BMC Daily Cyber News

This is today’s cyber news for October 30th, 2025. A broad Microsoft cloud outage led our coverage, reminding teams how identity and Domain Name System dependencies can stall entire workflows. Critical infrastructure risk followed, with Canada warning that hacktivists changed setpoints on exposed industrial gear. We then moved to active exploitation in factory software, a remote-code-execution flaw in XWiki driving cryptomining, and a coordinated wave of malicious Node Package Manager look-alikes harvesting tokens. The middle of the brief covered a four-terabyte backup exposure tied to a global consultancy, Android tap-to-pay relays, and a new leakage route from trusted enclaves on double data rate five hardware. We closed with botnets, stealthy espionage, plugin risk, regional cloud latency, data poisoning, and human-like Android malware.
 
Listeners will hear concise, four-sentence rundowns that stick to what happened and why it matters. Leaders get signal on business continuity, vendor timelines, third-party exposure, and fraud risks; defenders hear the mechanisms that made each incident possible so they can tune detection and response. It’s a fast scan of operational realities across cloud control planes, software supply chains, industrial networks, and mobile threats—useful for morning stand-ups and afternoon triage. The narrated feed is available at DailyCyber.news.

What is BMC Daily Cyber News?

The BMC Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.

This is today’s cyber news for October 30th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

Microsoft said a configuration change disrupted logins and routing across major cloud services. The issue affected Azure and Microsoft three sixty five users in multiple regions. A front-end path change broke Domain Name System, D N S, lookups and authentication flows. Services recovered gradually as the company rolled back changes and stabilized dependencies.

Canada’s cyber center warned that hacktivists changed settings on exposed industrial systems. The affected water, energy, and agriculture sites had interfaces reachable from the open internet. Weak or default passwords let intruders alter setpoints and reboot equipment remotely. Officials urged immediate removal from public access and stronger authentication for operational technology.

The Cybersecurity and Infrastructure Security Agency, C I S A, flagged factory software bugs under active exploitation. Vulnerabilities in Dassault’s DELMIA Apriso platform could allow code execution and production disruption. Inclusion in the Known Exploited Vulnerabilities, K E V, catalog signals real-world attacks underway. Agencies and critical operators were directed to patch on an accelerated timeline.

A critical flaw in XWiki’s search component is enabling remote code execution. Attackers are deploying cryptomining payloads that spike processor usage and degrade performance. The entry point is crafted search requests that abuse the embedded search service. Maintainers released fixed builds and urged administrators to remove persistence and update quickly.

Researchers uncovered look-alike packages on Node Package Manager, N P M, stealing developer secrets. Post-install scripts exfiltrated environment variables, GitHub tokens, and build credentials. Continuous integration and continuous delivery, C I slash C D, pipelines were particularly exposed to automated theft. Takedowns removed many packages, but teams still face token rotation and cleanup.
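
As an added example that is not part of the brief, the following Node script shows one defender-side check for the two signals in that story: a package name within a couple of edits of a popular one, and a lifecycle script that runs on install. The popular-package list, the risk tokens and the sample manifest are constructed for the demonstration; a real audit would run this over every package.json under node_modules against a full popularity list.

```javascript
// Added example, not from the brief: audit an npm manifest for a look-alike name
// and for install-time lifecycle scripts. Lists and sample manifest are constructed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Tokens that make an install hook worth a manual look (heuristic, not proof).
const RISKY_TOKENS = ['process.env', 'curl ', 'wget ', 'http://', 'https://'];
const POPULAR_PACKAGES = ['lodash', 'express', 'react', 'axios', 'chalk']; // constructed
// Levenshtein edit distance using a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}
// Popular package this name most resembles within maxDistance edits; null for an exact match.
function lookalikeOf(name, popular = POPULAR_PACKAGES, maxDistance = 2) {
  let best = null;
  for (const p of popular) {
    if (p === name) return null; // the real package, not a look-alike
    const d = editDistance(name, p);
    if (d <= maxDistance && (best === null || d < best.d)) best = { p, d };
  }
  return best ? best.p : null;
}
// Lifecycle hooks the manifest declares, each flagged if it matches a risky token.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string').map((hook) => ({
    hook, command: scripts[hook], risky: RISKY_TOKENS.some((t) => scripts[hook].includes(t)),
  }));
}
// One finding per manifest: suspicious on a risky hook, or on any hook behind a look-alike name.
function auditManifest(manifest) {
  const hooks = installHooks(manifest);
  const lookalike = lookalikeOf(manifest.name);
  const suspicious = hooks.some((h) => h.risky) || (lookalike !== null && hooks.length > 0);
  return { name: manifest.name, lookalike, hooks, suspicious };
}
// Constructed sample: a near-miss of "lodash" carrying a postinstall hook that touches the environment.
const SAMPLE_MANIFEST = { name: 'lodahs', scripts: { postinstall: 'node -e "console.log(Object.keys(process.env).length)"' } };
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```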

Investigators found a publicly accessible cloud path exposing a four terabyte backup. The file was a Structured Query Language, S Q L, Server image tied to a major consultancy. Misconfigured permissions allowed unauthenticated listing and download of the dataset. It’s now secured while teams review access logs and assess possible exposure.

Researchers detailed malware relaying tap-to-pay transactions over near field communication, N F C. The apps abused host card emulation and screen overlays to capture unlock steps. Banks later saw disputed payments that looked legitimate to their systems. Stores removed many samples, but variants persist in alternative app markets.

Academic teams showed a side channel against trusted execution environments, T E E, on double data rate five, D D R five, platforms. By manipulating memory timing, attackers could infer secrets from enclave operations. The demonstration required specialized gear and proximity to the server. Vendors are preparing firmware and controller tuning to reduce the risk.

The Aisuru botnet shifted from distributed denial of service, D D O S, floods to renting residential proxies. Infected routers and smart devices now mask scraping, fraud, and credential stuffing. Operators spread through weak passwords and unpatched flaws, then enroll nodes into proxy pools. Traffic moved from short bursts to long sessions that blend with everyday use.

New botnet waves are exploiting old bugs in Hypertext Preprocessor, P H P, apps and internet of things, I O T, gear. Attackers chain weak credentials with pre-authentication flaws to conscript devices. Small business routers and cloud gateways are frequent victims due to poor patch cadence. Activity rotates by region as herders evade blocks and rebuild capacity.

Researchers described a long espionage campaign in Ukraine that blended into normal administration. The operators used built-in Windows tools, scheduled tasks, and quiet data transfers. They stole files in small bursts and rotated infrastructure to avoid connection patterns. Targets included government bodies and critical services that rely on shared networks.

A flaw in a popular WordPress security plugin let subscribers read server files. Low-privilege accounts could trigger endpoints that exposed configuration details and keys. Attackers then pivoted to administrator takeover using the leaked information. Maintainers shipped a fix, and site owners were told to update quickly.

Marketing giant Dentsu said a subsidiary suffered an intrusion with data theft. Systems were isolated, forensics began, and regulators and customers were notified. Operations continued with contingency plans while scope and attribution remained under review. The company is rotating credentials and checking access logs for suspicious downloads.

Amazon Web Services, A W S, experienced increased latency and throttling in U S dash East dash one. Compute and container startups slowed, and retries quietly amplified pressure on services. Control-plane functions recovered unevenly as teams worked through dependency backlogs. Build pipelines, queues, and authentication flows saw spillover effects across many accounts.

New research showed websites can trick artificial intelligence, A I, crawlers into ingesting false facts. Sites served normal pages to people and poisoned variants to automated fetchers. Those planted details later surfaced in generated answers with confident tone. The authors urged provenance checks and crawler attestation to reduce manipulation.

Researchers tracked a new Android threat that imitates human typing to slip past checks. The malware arrives through trojan apps and abuses accessibility permissions to gain control. It steals credentials and hijacks sessions while mimicking natural tap delays and swipes. Campaigns focused on banking and retail accounts, and command systems rotated to avoid blocking.

That’s the BareMetalCyber Daily Brief for October 30th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back tomorrow.