BMC Daily Cyber News

This is today’s cyber news for October 17th, 2025. Today’s brief tracks rising pressure on edge security and third-party risk: lawmakers want clearer answers from Cisco on zero-day firewalls, while Microsoft’s certificate purge aims to blunt Teams-delivered lures. On offense, North Korea hides malware in blockchain contracts and ships Trojanized “job tests,” while rootkits and loaders push deeper into Linux and mid-market Windows fleets. Critical software keeps the spotlight—Adobe Experience Manager Forms lands on the Known Exploited list, a CentreStack zero-day gets patched after live abuse, and an actively exploited Windows privilege escalation shortens the path from foothold to domain control. Data exposure remains costly and broad, from a 17.6-million-record fintech breach to a 40-billion-record email vendor leak and a Sotheby’s incident affecting high-net-worth clients.

You’ll hear concise, five-sentence rundowns for each story with the business why, who’s most exposed, concrete signals to watch, and a practical next step. Leaders get decision cues on patch lanes, vendor oversight, and fraud budgets; defenders get operational tells—from odd SNMP sets and web-shell writes to eBPF attachments and signed MSI abuse—that shorten detection time. We also cover brand impersonation via old “user:pass@” links, SEO-poisoned “Ivanti VPN” downloads, the PhantomVAI loader’s rotating payloads, “Silk Lure” and ValleyRAT persistence, China-linked “Jewelbug” inside a Russian MSP, Mango’s vendor breach, and leaked secrets in Visual Studio Code extensions. It’s a fast, executive-friendly pass designed to help you decide and act, available at DailyCyber.news.

What is BMC Daily Cyber News?

The BMC Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.

This is today’s cyber news for October 17th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com.

Lawmakers are pressing Cisco about recent zero-day flaws in its firewall and security appliances. That matters because exploited edge devices can become single points of failure for big networks. Regulated industries and public contractors are most exposed since audits will follow public pressure. Watch for off-cycle advisories and spikes in blocked exploit signatures on gateways. Make security appliances “tier-zero” and keep an emergency lane for patches with a same-day health check.

A North Korea–linked group is hiding malware inside blockchain smart contracts using a tactic called EtherHiding. The approach makes takedowns and filtering much harder because the payload lives on-chain. Crypto firms, fintechs, and developer communities with web portals are especially at risk. Look for unusual calls to blockchain API gateways and script tags that reference contract addresses in web logs. Gate or allow-list contract endpoints and inspect responses for executable content before they reach users.

Attackers are hijacking older Cisco switches by abusing an SNMP flaw to plant Linux-based rootkits. That’s dangerous because the implant can survive reboots, hide processes, and intercept traffic. Organizations running legacy campus or branch switches with broad SNMP exposure face the highest risk. Monitor for odd SNMP set operations and verify firmware images and modules across the fleet. Patch or isolate affected switch families now and disable risky SNMP modes while you verify integrity.

The security agency added a critical Adobe Experience Manager Forms bug to its Known Exploited list after confirmed in-the-wild attacks. Remote code execution on public-facing form portals can expose identity data and documents. Government services, healthcare, and financial institutions using A E M Forms are the most exposed. Watch for unexpected web-server file writes and new .jsp or .aspx files in web roots paired with outbound beacons. Patch immediately, or if you can’t, block admin paths at the edge and hunt for new web shells.

Microsoft revoked more than two hundred code-signing certificates that attackers used with Teams-based lures tied to Rhysida ransomware. The campaign abused trusted installers and corporate chat to slip past email defenses. Companies with heavy Teams use and lenient external chat settings are most at risk. Look for external tenant file-shares in audit logs and recently executed binaries with revoked signatures in endpoint telemetry. Tighten external sharing, purge revoked binaries from allow-lists, and confirm no endpoints executed the flagged installers.

This breach at Prosper exposed data for 17.6 million current and past loan applicants. That matters because stolen application details fuel identity theft and long-tail fraud. Banks, fintech partners, and call centers are most exposed to social engineering that references real loan facts. Watch for spikes in new-account attempts tied to breached emails or phone numbers and unusual credit pull requests from unfamiliar IP ranges. Enforce step-up checks on credit-seeking flows and throttle high-risk patterns while you review queues daily.

A misconfigured marketing email platform leaked 13.4 terabytes—roughly 40 billion records—of client email data. The risk is higher phishing hit rates because attackers can mimic real brand cadence and pre-headers. Retailers, banks, and media companies that rely on bulk email are particularly exposed. Look for upticks in reply-based phishing from lookalike domains and pre-headers that mirror your legitimate campaigns. Rotate vendor-shared tokens, set DMARC to reject, and tune detections for cadence and pre-header lookalikes.

Sotheby’s disclosed a breach exposing customer information and some payment details. That’s risky because attackers can pair it with public sale records to run extortion or invoice-swap scams. Luxury retail and art services with high-net-worth clients are most exposed. Monitor for last-minute changes to payout or shipping profiles and VIP logins from atypical countries. Require out-of-band verification for any payment or shipping change and ensure VIP monitoring rules are active.

An actively exploited Windows flaw in Remote Access Connection Manager, or R A C M, lets intruders elevate from user to system. That shortens the window from a small foothold to a full network incident. Mixed desktop fleets and environments with third-party VPN clients are most exposed. Watch for abrupt token privilege changes, new services created by non-admins, and scheduled tasks appearing after initial access. Patch now, restrict local service creation, and hunt for new high-privilege tasks within 24 hours.

Gladinet patched a CentreStack zero-day local file inclusion that attackers were abusing in live attacks. The danger is sensitive file reads that lead to credential theft and code execution on file-sharing gateways. Professional services, manufacturers, and regional healthcare providers are most exposed. Watch for web-server reads of sensitive paths like /etc/passwd or appsettings.json and admin logins from unfamiliar networks. Apply the vendor fix today, geofence management access, and rotate any credentials stored on the appliance.
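The two web-facing hunts above (new .jsp/.aspx files appearing in web roots for the AEM Forms item, and reads of sensitive paths like /etc/passwd or appsettings.json for the CentreStack LFI item) can be run against ordinary access logs. The script below is an added example written for this brief, not code from either vendor or from the original article; the log lines are constructed in Combined Log Format, the baseline of known script endpoints is a made-up allow-list, and the IPs are documentation ranges.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample traffic (Combined Log Format); not real logs.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Oct/2025:09:01:02 +0000] "GET /content/forms/af/apply.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Oct/2025:09:01:09 +0000] "POST /content/forms/af/apply.html HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Oct/2025:09:02:15 +0000] "GET /portal/download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1890 "-" "curl/8.4"
198.51.100.7 - - [17/Oct/2025:09:02:20 +0000] "GET /portal/download?file=../../appsettings.json HTTP/1.1" 200 2207 "-" "curl/8.4"
198.51.100.7 - - [17/Oct/2025:09:03:01 +0000] "GET /content/dam/img/cmd.jsp?c=id HTTP/1.1" 200 88 "-" "curl/8.4"
192.0.2.44 - - [17/Oct/2025:09:04:11 +0000] "GET /libs/cq/ui/widgets.aspx HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Hypothetical baseline: script endpoints you expect to exist on the portal.
# Anything ending in a server-side script extension that is NOT here is new.
KNOWN_SCRIPTS = frozenset({"/libs/cq/ui/widgets.aspx"})

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")
SCRIPT_RE = re.compile(r"\.(?:jsp|jspx|aspx|ashx|asmx|php)$")
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "appsettings.json", "web.config", "wp-config.php")


def decode_uri(uri: str) -> str:
    """URL-decode twice so double-encoded traversal (%252e%252e%252f) is caught too."""
    return unquote(unquote(uri))


def classify(uri: str, known_scripts=KNOWN_SCRIPTS) -> list:
    """Return the list of reasons a request URI is worth a look (empty = clean)."""
    reasons = []
    decoded = decode_uri(uri).lower()
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path-traversal")
    if any(name in decoded for name in SENSITIVE_FILES):
        reasons.append("sensitive-file")
    path = decoded.split("?", 1)[0]
    if SCRIPT_RE.search(path) and path not in known_scripts:
        reasons.append("unbaselined-script")
    return reasons


def hunt(log_text: str, known_scripts=KNOWN_SCRIPTS) -> list:
    """Parse each log line and keep only the requests that raise at least one reason."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash a scheduled hunt
        reasons = classify(m["uri"], known_scripts)
        if reasons:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "uri": m["uri"], "status": int(m["status"]), "reasons": reasons,
            })
    return findings


def summarize_by_ip(findings: list) -> dict:
    """Count flagged requests per source, a quick way to rank who to block first."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ip"], f["status"], ", ".join(f["reasons"]), f["uri"])
    print(summarize_by_ip(hunt(SAMPLE_LOG)))
```

A 200 on a traversal or sensitive-file request is the signal that matters most: it means the gateway served the file, so treat every credential stored on that appliance as exposed and rotate it, as the item advises. For the web-shell case, pair the unbaselined-script hit with a file-integrity check of the web root, since the access log only shows the shell being used, not being written.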

“Silk Lure” is a targeted phishing campaign that uses Windows Task Scheduler to quietly install ValleyRAT. It matters because scheduled tasks look like maintenance jobs, letting attackers persist and collect data for weeks. Financial services, fintech vendors, and research firms tied to capital markets are most exposed. Watch for new tasks launching scripts from user-writable paths and scripting engines triggered soon after email deliveries. Block script execution from user folders, remove unknown tasks at scale, and confirm ValleyRAT indicators are covered in endpoint detections.
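The tells listed for this campaign (tasks launching scripts from user-writable paths, scripting engines fired soon after mail delivery) map directly onto the XML that Task Scheduler stores for each task. The triage script below is an added example, not code from the original brief or from any ValleyRAT report; the three task definitions, the user names and the mail-delivery timestamps are all constructed, and the 30-minute correlation window is an assumed tuning value.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths a normal user can write to; maintenance jobs rarely launch from here.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|documents|desktop)\\|\\users\\public\\|\\temp\\"
    r"|%(appdata|localappdata|temp|userprofile)%",
    re.IGNORECASE,
)
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
HIDDEN_FLAGS = re.compile(r"-w(?:indowstyle)?\s+hidden|//b\b", re.IGNORECASE)
MAIL_WINDOW = timedelta(minutes=30)  # assumed: task registered within 30 min of a delivery

# Constructed task XML, shaped like exported Task Scheduler definitions.
SAMPLE_TASKS = {
    "Vendor Updater": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\svc-deploy</Author><Date>2025-10-01T03:00:00</Date></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/quiet</Arguments></Exec></Actions>
</Task>""",
    "OneDrive Sync Helper": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\alice</Author><Date>2025-10-17T09:14:00</Date></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\wscript.exe</Command><Arguments>//B //Nologo "C:\Users\alice\AppData\Roaming\Sync\helper.vbs"</Arguments></Exec></Actions>
</Task>""",
    "Quarterly Report": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\bob</Author><Date>2025-10-17T11:40:00</Date></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command><Arguments>-NoProfile -WindowStyle Hidden -File "C:\Users\Public\report.ps1"</Arguments></Exec></Actions>
</Task>""",
}

# Constructed mail-gateway delivery times per recipient account.
MAIL_DELIVERIES = {
    "CORP\\alice": [datetime(2025, 10, 17, 9, 2)],
    "CORP\\bob": [datetime(2025, 10, 16, 8, 0)],
}


def triage_task(name: str, xml_text: str, mail_deliveries: dict) -> dict:
    """Collect every reason a single task definition looks like a phishing foothold."""
    root = ET.fromstring(xml_text)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    date = root.findtext("t:RegistrationInfo/t:Date", default="", namespaces=NS)
    reasons = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS)
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if USER_WRITABLE.search(f"{cmd} {args}"):
            reasons.append("user-writable-path")
        if cmd.split("\\")[-1].lower() in SCRIPT_ENGINES:
            reasons.append("scripting-engine")
        if HIDDEN_FLAGS.search(args):
            reasons.append("hidden-window")
    # Correlate registration time with mail delivered to the registering account.
    if date and author in mail_deliveries:
        registered = datetime.fromisoformat(date)
        if any(timedelta(0) <= registered - d <= MAIL_WINDOW for d in mail_deliveries[author]):
            reasons.append("registered-soon-after-mail")
    return {"task": name, "author": author, "reasons": reasons}


def is_suspicious(finding: dict) -> bool:
    """A user-writable launch path alone is enough; otherwise need engine + hidden window."""
    r = set(finding["reasons"])
    return "user-writable-path" in r or {"scripting-engine", "hidden-window"} <= r


def triage_all(tasks: dict, mail_deliveries: dict) -> list:
    """Return only the tasks that cross the suspicion threshold, in input order."""
    return [f for f in (triage_task(n, x, mail_deliveries) for n, x in tasks.items()) if is_suspicious(f)]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_TASKS, MAIL_DELIVERIES):
        print(f["task"], f["author"], ", ".join(f["reasons"]))
```

In a real fleet the XML comes from an EDR export or `schtasks /query /xml` collected centrally, and the mail timestamps from the gateway; the point of the correlation step is to rank tasks by proximity to a delivery rather than to prove causation, which is what makes "remove unknown tasks at scale" tractable.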

Mango says a marketing vendor breach exposed customer contact details and engagement data across several countries. The risk is phishing that mirrors the brand’s exact cadence, plus account takeovers that feel routine to customers. Retailers, e-commerce brands, and loyalty program operators are most exposed. Watch for login attempts from never-seen devices right after outbound campaigns and phishing domains copying your pre-headers. Rotate vendor credentials now, enforce D M A R C p=reject, and tune anomaly detections to campaign timing.
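Both the email-vendor leak item and this one end with the same control, a DMARC policy at reject. Whether a domain is actually there is a one-line DNS lookup plus a parse of the TXT record, and the check below does that parse. It is an added example for this brief, not code from Mango or the original article; the two records are constructed, and the `rua` mailbox is a placeholder.

```python
# Constructed records: one permissive, one at the level the brief asks for.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into lowercase tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> list:
    """Return the gaps between this record and an enforcing p=reject posture (empty = good)."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        issues.append(f"p={policy or 'missing'}: spoofed mail is not rejected")
    # sp defaults to p; an explicit weaker sp leaves subdomains open for lookalike campaigns.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        issues.append(f"sp={sub_policy or 'missing'}: subdomains not rejected")
    # pct defaults to 100; anything lower samples the policy instead of enforcing it.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address: you will not see who is spoofing you")
    return issues


def dmarc_txt_name(domain: str) -> str:
    """Name to query for the TXT record; resolve with your DNS client of choice."""
    return f"_dmarc.{domain}"


if __name__ == "__main__":
    print(dmarc_txt_name("example.com"))
    for record in (WEAK_RECORD, STRONG_RECORD):
        print(record, "->", assess_dmarc(record) or "enforcing")
```

The lookup itself is left to whatever resolver you already use (for example `dig TXT _dmarc.example.com`), so the assessment runs offline on the record text. Run it over every sending domain the vendor was authorized for, not just the primary brand domain, since the pre-header mimicry the brief describes works just as well from a forgotten subdomain.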

That’s the BareMetalCyber Daily Brief for October 17th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com. We’re back Monday!