The BCM Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.
This is today’s cyber news for November 7th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
The Congressional Budget Office, C B O, confirmed a cyber incident affecting internal communications and files. Early signs point to a foreign actor probing mailboxes and shared folders used for draft budget work. Sensitive budget analyses may now be exposed. That matters because previewing negotiation lines and embargoed numbers can sway markets and policy debates. Officials say operations continue under heightened monitoring while investigators track access attempts and add new mail safeguards.
In Nevada, a rare public report maps how a ransomware crew moved from entry to encryption. Attackers seeded a trojanized admin tool found through search ads, lingered for months, then encrypted roughly sixty agencies. The state did not pay the ransom. For governments and vendors, the step-by-step timeline shows where software download controls and privileged workstation isolation tend to break down. Recovery restored most data within weeks, and the findings now guide tighter download policies and stricter admin access.
Cisco reports a new attack variant that forces Secure Firewall devices to reload unexpectedly. Repeated reloads can drop remote sessions, stall transactions, and leave branch sites unreachable during business hours. Outage risk rises fast for many. The issue affects Adaptive Security Appliance, A S A, and Firepower Threat Defense, F T D, software on unpatched edge systems, which carry significant customer traffic. Cisco published updated guidance and patches, and teams should schedule maintenance so devices stop cycling under load.
Cisco fixed critical bugs in Unified Contact Center Express that allow unauthenticated remote code execution as root. A flaw in a remote invocation path can hand attackers full control of call routing, recordings, and related data stores. That threatens uptime and customer privacy. Because contact centers drive revenue and compliance, even short takeover windows can disrupt service metrics and expose sensitive recordings. Patches are available now with no complete workaround, so change windows and rollback plans should be lined up and executed quickly.
SonicWall says a nation state accessed a specific cloud environment and siphoned a subset of firewall backup files through an application programming interface. The company estimates fewer than five percent of customers using the backup service were affected and urged rotation of keys and configurations. Backups can reveal far too much. Those files often contain network maps, rules, and sometimes credentials, which make targeted follow-on intrusions easier and faster. Investigations continue as tenants confirm scope, reissue device credentials and tokens, and validate that rule baselines match known good versions.
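One concrete way to do that last step, checking an exported rule set against a known-good baseline, is shown below. This is an added example, not code from the brief or from SonicWall; the one-rule-per-line text format, the rule names and the addresses are all constructed for illustration, and the "broad rule" test is a hypothetical starting point a team would tune to its own policy.

```python
"""Compare a firewall rule export against a known-good baseline.

Added example, not from the brief or from any vendor tooling. The rule
format is a constructed, vendor-neutral text form: one rule per line,
six whitespace-separated fields: name action src dst proto port.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: str
    dst: str
    proto: str
    port: str


def parse_rules(text):
    """Parse the constructed rule format into {name: Rule}, rejecting
    malformed lines and duplicate names so drift cannot hide in noise."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(parts)}")
        rule = Rule(*parts)
        if rule.name in rules:
            raise ValueError(f"line {lineno}: duplicate rule name {rule.name}")
        rules[rule.name] = rule
    return rules


def diff_rules(baseline, current):
    """Return (added, removed, changed) rule names, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current)
                     if baseline[n] != current[n])
    return added, removed, changed


def is_broad(rule):
    """Hypothetical policy test: a permit from any source to any
    destination, or to any port, is too broad to appear without review."""
    return (rule.action == "permit" and rule.src == "any"
            and (rule.dst == "any" or rule.port == "any"))


def report(baseline_text, current_text):
    """Summarise drift and single out new or changed rules that are broad."""
    base = parse_rules(baseline_text)
    cur = parse_rules(current_text)
    added, removed, changed = diff_rules(base, cur)
    broad = [n for n in added + changed if is_broad(cur[n])]
    return {"added": added, "removed": removed, "changed": changed, "broad": broad}


# Constructed sample data: a known-good baseline and a current export.
BASELINE = """
allow-web    permit any        10.0.1.10  tcp 443
allow-dns    permit 10.0.0.0/8 10.0.1.53  udp 53
deny-all     deny   any        any        any any
"""

CURRENT = """
allow-web    permit any        10.0.1.10  tcp 443
allow-dns    permit any        10.0.1.53  udp 53     # source widened
mgmt-temp    permit any        any        tcp any    # not in baseline
deny-all     deny   any        any        any any
"""

if __name__ == "__main__":
    for key, names in report(BASELINE, CURRENT).items():
        print(f"{key:8s} {names}")
```

Run against a real export, the interesting output is the `broad` list: rules that were added or loosened since the baseline and now permit traffic from any source. Those are the first candidates for removal after a backup-file exposure, since an attacker who has read the old rules knows exactly which gaps to look for.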
Today, Clop claims it breached the Washington Post and stole internal data. The listing sits on the gang’s leak site while the publisher assesses scope and authenticity. It matters because even an unverified claim can spark phishing, forged invoices, and confusion across newsrooms and vendors. The pressure play is to dangle a leak, seed lures that piggyback on brand trust, and force a hasty response. Verification is still pending at the publisher.
Meanwhile, Sandworm deployed data wipers across Ukraine, disrupting parts of the grain sector along with education and government networks. The malware erases files and logs, which clobbers recovery and day-to-day operations. Impact is immediate for affected operators. Attackers lean on flat networks, shared admin domains, and repeated waves tuned to each environment. Authorities and vendors issued guidance, and teams are restoring services while staging offline rebuilds.
By contrast, researchers found weaknesses in popular chat platforms that could let attackers extract data and reopen sessions without a fresh login. Edge cases in cross origin checks, risky integrations, and loose token scoping can be chained to siphon prompts and documents. The privacy risk is very real. In certain setups, reused cookies or access tokens revive a prior session and quietly persist access across devices. Providers and plugin developers are shipping fixes and guidance, and teams are rotating keys and tightening settings.
Soon after, Google analysts warned about malware that changes behavior mid run to frustrate static signatures and simple sandboxes. Payloads can swap modules, alter indicators, or call remote logic that mutates execution on the fly. Static rules alone will not hold. Defenders need behavior analytics, script control, and tuned telemetry that watches process chains rather than file names. Research teams are tracking families testing these techniques in the wild, and rapid rule updates are now essential.
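To make "watch process chains rather than file names" concrete, here is an added example that is not part of the brief or of Google's research: a small lineage check over constructed endpoint telemetry. The sample events, the image names and the list of document-handling parents are all assumptions; a real deployment would feed the same logic from EDR or Sysmon-style process events.

```python
"""Flag suspicious process chains by lineage, not by file name.

Added example (not from the brief). The events are constructed
telemetry for one host; the handler list and flag strings are a
hypothetical starting point, not a vendor rule set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    net_conn: bool  # the process opened an outbound network connection


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe", False),
    ProcEvent(200, 100, "winword.exe", "winword.exe quote.docx", False),
    # An interpreter copied under a bland name: a name or hash rule misses it,
    # but its parent is a document handler and its flags are script-like.
    ProcEvent(300, 200, "svchost_update.exe",
              "svchost_update.exe -w hidden -enc SQBF...", False),
    ProcEvent(400, 300, "rundll32.exe", "rundll32.exe url.dll,OpenURL", True),
    # Benign: a browser launched from the shell talks to the network as expected.
    ProcEvent(500, 100, "chrome.exe", "chrome.exe --profile", True),
    ProcEvent(600, 500, "chrome.exe", "chrome.exe --type=renderer", True),
]

# Assumed set of processes that open untrusted user content.
USER_CONTENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
# Assumed command-line fragments typical of script interpreters run hidden.
SCRIPT_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "iex ")


def ancestry(events, pid):
    """Return the chain of ProcEvents from pid up to the root (self first).
    A seen-set guards against cyclic or reused pids in noisy telemetry."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        chain.append(event)
        pid = event.ppid
    return chain


def suspicious_chains(events):
    """Flag a process when a document handler sits anywhere in its ancestry
    and the process either reaches the network or carries script-style flags.
    The image name of the intermediate process plays no part in the verdict."""
    findings = []
    for event in events:
        chain = ancestry(events, event.pid)
        ancestors = chain[1:]
        if not any(a.image.lower() in USER_CONTENT_HANDLERS for a in ancestors):
            continue
        lowered = event.cmdline.lower()
        script_like = any(flag in lowered for flag in SCRIPT_FLAGS)
        if event.net_conn or script_like:
            lineage = " -> ".join(a.image for a in reversed(chain))
            findings.append((event.pid, lineage))
    return findings


if __name__ == "__main__":
    for pid, lineage in suspicious_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {lineage}")
```

The renamed interpreter (pid 300) and the network-capable child it spawned (pid 400) are both flagged because of who launched them and what they did, while the browser chain passes even though it also reaches the network. Changing the file name or rebuilding the binary to dodge a signature does not change that lineage, which is the point of the telemetry the brief calls for.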
In the end, a malicious Visual Studio Code extension slipped into the official marketplace and pulled a second payload after install. Developers who grabbed it risked file encryption and credential theft on workstations tied to code and cloud access. Developer trust was exploited very quickly. The listing used a plausible name and description to win trust, then phoned home to fetch the ransomware payload. Removal followed, and maintainer accounts are under review as teams scan endpoints for remnants.
That’s the BareMetalCyber Daily Brief for November 7th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back Monday.