BMC Daily Cyber News

This is today’s cyber news for October 24th, 2025. We lead with an actively exploited flaw in a popular endpoint management tool that can hand attackers domain-level control if left unpatched. Retailers face session hijacking on Magento, while Microsoft is closing a quiet NTLM credential-leak path in File Explorer. An ill-timed agent update knocked some laptops off Entra I D, underscoring identity fragility. And the Medusa gang claimed and leaked a large Comcast data cache after a failed ransom, raising the risk of phishing, account takeover, and regulatory scrutiny.
You’ll also hear how SpaceX cut connectivity to scam centers using Starlink; a “DreamJob” lure targeted drone engineers; Vidar Stealer 2.0 grabs tokens from memory; and malicious VS Code extensions threaten developer pipelines. Retail “Jingle Thief” gift-card fraud, a shift to high-conviction smishing, a Toys “R” Us Canada leak, and a Galaxy S25 contest compromise round out the middle. We close with China-linked telecom and energy intrusions, spoofed AI sidebars, a “privacy” browser acting like spyware, an NGO-focused PhantomCaptcha campaign, 183 million credentials added to Have I Been Pwned, Maryland’s statewide VDP, and an AI browser screenshot flaw—available at DailyCyber.news.

What is BMC Daily Cyber News?

The BMC Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.

This is today’s cyber news for October 24th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

Attackers are actively exploiting a remote-code-execution flaw in a popular endpoint management tool, letting them run code on managed Windows machines. That matters because the software often holds elevated rights, so a single foothold can turn into domain compromise. Organizations with broad admin scopes and older Windows images are most exposed. Watch for new administrator accounts on endpoints and unusual outbound traffic from management consoles to unfamiliar IP ranges. Patch the platform now, and if you can’t, block internet exposure and check for surprise local admins within a day.

Microsoft changed File Explorer’s default for internet-downloaded files to block previews that leak N T L M hashes, closing a quiet credential theft trick. That reduces lateral-movement risk with minimal impact to most workflows. Environments still relying on N T L M or legacy authentication are the most exposed. Watch for spikes in N T L M authentication failures and alerts for N T L M usage in identity logs, plus signs of S M B relay attempts. Keep the new default, and if legacy apps break, allow-list carefully while accelerating the move off N T L M.

An automatic agent update on some business laptops broke Microsoft Entra I D sign-ins, cutting users off from cloud apps until rollbacks landed. The incident shows how fragile identity stacks can be and how help desks can get swamped fast. Organizations that push “auto-update everywhere” without pilot rings are most exposed. Track device-join errors, mass failures in primary refresh tokens, and conditional-access anomalies. Implement staged rollouts with fast rollback paths, or cap auto-updates and verify you can restore Entra I D logins in under an hour.

After a ransom demand failed, the Medusa group dumped a huge cache it claims belongs to Comcast, raising the risk of targeted phishing and account takeover. The business impact is brand damage, customer churn, and regulatory scrutiny that outlasts the technical cleanup. Large consumer service providers with sprawling data estates are the most exposed. Watch for spikes in password resets, bursts of traffic to account-recovery endpoints, and credential-stuffing attempts from new networks. Tighten defenses against stuffing, prepare clear customer communications, and rotate any tokens that could be exposed.

SpaceX cut service to thousands of Starlink terminals tied to big scam centers in Southeast Asia, disrupting their phishing and fraud operations. That matters because removing cheap, reliable connectivity can shrink criminal output quickly, even if only for a while. Companies with large consumer messaging or payments flows are most exposed as displaced groups look for new targets. Watch for shifts in traffic origin in fraud analytics and clusters of new sender IPs in email security logs. Tighten geo and provider risk controls now, then loosen carefully only if fraud and abuse stay below baseline.

A long-running “DreamJob” lure posed as recruiters to target engineers at European drone programs with malware-laced documents. The business risk is theft of intellectual property and access to suppliers that can ripple across national programs. Prime contractors and small specialty suppliers with limited training are most exposed. Watch for protected-view bypasses, new OAuth consent prompts from personal accounts, and unusual exfiltration from engineering shares. Roll out a recruiter-lure playbook and force sandbox detonation before opening external resumes or portfolios.

Vidar Stealer’s latest build grabs credentials and tokens straight from memory, reducing disk traces and speeding account takeovers. That’s dangerous because a single infected workstation can expose cloud admins, finance apps, or developer systems. Smaller firms with permissive browser extensions and weak allow-lists are most exposed. Watch for “impossible travel” logins, unfamiliar OAuth grants, and sign-ins without password use due to stolen session cookies. Block malvertising at the network edge, enforce phishing-resistant multi-factor authentication, and shorten session lifetimes for high-risk apps.

Malicious extensions in third-party marketplaces like OpenVSX are infecting Visual Studio Code environments to steal tokens and tamper with builds. The impact is code poisoning and secret theft that can compromise products before deployment. Teams that allow uncurated extensions and personal devices in the toolchain are most exposed. Watch for first-seen extensions outside your allow-list and egress from build hosts to unusual code-hosting domains at odd hours. Lock extensions to a vetted catalog and run builds on isolated runners with minimal credentials.

Criminals abused compromised cloud identities to mint or inflate digital gift cards in a scheme nicknamed “Jingle Thief.” The business harm is immediate revenue leakage and customer trust damage, often blended into normal operations. Retailers with loosely permissioned roles and legacy gift-card systems are most exposed. Watch for bursts of card issuance from service principals and high-value actions outside business hours in cloud audit logs. Gate gift-card APIs behind just-in-time access and approvals, or at least cap issuance and alert on threshold breaches in real time.

Investigators say China-based operators shifted from mass texting to fewer, more convincing government-style smishing messages. That matters because better-crafted lures slip past filters and raise victim conversion, driving fraud and data theft. Public-sector staff, small-business owners, and anyone handling payments on mobile are most exposed. Watch for spikes in DNS requests to new URL shorteners and installs of sideloaded remote-support apps on Android devices. Train for verification-by-callback using official numbers, and block the sender while confirming claims through a known channel.

Toys “R” Us Canada confirmed customer information from a July incident has surfaced on criminal forums. The business impact is customer trust damage, compliance obligations, and a likely rise in targeted phishing and account takeovers. Retail brands with legacy e-commerce stacks and many third-party integrations are most exposed. Watch for credential-stuffing bursts against loyalty logins and email campaigns spoofing order updates. Enforce step-up authentication on account changes and cap risky actions while monitoring password-reset spikes.

Researchers at a live contest chained bugs on a Galaxy S25 to control the camera and access location data. That underscores how quickly modern flagship phones can be compromised, especially those used by executives. Organizations with bring-your-own-device policies and broad mobile app permissions are most exposed. Watch for M D M posture gaps, unknown processes accessing the camera, and sudden location requests from newly installed apps. Mandate same-week mobile patching for high-risk roles and confine sensitive apps to managed profiles.

A China-linked espionage group accelerated operations against telecom and energy firms using zero-days, D L L sideloading, and living-off-the-land tools. The risk is long-dwell access that pressures identity, logging, and segmentation across critical infrastructure. Mid-size carriers and regional utilities with legacy Windows servers are most exposed. Watch for service binaries loading from user-writable paths and new domain trusts or replication permissions. Lock down service paths, rotate privileged creds, and block risky management ports while verifying no domain trust changes within a day.

Security researchers showed malicious pages and extensions can spoof AI assistant sidebars, tricking users or agents into unsafe actions. That shifts the attack to the user interface layer, where trust cues are weak and permissions feel routine. Teams piloting AI-enabled browsers and sidebar extensions are most exposed. Watch for first-seen extensions with broad tab access and spikes in clipboard or D O M read events in endpoint telemetry. Restrict AI-enabled extensions to a vetted list and run tests in isolated profiles with weekly permission reviews.

Researchers say a consumer “privacy” browser is routing traffic through overseas infrastructure and quietly installing helper apps. That matters because a tool marketed to reduce tracking can actually expand it, especially on unmanaged devices. Individuals who install privacy tools from ads or side-loaders are most exposed. Watch for new scheduled tasks created by the browser and DNS lookups to first-seen domains with “privacy” or “secure” in their names. Block unapproved browsers and remove persistence artifacts, then confirm no residual services remain after reboot.

A focused phishing wave delivered a remote-access trojan called PhantomCaptcha to aid groups supporting Ukraine. The risk is mailbox and token theft that maps partnerships and logistics across humanitarian networks. Small NGOs with limited IT support and bring-your-own-device policies are most exposed. Watch for OAuth consents outside business hours and spikes in mailbox rules forwarding externally. Move high-risk accounts to managed identities or, at minimum, enforce conditional access and review new forwarding rules and app consents this week.

Have I Been Pwned added 183 million credentials sourced from stealer logs, expanding exposure checks for corporate emails. That’s a problem because reused passwords or still-valid session tokens can enable quick account takeovers. Organizations with weak password hygiene and long session lifetimes are most exposed. Watch for login attempts from first-seen countries and bursts of MFA prompts hitting the same user in minutes. Require resets for exposed emails, enforce phishing-resistant MFA, and restrict high-value apps to compliant devices while revoking risky sessions.
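The two sign-in heuristics named above (bursts of MFA prompts hitting one user within minutes, and login attempts from a country never seen before for that user) as a small detector over constructed sample events; this is an added example, not code from the brief or from Have I Been Pwned, and the event schema, thresholds, and sample users are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): (user, ISO time, country, event type).
SAMPLE_EVENTS = [
    ("alice@example.test", "2025-10-24T08:00:00", "US", "login_success"),
    ("bob@example.test",   "2025-10-24T09:00:00", "US", "login_success"),
    ("bob@example.test",   "2025-10-24T09:01:00", "US", "mfa_prompt"),
    ("bob@example.test",   "2025-10-24T09:01:20", "US", "mfa_prompt"),
    ("bob@example.test",   "2025-10-24T09:01:45", "US", "mfa_prompt"),
    ("bob@example.test",   "2025-10-24T09:02:10", "US", "mfa_prompt"),
    ("alice@example.test", "2025-10-24T11:30:00", "BR", "login_attempt"),
    ("carol@example.test", "2025-10-24T12:00:00", "DE", "login_success"),
]

MFA_BURST_THRESHOLD = 3            # assumed: prompts within the window that count as a burst
MFA_BURST_WINDOW = timedelta(minutes=5)

def detect_mfa_bursts(events, threshold=MFA_BURST_THRESHOLD, window=MFA_BURST_WINDOW):
    """Return {user: ISO start time} for users with >= threshold MFA prompts inside `window`."""
    prompts = defaultdict(list)
    for user, ts, _country, kind in events:
        if kind == "mfa_prompt":
            prompts[user].append(datetime.fromisoformat(ts))
    alerts = {}
    for user, times in prompts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until times[start..end] fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = times[start].isoformat()
                break
    return alerts

def detect_first_seen_country(events):
    """Return [(user, country, ts)] for login events from a country never seen before for that
    user. The user's earliest login establishes the baseline and is not flagged."""
    seen = defaultdict(set)
    alerts = []
    for user, ts, country, kind in sorted(events, key=lambda e: e[1]):  # ISO times sort lexically
        if not kind.startswith("login"):
            continue
        if seen[user] and country not in seen[user]:
            alerts.append((user, country, ts))
        seen[user].add(country)
    return alerts
```

On the sample data, bob's four prompts in just over a minute trip the burst rule, and alice's Brazil attempt is flagged because her only prior login was from the US, while carol's first login only sets her baseline.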

Maryland launched a statewide Vulnerability Disclosure Program to give researchers a safe way to report flaws in public systems. It matters because clear scope, timelines, and safe-harbor language shorten time-to-fix during tight budgets. Agencies with sprawling legacy systems and minimal security staff are most exposed—and stand to benefit. Watch for time from report to remediation and repeated findings across similar systems. Stand up a central VDP with safe-harbor terms or pilot it on top-risk systems while verifying fixes land within defined SLAs.

A screenshot and preview feature in a popular AI-assisted browser allowed hidden prompt injection from crafted pages. That’s significant because agentic browsing turns UI cues and capture permissions into part of the control plane. Early adopters testing AI features in production are most exposed. Watch for spikes in tab-capture permissions and assistant actions executed on sensitive internal apps. Disable risky capture features by default or cage testing in non-sensitive profiles and verify permission grants match approved change tickets.

That’s the BareMetalCyber Daily Brief for October 24th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back Monday.