The BCM Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.
This is today’s cyber news for October 29th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
Researchers demonstrated a practical hardware side-channel against enclave-protected workloads on recent Intel and A M D servers. Using a low-cost interposer on the D D R 5 memory bus, they recovered keys used for attestation and encryption from inside the protected workloads. The method observes patterns in the encrypted traffic crossing the memory bus rather than breaking the cryptography inside the enclave, so the secrets leak without any software flaw in the workload. The attack requires physical access and lab gear, and the practical caveat for anyone relying on confidential computing is that attestation alone does not defend against an adversary who can get hands on the server. Vendors began evaluating firmware and platform mitigations as the findings landed.
A previously unknown flaw in Oracle E-Business Suite was exploited for months, before any fix existed, to reach finance and supply-chain data. Intruders used the bug to run code on the application server without logging in, across commonly deployed enterprise resource planning modules. Once they controlled the server, they pulled bulk records through the application's own functions rather than the database directly. Oracle issued an out-of-band alert with fixes while investigations continued at multiple enterprises.
A critical flaw in Windows Server Update Services let attackers push malicious updates through a trusted pipeline. Organizations observed probing and exploitation of internet-exposed or poorly segmented servers, with rogue approvals and unfamiliar publishers showing up in catalogs. Because Windows Server Update Services, or W S U S, distributes patches that endpoints install with full trust, a single compromised server could deliver malware to every machine that reports to it. The immediate checks are whether a W S U S server is reachable from outside the organization at all, and whether its approval history and publisher list contain entries no administrator recognizes. Microsoft released fixes and hardening guidance as agencies urged immediate action.
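The two catalog indicators the brief mentions, rogue approvals and unfamiliar publishers, can be checked mechanically. The example below is added here and is not code from the brief or from Microsoft; it runs over a constructed catalog whose field names loosely follow the W S U S administration API (an update's source is MicrosoftUpdate for synchronized content and Other for locally published content; publisher names and approvals are exposed per update). The publisher allowlist, approver allowlist and record contents are assumptions for the example; in a real run they would come from the UpdateServices module or the API rather than being typed in.

```python
"""Review WSUS catalog entries for signs of a rogue locally published update.

Added example, not from the brief. The catalog records below are constructed
and their field names follow the WSUS administration API only loosely.
"""
from dataclasses import dataclass, field

MICROSOFT = "Microsoft Corporation"

# Assumptions for this example: the organisation's own local publishing
# identity, the accounts allowed to approve updates, and the groups whose
# approvals reach every client.
KNOWN_PUBLISHERS = {MICROSOFT, "Contoso IT Packaging"}
ALLOWED_APPROVERS = {r"CORP\wsus-admin", r"CORP\patch-team"}
BROAD_GROUPS = {"All Computers", "Unassigned Computers"}


@dataclass
class Approval:
    administrator: str   # account that approved the update
    target_group: str    # computer group the approval applies to


@dataclass
class UpdateRecord:
    title: str
    update_source: str   # "MicrosoftUpdate" (synced) or "Other" (locally published)
    publishers: list[str]
    approvals: list[Approval] = field(default_factory=list)


def review(record, known_publishers=KNOWN_PUBLISHERS, allowed_approvers=ALLOWED_APPROVERS):
    """Return the reasons this record deserves a second look (empty if none)."""
    reasons = []
    local = record.update_source != "MicrosoftUpdate"
    if local:
        # Genuine Microsoft content arrives through synchronization, never
        # through local publishing, so a local update claiming Microsoft as
        # its publisher is the classic sign of a spoofed package.
        if MICROSOFT in record.publishers:
            reasons.append("locally published content claims Microsoft as publisher")
        unknown = sorted(set(record.publishers) - known_publishers)
        if unknown:
            reasons.append("unfamiliar local publisher: " + ", ".join(unknown))
    for a in record.approvals:
        if a.administrator not in allowed_approvers:
            reasons.append(f"approved by unexpected account {a.administrator} for {a.target_group}")
        if local and a.target_group in BROAD_GROUPS:
            reasons.append(f"locally published content approved for {a.target_group}")
    return reasons


def triage(records):
    """Map update title -> reasons, for every record that raised at least one."""
    findings = {}
    for r in records:
        reasons = review(r)
        if reasons:
            findings[r.title] = reasons
    return findings


# Constructed sample catalog: one synced Microsoft update, one legitimate
# locally published package, and one rogue package approved to all clients.
SAMPLE_CATALOG = [
    UpdateRecord("2025-10 Cumulative Update for Windows Server 2022", "MicrosoftUpdate",
                 [MICROSOFT], [Approval(r"CORP\patch-team", "Servers")]),
    UpdateRecord("Contoso VPN Client 7.2", "Other",
                 ["Contoso IT Packaging"], [Approval(r"CORP\patch-team", "Workstations")]),
    UpdateRecord("Critical Security Rollup for Windows", "Other",
                 [MICROSOFT], [Approval(r"CORP\svc-sql", "All Computers")]),
]

if __name__ == "__main__":
    for title, reasons in triage(SAMPLE_CATALOG).items():
        print(title)
        for why in reasons:
            print("  -", why)
```

The rogue record trips three rules at once: it is local content claiming Microsoft as publisher, it was approved by an account that never approves updates, and the approval targets every client. Any one of those on its own is worth a phone call; together they are the shape of the abuse the brief describes.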
The Qilin ransomware crew executed Linux encryptors on Windows hosts by running them through Windows Subsystem for Linux, or W S L. Because the encryptor is a Linux binary running inside the subsystem, tools tuned for Windows file signatures and Windows process behavior saw little of it, while the Windows drives it reached through W S L were encrypted all the same. Reports also noted experiments with bring-your-own-vulnerable-driver techniques, used to disable endpoint defenses, and with remote-management tooling. Several incidents included data theft before encryption to increase pressure on victims.
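A Linux encryptor launched through W S L still has to be started by wsl.exe on the Windows side, and that process-creation event is visible to ordinary Windows telemetry even when the Linux binary itself is not. The example below is added here and is not code from the brief or from any vendor; it scores constructed Sysmon-style process-creation events for the pattern described above. The wsl.exe options it looks for (-e and --exec, -u, --import, --install) are real wsl.exe options; the weights, the threshold and the sample events are assumptions for the example and should be tuned against a real environment, where developers using W S L interactively will look quite different from a SYSTEM-launched run against /mnt paths.

```python
"""Flag process-creation events where wsl.exe is used to stage or run a
Linux payload against Windows data.

Added example, not from the brief. The events are constructed to resemble
Sysmon Event ID 1 fields and do not come from a real incident.
"""
import re

# Indicator -> (weight, explanation). The option names are real wsl.exe
# options; the weights are a tuning assumption for this example.
INDICATORS = [
    (re.compile(r"(?:^|\s)(?:-e|--exec)(?:\s|$)"), 1, "executes a Linux binary directly"),
    (re.compile(r"(?:^|\s)-u\s+root(?:\s|$)"), 1, "runs as root inside the distro"),
    (re.compile(r"(?:^|\s)--import(?:\s|$)"), 2, "imports a custom root filesystem"),
    (re.compile(r"(?:^|\s)--install(?:\s|$)"), 2, "installs WSL on the host"),
    (re.compile(r"/mnt/[a-z]/\S+"), 2, "references Windows drives through /mnt"),
]
FLAG_THRESHOLD = 2
WSL_IMAGES = {"wsl.exe", "wslhost.exe"}


def is_wsl_image(image: str) -> bool:
    """True when the created process is the WSL launcher or host binary."""
    return image.lower().rsplit("\\", 1)[-1] in WSL_IMAGES


def score_event(event: dict):
    """Return (score, reasons) for one process-creation event."""
    if not is_wsl_image(event["Image"]):
        return 0, []
    score, reasons = 0, []
    for pattern, weight, why in INDICATORS:
        if pattern.search(event["CommandLine"]):
            score += weight
            reasons.append(why)
    # Interactive developer use runs as the logged-on user from a terminal;
    # wsl.exe started under SYSTEM is worth a point on its own.
    if event["User"].upper().endswith("SYSTEM"):
        score += 1
        reasons.append("launched as SYSTEM")
    return score, reasons


def detect(events, threshold=FLAG_THRESHOLD):
    """Return [(ProcessId, score, reasons)] for events at or above threshold."""
    flagged = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            flagged.append((event["ProcessId"], score, reasons))
    return flagged


# Constructed sample events: a developer session, a root filesystem being
# imported, the encryptor run against a Windows share, and an unrelated process.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": r'"C:\Windows\System32\wsl.exe" -d Ubuntu',
     "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\WindowsTerminal.exe",
     "User": r"CORP\alice"},
    {"ProcessId": 5288, "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": r"wsl.exe --import locker C:\ProgramData\wsl C:\ProgramData\rootfs.tar",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 5304, "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": r"wsl.exe -d locker -u root -e /mnt/c/ProgramData/enc /mnt/c/Shares",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 6001, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for pid, score, reasons in detect(SAMPLE_EVENTS):
        print(f"PID {pid} score {score}: " + "; ".join(reasons))
```

The developer's plain wsl.exe launch scores zero and stays out of the output, the --import of a root filesystem under SYSTEM is caught as staging, and the -u root -e run against /mnt/c paths is the encryption step itself. Pairing this with an alert on the WSL optional feature being enabled on servers that have no business running it covers the install-then-run sequence end to end.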
United States cyber authorities added multiple D E L M I A Apriso factory-software flaws to the Known Exploited Vulnerabilities catalog after detecting real-world attacks. The issues affected releases from twenty twenty through twenty twenty-five, including remote code execution and missing authorization checks in the product's web services. Because the software links shop-floor systems to enterprise planning, intruders who gained access could disrupt production and reach sensitive process data. Patch deadlines were set as plants reviewed their exposure, and researchers published technical details of the attack paths.
The marketing firm Merkle, owned by Dentsu, disclosed a breach that touched employee data and some client information. Attackers reached internal systems tied to people data and campaign operations. Early findings point to a targeted intrusion rather than a broad ransomware strike, and the company rotated credentials and tightened access controls. Regulators and customers were notified as services continued under contingency plans.
A fast-growing botnet named Aisuru blasted targets with distributed denial of service waves near twenty terabits per second. That’s D D O S, high-volume traffic meant to overwhelm apps and networks. Operators blended hijacked I O T devices, which supplied the raw volume, with residential proxy networks, which spread the traffic across ordinary home addresses and made the sources harder to filter. Gaming, fintech, and S A A S platforms saw short, shifting surges that strained scrubbing centers.
Automated campaigns hammered WordPress sites through bugs in the Guten Kit and Hunk Companion plugins. The flaws let intruders change site content and, in some cases, run code without logging in. Botnets scanned shared hosts for outdated versions while maintainers rushed fixes. Many small businesses stayed exposed because long-unpatched stacks remained online.
A critical flaw in Q N A P NetBak Agent backup software allowed attackers to steal credentials. Adversaries abused H T T P handling to capture Windows domain logins and tokens used by backup tasks. Because the agent often runs with elevated rights and broad network reach, intruders could pivot into file servers and directory services. Updates are available, but mixed N A S and P C environments often lag on desktop agent patches.
Attackers exploited a remote code execution flaw in X Wiki to take over publicly reachable wiki servers. Once inside, they deployed coin-mining payloads and persistence scripts, then probed adjacent web apps. Some victims first noticed degraded performance and unusual outbound connections from the application user. Patches and configuration hardening were released as misconfigured proxies and outdated extensions raised risk.
Investigators reported Blue Noroff shifted to two campaigns called Ghost Call and Ghost Hire that targeted executives in crypto exchanges, fintech, and venture firms. The operators used convincing recruiter and investor lures to deliver cross-platform implants for mac O S and Windows. Once inside, they stole credentials, session cookies, and seed phrases, then routed funds through pre-staged mixing services. Some intrusions blended legitimate remote-access tools with custom malware to reduce detection.
Researchers tied a recent Chrome sandbox-escape chain to an Italian commercial-spyware ecosystem. The chain combined a renderer bug with a privilege-escalation step and dropped a lightweight loader nicknamed Leet Agent. Infections were highly targeted and focused on journalists, lawyers, and policy figures using Android and desktop Chrome. Browser and operating-system vendors pushed emergency fixes and added detection rules for related infrastructure.
A new Android banking trojan named Herodotus mimicked human typing cadence, swipe gestures, and pauses to bypass behavioral anti-fraud checks. It overlaid fake login pages, stole notifications, and abused Accessibility Services to approve actions silently. Operators targeted users in Southern Europe and Latin America through smishing and fake app stores. Command-and-control traffic masqueraded as ad-tech beacons to blend in.
A separate Android threat dubbed GhostGrab focused on stealing credentials from banking and wallet apps while intercepting one-time passcodes. After gaining Accessibility permissions, it scraped on-screen content, auto-filled attacker forms, and forwarded S M S and notification codes to command servers. Operators distributed builds via clone sites and poisoned search ads that imitated popular banks. Some variants added call-forwarding to keep victims from seeing alerts.
The Everest ransomware group claimed it stole data tied to Sweden’s national grid operator through an external file-transfer system. Early evidence pointed to a connected vendor rather than core operational technology at the utility. The gang posted samples to pressure payment while authorities and the company investigated. Services stayed online, but concerns rose about non-public documents and internal contact information now exposed.
That’s the BareMetalCyber Daily Brief for October 29th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com. We’re back tomorrow.