BMC Daily Cyber News

This is today’s cyber news for November 21st, 2025. Today’s brief connects front-line cyber operations to real-world impact, from Iran-aligned hackers using ship tracking data to support a failed missile strike to China-linked BadAudio espionage quietly harvesting government and telecom secrets. We spotlight active exploitation of Fortinet’s FortiWeb web application firewall, and a Salesforce–Gainsight integration issue that raises fresh questions about third-party access to core customer data. You will also hear how an unpatched Microsoft Office exploit and a critical Windows image-processing flaw give attackers low-friction ways into fully patched systems. Together, these stories sketch a risk picture where trusted tools, integrations, and everyday documents become powerful attack paths.

Listeners will get concise updates on ten high-impact stories, including a zero-day style Oracle E-Business Suite campaign against enterprise resource planning platforms, ransomware crews locking Amazon Simple Storage Service buckets through cloud misconfigurations, and a surge of hostile scanning against GlobalProtect virtual private network portals that many remote workers rely on. We close with Sturnus, a new Android banking trojan that steals on-screen data from encrypted messengers and enables high-yield mobile fraud. This feed is built for leaders, defenders, and builders who need a fast sense of what matters most today, and every episode is also available at DailyCyber.news.

What is BMC Daily Cyber News?

The BMC Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.

This is today’s cyber news for November 21st, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
Investigators say Iran-aligned hackers used ship-tracking data to help aim a real-world missile strike that failed. In this campaign, attackers siphoned live location feeds from commercial tracking systems and peered through compromised onboard cameras. The danger here is very real. Maritime security teams face adversaries who blend quiet network intrusions with missile launches or drone activity against ships in contested waters. Today the incident stands as a warning case, and analysts urge shipping companies and energy firms to harden remote access, monitor unusual data flows from ship systems, and coordinate cyber and physical watch lists for high-risk routes.
Researchers at a major cloud provider revealed a three-year espionage campaign tied to a China-linked group using malware called BadAudio. During that period, the operators quietly pried into government agencies, telecom networks, and technology firms by using BadAudio as a stealthy downloader that fetched new tools and spread deeper into compromised systems. The campaign stayed low and slow, blending into normal traffic and file activity that many basic defenses never flagged. For many organizations in East Asia and around Taiwan, that means internal emails, network maps, and intellectual property may already sit in an adversary archive. Right now vendors have shared detection guidance, and defenders are urged to hunt for strange outbound connections from endpoints that recently installed new media players, browser extensions, or seemingly harmless utilities that could have carried the first BadAudio dropper.
Security teams worldwide are responding to Fortinet alerts about an actively exploited command-injection flaw in its FortiWeb web application firewall product. In real intrusions, attackers have piggybacked on access to the management interface, issuing system-level commands that reshape configurations, plant web shells, and quietly redirect traffic. That turns the protector into an entry point. For organizations that expose FortiWeb management to the open internet, even a single stolen password or misconfiguration can let intruders clobber the appliance in minutes. Right now Fortinet has shipped fixes and workarounds, and customers are racing to patch, lock down internet-facing management ports, and sweep logs for suspicious administrator actions on every FortiWeb box they own.
In the cloud software world, Salesforce is probing unusual activity involving customer-managed Gainsight applications that may have exposed sensitive data. Investigators say the attackers skimmed records and behavioral metrics from connected environments by abusing high-privilege authorization links between Gainsight and Salesforce. The risk hides in the integration layer. By passing through Gainsight, attackers can quietly reach deep into Salesforce objects that describe customers, revenue, and ongoing service activity. Right now Salesforce has revoked risky tokens, and many customers are reviewing which third-party tools can read or export sensitive records, rotating credentials, and tightening monitoring for unusual query volumes linked to Gainsight connections.
Threat intelligence analysts have spotted an exploit for an unpatched Microsoft Office vulnerability being openly marketed to criminal buyers in underground forums. In practice, the code lets an attacker booby-trap a document so that opening it can trigger remote control of a Windows machine. The threat feels uncomfortably simple today. Meanwhile, the seller is pitching the exploit as perfect for large phishing waves where spoofed emails carry invoices, contracts, or internal memos that staff feel pressure to open. For now Microsoft is analyzing the issue, and defenders are hardening Office settings, tightening attachment filters, and watching for Office processes that suddenly launch scripts or command shells so they can catch abuse even before a formal patch arrives.
Attackers are exploiting a critical flaw in the Windows graphics component that lets a single malicious image take over a system. The bug lives in shared imaging code that many apps use for thumbnails and previews, so normal viewing can silently trigger it. The trigger is deceptively simple today. For many organizations, that means a routine picture from a partner or customer could hand control to an attacker before anyone notices. Patches are available now, and teams are racing to deploy them, confirm coverage, and watch for image viewers spawning suspicious child processes.
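Both the Office story and the Windows imaging story end with the same detection advice: watch for document or image-handling processes that suddenly spawn scripting hosts or command shells. The following is an added example, not code from the brief or from any vendor, showing what that parent/child check looks like over process-creation events. The event fields, the parent and child process lists, and the sample events are all constructed assumptions; a real deployment would feed it from an EDR or Sysmon process-creation stream and tune the parent list to the viewers actually present in the estate.

```python
"""Flag Office apps and image viewers that spawn interpreters or shells.

Added example (not from the brief). The ProcessEvent fields, the process
name lists and SAMPLE_EVENTS are constructed for illustration and are not
any vendor's log schema.
"""
from dataclasses import dataclass

# Parents that handle untrusted documents or images and should almost never
# launch a script host or shell on their own.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
IMAGE_VIEWER_PARENTS = {"mspaint.exe", "microsoft.photos.exe"}  # assumption: extend per estate

# Children whose appearance under those parents indicates code execution
# rather than ordinary document or image handling.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line tokens that raise an alert from medium to high severity.
HIGH_SEVERITY_TOKENS = {"-enc", "-encodedcommand", "-e", "-ec", "hidden",
                        "downloadstring", "iex", "bypass"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # full path of the parent process image
    child_image: str    # full path of the newly created process image
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_spawn(ev: ProcessEvent) -> bool:
    parent = _basename(ev.parent_image)
    child = _basename(ev.child_image)
    return parent in (DOCUMENT_PARENTS | IMAGE_VIEWER_PARENTS) and child in SUSPICIOUS_CHILDREN


def severity(ev: ProcessEvent) -> str:
    tokens = set(ev.command_line.lower().split())
    return "high" if tokens & HIGH_SEVERITY_TOKENS else "medium"


def detect(events):
    """Return one alert dict per suspicious parent/child pair."""
    alerts = []
    for ev in events:
        if not is_suspicious_spawn(ev):
            continue
        alerts.append({
            "host": ev.host,
            "parent": _basename(ev.parent_image),
            "child": _basename(ev.child_image),
            "severity": severity(ev),
        })
    return alerts


# Constructed sample events (hosts, paths and command lines are made up).
SAMPLE_EVENTS = [
    ProcessEvent("WS-042", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc REDACTED"),
    ProcessEvent("WS-042", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),            # benign print helper
    ProcessEvent("WS-017", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c start /min wscript.exe update.vbs"),
    ProcessEvent("WS-103", r"C:\Program Files\WindowsApps\Photos\Microsoft.Photos.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\img.tmp,Run"),
    ProcessEvent("WS-009", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),         # not a document parent
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The benign print helper and the browser-spawned shell show why the rule keys on the parent rather than the child alone; the severity step is a cheap triage hint and not a substitute for reviewing the full command line.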
Investigators report that attackers abused an unknown flaw in Oracle E-Business Suite portals to break into core enterprise resource planning systems. Those enterprise resource planning platforms handle finance, human resources, and supply chain records that companies treat as their backbone. The damage extended well beyond simple file theft. In some cases the intruders mapped business processes, stole configuration data, and encrypted key systems, turning outages in planning systems into losses. Today Oracle is urging customers to apply fixes, limit exposure of portals, and comb logs from those systems for anomalies.
Researchers are tracking ransomware crews that target misconfigured Amazon Simple Storage Service buckets rather than traditional on-premises file servers. Instead of dropping malware on endpoints, the attackers use overly permissive identities to encrypt or lock critical data through cloud interfaces. No new software runs on the victim machines. For many businesses that assume cloud storage is inherently safe, this means backups, logs, and application data can become locked or deleted. Today cloud security teams are tightening identity rules, monitoring for policy changes, and confirming that offline backups exist for their important buckets.
Telemetry providers have spotted a surge in malicious scanning of Palo Alto Networks GlobalProtect virtual private network portals worldwide. One report says activity jumped roughly forty times in one day, reaching levels far above normal background noise for this product. Attackers are clearly mapping exposed front doors. For organizations that use GlobalProtect as the main gateway for remote staff, this census could feed exploits against unpatched or misconfigured systems. Defenders are confirming patches, tightening authentication, hiding management interfaces from the internet, and watching logs for spikes in failed logins.
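The GlobalProtect story ends with defenders "watching logs for spikes in failed logins", and the earlier FortiWeb story likewise asks teams to sweep authentication and administrator logs. As an added example, not code from the brief or from Palo Alto Networks, the block below buckets failed authentication events into fixed windows and flags any window whose count is far above the median of the windows before it, then lists the sources behind the burst. The log format, field names and sample lines are constructed for illustration and are not the PAN-OS or GlobalProtect log schema; the window size, multiplier and minimum count are assumptions to tune per environment.

```python
"""Spot a burst of failed logins against a VPN portal in authentication logs.

Added example (not from the brief). The line format, field names and
SAMPLE_LINES are constructed and are not a real product's log schema.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed format: "<iso-timestamp> portal=<host> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) portal=(?P<portal>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "portal": m["portal"], "src": m["src"],
            "user": m["user"], "result": m["result"]}


def failures_per_window(lines, window_seconds=60):
    """Count FAIL events per fixed window; also keep per-window source counts."""
    counts = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        bucket = int(ev["ts"].timestamp()) // window_seconds * window_seconds
        counts[bucket] += 1
        sources[bucket][ev["src"]] += 1
    return counts, sources


def find_spikes(counts, window_seconds=60, factor=10.0, min_failures=20):
    """Windows whose failure count is at least factor x the median of all earlier
    windows (quiet windows count as zero) and at least min_failures."""
    if not counts:
        return []
    spikes, history = [], []
    first, last = min(counts), max(counts)
    for bucket in range(first, last + 1, window_seconds):
        n = counts.get(bucket, 0)
        if history:
            baseline = max(median(history), 1)
            if n >= min_failures and n >= factor * baseline:
                spikes.append((bucket, n))
        history.append(n)
    return spikes


def summarize_spike(bucket, sources, top=5):
    """Most active sources in a flagged window, for blocking or enrichment."""
    return sources[bucket].most_common(top)


def _constructed_sample():
    """Ten quiet minutes with one failure each, then a 45-failure burst."""
    lines = []
    base = datetime(2025, 11, 20, 9, 0, tzinfo=timezone.utc)
    for minute in range(10):
        t = base + timedelta(minutes=minute)
        stamp = f"{t:%Y-%m-%dT%H:%M:%S}Z"
        lines.append(f"{stamp} portal=vpn.example.test src=198.51.100.{minute + 1} user=alice result=OK")
        lines.append(f"{stamp} portal=vpn.example.test src=198.51.100.{minute + 1} user=bob result=FAIL")
    burst = base + timedelta(minutes=10)
    for i in range(45):
        t = burst + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S}Z portal=vpn.example.test "
                     f"src=203.0.113.{i % 15 + 1} user=admin{i} result=FAIL")
    lines.append("malformed line that the parser must skip")
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    counts, sources = failures_per_window(SAMPLE_LINES)
    for bucket, n in find_spikes(counts):
        when = datetime.fromtimestamp(bucket, tz=timezone.utc)
        print(f"{when:%Y-%m-%dT%H:%M}Z: {n} failures, top sources {summarize_spike(bucket, sources)}")
```

A median baseline resists being dragged up by the burst itself, and the minimum-count floor stops a single mistyped password in an otherwise silent hour from tripping the rule; the per-source breakdown is what distinguishes a distributed scan from one locked-out user.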
Researchers have detailed a new Android banking trojan called Sturnus that steals on-screen content and enables remote control of infected devices. By abusing accessibility permissions, it can read Signal, WhatsApp, and Telegram chats after decryption and place phishing overlays over banking apps. The aim is silent, high-yield fraud. For banks and financial technology firms, this means the risk goes beyond password theft, because attackers can drive transactions in real time. Today defenders are expanding detection on phones, tightening app store controls, and working with fraud teams to flag patterns from Android devices.
That’s the BareMetalCyber Daily Brief for November 21st, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back Monday.