BMC Daily Cyber News

This is today’s cyber news for November 20th, 2025. Today’s brief tracks how fragile our internet plumbing has become, from hijacked home routers and a major Cloudflare outage to record-setting attacks against Azure and a fresh browser flaw already under exploitation. You will hear how a massive botnet built from aging ASUS routers, a FortiWeb zero day, and an actively abused 7-Zip bug combine into a broad, internet-facing risk picture for everyday businesses. The episode also looks at a China-linked software update hijack, a high-impact Chrome engine bug, and a sophisticated phishing kit that makes Microsoft cloud logins look and feel real even as they are stolen. Finally, we touch on sanctions against a key ransomware infrastructure host and a confirmed breach at European fiber provider Eurofiber, both of which highlight how attackers are targeting the connective tissue between organizations.
 
Listeners will get a clear rundown of what happened, who is most exposed, and why these stories matter to both leadership teams and defenders on the ground. The focus stays on practical signals to watch, from router and firewall behavior to browser versions, phishing patterns, and telecom dependencies, so you can translate headlines into concrete checks in your own environment. If you are responsible for risk, operations, or incident response, this is designed to help you decide where to look first rather than overwhelm you with jargon. The daily feed is available at DailyCyber.news, with each episode paired to a written brief you can share with colleagues and leadership.

What is BMC Daily Cyber News?

The BMC Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.

This is today’s cyber news for November 20th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
Attackers have quietly built a large botnet out of tens of thousands of aging ASUS home and small office routers. By chaining together old firmware bugs, they gain persistent control of devices that often sit at the edge of small businesses and remote workers, then use them to relay traffic, hide their origin, or support denial of service attacks against bigger targets. Many of these routers are past end of support, which means there are no new security updates and owners may not even know they are compromised or exposing corporate traffic. This matters because a cheap box under someone’s desk can now act as an invisible staging point into cloud services and corporate networks. For now the campaign appears ongoing, and defenders are racing to identify infected devices and block their traffic before the botnet is turned toward higher profile targets.
Cloud services also drew attention after a configuration change inside one major internet provider triggered the worst outage it has seen in years. A routine permissions adjustment led to a buggy internal file, which then overloaded systems that protect sites from automated abuse and caused a cascading loss of availability across multiple regions. Many organizations suddenly found that customer portals, internal tools, and third party services failed at the same time, even though their own infrastructure had not changed at all. This shows how deeply modern businesses depend on a small number of infrastructure providers and how a single internal mistake can ripple across banks, retailers, and public agencies. The provider has restored service and is adjusting its processes, but customers are now reconsidering their own resilience plans and how they would operate if this kind of outage hit again.
Law enforcement and regulators made their own move by jointly sanctioning a Russian internet hosting company accused of supporting multiple ransomware gangs. Officials say the firm provided so called bulletproof hosting, meaning it turned a blind eye to abuse reports and helped criminal groups keep command servers and leak sites online even during active investigations. The sanctions freeze assets under allied jurisdiction and warn banks, payment processors, and technology firms that doing business with the company now carries serious legal and financial risk. This matters because it targets the technical and financial infrastructure that lets ransomware groups persist even after takedowns and arrests. The hosting company and its networks are now under intense scrutiny, and many attackers will likely try to shift their infrastructure while defenders and regulators watch where they reappear.
On the product side, administrators running Fortinet FortiWeb web application firewalls are dealing with a critical vulnerability that is already under active attack. The flaw allows unauthenticated attackers to abuse path traversal tricks and gain high level control over internet facing devices that sit directly in front of sensitive web applications and programming interfaces. Security telemetry shows broad scanning and exploitation attempts, which means opportunistic actors are racing to compromise any appliance that has not yet been patched or locked down. This is important because once attackers control the firewall, they can potentially tamper with traffic, pivot deeper into networks, or plant backdoors that survive routine maintenance. Vendors and government agencies have issued strong guidance and deadlines, and organizations are now working to patch quickly, restrict management access, and comb through logs to see whether this door has already been used against them.
Another widely used tool under pressure is the 7-Zip file archiver, which has a vulnerability that is currently being exploited. Crafted archives can abuse how the software handles special file paths and symbolic links, which may let an attacker write files outside the intended folder and eventually run code on a Windows system. Because 7-Zip is free, lightweight, and used by many help desks, developers, and ordinary staff, the bug provides a tempting way to turn a simple attachment into a full compromise. This matters for any organization that relies on user managed desktops or has limited insight into which utilities people install to handle their daily work. A fixed version is available, and attention is now on pushing updates, blocking outdated installers, and watching endpoint and log data for suspicious archive activity tied to older builds.
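The archive risk described above, a member path or symbolic link that lands outside the folder the user meant to extract into, can be audited before anything is written to disk. The Python script below is an added example written for this brief; it is not code from the page, from BareMetalCyber, or from the 7-Zip project, and it does not reproduce the 7-Zip bug itself. It is a generic pre-extraction audit for ZIP archives that a help desk or mail gateway could run on incoming attachments. The extraction directory `/tmp/extract`, the function names, and the sample archive are all constructed for illustration. It flags four things: absolute or drive-letter paths, `..` traversal, symlink members whose target resolves outside the extraction directory, and later members that would be written through such a symlink.

```python
import io
import posixpath
import stat
import zipfile

# Added example (not from the page, BareMetalCyber, or 7-Zip): a generic
# pre-extraction audit for ZIP members. The extraction directory is a
# constructed placeholder.
DEST = "/tmp/extract"


def _inside(path: str, dest: str) -> bool:
    """True if dest/path, after normalising '..' components, still lies under dest."""
    resolved = posixpath.normpath(posixpath.join(dest, path))
    return resolved == dest or resolved.startswith(dest + "/")


def audit_archive(data: bytes, dest: str = DEST) -> list:
    """Return (member_name, reason) pairs, in archive order, for members that
    would land outside dest if the archive were extracted naively."""
    dest = posixpath.normpath(dest)
    findings = []
    symlinks = {}  # normalised member path -> raw link target
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # Absolute POSIX paths and Windows drive-letter paths ignore dest entirely.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                findings.append((info.filename, "absolute path"))
                continue
            # Classic zip-slip: enough '..' components to climb out of dest.
            if not _inside(name, dest):
                findings.append((info.filename, "path traversal"))
                continue
            norm = posixpath.normpath(name)
            # A member whose parent directory is an earlier symlink member is
            # written wherever that link points, not under dest.
            parts = norm.split("/")
            through = None
            for i in range(1, len(parts)):
                parent = "/".join(parts[:i])
                if parent in symlinks:
                    through = parent
                    break
            if through is not None:
                findings.append((info.filename, f"writes through symlink {through}"))
                continue
            # Symlink members store the link target as their data; the POSIX
            # mode lives in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                target = zf.read(info).decode("utf-8", "replace").replace("\\", "/")
                symlinks[norm] = target
                link_dir = posixpath.dirname(norm)
                if target.startswith("/") or not _inside(posixpath.join(link_dir, target), dest):
                    findings.append((info.filename, f"symlink escapes to {target}"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign member plus four hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("../../../Users/Public/evil.bat", "@echo owned")
        link = zipfile.ZipInfo("docs/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark member as a symlink
        zf.writestr(link, "../../../../etc")
        zf.writestr("docs/link/cron.d/job", "* * * * * root id")
        zf.writestr("C:/Windows/Temp/abs.txt", "x")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control archive with nothing to flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("docs/sub/notes.txt", "also benign")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_archive(build_sample_archive()):
        print(f"REJECT {member!r}: {reason}")
```

The audit walks members in archive order on purpose: a symlink only becomes dangerous to later members, so the link must be recorded before the member that writes through it is examined. Treat any finding as a reason to quarantine the whole archive rather than to skip the one member, since the remaining members were packed by the same author.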
A long running China linked group known as PlushDaemon has been caught abusing software updates to plant a backdoor called EdgeStepper. By quietly hijacking domain name system traffic and standing up fake update servers, the actors swap trusted installers for malware without raising obvious alarms. Victims so far include telecom, manufacturing, and technology companies that rely on regional software vendors woven deeply into their business systems. The trick is simple but powerful. Because the malicious code rides on normal looking updates, many organizations may already be compromised and researchers say the campaign remains active.
Microsoft Azure recently revealed that it had absorbed one of the largest distributed denial of service attacks ever recorded against its cloud platform. Traffic from a botnet built out of compromised home routers and cameras slammed public facing services in several regions, forcing automated defenses to throttle requests and reroute flows to stay online. Some customers saw slow responses and intermittent errors even though the services never fully went dark, which illustrates how attack traffic can quietly jam customer experience without a clear outage banner. For many teams it became an invisible fire drill. Azure has adjusted its defenses, yet the episode shows customers must monitor performance and rehearse what to do when shared infrastructure strains.
Google Chrome users are facing a high severity flaw in the browser engine that attackers are already exploiting through malicious web pages. The bug sits inside the JavaScript engine and can let crafted content escape normal protections and run code on laptops and desktops that simply visit a booby trapped site. Patches are available, but many devices will not receive the fix until users restart their browser or operating system, leaving a large window where exploit attempts can still succeed. This turns ordinary browsing into a quiet path for intrusion. Enterprises now need to push updates, confirm reboots, and watch security tools for blocked exploit attempts tied to older Chrome builds.
A phishing kit known as SneakyTwoFactor is making it easier for criminals to steal Microsoft cloud logins and session tokens. The service uses a browser in the browser trick, drawing fake sign in windows that perfectly mimic the look of genuine Microsoft prompts while quietly relaying everything the victim types to a control server. Once someone enters a username, password, and one time code, the kit immediately replays those details and hijacks the live session, neatly sidestepping many multi factor authentication checks. For victims, the fake prompt looks completely normal. Security teams now must rely more on conditional access, hardened admin accounts, and careful sign in monitoring than on simple user training.
European fiber provider Eurofiber has confirmed a security breach in systems that support its customer portals and operational tools. Attackers broke into parts of the environment, stole internal documents and customer related data, then tried to pressure the company with threats of public leaks and disruption. Eurofiber says the core transport network kept running, yet some business clients experienced portal problems and extra verification steps while the incident response work unfolded. That kind of event ripples through many unseen dependencies. As investigations continue, Eurofiber and its customers are tightening access paths and monitoring so misuse of data or credentials is spotted early.
That’s the BareMetalCyber Daily Brief for November 20th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back tomorrow.