ZeroFox Daily Intelligence Brief - May 27, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Los Angeles Transit Breach Tied to Pro-Iran Hacktivist Operation
  • FBI Issues Alert on “Silent Ransom Group” Targeting U.S. Law Firms
  • ZeroFox Intelligence Brief: The Role of Initial Access Brokers in Ransomware Operations

Los Angeles Transit Breach Tied to Pro-Iran Hacktivist Operation

Source: https://www.reuters.com/legal/litigation/iranian-hackers-responsible-los-angeles-transit-system-breach-israeli-2026-05-26/

What we know: The March 16 breach of the Los Angeles County Metropolitan Transportation Authority (LACMTA), also referred to as Metro, has been attributed to the pro-Iran hacktivist group “Ababil of Minab”. The attackers reportedly stole at least 700 GB of emails, backups, and internal files from LACMTA systems.

Context: Although train and bus operations continued, the breach reportedly disrupted passenger services by disabling some arrival screens and preventing customers from adding funds to transit cards.

Analyst note: Given that Ababil of Minab presents itself as a geopolitically motivated hacktivist group, the decision to exfiltrate large volumes of LACMTA data rather than solely cause disruption likely suggests the operation also served intelligence-gathering purposes. The stolen data is likely to provide insight into how transit agencies structure networks and manage communications, supporting future disruption activity.

FBI Issues Alert on “Silent Ransom Group” Targeting U.S. Law Firms

Source: https://www.ic3.gov/CSA/2026/260526.pdf

What we know: The FBI has issued an advisory warning that the Silent Ransom Group (SRG) is specifically targeting U.S. law firms using social engineering techniques. SRG actors pose as IT employees to establish access to victim systems, either by using legitimate remote access tools or by visiting the target’s location in person, and then exfiltrate data without encrypting it.

Context: The threat actors exfiltrate data using tools such as Windows Secure Copy (WinSCP) or a version of Rclone, sending it to destinations including cloud platforms and external drives. Victims are then extorted via ransom emails, direct calls to employees, or through affected clients. Additionally, because the group relies on legitimate tools, traditional antivirus products are unlikely to flag the intrusion.

Analyst note: The group's focus on data theft over encryption suggests a deliberate interest in sensitive legal information that is likely to influence active cases. Notably, the tactic of conducting in-person intrusions very likely indicates that some members are locally based.
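Because the tools named above are legitimate software, detection has to rest on how and where they are launched rather than on a signature. The following is an added example, not part of the FBI advisory or of ZeroFox's tooling: a small Python hunt over process-creation events shaped like Sysmon Event ID 1 that flags Rclone and WinSCP launches, catches a renamed Rclone binary through the PE OriginalFileName field, and distinguishes scripted bulk transfers from interactive use. The sample events, user names, paths and the OriginalFileName values are all constructed for the example.

```python
"""Hunt for Rclone / WinSCP process launches in constructed process-creation events."""
import re
from dataclasses import dataclass

# Constructed events in the shape of Sysmon Event ID 1 (process creation).
# Field names follow Sysmon's schema; every value below is invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    # Rclone renamed to a benign-looking name; OriginalFileName still says rclone.exe
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": 'svc.exe copy "C:\\Cases" remote:backup --transfers 32', "User": r"CORP\jdoe"},
    # WinSCP driven by a script file (non-interactive, typical of bulk upload)
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.com", "OriginalFileName": "winscp.com",
     "CommandLine": "WinSCP.com /script=C:\\Users\\jdoe\\up.txt /log=C:\\Users\\jdoe\\up.log",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe", "CommandLine": "WINWORD.EXE /n", "User": r"CORP\jdoe"},
]

# Names checked against both the on-disk image name and OriginalFileName.
# OriginalFileName comes from the PE version resource, so it survives renaming on disk.
EXFIL_TOOLS = {
    "rclone": {"rclone.exe"},
    "winscp": {"winscp.exe", "winscp.com"},
}

# Rclone verb followed (somewhere later) by a "remote:" target. The remote name must be
# at least two characters and not be followed by a path separator, so a bare drive
# letter like C:\ is not mistaken for a remote.
RCLONE_TRANSFER = re.compile(
    r"\b(copy|sync|move|copyto)\b(?=.*\s[A-Za-z0-9_-]{2,}:(?![\\/]))", re.IGNORECASE)
# WinSCP's /script= and /command switches mean a scripted, non-interactive session.
WINSCP_SCRIPTED = re.compile(r"/(script|command)\b", re.IGNORECASE)


@dataclass
class Alert:
    tool: str
    reason: str
    image: str
    user: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Alert per event that launches a known exfiltration tool."""
    alerts = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        original = ev.get("OriginalFileName", "").lower()
        cmd = ev.get("CommandLine", "")
        for tool, names in EXFIL_TOOLS.items():
            if image not in names and original not in names:
                continue
            reasons = []
            if original in names and image not in names:
                reasons.append(f"binary renamed to {image!r} (OriginalFileName={original!r})")
            if tool == "rclone" and RCLONE_TRANSFER.search(cmd):
                reasons.append("bulk transfer to a configured remote")
            if tool == "winscp" and WINSCP_SCRIPTED.search(cmd):
                reasons.append("scripted (non-interactive) session")
            if not reasons:
                reasons.append("tool launched")
            alerts.append(Alert(tool, "; ".join(reasons), ev.get("Image", ""), ev.get("User", "")))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.tool}] {a.user}: {a.image} -- {a.reason}")
```

In a real deployment the same logic maps onto a SIEM rule: alert on OriginalFileName in the tool list regardless of image name, raise severity when the command line shows a remote target or a script file, and enrich with the parent process and the user so that a launch from a helpdesk session during a reported "IT call" stands out.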

ZeroFox Intelligence Brief: The Role of Initial Access Brokers in Ransomware Operations

Source: https://www.zerofox.com/advisories/40130/

What we know: ZeroFox assesses the role of Initial Access Brokers (IABs) in ransomware operations, with affiliates of groups such as Akira, BlackBasta, and Conti known to purchase unauthorized network access rather than conducting initial intrusions themselves. ZeroFox observed approximately 370 network access listings on the deep and dark web in Q1 2026.

Context: The division of labor between IABs and ransomware affiliates enables full ransomware deployment within hours, compressing attack timelines considerably. ZeroFox also observed a decline in publicly visible IAB listings between Q1 2025 and Q1 2026, likely reflecting market maturation rather than reduced activity.

Analyst note: High-value access is very likely being increasingly sold through private channels, while some ransomware groups appear to be internalizing access operations. Credential theft, infostealer malware, and exploitation of internet-facing infrastructure remain common access vectors, making early detection and monitoring increasingly critical.

DEEP AND DARK WEB INTELLIGENCE

ShinyHunters threatens to leak Charter data: U.S. telecommunications company Charter Communications has confirmed a data breach after the ShinyHunters extortion group listed the company on its leak site, claiming to have stolen 40 million customer records. The group claims the leak includes names, email addresses, phone numbers, plan information, and customer support ticket data.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-45659: Microsoft has patched a remote code execution (RCE) vulnerability in Microsoft Office SharePoint due to deserialization of untrusted data. The flaw enables an authorized attacker, with a minimum of Site Member permissions (PR:L), to execute code over a network. Threat actors are likely to attempt exploitation of the flaw to steal sensitive information, internal communications, and confidential data often shared via the collaboration platform.

Affected products: The affected products are listed in this advisory.

Tags: DIB, tlp:green