BMC Daily Cyber News

This is today’s cyber news for October 20th, 2025. Social platforms and trusted clouds drive the lead stories: “ClickFix” videos walking viewers into info-stealers, and Microsoft Azure Blob Storage abused to deliver convincing Microsoft 365 phishing. We also cover a critical WatchGuard VPN flaw, certificate abuse behind fake Teams installers, and Microsoft’s severe Kestrel request-smuggling fix. Rounding out the brief are vendor and platform risks (F5, ConnectWise, 7-Zip, Linux-PAM, Zimbra), targeted regional campaigns, large-scale fraud infrastructure, and enforcement wins. Each item translates impact into clear business actions.
Listeners will hear exactly what happened, why it matters to the business, who is most exposed, the signals to watch, and one practical next step for every headline. Leaders get crisp prioritization for identity, vendor exposure, and email fraud; defenders get detection cues for copy-paste tutorials, cloud-hosted phishing, appliance patching, and post-compromise elevation. It’s a fast, plain-English rundown you can act on today, with the narrated daily feed available at DailyCyber.news.

What is BMC Daily Cyber News?

The BMC Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.

This is today’s cyber news for October 20th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at DailyCyber.news.

Criminals are posting short “ClickFix” videos that walk people through fake activation steps that actually install information-stealing malware. This matters because users follow the tutorial and essentially infect themselves, exposing passwords, tokens, and wallets. The most exposed are small businesses, students, contractors, and creators who search social video for quick fixes. Watch for sudden spikes in token exfiltration and new scheduled tasks right after media app installs. Your next step is to block known stealer families at endpoint and DNS, and publish your own sanctioned how-to guides.

Attackers are abusing Azure Blob Storage to host convincing Microsoft 365 login pages that carry real Microsoft certificates. That’s risky because the brand and padlock make the pages feel safe, driving higher credential theft rates. Finance staff, executive assistants, and admins are the most exposed since they handle many sign-in prompts. Watch for impossible travel sign-ins, token replays, and new inbox rules forwarding invoice threads. The move now is to require phishing-resistant authentication for high-risk roles and tighten conditional access.

A critical bug in WatchGuard Fireware’s IKEv2 service allows unauthenticated code execution on Firebox VPN appliances. This matters because a compromised edge device hands over gateway control and a pivot into internal networks. MSPs, retail chains, clinics, and branch offices with slow change control are most at risk. Watch for unexpected tunnel establishments, IKE daemon crashes, and policy or user changes outside change windows. Patch immediately or disable IKEv2 externally and confirm no new peers or admins appeared.

Microsoft fixed a severe request-smuggling flaw in the Kestrel web server used by ASP.NET Core apps. It matters because smuggled requests can hijack sessions, leak data, or bypass access checks, especially behind misconfigured proxies. SaaS providers and internal portals running .NET behind custom front ends are most exposed. Watch for mismatched 4xx or 5xx spikes on the edge alongside clean back-end logs, and odd session reuse. The practical step is to patch quickly and, if delayed, restrict exposure and verify proxy and Kestrel parsing alignment with test cases.
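
The “parsing alignment” check above needs a reference verdict for each test request. The following strict HTTP/1.1 framing classifier (RFC 9112 section 6.3) is an added example, not code from BMC or Microsoft: feed the same constructed requests to your proxy and to Kestrel, and any hop that accepts what this classifier rejects is a hop that can disagree with its neighbour.

```python
"""Strict HTTP/1.1 framing verdicts for request-smuggling alignment tests.

Added example, not from the BMC brief or from Microsoft. Returns the verdict a
strict parser must give; compare it with what each hop in your stack does.
"""
import re

# Header name must be an RFC token; value is trimmed of surrounding whitespace.
HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def _headers(raw: bytes) -> list[tuple[bytes, bytes]]:
    """Split the header block into (lower-cased name, value); reject bare LF and obs-fold."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing end of header block")
    out = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if b"\n" in line or line[:1] in (b" ", b"\t"):
            raise ValueError("bare LF or obsolete line folding")
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"malformed header line {line!r}")
        out.append((m.group(1).lower(), m.group(2)))
    return out


def framing_verdict(raw: bytes) -> str:
    """'chunked', 'length:<n>' or 'none' when framing is unambiguous, else 'reject:<reason>'."""
    try:
        hdrs = _headers(raw)
    except ValueError as exc:
        return f"reject:{exc}"
    te = [v for k, v in hdrs if k == b"transfer-encoding"]
    cl = [v for k, v in hdrs if k == b"content-length"]
    if te and cl:
        # Two hops that prefer different headers would read different body lengths.
        return "reject:both Transfer-Encoding and Content-Length"
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked" or codings.count(b"chunked") != 1:
            return "reject:chunked must be the final and only chunked coding"
        return "chunked"
    if cl:
        values = {v.strip() for v in cl}
        if len(values) != 1:
            return "reject:conflicting Content-Length values"
        value = values.pop()
        if not re.fullmatch(rb"[0-9]+", value):
            return "reject:non-numeric Content-Length"
        return f"length:{int(value)}"
    return "none"
```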

Attackers accessed parts of F5’s engineering environment, including some BIG-IP source code and bug notes. That matters because any leaked design detail can speed up exploit development against devices that often front critical apps. The most exposed are enterprises running legacy TMOS versions or leaving management interfaces reachable from the internet. Watch for external scans surfacing “/mgmt” endpoints and unexpected config diffs or virtual server changes. Your move is to patch and harden now, and remove public management access while you verify no surprise users or iRules were added.

A flaw in ConnectWise Automate opened a path for adversary-in-the-middle tampering during updates. This is risky because RMM tools have high privileges, so one poisoned update can spread across many customers. MSPs and the small businesses they support are most exposed when broad Automate permissions exist. Watch for unexpected task deployments outside change windows and new services or scheduled tasks right after an “update.” Update Automate servers and agents immediately, and if you can’t, disable mass deployments and validate agent binaries against vendor baselines.

Public proof-of-concept exploit code dropped for 7-Zip, the widely used file archiver. It matters because crafted archives can trigger code execution when opened or previewed, turning everyday attachments into entry points. Power users, help desks, and developers who handle many archives are most exposed. Watch for 7z.exe spawning scripts or PowerShell and executions from unusual directories. The step to take is to deploy the latest 7-Zip everywhere and temporarily restrict risky archive previews until telemetry is clean.

A Linux-PAM vulnerability with a working proof-of-concept enables local privilege escalation to root. That’s important because once attackers land, this shortens the path to full control across servers and containers. Universities, shared hosts, and DevOps fleets with many users or service accounts are most exposed. Watch for auth failure spikes followed by privilege grants and creation of new setuid binaries or PAM config changes. Patch quickly, and if maintenance lags, restrict interactive access and enforce MFA on sudo where feasible.

Zimbra Collaboration Suite had a server-side request forgery bug that let unauthenticated attackers hit internal resources. This is dangerous because it can expose tokens and internal endpoints, and chained attacks can escalate fast. Schools, local government, and small enterprises running on-prem Zimbra are most exposed. Watch for outbound requests from the mail server to cloud metadata IPs and unusual internal URL fetches in web logs. Apply the fix now, and if you’re delayed, block egress to metadata and verify logs show no SSRF patterns or unexpected token access.

Envoy, an American Airlines subsidiary, confirmed business data theft tied to a third-party Oracle E-Business Suite environment. This is significant because enterprise resource planning holds payroll, vendor, and invoice data that fuels fraud. Airlines, logistics firms, and large enterprises running customized, lagging EBS are most exposed. Watch for unusual admin logins and spikes in report or export jobs outside business hours. Apply the latest Oracle patches, restrict external access paths, and review export logs and admin audit trails.

Prosper disclosed that attackers accessed records for about 17.6 million accounts, apparently via a partner system. It matters because that much personal data drives targeted phishing, account takeovers, and synthetic identity fraud. Fintechs, credit unions, and call centers that handle password resets are the most exposed. Watch for mismatched device fingerprints at login and first-time payee additions followed by high-value transfers. Put breach-aware authentication in place, and if you must phase it in, rate-limit resets and manually review first-time payees for affected users.

Attackers used many legitimate Zendesk tenants to blast targets with email-bomb floods. That’s dangerous because trusted helpdesk messages slip past filters, burying real alerts and reset emails. Customer support teams and any service that relies on email-only verification are most exposed. Watch for surges in ticket emails from diverse Zendesk subdomains and spikes in user-initiated password resets without successful logins. Enforce strict DMARC, throttle inbound helpdesk flows, and set temporary inbox rules to triage floods while you validate out-of-band reset paths.
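
The first signal above, a surge of ticket mail to one mailbox from many distinct Zendesk subdomains, can be turned into a sliding-window detector over mail-gateway logs. This is an added example, not code from BMC or Zendesk; the log line format is constructed for the example, so adapt LINE_RE to your gateway.

```python
"""Flag helpdesk email-bomb floods from many Zendesk tenants to one recipient.

Added example, not from the BMC brief or from Zendesk. Log format is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed gateway format: "<iso-ts> rcpt=<addr> from=<addr> subject=..."
LINE_RE = re.compile(r"^(\S+) rcpt=(\S+) from=\S+@([a-z0-9-]+)\.zendesk\.com\b")


def parse(line: str):
    """Return (epoch seconds, recipient, zendesk subdomain), or None for non-Zendesk mail."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00")).timestamp()
    return ts, m.group(2).lower(), m.group(3)


def detect_floods(lines, window_s=600, min_msgs=20, min_subdomains=5):
    """Per-recipient sliding window; alert once when message and tenant counts both cross threshold."""
    recent = defaultdict(deque)  # recipient -> deque of (ts, subdomain) inside the window
    alerted, alerts = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, rcpt, sub = rec
        q = recent[rcpt]
        q.append((ts, sub))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        subs = {s for _, s in q}
        if rcpt not in alerted and len(q) >= min_msgs and len(subs) >= min_subdomains:
            alerted.add(rcpt)
            alerts.append({"recipient": rcpt, "messages": len(q),
                           "subdomains": len(subs), "until": ts})
    return alerts


# Constructed sample: 25 ticket mails to one mailbox from 8 tenants in 25 seconds,
# plus ordinary traffic to another mailbox that must not alert.
SAMPLE = [f"2025-10-20T08:00:{i:02d}Z rcpt=cfo@example.com "
          f"from=support@tenant{i % 8}.zendesk.com subject=\"Ticket #{1000 + i}\""
          for i in range(25)]
SAMPLE += ["2025-10-20T08:00:30Z rcpt=alice@example.com from=support@ourhelp.zendesk.com subject=\"Ticket #7\"",
           "2025-10-20T08:00:31Z rcpt=alice@example.com from=billing@vendor.example subject=\"Invoice\""]

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE):
        print(alert)
```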

A China-nexus phishing operation called Winos rolled out version 4.0 and expanded to Japan and Malaysia. This matters because localized decoys and the HoldingHands remote-access trojan increase success rates against ministries, manufacturers, and logistics firms. Those sectors in East and Southeast Asia are the most exposed. Watch for first-seen domains in email headers tied to finance or government themes and beaconing to newly registered command-and-control hosts after document opens. Strengthen localized phishing defenses, pre-block known indicators, and sandbox finance-themed attachments before delivery.

European police shut down a massive SIM-box service that fueled tens of millions of fake accounts and OTP abuse. This matters because it raises costs for fraud rings, but it won’t stop SMS-based attacks where verification remains weak. Banks, fintechs, and any platform relying on SMS-only checks are most exposed. Watch for bursts of sign-ups from new number ranges and repeated OTP requests from the same device fingerprint. Start phasing in phishing-resistant authenticators and cap OTP attempts per device while you review throttling.

Researchers detailed a focused .NET backdoor dubbed CAPI hitting Russian automotive and e-commerce firms via tax-themed ZIPs. It’s important because targeted crimeware blends into office routines, steals credentials, and moves laterally without loud signals. Accounting teams, procurement, and storefront admins handling invoices are most exposed. Watch for first-seen domains in headers and new scheduled tasks with accounting-style names after document opens. Enforce attachment sandboxing and block untrusted script execution; isolate finance workstations if exceptions exist.

The 8Base ransomware group claimed a breach tied to Volkswagen, while the company said core IT remains unaffected. That matters because even supplier-level compromises can leak sensitive data and damage the brand. Automotive manufacturers and their sprawling parts and logistics vendors are most exposed. Watch for anomalous SFTP pulls from vendor ranges and vendor VPN tokens used from unexpected geographies. Execute third-party incident playbooks and reduce vendor access to least privilege while you validate data flows.

A North Korean actor merged its BeaverTail and OtterCookie web malware into a single toolkit with keylogging and screenshots. This matters because watering-hole compromises of trusted sites can harvest credentials at audience scale. Media outlets, crypto platforms, and think tanks with high-trust readerships are most exposed. Watch for unexpected CDN reference changes and spikes in obfuscated inline scripts flagged by integrity monitors. Pin and audit production scripts with CSP and SRI, and freeze third-party additions until baselines are verified.

A hacker who extorted education software provider PowerSchool was sentenced to four years in prison. It’s notable because law-enforcement follow-through is improving, but schools and edtech remain under-resourced targets. K-12 districts, registrars, and student information system vendors are most exposed. Watch for admin logins from new regions during off-hours and unusual bulk API exports of student data. Tighten identity controls and vendor governance now, and enable conditional access for all admin portals.

That’s the BareMetalCyber Daily Brief for October 20th, 2025. For more, visit BareMetalCyber.com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com. We’re back tomorrow.