The BCM Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.
This is today’s cyber news for November 26th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
Emergency alerts in multiple communities went quiet after a cyberattack struck the CodeRED notification platform. Many cities and campuses suddenly lost access to the web portals and mobile apps they normally use to send warnings. Instead of connecting directly with residents, emergency managers had to scramble back to sirens, radio, local news, and social channels just to push basic safety messages. That matters because even a short outage during severe weather or a chemical spill can mean people never see orders to evacuate or shelter in place. The provider has begun restoring service and investigating the intrusion, but customers still want clear answers about what failed and what will change.
A tiny logging agent called Fluent Bit turned into a big headache when researchers found critical bugs that could let attackers seize control of it. This agent ships inside countless cloud and container images that teams quietly deploy across clusters and virtual machines. By feeding crafted log records into the system, an attacker who can influence log traffic might crash the agent or execute malicious code right next to production workloads. The risk is higher in busy cloud environments where nobody has a complete inventory of which servers and appliances rely on this component. Maintainers and cloud providers have issued fixes, and now security and operations teams need to track down every copy and make sure it is updated.
High-value users of secure messaging apps found that their conversations were only as safe as their phones when commercial spyware hijacked devices running Signal and WhatsApp. Targets include journalists, political staff, executives, lawyers, and activists whose work touches sensitive issues. Attackers lured people to malicious links, booby-trapped sites, or fake apps that exploited mobile software flaws, then quietly recorded chats, calls, locations, and even camera feeds. That turns an encrypted chat tool into a surveillance device and exposes not only the user but also everyone who talks with them. Phone vendors have released patches for some vulnerabilities, yet older and unmanaged devices still lag behind, so organizations are building special protection programs for high-risk users.
Researchers digging through years of data on online code tools discovered thousands of live passwords, keys, and tokens that developers had pasted there for convenience. Some of those secrets belonged to banks, governments, health providers, and major technology firms. Because many of these sites store input and allow searching, anyone who knows what to look for can sift through formatted code snippets and quietly harvest database logins, remote access details, and admin console credentials. That creates a slow-moving breach in which sensitive information seeps out of development teams and into the wider internet over months or years. The study pushed many organizations to roll out secrets scanning and to rotate exposed credentials, while also reminding teams not to paste production data into external helpers.
Travelers who have flown with Iberia now face the risk that detailed booking and loyalty records sit in the hands of a ransomware gang. Leaked samples suggest the stolen files include passenger names, contact details, travel histories, and some payment related information. Armed with that data, criminals can craft convincing scam emails, track high profile travelers, or combine records with other leaks to siphon money and identities. For companies that book frequent international travel, the exposure adds to concerns about stalking, corporate espionage, and tailored phishing against executives and staff. Iberia continues to work with investigators and regulators, and affected customers are starting to receive notifications and advice on watching for fraud.
In commercial real estate, a breach at SitusAMC pulled sensitive loan and deal records into the open. These systems handle back office work for banks, lenders, and investors that rely on the vendor to process complex transactions. When attackers access those files, they can see contract terms, counterparties, transaction sizes, and servicing details, giving them a map of how money flows through specific portfolios. That map can fuel targeted social engineering against finance staff, legal teams, and clients whose names appear in the documents. The company has notified customers and regulators and is working to contain the incident, while affected firms step up monitoring around related accounts and applications.
Dartmouth College confirmed that the Clop extortion group broke into an Oracle-based business platform and stole administrative data. The affected systems support finance, payroll, and other back office operations rather than classroom or research work. Using a previously unknown software flaw, attackers reached the platform, copied files, and later posted samples on a leak site to pressure the university into paying. Such compromises can expose employee records, vendor details, and internal documents in ways that damage trust with staff and partners. Dartmouth has begun notifying impacted people and is working with outside experts to understand the full scope and remediate weaknesses.
Criminals posing as helpful bank support agents have driven a wave of account takeover fraud that now totals more than two hundred sixty two million dollars in reported losses. Victims receive calls, texts, or emails that look legitimate, then are coached into sharing one time codes, installing remote tools, or approving transfers the crooks control. Because the customer believes they are stopping a problem, they often read out security codes or tap approval buttons while the scammer quietly drains accounts in the background. The Federal Bureau of Investigation, F B I, has warned that these schemes cut straight through multiple security layers and leave both banks and customers arguing over who should bear the loss. Financial institutions are responding with stronger analytics and clearer client education, but fraudulent calls and messages continue to spread across many regions.
An outage in Exchange Online left many organizations staring at stalled email as classic Outlook clients failed to reach cloud mailboxes. Staff scrambled to switch to webmail, mobile apps, or side channels for urgent approvals and customer conversations. Because so many workflows run through Outlook and Exchange, even a few hours of downtime can snarl sales, support, and internal decision making. The incident highlights how a single cloud provider outage can ripple across finance teams, operations crews, and external partners who expect instant responses. Microsoft acknowledged the problem and rolled out fixes, while customers reviewed status dashboards and incident plans to see how they handled the disruption.
Researchers tracking Russian and North Korean state-linked hackers see growing signs that these groups are sharing infrastructure and techniques. Overlapping command servers, reused malware code, and synchronized campaigns point to deeper collaboration than in past years. With that shared playbook, attackers can refine intrusion methods more quickly and then aim them at government agencies, defense and aerospace firms, banks, and cryptocurrency platforms across multiple regions. The result is a more efficient and harder-to-attribute threat landscape that puts any organization tied to strategic industries in the crosshairs. Security teams are responding by focusing more on behavior-based detection and by treating activity from these regions as a potential sign of coordinated campaigns.
State-linked hackers are quietly steering malware through well-known cloud apps that companies already trust. Traffic to these services looks painfully ordinary. Infected machines reach out to shared documents, chat channels, or storage locations where commands and stolen data are dropped in plain sight. That matters because blocking lists and simple firewalls rarely flag connections to popular productivity platforms that staff use every day. Security teams are responding by building richer baselines for cloud activity and by working with providers when they suspect abuse.
Researchers outlined a focused campaign where the RomCom group went after a United States civil engineering firm tied to infrastructure projects. The lure was a fake software update site. Employees who downloaded tools from the bogus page pulled in the SocGholish framework, which quietly installed remote access and persistence on workstations. Because that firm works on transportation and public works designs, a deep foothold there could give attackers insight into networks and facilities they should never see. Defenders in similar organizations are now tightening software sourcing rules, expanding monitoring on engineering machines, and preparing playbooks for geopolitically motivated intrusions.
A separate investigation found that some Blender 3D assets on popular marketplaces carried hidden scripts that delivered the StealC version two information stealing malware. Artists simply opened models and got infected. On Windows, macOS, and Linux workstations, the malware tried to siphon browser passwords, crypto wallet details, and other sensitive data in one sweep. That stolen mix can unlock personal email, financial accounts, cloud consoles, and even corporate portals that designers access from the same powerful machines. Studios are responding by setting stricter rules for asset sourcing, watching for unusual scripts from creative tools, and tuning defenses around design teams.
Another campaign pushed a framework called JackFix by popping up fake Windows update prompts on adult-themed websites. The prompts looked like real system messages. People who followed the instructions ran small programs or commands that installed multiple information stealers, which pried passwords, cookies, and crypto wallets from their devices. Because many of these infections landed on personal laptops later used for corporate email or remote access, stolen data can now fuel workplace intrusions. Security teams are enhancing endpoint controls, sharpening identity monitoring, and reminding staff that real updates come only through trusted system channels, not random browser pop-ups.
Mozilla quietly shipped an important Firefox update that closes a browser engine bug which could allow code execution on visiting a malicious website. The flaw lived in low-level memory handling. An attacker who chained the issue with other weaknesses could potentially run their own instructions inside the browser context and then reach sensitive apps. This is especially worrying on machines that use Firefox to reach internal administration portals or financial tools that hold valuable data. Administrators are now pushing the fixed release across fleets and checking that users with higher privileges are not stuck on older, exposed versions.
The long-running ToddyCat group has evolved its tooling to better drain corporate email and cloud access from victims. New modules target Outlook and cloud tokens. By copying mail data and harvesting tokens used to reach mailboxes and other services, attackers can impersonate users without constantly logging in again. That means a single stolen token may unlock shared mailboxes, archives, and linked applications for long stretches before anyone notices. Organizations that rely heavily on Microsoft-based ecosystems are tightening conditional access, shortening token lifetimes, and adding detections for unusual mailbox and token behavior.
During the Black Friday rush, security teams counted more than two million phishing attempts aimed at shoppers and gamers. Many lures copied real brand promotions. Attackers cloned login pages for retailers, gaming platforms, and payment portals, then drove clicks with fake discounts, support chats, and giveaway messages. Once victims entered details, the sites either stole credentials and card numbers directly or tried to install malware that grabbed even more data. Companies with staff who shop or game on the same devices used for work are tightening detection, education, and controls before the next big sales season.
Fresh research into phishing shows that many of the most successful campaigns never trip traditional enterprise email or web filters. Attackers keep changing the playing field. They now lean on cloud-hosted forms, compromised legal sites, and dynamic pages that only morph into malicious content after a person clicks through. Because messages also spill over into collaboration tools, text messages, and social platforms, controls that only guard the inbox miss a growing slice of risk. Mature programs are shifting toward behavior-focused detection, strong multi-factor authentication, M F A, and fast response drills that assume some lures will always get through.
Hardware researchers demonstrated that a relatively cheap add-on device can undermine some confidential computing features by peeking at encrypted memory traffic. The attack still demands physical access and skill. In their proof of concept, they clipped hardware into server memory paths and gradually reconstructed data that should have remained hidden under chip-level protections. That finding reminds cloud providers and enterprises that hardware assurances are just one layer and not an unbreakable shield for sensitive workloads. Operators of high-value environments are now reviewing which platforms are affected, strengthening physical safeguards, and planning extra controls for their most sensitive data sets.
Investigators also highlighted a free chat-style hacking bot that uses large language models to coach beginners through basic cybercrime steps. The bot suggests scripts and phishing copy. People who might once have given up after a few failures can now keep experimenting as the assistant proposes commands, tools, and wording to try. That does not instantly create elite attackers, yet it raises the background noise of reasonably convincing scams and crude intrusion attempts across the internet. Security teams are updating training, tuning detections for patterns these tools tend to produce, and preparing to handle a larger volume of modest but persistent threats.
That’s the BareMetalCyber Daily Brief for November 26th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at Daily Cyber dot news. We’re back tomorrow.