions in the United States following a ransomware attack. The threat actors reportedly exploited a SonicWall vulnerability to gain unauthorized access to Marquis’ systems.
Context: Approximately 400,000 customers have been impacted, with exposed data including names, contact details, Social Security numbers and Taxpayer Identification Numbers, financial account information, and dates of birth.
Analyst note: The compromised personal and financial data are likely to enable threat actors to extort the affected fintech company. The attackers are also likely to subsequently target other affected banks and credit unions in extortion and business email compromise attacks.
CISA and Partners Issue Guidance on Securely Integrating AI in Operational Technology
What we know: Multiple security agencies in the United States and allied countries have co-authored guidance for critical infrastructure owners and operators on the integration of artificial intelligence (AI), outlining its benefits and risks.
Context: The guidance highlights the potential for the emergence of new attack surfaces and vulnerabilities with the integration of AI, along with new and complex data-related challenges such as where data is stored and who can access it.
Analyst note: AI adoption is outpacing the development of security safeguards, creating previously unseen attack surfaces, such as AI-enabled systems likely being misused by threat actors as backdoors. Recent reports of AI being deployed in large-scale cyber espionage operations underscore the risks to critical and government infrastructure.
Two Arrested in the U.S. for Conspiring to Delete Databases Storing Government Information
Source: https://www.justice.gov/opa/pr/two-virginia-men-arrested-conspiring-destroy-government-databases
What we know: Two individuals in the United States were arrested on December 3, 2025, for allegedly conspiring to destroy government databases hosted by a federal government contractor, among other crimes.
Context: The crimes took place in February 2025, following the termination of the accused individuals’ employment. They allegedly deleted about 96 databases storing U.S. government information. The duo also served prison time in 2015 for wire fraud and conspiring to hack into the State Department.
Analyst note: The incident very likely reflects insufficient vetting by the affected federal contractor, which hired two individuals with histories of conspiracy against the U.S. government. It also underscores the growing risk of insider threats within the cybersecurity and operational technology sectors.
DEEP AND DARK WEB INTELLIGENCE
Telecom company breached: Canadian telecommunications company Freedom Mobile has disclosed a data breach after threat actors used a subcontractor’s account to access its customer account management platform, exposing personally identifiable information. Although there is no evidence that the data has been misused yet, threat actors are likely to leverage it to extort the company in the near term.
VULNERABILITY AND EXPLOIT INTELLIGENCE
React library vulnerability: A vulnerability in the React library potentially enables threat actors to execute code remotely in cloud environments via unsafe deserialization. Researchers warn the flaw is easily exploitable, affects default configurations of React Server Components and Next.js, and urge immediate remediation. The vulnerability has been assigned two CVEs, CVE-2025-55182 and CVE-2025-66478. It is likely to enable remote attackers to compromise a large number of victim servers, potentially leading to full system control of affected hosts.
Affected products:
- CVE-2025-55182: React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- CVE-2025-66478: Next.js versions 15.x, 16.x, 14.3.0-canary.77 and later canary releases
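As an added example (not ZeroFox's or the React/Next.js projects' code), the following checker flags the affected versions listed above so a defender can run it over a dependency inventory pulled from a lockfile or `npm ls`. It assumes React Server Components ship as npm packages named `react-server-dom-*`, treats any 15.x or 16.x Next.js release as affected exactly as the brief lists it, and uses a constructed sample inventory.

```javascript
// Parse "14.3.0-canary.77" -> { major: 14, minor: 3, patch: 0, pre: "canary", preNum: 77 }
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?$/.exec(v.trim());
  if (!m) return null;
  return {
    major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]),
    pre: m[4] || null, preNum: m[5] === undefined ? null : Number(m[5]),
  };
}

// CVE-2025-55182: React Server Components 19.0.0, 19.1.0, 19.1.1, 19.2.0 (per the brief)
const RSC_AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

function rscAffected(version) {
  return RSC_AFFECTED.has(version.trim());
}

// CVE-2025-66478: Next.js 15.x, 16.x, and 14.3.0-canary.77 or later canaries (per the brief)
function nextAffected(version) {
  const p = parseVersion(version);
  if (!p) return false; // unparseable versions are reported as "unknown" by findAffected
  if (p.major === 15 || p.major === 16) return true;
  return p.major === 14 && p.minor === 3 && p.patch === 0 &&
         p.pre === "canary" && p.preNum >= 77;
}

// Walk a { packageName: version } inventory and return the findings.
function findAffected(inventory) {
  const findings = [];
  for (const [name, version] of Object.entries(inventory)) {
    if (name === "next") {
      if (parseVersion(version) === null) findings.push({ name, version, cve: "unknown-version" });
      else if (nextAffected(version)) findings.push({ name, version, cve: "CVE-2025-66478" });
    }
    // Assumption: RSC packages are published as react-server-dom-<bundler>;
    // confirm the package list against the vendor advisory for your build.
    if (/^react-server-dom-/.test(name) && rscAffected(version)) {
      findings.push({ name, version, cve: "CVE-2025-55182" });
    }
  }
  return findings;
}

// Constructed sample inventory (not real data)
const SAMPLE = { next: "14.3.0-canary.80", "react-server-dom-webpack": "19.1.1", react: "19.1.1" };
console.log(findAffected(SAMPLE));
```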
Tags: DIB, tlp:green