The BCM Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.
This is today’s cyber news for November eighteenth, twenty twenty five. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
American Israel Public Affairs Committee, A I P A C, has disclosed that a third party handling supporter data was breached. Investigators say attackers had access to an external system for months, long enough to siphon personal records out of supporter lists. Many affected individuals are long-time political supporters. Leaders now worry about harassment, targeted phishing, and intimidation that could follow if more details linked to advocacy work circulate among hostile actors. Right now, A I P A C and the vendor are narrowing the scope, notifying impacted people, and preparing for questions from regulators and the public.
North Korean operators are quietly turning ordinary development projects into malware delivery channels. Researchers say the groups trojanize tools developers download, then pull additional payloads from common cloud storage sites as the code runs. Developers see a helpful utility, not a trap. Executives face the risk that poisoned components will slip into build pipelines, where they can compromise releases and leak source code. Meanwhile, defenders are racing to catalog affected projects, tighten dependency rules, and watch build servers for strange outbound connections and new processes.
Pennsylvania’s attorney general has confirmed that a cyberattack in August led to the theft of files containing legal and medical information. Officials explain that attackers spent enough time inside internal systems to locate sensitive case folders and copy records tied to people seeking help from the office. The stolen details cover both personal data and health-related histories. Communities that already feel vulnerable may now worry about embarrassment, blackmail, or fraud attempts that exploit those combined legal and medical facts. Finally, the office is notifying affected individuals, reviewing protections around mixed data repositories, and coordinating with partners that may also hold overlapping records.
Fortinet’s FortiWeb web application firewall, W A F, is under active attack because of a critical vulnerability that grants remote control to unauthenticated users. Reports indicate that attackers are scanning the internet for exposed devices, sending crafted requests, and using successful hits to run commands with administrator privileges. Those commands can reshape how protected websites handle traffic. Business leaders face the possibility that once-trusted perimeter gear could be turned into a launchpad for data theft, credential harvesting, or silent traffic redirection. In response, security teams are racing to inventory FortiWeb appliances, apply patches, restrict management access, and check logs for strange configuration changes or outbound connections.
Microsoft Azure recently absorbed a record-breaking distributed denial of service, D D o S, attack measured at roughly fifteen point seven terabits per second. According to Microsoft, the Aisuru botnet assembled traffic from more than half a million compromised devices, blending multiple protocols to flood targeted services. Customer workloads stayed online, but stress on defenses was clear. Organizations that rely on Azure for public-facing applications now have a concrete example of how massive these storms can become and how quickly they evolve. Today, cloud and network teams are tuning D D o S protections, revisiting capacity assumptions, and watching telemetry for abnormal traffic spikes that might signal copycat campaigns.
DoorDash recently fixed a flaw that let outsiders send emails that looked fully legitimate to customers and drivers. Researchers showed how an attacker could spoof messages from a real DoorDash domain and slip past standard authenticity checks. That mechanism created a nearly perfect lane for phishing, where users might hand over card data or passwords, or install rogue apps, without suspecting anything. For many organizations, this incident matters because it proves that even well known consumer brands can have email defenses quietly bypassed, turning brand trust into a weapon. Today, the company has updated its controls and monitoring, but defenders elsewhere are urged to review their own email authentication settings and watch for forged messages that still manage to reach inboxes.
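The email authentication review urged above comes down to reading the SPF and DMARC TXT records a domain publishes and checking them for the settings that let forged mail through. What follows is an added example written for this brief, not DoorDash's code and not a description of the flaw the researchers found: a small linter that parses both record types and reports weak settings such as a DMARC policy of p=none, a permissive +all or ?all in SPF, the deprecated ptr mechanism, and too many DNS-lookup mechanisms. The record strings, function names, and example domains are constructed for illustration; a real check would first fetch the TXT records for the domain and for _dmarc under it, which this offline version skips.

```python
"""Lint SPF and DMARC TXT records for settings that let spoofed mail through.

Added example for this brief; not DoorDash code. The record strings below are
constructed for illustration and do not describe any real domain's DNS.
"""

# A live check would fetch TXT for <domain> and _dmarc.<domain>; here the
# records are passed in as strings so the linter runs offline.

# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208 section 4.6.4).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list:
    """Return human-readable findings; an empty list means no weak setting found."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failing mail is only reported, never quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"p= tag missing or invalid ({policy!r}); record is unusable")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains can be spoofed even though p= is strict")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings


def lint_spf(record: str) -> list:
    """Return findings for an SPF record: weak 'all' qualifier, ptr, lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # RFC 7208: default qualifier is '+'
        body = term.lstrip("+-~?").lower()
        # Strip ':domain', '=value' and '/cidr' to get the bare mechanism name.
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name == "all":
            all_qualifier = qualifier
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism: deprecated by RFC 7208 and unreliable")
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: every host on the internet is an authorised sender")
    elif all_qualifier == "?":
        findings.append("?all: neutral result, equivalent to having no policy")
    elif all_qualifier == "~":
        findings.append("~all: softfail only; receivers usually still deliver, so DMARC must enforce")
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms: over the RFC 7208 limit of 10, evaluates to permerror")
    return findings


# Constructed records (not any real domain's DNS).
WEAK_SPF = "v=spf1 include:_spf.mail.example.net a mx ptr +all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", lint_spf(spf) or ["ok"])
        print(label, "DMARC:", lint_dmarc(dmarc) or ["ok"])
```

The two halves matter together: a strict SPF record is of little use if DMARC stays at p=none, because receivers are then told to report failures rather than act on them, and a strict DMARC policy only protects subdomains if sp= is not weakened.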
Everest, a ransomware group, claims it gained access to Under Armour systems and copied hundreds of gigabytes of internal data. Investigators have seen screenshots that appear to show customer records and corporate documents, though the full scope of what was siphoned remains under review. The group is following the double extortion model by encrypting systems, stealing data, and then threatening to leak or sell it if demands are not met. For companies that live on consumer trust, an event like this matters because it merges disruption, privacy risk, and brand damage into a single prolonged crisis. Under Armour is working with experts and authorities, while security teams everywhere are revisiting how they segment sensitive data, log access, and detect large transfers before attackers can quietly exfiltrate information.
Princeton University has confirmed that attackers broke into systems tied to advancement and fundraising, exposing data about alumni, donors, and affiliates. Evidence suggests the intrusion started with a targeted phishing email that captured a user password, which then opened the door to move deeper into databases that track giving history and contact details. Those records can be mined to craft believable scams that mention real donation amounts, events, and staff names, making it easier to fool generous supporters. For the wider higher education sector, this matters because fundraising offices often hold rich personal profiles but have not always been treated as high security zones. Princeton is notifying affected individuals and tightening protections, while other universities are being urged to strengthen multifactor authentication, watch login patterns, and limit who can run large data exports from donor systems.
Dutch police have seized roughly two hundred and fifty servers that formed the backbone of a so called bulletproof hosting operation for cybercriminals. Investigators mapped how those servers supported phishing pages, malware distribution, and command infrastructure, then coordinated with partners to raid data centers and pull machines offline. That takedown clobbered active campaigns overnight, though many of the same crews are expected to rebuild on new infrastructure in time. For security teams and leaders, the operation matters because it provides fresh indicators to feed into blocking rules and shows the value of sharing intelligence with law enforcement. As cases progress, organizations can compare their own logs against seized network ranges, update filters, and stay alert for criminals who try to piggyback on other permissive hosting providers.
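Comparing logs against seized network ranges, as suggested above, is a sweep over whatever address fields your firewall, proxy, and DNS logs carry. The following is an added example written for this brief, not code from the Dutch operation or any vendor: it extracts IPv4 and IPv6 addresses from free-form log lines, validates each candidate, and reports those that fall inside a CIDR list. The ranges use documentation address space and the log lines are constructed; the brief does not publish the seized ranges, so nothing here identifies real infrastructure. Handling IPv6 alongside IPv4 goes slightly beyond the text, since indicator lists routinely mix both.

```python
"""Sweep log lines for addresses inside a set of network ranges.

Added example for this brief, not code from the Dutch police operation or
any vendor. The CIDR list and log lines below are constructed placeholders
(documentation ranges), not the seized infrastructure, which the brief does
not enumerate.
"""
import ipaddress
import re

# Constructed ranges standing in for a published indicator list.
SEIZED_RANGES = ["198.51.100.0/24", "203.0.113.64/26", "2001:db8:beef::/48"]

# Constructed firewall / proxy / DNS log lines in mixed formats.
LOG_LINES = [
    "2025-11-18T09:12:01Z fw allow src=10.0.4.17 dst=198.51.100.23 dport=443",
    "2025-11-18T09:12:05Z fw allow src=10.0.4.17 dst=93.184.216.34 dport=443",
    "2025-11-18T09:13:10Z proxy GET http://203.0.113.77/update.bin from 10.0.7.2",
    "2025-11-18T09:14:00Z dns query evil.example A from 10.0.7.2 -> 203.0.113.10",
    "2025-11-18T09:15:42Z fw allow src=10.0.9.9 dst=2001:db8:beef:1::5 dport=8443",
]

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Loose IPv6 candidate pattern; ipaddress validation below rejects false hits.
IPV6_RE = re.compile(r"(?<![\w:])(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?![\w:])")


def extract_ips(line: str) -> list:
    """Pull every syntactically valid IPv4/IPv6 address out of a free-form line."""
    found = []
    for pattern in (IPV4_RE, IPV6_RE):
        for match in pattern.finditer(line):
            try:
                found.append(ipaddress.ip_address(match.group(0)))
            except ValueError:
                continue  # e.g. "300.1.2.3" or a colon-separated time fragment
    return found


def build_matcher(cidrs):
    """Return a function mapping an address to the first containing network, or None."""
    networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def matcher(addr):
        for net in networks:
            if addr.version == net.version and addr in net:
                return net
        return None

    return matcher


def scan_logs(lines, cidrs) -> list:
    """Return (address, matched_network, line) for every address inside the ranges."""
    match = build_matcher(cidrs)
    hits = []
    for line in lines:
        for addr in extract_ips(line):
            net = match(addr)
            if net is not None:
                hits.append((str(addr), str(net), line))
    return hits


if __name__ == "__main__":
    for addr, net, line in scan_logs(LOG_LINES, SEIZED_RANGES):
        print(f"{addr:<22} in {net:<20} {line}")
```

Note that the fourth constructed line, with 203.0.113.10, is deliberately outside the /26 and produces no hit; matching on whole /24s when the indicator is narrower is a common source of false positives in these sweeps.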
Researchers have uncovered a botnet called RondoDox that is compromising servers by exploiting an old remote code execution flaw in the XWiki platform. Automated scans hunt for unpatched XWiki installations exposed to the internet, then send crafted requests that install malware and quietly enroll each system into the botnet. Once under control, those hijacked servers can be used to launch further attacks, host phishing content, or relay malicious traffic that is hard to trace back to the original operators. For organizations that rely on collaboration and documentation tools, this trend matters because forgotten or abandoned apps can silently become launchpads for wider campaigns. System owners are now being urged to inventory any XWiki deployments, apply overdue updates, and monitor for unusual processes or outbound connections that suggest a compromised server is helping to drive the RondoDox network.
That’s the BareMetalCyber Daily Brief for November eighteenth, twenty twenty five. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com. We’re back tomorrow.